Greetings, I am migrating from Solaris 8 to Solaris 10 and in the process upgrading freeradius from 0.9.3 to 2.1.7. I'm having some difficulty in getting it to work. I've pretty much copied the users and radiusd.conf files over from the old server. Here's some output with debugging turned on. This is from a cisco 7206 trying to authenticate against the new radius server. My goal is to have the radius server use getpw() to find the login since we scrapped NIS for LDAP which runs on a different server. rad_recv: Access-Request packet from host x.x.x.x port 1645, id=2, length=84 User-Name = "jason" User-Password = "test" NAS-Port = 2 NAS-Port-Id = "tty2" NAS-Port-Type = Virtual Calling-Station-Id = "y.y.y.y" NAS-IP-Address = x.x.x.x Thu Oct 8 14:12:07 2009 : Debug: +- entering group authorize {...} Thu Oct 8 14:12:07 2009 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1 Thu Oct 8 14:12:07 2009 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1 Thu Oct 8 14:12:07 2009 : Debug: ++[preprocess] returns ok Thu Oct 8 14:12:07 2009 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1 Thu Oct 8 14:12:07 2009 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1 Thu Oct 8 14:12:07 2009 : Debug: ++[chap] returns noop Thu Oct 8 14:12:07 2009 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1 Thu Oct 8 14:12:07 2009 : Debug: No '@' in User-Name = "jason", looking up realm NULL Thu Oct 8 14:12:07 2009 : Debug: No such realm "NULL" Thu Oct 8 14:12:07 2009 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1 Thu Oct 8 14:12:07 2009 : Debug: ++[suffix] returns noop Thu Oct 8 14:12:07 2009 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1 Thu Oct 8 14:12:07 2009 : Debug: users: Matched entry jason at line 14 Thu Oct 8 14:12:07 2009 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 1 Thu Oct 8 14:12:07 2009 : Debug: ++[files] returns ok Thu Oct 8 14:12:07 2009 : Debug: Found Auth-Type = System Thu Oct 8 14:12:07 2009 : Debug: +- entering group UNIX {...} Thu Oct 8 14:12:07 2009 : Debug: modsingle[authenticate]: calling unix (rlm_unix) for request 1 Thu Oct 8 14:12:07 2009 : Auth: [unix] invalid password "jason" Thu Oct 8 14:12:07 2009 : Debug: modsingle[authenticate]: returned from unix (rlm_unix) for request 1 Thu Oct 8 14:12:07 2009 : Debug: ++[unix] returns reject Thu Oct 8 14:12:07 2009 : Debug: Failed to authenticate the user. Thu Oct 8 14:12:07 2009 : Auth: Login incorrect: [jason/test] (from client fonseca port 2 cli y.y.y.y) Thu Oct 8 14:12:07 2009 : Debug: Delaying reject of request 1 for 1 seconds Thu Oct 8 14:12:07 2009 : Debug: Going to the next request Thu Oct 8 14:12:07 2009 : Debug: Waking up in 0.9 seconds. Thu Oct 8 14:12:08 2009 : Debug: Sending delayed reject for request 1 Sending Access-Reject of id 2 to x.x.x.x port 1645 Thu Oct 8 14:12:08 2009 : Debug: Waking up in 4.9 seconds. Here's the relevant parts of the users file: DEFAULT Group == "disabled", Auth-Type := Reject Reply-Message = "Your account has been disabled." # # Staff users here # jason Auth-Type := System Fall-Through = Yes I've included what I think is needed from the radius.conf file. If more is needed please let me know and I'll forward it over. -Jason unix { # # Cache /etc/passwd, /etc/shadow, and /etc/group # # The default is to NOT cache them. # # For FreeBSD and NetBSD, you do NOT want to enable # the cache, as it's password lookups are done via a # database, so set this value to 'no'. # # Some systems (e.g. RedHat Linux with pam_pwbd) can # take *seconds* to check a password, when th passwd # file containing 1000's of entries. For those systems, # you should set the cache value to 'yes', and set # the locations of the 'passwd', 'shadow', and 'group' # files, below. # # allowed values: {no, yes} cache = no # Reload the cache every 600 seconds (10mins). 0 to disable. cache_reload = 600 # # Define the locations of the normal passwd, shadow, and # group files. # # 'shadow' is commented out by default, because not all # systems have shadow passwords. # # To force the module to use the system password functions, # instead of reading the files, leave the following entries # commented out. # # This is required for some systems, like FreeBSD, # and Mac OSX. # #passwd = /usr/local/etc/raddb/passwd #shadow = /usr/local/etc/raddb/shadow #group = /usr/local/etc/raddb/group # # The location of the "wtmp" file. # This should be moved to it's own module soon. # # The only use for 'radlast'. If you don't use # 'radlast', then you can comment out this item. # radwtmp = ${logdir}/radwtmp } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users # If you want to use the old Cistron 'users' file # with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. compat = no } authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. #Auth-Type MS-CHAP { # mschap #} # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. # digest # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # Auth-Type UNIX { unix } # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. # eap }