Hello Alan Thanks for the answer. But I allready did that !!! I configured my passwd module with kmdov3 works fine. I added the kmdov3 in the top pf the authorize section of sites-enabled/default preprocess # # If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' # section, above. # auth_log kmdov3 ... .. Unix ... .. Pap But still the unix authorization is used and the client is rejected because of the invalid shell. Is it not possible to force a single client to use only one type of authorization etc. Kmdov3 ? Do I need to add something to the authentication section? Here is the full debug log of the client call and you can see that kmdov3 returns OK but the unix on fails with the invalid shell rad_recv: Access-Request packet from host 131.165.80.37 port 9183, id=169, length=61 User-Name = "jmd" User-Password = "password" NAS-IP-Address = 127.0.0.1 NAS-Port = 8158 NAS-Port-Type = Virtual Fri Jul 23 07:57:40 2010 : Info: +- entering group authorize {...} Fri Jul 23 07:57:40 2010 : Info: ++[preprocess] returns ok Fri Jul 23 07:57:40 2010 : Info: [kmdov3] Added crypt-Password: 'TLw0SiK4QfQxg' to config_items Fri Jul 23 07:57:40 2010 : Info: ++[kmdov3] returns ok Fri Jul 23 07:57:40 2010 : Info: [radius_group] Added Radius1-Group: 'wcs-superadmin' to request_items Fri Jul 23 07:57:40 2010 : Info: ++[radius_group] returns ok Fri Jul 23 07:57:40 2010 : Info: ++[chap] returns noop Fri Jul 23 07:57:40 2010 : Info: ++[mschap] returns noop Fri Jul 23 07:57:40 2010 : Info: [suffix] No '@' in User-Name = "jmd", looking up realm NULL Fri Jul 23 07:57:40 2010 : Info: [suffix] No such realm "NULL" Fri Jul 23 07:57:40 2010 : Info: ++[suffix] returns noop Fri Jul 23 07:57:40 2010 : Info: [eap] No EAP-Message, not doing EAP Fri Jul 23 07:57:40 2010 : Info: ++[eap] returns noop Fri Jul 23 07:57:40 2010 : Auth: [unix] [jmd]: invalid shell [/bin/bash1] Fri Jul 23 07:57:40 2010 : Info: ++[unix] returns reject Fri Jul 23 07:57:40 2010 : Info: Using Post-Auth-Type Reject Fri Jul 23 07:57:40 2010 : Info: +- entering group REJECT {...} Fri Jul 23 07:57:40 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> jmd Fri Jul 23 07:57:40 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11 Fri Jul 23 07:57:40 2010 : Info: ++[attr_filter.access_reject] returns updated Fri Jul 23 07:57:40 2010 : Info: Delaying reject of request 1 for 1 seconds Fri Jul 23 07:57:40 2010 : Debug: Going to the next request Fri Jul 23 07:57:40 2010 : Debug: Waking up in 0.9 seconds. Fri Jul 23 07:57:41 2010 : Info: Sending delayed reject for request 1 Sending Access-Reject of id 169 to 131.165.80.37 port 9183 Fri Jul 23 07:57:41 2010 : Debug: Waking up in 4.9 seconds. Fri Jul 23 07:57:46 2010 : Info: Cleaning up request 1 ID 169 with timestamp +89 Fri Jul 23 07:57:46 2010 : Info: Ready to process requests. Best regards Jan Madsen -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org] På vegne af Alan DeKok Sendt: 22. juli 2010 14:20 Til: FreeRadius users mailing list Emne: Re: Controlling with Auth-Type a client must use Madsen.Jan JMD wrote:
I’m using the module passwd working fine, and I have enabled unix authentication in my default section.
Don't. Use "pap". It can do crypt authentication.
Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash] Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject
Which is what the Unix module does.
But what I want to do is to set the client ONLY to use kmdov3 as my authentication and not the Unix one. Is this possible?
No. You want "crypt" authentication, without checking /etc/passwd. Use the "pap" module. When you say "only to use kmdov3 as my authentication", it means you have confused authorization and authentication. They are *very* different.
I have been trying to use the Auth-Type attribute, but can’t figure out how to tell that I want to use the kmdov3 authentication type.
Don't. Don't set Auth-Type. In the default configuration, all you need to do is: 1) configure the kmdov3 module in raddb/modules 2) list "kmdov3" in the "authorize" section *before* the "pap" module 3) authentication *will* work Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html