Using radtest against radius in debug mode it works (output below.) One thing to note is that this radius server is proxying authentication to a WiKID server for 2 factor authentication. The password you see here is the one generated by the software token. =============RADTEST OUTPUT=================== rad_recv: Access-Request packet from host 192.168.10.109 port 50842, id=212, length=59 User-Name = "rsguser" User-Password = "612315" NAS-IP-Address = 192.168.10.107 NAS-Port = 10 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.10.109/auth-detail-20110823 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.10.109/auth-detail-20110823 [auth_log] expand: %t -> Tue Aug 23 13:44:29 2011 ++[auth_log] returns ok [suffix] No '@' in User-Name = "rsguser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "rsguser" [suffix] Adding Realm = "NULL" [suffix] Proxying request from user rsguser to realm NULL [suffix] Preparing to proxy authentication request to realm "NULL" ++[suffix] returns updated [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for rsguser [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=rsguser) [ldap] expand: dc=remoteservices,dc=CSPKRB -> dc=remoteservices,dc=CSPKRB rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=remoteservices,dc=CSPKRB, with filter (uid=rsguser) [ldap] checking if remote access for rsguser is allowed by dialupAccess [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user rsguser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 163 to 192.168.10.108 port 1812 User-Name = "rsguser" User-Password = "612315" NAS-IP-Address = 192.168.10.107 NAS-Port = 10 Proxy-State = 0x323132 Proxying request 1 to home server 192.168.10.108 port 1812 Sending Access-Request of id 163 to 192.168.10.108 port 1812 User-Name = "rsguser" User-Password = "612315" NAS-IP-Address = 192.168.10.107 NAS-Port = 10 Proxy-State = 0x323132 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 192.168.10.108 port 1812, id=163, length=41 Reply-Message = "Access Granted" Proxy-State = 0x323132 +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [rsguser] (from client 192.168.0.0/16 port 10) WARNING: Empty section. Using default return values. Sending Access-Accept of id 212 to 192.168.10.109 port 50842 Reply-Message = "Access Granted" Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 212 with timestamp +29 Ready to process requests. ====================================================== When I configure sshd to authenticate using pam radius I get this. It looks like the WiKID is returning "INCORRECT" in response to what radius is sending for the password, even though radius-WiKID communication works when using radtest. This is why I'm focusing on pam-radius. ===============PAM RADIUS AUTHENTICATION============== rad_recv: Access-Request packet from host 192.168.10.109 port 19567, id=61, length=91 User-Name = "rsguser" User-Password = "\010\n\r\177INCORRECT" NAS-IP-Address = 192.168.10.107 NAS-Identifier = "sshd" NAS-Port = 18542 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "CSID IP ADDRESS -- removed" +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.10.109/auth-detail-20110823 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.10.109/auth-detail-20110823 [auth_log] expand: %t -> Tue Aug 23 14:33:10 2011 ++[auth_log] returns ok [suffix] No '@' in User-Name = "rsguser", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "rsguser" [suffix] Adding Realm = "NULL" [suffix] Proxying request from user rsguser to realm NULL [suffix] Preparing to proxy authentication request to realm "NULL" ++[suffix] returns updated [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for rsguser [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=rsguser) [ldap] expand: dc=remoteservices,dc=CSPKRB -> dc=remoteservices,dc=CSPKRB rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=remoteservices,dc=CSPKRB, with filter (uid=rsguser) [ldap] checking if remote access for rsguser is allowed by dialupAccess [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user rsguser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 241 to 192.168.10.108 port 1812 User-Name = "rsguser" User-Password = "\010\n\r\177INCORRECT" NAS-IP-Address = 192.168.10.107 NAS-Identifier = "sshd" NAS-Port = 18542 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "CSID IP ADDRESS -- removed" Proxy-State = 0x3631 Proxying request 0 to home server 192.168.10.108 port 1812 Sending Access-Request of id 241 to 192.168.10.108 port 1812 User-Name = "rsguser" User-Password = "\010\n\r\177INCORRECT" NAS-IP-Address = 192.168.10.107 NAS-Identifier = "sshd" NAS-Port = 18542 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "CSID IP ADDRESS -- removed" Proxy-State = 0x3631 Going to the next request Waking up in 0.8 seconds. rad_recv: Access-Reject packet from host 192.168.10.108 port 1812, id=241, length=24 Proxy-State = 0x3631 +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Login incorrect (Home Server says so): [rsguser] (from client 192.168.0.0/16 port 18542 cli [IP ADDRESS -- removed] +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> rsguser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 61 to 192.168.10.109 port 19567 Waking up in 4.7 seconds. Cleaning up request 0 ID 61 with timestamp +2475 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp472714... Sent from the FreeRadius - User mailing list archive at Nabble.com.