rlm_pam not getting password?
I'm trying to authenticate against a pam module and running into difficulty and humbly beg for assistance. I am, of course, looking to do pap/ttls, which I hear is the only way. To summarize: 1. radtest works fine with static cleartext AND pam users 2. eapol_test with static cleartext user is fine 3. eapol_test with pam user - not fine. "rlm_pam: Attribute "User-Password" is required for authentication." Here is my simple static pap user that works perfectly in my eapol_test: $ cat ttls-pap2.conf # # eapol_test -c ttls-pap.conf -s testing123 # network={ ssid="example" key_mgmt=WPA-EAP eap=TTLS identity="bob" # anonymous_identity="anonymous" password="hello" phase2="auth=PAP" # # Uncomment the following to perform server certificate validation. # ca_cert="/etc/raddb/certs/ca.der" } A radtest also works quite well. (radtest pam_username pam_password localhost 1814 radius_password) This all *seems* to imply the eap/pap/pam configuration is working fine. However, a eapol_test with SAME pam username/pass information as that radtest shows this: Found Auth-Type = PAM # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} rlm_pam: Attribute "User-Password" is required for authentication. When it should say something like it does for radtest: Found Auth-Type = PAM # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} pam_pass: using pamauth string <radiusd> for pam.conf lookup pam_pass: authentication succeeded for <daniel.schmidt> ++[pam] returns ok I don't get it. eapol_test seems to imply that the eap.conf config is correct, right? I do not know where to look next. Please forgive me if I have left out anything, I did not want to clutter with spurious config. Thanks. E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
Daniel Schmidt wrote:
To summarize: 1. radtest works fine with static cleartext AND pam users 2. eapol_test with static cleartext user is fine 3. eapol_test with pam user - not fine. "rlm_pam: Attribute "User-Password" is required for authentication."
Because you're forcing "Auth-Type = PAM", in the "default" virtual server.
This all *seems* to imply the eap/pap/pam configuration is working fine.
No. PAP does password authentication. The "default" virtual server processes this. EAP-TTLS does EAP authentication. The "default" virtual server processes this. Notice there is NO PASSWORD. Inside of EAP-TTLS, there's a password. This *inner* authentication is processed in the "inner-tunnel" virtual server. If you READ the debug output, you would see this. You need to put the PAM authentication into the "inner-tunnel" virtual server. In recent versions, read the top of raddb/sites-available/inner-tunnel. It describes how to test the inner-tunnel authentication methods. Alan DeKok.
participants (2)
-
Alan DeKok -
Daniel Schmidt