RADIUS challenge response using the PAM module
Hi, I've been pulling my hair trying to get the PAM radius module to successfully authenticate against a radius server that thows a password challenge response AFTER a user has been verified using their user name and password (it's not a FreeRadius server). By looking at the source code, It seems as if this should be possible. But I can't figure this one out. The PAM module recieves the access challenge from the radius server. The problem is that instead of asking the user for additional input, the module returns an invald challenge back to the radius server and therefore the authentication fails. Does anyone out there have a working PAM module configuration that asks the user for additional input, such as a token value, after their user name and password has been checked? Any help is greatly appreciated thanx Robert
Robert Svensson wrote:
The PAM module recieves the access challenge from the radius server. The problem is that instead of asking the user for additional input, the module returns an invald challenge back to the radius server and therefore the authentication fails.
What's an "invalid challenge"? Alan DeKok.
something else than what the radius server expected. Like an invalid OTP for example ________________________________________ From: freeradius-users-bounces+robert.svensson=mideye.com@lists.freeradius.org [freeradius-users-bounces+robert.svensson=mideye.com@lists.freeradius.org] On Behalf Of Alan DeKok [aland@deployingradius.com] Sent: Wednesday, March 18, 2009 6:22 PM To: FreeRadius users mailing list Subject: Re: RADIUS challenge response using the PAM module Robert Svensson wrote:
The PAM module recieves the access challenge from the radius server. The problem is that instead of asking the user for additional input, the module returns an invald challenge back to the radius server and therefore the authentication fails.
What's an "invalid challenge"? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm fully aware of the fact that the radius server generates the challenge. The problem is that the access challenge sent by the radius server, to the pam module, is returned by the pam module without being displayed to the user. What I expect is for the access challenge to be displayed to the user: Enter your OTP (or something). After the user has responded to the access challenge, the response should be sent back to the radius server for authentication. As of now, the PAM module responds to the access challenge by itself without asking for additional user input. Therefore, the reply message doesn't contain the correct value. ________________________________________ From: freeradius-users-bounces+robert.svensson=mideye.com@lists.freeradius.org [freeradius-users-bounces+robert.svensson=mideye.com@lists.freeradius.org] On Behalf Of Alan DeKok [aland@deployingradius.com] Sent: Wednesday, March 18, 2009 9:47 PM To: FreeRadius users mailing list Subject: Re: RADIUS challenge response using the PAM module Robert Svensson wrote:
something else than what the radius server expected. Like an invalid OTP for example
Uh... the RADIUS server is the one generating the challenge. Not the PAM module. Perhaps you could give explanations of what you expect, and what you see. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The problem is that the access challenge sent by the radius server, to the pam module, is returned by the pam module without being displayed to the user. What I expect is for the access challenge to be displayed to the user: Enter your OTP (or something). After the user has responded to the access challenge, the response should be sent back to the radius server for authentication.
Is this PAM module you are talking about pam_radius_auth from freeradius? Did you try debug option? Ivan Kalik Kalik Informatika ISP
Yes. I'm talking about the PAM module. I've tried the debug option but it isn't verbose enough. I need to recompile the module with some extra debug messages regarding the access challenge. I'll figure it out one way or another -----Ursprungligt meddelande----- Från: freeradius-users-bounces+robert.svensson=mideye.com@lists.freeradius.org [mailto:freeradius-users-bounces+robert.svensson=mideye.com@lists.freeradius.org] För tnt@kalik.net Skickat: den 18 mars 2009 23:49 Till: FreeRadius users mailing list Ämne: RE: RADIUS challenge response using the PAM module
The problem is that the access challenge sent by the radius server, to the pam module, is returned by the pam module without being displayed to the user. What I expect is for the access challenge to be displayed to the user: Enter your OTP (or something). After the user has responded to the access challenge, the response should be sent back to the radius server for authentication.
Is this PAM module you are talking about pam_radius_auth from freeradius? Did you try debug option? Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Robert Svensson wrote:
The problem is that the access challenge sent by the radius server, to the pam module, is returned by the pam module without being displayed to the user.
That sentence doesn't make any sense.
What I expect is for the access challenge to be displayed to the user: Enter your OTP (or something). After the user has responded to the access challenge, the response should be sent back to the radius server for authentication.
Yes, that should happen.
As of now, the PAM module responds to the access challenge by itself without asking for additional user input. Therefore, the reply message doesn't contain the correct value.
Ah... *that* is the explanation I was looking for. Saying things like "the access challenge is returned by the pam module" is *very* confusing. All I know is that I last tested the module with Access-Challenge a long time ago... and it worked then. I would suggest updating the module source to print out what it's doing, and why. That will help you understand the decisions it's making. Alan DeKok.
participants (3)
-
Alan DeKok -
Robert Svensson -
tnt@kalik.net