etc_passwd module doesnt authenticate
Hiya, I have a problem (as you can see in the output of radiusd -X) I am using a VPN server, and I want it to authenticate to my /etc/samba/smbpasswd file. Somehow it seems to me it gets the password from the radiusclient but then it gives the cryptical option: <no User-Password attribute> in the logfiles and tells me that the login incorrect was. I have the funny feeling that I need to edit the users file (now still default, and I dont know what to edit where to get this going. ) I am using this softwareversions: Fedora core 4 all updates applied ppp-2.4.3-5 from the pptpclient yum repository kernel-ppp-mppe-0.0.5-5dkms pptpd-1.2.1-2 freeradius-1.0.4-1 radiusclient-0.3.2-0.1 (RPM version from apt.sw.be) The VPN client I am using is Windows XP pro english btw... i hope that someone has time to help a stupid dutchman ;) This is the output of "radiusd -X" Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "yes" main: lower_pass = "no" main: nospace_user = "yes" main: nospace_pass = "yes" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded passwd passwd: filename = "/etc/samba/smbpasswd" passwd: format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" passwd: authtype = "MS-CHAP" passwd: delimiter = ":" passwd: ignorenislike = no passwd: ignoreempty = yes passwd: allowmultiplekeys = no passwd: hashsize = 100 rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no Module: Instantiated passwd (etc_smbpasswd) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.87.138.222:32774, id=176, length=68 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "ramses" Calling-Station-Id = "192.87.138.220" NAS-IP-Address = 192.87.138.222 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_passwd: Added LM-Password: '95903FD81E9ECFEC17306D272A9441BB' to config_items rlm_passwd: Added NT-Password: '435979E55C915EC8AD30AF6418407E89' to config_items rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items rlm_passwd: Adding "Auth-Type = MS-CHAP" modcall[authorize]: module "etc_smbpasswd" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_mschap: Found LM-Password rlm_mschap: Found NT-Password rlm_mschap: No MS-CHAP-Challenge in the request modcall[authenticate]: module "mschap" returns reject for request 0 modcall: group Auth-Type returns reject for request 0 auth: Failed to validate the user. Login incorrect: [ramses/<no User-Password attribute>] (from client h-range port 0 cli 192.87.138.220) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 176 to 192.87.138.222:32774 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 176 with timestamp 42e78a98 Nothing to do. Sleeping until we see a request. ----- end output ------ I have the following configurationfiles /etc/raddb/radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = no extended_expressions = no log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = yes lower_pass = no nospace_user = yes nospace_pass = yes checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = no $INCLUDE ${confdir}/clients.conf snmp = no thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes } passwd etc_smbpasswd { filename = /etc/samba/smbpasswd format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" authtype = MS-CHAP hashsize = 100 ignorenislike = no allowmultiplekeys = no } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ntdomain_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } # perm = 0600 } #instantiate { #} authorize { preprocess mschap etc_smbpasswd } authenticate { Auth-Type MS-CHAP { mschap } } #preacct { # preprocess # files #} #accounting { # detail #} #post-auth { #} #pre-proxy { #} #post-proxy { #} ----- end radiusd.conf ------ /etc/raddb/clients.conf # # clients.conf - client configuration directives # ####################################################################### ####################################################################### # # Definition of a RADIUS client (usually a NAS). # # The information given here over rides anything given in the # 'clients' file, or in the 'naslist' file. The configuration here # contains all of the information from those two files, and allows # for more configuration items. # # The "shortname" is be used for logging. The "nastype", "login" and # "password" fields are mainly used for checkrad and are optional. # # # Defines a RADIUS client. The format is 'client [hostname|ip-address]' # # '127.0.0.1' is another name for 'localhost'. It is enabled by default, # to allow testing of the server after an initial installation. If you # are not going to be permitting RADIUS queries from localhost, we suggest # that you delete, or comment out, this entry. # client 127.0.0.1 { # # The shared secret use to "encrypt" and "sign" packets between # the NAS and FreeRADIUS. You MUST change this secret from the # default, otherwise it's not a secret any more! # # The secret can be any string, up to 32 characters in length. # secret = testing123 # # The short name is used as an alias for the fully qualified # domain name, or the IP address. # shortname = localhost # # the following three fields are optional, but may be used by # checkrad.pl for simultaneous use checks # # # The nastype tells 'checkrad.pl' which NAS-specific method to # use to query the NAS for simultaneous use. # # Permitted NAS types are: # # cisco # computone # livingston # max40xx # multitech # netserver # pathras # patton # portslave # tc # usrhiper # other # for all other types # nastype = other # localhost isn't usually a NAS... # # The following two configurations are for future use. # The 'naspasswd' file is currently used to store the NAS # login name and password, which is used by checkrad.pl # when querying the NAS for simultaneous use. # # login = !root # password = someadminpas } #client some.host.org { # secret = testing123 # shortname = localhost #} # # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # client 192.87.138.0/24 { secret = testing123 shortname = h-range } client 195.169.144.0/24 { secret = testing123 shortname = n-range } #client 10.10.10.10 { # # secret and password are mapped through the "secrets" file. # secret = testing123 # shortname = liv1 # # the following three fields are optional, but may be used by # # checkrad.pl for simultaneous usage checks # nastype = livingston # login = !root # password = someadminpas #} ----- end clients.conf ------ /etc/raddb/users # # Please read the documentation file ../doc/processing_users_file, # or 'man 5 users' (after installing the server) for more information. # # This file contains authentication security and configuration # information for each user. Accounting requests are NOT processed # through this file. Instead, see 'acct_users', in this directory. # # The first field is the user's name and can be up to # 253 characters in length. This is followed (on the same line) with # the list of authentication requirements for that user. This can # include password, comm server name, comm server port number, protocol # type (perhaps set by the "hints" file), and huntgroup name (set by # the "huntgroups" file). # # If you are not sure why a particular reply is being sent by the # server, then run the server in debugging mode (radiusd -X), and # you will see which entries in this file are matched. # # When an authentication request is received from the comm server, # these values are tested. Only the first match is used unless the # "Fall-Through" variable is set to "Yes". # # A special user named "DEFAULT" matches on all usernames. # You can have several DEFAULT entries. All entries are processed # in the order they appear in this file. The first entry that # matches the login-request will stop processing unless you use # the Fall-Through variable. # # If you use the database support to turn this file into a .db or .dbm # file, the DEFAULT entries _have_ to be at the end of this file and # you can't have multiple entries for one username. # # You don't need to specify a password if you set Auth-Type += System # on the list of authentication requirements. The RADIUS server # will then check the system password file. # # Indented (with the tab character) lines following the first # line indicate the configuration values to be passed back to # the comm server to allow the initiation of a user session. # This can include things like the PPP configuration values # or the host to log the user onto. # # You can include another `users' file with `$INCLUDE users.other' # # # For a list of RADIUS attributes, and links to their definitions, # see: # # http://www.freeradius.org/rfc/attributes.html # # # Deny access for a specific user. Note that this entry MUST # be before any other 'Auth-Type' attribute which results in the user # being authenticated. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #lameuser Auth-Type := Reject # Reply-Message = "Your account has been disabled." # # Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled." # # # This is a complete entry for "steve". Note that there is no Fall-Through # entry so that no DEFAULT entry will be used, and the user will NOT # get any attributes in addition to the ones listed here. # #steve Auth-Type := Local, User-Password == "testing" # Service-Type = Framed-User, # Framed-Protocol = PPP, # Framed-IP-Address = 172.16.3.33, # Framed-IP-Netmask = 255.255.255.0, # Framed-Routing = Broadcast-Listen, # Framed-Filter-Id = "std.ppp", # Framed-MTU = 1500, # Framed-Compression = Van-Jacobsen-TCP-IP # # This is an entry for a user with a space in their name. # Note the double quotes surrounding the name. # #"John Doe" Auth-Type := Local, User-Password == "hello" # Reply-Message = "Hello, %u" # # Dial user back and telnet to the default host for that port # #Deg Auth-Type := Local, User-Password == "ge55ged" # Service-Type = Callback-Login-User, # Login-IP-Host = 0.0.0.0, # Callback-Number = "9,5551212", # Login-Service = Telnet, # Login-TCP-Port = Telnet # # Another complete entry. After the user "dialbk" has logged in, the # connection will be broken and the user will be dialed back after which # he will get a connection to the host "timeshare1". # #dialbk Auth-Type := Local, User-Password == "callme" # Service-Type = Callback-Login-User, # Login-IP-Host = timeshare1, # Login-Service = PortMaster, # Callback-Number = "9,1-800-555-1212" # # user "swilson" will only get a static IP number if he logs in with # a framed protocol on a terminal server in Alphen (see the huntgroups file). # # Note that by setting "Fall-Through", other attributes will be added from # the following DEFAULT entries # #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.65, # Fall-Through = Yes # # If the user logs in as 'username.shell', then authenticate them # against the system database, give them shell access, and stop processing # the rest of the file. # #DEFAULT Suffix == ".shell", Auth-Type := System # Service-Type = Login-User, # Login-Service = Telnet, # Login-IP-Host = your.shell.machine # # The rest of this file contains the several DEFAULT entries. # DEFAULT entries match with all login names. # Note that DEFAULT entries can also Fall-Through (see first entry). # A name-value pair from a DEFAULT entry will _NEVER_ override # an already existing name-value pair. # # # First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type = System Fall-Through = 1 # # Set up different IP address pools for the terminal servers. # Note that the "+" behind the IP address means that this is the "base" # IP address. The Port-Id (S0, S1 etc) will be added to it. # #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.32+, # Fall-Through = Yes #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" # Framed-IP-Address = 192.168.2.32+, # Fall-Through = Yes # # Defaults for all framed connections. # DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected # by the terminal server in which case there may not be a "P" suffix. # The terminal server sends "Framed-Protocol = PPP" for auto PPP. # DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # DEFAULT Hint == "SLIP" Framed-Protocol = SLIP # # Last default: rlogin to our main server. # #DEFAULT # Service-Type = Login-User, # Login-Service = Rlogin, # Login-IP-Host = shellbox.ispdomain.com # # # # Last default: shell on the local terminal server. # # # DEFAULT # Service-Type = Shell-User # On no match, the user is denied access. ----- end users ------
Ramses van Pinxteren <ramses@niob.knaw.nl> wrote:
i hope that someone has time to help a stupid dutchman ;)
Hmm... I resemble that remark.
Module: Loaded passwd passwd: filename = "/etc/samba/smbpasswd" passwd: format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" passwd: authtype = "MS-CHAP"
You've configured the passwd module to set Auth-Type = MSCHAP. Don't do that.
rad_recv: Access-Request packet from host 192.87.138.222:32774, id=176, length=68 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "ramses" Calling-Station-Id = "192.87.138.220" NAS-IP-Address = 192.87.138.222 NAS-Port = 0
Which doesn't contain an MS-CHAP password. Or any password, for that matter. How do you expect to authenticate that request? Alan DeKok.
Module: Loaded passwd passwd: filename = "/etc/samba/smbpasswd" passwd: format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" passwd: authtype = "MS-CHAP"
You've configured the passwd module to set Auth-Type = MSCHAP. Don't do that.
This is the config file I am using minus all the comments: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = no extended_expressions = no log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = yes lower_pass = no nospace_user = yes nospace_pass = yes checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = no $INCLUDE ${confdir}/clients.conf snmp = no thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes } passwd etc_smbpasswd { filename = /etc/samba/smbpasswd format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" # authtype = MS-CHAP hashsize = 100 ignorenislike = no allowmultiplekeys = no } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ntdomain_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } } authorize { preprocess mschap etc_smbpasswd } authenticate { Auth-Type MS-CHAP { mschap } } I commented it out the Auth-Type = MSCHAP, restarted the radiusd and found out how to test radiusclient. I just copied the NT password from the /etc/sambpasswd file and did the following: echo "User-Name = ramses, password = xxxxxxxxxxxxx" | radclient 127.0.0.1 auth mysecretkey This is the complete output: [root@h222 raddb]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "yes" main: lower_pass = "no" main: nospace_user = "yes" main: nospace_pass = "yes" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded passwd passwd: filename = "/etc/samba/smbpasswd" passwd: format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" passwd: authtype = "(null)" passwd: delimiter = ":" passwd: ignorenislike = no passwd: ignoreempty = yes passwd: allowmultiplekeys = no passwd: hashsize = 100 rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no Module: Instantiated passwd (etc_smbpasswd) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32774, id=224, length=62 User-Name = "ramses" User-Password = "95903FD81E9ECFEC17306D272A9441BB" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_passwd: Added LM-Password: '95903FD81E9ECFEC17306D272A9441BB' to config_items rlm_passwd: Added NT-Password: '435979E55C915EC8AD30AF6418407E89' to config_items rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items modcall[authorize]: module "etc_smbpasswd" returns ok for request 0 modcall: group authorize returns ok for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [ramses/95903FD81E9ECFEC17306D272A9441BB] (from client localhost port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 224 to 127.0.0.1:32774 Waking up in 4 seconds... I start to get the feeling my users file is not right. It is now just default and I am afraid that when i am going to mess with it (I dont understand hell about it even after reading everything for 4 or 5 times, lack of experience with radius)
rad_recv: Access-Request packet from host 192.87.138.222:32774, id=176, length=68 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "ramses" Calling-Station-Id = "192.87.138.220" NAS-IP-Address = 192.87.138.222 NAS-Port = 0
Which doesn't contain an MS-CHAP password.
Or any password, for that matter. How do you expect to authenticate that request?
That is the second problem. I am using radius to check passwords of my VPN server. When I am testing pppd against a chap-secrets file, it can authenticate, but it looks to me like the radiusclient is not relayting the right info. Can someone tell me where I went wrong with configuring it? # General settings # specify which authentication comes first respectively which # authentication is used. possible values are: "radius" and "local". # if you specify "radius,local" then the RADIUS server is asked # first then the local one. if only one keyword is specified only # this server is asked. auth_order radius,local # maximum login tries a user has login_tries 4 # timeout for all login tries # if this time is exceeded the user is kicked out login_timeout 60 # name of the nologin file which when it exists disables logins. # it may be extended by the ttyname which will result in # a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable # logins on /dev/ttyS2) nologin /etc/nologin # name of the issue file. it's only display when no username is passed # on the radlogin command line issue /etc/radiusclient/issue # RADIUS settings # RADIUS server to use for authentication requests. this config # item can appear more then one time. if multiple servers are # defined they are tried in a round robin fashion if one # server is not answering. # optionally you can specify a the port number on which is remote # RADIUS listens separated by a colon from the hostname. if # no port is specified /etc/services is consulted of the radius # service. if this fails also a compiled in default is used. #authserver localhost authserver h222.niob.knaw.nl:1812 # RADIUS server to use for accouting requests. All that I # said for authserver applies, too. # #acctserver localhost acctserver h222.niob.knaw.nl:1813 # file holding shared secrets used for the communication # between the RADIUS client and server servers /etc/radiusclient/servers # dictionary of allowed attributes and values # just like in the normal RADIUS distributions dictionary /etc/radiusclient/dictionary # program to call for a RADIUS authenticated login login_radius /usr/sbin/login.radius # file which holds sequence number for communication with the # RADIUS server seqfile /var/run/radius.seq # file which specifies mapping between ttyname and NAS-Port attribute mapfile /etc/radiusclient/port-id-map # default authentication realm to append to all usernames if no # realm was explicitly specified by the user # the radiusd directly form Livingston doesnt use any realms, so leave # it blank then default_realm # time to wait for a reply from the RADIUS server radius_timeout 10 # resend request this many times before trying the next server radius_retries 3 # LOCAL settings # program to execute for local login # it must support the -f flag for preauthenticated login login_local /bin/login
Ramses van Pinxteren <ramses@niob.knaw.nl> wrote:
You've configured the passwd module to set Auth-Type = MSCHAP. Don't do that.
This is the config file I am using minus all the comments:
That's nice. It's also irrelevant. I asked you to change *one* thing, not to show your entire config.
rad_recv: Access-Request packet from host 127.0.0.1:32774, id=224, length=62 User-Name = "ramses" User-Password = "95903FD81E9ECFEC17306D272A9441BB"
Is that really the password? I doubt it very much.
rlm_passwd: Added LM-Password: '95903FD81E9ECFEC17306D272A9441BB' to config_items
Ah, yes. You're giving the client the hashed password, not the real password. That's wrong.
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
So set Auth-Type. But don't set it to MS-CHAP. Alan DeKok.
participants (2)
-
Alan DeKok -
Ramses van Pinxteren