Hi, I'm using EAP-TTLS-PAP aginst LDAP, however I want to provide guest access to users without adding these users to the LDAP directory. I know I could add them as local users to the /etc/raddb/users file, but that would involve a SIGHUP, and I'd prefer to avoid that if I could. Instead, what I'd like to do is create a user account on the radius server itself (with nologin, and an expiry, no rights, etc..). This could be done "on-the-fly" and therefore require no such SIGHUP. Now I know Alan does not recommend DEFAULT Auth-Type, but for here, I think it might be necessary. So in my users file, I added the following: DEFAULT Auth-Type := System Fall-Through = Yes Thinking that would allow my users who have accounts on the server to login. However, that is not working because in the logs in debug mode I see: Debug: modcall: group authorize returns ok for request 0 Debug: rad_check_password: Found Auth-Type System Debug: auth: type "System" Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. Debug: auth: Failed to validate the user. I'm sure it's something small I'm missing, but can't find it. That or this is not possible and I'm missing the reason why for that too! Any advice is appreciated. Thanks Matt mda@unb.ca
Matt Ashfield wrote:
Now I know Alan does not recommend DEFAULT Auth-Type, but for here, I think it might be necessary. So in my users file, I added the following:
DEFAULT Auth-Type := System Fall-Through = Yes
Don't use ":=", use "=".
Thinking that would allow my users who have accounts on the server to login. However, that is not working because in the logs in debug mode I see:
Debug: modcall: group authorize returns ok for request 0 Debug: rad_check_password: Found Auth-Type System Debug: auth: type "System" Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. Debug: auth: Failed to validate the user.
You deleted the "unix" entry from the "authenticate" section. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I've uncommented the unix line in authenticate and left the /etc/shadow, /etc/group, /etc/password files commented out of the unix module definition part: unix { cache = no cache_reload = 600 #passwd = /etc/passwd #shadow = /etc/shadow #group = /etc/group radwtmp = ${logdir}/radwtmp } but am still getting the following in my log: Auth: rlm_unix: [baduser]: invalid password Debug: modsingle[authenticate]: returned from unix (rlm_unix) for request 0 Debug: modcall[authenticate]: module "unix" returns reject for request 0 I am 100% positive I'm putting the password in correctly. The user "baduser" has a shell of /sbin/nologin. Would that account for any of this? Thanks Matt mda@unb.ca -----Original Message----- From: Alan DeKok [mailto:aland@deployingradius.com] Sent: March 2, 2007 4:47 AM To: mda@unb.ca; FreeRadius users mailing list Subject: Re: guest acces? Matt Ashfield wrote:
Now I know Alan does not recommend DEFAULT Auth-Type, but for here, I think it might be necessary. So in my users file, I added the following:
DEFAULT Auth-Type := System Fall-Through = Yes
Don't use ":=", use "=".
Thinking that would allow my users who have accounts on the server to login. However, that is not working because in the logs in debug mode I see:
Debug: modcall: group authorize returns ok for request 0 Debug: rad_check_password: Found Auth-Type System Debug: auth: type "System" Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. Debug: auth: Failed to validate the user.
You deleted the "unix" entry from the "authenticate" section. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Matt Ashfield wrote:
The user "baduser" has a shell of /sbin/nologin. Would that account for any of this?
Yes. Change it to /bin/true, which is often listed as a valid shell in /etc/shells, but still won't let them log in. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Weird. I'm still getting invalid password. When I first changed the login shell to /bin/true, I got an invalid shell message. I added /bin/true to /etc/shell and got rid of that error, but still getting invalid password even though I'm sure I'm using the correct users's password. Matt mda@unb.ca -----Original Message----- From: Alan DeKok [mailto:aland@deployingradius.com] Sent: March 2, 2007 12:37 PM To: mda@unb.ca; FreeRadius users mailing list Subject: Re: guest acces? Matt Ashfield wrote:
The user "baduser" has a shell of /sbin/nologin. Would that account for any of this?
Yes. Change it to /bin/true, which is often listed as a valid shell in /etc/shells, but still won't let them log in. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Matt Ashfield