How do I setup users tester-a to use /etc/shadow for authentication? Currently I have tester-a Auth-Type := Local, User-Password == "superuser" cisco-avpair = "shell:priv-lvl=15", Service-Type = Administrative-User Norman
Norman Zhang wrote:
How do I setup users tester-a to use /etc/shadow for authentication?
Currently I have
tester-a Auth-Type := Local, User-Password == "superuser" cisco-avpair = "shell:priv-lvl=15", Service-Type = Administrative-User
I would start by reading radiusd.conf. Look for every instance of the word "shadow" and read those comments. Then setup the unix module properly. Make sure the user/group that radiusd runs as can read /etc/shadow. Make sure you are *only* using PAP. CHAP encrypts the password over the wire and you cannot compare crypt to crypt. One of them needs to be cleartext (this is a limitation of encryption, not FreeRADIUS). See the table here: http://deployingradius.com/documents/protocols/compatibility.html (you are using Unix Crypt). Make sure you have the unix module referenced in the *authorize* section at the bottom of the conf file. Oh, and obviously you'll want to remove (or at least change) that entry in the users file. Run the server in debug mode (radiusd -X) and test. I've never tried to use /etc/shadow myself, but the comments in the config file should get you 90% there. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
Dennis Skinner wrote:
Norman Zhang wrote:
How do I setup users tester-a to use /etc/shadow for authentication?
Currently I have
tester-a Auth-Type := Local, User-Password == "superuser" cisco-avpair = "shell:priv-lvl=15", Service-Type = Administrative-User
I would start by reading radiusd.conf. Look for every instance of the word "shadow" and read those comments. Then setup the unix module properly.
Make sure the user/group that radiusd runs as can read /etc/shadow.
Thanks. Changed /etc/shadow to 444 for now. Also unix { password = /etc/password group = /etc/group shadow = /etc/shadow } are uncommented in radiusd.conf
Make sure you are *only* using PAP. CHAP encrypts the password over the wire and you cannot compare crypt to crypt. One of them needs to be cleartext (this is a limitation of encryption, not FreeRADIUS). See the table here:
http://deployingradius.com/documents/protocols/compatibility.html
(you are using Unix Crypt).
pap { encryption_scheme = crypt } chap { authtype = CHAP } still fails. I guess I need to configure users. Will run radiusd -X to debug. Norman
Dennis Skinner wrote:
Make sure you are *only* using PAP. CHAP encrypts the password over the wire and you cannot compare crypt to crypt. One of them needs to be cleartext (this is a limitation of encryption, not FreeRADIUS). See the table here:
http://deployingradius.com/documents/protocols/compatibility.html
(you are using Unix Crypt).
I changed pap { encryption_scheme = clear # was crypt } chap { authtype = pap # was CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 passwd = /etc/passwd shadow = /etc/shadow group = /etc/group radwtmp = ${logdir}/radwtmp } but I still cannot get in. rad_recv: Access-Request packet from host 10.0.0.2:1645, id=27, length=79 NAS-IP-Address = 10.0.0.2 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "tester" Calling-Station-Id = "10.0.0.1" User-Password = "testing123" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "tester", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns ok for request 0 modcall: group authenticate returns ok for request 0 Login OK: [tester] (from client test-network port 1 cli 10.0.0.1) Sending Access-Accept of id 27 to 10.0.0.2:1645 Finished request 0 Going to the next request --- Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "clear" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests.
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1) Sending Access-Accept of id 27 to 10.0.0.2:1645 You have "got in". But you haven't returned any radius attributes. You need to return something like Service-Type = Administrative-User or NAS-Prompt-User so NAS knows what to do with the user. Ivan Kalik Kaliik Informatika ISP Dana 25/4/2007, "Norman Zhang" <norman.zhang@gmail.com> piše:
Dennis Skinner wrote:
Make sure you are *only* using PAP. CHAP encrypts the password over the wire and you cannot compare crypt to crypt. One of them needs to be cleartext (this is a limitation of encryption, not FreeRADIUS). See the table here:
http://deployingradius.com/documents/protocols/compatibility.html
(you are using Unix Crypt).
I changed
pap { encryption_scheme = clear # was crypt }
chap { authtype = pap # was CHAP }
pam { pam_auth = radiusd }
unix { cache = no cache_reload = 600 passwd = /etc/passwd shadow = /etc/shadow group = /etc/group radwtmp = ${logdir}/radwtmp }
but I still cannot get in.
rad_recv: Access-Request packet from host 10.0.0.2:1645, id=27, length=79 NAS-IP-Address = 10.0.0.2 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "tester" Calling-Station-Id = "10.0.0.1" User-Password = "testing123" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "tester", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns ok for request 0 modcall: group authenticate returns ok for request 0 Login OK: [tester] (from client test-network port 1 cli 10.0.0.1) Sending Access-Accept of id 27 to 10.0.0.2:1645 Finished request 0 Going to the next request
---
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "clear" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
tnt@kalik.co.yu wrote:
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1) Sending Access-Accept of id 27 to 10.0.0.2:1645
You have "got in". But you haven't returned any radius attributes. You need to return something like Service-Type = Administrative-User or NAS-Prompt-User so NAS knows what to do with the user.
Thanks for the hint. I added the last two lines to users, now I can login. DEFAULT Auth-Type = System Fall-Through = 1, cisco-avpair = "shell:priv-lvl=15", Service-Type = Administrative-User Still trying to learn FreeRADIUS, should Fall-Through = True and not 1? How can I specify some users to have priv-lvl lower than 15, if default is 15? Norman
Put your users into groups and add extra entries: DEFAULT Group == numpties cisco-avpair := "shell:priv-lvl=1" DEFAULT Group == supernumpties cisco-avpair := "shell:priv-lvl=10" Notes: These lines use := to over-rule the cisco-avpair previously set. They do not fall through. I personally would make the default a low privilege, with high privilege coming from group membership. You'll need to read up on the available mechanisms for grouping users. Regards, Frank Ranner
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@l ists.freeradius.org] On Behalf Of Norman Zhang Sent: Thursday, 26 April 2007 10:50 To: freeradius-users@lists.freeradius.org Subject: Re: User /etc/shadow for Authentication
tnt@kalik.co.yu wrote:
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1) Sending Access-Accept of id 27 to 10.0.0.2:1645
You have "got in". But you haven't returned any radius attributes. You need to return something like Service-Type = Administrative-User or NAS-Prompt-User so NAS knows what to do with the user.
Thanks for the hint. I added the last two lines to users, now I can login.
DEFAULT Auth-Type = System Fall-Through = 1, cisco-avpair = "shell:priv-lvl=15", Service-Type = Administrative-User
Still trying to learn FreeRADIUS, should Fall-Through = True and not 1? How can I specify some users to have priv-lvl lower than 15, if default is 15?
Norman
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ranner, Frank MR wrote:
Put your users into groups and add extra entries:
DEFAULT Group == numpties cisco-avpair := "shell:priv-lvl=1"
DEFAULT Group == supernumpties cisco-avpair := "shell:priv-lvl=10"
Notes: These lines use := to over-rule the cisco-avpair previously set. They do not fall through. I personally would make the default a low privilege, with high privilege coming from group membership.
You'll need to read up on the available mechanisms for grouping users.
Thanks. I edited users with the following entries DEFAULT Auth-Type = System Fall-Through = 1, cisco-avpair = "shell:priv-lvl=1", Service-Type = Administrative-User DEFAULT Group == user-ro cisco-avpair := "shell:priv-lvl=7" DEFAULT Group == user-rw cisco-avpair := "shell:priv-lvl=15" but all users still get privilege level 15 access. Something wrong with my config? Norman
Norman Zhang wrote:
Thanks. I edited users with the following entries
DEFAULT Auth-Type = System Fall-Through = 1, cisco-avpair = "shell:priv-lvl=1", Service-Type = Administrative-User
DEFAULT Group == user-ro cisco-avpair := "shell:priv-lvl=7"
DEFAULT Group == user-rw cisco-avpair := "shell:priv-lvl=15"
but all users still get privilege level 15 access. Something wrong with my config?
Found it. Service-Type should = NAS-Prompt-User. Norman
participants (4)
-
Dennis Skinner -
Norman Zhang -
Ranner, Frank MR -
tnt@kalik.co.yu