Google authenticator : Access-Reject
Hello, I followed this tutorial (https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-... <https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-netscaler>) and managed to get it running on Debian 9 with FR 3.0.12 thanks to the help here. But I have another issue : when I try to authenticate with password + googleauth code, I got rejected. I'm able to log on the FR server with domain credentials without problem. The google auth code gets generated without issue either. Radtest: radtest user@mydomain.com <mailto:user@mydomain.com> password123456 localhost 18120 testing123 Sent Access-Request Id 226 from 0.0.0.0:38763 to 127.0.0.1:1812 length 92 User-Name = "user@mydomain.com <mailto:user@mydomain.com>" User-Password = "password123456" NAS-IP-Address = 127.0.1.1 NAS-Port = 18120 Message-Authenticator = 0x00 Cleartext-Password = "password123456" Received Access-Reject Id 226 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Log: Ready to process requests Waking up in 0.3 seconds. (0) Received Access-Request Id 226 from 127.0.0.1:38763 to 127.0.0.1:1812 length 92 (0) User-Name = "user@mydomain.com <mailto:user@mydomain.com>" (0) User-Password = "password123456" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 18120 (0) Message-Authenticator = 0x53b836642c653e776b0d9f8a542fca3a (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Waking up in 0.3 seconds. Waking up in 0.2 seconds. (0) pam: ERROR: pam_authenticate failed: Authentication failure (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Waking up in 0.7 seconds. (0) Sent Access-Reject Id 226 from 127.0.0.1:1812 to 127.0.0.1:38763 length 20 Waking up in 3.9 seconds. Ready to process requests Regards
PS : With this line in /etc/pam.d/sshd : "auth required /usr/local/lib/security/pam_google_authenticator.so" I'm able to do ssh login with my google auth code. 24. Avr 2018 11:48 de servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>:
Hello,
I followed this tutorial (> https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-... <https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-netscaler>> ) and managed to get it running on Debian 9 with FR 3.0.12 thanks to the help here. But I have another issue : when I try to authenticate with password + googleauth code, I got rejected. I'm able to log on the FR server with domain credentials without problem. The google auth code gets generated without issue either.
Radtest: radtest > user@mydomain.com <mailto:user@mydomain.com>> password123456 localhost 18120 testing123 Sent Access-Request Id 226 from 0.0.0.0:38763 to 127.0.0.1:1812 length 92 User-Name = "> user@mydomain.com <mailto:user@mydomain.com>> " User-Password = "password123456" NAS-IP-Address = 127.0.1.1 NAS-Port = 18120 Message-Authenticator = 0x00 Cleartext-Password = "password123456" Received Access-Reject Id 226 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
Log: Ready to process requests Waking up in 0.3 seconds. (0) Received Access-Request Id 226 from 127.0.0.1:38763 to 127.0.0.1:1812 length 92 (0) User-Name = "> user@mydomain.com <mailto:user@mydomain.com>> " (0) User-Password = "password123456" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 18120 (0) Message-Authenticator = 0x53b836642c653e776b0d9f8a542fca3a (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Waking up in 0.3 seconds. Waking up in 0.2 seconds. (0) pam: ERROR: pam_authenticate failed: Authentication failure (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Waking up in 0.7 seconds. (0) Sent Access-Reject Id 226 from 127.0.0.1:1812 to 127.0.0.1:38763 length 20 Waking up in 3.9 seconds. Ready to process requests
Regards
Try radtest without @doman part, as It is not part of username Eero On Tue, Apr 24, 2018 at 1:08 PM, <servernemesis@tutanota.com> wrote:
PS : With this line in /etc/pam.d/sshd : "auth required /usr/local/lib/security/pam_google_authenticator.so" I'm able to do ssh login with my google auth code.
24. Avr 2018 11:48 de servernemesis@tutanota.com <mailto:servernemesis@ tutanota.com>:
Hello,
I followed this tutorial (> https://www.techdrabble.com/
citrix/14-2factor-with-google-authenticator-and-netscaler < https://www.techdrabble.com/citrix/14-2factor-with-google- authenticator-and-netscaler>> ) and managed to get it running on Debian 9 with FR 3.0.12 thanks to the help here. But I have another issue : when I try to authenticate with password + googleauth code, I got rejected.
I'm able to log on the FR server with domain credentials without problem. The google auth code gets generated without issue either.
Radtest: radtest > user@mydomain.com <mailto:user@mydomain.com>> password123456 localhost 18120 testing123 Sent Access-Request Id 226 from 0.0.0.0:38763 to 127.0.0.1:1812 length 92 User-Name = "> user@mydomain.com <mailto:user@mydomain.com>> " User-Password = "password123456" NAS-IP-Address = 127.0.1.1 NAS-Port = 18120 Message-Authenticator = 0x00 Cleartext-Password = "password123456" Received Access-Reject Id 226 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
Log: Ready to process requests Waking up in 0.3 seconds. (0) Received Access-Request Id 226 from 127.0.0.1:38763 to 127.0.0.1:1812 length 92 (0) User-Name = "> user@mydomain.com <mailto:user@mydomain.com>> " (0) User-Password = "password123456" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 18120 (0) Message-Authenticator = 0x53b836642c653e776b0d9f8a542fca3a (0) # Executing section authorize from file /etc/freeradius/3.0/sites- enabled/default (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) # Executing group from file /etc/freeradius/3.0/sites- enabled/default Waking up in 0.3 seconds. Waking up in 0.2 seconds. (0) pam: ERROR: pam_authenticate failed: Authentication failure (0) # Executing group from file /etc/freeradius/3.0/sites- enabled/default Waking up in 0.7 seconds. (0) Sent Access-Reject Id 226 from 127.0.0.1:1812 to 127.0.0.1:38763 length 20 Waking up in 3.9 seconds. Ready to process requests
Regards
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
I log with the fqdn (use_fully_qualified_names true in sssd) But I tried without and same problem.
Try radtest without @doman part, as It is not part of usernameEero 24. Avr 2018 12:08 de servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>:
PS : With this line in /etc/pam.d/sshd : "auth required /usr/local/lib/security/pam_google_authenticator.so" I'm able to do ssh login with my google auth code.
24. Avr 2018 11:48 de > servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> :
Hello,
I followed this tutorial (>> https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-... <https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-netscaler>>> ) and managed to get it running on Debian 9 with FR 3.0.12 thanks to the help here. But I have another issue : when I try to authenticate with password + googleauth code, I got rejected. I'm able to log on the FR server with domain credentials without problem. The google auth code gets generated without issue either.
Radtest: radtest >> user@mydomain.com <mailto:user@mydomain.com>>> password123456 localhost 18120 testing123 Sent Access-Request Id 226 from 0.0.0.0:38763 to 127.0.0.1:1812 length 92 User-Name = ">> user@mydomain.com <mailto:user@mydomain.com>>> " User-Password = "password123456" NAS-IP-Address = 127.0.1.1 NAS-Port = 18120 Message-Authenticator = 0x00 Cleartext-Password = "password123456" Received Access-Reject Id 226 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
Log: Ready to process requests Waking up in 0.3 seconds. (0) Received Access-Request Id 226 from 127.0.0.1:38763 to 127.0.0.1:1812 length 92 (0) User-Name = ">> user@mydomain.com <mailto:user@mydomain.com>>> " (0) User-Password = "password123456" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 18120 (0) Message-Authenticator = 0x53b836642c653e776b0d9f8a542fca3a (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Waking up in 0.3 seconds. Waking up in 0.2 seconds. (0) pam: ERROR: pam_authenticate failed: Authentication failure (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Waking up in 0.7 seconds. (0) Sent Access-Reject Id 226 from 127.0.0.1:1812 to 127.0.0.1:38763 length 20 Waking up in 3.9 seconds. Ready to process requests
Regards
well. check out all logs and run freeradius in debug mode -XXX (if I remember switch correctly) Eero ti 24. huhtik. 2018 klo 12.34 <servernemesis@tutanota.com> kirjoitti: > I log with the fqdn (use_fully_qualified_names true in sssd) > But I tried without and same problem. > > > > Try radtest without @doman part, as It is not part of usernameEero > 24. Avr 2018 12:08 de servernemesis@tutanota.com <mailto: > servernemesis@tutanota.com>: > > > > PS : > > With this line in /etc/pam.d/sshd : > > "auth required /usr/local/lib/security/pam_google_authenticator.so" > > I'm able to do ssh login with my google auth code. > > > > > > 24. Avr 2018 11:48 de > servernemesis@tutanota.com <mailto: > servernemesis@tutanota.com>> : > > > > > >> > >> Hello, > >> > >> I followed this tutorial (>> > https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-netscaler > < > https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-netscaler>>> > ) and managed to get it running on Debian 9 with FR 3.0.12 thanks to the > help here. But I have another issue : when I try to authenticate with > password + googleauth code, I got rejected. > >> I'm able to log on the FR server with domain credentials without > problem. The google auth code gets generated without issue either. > >> > >> Radtest: > >> radtest >> user@mydomain.com <mailto:user@mydomain.com>>> > password123456 localhost 18120 testing123 > >> Sent Access-Request Id 226 from 0.0.0.0:38763 to 127.0.0.1:1812 length > 92 > >> User-Name = ">> user@mydomain.com <mailto:user@mydomain.com>>> > " > >> User-Password = "password123456" > >> NAS-IP-Address = 127.0.1.1 > >> NAS-Port = 18120 > >> Message-Authenticator = 0x00 > >> Cleartext-Password = "password123456" > >> Received Access-Reject Id 226 from 127.0.0.1:1812 to 0.0.0.0:0 length > 20 > >> (0) -: Expected Access-Accept got Access-Reject > >> > >> > >> Log: > >> Ready to process requests > >> Waking up in 0.3 seconds. > >> (0) Received Access-Request Id 226 from 127.0.0.1:38763 to > 127.0.0.1:1812 length 92 > >> (0) User-Name = ">> user@mydomain.com <mailto:user@mydomain.com>>> " > >> (0) User-Password = "password123456" > >> (0) NAS-IP-Address = 127.0.1.1 > >> (0) NAS-Port = 18120 > >> (0) Message-Authenticator = 0x53b836642c653e776b0d9f8a542fca3a > >> (0) # Executing section authorize from file > /etc/freeradius/3.0/sites-enabled/default > >> (0) pap: WARNING: No "known good" password found for the user. Not > setting Auth-Type > >> (0) pap: WARNING: Authentication will fail unless a "known good" > password is available > >> (0) # Executing group from file > /etc/freeradius/3.0/sites-enabled/default > >> Waking up in 0.3 seconds. > >> Waking up in 0.2 seconds. > >> (0) pam: ERROR: pam_authenticate failed: Authentication failure > >> (0) # Executing group from file > /etc/freeradius/3.0/sites-enabled/default > >> Waking up in 0.7 seconds. > >> (0) Sent Access-Reject Id 226 from 127.0.0.1:1812 to 127.0.0.1:38763 > length 20 > >> Waking up in 3.9 seconds. > >> Ready to process requests > >> > >> Regards > >> > >> > >> > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html
Thanks for your help, here is the full debug :
Tue Apr 24 15:06:13 2018 : Debug: Threads: total/active/spare threads = 5/0/5
Tue Apr 24 15:06:13 2018 : Debug: Waking up in 0.3 seconds.
Tue Apr 24 15:06:13 2018 : Debug: Thread 5 got semaphore
Tue Apr 24 15:06:13 2018 : Debug: Thread 5 handling request 0, (1 handled so far)
Tue Apr 24 15:06:13 2018 : Debug: (0) Received Access-Request Id 86 from 127.0.0.1:47786 to 127.0.0.1:1812 length 92
Tue Apr 24 15:06:13 2018 : Debug: (0) User-Name = "user@mydomain.com <mailto:user@mydomain.com>"
Tue Apr 24 15:06:13 2018 : Debug: (0) User-Password = "password123456"
Tue Apr 24 15:06:13 2018 : Debug: (0) NAS-IP-Address = 127.0.1.1
Tue Apr 24 15:06:13 2018 : Debug: (0) NAS-Port = 18120
Tue Apr 24 15:06:13 2018 : Debug: (0) Message-Authenticator = 0x5f5b5b060935a0141122f9c08e0c4aa6
Tue Apr 24 15:06:13 2018 : Debug: (0) session-state: No State attribute
Tue Apr 24 15:06:13 2018 : Debug: (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 24 15:06:13 2018 : Debug: (0) authorize {
Tue Apr 24 15:06:13 2018 : Debug: (0) policy filter_username {
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name) {
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name) -> TRUE
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name) {
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ / /) {
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ / /) -> FALSE
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /@[^@]*@/ ) {
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /\.\./ ) {
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /\.\./ ) -> FALSE
Tue Apr 24 15:06:13 2018 : Debug: (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
Tue Apr 24 15:06:13 2018 : Debug: (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /\.$/) {
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /\.$/) -> FALSE
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /@\./) {
Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /@\./) -> FALSE
Tue Apr 24 15:06:13 2018 : Debug: (0) } # if (&User-Name) = notfound
Tue Apr 24 15:06:13 2018 : Debug: (0) } # policy filter_username = notfound
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling preprocess (rlm_preprocess)
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess)
Tue Apr 24 15:06:13 2018 : Debug: (0) [preprocess] = ok
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling chap (rlm_chap)
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned from chap (rlm_chap)
Tue Apr 24 15:06:13 2018 : Debug: (0) [chap] = noop
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling mschap (rlm_mschap)
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned from mschap (rlm_mschap)
Tue Apr 24 15:06:13 2018 : Debug: (0) [mschap] = noop
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling digest (rlm_digest)
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned from digest (rlm_digest)
Tue Apr 24 15:06:13 2018 : Debug: (0) [digest] = noop
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling suffix (rlm_realm)
Tue Apr 24 15:06:13 2018 : Debug: (0) suffix: Checking for suffix after "@"
Tue Apr 24 15:06:13 2018 : Debug: (0) suffix: Looking up realm "mydomain.com" for User-Name = "user@mydomain.com <mailto:user@mydomain.com>"
Tue Apr 24 15:06:13 2018 : Debug: (0) suffix: No such realm "mydomain.com"
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned from suffix (rlm_realm)
Tue Apr 24 15:06:13 2018 : Debug: (0) [suffix] = noop
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling eap (rlm_eap)
Tue Apr 24 15:06:13 2018 : Debug: (0) eap: No EAP-Message, not doing EAP
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned from eap (rlm_eap)
Tue Apr 24 15:06:13 2018 : Debug: (0) [eap] = noop
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling files (rlm_files)
Tue Apr 24 15:06:13 2018 : Debug: (0) files: users: Matched entry DEFAULT at line 221
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned from files (rlm_files)
Tue Apr 24 15:06:13 2018 : Debug: (0) [files] = ok
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling expiration (rlm_expiration)
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned from expiration (rlm_expiration)
Tue Apr 24 15:06:13 2018 : Debug: (0) [expiration] = noop
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling logintime (rlm_logintime)
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned from logintime (rlm_logintime)
Tue Apr 24 15:06:13 2018 : Debug: (0) [logintime] = noop
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling pap (rlm_pap)
Tue Apr 24 15:06:13 2018 : WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type
Tue Apr 24 15:06:13 2018 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap)
Tue Apr 24 15:06:13 2018 : Debug: (0) [pap] = noop
Tue Apr 24 15:06:13 2018 : Debug: (0) } # authorize = ok
Tue Apr 24 15:06:13 2018 : Debug: (0) Found Auth-Type = pam
Tue Apr 24 15:06:13 2018 : Debug: (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 24 15:06:13 2018 : Debug: (0) authenticate {
Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authenticate]: calling pam (rlm_pam)
Tue Apr 24 15:06:13 2018 : Debug: (0) pam: Using pamauth string "radiusd" for pam.conf lookup
Tue Apr 24 15:06:13 2018 : Debug: Waking up in 0.3 seconds.
Tue Apr 24 15:06:13 2018 : Debug: Waking up in 0.2 seconds.
Tue Apr 24 15:06:13 2018 : Debug: Waking up in 0.4 seconds.
Tue Apr 24 15:06:14 2018 : Debug: Waking up in 0.7 seconds.
Tue Apr 24 15:06:14 2018 : Debug: Waking up in 1.1 seconds.
Tue Apr 24 15:06:15 2018 : ERROR: (0) pam: pam_authenticate failed: Authentication failure
Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[authenticate]: returned from pam (rlm_pam)
Tue Apr 24 15:06:15 2018 : Debug: (0) [pam] = reject
Tue Apr 24 15:06:15 2018 : Debug: (0) } # authenticate = reject
Tue Apr 24 15:06:15 2018 : Debug: (0) Failed to authenticate the user
Tue Apr 24 15:06:15 2018 : Debug: (0) Using Post-Auth-Type Reject
Tue Apr 24 15:06:15 2018 : Debug: (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 24 15:06:15 2018 : Debug: (0) Post-Auth-Type REJECT {
Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter)
Tue Apr 24 15:06:15 2018 : Debug: %{User-Name}
Tue Apr 24 15:06:15 2018 : Debug: Parsed xlat tree:
Tue Apr 24 15:06:15 2018 : Debug: attribute --> User-Name
Tue Apr 24 15:06:15 2018 : Debug: (0) attr_filter.access_reject: EXPAND %{User-Name}
Tue Apr 24 15:06:15 2018 : Debug: (0) attr_filter.access_reject: --> user@mydomain.com <mailto:user@mydomain.com>
Tue Apr 24 15:06:15 2018 : Debug: (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter)
Tue Apr 24 15:06:15 2018 : Debug: (0) [attr_filter.access_reject] = updated
Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]: calling eap (rlm_eap)
Tue Apr 24 15:06:15 2018 : Debug: (0) eap: Request didn't contain an EAP-Message, not inserting EAP-Failure
Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]: returned from eap (rlm_eap)
Tue Apr 24 15:06:15 2018 : Debug: (0) [eap] = noop
Tue Apr 24 15:06:15 2018 : Debug: (0) policy remove_reply_message_if_eap {
Tue Apr 24 15:06:15 2018 : Debug: (0) if (&reply:EAP-Message && &reply:Reply-Message) {
Tue Apr 24 15:06:15 2018 : Debug: (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
Tue Apr 24 15:06:15 2018 : Debug: (0) else {
Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]: calling noop (rlm_always)
Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]: returned from noop (rlm_always)
Tue Apr 24 15:06:15 2018 : Debug: (0) [noop] = noop
Tue Apr 24 15:06:15 2018 : Debug: (0) } # else = noop
Tue Apr 24 15:06:15 2018 : Debug: (0) } # policy remove_reply_message_if_eap = noop
Tue Apr 24 15:06:15 2018 : Debug: (0) } # Post-Auth-Type REJECT = updated
Tue Apr 24 15:06:15 2018 : Debug: (0) Delaying response for 1.000000 seconds
Tue Apr 24 15:06:15 2018 : Debug: Thread 5 waiting to be assigned a request
Tue Apr 24 15:06:16 2018 : Debug: Waking up in 0.2 seconds.
Tue Apr 24 15:06:16 2018 : Debug: (0) Sending delayed response
Tue Apr 24 15:06:16 2018 : Debug: (0) Sent Access-Reject Id 86 from 127.0.0.1:1812 to 127.0.0.1:47786 length 20
Tue Apr 24 15:06:16 2018 : Debug: Waking up in 3.9 seconds.
Tue Apr 24 15:06:20 2018 : Debug: (0) Cleaning up request packet ID 86 with timestamp +29
Tue Apr 24 15:06:20 2018 : Info: Ready to process requests
24. Avr 2018 12:44 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>:
> well. check out all logs and run freeradius in debug mode -XXX (if I
> remember switch correctly)
>
> Eero
>
> ti 24. huhtik. 2018 klo 12.34 <> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> > kirjoitti:
>
>> I log with the fqdn (use_fully_qualified_names true in sssd)
>> But I tried without and same problem.
>>
>> >
>> Try radtest without @doman part, as It is not part of usernameEero
>> 24. Avr 2018 12:08 de >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >:
>>
>>
>> > PS :
>> > With this line in /etc/pam.d/sshd :
>> > "auth required /usr/local/lib/security/pam_google_authenticator.so"
>> > I'm able to do ssh login with my google auth code.
>> >
>> >
>> > 24. Avr 2018 11:48 de > >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> :
>> >
>> >
>> >>
>> >> Hello,
>> >>
>> >> I followed this tutorial (>>
>> https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-netscaler <https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-netscaler>
>> <
>> https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-netscaler <https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-netscaler>>> >>>
>> ) and managed to get it running on Debian 9 with FR 3.0.12 thanks to the
>> help here. But I have another issue : when I try to authenticate with
>> password + googleauth code, I got rejected.
>> >> I'm able to log on the FR server with domain credentials without
>> problem. The google auth code gets generated without issue either.
>> >>
>> >> Radtest:
>> >> radtest >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>>
>> password123456 localhost 18120 testing123
>> >> Sent Access-Request Id 226 from 0.0.0.0:38763 to 127.0.0.1:1812 length
>> 92
>> >> User-Name = ">> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>>
>> "
>> >> User-Password = "password123456"
>> >> NAS-IP-Address = 127.0.1.1
>> >> NAS-Port = 18120
>> >> Message-Authenticator = 0x00
>> >> Cleartext-Password = "password123456"
>> >> Received Access-Reject Id 226 from 127.0.0.1:1812 to 0.0.0.0:0 length
>> 20
>> >> (0) -: Expected Access-Accept got Access-Reject
>> >>
>> >>
>> >> Log:
>> >> Ready to process requests
>> >> Waking up in 0.3 seconds.
>> >> (0) Received Access-Request Id 226 from 127.0.0.1:38763 to
>> 127.0.0.1:1812 length 92
>> >> (0) User-Name = ">> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> "
>> >> (0) User-Password = "password123456"
>> >> (0) NAS-IP-Address = 127.0.1.1
>> >> (0) NAS-Port = 18120
>> >> (0) Message-Authenticator = 0x53b836642c653e776b0d9f8a542fca3a
>> >> (0) # Executing section authorize from file
>> /etc/freeradius/3.0/sites-enabled/default
>> >> (0) pap: WARNING: No "known good" password found for the user. Not
>> setting Auth-Type
>> >> (0) pap: WARNING: Authentication will fail unless a "known good"
>> password is available
>> >> (0) # Executing group from file
>> /etc/freeradius/3.0/sites-enabled/default
>> >> Waking up in 0.3 seconds.
>> >> Waking up in 0.2 seconds.
>> >> (0) pam: ERROR: pam_authenticate failed: Authentication failure
>> >> (0) # Executing group from file
>> /etc/freeradius/3.0/sites-enabled/default
>> >> Waking up in 0.7 seconds.
>> >> (0) Sent Access-Reject Id 226 from 127.0.0.1:1812 to 127.0.0.1:38763
>> length 20
>> >> Waking up in 3.9 seconds.
>> >> Ready to process requests
>> >>
>> >> Regards
>> >>
>> >>
>> >>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
well. looks like @domain part is not working. try without it
Eero
On Tue, Apr 24, 2018 at 4:15 PM, <servernemesis@tutanota.com> wrote:
> Thanks for your help, here is the full debug :
>
> Tue Apr 24 15:06:13 2018 : Debug: Threads: total/active/spare threads =
> 5/0/5
> Tue Apr 24 15:06:13 2018 : Debug: Waking up in 0.3 seconds.
> Tue Apr 24 15:06:13 2018 : Debug: Thread 5 got semaphore
> Tue Apr 24 15:06:13 2018 : Debug: Thread 5 handling request 0, (1 handled
> so far)
> Tue Apr 24 15:06:13 2018 : Debug: (0) Received Access-Request Id 86 from
> 127.0.0.1:47786 to 127.0.0.1:1812 length 92
> Tue Apr 24 15:06:13 2018 : Debug: (0) User-Name = "user@mydomain.com
> <mailto:user@mydomain.com>"
> Tue Apr 24 15:06:13 2018 : Debug: (0) User-Password = "password123456"
> Tue Apr 24 15:06:13 2018 : Debug: (0) NAS-IP-Address = 127.0.1.1
> Tue Apr 24 15:06:13 2018 : Debug: (0) NAS-Port = 18120
> Tue Apr 24 15:06:13 2018 : Debug: (0) Message-Authenticator =
> 0x5f5b5b060935a0141122f9c08e0c4aa6
> Tue Apr 24 15:06:13 2018 : Debug: (0) session-state: No State attribute
> Tue Apr 24 15:06:13 2018 : Debug: (0) # Executing section authorize from
> file /etc/freeradius/3.0/sites-enabled/default
> Tue Apr 24 15:06:13 2018 : Debug: (0) authorize {
> Tue Apr 24 15:06:13 2018 : Debug: (0) policy filter_username {
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name) {
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name) -> TRUE
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name) {
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ / /) {
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ / /) ->
> FALSE
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /@[^@]*@/
> ) {
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /@[^@]*@/
> ) -> FALSE
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /\.\./ ) {
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /\.\./ )
> -> FALSE
> Tue Apr 24 15:06:13 2018 : Debug: (0) if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/)) {
> Tue Apr 24 15:06:13 2018 : Debug: (0) if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /\.$/) {
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /\.$/)
> -> FALSE
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /@\./) {
> Tue Apr 24 15:06:13 2018 : Debug: (0) if (&User-Name =~ /@\./)
> -> FALSE
> Tue Apr 24 15:06:13 2018 : Debug: (0) } # if (&User-Name) = notfound
> Tue Apr 24 15:06:13 2018 : Debug: (0) } # policy filter_username =
> notfound
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling
> preprocess (rlm_preprocess)
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned
> from preprocess (rlm_preprocess)
> Tue Apr 24 15:06:13 2018 : Debug: (0) [preprocess] = ok
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling
> chap (rlm_chap)
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned
> from chap (rlm_chap)
> Tue Apr 24 15:06:13 2018 : Debug: (0) [chap] = noop
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling
> mschap (rlm_mschap)
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned
> from mschap (rlm_mschap)
> Tue Apr 24 15:06:13 2018 : Debug: (0) [mschap] = noop
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling
> digest (rlm_digest)
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned
> from digest (rlm_digest)
> Tue Apr 24 15:06:13 2018 : Debug: (0) [digest] = noop
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling
> suffix (rlm_realm)
> Tue Apr 24 15:06:13 2018 : Debug: (0) suffix: Checking for suffix after "@"
> Tue Apr 24 15:06:13 2018 : Debug: (0) suffix: Looking up realm "
> mydomain.com" for User-Name = "user@mydomain.com <mailto:user@mydomain.com
> >"
> Tue Apr 24 15:06:13 2018 : Debug: (0) suffix: No such realm "mydomain.com"
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned
> from suffix (rlm_realm)
> Tue Apr 24 15:06:13 2018 : Debug: (0) [suffix] = noop
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling
> eap (rlm_eap)
> Tue Apr 24 15:06:13 2018 : Debug: (0) eap: No EAP-Message, not doing EAP
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned
> from eap (rlm_eap)
> Tue Apr 24 15:06:13 2018 : Debug: (0) [eap] = noop
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling
> files (rlm_files)
> Tue Apr 24 15:06:13 2018 : Debug: (0) files: users: Matched entry DEFAULT
> at line 221
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned
> from files (rlm_files)
> Tue Apr 24 15:06:13 2018 : Debug: (0) [files] = ok
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling
> expiration (rlm_expiration)
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned
> from expiration (rlm_expiration)
> Tue Apr 24 15:06:13 2018 : Debug: (0) [expiration] = noop
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling
> logintime (rlm_logintime)
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned
> from logintime (rlm_logintime)
> Tue Apr 24 15:06:13 2018 : Debug: (0) [logintime] = noop
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: calling
> pap (rlm_pap)
> Tue Apr 24 15:06:13 2018 : WARNING: (0) pap: No "known good" password
> found for the user. Not setting Auth-Type
> Tue Apr 24 15:06:13 2018 : WARNING: (0) pap: Authentication will fail
> unless a "known good" password is available
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authorize]: returned
> from pap (rlm_pap)
> Tue Apr 24 15:06:13 2018 : Debug: (0) [pap] = noop
> Tue Apr 24 15:06:13 2018 : Debug: (0) } # authorize = ok
> Tue Apr 24 15:06:13 2018 : Debug: (0) Found Auth-Type = pam
> Tue Apr 24 15:06:13 2018 : Debug: (0) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/default
> Tue Apr 24 15:06:13 2018 : Debug: (0) authenticate {
> Tue Apr 24 15:06:13 2018 : Debug: (0) modsingle[authenticate]: calling
> pam (rlm_pam)
> Tue Apr 24 15:06:13 2018 : Debug: (0) pam: Using pamauth string "radiusd"
> for pam.conf lookup
> Tue Apr 24 15:06:13 2018 : Debug: Waking up in 0.3 seconds.
> Tue Apr 24 15:06:13 2018 : Debug: Waking up in 0.2 seconds.
> Tue Apr 24 15:06:13 2018 : Debug: Waking up in 0.4 seconds.
> Tue Apr 24 15:06:14 2018 : Debug: Waking up in 0.7 seconds.
> Tue Apr 24 15:06:14 2018 : Debug: Waking up in 1.1 seconds.
> Tue Apr 24 15:06:15 2018 : ERROR: (0) pam: pam_authenticate failed:
> Authentication failure
> Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[authenticate]:
> returned from pam (rlm_pam)
> Tue Apr 24 15:06:15 2018 : Debug: (0) [pam] = reject
> Tue Apr 24 15:06:15 2018 : Debug: (0) } # authenticate = reject
> Tue Apr 24 15:06:15 2018 : Debug: (0) Failed to authenticate the user
> Tue Apr 24 15:06:15 2018 : Debug: (0) Using Post-Auth-Type Reject
> Tue Apr 24 15:06:15 2018 : Debug: (0) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/default
> Tue Apr 24 15:06:15 2018 : Debug: (0) Post-Auth-Type REJECT {
> Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]: calling
> attr_filter.access_reject (rlm_attr_filter)
> Tue Apr 24 15:06:15 2018 : Debug: %{User-Name}
> Tue Apr 24 15:06:15 2018 : Debug: Parsed xlat tree:
> Tue Apr 24 15:06:15 2018 : Debug: attribute --> User-Name
> Tue Apr 24 15:06:15 2018 : Debug: (0) attr_filter.access_reject: EXPAND
> %{User-Name}
> Tue Apr 24 15:06:15 2018 : Debug: (0) attr_filter.access_reject: -->
> user@mydomain.com <mailto:user@mydomain.com>
> Tue Apr 24 15:06:15 2018 : Debug: (0) attr_filter.access_reject: Matched
> entry DEFAULT at line 11
> Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]: returned
> from attr_filter.access_reject (rlm_attr_filter)
> Tue Apr 24 15:06:15 2018 : Debug: (0) [attr_filter.access_reject] =
> updated
> Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]: calling
> eap (rlm_eap)
> Tue Apr 24 15:06:15 2018 : Debug: (0) eap: Request didn't contain an
> EAP-Message, not inserting EAP-Failure
> Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]: returned
> from eap (rlm_eap)
> Tue Apr 24 15:06:15 2018 : Debug: (0) [eap] = noop
> Tue Apr 24 15:06:15 2018 : Debug: (0) policy
> remove_reply_message_if_eap {
> Tue Apr 24 15:06:15 2018 : Debug: (0) if (&reply:EAP-Message &&
> &reply:Reply-Message) {
> Tue Apr 24 15:06:15 2018 : Debug: (0) if (&reply:EAP-Message &&
> &reply:Reply-Message) -> FALSE
> Tue Apr 24 15:06:15 2018 : Debug: (0) else {
> Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]:
> calling noop (rlm_always)
> Tue Apr 24 15:06:15 2018 : Debug: (0) modsingle[post-auth]:
> returned from noop (rlm_always)
> Tue Apr 24 15:06:15 2018 : Debug: (0) [noop] = noop
> Tue Apr 24 15:06:15 2018 : Debug: (0) } # else = noop
> Tue Apr 24 15:06:15 2018 : Debug: (0) } # policy
> remove_reply_message_if_eap = noop
> Tue Apr 24 15:06:15 2018 : Debug: (0) } # Post-Auth-Type REJECT = updated
> Tue Apr 24 15:06:15 2018 : Debug: (0) Delaying response for 1.000000
> seconds
> Tue Apr 24 15:06:15 2018 : Debug: Thread 5 waiting to be assigned a request
> Tue Apr 24 15:06:16 2018 : Debug: Waking up in 0.2 seconds.
> Tue Apr 24 15:06:16 2018 : Debug: (0) Sending delayed response
> Tue Apr 24 15:06:16 2018 : Debug: (0) Sent Access-Reject Id 86 from
> 127.0.0.1:1812 to 127.0.0.1:47786 length 20
> Tue Apr 24 15:06:16 2018 : Debug: Waking up in 3.9 seconds.
> Tue Apr 24 15:06:20 2018 : Debug: (0) Cleaning up request packet ID 86
> with timestamp +29
> Tue Apr 24 15:06:20 2018 : Info: Ready to process requests
>
>
>
>
> 24. Avr 2018 12:44 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>
> :
>
>
> > well. check out all logs and run freeradius in debug mode -XXX (if I
> > remember switch correctly)
> >
> > Eero
> >
> > ti 24. huhtik. 2018 klo 12.34 <> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>> > kirjoitti:
> >
> >> I log with the fqdn (use_fully_qualified_names true in sssd)
> >> But I tried without and same problem.
> >>
> >> >
> >> Try radtest without @doman part, as It is not part of usernameEero
> >> 24. Avr 2018 12:08 de >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >:
> >>
> >>
> >> > PS :
> >> > With this line in /etc/pam.d/sshd :
> >> > "auth required /usr/local/lib/security/pam_google_authenticator.so"
> >> > I'm able to do ssh login with my google auth code.
> >> >
> >> >
> >> > 24. Avr 2018 11:48 de > >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> :
> >> >
> >> >
> >> >>
> >> >> Hello,
> >> >>
> >> >> I followed this tutorial (>>
> >> https://www.techdrabble.com/citrix/14-2factor-with-google-
> authenticator-and-netscaler <https://www.techdrabble.com/
> citrix/14-2factor-with-google-authenticator-and-netscaler>
> >> <
> >> https://www.techdrabble.com/citrix/14-2factor-with-google-
> authenticator-and-netscaler <https://www.techdrabble.com/
> citrix/14-2factor-with-google-authenticator-and-netscaler>>> >>>
> >> ) and managed to get it running on Debian 9 with FR 3.0.12 thanks to the
> >> help here. But I have another issue : when I try to authenticate with
> >> password + googleauth code, I got rejected.
> >> >> I'm able to log on the FR server with domain credentials without
> >> problem. The google auth code gets generated without issue either.
> >> >>
> >> >> Radtest:
> >> >> radtest >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>>
> >> password123456 localhost 18120 testing123
> >> >> Sent Access-Request Id 226 from 0.0.0.0:38763 to 127.0.0.1:1812
> length
> >> 92
> >> >> User-Name = ">> >> user@mydomain.com <mailto:
> user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:
> user@mydomain.com>>> >>>
> >> "
> >> >> User-Password = "password123456"
> >> >> NAS-IP-Address = 127.0.1.1
> >> >> NAS-Port = 18120
> >> >> Message-Authenticator = 0x00
> >> >> Cleartext-Password = "password123456"
> >> >> Received Access-Reject Id 226 from 127.0.0.1:1812 to 0.0.0.0:0
> length
> >> 20
> >> >> (0) -: Expected Access-Accept got Access-Reject
> >> >>
> >> >>
> >> >> Log:
> >> >> Ready to process requests
> >> >> Waking up in 0.3 seconds.
> >> >> (0) Received Access-Request Id 226 from 127.0.0.1:38763 to
> >> 127.0.0.1:1812 length 92
> >> >> (0) User-Name = ">> >> user@mydomain.com <mailto:user@mydomain.com>>>
> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> "
> >> >> (0) User-Password = "password123456"
> >> >> (0) NAS-IP-Address = 127.0.1.1
> >> >> (0) NAS-Port = 18120
> >> >> (0) Message-Authenticator = 0x53b836642c653e776b0d9f8a542fca3a
> >> >> (0) # Executing section authorize from file
> >> /etc/freeradius/3.0/sites-enabled/default
> >> >> (0) pap: WARNING: No "known good" password found for the user. Not
> >> setting Auth-Type
> >> >> (0) pap: WARNING: Authentication will fail unless a "known good"
> >> password is available
> >> >> (0) # Executing group from file
> >> /etc/freeradius/3.0/sites-enabled/default
> >> >> Waking up in 0.3 seconds.
> >> >> Waking up in 0.2 seconds.
> >> >> (0) pam: ERROR: pam_authenticate failed: Authentication failure
> >> >> (0) # Executing group from file
> >> /etc/freeradius/3.0/sites-enabled/default
> >> >> Waking up in 0.7 seconds.
> >> >> (0) Sent Access-Reject Id 226 from 127.0.0.1:1812 to 127.0.0.1:38763
> >> length 20
> >> >> Waking up in 3.9 seconds.
> >> >> Ready to process requests
> >> >>
> >> >> Regards
> >> >>
> >> >>
> >> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>
> > -
> > List info/subscribe/unsubscribe? See > http://www.freeradius.org/
> list/users.html <http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
On Apr 24, 2018, at 9:15 AM, <servernemesis@tutanota.com> <servernemesis@tutanota.com> wrote:
Thanks for your help, here is the full debug :
Please read: http://wiki.freeradius.org/list-help It tells you what we need. Alan DeKok.
(0) Received Access-Request Id 65 from 127.0.0.1:46785 to 127.0.0.1:1812 length 92 (0) User-Name = "user@mydomain.com <mailto:user@mydomain.com>" (0) User-Password = "password123456" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 18120 (0) Message-Authenticator = 0x3a86aa1c500c621d719b69dfc18e0118 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "mydomain.com" for User-Name = "user@mydomain.com <mailto:user@mydomain.com>" (0) suffix: No such realm "mydomain.com" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 221 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = pam (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) pam: Using pamauth string "radiusd" for pam.conf lookup (0) pam: ERROR: pam_authenticate failed: Authentication failure (0) [pam] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> user@mydomain.com <mailto:user@mydomain.com> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 65 from 127.0.0.1:1812 to 127.0.0.1:46785 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 65 with timestamp +87 Ready to process requests 24. Avr 2018 15:22 de aland@deployingradius.com <mailto:aland@deployingradius.com>:
On Apr 24, 2018, at 9:15 AM, <>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> > <>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> > wrote:
Thanks for your help, here is the full debug :
Please read: > http://wiki.freeradius.org/list-help <http://wiki.freeradius.org/list-help>
It tells you what we need.
Alan DeKok.
- List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
On Apr 24, 2018, at 9:56 AM, <servernemesis@tutanota.com> <servernemesis@tutanota.com> wrote:
(0) Received Access-Request Id 65 from 127.0.0.1:46785 to 127.0.0.1:1812 length 92 (0) User-Name = "user@mydomain.com"
That's the full user name, *with* domain. ...
(0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "mydomain.com" for User-Name = "user@mydomain.com" (0) suffix: No such realm "mydomain.com" (0) [suffix] = noop
And there's no realm, so the User-Name isn't being stripped of the domain name.
(0) pam: Using pamauth string "radiusd" for pam.conf lookup (0) pam: ERROR: pam_authenticate failed: Authentication failure
Does PAM (and everything past it) know about "user", or "user@mydomain.com"? If it doesn't know about the domain, then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf). Once that's done, FreeRADIUS will pass "user" to PAM, and it should work. *Reading* the debug output helps. See also http://wiki.freeradius.org/radiusd-X Alan DeKok.
Thank you ! My FR server is domain joined, and his krb5 realm is mydomain.com I don't know where I could specify the domain for PAM. I'm not sure what you mean by "If it doesn't know about the domain, then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf)." Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ? Best regards 24. Avr 2018 16:00 de aland@deployingradius.com <mailto:aland@deployingradius.com>:
On Apr 24, 2018, at 9:56 AM, <>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> > <>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> > wrote:
(0) Received Access-Request Id 65 from 127.0.0.1:46785 to 127.0.0.1:1812 length 92 (0) User-Name = ">> user@mydomain.com <mailto:user@mydomain.com>>> "
That's the full user name, *with* domain.
...
(0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "mydomain.com" for User-Name = ">> user@mydomain.com <mailto:user@mydomain.com>>> " (0) suffix: No such realm "mydomain.com" (0) [suffix] = noop
And there's no realm, so the User-Name isn't being stripped of the domain name.
(0) pam: Using pamauth string "radiusd" for pam.conf lookup (0) pam: ERROR: pam_authenticate failed: Authentication failure
Does PAM (and everything past it) know about "user", or "> user@mydomain.com <mailto:user@mydomain.com>> "?
If it doesn't know about the domain, then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf).
Once that's done, FreeRADIUS will pass "user" to PAM, and it should work.
*Reading* the debug output helps. See also > http://wiki.freeradius.org/radiusd-X <http://wiki.freeradius.org/radiusd-X>
Alan DeKok.
- List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
On Apr 24, 2018, at 10:23 AM, <servernemesis@tutanota.com> <servernemesis@tutanota.com> wrote:
My FR server is domain joined, and his krb5 realm is mydomain.com I don't know where I could specify the domain for PAM.
I didn't tell you to specify the domain for PAM.
I'm not sure what you mean by "If it doesn't know about the domain, then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf)." Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
You know you're on the FreeRADIUS mailing list, right? proxy.conf is for FreeRADIUS, not PAM. No, don't edit the /etc/pam.d/radiusd file. If I had meant to edit that file, I would have told you to edit that file. Look in the /etc/raddb (or on debian / Ubuntu) /etc/freeradius directory. The proxy.conf file is there. Read it. Alan DeKok.
Thanks, it looks better but it's still failing : Ready to process requests (0) Received Access-Request Id 113 from 127.0.0.1:34793 to 127.0.0.1:1812 length 92 (0) User-Name = "user@mydomain.com <mailto:user@mydomain.com>" (0) User-Password = "password123456" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 18120 (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "mydomain.com" for User-Name = "user@mydomain.com <mailto:user@mydomain.com>" (0) suffix: Found realm "mydomain.com" (0) suffix: Adding Stripped-User-Name = "user" (0) suffix: Adding Realm = "mydomain.com" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 221 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = pam (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) pam: Using pamauth string "radiusd" for pam.conf lookup (0) pam: ERROR: pam_authenticate failed: Authentication failure (0) [pam] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> user@mydomain.com <mailto:user@mydomain.com> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to 127.0.0.1:34793 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 113 with timestamp +11 Ready to process requests 24. Avr 2018 16:40 de aland@deployingradius.com <mailto:aland@deployingradius.com>:
On Apr 24, 2018, at 10:23 AM, <> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> > <> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> > wrote:
My FR server is domain joined, and his krb5 realm is mydomain.com I don't know where I could specify the domain for PAM.
I didn't tell you to specify the domain for PAM.
I'm not sure what you mean by "If it doesn't know about the domain, then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf)." Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
You know you're on the FreeRADIUS mailing list, right? proxy.conf is for FreeRADIUS, not PAM.
No, don't edit the /etc/pam.d/radiusd file. If I had meant to edit that file, I would have told you to edit that file.
Look in the /etc/raddb (or on debian / Ubuntu) /etc/freeradius directory. The proxy.conf file is there. Read it.
Alan DeKok.
- List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
On Apr 24, 2018, at 11:29 AM, <servernemesis@tutanota.com> <servernemesis@tutanota.com> wrote:
Thanks, it looks better but it's still failing :
Ready to process reques (0) pam: Using pamauth string "radiusd" for pam.conf lookup (0) pam: ERROR: pam_authenticate failed: Authentication failure (0) [pam] = reject
<shrug> Ask PAM why it's rejecting the user. Once PAM gets the user name / password, FreeRADIUS has no idea what PAM does with it. Alan DeKok.
You need to enable pam logging on google authenticator.
what is content of /etc/pam.d/radiusd ?
Eero
ti 24. huhtik. 2018 klo 17.29 <servernemesis@tutanota.com> kirjoitti:
> Thanks, it looks better but it's still failing :
>
> Ready to process requests
> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to 127.0.0.1:1812
> length 92
> (0) User-Name = "user@mydomain.com <mailto:user@mydomain.com>"
> (0) User-Password = "password123456"
> (0) NAS-IP-Address = 127.0.1.1
> (0) NAS-Port = 18120
> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
> user@mydomain.com <mailto:user@mydomain.com>"
> (0) suffix: Found realm "mydomain.com"
> (0) suffix: Adding Stripped-User-Name = "user"
> (0) suffix: Adding Realm = "mydomain.com"
> (0) suffix: Authentication realm is LOCAL
> (0) [suffix] = ok
> (0) eap: No EAP-Message, not doing EAP
> (0) [eap] = noop
> (0) files: users: Matched entry DEFAULT at line 221
> (0) [files] = ok
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user. Not
> setting Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good" password
> is available
> (0) [pap] = noop
> (0) } # authorize = ok
> (0) Found Auth-Type = pam
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) authenticate {
> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> (0) pam: ERROR: pam_authenticate failed: Authentication failure
> (0) [pam] = reject
> (0) } # authenticate = reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject: --> user@mydomain.com <mailto:
> user@mydomain.com>
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0) [attr_filter.access_reject] = updated
> (0) [eap] = noop
> (0) policy remove_reply_message_if_eap {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy remove_reply_message_if_eap = noop
> (0) } # Post-Auth-Type REJECT = updated
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to 127.0.0.1:34793
> length 20
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 113 with timestamp +11
> Ready to process requests
>
>
> 24. Avr 2018 16:40 de aland@deployingradius.com <mailto:
> aland@deployingradius.com>:
>
>
> > On Apr 24, 2018, at 10:23 AM, <> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>> > <> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>> > wrote:
> >>
> >> My FR server is domain joined, and his krb5 realm is mydomain.com
> >> I don't know where I could specify the domain for PAM.
> >
> > I didn't tell you to specify the domain for PAM.
> >
> >> I'm not sure what you mean by "If it doesn't know about the domain,
> then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf)."
> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
> >
> > You know you're on the FreeRADIUS mailing list, right? proxy.conf is
> for FreeRADIUS, not PAM.
> >
> > No, don't edit the /etc/pam.d/radiusd file. If I had meant to edit
> that file, I would have told you to edit that file.
> >
> > Look in the /etc/raddb (or on debian / Ubuntu) /etc/freeradius
> directory. The proxy.conf file is there. Read it.
> >
> > Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See >
> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
I tried
#
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#
# We fall back to the system default in /etc/pam.d/common-*
#
#@include common-auth
#@include common-account
#@include common-password
#@include common-session
auth required /usr/local/lib/security/pam_google_authenticator.so
and
#
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#
# We fall back to the system default in /etc/pam.d/common-*
#
#@include common-auth
#@include common-account
#@include common-password
#@include common-session
auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
In both cases :
Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]: user("user") not found
Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]: No secret configured for user user, asking for code anyway.
Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]: Invalid verification code for user
24. Avr 2018 19:21 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>:
> You need to enable pam logging on google authenticator.
>
> what is content of /etc/pam.d/radiusd ?
>
> Eero
>
> ti 24. huhtik. 2018 klo 17.29 <> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> > kirjoitti:
>
>> Thanks, it looks better but it's still failing :
>>
>> Ready to process requests
>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to 127.0.0.1:1812
>> length 92
>> (0) User-Name = ">> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >"
>> (0) User-Password = "password123456"
>> (0) NAS-IP-Address = 127.0.1.1
>> (0) NAS-Port = 18120
>> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
>> (0) # Executing section authorize from file
>> /etc/freeradius/3.0/sites-enabled/default
>> (0) authorize {
>> (0) policy filter_username {
>> (0) if (&User-Name) {
>> (0) if (&User-Name) -> TRUE
>> (0) if (&User-Name) {
>> (0) if (&User-Name =~ / /) {
>> (0) if (&User-Name =~ / /) -> FALSE
>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>> (0) if (&User-Name =~ /\.\./ ) {
>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
>> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> -> FALSE
>> (0) if (&User-Name =~ /\.$/) {
>> (0) if (&User-Name =~ /\.$/) -> FALSE
>> (0) if (&User-Name =~ /@\./) {
>> (0) if (&User-Name =~ /@\./) -> FALSE
>> (0) } # if (&User-Name) = notfound
>> (0) } # policy filter_username = notfound
>> (0) [preprocess] = ok
>> (0) [chap] = noop
>> (0) [mschap] = noop
>> (0) [digest] = noop
>> (0) suffix: Checking for suffix after "@"
>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >"
>> (0) suffix: Found realm "mydomain.com"
>> (0) suffix: Adding Stripped-User-Name = "user"
>> (0) suffix: Adding Realm = "mydomain.com"
>> (0) suffix: Authentication realm is LOCAL
>> (0) [suffix] = ok
>> (0) eap: No EAP-Message, not doing EAP
>> (0) [eap] = noop
>> (0) files: users: Matched entry DEFAULT at line 221
>> (0) [files] = ok
>> (0) [expiration] = noop
>> (0) [logintime] = noop
>> (0) pap: WARNING: No "known good" password found for the user. Not
>> setting Auth-Type
>> (0) pap: WARNING: Authentication will fail unless a "known good" password
>> is available
>> (0) [pap] = noop
>> (0) } # authorize = ok
>> (0) Found Auth-Type = pam
>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (0) authenticate {
>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
>> (0) [pam] = reject
>> (0) } # authenticate = reject
>> (0) Failed to authenticate the user
>> (0) Using Post-Auth-Type Reject
>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (0) Post-Auth-Type REJECT {
>> (0) attr_filter.access_reject: EXPAND %{User-Name}
>> (0) attr_filter.access_reject: --> >> user@mydomain.com <mailto:user@mydomain.com>>> <mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >
>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> (0) [attr_filter.access_reject] = updated
>> (0) [eap] = noop
>> (0) policy remove_reply_message_if_eap {
>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
>> (0) else {
>> (0) [noop] = noop
>> (0) } # else = noop
>> (0) } # policy remove_reply_message_if_eap = noop
>> (0) } # Post-Auth-Type REJECT = updated
>> (0) Delaying response for 1.000000 seconds
>> Waking up in 0.3 seconds.
>> Waking up in 0.6 seconds.
>> (0) Sending delayed response
>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to 127.0.0.1:34793
>> length 20
>> Waking up in 3.9 seconds.
>> (0) Cleaning up request packet ID 113 with timestamp +11
>> Ready to process requests
>>
>>
>> 24. Avr 2018 16:40 de >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >:
>>
>>
>> > On Apr 24, 2018, at 10:23 AM, <> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> > <> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> > wrote:
>> >>
>> >> My FR server is domain joined, and his krb5 realm is mydomain.com
>> >> I don't know where I could specify the domain for PAM.
>> >
>> > I didn't tell you to specify the domain for PAM.
>> >
>> >> I'm not sure what you mean by "If it doesn't know about the domain,
>> then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf)."
>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
>> >
>> > You know you're on the FreeRADIUS mailing list, right? proxy.conf is
>> for FreeRADIUS, not PAM.
>> >
>> > No, don't edit the /etc/pam.d/radiusd file. If I had meant to edit
>> that file, I would have told you to edit that file.
>> >
>> > Look in the /etc/raddb (or on debian / Ubuntu) /etc/freeradius
>> directory. The proxy.conf file is there. Read it.
>> >
>> > Alan DeKok.
>> >
>> >
>> > -
>> > List info/subscribe/unsubscribe? See >
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
PS : If I disable the domain suffix for the users on the server (being able to login with just "user"), I get
Apr 25 09:27:42 SRV-FREERADIUS radiusd(pam_google_authenticator)[1661]: Invalid verification code for user
25. Avr 2018 09:15 de servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>:
> I tried
>
> #
> # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> #
>
> # We fall back to the system default in /etc/pam.d/common-*
> #
>
> #@include common-auth
> #@include common-account
> #@include common-password
> #@include common-session
> auth required /usr/local/lib/security/pam_google_authenticator.so
>
> and
>
> #
> # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> #
>
> # We fall back to the system default in /etc/pam.d/common-*
> #
>
> #@include common-auth
> #@include common-account
> #@include common-password
> #@include common-session
> auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
> auth required pam_unix.so use_first_pass
>
> In both cases :
>
> Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]: user("user") not found
> Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]: No secret configured for user user, asking for code anyway.
> Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]: Invalid verification code for user
>
>
>
> 24. Avr 2018 19:21 de > eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>> :
>
>
>> You need to enable pam logging on google authenticator.
>>
>> what is content of /etc/pam.d/radiusd ?
>>
>> Eero
>>
>> ti 24. huhtik. 2018 klo 17.29 <>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> > kirjoitti:
>>
>>> Thanks, it looks better but it's still failing :
>>>
>>> Ready to process requests
>>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to 127.0.0.1:1812
>>> length 92
>>> (0) User-Name = ">>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >"
>>> (0) User-Password = "password123456"
>>> (0) NAS-IP-Address = 127.0.1.1
>>> (0) NAS-Port = 18120
>>> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
>>> (0) # Executing section authorize from file
>>> /etc/freeradius/3.0/sites-enabled/default
>>> (0) authorize {
>>> (0) policy filter_username {
>>> (0) if (&User-Name) {
>>> (0) if (&User-Name) -> TRUE
>>> (0) if (&User-Name) {
>>> (0) if (&User-Name =~ / /) {
>>> (0) if (&User-Name =~ / /) -> FALSE
>>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>>> (0) if (&User-Name =~ /\.\./ ) {
>>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>>> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
>>> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>>> -> FALSE
>>> (0) if (&User-Name =~ /\.$/) {
>>> (0) if (&User-Name =~ /\.$/) -> FALSE
>>> (0) if (&User-Name =~ /@\./) {
>>> (0) if (&User-Name =~ /@\./) -> FALSE
>>> (0) } # if (&User-Name) = notfound
>>> (0) } # policy filter_username = notfound
>>> (0) [preprocess] = ok
>>> (0) [chap] = noop
>>> (0) [mschap] = noop
>>> (0) [digest] = noop
>>> (0) suffix: Checking for suffix after "@"
>>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >"
>>> (0) suffix: Found realm "mydomain.com"
>>> (0) suffix: Adding Stripped-User-Name = "user"
>>> (0) suffix: Adding Realm = "mydomain.com"
>>> (0) suffix: Authentication realm is LOCAL
>>> (0) [suffix] = ok
>>> (0) eap: No EAP-Message, not doing EAP
>>> (0) [eap] = noop
>>> (0) files: users: Matched entry DEFAULT at line 221
>>> (0) [files] = ok
>>> (0) [expiration] = noop
>>> (0) [logintime] = noop
>>> (0) pap: WARNING: No "known good" password found for the user. Not
>>> setting Auth-Type
>>> (0) pap: WARNING: Authentication will fail unless a "known good" password
>>> is available
>>> (0) [pap] = noop
>>> (0) } # authorize = ok
>>> (0) Found Auth-Type = pam
>>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>>> (0) authenticate {
>>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
>>> (0) [pam] = reject
>>> (0) } # authenticate = reject
>>> (0) Failed to authenticate the user
>>> (0) Using Post-Auth-Type Reject
>>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>>> (0) Post-Auth-Type REJECT {
>>> (0) attr_filter.access_reject: EXPAND %{User-Name}
>>> (0) attr_filter.access_reject: --> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> >
>>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
>>> (0) [attr_filter.access_reject] = updated
>>> (0) [eap] = noop
>>> (0) policy remove_reply_message_if_eap {
>>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>>> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
>>> (0) else {
>>> (0) [noop] = noop
>>> (0) } # else = noop
>>> (0) } # policy remove_reply_message_if_eap = noop
>>> (0) } # Post-Auth-Type REJECT = updated
>>> (0) Delaying response for 1.000000 seconds
>>> Waking up in 0.3 seconds.
>>> Waking up in 0.6 seconds.
>>> (0) Sending delayed response
>>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to 127.0.0.1:34793
>>> length 20
>>> Waking up in 3.9 seconds.
>>> (0) Cleaning up request packet ID 113 with timestamp +11
>>> Ready to process requests
>>>
>>>
>>> 24. Avr 2018 16:40 de >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> <mailto:
>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >:
>>>
>>>
>>> > On Apr 24, 2018, at 10:23 AM, <> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >> > <> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >> > wrote:
>>> >>
>>> >> My FR server is domain joined, and his krb5 realm is mydomain.com
>>> >> I don't know where I could specify the domain for PAM.
>>> >
>>> > I didn't tell you to specify the domain for PAM.
>>> >
>>> >> I'm not sure what you mean by "If it doesn't know about the domain,
>>> then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf)."
>>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
>>> >
>>> > You know you're on the FreeRADIUS mailing list, right? proxy.conf is
>>> for FreeRADIUS, not PAM.
>>> >
>>> > No, don't edit the /etc/pam.d/radiusd file. If I had meant to edit
>>> that file, I would have told you to edit that file.
>>> >
>>> > Look in the /etc/raddb (or on debian / Ubuntu) /etc/freeradius
>>> directory. The proxy.conf file is there. Read it.
>>> >
>>> > Alan DeKok.
>>> >
>>> >
>>> > -
>>> > List info/subscribe/unsubscribe? See >
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
>> -
>> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
It means that code is wrong? is the server using ntp and clock is sync and
mobile is in sync.
Try following: log into user. delete .google* file from user home directory.
run google-authenticator without params and select time based token/auth
and add new authenticator code to google auth in phone
Eero
ke 25. huhtik. 2018 klo 10.39 <servernemesis@tutanota.com> kirjoitti:
> PS : If I disable the domain suffix for the users on the server (being
> able to login with just "user"), I get
>
> Apr 25 09:27:42 SRV-FREERADIUS radiusd(pam_google_authenticator)[1661]:
> Invalid verification code for user
>
>
> 25. Avr 2018 09:15 de servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>:
>
>
> > I tried
> >
> > #
> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> > #
> >
> > # We fall back to the system default in /etc/pam.d/common-*
> > #
> >
> > #@include common-auth
> > #@include common-account
> > #@include common-password
> > #@include common-session
> > auth required /usr/local/lib/security/pam_google_authenticator.so
> >
> > and
> >
> > #
> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> > #
> >
> > # We fall back to the system default in /etc/pam.d/common-*
> > #
> >
> > #@include common-auth
> > #@include common-account
> > #@include common-password
> > #@include common-session
> > auth requisite /usr/local/lib/security/pam_google_authenticator.so
> forward_pass
> > auth required pam_unix.so use_first_pass
> >
> > In both cases :
> >
> > Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]:
> user("user") not found
> > Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]:
> No secret configured for user user, asking for code anyway.
> > Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]:
> Invalid verification code for user
> >
> >
> >
> > 24. Avr 2018 19:21 de > eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>> :
> >
> >
> >> You need to enable pam logging on google authenticator.
> >>
> >> what is content of /etc/pam.d/radiusd ?
> >>
> >> Eero
> >>
> >> ti 24. huhtik. 2018 klo 17.29 <>> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> > kirjoitti:
> >>
> >>> Thanks, it looks better but it's still failing :
> >>>
> >>> Ready to process requests
> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
> 127.0.0.1:1812
> >>> length 92
> >>> (0) User-Name = ">>> user@mydomain.com <mailto:user@mydomain.com>>>>
> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >"
> >>> (0) User-Password = "password123456"
> >>> (0) NAS-IP-Address = 127.0.1.1
> >>> (0) NAS-Port = 18120
> >>> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
> >>> (0) # Executing section authorize from file
> >>> /etc/freeradius/3.0/sites-enabled/default
> >>> (0) authorize {
> >>> (0) policy filter_username {
> >>> (0) if (&User-Name) {
> >>> (0) if (&User-Name) -> TRUE
> >>> (0) if (&User-Name) {
> >>> (0) if (&User-Name =~ / /) {
> >>> (0) if (&User-Name =~ / /) -> FALSE
> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> >>> (0) if (&User-Name =~ /\.\./ ) {
> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> >>> -> FALSE
> >>> (0) if (&User-Name =~ /\.$/) {
> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
> >>> (0) if (&User-Name =~ /@\./) {
> >>> (0) if (&User-Name =~ /@\./) -> FALSE
> >>> (0) } # if (&User-Name) = notfound
> >>> (0) } # policy filter_username = notfound
> >>> (0) [preprocess] = ok
> >>> (0) [chap] = noop
> >>> (0) [mschap] = noop
> >>> (0) [digest] = noop
> >>> (0) suffix: Checking for suffix after "@"
> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >"
> >>> (0) suffix: Found realm "mydomain.com"
> >>> (0) suffix: Adding Stripped-User-Name = "user"
> >>> (0) suffix: Adding Realm = "mydomain.com"
> >>> (0) suffix: Authentication realm is LOCAL
> >>> (0) [suffix] = ok
> >>> (0) eap: No EAP-Message, not doing EAP
> >>> (0) [eap] = noop
> >>> (0) files: users: Matched entry DEFAULT at line 221
> >>> (0) [files] = ok
> >>> (0) [expiration] = noop
> >>> (0) [logintime] = noop
> >>> (0) pap: WARNING: No "known good" password found for the user. Not
> >>> setting Auth-Type
> >>> (0) pap: WARNING: Authentication will fail unless a "known good"
> password
> >>> is available
> >>> (0) [pap] = noop
> >>> (0) } # authorize = ok
> >>> (0) Found Auth-Type = pam
> >>> (0) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/default
> >>> (0) authenticate {
> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> >>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
> >>> (0) [pam] = reject
> >>> (0) } # authenticate = reject
> >>> (0) Failed to authenticate the user
> >>> (0) Using Post-Auth-Type Reject
> >>> (0) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/default
> >>> (0) Post-Auth-Type REJECT {
> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
> >>> (0) attr_filter.access_reject: --> >>> user@mydomain.com <mailto:
> user@mydomain.com>>>> <mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> >
> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> >>> (0) [attr_filter.access_reject] = updated
> >>> (0) [eap] = noop
> >>> (0) policy remove_reply_message_if_eap {
> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> >>> (0) else {
> >>> (0) [noop] = noop
> >>> (0) } # else = noop
> >>> (0) } # policy remove_reply_message_if_eap = noop
> >>> (0) } # Post-Auth-Type REJECT = updated
> >>> (0) Delaying response for 1.000000 seconds
> >>> Waking up in 0.3 seconds.
> >>> Waking up in 0.6 seconds.
> >>> (0) Sending delayed response
> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to 127.0.0.1:34793
> >>> length 20
> >>> Waking up in 3.9 seconds.
> >>> (0) Cleaning up request packet ID 113 with timestamp +11
> >>> Ready to process requests
> >>>
> >>>
> >>> 24. Avr 2018 16:40 de >>> aland@deployingradius.com <mailto:
> aland@deployingradius.com>>>> <mailto:
> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >:
> >>>
> >>>
> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> servernemesis@tutanota.com
> <mailto:servernemesis@tutanota.com>>>> <mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>
> > <> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>
> > wrote:
> >>> >>
> >>> >> My FR server is domain joined, and his krb5 realm is mydomain.com
> >>> >> I don't know where I could specify the domain for PAM.
> >>> >
> >>> > I didn't tell you to specify the domain for PAM.
> >>> >
> >>> >> I'm not sure what you mean by "If it doesn't know about the domain,
> >>> then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf)."
> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
> >>> >
> >>> > You know you're on the FreeRADIUS mailing list, right? proxy.conf
> is
> >>> for FreeRADIUS, not PAM.
> >>> >
> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had meant to edit
> >>> that file, I would have told you to edit that file.
> >>> >
> >>> > Look in the /etc/raddb (or on debian / Ubuntu) /etc/freeradius
> >>> directory. The proxy.conf file is there. Read it.
> >>> >
> >>> > Alan DeKok.
> >>> >
> >>> >
> >>> > -
> >>> > List info/subscribe/unsubscribe? See >
> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> >
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> >> -
> >> List info/subscribe/unsubscribe? See >>
> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Hello,
No because if I login with SSH, it works :
Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]: Accepted google_authenticator for user
Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user from 192.168.50.68 port 50020 ssh2
Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session): session opened for user user by (uid=0)
Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of user user.
I don't get why it's not working with the radius...
25. Avr 2018 09:46 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>:
> It means that code is wrong? is the server using ntp and clock is sync and
> mobile is in sync.
>
> Try following: log into user. delete .google* file from user home directory.
>
> run google-authenticator without params and select time based token/auth
> and add new authenticator code to google auth in phone
>
> Eero
>
> ke 25. huhtik. 2018 klo 10.39 <> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> > kirjoitti:
>
>> PS : If I disable the domain suffix for the users on the server (being
>> able to login with just "user"), I get
>>
>> Apr 25 09:27:42 SRV-FREERADIUS radiusd(pam_google_authenticator)[1661]:
>> Invalid verification code for user
>>
>>
>> 25. Avr 2018 09:15 de >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >:
>>
>>
>> > I tried
>> >
>> > #
>> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>> > #
>> >
>> > # We fall back to the system default in /etc/pam.d/common-*
>> > #
>> >
>> > #@include common-auth
>> > #@include common-account
>> > #@include common-password
>> > #@include common-session
>> > auth required /usr/local/lib/security/pam_google_authenticator.so
>> >
>> > and
>> >
>> > #
>> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>> > #
>> >
>> > # We fall back to the system default in /etc/pam.d/common-*
>> > #
>> >
>> > #@include common-auth
>> > #@include common-account
>> > #@include common-password
>> > #@include common-session
>> > auth requisite /usr/local/lib/security/pam_google_authenticator.so
>> forward_pass
>> > auth required pam_unix.so use_first_pass
>> >
>> > In both cases :
>> >
>> > Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]:
>> user("user") not found
>> > Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]:
>> No secret configured for user user, asking for code anyway.
>> > Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]:
>> Invalid verification code for user
>> >
>> >
>> >
>> > 24. Avr 2018 19:21 de > >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >> :
>> >
>> >
>> >> You need to enable pam logging on google authenticator.
>> >>
>> >> what is content of /etc/pam.d/radiusd ?
>> >>
>> >> Eero
>> >>
>> >> ti 24. huhtik. 2018 klo 17.29 <>> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> > kirjoitti:
>> >>
>> >>> Thanks, it looks better but it's still failing :
>> >>>
>> >>> Ready to process requests
>> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
>> 127.0.0.1:1812
>> >>> length 92
>> >>> (0) User-Name = ">>> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>>>
>> <>>> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>>> >"
>> >>> (0) User-Password = "password123456"
>> >>> (0) NAS-IP-Address = 127.0.1.1
>> >>> (0) NAS-Port = 18120
>> >>> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
>> >>> (0) # Executing section authorize from file
>> >>> /etc/freeradius/3.0/sites-enabled/default
>> >>> (0) authorize {
>> >>> (0) policy filter_username {
>> >>> (0) if (&User-Name) {
>> >>> (0) if (&User-Name) -> TRUE
>> >>> (0) if (&User-Name) {
>> >>> (0) if (&User-Name =~ / /) {
>> >>> (0) if (&User-Name =~ / /) -> FALSE
>> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>> >>> (0) if (&User-Name =~ /\.\./ ) {
>> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/)) {
>> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> >>> -> FALSE
>> >>> (0) if (&User-Name =~ /\.$/) {
>> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
>> >>> (0) if (&User-Name =~ /@\./) {
>> >>> (0) if (&User-Name =~ /@\./) -> FALSE
>> >>> (0) } # if (&User-Name) = notfound
>> >>> (0) } # policy filter_username = notfound
>> >>> (0) [preprocess] = ok
>> >>> (0) [chap] = noop
>> >>> (0) [mschap] = noop
>> >>> (0) [digest] = noop
>> >>> (0) suffix: Checking for suffix after "@"
>> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
>> >>> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>>> <>>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>>> >"
>> >>> (0) suffix: Found realm "mydomain.com"
>> >>> (0) suffix: Adding Stripped-User-Name = "user"
>> >>> (0) suffix: Adding Realm = "mydomain.com"
>> >>> (0) suffix: Authentication realm is LOCAL
>> >>> (0) [suffix] = ok
>> >>> (0) eap: No EAP-Message, not doing EAP
>> >>> (0) [eap] = noop
>> >>> (0) files: users: Matched entry DEFAULT at line 221
>> >>> (0) [files] = ok
>> >>> (0) [expiration] = noop
>> >>> (0) [logintime] = noop
>> >>> (0) pap: WARNING: No "known good" password found for the user. Not
>> >>> setting Auth-Type
>> >>> (0) pap: WARNING: Authentication will fail unless a "known good"
>> password
>> >>> is available
>> >>> (0) [pap] = noop
>> >>> (0) } # authorize = ok
>> >>> (0) Found Auth-Type = pam
>> >>> (0) # Executing group from file
>> /etc/freeradius/3.0/sites-enabled/default
>> >>> (0) authenticate {
>> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>> >>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
>> >>> (0) [pam] = reject
>> >>> (0) } # authenticate = reject
>> >>> (0) Failed to authenticate the user
>> >>> (0) Using Post-Auth-Type Reject
>> >>> (0) # Executing group from file
>> /etc/freeradius/3.0/sites-enabled/default
>> >>> (0) Post-Auth-Type REJECT {
>> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
>> >>> (0) attr_filter.access_reject: --> >>> >> user@mydomain.com <mailto:user@mydomain.com>>> <mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>>> <mailto:
>> >>> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>>> >
>> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> >>> (0) [attr_filter.access_reject] = updated
>> >>> (0) [eap] = noop
>> >>> (0) policy remove_reply_message_if_eap {
>> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
>> >>> (0) else {
>> >>> (0) [noop] = noop
>> >>> (0) } # else = noop
>> >>> (0) } # policy remove_reply_message_if_eap = noop
>> >>> (0) } # Post-Auth-Type REJECT = updated
>> >>> (0) Delaying response for 1.000000 seconds
>> >>> Waking up in 0.3 seconds.
>> >>> Waking up in 0.6 seconds.
>> >>> (0) Sending delayed response
>> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to 127.0.0.1:34793
>> >>> length 20
>> >>> Waking up in 3.9 seconds.
>> >>> (0) Cleaning up request packet ID 113 with timestamp +11
>> >>> Ready to process requests
>> >>>
>> >>>
>> >>> 24. Avr 2018 16:40 de >>> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>>> <mailto:
>> >>> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>>> >:
>> >>>
>> >>>
>> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>> <mailto:
>> >>> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>> >>
>> > <> >>> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>>
>> <mailto:
>> >>> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>> >>
>> > wrote:
>> >>> >>
>> >>> >> My FR server is domain joined, and his krb5 realm is mydomain.com
>> >>> >> I don't know where I could specify the domain for PAM.
>> >>> >
>> >>> > I didn't tell you to specify the domain for PAM.
>> >>> >
>> >>> >> I'm not sure what you mean by "If it doesn't know about the domain,
>> >>> then add a realm for "mydomain.com". Make it LOCAL (see proxy.conf)."
>> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
>> >>> >
>> >>> > You know you're on the FreeRADIUS mailing list, right? proxy.conf
>> is
>> >>> for FreeRADIUS, not PAM.
>> >>> >
>> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had meant to edit
>> >>> that file, I would have told you to edit that file.
>> >>> >
>> >>> > Look in the /etc/raddb (or on debian / Ubuntu) /etc/freeradius
>> >>> directory. The proxy.conf file is there. Read it.
>> >>> >
>> >>> > Alan DeKok.
>> >>> >
>> >>> >
>> >>> > -
>> >>> > List info/subscribe/unsubscribe? See >
>> >>> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>>> <
>> >>> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>>> >
>> >>> -
>> >>> List info/subscribe/unsubscribe? See
>> >>> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> >> -
>> >> List info/subscribe/unsubscribe? See >>
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
well. radius secret can be wrong also for your client.
radius secret is in client.conf and its tied to client ip address. check it
out and test again.
anyway. in your config you need use only google code, not password.
Eero
ke 25. huhtik. 2018 klo 10.49 <servernemesis@tutanota.com> kirjoitti:
> Hello,
>
> No because if I login with SSH, it works :
>
> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]:
> Accepted google_authenticator for user
> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user from
> 192.168.50.68 port 50020 ssh2
> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session): session
> opened for user user by (uid=0)
> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of user
> user.
>
> I don't get why it's not working with the radius...
>
> 25. Avr 2018 09:46 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi
> >:
>
>
> > It means that code is wrong? is the server using ntp and clock is sync
> and
> > mobile is in sync.
> >
> > Try following: log into user. delete .google* file from user home
> directory.
> >
> > run google-authenticator without params and select time based token/auth
> > and add new authenticator code to google auth in phone
> >
> > Eero
> >
> > ke 25. huhtik. 2018 klo 10.39 <> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>> > kirjoitti:
> >
> >> PS : If I disable the domain suffix for the users on the server (being
> >> able to login with just "user"), I get
> >>
> >> Apr 25 09:27:42 SRV-FREERADIUS radiusd(pam_google_authenticator)[1661]:
> >> Invalid verification code for user
> >>
> >>
> >> 25. Avr 2018 09:15 de >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >:
> >>
> >>
> >> > I tried
> >> >
> >> > #
> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >> > #
> >> >
> >> > # We fall back to the system default in /etc/pam.d/common-*
> >> > #
> >> >
> >> > #@include common-auth
> >> > #@include common-account
> >> > #@include common-password
> >> > #@include common-session
> >> > auth required /usr/local/lib/security/pam_google_authenticator.so
> >> >
> >> > and
> >> >
> >> > #
> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >> > #
> >> >
> >> > # We fall back to the system default in /etc/pam.d/common-*
> >> > #
> >> >
> >> > #@include common-auth
> >> > #@include common-account
> >> > #@include common-password
> >> > #@include common-session
> >> > auth requisite /usr/local/lib/security/pam_google_authenticator.so
> >> forward_pass
> >> > auth required pam_unix.so use_first_pass
> >> >
> >> > In both cases :
> >> >
> >> > Apr 25 09:05:43 SRV-FREERADIUS
> radiusd(pam_google_authenticator)[6847]:
> >> user("user") not found
> >> > Apr 25 09:05:43 SRV-FREERADIUS
> radiusd(pam_google_authenticator)[6847]:
> >> No secret configured for user user, asking for code anyway.
> >> > Apr 25 09:05:43 SRV-FREERADIUS
> radiusd(pam_google_authenticator)[6847]:
> >> Invalid verification code for user
> >> >
> >> >
> >> >
> >> > 24. Avr 2018 19:21 de > >> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>> <mailto:
> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >> :
> >> >
> >> >
> >> >> You need to enable pam logging on google authenticator.
> >> >>
> >> >> what is content of /etc/pam.d/radiusd ?
> >> >>
> >> >> Eero
> >> >>
> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> servernemesis@tutanota.com
> <mailto:servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >
> kirjoitti:
> >> >>
> >> >>> Thanks, it looks better but it's still failing :
> >> >>>
> >> >>> Ready to process requests
> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
> >> 127.0.0.1:1812
> >> >>> length 92
> >> >>> (0) User-Name = ">>> >> user@mydomain.com <mailto:
> user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:
> user@mydomain.com>>> >>>>
> >> <>>> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>
> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:
> user@mydomain.com>>> >>>> >"
> >> >>> (0) User-Password = "password123456"
> >> >>> (0) NAS-IP-Address = 127.0.1.1
> >> >>> (0) NAS-Port = 18120
> >> >>> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
> >> >>> (0) # Executing section authorize from file
> >> >>> /etc/freeradius/3.0/sites-enabled/default
> >> >>> (0) authorize {
> >> >>> (0) policy filter_username {
> >> >>> (0) if (&User-Name) {
> >> >>> (0) if (&User-Name) -> TRUE
> >> >>> (0) if (&User-Name) {
> >> >>> (0) if (&User-Name =~ / /) {
> >> >>> (0) if (&User-Name =~ / /) -> FALSE
> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> >> >>> (0) if (&User-Name =~ /\.\./ ) {
> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> >> /@(.+)\.(.+)$/)) {
> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))
> >> >>> -> FALSE
> >> >>> (0) if (&User-Name =~ /\.$/) {
> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
> >> >>> (0) if (&User-Name =~ /@\./) {
> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
> >> >>> (0) } # if (&User-Name) = notfound
> >> >>> (0) } # policy filter_username = notfound
> >> >>> (0) [preprocess] = ok
> >> >>> (0) [chap] = noop
> >> >>> (0) [mschap] = noop
> >> >>> (0) [digest] = noop
> >> >>> (0) suffix: Checking for suffix after "@"
> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
> >> >>> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>>> <>>> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>>> >"
> >> >>> (0) suffix: Found realm "mydomain.com"
> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
> >> >>> (0) suffix: Adding Realm = "mydomain.com"
> >> >>> (0) suffix: Authentication realm is LOCAL
> >> >>> (0) [suffix] = ok
> >> >>> (0) eap: No EAP-Message, not doing EAP
> >> >>> (0) [eap] = noop
> >> >>> (0) files: users: Matched entry DEFAULT at line 221
> >> >>> (0) [files] = ok
> >> >>> (0) [expiration] = noop
> >> >>> (0) [logintime] = noop
> >> >>> (0) pap: WARNING: No "known good" password found for the user. Not
> >> >>> setting Auth-Type
> >> >>> (0) pap: WARNING: Authentication will fail unless a "known good"
> >> password
> >> >>> is available
> >> >>> (0) [pap] = noop
> >> >>> (0) } # authorize = ok
> >> >>> (0) Found Auth-Type = pam
> >> >>> (0) # Executing group from file
> >> /etc/freeradius/3.0/sites-enabled/default
> >> >>> (0) authenticate {
> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
> >> >>> (0) [pam] = reject
> >> >>> (0) } # authenticate = reject
> >> >>> (0) Failed to authenticate the user
> >> >>> (0) Using Post-Auth-Type Reject
> >> >>> (0) # Executing group from file
> >> /etc/freeradius/3.0/sites-enabled/default
> >> >>> (0) Post-Auth-Type REJECT {
> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
> >> >>> (0) attr_filter.access_reject: --> >>> >> user@mydomain.com
> <mailto:user@mydomain.com>>> <mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> >>>> <mailto:
> >> >>> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>>> >
> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> >> >>> (0) [attr_filter.access_reject] = updated
> >> >>> (0) [eap] = noop
> >> >>> (0) policy remove_reply_message_if_eap {
> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> >> >>> (0) else {
> >> >>> (0) [noop] = noop
> >> >>> (0) } # else = noop
> >> >>> (0) } # policy remove_reply_message_if_eap = noop
> >> >>> (0) } # Post-Auth-Type REJECT = updated
> >> >>> (0) Delaying response for 1.000000 seconds
> >> >>> Waking up in 0.3 seconds.
> >> >>> Waking up in 0.6 seconds.
> >> >>> (0) Sending delayed response
> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
> 127.0.0.1:34793
> >> >>> length 20
> >> >>> Waking up in 3.9 seconds.
> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
> >> >>> Ready to process requests
> >> >>>
> >> >>>
> >> >>> 24. Avr 2018 16:40 de >>> >> aland@deployingradius.com <mailto:
> aland@deployingradius.com>>> <mailto:
> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>>>
> <mailto:
> >> >>> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>>
> <>> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> >>>> >:
> >> >>>
> >> >>>
> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
> >> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>>> <mailto:
> >> >>> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>>> >>
> >> > <> >>> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com
> <mailto:mailto:servernemesis@tutanota.com>>> >>>>
> >> <mailto:
> >> >>> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>>> >>
> >> > wrote:
> >> >>> >>
> >> >>> >> My FR server is domain joined, and his krb5 realm is
> mydomain.com
> >> >>> >> I don't know where I could specify the domain for PAM.
> >> >>> >
> >> >>> > I didn't tell you to specify the domain for PAM.
> >> >>> >
> >> >>> >> I'm not sure what you mean by "If it doesn't know about the
> domain,
> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
> proxy.conf)."
> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
> >> >>> >
> >> >>> > You know you're on the FreeRADIUS mailing list, right?
> proxy.conf
> >> is
> >> >>> for FreeRADIUS, not PAM.
> >> >>> >
> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had meant to
> edit
> >> >>> that file, I would have told you to edit that file.
> >> >>> >
> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu) /etc/freeradius
> >> >>> directory. The proxy.conf file is there. Read it.
> >> >>> >
> >> >>> > Alan DeKok.
> >> >>> >
> >> >>> >
> >> >>> > -
> >> >>> > List info/subscribe/unsubscribe? See >
> >> >>> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>>> <
> >> >>> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>>> >
> >> >>> -
> >> >>> List info/subscribe/unsubscribe? See
> >> >>> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >
> >> >> -
> >> >> List info/subscribe/unsubscribe? See >>
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> > -
> > List info/subscribe/unsubscribe? See >
> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
I'm using the radtest command on localhost with the secret testing123 (double checked)
25. Avr 2018 09:55 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>:
> well. radius secret can be wrong also for your client.
>
> radius secret is in client.conf and its tied to client ip address. check it
> out and test again.
>
> anyway. in your config you need use only google code, not password.
>
> Eero
>
> ke 25. huhtik. 2018 klo 10.49 <> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> > kirjoitti:
>
>> Hello,
>>
>> No because if I login with SSH, it works :
>>
>> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]:
>> Accepted google_authenticator for user
>> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user from
>> 192.168.50.68 port 50020 ssh2
>> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session): session
>> opened for user user by (uid=0)
>> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of user
>> user.
>>
>> I don't get why it's not working with the radius...
>>
>> 25. Avr 2018 09:46 de >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>
>> >:
>>
>>
>> > It means that code is wrong? is the server using ntp and clock is sync
>> and
>> > mobile is in sync.
>> >
>> > Try following: log into user. delete .google* file from user home
>> directory.
>> >
>> > run google-authenticator without params and select time based token/auth
>> > and add new authenticator code to google auth in phone
>> >
>> > Eero
>> >
>> > ke 25. huhtik. 2018 klo 10.39 <> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> > kirjoitti:
>> >
>> >> PS : If I disable the domain suffix for the users on the server (being
>> >> able to login with just "user"), I get
>> >>
>> >> Apr 25 09:27:42 SRV-FREERADIUS radiusd(pam_google_authenticator)[1661]:
>> >> Invalid verification code for user
>> >>
>> >>
>> >> 25. Avr 2018 09:15 de >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >:
>> >>
>> >>
>> >> > I tried
>> >> >
>> >> > #
>> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>> >> > #
>> >> >
>> >> > # We fall back to the system default in /etc/pam.d/common-*
>> >> > #
>> >> >
>> >> > #@include common-auth
>> >> > #@include common-account
>> >> > #@include common-password
>> >> > #@include common-session
>> >> > auth required /usr/local/lib/security/pam_google_authenticator.so
>> >> >
>> >> > and
>> >> >
>> >> > #
>> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>> >> > #
>> >> >
>> >> > # We fall back to the system default in /etc/pam.d/common-*
>> >> > #
>> >> >
>> >> > #@include common-auth
>> >> > #@include common-account
>> >> > #@include common-password
>> >> > #@include common-session
>> >> > auth requisite /usr/local/lib/security/pam_google_authenticator.so
>> >> forward_pass
>> >> > auth required pam_unix.so use_first_pass
>> >> >
>> >> > In both cases :
>> >> >
>> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> radiusd(pam_google_authenticator)[6847]:
>> >> user("user") not found
>> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> radiusd(pam_google_authenticator)[6847]:
>> >> No secret configured for user user, asking for code anyway.
>> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> radiusd(pam_google_authenticator)[6847]:
>> >> Invalid verification code for user
>> >> >
>> >> >
>> >> >
>> >> > 24. Avr 2018 19:21 de > >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <mailto:
>> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>> >> :
>> >> >
>> >> >
>> >> >> You need to enable pam logging on google authenticator.
>> >> >>
>> >> >> what is content of /etc/pam.d/radiusd ?
>> >> >>
>> >> >> Eero
>> >> >>
>> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>> >
>> kirjoitti:
>> >> >>
>> >> >>> Thanks, it looks better but it's still failing :
>> >> >>>
>> >> >>> Ready to process requests
>> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
>> >> 127.0.0.1:1812
>> >> >>> length 92
>> >> >>> (0) User-Name = ">>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> <>> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> >>>>
>> >> <>>> >> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>>
>> <>> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <mailto:mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> >>>> >"
>> >> >>> (0) User-Password = "password123456"
>> >> >>> (0) NAS-IP-Address = 127.0.1.1
>> >> >>> (0) NAS-Port = 18120
>> >> >>> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
>> >> >>> (0) # Executing section authorize from file
>> >> >>> /etc/freeradius/3.0/sites-enabled/default
>> >> >>> (0) authorize {
>> >> >>> (0) policy filter_username {
>> >> >>> (0) if (&User-Name) {
>> >> >>> (0) if (&User-Name) -> TRUE
>> >> >>> (0) if (&User-Name) {
>> >> >>> (0) if (&User-Name =~ / /) {
>> >> >>> (0) if (&User-Name =~ / /) -> FALSE
>> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>> >> >>> (0) if (&User-Name =~ /\.\./ ) {
>> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> >> /@(.+)\.(.+)$/)) {
>> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))
>> >> >>> -> FALSE
>> >> >>> (0) if (&User-Name =~ /\.$/) {
>> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
>> >> >>> (0) if (&User-Name =~ /@\./) {
>> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
>> >> >>> (0) } # if (&User-Name) = notfound
>> >> >>> (0) } # policy filter_username = notfound
>> >> >>> (0) [preprocess] = ok
>> >> >>> (0) [chap] = noop
>> >> >>> (0) [mschap] = noop
>> >> >>> (0) [digest] = noop
>> >> >>> (0) suffix: Checking for suffix after "@"
>> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
>> >> >>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>>> <>>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>> >>> >>>> >"
>> >> >>> (0) suffix: Found realm "mydomain.com"
>> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
>> >> >>> (0) suffix: Adding Realm = "mydomain.com"
>> >> >>> (0) suffix: Authentication realm is LOCAL
>> >> >>> (0) [suffix] = ok
>> >> >>> (0) eap: No EAP-Message, not doing EAP
>> >> >>> (0) [eap] = noop
>> >> >>> (0) files: users: Matched entry DEFAULT at line 221
>> >> >>> (0) [files] = ok
>> >> >>> (0) [expiration] = noop
>> >> >>> (0) [logintime] = noop
>> >> >>> (0) pap: WARNING: No "known good" password found for the user. Not
>> >> >>> setting Auth-Type
>> >> >>> (0) pap: WARNING: Authentication will fail unless a "known good"
>> >> password
>> >> >>> is available
>> >> >>> (0) [pap] = noop
>> >> >>> (0) } # authorize = ok
>> >> >>> (0) Found Auth-Type = pam
>> >> >>> (0) # Executing group from file
>> >> /etc/freeradius/3.0/sites-enabled/default
>> >> >>> (0) authenticate {
>> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
>> >> >>> (0) [pam] = reject
>> >> >>> (0) } # authenticate = reject
>> >> >>> (0) Failed to authenticate the user
>> >> >>> (0) Using Post-Auth-Type Reject
>> >> >>> (0) # Executing group from file
>> >> /etc/freeradius/3.0/sites-enabled/default
>> >> >>> (0) Post-Auth-Type REJECT {
>> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
>> >> >>> (0) attr_filter.access_reject: --> >>> >> >> user@mydomain.com <mailto:user@mydomain.com>
>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>>> <mailto:
>> >> >>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>>> >
>> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> >> >>> (0) [attr_filter.access_reject] = updated
>> >> >>> (0) [eap] = noop
>> >> >>> (0) policy remove_reply_message_if_eap {
>> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
>> >> >>> (0) else {
>> >> >>> (0) [noop] = noop
>> >> >>> (0) } # else = noop
>> >> >>> (0) } # policy remove_reply_message_if_eap = noop
>> >> >>> (0) } # Post-Auth-Type REJECT = updated
>> >> >>> (0) Delaying response for 1.000000 seconds
>> >> >>> Waking up in 0.3 seconds.
>> >> >>> Waking up in 0.6 seconds.
>> >> >>> (0) Sending delayed response
>> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
>> 127.0.0.1:34793
>> >> >>> length 20
>> >> >>> Waking up in 3.9 seconds.
>> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
>> >> >>> Ready to process requests
>> >> >>>
>> >> >>>
>> >> >>> 24. Avr 2018 16:40 de >>> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> <mailto:
>> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>> >>>>
>> <mailto:
>> >> >>> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>>
>> <>> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> >>>> >:
>> >> >>>
>> >> >>>
>> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >
>> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>>> <mailto:
>> >> >>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>>> >>
>> >> > <> >>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> >>> >>>>
>> >> <mailto:
>> >> >>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>>> >>
>> >> > wrote:
>> >> >>> >>
>> >> >>> >> My FR server is domain joined, and his krb5 realm is
>> mydomain.com
>> >> >>> >> I don't know where I could specify the domain for PAM.
>> >> >>> >
>> >> >>> > I didn't tell you to specify the domain for PAM.
>> >> >>> >
>> >> >>> >> I'm not sure what you mean by "If it doesn't know about the
>> domain,
>> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
>> proxy.conf)."
>> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
>> >> >>> >
>> >> >>> > You know you're on the FreeRADIUS mailing list, right?
>> proxy.conf
>> >> is
>> >> >>> for FreeRADIUS, not PAM.
>> >> >>> >
>> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had meant to
>> edit
>> >> >>> that file, I would have told you to edit that file.
>> >> >>> >
>> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu) /etc/freeradius
>> >> >>> directory. The proxy.conf file is there. Read it.
>> >> >>> >
>> >> >>> > Alan DeKok.
>> >> >>> >
>> >> >>> >
>> >> >>> > -
>> >> >>> > List info/subscribe/unsubscribe? See >
>> >> >>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>>> <
>> >> >>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>>> >
>> >> >>> -
>> >> >>> List info/subscribe/unsubscribe? See
>> >> >>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >
>> >> >> -
>> >> >> List info/subscribe/unsubscribe? See >>
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >
>> >> -
>> >> List info/subscribe/unsubscribe? See
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> > -
>> > List info/subscribe/unsubscribe? See >
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
please, give example of your radtest command.
Eero
ke 25. huhtik. 2018 klo 11.02 <servernemesis@tutanota.com> kirjoitti:
> I'm using the radtest command on localhost with the secret testing123
> (double checked)
>
> 25. Avr 2018 09:55 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi
> >:
>
>
> > well. radius secret can be wrong also for your client.
> >
> > radius secret is in client.conf and its tied to client ip address. check
> it
> > out and test again.
> >
> > anyway. in your config you need use only google code, not password.
> >
> > Eero
> >
> > ke 25. huhtik. 2018 klo 10.49 <> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>> > kirjoitti:
> >
> >> Hello,
> >>
> >> No because if I login with SSH, it works :
> >>
> >> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]:
> >> Accepted google_authenticator for user
> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user
> from
> >> 192.168.50.68 port 50020 ssh2
> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session):
> session
> >> opened for user user by (uid=0)
> >> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of
> user
> >> user.
> >>
> >> I don't get why it's not working with the radius...
> >>
> >> 25. Avr 2018 09:46 de >> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:
> eero.volotinen@iki.fi>
> >> >:
> >>
> >>
> >> > It means that code is wrong? is the server using ntp and clock is sync
> >> and
> >> > mobile is in sync.
> >> >
> >> > Try following: log into user. delete .google* file from user home
> >> directory.
> >> >
> >> > run google-authenticator without params and select time based
> token/auth
> >> > and add new authenticator code to google auth in phone
> >> >
> >> > Eero
> >> >
> >> > ke 25. huhtik. 2018 klo 10.39 <> >> servernemesis@tutanota.com
> <mailto:servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> >
> kirjoitti:
> >> >
> >> >> PS : If I disable the domain suffix for the users on the server
> (being
> >> >> able to login with just "user"), I get
> >> >>
> >> >> Apr 25 09:27:42 SRV-FREERADIUS
> radiusd(pam_google_authenticator)[1661]:
> >> >> Invalid verification code for user
> >> >>
> >> >>
> >> >> 25. Avr 2018 09:15 de >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <mailto:
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> >:
> >> >>
> >> >>
> >> >> > I tried
> >> >> >
> >> >> > #
> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >> >> > #
> >> >> >
> >> >> > # We fall back to the system default in /etc/pam.d/common-*
> >> >> > #
> >> >> >
> >> >> > #@include common-auth
> >> >> > #@include common-account
> >> >> > #@include common-password
> >> >> > #@include common-session
> >> >> > auth required /usr/local/lib/security/pam_google_authenticator.so
> >> >> >
> >> >> > and
> >> >> >
> >> >> > #
> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >> >> > #
> >> >> >
> >> >> > # We fall back to the system default in /etc/pam.d/common-*
> >> >> > #
> >> >> >
> >> >> > #@include common-auth
> >> >> > #@include common-account
> >> >> > #@include common-password
> >> >> > #@include common-session
> >> >> > auth requisite /usr/local/lib/security/pam_google_authenticator.so
> >> >> forward_pass
> >> >> > auth required pam_unix.so use_first_pass
> >> >> >
> >> >> > In both cases :
> >> >> >
> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >> radiusd(pam_google_authenticator)[6847]:
> >> >> user("user") not found
> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >> radiusd(pam_google_authenticator)[6847]:
> >> >> No secret configured for user user, asking for code anyway.
> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >> radiusd(pam_google_authenticator)[6847]:
> >> >> Invalid verification code for user
> >> >> >
> >> >> >
> >> >> >
> >> >> > 24. Avr 2018 19:21 de > >> >> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>> <mailto:
> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <mailto:
> >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>>
> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>>
> >> :
> >> >> >
> >> >> >
> >> >> >> You need to enable pam logging on google authenticator.
> >> >> >>
> >> >> >> what is content of /etc/pam.d/radiusd ?
> >> >> >>
> >> >> >> Eero
> >> >> >>
> >> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> >>
> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
> >> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> <mailto:
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>> >
> >> kirjoitti:
> >> >> >>
> >> >> >>> Thanks, it looks better but it's still failing :
> >> >> >>>
> >> >> >>> Ready to process requests
> >> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
> >> >> 127.0.0.1:1812
> >> >> >>> length 92
> >> >> >>> (0) User-Name = ">>> >> >> user@mydomain.com <mailto:
> user@mydomain.com>>> <mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> >>> <>> >> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> <mailto:mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> >>> >>>>
> >> >> <>>> >> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>
> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:
> user@mydomain.com>>> >>>
> >> <>> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:
> user@mydomain.com>>> <mailto:mailto:mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> >>> >>>> >"
> >> >> >>> (0) User-Password = "password123456"
> >> >> >>> (0) NAS-IP-Address = 127.0.1.1
> >> >> >>> (0) NAS-Port = 18120
> >> >> >>> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
> >> >> >>> (0) # Executing section authorize from file
> >> >> >>> /etc/freeradius/3.0/sites-enabled/default
> >> >> >>> (0) authorize {
> >> >> >>> (0) policy filter_username {
> >> >> >>> (0) if (&User-Name) {
> >> >> >>> (0) if (&User-Name) -> TRUE
> >> >> >>> (0) if (&User-Name) {
> >> >> >>> (0) if (&User-Name =~ / /) {
> >> >> >>> (0) if (&User-Name =~ / /) -> FALSE
> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> >> >> >>> (0) if (&User-Name =~ /\.\./ ) {
> >> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> >> >> /@(.+)\.(.+)$/)) {
> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> >> /@(.+)\.(.+)$/))
> >> >> >>> -> FALSE
> >> >> >>> (0) if (&User-Name =~ /\.$/) {
> >> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
> >> >> >>> (0) if (&User-Name =~ /@\./) {
> >> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
> >> >> >>> (0) } # if (&User-Name) = notfound
> >> >> >>> (0) } # policy filter_username = notfound
> >> >> >>> (0) [preprocess] = ok
> >> >> >>> (0) [chap] = noop
> >> >> >>> (0) [mschap] = noop
> >> >> >>> (0) [digest] = noop
> >> >> >>> (0) suffix: Checking for suffix after "@"
> >> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
> >> >> >>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>>>
> <>>> mailto:
> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto
> :mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>
> >>> >>>> >"
> >> >> >>> (0) suffix: Found realm "mydomain.com"
> >> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
> >> >> >>> (0) suffix: Adding Realm = "mydomain.com"
> >> >> >>> (0) suffix: Authentication realm is LOCAL
> >> >> >>> (0) [suffix] = ok
> >> >> >>> (0) eap: No EAP-Message, not doing EAP
> >> >> >>> (0) [eap] = noop
> >> >> >>> (0) files: users: Matched entry DEFAULT at line 221
> >> >> >>> (0) [files] = ok
> >> >> >>> (0) [expiration] = noop
> >> >> >>> (0) [logintime] = noop
> >> >> >>> (0) pap: WARNING: No "known good" password found for the user.
> Not
> >> >> >>> setting Auth-Type
> >> >> >>> (0) pap: WARNING: Authentication will fail unless a "known good"
> >> >> password
> >> >> >>> is available
> >> >> >>> (0) [pap] = noop
> >> >> >>> (0) } # authorize = ok
> >> >> >>> (0) Found Auth-Type = pam
> >> >> >>> (0) # Executing group from file
> >> >> /etc/freeradius/3.0/sites-enabled/default
> >> >> >>> (0) authenticate {
> >> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> >> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
> >> >> >>> (0) [pam] = reject
> >> >> >>> (0) } # authenticate = reject
> >> >> >>> (0) Failed to authenticate the user
> >> >> >>> (0) Using Post-Auth-Type Reject
> >> >> >>> (0) # Executing group from file
> >> >> /etc/freeradius/3.0/sites-enabled/default
> >> >> >>> (0) Post-Auth-Type REJECT {
> >> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
> >> >> >>> (0) attr_filter.access_reject: --> >>> >> >>
> user@mydomain.com <mailto:user@mydomain.com>
> >> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>>
> <mailto:
> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>>> <mailto:
> >> >> >>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>>> >
> >> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> >> >> >>> (0) [attr_filter.access_reject] = updated
> >> >> >>> (0) [eap] = noop
> >> >> >>> (0) policy remove_reply_message_if_eap {
> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) ->
> FALSE
> >> >> >>> (0) else {
> >> >> >>> (0) [noop] = noop
> >> >> >>> (0) } # else = noop
> >> >> >>> (0) } # policy remove_reply_message_if_eap = noop
> >> >> >>> (0) } # Post-Auth-Type REJECT = updated
> >> >> >>> (0) Delaying response for 1.000000 seconds
> >> >> >>> Waking up in 0.3 seconds.
> >> >> >>> Waking up in 0.6 seconds.
> >> >> >>> (0) Sending delayed response
> >> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
> >> 127.0.0.1:34793
> >> >> >>> length 20
> >> >> >>> Waking up in 3.9 seconds.
> >> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
> >> >> >>> Ready to process requests
> >> >> >>>
> >> >> >>>
> >> >> >>> 24. Avr 2018 16:40 de >>> >> >> aland@deployingradius.com
> <mailto:aland@deployingradius.com>>> <mailto:
> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>>
> <mailto:
> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>>
> <>> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> >>> >>>>
> >> <mailto:
> >> >> >>> >> >> aland@deployingradius.com <mailto:
> aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com
> <mailto:mailto:aland@deployingradius.com>>> >>>
> >> <>> >> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> <mailto:mailto:
> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>>
> >>>> >:
> >> >> >>>
> >> >> >>>
> >> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>>
> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >
> >> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> >>>> <mailto:
> >> >> >>> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com
> <mailto:mailto:servernemesis@tutanota.com>>> >>>
> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> >>>> >>
> >> >> > <> >>> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>
> >> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>>>
> >> >> <mailto:
> >> >> >>> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com
> <mailto:mailto:servernemesis@tutanota.com>>> >>>
> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> >>>> >>
> >> >> > wrote:
> >> >> >>> >>
> >> >> >>> >> My FR server is domain joined, and his krb5 realm is
> >> mydomain.com
> >> >> >>> >> I don't know where I could specify the domain for PAM.
> >> >> >>> >
> >> >> >>> > I didn't tell you to specify the domain for PAM.
> >> >> >>> >
> >> >> >>> >> I'm not sure what you mean by "If it doesn't know about the
> >> domain,
> >> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
> >> proxy.conf)."
> >> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
> >> >> >>> >
> >> >> >>> > You know you're on the FreeRADIUS mailing list, right?
> >> proxy.conf
> >> >> is
> >> >> >>> for FreeRADIUS, not PAM.
> >> >> >>> >
> >> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had meant
> to
> >> edit
> >> >> >>> that file, I would have told you to edit that file.
> >> >> >>> >
> >> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu)
> /etc/freeradius
> >> >> >>> directory. The proxy.conf file is there. Read it.
> >> >> >>> >
> >> >> >>> > Alan DeKok.
> >> >> >>> >
> >> >> >>> >
> >> >> >>> > -
> >> >> >>> > List info/subscribe/unsubscribe? See >
> >> >> >>> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>>> <
> >> >> >>> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>>> >
> >> >> >>> -
> >> >> >>> List info/subscribe/unsubscribe? See
> >> >> >>> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >
> >> >> >> -
> >> >> >> List info/subscribe/unsubscribe? See >>
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >
> >> >> -
> >> >> List info/subscribe/unsubscribe? See
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >
> >> > -
> >> > List info/subscribe/unsubscribe? See >
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> > -
> > List info/subscribe/unsubscribe? See >
> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
radtest user@mydomain.com <mailto:user@mydomain.com> password123456 localhost 18120 testing123
-> where "password" is my AD password and "123456" is my google Auth code
I also tested with just "user" and "123456", same result
25. Avr 2018 10:11 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>:
> please, give example of your radtest command.
>
> Eero
>
> ke 25. huhtik. 2018 klo 11.02 <> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> > kirjoitti:
>
>> I'm using the radtest command on localhost with the secret testing123
>> (double checked)
>>
>> 25. Avr 2018 09:55 de >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>
>> >:
>>
>>
>> > well. radius secret can be wrong also for your client.
>> >
>> > radius secret is in client.conf and its tied to client ip address. check
>> it
>> > out and test again.
>> >
>> > anyway. in your config you need use only google code, not password.
>> >
>> > Eero
>> >
>> > ke 25. huhtik. 2018 klo 10.49 <> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> > kirjoitti:
>> >
>> >> Hello,
>> >>
>> >> No because if I login with SSH, it works :
>> >>
>> >> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]:
>> >> Accepted google_authenticator for user
>> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user
>> from
>> >> 192.168.50.68 port 50020 ssh2
>> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session):
>> session
>> >> opened for user user by (uid=0)
>> >> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of
>> user
>> >> user.
>> >>
>> >> I don't get why it's not working with the radius...
>> >>
>> >> 25. Avr 2018 09:46 de >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <>> >> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> <mailto:mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >
>> >> >:
>> >>
>> >>
>> >> > It means that code is wrong? is the server using ntp and clock is sync
>> >> and
>> >> > mobile is in sync.
>> >> >
>> >> > Try following: log into user. delete .google* file from user home
>> >> directory.
>> >> >
>> >> > run google-authenticator without params and select time based
>> token/auth
>> >> > and add new authenticator code to google auth in phone
>> >> >
>> >> > Eero
>> >> >
>> >> > ke 25. huhtik. 2018 klo 10.39 <> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >> >
>> kirjoitti:
>> >> >
>> >> >> PS : If I disable the domain suffix for the users on the server
>> (being
>> >> >> able to login with just "user"), I get
>> >> >>
>> >> >> Apr 25 09:27:42 SRV-FREERADIUS
>> radiusd(pam_google_authenticator)[1661]:
>> >> >> Invalid verification code for user
>> >> >>
>> >> >>
>> >> >> 25. Avr 2018 09:15 de >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <mailto:
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >:
>> >> >>
>> >> >>
>> >> >> > I tried
>> >> >> >
>> >> >> > #
>> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>> >> >> > #
>> >> >> >
>> >> >> > # We fall back to the system default in /etc/pam.d/common-*
>> >> >> > #
>> >> >> >
>> >> >> > #@include common-auth
>> >> >> > #@include common-account
>> >> >> > #@include common-password
>> >> >> > #@include common-session
>> >> >> > auth required /usr/local/lib/security/pam_google_authenticator.so
>> >> >> >
>> >> >> > and
>> >> >> >
>> >> >> > #
>> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>> >> >> > #
>> >> >> >
>> >> >> > # We fall back to the system default in /etc/pam.d/common-*
>> >> >> > #
>> >> >> >
>> >> >> > #@include common-auth
>> >> >> > #@include common-account
>> >> >> > #@include common-password
>> >> >> > #@include common-session
>> >> >> > auth requisite /usr/local/lib/security/pam_google_authenticator.so
>> >> >> forward_pass
>> >> >> > auth required pam_unix.so use_first_pass
>> >> >> >
>> >> >> > In both cases :
>> >> >> >
>> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> >> radiusd(pam_google_authenticator)[6847]:
>> >> >> user("user") not found
>> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> >> radiusd(pam_google_authenticator)[6847]:
>> >> >> No secret configured for user user, asking for code anyway.
>> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> >> radiusd(pam_google_authenticator)[6847]:
>> >> >> Invalid verification code for user
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > 24. Avr 2018 19:21 de > >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <mailto:
>> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>> >>> <mailto:
>> >> >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>> <>>
>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> <>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>> >>> >>>
>> >> :
>> >> >> >
>> >> >> >
>> >> >> >> You need to enable pam logging on google authenticator.
>> >> >> >>
>> >> >> >> what is content of /etc/pam.d/radiusd ?
>> >> >> >>
>> >> >> >> Eero
>> >> >> >>
>> >> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> >>
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >
>> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> <mailto:
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>> >
>> >> kirjoitti:
>> >> >> >>
>> >> >> >>> Thanks, it looks better but it's still failing :
>> >> >> >>>
>> >> >> >>> Ready to process requests
>> >> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
>> >> >> 127.0.0.1:1812
>> >> >> >>> length 92
>> >> >> >>> (0) User-Name = ">>> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> <mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> <>> >> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> <mailto:mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> >>>>
>> >> >> <>>> >> >> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>>
>> <>> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <mailto:mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> >>>
>> >> <>> >> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <mailto:mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> <mailto:mailto:mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> >>>> >"
>> >> >> >>> (0) User-Password = "password123456"
>> >> >> >>> (0) NAS-IP-Address = 127.0.1.1
>> >> >> >>> (0) NAS-Port = 18120
>> >> >> >>> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
>> >> >> >>> (0) # Executing section authorize from file
>> >> >> >>> /etc/freeradius/3.0/sites-enabled/default
>> >> >> >>> (0) authorize {
>> >> >> >>> (0) policy filter_username {
>> >> >> >>> (0) if (&User-Name) {
>> >> >> >>> (0) if (&User-Name) -> TRUE
>> >> >> >>> (0) if (&User-Name) {
>> >> >> >>> (0) if (&User-Name =~ / /) {
>> >> >> >>> (0) if (&User-Name =~ / /) -> FALSE
>> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>> >> >> >>> (0) if (&User-Name =~ /\.\./ ) {
>> >> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> >> >> /@(.+)\.(.+)$/)) {
>> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> >> /@(.+)\.(.+)$/))
>> >> >> >>> -> FALSE
>> >> >> >>> (0) if (&User-Name =~ /\.$/) {
>> >> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
>> >> >> >>> (0) if (&User-Name =~ /@\./) {
>> >> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
>> >> >> >>> (0) } # if (&User-Name) = notfound
>> >> >> >>> (0) } # policy filter_username = notfound
>> >> >> >>> (0) [preprocess] = ok
>> >> >> >>> (0) [chap] = noop
>> >> >> >>> (0) [mschap] = noop
>> >> >> >>> (0) [digest] = noop
>> >> >> >>> (0) suffix: Checking for suffix after "@"
>> >> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
>> >> >> >>> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>>
>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>>>
>> <>>> mailto:
>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>> mailto:
>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto
>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>> >>>
>> >>> >>>> >"
>> >> >> >>> (0) suffix: Found realm "mydomain.com"
>> >> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
>> >> >> >>> (0) suffix: Adding Realm = "mydomain.com"
>> >> >> >>> (0) suffix: Authentication realm is LOCAL
>> >> >> >>> (0) [suffix] = ok
>> >> >> >>> (0) eap: No EAP-Message, not doing EAP
>> >> >> >>> (0) [eap] = noop
>> >> >> >>> (0) files: users: Matched entry DEFAULT at line 221
>> >> >> >>> (0) [files] = ok
>> >> >> >>> (0) [expiration] = noop
>> >> >> >>> (0) [logintime] = noop
>> >> >> >>> (0) pap: WARNING: No "known good" password found for the user.
>> Not
>> >> >> >>> setting Auth-Type
>> >> >> >>> (0) pap: WARNING: Authentication will fail unless a "known good"
>> >> >> password
>> >> >> >>> is available
>> >> >> >>> (0) [pap] = noop
>> >> >> >>> (0) } # authorize = ok
>> >> >> >>> (0) Found Auth-Type = pam
>> >> >> >>> (0) # Executing group from file
>> >> >> /etc/freeradius/3.0/sites-enabled/default
>> >> >> >>> (0) authenticate {
>> >> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>> >> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
>> >> >> >>> (0) [pam] = reject
>> >> >> >>> (0) } # authenticate = reject
>> >> >> >>> (0) Failed to authenticate the user
>> >> >> >>> (0) Using Post-Auth-Type Reject
>> >> >> >>> (0) # Executing group from file
>> >> >> /etc/freeradius/3.0/sites-enabled/default
>> >> >> >>> (0) Post-Auth-Type REJECT {
>> >> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
>> >> >> >>> (0) attr_filter.access_reject: --> >>> >> >>
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >
>> >> <>> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>>
>> <mailto:
>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>>> <mailto:
>> >> >> >>> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>>
>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>>> >
>> >> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> >> >> >>> (0) [attr_filter.access_reject] = updated
>> >> >> >>> (0) [eap] = noop
>> >> >> >>> (0) policy remove_reply_message_if_eap {
>> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) ->
>> FALSE
>> >> >> >>> (0) else {
>> >> >> >>> (0) [noop] = noop
>> >> >> >>> (0) } # else = noop
>> >> >> >>> (0) } # policy remove_reply_message_if_eap = noop
>> >> >> >>> (0) } # Post-Auth-Type REJECT = updated
>> >> >> >>> (0) Delaying response for 1.000000 seconds
>> >> >> >>> Waking up in 0.3 seconds.
>> >> >> >>> Waking up in 0.6 seconds.
>> >> >> >>> (0) Sending delayed response
>> >> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
>> >> 127.0.0.1:34793
>> >> >> >>> length 20
>> >> >> >>> Waking up in 3.9 seconds.
>> >> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
>> >> >> >>> Ready to process requests
>> >> >> >>>
>> >> >> >>>
>> >> >> >>> 24. Avr 2018 16:40 de >>> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>
>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>> <mailto:
>> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>> >>>
>> <mailto:
>> >> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>>
>> <>> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> >>> >>>>
>> >> <mailto:
>> >> >> >>> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> <>> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>
>> <>> mailto:mailto:aland@deployingradius.com <mailto:mailto:mailto:aland@deployingradius.com>>> >>> >>>
>> >> <>> >> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> <mailto:mailto:
>> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>> >>>
>> >>>> >:
>> >> >> >>>
>> >> >> >>>
>> >> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> <>>
>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >
>> >> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >>>> <mailto:
>> >> >> >>> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >>>> >>
>> >> >> > <> >>> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >
>> >> <>> >> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>>>
>> >> >> <mailto:
>> >> >> >>> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >>>> >>
>> >> >> > wrote:
>> >> >> >>> >>
>> >> >> >>> >> My FR server is domain joined, and his krb5 realm is
>> >> mydomain.com
>> >> >> >>> >> I don't know where I could specify the domain for PAM.
>> >> >> >>> >
>> >> >> >>> > I didn't tell you to specify the domain for PAM.
>> >> >> >>> >
>> >> >> >>> >> I'm not sure what you mean by "If it doesn't know about the
>> >> domain,
>> >> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
>> >> proxy.conf)."
>> >> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
>> >> >> >>> >
>> >> >> >>> > You know you're on the FreeRADIUS mailing list, right?
>> >> proxy.conf
>> >> >> is
>> >> >> >>> for FreeRADIUS, not PAM.
>> >> >> >>> >
>> >> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had meant
>> to
>> >> edit
>> >> >> >>> that file, I would have told you to edit that file.
>> >> >> >>> >
>> >> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu)
>> /etc/freeradius
>> >> >> >>> directory. The proxy.conf file is there. Read it.
>> >> >> >>> >
>> >> >> >>> > Alan DeKok.
>> >> >> >>> >
>> >> >> >>> >
>> >> >> >>> > -
>> >> >> >>> > List info/subscribe/unsubscribe? See >
>> >> >> >>> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>>> <
>> >> >> >>> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>>> >
>> >> >> >>> -
>> >> >> >>> List info/subscribe/unsubscribe? See
>> >> >> >>> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >
>> >> >> >> -
>> >> >> >> List info/subscribe/unsubscribe? See >>
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >
>> >> >> -
>> >> >> List info/subscribe/unsubscribe? See
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >
>> >> > -
>> >> > List info/subscribe/unsubscribe? See >
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >
>> >> -
>> >> List info/subscribe/unsubscribe? See
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> > -
>> > List info/subscribe/unsubscribe? See >
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
Ok, it's working with a local user I created, by just specifying the google auth code, still don't know why it's not working with domain users...
radtest ggg 494659 localhost 18120 testing123
Sent Access-Request Id 65 from 0.0.0.0:43805 to 127.0.0.1:1812 length 73
User-Name = "ggg"
User-Password = "494659"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18120
Message-Authenticator = 0x00
Cleartext-Password = "494659"
Received Access-Accept Id 65 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
25. Avr 2018 10:11 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>:
> please, give example of your radtest command.
>
> Eero
>
> ke 25. huhtik. 2018 klo 11.02 <> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> > kirjoitti:
>
>> I'm using the radtest command on localhost with the secret testing123
>> (double checked)
>>
>> 25. Avr 2018 09:55 de >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>
>> >:
>>
>>
>> > well. radius secret can be wrong also for your client.
>> >
>> > radius secret is in client.conf and its tied to client ip address. check
>> it
>> > out and test again.
>> >
>> > anyway. in your config you need use only google code, not password.
>> >
>> > Eero
>> >
>> > ke 25. huhtik. 2018 klo 10.49 <> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> > kirjoitti:
>> >
>> >> Hello,
>> >>
>> >> No because if I login with SSH, it works :
>> >>
>> >> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]:
>> >> Accepted google_authenticator for user
>> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user
>> from
>> >> 192.168.50.68 port 50020 ssh2
>> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session):
>> session
>> >> opened for user user by (uid=0)
>> >> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of
>> user
>> >> user.
>> >>
>> >> I don't get why it's not working with the radius...
>> >>
>> >> 25. Avr 2018 09:46 de >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <>> >> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> <mailto:mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >
>> >> >:
>> >>
>> >>
>> >> > It means that code is wrong? is the server using ntp and clock is sync
>> >> and
>> >> > mobile is in sync.
>> >> >
>> >> > Try following: log into user. delete .google* file from user home
>> >> directory.
>> >> >
>> >> > run google-authenticator without params and select time based
>> token/auth
>> >> > and add new authenticator code to google auth in phone
>> >> >
>> >> > Eero
>> >> >
>> >> > ke 25. huhtik. 2018 klo 10.39 <> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >> >
>> kirjoitti:
>> >> >
>> >> >> PS : If I disable the domain suffix for the users on the server
>> (being
>> >> >> able to login with just "user"), I get
>> >> >>
>> >> >> Apr 25 09:27:42 SRV-FREERADIUS
>> radiusd(pam_google_authenticator)[1661]:
>> >> >> Invalid verification code for user
>> >> >>
>> >> >>
>> >> >> 25. Avr 2018 09:15 de >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <mailto:
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >:
>> >> >>
>> >> >>
>> >> >> > I tried
>> >> >> >
>> >> >> > #
>> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>> >> >> > #
>> >> >> >
>> >> >> > # We fall back to the system default in /etc/pam.d/common-*
>> >> >> > #
>> >> >> >
>> >> >> > #@include common-auth
>> >> >> > #@include common-account
>> >> >> > #@include common-password
>> >> >> > #@include common-session
>> >> >> > auth required /usr/local/lib/security/pam_google_authenticator.so
>> >> >> >
>> >> >> > and
>> >> >> >
>> >> >> > #
>> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>> >> >> > #
>> >> >> >
>> >> >> > # We fall back to the system default in /etc/pam.d/common-*
>> >> >> > #
>> >> >> >
>> >> >> > #@include common-auth
>> >> >> > #@include common-account
>> >> >> > #@include common-password
>> >> >> > #@include common-session
>> >> >> > auth requisite /usr/local/lib/security/pam_google_authenticator.so
>> >> >> forward_pass
>> >> >> > auth required pam_unix.so use_first_pass
>> >> >> >
>> >> >> > In both cases :
>> >> >> >
>> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> >> radiusd(pam_google_authenticator)[6847]:
>> >> >> user("user") not found
>> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> >> radiusd(pam_google_authenticator)[6847]:
>> >> >> No secret configured for user user, asking for code anyway.
>> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> >> radiusd(pam_google_authenticator)[6847]:
>> >> >> Invalid verification code for user
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > 24. Avr 2018 19:21 de > >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <mailto:
>> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>> >>> <mailto:
>> >> >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>> <>>
>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> <>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>> >>> >>>
>> >> :
>> >> >> >
>> >> >> >
>> >> >> >> You need to enable pam logging on google authenticator.
>> >> >> >>
>> >> >> >> what is content of /etc/pam.d/radiusd ?
>> >> >> >>
>> >> >> >> Eero
>> >> >> >>
>> >> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> >>
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >
>> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> <mailto:
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>> >
>> >> kirjoitti:
>> >> >> >>
>> >> >> >>> Thanks, it looks better but it's still failing :
>> >> >> >>>
>> >> >> >>> Ready to process requests
>> >> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
>> >> >> 127.0.0.1:1812
>> >> >> >>> length 92
>> >> >> >>> (0) User-Name = ">>> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> <mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> <>> >> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> <mailto:mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> >>>>
>> >> >> <>>> >> >> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>>
>> <>> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <mailto:mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> >>>
>> >> <>> >> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <mailto:mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> <mailto:mailto:mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> >>>> >"
>> >> >> >>> (0) User-Password = "password123456"
>> >> >> >>> (0) NAS-IP-Address = 127.0.1.1
>> >> >> >>> (0) NAS-Port = 18120
>> >> >> >>> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
>> >> >> >>> (0) # Executing section authorize from file
>> >> >> >>> /etc/freeradius/3.0/sites-enabled/default
>> >> >> >>> (0) authorize {
>> >> >> >>> (0) policy filter_username {
>> >> >> >>> (0) if (&User-Name) {
>> >> >> >>> (0) if (&User-Name) -> TRUE
>> >> >> >>> (0) if (&User-Name) {
>> >> >> >>> (0) if (&User-Name =~ / /) {
>> >> >> >>> (0) if (&User-Name =~ / /) -> FALSE
>> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>> >> >> >>> (0) if (&User-Name =~ /\.\./ ) {
>> >> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> >> >> /@(.+)\.(.+)$/)) {
>> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> >> /@(.+)\.(.+)$/))
>> >> >> >>> -> FALSE
>> >> >> >>> (0) if (&User-Name =~ /\.$/) {
>> >> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
>> >> >> >>> (0) if (&User-Name =~ /@\./) {
>> >> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
>> >> >> >>> (0) } # if (&User-Name) = notfound
>> >> >> >>> (0) } # policy filter_username = notfound
>> >> >> >>> (0) [preprocess] = ok
>> >> >> >>> (0) [chap] = noop
>> >> >> >>> (0) [mschap] = noop
>> >> >> >>> (0) [digest] = noop
>> >> >> >>> (0) suffix: Checking for suffix after "@"
>> >> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
>> >> >> >>> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>>
>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>>>
>> <>>> mailto:
>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>> mailto:
>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto
>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>> >>>
>> >>> >>>> >"
>> >> >> >>> (0) suffix: Found realm "mydomain.com"
>> >> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
>> >> >> >>> (0) suffix: Adding Realm = "mydomain.com"
>> >> >> >>> (0) suffix: Authentication realm is LOCAL
>> >> >> >>> (0) [suffix] = ok
>> >> >> >>> (0) eap: No EAP-Message, not doing EAP
>> >> >> >>> (0) [eap] = noop
>> >> >> >>> (0) files: users: Matched entry DEFAULT at line 221
>> >> >> >>> (0) [files] = ok
>> >> >> >>> (0) [expiration] = noop
>> >> >> >>> (0) [logintime] = noop
>> >> >> >>> (0) pap: WARNING: No "known good" password found for the user.
>> Not
>> >> >> >>> setting Auth-Type
>> >> >> >>> (0) pap: WARNING: Authentication will fail unless a "known good"
>> >> >> password
>> >> >> >>> is available
>> >> >> >>> (0) [pap] = noop
>> >> >> >>> (0) } # authorize = ok
>> >> >> >>> (0) Found Auth-Type = pam
>> >> >> >>> (0) # Executing group from file
>> >> >> /etc/freeradius/3.0/sites-enabled/default
>> >> >> >>> (0) authenticate {
>> >> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>> >> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
>> >> >> >>> (0) [pam] = reject
>> >> >> >>> (0) } # authenticate = reject
>> >> >> >>> (0) Failed to authenticate the user
>> >> >> >>> (0) Using Post-Auth-Type Reject
>> >> >> >>> (0) # Executing group from file
>> >> >> /etc/freeradius/3.0/sites-enabled/default
>> >> >> >>> (0) Post-Auth-Type REJECT {
>> >> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
>> >> >> >>> (0) attr_filter.access_reject: --> >>> >> >>
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >
>> >> <>> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>>
>> <mailto:
>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>>> <mailto:
>> >> >> >>> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>>
>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>>> >
>> >> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> >> >> >>> (0) [attr_filter.access_reject] = updated
>> >> >> >>> (0) [eap] = noop
>> >> >> >>> (0) policy remove_reply_message_if_eap {
>> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) ->
>> FALSE
>> >> >> >>> (0) else {
>> >> >> >>> (0) [noop] = noop
>> >> >> >>> (0) } # else = noop
>> >> >> >>> (0) } # policy remove_reply_message_if_eap = noop
>> >> >> >>> (0) } # Post-Auth-Type REJECT = updated
>> >> >> >>> (0) Delaying response for 1.000000 seconds
>> >> >> >>> Waking up in 0.3 seconds.
>> >> >> >>> Waking up in 0.6 seconds.
>> >> >> >>> (0) Sending delayed response
>> >> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
>> >> 127.0.0.1:34793
>> >> >> >>> length 20
>> >> >> >>> Waking up in 3.9 seconds.
>> >> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
>> >> >> >>> Ready to process requests
>> >> >> >>>
>> >> >> >>>
>> >> >> >>> 24. Avr 2018 16:40 de >>> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>
>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>> <mailto:
>> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>> >>>
>> <mailto:
>> >> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>>
>> <>> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> >>> >>>>
>> >> <mailto:
>> >> >> >>> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> <>> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>
>> <>> mailto:mailto:aland@deployingradius.com <mailto:mailto:mailto:aland@deployingradius.com>>> >>> >>>
>> >> <>> >> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> <mailto:mailto:
>> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>> >>>
>> >>>> >:
>> >> >> >>>
>> >> >> >>>
>> >> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> <>>
>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >
>> >> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >>>> <mailto:
>> >> >> >>> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >>>> >>
>> >> >> > <> >>> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >
>> >> <>> >> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>>>
>> >> >> <mailto:
>> >> >> >>> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >>>> >>
>> >> >> > wrote:
>> >> >> >>> >>
>> >> >> >>> >> My FR server is domain joined, and his krb5 realm is
>> >> mydomain.com
>> >> >> >>> >> I don't know where I could specify the domain for PAM.
>> >> >> >>> >
>> >> >> >>> > I didn't tell you to specify the domain for PAM.
>> >> >> >>> >
>> >> >> >>> >> I'm not sure what you mean by "If it doesn't know about the
>> >> domain,
>> >> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
>> >> proxy.conf)."
>> >> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
>> >> >> >>> >
>> >> >> >>> > You know you're on the FreeRADIUS mailing list, right?
>> >> proxy.conf
>> >> >> is
>> >> >> >>> for FreeRADIUS, not PAM.
>> >> >> >>> >
>> >> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had meant
>> to
>> >> edit
>> >> >> >>> that file, I would have told you to edit that file.
>> >> >> >>> >
>> >> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu)
>> /etc/freeradius
>> >> >> >>> directory. The proxy.conf file is there. Read it.
>> >> >> >>> >
>> >> >> >>> > Alan DeKok.
>> >> >> >>> >
>> >> >> >>> >
>> >> >> >>> > -
>> >> >> >>> > List info/subscribe/unsubscribe? See >
>> >> >> >>> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>>> <
>> >> >> >>> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>>> >
>> >> >> >>> -
>> >> >> >>> List info/subscribe/unsubscribe? See
>> >> >> >>> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >
>> >> >> >> -
>> >> >> >> List info/subscribe/unsubscribe? See >>
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >
>> >> >> -
>> >> >> List info/subscribe/unsubscribe? See
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >
>> >> > -
>> >> > List info/subscribe/unsubscribe? See >
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >
>> >> -
>> >> List info/subscribe/unsubscribe? See
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> > -
>> > List info/subscribe/unsubscribe? See >
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
what is content of /etc/pam.d/ssh* files?
Eero
ke 25. huhtik. 2018 klo 13.29 <servernemesis@tutanota.com> kirjoitti:
> Ok, it's working with a local user I created, by just specifying the
> google auth code, still don't know why it's not working with domain users...
>
> radtest ggg 494659 localhost 18120 testing123
> Sent Access-Request Id 65 from 0.0.0.0:43805 to 127.0.0.1:1812 length 73
> User-Name = "ggg"
> User-Password = "494659"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 18120
> Message-Authenticator = 0x00
> Cleartext-Password = "494659"
> Received Access-Accept Id 65 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
>
> 25. Avr 2018 10:11 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi
> >:
>
>
> > please, give example of your radtest command.
> >
> > Eero
> >
> > ke 25. huhtik. 2018 klo 11.02 <> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>> > kirjoitti:
> >
> >> I'm using the radtest command on localhost with the secret testing123
> >> (double checked)
> >>
> >> 25. Avr 2018 09:55 de >> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:
> eero.volotinen@iki.fi>
> >> >:
> >>
> >>
> >> > well. radius secret can be wrong also for your client.
> >> >
> >> > radius secret is in client.conf and its tied to client ip address.
> check
> >> it
> >> > out and test again.
> >> >
> >> > anyway. in your config you need use only google code, not password.
> >> >
> >> > Eero
> >> >
> >> > ke 25. huhtik. 2018 klo 10.49 <> >> servernemesis@tutanota.com
> <mailto:servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> >
> kirjoitti:
> >> >
> >> >> Hello,
> >> >>
> >> >> No because if I login with SSH, it works :
> >> >>
> >> >> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]:
> >> >> Accepted google_authenticator for user
> >> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user
> >> from
> >> >> 192.168.50.68 port 50020 ssh2
> >> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session):
> >> session
> >> >> opened for user user by (uid=0)
> >> >> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of
> >> user
> >> >> user.
> >> >>
> >> >> I don't get why it's not working with the radius...
> >> >>
> >> >> 25. Avr 2018 09:46 de >> >> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>> <mailto:
> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <>> >>
> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>
> <mailto:mailto:
> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >
> >> >> >:
> >> >>
> >> >>
> >> >> > It means that code is wrong? is the server using ntp and clock is
> sync
> >> >> and
> >> >> > mobile is in sync.
> >> >> >
> >> >> > Try following: log into user. delete .google* file from user home
> >> >> directory.
> >> >> >
> >> >> > run google-authenticator without params and select time based
> >> token/auth
> >> >> > and add new authenticator code to google auth in phone
> >> >> >
> >> >> > Eero
> >> >> >
> >> >> > ke 25. huhtik. 2018 klo 10.39 <> >> >> servernemesis@tutanota.com
> <mailto:servernemesis@tutanota.com>
> >> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> <mailto:
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> >> >
> >> kirjoitti:
> >> >> >
> >> >> >> PS : If I disable the domain suffix for the users on the server
> >> (being
> >> >> >> able to login with just "user"), I get
> >> >> >>
> >> >> >> Apr 25 09:27:42 SRV-FREERADIUS
> >> radiusd(pam_google_authenticator)[1661]:
> >> >> >> Invalid verification code for user
> >> >> >>
> >> >> >>
> >> >> >> 25. Avr 2018 09:15 de >> >> >> servernemesis@tutanota.com
> <mailto:servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <mailto:
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>>
> >> <mailto:
> >> >> >> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com
> <mailto:mailto:servernemesis@tutanota.com>>> >>>
> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> >>> >:
> >> >> >>
> >> >> >>
> >> >> >> > I tried
> >> >> >> >
> >> >> >> > #
> >> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >> >> >> > #
> >> >> >> >
> >> >> >> > # We fall back to the system default in /etc/pam.d/common-*
> >> >> >> > #
> >> >> >> >
> >> >> >> > #@include common-auth
> >> >> >> > #@include common-account
> >> >> >> > #@include common-password
> >> >> >> > #@include common-session
> >> >> >> > auth required
> /usr/local/lib/security/pam_google_authenticator.so
> >> >> >> >
> >> >> >> > and
> >> >> >> >
> >> >> >> > #
> >> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >> >> >> > #
> >> >> >> >
> >> >> >> > # We fall back to the system default in /etc/pam.d/common-*
> >> >> >> > #
> >> >> >> >
> >> >> >> > #@include common-auth
> >> >> >> > #@include common-account
> >> >> >> > #@include common-password
> >> >> >> > #@include common-session
> >> >> >> > auth requisite
> /usr/local/lib/security/pam_google_authenticator.so
> >> >> >> forward_pass
> >> >> >> > auth required pam_unix.so use_first_pass
> >> >> >> >
> >> >> >> > In both cases :
> >> >> >> >
> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >> >> radiusd(pam_google_authenticator)[6847]:
> >> >> >> user("user") not found
> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >> >> radiusd(pam_google_authenticator)[6847]:
> >> >> >> No secret configured for user user, asking for code anyway.
> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >> >> radiusd(pam_google_authenticator)[6847]:
> >> >> >> Invalid verification code for user
> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >> > 24. Avr 2018 19:21 de > >> >> >> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>> <mailto:
> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <mailto:
> >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>>
> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>>
> >>> <mailto:
> >> >> >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>
> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>
> >>> <>>
> >> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>
> <>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:
> eero.volotinen@iki.fi>>> >>> >>>
> >> >> :
> >> >> >> >
> >> >> >> >
> >> >> >> >> You need to enable pam logging on google authenticator.
> >> >> >> >>
> >> >> >> >> what is content of /etc/pam.d/radiusd ?
> >> >> >> >>
> >> >> >> >> Eero
> >> >> >> >>
> >> >> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> >>
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>>
> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >
> >> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> >>> <mailto:
> >> >> >> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com
> <mailto:mailto:servernemesis@tutanota.com>>> >>>
> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> >>> >>> >
> >> >> kirjoitti:
> >> >> >> >>
> >> >> >> >>> Thanks, it looks better but it's still failing :
> >> >> >> >>>
> >> >> >> >>> Ready to process requests
> >> >> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
> >> >> >> 127.0.0.1:1812
> >> >> >> >>> length 92
> >> >> >> >>> (0) User-Name = ">>> >> >> >> user@mydomain.com <mailto:
> user@mydomain.com>>> <mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> >>> <mailto:
> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> <>> >>
> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> <mailto:
> mailto:
> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> >>>>
> >> >> >> <>>> >> >> >> mailto:user@mydomain.com <mailto:mailto:
> user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto
> :mailto:user@mydomain.com>>> >>>
> >> <>> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:
> user@mydomain.com>>> <mailto:mailto:mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> >>> >>>
> >> >> <>> >> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:
> user@mydomain.com>>> <mailto:mailto:mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> >>> <mailto:mailto
> :mailto:
> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> >>>> >"
> >> >> >> >>> (0) User-Password = "password123456"
> >> >> >> >>> (0) NAS-IP-Address = 127.0.1.1
> >> >> >> >>> (0) NAS-Port = 18120
> >> >> >> >>> (0) Message-Authenticator =
> 0xd028fefb31c1de33ebec1d53011953ce
> >> >> >> >>> (0) # Executing section authorize from file
> >> >> >> >>> /etc/freeradius/3.0/sites-enabled/default
> >> >> >> >>> (0) authorize {
> >> >> >> >>> (0) policy filter_username {
> >> >> >> >>> (0) if (&User-Name) {
> >> >> >> >>> (0) if (&User-Name) -> TRUE
> >> >> >> >>> (0) if (&User-Name) {
> >> >> >> >>> (0) if (&User-Name =~ / /) {
> >> >> >> >>> (0) if (&User-Name =~ / /) -> FALSE
> >> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
> >> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> >> >> >> >>> (0) if (&User-Name =~ /\.\./ ) {
> >> >> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> >> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> >> >> >> /@(.+)\.(.+)$/)) {
> >> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> >> >> /@(.+)\.(.+)$/))
> >> >> >> >>> -> FALSE
> >> >> >> >>> (0) if (&User-Name =~ /\.$/) {
> >> >> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
> >> >> >> >>> (0) if (&User-Name =~ /@\./) {
> >> >> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
> >> >> >> >>> (0) } # if (&User-Name) = notfound
> >> >> >> >>> (0) } # policy filter_username = notfound
> >> >> >> >>> (0) [preprocess] = ok
> >> >> >> >>> (0) [chap] = noop
> >> >> >> >>> (0) [mschap] = noop
> >> >> >> >>> (0) [digest] = noop
> >> >> >> >>> (0) suffix: Checking for suffix after "@"
> >> >> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
> >> >> >> >>> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>>
> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>
> >>> >>> <>>
> >> mailto:
> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto
> :mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>
> >>> >>> >>>>
> >> <>>> mailto:
> >> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>>
> mailto:
> >> mailto:
> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
> mailto
> >> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>> <>>
> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto
> :mailto:user@mydomain.com>>> >>>
> >> >>> >>>> >"
> >> >> >> >>> (0) suffix: Found realm "mydomain.com"
> >> >> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
> >> >> >> >>> (0) suffix: Adding Realm = "mydomain.com"
> >> >> >> >>> (0) suffix: Authentication realm is LOCAL
> >> >> >> >>> (0) [suffix] = ok
> >> >> >> >>> (0) eap: No EAP-Message, not doing EAP
> >> >> >> >>> (0) [eap] = noop
> >> >> >> >>> (0) files: users: Matched entry DEFAULT at line 221
> >> >> >> >>> (0) [files] = ok
> >> >> >> >>> (0) [expiration] = noop
> >> >> >> >>> (0) [logintime] = noop
> >> >> >> >>> (0) pap: WARNING: No "known good" password found for the user.
> >> Not
> >> >> >> >>> setting Auth-Type
> >> >> >> >>> (0) pap: WARNING: Authentication will fail unless a "known
> good"
> >> >> >> password
> >> >> >> >>> is available
> >> >> >> >>> (0) [pap] = noop
> >> >> >> >>> (0) } # authorize = ok
> >> >> >> >>> (0) Found Auth-Type = pam
> >> >> >> >>> (0) # Executing group from file
> >> >> >> /etc/freeradius/3.0/sites-enabled/default
> >> >> >> >>> (0) authenticate {
> >> >> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> >> >> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication
> failure
> >> >> >> >>> (0) [pam] = reject
> >> >> >> >>> (0) } # authenticate = reject
> >> >> >> >>> (0) Failed to authenticate the user
> >> >> >> >>> (0) Using Post-Auth-Type Reject
> >> >> >> >>> (0) # Executing group from file
> >> >> >> /etc/freeradius/3.0/sites-enabled/default
> >> >> >> >>> (0) Post-Auth-Type REJECT {
> >> >> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
> >> >> >> >>> (0) attr_filter.access_reject: --> >>> >> >>
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >
> >> >> <>> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>
> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:
> user@mydomain.com>>> >>> >>>
> >> <mailto:
> >> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>>
> >>>> <mailto:
> >> >> >> >>> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>>
> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>
> >>> >>> <>>
> >> mailto:
> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto
> :mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>
> >>> >>> >>>> >
> >> >> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line
> 11
> >> >> >> >>> (0) [attr_filter.access_reject] = updated
> >> >> >> >>> (0) [eap] = noop
> >> >> >> >>> (0) policy remove_reply_message_if_eap {
> >> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> >> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) ->
> >> FALSE
> >> >> >> >>> (0) else {
> >> >> >> >>> (0) [noop] = noop
> >> >> >> >>> (0) } # else = noop
> >> >> >> >>> (0) } # policy remove_reply_message_if_eap = noop
> >> >> >> >>> (0) } # Post-Auth-Type REJECT = updated
> >> >> >> >>> (0) Delaying response for 1.000000 seconds
> >> >> >> >>> Waking up in 0.3 seconds.
> >> >> >> >>> Waking up in 0.6 seconds.
> >> >> >> >>> (0) Sending delayed response
> >> >> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
> >> >> 127.0.0.1:34793
> >> >> >> >>> length 20
> >> >> >> >>> Waking up in 3.9 seconds.
> >> >> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
> >> >> >> >>> Ready to process requests
> >> >> >> >>>
> >> >> >> >>>
> >> >> >> >>> 24. Avr 2018 16:40 de >>> >> >> >> aland@deployingradius.com
> <mailto:aland@deployingradius.com>
> >> <>> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> >>> <mailto:
> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>>
> <>> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> >>> >>>
> >> <mailto:
> >> >> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>>
> <>> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> >>>
> >> <>> >> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> <mailto:mailto:
> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> >>>
> >>>>
> >> >> <mailto:
> >> >> >> >>> >> >> >> aland@deployingradius.com <mailto:
> aland@deployingradius.com>>> <mailto:
> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>>
> <>> >> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>
> >> <>> mailto:mailto:aland@deployingradius.com <mailto:mailto:mailto:
> aland@deployingradius.com>>> >>> >>>
> >> >> <>> >> >> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> <mailto:mailto:
> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>>
> <mailto:mailto:
> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>>
> <>> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> >>> >>>
> >> >>>> >:
> >> >> >> >>>
> >> >> >> >>>
> >> >> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> <>>
> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >
> >> >> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <mailto:mailto:
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>>
> >> >>>> <mailto:
> >> >> >> >>> >> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>
> >> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>>
> >> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <mailto:mailto:
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>>
> >> >>>> >>
> >> >> >> > <> >>> >> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <mailto:
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>>
> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >
> >> >> <>> >> mailto:mailto:servernemesis@tutanota.com <mailto:mailto
> :mailto:servernemesis@tutanota.com>>> <mailto:mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> >>> >>>>
> >> >> >> <mailto:
> >> >> >> >>> >> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>
> >> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>>
> >> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <mailto:mailto:
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>>
> >> >>>> >>
> >> >> >> > wrote:
> >> >> >> >>> >>
> >> >> >> >>> >> My FR server is domain joined, and his krb5 realm is
> >> >> mydomain.com
> >> >> >> >>> >> I don't know where I could specify the domain for PAM.
> >> >> >> >>> >
> >> >> >> >>> > I didn't tell you to specify the domain for PAM.
> >> >> >> >>> >
> >> >> >> >>> >> I'm not sure what you mean by "If it doesn't know about the
> >> >> domain,
> >> >> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
> >> >> proxy.conf)."
> >> >> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
> >> >> >> >>> >
> >> >> >> >>> > You know you're on the FreeRADIUS mailing list, right?
> >> >> proxy.conf
> >> >> >> is
> >> >> >> >>> for FreeRADIUS, not PAM.
> >> >> >> >>> >
> >> >> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had
> meant
> >> to
> >> >> edit
> >> >> >> >>> that file, I would have told you to edit that file.
> >> >> >> >>> >
> >> >> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu)
> >> /etc/freeradius
> >> >> >> >>> directory. The proxy.conf file is there. Read it.
> >> >> >> >>> >
> >> >> >> >>> > Alan DeKok.
> >> >> >> >>> >
> >> >> >> >>> >
> >> >> >> >>> > -
> >> >> >> >>> > List info/subscribe/unsubscribe? See >
> >> >> >> >>> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>> <
> >> >> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>> >>>> <
> >> >> >> >>> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>> <
> >> >> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>> >>>> >
> >> >> >> >>> -
> >> >> >> >>> List info/subscribe/unsubscribe? See
> >> >> >> >>> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>> <
> >> >> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>> >
> >> >> >> >> -
> >> >> >> >> List info/subscribe/unsubscribe? See >>
> >> >> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>> <
> >> >> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>> >
> >> >> >> -
> >> >> >> List info/subscribe/unsubscribe? See
> >> >> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >
> >> >> > -
> >> >> > List info/subscribe/unsubscribe? See >
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >
> >> >> -
> >> >> List info/subscribe/unsubscribe? See
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >
> >> > -
> >> > List info/subscribe/unsubscribe? See >
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> > -
> > List info/subscribe/unsubscribe? See >
> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Here it is
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
#auth required /usr/local/lib/security/pam_google_authenticator.so
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
25. Avr 2018 15:26 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>:
> what is content of /etc/pam.d/ssh* files?
>
> Eero
>
> ke 25. huhtik. 2018 klo 13.29 <> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> > kirjoitti:
>
>> Ok, it's working with a local user I created, by just specifying the
>> google auth code, still don't know why it's not working with domain users...
>>
>> radtest ggg 494659 localhost 18120 testing123
>> Sent Access-Request Id 65 from 0.0.0.0:43805 to 127.0.0.1:1812 length 73
>> User-Name = "ggg"
>> User-Password = "494659"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 18120
>> Message-Authenticator = 0x00
>> Cleartext-Password = "494659"
>> Received Access-Accept Id 65 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
>>
>> 25. Avr 2018 10:11 de >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>
>> >:
>>
>>
>> > please, give example of your radtest command.
>> >
>> > Eero
>> >
>> > ke 25. huhtik. 2018 klo 11.02 <> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> > kirjoitti:
>> >
>> >> I'm using the radtest command on localhost with the secret testing123
>> >> (double checked)
>> >>
>> >> 25. Avr 2018 09:55 de >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <>> >> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> <mailto:mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >
>> >> >:
>> >>
>> >>
>> >> > well. radius secret can be wrong also for your client.
>> >> >
>> >> > radius secret is in client.conf and its tied to client ip address.
>> check
>> >> it
>> >> > out and test again.
>> >> >
>> >> > anyway. in your config you need use only google code, not password.
>> >> >
>> >> > Eero
>> >> >
>> >> > ke 25. huhtik. 2018 klo 10.49 <> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >> >
>> kirjoitti:
>> >> >
>> >> >> Hello,
>> >> >>
>> >> >> No because if I login with SSH, it works :
>> >> >>
>> >> >> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]:
>> >> >> Accepted google_authenticator for user
>> >> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user
>> >> from
>> >> >> 192.168.50.68 port 50020 ssh2
>> >> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session):
>> >> session
>> >> >> opened for user user by (uid=0)
>> >> >> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of
>> >> user
>> >> >> user.
>> >> >>
>> >> >> I don't get why it's not working with the radius...
>> >> >>
>> >> >> 25. Avr 2018 09:46 de >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <mailto:
>> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>> >>> <>> >>
>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> <>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>> >>>
>> <mailto:mailto:
>> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>> >
>> >> >> >:
>> >> >>
>> >> >>
>> >> >> > It means that code is wrong? is the server using ntp and clock is
>> sync
>> >> >> and
>> >> >> > mobile is in sync.
>> >> >> >
>> >> >> > Try following: log into user. delete .google* file from user home
>> >> >> directory.
>> >> >> >
>> >> >> > run google-authenticator without params and select time based
>> >> token/auth
>> >> >> > and add new authenticator code to google auth in phone
>> >> >> >
>> >> >> > Eero
>> >> >> >
>> >> >> > ke 25. huhtik. 2018 klo 10.39 <> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >
>> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> <mailto:
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >> >
>> >> kirjoitti:
>> >> >> >
>> >> >> >> PS : If I disable the domain suffix for the users on the server
>> >> (being
>> >> >> >> able to login with just "user"), I get
>> >> >> >>
>> >> >> >> Apr 25 09:27:42 SRV-FREERADIUS
>> >> radiusd(pam_google_authenticator)[1661]:
>> >> >> >> Invalid verification code for user
>> >> >> >>
>> >> >> >>
>> >> >> >> 25. Avr 2018 09:15 de >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <mailto:
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>>
>> >> <mailto:
>> >> >> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >>> >:
>> >> >> >>
>> >> >> >>
>> >> >> >> > I tried
>> >> >> >> >
>> >> >> >> > #
>> >> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>> >> >> >> > #
>> >> >> >> >
>> >> >> >> > # We fall back to the system default in /etc/pam.d/common-*
>> >> >> >> > #
>> >> >> >> >
>> >> >> >> > #@include common-auth
>> >> >> >> > #@include common-account
>> >> >> >> > #@include common-password
>> >> >> >> > #@include common-session
>> >> >> >> > auth required
>> /usr/local/lib/security/pam_google_authenticator.so
>> >> >> >> >
>> >> >> >> > and
>> >> >> >> >
>> >> >> >> > #
>> >> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>> >> >> >> > #
>> >> >> >> >
>> >> >> >> > # We fall back to the system default in /etc/pam.d/common-*
>> >> >> >> > #
>> >> >> >> >
>> >> >> >> > #@include common-auth
>> >> >> >> > #@include common-account
>> >> >> >> > #@include common-password
>> >> >> >> > #@include common-session
>> >> >> >> > auth requisite
>> /usr/local/lib/security/pam_google_authenticator.so
>> >> >> >> forward_pass
>> >> >> >> > auth required pam_unix.so use_first_pass
>> >> >> >> >
>> >> >> >> > In both cases :
>> >> >> >> >
>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> >> >> radiusd(pam_google_authenticator)[6847]:
>> >> >> >> user("user") not found
>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> >> >> radiusd(pam_google_authenticator)[6847]:
>> >> >> >> No secret configured for user user, asking for code anyway.
>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>> >> >> radiusd(pam_google_authenticator)[6847]:
>> >> >> >> Invalid verification code for user
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > 24. Avr 2018 19:21 de > >> >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <mailto:
>> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>> >>> <mailto:
>> >> >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>> <>>
>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> <>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>> >>> >>>
>> >>> <mailto:
>> >> >> >> >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>>
>> <>> >> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> <>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>> >>>
>> >>> <>>
>> >> >> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> <>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>> >>>
>> <>> >> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>> <mailto:mailto:mailto:
>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> >>> >>>
>> >> >> :
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >> You need to enable pam logging on google authenticator.
>> >> >> >> >>
>> >> >> >> >> what is content of /etc/pam.d/radiusd ?
>> >> >> >> >>
>> >> >> >> >> Eero
>> >> >> >> >>
>> >> >> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> >>
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> <>>
>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >
>> >> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >>> <mailto:
>> >> >> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >>> >>> >
>> >> >> kirjoitti:
>> >> >> >> >>
>> >> >> >> >>> Thanks, it looks better but it's still failing :
>> >> >> >> >>>
>> >> >> >> >>> Ready to process requests
>> >> >> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
>> >> >> >> 127.0.0.1:1812
>> >> >> >> >>> length 92
>> >> >> >> >>> (0) User-Name = ">>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> <mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> <mailto:
>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>> <>> >>
>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <mailto:
>> mailto:
>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>> >>>>
>> >> >> >> <>>> >> >> >> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> <>> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <mailto:mailto
>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>> >>> >>>
>> >> <>> >> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <mailto:mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> <mailto:mailto:mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> >>>
>> >> >> <>> >> >> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <mailto:mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> <mailto:mailto:mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>> <mailto:mailto
>> :mailto:
>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>> >>>> >"
>> >> >> >> >>> (0) User-Password = "password123456"
>> >> >> >> >>> (0) NAS-IP-Address = 127.0.1.1
>> >> >> >> >>> (0) NAS-Port = 18120
>> >> >> >> >>> (0) Message-Authenticator =
>> 0xd028fefb31c1de33ebec1d53011953ce
>> >> >> >> >>> (0) # Executing section authorize from file
>> >> >> >> >>> /etc/freeradius/3.0/sites-enabled/default
>> >> >> >> >>> (0) authorize {
>> >> >> >> >>> (0) policy filter_username {
>> >> >> >> >>> (0) if (&User-Name) {
>> >> >> >> >>> (0) if (&User-Name) -> TRUE
>> >> >> >> >>> (0) if (&User-Name) {
>> >> >> >> >>> (0) if (&User-Name =~ / /) {
>> >> >> >> >>> (0) if (&User-Name =~ / /) -> FALSE
>> >> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>> >> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>> >> >> >> >>> (0) if (&User-Name =~ /\.\./ ) {
>> >> >> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>> >> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> >> >> >> /@(.+)\.(.+)$/)) {
>> >> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> >> >> /@(.+)\.(.+)$/))
>> >> >> >> >>> -> FALSE
>> >> >> >> >>> (0) if (&User-Name =~ /\.$/) {
>> >> >> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
>> >> >> >> >>> (0) if (&User-Name =~ /@\./) {
>> >> >> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
>> >> >> >> >>> (0) } # if (&User-Name) = notfound
>> >> >> >> >>> (0) } # policy filter_username = notfound
>> >> >> >> >>> (0) [preprocess] = ok
>> >> >> >> >>> (0) [chap] = noop
>> >> >> >> >>> (0) [mschap] = noop
>> >> >> >> >>> (0) [digest] = noop
>> >> >> >> >>> (0) suffix: Checking for suffix after "@"
>> >> >> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
>> >> >> >> >>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>>
>> >> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> <>>
>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>> >>>
>> >>> >>> <>>
>> >> mailto:
>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>> mailto:
>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto
>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>> >>>
>> >>> >>> >>>>
>> >> <>>> mailto:
>> >> >> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>> <>>
>> mailto:
>> >> mailto:
>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>> mailto:
>> mailto
>> >> >> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>> <>> mailto::mailto:user@mydomain.com <mailto:mailto::mailto:user@mydomain.com>>> >>> <>>
>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>> <mailto:mailto:mailto:mailto
>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>> >>> >>>
>> >> >>> >>>> >"
>> >> >> >> >>> (0) suffix: Found realm "mydomain.com"
>> >> >> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
>> >> >> >> >>> (0) suffix: Adding Realm = "mydomain.com"
>> >> >> >> >>> (0) suffix: Authentication realm is LOCAL
>> >> >> >> >>> (0) [suffix] = ok
>> >> >> >> >>> (0) eap: No EAP-Message, not doing EAP
>> >> >> >> >>> (0) [eap] = noop
>> >> >> >> >>> (0) files: users: Matched entry DEFAULT at line 221
>> >> >> >> >>> (0) [files] = ok
>> >> >> >> >>> (0) [expiration] = noop
>> >> >> >> >>> (0) [logintime] = noop
>> >> >> >> >>> (0) pap: WARNING: No "known good" password found for the user.
>> >> Not
>> >> >> >> >>> setting Auth-Type
>> >> >> >> >>> (0) pap: WARNING: Authentication will fail unless a "known
>> good"
>> >> >> >> password
>> >> >> >> >>> is available
>> >> >> >> >>> (0) [pap] = noop
>> >> >> >> >>> (0) } # authorize = ok
>> >> >> >> >>> (0) Found Auth-Type = pam
>> >> >> >> >>> (0) # Executing group from file
>> >> >> >> /etc/freeradius/3.0/sites-enabled/default
>> >> >> >> >>> (0) authenticate {
>> >> >> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>> >> >> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication
>> failure
>> >> >> >> >>> (0) [pam] = reject
>> >> >> >> >>> (0) } # authenticate = reject
>> >> >> >> >>> (0) Failed to authenticate the user
>> >> >> >> >>> (0) Using Post-Auth-Type Reject
>> >> >> >> >>> (0) # Executing group from file
>> >> >> >> /etc/freeradius/3.0/sites-enabled/default
>> >> >> >> >>> (0) Post-Auth-Type REJECT {
>> >> >> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
>> >> >> >> >>> (0) attr_filter.access_reject: --> >>> >> >>
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >
>> >> >> <>> >> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>>
>> <>> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <mailto:mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> >>> >>> >>>
>> >> <mailto:
>> >> >> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>> >>> >>> >>>
>> >>>> <mailto:
>> >> >> >> >>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>>
>> >> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> <>>
>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>> >>>
>> >>> >>> <>>
>> >> mailto:
>> >> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
>> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>> <>> mailto:
>> mailto:
>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:mailto
>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>> <>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>> >>>
>> >>> >>> >>>> >
>> >> >> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line
>> 11
>> >> >> >> >>> (0) [attr_filter.access_reject] = updated
>> >> >> >> >>> (0) [eap] = noop
>> >> >> >> >>> (0) policy remove_reply_message_if_eap {
>> >> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>> >> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) ->
>> >> FALSE
>> >> >> >> >>> (0) else {
>> >> >> >> >>> (0) [noop] = noop
>> >> >> >> >>> (0) } # else = noop
>> >> >> >> >>> (0) } # policy remove_reply_message_if_eap = noop
>> >> >> >> >>> (0) } # Post-Auth-Type REJECT = updated
>> >> >> >> >>> (0) Delaying response for 1.000000 seconds
>> >> >> >> >>> Waking up in 0.3 seconds.
>> >> >> >> >>> Waking up in 0.6 seconds.
>> >> >> >> >>> (0) Sending delayed response
>> >> >> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
>> >> >> 127.0.0.1:34793
>> >> >> >> >>> length 20
>> >> >> >> >>> Waking up in 3.9 seconds.
>> >> >> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
>> >> >> >> >>> Ready to process requests
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>> 24. Avr 2018 16:40 de >>> >> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>
>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >
>> >> <>> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> >>> <mailto:
>> >> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>>
>> <>> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> >>> >>>
>> >> <mailto:
>> >> >> >> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>>
>> <>> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> >>>
>> >> <>> >> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> <mailto:mailto:
>> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>> >>> >>>
>> >>>>
>> >> >> <mailto:
>> >> >> >> >>> >> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> <mailto:
>> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>> >>>
>> <>> >> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >
>> >> <>> >> mailto:mailto:aland@deployingradius.com <mailto:mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> >>> >>>
>> >> >> <>> >> >> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> <mailto:mailto:
>> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>> >>>
>> <mailto:mailto:
>> >> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> >>>
>> <>> >> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>> <mailto:mailto:
>> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>> >>> >>>
>> >> >>>> >:
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> <>>
>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>> >
>> >> >> >> <>> >> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <mailto:mailto:
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>>
>> >> >>>> <mailto:
>> >> >> >> >>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >
>> >> <>> >> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>>
>> >> >> <>> >> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <mailto:mailto:
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>>
>> >> >>>> >>
>> >> >> >> > <> >>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <mailto:
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>>
>> >> <>> >> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >
>> >> >> <>> >> >> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto
>> :mailto:servernemesis@tutanota.com <mailto::mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> >>> >>>>
>> >> >> >> <mailto:
>> >> >> >> >>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <>> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >
>> >> <>> >> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>>
>> >> >> <>> >> >> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> <mailto:mailto:
>> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>> >>>
>> <mailto:mailto:
>> >> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> >>>
>> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>> <mailto:mailto:
>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>> >>> >>>
>> >> >>>> >>
>> >> >> >> > wrote:
>> >> >> >> >>> >>
>> >> >> >> >>> >> My FR server is domain joined, and his krb5 realm is
>> >> >> mydomain.com
>> >> >> >> >>> >> I don't know where I could specify the domain for PAM.
>> >> >> >> >>> >
>> >> >> >> >>> > I didn't tell you to specify the domain for PAM.
>> >> >> >> >>> >
>> >> >> >> >>> >> I'm not sure what you mean by "If it doesn't know about the
>> >> >> domain,
>> >> >> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
>> >> >> proxy.conf)."
>> >> >> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
>> >> >> >> >>> >
>> >> >> >> >>> > You know you're on the FreeRADIUS mailing list, right?
>> >> >> proxy.conf
>> >> >> >> is
>> >> >> >> >>> for FreeRADIUS, not PAM.
>> >> >> >> >>> >
>> >> >> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had
>> meant
>> >> to
>> >> >> edit
>> >> >> >> >>> that file, I would have told you to edit that file.
>> >> >> >> >>> >
>> >> >> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu)
>> >> /etc/freeradius
>> >> >> >> >>> directory. The proxy.conf file is there. Read it.
>> >> >> >> >>> >
>> >> >> >> >>> > Alan DeKok.
>> >> >> >> >>> >
>> >> >> >> >>> >
>> >> >> >> >>> > -
>> >> >> >> >>> > List info/subscribe/unsubscribe? See >
>> >> >> >> >>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>> <
>> >> >> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>> >>>> <
>> >> >> >> >>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>> <
>> >> >> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>> >>>> >
>> >> >> >> >>> -
>> >> >> >> >>> List info/subscribe/unsubscribe? See
>> >> >> >> >>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>> <
>> >> >> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>> >
>> >> >> >> >> -
>> >> >> >> >> List info/subscribe/unsubscribe? See >>
>> >> >> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>> <
>> >> >> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >>> >
>> >> >> >> -
>> >> >> >> List info/subscribe/unsubscribe? See
>> >> >> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >
>> >> >> > -
>> >> >> > List info/subscribe/unsubscribe? See >
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> <
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >>> >
>> >> >> -
>> >> >> List info/subscribe/unsubscribe? See
>> >> >> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >
>> >> > -
>> >> > List info/subscribe/unsubscribe? See >
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> <
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >>> >
>> >> -
>> >> List info/subscribe/unsubscribe? See
>> >> >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> > -
>> > List info/subscribe/unsubscribe? See >
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> <
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
Since the problem is related to AD <-> freeradius, do you think I should follow the guidelines of the chapter "Installation of FreeRADIUS"
in https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto <https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto> ?
for example :
clients.confmods-available/mschapmods-available/eapusers
25. Avr 2018 16:26 de servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>:
> Here it is
>
> # PAM configuration for the Secure Shell service
>
> # Standard Un*x authentication.
> @include common-auth
> #auth required /usr/local/lib/security/pam_google_authenticator.so
>
> # Disallow non-root logins when /etc/nologin exists.
> account required pam_nologin.so
>
> # Uncomment and edit /etc/security/access.conf if you need to set complex
> # access limits that are hard to express in sshd_config.
> # account required pam_access.so
>
> # Standard Un*x authorization.
> @include common-account
>
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible that a
> # module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>
> # Set the loginuid process attribute.
> session required pam_loginuid.so
>
> # Create a new session keyring.
> session optional pam_keyinit.so force revoke
>
> # Standard Un*x session setup and teardown.
> @include common-session
>
> # Print the message of the day upon successful login.
> # This includes a dynamically generated part from /run/motd.dynamic
> # and a static (admin-editable) part from /etc/motd.
> session optional pam_motd.so motd=/run/motd.dynamic
> session optional pam_motd.so noupdate
>
> # Print the status of the user's mailbox upon successful login.
> session optional pam_mail.so standard noenv # [1]
>
> # Set up user limits from /etc/security/limits.conf.
> session required pam_limits.so
>
> # Read environment variables from /etc/environment and
> # /etc/security/pam_env.conf.
> session required pam_env.so # [1]
> # In Debian 4.0 (etch), locale-related environment variables were moved to
> # /etc/default/locale, so read that as well.
> session required pam_env.so user_readenv=1 envfile=/etc/default/locale
>
> # SELinux needs to intervene at login time to ensure that the process starts
> # in the proper default security context. Only sessions which are intended
> # to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>
> # Standard Un*x password updating.
> @include common-password
>
>
> 25. Avr 2018 15:26 de > eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>> :
>
>
>> what is content of /etc/pam.d/ssh* files?
>>
>> Eero
>>
>> ke 25. huhtik. 2018 klo 13.29 <>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> > kirjoitti:
>>
>>> Ok, it's working with a local user I created, by just specifying the
>>> google auth code, still don't know why it's not working with domain users...
>>>
>>> radtest ggg 494659 localhost 18120 testing123
>>> Sent Access-Request Id 65 from 0.0.0.0:43805 to 127.0.0.1:1812 length 73
>>> User-Name = "ggg"
>>> User-Password = "494659"
>>> NAS-IP-Address = 127.0.1.1
>>> NAS-Port = 18120
>>> Message-Authenticator = 0x00
>>> Cleartext-Password = "494659"
>>> Received Access-Accept Id 65 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
>>>
>>> 25. Avr 2018 10:11 de >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>
>>> >:
>>>
>>>
>>> > please, give example of your radtest command.
>>> >
>>> > Eero
>>> >
>>> > ke 25. huhtik. 2018 klo 11.02 <> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >> > kirjoitti:
>>> >
>>> >> I'm using the radtest command on localhost with the secret testing123
>>> >> (double checked)
>>> >>
>>> >> 25. Avr 2018 09:55 de >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <mailto:
>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> >>> <>> >>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> <mailto:mailto:
>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> >
>>> >> >:
>>> >>
>>> >>
>>> >> > well. radius secret can be wrong also for your client.
>>> >> >
>>> >> > radius secret is in client.conf and its tied to client ip address.
>>> check
>>> >> it
>>> >> > out and test again.
>>> >> >
>>> >> > anyway. in your config you need use only google code, not password.
>>> >> >
>>> >> > Eero
>>> >> >
>>> >> > ke 25. huhtik. 2018 klo 10.49 <> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> <mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >> >
>>> kirjoitti:
>>> >> >
>>> >> >> Hello,
>>> >> >>
>>> >> >> No because if I login with SSH, it works :
>>> >> >>
>>> >> >> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]:
>>> >> >> Accepted google_authenticator for user
>>> >> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user
>>> >> from
>>> >> >> 192.168.50.68 port 50020 ssh2
>>> >> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session):
>>> >> session
>>> >> >> opened for user user by (uid=0)
>>> >> >> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of
>>> >> user
>>> >> >> user.
>>> >> >>
>>> >> >> I don't get why it's not working with the radius...
>>> >> >>
>>> >> >> 25. Avr 2018 09:46 de >> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <mailto:
>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> >>> <mailto:
>>> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> >>> >>> <>> >>
>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> <>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>>> >>>
>>> <mailto:mailto:
>>> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> >>> >
>>> >> >> >:
>>> >> >>
>>> >> >>
>>> >> >> > It means that code is wrong? is the server using ntp and clock is
>>> sync
>>> >> >> and
>>> >> >> > mobile is in sync.
>>> >> >> >
>>> >> >> > Try following: log into user. delete .google* file from user home
>>> >> >> directory.
>>> >> >> >
>>> >> >> > run google-authenticator without params and select time based
>>> >> token/auth
>>> >> >> > and add new authenticator code to google auth in phone
>>> >> >> >
>>> >> >> > Eero
>>> >> >> >
>>> >> >> > ke 25. huhtik. 2018 klo 10.39 <> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >
>>> >> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >>> <mailto:
>>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>>
>>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >>> >> >
>>> >> kirjoitti:
>>> >> >> >
>>> >> >> >> PS : If I disable the domain suffix for the users on the server
>>> >> (being
>>> >> >> >> able to login with just "user"), I get
>>> >> >> >>
>>> >> >> >> Apr 25 09:27:42 SRV-FREERADIUS
>>> >> radiusd(pam_google_authenticator)[1661]:
>>> >> >> >> Invalid verification code for user
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> 25. Avr 2018 09:15 de >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> <mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> <mailto:
>>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>>
>>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >>> >>>
>>> >> <mailto:
>>> >> >> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>>> <>>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> >> <>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> >>> >:
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> > I tried
>>> >> >> >> >
>>> >> >> >> > #
>>> >> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>>> >> >> >> > #
>>> >> >> >> >
>>> >> >> >> > # We fall back to the system default in /etc/pam.d/common-*
>>> >> >> >> > #
>>> >> >> >> >
>>> >> >> >> > #@include common-auth
>>> >> >> >> > #@include common-account
>>> >> >> >> > #@include common-password
>>> >> >> >> > #@include common-session
>>> >> >> >> > auth required
>>> /usr/local/lib/security/pam_google_authenticator.so
>>> >> >> >> >
>>> >> >> >> > and
>>> >> >> >> >
>>> >> >> >> > #
>>> >> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>>> >> >> >> > #
>>> >> >> >> >
>>> >> >> >> > # We fall back to the system default in /etc/pam.d/common-*
>>> >> >> >> > #
>>> >> >> >> >
>>> >> >> >> > #@include common-auth
>>> >> >> >> > #@include common-account
>>> >> >> >> > #@include common-password
>>> >> >> >> > #@include common-session
>>> >> >> >> > auth requisite
>>> /usr/local/lib/security/pam_google_authenticator.so
>>> >> >> >> forward_pass
>>> >> >> >> > auth required pam_unix.so use_first_pass
>>> >> >> >> >
>>> >> >> >> > In both cases :
>>> >> >> >> >
>>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>>> >> >> radiusd(pam_google_authenticator)[6847]:
>>> >> >> >> user("user") not found
>>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>>> >> >> radiusd(pam_google_authenticator)[6847]:
>>> >> >> >> No secret configured for user user, asking for code anyway.
>>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>>> >> >> radiusd(pam_google_authenticator)[6847]:
>>> >> >> >> Invalid verification code for user
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> > 24. Avr 2018 19:21 de > >> >> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <mailto:
>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> >>> <mailto:
>>> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> >>> >>> <mailto:
>>> >> >> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> >>> <>>
>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> <>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>>> >>> >>>
>>> >>> <mailto:
>>> >> >> >> >> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> >>>
>>> <>> >>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> <>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>>> >>>
>>> >>> <>>
>>> >> >>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> <>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>>> >>>
>>> <>> >>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>>> <mailto:mailto:mailto:
>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> >>> >>> >>>
>>> >> >> :
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >> You need to enable pam logging on google authenticator.
>>> >> >> >> >>
>>> >> >> >> >> what is content of /etc/pam.d/radiusd ?
>>> >> >> >> >>
>>> >> >> >> >> Eero
>>> >> >> >> >>
>>> >> >> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> >>
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> <>>
>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >
>>> >> >> <>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> >>> <mailto:
>>> >> >> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>>> <>>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> >> <>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> >>> >>> >
>>> >> >> kirjoitti:
>>> >> >> >> >>
>>> >> >> >> >>> Thanks, it looks better but it's still failing :
>>> >> >> >> >>>
>>> >> >> >> >>> Ready to process requests
>>> >> >> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
>>> >> >> >> 127.0.0.1:1812
>>> >> >> >> >>> length 92
>>> >> >> >> >>> (0) User-Name = ">>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> >>> <mailto:
>>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> >>> <mailto:
>>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> >>> <>> >>
>>> mailto:
>>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> <mailto:
>>> mailto:
>>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> >>> >>>>
>>> >> >> >> <>>> >> >> >> >>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> <mailto:mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> >>> <>> >>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> <mailto:mailto
>>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>> >>> >>>
>>> >> <>> >> >>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> <mailto:mailto:mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> >>> <mailto:mailto:mailto:
>>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> >>> >>>
>>> >> >> <>> >> >> >>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> <mailto:mailto:mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> >>> <mailto:mailto:mailto:
>>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> >>> <mailto:mailto
>>> :mailto:
>>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> >>> >>>> >"
>>> >> >> >> >>> (0) User-Password = "password123456"
>>> >> >> >> >>> (0) NAS-IP-Address = 127.0.1.1
>>> >> >> >> >>> (0) NAS-Port = 18120
>>> >> >> >> >>> (0) Message-Authenticator =
>>> 0xd028fefb31c1de33ebec1d53011953ce
>>> >> >> >> >>> (0) # Executing section authorize from file
>>> >> >> >> >>> /etc/freeradius/3.0/sites-enabled/default
>>> >> >> >> >>> (0) authorize {
>>> >> >> >> >>> (0) policy filter_username {
>>> >> >> >> >>> (0) if (&User-Name) {
>>> >> >> >> >>> (0) if (&User-Name) -> TRUE
>>> >> >> >> >>> (0) if (&User-Name) {
>>> >> >> >> >>> (0) if (&User-Name =~ / /) {
>>> >> >> >> >>> (0) if (&User-Name =~ / /) -> FALSE
>>> >> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>>> >> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>>> >> >> >> >>> (0) if (&User-Name =~ /\.\./ ) {
>>> >> >> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>>> >> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>>> >> >> >> /@(.+)\.(.+)$/)) {
>>> >> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>>> >> >> /@(.+)\.(.+)$/))
>>> >> >> >> >>> -> FALSE
>>> >> >> >> >>> (0) if (&User-Name =~ /\.$/) {
>>> >> >> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
>>> >> >> >> >>> (0) if (&User-Name =~ /@\./) {
>>> >> >> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
>>> >> >> >> >>> (0) } # if (&User-Name) = notfound
>>> >> >> >> >>> (0) } # policy filter_username = notfound
>>> >> >> >> >>> (0) [preprocess] = ok
>>> >> >> >> >>> (0) [chap] = noop
>>> >> >> >> >>> (0) [mschap] = noop
>>> >> >> >> >>> (0) [digest] = noop
>>> >> >> >> >>> (0) suffix: Checking for suffix after "@"
>>> >> >> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
>>> >> >> >> >>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>>
>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> <>>
>>> >> >>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> <>>
>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> <>>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>> >>>
>>> >>> >>> <>>
>>> >> mailto:
>>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> <>> mailto:
>>> mailto:
>>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:mailto
>>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>> <>>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>>> >>>
>>> >>> >>> >>>>
>>> >> <>>> mailto:
>>> >> >> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> <>> mailto:
>>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> >>> <>>
>>> mailto:
>>> >> mailto:
>>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> <>> mailto:
>>> mailto
>>> >> >>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>> <>>> mailto::mailto:user@mydomain.com <mailto:mailto::mailto:user@mydomain.com>>>> >>> <>>
>>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>>> <mailto:mailto:mailto:mailto
>>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>> >>> >>>
>>> >> >>> >>>> >"
>>> >> >> >> >>> (0) suffix: Found realm "mydomain.com"
>>> >> >> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
>>> >> >> >> >>> (0) suffix: Adding Realm = "mydomain.com"
>>> >> >> >> >>> (0) suffix: Authentication realm is LOCAL
>>> >> >> >> >>> (0) [suffix] = ok
>>> >> >> >> >>> (0) eap: No EAP-Message, not doing EAP
>>> >> >> >> >>> (0) [eap] = noop
>>> >> >> >> >>> (0) files: users: Matched entry DEFAULT at line 221
>>> >> >> >> >>> (0) [files] = ok
>>> >> >> >> >>> (0) [expiration] = noop
>>> >> >> >> >>> (0) [logintime] = noop
>>> >> >> >> >>> (0) pap: WARNING: No "known good" password found for the user.
>>> >> Not
>>> >> >> >> >>> setting Auth-Type
>>> >> >> >> >>> (0) pap: WARNING: Authentication will fail unless a "known
>>> good"
>>> >> >> >> password
>>> >> >> >> >>> is available
>>> >> >> >> >>> (0) [pap] = noop
>>> >> >> >> >>> (0) } # authorize = ok
>>> >> >> >> >>> (0) Found Auth-Type = pam
>>> >> >> >> >>> (0) # Executing group from file
>>> >> >> >> /etc/freeradius/3.0/sites-enabled/default
>>> >> >> >> >>> (0) authenticate {
>>> >> >> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>>> >> >> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication
>>> failure
>>> >> >> >> >>> (0) [pam] = reject
>>> >> >> >> >>> (0) } # authenticate = reject
>>> >> >> >> >>> (0) Failed to authenticate the user
>>> >> >> >> >>> (0) Using Post-Auth-Type Reject
>>> >> >> >> >>> (0) # Executing group from file
>>> >> >> >> /etc/freeradius/3.0/sites-enabled/default
>>> >> >> >> >>> (0) Post-Auth-Type REJECT {
>>> >> >> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
>>> >> >> >> >>> (0) attr_filter.access_reject: --> >>> >> >>
>>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >
>>> >> >> <>> >> >>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>>
>>> <>> >>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> <mailto:mailto:mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> >>> >>> >>>
>>> >> <mailto:
>>> >> >> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> <>> mailto:
>>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> >>>
>>> >>>> <mailto:
>>> >> >> >> >>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>>
>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> <>>
>>> >> >>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> <>>
>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> <>>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>> >>>
>>> >>> >>> <>>
>>> >> mailto:
>>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
>>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> <>> mailto:
>>> mailto:
>>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:mailto
>>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>> <>>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>>> >>>
>>> >>> >>> >>>> >
>>> >> >> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line
>>> 11
>>> >> >> >> >>> (0) [attr_filter.access_reject] = updated
>>> >> >> >> >>> (0) [eap] = noop
>>> >> >> >> >>> (0) policy remove_reply_message_if_eap {
>>> >> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>>> >> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) ->
>>> >> FALSE
>>> >> >> >> >>> (0) else {
>>> >> >> >> >>> (0) [noop] = noop
>>> >> >> >> >>> (0) } # else = noop
>>> >> >> >> >>> (0) } # policy remove_reply_message_if_eap = noop
>>> >> >> >> >>> (0) } # Post-Auth-Type REJECT = updated
>>> >> >> >> >>> (0) Delaying response for 1.000000 seconds
>>> >> >> >> >>> Waking up in 0.3 seconds.
>>> >> >> >> >>> Waking up in 0.6 seconds.
>>> >> >> >> >>> (0) Sending delayed response
>>> >> >> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
>>> >> >> 127.0.0.1:34793
>>> >> >> >> >>> length 20
>>> >> >> >> >>> Waking up in 3.9 seconds.
>>> >> >> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
>>> >> >> >> >>> Ready to process requests
>>> >> >> >> >>>
>>> >> >> >> >>>
>>> >> >> >> >>> 24. Avr 2018 16:40 de >>> >> >> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>
>>> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> >
>>> >> <>> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> <mailto:mailto:
>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>> >>> <mailto:
>>> >> >> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> >>>
>>> <>> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> <mailto:mailto:
>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>> >>> >>>
>>> >> <mailto:
>>> >> >> >> >> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> >>>
>>> <>> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> <mailto:mailto:
>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>> >>>
>>> >> <>> >> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> <mailto:mailto:
>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>> <mailto:mailto:
>>> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> >>> >>> >>>
>>> >>>>
>>> >> >> <mailto:
>>> >> >> >> >>> >> >> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> <mailto:
>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>> <mailto:
>>> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> >>> >>>
>>> <>> >> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> <mailto:mailto:
>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >
>>> >> <>> >>> mailto:mailto:aland@deployingradius.com <mailto:mailto:mailto:aland@deployingradius.com>>>> <mailto:mailto:mailto:
>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>> >>> >>>
>>> >> >> <>> >> >> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> <mailto:mailto:
>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>> <mailto:mailto:
>>> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> >>> >>>
>>> <mailto:mailto:
>>> >> >> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> >>>
>>> <>> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>> <mailto:mailto:
>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>> >>> >>>
>>> >> >>>> >:
>>> >> >> >> >>>
>>> >> >> >> >>>
>>> >> >> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
>>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>>
>>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >>> <>>
>>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>> >
>>> >> >> >> <>> >> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> <mailto:mailto:
>>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>>
>>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >>> >>>
>>> >> >>>> <mailto:
>>> >> >> >> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> <>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >
>>> >> <>> >>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >>> >>>
>>> >> >> <>> >> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> <mailto:mailto:
>>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>>
>>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >>> >>>
>>> >> >>>> >>
>>> >> >> >> > <> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> <mailto:
>>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>>
>>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >>> >>>
>>> >> <>> >> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >
>>> >> >> <>> >> >>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto
>>> :mailto:servernemesis@tutanota.com <mailto::mailto:servernemesis@tutanota.com>>>> >>> <mailto:mailto:mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> >>> >>>>
>>> >> >> >> <mailto:
>>> >> >> >> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> <>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >
>>> >> <>> >>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >>> >>>
>>> >> >> <>> >> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> <mailto:mailto:
>>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>> >>>
>>> <mailto:mailto:
>>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> >>>
>>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>> >>> >>>
>>> >> >>>> >>
>>> >> >> >> > wrote:
>>> >> >> >> >>> >>
>>> >> >> >> >>> >> My FR server is domain joined, and his krb5 realm is
>>> >> >> mydomain.com
>>> >> >> >> >>> >> I don't know where I could specify the domain for PAM.
>>> >> >> >> >>> >
>>> >> >> >> >>> > I didn't tell you to specify the domain for PAM.
>>> >> >> >> >>> >
>>> >> >> >> >>> >> I'm not sure what you mean by "If it doesn't know about the
>>> >> >> domain,
>>> >> >> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
>>> >> >> proxy.conf)."
>>> >> >> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
>>> >> >> >> >>> >
>>> >> >> >> >>> > You know you're on the FreeRADIUS mailing list, right?
>>> >> >> proxy.conf
>>> >> >> >> is
>>> >> >> >> >>> for FreeRADIUS, not PAM.
>>> >> >> >> >>> >
>>> >> >> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had
>>> meant
>>> >> to
>>> >> >> edit
>>> >> >> >> >>> that file, I would have told you to edit that file.
>>> >> >> >> >>> >
>>> >> >> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu)
>>> >> /etc/freeradius
>>> >> >> >> >>> directory. The proxy.conf file is there. Read it.
>>> >> >> >> >>> >
>>> >> >> >> >>> > Alan DeKok.
>>> >> >> >> >>> >
>>> >> >> >> >>> >
>>> >> >> >> >>> > -
>>> >> >> >> >>> > List info/subscribe/unsubscribe? See >
>>> >> >> >> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> <
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> >>> <
>>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> <
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> >>> >>>> <
>>> >> >> >> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> <
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> >>> <
>>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> <
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> >>> >>>> >
>>> >> >> >> >>> -
>>> >> >> >> >>> List info/subscribe/unsubscribe? See
>>> >> >> >> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> <
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> >>> <
>>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> <
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> >>> >
>>> >> >> >> >> -
>>> >> >> >> >> List info/subscribe/unsubscribe? See >>
>>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> <
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> >>> <
>>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> <
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> >>> >
>>> >> >> >> -
>>> >> >> >> List info/subscribe/unsubscribe? See
>>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> <
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> >
>>> >> >> > -
>>> >> >> > List info/subscribe/unsubscribe? See >
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> <
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >>> >
>>> >> >> -
>>> >> >> List info/subscribe/unsubscribe? See
>>> >> >> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >
>>> >> > -
>>> >> > List info/subscribe/unsubscribe? See >
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> <
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >>> >
>>> >> -
>>> >> List info/subscribe/unsubscribe? See
>>> >> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >
>>> > -
>>> > List info/subscribe/unsubscribe? See >
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> <
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>> >
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
>> -
>> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
Well. Hard to say. I used winbind to integrate Linux with AD box on RHEL
6/7. It was trivial task using provided tools.
Eero
On Wed, Apr 25, 2018 at 5:32 PM, <servernemesis@tutanota.com> wrote:
> Since the problem is related to AD <-> freeradius, do you think I should
> follow the guidelines of the chapter "Installation of FreeRADIUS"
> in https://wiki.freeradius.org/guide/freeradius-active-
> directory-integration-howto <https://wiki.freeradius.org/
> guide/freeradius-active-directory-integration-howto> ?
> for example :
>
> clients.confmods-available/mschapmods-available/eapusers
> 25. Avr 2018 16:26 de servernemesis@tutanota.com <mailto:servernemesis@
> tutanota.com>:
>
>
> > Here it is
> >
> > # PAM configuration for the Secure Shell service
> >
> > # Standard Un*x authentication.
> > @include common-auth
> > #auth required /usr/local/lib/security/pam_google_authenticator.so
> >
> > # Disallow non-root logins when /etc/nologin exists.
> > account required pam_nologin.so
> >
> > # Uncomment and edit /etc/security/access.conf if you need to set complex
> > # access limits that are hard to express in sshd_config.
> > # account required pam_access.so
> >
> > # Standard Un*x authorization.
> > @include common-account
> >
> > # SELinux needs to be the first session rule. This ensures that any
> > # lingering context has been cleared. Without this it is possible that a
> > # module could execute code in the wrong domain.
> > session [success=ok ignore=ignore module_unknown=ignore
> default=bad] pam_selinux.so close
> >
> > # Set the loginuid process attribute.
> > session required pam_loginuid.so
> >
> > # Create a new session keyring.
> > session optional pam_keyinit.so force revoke
> >
> > # Standard Un*x session setup and teardown.
> > @include common-session
> >
> > # Print the message of the day upon successful login.
> > # This includes a dynamically generated part from /run/motd.dynamic
> > # and a static (admin-editable) part from /etc/motd.
> > session optional pam_motd.so motd=/run/motd.dynamic
> > session optional pam_motd.so noupdate
> >
> > # Print the status of the user's mailbox upon successful login.
> > session optional pam_mail.so standard noenv # [1]
> >
> > # Set up user limits from /etc/security/limits.conf.
> > session required pam_limits.so
> >
> > # Read environment variables from /etc/environment and
> > # /etc/security/pam_env.conf.
> > session required pam_env.so # [1]
> > # In Debian 4.0 (etch), locale-related environment variables were moved
> to
> > # /etc/default/locale, so read that as well.
> > session required pam_env.so user_readenv=1
> envfile=/etc/default/locale
> >
> > # SELinux needs to intervene at login time to ensure that the process
> starts
> > # in the proper default security context. Only sessions which are
> intended
> > # to run in the user's context should be run after this.
> > session [success=ok ignore=ignore module_unknown=ignore
> default=bad] pam_selinux.so open
> >
> > # Standard Un*x password updating.
> > @include common-password
> >
> >
> > 25. Avr 2018 15:26 de > eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>> :
> >
> >
> >> what is content of /etc/pam.d/ssh* files?
> >>
> >> Eero
> >>
> >> ke 25. huhtik. 2018 klo 13.29 <>> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> > kirjoitti:
> >>
> >>> Ok, it's working with a local user I created, by just specifying the
> >>> google auth code, still don't know why it's not working with domain
> users...
> >>>
> >>> radtest ggg 494659 localhost 18120 testing123
> >>> Sent Access-Request Id 65 from 0.0.0.0:43805 to 127.0.0.1:1812 length
> 73
> >>> User-Name = "ggg"
> >>> User-Password = "494659"
> >>> NAS-IP-Address = 127.0.1.1
> >>> NAS-Port = 18120
> >>> Message-Authenticator = 0x00
> >>> Cleartext-Password = "494659"
> >>> Received Access-Accept Id 65 from 127.0.0.1:1812 to 0.0.0.0:0 length
> 20
> >>>
> >>> 25. Avr 2018 10:11 de >>> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>>> <>>> mailto:eero.volotinen@iki.fi <mailto:
> mailto:eero.volotinen@iki.fi>
> >>> >:
> >>>
> >>>
> >>> > please, give example of your radtest command.
> >>> >
> >>> > Eero
> >>> >
> >>> > ke 25. huhtik. 2018 klo 11.02 <> >>> servernemesis@tutanota.com
> <mailto:servernemesis@tutanota.com>>>> <mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>
> > kirjoitti:
> >>> >
> >>> >> I'm using the radtest command on localhost with the secret
> testing123
> >>> >> (double checked)
> >>> >>
> >>> >> 25. Avr 2018 09:55 de >> >>> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>>> <mailto:
> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> >>> <>> >>>
> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>
> <mailto:mailto:
> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> >
> >>> >> >:
> >>> >>
> >>> >>
> >>> >> > well. radius secret can be wrong also for your client.
> >>> >> >
> >>> >> > radius secret is in client.conf and its tied to client ip address.
> >>> check
> >>> >> it
> >>> >> > out and test again.
> >>> >> >
> >>> >> > anyway. in your config you need use only google code, not
> password.
> >>> >> >
> >>> >> > Eero
> >>> >> >
> >>> >> > ke 25. huhtik. 2018 klo 10.49 <> >> >>>
> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
> >>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> <mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >> >
> >>> kirjoitti:
> >>> >> >
> >>> >> >> Hello,
> >>> >> >>
> >>> >> >> No because if I login with SSH, it works :
> >>> >> >>
> >>> >> >> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)
> [1885]:
> >>> >> >> Accepted google_authenticator for user
> >>> >> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for
> user
> >>> >> from
> >>> >> >> 192.168.50.68 port 50020 ssh2
> >>> >> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]:
> pam_unix(sshd:session):
> >>> >> session
> >>> >> >> opened for user user by (uid=0)
> >>> >> >> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session
> 11 of
> >>> >> user
> >>> >> >> user.
> >>> >> >>
> >>> >> >> I don't get why it's not working with the radius...
> >>> >> >>
> >>> >> >> 25. Avr 2018 09:46 de >> >> >>> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>>> <mailto:
> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> >>> <mailto:
> >>> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <>>>
> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> >>>
> >>> <>> >>
> >>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>
> <>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.
> volotinen@iki.fi>>>> >>>
> >>> <mailto:mailto:
> >>> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <>>>
> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> >>>
> >
> >>> >> >> >:
> >>> >> >>
> >>> >> >>
> >>> >> >> > It means that code is wrong? is the server using ntp and clock
> is
> >>> sync
> >>> >> >> and
> >>> >> >> > mobile is in sync.
> >>> >> >> >
> >>> >> >> > Try following: log into user. delete .google* file from user
> home
> >>> >> >> directory.
> >>> >> >> >
> >>> >> >> > run google-authenticator without params and select time based
> >>> >> token/auth
> >>> >> >> > and add new authenticator code to google auth in phone
> >>> >> >> >
> >>> >> >> > Eero
> >>> >> >> >
> >>> >> >> > ke 25. huhtik. 2018 klo 10.39 <> >> >> >>>
> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
> >>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >
> >>> >> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >>> <mailto:
> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@
> tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> >>>
> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >>> >> >
> >>> >> kirjoitti:
> >>> >> >> >
> >>> >> >> >> PS : If I disable the domain suffix for the users on the
> server
> >>> >> (being
> >>> >> >> >> able to login with just "user"), I get
> >>> >> >> >>
> >>> >> >> >> Apr 25 09:27:42 SRV-FREERADIUS
> >>> >> radiusd(pam_google_authenticator)[1661]:
> >>> >> >> >> Invalid verification code for user
> >>> >> >> >>
> >>> >> >> >>
> >>> >> >> >> 25. Avr 2018 09:15 de >> >> >> >>> servernemesis@tutanota.com
> <mailto:servernemesis@tutanota.com>
> >>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> <mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> <mailto:
> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@
> tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> >>>
> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >>> >>>
> >>> >> <mailto:
> >>> >> >> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@
> tutanota.com>>>> <mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>
> >>> <>>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:
> servernemesis@tutanota.com>>>> >>> >>>
> >>> >> <>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> >>> >:
> >>> >> >> >>
> >>> >> >> >>
> >>> >> >> >> > I tried
> >>> >> >> >> >
> >>> >> >> >> > #
> >>> >> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >>> >> >> >> > #
> >>> >> >> >> >
> >>> >> >> >> > # We fall back to the system default in /etc/pam.d/common-*
> >>> >> >> >> > #
> >>> >> >> >> >
> >>> >> >> >> > #@include common-auth
> >>> >> >> >> > #@include common-account
> >>> >> >> >> > #@include common-password
> >>> >> >> >> > #@include common-session
> >>> >> >> >> > auth required
> >>> /usr/local/lib/security/pam_google_authenticator.so
> >>> >> >> >> >
> >>> >> >> >> > and
> >>> >> >> >> >
> >>> >> >> >> > #
> >>> >> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >>> >> >> >> > #
> >>> >> >> >> >
> >>> >> >> >> > # We fall back to the system default in /etc/pam.d/common-*
> >>> >> >> >> > #
> >>> >> >> >> >
> >>> >> >> >> > #@include common-auth
> >>> >> >> >> > #@include common-account
> >>> >> >> >> > #@include common-password
> >>> >> >> >> > #@include common-session
> >>> >> >> >> > auth requisite
> >>> /usr/local/lib/security/pam_google_authenticator.so
> >>> >> >> >> forward_pass
> >>> >> >> >> > auth required pam_unix.so use_first_pass
> >>> >> >> >> >
> >>> >> >> >> > In both cases :
> >>> >> >> >> >
> >>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >>> >> >> radiusd(pam_google_authenticator)[6847]:
> >>> >> >> >> user("user") not found
> >>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >>> >> >> radiusd(pam_google_authenticator)[6847]:
> >>> >> >> >> No secret configured for user user, asking for code anyway.
> >>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >>> >> >> radiusd(pam_google_authenticator)[6847]:
> >>> >> >> >> Invalid verification code for user
> >>> >> >> >> >
> >>> >> >> >> >
> >>> >> >> >> >
> >>> >> >> >> > 24. Avr 2018 19:21 de > >> >> >> >>> eero.volotinen@iki.fi
> <mailto:eero.volotinen@iki.fi>>>> <mailto:
> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> >>> <mailto:
> >>> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> <>>>
> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>> >>>
> >>> <mailto:
> >>> >> >> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>
> <>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>
> >>> <>>
> >>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>
> <>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.
> volotinen@iki.fi>>>> >>> >>>
> >>> >>> <mailto:
> >>> >> >> >> >> >> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi
> >>>> <>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@
> iki.fi>>>> >>>
> >>> <>> >>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@
> iki.fi>>>> <>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto
> :mailto:eero.volotinen@iki.fi>>>> >>>
> >>> >>> <>>
> >>> >> >>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@
> iki.fi>>>> <>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto
> :mailto:eero.volotinen@iki.fi>>>> >>>
> >>> <>> >>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:
> eero.volotinen@iki.fi>>>> <mailto:mailto:mailto:
> >>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>> >>> >>> >>>
> >>> >> >> :
> >>> >> >> >> >
> >>> >> >> >> >
> >>> >> >> >> >> You need to enable pam logging on google authenticator.
> >>> >> >> >> >>
> >>> >> >> >> >> what is content of /etc/pam.d/radiusd ?
> >>> >> >> >> >>
> >>> >> >> >> >> Eero
> >>> >> >> >> >>
> >>> >> >> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> >>
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> <>>
> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >
> >>> >> >> <>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> >>> <mailto:
> >>> >> >> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@
> tutanota.com>>>> <mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>
> >>> <>>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:
> servernemesis@tutanota.com>>>> >>> >>>
> >>> >> <>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> >>> >>> >
> >>> >> >> kirjoitti:
> >>> >> >> >> >>
> >>> >> >> >> >>> Thanks, it looks better but it's still failing :
> >>> >> >> >> >>>
> >>> >> >> >> >>> Ready to process requests
> >>> >> >> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793
> to
> >>> >> >> >> 127.0.0.1:1812
> >>> >> >> >> >>> length 92
> >>> >> >> >> >>> (0) User-Name = ">>> >> >> >> >>> user@mydomain.com
> <mailto:user@mydomain.com>>>> <mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> >>> <mailto:
> >>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> >>> <mailto:
> >>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>>
> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>>
> >>> <>> >>
> >>> mailto:
> >>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto
> :mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>>
> >>> >>> <mailto:
> >>> mailto:
> >>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>>
> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> >>>
> >>>>
> >>> >> >> >> <>>> >> >> >> >>> mailto:user@mydomain.com <mailto:mailto:
> user@mydomain.com>>>> <mailto:mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> >>> <>> >>> mailto:
> mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>
> <mailto:mailto
> >>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>> >>>
> >>>
> >>> >> <>> >> >>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:
> user@mydomain.com>>>> <mailto:mailto:mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> >>> <mailto:mailto
> :mailto:
> >>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> >>> >>>
> >>> >> >> <>> >> >> >>> mailto:mailto:user@mydomain.com <mailto:mailto
> :mailto:user@mydomain.com>>>> <mailto:mailto:mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> >>> <mailto:mailto
> :mailto:
> >>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> >>> <mailto:
> mailto
> >>> :mailto:
> >>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>>
> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>> >>>
> >>>> >"
> >>> >> >> >> >>> (0) User-Password = "password123456"
> >>> >> >> >> >>> (0) NAS-IP-Address = 127.0.1.1
> >>> >> >> >> >>> (0) NAS-Port = 18120
> >>> >> >> >> >>> (0) Message-Authenticator =
> >>> 0xd028fefb31c1de33ebec1d53011953ce
> >>> >> >> >> >>> (0) # Executing section authorize from file
> >>> >> >> >> >>> /etc/freeradius/3.0/sites-enabled/default
> >>> >> >> >> >>> (0) authorize {
> >>> >> >> >> >>> (0) policy filter_username {
> >>> >> >> >> >>> (0) if (&User-Name) {
> >>> >> >> >> >>> (0) if (&User-Name) -> TRUE
> >>> >> >> >> >>> (0) if (&User-Name) {
> >>> >> >> >> >>> (0) if (&User-Name =~ / /) {
> >>> >> >> >> >>> (0) if (&User-Name =~ / /) -> FALSE
> >>> >> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
> >>> >> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> >>> >> >> >> >>> (0) if (&User-Name =~ /\.\./ ) {
> >>> >> >> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> >>> >> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> >>> >> >> >> /@(.+)\.(.+)$/)) {
> >>> >> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> >>> >> >> /@(.+)\.(.+)$/))
> >>> >> >> >> >>> -> FALSE
> >>> >> >> >> >>> (0) if (&User-Name =~ /\.$/) {
> >>> >> >> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
> >>> >> >> >> >>> (0) if (&User-Name =~ /@\./) {
> >>> >> >> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
> >>> >> >> >> >>> (0) } # if (&User-Name) = notfound
> >>> >> >> >> >>> (0) } # policy filter_username = notfound
> >>> >> >> >> >>> (0) [preprocess] = ok
> >>> >> >> >> >>> (0) [chap] = noop
> >>> >> >> >> >>> (0) [mschap] = noop
> >>> >> >> >> >>> (0) [digest] = noop
> >>> >> >> >> >>> (0) suffix: Checking for suffix after "@"
> >>> >> >> >> >>> (0) suffix: Looking up realm "mydomain.com" for
> User-Name = "
> >>> >> >> >> >>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>>
> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>>
> <>>
> >>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> <>>>
> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>
> >>> >>> <>>
> >>> >> >>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>
> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@
> mydomain.com>>>> >>> <>>
> >>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@
> mydomain.com>>>> <>>> mailto:mailto:mailto:user@mydomain.com <mailto:
> mailto:mailto:mailto:user@mydomain.com>>>> >>>
> >>> >>> >>> <>>
> >>> >> mailto:
> >>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>>
> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>>
> <>> mailto:
> >>> mailto:
> >>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
> mailto
> >>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>> <>>>
> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto
> :mailto:user@mydomain.com>>>> >>>
> >>> >>> >>> >>>>
> >>> >> <>>> mailto:
> >>> >> >> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>>
> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>>
> <>> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>>
> <>> mailto:
> >>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto
> :mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>>
> >>> >>> >>> <>>
> >>> mailto:
> >>> >> mailto:
> >>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>>
> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>>
> <>> mailto:
> >>> mailto
> >>> >> >>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>>
> <>>> mailto::mailto:user@mydomain.com <mailto:mailto::mailto:user@
> mydomain.com>>>> >>> <>>
> >>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:
> mailto:mailto:user@mydomain.com>>>> <mailto:mailto:mailto:mailto
> >>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>> >>>
> >>>
> >>> >> >>> >>>> >"
> >>> >> >> >> >>> (0) suffix: Found realm "mydomain.com"
> >>> >> >> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
> >>> >> >> >> >>> (0) suffix: Adding Realm = "mydomain.com"
> >>> >> >> >> >>> (0) suffix: Authentication realm is LOCAL
> >>> >> >> >> >>> (0) [suffix] = ok
> >>> >> >> >> >>> (0) eap: No EAP-Message, not doing EAP
> >>> >> >> >> >>> (0) [eap] = noop
> >>> >> >> >> >>> (0) files: users: Matched entry DEFAULT at line 221
> >>> >> >> >> >>> (0) [files] = ok
> >>> >> >> >> >>> (0) [expiration] = noop
> >>> >> >> >> >>> (0) [logintime] = noop
> >>> >> >> >> >>> (0) pap: WARNING: No "known good" password found for the
> user.
> >>> >> Not
> >>> >> >> >> >>> setting Auth-Type
> >>> >> >> >> >>> (0) pap: WARNING: Authentication will fail unless a "known
> >>> good"
> >>> >> >> >> password
> >>> >> >> >> >>> is available
> >>> >> >> >> >>> (0) [pap] = noop
> >>> >> >> >> >>> (0) } # authorize = ok
> >>> >> >> >> >>> (0) Found Auth-Type = pam
> >>> >> >> >> >>> (0) # Executing group from file
> >>> >> >> >> /etc/freeradius/3.0/sites-enabled/default
> >>> >> >> >> >>> (0) authenticate {
> >>> >> >> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf
> lookup
> >>> >> >> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication
> >>> failure
> >>> >> >> >> >>> (0) [pam] = reject
> >>> >> >> >> >>> (0) } # authenticate = reject
> >>> >> >> >> >>> (0) Failed to authenticate the user
> >>> >> >> >> >>> (0) Using Post-Auth-Type Reject
> >>> >> >> >> >>> (0) # Executing group from file
> >>> >> >> >> /etc/freeradius/3.0/sites-enabled/default
> >>> >> >> >> >>> (0) Post-Auth-Type REJECT {
> >>> >> >> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
> >>> >> >> >> >>> (0) attr_filter.access_reject: --> >>> >> >>
> >>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >
> >>> >> >> <>> >> >>> mailto:user@mydomain.com <mailto:mailto:
> user@mydomain.com>>>> <>>> mailto:mailto:user@mydomain.com <mailto:mailto
> :mailto:user@mydomain.com>>>> >>>
> >>> <>> >>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@
> mydomain.com>>>> <mailto:mailto:mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> >>> >>> >>>
> >>> >> <mailto:
> >>> >> >> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>>
> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>>
> <>> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>>
> <>> mailto:
> >>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto
> :mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>>
> >>> >>> >>>
> >>> >>>> <mailto:
> >>> >> >> >> >>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>>
> <>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>>
> <>>
> >>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> <>>>
> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>
> >>> >>> <>>
> >>> >> >>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>
> <>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@
> mydomain.com>>>> >>> <>>
> >>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@
> mydomain.com>>>> <>>> mailto:mailto:mailto:user@mydomain.com <mailto:
> mailto:mailto:mailto:user@mydomain.com>>>> >>>
> >>> >>> >>> <>>
> >>> >> mailto:
> >>> >> >> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>>
> mailto:
> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>> >>> >>>
> <>> mailto:
> >>> mailto:
> >>> >> >>> user@mydomain.com <mailto:user@mydomain.com>>>> <>>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>>> >>> <>> mailto:
> mailto
> >>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>> <>>>
> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto
> :mailto:user@mydomain.com>>>> >>>
> >>> >>> >>> >>>> >
> >>> >> >> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at
> line
> >>> 11
> >>> >> >> >> >>> (0) [attr_filter.access_reject] = updated
> >>> >> >> >> >>> (0) [eap] = noop
> >>> >> >> >> >>> (0) policy remove_reply_message_if_eap {
> >>> >> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message)
> {
> >>> >> >> >> >>> (0) if (&reply:EAP-Message &&
> &reply:Reply-Message) ->
> >>> >> FALSE
> >>> >> >> >> >>> (0) else {
> >>> >> >> >> >>> (0) [noop] = noop
> >>> >> >> >> >>> (0) } # else = noop
> >>> >> >> >> >>> (0) } # policy remove_reply_message_if_eap = noop
> >>> >> >> >> >>> (0) } # Post-Auth-Type REJECT = updated
> >>> >> >> >> >>> (0) Delaying response for 1.000000 seconds
> >>> >> >> >> >>> Waking up in 0.3 seconds.
> >>> >> >> >> >>> Waking up in 0.6 seconds.
> >>> >> >> >> >>> (0) Sending delayed response
> >>> >> >> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
> >>> >> >> 127.0.0.1:34793
> >>> >> >> >> >>> length 20
> >>> >> >> >> >>> Waking up in 3.9 seconds.
> >>> >> >> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
> >>> >> >> >> >>> Ready to process requests
> >>> >> >> >> >>>
> >>> >> >> >> >>>
> >>> >> >> >> >>> 24. Avr 2018 16:40 de >>> >> >> >> >>>
> aland@deployingradius.com <mailto:aland@deployingradius.com>
> >>> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> >
> >>> >> <>> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> <mailto:mailto:
> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>>
> >>> <mailto:
> >>> >> >> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.
> com>>>> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> >>>
> >>> <>> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> <mailto:mailto:
> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>>
> >>> >>>
> >>> >> <mailto:
> >>> >> >> >> >> >> >>> aland@deployingradius.com <mailto:
> aland@deployingradius.com>>>> <>>> mailto:aland@deployingradius.com
> <mailto:mailto:aland@deployingradius.com>>>> >>>
> >>> <>> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> <mailto:mailto:
> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>>
> >>>
> >>> >> <>> >> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> <mailto:mailto:
> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>>
> <mailto:mailto:
> >>> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>
> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> >>> >>> >>>
> >>> >>>>
> >>> >> >> <mailto:
> >>> >> >> >> >>> >> >> >> >>> aland@deployingradius.com <mailto:
> aland@deployingradius.com>>>> <mailto:
> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>>
> <mailto:
> >>> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>
> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> >>> >>>
> >>> <>> >> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> <mailto:mailto:
> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >
> >>> >> <>> >>> mailto:mailto:aland@deployingradius.com <mailto:mailto
> :mailto:aland@deployingradius.com>>>> <mailto:mailto:mailto:
> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>>
> >>> >>>
> >>> >> >> <>> >> >> >>> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>>> <mailto:mailto:
> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>>
> <mailto:mailto:
> >>> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>
> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> >>> >>>
> >>> <mailto:mailto:
> >>> >> >> >> >>> aland@deployingradius.com <mailto:aland@deployingradius.
> com>>>> <>>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> >>>
> >>> <>> >>> mailto:aland@deployingradius.com <mailto:mailto:aland@
> deployingradius.com>>>> <mailto:mailto:
> >>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>> >>>
> >>> >>>
> >>> >> >>>> >:
> >>> >> >> >> >>>
> >>> >> >> >> >>>
> >>> >> >> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@
> tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> >>>
> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >>> <>>
> >>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>> >
> >>> >> >> >> <>> >> >> >>> mailto:servernemesis@tutanota.com <mailto:
> mailto:servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> <mailto:mailto:
> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@
> tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> >>>
> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >>> >>>
> >>> >> >>>> <mailto:
> >>> >> >> >> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>>> <mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> <>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >
> >>> >> <>> >>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto
> :mailto:servernemesis@tutanota.com>>>> <mailto:mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >>> >>>
> >>> >> >> <>> >> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> <mailto:mailto:
> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@
> tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> >>>
> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >>> >>>
> >>> >> >>>> >>
> >>> >> >> >> > <> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>>> <mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> <mailto:
> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@
> tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> >>>
> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >>> >>>
> >>> >> <>> >> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >
> >>> >> >> <>> >> >>> mailto:mailto:servernemesis@tutanota.com <mailto:
> mailto:mailto:servernemesis@tutanota.com>>>> <mailto:mailto
> >>> :mailto:servernemesis@tutanota.com <mailto::mailto:servernemesis@
> tutanota.com>>>> >>> <mailto:mailto:mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> >>> >>>>
> >>> >> >> >> <mailto:
> >>> >> >> >> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>>> <mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> <>> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >
> >>> >> <>> >>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto
> :mailto:servernemesis@tutanota.com>>>> <mailto:mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >>> >>>
> >>> >> >> <>> >> >> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> >>> <mailto:mailto:
> >>> >> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>
> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@
> tutanota.com>>>> >>> >>>
> >>> <mailto:mailto:
> >>> >> >> >> >>> servernemesis@tutanota.com <mailto:servernemesis@
> tutanota.com>>>> <>>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> >>>
> >>> <>> >>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>>> <mailto:mailto:
> >>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> >>>
> >>> >>>
> >>> >> >>>> >>
> >>> >> >> >> > wrote:
> >>> >> >> >> >>> >>
> >>> >> >> >> >>> >> My FR server is domain joined, and his krb5 realm is
> >>> >> >> mydomain.com
> >>> >> >> >> >>> >> I don't know where I could specify the domain for PAM.
> >>> >> >> >> >>> >
> >>> >> >> >> >>> > I didn't tell you to specify the domain for PAM.
> >>> >> >> >> >>> >
> >>> >> >> >> >>> >> I'm not sure what you mean by "If it doesn't know
> about the
> >>> >> >> domain,
> >>> >> >> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
> >>> >> >> proxy.conf)."
> >>> >> >> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's
> proxy.conf ?
> >>> >> >> >> >>> >
> >>> >> >> >> >>> > You know you're on the FreeRADIUS mailing list, right?
> >>> >> >> proxy.conf
> >>> >> >> >> is
> >>> >> >> >> >>> for FreeRADIUS, not PAM.
> >>> >> >> >> >>> >
> >>> >> >> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had
> >>> meant
> >>> >> to
> >>> >> >> edit
> >>> >> >> >> >>> that file, I would have told you to edit that file.
> >>> >> >> >> >>> >
> >>> >> >> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu)
> >>> >> /etc/freeradius
> >>> >> >> >> >>> directory. The proxy.conf file is there. Read it.
> >>> >> >> >> >>> >
> >>> >> >> >> >>> > Alan DeKok.
> >>> >> >> >> >>> >
> >>> >> >> >> >>> >
> >>> >> >> >> >>> > -
> >>> >> >> >> >>> > List info/subscribe/unsubscribe? See >
> >>> >> >> >> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> <
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> >>> <
> >>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> <
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> >>> >>>> <
> >>> >> >> >> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> <
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> >>> <
> >>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> <
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> >>> >>>> >
> >>> >> >> >> >>> -
> >>> >> >> >> >>> List info/subscribe/unsubscribe? See
> >>> >> >> >> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> <
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> >>> <
> >>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> <
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> >>> >
> >>> >> >> >> >> -
> >>> >> >> >> >> List info/subscribe/unsubscribe? See >>
> >>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> <
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> >>> <
> >>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> <
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> >>> >
> >>> >> >> >> -
> >>> >> >> >> List info/subscribe/unsubscribe? See
> >>> >> >> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> <
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> >
> >>> >> >> > -
> >>> >> >> > List info/subscribe/unsubscribe? See >
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> <
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >>> >
> >>> >> >> -
> >>> >> >> List info/subscribe/unsubscribe? See
> >>> >> >> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >
> >>> >> > -
> >>> >> > List info/subscribe/unsubscribe? See >
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> <
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >>> >
> >>> >> -
> >>> >> List info/subscribe/unsubscribe? See
> >>> >> >>> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >
> >>> > -
> >>> > List info/subscribe/unsubscribe? See >
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> <
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>>>> >
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/
> list/users.html>
> >> -
> >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/
> list/users.html <http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
OK ! It's working (at least with radtest, don't have time to test with netscaler today)
I had to edit sssd.conf and make a few changes :
- set "default_domain_suffix"
- use fqdn : false
- access_provider = permit
That way, both shortname and fqdn work, no need to edit proxy.conf
I still have a warning in my fr log :
files: users: Matched entry DEFAULT at line 221
(4) [files] = ok
(4) [expiration] = noop
(4) [logintime] = noop
(4) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(4) pap: WARNING: Authentication will fail unless a "known good" password is available
(4) [pap] = noop
(4) } # authorize = ok
(4) Found Auth-Type = pam
Don't know if it's big deal or not but I don't like that...
25. Apr 2018 14:32 by servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>:
> Since the problem is related to AD <-> freeradius, do you think I should follow the guidelines of the chapter "Installation of FreeRADIUS"
> in > https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto <https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto>> ?
> for example :
>
> clients.conf> mods-available/mschap> mods-available/eap> users
> 25. Avr 2018 16:26 de > servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>> :
>
>
>> Here it is
>>
>> # PAM configuration for the Secure Shell service
>>
>> # Standard Un*x authentication.
>> @include common-auth
>> #auth required /usr/local/lib/security/pam_google_authenticator.so
>>
>> # Disallow non-root logins when /etc/nologin exists.
>> account required pam_nologin.so
>>
>> # Uncomment and edit /etc/security/access.conf if you need to set complex
>> # access limits that are hard to express in sshd_config.
>> # account required pam_access.so
>>
>> # Standard Un*x authorization.
>> @include common-account
>>
>> # SELinux needs to be the first session rule. This ensures that any
>> # lingering context has been cleared. Without this it is possible that a
>> # module could execute code in the wrong domain.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>>
>> # Set the loginuid process attribute.
>> session required pam_loginuid.so
>>
>> # Create a new session keyring.
>> session optional pam_keyinit.so force revoke
>>
>> # Standard Un*x session setup and teardown.
>> @include common-session
>>
>> # Print the message of the day upon successful login.
>> # This includes a dynamically generated part from /run/motd.dynamic
>> # and a static (admin-editable) part from /etc/motd.
>> session optional pam_motd.so motd=/run/motd.dynamic
>> session optional pam_motd.so noupdate
>>
>> # Print the status of the user's mailbox upon successful login.
>> session optional pam_mail.so standard noenv # [1]
>>
>> # Set up user limits from /etc/security/limits.conf.
>> session required pam_limits.so
>>
>> # Read environment variables from /etc/environment and
>> # /etc/security/pam_env.conf.
>> session required pam_env.so # [1]
>> # In Debian 4.0 (etch), locale-related environment variables were moved to
>> # /etc/default/locale, so read that as well.
>> session required pam_env.so user_readenv=1 envfile=/etc/default/locale
>>
>> # SELinux needs to intervene at login time to ensure that the process starts
>> # in the proper default security context. Only sessions which are intended
>> # to run in the user's context should be run after this.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>>
>> # Standard Un*x password updating.
>> @include common-password
>>
>>
>> 25. Avr 2018 15:26 de >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> :
>>
>>
>>> what is content of /etc/pam.d/ssh* files?
>>>
>>> Eero
>>>
>>> ke 25. huhtik. 2018 klo 13.29 <>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>> > kirjoitti:
>>>
>>>> Ok, it's working with a local user I created, by just specifying the
>>>> google auth code, still don't know why it's not working with domain users...
>>>>
>>>> radtest ggg 494659 localhost 18120 testing123
>>>> Sent Access-Request Id 65 from 0.0.0.0:43805 to 127.0.0.1:1812 length 73
>>>> User-Name = "ggg"
>>>> User-Password = "494659"
>>>> NAS-IP-Address = 127.0.1.1
>>>> NAS-Port = 18120
>>>> Message-Authenticator = 0x00
>>>> Cleartext-Password = "494659"
>>>> Received Access-Accept Id 65 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
>>>>
>>>> 25. Avr 2018 10:11 de >>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> <>>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>
>>>> >:
>>>>
>>>>
>>>> > please, give example of your radtest command.
>>>> >
>>>> > Eero
>>>> >
>>>> > ke 25. huhtik. 2018 klo 11.02 <> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >> > kirjoitti:
>>>> >
>>>> >> I'm using the radtest command on localhost with the secret testing123
>>>> >> (double checked)
>>>> >>
>>>> >> 25. Avr 2018 09:55 de >> >>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> <mailto:
>>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> >>> <>> >>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>> <mailto:mailto:
>>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> >
>>>> >> >:
>>>> >>
>>>> >>
>>>> >> > well. radius secret can be wrong also for your client.
>>>> >> >
>>>> >> > radius secret is in client.conf and its tied to client ip address.
>>>> check
>>>> >> it
>>>> >> > out and test again.
>>>> >> >
>>>> >> > anyway. in your config you need use only google code, not password.
>>>> >> >
>>>> >> > Eero
>>>> >> >
>>>> >> > ke 25. huhtik. 2018 klo 10.49 <> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> <mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >> >
>>>> kirjoitti:
>>>> >> >
>>>> >> >> Hello,
>>>> >> >>
>>>> >> >> No because if I login with SSH, it works :
>>>> >> >>
>>>> >> >> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]:
>>>> >> >> Accepted google_authenticator for user
>>>> >> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user
>>>> >> from
>>>> >> >> 192.168.50.68 port 50020 ssh2
>>>> >> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session):
>>>> >> session
>>>> >> >> opened for user user by (uid=0)
>>>> >> >> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of
>>>> >> user
>>>> >> >> user.
>>>> >> >>
>>>> >> >> I don't get why it's not working with the radius...
>>>> >> >>
>>>> >> >> 25. Avr 2018 09:46 de >> >> >>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> <mailto:
>>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> >>> <mailto:
>>>> >> >>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> <>>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>> >>> >>> <>> >>
>>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>> <>>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>>>> >>>
>>>> <mailto:mailto:
>>>> >> >>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> <>>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>> >>> >
>>>> >> >> >:
>>>> >> >>
>>>> >> >>
>>>> >> >> > It means that code is wrong? is the server using ntp and clock is
>>>> sync
>>>> >> >> and
>>>> >> >> > mobile is in sync.
>>>> >> >> >
>>>> >> >> > Try following: log into user. delete .google* file from user home
>>>> >> >> directory.
>>>> >> >> >
>>>> >> >> > run google-authenticator without params and select time based
>>>> >> token/auth
>>>> >> >> > and add new authenticator code to google auth in phone
>>>> >> >> >
>>>> >> >> > Eero
>>>> >> >> >
>>>> >> >> > ke 25. huhtik. 2018 klo 10.39 <> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >
>>>> >> <>> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >>> <mailto:
>>>> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>>
>>>> <>> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >>> >> >
>>>> >> kirjoitti:
>>>> >> >> >
>>>> >> >> >> PS : If I disable the domain suffix for the users on the server
>>>> >> (being
>>>> >> >> >> able to login with just "user"), I get
>>>> >> >> >>
>>>> >> >> >> Apr 25 09:27:42 SRV-FREERADIUS
>>>> >> radiusd(pam_google_authenticator)[1661]:
>>>> >> >> >> Invalid verification code for user
>>>> >> >> >>
>>>> >> >> >>
>>>> >> >> >> 25. Avr 2018 09:15 de >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> <mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> <mailto:
>>>> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>>
>>>> <>> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >>> >>>
>>>> >> <mailto:
>>>> >> >> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <>> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>>>> <>>>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> >> <>> >> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> >>> >:
>>>> >> >> >>
>>>> >> >> >>
>>>> >> >> >> > I tried
>>>> >> >> >> >
>>>> >> >> >> > #
>>>> >> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>>>> >> >> >> > #
>>>> >> >> >> >
>>>> >> >> >> > # We fall back to the system default in /etc/pam.d/common-*
>>>> >> >> >> > #
>>>> >> >> >> >
>>>> >> >> >> > #@include common-auth
>>>> >> >> >> > #@include common-account
>>>> >> >> >> > #@include common-password
>>>> >> >> >> > #@include common-session
>>>> >> >> >> > auth required
>>>> /usr/local/lib/security/pam_google_authenticator.so
>>>> >> >> >> >
>>>> >> >> >> > and
>>>> >> >> >> >
>>>> >> >> >> > #
>>>> >> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
>>>> >> >> >> > #
>>>> >> >> >> >
>>>> >> >> >> > # We fall back to the system default in /etc/pam.d/common-*
>>>> >> >> >> > #
>>>> >> >> >> >
>>>> >> >> >> > #@include common-auth
>>>> >> >> >> > #@include common-account
>>>> >> >> >> > #@include common-password
>>>> >> >> >> > #@include common-session
>>>> >> >> >> > auth requisite
>>>> /usr/local/lib/security/pam_google_authenticator.so
>>>> >> >> >> forward_pass
>>>> >> >> >> > auth required pam_unix.so use_first_pass
>>>> >> >> >> >
>>>> >> >> >> > In both cases :
>>>> >> >> >> >
>>>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>>>> >> >> radiusd(pam_google_authenticator)[6847]:
>>>> >> >> >> user("user") not found
>>>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>>>> >> >> radiusd(pam_google_authenticator)[6847]:
>>>> >> >> >> No secret configured for user user, asking for code anyway.
>>>> >> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
>>>> >> >> radiusd(pam_google_authenticator)[6847]:
>>>> >> >> >> Invalid verification code for user
>>>> >> >> >> >
>>>> >> >> >> >
>>>> >> >> >> >
>>>> >> >> >> > 24. Avr 2018 19:21 de > >> >> >> >>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> <mailto:
>>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> >>> <mailto:
>>>> >> >>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> <>>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>> >>> >>> <mailto:
>>>> >> >> >> >>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> <>>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>> >>> <>>
>>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>> <>>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>>>> >>> >>>
>>>> >>> <mailto:
>>>> >> >> >> >> >> >>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> <>>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>> >>>
>>>> <>> >>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>> <>>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>>>> >>>
>>>> >>> <>>
>>>> >> >>>> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>>>> <>>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>>>> >>>
>>>> <>> >>>> mailto:mailto:eero.volotinen@iki.fi <mailto:mailto:mailto:eero.volotinen@iki.fi>>>>> <mailto:mailto:mailto:
>>>> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>>>> >>> >>> >>>
>>>> >> >> :
>>>> >> >> >> >
>>>> >> >> >> >
>>>> >> >> >> >> You need to enable pam logging on google authenticator.
>>>> >> >> >> >>
>>>> >> >> >> >> what is content of /etc/pam.d/radiusd ?
>>>> >> >> >> >>
>>>> >> >> >> >> Eero
>>>> >> >> >> >>
>>>> >> >> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> >>
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> <>>
>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >
>>>> >> >> <>> >> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> >>> <mailto:
>>>> >> >> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <>> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>
>>>> <>>>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> >> <>> >> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> >>> >>> >
>>>> >> >> kirjoitti:
>>>> >> >> >> >>
>>>> >> >> >> >>> Thanks, it looks better but it's still failing :
>>>> >> >> >> >>>
>>>> >> >> >> >>> Ready to process requests
>>>> >> >> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
>>>> >> >> >> 127.0.0.1:1812
>>>> >> >> >> >>> length 92
>>>> >> >> >> >>> (0) User-Name = ">>> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> >>> <mailto:
>>>> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> >>> <mailto:
>>>> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> >>> <>> >>
>>>> mailto:
>>>> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> <mailto:
>>>> mailto:
>>>> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> >>> >>>>
>>>> >> >> >> <>>> >> >> >> >>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> <mailto:mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> >>> <>> >>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> <mailto:mailto
>>>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>>> >>> >>>
>>>> >> <>> >> >>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> <mailto:mailto:mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> >>> <mailto:mailto:mailto:
>>>> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> >>> >>>
>>>> >> >> <>> >> >> >>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> <mailto:mailto:mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> >>> <mailto:mailto:mailto:
>>>> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> >>> <mailto:mailto
>>>> :mailto:
>>>> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> >>> >>>> >"
>>>> >> >> >> >>> (0) User-Password = "password123456"
>>>> >> >> >> >>> (0) NAS-IP-Address = 127.0.1.1
>>>> >> >> >> >>> (0) NAS-Port = 18120
>>>> >> >> >> >>> (0) Message-Authenticator =
>>>> 0xd028fefb31c1de33ebec1d53011953ce
>>>> >> >> >> >>> (0) # Executing section authorize from file
>>>> >> >> >> >>> /etc/freeradius/3.0/sites-enabled/default
>>>> >> >> >> >>> (0) authorize {
>>>> >> >> >> >>> (0) policy filter_username {
>>>> >> >> >> >>> (0) if (&User-Name) {
>>>> >> >> >> >>> (0) if (&User-Name) -> TRUE
>>>> >> >> >> >>> (0) if (&User-Name) {
>>>> >> >> >> >>> (0) if (&User-Name =~ / /) {
>>>> >> >> >> >>> (0) if (&User-Name =~ / /) -> FALSE
>>>> >> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>>>> >> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>>>> >> >> >> >>> (0) if (&User-Name =~ /\.\./ ) {
>>>> >> >> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>>>> >> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>>>> >> >> >> /@(.+)\.(.+)$/)) {
>>>> >> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>>>> >> >> /@(.+)\.(.+)$/))
>>>> >> >> >> >>> -> FALSE
>>>> >> >> >> >>> (0) if (&User-Name =~ /\.$/) {
>>>> >> >> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
>>>> >> >> >> >>> (0) if (&User-Name =~ /@\./) {
>>>> >> >> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
>>>> >> >> >> >>> (0) } # if (&User-Name) = notfound
>>>> >> >> >> >>> (0) } # policy filter_username = notfound
>>>> >> >> >> >>> (0) [preprocess] = ok
>>>> >> >> >> >>> (0) [chap] = noop
>>>> >> >> >> >>> (0) [mschap] = noop
>>>> >> >> >> >>> (0) [digest] = noop
>>>> >> >> >> >>> (0) suffix: Checking for suffix after "@"
>>>> >> >> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
>>>> >> >> >> >>> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>>
>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> <>>
>>>> >> >>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> <>>
>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>>> >>>
>>>> >>> >>> <>>
>>>> >> mailto:
>>>> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> <>> mailto:
>>>> mailto:
>>>> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:mailto
>>>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>>>> >>>
>>>> >>> >>> >>>>
>>>> >> <>>> mailto:
>>>> >> >> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> <>> mailto:
>>>> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> >>> <>>
>>>> mailto:
>>>> >> mailto:
>>>> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> <>> mailto:
>>>> mailto
>>>> >> >>>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>>> <>>>> mailto::mailto:user@mydomain.com <mailto:mailto::mailto:user@mydomain.com>>>>> >>> <>>
>>>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>>>> <mailto:mailto:mailto:mailto
>>>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>>> >>> >>>
>>>> >> >>> >>>> >"
>>>> >> >> >> >>> (0) suffix: Found realm "mydomain.com"
>>>> >> >> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
>>>> >> >> >> >>> (0) suffix: Adding Realm = "mydomain.com"
>>>> >> >> >> >>> (0) suffix: Authentication realm is LOCAL
>>>> >> >> >> >>> (0) [suffix] = ok
>>>> >> >> >> >>> (0) eap: No EAP-Message, not doing EAP
>>>> >> >> >> >>> (0) [eap] = noop
>>>> >> >> >> >>> (0) files: users: Matched entry DEFAULT at line 221
>>>> >> >> >> >>> (0) [files] = ok
>>>> >> >> >> >>> (0) [expiration] = noop
>>>> >> >> >> >>> (0) [logintime] = noop
>>>> >> >> >> >>> (0) pap: WARNING: No "known good" password found for the user.
>>>> >> Not
>>>> >> >> >> >>> setting Auth-Type
>>>> >> >> >> >>> (0) pap: WARNING: Authentication will fail unless a "known
>>>> good"
>>>> >> >> >> password
>>>> >> >> >> >>> is available
>>>> >> >> >> >>> (0) [pap] = noop
>>>> >> >> >> >>> (0) } # authorize = ok
>>>> >> >> >> >>> (0) Found Auth-Type = pam
>>>> >> >> >> >>> (0) # Executing group from file
>>>> >> >> >> /etc/freeradius/3.0/sites-enabled/default
>>>> >> >> >> >>> (0) authenticate {
>>>> >> >> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
>>>> >> >> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication
>>>> failure
>>>> >> >> >> >>> (0) [pam] = reject
>>>> >> >> >> >>> (0) } # authenticate = reject
>>>> >> >> >> >>> (0) Failed to authenticate the user
>>>> >> >> >> >>> (0) Using Post-Auth-Type Reject
>>>> >> >> >> >>> (0) # Executing group from file
>>>> >> >> >> /etc/freeradius/3.0/sites-enabled/default
>>>> >> >> >> >>> (0) Post-Auth-Type REJECT {
>>>> >> >> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
>>>> >> >> >> >>> (0) attr_filter.access_reject: --> >>> >> >>
>>>> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >
>>>> >> >> <>> >> >>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>>
>>>> <>> >>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> <mailto:mailto:mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> >>> >>> >>>
>>>> >> <mailto:
>>>> >> >> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> <>> mailto:
>>>> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> >>>
>>>> >>>> <mailto:
>>>> >> >> >> >>> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>>
>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> <>>
>>>> >> >>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> <>>
>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>>> >>>
>>>> >>> >>> <>>
>>>> >> mailto:
>>>> >> >> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:
>>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>>>> >>> >>> <>> mailto:
>>>> mailto:
>>>> >> >>>> user@mydomain.com <mailto:user@mydomain.com>>>>> <>>>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>>> >>> <>> mailto:mailto
>>>> :mailto:user@mydomain.com <mailto::mailto:user@mydomain.com>>>>> <>>>> mailto:mailto:mailto:mailto:user@mydomain.com <mailto:mailto:mailto:mailto:mailto:user@mydomain.com>>>>> >>>
>>>> >>> >>> >>>> >
>>>> >> >> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line
>>>> 11
>>>> >> >> >> >>> (0) [attr_filter.access_reject] = updated
>>>> >> >> >> >>> (0) [eap] = noop
>>>> >> >> >> >>> (0) policy remove_reply_message_if_eap {
>>>> >> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
>>>> >> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) ->
>>>> >> FALSE
>>>> >> >> >> >>> (0) else {
>>>> >> >> >> >>> (0) [noop] = noop
>>>> >> >> >> >>> (0) } # else = noop
>>>> >> >> >> >>> (0) } # policy remove_reply_message_if_eap = noop
>>>> >> >> >> >>> (0) } # Post-Auth-Type REJECT = updated
>>>> >> >> >> >>> (0) Delaying response for 1.000000 seconds
>>>> >> >> >> >>> Waking up in 0.3 seconds.
>>>> >> >> >> >>> Waking up in 0.6 seconds.
>>>> >> >> >> >>> (0) Sending delayed response
>>>> >> >> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
>>>> >> >> 127.0.0.1:34793
>>>> >> >> >> >>> length 20
>>>> >> >> >> >>> Waking up in 3.9 seconds.
>>>> >> >> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
>>>> >> >> >> >>> Ready to process requests
>>>> >> >> >> >>>
>>>> >> >> >> >>>
>>>> >> >> >> >>> 24. Avr 2018 16:40 de >>> >> >> >> >>>> aland@deployingradius.com <mailto:aland@deployingradius.com>
>>>> <>>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> >
>>>> >> <>> >>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> <mailto:mailto:
>>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> >>> >>> <mailto:
>>>> >> >> >> >>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> <>>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> >>>
>>>> <>> >>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> <mailto:mailto:
>>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> >>> >>> >>>
>>>> >> <mailto:
>>>> >> >> >> >> >> >>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> <>>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> >>>
>>>> <>> >>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> <mailto:mailto:
>>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> >>> >>>
>>>> >> <>> >> >>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> <mailto:mailto:
>>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> >>> <mailto:mailto:
>>>> >> >>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> <>>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> >>> >>> >>>
>>>> >>>>
>>>> >> >> <mailto:
>>>> >> >> >> >>> >> >> >> >>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> <mailto:
>>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> >>> <mailto:
>>>> >> >>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> <>>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> >>> >>>
>>>> <>> >> >>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> <mailto:mailto:
>>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> >
>>>> >> <>> >>>> mailto:mailto:aland@deployingradius.com <mailto:mailto:mailto:aland@deployingradius.com>>>>> <mailto:mailto:mailto:
>>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> >>> >>> >>>
>>>> >> >> <>> >> >> >>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> <mailto:mailto:
>>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> >>> <mailto:mailto:
>>>> >> >>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> <>>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> >>> >>>
>>>> <mailto:mailto:
>>>> >> >> >> >>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> <>>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> >>>
>>>> <>> >>>> mailto:aland@deployingradius.com <mailto:mailto:aland@deployingradius.com>>>>> <mailto:mailto:
>>>> aland@deployingradius.com <mailto:aland@deployingradius.com>>>>> >>> >>> >>>
>>>> >> >>>> >:
>>>> >> >> >> >>>
>>>> >> >> >> >>>
>>>> >> >> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
>>>> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>>
>>>> <>> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >>> <>>
>>>> >> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>> >
>>>> >> >> >> <>> >> >> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> <mailto:mailto:
>>>> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>>
>>>> <>> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >>> >>>
>>>> >> >>>> <mailto:
>>>> >> >> >> >>> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> <>> >> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >
>>>> >> <>> >>>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >>> >>>
>>>> >> >> <>> >> >> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> <mailto:mailto:
>>>> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>>
>>>> <>> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >>> >>>
>>>> >> >>>> >>
>>>> >> >> >> > <> >>> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> <mailto:
>>>> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>>
>>>> <>> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >>> >>>
>>>> >> <>> >> >> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >
>>>> >> >> <>> >> >>>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto
>>>> :mailto:servernemesis@tutanota.com <mailto::mailto:servernemesis@tutanota.com>>>>> >>> <mailto:mailto:mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> >>> >>>>
>>>> >> >> >> <mailto:
>>>> >> >> >> >>> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> <>> >> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >
>>>> >> <>> >>>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >>> >>>
>>>> >> >> <>> >> >> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> <mailto:mailto:
>>>> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>> >>>
>>>> <mailto:mailto:
>>>> >> >> >> >>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> <>>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> >>>
>>>> <>> >>>> mailto:servernemesis@tutanota.com <mailto:mailto:servernemesis@tutanota.com>>>>> <mailto:mailto:
>>>> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>>> >>> >>> >>>
>>>> >> >>>> >>
>>>> >> >> >> > wrote:
>>>> >> >> >> >>> >>
>>>> >> >> >> >>> >> My FR server is domain joined, and his krb5 realm is
>>>> >> >> mydomain.com
>>>> >> >> >> >>> >> I don't know where I could specify the domain for PAM.
>>>> >> >> >> >>> >
>>>> >> >> >> >>> > I didn't tell you to specify the domain for PAM.
>>>> >> >> >> >>> >
>>>> >> >> >> >>> >> I'm not sure what you mean by "If it doesn't know about the
>>>> >> >> domain,
>>>> >> >> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
>>>> >> >> proxy.conf)."
>>>> >> >> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
>>>> >> >> >> >>> >
>>>> >> >> >> >>> > You know you're on the FreeRADIUS mailing list, right?
>>>> >> >> proxy.conf
>>>> >> >> >> is
>>>> >> >> >> >>> for FreeRADIUS, not PAM.
>>>> >> >> >> >>> >
>>>> >> >> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had
>>>> meant
>>>> >> to
>>>> >> >> edit
>>>> >> >> >> >>> that file, I would have told you to edit that file.
>>>> >> >> >> >>> >
>>>> >> >> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu)
>>>> >> /etc/freeradius
>>>> >> >> >> >>> directory. The proxy.conf file is there. Read it.
>>>> >> >> >> >>> >
>>>> >> >> >> >>> > Alan DeKok.
>>>> >> >> >> >>> >
>>>> >> >> >> >>> >
>>>> >> >> >> >>> > -
>>>> >> >> >> >>> > List info/subscribe/unsubscribe? See >
>>>> >> >> >> >>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> <
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> >>> <
>>>> >> >> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> <
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> >>> >>>> <
>>>> >> >> >> >>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> <
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> >>> <
>>>> >> >> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> <
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> >>> >>>> >
>>>> >> >> >> >>> -
>>>> >> >> >> >>> List info/subscribe/unsubscribe? See
>>>> >> >> >> >>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> <
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> >>> <
>>>> >> >> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> <
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> >>> >
>>>> >> >> >> >> -
>>>> >> >> >> >> List info/subscribe/unsubscribe? See >>
>>>> >> >> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> <
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> >>> <
>>>> >> >> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> <
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> >>> >
>>>> >> >> >> -
>>>> >> >> >> List info/subscribe/unsubscribe? See
>>>> >> >> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> <
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> >
>>>> >> >> > -
>>>> >> >> > List info/subscribe/unsubscribe? See >
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> <
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >>> >
>>>> >> >> -
>>>> >> >> List info/subscribe/unsubscribe? See
>>>> >> >> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >
>>>> >> > -
>>>> >> > List info/subscribe/unsubscribe? See >
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> <
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >>> >
>>>> >> -
>>>> >> List info/subscribe/unsubscribe? See
>>>> >> >>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >
>>>> > -
>>>> > List info/subscribe/unsubscribe? See >
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> <
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>>>> >
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
>>> -
>>> List info/subscribe/unsubscribe? See >>> http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
and https://github.com/google/google-authenticator/wiki/TroubleShooting-Tips
eero
ke 25. huhtik. 2018 klo 11.02 <servernemesis@tutanota.com> kirjoitti:
> I'm using the radtest command on localhost with the secret testing123
> (double checked)
>
> 25. Avr 2018 09:55 de eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi
> >:
>
>
> > well. radius secret can be wrong also for your client.
> >
> > radius secret is in client.conf and its tied to client ip address. check
> it
> > out and test again.
> >
> > anyway. in your config you need use only google code, not password.
> >
> > Eero
> >
> > ke 25. huhtik. 2018 klo 10.49 <> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>> > kirjoitti:
> >
> >> Hello,
> >>
> >> No because if I login with SSH, it works :
> >>
> >> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]:
> >> Accepted google_authenticator for user
> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user
> from
> >> 192.168.50.68 port 50020 ssh2
> >> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session):
> session
> >> opened for user user by (uid=0)
> >> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of
> user
> >> user.
> >>
> >> I don't get why it's not working with the radius...
> >>
> >> 25. Avr 2018 09:46 de >> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>> <>> mailto:eero.volotinen@iki.fi <mailto:mailto:
> eero.volotinen@iki.fi>
> >> >:
> >>
> >>
> >> > It means that code is wrong? is the server using ntp and clock is sync
> >> and
> >> > mobile is in sync.
> >> >
> >> > Try following: log into user. delete .google* file from user home
> >> directory.
> >> >
> >> > run google-authenticator without params and select time based
> token/auth
> >> > and add new authenticator code to google auth in phone
> >> >
> >> > Eero
> >> >
> >> > ke 25. huhtik. 2018 klo 10.39 <> >> servernemesis@tutanota.com
> <mailto:servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >> >
> kirjoitti:
> >> >
> >> >> PS : If I disable the domain suffix for the users on the server
> (being
> >> >> able to login with just "user"), I get
> >> >>
> >> >> Apr 25 09:27:42 SRV-FREERADIUS
> radiusd(pam_google_authenticator)[1661]:
> >> >> Invalid verification code for user
> >> >>
> >> >>
> >> >> 25. Avr 2018 09:15 de >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <mailto:
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> >:
> >> >>
> >> >>
> >> >> > I tried
> >> >> >
> >> >> > #
> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >> >> > #
> >> >> >
> >> >> > # We fall back to the system default in /etc/pam.d/common-*
> >> >> > #
> >> >> >
> >> >> > #@include common-auth
> >> >> > #@include common-account
> >> >> > #@include common-password
> >> >> > #@include common-session
> >> >> > auth required /usr/local/lib/security/pam_google_authenticator.so
> >> >> >
> >> >> > and
> >> >> >
> >> >> > #
> >> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >> >> > #
> >> >> >
> >> >> > # We fall back to the system default in /etc/pam.d/common-*
> >> >> > #
> >> >> >
> >> >> > #@include common-auth
> >> >> > #@include common-account
> >> >> > #@include common-password
> >> >> > #@include common-session
> >> >> > auth requisite /usr/local/lib/security/pam_google_authenticator.so
> >> >> forward_pass
> >> >> > auth required pam_unix.so use_first_pass
> >> >> >
> >> >> > In both cases :
> >> >> >
> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >> radiusd(pam_google_authenticator)[6847]:
> >> >> user("user") not found
> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >> radiusd(pam_google_authenticator)[6847]:
> >> >> No secret configured for user user, asking for code anyway.
> >> >> > Apr 25 09:05:43 SRV-FREERADIUS
> >> radiusd(pam_google_authenticator)[6847]:
> >> >> Invalid verification code for user
> >> >> >
> >> >> >
> >> >> >
> >> >> > 24. Avr 2018 19:21 de > >> >> eero.volotinen@iki.fi <mailto:
> eero.volotinen@iki.fi>>> <mailto:
> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> >>> <mailto:
> >> >> >> eero.volotinen@iki.fi <mailto:eero.volotinen@iki.fi>>> <>>
> mailto:eero.volotinen@iki.fi <mailto:mailto:eero.volotinen@iki.fi>>> >>>
> >> :
> >> >> >
> >> >> >
> >> >> >> You need to enable pam logging on google authenticator.
> >> >> >>
> >> >> >> what is content of /etc/pam.d/radiusd ?
> >> >> >>
> >> >> >> Eero
> >> >> >>
> >> >> >> ti 24. huhtik. 2018 klo 17.29 <>> >> >>
> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>
> >> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> <mailto:
> >> >> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>>
> <>> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>> >
> >> kirjoitti:
> >> >> >>
> >> >> >>> Thanks, it looks better but it's still failing :
> >> >> >>>
> >> >> >>> Ready to process requests
> >> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to
> >> >> 127.0.0.1:1812
> >> >> >>> length 92
> >> >> >>> (0) User-Name = ">>> >> >> user@mydomain.com <mailto:
> user@mydomain.com>>> <mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> >>> <>> >> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> <mailto:mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> >>> >>>>
> >> >> <>>> >> >> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>>
> <>> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:
> user@mydomain.com>>> >>>
> >> <>> >> mailto:mailto:user@mydomain.com <mailto:mailto:mailto:
> user@mydomain.com>>> <mailto:mailto:mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> >>> >>>> >"
> >> >> >>> (0) User-Password = "password123456"
> >> >> >>> (0) NAS-IP-Address = 127.0.1.1
> >> >> >>> (0) NAS-Port = 18120
> >> >> >>> (0) Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
> >> >> >>> (0) # Executing section authorize from file
> >> >> >>> /etc/freeradius/3.0/sites-enabled/default
> >> >> >>> (0) authorize {
> >> >> >>> (0) policy filter_username {
> >> >> >>> (0) if (&User-Name) {
> >> >> >>> (0) if (&User-Name) -> TRUE
> >> >> >>> (0) if (&User-Name) {
> >> >> >>> (0) if (&User-Name =~ / /) {
> >> >> >>> (0) if (&User-Name =~ / /) -> FALSE
> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) {
> >> >> >>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> >> >> >>> (0) if (&User-Name =~ /\.\./ ) {
> >> >> >>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> >> >> /@(.+)\.(.+)$/)) {
> >> >> >>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> >> /@(.+)\.(.+)$/))
> >> >> >>> -> FALSE
> >> >> >>> (0) if (&User-Name =~ /\.$/) {
> >> >> >>> (0) if (&User-Name =~ /\.$/) -> FALSE
> >> >> >>> (0) if (&User-Name =~ /@\./) {
> >> >> >>> (0) if (&User-Name =~ /@\./) -> FALSE
> >> >> >>> (0) } # if (&User-Name) = notfound
> >> >> >>> (0) } # policy filter_username = notfound
> >> >> >>> (0) [preprocess] = ok
> >> >> >>> (0) [chap] = noop
> >> >> >>> (0) [mschap] = noop
> >> >> >>> (0) [digest] = noop
> >> >> >>> (0) suffix: Checking for suffix after "@"
> >> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "
> >> >> >>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>>>
> <>>> mailto:
> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>> mailto:
> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto
> :mailto:user@mydomain.com <mailto:mailto:mailto:mailto:user@mydomain.com>>>
> >>> >>>> >"
> >> >> >>> (0) suffix: Found realm "mydomain.com"
> >> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
> >> >> >>> (0) suffix: Adding Realm = "mydomain.com"
> >> >> >>> (0) suffix: Authentication realm is LOCAL
> >> >> >>> (0) [suffix] = ok
> >> >> >>> (0) eap: No EAP-Message, not doing EAP
> >> >> >>> (0) [eap] = noop
> >> >> >>> (0) files: users: Matched entry DEFAULT at line 221
> >> >> >>> (0) [files] = ok
> >> >> >>> (0) [expiration] = noop
> >> >> >>> (0) [logintime] = noop
> >> >> >>> (0) pap: WARNING: No "known good" password found for the user.
> Not
> >> >> >>> setting Auth-Type
> >> >> >>> (0) pap: WARNING: Authentication will fail unless a "known good"
> >> >> password
> >> >> >>> is available
> >> >> >>> (0) [pap] = noop
> >> >> >>> (0) } # authorize = ok
> >> >> >>> (0) Found Auth-Type = pam
> >> >> >>> (0) # Executing group from file
> >> >> /etc/freeradius/3.0/sites-enabled/default
> >> >> >>> (0) authenticate {
> >> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> >> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
> >> >> >>> (0) [pam] = reject
> >> >> >>> (0) } # authenticate = reject
> >> >> >>> (0) Failed to authenticate the user
> >> >> >>> (0) Using Post-Auth-Type Reject
> >> >> >>> (0) # Executing group from file
> >> >> /etc/freeradius/3.0/sites-enabled/default
> >> >> >>> (0) Post-Auth-Type REJECT {
> >> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
> >> >> >>> (0) attr_filter.access_reject: --> >>> >> >>
> user@mydomain.com <mailto:user@mydomain.com>
> >> <>> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>>
> <mailto:
> >> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:
> user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> >>>> <mailto:
> >> >> >>> >> >> user@mydomain.com <mailto:user@mydomain.com>>> <>>
> mailto:user@mydomain.com <mailto:mailto:user@mydomain.com>>> >>> <>>
> mailto:
> >> user@mydomain.com <mailto:user@mydomain.com>>> <>> mailto:mailto:
> user@mydomain.com <mailto:mailto:mailto:user@mydomain.com>>> >>> >>>> >
> >> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> >> >> >>> (0) [attr_filter.access_reject] = updated
> >> >> >>> (0) [eap] = noop
> >> >> >>> (0) policy remove_reply_message_if_eap {
> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> >> >> >>> (0) if (&reply:EAP-Message && &reply:Reply-Message) ->
> FALSE
> >> >> >>> (0) else {
> >> >> >>> (0) [noop] = noop
> >> >> >>> (0) } # else = noop
> >> >> >>> (0) } # policy remove_reply_message_if_eap = noop
> >> >> >>> (0) } # Post-Auth-Type REJECT = updated
> >> >> >>> (0) Delaying response for 1.000000 seconds
> >> >> >>> Waking up in 0.3 seconds.
> >> >> >>> Waking up in 0.6 seconds.
> >> >> >>> (0) Sending delayed response
> >> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to
> >> 127.0.0.1:34793
> >> >> >>> length 20
> >> >> >>> Waking up in 3.9 seconds.
> >> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
> >> >> >>> Ready to process requests
> >> >> >>>
> >> >> >>>
> >> >> >>> 24. Avr 2018 16:40 de >>> >> >> aland@deployingradius.com
> <mailto:aland@deployingradius.com>>> <mailto:
> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>>
> <mailto:
> >> >> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>>
> <>> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> >>> >>>>
> >> <mailto:
> >> >> >>> >> >> aland@deployingradius.com <mailto:
> aland@deployingradius.com>>> <>> mailto:aland@deployingradius.com
> <mailto:mailto:aland@deployingradius.com>>> >>>
> >> <>> >> mailto:aland@deployingradius.com <mailto:mailto:
> aland@deployingradius.com>>> <mailto:mailto:
> >> aland@deployingradius.com <mailto:aland@deployingradius.com>>> >>>
> >>>> >:
> >> >> >>>
> >> >> >>>
> >> >> >>> > On Apr 24, 2018, at 10:23 AM, <> >>> >>
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> <>>
> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> >
> >> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> >>>> <mailto:
> >> >> >>> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com
> <mailto:mailto:servernemesis@tutanota.com>>> >>>
> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> >>>> >>
> >> >> > <> >>> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>
> >> <>> mailto:mailto:servernemesis@tutanota.com <mailto:mailto:mailto:
> servernemesis@tutanota.com>>> >>> >>>>
> >> >> <mailto:
> >> >> >>> >> >> servernemesis@tutanota.com <mailto:
> servernemesis@tutanota.com>>> <>> mailto:servernemesis@tutanota.com
> <mailto:mailto:servernemesis@tutanota.com>>> >>>
> >> <>> >> mailto:servernemesis@tutanota.com <mailto:mailto:
> servernemesis@tutanota.com>>> <mailto:mailto:
> >> servernemesis@tutanota.com <mailto:servernemesis@tutanota.com>>> >>>
> >>>> >>
> >> >> > wrote:
> >> >> >>> >>
> >> >> >>> >> My FR server is domain joined, and his krb5 realm is
> >> mydomain.com
> >> >> >>> >> I don't know where I could specify the domain for PAM.
> >> >> >>> >
> >> >> >>> > I didn't tell you to specify the domain for PAM.
> >> >> >>> >
> >> >> >>> >> I'm not sure what you mean by "If it doesn't know about the
> >> domain,
> >> >> >>> then add a realm for "mydomain.com". Make it LOCAL (see
> >> proxy.conf)."
> >> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
> >> >> >>> >
> >> >> >>> > You know you're on the FreeRADIUS mailing list, right?
> >> proxy.conf
> >> >> is
> >> >> >>> for FreeRADIUS, not PAM.
> >> >> >>> >
> >> >> >>> > No, don't edit the /etc/pam.d/radiusd file. If I had meant
> to
> >> edit
> >> >> >>> that file, I would have told you to edit that file.
> >> >> >>> >
> >> >> >>> > Look in the /etc/raddb (or on debian / Ubuntu)
> /etc/freeradius
> >> >> >>> directory. The proxy.conf file is there. Read it.
> >> >> >>> >
> >> >> >>> > Alan DeKok.
> >> >> >>> >
> >> >> >>> >
> >> >> >>> > -
> >> >> >>> > List info/subscribe/unsubscribe? See >
> >> >> >>> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>>> <
> >> >> >>> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >>>> >
> >> >> >>> -
> >> >> >>> List info/subscribe/unsubscribe? See
> >> >> >>> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >
> >> >> >> -
> >> >> >> List info/subscribe/unsubscribe? See >>
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> <
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >>> >
> >> >> -
> >> >> List info/subscribe/unsubscribe? See
> >> >> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >
> >> > -
> >> > List info/subscribe/unsubscribe? See >
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> <
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>>> >
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> > -
> > List info/subscribe/unsubscribe? See >
> http://www.freeradius.org/list/users.html <
> http://www.freeradius.org/list/users.html>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Hi, I am not sure how your setup works, but in mine, there is no @mydomain at username Anyway, I used this setup: https://networkjutsu.com/freeradius-google-authenticator/ (which also includes static password with google authenticator). Eero On Tue, Apr 24, 2018 at 12:48 PM, <servernemesis@tutanota.com> wrote:
Hello,
I followed this tutorial (https://www.techdrabble.com/ citrix/14-2factor-with-google-authenticator-and-netscaler < https://www.techdrabble.com/citrix/14-2factor-with-google- authenticator-and-netscaler>) and managed to get it running on Debian 9 with FR 3.0.12 thanks to the help here. But I have another issue : when I try to authenticate with password + googleauth code, I got rejected. I'm able to log on the FR server with domain credentials without problem. The google auth code gets generated without issue either.
Radtest: radtest user@mydomain.com <mailto:user@mydomain.com> password123456 localhost 18120 testing123 Sent Access-Request Id 226 from 0.0.0.0:38763 to 127.0.0.1:1812 length 92 User-Name = "user@mydomain.com <mailto:user@mydomain.com>" User-Password = "password123456" NAS-IP-Address = 127.0.1.1 NAS-Port = 18120 Message-Authenticator = 0x00 Cleartext-Password = "password123456" Received Access-Reject Id 226 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
Log: Ready to process requests Waking up in 0.3 seconds. (0) Received Access-Request Id 226 from 127.0.0.1:38763 to 127.0.0.1:1812 length 92 (0) User-Name = "user@mydomain.com <mailto:user@mydomain.com>" (0) User-Password = "password123456" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 18120 (0) Message-Authenticator = 0x53b836642c653e776b0d9f8a542fca3a (0) # Executing section authorize from file /etc/freeradius/3.0/sites- enabled/default (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Waking up in 0.3 seconds. Waking up in 0.2 seconds. (0) pam: ERROR: pam_authenticate failed: Authentication failure (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Waking up in 0.7 seconds. (0) Sent Access-Reject Id 226 from 127.0.0.1:1812 to 127.0.0.1:38763 length 20 Waking up in 3.9 seconds. Ready to process requests
Regards
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (3)
-
Alan DeKok -
Eero Volotinen -
servernemesis@tutanota.com