Apache2 - PAM - freeRADIUS - users
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hey, freeRADIUS works quite good and it's possible to authenticate via PAM, for example local logins, ssh-logins, su, chsh, gdm, ... are working quite fine. The only thing is the htaccess from apache2 which will not work. The Radius gets the request and permits the user: rad_recv: Access-Request packet from host 127.0.0.1:11970, id=92, length=94 User-Name = "micmes" User-Password = "**********" NAS-IP-Address = 192.168.2.12 NAS-Identifier = "apache2" NAS-Port = 10945 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "192.168.2.103" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 68 modcall[authorize]: module "preprocess" returns ok for request 68 radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/auth-detail-20070321' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detai l-20070321 modcall[authorize]: module "auth_log" returns ok for request 68 modcall[authorize]: module "chap" returns noop for request 68 modcall[authorize]: module "mschap" returns noop for request 68 rlm_realm: No '@' in User-Name = "micmes", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 68 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 68 users: Matched entry micmes at line 250 modcall[authorize]: module "files" returns ok for request 68 modcall: leaving group authorize (returns ok) for request 68 auth: type Local auth: user supplied User-Password matches local User-Password radius_xlat: 'Hello, micmes' Login OK: [micmes/**********] (from client localhost port 10945 cli 192.168.2.103) Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 68 radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20070321' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-det ail-20070321 modcall[post-auth]: module "reply_log" returns ok for request 68 modcall: leaving group post-auth (returns ok) for request 68 Sending Access-Accept of id 92 to 127.0.0.1 port 11970 Filter-Id == "Enterasys:version=1:mgmt=su:policy=Admin-Policy" Reply-Message = "Hello, micmes" Finished request 68 Going to the next request - --- Walking the entire request list --- also pam gives me the message that the user is authenticated: Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Got user name micmes Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Sending RADIUS request code 1 Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Got RADIUS response code 2 Mar 21 00:07:07 debianmike apache2: pam_radius_auth: authentication succeeded and the apache log gives me this last information: [Wed Mar 21 00:07:07 2007] [error] [client 192.168.2.103] PAM: user 'micmes' - invalid account: Authentication service cannot retrieve authentication info. my browser displays: Authorization Required This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required. the .htaccess: cat /var/www/apache2-default/.htaccess AuthType "basic" AuthName "Radius Authentication" AuthPAM_Enabled on Require valid-user some information: freeradius -v freeradius: FreeRADIUS Version 1.1.4, for host i386-pc-linux-gnu, built on Feb 16 2007 at 21:35:11Copyright (C) 2000-2006 The FreeRADIUS server project.There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR APARTICULAR PURPOSE.You may redistribute copies of FreeRADIUS under the terms of theGNU General Public License.For more information about these matters, see the file named COPYRIGHT. apache2 -v Server version: Apache/2.0.54Server built: Jul 28 2006 09:04:55 libpam-radius-auth 1.3.16-3 on a debian stable with all patches any ideas whats going wrong? thanks for any help ca mIke -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGAGslyUY4xkIcFVQRAgA5AKDg64L+9T9zX/C2h9gB29xT6KV77gCgyYUo X4pCc64EWq4nO+QrOZwl8Ok= =0gqo -----END PGP SIGNATURE-----
Michael Messner wrote:
hey,
freeRADIUS works quite good and it's possible to authenticate via PAM, for example local logins, ssh-logins, su, chsh, gdm, ... are working quite fine.
The only thing is the htaccess from apache2 which will not work. The Radius gets the request and permits the user:
I would suggest finding out why Apache is requiring more from PAM than everyone else does. It's not really a pam_radius problem, because it works with everything else. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hello Michael,
freeRADIUS works quite good and it's possible to authenticate via PAM, for example local logins, ssh-logins, su, chsh, gdm, ... are working quite fine.
The only thing is the htaccess from apache2 which will not work. The Radius gets the request and permits the user:
I would suggest finding out why Apache is requiring more from PAM than everyone else does. It's not really a pam_radius problem, because it works with everything else.
we had similar problems with radius and Apache2 (it is not a RADIUS/PAM problem!) PAM didn't work for us neither, so a colleague found another radius module for Apache 2: http://www.outoforder.cc/projects/apache/mod_auth_xradius/ But it only works with Apache 2.0.x. With Apache 2.2.x we didn't manage to get any radius authentication working. Greetings
On 3/21/07, Helmut Tröbs <Helmut.Troebs@lrz-muenchen.de> wrote:
Hello Michael,
freeRADIUS works quite good and it's possible to authenticate via PAM, for example local logins, ssh-logins, su, chsh, gdm, ... are working quite fine.
The only thing is the htaccess from apache2 which will not work. The Radius gets the request and permits the user:
I would suggest finding out why Apache is requiring more from PAM than everyone else does. It's not really a pam_radius problem, because it works with everything else.
we had similar problems with radius and Apache2 (it is not a RADIUS/PAM problem!) PAM didn't work for us neither, so a colleague found another radius module for Apache 2:
http://www.outoforder.cc/projects/apache/mod_auth_xradius/
But it only works with Apache 2.0.x. With Apache 2.2.x we didn't manage to get any radius authentication working.
I got apache <-> radius working with mod_auth_xradius with apache-2.2.2 on FC6. a very basic how-to is here: http://www.howtoforge.com/apache_radius_two_factor_authentication hth. nick -- Nick Owen WiKID Systems, Inc. 404.962.8983 (desk) 404.542.9453 (cell) http://www.wikidsystems.com At last, two-factor authentication, without the hassle factor Now open source: http://sourceforge.net/projects/wikid-twofactor/
participants (4)
-
Alan DeKok -
Helmut Tröbs -
Michael Messner -
Nick Owen