Apache2 - PAM - freeRADIUS - users

Michael Messner michael.messner_edv at inode.at
Wed Mar 21 00:15:49 CET 2007


hey,

freeRADIUS works quite well and it's possible to authenticate via PAM;
for example local logins, ssh-logins, su, chsh, gdm, ... are working
quite fine.

The only thing that will not work is the .htaccess from apache2. The
RADIUS server gets the request and permits the user:

rad_recv: Access-Request packet from host 127.0.0.1:11970, id=92, length=94
        User-Name = "micmes"
        User-Password = "**********"
        NAS-IP-Address = 192.168.2.12
        NAS-Identifier = "apache2"
        NAS-Port = 10945
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "192.168.2.103"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 68
  modcall[authorize]: module "preprocess" returns ok for request 68
radius_xlat:  '/var/log/freeradius/radacct/127.0.0.1/auth-detail-20070321'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20070321
  modcall[authorize]: module "auth_log" returns ok for request 68
  modcall[authorize]: module "chap" returns noop for request 68
  modcall[authorize]: module "mschap" returns noop for request 68
    rlm_realm: No '@' in User-Name = "micmes", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 68
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 68
    users: Matched entry micmes at line 250
  modcall[authorize]: module "files" returns ok for request 68
modcall: leaving group authorize (returns ok) for request 68
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat:  'Hello, micmes'
Login OK: [micmes/**********] (from client localhost port 10945 cli 192.168.2.103)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 68
radius_xlat:  '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20070321'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20070321
  modcall[post-auth]: module "reply_log" returns ok for request 68
modcall: leaving group post-auth (returns ok) for request 68
Sending Access-Accept of id 92 to 127.0.0.1 port 11970
        Filter-Id == "Enterasys:version=1:mgmt=su:policy=Admin-Policy"
        Reply-Message = "Hello, micmes"
Finished request 68
Going to the next request
--- Walking the entire request list ---


also pam gives me the message that the user is authenticated:

Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Got user name micmes
Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Sending RADIUS request code 1
Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Got RADIUS response code 2
Mar 21 00:07:07 debianmike apache2: pam_radius_auth: authentication succeeded


and the apache log gives me this last information:

[Wed Mar 21 00:07:07 2007] [error] [client 192.168.2.103] PAM: user 'micmes'  - invalid account: Authentication service cannot retrieve authentication info.


my browser displays:

Authorization Required

This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g., bad
password), or your browser doesn't understand how to supply the
credentials required.


the .htaccess:

cat /var/www/apache2-default/.htaccess
AuthType "basic"
AuthName "Radius Authentication"
AuthPAM_Enabled on
Require valid-user


some information:

freeradius -v
freeradius: FreeRADIUS Version 1.1.4, for host i386-pc-linux-gnu, built on Feb 16 2007 at 21:35:11
Copyright (C) 2000-2006 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

apache2 -v
Server version: Apache/2.0.54
Server built:   Jul 28 2006 09:04:55

libpam-radius-auth 1.3.16-3
on Debian stable with all patches


any ideas what's going wrong?

thanks for any help
ca
mIke
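
The three log excerpts in this message can be lined up programmatically. The following is an added example, not part of the original post: it parses the pam_radius_auth syslog lines and the Apache error line quoted above (re-joined where the mail wrapped them) and reports users that RADIUS accepted but Apache still refused. The function names are hypothetical, and reading "invalid account" as the PAM account step is an assumption.

```python
import re

# Lines copied from the message above, re-joined where the mail wrapped them.
SYSLOG = [
    "Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Got user name micmes",
    "Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Sending RADIUS request code 1",
    "Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Got RADIUS response code 2",
    "Mar 21 00:07:07 debianmike apache2: pam_radius_auth: authentication succeeded",
]
APACHE = [
    "[Wed Mar 21 00:07:07 2007] [error] [client 192.168.2.103] PAM: user 'micmes'  - "
    "invalid account: Authentication service cannot retrieve authentication info.",
]
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}  # RFC 2865
RADIUS_RE = re.compile(
    r"pam_radius_auth: (?:Got user name (?P<user>\S+)|Got RADIUS response code (?P<code>\d+))")
APACHE_RE = re.compile(r"PAM: user '(?P<user>[^']+)'\s+- (?P<what>[^:]+): (?P<reason>.+)")

def radius_results(lines):
    """Map each user to the last RADIUS response type pam_radius_auth logged for them."""
    results, user = {}, None
    for line in lines:
        m = RADIUS_RE.search(line)
        if m and m.group("user"):
            user = m.group("user")
        elif m and user is not None:
            code = int(m.group("code"))
            results[user] = RADIUS_CODES.get(code, f"code {code}")
    return results

def apache_pam_failures(lines):
    """Return (user, stage, reason) for each Apache PAM error line."""
    failures = []
    for m in filter(None, map(APACHE_RE.search, lines)):
        # Assumption: "invalid account" marks the PAM account step, not the password check.
        stage = "account" if m.group("what") == "invalid account" else "auth"
        failures.append((m.group("user"), stage, m.group("reason").rstrip(".")))
    return failures

def accepted_but_denied(syslog, apache):
    """Users whose RADIUS exchange ended in Access-Accept but who failed the account step."""
    radius = radius_results(syslog)
    return [f for f in apache_pam_failures(apache)
            if f[1] == "account" and radius.get(f[0]) == "Access-Accept"]

if __name__ == "__main__":
    for user, stage, reason in accepted_but_denied(SYSLOG, APACHE):
        print(f"{user}: RADIUS accepted, Apache denied at PAM {stage} step ({reason})")
```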