LDAP/RACF authentication issue

Marc Giuliani marc.giuliani at earthlink.net
Thu May 10 18:03:39 CEST 2007 

Hello,

I am VERY new to radius and need some guidance...I have read the configuration instructions and have searched the freeradius mail archives to no avail...

We are trying to set up Oracle to use radius/ldap and racf for the authentication. Oracle (10g on Solaris) --> Radius (on Solaris) --> LDAP (on Z/os) --> RACF (authenticate and pass back to Oracle ok or not ok to connect). 

Radius is installed and I have followed the instructions provided by IBM to set up RACF/LDAP and Radius in the document http://www.redbooks.ibm.com/abstracts/sg246482.html chapter 9. However when I run radtest I cannot get a successful return. Also a log file is not being generated on the logdir and I have confirmed by adding a foo file manually that the id does have permission to write to the log directory....I have tried many variations of the radius.conf....Any ideas or guidance would be very appreciated. 

Here is the output when running radiusd -X:


/opt/local/etc/raddb>radiusd -X

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/local/etc/raddb/clients.conf
Config:   including file: /opt/local/etc/raddb/snmp.conf
Config:   including file: /opt/local/etc/raddb/eap.conf
 main: prefix = "/opt/local"
 main: localstatedir = "/opt/local/var"
 main: logdir = "/opt/local/var/log/radius"
 main: libdir = "/opt/local/lib"
 main: radacctdir = "/opt/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/opt/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/opt/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/opt/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /opt/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/opt/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/opt/local/etc/raddb/huntgroups"
 preprocess: hints = "/opt/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded detail 
 detail: detailfile = "/opt/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = yes
 realm: ignore_null = yes
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/opt/local/etc/raddb/users"
 files: acctusersfile = "/opt/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/opt/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
 detail: detailfile = "/opt/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/opt/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.71.175.19:36661, id=228, length=59
        User-Name = "NBCTST1"
        User-Password = "testpwd"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/opt/local/var/log/radius/radacct/10.71.175.19/auth-detail-20070510'
rlm_detail: /opt/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/local/var/log/radius/radacct/10.71.175.19/auth-detail-20070510
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "NBCTST1", skipping NULL due to config.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [NBCTST1/testpwd] (from client denord01 port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 228 to 10.71.175.19 port 36661
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 228 with timestamp 46433e16
Nothing to do.  Sleeping until we see a request.

More information about the Freeradius-Users mailing list