radtest seems to fail out of the box

Alan DeKok aland at deployingradius.com
Wed Nov 28 18:53:20 CET 2007


Dan Gahlinger wrote:
> Ok, Al, can you explain or help with this.
> 
> just to appease you, I unpacked free radius, out of the box,
> changed a single line in "server" as such:
> 127.0.0.1       testing123             3

  I think that's a config file for the PAM module.  FreeRADIUS doesn't
use it.

> ran radtest using a testuser local account:

  In /etc/passwd...

> Radiusd -X shows:
...
>     users: Matched entry DEFAULT at line 155

  Which is the entry setting Auth-Type = System.  i.e. "check against
/etc/passwd".

> rlm_unix: [testuser]: invalid password

  Which is pretty definitive.  FreeRADIUS just calls the standard Unix
APIs to get the user's password from /etc/passwd or /etc/shadow, and
then calls the standard Unix APIs to check that against what the user
entered.

  It looks like the second call is causing issues.  It's returning
something, but that something doesn't match what's in /etc/passwd.

  If it helps, FreeRADIUS is simply at the mercy of the system APIs
here.  Are you running as root in debugging mode?

> the password is valid, as a local SSH using the same information works.

  Ouch.

> And one other oddity, when using users with "hardened" passwords like
> say "test@"
> radtest and radiusd -X will show the password as "test2", whether quotes
> are used or not.

  That's... odd.  There may be shell escaping issues, but when I test
users like that using single quotes ( 'test@' ) in radtest && the
"users" file, it works for me.

> is this normal? and why does the radtest fail?

  It's not normal.  radtest fails because the APIs FreeRADIUS calls
don't seem to work.

  Alan DeKok.
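
Added example, not part of the original message and not FreeRADIUS code: a C program for the lookup step described above, reporting which password field a process can actually see through getpwnam() and getspnam(). It assumes a Linux system with shadow passwords; classify_field and visible_hash are hypothetical names, and the comparison step (crypt() of the entered password against the stored hash) is left out.

```c
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

/* What kind of value sits in a passwd/shadow password field. */
enum pw_kind { PW_MISSING, PW_EMPTY, PW_SHADOWED, PW_LOCKED, PW_HASH };

enum pw_kind classify_field(const char *f)
{
    if (f == NULL) return PW_MISSING;
    if (f[0] == '\0') return PW_EMPTY;
    if (strcmp(f, "x") == 0) return PW_SHADOWED;   /* hash lives in /etc/shadow */
    if (f[0] == '!' || f[0] == '*') return PW_LOCKED;
    return PW_HASH;
}

/* Return the hash this process can see for `user`, or NULL if none.
 * *kind records why: PW_SHADOWED with a NULL result means /etc/shadow
 * could not be read, which is what an unprivileged process gets. */
const char *visible_hash(const char *user, enum pw_kind *kind)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { *kind = PW_MISSING; return NULL; }

    *kind = classify_field(pw->pw_passwd);
    if (*kind != PW_SHADOWED)
        return *kind == PW_HASH ? pw->pw_passwd : NULL;

    struct spwd *sp = getspnam(user);   /* NULL unless allowed to read shadow */
    if (sp == NULL) return NULL;        /* kind stays PW_SHADOWED */

    *kind = classify_field(sp->sp_pwdp);
    return *kind == PW_HASH ? sp->sp_pwdp : NULL;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "missing", "empty", "shadowed", "locked", "hash" };
    const char *user = argc > 1 ? argv[1] : "root";
    enum pw_kind kind;
    const char *hash = visible_hash(user, &kind);

    /* Never print the hash itself; only report whether one is visible. */
    printf("%s: field=%s, usable hash %s\n", user, names[kind],
           hash ? "visible" : "not visible");
    return 0;
}
```

Run as an ordinary user and then as root against the same account: a "shadowed, not visible" result under the ordinary user is the case where any password comparison will fail regardless of what was typed.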


