Help with freeradius

Jason Berenson jason at pins.net
Thu Oct 8 20:32:12 CEST 2009


Greetings,

I am migrating from Solaris 8 to Solaris 10 and in the process upgrading
freeradius from 0.9.3 to 2.1.7.  I'm having some difficulty in getting
it to work.  I've pretty much copied the users and radiusd.conf files
over from the old server.  Here's some output with debugging turned on.
This is from a Cisco 7206 trying to authenticate against the new radius
server.  My goal is to have the radius server use getpw() to find the
login since we scrapped NIS for LDAP which runs on a different server.

rad_recv: Access-Request packet from host x.x.x.x port 1645, id=2, length=84
        User-Name = "jason"
        User-Password = "test"
        NAS-Port = 2
        NAS-Port-Id = "tty2"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "y.y.y.y"
        NAS-IP-Address = x.x.x.x
Thu Oct  8 14:12:07 2009 : Debug: +- entering group authorize {...}
Thu Oct  8 14:12:07 2009 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 1
Thu Oct  8 14:12:07 2009 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 1
Thu Oct  8 14:12:07 2009 : Debug: ++[preprocess] returns ok
Thu Oct  8 14:12:07 2009 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 1
Thu Oct  8 14:12:07 2009 : Debug:   modsingle[authorize]: returned from
chap (rlm_chap) for request 1
Thu Oct  8 14:12:07 2009 : Debug: ++[chap] returns noop
Thu Oct  8 14:12:07 2009 : Debug:   modsingle[authorize]: calling suffix
(rlm_realm) for request 1
Thu Oct  8 14:12:07 2009 : Debug: No '@' in User-Name = "jason", looking
up realm NULL
Thu Oct  8 14:12:07 2009 : Debug: No such realm "NULL"
Thu Oct  8 14:12:07 2009 : Debug:   modsingle[authorize]: returned from
suffix (rlm_realm) for request 1
Thu Oct  8 14:12:07 2009 : Debug: ++[suffix] returns noop
Thu Oct  8 14:12:07 2009 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 1
Thu Oct  8 14:12:07 2009 : Debug: users: Matched entry jason at line 14
Thu Oct  8 14:12:07 2009 : Debug:   modsingle[authorize]: returned from
files (rlm_files) for request 1
Thu Oct  8 14:12:07 2009 : Debug: ++[files] returns ok
Thu Oct  8 14:12:07 2009 : Debug: Found Auth-Type = System
Thu Oct  8 14:12:07 2009 : Debug: +- entering group UNIX {...}
Thu Oct  8 14:12:07 2009 : Debug:   modsingle[authenticate]: calling
unix (rlm_unix) for request 1
Thu Oct  8 14:12:07 2009 : Auth: [unix] invalid password "jason"
Thu Oct  8 14:12:07 2009 : Debug:   modsingle[authenticate]: returned
from unix (rlm_unix) for request 1
Thu Oct  8 14:12:07 2009 : Debug: ++[unix] returns reject
Thu Oct  8 14:12:07 2009 : Debug: Failed to authenticate the user.
Thu Oct  8 14:12:07 2009 : Auth: Login incorrect: [jason/test] (from
client fonseca port 2 cli y.y.y.y)
Thu Oct  8 14:12:07 2009 : Debug: Delaying reject of request 1 for 1 seconds
Thu Oct  8 14:12:07 2009 : Debug: Going to the next request
Thu Oct  8 14:12:07 2009 : Debug: Waking up in 0.9 seconds.
Thu Oct  8 14:12:08 2009 : Debug: Sending delayed reject for request 1
Sending Access-Reject of id 2 to x.x.x.x port 1645
Thu Oct  8 14:12:08 2009 : Debug: Waking up in 4.9 seconds.

Here are the relevant parts of the users file:

DEFAULT         Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

#
#  Staff users here
#
jason        Auth-Type := System
                Fall-Through = Yes

I've included what I think is needed from the radius.conf file.  If more
is needed please let me know and I'll forward it over.

-Jason

        unix {
                #
                #  Cache /etc/passwd, /etc/shadow, and /etc/group
                #
                #  The default is to NOT cache them.
                #
                #  For FreeBSD and NetBSD, you do NOT want to enable
                #  the cache, as its password lookups are done via a
                #  database, so set this value to 'no'.
                #
                #  Some systems (e.g. RedHat Linux with pam_pwbd) can
                #  take *seconds* to check a password, when the passwd
                #  file contains 1000's of entries.  For those systems,
                #  you should set the cache value to 'yes', and set
                #  the locations of the 'passwd', 'shadow', and 'group'
                #  files, below.
                #
                # allowed values: {no, yes}
                cache = no

                # Reload the cache every 600 seconds (10mins). 0 to disable.
                cache_reload = 600

                #
                #  Define the locations of the normal passwd, shadow, and
                #  group files.
                #
                #  'shadow' is commented out by default, because not all
                #  systems have shadow passwords.
                #
                #  To force the module to use the system password functions,
                #  instead of reading the files, leave the following entries
                #  commented out.
                #
                #  This is required for some systems, like FreeBSD,
                #  and Mac OSX.
                #
                #passwd = /usr/local/etc/raddb/passwd
                #shadow = /usr/local/etc/raddb/shadow
                #group = /usr/local/etc/raddb/group

                #
                #  The location of the "wtmp" file.
                #  This should be moved to its own module soon.
                #
                #  The only use for 'radlast'.  If you don't use
                #  'radlast', then you can comment out this item.
                #
                radwtmp = ${logdir}/radwtmp
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users

                #  If you want to use the old Cistron 'users' file
                #  with FreeRADIUS, you should change the next line
                #  to 'compat = cistron'.  You can then copy your 'users'
                #  file from Cistron.
                compat = no
        }
authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        #Auth-Type MS-CHAP {
        #       mschap
        #}

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authorize' section.
        #       digest

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the user's password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #
        Auth-Type UNIX {
                unix
        }

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
#       Auth-Type LDAP {
#               ldap
#       }

        #
        #  Allow EAP authentication.
#       eap
}
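
The debug output above ends with the unix module rejecting the request after Auth-Type = System was selected. The following diagnostic is an added example, not part of the original post and not FreeRADIUS code: run under the account radiusd uses, it reports whether getpwnam()/getspnam() return a crypt hash for a user or only a placeholder, without printing the hash. It assumes the module compares against these fields (as the 'man getpwent' comment in the config suggests); the placeholder strings and function names are assumptions chosen for illustration.

```c
/* Added diagnostic (not FreeRADIUS code): what do getpwnam()/getspnam()
 * return for a user, as seen by the account this program runs under? */
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

enum pw_kind { PW_NO_USER, PW_EMPTY, PW_UNUSABLE, PW_HASH };

/* Classify a pw_passwd or sp_pwdp field. The placeholder list is an
 * assumption covering common Linux/Solaris conventions. */
enum pw_kind classify_pw_field(const char *f)
{
    if (f == NULL || f[0] == '\0')
        return PW_EMPTY;
    if (f[0] == '*' || f[0] == '!')      /* "*", "*LK*", "*NP*", "!", "!!" */
        return PW_UNUSABLE;
    if (strcmp(f, "x") == 0 || strcmp(f, "NP") == 0)
        return PW_UNUSABLE;              /* hash kept elsewhere, or no password */
    return PW_HASH;                      /* something crypt() can be checked against */
}

/* Prefer the shadow entry when it is readable, else fall back to passwd. */
enum pw_kind lookup_pw_kind(const char *user, const char **source)
{
    struct passwd *pw = getpwnam(user);
    struct spwd *sp;

    *source = "none";
    if (pw == NULL)
        return PW_NO_USER;
    sp = getspnam(user);                 /* NULL without privilege or shadow data */
    if (sp != NULL && classify_pw_field(sp->sp_pwdp) == PW_HASH) {
        *source = "shadow";
        return PW_HASH;
    }
    *source = "passwd";
    return classify_pw_field(pw->pw_passwd);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "no such user", "empty field",
                                   "placeholder or locked", "crypt hash" };
    const char *source;
    enum pw_kind k;

    if (argc != 2) { fprintf(stderr, "usage: %s username\n", argv[0]); return 2; }
    k = lookup_pw_kind(argv[1], &source);
    printf("%s: %s (source: %s)\n", argv[1], names[k], source);
    return k == PW_HASH ? 0 : 1;
}
```

A result other than "crypt hash" means a crypt() comparison against the name-service data cannot succeed for that user, whatever password is sent.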




