Setting up pam_radius_auth
Mike J
sleeper0110 at gmail.com
Thu Jul 22 18:39:00 CEST 2010
Hi,
I'm trying to get the pam radius module to work.
I've built a test radius server (FreeRADIUS Version 2.1.9) and I've set up a
Linux box with the pam radius module (1.3.17)
The server seems to be set up properly to authenticate users:
# radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 87 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=87,
length=20
I have the following config on the server to correspond to my pam radius
client:
clients.conf:
client testclient1 {
        ipaddr = CLIENTIP
        secret = testing123
        require_message_authenticator = no
        shortname = testc1
        nastype = other # localhost isn't usually a NAS...
}
And on the client (using pam_radius_auth) I have the following in
/etc/raddb/server:
# server[:port] shared_secret timeout (s)
SERVERIP testing123 4
Now, when I try to authenticate my pam radius client, I get this in the
client logs:
Jul 22 10:22:45 (none) pamtest: pam_radius_auth: Got user name testing
Jul 22 10:22:54 (none) pamtest: pam_radius_auth: Sending RADIUS request code
1
Jul 22 10:22:54 (none) pamtest: pam_radius_auth: DEBUG:
getservbyname(radius, udp) returned 267885588.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: packet from RADIUS server
SERVERIP fails verification: The shared secret is probably incorrect.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: All RADIUS servers failed
to respond.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: authentication failed
And I get this on the radius server (running in debug mode, i.e. radiusd -X)
rad_recv: Access-Request packet from host CLIENTIP port 18580, id=32,
length=72
User-Name = "testing"
User-Password = "\237TqI\3335Q\231\025O\020bw\021;\362"
NAS-Identifier = "other"
NAS-Port = 17555
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry testing at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "?TqI�5Q??O?bw?;
[pap] Using clear text password "password"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the
shared secret on the server and the NAS!
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 32 to CLIENTIP port 18580
Waking up in 4.9 seconds.
Cleaning up request 0 ID 32 with timestamp +24
Ready to process requests.
Now obviously it says there's a problem with the secret, but I believe I've
set up the secret correctly in the configs I've shown above.
Does anybody have any ideas what I'm doing wrong?
Thanks.
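
Added example, not part of the original post and not code from pam_radius_auth or FreeRADIUS: the two RFC 2865 computations behind the log messages above, showing why a secret that differs between the two ends produces both an unprintable User-Password on the server and a reply that "fails verification" on the client. The mismatched secret `testing124`, the fixed Request Authenticator and the empty reply attribute list are constructed for illustration.

```python
import hashlib
import hmac

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, chained on the previous ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def client_accepts(reply_auth: bytes, code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the authenticator with the local secret and compare."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(reply_auth, expected)

# Constructed sample values (not taken from a real capture).
REQUEST_AUTH = bytes(range(16))
CLIENT_SECRET = b"testing123"
SERVER_SECRET_BAD = b"testing124"   # assumed mismatch, for illustration only

if __name__ == "__main__":
    hidden = hide_password(b"password", CLIENT_SECRET, REQUEST_AUTH)
    print("server sees (matching secret):  ", recover_password(hidden, CLIENT_SECRET, REQUEST_AUTH))
    print("server sees (mismatched secret):", recover_password(hidden, SERVER_SECRET_BAD, REQUEST_AUTH))
    # Access-Reject (code 3), id 32, no attributes, signed with the server's secret.
    reply = response_authenticator(3, 32, b"", REQUEST_AUTH, SERVER_SECRET_BAD)
    print("client verifies reply:", client_accepts(reply, 3, 32, b"", REQUEST_AUTH, CLIENT_SECRET))
```

Whitespace or other invisible bytes count as part of the secret in both computations, so comparing the exact bytes each side reads from its config file is a useful check.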