Setting up pam_radius_auth

Mike J sleeper0110 at
Thu Jul 22 18:39:00 CEST 2010


I'm trying to get the pam radius module to work.
I've built a test radius server (FreeRADIUS Version 2.1.9) and I've set up a
Linux box with the pam radius module (1.3.17).

The server seems to be set up properly to authenticate users:

# radtest testing password 0 testing123
Sending Access-Request of id 87 to port 1812
    User-Name = "testing"
    User-Password = "password"
    NAS-IP-Address =
    NAS-Port = 0
rad_recv: Access-Accept packet from host port 1812, id=87,

I have the following config on the server to correspond to my pam radius

client testclient1 {
        ipaddr = CLIENTIP
        secret          = testing123
        require_message_authenticator = no
        shortname       = testc1
        nastype     = other     # localhost isn't usually a NAS...
}


And on the client (using pam_radius_auth) I have the following in

# server[:port]    shared_secret      timeout (s)
SERVERIP  testing123 4

Now, when I try to authenticate my pam radius client, I get this in the
client logs:

Jul 22 10:22:45 (none) pamtest: pam_radius_auth: Got user name testing
Jul 22 10:22:54 (none) pamtest: pam_radius_auth: Sending RADIUS request code
Jul 22 10:22:54 (none) pamtest: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 267885588.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: packet from RADIUS server SERVERIP fails verification: The shared secret is probably incorrect.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: All RADIUS servers failed to respond.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: authentication failed

And I get this on the radius server (running in debug mode, i.e. radiusd -X)
rad_recv: Access-Request packet from host CLIENTIP port 18580, id=32,
    User-Name = "testing"
    User-Password = "\237TqI\3335Q\231\025O\020bw\021;\362"
    NAS-Identifier = "other"
    NAS-Port = 17555
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry testing at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "?TqI�5Q??O?bw?;
[pap] Using clear text password "password"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testing
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 32 to CLIENTIP port 18580
Waking up in 4.9 seconds.
Cleaning up request 0 ID 32 with timestamp +24
Ready to process requests.

Now obviously it says there's a problem with the secret, but I believe I've
set up the secret correctly in the configs I've shown above.
Does anybody have any ideas what I'm doing wrong?
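
Both symptoms in the logs above (the server decoding a User-Password full of unprintable characters, and the client reporting that the reply fails verification) depend on the two ends holding the same shared secret, per RFC 2865. The sketch below is an added example, not part of the original post and not pam_radius_auth or FreeRADIUS code; the function names, the fixed Request Authenticator and the mismatched secret testing124 are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous ciphertext block or Request Authenticator)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the server does with its own copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the client does with its own copy of the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

def simulate(client_secret: bytes, server_secret: bytes, password: bytes = b"password"):
    """One request/reply round trip; returns (password as seen by server, client accepts reply)."""
    req_auth = bytes(range(16))  # constructed; real clients send 16 random bytes
    hidden = hide_password(password, client_secret, req_auth)
    seen = unhide_password(hidden, server_secret, req_auth)
    code = 2 if seen == password else 3  # 2 = Access-Accept, 3 = Access-Reject
    auth = response_authenticator(code, 32, b"", req_auth, server_secret)
    return seen, verify_response(struct.pack("!BBH", code, 32, 20) + auth, req_auth, client_secret)

if __name__ == "__main__":
    print(simulate(b"testing123", b"testing123"))  # secrets agree
    print(simulate(b"testing123", b"testing124"))  # constructed mismatch
```

With matching secrets the server recovers the password and the client accepts the reply; with any difference between the two copies, the server sees garbage and the client's authenticator check fails.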
