compiling pam radius module
g17jimmy
g17jimmy at gmail.com
Tue Aug 23 21:01:12 CEST 2011
Using radtest against radius in debug mode it works (output below). One thing
to note is that this radius server is proxying authentication to a WiKID
server for two-factor authentication. The password you see here is the one
generated by the software token.
=============RADTEST OUTPUT===================
rad_recv: Access-Request packet from host 192.168.10.109 port 50842, id=212,
length=59
User-Name = "rsguser"
User-Password = "612315"
NAS-IP-Address = 192.168.10.107
NAS-Port = 10
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log] expand: %t -> Tue Aug 23 13:44:29 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "rsguser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "rsguser"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user rsguser to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for rsguser
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=rsguser)
[ldap] expand: dc=remoteservices,dc=CSPKRB -> dc=remoteservices,dc=CSPKRB
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=remoteservices,dc=CSPKRB, with filter
(uid=rsguser)
[ldap] checking if remote access for rsguser is allowed by dialupAccess
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user rsguser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty section. Using default return values.
Sending Access-Request of id 163 to 192.168.10.108 port 1812
User-Name = "rsguser"
User-Password = "612315"
NAS-IP-Address = 192.168.10.107
NAS-Port = 10
Proxy-State = 0x323132
Proxying request 1 to home server 192.168.10.108 port 1812
Sending Access-Request of id 163 to 192.168.10.108 port 1812
User-Name = "rsguser"
User-Password = "612315"
NAS-IP-Address = 192.168.10.107
NAS-Port = 10
Proxy-State = 0x323132
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 192.168.10.108 port 1812, id=163,
length=41
Reply-Message = "Access Granted"
Proxy-State = 0x323132
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [rsguser] (from client 192.168.0.0/16 port 10)
WARNING: Empty section. Using default return values.
Sending Access-Accept of id 212 to 192.168.10.109 port 50842
Reply-Message = "Access Granted"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 212 with timestamp +29
Ready to process requests.
======================================================
When I configure sshd to authenticate using pam radius I get this. It looks
like the WiKID is returning "INCORRECT" in response to what radius is
sending for the password, even though radius-WiKID communication works when
using radtest. This is why I'm focusing on pam-radius.
===============PAM RADIUS AUTHENTICATION==============
rad_recv: Access-Request packet from host 192.168.10.109 port 19567, id=61,
length=91
User-Name = "rsguser"
User-Password = "\010\n\r\177INCORRECT"
NAS-IP-Address = 192.168.10.107
NAS-Identifier = "sshd"
NAS-Port = 18542
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "CSID IP ADDRESS -- removed"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.10.109/auth-detail-20110823
[auth_log] expand: %t -> Tue Aug 23 14:33:10 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "rsguser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "rsguser"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user rsguser to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for rsguser
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=rsguser)
[ldap] expand: dc=remoteservices,dc=CSPKRB -> dc=remoteservices,dc=CSPKRB
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=remoteservices,dc=CSPKRB, with filter
(uid=rsguser)
[ldap] checking if remote access for rsguser is allowed by dialupAccess
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user rsguser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty section. Using default return values.
Sending Access-Request of id 241 to 192.168.10.108 port 1812
User-Name = "rsguser"
User-Password = "\010\n\r\177INCORRECT"
NAS-IP-Address = 192.168.10.107
NAS-Identifier = "sshd"
NAS-Port = 18542
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "CSID IP ADDRESS -- removed"
Proxy-State = 0x3631
Proxying request 0 to home server 192.168.10.108 port 1812
Sending Access-Request of id 241 to 192.168.10.108 port 1812
User-Name = "rsguser"
User-Password = "\010\n\r\177INCORRECT"
NAS-IP-Address = 192.168.10.107
NAS-Identifier = "sshd"
NAS-Port = 18542
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "CSID IP ADDRESS -- removed"
Proxy-State = 0x3631
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Reject packet from host 192.168.10.108 port 1812, id=241,
length=24
Proxy-State = 0x3631
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Login incorrect (Home Server says so): [rsguser] (from client 192.168.0.0/16
port 18542 cli [IP ADDRESS -- removed]
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> rsguser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 61 to 192.168.10.109 port 19567
Waking up in 4.7 seconds.
Cleaning up request 0 ID 61 with timestamp +2475
Ready to process requests.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp4727149p4727853.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
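Added example (editor's code, not part of this thread or of FreeRADIUS): a scanner over radiusd -X output that flags Access-Requests whose User-Password is OpenSSH's placeholder. The value "\010\n\r\177INCORRECT" seen in the sshd request above is the fixed string that sshd's auth-pam.c substitutes for the typed password when the login name is not a valid account on the SSH host (or is root with PermitRootLogin not set to yes), so that PAM failure timing cannot reveal whether the account exists; when it reaches the RADIUS server, the thing to check is account resolution on the sshd host (getent passwd for the user), not the shared secret or the pam_radius build. The sample debug lines are constructed to mirror the two requests quoted above.

```python
# Flag radiusd -X Access-Requests carrying OpenSSH's placeholder password.  sshd's auth-pam.c
# substitutes these fixed bytes when the login name is not a valid account on the SSH host
# (or is root with PermitRootLogin != yes), so PAM timing cannot reveal whether it exists.
import re

SSHD_PLACEHOLDER_PASSWORD = "\b\n\r\x7fINCORRECT"   # radiusd -X prints 0x08 as \010
_REQUEST = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+")
_ATTR = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")
_ESC = re.compile(r"\\([0-7]{3}|.)")   # \NNN octal byte, or a C escape such as \n
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"'}

def unescape_radius_string(s):
    """Undo the escaping radiusd -X applies when it prints a string attribute."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 8)) if len(tok) == 3 else _SIMPLE.get(tok, tok)
    return _ESC.sub(repl, s)

def parse_access_requests(lines):
    """Yield (client_host, attrs) for each Access-Request attribute block in the output."""
    client, attrs = None, {}
    for line in [*lines, ""]:                      # trailing sentinel flushes the last block
        if m := _REQUEST.match(line):              # new header: flush the previous block
            if client:
                yield client, attrs
            client, attrs = m.group(1), {}
        elif client and (m := _ATTR.match(line)):
            name, raw = m.groups()
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = unescape_radius_string(raw[1:-1])
            attrs[name] = raw
        elif client and not line.startswith("length="):   # non-attribute line ends the block
            yield client, attrs
            client = None

def find_sshd_placeholder_logins(lines):
    """Return (User-Name, client, NAS-Identifier) for requests carrying the placeholder."""
    return [(a.get("User-Name"), client, a.get("NAS-Identifier"))
            for client, a in parse_access_requests(lines)
            if a.get("User-Password") == SSHD_PLACEHOLDER_PASSWORD]

# Constructed sample modelled on the thread: the radtest request, then the sshd one.
SAMPLE_DEBUG = r"""rad_recv: Access-Request packet from host 192.168.10.109 port 50842, id=212, length=59
    User-Name = "rsguser"
    User-Password = "612315"
rad_recv: Access-Request packet from host 192.168.10.109 port 19567, id=61, length=91
    User-Name = "rsguser"
    User-Password = "\010\n\r\177INCORRECT"
    NAS-Identifier = "sshd"
"""
```

Feed it the saved radiusd -X transcript with find_sshd_placeholder_logins(open(path).read().splitlines()); each hit names the NAS and user whose account the SSH host could not resolve.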