CentOS 6.3 and FreeRadius - can't authenticate to Unix

Jacobs, Joseph Joseph.Jacobs at adp.com
Tue Oct 30 01:28:26 CET 2012


Hello, I'm a new user to Linux and Freeradius.

I'm trying to set up Freeradius to authenticate against the local Linux user accounts.

I'm having issues getting the "radtest" tool to authenticate against local users in the unix system.

I'm using CentOS 6.3 - 64bit
(uname -a output: Linux Joe2dot0-freeradius 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux)
(Contents of the "etc/redhat-release" file: CentOS release 6.3 (Final))


I used YUM to install Freeradius2  (2.1.12-4.el6_3)

Here's the output of the "yum list installed" command
freeradius.x86_64                               2.1.12-4.el6_3   @updates
freeradius-utils.x86_64                     2.1.12-4.el6_3   @updates


I installed the packages as 'root'

I'm running 'radtest' while logged in as root.

The users file is configured as follows:

joe2 Auth-Type := System   (I've tried this with both := and =)
bob Cleartext-Password := "hello"



When I run "radtest bob hello localhost 0 testing1234" (I don't use quotes when I input to Linux): Successful

Here is the debug output from the radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1 port 54241, id=124, length=73
        User-Name = "bob"
        User-Password = "hello"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x0333c5040a7f6b1a6051a1543e5bf4ea
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry bob at line 8
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "hello"
[pap] Using clear text password "hello"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 124 to 127.0.0.1 port 54241
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 124 with timestamp +78
Ready to process requests.





When I run "radtest joe2 secret localhost 0 testing1234" (I don't use quotes when I input to Linux): Access-Reject from the server

Here is the debug output from the radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1 port 40697, id=134, length=74
        User-Name = "joe2"
        User-Password = "secret"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0xcf3011a6da2e12ec1e1a66746be3c6ad
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "joe2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry joe2 at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = System
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
++[unix] returns notfound
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> joe2
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 134 to 127.0.0.1 port 40697
Waking up in 4.9 seconds.
Cleaning up request 2 ID 134 with timestamp +212
Ready to process requests.


I think I'm having an issue with freeradius reading the shadow file for the passwords, but then again, I'm not sure.

One of the steps involved putting the group for freeradius to be "shadow" but there is no "shadow" group in the group file in CentOS 6.3.

Here is the output of ls -l in the etc directory for the password files

-rw-r--r--. 1 root root 1579 Oct 29 15:26 passwd
----------. 1 root root 1110 Oct 29 15:26 shadow



I also did confirm that I can log into my server using joe2 / secret password.

Any help would be appreciated.

Thanks,
Joe


