PAM authentication not working

Jaap Winius jwinius at umrk.nl
Fri Feb 8 20:41:13 CET 2013 

Hi folks,

Having managed to get freeradius 2.10 to run on Debian squeeze with a  
username and password defined in /etc/freeradius/users, I was hoping  
to take a step forward by getting it to authenticate users through  
PAM. But, that's not working out as I had hoped.

Could sombody please tell me what's missing, or what I'm doing wrong?  
So far I have done the following:

1.) Copied a set of 4096-bit MD5 SSL certificates that were used in  
the previous configuration to the /etc/freeradius/certs directory. To  
generate them, each time I used "LongStringNumberOne" for both the  
input and output passwords.
Among the encryption files generated are ca.pem, dh, server.key and  
server.pem. The ca.pem file was also copied to my laptop's /etc/certs  
directory and is used with wpasupplicant for testing the system.

2.) Added the following lines to the end of /etc/freeradius/clients:

   client 192.168.2.0/24 {
       secret     = LongStringNumberTwo
       shortname  = mynet
   }

3.) Added the following line to the end of /etc/freeradius/users:

   DEFAULT Auth-Type = Pam

4.) In /etc/freeradius/eap.conf I changed the values of the following  
two attributes to:

   default_eap_type = ttls
   private_key_password = LongStringNumberOne

5.) In /etc/freeradius/radiusd.conf I changed the value of the  
following attribute to:

   user = root

6.) In both /etc/freeradius/sites-enabled/default and  
/etc/freeradius/sites-enabled/inner-tunnel, I uncommented the "pam"  
entry in section "authenticate".

7.) Some sources suggest changing it, but I chose to leave the  
contents of /etc/pam.d/radiusd unmodified:

   @include common-auth
   @include common-account
   @include common-password
   @include common-session

8.) My NAS is a Linksys is a WRT54GS running DD-WRT v24 firmware and  
is configured as follows:

   Wireless Mode                  AP
   Wireless Network Mode          Mixed
   Wireless Network Name (SSID)   mynet
   Wireless Channel               6 - 2.437 GHz
   Wireless SSID Broadcast        Enable
   Network Configuration          Bridged

   Security Mode                  WPA2 Enterprise
   WPA Algorithms                 TKIP+AES
   RADIUS Server Address          192.168.2.12
   RADIUS Server Port             1812
   RADIUS Shared Secret           LongStringNumberTwo
   Key Renewal Interval (in sec.) 3600

Unfortunately, after starting the server in debugging mode with  
"freeradius -X", my client's authentication attempts get rejected and  
I get the following output from the freeradius server:

=========================================

rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0,
length=245
Cleaning up request 6 ID 0 with timestamp +12
WARNING:  
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish!
WARNING: !! Please read http://wiki.freeradius.org/
Certificate_Compatibility
WARNING:  
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
         User-Name = "jwinius"
         NAS-IP-Address = 192.168.2.2
         Called-Station-Id = "0014bf72f676"
         Calling-Station-Id = "00110a81fb2b"
         NAS-Identifier = "0014bf72f676"
         NAS-Port = 17
         Framed-MTU = 1400
         State = 0x2ecb21dd28cc340c8873b5871c637572
         NAS-Port-Type = Wireless-802.11
         EAP-Message = 0x020700701500170301002073bdd7051dfb44f3caccd4c92...
         Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a0471b0
# Executing section authorize from file /etc/freeradius/sites-enabled/
default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
         EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
         FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
         EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
         FreeRADIUS-Proxied-To = 127.0.0.1
         User-Name = "jwinius"
         State = 0xdbd7fca1dbd6f80c791225e3340ea6e4
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/
inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 211
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
         EAP-Message = 0x04010004
         Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user jwinius
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]         expand: %{User-Name} -> jwinius
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 0 to 192.168.2.2 port 1025
         EAP-Message = 0x04070004
         Message-Authenticator = 0x00000000000000000000000000000000

=========================================

Any idea what I'm doing wrong?

Thanks,

Jaap

More information about the Freeradius-Users mailing list