pam_radius - Choose Authentication Type

tirili at web.de tirili at web.de
Mon Jul 11 11:16:11 CEST 2016


   Hello list,

   Is there a possibility to force the authentication type for a specific NAS?
   Currently, when pam_radius is configured for SSHD logins, "User-Password"
   is sent in the clear.
   How could MSCHAP be forced?

   E.g. from radtest, mschap is working, and I get an Accept.

   radtest -t mschap -x aduser adpassword 192.168.0.123:21812 0 testing123
   Sending Access-Request Id 83 from 0.0.0.0:58815 to 192.168.0.223:21812
           User-Name = 'aduser'
           NAS-IP-Address = 192.168.0.238
           NAS-Port = 0
           Message-Authenticator = 0x00
           MS-CHAP-Challenge = 0x30fb2004f73cbc0e
           MS-CHAP-Response =
   0x000100000000000000000000000000000000000000000000000023532ec8407591c34
   d2c080afae6edb888f822115566aabb
   Received Access-Accept Id 83 from 192.168.0.223:21812 to
   192.168.0.238:58815 length 84
           MS-CHAP-MPPE-Keys = 0x
           MS-MPPE-Encryption-Policy = Encryption-Allowed
           MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

   Using PAM_RADIUS trying to Login:

   rad_recv: Access-Request packet from host 192.168.0.238 port 41971,
   id=41, length=91
           User-Name = "aduser"
           User-Password = "adpassword"
           NAS-IP-Address = 192.168.0.238
           NAS-Identifier = "sshd"
           NAS-Port = 27766
           NAS-Port-Type = Virtual
           Service-Type = Authenticate-Only
           Calling-Station-Id = "localhost"
   Mon Jul 11 11:11:50 2016 : Info: +- entering group authorize {...}
   Mon Jul 11 11:11:50 2016 : Info: [detail]       expand:
   /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
   /var/log/radius/radacct/192.168.0.238/detail-20160711
   Mon Jul 11 11:11:50 2016 : Info: [detail]
   /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
   /var/log/radius/radacct/192.168.0.238/detail-20160711
   Mon Jul 11 11:11:50 2016 : Info: [detail]       expand: %t -> Mon Jul
   11 11:11:50 2016
   Mon Jul 11 11:11:50 2016 : Info: ++[detail] returns ok
   Mon Jul 11 11:11:50 2016 : Info: [preprocess]   hints: Matched DEFAULT
   at 35
   Mon Jul 11 11:11:50 2016 : Info: [preprocess]   expand:
   %{User-Name}@test.local -> aduser at test.local
   Mon Jul 11 11:11:50 2016 : Info: ++[preprocess] returns ok
   Mon Jul 11 11:11:50 2016 : Info: [auth_log]     expand:
   /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
   /var/log/radius/radacct/192.168.0.238/auth-detail-20160711
   Mon Jul 11 11:11:50 2016 : Info: [auth_log]
   /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
   to /var/log/radius/radacct/192.168.0.238/auth-detail-20160711
   Mon Jul 11 11:11:50 2016 : Info: [auth_log]     expand: %t -> Mon Jul
   11 11:11:50 2016
   Mon Jul 11 11:11:50 2016 : Info: ++[auth_log] returns ok
   Mon Jul 11 11:11:50 2016 : Info: ++[mschap] returns noop
   Mon Jul 11 11:11:50 2016 : Info: [suffix] Looking up realm "test.local"
   for User-Name = "aduser at test.local"
   Mon Jul 11 11:11:50 2016 : Info: [suffix] Found realm "test.local"
   Mon Jul 11 11:11:50 2016 : Info: [suffix] Adding Stripped-User-Name =
   "aduser"
   Mon Jul 11 11:11:50 2016 : Info: [suffix] Adding Realm = "test.local"
   Mon Jul 11 11:11:50 2016 : Info: [suffix] Authentication realm is
   LOCAL.
   Mon Jul 11 11:11:50 2016 : Info: ++[suffix] returns ok
   Mon Jul 11 11:11:50 2016 : Info: [eap] No EAP-Message, not doing EAP
   Mon Jul 11 11:11:50 2016 : Info: ++[eap] returns noop
   Mon Jul 11 11:11:50 2016 : Info: ++[unix] returns notfound
   Mon Jul 11 11:11:50 2016 : Info: ++[files] returns noop
   Mon Jul 11 11:11:50 2016 : Info: ++[expiration] returns noop
   Mon Jul 11 11:11:50 2016 : Info: ++[logintime] returns noop
   Mon Jul 11 11:11:50 2016 : Info: [pap] WARNING! No "known good"
   password found for the user.  Authentication may fail because of this.
   Mon Jul 11 11:11:50 2016 : Info: ++[pap] returns noop
   Mon Jul 11 11:11:50 2016 : Info: No authenticate method (Auth-Type)
   configuration found for the request: Rejecting the user
   Mon Jul 11 11:11:50 2016 : Info: Failed to authenticate the user.
   Mon Jul 11 11:11:50 2016 : Auth: Login incorrect: [aduser at test.local]
   (from client bastionng port 27766 cli localhost)
   Mon Jul 11 11:11:50 2016 : Info: Using Post-Auth-Type Reject
   Mon Jul 11 11:11:50 2016 : Info: +- entering group REJECT {...}
   Mon Jul 11 11:11:50 2016 : Info: [attr_filter.access_reject]    expand:
   %{User-Name} -> aduser at test.local
   Mon Jul 11 11:11:50 2016 : Debug:  attr_filter: Matched entry DEFAULT
   at line 11
   Mon Jul 11 11:11:50 2016 : Info: ++[attr_filter.access_reject] returns
   updated
   Mon Jul 11 11:11:50 2016 : Info: Delaying reject of request 0 for 1
   seconds
   Mon Jul 11 11:11:50 2016 : Debug: Going to the next request
   Mon Jul 11 11:11:50 2016 : Debug: Waking up in 0.9 seconds.
   Mon Jul 11 11:11:51 2016 : Info: Sending delayed reject for request 0
   Sending Access-Reject of id 41 to 192.168.0.238 port 41971
   Mon Jul 11 11:11:51 2016 : Debug: Waking up in 4.9 seconds.


   Any help is appreciated.
   Thomas
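The "User-Password" that pam_radius puts in its Access-Request is the PAP form from RFC 2865 section 5.2: it is not literally plaintext on the wire, but hidden by XOR with an MD5 keystream derived from the RADIUS shared secret and the 16-byte Request Authenticator, which anyone holding (or guessing) the shared secret can reverse. The following Python implementation of that hiding and its inverse is an added example, not code from pam_radius or FreeRADIUS; the password, secret and authenticator values are constructed.

```python
import hashlib


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 bytes, then
    XOR each block with MD5(secret + previous block), the first block using the
    Request Authenticator. Returns the value of attribute 2 (User-Password)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: next keystream block depends on this ciphertext
    return bytes(out)


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as a RADIUS server (or anyone with the
    shared secret and the captured packet) performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # NUL padding is not part of the password


def user_password_attribute(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode the attribute TLV as it appears in the Access-Request: type 2, length, value."""
    value = hide_user_password(password, secret, authenticator)
    return bytes([2, 2 + len(value)]) + value


# Constructed sample values (the secret matches the one used in the radtest call above).
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_SECRET = b"testing123"
SAMPLE_PASSWORD = b"adpassword"
```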


More information about the Freeradius-Users mailing list