multiple instances of pam module
Lars Hillebrand
lars.hillebrand at fh-dortmund.de
Tue Apr 18 13:01:38 CEST 2017
Hello everybody,
Is there a way to include multiple instances of the pam module in the RADIUS server?
We are currently running FreeRADIUS 2.2.8 with several virtual servers.
Two services are to be secured with two-factor authentication (Google Authenticator).
1. Login to VMware Horizon View (desktop virtualization)
2. IPsec VPN connection
VMware Horizon expects a login with username and passcode, followed by a separate prompt for the password.
For the VPN login, password + passcode are expected together in a single field.
Attempts to define several instances of the pam module (as is possible with the files or ldap module) do not work.
I would be grateful for any hint.
Thanks in advance.
Best regards
Lars Hillebrand
- Content of /etc/freeradius/modules/pam
# Default instance: PAM service name "radiusd" -> /etc/pam.d/radiusd
pam {
	pam_auth = radiusd
}
# Second instance for the VPN virtual server -> /etc/pam.d/2facaut_pam
pam 2facaut_pam {
	pam_auth = 2facaut_pam
}
# Third instance for the Horizon virtual server -> /etc/pam.d/horizon_pam
pam horizon_pam {
	pam_auth = horizon_pam
}
- Contents of the individual pam files from /etc/pam.d/
# /etc/pam.d/horizon_pam - PAM configuration for FreeRADIUS
# Passcode is verified first; forward_pass hands any remaining password on to the next modules
auth requisite pam_google_authenticator.so forward_pass try_first_pass
# Local account: on success skip the two remaining modules; otherwise fall through to LDAP
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# /etc/pam.d/2facaut_pam - PAM configuration for FreeRADIUS
# VPN: "password+passcode" arrives in one field; forward_pass splits off the passcode
# and forwards the password to pam_ldap via use_first_pass
auth required pam_google_authenticator.so forward_pass
auth required pam_ldap.so use_first_pass
- Here is the debug log with the separate horizon_pam configuration in FreeRADIUS
Tue Apr 18 12:08:41 2017 : Debug: server horizon {
Tue Apr 18 12:08:41 2017 : Debug: # Executing section authorize from file /etc/freeradius/sites-enabled/horizon
Tue Apr 18 12:08:41 2017 : Debug: +group authorize {
Tue Apr 18 12:08:41 2017 : Debug: ++policy filter_username {
Tue Apr 18 12:08:41 2017 : Debug: +++? if (User-Name =~ / /)
Tue Apr 18 12:08:41 2017 : Debug: ? Evaluating (User-Name =~ / /) -> FALSE
Tue Apr 18 12:08:41 2017 : Debug: +++? if (User-Name =~ / /) -> FALSE
Tue Apr 18 12:08:41 2017 : Debug: +++? if (User-Name =~ /@.*@/ )
Tue Apr 18 12:08:41 2017 : Debug: ? Evaluating (User-Name =~ /@.*@/) -> FALSE
Tue Apr 18 12:08:41 2017 : Debug: +++? if (User-Name =~ /@.*@/ ) -> FALSE
Tue Apr 18 12:08:41 2017 : Debug: +++? if (User-Name =~ /\\.\\./ )
Tue Apr 18 12:08:41 2017 : Debug: ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
Tue Apr 18 12:08:41 2017 : Debug: +++? if (User-Name =~ /\\.\\./ ) -> FALSE
Tue Apr 18 12:08:41 2017 : Debug: +++? if (User-Name =~ /\\.$/)
Tue Apr 18 12:08:41 2017 : Debug: ? Evaluating (User-Name =~ /\\.$/) -> FALSE
Tue Apr 18 12:08:41 2017 : Debug: +++? if (User-Name =~ /\\.$/) -> FALSE
Tue Apr 18 12:08:41 2017 : Debug: +++? if (User-Name =~ /@\\./)
Tue Apr 18 12:08:41 2017 : Debug: ? Evaluating (User-Name =~ /@\\./) -> FALSE
Tue Apr 18 12:08:41 2017 : Debug: +++? if (User-Name =~ /@\\./) -> FALSE
Tue Apr 18 12:08:41 2017 : Debug: ++} # policy filter_username = notfound
Tue Apr 18 12:08:41 2017 : Debug: ++[preprocess] = ok
Tue Apr 18 12:08:41 2017 : Debug: [horizon_log] expand: /var/log/freeradius/radacct/horizon-auth-detail-%Y%m%d -> /var/log/freeradius/radacct/horizon-auth-detail-20170418
Tue Apr 18 12:08:41 2017 : Debug: [horizon_log] /var/log/freeradius/radacct/horizon-auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/horizon-auth-detail-20170418
Tue Apr 18 12:08:41 2017 : Debug: [horizon_log] expand: %t -> Tue Apr 18 12:08:41 2017
Tue Apr 18 12:08:41 2017 : Debug: ++[horizon_log] = ok
Tue Apr 18 12:08:41 2017 : Debug: ++[chap] = noop
Tue Apr 18 12:08:41 2017 : Debug: ++[mschap] = noop
Tue Apr 18 12:08:41 2017 : Debug: [suffix] No '@' in User-Name = "lahil001", looking up realm NULL
Tue Apr 18 12:08:41 2017 : Debug: [suffix] Found realm "NULL"
Tue Apr 18 12:08:41 2017 : Debug: [suffix] Adding Stripped-User-Name = "lahil001"
Tue Apr 18 12:08:41 2017 : Debug: [suffix] Adding Realm = "NULL"
Tue Apr 18 12:08:41 2017 : Debug: [suffix] Authentication realm is LOCAL.
Tue Apr 18 12:08:41 2017 : Debug: ++[suffix] = ok
Tue Apr 18 12:08:41 2017 : Debug: [eap] No EAP-Message, not doing EAP
Tue Apr 18 12:08:41 2017 : Debug: ++[eap] = noop
Tue Apr 18 12:08:41 2017 : Debug: [horizon_files] users: Matched entry DEFAULT at line 190
Tue Apr 18 12:08:41 2017 : Debug: ++[horizon_files] = ok
Tue Apr 18 12:08:41 2017 : Debug: ++[expiration] = noop
Tue Apr 18 12:08:41 2017 : Debug: ++[logintime] = noop
Tue Apr 18 12:08:41 2017 : Debug: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Tue Apr 18 12:08:41 2017 : Debug: ++[pap] = noop
Tue Apr 18 12:08:41 2017 : Debug: +} # group authorize = ok
Tue Apr 18 12:08:41 2017 : Debug: Found Auth-Type = PAM
Tue Apr 18 12:08:41 2017 : Debug: WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
Tue Apr 18 12:08:41 2017 : Debug: # Executing group from file /etc/freeradius/sites-enabled/horizon
Tue Apr 18 12:08:41 2017 : Debug: Failed to authenticate the user.
Tue Apr 18 12:08:41 2017 : Debug: } # server horizon
__
Fachhochschule Dortmund
University of Applied Sciences and Arts
Dipl.-Ing. (FH) Lars Hillebrand
Dez. VI, IT-Basisdienste
Sonnenstraße 100 - 44139 Dortmund
Raum SON D 008
Tel 0231 9112-253
Fax 0231 9112-338
lars.hillebrand at fh-dortmund.de
www.fh-dortmund.de
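The failing step in the debug log is "Found Auth-Type = PAM" followed by "Unknown value specified for Auth-Type": the users file (horizon_files, DEFAULT entry) requests Auth-Type PAM, but the authenticate section of the horizon virtual server has no Auth-Type PAM subsection bound to it. In FreeRADIUS 2.x a module instance listed bare in authenticate registers an Auth-Type named after the instance (here it would be "horizon_pam", not "PAM"), which is why a named instance needs an explicit Auth-Type block. The fragment below is an added example, not part of the original post or the FreeRADIUS distribution. The server name and the /etc/freeradius/sites-enabled/horizon path are taken from the debug log; the users-file line is assumed from the "Found Auth-Type = PAM" message, and the VPN virtual server name "vpn" is hypothetical.

```conf
# /etc/freeradius/sites-enabled/horizon  (path as shown in the debug log)
server horizon {
	authorize {
		# ... existing modules; horizon_files sets Auth-Type := PAM, e.g.
		#   DEFAULT   Auth-Type := PAM
		# (assumed content of the matched DEFAULT entry)
		horizon_files
		pap
	}

	authenticate {
		# Bind the Auth-Type requested by the users file to the
		# horizon_pam instance, i.e. /etc/pam.d/horizon_pam.
		Auth-Type PAM {
			horizon_pam
		}
	}
}

# /etc/freeradius/sites-enabled/vpn  (hypothetical name for the IPsec virtual server)
server vpn {
	authenticate {
		# Same Auth-Type name, different instance: each virtual server
		# maps "PAM" to its own pam instance, so one users-file entry
		# serves both services while the PAM stacks stay separate.
		Auth-Type PAM {
			2facaut_pam
		}
	}
}
```

Alternative, if the users file is per virtual server anyway: list the instance bare in authenticate (`horizon_pam` on its own) and set `Auth-Type := horizon_pam` in that server's users file, since the bare listing registers an Auth-Type with the instance name. Either way, `radiusd -X` should then show `+group PAM {` entering the instance instead of the "Unknown value" warning.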