radius to pam with 2FA from duo

Alan DeKok aland at deployingradius.com
Fri Jul 26 20:48:55 CEST 2019

On Jul 26, 2019, at 12:55 PM, Andrew Meyer via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Hello,
> I am trying to get FreeRADIUS working with 2FA.  I have it mostly setup.  I can see in the debug output that saying my user exists in the system.  However I'm still getting Access-Reject from my client.  
> Here is the output from FreeRADIUS (using the FreeRADIUS repo)

> (0) Received Access-Request Id 98 from to length 92
> (0)   User-Name = "test"
> (0)   User-Password = "Password!1234"
> (0)   NAS-IP-Address =
> (0)   NAS-Port = 0
> (0)   Message-Authenticator = 0xef25474df3491218de56a2d8874cfe47
> ...
> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> (0) pam: ERROR: pam_authenticate failed: Error in service module
> (0)     [pam] = reject

  That error comes from PAM, not from FreeRADIUS.

> [root at radius01 ~]# cat /etc/pam.d/radiusd 
> #%PAM-1.0
> #auth       include     password-auth
> auth       requisite    pam_duo.so forward_pass
> account    required     pam_nologin.so
> account    include      password-auth
> password   include      password-auth
> session    include      password-auth
> [root at radius01 ~]# 

  Something in that config is wrong, or is saying "no user".

  What's wrong?  I don't know.   PAM is fanatical about producing useless errors.  And it's been ~15 years since I did anything with PAM.

> Should I have changed the radius pam config file?  Should I have changed the password-auth config file instead?  Eventually I want this work with SSH.

  I have no idea.  Ask the PAM people how their software works.

  Alan DeKok.

More information about the Freeradius-Users mailing list