WEB Login fails occasionally even though radius authentication succeeds

Rajesh Subramanian rajeshs at niagaranetworks.com
Mon Apr 13 13:42:26 CEST 2020


Hello all,

I am using PAM radius module version 1.4.1

Testing sample:
PAM radius does not support authorization.
I DO NOT require accounting and authorization and have kept the return
types as optional.
Configured a radius server and trying to log in using radius users. Syslog is
enabled.

Scenario 1:

The following is the configuration inside /etc/pam.d/

# cat ssh
auth sufficient /lib/security/pam_radius_auth.so debug
account optional /lib/security/pam_radius_auth.so debug
session optional /lib/security/pam_radius_auth.so debug
auth required /lib/security/pam_unix.so use_first_pass
account optional /lib/security/pam_unix.so use_first_pass
session optional /lib/security/pam_unix.so use_first_pass


# cat php
auth required /lib/security/pam_succeed_if.so user != root quiet
auth sufficient /lib/security/pam_radius_auth.so debug
account optional /lib/security/pam_radius_auth.so debug
session optional /lib/security/pam_radius_auth.so debug
auth required /lib/security/pam_unix.so use_first_pass
account optional /lib/security/pam_unix.so use_first_pass
session optional /lib/security/pam_unix.so use_first_pass

SSH - Always successful
WEB - Sometimes, the login fails (NOT always)

The following are noticed during the failure scenarios

1. Radius authentication always succeeds and final SYSLOG from radius
module received is

USER.DEBUG. php: pam_radius_auth: authentication succeeded

2. After this, the following SYSLOG is seen and login failed

AUTHPRIV.WARNING. php: pam_unix(php:auth): check pass; user unknown
AUTHPRIV.NOTICE. php: pam_unix(php:auth): authentication failure, logname= uid=0 euid=0 tty= ruser= rhost=<IP address>

Scenario 2:
I made the following changes to the configuration to skip
pam_unix and depend on pam_radius only.

# cat ssh
auth sufficient /lib/security/pam_radius_auth.so debug
account optional /lib/security/pam_radius_auth.so debug
session optional /lib/security/pam_radius_auth.so debug


# cat php
auth required /lib/security/pam_succeed_if.so user != root quiet
auth sufficient /lib/security/pam_radius_auth.so debug
account optional /lib/security/pam_radius_auth.so debug
session optional /lib/security/pam_radius_auth.so debug


SSH - Always successful
WEB - Sometimes, the login fails (NOT always)

The following are noticed during the failure scenarios

1. Radius authentication always succeeds and final SYSLOG from radius
module received is

USER.DEBUG. php: pam_radius_auth: authentication succeeded

2. After this, there are no SYSLOG messages

In both cases, login fails sometimes and only through a WEB interface.

Could you please provide any suggestions on the above?
Why is the user unknown in scenario 1?

Thanks,
Rajesh
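
An added example, not part of the original message: a simplified Python model of how Linux-PAM evaluates the required, sufficient and optional control flags, applied to the auth lines of the php service from both scenarios. The function and variable names are hypothetical, and the module results are constructed inputs rather than real module calls.

```python
# Added illustration: simplified model of one Linux-PAM stack evaluation.
# Only the required / sufficient / optional control flags are modelled.
# Names are hypothetical; module results are constructed inputs.

ACTIONS = {  # control flag -> (action on success, action on failure)
    "required": ("ok", "bad"),
    "sufficient": ("done", "ignore"),
    "optional": ("ok", "ignore"),
}

# auth lines of the "php" service, taken from scenario 1 and scenario 2
PHP_AUTH_SCENARIO_1 = [
    ("required", "pam_succeed_if"),
    ("sufficient", "pam_radius_auth"),
    ("required", "pam_unix"),
]
PHP_AUTH_SCENARIO_2 = PHP_AUTH_SCENARIO_1[:2]

# Constructed module results: True = PAM_SUCCESS, False = any failure
RADIUS_OK = {"pam_succeed_if": True, "pam_radius_auth": True, "pam_unix": False}
RADIUS_FAIL = {"pam_succeed_if": True, "pam_radius_auth": False, "pam_unix": False}


def run_stack(stack, results):
    """Model one pam_authenticate() call.

    Returns (authenticated, modules_called_in_order).
    """
    impression = None  # None = undecided, True = positive, False = negative
    called = []
    for control, module in stack:
        called.append(module)
        action = ACTIONS[control][0 if results[module] else 1]
        if action in ("ok", "done") and impression is None:
            impression = True
        elif action == "bad":
            impression = False  # stack will fail; later modules still run
        if action == "done" and impression:
            break  # successful "sufficient": later modules are never called
    return impression is True, called


if __name__ == "__main__":
    print("scenario 1, radius ok:  ", run_stack(PHP_AUTH_SCENARIO_1, RADIUS_OK))
    print("scenario 1, radius fail:", run_stack(PHP_AUTH_SCENARIO_1, RADIUS_FAIL))
    print("scenario 2, radius fail:", run_stack(PHP_AUTH_SCENARIO_2, RADIUS_FAIL))
```

In this model a successful pam_radius_auth ends the call before pam_unix runs, so a pam_unix(php:auth) entry belongs to a pam_authenticate() call in which pam_radius_auth did not return success. The scenario 2 php stack also returns success when pam_radius_auth fails, because the required pam_succeed_if line has already succeeded; stacks of that shape are usually closed with a final required pam_deny.so line.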

