WEB Login fails occasionally even though radius authentication succeeds

Alan DeKok aland at deployingradius.com
Mon Apr 13 13:58:14 CEST 2020


> On Apr 13, 2020, at 7:42 AM, Rajesh Subramanian <rajeshs at niagaranetworks.com> wrote:
> Testing sample:
> PAM radius does not support authorization.
> I DO NOT require accounting and authorization and have kept the return
> types as optional.

  OK...

  Note that PAM just does password checks.  It does NOT set UID, GID, home directory, etc. for the user.

  You still need some way to define those fields.  This is usually done via NSS.  Or, define the user in /etc/passwd.  And only use PAM for password checks.

> SSH - Always successful
> WEB - Sometimes, the login fails (NOT always)

  That's bad.

> The following are noticed during the failure scenarios
> 
> 1. Radius authentication always succeeds and final SYSLOG from radius
> module received is
> 
> *USER.DEBUG. php: pam_radius_auth: authentication succeeded*

  OK, that's good.

> 2. After this, the following SYSLOG is seen and login failed
> 
> 
> *AUTHPRIV.WARNING. php: pam_unix(php:auth): check pass; user unknown*
> *AUTHPRIV.NOTICE. php: pam_unix(php:auth): authentication failure,
> logname= uid=0 euid=0 tty= ruser= rhost=<IP address>*

  The pam_unix module is saying that the user isn't in /etc/passwd.  Which is likely true.

> Scenario 2:
> I did the following changes with respect to the configuration to skip
> pam_unix and depend on pam_radius only.
...
> SSH - Always successful
> WEB - Sometimes, the login fails (NOT always)

  PAM is magic that makes FreeRADIUS look trivial by comparison.

> The following are noticed during the failure scenarios
> 
> 1. Radius authentication always succeeds and final SYSLOG from radius
> module received is
> 
> *USER.DEBUG. php: pam_radius_auth: authentication succeeded*
> 2. After this, there are no SYSLOG messages

  Then it's difficult to see what's going wrong.

> In both cases, login fails sometimes and only through a WEB interface.
> 
> Could you please provide any suggestions on the above?
> Why is the user unknown in scenario 1

  Because the user isn't in /etc/passwd.

  FreeRADIUS can use PAM for name / password checking.  But it uses PAM *only* for that, and doesn't require users to be in /etc/passwd.

  My guess is that the web system is doing *additional* checks after PAM succeeds.  And then failing those checks, without telling you what they are, or what it's doing.

  There's a reason that FreeRADIUS has enormous debug logs.  Much of the time those logs contain exactly the information needed to fix a problem like this.  In contrast, many other programs have helpful messages like "FAILED".  Which makes me think that the developers have a deep hatred of their end users.

  Alan DeKok.
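Added illustration, not from the thread and not Linux-PAM's own code: a small model of Linux-PAM's simple control flags (required, requisite, sufficient, optional) showing how a stack that runs pam_unix.so as `required` after pam_radius_auth.so rejects a user who is not in /etc/passwd even though the RADIUS step succeeded, and why listing pam_radius_auth.so first as `sufficient` changes the outcome. The stacks and per-module results are constructed assumptions; the poster's real auth lines are not shown in the thread.

```python
# Simplified model of Linux-PAM's simple control flags.  Added example: it is
# not libpam and not the poster's configuration.  The stacks and module
# results below are constructed to mirror the symptom in the thread.

SUCCESS, FAIL = "success", "fail"

def evaluate_stack(stack, results):
    """stack: list of (control, module) in /etc/pam.d order.
    results: module name -> SUCCESS or FAIL for this login attempt.
    Returns the overall result of the auth stack."""
    impression = None                 # None, "positive" or "negative"
    for control, module in stack:
        ok = results[module] == SUCCESS
        if control in ("required", "requisite", "optional"):
            if ok:
                if impression != "negative":
                    impression = "positive"
            elif control == "required":
                impression = "negative"   # remembered; later modules still run
            elif control == "requisite":
                return FAIL               # stop immediately
            # an optional module's failure is ignored
        elif control == "sufficient":
            if ok and impression != "negative":
                return SUCCESS            # rest of the stack is skipped
            # a sufficient module's failure is ignored
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return SUCCESS if impression == "positive" else FAIL

# Constructed results: RADIUS accepts the user, pam_unix cannot find the user
# in /etc/passwd ("check pass; user unknown") and therefore fails.
RESULTS = {"pam_radius_auth.so": SUCCESS, "pam_unix.so": FAIL}

# Assumed stack for scenario 1: both modules must pass, so the login fails
# even though the RADIUS module logged "authentication succeeded".
SCENARIO_1 = [("required", "pam_radius_auth.so"),
              ("required", "pam_unix.so")]

# Reordered stack: a RADIUS success ends the stack before pam_unix runs.
REORDERED = [("sufficient", "pam_radius_auth.so"),
             ("required", "pam_unix.so")]

if __name__ == "__main__":
    print("scenario 1:", evaluate_stack(SCENARIO_1, RESULTS))   # fail
    print("reordered: ", evaluate_stack(REORDERED, RESULTS))    # success
```

Passing the PAM stack is only the password check Alan describes; an application that afterwards calls getpwnam() for UID, GID or home directory still needs the account resolvable through NSS (or /etc/passwd), which is a separate thing to verify with getent passwd.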
