Good afternoon All
If somebody could answer this question form I would be most grateful.

I have configured freeradius-3.0 and all works well when I am using the
users file for authentication.

I wish however to use the shadow file and the users file together.
I have uncommented the /etc/shadow (My O/S is Solaris 8) line in the
radiusd.conf file. I am also running radius with a user that can read the
shadow file.

My problem is covered slightly in the radius FAQ but I think I am missing
the point, as I wish to use CHAP and PAP.

When I use a Windows 2000 machine and configure dialup networking to use
"typical recommended settings",
i.e. allow unsecured password, Radius rejects the user's name and password
(please see below).

#####OUT PUT FROM radius -X#########################
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 194.216.59.26:1038, id=74,
length=105
        User-Name = "gfrost"
        CHAP-Password = "I HAVE REMOVED THIS"
        NAS-IP-Address = 194.216.59.26
        NAS-Port = 20102
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        State = 0x
        Calling-Station-Id = "02089617000"
        Acct-Session-Id = "352283926"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
    users: Matched DEFAULT at 8
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: Attribute "Password" is required for authentication.  Cannot use
"CHAP-Password".
  modcall[authenticate]: module "unix" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 74 to 194.216.59.26:1038
##################END OUT PUT FROM radiusd -X #################

(Sorry if this is becoming a long question)

If I force the dialup connection to use PAP it works fine. This gives me the
problem of having to tell my users to choose PAP in their
configuration. When I put the username in the /etc/shadow file and set it to
CHAP when it's in the users file. (I wish to use the users file as an
exception to the normal configuration, say if the user can use both channels
on the ISDN. Something like that.)
I thought you could set up the following in the users file so you could use
both.



##################TOP OF USERS FILE #######################
DEFAULT Auth-Type := System     # telling radius to look at /etc/shadow first?
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Routing = None,
    Ascend-Assign-IP-Pool = 1,
    X-Ascend-Idle-Limit = 1800,
    Fall-Through = Yes                           # Apply to all

a       Auth-Type := Local, Password == "a"   # I use this line to set to CHAP password

aa   Auth-Type := Reject # I used this line to reject users. In this case the user name is aa
    Service-Type ==  Login-User,
    Reply-Message = "Mailbox only account. Please Use a different account..",
    Ascend-TS-Idle-Limit = 1
####################################END USERS FILE#####################

Again, sorry if this email has become long-winded but I'm running out of hair
and need some guidance.
Regards
Gareth Frost
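
Why the debug output above reports that rlm_unix cannot use "CHAP-Password", as an added example that is not part of the original post: a CHAP response is MD5(ID || password || challenge) per RFC 1994, so the server must hold the cleartext password to recompute it, while a shadow-style store keeps only a one-way hash. The salted SHA-256 stand-in for a shadow entry, the sample password and the challenge are constructed assumptions.

```python
import hashlib
import hmac

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def chap_password_attr(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password value (RFC 2865): 1-byte CHAP ID + 16-byte response."""
    return bytes([chap_id]) + chap_response(chap_id, secret, challenge)

def verify_chap(attr: bytes, challenge: bytes, server_secret: bytes) -> bool:
    """Recompute the response from what the server has stored and compare."""
    if len(attr) != 17:
        return False
    expected = chap_response(attr[0], server_secret, challenge)
    return hmac.compare_digest(attr[1:], expected)

def shadow_style_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a one-way shadow entry (assumption: salted SHA-256, not crypt(3))."""
    return hashlib.sha256(salt + password).digest()

def verify_pap(cleartext: bytes, salt: bytes, stored: bytes) -> bool:
    """PAP delivers the cleartext, so the server can hash it and compare."""
    return hmac.compare_digest(shadow_style_hash(cleartext, salt), stored)

def demo() -> dict:
    # Constructed sample values, not taken from the post.
    password, salt = b"example-password", b"constructed-salt"
    challenge = bytes(range(16))
    stored = shadow_style_hash(password, salt)            # all a shadow-style store keeps
    attr = chap_password_attr(0x4A, password, challenge)  # what the NAS forwards
    return {
        "pap_vs_hash": verify_pap(password, salt, stored),
        "chap_vs_cleartext": verify_chap(attr, challenge, password),
        "chap_vs_hash": verify_chap(attr, challenge, stored),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accept' if ok else 'reject'}")
```

Only the check that has the cleartext password available accepts the CHAP response; the same hash that is sufficient for PAP cannot validate it.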

