"McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> So my original question, slightly reworded, is "If PAM is able to
> authenticate me correctly, which it does, why does FreeRADIUS still
> return a reject unless there is a local account?" This would seem to be
> a function of what FreeRADIUS requests of PAM.

I'm not sure why. As I said before, the PAM code in FreeRADIUS is copied pretty much verbatim from the Cistron source. And the 'username/password' authentication part of PAM is pretty hard to get wrong.

I would suggest looking at the PAM logs, to see why it decides to not authenticate the user.

What, you say? There's no PAM logs? Or, at least, no useful/helpful logs, and no way of debugging PAM's internals?

I hate PAM.

> Was this observation really necessary? I provided the information above
> for everyone's use, not for value judgements of the BayStack.

I judge what I see. I've seen other NAS boxes do similar, or much worse things. I'm disappointed with them.

> The BayStack is *not* a piece of crap, despite the fact that it doesn't
> do RADIUS authentication in the best possible way.

They've gone out of their way to make it *harder* to use. That disappoints me.

Say your NAS comes back up after a power outage, and fires 5k requests to the RADIUS server, when everyone dials in again. The server MAY take a second or so to respond, under the high load. In the meantime, the BayStack will time out (VERY quickly), and reject many of the users.

This is equipment you want to base your network on? That would make *me* nervous...

> I agree, with the reservation that while FreeRADIUS works very well and
> is highly configurable, there is a severe lack of documentation (which
> is somewhat reasonable since it is still in 0.xx versions)

Well, it *is* free software, which is generally well known for having poor documentation.

> and its developers are extremely opinionated and sensitive to
> criticism. :-/

I can't speak for others here, but I know *I'm* sensitive to a lot of things which aren't criticism. If you say "The server core dumped on me, I hate it, it's crap", I'll most likely agree with you.

On the other hand, many comments involve a lack of awareness of how RADIUS works, or how Unix systems work. There's not much that can be said there, other than "go read the OTHER guy's documentation, that's not part of FreeRADIUS."

Other comments involve people unwilling or unable to read what documentation exists, and *those* get blunt responses from me.

> THEREFORE, my biggest worry at the moment is how I can use FreeRADIUS to
> authenticate people logging into BayStacks, using PAM as the local
> authentication method on the RADIUS server side *without* having to
> create user accounts on the RADIUS server for every switch admin.

Find out why PAM is rejecting the users. All the server knows from rlm_pam is that the authentication failed.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
