We're trying to compile the pam_radius module on Irix. There are a few
gotchas, mainly compiler weirdness and pointers fun :-) but we got it to
the point where it sends a Radius packet to the server and it parses the
reply.
That being said, it doesn't work. See debug info below at the end of the
message.
My Radius server is SafeWord, which contains a full Livingston-1.2
implementation:
/*
* @(#)conf.h 1.2 12/22/94
*/
A look into a .o file confirms the version number: 1.2
My question is: is pam_radius working with Livingston at all? Were there
any success stories with this combination?
Looks like Livingston doesn't like some stuff in the packets sent by
pam_radius.
Debug info follows.
The syslog file contains the debug messages from pam_radius. Please note
that the code has been hacked a little bit, and these might not be the
messages as one would expect them from the original pam_radius.
Some strings were replaced with XXXes to protect the innocent. ;-)
Jun 26 12:42:04 7E:diaspar sshd[130755]: pam_radius_auth: Got User Name XXXXXX
Jun 26 12:42:04 7E:diaspar sshd[130755]: pam_radius_auth: Sending RADIUS request code 1
Jun 26 12:42:04 7E:diaspar sshd[130755]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned XXXXXXXXX.
Jun 26 12:42:04 3E:diaspar sshd[130755]: pam_radius_auth: packet from RADIUS server XXXXXXXXXXXXXX.sgi.com fails verification: The shared secret is probably incorrect.
Jun 26 12:42:05 3E:diaspar sshd[130755]: pam_radius_auth: All RADIUS servers failed to respond.
Jun 26 12:42:05 7E:diaspar sshd[130755]: pam_radius_auth: authentication failed
Here's a tcpdump session on the Radius server itself, showing the failed
Radius authentication:
12:49:09.577617 XXX.XXX.XXX.XXX.33507 > XXX.XXX.XXX.XXX.1812: [udp sum ok] rad-access-req 97 [id 232] Attr[ User{XXXXXX} Pass NAS_ipaddr{XXX.XXX.XXX.XXX} NAS_id{sshd} NAS_port{130786} NAS_port_type{#1286} Service_type{#2079} Calling_station{XXXXXXXXXXX.sgi.com} ] (ttl 55, id 52801, len 125)
12:49:09.628042 XXX.XXX.XXX.XXX.1812 > XXX.XXX.XXX.XXX.33507: [udp sum ok] rad-access-reject 20 [id 232] (ttl 64, id 17241, len 48)
Here's a successful authentication, using radtest (from XTRadius) as a
client:
12:49:55.256775 XXX.XXX.XXX.XXX.1026 > XXX.XXX.XXX.XXX.1812: [udp sum ok] rad-access-req 90 [id 12] Attr[ User{XXXXXX} Pass NAS_port{12} Vendor_specific{...3..test..TiNC} Vendor_specific{.......#test} NAS_ipaddr{XXX.XXX.XXX.XXX} ] (ttl 55, id 53284, len 118)
12:49:55.334824 XXX.XXX.XXX.XXX.1812 > XXX.XXX.XXX.XXX.1026: [udp sum ok] rad-access-accept 26 [id 12] Attr[ Service_type{#2153} ] (ttl 64, id 17304, len 54)
--
Florin Andrei
"You can get excited about just any subject if you study it enough.
It's the deep knowledge that makes a topic interesting." - Larry McVoy
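
The reply check that a "fails verification" message refers to, as an added example that is not part of the original post and not pam_radius's own code: it assumes the client verifies the Response Authenticator defined in RFC 2865, and runs it over a 20-byte Access-Reject with id 232 like the one in the capture. The secret and request authenticator are constructed values and the function names are hypothetical; the last case shows that a client hashing the wrong request authenticator produces the same mismatch as a wrong secret.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply carrying its Response Authenticator."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_reply(packet, expected_id, request_auth, secret):
    """Client side: return 'ok' or the reason the reply must be discarded."""
    if len(packet) < HEADER_LEN:
        return "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return "bad length field"
    if ident != expected_id:
        return "id mismatch"
    attrs = packet[HEADER_LEN:length]
    want = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(want, packet[4:HEADER_LEN]):
        return "authenticator mismatch"
    return "ok"


# Constructed sample values; only the code, id and length mirror the capture.
SECRET = b"constructed-secret"
REQUEST_AUTH = bytes(range(16))
REPLY = build_reply(ACCESS_REJECT, 232, b"", REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(len(REPLY), verify_reply(REPLY, 232, REQUEST_AUTH, SECRET))
    print(verify_reply(REPLY, 232, REQUEST_AUTH, b"other-secret"))
    # Right secret, but the client hashes a different request authenticator
    # than the one it put on the wire: same symptom as a wrong secret.
    print(verify_reply(REPLY, 232, bytes(16), SECRET))
```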