Alan,

After making the recommended changes, and commenting everything out of the radiusd.conf,
allowing EAP only MD5, and disallowing all other forms of auth:

modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "lunatic", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
users: Matched lunatic at 156
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
rlm_eap_md5: No password configured for this user
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.17.247:2048, id=115, length=16

I guess my bigger question:
If this method were to work, the admin would have to hard-code user/password into
the users.conf. Is there another tried/true method for using some central password facility,
LDAP I don't think will work....

Thanks for your interest



Alan DeKok wrote:

Shawn Adams <[EMAIL PROTECTED]> wrote:

I think my Radius is using the system /etc/passwd, as this is the default.
This seems not to be an option, since /etc/passwd is not cleartext.

Exactly.


giving the user a specific entry in the users.conf:

Auth-Type := Local, User-Password = "Hello"

does not seem to help.

Of course. You told it to use 'Local' authentication, not EAP.
Change the line to:

Auth-Type += Local, User-Password = "Hello"

Then, list the EAP module BEFORE 'files' in the authorize section.
If it sees an EAP-Message, then EAP module will add 'Auth-Type :=
EAP', and the 'files' module will add 'Auth-Type += Local' AFTER that.

The EAP will take priority, and it will all work...

Alan DeKok.


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
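Background for the "No password configured for this user" failure and the /etc/passwd exchange above, as an added example that is not part of the original thread or of FreeRADIUS: EAP-MD5 is a CHAP-style challenge/response (RFC 3748, section 5.4), so the server can only check a response if it holds the cleartext password. The function names, the EAP identifier and the crypt-style string are constructed for illustration; "Hello" is the password from the users entry quoted above.

```python
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value field of an EAP-MD5 response: MD5(Identifier || secret || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the EAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_verify(identifier: int, stored_secret: bytes,
                  challenge: bytes, response: bytes) -> bool:
    """Recompute the response from whatever the server has stored and compare."""
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = b"Hello"              # cleartext, as in the users entry in the thread
    # Constructed placeholder for what a hashed password store would give the server.
    hashed_entry = b"$1$constructed$placeholderNotARealHash"
    identifier = 2                   # constructed EAP identifier
    challenge = os.urandom(16)       # fresh server challenge for each attempt

    # The supplicant knows the cleartext password and answers the challenge.
    response = eap_md5_response(identifier, password, challenge)

    # Server holding the cleartext password can reproduce the same digest.
    ok_cleartext = server_verify(identifier, password, challenge, response)
    # Server holding only a one-way hash feeds the wrong secret into MD5:
    # the digests cannot match, and the hash cannot be reversed to fix that.
    ok_hashed = server_verify(identifier, hashed_entry, challenge, response)
    return ok_cleartext, ok_hashed


if __name__ == "__main__":
    cleartext_ok, hashed_ok = demo()
    print("server with cleartext password:", cleartext_ok)
    print("server with hashed password only:", hashed_ok)
```

The same constraint applies to any central password store: it has to be able to hand the server the cleartext password for EAP-MD5 to succeed.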



