I am having a problem with the pam_radius_auth module running under HP-UX.
I compiled version 1.3.16 of pam_radius_auth on an HP-UX 11.0 system with HP's ANSI C
compiler. I had to #define u_int32_t to be unsigned int. The code compiled OK and the
shared library was built successfully.
My test environment is as follows:
1 HP-UX 11.11 system running pam_radius_auth version 1.3.16 (systemA XXX.XXX.XXX.150)
1 Solaris 2.8 system running pam_radius_auth version 1.3.16 (systemB)
2 Red Hat AS 2.1 Linux servers running FreeRADIUS server version 0.9.3
(XXX.XXX.XXX.251 & XXX.XXX.XXX.238)
a local user account called "test" on the Linux systems, with a valid password
a local user account called "test" with an invalid password on both the HP-UX and
Solaris systems.
The /etc/raddb/server file on both clients systemA and systemB contains:
XXX.XXX.XXX.251:1812 secret 5
XXX.XXX.XXX.238:1812 secret 5
The problem is that the pam_radius_auth module on the HP (systemA) system fails to
authenticate the user "test" on the FreeRADIUS server. The same "test" user will
authenticate fine when coming from the Solaris (systemB) system. The messages
produced by the debug on the failing client are:
============================================================
Dec 17 08:07:36 systemA login: pam_radius_auth: RADIUS server XXX.XXX.XXX.251 failed to respond
Dec 17 08:07:37 systemA login: pam_radius_auth: packet from RADIUS server XXX.XXX.XXX.238 fails verification: The shared secret is probably incorrect.
Dec 17 08:07:37 systemA login: pam_radius_auth: All RADIUS servers failed to respond.
Dec 17 08:07:37 systemA login: pam_radius_auth: authentication failed
Dec 17 08:07:37 systemA login: pam_authenticate: error Can not retrieve authentication info
Dec 17 08:07:45 systemA login: pam_setcred: error Can not retrieve authentication info
============================================================
The Linux server XXX.XXX.XXX.238 is running with the -X option and produces the following
messages:
============================================================
rad_recv: Access-Request packet from host XXX.XXX.XXX.150:14570, id=39, length=101
User-Name = "test"
User-Password = "\311\260\020\\Q\245\306f}\025\224R\334?\016\275"
NAS-IP-Address = XXX.XXX.XXX.150
NAS-Identifier = "login"
NAS-Port = 13545
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "clientA"
modcall: entering group authorize for request 0
users: Matched DEFAULT at 5
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
Sending Access-Request of id 1 to XXX.XXX.XXX.72:1645
User-Name = "test"
User-Password = "\311\260\020\\Q\245\306f}\025\224R\334?\016\275"
NAS-IP-Address = XXX.XXX.XXX.150
NAS-Identifier = "login"
NAS-Port = 13545
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "clientA"
Proxy-State = 0x3339
--- Walking the entire request list ---
Re-sending Access-Request of id 1 to XXX.XXX.XXX.72:1645
User-Name = "test"
User-Password = "\263\316+\025\312p\t\000\234\273l,\336)L~"
NAS-IP-Address = XXX.XXX.XXX.150
NAS-Identifier = "login"
NAS-Port = 13545
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "clientA"
Realm = "realm1"
Proxy-State = 0x3339
Waking up in 1 seconds...
--- Walking the entire request list ---
Server rejecting request 0.
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 39 to XXX.XXX.XXX.150:14570
Cleaning up request 0 ID 39 with timestamp 3fe08909
Nothing to do. Sleeping until we see a request.
============================================================
Now, I have triple checked the correctness of the shared secret and I have also
manually recreated this file twice, typing the entries by hand, but I still continue
to get the "shared secret is incorrect" message. It appears that the problem is
related to MD5 hashing of the shared secret and the user's password. Can anybody shed
some light on this?
Regards,
Jim Lynch