Hi

I am currently running the following system:

Server: FreeRadius, MySQL

Client: pam_radius_auth, libnss_mysql.so

I use FreeRADIUS to auth and account SSH logins; here is my pam.d/sshd file on the client.

#%PAM-1.0
auth       sufficient   /lib/security/pam_radius_auth.so debug
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_radius_auth.so debug
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    sufficient   /lib/security/pam_radius_auth.so debug conf=/etc/radiusclient/servers
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so

Now when I authenticate I can see that the Calling-Station-ID gets passed, but when I do authentication that field seems to be missing.

Here is the output of radiusd -X

Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1:3698, id=220, length=89
        User-Name = "test"
        User-Password = "123pass"
        NAS-IP-Address = 10.0.0.1
        NAS-Identifier = "sshd"
        NAS-Port = 2673
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "10.1.1.1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 7
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 7
  modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type pap
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by "test" with password 123pass
rlm_pap: Using password "$1$n/uxpq.r$FBKqAEC8KvsK13QVHRwAf/" for user test authentication.
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated succesfully
  modcall[authenticate]: module "pap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 220 to 10.0.0.1:3698
        Framed-IP-Address := 10.1.1.1
        Framed-Protocol := PPP
        Service-Type := Framed-User
        Framed-Compression := Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Accounting-Request packet from host 10.0.0.1:3698, id=66, length=72
        User-Name = "test"
        NAS-IP-Address = 10.0.0.1
        NAS-Identifier = "sshd"
        NAS-Port = 2673
        NAS-Port-Type = Virtual
        Acct-Status-Type = Start
        Acct-Session-Id = "00002673"
        Acct-Authentic = RADIUS
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 1
  modcall[preacct]: module "preprocess" returns noop for request 1
rlm_acct_unique: Hashing 'NAS-Port = 2673,Client-IP-Address = 10.0.0.1,NAS-IP-Address = 10.0.0.1,Acct-Session-Id = "00002673",User-Name = "test"'
rlm_acct_unique: Acct-Unique-Session-ID = "a0ec8ab13c262f56".
  modcall[preacct]: module "acct_unique" returns ok for request 1
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 1
  modcall[preacct]: module "files" returns noop for request 1
modcall: group preacct returns ok for request 1
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 1
radius_xlat:  '/usr/local/var/log/radius/radacct/10.0.0.1/detail-20050603'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.0.0.1/detail-20050603
  modcall[accounting]: module "detail" returns ok for request 1
  modcall[accounting]: module "unix" returns ok for request 1
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  'test'
  modcall[accounting]: module "radutmp" returns ok for request 1
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('00002673', 'a0ec8ab13c262f56', 'test', '', '10.0.0.1', '2673', 'Virtual', '2005-06-03 14:20:01', '0', '0', 'RADIUS', '', '', '0', '0', '', '', '', '', '', '', '', '0')'
rlm_sql (sql): Reserving sql socket id: 6
rlm_sql (sql): Released sql socket id: 6
  modcall[accounting]: module "sql" returns ok for request 1
modcall: group accounting returns ok for request 1
Sending Accounting-Response of id 66 to 10.0.0.1:3698
Finished request 1
Going to the next request
Cleaning up request 1 ID 66 with timestamp 42a05901
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 220 with timestamp 42a05901
Nothing to do.  Sleeping until we see a request.

As you can see, the CallingStationId is empty; also, there is no mention of it in the Accounting request packet.

If this is not supported by the accounting, is there a way to get it from the authentication section?  I would also like to say that I know this is more related to the PAM module and I assume this makes this mail a bit out of context in this mail group, but any help would be most appreciated.

Kind Regards

Christiaan Ehlers

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
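
An added example, not part of the original post and not FreeRADIUS code: a parser for `radiusd -X` output that finds Accounting-Request packets without Calling-Station-Id and recovers the value from the matching Access-Request. It assumes the client sends the same User-Name, NAS-IP-Address and NAS-Port in both packets, as in the capture above; `SAMPLE` is constructed from that capture and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the radiusd -X capture in the post.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.0.0.1:3698, id=220, length=89
        User-Name = "test"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 2673
        Calling-Station-Id = "10.1.1.1"
  Processing the authorize section of radiusd.conf
rad_recv: Accounting-Request packet from host 10.0.0.1:3698, id=66, length=72
        User-Name = "test"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 2673
        Acct-Status-Type = Start
        Acct-Session-Id = "00002673"
  Processing the preacct section of radiusd.conf
"""

HEADER = re.compile(r"^rad_recv: (\S+) packet from host")
ATTR = re.compile(r"^\s+([A-Za-z][\w-]*) = (.*)$")

def parse_packets(text):
    """Return one dict per received packet: {'code': str, 'attrs': dict}."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"code": m.group(1), "attrs": {}}
            packets.append(current)
            continue
        a = ATTR.match(line)
        if current is not None and a:
            current["attrs"][a.group(1)] = a.group(2).strip('"')
        elif line.strip():
            current = None  # first non-attribute line ends the attribute list
    return packets

def backfill_calling_station(packets):
    """Map Acct-Session-Id to Calling-Station-Id, using the accounting packet's
    own value if present, else the last Access-Request with the same key."""
    key = lambda p: tuple(p["attrs"].get(k) for k in ("User-Name", "NAS-IP-Address", "NAS-Port"))
    seen, result = {}, {}
    for p in packets:
        csid = p["attrs"].get("Calling-Station-Id")
        if p["code"] == "Access-Request" and csid:
            seen[key(p)] = csid  # assumption: key is stable across auth and acct
        elif p["code"] == "Accounting-Request":
            result[p["attrs"].get("Acct-Session-Id")] = csid or seen.get(key(p))
    return result
```

Blank lines between log lines are skipped, so the parser also accepts double-spaced copies of the debug output.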
