Someone will correct me if I am wrong, but I believe that is the "unix" entry under sites-available/default.

David

From: freeradius-users-bounces+david.peterson=acc-corp....@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp....@lists.freeradius.org] On Behalf Of Martin Richard
Sent: Thursday, June 10, 2010 11:32 AM
To: [email protected]
Subject: Removing local auth (freeradius server 2.1.9)

Hello,

I've tried the doc, the wiki, and the ML archives but I can't find an answer to what must be a simple configuration thing.

I've compiled freeradius server 2.1.9 and only added two simple lines to $confdir/user:

    mrichard Cleartext-Password := "qwerty"
    mrichard2 Cleartext-Password := "qwerty"

When starting radiusd -X (yes, I've looked at the output) and testing these 2 most simple accounts with radtest, the first one fails while the second one works. The difference being that there's a "mrichard" account on the box in /etc/passwd while "mrichard2" only exists in radiusd's config. Hence the output differences when calling "radtest thelogin qwerty localhost 666 testing123" (cut):

for mrichard:

    +- entering group PAP {...}
    [pap] login attempt with password "qwerty"
    [pap] Using CRYPT encryption.
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.
    Using Post-Auth-Type Reject

for mrichard2:

    +- entering group PAP {...}
    [pap] login attempt with password "qwerty"
    [pap] Using clear text password "qwerty"
    [pap] User authenticated successfully
    ++[pap] returns ok
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 79 to 127.0.0.1 port 60023

Of course, the first account works if I use the OS level password associated with it.

After a bit of searching I found a reference in the ML archives to $confdir/sites-enabled/default and saw "unix" in there with the description saying it caches the hashes from /etc/passwd and its accompanying shadow. I've commented those lines and restarted the daemon. Now I get this in the PAP output for both users:

    [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Using Post-Auth-Type Reject

I must be missing something rather obvious. But how can I totally disable the lookup of OS accounts?

Thanks
Martin

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
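
Added example, not part of either message and not FreeRADIUS code: a Python check for the situation Martin describes, where a name in the users file also exists in /etc/passwd, plus a reader for the [pap] debug lines quoted above that reports which kind of password PAP compared against. The sample file contents are constructed, the marker strings are the ones quoted in the thread, and the function names and source labels are hypothetical.

```python
import re

# Constructed samples modelled on the accounts and debug lines quoted in the thread.
SAMPLE_USERS = 'mrichard Cleartext-Password := "qwerty"\nmrichard2 Cleartext-Password := "qwerty"\n'
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nmrichard:x:1000:1000::/home/mrichard:/bin/sh\n"
SAMPLE_DEBUG = '[pap] login attempt with password "qwerty"\n[pap] Using CRYPT encryption.\n'

# Debug markers quoted in the thread, mapped to a label for what PAP compared against.
PAP_MARKERS = (
    ("Using clear text password", "cleartext"),
    ("Using CRYPT encryption", "crypt-hash"),
    ('No "known good" password found', "none"),
)

def users_with_cleartext(users_text):
    """Names of users-file entries whose check items set Cleartext-Password."""
    names = set()
    for line in users_text.splitlines():
        # Entries start in column 0; indented lines are reply items, '#' is a comment.
        if not line or line[0] in " \t#":
            continue
        name, *rest = line.split(None, 1)
        if name != "DEFAULT" and re.search(r"\bCleartext-Password\s*:?=", " ".join(rest)):
            names.add(name.strip('"'))
    return names

def system_accounts(passwd_text):
    """Login names found in passwd-format text."""
    return {l.split(":", 1)[0] for l in passwd_text.splitlines() if l and not l.startswith("#")}

def shadowed_names(users_text, passwd_text):
    """Users-file names that also exist as OS accounts (the failing case in the thread)."""
    return sorted(users_with_cleartext(users_text) & system_accounts(passwd_text))

def pap_password_source(debug_text):
    """Label the first recognised [pap] marker in a chunk of radiusd -X output."""
    for line in debug_text.splitlines():
        for marker, source in PAP_MARKERS:
            if line.lstrip().startswith("[pap]") and marker in line:
                return source
    return "unknown"

if __name__ == "__main__":
    print(shadowed_names(SAMPLE_USERS, SAMPLE_PASSWD))
    print(pap_password_source(SAMPLE_DEBUG))
```
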

