Simon,

The new version of freeradius is still doing that. But anyway we can look at
that part later.

At this point, my ldap and oath work well independently. But when I put
them together in PAM, only the first module gets the user name and password
prompt. The second module doesn't give me a prompt for inputting the user
name and password. I'm testing with Juniper VPN. My /etc/pam.d/radiusd is:

#%PAM-1.0
auth       required     pam_ldap.so debug
auth       required     pam_oath.so debug usersfile=/etc/users.oath window=20
account    include      system-auth
password   include      system-auth
session    include      system-auth

So when Juniper VPN pops up the user name prompt, I enter the ldap login, but I
see that oath is taking that password too. It doesn't give me the 2nd prompt. I
guess I need to do something after pam_ldap finishes. Maybe I need to modify
the oath code to add a conversation function to it?

Lou
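An added illustration (not code from this thread, pam_oath or FreeRADIUS) of what the debug output above shows: in PAM the conversation callback is supplied by the application, not by a module, and rlm_pam's callback answers every echo-off prompt with the one User-Password carried in the Access-Request, so a second password module in the stack can only ever receive the same string. The module and conversation functions below are constructed stand-ins, and the sample values are taken from the thread.

```python
"""Model of a PAM stack driven by a RADIUS conversation versus a tty one.

Assumption (constructed model of rlm_pam): every PAM_PROMPT_ECHO_OFF is
answered with the RADIUS User-Password and every PAM_PROMPT_ECHO_ON with
the User-Name; the RADIUS client is never asked a second question.
"""
from typing import Callable, List, Tuple

PAM_PROMPT_ECHO_OFF = 1   # password-style prompt (input hidden)
PAM_PROMPT_ECHO_ON = 2    # username-style prompt (input shown)

# A conversation maps a list of (style, prompt text) to the user's answers.
Conv = Callable[[List[Tuple[int, str]]], List[str]]


def radius_conv(user: str, user_password: str) -> Conv:
    """Conversation built from one Access-Request: a fixed answer per style."""
    def conv(messages: List[Tuple[int, str]]) -> List[str]:
        return [user_password if style == PAM_PROMPT_ECHO_OFF else user
                for style, _prompt in messages]
    return conv


def tty_conv(typed_answers: List[str]) -> Conv:
    """Interactive login: each prompt consumes the next answer the user types."""
    answers = iter(typed_answers)
    return lambda messages: [next(answers) for _ in messages]


def password_module(name: str) -> Callable[[Conv], Tuple[str, str]]:
    """Stand-in for pam_ldap / pam_oath: asks for one secret via the conversation."""
    def module(conv: Conv) -> Tuple[str, str]:
        (secret,) = conv([(PAM_PROMPT_ECHO_OFF, f"{name} password: ")])
        return name, secret          # what the module actually got to verify
    return module


def run_stack(conv: Conv) -> List[Tuple[str, str]]:
    """'auth required pam_ldap.so' followed by 'auth required pam_oath.so'."""
    stack = (password_module("pam_ldap"), password_module("pam_oath"))
    return [module(conv) for module in stack]


if __name__ == "__main__":
    # Constructed values echoing the thread: one User-Password per request.
    print(run_stack(radius_conv("root", "073348")))
    print(run_stack(tty_conv(["ldap-secret", "073348"])))
```

Under the RADIUS conversation both modules report the same secret, while the tty conversation hands each module its own answer; the difference lies in the application's callback, not in pam_oath.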

On Tue, Jun 14, 2011 at 10:23 AM, Hailu Meng <[email protected]> wrote:

> Let me upgrade my Freeradius and try one more time.
>
>
> On Mon, Jun 13, 2011 at 11:51 PM, Simon Josefsson <[email protected]> wrote:
>
>> Hailu Meng <[email protected]> writes:
>>
>> > I found the problem. I commented the account command in pam. After I put
>> > in-system for account, the user root can authenticate successfully. It seems
>> > like I need to create all the users in the server to get authentication
>> > successful.
>>
>> Right -- real user accounts need to exist, I have also run into this
>> issue.  If anyone knows how to disable this check in FreeRadius, that
>> would be great to know.  Sometimes it is just a pain to create real user
>> accounts on the Radius server.
>>
>> /Simon
>>
>> > On Mon, Jun 13, 2011 at 8:52 AM, Hailu Meng <[email protected]> wrote:
>> >
>> >> Hi All,
>> >>
>> >> I'm getting there, but ran into some problem. I have Freeradius 1.1.3. I'm
>> >> testing Radius --> PAM --> OATH. The oath toolkit got executed successfully
>> >> and returned the "success" message to the PAM stack, but for some reason
>> >> pam_pass failed. Here is the debug from radiusd:
>> >>
>> >> rad_recv: Access-Request packet from host 127.0.0.1:53651, id=230,
>> >> length=56
>> >>         User-Name = "root"
>> >>         User-Password = "073348"
>> >>         NAS-IP-Address = 255.255.255.255
>> >>         NAS-Port = 1812
>> >>   Processing the authorize section of radiusd.conf
>> >> modcall: entering group authorize for request 2
>> >>   modcall[authorize]: module "preprocess" returns ok for request 2
>> >>   modcall[authorize]: module "chap" returns noop for request 2
>> >>   modcall[authorize]: module "mschap" returns noop for request 2
>> >>     rlm_realm: No '@' in User-Name = "root", looking up realm NULL
>> >>     rlm_realm: No such realm "NULL"
>> >>   modcall[authorize]: module "suffix" returns noop for request 2
>> >>   rlm_eap: No EAP-Message, not doing EAP
>> >>   modcall[authorize]: module "eap" returns noop for request 2
>> >>     users: Matched entry DEFAULT at line 152
>> >>   modcall[authorize]: module "files" returns ok for request 2
>> >> modcall: leaving group authorize (returns ok) for request 2
>> >>   rad_check_password:  Found Auth-Type pam
>> >> auth: type "PAM"
>> >>   Processing the authenticate section of radiusd.conf
>> >> modcall: entering group authenticate for request 2
>> >> pam_pass: using pamauth string <radiusd> for pam.conf lookup
>> >> [pam_oath.c:parse_cfg(118)] called.
>> >> [pam_oath.c:parse_cfg(119)] flags 0 argc 3
>> >> [pam_oath.c:parse_cfg(121)] argv[0]=debug
>> >> [pam_oath.c:parse_cfg(121)] argv[1]=usersfile=/etc/users.oath
>> >> [pam_oath.c:parse_cfg(121)] argv[2]=window=20
>> >> [pam_oath.c:parse_cfg(122)] debug=1
>> >> [pam_oath.c:parse_cfg(123)] alwaysok=0
>> >> [pam_oath.c:parse_cfg(124)] try_first_pass=0
>> >> [pam_oath.c:parse_cfg(125)] use_first_pass=0
>> >> [pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
>> >> [pam_oath.c:parse_cfg(127)] digits=0
>> >> [pam_oath.c:parse_cfg(128)] window=20
>> >> [pam_oath.c:pam_sm_authenticate(157)] get user returned: root
>> >> [pam_oath.c:pam_sm_authenticate(232)] conv returned: 073348
>> >> [pam_oath.c:pam_sm_authenticate(292)] OTP: 073348
>> >> [pam_oath.c:pam_sm_authenticate(305)] authenticate rc 0 (OATH_OK:
>> >> Successful return) last otp Mon Jun 13 08:32:53 2011
>> >>
>> >> [pam_oath.c:pam_sm_authenticate(327)] done. [Success]
>> >> pam_pass: function pam_acct_mgmt FAILED for <root>. Reason: Authentication failure
>> >>   modcall[authenticate]: module "pam" returns reject for request 2
>> >> modcall: leaving group authenticate (returns reject) for request 2
>> >> auth: Failed to validate the user.
>> >> Login incorrect: [root] (from client localhost port 1812)
>> >>
>> >> Any idea about this? Thanks for your help!!
>> >>
>> >> Lou
>> >>
>>
>
>
