Re: Radius Authentication
Hi Todor,

Thanks, I've read before that there has to be a user on the local server with the same name as the Windows domain account and I have used the man pages for the configuration; I think the problem lies with the authentication against the RADIUS server, or the RADIUS server itself. I shall venture forth and try to combat this plague!!! :-P Thanks for the speedy reply btw! =)

Todor Genov-2 wrote:
> Hi Matt,
>
> The three important steps here are as follows:
>
> 1.) Confirm that authentication against the RADIUS server succeeds using any command line RADIUS util.
> 2.) Configure /etc/radius.conf as per man pam_radius and man radius.conf.
> 3.) Add a user on the FreeBSD machine whose name corresponds with the Windows domain account (if the name contains spaces then refer to the pre-Windows 2000 compatible username in AD). This is mandatory as pam_radius is only used for authentication. UID, GID, home dir and all *nix relevant account parameters are still retrieved from the local user database.
>
> An alternative to step 3 would be to use the template_user option in radius.conf, but this means that all your Windows users will appear to the system with the same UID/GID as the template_user.
>
> MattAD wrote:
> > I would just like to know if anyone on earth has been able to get the pam_radius module working on FreeBSD, using a Windows domain username through ssh... ??? This has become a mystery to me.
> >
> > My /etc/pam.d/sshd config looks like so:
> >
> >     #
> >     # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
> >     #
> >     # PAM configuration for the sshd service
> >     #
> >
> >     # auth
> >     auth        required    pam_nologin.so      no_warn
> >     auth        sufficient  pam_opie.so         no_warn no_fake_prompts
> >     auth        requisite   pam_opieaccess.so   no_warn allow_local
> >     auth        sufficient  pam_radius.so       no_warn try_first_pass
> >     #auth       sufficient  pam_krb5.so         no_warn try_first_pass
> >     #auth       sufficient  pam_ssh.so          no_warn try_first_pass
> >     auth        sufficient  pam_unix.so         no_warn try_first_pass
> >
> >     # account
> >     account     required    pam_nologin.so
> >     #account    required    pam_krb5.so
> >     account     required    pam_login_access.so
> >     account     required    pam_unix.so
> >
> >     # session
> >     #session    optional    pam_ssh.so
> >     session     required    pam_permit.so
> >
> >     # password
> >     #password   sufficient  pam_krb5.so         no_warn try_first_pass
> >     password    required    pam_unix.so         no_warn try_first_pass
> >
> > :confused:
>
> --
> Regards,
> Todor Genov
> Systems Operations
> Verizon Business South Africa (Pty) Ltd
> [EMAIL PROTECTED]
> Tel: +27 11 235 6500
> Fax: 086 692 0543

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Radius Authentication
Hi Matt,

The three important steps here are as follows:

1.) Confirm that authentication against the RADIUS server succeeds using any command line RADIUS util.
2.) Configure /etc/radius.conf as per man pam_radius and man radius.conf.
3.) Add a user on the FreeBSD machine whose name corresponds with the Windows domain account (if the name contains spaces then refer to the pre-Windows 2000 compatible username in AD). This is mandatory as pam_radius is only used for authentication. UID, GID, home dir and all *nix relevant account parameters are still retrieved from the local user database.

An alternative to step 3 would be to use the template_user option in radius.conf, but this means that all your Windows users will appear to the system with the same UID/GID as the template_user.

MattAD wrote:
> I would just like to know if anyone on earth has been able to get the pam_radius module working on FreeBSD, using a Windows domain username through ssh... ??? This has become a mystery to me.
>
> My /etc/pam.d/sshd config looks like so:
>
>     #
>     # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
>     #
>     # PAM configuration for the sshd service
>     #
>
>     # auth
>     auth        required    pam_nologin.so      no_warn
>     auth        sufficient  pam_opie.so         no_warn no_fake_prompts
>     auth        requisite   pam_opieaccess.so   no_warn allow_local
>     auth        sufficient  pam_radius.so       no_warn try_first_pass
>     #auth       sufficient  pam_krb5.so         no_warn try_first_pass
>     #auth       sufficient  pam_ssh.so          no_warn try_first_pass
>     auth        sufficient  pam_unix.so         no_warn try_first_pass
>
>     # account
>     account     required    pam_nologin.so
>     #account    required    pam_krb5.so
>     account     required    pam_login_access.so
>     account     required    pam_unix.so
>
>     # session
>     #session    optional    pam_ssh.so
>     session     required    pam_permit.so
>
>     # password
>     #password   sufficient  pam_krb5.so         no_warn try_first_pass
>     password    required    pam_unix.so         no_warn try_first_pass
>
> :confused:

--
Regards,
Todor Genov
Systems Operations
Verizon Business South Africa (Pty) Ltd
[EMAIL PROTECTED]
Tel: +27 11 235 6500
Fax: 086 692 0543
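Added example, not code from this thread or from pam_radius: a minimal RADIUS PAP Access-Request/Access-Accept exchange in Python, the kind of stand-alone check step 1 asks for, with the Response Authenticator verified under the shared secret before the reply's Code is trusted. The user name, password, secret and NAS values are constructed; RFC 2865 section 7.1 carries a reference Access-Request the encoder can be checked against.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for a stand-alone run; replace with your own NAS details.
SECRET = b"xyzzy5461"

def _xor_chain(data, secret, authenticator, chain_on_output):
    """RFC 2865 5.2: b(i) = MD5(secret + c(i-1)), c(i) = p(i) XOR b(i), with c(0) = Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(x ^ k for x, k in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if chain_on_output else data[i:i + 16]  # encrypt chains on ciphertext produced, decrypt on ciphertext read
    return out

def encode_user_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a multiple of 16 octets
    return _xor_chain(padded, secret, authenticator, chain_on_output=True)

def decode_user_password(blob, secret, authenticator):
    return _xor_chain(blob, secret, authenticator, chain_on_output=False).rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("BB", kind, len(value) + 2) + value  # Type, Length (header included), Value

def build_access_request(ident, username, password, secret, nas_ip, nas_port, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # must be unpredictable; it keys the password hiding
    attrs = (attr(1, username)                                                 # User-Name
             + attr(2, encode_user_password(password, secret, authenticator))  # User-Password (PAP)
             + attr(4, bytes(int(o) for o in nas_ip.split(".")))               # NAS-IP-Address
             + attr(5, struct.pack(">I", nas_port)))                           # NAS-Port
    return struct.pack(">BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs  # Code 1 = Access-Request

def build_access_accept(request, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", 2, request[1], 20)  # Code 2 = Access-Accept, no attributes
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(response, request_authenticator, secret):
    """Client side: a reply only counts if its Response Authenticator checks out under the shared secret."""
    code, _ident, length = struct.unpack(">BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return code, hmac.compare_digest(response[4:20], expected)

if __name__ == "__main__":
    req = build_access_request(0, b"DOMAIN\\matt", b"example-password", SECRET, "192.168.1.16", 3)
    code, ok = verify_response(build_access_accept(req, SECRET), req[4:20], SECRET)
    print("Access-Accept" if (code, ok) == (2, True) else "rejected or unauthenticated reply")
```

Against a real server, send the request over UDP to the RADIUS authentication port and hand the datagram you get back to verify_response together with the same authenticator; a reply that fails the check should be treated as no reply at all.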
Re: Radius Authentication
MattAD wrote:
> I would just like to know if anyone on earth has been able to get the pam_radius module working on FreeBSD, using a Windows domain username through ssh... ??? This has become a mystery to me.
>
> My /etc/pam.d/sshd config looks like so:

I don't have a direct answer to your question, but we use tac_plus with the RADIUS extension to authenticate from our IPS environment to a Windows 2003 domain, and there are two things I vaguely remember from that setup (maybe they apply to your setup as well):

- when authenticating we have to use the complete login name, including domain info: [EMAIL PROTECTED]
- we had to switch on 'Store passwords in reversible form' (or something like that - in Windows that is) to be able to authenticate. The first password is stored that way after a password change.
- we discovered that some passwords do not work: passwords with a + sign in them, but I don't know if that's due to TACACS or RADIUS.

Hope it helps.

Peter

--
http://www.boosten.org