Hello,

I am new to the list and a newbie on RADIUS. My problem is not directly related to using freeradius, but rather accessing a RADIUS server via the pam_radius_auth module. Since this module seems to be supported/maintained under freeradius, I hope to get some help from the list members.

I have a (cistron-based, running on an Ubuntu box) RADIUS server configured w/ IP address 192.168.200.1. Under "users" file, there is a default entry to authenticate users against the system /etc/passwd file. Under "clients" file, there is an entry for IP address 192.168.200.10 w/ a shared secret "somesecret". There is a user "gakkor" w/ password "dummy" in the /etc/passwd file in the box that the server resides. I am running the server in debug mode "/usr/sbin/radiusd -sfxxyz -l stdout"

I have a client machine, running a Linux based system. If I use the test client "radtest" w/

#> radtest gakkor dummy 192.168.200.1 101 somesecret

everything works fine. I get the following debug output from the server:

radrecv: Packet from host 192.168.200.10 code=1, id=219, length=58
    User-Name = "gakkor"
    User-Password = "\326)\312g\tEL\351\033\031\271\234vmE\206"
    NAS-IP-Address = 192.168.200.10
    NAS-Port = 101
  users: Matched DEFAULT at line 136
  auth: System
Sending Ack of id 219 to 192.168.200.10
Login OK: [gakkor/dummy] (from nas nas1/S101)

Now, instead of the radtest, I want to use an application called "authmanager" which makes a call to the pam_sm_authenticate method of the pam_radius_auth module, with the same username/password. The "server" file under /etc/raddb (on client side) has an entry "192.168.200.1 somesecret". So, the shared secrets are the same both for the client and server. The /etc/pam.conf file has an entry

authmanager auth required /usr/lib/pam_radius_auth.so skip_passwd

However, I see that the password sent to the server becomes garbled and authentication fails. Here is the output from the server in this scenario....

radrecv: Packet from host 192.168.200.10 code=1, id=94, length=79
    User-Name = "gakkor"
    User-Password = "b\364f\330\214\250\271\274\"G\2258\371\217\\\330"
    NAS-IP-Address = 192.168.200.10
    NAS-Identifier = "authmanager"
    NAS-Port = 229
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
  users: Matched DEFAULT at line 136
  auth: System
Sending Reject of id 94 to 192.168.200.10
Login incorrect: [gakkor/];:/[EMAIL PROTECTED] (from nas nas1/S229)

Notice, that the debug output has unprintable characters for password... The syslog message on the client side says:

pam_radius_auth: packet from RADIUS server 192.168.200.1 fails verification: The shared secret is probably incorrect.

This seems like a problem with the MD5 hashing or byte-order. The client and server both are little-endian. And as far as I can tell from the PAM module code, the default case is also little-endian as far as the byte-order is concerned.

Any suggestions as to where I might be going wrong?

Thanks in advance,
Gun Akkor

Staff Scientist,
Patton Electronics, Co.
Gaithersburg, MD
gakkor AT patton DOT com
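
What a shared-secret mismatch looks like on both ends under RFC 2865, as an added Python example (not part of the original post, and not code from pam_radius_auth or the server): the server recovers garbage from User-Password, and the client's check of the reply authenticator fails. The Request Authenticator bytes and the mismatched secret `othersecret` are constructed for illustration.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + prev)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev  # the ciphertext block chains into the next key
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, so a different secret yields random-looking bytes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def demo(client_secret: bytes, server_secret: bytes):
    request_auth = bytes(range(16))  # constructed; real clients send 16 random bytes
    hidden = hide_password(b"dummy", client_secret, request_auth)
    seen_by_server = recover_password(hidden, server_secret, request_auth)
    # The server signs its reply (code 3, Access-Reject, used here for both
    # cases) with its own secret; the client recomputes it with its secret.
    sent = response_authenticator(3, 94, b"", request_auth, server_secret)
    expected = response_authenticator(3, 94, b"", request_auth, client_secret)
    return seen_by_server, sent == expected

if __name__ == "__main__":
    print(demo(b"somesecret", b"somesecret"))   # matching secrets
    print(demo(b"othersecret", b"somesecret"))  # constructed mismatch
```
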