Re: User /etc/shadow for Authentication

2007-04-26 Thread Norman Zhang
Norman Zhang wrote:
 Thanks. I edited users with the following entries
 
 DEFAULT   Auth-Type = System
   Fall-Through = 1,
   cisco-avpair = shell:priv-lvl=1,
   Service-Type = Administrative-User
 
 DEFAULT Group == user-ro
   cisco-avpair := shell:priv-lvl=7
 
 DEFAULT Group == user-rw
   cisco-avpair := shell:priv-lvl=15
 
 but all users still get privilege level 15 access. Something wrong with 
 my config?

Found it. Service-Type should = NAS-Prompt-User.

Norman

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: User /etc/shadow for Authentication

2007-04-25 Thread Norman Zhang
Dennis Skinner wrote:
 Make sure you are *only* using PAP.  CHAP encrypts the password over the
 wire and you cannot compare crypt to crypt.  One of them needs to be
 cleartext (this is a limitation of encryption, not FreeRADIUS).  See the
 table here:
 
 http://deployingradius.com/documents/protocols/compatibility.html
 
 (you are using Unix Crypt).


I changed

pap {
encryption_scheme = clear  # was crypt
}

chap {
authtype = pap  # was CHAP
}

pam {
pam_auth = radiusd
}

unix {
cache = no
cache_reload = 600
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
radwtmp = ${logdir}/radwtmp
}

but I still cannot get in.

rad_recv: Access-Request packet from host 10.0.0.2:1645, id=27, length=79
 NAS-IP-Address = 10.0.0.2
 NAS-Port = 1
 NAS-Port-Type = Virtual
 User-Name = tester
 Calling-Station-Id = 10.0.0.1
 User-Password = testing123
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = tester, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 0
 users: Matched DEFAULT at 152
   modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type System
auth: type System
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
   modcall[authenticate]: module unix returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
Sending Access-Accept of id 27 to 10.0.0.2:1645
Finished request 0
Going to the next request

---

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
  main: prefix = /usr
  main: localstatedir = /var
  main: logdir = /var/log/radius
  main: libdir = /usr/lib
  main: radacctdir = /var/log/radius/radacct
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = /var/log/radius/radius.log
  main: log_auth = yes
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = /var/run/radiusd/radiusd.pid
  main: user = radiusd
  main: group = radiusd
  main: usercollide = no
  main: lower_user = no
  main: lower_pass = no
  main: nospace_user = no
  main: nospace_pass = no
  main: checkrad = /usr/sbin/checkrad
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = yes
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
  pap: encryption_scheme = clear
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = no
  mschap: with_ntdomain_hack = no
  mschap: passwd = (null)
  mschap: authtype = MS-CHAP
  mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
  unix: cache = no
  unix: passwd = /etc/passwd
  unix: shadow = /etc/shadow
  unix: group = /etc/group
  unix: radwtmp = /var/log/radius/radwtmp
  unix: usegroup = no
  unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
  eap: default_eap_type = md5
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and 

Re: User /etc/shadow for Authentication

2007-04-25 Thread tnt
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
Sending Access-Accept of id 27 to 10.0.0.2:1645

You have got in. But you haven't returned any RADIUS attributes. You
need to return something like Service-Type = Administrative-User or
NAS-Prompt-User so the NAS knows what to do with the user.

Ivan Kalik
Kaliik Informatika ISP



Re: User /etc/shadow for Authentication

2007-04-25 Thread Norman Zhang
[EMAIL PROTECTED] wrote:
 Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
 Sending Access-Accept of id 27 to 10.0.0.2:1645
 
 You have got in. But you haven't returned any radius attributes. You
 need to return something like Service-Type = Administrative-User or
 NAS-Prompt-User so NAS knows what to do with the user.

Thanks for the hint. I added the last two lines to users; now I can log in.

DEFAULT Auth-Type = System
Fall-Through = 1,
 cisco-avpair = shell:priv-lvl=15,
 Service-Type = Administrative-User

Still trying to learn FreeRADIUS: should it be Fall-Through = True and not 1? 
How can I specify some users to have priv-lvl lower than 15, if the default 
is 15?

Norman



RE: User /etc/shadow for Authentication [unclas]

2007-04-25 Thread Ranner, Frank MR
Put your users into groups and add extra entries:

DEFAULT Group == numpties
cisco-avpair := shell:priv-lvl=1

DEFAULT Group == supernumpties
cisco-avpair := shell:priv-lvl=10

Notes:
These lines use := to overrule the cisco-avpair previously set.
They do not fall through.
I personally would make the default a low privilege, with high 
privilege coming from group membership. 

You'll need to read up on the available mechanisms for grouping users.

Regards,
Frank Ranner


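Frank's approach (a low-privilege default, groups raising it with `:=`) and the resolution in Norman's 2007-04-26 post at the top of the thread (switching Service-Type to NAS-Prompt-User) both come down to how rlm_files walks the users file and what the Cisco NAS does with the reply. The model below is an added example, not code from the thread or from FreeRADIUS. It assumes first-match-wins unless the matched entry carries Fall-Through, the usual `=` / `:=` / `+=` reply semantics, a constructed group table standing in for /etc/group (the users alice, bob and carol are invented), and a NAS that behaves as the thread observed: Administrative-User lands at level 15 regardless of shell:priv-lvl, NAS-Prompt-User honours it.

```python
"""Model of FreeRADIUS users-file evaluation for the entries in this thread.

Added example, not code from the thread or from FreeRADIUS.  Assumptions:
  * Entries are tried top to bottom; the first match ends processing unless
    that entry's reply list carries Fall-Through = 1 (or Yes), as rlm_files does.
  * Reply operators: '=' adds the attribute only if absent, ':=' replaces it,
    '+=' appends.  The check item 'Group == x' is true when the user is in x;
    group membership comes from a constructed dict standing in for /etc/group.
  * The NAS is modelled on what the thread observed on a Cisco router:
    Service-Type = Administrative-User puts the user at level 15 whatever
    shell:priv-lvl says; NAS-Prompt-User honours shell:priv-lvl (default 1).
"""
import re

# Constructed users file in the shape posted on 2007-04-26.
USERS_BEFORE = """\
DEFAULT   Auth-Type = System
          Fall-Through = 1,
          cisco-avpair = shell:priv-lvl=1,
          Service-Type = Administrative-User

DEFAULT   Group == user-ro
          cisco-avpair := shell:priv-lvl=7

DEFAULT   Group == user-rw
          cisco-avpair := shell:priv-lvl=15
"""
# The fix from the same post: only the Service-Type changes.
USERS_AFTER = USERS_BEFORE.replace("Administrative-User", "NAS-Prompt-User")

# Constructed group membership (stand-in for /etc/group); users are invented.
GROUPS = {"user-ro": {"alice"}, "user-rw": {"bob"}}

# attribute, operator, value; '=' is tried last so it cannot eat ':=' or '=='.
ITEM = re.compile(r"\s*([\w-]+)\s*(==|:=|\+=|=)\s*(.*?)\s*$")


def parse_users(text):
    """Return [(name, check_items, reply_items)] per blank-line separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        name, _, rest = lines[0].strip().partition(" ")
        checks = [ITEM.match(c).groups() for c in rest.split(",") if c.strip()]
        replies = [ITEM.match(ln.rstrip().rstrip(",")).groups() for ln in lines[1:]]
        entries.append((name, checks, replies))
    return entries


def entry_matches(name, checks, user, groups):
    if name != "DEFAULT" and name != user:
        return False
    for attr, op, value in checks:
        if attr == "Group" and op == "==" and user not in groups.get(value, ()):
            return False
        # Other check items seen here (Auth-Type = System) set control state
        # rather than compare anything, so they never reject a request.
    return True


def apply_reply(reply, attr, op, value):
    if op == ":=":
        reply[attr] = [value]
    elif op == "+=":
        reply.setdefault(attr, []).append(value)
    else:  # '=' adds only when the attribute is not already present
        reply.setdefault(attr, [value])


def authorize(users_text, user, groups=GROUPS):
    """Reply attributes the modelled rlm_files produces for `user`."""
    reply = {}
    for name, checks, replies in parse_users(users_text):
        if not entry_matches(name, checks, user, groups):
            continue
        for attr, op, value in replies:
            apply_reply(reply, attr, op, value)
        # Fall-Through is consumed by the server, never sent to the NAS.
        if reply.pop("Fall-Through", ["0"])[0].lower() not in ("1", "yes"):
            break
    return reply


def cisco_priv_level(reply):
    """Privilege level the modelled Cisco NAS grants for this reply."""
    if reply.get("Service-Type", [""])[0] == "Administrative-User":
        return 15
    level = 1
    for avp in reply.get("cisco-avpair", []):
        if avp.startswith("shell:priv-lvl="):
            level = int(avp.split("=", 1)[1])
    return level


if __name__ == "__main__":
    for label, users in (("before", USERS_BEFORE), ("after", USERS_AFTER)):
        for user in ("alice", "bob", "carol"):
            print(label, user, cisco_priv_level(authorize(users, user)))
```

With the "before" file every user ends at level 15 even though the reply for alice carries shell:priv-lvl=7, because the NAS acts on Administrative-User first; with the "after" file the group entries decide: 7 for user-ro, 15 for user-rw, 1 for everyone else. Note that `Fall-Through = 1` is accepted (the attribute is an integer whose named values are No/Yes), and that the real `Group ==` check depends on the server being able to resolve group membership, which on this setup is the unix module's job.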


User /etc/shadow for Authentication

2007-04-24 Thread Norman Zhang
How do I setup users tester-a to use /etc/shadow for authentication?

Currently I have

tester-a  Auth-Type := Local, User-Password == superuser
  cisco-avpair = shell:priv-lvl=15,
  Service-Type = Administrative-User

Norman



Re: User /etc/shadow for Authentication

2007-04-24 Thread Dennis Skinner
Norman Zhang wrote:
 How do I setup users tester-a to use /etc/shadow for authentication?
 
 Currently I have
 
 tester-a  Auth-Type := Local, User-Password == superuser
   cisco-avpair = shell:priv-lvl=15,
   Service-Type = Administrative-User

I would start by reading radiusd.conf.  Look for every instance of the
word shadow and read those comments.  Then setup the unix module properly.

Make sure the user/group that radiusd runs as can read /etc/shadow.

Make sure you are *only* using PAP.  CHAP encrypts the password over the
wire and you cannot compare crypt to crypt.  One of them needs to be
cleartext (this is a limitation of encryption, not FreeRADIUS).  See the
table here:

http://deployingradius.com/documents/protocols/compatibility.html

(you are using Unix Crypt).

Make sure you have the unix module referenced in the *authorize* section
at the bottom of the conf file.

Oh, and obviously you'll want to remove (or at least change) that entry
in the users file.

Run the server in debug mode (radiusd -X) and test.

I've never tried to use /etc/shadow myself, but the comments in the
config file should get you 90% there.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
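Dennis's point about PAP versus CHAP is worth seeing in code: with PAP the server recovers the cleartext from the hidden User-Password and can run it through the one-way hash, whereas a CHAP response is an MD5 over the cleartext that the server cannot recompute from a hash. The block below is an added example, not code from the thread or from FreeRADIUS. The User-Password hiding follows RFC 2865 section 5.2 and the CHAP response RFC 1994 (both fix MD5); the stored-hash format is a constructed salted SHA-256 string standing in for crypt(3) output, since only its one-way property matters here; the shared secret, authenticator, challenge and passwords are constructed test values. It also shows why the original `User-Password == superuser` entry was the one setup under which CHAP could have worked: the cleartext was in the users file. On a real host the hash store is /etc/shadow, which the thread opened up with mode 444; giving the radiusd group read access instead keeps the hashes away from every other local account.

```python
"""PAP versus CHAP against a one-way password store (added example).

Not code from the thread or from FreeRADIUS.  User-Password hiding is
RFC 2865 section 5.2, the CHAP response is RFC 1994 / RFC 2865 section 5.3.
The stored hash is a constructed salted SHA-256 string standing in for
crypt(3) output.  All secrets and passwords below are constructed values.
"""
import hashlib
import hmac
import os
import secrets


def store_password(password: bytes, salt: bytes = None) -> str:
    """Stand-in for crypt(3): salted one-way hash, salt kept with the digest."""
    salt = salt if salt is not None else secrets.token_bytes(8)
    digest = hashlib.sha256(salt + password).hexdigest()
    return f"$x${salt.hex()}${digest}"


def check_password(password: bytes, stored: str) -> bool:
    """Hash the candidate with the stored salt and compare in constant time."""
    _, _, salt_hex, _ = stored.split("$")
    return hmac.compare_digest(store_password(password, bytes.fromhex(salt_hex)), stored)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16n, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; the server gets the cleartext back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def verify_pap(hidden: bytes, secret: bytes, authenticator: bytes, stored: str) -> bool:
    """Server side of PAP: recover the cleartext, then check it against the hash."""
    return check_password(unhide_user_password(hidden, secret, authenticator), stored)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP: MD5(id || password || challenge).  The client needs the cleartext."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_id: int, challenge: bytes, response: bytes, known: bytes) -> bool:
    """The server must recompute the same MD5, so it needs the cleartext too.
    Feeding it a crypt-style hash instead simply produces a different digest."""
    return hmac.compare_digest(chap_response(chap_id, known, challenge), response)


if __name__ == "__main__":
    secret, ra, chal = b"constructed-shared-secret", os.urandom(16), os.urandom(16)
    stored = store_password(b"superuser")
    hidden = hide_user_password(b"superuser", secret, ra)
    print("PAP against hash store:", verify_pap(hidden, secret, ra, stored))
    resp = chap_response(0x2A, b"superuser", chal)
    print("CHAP with cleartext on server:", verify_chap(0x2A, chal, resp, b"superuser"))
    print("CHAP with only the hash on server:", verify_chap(0x2A, chal, resp, stored.encode()))
```

The first two checks succeed and the third fails, which is the whole compatibility table in one run: PAP pairs with any stored form, CHAP only with a cleartext store. The same reasoning applies to MS-CHAP, whose response is derived from the NT hash rather than from a crypt string.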


Re: User /etc/shadow for Authentication

2007-04-24 Thread Norman Zhang
Dennis Skinner wrote:
 Norman Zhang wrote:
 How do I setup users tester-a to use /etc/shadow for authentication?

 Currently I have

 tester-a  Auth-Type := Local, User-Password == superuser
   cisco-avpair = shell:priv-lvl=15,
   Service-Type = Administrative-User
 
 I would start by reading radiusd.conf.  Look for every instance of the
 word shadow and read those comments.  Then setup the unix module properly.
 
 Make sure the user/group that radiusd runs as can read /etc/shadow.

Thanks. Changed /etc/shadow to 444 for now. Also

unix {
    passwd = /etc/passwd    # the option is "passwd" and the file is /etc/passwd
    group = /etc/group
    shadow = /etc/shadow
}

are uncommented in radiusd.conf

 Make sure you are *only* using PAP.  CHAP encrypts the password over the
 wire and you cannot compare crypt to crypt.  One of them needs to be
 cleartext (this is a limitation of encryption, not FreeRADIUS).  See the
 table here:
 
 http://deployingradius.com/documents/protocols/compatibility.html
 
 (you are using Unix Crypt).

pap {
encryption_scheme = crypt
}

chap {
authtype = CHAP
}

still fails. I guess I need to configure users. Will run radiusd -X to 
debug.

Norman
