Re: User /etc/shadow for Authentication
Norman Zhang wrote:

> Thanks. I edited users with the following entries
>
>     DEFAULT Auth-Type = System
>             Fall-Through = 1,
>             cisco-avpair = shell:priv-lvl=1,
>             Service-Type = Administrative-User
>
>     DEFAULT Group == user-ro
>             cisco-avpair := shell:priv-lvl=7
>
>     DEFAULT Group == user-rw
>             cisco-avpair := shell:priv-lvl=15
>
> but all users still get privilege level 15 access. Is something wrong with my config?

Found it. Service-Type should = NAS-Prompt-User.

Norman

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: User /etc/shadow for Authentication
Dennis Skinner wrote:

> Make sure you are *only* using PAP. CHAP encrypts the password over the wire and you cannot compare crypt to crypt. One of them needs to be cleartext (this is a limitation of encryption, not FreeRADIUS). See the table here: http://deployingradius.com/documents/protocols/compatibility.html (you are using Unix Crypt).

I changed

    pap {
            encryption_scheme = clear    # was crypt
    }
    chap {
            authtype = pap               # was CHAP
    }
    pam {
            pam_auth = radiusd
    }
    unix {
            cache = no
            cache_reload = 600
            passwd = /etc/passwd
            shadow = /etc/shadow
            group = /etc/group
            radwtmp = ${logdir}/radwtmp
    }

but I still cannot get in.

    rad_recv: Access-Request packet from host 10.0.0.2:1645, id=27, length=79
            NAS-IP-Address = 10.0.0.2
            NAS-Port = 1
            NAS-Port-Type = Virtual
            User-Name = tester
            Calling-Station-Id = 10.0.0.1
            User-Password = testing123
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
      modcall[authorize]: module preprocess returns ok for request 0
      modcall[authorize]: module chap returns noop for request 0
      modcall[authorize]: module mschap returns noop for request 0
        rlm_realm: No '@' in User-Name = tester, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 0
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module eap returns noop for request 0
        users: Matched DEFAULT at 152
      modcall[authorize]: module files returns ok for request 0
    modcall: group authorize returns ok for request 0
      rad_check_password:  Found Auth-Type System
    auth: type System
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 0
      modcall[authenticate]: module unix returns ok for request 0
    modcall: group authenticate returns ok for request 0
    Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
    Sending Access-Accept of id 27 to 10.0.0.2:1645
    Finished request 0
    Going to the next request
    --- 
    Starting - reading configuration files ...
    reread_config:  reading radiusd.conf
    Config:   including file: /etc/raddb/proxy.conf
    Config:   including file: /etc/raddb/clients.conf
    Config:   including file: /etc/raddb/snmp.conf
    Config:   including file: /etc/raddb/eap.conf
    Config:   including file: /etc/raddb/sql.conf
     main: prefix = /usr
     main: localstatedir = /var
     main: logdir = /var/log/radius
     main: libdir = /usr/lib
     main: radacctdir = /var/log/radius/radacct
     main: hostname_lookups = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = /var/log/radius/radius.log
     main: log_auth = yes
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = /var/run/radiusd/radiusd.pid
     main: user = radiusd
     main: group = radiusd
     main: usercollide = no
     main: lower_user = no
     main: lower_pass = no
     main: nospace_user = no
     main: nospace_pass = no
     main: checkrad = /usr/sbin/checkrad
     main: proxy_requests = yes
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: post_proxy_authorize = yes
     proxy: wake_all_if_all_dead = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files:  reading dictionary
    read_config_files:  reading naslist
    Using deprecated naslist file.  Support for this will go away soon.
    read_config_files:  reading clients
    read_config_files:  reading realms
    radiusd:  entering modules setup
    Module: Library search path is /usr/lib
    Module: Loaded exec
     exec: wait = yes
     exec: program = (null)
     exec: input_pairs = request
     exec: output_pairs = (null)
     exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined.  Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
     pap: encryption_scheme = clear
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
     mschap: use_mppe = yes
     mschap: require_encryption = no
     mschap: require_strong = no
     mschap: with_ntdomain_hack = no
     mschap: passwd = (null)
     mschap: authtype = MS-CHAP
     mschap: ntlm_auth = (null)
    Module: Instantiated mschap (mschap)
    Module: Loaded System
     unix: cache = no
     unix: passwd = /etc/passwd
     unix: shadow = /etc/shadow
     unix: group = /etc/group
     unix: radwtmp = /var/log/radius/radwtmp
     unix: usegroup = no
     unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
     eap: default_eap_type = md5
     eap: timer_expire = 60
     eap: ignore_unknown_eap_types = no
     eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and
Re: User /etc/shadow for Authentication
>     Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
>     Sending Access-Accept of id 27 to 10.0.0.2:1645

You have got in. But you haven't returned any RADIUS attributes. You need to return something like Service-Type = Administrative-User or NAS-Prompt-User so the NAS knows what to do with the user.

Ivan Kalik
Kalik Informatika ISP

On 25/4/2007, Norman Zhang [EMAIL PROTECTED] wrote:

> Dennis Skinner wrote:
>
>> Make sure you are *only* using PAP. CHAP encrypts the password over the wire and you cannot compare crypt to crypt. One of them needs to be cleartext (this is a limitation of encryption, not FreeRADIUS). See the table here: http://deployingradius.com/documents/protocols/compatibility.html (you are using Unix Crypt).
>
> I changed
>
>     pap {
>             encryption_scheme = clear    # was crypt
>     }
>     chap {
>             authtype = pap               # was CHAP
>     }
>     pam {
>             pam_auth = radiusd
>     }
>     unix {
>             cache = no
>             cache_reload = 600
>             passwd = /etc/passwd
>             shadow = /etc/shadow
>             group = /etc/group
>             radwtmp = ${logdir}/radwtmp
>     }
>
> but I still cannot get in.
Re: User /etc/shadow for Authentication
[EMAIL PROTECTED] wrote:

>>     Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
>>     Sending Access-Accept of id 27 to 10.0.0.2:1645
>
> You have got in. But you haven't returned any RADIUS attributes. You need to return something like Service-Type = Administrative-User or NAS-Prompt-User so the NAS knows what to do with the user.

Thanks for the hint. I added the last two lines to users, now I can log in.

    DEFAULT Auth-Type = System
            Fall-Through = 1,
            cisco-avpair = shell:priv-lvl=15,
            Service-Type = Administrative-User

Still trying to learn FreeRADIUS: should Fall-Through = True and not 1? How can I specify some users to have priv-lvl lower than 15, if the default is 15?

Norman
RE: User /etc/shadow for Authentication [unclas]
Put your users into groups and add extra entries:

    DEFAULT Group == numpties
            cisco-avpair := shell:priv-lvl=1

    DEFAULT Group == supernumpties
            cisco-avpair := shell:priv-lvl=10

Notes: These lines use := to over-rule the cisco-avpair previously set. They do not fall through. I personally would make the default a low privilege, with high privilege coming from group membership. You'll need to read up on the available mechanisms for grouping users.

Regards,
Frank Ranner

-----Original Message-----
From: [EMAIL PROTECTED] eradius.org [mailto:[EMAIL PROTECTED] ists.freeradius.org] On Behalf Of Norman Zhang
Sent: Thursday, 26 April 2007 10:50
To: freeradius-users@lists.freeradius.org
Subject: Re: User /etc/shadow for Authentication

> Thanks for the hint. I added the last two lines to users, now I can log in.
>
>     DEFAULT Auth-Type = System
>             Fall-Through = 1,
>             cisco-avpair = shell:priv-lvl=15,
>             Service-Type = Administrative-User
>
> Still trying to learn FreeRADIUS: should Fall-Through = True and not 1? How can I specify some users to have priv-lvl lower than 15, if the default is 15?
>
> Norman
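The operator rules Frank relies on (`=` only adds a reply attribute that is not already set, `:=` overrides it, and an entry without Fall-Through ends the scan) are what make "low default, groups raise it" work. The following is an added example for this thread, not code from FreeRADIUS or from any poster: it parses a small users-file text modelled on the entries above (constructed), looks group membership up in an in-memory dictionary standing in for `/etc/group`, and evaluates a request the way the users file is scanned, top to bottom. The `GROUPS` map, the user names `alice`, `bob` and `carol`, and the `Entry` class are assumptions of the example.

```python
"""Evaluate FreeRADIUS-style `users` entries for the priv-lvl scheme in the thread.

Added example; not FreeRADIUS code. Check items on the first line, reply items
on the indented lines, `DEFAULT` matches any user, `=` adds-if-absent, `:=`
overrides, Fall-Through continues the scan.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for /etc/group (what the unix module reads via `group =`).
GROUPS = {"user-ro": {"alice"}, "user-rw": {"bob"}}

# Constructed users file: low default, groups raise the level.
USERS_FILE = """\
DEFAULT Auth-Type = System
        cisco-avpair = "shell:priv-lvl=1",
        Service-Type = NAS-Prompt-User,
        Fall-Through = Yes

DEFAULT Group == user-ro
        cisco-avpair := "shell:priv-lvl=7"

DEFAULT Group == user-rw
        cisco-avpair := "shell:priv-lvl=15"
"""

# attribute, operator, optionally quoted value (values containing commas are not handled)
ITEM = re.compile(r'^\s*([\w-]+)\s*(:=|==|=)\s*"?([^",]*?)"?\s*$')


@dataclass
class Entry:
    name: str      # "DEFAULT" or a User-Name
    checks: list   # (attr, op, value) items from the first line
    replies: list  # (attr, op, value) items from the indented lines


def parse_item(text: str):
    m = ITEM.match(text)
    if not m:
        raise ValueError(f"cannot parse item {text!r}")
    return m.group(1), m.group(2), m.group(3)


def parse_users(text: str):
    """Split on blank lines; first line = name + check items, rest = reply items."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name, _, rest = lines[0].strip().partition(" ")
        checks = [parse_item(i) for i in rest.split(",") if i.strip()]
        replies = [parse_item(i) for line in lines[1:] for i in line.split(",") if i.strip()]
        entries.append(Entry(name, checks, replies))
    return entries


def in_group(username: str, group: str) -> bool:
    return username in GROUPS.get(group, set())


def checks_match(entry: Entry, username: str, request: dict, control: dict) -> bool:
    """`==` compares against the request (Group via the group map); `=` sets a
    control item such as Auth-Type only if unset; `:=` always sets it. Control
    items are committed only when every check item of the entry matches."""
    pending = dict(control)
    for attr, op, value in entry.checks:
        if op == "==":
            ok = in_group(username, value) if attr == "Group" else request.get(attr) == value
            if not ok:
                return False
        elif op == "=":
            pending.setdefault(attr, value)
        else:
            pending[attr] = value
    control.update(pending)
    return True


def evaluate(entries, username: str, request: dict = None):
    """Return (control items, reply items) for one request."""
    request = {**(request or {}), "User-Name": username}
    control, reply = {}, {}
    for entry in entries:
        if entry.name not in ("DEFAULT", username) or not checks_match(entry, username, request, control):
            continue
        fall_through = False
        for attr, op, value in entry.replies:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("1", "yes", "true")
            elif op == ":=":
                reply[attr] = value
            elif op == "=":
                reply.setdefault(attr, value)
        if not fall_through:
            break
    return control, reply


def priv_level(reply: dict):
    m = re.search(r"shell:priv-lvl=(\d+)", reply.get("cisco-avpair", ""))
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    for user in ("alice", "bob", "carol"):
        control, reply = evaluate(entries, user)
        print(f"{user}: Auth-Type={control.get('Auth-Type')} priv-lvl={priv_level(reply)}")
```

Swapping the `:=` on the group entries for `=` makes every user come out at level 1, because `=` will not replace the cisco-avpair the DEFAULT entry already set; that is the point of Frank's note about over-ruling.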
User /etc/shadow for Authentication
How do I set up user tester-a to use /etc/shadow for authentication? Currently I have

    tester-a Auth-Type := Local, User-Password == superuser
             cisco-avpair = shell:priv-lvl=15,
             Service-Type = Administrative-User

Norman
Re: User /etc/shadow for Authentication
Norman Zhang wrote:

> How do I set up user tester-a to use /etc/shadow for authentication? Currently I have
>
>     tester-a Auth-Type := Local, User-Password == superuser
>              cisco-avpair = shell:priv-lvl=15,
>              Service-Type = Administrative-User

I would start by reading radiusd.conf. Look for every instance of the word shadow and read those comments. Then set up the unix module properly. Make sure the user/group that radiusd runs as can read /etc/shadow.

Make sure you are *only* using PAP. CHAP encrypts the password over the wire and you cannot compare crypt to crypt. One of them needs to be cleartext (this is a limitation of encryption, not FreeRADIUS). See the table here: http://deployingradius.com/documents/protocols/compatibility.html (you are using Unix Crypt).

Make sure you have the unix module referenced in the *authorize* section at the bottom of the conf file.

Oh, and obviously you'll want to remove (or at least change) that entry in the users file.

Run the server in debug mode (radiusd -X) and test. I've never tried to use /etc/shadow myself, but the comments in the config file should get you 90% there.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
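Dennis's "you cannot compare crypt to crypt" is the whole reason the PAP-only advice matters. The following is an added example for this thread, not code from FreeRADIUS or from any poster, that shows both sides of it: the RFC 2865 User-Password hiding that PAP uses on the wire (reversible by the server, so the cleartext is available to hash and compare against /etc/shadow) and the RFC 1994 CHAP/MD5 response (computable only from the cleartext, so a hashed password store cannot verify it). The stored hash is a salted SHA-256 built with hashlib standing in for crypt(3); the real /etc/shadow format differs, but the one-way property is the same. The shared secret, authenticator, challenge, CHAP identifier and passwords are constructed test values.

```python
"""PAP vs CHAP against a crypt(3)-style password store.

Added example; not FreeRADIUS code. `crypt_like_hash` is a hashlib stand-in
for crypt(3) (assumption), the shared secret and authenticator are constructed.
"""
import hashlib
import hmac

SHARED_SECRET = b"testing123"   # constructed: NAS/server shared secret
MD5_BLOCK = 16


def radius_user_password_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block).
    Hides the PAP password from a passive observer without the secret; the server reverses it."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % MD5_BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), MD5_BLOCK):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + MD5_BLOCK], key))
        out, prev = out + block, block
    return out


def radius_user_password_decode(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above: the cleartext rlm_pap actually sees."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), MD5_BLOCK):
        block = cipher[i:i + MD5_BLOCK]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5: the peer sends MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def crypt_like_hash(password: bytes, salt: bytes) -> str:
    """Stand-in for crypt(3): salted, one-way. Tagged so it cannot pass for a real hash."""
    return "$standin$" + salt.hex() + "$" + hashlib.sha256(salt + password).hexdigest()


def crypt_like_verify(stored: str, password: bytes) -> bool:
    _, _, salt_hex, _ = stored.split("$")
    return hmac.compare_digest(crypt_like_hash(password, bytes.fromhex(salt_hex)), stored)


def verify_pap(stored_hash: str, user_password_attr: bytes, authenticator: bytes) -> bool:
    """Auth-Type System with PAP: recover the cleartext, hash it, compare."""
    cleartext = radius_user_password_decode(user_password_attr, SHARED_SECRET, authenticator)
    return crypt_like_verify(stored_hash, cleartext)


def verify_chap(credential: tuple, ident: int, challenge: bytes, response: bytes):
    """credential is ("cleartext", password) or ("crypt", hash).
    True/False for a cleartext store; None for a hashed store, because
    MD5(ident || password || challenge) cannot be recomputed from crypt(password)."""
    kind, value = credential
    if kind != "cleartext":
        return None
    return hmac.compare_digest(chap_response(ident, value.encode(), challenge), response)


if __name__ == "__main__":
    auth = bytes(range(16))                       # constructed Request Authenticator
    stored = crypt_like_hash(b"testing123", b"\x01\x02\x03\x04")
    attr = radius_user_password_encode(b"testing123", SHARED_SECRET, auth)
    print("PAP  against crypt store:", verify_pap(stored, attr, auth))
    challenge = b"\xaa" * 16
    resp = chap_response(27, b"testing123", challenge)
    print("CHAP against cleartext  :", verify_chap(("cleartext", "testing123"), 27, challenge, resp))
    print("CHAP against crypt store:", verify_chap(("crypt", stored), 27, challenge, resp))
```

Note what "cleartext" means here: the User-Password attribute on the wire is XOR-masked with an MD5 stream keyed by the shared secret, so PAP is only as private as that secret and the transport around it; the reason it works with /etc/shadow is that the server can undo the masking, which is exactly what it cannot do with a CHAP response.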
Re: User /etc/shadow for Authentication
Dennis Skinner wrote:

> Norman Zhang wrote:
>
>> How do I set up user tester-a to use /etc/shadow for authentication? Currently I have
>>
>>     tester-a Auth-Type := Local, User-Password == superuser
>>              cisco-avpair = shell:priv-lvl=15,
>>              Service-Type = Administrative-User
>
> I would start by reading radiusd.conf. Look for every instance of the word shadow and read those comments. Then set up the unix module properly. Make sure the user/group that radiusd runs as can read /etc/shadow.

Thanks. Changed /etc/shadow to 444 for now. Also

    unix {
            passwd = /etc/passwd
            group = /etc/group
            shadow = /etc/shadow
    }

are uncommented in radiusd.conf.

> Make sure you are *only* using PAP. CHAP encrypts the password over the wire and you cannot compare crypt to crypt. One of them needs to be cleartext (this is a limitation of encryption, not FreeRADIUS). See the table here: http://deployingradius.com/documents/protocols/compatibility.html (you are using Unix Crypt).

    pap {
            encryption_scheme = crypt
    }
    chap {
            authtype = CHAP
    }

still fails. I guess I need to configure users. Will run radiusd -X to debug.

Norman