Re: How to get PAM to use RADIUS to authenticate a user?
The radiusd.conf file needs the pam entry uncommented. You need a /etc/pam.d/radiusd file. (I never got the pam_auth argument in the radiusd.conf file to work correctly. I don't believe you want to use the login file anyway, since that checks out what tty you are using and in this case you are not using any.)

Your 'users' file needs to include something like:

    DEFAULT Auth-Type :=Pam pam-auth=radius, Fall-Through = Yes

I am not sure pam-auth= should read pam-auth=radiusd here.

You can crank up debugging on the pam modules, I think it is the -d pam or -debug or something similar.

Try something like this in your /etc/pam.d/radius.d file:

    auth      required  /lib/security/pam_unix.so
    auth      required  /lib/security/pam_nologin.so
    account   required  /lib/security/pam_permit.so
    password  required  /lib/security/pam_permit.so
    session   required  /lib/security/pam_permit.so

On Thu, 20 May 2004, Maqbool Hashim wrote:

> I posted the following to the list yesterday, I thought I would post it again in case anyone else has any ideas regarding this...? (Are there any experts on PAM on the list?)
>
> I know this may be a little off topic if it is a PAM problem, but I would appreciate help from anyone who has got RADIUS to work with PAM.
>
> Thanks and please forgive me for posting it twice
>
> Maqbool Hashim wrote:
>
>> FreeRadius version: 0.9.3
>> Redhat Linux 9.0
>>
>> I have installed FreeRadius on my system and to get familiar with it I am attempting to get the Unix login program to authenticate using the radius server. In order to do this I am using the radius pam module pam_radius_auth. So PAM is the radius client. (All programs are running on the same machine, client and radius server).
>>
>> Here's what I have in /etc/pam.d/login :
>>
>>     #%PAM-1.0
>>     auth      required    pam_securetty.so
>>     auth      sufficient  /lib/security/pam_radius_auth.so debug
>>     auth      required    pam_stack.so service=system-auth
>>     auth      required    pam_nologin.so
>>     account   required    pam_stack.so service=system-auth
>>     password  required    pam_stack.so service=system-auth
>>     session   required    pam_stack.so service=system-auth
>>     session   optional    pam_console.so
>>
>> and in /raddb/users I have the following default line:
>>
>>     DEFAULT Auth-Type := System
>>             Service-Type = Login-User
>>
>> I start the radius server as follows:
>>
>>     radiusd -i 127.0.0.1 -X
>>
>> then in another terminal I execute login and try to login as a normal user. The login program returns with:
>>
>>     Authentication service cannot retrieve authentication info.
>>
>> Now I check the radius server debugging info and from that side it seems to be authenticating the user fine:
>>
>>     users: Matched DEFAULT at 140
>>     modcall[authorize]: module files returns ok for request 0
>>     modcall[authorize]: module mschap returns noop for request 0
>>     modcall: group authorize returns ok for request 0
>>     rad_check_password: Found Auth-Type System
>>     auth: type System
>>     modcall: entering group authenticate for request 0
>>     modcall[authenticate]: module unix returns ok for request 0
>>     modcall: group authenticate returns ok for request 0
>>     Sending Access-Accept of id 206 to 127.0.0.1:5735
>>     Service-Type = Login-User
>>     Finished request 0
>>
>> This problem has me confused. If anyone can shed any light on the matter I would appreciate it. Perhaps the problem lies in the .../pam.d/login configuration?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How to get PAM to use RADIUS to authenticate a user?
FreeRadius version: 0.9.3
Redhat Linux 9.0

I have installed FreeRadius on my system and to get familiar with it I am attempting to get the Unix login program to authenticate using the radius server. In order to do this I am using the radius pam module pam_radius_auth. So PAM is the radius client. (All programs are running on the same machine, client and radius server).

Here's what I have in /etc/pam.d/login :

    #%PAM-1.0
    auth      required    pam_securetty.so
    auth      sufficient  /lib/security/pam_radius_auth.so debug
    auth      required    pam_stack.so service=system-auth
    auth      required    pam_nologin.so
    account   required    pam_stack.so service=system-auth
    password  required    pam_stack.so service=system-auth
    session   required    pam_stack.so service=system-auth
    session   optional    pam_console.so

and in /raddb/users I have the following default line:

    DEFAULT Auth-Type := System
            Service-Type = Login-User

I start the radius server as follows:

    radiusd -i 127.0.0.1 -X

then in another terminal I execute login and try to login as a normal user. The login program returns with:

    Authentication service cannot retrieve authentication info.

Now I check the radius server debugging info and from that side it seems to be authenticating the user fine:

    users: Matched DEFAULT at 140
    modcall[authorize]: module files returns ok for request 0
    modcall[authorize]: module mschap returns noop for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type System
    auth: type System
    modcall: entering group authenticate for request 0
    modcall[authenticate]: module unix returns ok for request 0
    modcall: group authenticate returns ok for request 0
    Sending Access-Accept of id 206 to 127.0.0.1:5735
    Service-Type = Login-User
    Finished request 0

This problem has me confused. If anyone can shed any light on the matter I would appreciate it. Perhaps the problem lies in the .../pam.d/login configuration?
Re: How to get PAM to use RADIUS to authenticate a user?
> You just have to put Auth-Type := pam in the users file
>
> Déborah Malka

Thanks for the reply Deborah, unfortunately the suggestion you made below doesn't seem to work. When I change auth-type from system to pam... this is what happens:

When I run login it behaves very strangely... it asks for password twice. After I enter the password for the second time I get the same message as before:

    login: test
    Password:
    Password:
    Authentication service cannot retrieve authentication info.

On the Radius server I now get an access-reject message:

    rad_check_password: Found Auth-Type pam
    auth: type PAM
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 125 to 127.0.0.1:6512
    Waking up in 4 seconds...

Also I think that using Auth-Type = Pam, makes radius authenticate via pam. Whereas what I am trying to do is to get the unix login program to authenticate via my radius server using pam module.

Anyone have any further ideas?

Thanks
Re: How to get PAM to use RADIUS to authenticate a user?
Maqbool Hashim wrote:

> I have installed FreeRadius on my system and to get familiar with it I am attempting to get the Unix login program to authenticate using the radius server.

Ok..

> (All programs are running on the same machine, client and radius server).

I'm not sure that's a good idea.

> and in /raddb/users I have the following default line:
>
>     DEFAULT Auth-Type := System
>             Service-Type = Login-User

Hmm... so long as there's no PAM entry for radiusd, saying use radius, I guess that's OK.

> then in another terminal I execute login and try to login as a normal user. The login program returns with:
>
>     Authentication service cannot retrieve authentication info.

Are there PAM debug logs you can read?

> This problem has me confused. If anyone can shed any light on the matter I would appreciate it. Perhaps the problem lies in the .../pam.d/login configuration?

It's most likely PAM, which is very insistent on not telling you what went wrong, or why.

Alan DeKok.
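
Added example, not part of any message in this thread: a small audit of the two configurations discussed above. It flags the loop Alan DeKok's caveat describes (radiusd authenticating through a PAM service that itself calls pam_radius_auth) and the local fallback left open by `sufficient` in /etc/pam.d/login. The function names and sample files are constructed for illustration, and the check assumes pam_radius_auth on this host points at the local radiusd.

```python
import os

# Constructed samples modelled on the files quoted in this thread.
LOGIN_PAM = """\
#%PAM-1.0
auth     required    pam_securetty.so
auth     sufficient  /lib/security/pam_radius_auth.so debug
auth     required    pam_stack.so service=system-auth
account  required    pam_stack.so service=system-auth
"""
RADIUSD_PAM_LOCAL = "auth required /lib/security/pam_unix.so\n"
RADIUSD_PAM_LOOP = "auth required /lib/security/pam_radius_auth.so\n"

def parse_pam(text):
    """Return (type, control, module basename) for every rule line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], os.path.basename(fields[2])))
    return rules

def radius_rules(rules):
    """Indexed auth rules that call pam_radius_auth.so."""
    return [(i, r) for i, r in enumerate(rules)
            if r[0] == "auth" and r[2] == "pam_radius_auth.so"]

def check(client_pam, radiusd_pam, users_auth_type):
    """Audit a PAM RADIUS client whose radiusd runs on the same host."""
    client, server = parse_pam(client_pam), parse_pam(radiusd_pam)
    findings = []
    # Auth-Type Pam sends radiusd to its PAM service; if that service calls
    # pam_radius_auth, the request comes straight back to radiusd.
    if users_auth_type.lower() == "pam" and radius_rules(server):
        findings.append("loop: radiusd's PAM service points back at RADIUS")
    # 'sufficient' ignores a RADIUS failure; later auth rules still decide.
    for i, (_, control, _) in radius_rules(client):
        later = [r for r in client[i + 1:] if r[0] == "auth"]
        if control == "sufficient" and later:
            findings.append("fallback: %d auth rule(s) after RADIUS can "
                            "still admit the user" % len(later))
    return findings

if __name__ == "__main__":
    for radiusd_pam, auth_type in ((RADIUSD_PAM_LOCAL, "System"),
                                   (RADIUSD_PAM_LOOP, "Pam")):
        print(auth_type, check(LOGIN_PAM, radiusd_pam, auth_type))
```
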