Re: User /etc/shadow for Authentication

2007-04-26 Thread Norman Zhang
Norman Zhang wrote:
> Thanks. I edited users with the following entries
> 
> DEFAULT   Auth-Type = System
>   Fall-Through = 1,
>   cisco-avpair = "shell:priv-lvl=1",
>   Service-Type = Administrative-User
> 
> DEFAULT Group == user-ro
>   cisco-avpair := "shell:priv-lvl=7"
> 
> DEFAULT Group == user-rw
>   cisco-avpair := "shell:priv-lvl=15"
> 
> but all users still get privilege level 15 access. Something wrong with 
> my config?

Found it. Service-Type should = NAS-Prompt-User.

Norman

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: User /etc/shadow for Authentication

2007-04-26 Thread Norman Zhang
Ranner, Frank MR wrote:
> Put your users into groups and add extra entries:
> 
> DEFAULT Group == numpties
>   cisco-avpair := "shell:priv-lvl=1"
> 
> DEFAULT Group == supernumpties
>   cisco-avpair := "shell:priv-lvl=10"
> 
> Notes:
> These lines use := to over-rule the cisco-avpair previously set.
> They do not fall through.
> I personally would make the default a low privilege, with high 
> privilege coming from group membership. 
> 
> You'll need to read up on the available mechanisms for grouping users.

Thanks. I edited users with the following entries

DEFAULT Auth-Type = System
        Fall-Through = 1,
        cisco-avpair = "shell:priv-lvl=1",
        Service-Type = Administrative-User

DEFAULT Group == user-ro
        cisco-avpair := "shell:priv-lvl=7"

DEFAULT Group == user-rw
        cisco-avpair := "shell:priv-lvl=15"

but all users still get privilege level 15 access. Something wrong with 
my config?

Norman



RE: User /etc/shadow for Authentication [unclas]

2007-04-25 Thread Ranner, Frank MR
Put your users into groups and add extra entries:

DEFAULT Group == numpties
        cisco-avpair := "shell:priv-lvl=1"

DEFAULT Group == supernumpties
        cisco-avpair := "shell:priv-lvl=10"

Notes:
These lines use := to over-rule the cisco-avpair previously set.
They do not fall through.
I personally would make the default a low privilege, with high 
privilege coming from group membership. 

You'll need to read up on the available mechanisms for grouping users.

Regards,
Frank Ranner

> -Original Message-
> From: 
> [EMAIL PROTECTED]
> eradius.org 
> [mailto:[EMAIL PROTECTED]
> ists.freeradius.org] On Behalf Of Norman Zhang
> Sent: Thursday, 26 April 2007 10:50
> To: freeradius-users@lists.freeradius.org
> Subject: Re: User /etc/shadow for Authentication
> 
> [EMAIL PROTECTED] wrote:
> > Login OK: [tester] (from client test-network port 1 cli 10.0.0.1) 
> > Sending Access-Accept of id 27 to 10.0.0.2:1645
> > 
> > You have "got in". But you haven't returned any radius 
> attributes. You 
> > need to return something like Service-Type = Administrative-User or 
> > NAS-Prompt-User so NAS knows what to do with the user.
> 
> Thanks for the hint. I added the last two lines to users, now 
> I can login.
> 
> DEFAULT   Auth-Type = System
>   Fall-Through = 1,
>  cisco-avpair = "shell:priv-lvl=15",
>  Service-Type = Administrative-User
> 
> Still trying to learn FreeRADIUS, should Fall-Through = True 
> and not 1? 
> How can I specify some users to have priv-lvl lower than 15, 
> if default is 15?
> 
> Norman
> 
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 

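As an added illustration of the operator and Fall-Through semantics Frank describes above (and of the entries Norman settled on, with the Service-Type = NAS-Prompt-User fix from his last message), here is a small Python model of how the users file builds a reply. It is example code written for this thread, not FreeRADIUS code: group membership comes from a constructed dict standing in for the unix module's group lookup, the user names are made up, and what the Cisco NAS does with the reply attributes is not modelled.

```python
"""Toy model of how FreeRADIUS's users file (rlm_files) builds the reply.
Added example for this thread; not FreeRADIUS code.  Modelled: DEFAULT and
named entries, `==` check items, the `=` (set if absent) and `:=` (override)
assignment operators, and Fall-Through.  Group membership is a constructed
dict; the NAS side (how it acts on Service-Type) is deliberately out of scope."""
import re

# Constructed group membership for the demo (FreeRADIUS reads /etc/group instead).
GROUPS = {"alice": {"user-ro"}, "bob": {"user-rw"}, "carol": set()}

# The entries from the thread, with Service-Type = NAS-Prompt-User as in the final post.
USERS_FILE = """\
DEFAULT Auth-Type = System
        Fall-Through = 1,
        cisco-avpair = "shell:priv-lvl=1",
        Service-Type = NAS-Prompt-User

DEFAULT Group == user-ro
        cisco-avpair := "shell:priv-lvl=7"

DEFAULT Group == user-rw
        cisco-avpair := "shell:priv-lvl=15"
"""

# attribute, operator, value; a value may be double-quoted (quotes are stripped)
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_pairs(text):
    return [(attr, op, val.strip('"')) for attr, op, val in PAIR_RE.findall(text)]


def parse_users(text):
    """Unindented line: entry name plus check items; indented lines: reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            parts = line.split(None, 1)
            check = parse_pairs(parts[1]) if len(parts) > 1 else []
            entries.append({"name": parts[0], "check": check, "reply": []})
        else:
            entries[-1]["reply"].extend(parse_pairs(line))
    return entries


def entry_matches(entry, user, control):
    """All `==` comparisons must hold; assignments on the check line are applied later."""
    if entry["name"] not in ("DEFAULT", user):
        return False
    for attr, op, value in entry["check"]:
        if op != "==":
            continue
        if attr == "Group":
            if value not in GROUPS.get(user, set()):
                return False
        elif control.get(attr) != value:
            return False
    return True


def apply_pairs(pairs, target):
    for attr, op, value in pairs:
        if op == "=":            # only adds the attribute if it is not already present
            target.setdefault(attr, value)
        elif op == ":=":         # always sets it, overriding an earlier entry
            target[attr] = value


def resolve(entries, user):
    """Walk entries in order; stop after the first match unless it sets Fall-Through."""
    control, reply = {}, {}
    for entry in entries:
        if not entry_matches(entry, user, control):
            continue
        apply_pairs(entry["check"], control)
        apply_pairs(entry["reply"], reply)
        # Fall-Through is an integer attribute (No = 0, Yes = 1) and is never sent to the NAS.
        if reply.pop("Fall-Through", "0").lower() not in ("1", "yes", "true"):
            break
    return control, reply


def priv_level(user, users_text=USERS_FILE):
    """The cisco-avpair the server would return for this user."""
    _, reply = resolve(parse_users(users_text), user)
    return reply.get("cisco-avpair")


if __name__ == "__main__":
    for who in GROUPS:
        print(who, resolve(parse_users(USERS_FILE), who))
    # Frank's point: with `=` instead of `:=` the group entries cannot override the
    # priv-lvl=1 that the first DEFAULT entry already put into the reply.
    print("alice with '=':", priv_level("alice", USERS_FILE.replace(":=", "=")))
```

Running it shows alice (user-ro) getting priv-lvl 7, bob (user-rw) 15, and carol, who is in neither group, the default of 1; swapping `:=` for `=` in the group entries leaves everyone at 1, which is why the override operator matters there. Fall-Through = 1 and Fall-Through = Yes are accepted as the same value in the model, matching the integer definition of the attribute.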


Re: User /etc/shadow for Authentication

2007-04-25 Thread Norman Zhang
[EMAIL PROTECTED] wrote:
> Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
> Sending Access-Accept of id 27 to 10.0.0.2:1645
> 
> You have "got in". But you haven't returned any radius attributes. You
> need to return something like Service-Type = Administrative-User or
> NAS-Prompt-User so NAS knows what to do with the user.

Thanks for the hint. I added the last two lines to users, now I can login.

DEFAULT Auth-Type = System
        Fall-Through = 1,
        cisco-avpair = "shell:priv-lvl=15",
        Service-Type = Administrative-User

Still trying to learn FreeRADIUS, should Fall-Through = True and not 1? 
How can I specify some users to have priv-lvl lower than 15, if default 
is 15?

Norman



Re: User /etc/shadow for Authentication

2007-04-25 Thread tnt
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
Sending Access-Accept of id 27 to 10.0.0.2:1645

You have "got in". But you haven't returned any radius attributes. You
need to return something like Service-Type = Administrative-User or
NAS-Prompt-User so NAS knows what to do with the user.

Ivan Kalik
Kaliik Informatika ISP


On 25/4/2007, "Norman Zhang" <[EMAIL PROTECTED]> writes:

>Dennis Skinner wrote:
>> Make sure you are *only* using PAP.  CHAP encrypts the password over the
>> wire and you cannot compare crypt to crypt.  One of them needs to be
>> cleartext (this is a limitation of encryption, not FreeRADIUS).  See the
>> table here:
>>
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>> (you are using Unix Crypt).
>
>
>I changed
>
>pap {
>   encryption_scheme = clear  # was crypt
>}
>
>chap {
>   authtype = pap# was CHAP
>}
>
>pam {
>   pam_auth = radiusd
>}
>
>unix {
>   cache = no
>   cache_reload = 600
>   passwd = /etc/passwd
>   shadow = /etc/shadow
>   group = /etc/group
>   radwtmp = ${logdir}/radwtmp
>}
>
>but I still cannot get in.
>
>rad_recv: Access-Request packet from host 10.0.0.2:1645, id=27, length=79
> NAS-IP-Address = 10.0.0.2
> NAS-Port = 1
> NAS-Port-Type = Virtual
> User-Name = "tester"
> Calling-Station-Id = "10.0.0.1"
> User-Password = "testing123"
>   Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 0
>modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type System
>auth: type "System"
>   Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 0
>   modcall[authenticate]: module "unix" returns ok for request 0
>modcall: group authenticate returns ok for request 0
>Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
>Sending Access-Accept of id 27 to 10.0.0.2:1645
>Finished request 0
>Going to the next request
>
>---
>
>Starting - reading configuration files ...
>reread_config:  reading radiusd.conf
>Config:   including file: /etc/raddb/proxy.conf
>Config:   including file: /etc/raddb/clients.conf
>Config:   including file: /etc/raddb/snmp.conf
>Config:   including file: /etc/raddb/eap.conf
>Config:   including file: /etc/raddb/sql.conf
>  main: prefix = "/usr"
>  main: localstatedir = "/var"
>  main: logdir = "/var/log/radius"
>  main: libdir = "/usr/lib"
>  main: radacctdir = "/var/log/radius/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/var/log/radius/radius.log"
>  main: log_auth = yes
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>  main: user = "radiusd"
>  main: group = "radiusd"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/sbin/checkrad"
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  proxy: post_proxy_authorize = yes
>  proxy: wake_all_if_all_dead = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
>  main: debug_level = 0
>read_config_files:  reading dictionary
>read_config_files:  reading naslist
>Using deprecated naslist file.  Support for this will go away soon.
>read_config_files:  reading clients
>read_config_files:  reading realms
>radiusd:  entering modules setup
>Module: Library search path is /usr/lib
>Module: Loaded exec
>  exec: wait = yes
>  exec: program = "(null)"
>  exec: input_pairs = "request"
>  exec: output_pairs = "(null)"
>  exec: packet_type = "(null)"
>rlm_exec: Wait=yes but no output defined. Did you mean output=none?
>Module: Instantiated exec (exec)
>Module: Loaded expr
>Module: Instantiated expr (expr)
>Module: Loaded PAP
>  pap: encryption_scheme = "clear"
>Module: Instantiated pap (pap)
>Module: Loaded CHAP
>Module: Instantiated chap (chap)
>Module: Loaded MS-CHAP
>  mschap: use_mppe = yes
>  mschap: require_encryption = no
>  mscha

Re: User /etc/shadow for Authentication

2007-04-25 Thread Norman Zhang
Dennis Skinner wrote:
> Make sure you are *only* using PAP.  CHAP encrypts the password over the
> wire and you cannot compare crypt to crypt.  One of them needs to be
> cleartext (this is a limitation of encryption, not FreeRADIUS).  See the
> table here:
> 
> http://deployingradius.com/documents/protocols/compatibility.html
> 
> (you are using Unix Crypt).


I changed

pap {
        encryption_scheme = clear   # was crypt
}

chap {
        authtype = pap              # was CHAP
}

pam {
        pam_auth = radiusd
}

unix {
        cache = no
        cache_reload = 600
        passwd = /etc/passwd
        shadow = /etc/shadow
        group = /etc/group
        radwtmp = ${logdir}/radwtmp
}

but I still cannot get in.

rad_recv: Access-Request packet from host 10.0.0.2:1645, id=27, length=79
 NAS-IP-Address = 10.0.0.2
 NAS-Port = 1
 NAS-Port-Type = Virtual
 User-Name = "tester"
 Calling-Station-Id = "10.0.0.1"
 User-Password = "testing123"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
 rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
 rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module "eap" returns noop for request 0
 users: Matched DEFAULT at 152
   modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type System
auth: type "System"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
   modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
Sending Access-Accept of id 27 to 10.0.0.2:1645
Finished request 0
Going to the next request

---

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
  main: prefix = "/usr"
  main: localstatedir = "/var"
  main: logdir = "/var/log/radius"
  main: libdir = "/usr/lib"
  main: radacctdir = "/var/log/radius/radacct"
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = "/var/log/radius/radius.log"
  main: log_auth = yes
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = "/var/run/radiusd/radiusd.pid"
  main: user = "radiusd"
  main: group = "radiusd"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "no"
  main: nospace_pass = "no"
  main: checkrad = "/usr/sbin/checkrad"
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = yes
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
  exec: wait = yes
  exec: program = "(null)"
  exec: input_pairs = "request"
  exec: output_pairs = "(null)"
  exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
  pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = no
  mschap: with_ntdomain_hack = no
  mschap: passwd = "(null)"
  mschap: authtype = "MS-CHAP"
  mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
  unix: cache = no
  unix: passwd = "/etc/passwd"
  unix: shadow = "/etc/shadow"
  unix: group = "/etc/group"
  unix: radwtmp = "/var/log/radius/radwtmp"
  unix: usegroup = no
  unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
  eap: default_eap_type = "md5"
  eap: timer_expire = 60
  eap: ignore_u

Re: User /etc/shadow for Authentication

2007-04-24 Thread Norman Zhang
Dennis Skinner wrote:
> Norman Zhang wrote:
>> How do I setup users tester-a to use /etc/shadow for authentication?
>>
>> Currently I have
>>
>> tester-a  Auth-Type := Local, User-Password == "superuser"
>>   cisco-avpair = "shell:priv-lvl=15",
>>   Service-Type = Administrative-User
> 
> I would start by reading radiusd.conf.  Look for every instance of the
> word "shadow" and read those comments.  Then setup the unix module properly.
> 
> Make sure the user/group that radiusd runs as can read /etc/shadow.

Thanks. Changed /etc/shadow to 444 for now. Also

unix {
        password = /etc/password
        group = /etc/group
        shadow = /etc/shadow
}

are uncommented in radiusd.conf

> Make sure you are *only* using PAP.  CHAP encrypts the password over the
> wire and you cannot compare crypt to crypt.  One of them needs to be
> cleartext (this is a limitation of encryption, not FreeRADIUS).  See the
> table here:
> 
> http://deployingradius.com/documents/protocols/compatibility.html
> 
> (you are using Unix Crypt).

pap {
        encryption_scheme = crypt
}

chap {
        authtype = CHAP
}

still fails. I guess I need to configure users. Will run radiusd -X to 
debug.

Norman



Re: User /etc/shadow for Authentication

2007-04-24 Thread Dennis Skinner
Norman Zhang wrote:
> How do I setup users tester-a to use /etc/shadow for authentication?
> 
> Currently I have
> 
> tester-a  Auth-Type := Local, User-Password == "superuser"
>   cisco-avpair = "shell:priv-lvl=15",
>   Service-Type = Administrative-User

I would start by reading radiusd.conf.  Look for every instance of the
word "shadow" and read those comments.  Then setup the unix module properly.

Make sure the user/group that radiusd runs as can read /etc/shadow.

Make sure you are *only* using PAP.  CHAP encrypts the password over the
wire and you cannot compare crypt to crypt.  One of them needs to be
cleartext (this is a limitation of encryption, not FreeRADIUS).  See the
table here:

http://deployingradius.com/documents/protocols/compatibility.html

(you are using Unix Crypt).

Make sure you have the unix module referenced in the *authorize* section
at the bottom of the conf file.

Oh, and obviously you'll want to remove (or at least change) that entry
in the users file.

Run the server in debug mode (radiusd -X) and test.

I've never tried to use /etc/shadow myself, but the comments in the
config file should get you 90% there.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
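Dennis's point that CHAP needs a cleartext password on the server, while PAP can be checked against a crypt hash, is easy to see in code. The following Python is an added example for this thread, not FreeRADIUS code: the salted one-way hash is a stand-in for the crypt(3) hash kept in /etc/shadow, the CHAP response is computed as in RFC 1994 (MD5 over identifier, secret and challenge, which is also what the RADIUS CHAP-Password attribute carries after its identifier byte), and the salt, challenge and password values are constructed.

```python
"""Why PAP can be verified against a stored crypt-style hash but CHAP cannot.
Added example for this thread; not FreeRADIUS code.  The PBKDF2 hash stands
in for the crypt(3) hash in /etc/shadow; the CHAP arithmetic follows RFC 1994."""
import hashlib
import hmac


def shadow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for crypt(3): salted and one-way, so checking a candidate means re-hashing it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def pap_verify(user_password: str, salt: bytes, stored: bytes) -> bool:
    """PAP: the request carries the password itself (RADIUS only obscures it in transit
    with the shared secret), so the server can re-hash it and compare with the store."""
    return hmac.compare_digest(shadow_hash(user_password, salt), stored)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_verify(chap_password: bytes, challenge: bytes, known_cleartext: str) -> bool:
    """CHAP: CHAP-Password is identifier (1 byte) followed by the 16-byte response.
    The only way to check it is to recompute the MD5, which needs the cleartext secret."""
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, known_cleartext, challenge), response)


def chap_verify_from_hash(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """What a server holding only the hash could try: feed the hash into the MD5.
    It never matches, because the client hashed the real password, not its crypt form."""
    ident, response = chap_password[0], chap_password[1:]
    guess = hashlib.md5(bytes([ident]) + stored + challenge).digest()
    return hmac.compare_digest(guess, response)


# Constructed demo values
SALT = b"constructed-salt"
PASSWORD = "testing123"                  # the password seen in the thread's debug output
STORED = shadow_hash(PASSWORD, SALT)     # what /etc/shadow-style storage keeps
CHALLENGE = bytes(range(16))             # constructed CHAP-Challenge
CLIENT_CHAP = bytes([27]) + chap_response(27, PASSWORD, CHALLENGE)   # what the client sends


def demo():
    return {
        "pap_ok": pap_verify(PASSWORD, SALT, STORED),
        "pap_wrong_password": pap_verify("wrong", SALT, STORED),
        "chap_with_cleartext": chap_verify(CLIENT_CHAP, CHALLENGE, PASSWORD),
        "chap_with_hash_only": chap_verify_from_hash(CLIENT_CHAP, CHALLENGE, STORED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With crypt-style storage the PAP check succeeds and the CHAP check can only be attempted against the hash, which fails; that is the "cannot compare crypt to crypt" limitation, and it is a property of one-way hashing rather than of FreeRADIUS.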