Re: User /etc/shadow for Authentication
Norman Zhang wrote:
> Thanks. I edited users with the following entries
>
> DEFAULT Auth-Type = System
>         Fall-Through = 1,
>         cisco-avpair = "shell:priv-lvl=1",
>         Service-Type = Administrative-User
>
> DEFAULT Group == user-ro
>         cisco-avpair := "shell:priv-lvl=7"
>
> DEFAULT Group == user-rw
>         cisco-avpair := "shell:priv-lvl=15"
>
> but all users still get privilege level 15 access. Something wrong with
> my config?

Found it. Service-Type should = NAS-Prompt-User.

Norman

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: User /etc/shadow for Authentication
Ranner, Frank MR wrote:
> Put your users into groups and add extra entries:
>
> DEFAULT Group == numpties
>         cisco-avpair := "shell:priv-lvl=1"
>
> DEFAULT Group == supernumpties
>         cisco-avpair := "shell:priv-lvl=10"
>
> Notes:
> These lines use := to over-rule the cisco-avpair previously set.
> They do not fall through.
> I personally would make the default a low privilege, with high
> privilege coming from group membership.
>
> You'll need to read up on the available mechanisms for grouping users.

Thanks. I edited users with the following entries

DEFAULT Auth-Type = System
        Fall-Through = 1,
        cisco-avpair = "shell:priv-lvl=1",
        Service-Type = Administrative-User

DEFAULT Group == user-ro
        cisco-avpair := "shell:priv-lvl=7"

DEFAULT Group == user-rw
        cisco-avpair := "shell:priv-lvl=15"

but all users still get privilege level 15 access. Something wrong with my config?

Norman
RE: User /etc/shadow for Authentication [unclas]
Put your users into groups and add extra entries:

DEFAULT Group == numpties
        cisco-avpair := "shell:priv-lvl=1"

DEFAULT Group == supernumpties
        cisco-avpair := "shell:priv-lvl=10"

Notes:
These lines use := to over-rule the cisco-avpair previously set.
They do not fall through.
I personally would make the default a low privilege, with high
privilege coming from group membership.

You'll need to read up on the available mechanisms for grouping users.

Regards,
Frank Ranner

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Norman Zhang
> Sent: Thursday, 26 April 2007 10:50
> To: freeradius-users@lists.freeradius.org
> Subject: Re: User /etc/shadow for Authentication
>
> [EMAIL PROTECTED] wrote:
> > Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
> > Sending Access-Accept of id 27 to 10.0.0.2:1645
> >
> > You have "got in". But you haven't returned any radius attributes. You
> > need to return something like Service-Type = Administrative-User or
> > NAS-Prompt-User so NAS knows what to do with the user.
>
> Thanks for the hint. I added the last two lines to users, now
> I can login.
>
> DEFAULT Auth-Type = System
>         Fall-Through = 1,
>         cisco-avpair = "shell:priv-lvl=15",
>         Service-Type = Administrative-User
>
> Still trying to learn FreeRADIUS, should Fall-Through = True
> and not 1?
> How can I specify some users to have priv-lvl lower than 15,
> if default is 15?
>
> Norman
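As an added illustration of Frank's notes above (the := entries overriding the DEFAULT value, and no fall-through from them) and of the fix Norman reports in his final message (Service-Type = NAS-Prompt-User), here is a small Python model of how the users file is walked. It is not code from the thread or from FreeRADIUS; the lookup logic is a deliberate simplification of rlm_files, and the IOS privilege mapping in ios_privilege is an assumption consistent with what Norman observed.

```python
# Added example (not from the thread or FreeRADIUS): a toy model of users-file
# matching, showing why ":=" overrides the DEFAULT "=" reply item and why
# Service-Type = Administrative-User gave every user level 15.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    group: Optional[str]        # "Group == x" check item; None matches everyone
    replies: list               # (attribute, operator, value); operator "=" or ":="
    fall_through: bool = False

def lookup(entries, user_groups):
    """Reply attributes for a user who is a member of user_groups."""
    reply = {}
    for e in entries:
        if e.group is not None and e.group not in user_groups:
            continue
        for attr, op, value in e.replies:
            # "=" only adds the attribute if it is not already in the reply;
            # ":=" replaces whatever an earlier entry set.
            if op == ":=" or attr not in reply:
                reply[attr] = value
        if not e.fall_through:      # matching stops here unless Fall-Through
            break
    return reply

def ios_privilege(reply):
    """Assumed, simplified NAS behaviour: Administrative-User lands the user in
    enable mode (15) regardless of shell:priv-lvl; NAS-Prompt-User gives an
    exec prompt at the shell:priv-lvl value (1 if none was returned)."""
    if reply.get("Service-Type") == "Administrative-User":
        return 15
    avpair = reply.get("cisco-avpair", "shell:priv-lvl=1")
    return int(avpair.split("=", 1)[1])

def users_file(service_type, group_op=":="):
    """Norman's three entries, with the DEFAULT Service-Type and the operator
    used by the group entries left as parameters."""
    return [
        Entry(None, [("cisco-avpair", "=", "shell:priv-lvl=1"),
                     ("Service-Type", "=", service_type)], fall_through=True),
        Entry("user-ro", [("cisco-avpair", group_op, "shell:priv-lvl=7")]),
        Entry("user-rw", [("cisco-avpair", group_op, "shell:priv-lvl=15")]),
    ]

def privilege_for(groups, service_type, group_op=":="):
    """Privilege level the modelled NAS would grant to a user in groups."""
    return ios_privilege(lookup(users_file(service_type, group_op), set(groups)))
```

The last assertion-worthy case is the one Frank warns about: with "=" instead of ":=" in the group entries, the DEFAULT priv-lvl=1 is already in the reply and the group entry never overrides it.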
Re: User /etc/shadow for Authentication
[EMAIL PROTECTED] wrote:
> Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
> Sending Access-Accept of id 27 to 10.0.0.2:1645
>
> You have "got in". But you haven't returned any radius attributes. You
> need to return something like Service-Type = Administrative-User or
> NAS-Prompt-User so NAS knows what to do with the user.

Thanks for the hint. I added the last two lines to users, now I can login.

DEFAULT Auth-Type = System
        Fall-Through = 1,
        cisco-avpair = "shell:priv-lvl=15",
        Service-Type = Administrative-User

Still trying to learn FreeRADIUS, should Fall-Through = True and not 1?
How can I specify some users to have priv-lvl lower than 15, if default is 15?

Norman
Re: User /etc/shadow for Authentication
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
Sending Access-Accept of id 27 to 10.0.0.2:1645

You have "got in". But you haven't returned any radius attributes. You
need to return something like Service-Type = Administrative-User or
NAS-Prompt-User so NAS knows what to do with the user.

Ivan Kalik
Kalik Informatika ISP

On 25/4/2007, "Norman Zhang" <[EMAIL PROTECTED]> writes:

>Dennis Skinner wrote:
>> Make sure you are *only* using PAP. CHAP encrypts the password over the
>> wire and you cannot compare crypt to crypt. One of them needs to be
>> cleartext (this is a limitation of encryption, not FreeRADIUS). See the
>> table here:
>>
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>> (you are using Unix Crypt).
>
>I changed
>
>pap {
>        encryption_scheme = clear # was crypt
>}
>
>chap {
>        authtype = pap # was CHAP
>}
>
>pam {
>        pam_auth = radiusd
>}
>
>unix {
>        cache = no
>        cache_reload = 600
>        passwd = /etc/passwd
>        shadow = /etc/shadow
>        group = /etc/group
>        radwtmp = ${logdir}/radwtmp
>}
>
>but I still cannot get in.
Re: User /etc/shadow for Authentication
Dennis Skinner wrote:
> Make sure you are *only* using PAP. CHAP encrypts the password over the
> wire and you cannot compare crypt to crypt. One of them needs to be
> cleartext (this is a limitation of encryption, not FreeRADIUS). See the
> table here:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> (you are using Unix Crypt).

I changed

pap {
        encryption_scheme = clear # was crypt
}

chap {
        authtype = pap # was CHAP
}

pam {
        pam_auth = radiusd
}

unix {
        cache = no
        cache_reload = 600
        passwd = /etc/passwd
        shadow = /etc/shadow
        group = /etc/group
        radwtmp = ${logdir}/radwtmp
}

but I still cannot get in.

rad_recv: Access-Request packet from host 10.0.0.2:1645, id=27, length=79
        NAS-IP-Address = 10.0.0.2
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "tester"
        Calling-Station-Id = "10.0.0.1"
        User-Password = "testing123"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
Sending Access-Accept of id 27 to 10.0.0.2:1645
Finished request 0
Going to the next request

---

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_u
Re: User /etc/shadow for Authentication
Dennis Skinner wrote:
> Norman Zhang wrote:
>> How do I set up user tester-a to use /etc/shadow for authentication?
>>
>> Currently I have
>>
>> tester-a Auth-Type := Local, User-Password == "superuser"
>>         cisco-avpair = "shell:priv-lvl=15",
>>         Service-Type = Administrative-User
>
> I would start by reading radiusd.conf. Look for every instance of the
> word "shadow" and read those comments. Then set up the unix module properly.
>
> Make sure the user/group that radiusd runs as can read /etc/shadow.

Thanks. Changed /etc/shadow to 444 for now. Also

unix {
        password = /etc/password
        group = /etc/group
        shadow = /etc/shadow
}

are uncommented in radiusd.conf

> Make sure you are *only* using PAP. CHAP encrypts the password over the
> wire and you cannot compare crypt to crypt. One of them needs to be
> cleartext (this is a limitation of encryption, not FreeRADIUS). See the
> table here:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> (you are using Unix Crypt).

pap {
        encryption_scheme = crypt
}

chap {
        authtype = CHAP
}

still fails. I guess I need to configure users. Will run radiusd -X to debug.

Norman
Re: User /etc/shadow for Authentication
Norman Zhang wrote:
> How do I set up user tester-a to use /etc/shadow for authentication?
>
> Currently I have
>
> tester-a Auth-Type := Local, User-Password == "superuser"
>         cisco-avpair = "shell:priv-lvl=15",
>         Service-Type = Administrative-User

I would start by reading radiusd.conf. Look for every instance of the
word "shadow" and read those comments. Then set up the unix module properly.

Make sure the user/group that radiusd runs as can read /etc/shadow.

Make sure you are *only* using PAP. CHAP encrypts the password over the
wire and you cannot compare crypt to crypt. One of them needs to be
cleartext (this is a limitation of encryption, not FreeRADIUS). See the
table here:

http://deployingradius.com/documents/protocols/compatibility.html

(you are using Unix Crypt).

Make sure you have the unix module referenced in the *authorize* section
at the bottom of the conf file.

Oh, and obviously you'll want to remove (or at least change) that entry
in the users file.

Run the server in debug mode (radiusd -X) and test.

I've never tried to use /etc/shadow myself, but the comments in the
config file should get you 90% there.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
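Dennis's "cannot compare crypt to crypt" point, as an added worked example that is not from the thread or from FreeRADIUS: a toy version of the stored-password versus authentication-protocol compatibility check. The crypt_like function is a salted SHA-512 stand-in for crypt(3) (an assumption, not the real DES/MD5 crypt algorithms), and the CHAP response follows RFC 1994.

```python
# Added example (not from the thread): why a one-way hash on the server can
# verify a PAP password but never a CHAP response.
import hashlib
import secrets

def crypt_like(cleartext: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt(3) (assumption: salted SHA-512 instead of real crypt)."""
    return salt + b"$" + hashlib.sha512(salt + cleartext).hexdigest().encode()

def chap_response(ident: int, cleartext: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge).
    The NAS computes this from the cleartext the user typed."""
    return hashlib.md5(bytes([ident]) + cleartext + challenge).digest()

def verify(stored, credential):
    """stored is ("clear", password) or ("crypt", hash); credential is
    ("pap", password) or ("chap", ident, challenge, response).
    Returns True/False when the pair is checkable, None when it is not."""
    kind, value = stored
    if credential[0] == "pap":
        # PAP delivers the cleartext (User-Password), so the server can
        # re-hash it with the stored salt and compare.
        pw = credential[1]
        if kind == "clear":
            return secrets.compare_digest(value, pw)
        salt = value.split(b"$", 1)[0]
        return secrets.compare_digest(crypt_like(pw, salt), value)
    _, ident, challenge, response = credential
    if kind == "clear":
        expected = chap_response(ident, value, challenge)
        return secrets.compare_digest(expected, response)
    # A one-way hash cannot be turned back into the cleartext the CHAP MD5
    # needs, so there is nothing the server can compute against the response.
    return None

def demo():
    """Constructed sample values: one user, one challenge, the four pairings."""
    stored_crypt = ("crypt", crypt_like(b"testing123", b"ab"))
    stored_clear = ("clear", b"testing123")
    challenge = bytes(range(16))
    good = chap_response(27, b"testing123", challenge)
    return {
        "crypt+pap": verify(stored_crypt, ("pap", b"testing123")),
        "crypt+wrong_pap": verify(stored_crypt, ("pap", b"wrong")),
        "clear+chap": verify(stored_clear, ("chap", 27, challenge, good)),
        "crypt+chap": verify(stored_crypt, ("chap", 27, challenge, good)),
    }
```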
User /etc/shadow for Authentication
How do I set up user tester-a to use /etc/shadow for authentication?

Currently I have

tester-a Auth-Type := Local, User-Password == "superuser"
        cisco-avpair = "shell:priv-lvl=15",
        Service-Type = Administrative-User

Norman