On Wed, 2005-01-19 at 11:49 +0100, Fabio Massimo Di Nitto wrote:
> 
> Fabio Massimo Di Nitto wrote:
> | Joost De Cock wrote:
> | | On Tuesday 11 January 2005 10:02, you shoved this in my mailbox:
> | |
> | |>Joost De Cock wrote:
> | |>| Package: libpam-radius-auth
> | |>| Version: 1.3.16-2
> | |>| Severity: important
> | |>|
> | |>|
> | |>| I'm trying to set up Radius authentication on a stock Debian Sarge
> | |>| installation.
> | |>| The PAM Radius module sends out the loopback IP address as the 'NAS IP
> | |>| Address' Radius Attribute. The RFC has the following to say about this
> | |>| attribute:
> | |>|
> | |>|   This Attribute indicates the identifying IP Address of the NAS
> | |>|   which is requesting authentication of the user, and SHOULD
> | |>|   be unique to the NAS within the scope of the RADIUS
> | |>|   server.
> | |>|
> | |>| So our Radius server (a vasco) responds with 'cannot lookup client
> | |>| details' since that 127.0.0.1 address doesn't make sense.
> 
> Hi Joost,
> 
> I am checking the code right now and there are a couple of "mysterious" things
> that I would like to check together with you.
> 
> The ipaddr definition starts a bit up in the code:
> 
>   gethostname(hostname, sizeof(hostname) - 1);
> 
> then a bit later:
> 
>   if ((conf->server->ip.s_addr == ntohl(0x7f000001)) || (!hostname[0])) {
>     ipaddr = 0x7f000001;
> 
> so what we should check is:
> 
> a) What is the result of hostname on your machine? You can check that on any
> shell. If it returns localhost then it is clear why the lib is sending
> 127.0.0.1 as NAS IP and the machine needs to properly resolve the hostname.
> Perhaps it is a misconfiguration in /etc/hosts or in the DNS.
>
> b) Can you try defining the client_id= option in the config file, and set it
> to your IP? Do not use hostname here since apparently the code doesn't try to
> resolve it.
> 
> I never realized how ugly this code is :(

Here's the output from hostname and the contents of /etc/hosts:

eddie:~# hostname
eddie
eddie:~# cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost       eddie

I've changed the config file as follows:
eddie:~# cat /etc/pam.d/common-auth
auth       sufficient   /lib/security/pam_radius_auth.so debug
client-id=10.100.1.223
auth    required        pam_unix.so nullok_secure

account    sufficient   /lib/security/pam_radius_auth.so


to no avail, I can still see the Radius request being sent out with the
NAS IP Address set to 127.0.0.1 and as a result, the Radius server sends
an access reject.

Let me know if there's more I can do  :-/

joost
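
A check for point (a) of the quoted reply, added here as an example and not taken from pam_radius_auth or from either poster: it parses hosts-file text and reports whether a hostname maps to a loopback address, which cannot identify the NAS to the RADIUS server. The function names and the adjusted sample are assumptions; the first sample is built from the /etc/hosts line posted above and 10.100.1.223 is the address from the posted PAM configuration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Find `name` in hosts-file text ("address name [alias...]", '#' starts a
 * comment). On the first IPv4 match store the address in host byte order
 * (the form of the 0x7f000001 constant quoted above) and return 1. */
int hosts_lookup(const char *hosts, const char *name, uint32_t *ip)
{
    size_t want = strlen(name);
    while (*hosts) {
        const char *stop = hosts + strcspn(hosts, "#\n");  /* end of data */
        const char *p = hosts + strspn(hosts, " \t");
        unsigned a, b, c, d;
        int used = 0;
        if (p < stop && sscanf(p, "%u.%u.%u.%u%n", &a, &b, &c, &d, &used) == 4
            && a < 256 && b < 256 && c < 256 && d < 256) {
            for (p += used; p < stop; ) {
                p += strspn(p, " \t\r");
                size_t tok = strcspn(p, " \t\r#\n");
                if (tok == 0) break;                       /* no more names */
                if (tok == want && strncmp(p, name, tok) == 0) {
                    *ip = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
                    return 1;
                }
                p += tok;
            }
        }
        hosts += strcspn(hosts, "\n");                     /* next line */
        if (*hosts == '\n') hosts++;
    }
    return 0;
}

/* 1 if `name` maps to an address outside 127.0.0.0/8, else 0. */
int nas_ip_usable(const char *hosts, const char *name)
{
    uint32_t ip;
    return hosts_lookup(hosts, name, &ip) && (ip >> 24) != 127;
}

/* Constructed inputs: the hosts line as posted, and an adjusted variant. */
const char HOSTS_POSTED[] = "127.0.0.1  localhost.localdomain  localhost  eddie\n";
const char HOSTS_ADJUSTED[] = "127.0.0.1 localhost.localdomain localhost\n10.100.1.223 eddie\n";

int main(void)
{
    printf("posted: %d, adjusted: %d\n", nas_ip_usable(HOSTS_POSTED, "eddie"), nas_ip_usable(HOSTS_ADJUSTED, "eddie"));
}
```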







