Okay, got a new coupla quandaries with FreeRADIUS 0.5 and Linux-PAM 0.75:

1)  FreeRADIUS refuses to authenticate any user who does not have an account on the 
local workstation.  This user, for instance, cannot authenticate:

guestm Auth-Type := Pam
        Service-Type = Administrative-User,
        Fall-Through = No

Here is /etc/pam.d/radiusd (for reference):

#%PAM-1.0
auth       sufficient   /usr/pam/lib/security/pam_krb5.so
auth       required     /usr/pam/lib/security/pam_unix.so

Testing with other services (httpd, sshd) shows that Kerberos and pam_krb5.so are 
working properly.  Cistron RADIUS 1.6.4 did not have this problem.

2)  There is some difference between the way FreeRADIUS 0.5 and Cistron RADIUS 1.6.4 
respond when there is no user in the raddb/users file to match an authentication 
request (and there is no default).  A BayStack 450 switch will allow you to enable 
"RADIUS Password Fallback", which means that if RADIUS fails, it will check to see if 
the user entered the locally-configured password.

With Cistron RADIUS, this works.  No matter what user name is used, if I enter the 
locally-configured password for the switch I can gain access.  However with FreeRADIUS 
0.5, the BayStack says "Querying RADIUS server..." and waits forever.

I'm going to try to get some packet captures of this to see what's going on in more 
detail, but I wondered if anyone had any experiences with the BayStacks or had any 
other ideas that occurred to them immediately that might be useful.

Thanks!

Justin McNutt
Network Systems Analyst - Expert
DNPS, Mizzou Telecom
(573) 882-5183

One IP to rule them all, one IP to find them,
One IP to bring them all, and in the darkness BIND them,
In the land of Ether, where the packets fly.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
