> "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > > PAM does username/password authentication, nothing else.
> >
> > Not so. PAM can provide several different authorization functions as
> > well.
>
> ... and for authentication, it does username/password (or equivalents)

But RADIUS does more than authentication, which is my point. RADIUS is responsible for both authentication - via username/password - and authorization - via attribute pairs. So my original question, slightly reworded, is "If PAM is able to authenticate me correctly, which it does, why does FreeRADIUS still return a reject unless there is a local account?" This would seem to be a function of what FreeRADIUS requests of PAM.

> > I figured this one out. FreeRADIUS has an option to delay the response.
> > This delay - even if set to only a second or two - is more than the
> > BayStack is willing to wait.
>
> Then the BayStack is a piece of crap.

Was this observation really necessary? I provided the information above for everyone's use, not for value judgements of the BayStack. The BayStack is *not* a piece of crap, despite the fact that it doesn't do RADIUS authentication in the best possible way.

> That's why FreeRADIUS isn't a piece of crap, and is configurable.

I agree, with the reservation that while FreeRADIUS works very well and is highly configurable, there is a severe lack of documentation (which is somewhat reasonable since it is still in 0.xx versions) and its developers are extremely opinionated and sensitive to criticism. :-/

> Of course, you've now opened yourself up to a DoS attack, but that's
> life.

True. However, I need to deal with the problems in my network one at a time. Right now, convenient authenticated access to the switches for our administrators is the larger problem. I have several Nortel folks to whom I can speak about improvements to the RADIUS code if I need to address those other problems later. They have been listening when it comes to security issues in general (for example, they are implementing SNMPv3 quite soon), so I am confident that this is not a waste of time.

THEREFORE, my biggest worry at the moment is how I can use FreeRADIUS to authenticate people logging into BayStacks, using PAM as the local authentication method on the RADIUS server side *without* having to create user accounts on the RADIUS server for every switch admin.

--J

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html