Hi everyone, in my radius.log file, some of my customers come in as userxyz, <CHAP-Password>. Now how can I see their passwords, as I need to troubleshoot sometimes? Thanks
iq

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 09, 2002 7:51 AM
Subject: Freeradius-Users digest, Vol 1 #637 - 20 msgs

> Send Freeradius-Users mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.cistron.nl/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
> Today's Topics:
>
> 1. Re: FreeRADIUS and PAM (Alan DeKok)
> 2. Re: Weird accounting entry (Alan DeKok)
> 3. RE: FreeRADIUS and PAM (McNutt, Justin M.)
> 4. Re: FreeRadius 0.5 and Debian 3.0 (Chad Miller)
> 5. Re: freeradius and mysql (Alan DeKok)
> 6. Re: freeradius port (Alan DeKok)
> 7. Re: odd error since switching to an L2TP config (Alan DeKok)
> 8. Re: freeradius and mysql (tywe)
> 9. RE: Weird accounting entry (Edgard Castro)
> 10. Re: FreeRadius 0.5 and Debian 3.0 (Florin Andrei)
> 11. freeradius troubles with cisco access point (David Wong)
> 12. Re: Problem configuring EAP/MD5 auth with Orinoco AP1000 (Raghu)
> 13. RE: freeradius port (Michael S. McCollough)
> 14. Re: Core dump when user is in group (mysql) (Alan DeKok)
> 15. Re: how does detail file work (Alan DeKok)
> 16. Re: FreeRadius 0.5 with mysql 3.22.32 (Alan DeKok)
> 17. Re: freeradius and mysql (Artur Hecker)
> 18. Re: FreeRADIUS and PAM (Alan DeKok)
> 19. Re: FreeRADIUS and PAM (Steve Langasek)
> 20. RE: FreeRADIUS and PAM (McNutt, Justin M.)
>
> --__--__--
>
> Message: 1
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRADIUS and PAM
> Date: Mon, 08 Apr 2002 11:55:21 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > > PAM does username/password authentication, nothing else.
> >
> > Not so. PAM can provide several different authorization functions as
> > well.
>
> ... and for authentication, it does username/password (or equivalents)
>
> > I figured this one out. FreeRADIUS has an option to delay the response.
> > This delay - even if set to only a second or two - is more than the
> > BayStack is willing to wait.
>
> Then the BayStack is a piece of crap.
>
> That's why FreeRADIUS isn't a piece of crap, and is configurable.
>
> Of course, you've now opened yourself up to a DoS attack, but that's life.
>
> Alan DeKok.
>
> --__--__--
>
> Message: 2
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Weird accounting entry
> Date: Mon, 08 Apr 2002 11:55:58 -0400
> Reply-To: [EMAIL PROTECTED]
>
> Edgard Castro <[EMAIL PROTECTED]> wrote:
> > See? I just got that error because I have a program that processes the detail
> > to import to a database. Anyone got that before?
>
> Nope. Are you sure your script isn't breaking things?
>
> Alan DeKok.
>
> --__--__--
>
> Message: 3
> Subject: RE: FreeRADIUS and PAM
> Date: Mon, 8 Apr 2002 11:05:17 -0500
> From: "McNutt, Justin M." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
>
> > "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > > > PAM does username/password authentication, nothing else.
> > >
> > > Not so. PAM can provide several different authorization functions as
> > > well.
> >
> > ... and for authentication, it does username/password (or
> > equivalents)
>
> But RADIUS does more than authentication, which is my point. RADIUS is
> responsible for both authentication - via username/password - and
> authorization - via attribute pairs.
>
> So my original question, slightly reworded, is "If PAM is able to
> authenticate me correctly, which it does, why does FreeRADIUS still
> return a reject unless there is a local account?" This would seem to be
> a function of what FreeRADIUS requests of PAM.
>
> > > I figured this one out. FreeRADIUS has an option to delay
> > > the response.
> > > This delay - even if set to only a second or two - is more than the
> > > BayStack is willing to wait.
> >
> > Then the BayStack is a piece of crap.
>
> Was this observation really necessary? I provided the information above
> for everyone's use, not for value judgements of the BayStack.
>
> The BayStack is *not* a piece of crap, despite the fact that it doesn't
> do RADIUS authentication in the best possible way.
>
> > That's why FreeRADIUS isn't a piece of crap, and is configurable.
>
> I agree, with the reservation that while FreeRADIUS works very well and
> is highly configurable, there is a severe lack of documentation (which
> is somewhat reasonable since it is still in 0.xx versions) and its
> developers are extremely opinionated and sensitive to criticism. :-/
>
> > Of course, you've now opened yourself up to a DoS attack, but that's
> > life.
>
> True. However I need to deal with the problems in my network one at a
> time. Right now, convenient authenticated access to the switches for
> our administrators is the larger problem. I have several Nortel folks
> to whom I can speak about improvements to the RADIUS code if I need to
> address those other problems later. They have been listening when it
> comes to security issues in general (for example, they are implementing
> SNMPv3 quite soon), so I am confident that this is not a waste of time.
>
> THEREFORE, my biggest worry at the moment is how I can use FreeRADIUS to
> authenticate people logging into BayStacks, using PAM as the local
> authentication method on the RADIUS server side *without* having to
> create user accounts on the RADIUS server for every switch admin.
>
> --J
>
> --__--__--
>
> Message: 4
> Date: Mon, 8 Apr 2002 09:30:33 -0700
> From: Chad Miller <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRadius 0.5 and Debian 3.0
> Reply-To: [EMAIL PROTECTED]
>
> > From: "Andrew Tait" <[EMAIL PROTECTED]>
> > Subject: FreeRadius 0.5 and Debian 3.0
> > Date: Mon, 8 Apr 2002 15:34:20 +1000
> >
> > The radiusd-freeradius packages have been REMOVED from Debian testing/woody,
> > because of the severe bugs
> > (http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=radiusd-freeradius&repeatmerged=yes)
> > outstanding, and the fact that the debian package is outdated (0.4)
> >
> > If freeradius is going to be in the Debian distribution, now is the time to
> > get it in there. Woody is getting close to release (1st May is probable
> > date).
>
> I (the current maintainer) am working on it.
>
> > ---
> > From: Matthew Wallis <[EMAIL PROTECTED]>
> > Can apt be setup to get a nightly snapshot, compile, and install that?
>
> With some simple scripting, it's possible.
>
> > While it would be nice to have FreeRadius in Debian, I think the
> > current release cycle is entirely too fast for it.
> >
> > 0.5 was released less than a month ago, and the nightly builds
> > already far surpass it.
> >
> > I don't believe packaging is the issue for FreeRadius, simply that
> > the amount of work currently being done means that no package
> > would stay in Debian for more than a night.
>
> Matthew's right. The rate of development makes it awfully hard to plan
> releases. IMO, FreeRADIUS needs a "stable" branch that is pushed towards
> 1.0, instead of the whole tree being in a perpetual alpha-state. That
> means no EAP, no Python module, no $whiz_bang_untested_feature, and I'm not
> sure anyone is willing to draw a line, as yet, and that makes my job
> awfully hard.
>
> Freeze, branch a stable tree, backport bugfixes, wait, release.
>
> I'll release a CVS snapshot, likely. :(
>
> - chad
>
> --
> Chad Miller <[EMAIL PROTECTED]>
> <url: http://www.advogato.org/person/cmiller/>
> ``Having a smoking section in a restaurant is
> like having a peeing section in a pool.''
>
> --__--__--
>
> Message: 5
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: freeradius and mysql
> Date: Mon, 08 Apr 2002 13:24:35 -0400
> Reply-To: [EMAIL PROTECTED]
>
> Artur Hecker <[EMAIL PROTECTED]> wrote:
> > i don't use sql and it doesn't work either. the files are the
> > equivalents of the system-wide utmp, wtmp, etc. files, if i'm not
> > completely wrong.
>
> SQL accounting is NOT the equivalent of utmp/wtmp. Even utmp/wtmp
> are not equivalent. They have different purposes.
>
> I have a patch sitting somewhere which adds the ability for SQL to
> do Simultaneous-Use checks, that might help.
>
> > in fact i'm waiting for a note/comment of one of the
> > developers (alan?) but the issue is either well-known or not important
> > since there is no answer in spite of numerous posts.
>
> ... or the answer is unknown. I don't use SQL, so I'm not too
> familiar with it.
>
> Alan DeKok.
>
> --__--__--
>
> Message: 6
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: freeradius port
> Date: Mon, 08 Apr 2002 13:25:34 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "yoav" <[EMAIL PROTECTED]> wrote:
> > is it possible to tell radiusd to run on more than one port?
>
> Right now, no.
>
> > if not, any idea?
>
> Change the code in the server, src/main/radiusd.c
>
> Patches are always welcome.
>
> Alan DeKok.
>
> --__--__--
>
> Message: 7
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: odd error since switching to an L2TP config
> Date: Mon, 08 Apr 2002 13:33:12 -0400
> Reply-To: [EMAIL PROTECTED]
>
> John <[EMAIL PROTECTED]> wrote:
> > Since we've switched to the L2TP config, we now see an odd thing when people
> > are logging in with a '[EMAIL PROTECTED]' username. If they login with
> > '[EMAIL PROTECTED]' we see something like:
> >
> > Sun Apr 7 13:02:12 2002 : Auth: Login incorrect: [realm.com/cisco]
> > (from nas l2tp port 35 cli 2015790101)
>
> That's a "username/password" log message. It looks to me like your
> NAS is sending an additional authentication request to the server.
>
> Run the server in debugging mode to see whether or not this is
> happening.
>
> > Also, am having trouble finding a way to search the list archives at
> > http://lists.cistron.nl/archives/freeradius-users/2002/04/ - is there a
> > search tool available on that server?
>
> Have you read the FAQ?
>
> Alan DeKok.
>
> --__--__--
>
> Message: 8
> From: "tywe" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: freeradius and mysql
> Date: Mon, 8 Apr 2002 14:00:41 -0400
> Reply-To: [EMAIL PROTECTED]
>
> > I have a patch sitting somewhere which adds the ability for SQL to
> > do Simultaneous-Use checks, that might help.
>
> If you can dig up that patch and post it, I will greatly appreciate it. So
> other than Simultaneous-Use, what else do the tmp files do for me? I'm just
> trying to see if I need to get them working, or if I can just not worry
> about it and rely on SQL accounting.
>
> Thanks!!
>
> Frank
>
> --__--__--
>
> Message: 9
> From: Edgard Castro <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: Weird accounting entry
> Date: Mon, 8 Apr 2002 15:18:24 -0300
> Reply-To: [EMAIL PROTECTED]
>
> Not really, this is the untouched detail archive. The only thing that the
> rotate script does is stop the radius server, rename the detail and restart
> it again.
>
> Weeeeeiiird.
>
> > -----Original Message-----
> > From: Alan DeKok [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, April 08, 2002 12:56 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Weird accounting entry
> >
> > Edgard Castro <[EMAIL PROTECTED]> wrote:
> > > See? I just got that error because I have a program that processes the detail
> > > to import to a database. Anyone got that before?
> >
> > Nope. Are you sure your script isn't breaking things?
> >
> > Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> --__--__--
>
> Message: 10
> Subject: Re: FreeRadius 0.5 and Debian 3.0
> From: Florin Andrei <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: 08 Apr 2002 11:54:52 -0700
> Reply-To: [EMAIL PROTECTED]
>
> On Mon, 2002-04-08 at 09:30, Chad Miller wrote:
> >
> > Matthew's right. The rate of development makes it awfully hard to plan
> > releases. IMO, FreeRADIUS needs a "stable" branch that is pushed towards
> > 1.0, instead of the whole tree being in a perpetual alpha-state. That
> > means no EAP, no Python module, no $whiz_bang_untested_feature
>
> That would be awesome!
>
> I would like to deploy FreeRadius in production, as an authorization
> server (keep the allowed IPs for each user in MySQL with FreeRadius) and
> pushing the authentication to another Radius server (using FreeRadius's
> proxy feature), but the current status of the source tree kind of scares
> me. :-/
>
> I mean, for me, if only the MySQL authorization backend and the Radius
> proxy authentication would be "stable" - that should be theoretically
> enough. But there's a ton of other things that make me wait for a stable
> release. Which kind of sucks, because FreeRadius is so cool. ;-)
>
> --
> Florin Andrei
>
> A bug is a feature that can't be turned off.
>
> --__--__--
>
> Message: 11
> Date: Mon, 8 Apr 2002 12:19:55 -0700 (PDT)
> From: David Wong <[EMAIL PROTECTED]>
> Subject: freeradius troubles with cisco access point
> To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
>
> can anybody verify if freeradius works with cisco's
> 350 series wireless access point? and if not, can
> anyone recommend a radius server that does work with
> that access point (besides cisco's radius server)?
> thanks in advance.
>
> --__--__--
>
> Message: 12
> Date: Mon, 08 Apr 2002 12:49:01 -0700
> From: Raghu <[EMAIL PROTECTED]>
> Organization: HereUAre Communications
> To: [EMAIL PROTECTED]
> Subject: Re: Problem configuring EAP/MD5 auth with Orinoco AP1000
> Reply-To: [EMAIL PROTECTED]
>
> > EAP-Message = "\002\004\000\r\001portable"
> > modcall: group authenticate returns ok
> > radius_xlat: 'Coucou Mathieu'
> > Sending Access-Challenge of id 4 to 134.214.79.172:192
> > User-Name = "portable"
> > User-Password = "portable"
> > Reply-Message = "Coucou Mathieu"
> > EAP-Message = "\001\004\000\026\004\020[\212\202\037\031\201\001v\244\362\212\317\350+\360"
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e3eafaa13bde6170947e6a9c48e97f6f295ad3c996cb47d000dbb24cb4b05b943d8a3c5
> >
> > ... And then no answer, XP client cannot connect to the network...
>
> Strangely Access-Challenge is sending User-Password attribute.
> Check your radius configuration. This should never happen.
>
> I am not sure about Orinoco AP-1000.
>
> -Raghu
>
> --__--__--
>
> Message: 13
> From: "Michael S. McCollough" <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: freeradius port
> Date: Mon, 8 Apr 2002 15:49:51 -0400
> Reply-To: [EMAIL PROTECTED]
>
> Not sure if there are other implications or not, but I did a quick test of:
>
> 1) ran radiusd.init start
> 2) radiusd -p 1645
>
> First command runs the normal init script and starts radius on port 1812.
> Second command runs the radiusd executable with the port flag -p to specify
> port 1645 (it still reads the normal config file and gets everything except
> the port from there).
>
> I tested authentication on both ports using the above config and it worked.
> You could modify your start scripts to use the above config if wanted. I am
> not sure about accounting and any locking that may take place on the files. I
> haven't used freeradius extensively, but accounting files in versions I have
> used are named by the client's shortname so there should be file
> sharing/contention.
>
> Hope this helps.
>
> --
> Michael
>
> > -----Original Message-----
> > From: Alan DeKok [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, April 08, 2002 1:26 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: freeradius port
> >
> > "yoav" <[EMAIL PROTECTED]> wrote:
> > > is it possible to tell radiusd to run on more than one port?
> >
> > Right now, no.
> >
> > > if not, any idea?
> >
> > Change the code in the server, src/main/radiusd.c
> >
> > Patches are always welcome.
> >
> > Alan DeKok.
>
> --__--__--
>
> Message: 14
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Core dump when user is in group (mysql)
> Date: Mon, 08 Apr 2002 16:10:35 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "Veli-Matti Riepula" <[EMAIL PROTECTED]> wrote:
> > I have a RH7.2 box running on standard kernel with FR 0.5 and mysql 3.23.40.
> > When I try to authenticate a user that is mapped into any group in usergroup
> > table, I get a core dump.
>
> Can you read 'doc/bugs', and post the relevant information to the
> list?
>
> Alan DeKok.
>
> --__--__--
>
> Message: 15
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: how does detail file work
> Date: Mon, 08 Apr 2002 16:13:45 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "freeradlist@GoldenIT" <[EMAIL PROTECTED]> wrote:
> > I am new to free radius. It is working fine for me. I
> > was just wondering how does "detail file
> > (/usr/local/var/log/radius/radacct/ip/detail)" work in free radius. I mean
> > does it give us stats on a daily basis or weekly basis, is it written over
> > daily or weekly or does it keep the record since the radius is installed?
>
> It's never over-written. It's an append-only log.
>
> If you want daily/weekly versions, see 'doc/variables.txt'. In
> 'radiusd.conf', you can use:
>
> detailfile = ${radacctdir}/%{Client-IP-Address}/%Y-%m/%d.detail
>
> To get a monthly directory, with different detail files for each
> day. Then you don't have to do any rotation of the files.
>
> > I have software that imports detail file once a month and makes
> > stats out of it. I was wondering if detail file is getting written
> > over every day; if yes then how will we make monthly stats.
>
> Read 'doc/variables.txt', and edit 'detailfile' in 'radiusd.conf'
>
> Alan DeKok.
>
> --__--__--
>
> Message: 16
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRadius 0.5 with mysql 3.22.32
> Date: Mon, 08 Apr 2002 16:15:04 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "Tsui Kai Ho Kyo" <[EMAIL PROTECTED]> wrote:
> > I had configured my free-radius 0.5 on redhat 6.2 linux server.
> > I run the server by using "./radiusd -xxyz -l stdout"
> > The problem is that my dial up users got "Error 5: access denied",
> > however, the standard output showed things ok..
>
> Uh, no. You posted an *accounting* message. Authentication is
> different.
>
> > one more thing..
> > I can find the record for username "egtwc98" at radacct table too...
>
> Use your SQL tools?
>
> Alan DeKok.
>
> --__--__--
>
> Message: 17
> Date: Mon, 08 Apr 2002 22:21:35 +0200
> From: Artur Hecker <[EMAIL PROTECTED]>
> Organization: priv
> To: [EMAIL PROTECTED]
> Subject: Re: freeradius and mysql
> Reply-To: [EMAIL PROTECTED]
>
> Alan DeKok wrote:
> >
> > Artur Hecker <[EMAIL PROTECTED]> wrote:
> > > i don't use sql and it doesn't work either. the files are the
> > > equivalents of the system-wide utmp, wtmp, etc. files, if i'm not
> > > completely wrong.
> >
> > SQL accounting is NOT the equivalent of utmp/wtmp. Even utmp/wtmp
> > are not equivalent. They have different purposes.
>
> you got it wrong. we were talking about the sense of the
> radutmp/sradutmp/radwtmp files. Frank just supposed that these files
> don't exist in his case because of the usage of SQL accounting. I
> answered that they do not exist in my case either, even though I don't use the
> SQL accounting.
>
> > ... or the answer is unknown. I don't use SQL, so I'm not too
> > familiar with it.
>
> again, the problem was not the SQL and whatsoever depending on it. for
> plenty of people here the problem is the *tmp files which DO NOT exist
> even if the modules ARE active.
>
> do you have an idea on this topic?
>
> it just doesn't log anything, in my case for example. I've already
> posted this issue here at least three times with all the needed
> information, I would suppose...
>
> Thanks,
>
> artur
>
> --
> artur[at]hecker.info
>
> --__--__--
>
> Message: 18
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRADIUS and PAM
> Date: Mon, 08 Apr 2002 16:34:39 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > So my original question, slightly reworded, is "If PAM is able to
> > authenticate me correctly, which it does, why does FreeRADIUS still
> > return a reject unless there is a local account?" This would seem to be
> > a function of what FreeRADIUS requests of PAM.
>
> I'm not sure why. As I said before, the PAM code in FreeRADIUS is
> copied pretty much verbatim from the Cistron source. And the
> 'username/password' authentication part of PAM is pretty hard to get
> wrong.
>
> I would suggest looking at the PAM logs, to see why it decides to
> not authenticate the user.
>
> What, you say? There's no PAM logs? Or, at least, no
> useful/helpful logs, and no way of debugging PAM's internals?
>
> I hate PAM.
>
> > Was this observation really necessary? I provided the information above
> > for everyone's use, not for value judgements of the BayStack.
>
> I judge what I see. I've seen other NAS boxes do similar, or much
> worse things. I'm disappointed with them.
>
> > The BayStack is *not* a piece of crap, despite the fact that it doesn't
> > do RADIUS authentication in the best possible way.
>
> They've gone out of their way to make it *harder* to use. That
> disappoints me.
>
> Say your NAS comes back up after a power outage, and fires 5k
> requests to the RADIUS server, when everyone dials in again. The
> server MAY take a second or so to respond, under the high load. In
> the meantime, the BayStack will time out (VERY quickly), and reject
> many of the users.
>
> This is equipment you want to base your network on? That would make
> *me* nervous...
>
> > I agree, with the reservation that while FreeRADIUS works very well and
> > is highly configurable, there is a severe lack of documentation (which
> > is somewhat reasonable since it is still in 0.xx versions)
>
> Well, it *is* free software, which is generally well known for
> having poor documentation.
>
> > and its developers are extremely opinionated and sensitive to
> > criticism. :-/
>
> I can't speak for others here, but I know *I'm* sensitive to a lot
> of things which aren't criticism. If you say "The server core dumped
> on me, I hate it, it's crap", I'll most likely agree with you.
>
> On the other hand, many comments involve a lack of awareness of how
> RADIUS works, or how Unix systems work. There's not much that can be
> said there, other than "go read the OTHER guy's documentation, that's
> not part of FreeRADIUS." Other comments involve people unwilling or
> unable to read what documentation exists, and *those* get blunt
> responses from me.
>
> > THEREFORE, my biggest worry at the moment is how I can use FreeRADIUS to
> > authenticate people logging into BayStacks, using PAM as the local
> > authentication method on the RADIUS server side *without* having to
> > create user accounts on the RADIUS server for every switch admin.
>
> Find out why PAM is rejecting the users; all the server knows from
> rlm_pam is that the authentication failed.
>
> Alan DeKok.
>
> --__--__--
>
> Message: 19
> Date: Mon, 8 Apr 2002 15:55:14 -0500
> From: Steve Langasek <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRADIUS and PAM
> Reply-To: [EMAIL PROTECTED]
>
> Justin,
>
> On Mon, Apr 08, 2002 at 04:34:39PM -0400, Alan DeKok wrote:
> > "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > > So my original question, slightly reworded, is "If PAM is able to
> > > authenticate me correctly, which it does, why does FreeRADIUS still
> > > return a reject unless there is a local account?" This would seem to be
> > > a function of what FreeRADIUS requests of PAM.
> >
> > I'm not sure why. As I said before, the PAM code in FreeRADIUS is
> > copied pretty much verbatim from the Cistron source. And the
> > 'username/password' authentication part of PAM is pretty hard to get
> > wrong.
> >
> > I would suggest looking at the PAM logs, to see why it decides to
> > not authenticate the user.
>
> PAM itself doesn't care about local vs. non-local accounts. If you're
> having trouble with this, you almost certainly have a module in your PAM
> config which you shouldn't -- such as pam_unix, which by definition
> requires local accounts and will give you a failure for anything else.
>
> Someone on the list may be able to pinpoint the exact trouble if you
> dump us your PAM config for freeradius.
>
> Steve Langasek
> postmodern programmer
>
> --__--__--
>
> Message: 20
> Subject: RE: FreeRADIUS and PAM
> Date: Mon, 8 Apr 2002 16:49:35 -0500
> From: "McNutt, Justin M." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
>
> > "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > > So my original question, slightly reworded, is "If PAM is able to
> > > authenticate me correctly, which it does, why does FreeRADIUS still
> > > return a reject unless there is a local account?" This
> > > would seem to be a function of what FreeRADIUS requests of PAM.
> >
> > I'm not sure why. As I said before, the PAM code in FreeRADIUS is
> > copied pretty much verbatim from the Cistron source. And the
> > 'username/password' authentication part of PAM is pretty hard to get
> > wrong.
> >
> > I would suggest looking at the PAM logs, to see why it decides to
> > not authenticate the user.
>
> Hrmmm... 'kay.
>
> > What, you say? There's no PAM logs? Or, at least, no
> > useful/helpful logs, and no way of debugging PAM's internals?
> >
> > I hate PAM.
>
> <grin> One other tack I was considering was setting up rlm_krb5, since
> I'm really using PAM as a front end to our Kerberos servers. While PAM
> gave me the additional fallback option of using a user's local password,
> it may not be worth it (since the logging is indeed not very good...).
>
> > > The BayStack is *not* a piece of crap, despite the fact
> > > that it doesn't do RADIUS authentication in the best possible way.
> >
> > They've gone out of their way to make it *harder* to use. That
> > disappoints me.
> >
> > Say your NAS comes back up after a power outage, and fires 5k
> > requests to the RADIUS server, when everyone dials in again. The
> > server MAY take a second or so to respond, under the high load. In
> > the meantime, the BayStack will time out (VERY quickly), and reject
> > many of the users.
> >
> > This is equipment you want to base your network on? That would make
> > *me* nervous...
>
> Except that in this case, the BayStack is not a NAS, it is merely a
> RADIUS client. It uses RADIUS to authenticate users who attempt to log
> into the switch for management purposes. This only happens a few times
> per day (let alone per second).
>
> When the BayStack becomes a NAS - and it will, as EAP becomes more
> practical for Ethernet-connected workstations - we will address the
> effective DoS scenario with Nortel. In the meantime, though, I still
> think it's a pretty good box.
>
> > > I agree, with the reservation that while FreeRADIUS works
> > > very well and is highly configurable, there is a severe lack of
> > > documentation (which is somewhat reasonable since it is still in 0.xx versions)
> >
> > Well, it *is* free software, which is generally well known for
> > having poor documentation.
>
> Yes and no, but it's certainly fair to say that free software in its
> alpha version isn't going to have PDF manuals yet. :-) I mean the
> thing isn't even finished yet! :-P
>
> As it comes closer to v1.0, though, documentation - hopefully
> user-contributed - will become a necessity. I'll help where I can (I
> plan to stick with this server until somebody pries it from my RedHat
> box with a crowbar).
>
> > > and its developers are extremely opinionated and sensitive to
> > > criticism. :-/
> >
> > I can't speak for others here, but I know *I'm* sensitive to a lot
> > of things which aren't criticism. If you say "The server core dumped
> > on me, I hate it, it's crap", I'll most likely agree with you.
> >
> > On the other hand, many comments involve a lack of awareness of how
> > RADIUS works, or how Unix systems work. There's not much that can be
> > said there, other than "go read the OTHER guy's documentation, that's
> > not part of FreeRADIUS." Other comments involve people unwilling or
> > unable to read what documentation exists, and *those* get blunt
> > responses from me.
> >
> > > THEREFORE, my biggest worry at the moment is how I can use
> > > FreeRADIUS to authenticate people logging into BayStacks, using PAM as the local
> > > authentication method on the RADIUS server side *without* having to
> > > create user accounts on the RADIUS server for every switch admin.
> >
> > Find out why PAM is rejecting the users; all the server knows from
> > rlm_pam is that the authentication failed.
>
> <nods> 'Kay. Fair enough.
>
> --J
>
> --__--__--
>
> End of Freeradius-Users Digest
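The opening message asks how to read customers' passwords out of radius.log when they authenticate with CHAP. The server cannot: with CHAP the NAS sends a one-way hash of the password, which is why the log shows the placeholder <CHAP-Password> instead of a value. The Python below is an added example, not code from the original message or from FreeRADIUS; it implements the CHAP-Password construction of RFC 2865 section 5.3 (one octet of CHAP Ident followed by MD5(Ident || password || challenge), with the challenge taken from CHAP-Challenge or, failing that, the Request Authenticator) on both the NAS and the server side. The function names (chap_challenge, build_chap_password, verify_chap, demo), the sample password and the CHAP Ident values are my own.

```python
"""CHAP as carried in RADIUS (RFC 2865 section 5.3, RFC 1994).

The NAS never sends the password: it sends a one-byte CHAP Ident followed by
MD5(Ident || password || challenge).  The server recomputes the hash from the
cleartext password it has on file and compares.  Added example, not FreeRADIUS
code; all sample values are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def chap_challenge(request_authenticator: bytes,
                   chap_challenge_attr: Optional[bytes] = None) -> bytes:
    """RFC 2865 5.3: use the CHAP-Challenge attribute if the NAS sent one,
    otherwise the 16-octet Request Authenticator of the Access-Request."""
    if chap_challenge_attr:
        return chap_challenge_attr
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    return request_authenticator


def build_chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side: the 17-octet value of the CHAP-Password attribute."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP Ident must fit in one octet")
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes,
                stored_cleartext: Optional[bytes]) -> bool:
    """Server side: True only if the hash matches the cleartext on file.

    A crypt(), MD5 or NT hash on file is useless here, so the server needs a
    cleartext password for CHAP users.  On mismatch the caller learns nothing
    about what the user typed: the digest is one-way.
    """
    if stored_cleartext is None or len(chap_password) != 17:
        return False
    expected = build_chap_password(chap_password[0], stored_cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


def demo() -> Dict[str, object]:
    """One Access-Request worth of CHAP, with the checks a server would make."""
    password = b"correct-horse"               # constructed; known to user and server only
    request_authenticator = os.urandom(16)    # random per request, chosen by the NAS
    challenge = chap_challenge(request_authenticator)
    chap_pw = build_chap_password(0x2A, password, challenge)

    return {
        "attr_len": len(chap_pw),                                        # 17 octets on the wire
        "ok": verify_chap(chap_pw, challenge, password),                 # correct cleartext on file
        "wrong_password": verify_chap(chap_pw, challenge, b"wrong"),     # user typed something else
        "wrong_challenge": verify_chap(chap_pw, os.urandom(16), password),  # replayed against a new request
        "no_cleartext_on_file": verify_chap(chap_pw, challenge, None),   # only a hash stored: cannot check
        "bad_length": verify_chap(chap_pw[:16], challenge, password),    # malformed attribute
        "explicit_chap_challenge_attr": verify_chap(
            build_chap_password(1, password, b"nas-chosen-challenge"),
            chap_challenge(request_authenticator, b"nas-chosen-challenge"),
            password,
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The consequence for troubleshooting is that neither radius.log nor debug output can give the cleartext back; the most the server can report is whether the hash matched. If a CHAP user is rejected, the things worth checking are that the entry on file really is the cleartext password (not a crypt() or other hash) and that the NAS and server agree on the challenge.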
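Message 12 above flags a User-Password attribute inside an Access-Challenge and says that should never happen. The Python below is an added example, not part of the digest or of FreeRADIUS: a check over server debug output in the format shown in that message (a "Sending <Code> of id N to host:port" line followed by one "Attribute = value" line per attribute) that reports any credential-bearing attribute in a packet the server sends. The sample lines reuse the attributes quoted in message 12 (without the EAP-Message line) and add one constructed, clean Access-Accept for contrast; the SECRET_ATTRS set and the function names are mine.

```python
"""Scan FreeRADIUS debug output for secrets in packets the server sends.

Format handled: a 'Sending <Code> of id <N> to <host:port>' line followed by
indented 'Attribute = value' lines, as quoted in message 12 above.  Added
example, not FreeRADIUS code.
"""
import re
from typing import Dict, List

# Attributes that carry a credential and have no business in a reply.
SECRET_ATTRS = {"User-Password", "CHAP-Password", "Cleartext-Password"}

SENDING_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+)")
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")

# Constructed sample: the Access-Challenge quoted in message 12 (minus the
# EAP-Message line) plus one clean Access-Accept for contrast.
SAMPLE_DEBUG = [
    "modcall: group authenticate returns ok",
    "radius_xlat: 'Coucou Mathieu'",
    "Sending Access-Challenge of id 4 to 134.214.79.172:192",
    '\tUser-Name = "portable"',
    '\tUser-Password = "portable"',
    '\tReply-Message = "Coucou Mathieu"',
    "\tMessage-Authenticator = 0x00000000000000000000000000000000",
    "\tState = 0x0e3eafaa13bde6170947e6a9c48e97f6f295ad3c996cb47d000dbb24cb4b05b943d8a3c5",
    "",
    "Sending Access-Accept of id 5 to 192.0.2.10:1645",
    "\tFramed-IP-Address = 192.0.2.99",
    '\tReply-Message = "Welcome"',
]


def parse_sent_packets(lines: List[str]) -> List[Dict]:
    """Group each 'Sending ...' header with the attribute lines under it."""
    packets: List[Dict] = []
    current = None
    for line in lines:
        m = SENDING_RE.match(line)
        if m:
            current = {"code": m.group(1), "id": int(m.group(2)),
                       "to": m.group(3), "attrs": {}}
            packets.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"][m.group(1)] = m.group(2)
            continue
        current = None   # any other line ends the packet's attribute list
    return packets


def find_leaked_secrets(lines: List[str]) -> List[str]:
    """One finding per secret attribute in any packet the server sent."""
    findings = []
    for pkt in parse_sent_packets(lines):
        for name in sorted(pkt["attrs"]):
            if name in SECRET_ATTRS:
                findings.append(
                    f"{pkt['code']} id {pkt['id']} to {pkt['to']} carries {name}")
    return findings


if __name__ == "__main__":
    for finding in find_leaked_secrets(SAMPLE_DEBUG):
        print("LEAK:", finding)
```

Run against a captured debug log, a hit names the reply packet and the offending attribute; that points at the configuration the reply items are built from, which is where Raghu's advice in message 12 points as well. A reply carrying User-Password is a problem even when the challenge fails, because the NAS and anyone on the path between NAS and server see the attribute in the clear apart from the RADIUS obfuscation keyed on the shared secret.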