Hi everyone,
in my radius.log file, some of my customers come in as
userxyz, <CHAP-Password>
Now how can I see their passwords, as I need to troubleshoot sometimes?
thanx

iq
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 09, 2002 7:51 AM
Subject: Freeradius-Users digest, Vol 1 #637 - 20 msgs


> Send Freeradius-Users mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.cistron.nl/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>   1. Re: FreeRADIUS and PAM (Alan DeKok)
>   2. Re: Weird accounting entry (Alan DeKok)
>   3. RE: FreeRADIUS and PAM (McNutt, Justin M.)
>   4. Re: FreeRadius 0.5 and Debian 3.0 (Chad Miller)
>   5. Re: freeradius and mysql (Alan DeKok)
>   6. Re: freeradius port (Alan DeKok)
>   7. Re: odd error since switching to an L2TP config (Alan DeKok)
>   8. Re: freeradius and mysql (tywe)
>   9. RE: Weird accounting entry (Edgard Castro)
>   10. Re: FreeRadius 0.5 and Debian 3.0 (Florin Andrei)
>   11. freeradius troubles with cisco access point (David Wong)
>   12. Re: Pb configuring EAP/MD5 auth with Orinoco AP1000 (Raghu)
>   13. RE: freeradius port (Michael S. McCollough)
>   14. Re: Core dump when user is in group (mysql) (Alan DeKok)
>   15. Re: how does the detail file work. (Alan DeKok)
>   16. Re: FreeRadius 0.5 with mysql 3.22.32 (Alan DeKok)
>   17. Re: freeradius and mysql (Artur Hecker)
>   18. Re: FreeRADIUS and PAM (Alan DeKok)
>   19. Re: FreeRADIUS and PAM (Steve Langasek)
>   20. RE: FreeRADIUS and PAM (McNutt, Justin M.)
>
> --__--__--
>
> Message: 1
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRADIUS and PAM
> Date: Mon, 08 Apr 2002 11:55:21 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > >   PAM does username/password authentication, nothing else.
> >
> > Not so.  PAM can provide several different authorization functions as
> > well.
>
>   ... and for authentication, it does username/password (or
> equivalents)
>
> > I figured this one out.  FreeRADIUS has an option to delay the response.
> >  This delay - even if set to only a second or two - is more than the
> > BayStack is willing to wait.
>
>   Then the BayStack is a piece of crap.
>
>   That's why FreeRADIUS isn't a piece of crap, and is configurable.
>
>
>   Of course, you've now opened yourself up to a DoS attack, but that's
> life.
>
>   Alan DeKok.
>
>
> --__--__--
>
> Message: 2
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Weird accounting entry
> Date: Mon, 08 Apr 2002 11:55:58 -0400
> Reply-To: [EMAIL PROTECTED]
>
> Edgard Castro <[EMAIL PROTECTED]> wrote:
> > See? I just got that error because I have a program that process the detail
> > to import to a database. Anyone got that before?
>
>   Nope.  Are you sure your script isn't breaking things?
>
>   Alan DeKok.
>
>
> --__--__--
>
> Message: 3
> Subject: RE: FreeRADIUS and PAM
> Date: Mon, 8 Apr 2002 11:05:17 -0500
> From: "McNutt, Justin M." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
>
> > "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > > >   PAM does username/password authentication, nothing else.
> > >
> > > Not so.  PAM can provide several different authorization functions as
> > > well.
> >
> >   ... and for authentication, it does username/password (or
> > equivalents)
>
> But RADIUS does more than authentication, which is my point.  RADIUS is
> responsible for both authentication - via username/password - and
> authorization - via attribute pairs.
>
> So my original question, slightly reworded, is "If PAM is able to
> authenticate me correctly, which it does, why does FreeRADIUS still
> return a reject unless there is a local account?"  This would seem to be
> a function of what FreeRADIUS requests of PAM.
>
> > > I figured this one out.  FreeRADIUS has an option to delay
> > > the response.
> > >  This delay - even if set to only a second or two - is more than the
> > > BayStack is willing to wait.
> >
> >   Then the BayStack is a piece of crap.
>
> Was this observation really necessary?  I provided the information above
> for everyone's use, not for value judgements of the BayStack.
>
> The BayStack is *not* a piece of crap, despite the fact that it doesn't
> do RADIUS authentication in the best possible way.
>
> >   That's why FreeRADIUS isn't a piece of crap, and is configurable.
>
> I agree, with the reservation that while FreeRADIUS works very well and
> is highly configurable, there is a severe lack of documentation (which
> is somewhat reasonable since it is still in 0.xx versions) and its
> developers are extremely opinionated and sensitive to criticism.  :-/
>
> >   Of course, you've now opened yourself up to a DoS attack, but that's
> > life.
>
> True.  However, I need to deal with the problems in my network one at a
> time.  Right now, convenient authenticated access to the switches for
> our administrators is the larger problem.  I have several Nortel folks
> to whom I can speak about improvements to the RADIUS code if I need to
> address those other problems later.  They have been listening when it
> comes to security issues in general (for example, they are implementing
> SNMPv3 quite soon), so I am confident that this is not a waste of time.
>
> THEREFORE, my biggest worry at the moment is how I can use FreeRADIUS to
> authenticate people logging into BayStacks, using PAM as the local
> authentication method on the RADIUS server side *without* having to
> create user accounts on the RADIUS server for every switch admin.
>
> --J
>
>
> --__--__--
>
> Message: 4
> Date: Mon, 8 Apr 2002 09:30:33 -0700
> From: Chad Miller <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRadius 0.5 and Debian 3.0
> Reply-To: [EMAIL PROTECTED]
>
> > From: "Andrew Tait" <[EMAIL PROTECTED]>
> > Subject: FreeRadius 0.5 and Debian 3.0
> > Date: Mon, 8 Apr 2002 15:34:20 +1000
> >
> > The radiusd-freeradius packages have been REMOVED from Debian testing/woody,
> > because of the severe bugs
> > (http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=radiusd-freeradius&repeatmerged=yes)
> > outstanding, and the fact that the debian package is outdated
> > (0.4)
> >
> > If freeradius is going to be in the Debian distribution, now is the time to
> > get it in there. Woody is getting close to release (1st May is probable
> > date).
>
> I (the current maintainer) am working on it.
>
>
> > ---
> > From: Matthew Wallis <[EMAIL PROTECTED]>
> > Can apt be setup to get a nightly snapshot, compile, and install that?
>
> With some simple scripting, it's possible.
>
> > While it would be nice to have FreeRadius in Debian, I think the
> > current release cycle is entirely too fast for it.
> >
> > 0.5 was released less than a month ago, and the nightly builds
> > already far surpass it.
> >
> > I don't believe packaging is the issue for FreeRadius, simply that
> > the amount of work currently being done, means that no package
> > would stay in Debian for more than a night.
>
> Matthew's right.  The rate of development makes it awfully hard to plan
> releases.  IMO, FreeRADIUS needs a "stable" branch that is pushed towards
> 1.0, instead of the whole tree being in a perpetual alpha-state.  That
> means no EAP, no Python module, no $whiz_bang_untested_feature, and I'm not
> sure anyone is willing to draw a line, as yet, and that makes my job
> awfully hard.
>
> Freeze, branch a stable tree, backport bugfixes, wait, release.
>
> I'll release a CVS snapshot, likely.  :(
>
> - chad
>
> --
> Chad Miller <[EMAIL PROTECTED]>
> <url: http://www.advogato.org/person/cmiller/>
>   ``Having a smoking section in a restaurant is
>     like having a peeing section in a pool.''
>
>
> --__--__--
>
> Message: 5
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: freeradius and mysql
> Date: Mon, 08 Apr 2002 13:24:35 -0400
> Reply-To: [EMAIL PROTECTED]
>
> Artur Hecker <[EMAIL PROTECTED]> wrote:
> > i don't use sql and it doesn't work either. the files are the
> > equivalents of the system-wide utmp, wtmp, etc. files, if i'm not
> > completely wrong.
>
>   SQL accounting is NOT the equivalent of utmp/wtmp.  Even utmp/wtmp
> are not equivalent.  They have different purposes.
>
>   I have a patch sitting somewhere which adds the ability for SQL to
> do Simultaneous-Use checks, that might help.
>
> > in fact i'm waiting for a note/comment of one of the
> > developers (alan?) but the issue is either well-known or not important
> > since there is no answer in spite of numerous posts.
>
>   ... or the answer is unknown.  I don't use SQL, so I'm not too
> familiar with it.
>
>   Alan DeKok.
>
>
> --__--__--
>
> Message: 6
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: freeradius port
> Date: Mon, 08 Apr 2002 13:25:34 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "yoav" <[EMAIL PROTECTED]> wrote:
> > is it possible to tell radiusd to run on more than one port?
>
>   Right now, no.
>
> > if not,any idea?
>
>   Change the code in the server, src/main/radiusd.c
>
>   Patches are always welcome.
>
>   Alan DeKok.
>
>
> --__--__--
>
> Message: 7
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: odd error since switching to an L2TP config
> Date: Mon, 08 Apr 2002 13:33:12 -0400
> Reply-To: [EMAIL PROTECTED]
>
> John <[EMAIL PROTECTED]> wrote:
> > Since we've switched to the L2TP config, we now see an odd thing when people
> > are logging in with a '[EMAIL PROTECTED]' username. If they log in with
> > '[EMAIL PROTECTED]' we see something like:
> >
> > Sun Apr  7 13:02:12 2002 : Auth: Login incorrect: [realm.com/cisco]
> > (from nas l2tp port 35 cli 2015790101)
>
>   That's a "username/password" log message.  It looks to me like your
> NAS is sending an additional authentication request to the server.
>
>   Run the server in debugging mode to see whether or not this is
> happening.
>
> > Also, am having trouble finding a way to search the list archives at
> > http://lists.cistron.nl/archives/freeradius-users/2002/04/ - is there a
> > search tool available on that server?
>
>   Have you read the FAQ?
>
>   Alan DeKok.
>
>
> --__--__--
>
> Message: 8
> From: "tywe" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: freeradius and mysql
> Date: Mon, 8 Apr 2002 14:00:41 -0400
> Reply-To: [EMAIL PROTECTED]
>
> >   I have a patch sitting somewhere which adds the ability for SQL to
> > do Simultaneous-Use checks, that might help.
>
> If you can dig up that patch and post it, I will greatly appreciate it. So
> other than Simultaneous-Use, what else do the tmp files do for me? I'm just
> trying to see if I need to get them working, or if I can just not worry
> about it and rely on SQL accounting.
>
> Thanks!!
>
> Frank
>
>
>
>
>
> --__--__--
>
> Message: 9
> From: Edgard Castro <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'"
> <[EMAIL PROTECTED]>
> Subject: RE: Weird accounting entry
> Date: Mon, 8 Apr 2002 15:18:24 -0300
> Reply-To: [EMAIL PROTECTED]
>
> Not really, this is the untouched detail archive. The only thing that the
> rotate script does is stop the radius server, rename the detail and restart
> it again.
>
> Weeeeeiiird.
>
>
>
> > -----Original Message-----
> > From: Alan DeKok [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, April 08, 2002 12:56 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Weird accounting entry
> >
> >
> > Edgard Castro <[EMAIL PROTECTED]> wrote:
> > > See? I just got that error because I have a program that
> > process the detail
> > > to import to a database. Anyone got that before?
> >
> >   Nope.  Are you sure your script isn't breaking things?
> >
> >   Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
> --__--__--
>
> Message: 10
> Subject: Re: FreeRadius 0.5 and Debian 3.0
> From: Florin Andrei <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> <[EMAIL PROTECTED]>
> Date: 08 Apr 2002 11:54:52 -0700
> Reply-To: [EMAIL PROTECTED]
>
> On Mon, 2002-04-08 at 09:30, Chad Miller wrote:
> >
> > Matthew's right.  The rate of development makes it awfully hard to plan
> > releases.  IMO, FreeRADIUS needs a "stable" branch that is pushed towards
> > 1.0, instead of the whole tree being in a perpetual alpha-state.  That
> > means no EAP, no Python module, no $whiz_bang_untested_feature
>
> That would be awesome!
>
> I would like to deploy FreeRadius in production, as an authorization
> server (keep the allowed IPs for each user in MySQL with FreeRadius) and
> pushing the authentication to another Radius server (using FreeRadius's
> proxy feature), but the current status of the source tree kind of scares
> me. :-/
>
> I mean, for me, if only the MySQL authorization backend and the Radius
> proxy authentication would be "stable" - that should be theoretically
> enough. But there's a ton of other things that make me wait for a stable
> release. Which kind of sucks, because FreeRadius is so cool. ;-)
>
> --
> Florin Andrei
>
> A bug is a feature that can't be turned off.
>
>
>
> --__--__--
>
> Message: 11
> Date: Mon, 8 Apr 2002 12:19:55 -0700 (PDT)
> From: David Wong <[EMAIL PROTECTED]>
> Subject: freeradius troubles with cisco access point
> To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
>
> can anybody verify if freeradius works with cisco's
> 350 series wireless access point?  and if not, can
> anyone recommend a radius server that does work with
> that access point (besides cisco's radius server)?
> thanks in advance.
>
>
>
> --__--__--
>
> Message: 12
> Date: Mon, 08 Apr 2002 12:49:01 -0700
> From: Raghu <[EMAIL PROTECTED]>
> Organization: HereUAre Communications
> To: [EMAIL PROTECTED]
> Subject: Re: Pb configuring EAP/MD5 auth with Orinoco AP1000
> Reply-To: [EMAIL PROTECTED]
>
> > EAP-Message = "\002\004\000\r\001portable"
> > modcall: group authenticate returns ok
>
> > radius_xlat:  'Coucou Mathieu'
>
> > Sending Access-Challenge of id 4 to 134.214.79.172:192
> > User-Name = "portable"
> > User-Password = "portable"
> > Reply-Message = "Coucou Mathieu"
> > EAP-Message =
> > "\001\004\000\026\004\020[\212\202\037\031\201\001v\244\362\212\317\350+\360"
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State =
> > 0x0e3eafaa13bde6170947e6a9c48e97f6f295ad3c996cb47d000dbb24cb4b05b943d8a3c5
> >
> > ... And then no answer, XP client cannot connect to the network...
>
> Strangely, the Access-Challenge is sending a User-Password attribute.
> Check your radius configuration. This should never happen.
>
> I am not sure about the Orinoco AP-1000.
>
> -Raghu
>
>
> --__--__--
>
> Message: 13
> From: "Michael S. McCollough" <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'"
> <[EMAIL PROTECTED]>
> Subject: RE: freeradius port
> Date: Mon, 8 Apr 2002 15:49:51 -0400
> Reply-To: [EMAIL PROTECTED]
>
> Not sure if there are other implications or not, but I did a quick test of:
>
> 1) ran radiusd.init start
> 2) radiusd -p 1645
>
> First command runs the normal init script and starts radius on port 1812.
> Second command runs the radiusd executable with the port flag -p to specify
> port 1645 (it still reads the normal config file and gets everything except
> the port from there).
>
> I tested authentication on both ports using the above config and it worked.
> You could modify your start scripts to use the above config if wanted. I am
> not sure about accounting and any locking that may take place on the files.
> I haven't used freeradius extensively, but accounting files in versions I
> have used are named by the client's shortname so there should be no file
> sharing/contention.
>
>
> Hope this helps.
>
> --
> Michael
>
>
>
> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 08, 2002 1:26 PM
> To: [EMAIL PROTECTED]
> Subject: Re: freeradius port
>
>
> "yoav" <[EMAIL PROTECTED]> wrote:
> > is it possible to tell radiusd to run on more than one port?
>
>   Right now, no.
>
> > if not,any idea?
>
>   Change the code in the server, src/main/radiusd.c
>
>   Patches are always welcome.
>
>   Alan DeKok.
>
>
>
> --__--__--
>
> Message: 14
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Core dump when user is in group (mysql)
> Date: Mon, 08 Apr 2002 16:10:35 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "Veli-Matti Riepula" <[EMAIL PROTECTED]> wrote:
> > I have a RH7.2 box running on standard kernel with FR 0.5 and mysql 3.23.40.
> > When I try to authenticate a user that is mapped into any group in usergroup
> > table, I get a core dump.
>
>   Can you read 'doc/bugs', and post the relevant information to the
> list?
>
>   Alan DeKok.
>
>
> --__--__--
>
> Message: 15
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: how does the detail file work.
> Date: Mon, 08 Apr 2002 16:13:45 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "freeradlist@GoldenIT" <[EMAIL PROTECTED]> wrote:
> > I am new to free radius. It is working fine for me. I
> > was just wondering how does the "detail file
> > (/usr/local/var/log/radius/radaact/ip/detail)" work in free radius. I mean
> > does it give us stats on a daily basis or weekly basis, is it written over
> > daily or weekly, or does it keep the record since radius was installed?
>
>   It's never over-written.  It's an append-only log.
>
>   If you want daily/weekly versions, see 'doc/variables.txt'.  In
> 'radiusd.conf', you can use:
>
> detailfile = ${radacctdir}/%{Client-IP-Address}/%Y-%m/%d.detail
>
>   To get a monthly directory, with different detail files for each
> day.  Then you don't have to do any rotation of the files.
>
> >  I have software that imports detail file once a month and make
> > stats out of it. I was wondering if detail file is getting written
> > over every day if yes then how will we make monthly stats.
>
>   Read 'doc/variables.txt', and edit 'detailfile' in 'radiusd.conf'
>
>   Alan DeKok.
>
>
> --__--__--
>
> Message: 16
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRadius 0.5 with mysql 3.22.32
> Date: Mon, 08 Apr 2002 16:15:04 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "Tsui Kai Ho Kyo" <[EMAIL PROTECTED]> wrote:
> > I had configured my free-radius 0.5 on redhat 6.2 linux server.
> > I run the server by using "./radiusd -xxyz -l stdout"
> > The problem is that my dial up users got "Error 5: access denied",
> > however, the standard output shown things ok..
>
>   Uh, no.  You posted an *accounting* message.  Authentication is
> different.
>
> > one more thing..
> > I can find the record for username "egtwc98" at radacct table too...
>
>   Use your SQL tools?
>
>   Alan DeKok.
>
>
> --__--__--
>
> Message: 17
> Date: Mon, 08 Apr 2002 22:21:35 +0200
> From: Artur Hecker <[EMAIL PROTECTED]>
> Organization: priv
> To: [EMAIL PROTECTED]
> Subject: Re: freeradius and mysql
> Reply-To: [EMAIL PROTECTED]
>
>
>
> Alan DeKok wrote:
> >
> > Artur Hecker <[EMAIL PROTECTED]> wrote:
> > > i don't use sql and it doesn't work either. the files are the
> > > equivalents of the system-wide utmp, wtmp, etc. files, if i'm not
> > > completely wrong.
> >
> >   SQL accounting is NOT the equivalent of utmp/wtmp.  Even utmp/wtmp
> > are not equivalent.  They have different purposes.
>
> you got it wrong. we were talking about the sense of the
> radutmp/sradutmp/radwtmp files. Frank just supposed that these files
> don't exist in his case because of the usage of SQL accounting. I
> answered that they do not exist in my case either, even though I don't
> use the SQL accounting.
>
>
> >   ... or the answer is unknown.  I don't use SQL, so I'm not too
> > familiar with it.
>
> again, the problem was not the SQL and whatsoever dependent on it. for
> plenty of people here the problem is the *tmp files which DO NOT exist
> even if the modules ARE active.
>
> do you have an idea on this topic?
>
> it just doesn't log anything, in my case for example. I've already
> posted this issue here at least three times with all the needed
> information, I would suppose...
>
> Thanks,
>
> artur
>
> --
> artur[at]hecker.info
>
>
> --__--__--
>
> Message: 18
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRADIUS and PAM
> Date: Mon, 08 Apr 2002 16:34:39 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > So my original question, slightly reworded, is "If PAM is able to
> > authenticate me correctly, which it does, why does FreeRADIUS still
> > return a reject unless there is a local account?"  This would seem to be
> > a function of what FreeRADIUS requests of PAM.
>
>   I'm not sure why.  As I said before, the PAM code in FreeRADIUS is
> copied pretty much verbatim from the Cistron source.  And the
> 'username/password' authentication part of PAM is pretty hard to get
> wrong.
>
>   I would suggest looking at the PAM logs, to see why it decides to
> not authenticate the user.
>
>   What, you say?  There's no PAM logs?  Or, at least, no
> useful/helpful logs, and no way of debugging PAM's internals?
>
>   I hate PAM.
>
> > Was this observation really necessary.  I provided the information above
> > for everyone's use, not for value judgements of the BayStack.
>
>   I judge what I see.  I've seen other NAS boxes do similar, or much
> worse things.  I'm disappointed with them.
>
> > The BayStack is *not* a piece of crap, despite the fact that it doesn't
> > do RADIUS authentication in the best possible way.
>
>   They've gone out of their way to make it *harder* to use.  That
> disappoints me.
>
>   Say your NAS comes back up after a power outage, and fires 5k
> requests to the RADIUS server, when everyone dials in again.  The
> server MAY take a second or so to respond, under the high load.  In
> the mean time, the BayStack will time out (VERY quickly), and reject
> many of the users.
>
>   This is equipment you want to base your network on?  That would make
> *me* nervous...
>
> > I agree, with the reservation that while FreeRADIUS works very well and
> > is highly configurable, there is a severe lack of documentation (which
> > is somewhat reasonable since it is still in 0.xx versions)
>
>   Well, it *is* free software, which is generally well known for
> having poor documentation.
>
> > and its developers are extremely opinionated and sensitive to
> > criticism.  :-/
>
>   I can't speak for others here, but I know *I'm* sensitive to a lot
> of things which aren't criticism.  If you say "The server core dumped
> on me, I hate it, it's crap", I'll most likely agree with you.
>
>   On the other hand, many comments involve a lack of awareness of how
> RADIUS works, or how Unix systems work.  There's not much that can be
> said there, other than "go read the OTHER guy's documentation, that's
> not part of FreeRADIUS."  Other comments involve people unwilling or
> unable to read what documentation exists, and *those* get blunt
> responses from me.
>
> > THEREFORE, my biggest worry at the moment is how I can use FreeRADIUS to
> > authenticate people logging into BayStacks, using PAM as the local
> > authentication method on the RADIUS server side *without* having to
> > create user accounts on the RADIUS server for every switch admin.
>
>   Find out why PAM is rejecting the users, all the server knows from
> rlm_pam is that the authentication failed.
>
>   Alan DeKok.
>
>
> --__--__--
>
> Message: 19
> Date: Mon, 8 Apr 2002 15:55:14 -0500
> From: Steve Langasek <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRADIUS and PAM
> Reply-To: [EMAIL PROTECTED]
>
>
>
> Justin,
>
> On Mon, Apr 08, 2002 at 04:34:39PM -0400, Alan DeKok wrote:
> > "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > > So my original question, slightly reworded, is "If PAM is able to
> > > authenticate me correctly, which it does, why does FreeRADIUS still
> > > return a reject unless there is a local account?"  This would seem to be
> > > a function of what FreeRADIUS requests of PAM.
>
> >   I'm not sure why.  As I said before, the PAM code in FreeRADIUS is
> > copied pretty much verbatim from the Cistron source.  And the
> > 'username/password' authentication part of PAM is pretty hard to get
> > wrong.
>
> >   I would suggest looking at the PAM logs, to see why it decides to
> > not authenticate the user.
>
> PAM itself doesn't care about local vs. non-local accounts.  If you're
> having trouble with this, you almost certainly have a module in your PAM
> config which you shouldn't -- such as pam_unix, which by definition
> requires local accounts and will give you a failure for anything else.
>
> Someone on the list may be able to pinpoint the exact trouble if you
> dump us your PAM config for freeradius.
>
> Steve Langasek
> postmodern programmer
>
>
>
> --__--__--
>
> Message: 20
> Subject: RE: FreeRADIUS and PAM
> Date: Mon, 8 Apr 2002 16:49:35 -0500
> From: "McNutt, Justin M." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
>
> > "McNutt, Justin M." <[EMAIL PROTECTED]> wrote:
> > > So my original question, slightly reworded, is "If PAM is able to
> > > authenticate me correctly, which it does, why does FreeRADIUS still
> > > return a reject unless there is a local account?"  This would seem to be
> > > a function of what FreeRADIUS requests of PAM.
> >
> >   I'm not sure why.  As I said before, the PAM code in FreeRADIUS is
> > copied pretty much verbatim from the Cistron source.  And the
> > 'username/password' authentication part of PAM is pretty hard to get
> > wrong.
> >
> >   I would suggest looking at the PAM logs, to see why it decides to
> > not authenticate the user.
>
> Hrmmm... 'kay.
>
> >   What, you say?  There's no PAM logs?  Or, at least, no
> > useful/helpful logs, and no way of debugging PAM's internals?
> >
> >   I hate PAM.
>
> <grin>  One other tack I was considering was setting up rlm_krb5, since
> I'm really using PAM as a front end to our Kerberos servers.  While PAM
> gave me the additional fallback option of using a user's local password,
> it may not be worth it (since the logging is indeed not very good...).
>
> > > The BayStack is *not* a piece of crap, despite the fact that it doesn't
> > > do RADIUS authentication in the best possible way.
> >
> >   They've gone out of their way to make it *harder* to use.  That
> > disappoints me.
> >
> >   Say your NAS comes back up after a power outage, and fires 5k
> > requests to the RADIUS server, when everyone dials in again.  The
> > server MAY take a second or so to respond, under the high load.  In
> > the mean time, the BayStack will time out (VERY quickly), and reject
> > many of the users.
> >
> >   This is equipment you want to base your network on?  That would make
> > *me* nervous...
>
> Except that in this case, the BayStack is not a NAS, it is merely a
> RADIUS client.  It uses RADIUS to authenticate users who attempt to log
> into the switch for management purposes.  This only happens a few times
> per day (let alone per second).
>
> When the BayStack becomes a NAS - and it will, as EAP becomes more
> practical for Ethernet-connected workstations - we will address the
> effective DoS scenario with Nortel.  In the meantime, though, I still
> think it's a pretty good box.
>
> > > I agree, with the reservation that while FreeRADIUS works very well and
> > > is highly configurable, there is a severe lack of documentation (which
> > > is somewhat reasonable since it is still in 0.xx versions)
> >
> >   Well, it *is* free software, which is generally well known for
> > having poor documentation.
>
> Yes and no, but it's certainly fair to say that free software in its
> alpha version isn't going to have PDF manuals yet.  :-)  I mean the
> thing isn't even finished yet!  :-P
>
> As it comes closer to v1.0, though, documentation - hopefully
> user-contributed - will become a necessity.  I'll help where I can (I
> plan to stick with this server until somebody pries it from my RedHat
> box with a crowbar).
>
> > > and its developers are extremely opinionated and sensitive to
> > > criticism.  :-/
> >
> >   I can't speak for others here, but I know *I'm* sensitive to a lot
> > of things which aren't criticism.  If you say "The server core dumped
> > on me, I hate it, it's crap", I'll most likely agree with you.
> >
> >   On the other hand, many comments involve a lack of awareness of how
> > RADIUS works, or how Unix systems work.  There's not much that can be
> > said there, other than "go read the OTHER guy's documentation, that's
> > not part of FreeRADIUS."  Other comments involve people unwilling or
> > unable to read what documentation exists, and *those* get blunt
> > responses from me.
> >
> > > THEREFORE, my biggest worry at the moment is how I can use FreeRADIUS to
> > > authenticate people logging into BayStacks, using PAM as the local
> > > authentication method on the RADIUS server side *without* having to
> > > create user accounts on the RADIUS server for every switch admin.
> >
> >   Find out why PAM is rejecting the users, all the server knows from
> > rlm_pam is that the authentication failed.
>
> <nods>  'Kay.  Fair enough.
>
> --J
>
>
>
> --__--__--
>
> End of Freeradius-Users Digest
>

