Frank,

One stupid question, from your explanation, we don't need to put the
users' password in the database/users file in order to authenticate, do
we?
The radius server will just simply pass the users' password (which is
entered by the user during login) to the authentication mechanism, is
that correct?
Sorry to be an annoyance.

Thanks

-----Original Message-----
From: Frank Cusack [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 24, 2002 10:13 AM
To: [EMAIL PROTECTED]
Subject: Re: radiusd allows users with any password


On Thu, May 23, 2002 at 08:48:41PM -0400, Aamer Akhter wrote:
> Frank,
> 
> shouldn't it worry about the password? or am i missing something?

freeradius does not care about the password, it passes on the password
to PAM.  PAM is authenticating the user, freeradius is merely relaying
the response.  Your PAM setup is allowing all users.

What does your PAM config look like?  Note that freeradius is using PAM
service name 'radiusd' (from the logs).  If you don't have rules for that
service, PAM will use the rules for service 'other'.

/fc

> 
> ----- Original Message -----
> From: "Frank Cusack" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, May 23, 2002 8:35 PM
> Subject: Re: radiusd allows users with any password
> 
> 
> > Looks normal.  Your PAM setup is authenticating the user.  You can't have
> > multiple auth-types, so the PAM one is the only one being used.
> >
> > /fc
> >
> > On Thu, May 23, 2002 at 08:04:20PM -0400, Aamer Akhter wrote:
> > > Hello,
> > >
> > > I'm having a weird problem with the latest build from CVS. I admit that this
> > > problem may have been there for a while and I didn't know about it.
> > >
> > > So what's happening is that radiusd will send an Access-Accept as long as the
> > > user is valid (without regard for the password). So as long as I enter the
> > > right username, the password doesn't seem to matter.
> > >
> > > Here is the debug output
> > >
> > >
> > > Thu May 23 10:25:53 2002 : Info: Ready to process requests.
> > > rad_recv: Access-Request packet from host 10.13.0.1:1645, id=75, length=78
> > >         NAS-IP-Address = 10.13.0.1
> > >         NAS-Port = 67
> > >         NAS-Port-Type = Virtual
> > >         User-Name = "aakhter"
> > >         Calling-Station-Id = "10.13.0.254"
> > >         User-Password = "*\213\256X\365g\363>2\022\342\264\307"\272\205"
> > > Thu May 23 10:25:58 2002 : Debug: modcall: entering group authorize
> > > Thu May 23 10:25:58 2002 : Debug:   modcall[authorize]: module "preprocess" returns ok
> > > Thu May 23 10:25:58 2002 : Debug:     rlm_realm: Looking up realm NULL for User-Name = "aakhter"
> > > Thu May 23 10:25:58 2002 : Debug:     rlm_realm: No such realm NULL
> > > Thu May 23 10:25:58 2002 : Debug:   modcall[authorize]: module "suffix" returns noop
> > > Thu May 23 10:25:58 2002 : Debug:     users: Matched DEFAULT at 13
> > > Thu May 23 10:25:58 2002 : Debug:   modcall[authorize]: module "files" returns ok
> > > Thu May 23 10:25:58 2002 : Debug: modcall: group authorize returns ok
> > > Thu May 23 10:25:58 2002 : Debug:   rad_check_password:  Found Auth-Type Pam
> > > Thu May 23 10:25:58 2002 : Debug: auth: type "Pam"
> > > Thu May 23 10:25:58 2002 : Debug: modcall: entering group authenticate
> > > Thu May 23 10:25:58 2002 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
> > > Thu May 23 10:25:58 2002 : Debug: pam_pass: authentication succeeded for <aakhter>
> > > Thu May 23 10:25:58 2002 : Debug:   modcall[authenticate]: module "pam" returns ok
> > > Thu May 23 10:25:58 2002 : Debug: modcall: group authenticate returns ok
> > > Sending Access-Accept of id 75 to 10.13.0.1:1645
> > >         Service-Type = Administrative-User
> > > Thu May 23 10:25:58 2002 : Debug: Finished request 0
> > > Thu May 23 10:25:58 2002 : Debug: Going to the next request
> > > Thu May 23 10:25:58 2002 : Debug: --- Walking the entire request list ---
> > > Thu May 23 10:25:58 2002 : Debug: Waking up in 6 seconds...
> > > Thu May 23 10:26:04 2002 : Debug: --- Walking the entire request list ---
> > > Thu May 23 10:26:04 2002 : Debug: Cleaning up request 0 ID 75 with timestamp 3cecfbf6
> > > Thu May 23 10:26:04 2002 : Debug: Nothing to do.  Sleeping until we see a request.
> > > Thu May 23 10:26:24 2002 : Error: MASTER: exit on signal (2)
> > >
> > > and my config:
> > > [root@nsite-mpls-1 /root]# more /etc/raddb/users
> > >
> > >
> > >
> > > ## PAM handles both local /etc/passwd stuff and NIS stuff.
> > > ## Auth-Type needs to be on the same line as DEFAULT
> > >
> > > DEFAULT         Auth-Type := Pam
> > >                 Service-Type = Shell-user,
> > >                 Fall-Through = YES
> > >
> > >
> > > smartbits       Auth-Type := Local, Password == "xx"
> > >                 Service-Type    ==      Login-user
> > >
> > >
> > > ## these are script passwords, so don't need to be easy to use
> > > cw2k            Auth-Type := Local, Password == "xx"
> > > aakhter-script  Auth-Type := Local, Password == "xx"
> > > rymcmaho-script Auth-Type := Local, Password == "xx"
> > > mbrown-script   Auth-Type := Local, Password == "xx"
> > > jguy-script     Auth-Type := Local, Password == "xx"
> > > rajiva-script   Auth-Type := Local, Password == "xx"
> > > asharma-script  Auth-Type := Local, Password == "xx"

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
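
The fallback Frank describes (no rules for service 'radiusd', so PAM uses 'other') can be checked mechanically. This is an added example, not part of the thread or of FreeRADIUS: it assumes a Linux-PAM `/etc/pam.d` layout, and the `WEAK`/`FIXED` configs, including the use of `pam_permit.so`, are constructed samples rather than the poster's actual setup.

```python
import re

# Constructed sample: /etc/pam.d contents keyed by file name (not from the thread).
WEAK = {
    "other": "auth required pam_permit.so\naccount required pam_permit.so\n",
    "system-auth": "auth required pam_unix.so\naccount required pam_unix.so\n",
}
FIXED = {
    "radiusd": "auth include system-auth\naccount include system-auth\n",
    "other": "auth required pam_deny.so\naccount required pam_deny.so\n",
    "system-auth": WEAK["system-auth"],
}
# type, control (plain word or [bracketed] form), module or included file
RULE = re.compile(r"\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(pam_d, name, seen=None):
    """Module names in the auth stack of file `name`, following include/substack."""
    seen = set() if seen is None else seen
    if name in seen or name not in pam_d:
        return []
    seen.add(name)
    modules = []
    for line in pam_d[name].splitlines():
        m = RULE.match(line.split("#", 1)[0])  # drop comments
        if not m or m.group(1) != "auth":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            modules += auth_modules(pam_d, target, seen)
        else:
            modules.append(target.rsplit("/", 1)[-1])
    return modules

def audit(pam_d, service="radiusd"):
    """Return (file PAM consults, auth modules, verdict) for `service`."""
    used = service if service in pam_d else "other"  # no rules for service -> 'other'
    mods = auth_modules(pam_d, used)
    if not mods:
        verdict = "no-auth-rules"
    elif all(m == "pam_permit.so" for m in mods):
        verdict = "accepts-any-password"
    elif "pam_permit.so" in mods:
        verdict = "review"  # outcome depends on control flags; inspect by hand
    else:
        verdict = "ok"
    return used, mods, verdict

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(cfg))
```

To audit a real host, build the dictionary from the files under `/etc/pam.d` instead of the constructed samples.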


