Phil,

Thanks for the response.  I checked radiusd.conf, which I never modified
after I installed freeradius, and the /etc/passwd et al. entries were
commented out.  I uncommented them, restarted radiusd, but still no go.
Regarding the DEFAULT entry on line 152, I looked at the users file (which I
also never modified after installing freeradius); this entry is:

DEFAULT Auth-Type = System
        Fall-Through = 1

which I understand to mean that authentication is done against /etc/passwd
etc.

BTW, someone suggested restarting radiusd and even the system.  I have done
this numerous times, so that is not a solution.

I ran radtest even against my account, but I still get Access-Reject.  I
know for a fact, and have verified, that the passwords for accounts I have
tested against are valid.

Some other notes regarding the installation of freeradius that may lead to a
clue:

1. Fedora installed openssl-0.9.7a-23.  I installed openssl-0.9.6l (by
compiling and building, not via rpm) into a separate area,
/usr/local/openssl, using the command:

        ./config --prefix=/usr/local/openssl shared

I used this version of openssl because config complained about not being
able to find 0.9.6 libs.

2. The startup script /etc/rc.d/init.d/radiusd sets up the environment as
shown below, so it uses the openssl 0.9.6l libs:

---------------------------------------------------------------------
prefix=/usr/local/freeradius
exec_prefix=${prefix}
sbindir=${exec_prefix}/sbin
localstatedir=${prefix}/var
logdir=/var/log/radius
rundir=${localstatedir}/run/radiusd
sysconfdir=${prefix}/etc

RADIUSD=$sbindir/radiusd
RADDBDIR=${sysconfdir}/raddb
DESC="FreeRADIUS"

LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_RUN_PATH=/usr/local/openssl/lib:
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_RUN_PATH LD_PRELOAD

#
#  See 'man radiusd' for details on command-line options.
#
ARGS=""

test -f $RADIUSD || exit 0
test -f $RADDBDIR/radiusd.conf || exit 0

case "$1" in
  start)
        echo -n "Starting $RADIUSD $ARGS:"
        $RADIUSD $ARGS
        echo "radiusd"
        ;;
-------------------------------------------------------------------------

3. Links to openssl libraries:

# ls -l /lib/libcrypto*
lrwxrwxrwx    1 root     root           14 Jan  6 16:59 /lib/libcrypto.so.0.9.6 -> libcrypto.so.4
-rwxr-xr-x    1 root     root       994000 Sep 30 18:00 /lib/libcrypto.so.0.9.7a
lrwxrwxrwx    1 root     root           19 Jan  6 16:59 /lib/libcrypto.so.4 -> libcrypto.so.0.9.7a
# ls -l /lib/libssl*
lrwxrwxrwx    1 root     root           11 Jan  6 16:59 /lib/libssl.so.0.9.6 -> libssl.so.4
-rwxr-xr-x    1 root     root       217512 Sep 30 18:00 /lib/libssl.so.0.9.7a
lrwxrwxrwx    1 root     root           16 Jan  6 16:59 /lib/libssl.so.4 -> libssl.so.0.9.7a
# ls -l /usr/lib/libcrypto*
-rw-r--r--    1 root     root      1893910 Sep 30 18:00 /usr/lib/libcrypto.a
-rw-r--r--    1 root     root      1893910 Sep 30 18:00 /usr/lib/libcrypto.a.orig
lrwxrwxrwx    1 root     root           29 Jan  6 16:54 /usr/lib/libcrypto.so -> ../../lib/libcrypto.so.0.9.7a
lrwxrwxrwx    1 root     root           31 Jan  5 22:24 /usr/lib/libcrypto.so.0.9.6 -> ../local/lib/libcrypto.so.0.9.6
lrwxrwxrwx    1 root     root           31 Jan  5 22:23 /usr/lib/libcrypto.so.0.9.6.1 -> ../local/lib/libcrypto.so.0.9.6
lrwxrwxrwx    1 root     root           19 Jan  6 17:28 /usr/lib/libcrypto.so.4 -> /lib/libcrypto.so.4
# ls -l /usr/lib/libssl*
-rwxr-xr-x    1 root     root       123928 Oct 30 17:07 /usr/lib/libssl3.so
-rw-r--r--    1 root     root       329464 Sep 30 18:00 /usr/lib/libssl.a
-rw-r--r--    1 root     root       329464 Sep 30 18:00 /usr/lib/libssl.a.orig
lrwxrwxrwx    1 root     root           26 Jan  6 16:54 /usr/lib/libssl.so -> ../../lib/libssl.so.0.9.7a
lrwxrwxrwx    1 root     root           28 Jan  5 22:26 /usr/lib/libssl.so.0.9.6 -> ../local/lib/libssl.so.0.9.6
lrwxrwxrwx    1 root     root           15 Jan  5 22:26 /usr/lib/libssl.so.0.9.6.1 -> libssl.so.0.9.6
lrwxrwxrwx    1 root     root           15 Jan  5 17:44 /usr/lib/libssl.so.4 -> libssl.so.0.9.6


4. I built freeradius 0.9.3 as follows:

Modified ./src/modules/rlm_eap/types/rlm_eap_tls/Makefile
       ./src/modules/rlm_ldap/Makefile
       ./src/modules/rlm_x99_token/Makefile
       ./src/modules/rlm_krb5/Makefile

and added the following to the end of RLM_CFLAGS:

        -L/usr/local/openssl/lib -I/usr/local/openssl/include

Then ran:

LDFLAGS="-L/usr/local/openssl/lib" CPPFLAGS="-I/usr/local/openssl/include" \
./configure --with-experimental-modules --with-logdir=/var/log/radius --prefix=/usr/local/freeradius --sysconfdir=/etc



Again, I have gone through process traces (strace), debug output, and even
info from the O'Reilly RADIUS book to figure out what the heck is going on.
I'm trying to get a working RADIUS server going for a corporate security
project, which will eventually involve EAP/TLS, TTLS, PEAP.

Any other hints and advice that will help me resolve the problem are greatly
appreciated.

---john




> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Phillip Ames
> Sent: Thursday, January 08, 2004 6:33 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Unable to do simple UNIX authentication
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John Sasso Jr
> > Sent: Friday, January 09, 2004 6:21 AM
> > To: [EMAIL PROTECTED]
> > Subject: Unable to do simple UNIX authentication
>
> [snip]
> >  modcall[authorize]: module "suffix" returns noop for request 0
> >    users: Matched DEFAULT at 152
> >   modcall[authorize]: module "files" returns ok for request 0
> >   modcall[authorize]: module "mschap" returns noop for request 0
> > modcall: group authorize returns ok for request 0
> >   rad_check_password:  Found Auth-Type System
> > auth: type "System"
> > modcall: entering group authenticate for request 0
> > rlm_unix: [test]: invalid password
> >   modcall[authenticate]: module "unix" returns reject for request 0
> > modcall: group authenticate returns reject for request 0
> > auth: Failed to validate the user.
>
>
> Seems like the "unix" module is killing you.  As Alan DeKok was kind enough
> to explain to me, in the users file, if "Auth-Type" is set to Local then it
> will authenticate against things in the users file (and from the logs it
> looks like your "files" module is allowing access).  Is it perhaps set to
> "System" authentication?  That might be trying to authenticate the user
> "test" against "t1e2s3t4" in your /etc/passwd.  The other thing I saw of
> interest was that a "DEFAULT" was matched at line 152.  I'd look into what
> that DEFAULT says to do.
>
> -Phil
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


