Hi, I'm trying to get the pam radius module to work. I've built a test radius server (FreeRADIUS Version 2.1.9) and I've set up a linux box with the pam radius module (1.3.17).

The server seems to be set up properly to authenticate users:

# radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 87 to 127.0.0.1 port 1812
    User-Name = "testing"
    User-Password = "password"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=87, length=20

I have the following config on the server to correspond to my pam radius client:

clients.conf:

client testclient1 {
    ipaddr = CLIENTIP
    secret = testing123
    require_message_authenticator = no
    shortname = testc1
    nastype = other # localhost isn't usually a NAS...
}

And on the client (using pam_radius_auth) I have the following in /etc/raddb/server:

# server[:port] shared_secret timeout (s)
SERVERIP testing123 4

Now, when I try to authenticate my pam radius client, I get this in the client logs:

Jul 22 10:22:45 (none) pamtest: pam_radius_auth: Got user name testing
Jul 22 10:22:54 (none) pamtest: pam_radius_auth: Sending RADIUS request code 1
Jul 22 10:22:54 (none) pamtest: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 267885588.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: packet from RADIUS server SERVERIP fails verification: The shared secret is probably incorrect.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: All RADIUS servers failed to respond.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: authentication failed

And I get this on the radius server (running in debug mode, i.e. radiusd -X):

rad_recv: Access-Request packet from host CLIENTIP port 18580, id=32, length=72
    User-Name = "testing"
    User-Password = "\237TqI\3335Q\231\025O\020bw\021;\362"
    NAS-Identifier = "other"
    NAS-Port = 17555
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry testing at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "?TqI�5Q??O?bw?;
[pap] Using clear text password "password"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 32 to CLIENTIP port 18580
Waking up in 4.9 seconds.
Cleaning up request 0 ID 32 with timestamp +24
Ready to process requests.

Now obviously it says there's a problem with the secret, but I believe I've set up the secret correctly in the configs I've shown above. Does anybody have any ideas what I'm doing wrong?

Thanks.