Re: strange PAM problem with Free Radius
On Mon, Dec 23, 2002 at 09:04:23PM -0300, Rodolfo Siviero Stein wrote:

> To build these files I copy the login pam file and made changes
> to system-auth and rename to smb-auth.
> Only the radius users need to authenticate in NT Domain local
> users are normal passwd/shadow users.
> This is the server that works:
>
> radiusd
> #%PAM-1.0
> auth     required   /lib/security/pam_securetty.so
> auth     required   /lib/security/pam_stack.so service=smb-auth
> auth     required   /lib/security/pam_nologin.so
> account  required   /lib/security/pam_stack.so service=smb-auth
> password required   /lib/security/pam_stack.so service=smb-auth
> session  required   /lib/security/pam_stack.so service=smb-auth
> session  optional   /lib/security/pam_console.so
>
> smb-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth     required   /lib/security/pam_env.so
> auth     sufficient /lib/security/pam_winbind.so
> auth     required   /lib/security/pam_deny.so
>
> account  sufficient /lib/security/pam_winbind.so
> account  required   /lib/security/pam_unix.so
>
> password required   /lib/security/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password required   /lib/security/pam_deny.so
>
> session  required   /lib/security/pam_limits.so
> session  required   /lib/security/pam_unix.so

For starters, you seem to have a lot of unnecessary cruft in your PAM config that could cause problems later. I recommend trying this file for /etc/pam.d/radiusd, since it seems to be closer to what you want:

#%PAM-1.0
# This line is only to keep root from logging in via radius (!)
auth     required   pam_securetty.so
auth     required   pam_winbind.so
account  required   pam_winbind.so

Note that you don't need /etc/pam.d/smb-auth -- or pam_stack -- at all. If you aren't using the same version of the PAM packages on each server, it's possible that pam_stack may be causing problems.
I recommend trying the above config first on the machine where you already have RADIUS working, and if it does what you want, try it on the other machine as well.

Do you have winbindd running on both machines? If I'm not mistaken, winbindd is needed for non-root users to access the NT domain information, but might *not* be required for any tests that you ran as root.

Regards,
-- 
Steve Langasek
postmodern programmer
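To make the control-flag behaviour of the two stacks above concrete, here is an added example (my own code, not anything from this thread or from Linux-PAM): a small model of how `required`, `requisite` and `sufficient` combine, with `pam_stack.so service=...` resolved by recursing into the named service. The three service files are constructed copies of the ones quoted above, and every module's answer (winbindd saying yes or no, pam_securetty rejecting root) is mocked in a dict rather than coming from a real module.

```python
"""Added example, not code from the thread: a small model of Linux-PAM control
flags that walks through the radiusd / smb-auth stacks quoted above.
Module outcomes are mocked in a dict; no real PAM module is loaded."""

from typing import Dict, List, Tuple

SUCCESS, FAIL = "success", "fail"

# Constructed copies of the three service files from the thread (the original
# radiusd with pam_stack, the smb-auth it delegates to, and Steve's replacement).
SMB_AUTH = """\
#%PAM-1.0
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_winbind.so
auth     required   /lib/security/pam_deny.so
account  sufficient /lib/security/pam_winbind.so
account  required   /lib/security/pam_unix.so
"""
RADIUSD_OLD = """\
#%PAM-1.0
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_stack.so service=smb-auth
auth     required   /lib/security/pam_nologin.so
account  required   /lib/security/pam_stack.so service=smb-auth
"""
RADIUSD_NEW = """\
#%PAM-1.0
# This line is only to keep root from logging in via radius (!)
auth     required   pam_securetty.so
auth     required   pam_winbind.so
account  required   pam_winbind.so
"""

Entry = Tuple[str, str, Dict[str, str]]  # (control flag, module, key=value args)


def parse_pam(text: str) -> Dict[str, List[Entry]]:
    """Parse 'group control module [key=value ...]' lines into per-group stacks."""
    stacks: Dict[str, List[Entry]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        group, control, module, *rest = line.split()
        module = module.rsplit("/", 1)[-1]       # /lib/security/pam_x.so -> pam_x.so
        args = dict(a.split("=", 1) for a in rest if "=" in a)
        stacks.setdefault(group, []).append((control, module, args))
    return stacks


FILES = {
    "smb-auth": parse_pam(SMB_AUTH),
    "radiusd-old": parse_pam(RADIUSD_OLD),
    "radiusd-new": parse_pam(RADIUSD_NEW),
}


def run_stack(service: str, group: str, outcomes: Dict[str, str]) -> bool:
    """Evaluate one management group (auth/account/...) of one service.

    outcomes maps a module name to its mocked result. Control flags follow the
    Linux-PAM rules: 'required' records a failure but keeps going, 'requisite'
    fails immediately, 'sufficient' ends the stack successfully unless an
    earlier required module already failed, and 'optional' is ignored here
    (a simplification: it only decides a stack made of nothing else).
    pam_stack.so is resolved by recursing into the named service, which is the
    indirection Steve's simplified file does without.
    """
    required_failed = False
    seen_success = False
    for control, module, args in FILES[service].get(group, []):
        if module == "pam_stack.so":
            result = SUCCESS if run_stack(args["service"], group, outcomes) else FAIL
        else:
            result = outcomes.get(module, FAIL)  # an unknown module denies
        if control in ("required", "requisite"):
            if result == FAIL:
                if control == "requisite":
                    return False
                required_failed = True
            else:
                seen_success = True
        elif control == "sufficient" and result == SUCCESS and not required_failed:
            return True                           # short-circuits the rest of the stack
    return seen_success and not required_failed


def auth(service: str, winbind: str, securetty: str = SUCCESS) -> bool:
    """Run the auth stack with winbindd's answer and pam_securetty's answer mocked."""
    outcomes = {
        "pam_env.so": SUCCESS, "pam_nologin.so": SUCCESS,
        "pam_securetty.so": securetty, "pam_winbind.so": winbind,
        "pam_deny.so": FAIL,
    }
    return run_stack(service, "auth", outcomes)


if __name__ == "__main__":
    for svc in ("radiusd-old", "radiusd-new"):
        print(svc, "domain user:", auth(svc, SUCCESS),
              "unknown user:", auth(svc, FAIL),
              "root w/o secure tty:", auth(svc, SUCCESS, securetty=FAIL))
```

Running it shows that both files give the same answers for a domain user, an unknown user and for root without a secure tty; the `sufficient` winbind entry followed by `required` pam_deny in smb-auth is just a longer way of saying `required pam_winbind.so`, which is why the shorter file loses nothing. The point to check in a real deployment is the one the model makes visible: a `sufficient` line only short-circuits when no earlier `required` module has failed, so pam_securetty placed first still keeps root out.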
Re: FreeRADIUS with DEFAULT user
> Check out the default_user_profile directive in sql.conf. This feature has been
> added in the latest versions of the sql module. The comments in sql.conf should
> also be very helpful.

Ok, I've found it. After some tests, I've reached the situation: default profile works, in fact. But in my case, I need to set up a default profile with Auth-Type=Accept; the problem is FreeRadius applies default profile to all users, BEFORE verifying radcheck table. This way, everybody can log in, with any password, and falls in default profile.

In this point, IC-Radius is more intelligent (or I'm more stupid, and didn't find the way): IC verifies radcheck table BEFORE, and if the supplied credentials are ok, authenticates the registered user; otherwise - since the credentials aren't in radcheck tables - the user falls in DEFAULT scope, going to a group according with radgroup table (where I can setup different pool, NAS filter, and so on).

This is the puzzle. Maybe I've missed something, but as far as I've gone, there's no way to:
a) if the login/pass EXISTS in radcheck, authenticate the user with the credentials;
b) OTHERWISE, apply group features to this user, now a DEFAULT user.

If there's any way to do this, I'll be very helpful. FreeRadius seems to be more functional than ICradius, but for now, I've switched back.

-- 
Fernando

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
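The ordering problem Fernando describes is an authentication bypass in miniature, so here is an added example (my own toy model, not FreeRADIUS or IC-Radius code) that plays the two orders against the same constructed tables. `RADCHECK`, `RADUSERGROUP` and `RADGROUPREPLY` are in-memory stand-ins for the SQL tables of the same names, `DEFAULT_PROFILE` is the profile with `Auth-Type := Accept` that Fernando wanted, and the behaviour of `profile_first` is taken from his description of what he observed, not from FreeRADIUS source.

```python
"""Added example, not FreeRADIUS or IC-Radius code: a toy model of the two
authorization orders Fernando describes, to show why a default profile that
carries Auth-Type := Accept must not be applied before radcheck is consulted.
The tables are constructed in-memory stand-ins for radcheck, radusergroup and
radgroupreply; attribute names follow the FreeRADIUS SQL schema."""

from typing import Dict, Optional, Tuple

# Constructed radcheck rows: (username, attribute, op, value)
RADCHECK = [
    ("alice", "User-Password", "==", "alice-secret"),
]
RADUSERGROUP = {"alice": "staff"}          # constructed membership
RADGROUPREPLY = {                          # constructed per-group reply items
    "staff":   {"Framed-Pool": "staff-pool"},
    "default": {"Framed-Pool": "guest-pool", "Filter-Id": "guest-acl"},
}
# The default profile Fernando wanted: unknown users accepted into the guest group
DEFAULT_PROFILE = {"Auth-Type": "Accept"}

Decision = Tuple[bool, Dict[str, str]]     # (access granted?, reply items)


def radcheck_verdict(username: str, password: str) -> Optional[bool]:
    """None if the user has no radcheck rows, else whether every check item matches."""
    rows = [r for r in RADCHECK if r[0] == username]
    if not rows:
        return None
    return all(value == password for _, attr, _, value in rows if attr == "User-Password")


def profile_first(username: str, password: str) -> Decision:
    """Order Fernando observed: the default profile is merged for every user
    before radcheck is looked at. Auth-Type := Accept then short-circuits
    authentication, so the password is never compared at all."""
    control = dict(DEFAULT_PROFILE)
    if control.get("Auth-Type") == "Accept":
        return True, RADGROUPREPLY["default"]
    verdict = radcheck_verdict(username, password)   # never reached with this profile
    return bool(verdict), RADGROUPREPLY.get(RADUSERGROUP.get(username, "default"), {})


def radcheck_first(username: str, password: str) -> Decision:
    """Order Fernando wants (and attributes to IC-Radius): check items decide
    for users that exist in radcheck; only users absent from radcheck fall
    through to the DEFAULT profile and its group."""
    verdict = radcheck_verdict(username, password)
    if verdict is None:
        return True, RADGROUPREPLY["default"]        # genuinely unknown user -> guest
    if verdict:
        return True, RADGROUPREPLY[RADUSERGROUP[username]]
    return False, {}                                  # known user, wrong password


if __name__ == "__main__":
    for user, pw in (("alice", "alice-secret"), ("alice", "wrong"), ("mallory", "anything")):
        print(user, pw, "profile-first:", profile_first(user, pw),
              "radcheck-first:", radcheck_first(user, pw))
```

The model makes the risk explicit: with the profile applied first, `alice` with a wrong password is accepted into the guest pool just like an unknown user, so a registered account's credential stops protecting anything. Whatever server is used, an `Accept` that is not preceded by a credential check should be treated as a configuration bug, and a quick way to detect it is exactly the second test case, a known user with a deliberately wrong password, which must be rejected.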
RE: how the FreeRadius connect the PPPOE-server(RA-PPPOE)
Allan

I doubt many people are going to have time to help you write a research paper. RADIUS is a well understood and documented protocol. I suggest you read the relevant RFC's and The RADIUS book first. Then read up on your PPPOE server. FreeRadius works with any access server via RADIUS. It is that simple. If I am not mistaken, the default configuration will do PAP authentication, so you really should not have a problem.

Tim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of allans
Sent: Wednesday, December 25, 2002 2:44 PM
To: [EMAIL PROTECTED]
Subject: how the FreeRadius connect the PPPOE-server(RA-PPPOE)

hello, I have set up a PPPOE-Server, and it can check the username and password by Pap-secret, what I don't know to do is how to make the freeRadius work with my PPPOE-server. Please help me, and I am a college student, this study about PPPOE-server and Radius System is my homework, please help me for detail, thank you very much!

Best wish!
allan
how the FreeRadius connect the PPPOE-server(RA-PPPOE)
hello, I have set up a PPPOE-Server, and it can check the username and password by Pap-secret, what I don't know to do is how to make the freeRadius work with my PPPOE-server. Please help me, and I am a college student, this study about PPPOE-server and Radius System is my homework, please help me for detail, thank you very much!

Best wish!
allan
RE: authorize/authenticate confusion in FR?
On Tue, 24 Dec 2002, Scott Bartlett wrote:

> Those people watching closely in the past will know from my posts that
> I'm neither a UNIX or C programmer (and unfortunately don't have much
> spare time either for various reasons). And before you say it : Yes, I

Jumping in because I am bored.. watching a NOC that ran on generators 3 times already this morning... MERRY CHRISTMAS ALL!

- Unix is an Operating System (or family of OS's). C is a programming language.

> Thanks for the practical response. I assume you also built your own
> house, grow your own food and smelted the ore and refined the fuel to
> build and run your own car. Oh, and wrote *all* the software on your own
> computer.

- I bought our NOC building in 1995.. an 1888 hotel building, with rotten floors, no windows and barely a roof.
http://www.chattanoogametro.net/album/index.cgi?page=dsw02424&mode=m&dir=./VirtualBuilding
I've done more than 50% of the work myself, including most of the electrical, plumbing.. generator install..etc..

- Of my 3 vehicles, 2 of them I have built from parts, an '84/86 Bronco, and a 196? Step Van/Camper/MobileShop (and a turret for mounting uplink dishes)

- I do use common programming languages, C and Perl mostly, but I even wrote our own management/billing/accounting package and my main radius server is a much modified version of the original Livingston Radius server. Mods include real-time accounting into Sybase SQL on Linux. I'm playing with FreeRadius currently for a new system.

My point being.. many of us live in a world where we do as much as we can ourselves as is possible.

> (relatively) new to RADIUS let alone FreeRadius. If you're not open to
> hearing reasonable ideas to maybe improve the software (either
> technically or in how to make it accessible to users) then why are you
> involved in an open source project??!?

Why are you? I am using it because it looks interesting and may be customizable for my personal needs, without my creating one from scratch.

If I get a few mods working that might be useful to the community, I'll submit them and see if others can/want-to use them... If you want an End-User Polished Ready-To-Use Radius server.. go buy one... and then complain to their tech-support and marketing department.

> >Pushing the authorization step to AFTER authentication gains little.
> >But note that in 0.8 and above, there's a post-authentication stage,
> >in which anyone can do the extra post-authentication work that they
> >desire.

Makes sense to me.. heck, it's got more options than most of us have time to explore.. It's a heck of a tool.

> about the place which holds the passwords. They just do. Thus, if a user
> is 'authenticating against an SQL database' they come unstuck wondering
> why they put 'sql' in the 'authorize' section in radiusd.conf and not in
> the 'authenticate' section. That was the point I was trying to make -
> the users get confused over terminology, so would it be an idea to clear
> it up a bit. Heck, it's only a small thing. Ok, so they eventually work
> it out (my mail box testifies to that), but it would probably be easier
> for them to go from A straight to B without diversions en route...
>
> > Then go write your own server.
>
> Ah, as useful a tip as ever...

It's standard philosophy in this world.. And it's why I learned how to code, because someone beat me over the head with that statement a few times. If Scott Bartlett's version of a radius server is better, and he's sharing, we'll all use it!

> >FreeRADIUS will NEVER include 2-3 logical
> >functions in one stage. If anything, the stages will be broken up even
> >smaller, to allow administrators more control over packet processing.

Scott, this is just good programming philosophy. It thusly works into the overall configuration and usage of FreeRadius as well.

> > Great. You've re-designed the server to do exactly what it's doing now,
> > but with the names changed.

OK..

MOST of the software I use, and even the stuff I write has interestingly bad choices of words for things, often for historical reasons. Once in place, programmers are loath to change them. Why? One reason is all the people complaining because you change terminology on something and it confuses them more than the errant terminology. Another reason is: It works, why break it?

Merry Christmas!
[EMAIL PROTECTED]
RE: fradius] RE: RPM for freeRADIUS
On Tue, 24 Dec 2002, Brian Johnson wrote:

> You are obviously an RPM Jedi Master. :)

-- More closely, young Padawan, the Midichlorian you must heed. <(-_-)> ... I am just the RPM website master -- see eg the bottom of: http://www.rpm.org/

-- Russ Herrold
Re: RADIUS and SSH
i solve a problem with using radius to auth pop & smtp users in RedHat

require:
1) cyrus-imap
2) cyrus-sasl
3) make your own pam_unix module

general idea: in account stage i assign uid, guid, shell and etc. from template user (i added it to passwd) so now i don't need to add users in local machine

p.s.: 3) is already done in FreeBSD by the such way

I guess it's a good idea to have one passwd file to auth pop, smtp, www, ppp users %-)

Simon White wrote:
> 18-Dec-02 at 15:58, Puchkov S.N. ([EMAIL PROTECTED]) wrote :
> > from my point of view it's better to have one program to authorize all kind of requests
> > of course you can use ldap+freeradius ...
>
> If you already have an authentication layer (PAM) that can talk to LDAP, why the insistence on radius in the first place?
>
> Jeez, radius is there to send attributes back to a NAS, not for SSH!