radiusd allows users with any password
Hello, I'm having a weird problem with the latest build from CVS. I admit that this problem may have been there for a while and I didn't know about it. So what's happening is that radiusd will send an Access-Accept as long as the user is valid (without regard for the password). So as long as I enter the right username, the password doesn't seem to matter.

Here is the debug output:

Thu May 23 10:25:53 2002 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.13.0.1:1645, id=75, length=78
        NAS-IP-Address = 10.13.0.1
        NAS-Port = 67
        NAS-Port-Type = Virtual
        User-Name = aakhter
        Calling-Station-Id = 10.13.0.254
        User-Password = *\213\256X\365g\3632\022\342\264\307\272\205
Thu May 23 10:25:58 2002 : Debug: modcall: entering group authorize
Thu May 23 10:25:58 2002 : Debug: modcall[authorize]: module preprocess returns ok
Thu May 23 10:25:58 2002 : Debug: rlm_realm: Looking up realm NULL for User-Name = aakhter
Thu May 23 10:25:58 2002 : Debug: rlm_realm: No such realm NULL
Thu May 23 10:25:58 2002 : Debug: modcall[authorize]: module suffix returns noop
Thu May 23 10:25:58 2002 : Debug: users: Matched DEFAULT at 13
Thu May 23 10:25:58 2002 : Debug: modcall[authorize]: module files returns ok
Thu May 23 10:25:58 2002 : Debug: modcall: group authorize returns ok
Thu May 23 10:25:58 2002 : Debug: rad_check_password: Found Auth-Type Pam
Thu May 23 10:25:58 2002 : Debug: auth: type Pam
Thu May 23 10:25:58 2002 : Debug: modcall: entering group authenticate
Thu May 23 10:25:58 2002 : Debug: pam_pass: using pamauth string radiusd for pam.conf lookup
Thu May 23 10:25:58 2002 : Debug: pam_pass: authentication succeeded for aakhter
Thu May 23 10:25:58 2002 : Debug: modcall[authenticate]: module pam returns ok
Thu May 23 10:25:58 2002 : Debug: modcall: group authenticate returns ok
Sending Access-Accept of id 75 to 10.13.0.1:1645
        Service-Type = Administrative-User
Thu May 23 10:25:58 2002 : Debug: Finished request 0
Thu May 23 10:25:58 2002 : Debug: Going to the next request
Thu May 23 10:25:58 2002 : Debug: --- Walking the entire request list ---
Thu May 23 10:25:58 2002 : Debug: Waking up in 6 seconds...
Thu May 23 10:26:04 2002 : Debug: --- Walking the entire request list ---
Thu May 23 10:26:04 2002 : Debug: Cleaning up request 0 ID 75 with timestamp 3cecfbf6
Thu May 23 10:26:04 2002 : Debug: Nothing to do. Sleeping until we see a request.
Thu May 23 10:26:24 2002 : Error: MASTER: exit on signal (2)

and my config:

[root@nsite-mpls-1 /root]# more /etc/raddb/users
## PAM handles both local /etc/passwd stuff and NIS stuff.
## Auth-Type needs to be on the same line as DEFAULT
DEFAULT Auth-Type := Pam
        Service-Type = Shell-user,
        Fall-Through = YES

smartbits Auth-Type := Local, Password == xx
        Service-Type== Login-user

## these are script passwords, so don't need to be easy to use
cw2k Auth-Type := Local, Password == xx
aakhter-script Auth-Type := Local, Password == xx
rymcmaho-script Auth-Type := Local, Password == xx
mbrown-script Auth-Type := Local, Password == xx
jguy-script Auth-Type := Local, Password == xx
rajiva-script Auth-Type := Local, Password == xx
asharma-script Auth-Type := Local, Password == xx

Any help would be greatly appreciated.

--
Aamer Akhter / [EMAIL PROTECTED]
NSITE - cisco Systems

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radiusd allows users with any password
Frank, shouldn't it worry about the password? Or am I missing something?

----- Original Message -----
From: Frank Cusack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 23, 2002 8:35 PM
Subject: Re: radiusd allows users with any password

> Looks normal. Your PAM setup is authenticating the user. You can't have
> multiple auth-types, so the PAM one is the only one being used.
>
> /fc
>
> On Thu, May 23, 2002 at 08:04:20PM -0400, Aamer Akhter wrote:
> > Hello, I'm having a weird problem with the latest build from CVS.
> > [...]
Re: radiusd allows users with any password
Thanks Frank, I think I've got it working with this config:

# more radiusd
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth

# more system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

----- Original Message -----
From: Frank Cusack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 23, 2002 11:12 PM
Subject: Re: radiusd allows users with any password

> On Thu, May 23, 2002 at 08:48:41PM -0400, Aamer Akhter wrote:
> > Frank, shouldn't it worry about the password? Or am I missing something?
>
> freeradius does not care about the password, it passes on the password to
> PAM. PAM is authenticating the user, freeradius is merely relaying the
> response. Your PAM setup is allowing all users. What does your PAM config
> look like?
>
> Note that freeradius is using PAM service name 'radiusd' (from the logs).
> If you don't have rules for that service, PAM will use the rules for
> service 'other'.
>
> /fc
>
> > ----- Original Message -----
> > From: Frank Cusack [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Thursday, May 23, 2002 8:35 PM
> > Subject: Re: radiusd allows users with any password
> >
> > > Looks normal. Your PAM setup is authenticating the user. You can't have
> > > multiple auth-types, so the PAM one is the only one being used.
> > >
> > > /fc
> > >
> > > On Thu, May 23, 2002 at 08:04:20PM -0400, Aamer Akhter wrote:
> > > > Hello, I'm having a weird problem with the latest build from CVS.
> > > > [...]
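The two PAM rules this fix turned on (a service name with no file under /etc/pam.d is handled by the rules for 'other', and pam_stack.so service=X delegates to another stack) can be checked before a NAS ever sends a request. The script below is an added example written for this page, not FreeRADIUS or Linux-PAM code; the sample files and the list of credential-checking modules are constructed assumptions.

```python
"""Resolve the PAM auth stack a service name really gets, as in this thread.
Added example, not FreeRADIUS or Linux-PAM code. It models two rules the fix
relied on: a service with no file under /etc/pam.d is handled by 'other', and
pam_stack.so service=X (the Red Hat layout in the post) delegates to stack X.
Files are passed in as a dict of text so it runs offline; the sample files and
the credential-module list are constructed assumptions for the demonstration."""

# Modules assumed here to actually verify a password (illustrative, not exhaustive).
CREDENTIAL_MODULES = {"pam_unix.so", "pam_unix2.so", "pam_ldap.so", "pam_krb5.so"}

def parse_pam(text):
    """Return (type, control, module basename, args) for each non-comment line."""
    out = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            out.append((fields[0], fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return out

def effective_auth_stack(service, files, depth=0):
    """Return (file actually consulted, flattened list of (control, module))."""
    name = service if service in files else "other"
    stack = []
    for typ, control, module, args in parse_pam(files.get(name, "")):
        if typ != "auth":
            continue
        target = next((a[len("service="):] for a in args if a.startswith("service=")), None)
        if module == "pam_stack.so" and target and depth < 4:   # follow delegation
            stack.extend(effective_auth_stack(target, files, depth + 1)[1])
        else:
            stack.append((control, module))
    return name, stack

def audit_service(service, files):
    """Findings that explain why this service would accept any password."""
    name, stack = effective_auth_stack(service, files)
    findings = []
    if name != service:
        findings.append(f"no file for service '{service}'; PAM falls back to '{name}'")
    if not any(m in CREDENTIAL_MODULES for _, m in stack):
        findings.append("auth stack has no module that checks a credential")
    if any(c == "sufficient" and m == "pam_permit.so" for c, m in stack):
        findings.append("pam_permit.so is 'sufficient' in the auth stack")
    return findings

# Constructed samples: the layout the poster ended up with, and a permissive fallback.
FIXED = {
    "radiusd": "auth required /lib/security/pam_stack.so service=system-auth\n",
    "system-auth": "auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow\n"
                   "auth required /lib/security/pam_deny.so\n",
}
OPEN = {"other": "auth sufficient /lib/security/pam_permit.so\n"}
```

`audit_service("radiusd", FIXED)` returns no findings, while `audit_service("radiusd", OPEN)` reports the fallback to 'other' and the missing credential check that the log line `pam_pass: using pamauth string radiusd` hints at.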
Re: problems with users after upgrading...
Thanks Chris. I deleted the old files and started over. It took some redoing but it works fine now. Thanks for all your help.

Quoting Aamer Akhter ([EMAIL PROTECTED]):

> Chris, still problems. Can you also CC me on the reply directly? I have to cut and paste from the archive currently..
>
> > At 11:27 AM 5/10/2002 -0400, Aamer Akhter wrote:
> > > Hello, I just make the newest freeradius with the default settings, and something seems to have changed. Under the old freeradius this was working fine.
> >
> > What version are you upgrading from?
>
> : from 0.1
>
> > > Here is the output from -X:
> > >
> > > rad_recv: Access-Request packet from host 10.13.0.41:1645, id=109, length=79
> > >         User-Name = as
> > >         Password = \331\257\\\025\337\025\341\036\n\367\016syc\374j
> > >         NAS-Port = 130
> > >         NAS-Port-Type = Virtual
> > >         Calling-Station-Id = 10.13.0.254
> > >         Service-Type = Login-User
> > >         NAS-IP-Address = 3640-PE-EAST-1
> > > modcall: entering group authorize
> > > modcall[authorize]: module preprocess returns ok
> > > modcall[authorize]: module suffix returns ok
> > > Invalid operator for item : reverting to '=='
> > > Invalid operator for item : reverting to '=='
> >
> > Those should be fixed.
>
> : note that 0.1 isn't complaining about them. And I'm not really sure which lines the above
> : is complaining about. How do I find out?
>
> > > modcall[authorize]: module files returns notfound
> > > modcall: group authorize returns ok
> > > auth: No Auth-Type configuration for the request, rejecting the user
> >
> > That's the problem. Module 'files' returned 'notfound', so it didn't match the username for some reason.
> >
> > > smartbits Auth-Type := Local
> > >           Password == xxx,
> >
> > These should all be on one line.
>
> : fixed
>
> > > any ideas on what my next step should be?
> >
> > Perhaps you could try putting a blank line between each of the one-line user entries you have at the bottom of the users file?
>
> : fixed
>
> I've attached the complete users file this time. Maybe I'm missing something major here.
>
> --
> Aamer Akhter / [EMAIL PROTECTED]
> NSITE - cisco Systems

lab       Auth-Type == Local, Password == xxx, Cisco-AVPair == shell:priv-lvl=0, Fall-Through = no

#set console timeout be 20min
DEFAULT   NAS-Port == 0, Idle-Timeout == 20, Cisco-Idle-Limit == 20, Fall-Through = yes

smartbits Auth-Type := Local, Password == xxx, Cisco-AVPair == shell:priv-lvl=0, Fall-Through = no

DEFAULT   Auth-Type := System, Service-Type == Login-user, Fall-Through = 1, Cisco-AVPair == priv-lvl=15
#         Reply-Message = NSITE MPLS test network

cw2k            Auth-Type := Local, Password == xxx
aakhter-script  Auth-Type := Local, Password == xxx
rymcmaho-script Auth-Type := Local, Password == xxx
mbrown-script   Auth-Type := Local, Password == xxx
jguy-script     Auth-Type := Local, Password == xxx
rajiva-script   Auth-Type := Local, Password == xxx
asharma-script  Auth-Type := Local, Password == xxx
jmcglaug-script Auth-Type := Local, Password == xxx
rrajamon-script Auth-Type := Local, Password == xxx
vpnsc           Auth-Type := Local, Password == xxx
mb              Auth-Type := Local, Password == mb
jguy            Auth-Type := Local, Password == jg
ra              Auth-Type := Local, Password == ra
rm              Auth-Type := Local, Password == rm
as              Auth-Type := Local, Password == as
rk              Auth-Type := Local, Password == rk
ssaran          Auth-Type := Local, Password == ssaran
vlim            Auth-Type := Local, Password == vlim
aa              Auth-Type := Local, Password == aa
fbovy           Auth-Type := Local, Password == fbovy

DEFAULT   Auth-Type == Pam
# On no match, the user is denied access.

--
Aamer Akhter / [EMAIL PROTECTED]
NSITE - cisco Systems
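The advice in this thread and in the first one (Auth-Type on the same line as the entry name, check items all on that line, reply items on the indented lines) can be turned into a lint pass over the users file before restarting radiusd. This is an added example written for this page, not FreeRADIUS code; its rules are assumptions drawn from the replies above, and the sample input is constructed from the shapes of the posted entries.

```python
"""Lint a FreeRADIUS 'users' file for the entry-layout mistakes in these posts.
Added example, not FreeRADIUS code. Rules taken from the thread's advice:
Auth-Type goes on an entry's first line; check items there use '==' or ':='
(a bare '=' is what the loader reports as 'Invalid operator for item'); reply
items on indented lines use '=' rather than '=='. Sample input is constructed."""
import re
ITEM_RE = re.compile(r"([\w.-]+)\s*(==|:=|!=|>=|<=|=~|!~|\+=|[=<>])\s*(\S.*)")

def parse_items(text):
    """Split 'a == 1, b = 2' into (name, op, value); op is None if unparsable."""
    items = []
    for raw in (r.strip() for r in text.split(",")):
        if raw:
            m = ITEM_RE.fullmatch(raw)
            items.append(m.groups() if m else (raw, None, None))
    return items

def parse_users(text):
    """Group lines into entries [lineno, name, check_items, reply_items]."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                  # indented continuation: reply items
            if entries:
                entries[-1][3].extend(parse_items(line))
            continue
        parts = line.split(None, 1)            # name, then comma-separated check items
        entries.append([lineno, parts[0], parse_items(parts[1] if len(parts) > 1 else ""), []])
    return entries

def lint_users(text):
    """Return one finding per suspicious item, in file order."""
    findings = []
    for lineno, name, checks, replies in parse_users(text):
        where = f"line {lineno} ({name}):"
        for item, op, _ in checks:
            if op == "=":
                findings.append(f"{where} check item {item} uses '=', expected '==' or ':='")
        for item, op, _ in replies:
            if item == "Auth-Type":
                findings.append(f"{where} Auth-Type must be on the entry's first line")
            elif op == "==":
                findings.append(f"{where} reply item {item} uses '==', expected '='")
    return findings
# Constructed sample: a clean DEFAULT entry, then the two mistakes above.
SAMPLE = """DEFAULT Auth-Type := Pam
\tService-Type = Shell-user,
\tFall-Through = YES
smartbits Auth-Type := Local, Password == xx
\tService-Type== Login-user
lab\tPassword == xxx, Fall-Through = no
\tAuth-Type = Local
"""
```

`lint_users(SAMPLE)` flags the `Service-Type==` reply item on the smartbits entry and, on the lab entry, both the `=` on the check line and the Auth-Type that drifted onto a reply line.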
Re: setting idle-time based on port
Chris, cool. Thanks. I'll give it a try.

----- Original Message -----
From: Chris Parker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 28, 2001 10:31 AM
Subject: Re: setting idle-time based on port

> At 01:46 AM 9/28/2001 -0400, you wrote:
> > Hello, I'm trying to configure freeradius to send a rule to allow a max idle time in a session to be 20 min for a certain port. So, if a user comes in to port 0, his/her idle time is 20 min. If a user comes in on another port, his/her idle time is unlimited. Is this doable?
>
> You could put something along the lines of this in the 'users' file, with a Fall-Through. Any attribute that is sent in an Access-Request may be used as a Check-Item. If NAS-Port is sent by your NAS in the Access-Request you could try something like:
>
> DEFAULT NAS-Port == 0
>         Idle-Timeout = 20,
>         Fall-Through = 1
>
> DEFAULT Auth-Type := System
>         ... standard attributes here ...
>
> -Chris
> --
> Chris Parker - Manager, Development Engineering
> WX *is* Wireless!  [EMAIL PROTECTED]
> http://www.starnetwx.net  (847) 963-0116
> Without C we would have 'obol', 'basi', and 'pasal'
setting idle-time based on port
Hello, I'm trying to configure freeradius to send a rule to allow a max idle time in a session to be 20 min for a certain port. So, if a user comes in to port 0, his/her idle time is 20 min. If a user comes in on another port, his/her idle time is unlimited. Is this doable? Thanks.

--
Aamer Akhter / [EMAIL PROTECTED]
NSITE - cisco Systems