RE: RADIUS PAM Module with RH9.

2003-09-23 Thread Kenneth Mix
Thank you.  I will look into some alternative configurations.

Ken Mix


> -Original Message-
> From: Frank Cusack [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 23, 2003 11:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: RADIUS PAM Module with RH9.
> 
> 
> On Tue, Sep 23, 2003 at 09:47:33AM -0600, Kenneth Mix wrote:
> > Currently, when I try to authenticate a user using the PAM RADIUS
> > module, it hangs my freeradius server at:
> > pam_pass: using pamauth string  for pam.conf lookup
> >
> > After this it will not authenticate any other users, no matter what
> > type of authentication they are using.
> > 
> > Also, the PAM module never even attempts to contact my AD server.
> 
> Well I don't know about any of those problems, but PAM + freeradius is
> a bad mix.  PAM is broken in that every PAM call leaks memory, so
> you have to restart your server once in a while.
> 
> PAM should only be used if you HAVE TO.  It doesn't sound like that's
> the case for you, instead you should just figure out how to configure
> freeradius to do what you need.  It certainly can handle proxying
> (via arbitrary criteria) and adding some av pairs.
> 
> /fc
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 



Re: RADIUS PAM Module with RH9.

2003-09-23 Thread Frank Cusack
On Tue, Sep 23, 2003 at 09:47:33AM -0600, Kenneth Mix wrote:
> Currently, when I try to authenticate a user using the PAM RADIUS module, it hangs 
> my freeradius server at:
> pam_pass: using pamauth string  for pam.conf lookup 
> 
> After this it will not authenticate any other users, no matter what type of 
> authentication they are using.
> 
> Also, the PAM module never even attempts to contact my AD server.

Well I don't know about any of those problems, but PAM + freeradius is
a bad mix.  PAM is broken in that every PAM call leaks memory, so
you have to restart your server once in a while.

PAM should only be used if you HAVE TO.  It doesn't sound like that's
the case for you, instead you should just figure out how to configure
freeradius to do what you need.  It certainly can handle proxying
(via arbitrary criteria) and adding some av pairs.

/fc



Re: RADIUS PAM Module with RH9.

2003-09-23 Thread Alan DeKok
"Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> For administrative users and script users I am using system
> authentication.  For lower-level users, I would like to authenticate
> them via Active Directory, while still authorizing them via
> freeradius.

  That should be trivial to do.

> I initially set this up using realms and proxying the request to an IAS
> server on our AD domain controller, but I was not able to find any way
> to assign attribute values to users within the realm.

  I don't understand what you mean by that.

  The server allows you to check for the existence of any attribute in
a packet, and to respond with any other attribute.  It even allows you
to check for a realm, and to respond with realm-specific attributes.

> The only other way I can think of to authenticate users off of AD
> while authorizing them via freeradius is to use PAM authentication
> with the pam_radius_auth module.

  I don't see why.

  Alan DeKok.
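
One way to lay out the split described in this reply, with authentication proxied to the IAS server and authorization attributes set on the central FreeRADIUS server. This is an added example, not configuration from the thread or from the FreeRADIUS project. The realm name, host, secret, user names and the level-15 value are constructed, the syntax is the 0.9/1.x-era `proxy.conf` and `users` format, and it assumes reply items set in `users` are kept when the request is proxied (confirm with `radiusd -X`).

```conf
# ---- proxy.conf -------------------------------------------------------
# Home server that checks passwords against Active Directory (IAS).
# "ias", the host name and the secret are placeholders, not from the thread.
realm ias {
	type     = radius
	authhost = ias.example.com:1812
	accthost = ias.example.com:1813
	secret   = CHANGE_ME_SHARED_SECRET
}

# ---- users ------------------------------------------------------------
# Administrative / script account: authenticated locally against system
# passwords, authorized by a reply attribute set here.
# (user name and level 15 are constructed for illustration)
admin1	Auth-Type := System
	Cisco-AVPair = "shell:priv-lvl=15"

# Lower-level account: Proxy-To-Realm hands the password check to the
# "ias" realm, while the privilege level is still assigned by this
# server's reply item. The priv-lvl=3 value is the one quoted in the
# thread; the user name is constructed.
operator1	Proxy-To-Realm := "ias"
	Cisco-AVPair = "shell:priv-lvl=3"

# No DEFAULT entry is given on purpose: a user with no matching entry
# gets no privilege attribute from this file.
```

Run the server with `radiusd -X` and check that the Access-Accept sent to the router carries only the privilege level assigned in `users`, not one supplied by the home server.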



RE: RADIUS PAM Module with RH9.

2003-09-23 Thread Kenneth Mix
I am currently using freeradius to authenticate users to the routers on our network.  
Depending on the user's role, he/she will be authorized at different privilege levels 
within the router.  These privilege levels are assigned by attribute-pair values in 
freeradius (i.e. cisco-avpair = "shell:priv-lvl=3").  For administrative users and 
script users I am using system authentication.  For lower-level users, I would like to 
authenticate them via Active Directory, while still authorizing them via freeradius.

I initially set this up using realms and proxying the request to an IAS server on our 
AD domain controller, but I was not able to find any way to assign attribute values to 
users within the realm.  The only other way I can think of to authenticate users off 
of AD while authorizing them via freeradius is to use PAM authentication with the 
pam_radius_auth module.  I am fairly new to freeradius, so if anybody has any ideas or 
knows of another way to authenticate my users via AD, I would be most grateful.

Currently, when I try to authenticate a user using the PAM RADIUS module, it hangs my 
freeradius server at:
pam_pass: using pamauth string  for pam.conf lookup 

After this it will not authenticate any other users, no matter what type of 
authentication they are using.

Also, the PAM module never even attempts to contact my AD server.

Ken Mix


> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 23, 2003 8:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: RADIUS PAM Module with RH9. 
> 
> 
> "Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> > I am using the freeradius server to authenticate users into our routers
> > for management purposes.  When the users are authenticated, freeradius
> > authorizes them at a certain privilege level.
> 
>   So why do you need PAM?
> 
>   Are you going to describe what you're doing and why, or are you
> going to parcel out dribs & drabs of information, so that no one can
> possibly help you?
> 
>   Alan DeKok.
> 


Re: RADIUS PAM Module with RH9.

2003-09-23 Thread Alan DeKok
"Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> I am using the freeradius server to authenticate users into our routers
> for management purposes.  When the users are authenticated, freeradius
> authorizes them at a certain privilege level.

  So why do you need PAM?

  Are you going to describe what you're doing and why, or are you
going to parcel out dribs & drabs of information, so that no one can
possibly help you?

  Alan DeKok.



RE: RADIUS PAM Module with RH9.

2003-09-22 Thread Kenneth Mix
I am using the freeradius server to authenticate users into our routers for management 
purposes.  When the users are authenticated, freeradius authorizes them at a certain 
privilege level.

Ken Mix

> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 22, 2003 4:58 PM
> To: [EMAIL PROTECTED]
> Subject: Re: RADIUS PAM Module with RH9. 
> 
> 
> "Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> > I realize I am able to proxy, but I still want to be able to control my
> > attribute settings via my central freeradius server.
> 
>   I have no clue what you mean by that.
> 
> >   Is there any reason my PAM-Radius module would cause freeradius to
> > hang?
> 
>   Not that I know of.  But I've never used it that way, so I can't say
> for sure.
> 
>   Alan DeKok.
> 


Re: RADIUS PAM Module with RH9.

2003-09-22 Thread Alan DeKok
"Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> I realize I am able to proxy, but I still want to be able to control my 
> attribute settings via my central freeradius server.

  I have no clue what you mean by that.

>   Is there any reason my PAM-Radius module would cause freeradius to
> hang?

  Not that I know of.  But I've never used it that way, so I can't say
for sure.

  Alan DeKok.



RE: RADIUS PAM Module with RH9.

2003-09-22 Thread Kenneth Mix
Thank you.

I realize I am able to proxy, but I still want to be able to control my attribute 
settings via my central freeradius server.  Is there any reason my PAM-Radius module 
would cause freeradius to hang?

Ken Mix

> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 22, 2003 7:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: RADIUS PAM Module with RH9. 
> 
> 
> "Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> > I want to maintain central control for my RADIUS users, with
> > authentication for certain users happening via IAS.  This is the only
> > way I know of to do it, unless there is another way to specify that
> > certain users should be authenticated via a different RADIUS server.
> 
>   FreeRADIUS supports this.  See the list archives & 'Proxy-To-Realm'
> for examples.
> 
>   Alan DeKok.
> 


Re: RADIUS PAM Module with RH9.

2003-09-22 Thread Alan DeKok
"Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> I want to maintain central control for my RADIUS users, with
> authentication for certain users happening via IAS.  This is the only
> way I know of to do it, unless there is another way to specify that
> certain users should be authenticated via a different RADIUS server.

  FreeRADIUS supports this.  See the list archives & 'Proxy-To-Realm'
for examples.

  Alan DeKok.



RE: RADIUS PAM Module with RH9.

2003-09-22 Thread Kenneth Mix
I want to maintain central control for my RADIUS users, with authentication for 
certain users happening via IAS.  This is the only way I know of to do it, unless 
there is another way to specify that certain users should be authenticated via a 
different RADIUS server.

Ken Mix

> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Saturday, September 20, 2003 8:19 AM
> To: [EMAIL PROTECTED]
> Subject: Re: RADIUS PAM Module with RH9. 
> 
> 
> "Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> > When I am running radiusd -X, it stops at:
> > pam_pass: using pamauth string  for pam.conf lookup
> 
>   Ok... so it's locking somewhere.
> 
> > After this it will not authenticate any other users, PAM or other.
> > Also, the PAM module never seems to contact my IAS server.
> 
>   Huh?  Are you really doing radiusd -> pam -> pam_radius -> ias?
> 
>   Whatever the heck for?  Why not just proxy the request directly in
> FreeRADIUS?
> 
>   Alan DeKok.
> 


Re: RADIUS PAM Module with RH9.

2003-09-20 Thread Alan DeKok
"Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> When I am running radiusd -X, it stops at:
> pam_pass: using pamauth string  for pam.conf lookup

  Ok... so it's locking somewhere.

> After this it will not authenticate any other users, PAM or other.
> Also, the PAM module never seems to contact my IAS server.

  Huh?  Are you really doing radiusd -> pam -> pam_radius -> ias?

  Whatever the heck for?  Why not just proxy the request directly in
FreeRADIUS?

  Alan DeKok.



RE: RADIUS PAM Module with RH9.

2003-09-19 Thread Kenneth Mix
When I am running radiusd -X, it stops at:
pam_pass: using pamauth string  for pam.conf lookup

After this it will not authenticate any other users, PAM or other.  Also, the PAM 
module never seems to contact my IAS server.

Thanks,

Ken Mix

> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 2:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: RADIUS PAM Module with RH9. 
> 
> 
> "Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> > Also, freeradius still hangs when I use pam_radius_auth.so for
> > authentication.
> 
>   "hangs" ? What do you mean by that?
> 
>   Alan DeKok.
> 


Re: RADIUS PAM Module with RH9.

2003-09-19 Thread Alan DeKok
"Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> Also, freeradius still hangs when I use pam_radius_auth.so for
> authentication.

  "hangs" ? What do you mean by that?

  Alan DeKok.



RE: RADIUS PAM Module with RH9.

2003-09-19 Thread Kenneth Mix
I am still unable to authenticate via this PAM module, nor is it logging.  I know 
freeradius is configured properly, because I can use other PAM authentication sources.  
Is it possible I misconfigured something?  It's a pretty simple config -- here's what 
I have:

Server name and secret in /etc/raddb/server file.
PAM module information in /etc/pam.d/radiusd

Also, freeradius still hangs when I use pam_radius_auth.so for authentication.

Thank you,

Ken Mix

> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 8:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: RADIUS PAM Module with RH9. 
> 
> 
> "Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> > I am having problems with the PAM RADIUS module on a RedHat 9
> > server.
> 
>   An updated version of the module was released today, which should
> fix that problem.  See the FTP site.
> 
>   Alan DeKok.
> 


Re: RADIUS PAM Module with RH9.

2003-09-19 Thread Alan DeKok
"Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> I am having problems with the PAM RADIUS module on a RedHat 9
> server.

  An updated version of the module was released today, which should
fix that problem.  See the FTP site.

  Alan DeKok.
