Re: Freeradius authentication question
"Le Gal Philippe" <[EMAIL PROTECTED]> wrote: > I'm trying to authenticate users login in a machine using ssh. I > have configured ssh & PAM on that server to autenticate against the > radius server (Redhat Application Server 2.1). ... > The Free radius server says : > > Login incorrect: [test/\010\n\INCORRECT] (from client us067.eudra.org port > 1500 cli 192.168.xx.xx) If that isn't the password you entered in SSH, then either SSH or PAM is changing the password to that "INCORRECT" string. There's nothing you can do to FreeRADIUS to fix the problem. Instead, find out why SSH or PAM is changing the password. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius authentication question
hmm ok a lot thank you.. regards :)

> ----- Original Message -----
> From: "Le Gal Philippe" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list"
> Subject: RE: Freeradius authentication question
> Date: Fri, 20 Jan 2006 12:08:59 -
>
> The Pam radius configuration file on the client machine should be
> located here: /etc/raddb/server (cf pam radius INSTALL)
>
> I can't see why the radius server cannot decrypt the password when
> I know my shared secret is absolutely identical on the client and
> on the radius server.
>
> Anyone ?
>
> Philippe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]dius.org] On Behalf Of Kai Geek
> Sent: 20 January 2006 12:00
> To: FreeRadius users mailing list
> Subject: Re: Freeradius authentication question
>
> Hello,
> [EMAIL PROTECTED] root]# vi /etc/raddb/server ??
>
> the config file will this be ?
> correct directory;
>
> #vi /etc/raddb/clients.conf
>
> oke.
>
> > ----- Original Message -----
> > From: "Le Gal Philippe" <[EMAIL PROTECTED]>
> > To: "FreeRadius users mailing list"
> > Subject: Freeradius authentication question
> > Date: Fri, 20 Jan 2006 11:34:51 -
> >
> > Hi everybody,
> >
> > I'm trying to authenticate users logging in to a machine using ssh. I
> > have configured ssh & PAM on that server to authenticate against
> > the radius server (Redhat Application Server 2.1).
> >
> > Please find below the debug of the radius server as well as my conf files.
> >
> > The Free radius server says :
> >
> > Login incorrect: [test/\010\n\INCORRECT] (from client
> > us067.eudra.org port 1500 cli 192.168.xx.xx)
> > WARNING: Unprintable characters in the password.
> > Double-check the shared secret on the server and the NAS!
> >
> > So did I. I checked the secrets on the server and they are *IDENTICAL*...
> >
> > I used the NTRadPing utility with exactly the same parameters and
> > it works absolutely fine !
> >
> > Thank you for your help !
RE: Freeradius authentication question
The Pam radius configuration file on the client machine should be
located here: /etc/raddb/server (cf pam radius INSTALL)

I can't see why the radius server cannot decrypt the password when
I know my shared secret is absolutely identical on the client and
on the radius server.

Anyone ?

Philippe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]dius.org] On Behalf Of Kai Geek
Sent: 20 January 2006 12:00
To: FreeRadius users mailing list
Subject: Re: Freeradius authentication question

Hello,
[EMAIL PROTECTED] root]# vi /etc/raddb/server ??

the config file will this be ?
correct directory;

#vi /etc/raddb/clients.conf

oke.

> ----- Original Message -----
> From: "Le Gal Philippe" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list"
> Subject: Freeradius authentication question
> Date: Fri, 20 Jan 2006 11:34:51 -
>
> Hi everybody,
>
> I'm trying to authenticate users logging in to a machine using ssh. I
> have configured ssh & PAM on that server to authenticate against the
> radius server (Redhat Application Server 2.1).
>
> Please find below the debug of the radius server as well as my conf files.
>
> The Free radius server says :
>
> Login incorrect: [test/\010\n\INCORRECT] (from client
> us067.eudra.org port 1500 cli 192.168.xx.xx)
> WARNING: Unprintable characters in the password.
> Double-check the shared secret on the server and the NAS!
>
> So did I. I checked the secrets on the server and they are *IDENTICAL*...
>
> I used the NTRadPing utility with exactly the same parameters and
> it works absolutely fine !
>
> Thank you for your help !
>
> my /etc/raddb/server file : (on the client machine) :
>
> [EMAIL PROTECTED] root]# vi /etc/raddb/server
> # pam_radius_auth configuration file. Copy to: /etc/raddb/server
> #
> # For proper security, this file SHOULD have permissions 0600,
> # that is readable by root, and NO ONE else. If anyone other than
> # root can read this file, then they can spoof responses from the server!
Re: Freeradius authentication question
Hello,
[EMAIL PROTECTED] root]# vi /etc/raddb/server ??

the config file will this be ?
correct directory;

#vi /etc/raddb/clients.conf

oke.

> ----- Original Message -----
> From: "Le Gal Philippe" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list"
> Subject: Freeradius authentication question
> Date: Fri, 20 Jan 2006 11:34:51 -
>
> Hi everybody,
>
> I'm trying to authenticate users logging in to a machine using ssh. I
> have configured ssh & PAM on that server to authenticate against the
> radius server (Redhat Application Server 2.1).
>
> Please find below the debug of the radius server as well as my conf files.
>
> The Free radius server says :
>
> Login incorrect: [test/\010\n\INCORRECT] (from client
> us067.eudra.org port 1500 cli 192.168.xx.xx)
> WARNING: Unprintable characters in the password.
> Double-check the shared secret on the server and the NAS!
>
> So did I. I checked the secrets on the server and they are *IDENTICAL*...
>
> I used the NTRadPing utility with exactly the same parameters and
> it works absolutely fine !
>
> Thank you for your help !
>
> my /etc/raddb/server file : (on the client machine) :
>
> [EMAIL PROTECTED] root]# vi /etc/raddb/server
> # pam_radius_auth configuration file. Copy to: /etc/raddb/server
> #
> # For proper security, this file SHOULD have permissions 0600,
> # that is readable by root, and NO ONE else. If anyone other than
> # root can read this file, then they can spoof responses from the server!
> #
> # There are 3 fields per line in this file. There may be multiple
> # lines. Blank lines or lines beginning with '#' are treated as
> # comments, and are ignored. The fields are:
> #
> # server[:port] secret [timeout]
> #
> # the port name or number is optional. The default port name is
> # "radius", and is looked up from /etc/services The timeout field is
> # optional. The default timeout is 3 seconds.
> #
> # If multiple RADIUS server lines exist, they are tried in order.
Freeradius authentication question
Hi everybody,

I'm trying to authenticate users logging in to a machine using ssh. I have
configured ssh & PAM on that server to authenticate against the radius server
(Redhat Application Server 2.1).

Please find below the debug of the radius server as well as my conf files.

The Free radius server says :

Login incorrect: [test/\010\n\INCORRECT] (from client us067.eudra.org port 1500 cli 192.168.xx.xx)
WARNING: Unprintable characters in the password.
Double-check the shared secret on the server and the NAS!

So did I. I checked the secrets on the server and they are *IDENTICAL*...

I used the NTRadPing utility with exactly the same parameters and it works
absolutely fine !

Thank you for your help !

my /etc/raddb/server file : (on the client machine) :

[EMAIL PROTECTED] root]# vi /etc/raddb/server
# pam_radius_auth configuration file. Copy to: /etc/raddb/server
#
# For proper security, this file SHOULD have permissions 0600,
# that is readable by root, and NO ONE else. If anyone other than
# root can read this file, then they can spoof responses from the server!
#
# There are 3 fields per line in this file. There may be multiple
# lines. Blank lines or lines beginning with '#' are treated as
# comments, and are ignored. The fields are:
#
# server[:port] secret [timeout]
#
# the port name or number is optional. The default port name is
# "radius", and is looked up from /etc/services The timeout field is
# optional. The default timeout is 3 seconds.
#
# If multiple RADIUS server lines exist, they are tried in order. The
# first server to return success or failure causes the module to return
# success or failure. Only if a server fails to response is it skipped,
# and the next server in turn is used.
#
# The timeout field controls how many seconds the module waits before
# deciding that the server has failed to respond.
#
# server[:port] shared_secret timeout (s)
loginhost.eudra.org philippe123456 1
#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.

clients.conf :

client us067.eudra.org {
 secret = philippe123456
 shortname = us067.eudra.org
}

[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
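The "Unprintable characters in the password" warning in the post comes from the way RADIUS hides User-Password (RFC 2865 section 5.2): the NAS XORs the password with an MD5 key stream derived from the shared secret, and the server reverses it, so a wrong secret never fails loudly but simply yields binary noise, which is all the server can check for. The Python below is an added example for this page, not FreeRADIUS or pam_radius_auth code; the fixed Request Authenticator, the re-implemented printability check and the triage heuristic in diagnose() are my own constructions, and the secret is the one shown in the post.

```python
import hashlib

# Constructed sample values: the secret is the one shown in the post; a real NAS
# uses 16 random bytes for the Request Authenticator, fixed here to be reproducible.
SECRET = b"philippe123456"
AUTHENTICATOR = bytes(range(16))

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad with NULs to a multiple of
    16, then XOR each block with MD5(secret + previous ciphertext block); the
    first block is keyed by the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the server does it; trailing NUL padding
    is stripped. Nothing checks the secret: a wrong one gives a wrong key stream
    and thus near-random bytes, so the server can only look for odd characters."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")

def unprintable_positions(pw: bytes) -> list:
    """Offsets of bytes outside printable ASCII (0x20..0x7e): the condition behind
    the 'Unprintable characters in the password' warning, re-implemented here."""
    return [i for i, b in enumerate(pw) if b < 0x20 or b > 0x7e]

def diagnose(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Heuristic triage of that warning (my own, not FreeRADIUS's): 'ok' for clean
    text; 'client-sent-literal' when control bytes are followed by a readable run,
    i.e. the secret decrypted fine and the NAS really sent that string (the
    \\010\\n...INCORRECT case in the post); 'secret-mismatch' for binary noise."""
    pw = reveal_user_password(hidden, secret, authenticator)
    bad = unprintable_positions(pw)
    if not bad:
        return "ok"
    tail = pw[bad[-1] + 1:]
    # Eight or more clean bytes after the last control byte are very unlikely to
    # come from a wrong key stream; a shorter readable tail is treated as noise.
    if len(tail) >= 8 and not unprintable_positions(tail):
        return "client-sent-literal"
    return "secret-mismatch"
```

Run on the post's own case, control bytes followed by a readable INCORRECT, diagnose() reports client-sent-literal rather than secret-mismatch, which is the same conclusion the thread reaches: the secret decrypted correctly and the string came from the SSH/PAM side. OpenSSH's PAM code is known to substitute a fixed bogus password containing that word when it runs PAM for a login it has already decided to refuse, which is one place to look.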
Re: FreeRadius Authentication Question
Hamid Salim <[EMAIL PROTECTED]> wrote:
> With the following setup to use eap-tls, do i need to enable mschap?

No. EAP-TLS doesn't use mschap. But if you're going to use PEAP, it needs
mschap.

Since mschap is enabled in the default configuration, I'm not sure why this
is a problem.

> the problem is that the radius is not receiving any requests from the
> client!

Then that has nothing to do with mschap or eap-tls, or anything in the
server. Use "tcpdump" to see where the packets are going.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html