Authentication requests currently come from cisco routers and switches mostly,
probably would have to add servers as well in future.
So does it mean that freeradius server will respond by default to the
requests from cisco routers and switches whose users I have added in
etc/shadow
Hi,
I am a newbie to free radius, I need to know what changes are required in
radiusd.conf or any other file in order to authenticate clients requests
through local machine users(etc/passwd or etc/shadow) instead of making users
in the raddb/users file.
Cheers
Hi,
I am a newbie to free radius, I need to know what changes are required in
radiusd.conf or any other file in order to authenticate clients requests
through local machine users(etc/passwd or etc/shadow) instead of making
users in the raddb/users file.
add users to the system
Thanks Alan, what I am actually trying to achieve is to authenticate users
against our Linux /etc/shadow or /etc/password/ files. I don't want to use the
USERS file as it stores passwords in clear text which is what we're trying to
avoid.
Hi,
I am a newbie to free radius, I
of.
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of Raheel Itrat
Sent: Monday, March 21, 2011 3:11 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: authenticate via etc/shadow
Hi,
Thanks Alan, what I am actually trying to achieve is to authenticate users
against our Linux /etc/shadow or /etc/password/ files. I don't want to use
the USERS file as it stores passwords in clear text which is what we're
trying to avoid.
it CAN store the passwords in clear
sbchem wrote:
shrug It's an error produces (sic) by the PAM subsystem. Ask them
what it means.
Sigh It turns out the error is caused by a typo in the radiusd file
provided in /redhat/radiusd-pam, NOT by the pam subsystem. In fact, the pam
subsystem was merely reporting the error in the
Hi,
I am part of a consortium of public and private universities and scientific
research facilities and our internal listserv on radius frequently talks
...as am I. but I inform people that they should read the documentation
and follow the basic information provided about how to troubleshoot
On Thu, May 27, 2010 at 01:51:44PM -0700, sbchem wrote:
our internal listserv on radius frequently talks people off of freeradius
solely because of the sarcastic and chip on the shoulder attitude of
some of the developers. Quit being such a Mordac Alan, it scares the
tourists and devalues the
On Fri 28 May 2010, John Dennis wrote:
On 05/27/2010 04:51 PM, sbchem wrote:
shrug It's an error produces (sic) by the PAM subsystem. Ask
them
what it means.
Sigh It turns out the error is caused by a typo in the radiusd file
provided in /redhat/radiusd-pam, NOT by the pam
--
View this message in context:
http://old.nabble.com/RADDB-2.1.7-and--etc-shadow-tp28640012p28708369.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Josip Rodin wrote:
The solution is to treat such projects, including FreeRADIUS, accordingly -
this forum is not what you might call a first-level helpdesk venue - it is
instead a venue where the user can be expected a lot from, including both
a technical proficiency and an ability to take
sbchem wrote:
No one is disparaging your work
See the other responses to your message: no one here agrees with the
above statement.
Alan DeKok.
On 05/27/2010 04:51 PM, sbchem wrote:
shrug It's an error produces (sic) by the PAM subsystem. Ask them
what it means.
Sigh It turns out the error is caused by a typo in the radiusd file
provided in /redhat/radiusd-pam, NOT by the pam subsystem. In fact, the pam
subsystem was merely
On 05/22/2010 05:37 PM, sbchem wrote:
you and John Dennis both mentioned PAM so I went ahead and commented out the
passwd entries and I am now looking at PAM per your suggestion.
Installed the pam-radius client per
http://freeradius.org/pam_radius_auth/
No, that's for authenticating against
--
John Dennis jden...@redhat.com
sbchem wrote:
So the entry:
pam_pass: function pam_authenticate FAILED for test. Reason: Module is
unknown
is obviously supposed to give me the clue I need but I have no idea what it
means.
shrug It's an error produces by the PAM subsystem. Ask them what
it means.
Blaming
On 05/21/2010 07:31 PM, sbchem wrote:
Greetings,
I installed a fresh copy of FreeRadius v 2.1.7 on CentOS 5. Ran radtest
locally as well as remotely and it works great. Now I want to point the
server to my /etc/shadow file which lives on the same machine. I have not
made any changes
sbchem wrote:
I installed a fresh copy of FreeRadius v 2.1.7 on CentOS 5. Ran radtest
locally as well as remotely and it works great. Now I want to point the
server to my /etc/shadow file which lives on the same machine. I have not
made any changes to the default config except to change
It's not a good idea to change the ownership of /etc/shadow from a
security and system perspective. Rather than using rlm_unix use rlm_pam
instead
Understood and agreed. This is not a production environment. I was just
trying to understand how the modules worked. That being said, I am now
You need to edit raddb/sites-available/inner-tunnel, too.
sites-available or sites-enabled? I did edit inner-tunnel in
sites-enabled as well as default
See raddb/modules/passwd instead
added the following to passwd:
unix {
filename = /etc/shadow
format = *User-Name
sbchem wrote:
You need to edit raddb/sites-available/inner-tunnel, too.
sites-available or sites-enabled? I did edit inner-tunnel in
sites-enabled as well as default
The original debug log you posted shows *no* reference to unix in
the inner-tunnel server. That's why authentication is
reject for request 0
Sending Access-Reject of id 252 to 127.0.0.1 port 60057
Waking up in 4.9 seconds.
Cleaning up request 0 ID 252 with timestamp +7
Ready to process requests.
Based on your prior message should I be putting the reference to /etc/shadow
in the unix module or the passwd module
sbchem wrote:
I would assume it means that the unix module could not find the user.
Yes. Is the user in /etc/passwd and /etc/shadow?
If so, check permissions, and maybe configure PAM.
If not...
Based on your prior message should I be putting the reference to /etc/shadow
in the unix
Is the user in /etc/passwd and /etc/shadow?
Yes
If so, check permissions
/etc/shadow was chgrp'd to radiusd in spite of John Dennis' warnings to the
contrary --
BUT I forgot to change the read permission -- my fault totally --
Which file did I tell you to modify?
modules/passwd edited
sbchem wrote:
you and John Dennis both mentioned PAM so I went ahead and commented out the
passwd entries and I am now looking at PAM per your suggestion.
Installed the pam-radius client per
http://freeradius.org/pam_radius_auth/
Uh... no. Please *read* the documentation for
Greetings,
I installed a fresh copy of FreeRadius v 2.1.7 on CentOS 5. Ran radtest
locally as well as remotely and it works great. Now I want to point
the server to my /etc/shadow file which lives on the same machine. I
have not made any changes to the default config except to change
Greetings,
I installed a fresh copy of FreeRadius v 2.1.7 on CentOS 5. Ran radtest
locally as well as remotely and it works great. Now I want to point the
server to my /etc/shadow file which lives on the same machine. I have not
made any changes to the default config except to change
My current radius installation permits radius daemon read-only access to
/etc/shadow. But this introduces security risks.
-rw-r--r-- 1 root root 6514 Nov 18 16:52 /etc/shadow
I have been told to consider MySQL back-end. Is there a way to pull the
existing local users/passwords in MySQL? Or I
Norman Zhang wrote:
My current radius installation permits radius daemon read-only access to
/etc/shadow. But this introduces security risks.
Such as?
-rw-r--r-- 1 root root 6514 Nov 18 16:52 /etc/shadow
I have been told to consider MySQL back-end. Is there a way to pull the
existing
Alan DeKok wrote:
Norman Zhang wrote:
My current radius installation permits radius daemon read-only access to
/etc/shadow. But this introduces security risks.
Such as?
-rw-r--r-- 1 root root 6514 Nov 18 16:52 /etc/shadow
I have been told to consider MySQL back-end. Is there a way
Norman Zhang wrote:
Good point. I guess the security risk is to do with granting others +r
access to /etc/shadow. Maybe I can
chgrp /etc/shadow shadow
and changing radius.conf to
user = radius
group = shadow
would do the trick.
Which is recommended in the comments in radiusd.conf
Norman Zhang wrote:
Thanks. I edited users with the following entries
DEFAULT Auth-Type = System
Fall-Through = 1,
cisco-avpair = shell:priv-lvl=1,
Service-Type = Administrative-User
DEFAULT Group == user-ro
cisco-avpair := shell:priv-lvl=7
DEFAULT Group
shadow = /etc/shadow
group = /etc/group
radwtmp = ${logdir}/radwtmp
}
but I still cannot get in.
rad_recv: Access-Request packet from host 10.0.0.2:1645, id=27, length=79
NAS-IP-Address = 10.0.0.2
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name
}
unix {
cache = no
cache_reload = 600
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
radwtmp = ${logdir}/radwtmp
}
but I still cannot get in.
rad_recv: Access-Request packet from host 10.0.0.2:1645, id=27, length=79
NAS-IP-Address
[EMAIL PROTECTED] wrote:
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
Sending Access-Accept of id 27 to 10.0.0.2:1645
You have got in. But you haven't returned any radius attributes. You
need to return something like Service-Type = Administrative-User or
NAS-Prompt-User
]
ists.freeradius.org] On Behalf Of Norman Zhang
Sent: Thursday, 26 April 2007 10:50
To: freeradius-users@lists.freeradius.org
Subject: Re: User /etc/shadow for Authentication
[EMAIL PROTECTED] wrote:
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
Sending Access-Accept of id 27
How do I setup users tester-a to use /etc/shadow for authentication?
Currently I have
tester-a Auth-Type := Local, User-Password == superuser
cisco-avpair = shell:priv-lvl=15,
Service-Type = Administrative-User
Norman
Norman Zhang wrote:
How do I setup users tester-a to use /etc/shadow for authentication?
Currently I have
tester-a Auth-Type := Local, User-Password == superuser
cisco-avpair = shell:priv-lvl=15,
Service-Type = Administrative-User
I would start by reading radiusd.conf. Look
Dennis Skinner wrote:
Norman Zhang wrote:
How do I setup users tester-a to use /etc/shadow for authentication?
Currently I have
tester-a Auth-Type := Local, User-Password == superuser
cisco-avpair = shell:priv-lvl=15,
Service-Type = Administrative-User
I would start
with FreeRadius (/etc/shadow)
Nataniel Klug [EMAIL PROTECTED] wrote:
Now you have given me a tip... At my Fedora there is no group shadow
$ vi /etc/group
add shadow ??
so I put radius to run as group root so it could read /etc/shadow
only if I set +r to group at shadow files.
It's
Subject: RE: Problems System Auth with FreeRadius (/etc/shadow)
You may read the doc wrong. The group you should look for is
radiusd. When you create user radiusd, the group radiusd
should also be created if you use adduser command to do the job.
You don't want user radiusd to belong to group
-users@lists.freeradius.org
Sent: Wednesday, January 25, 2006 9:54 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
I'm glad it's working but it's not necessary to give radius write
permissions to either of those files. All radius needs to be able to
do is read them.
Mark
System Auth with FreeRadius (/etc/shadow)
Nataniel Klug [EMAIL PROTECTED] wrote:
Ok, it disagrees but I am SURE that I have set the password to user
nata.
How can this FreeRadius deny? where it is looking? Why when I install
Cistron Radius it works fine?
Because FreeRADIUS is more
Nataniel Klug [EMAIL PROTECTED] wrote:
I just have installed the package from Fedora Core 3, nothing else.
Then look at the configuration file. See how it's different from
what is shipped with FreeRADIUS.
And setting a+rw on /etc/passwd and /etc/shadow is probably the
single worst thing
Alan,
Now you have given me a tip... At my Fedora there is no group shadow, so I
put radius to run as group root so it could read /etc/shadow only if I set
+r to group at shadow files.
Att,
Nataniel Klug
- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users
You may read the doc wrong. The group you should look for is
radiusd. When you create user radiusd, the group radiusd
should also be created if you use adduser command to do the job.
You don't want user radiusd to belong to group root. Do
chgrp radiusd /etc/shadow.
Min
-Original Message
Nataniel Klug [EMAIL PROTECTED] wrote:
Now you have given me a tip... At my Fedora there is no group shadow
$ vi /etc/group
add shadow ??
so I put radius to run as group root so it could read /etc/shadow
only if I set +r to group at shadow files.
It's usually better to *not* run
is correct for this
user.
Att,
Nataniel Klug
- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, January 24, 2006 3:21 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
Nataniel
Nataniel Klug [EMAIL PROTECTED] wrote:
rlm_unix: [nata]: invalid password
modcall[authenticate]: module unix returns reject for request 1
...
I could not understand what is going on. The password is correct for this
user.
The code running on your machine disagrees.
Alan DeKok.
I had the same issue. My problem turned out to be that radius didn't
have read access to the shadow password file.
Mark
Alan DeKok wrote:
Nataniel Klug [EMAIL PROTECTED] wrote:
rlm_unix: [nata]: invalid password
modcall[authenticate]: module unix returns reject for request 1
...
I could
25, 2006 5:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
I had the same issue. My problem turned out to be that radius didn't
have read access to the shadow password file.
Mark
Alan DeKok wrote:
Nataniel Klug [EMAIL PROTECTED] wrote:
rlm_unix: [nata]: invalid
: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, January 25, 2006 4:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
Nataniel Klug [EMAIL PROTECTED] wrote:
rlm_unix: [nata]: invalid password
modcall
: Problems System Auth with FreeRadius (/etc/shadow)
I had the same issue. My problem turned out to be that radius didn't
have read access to the shadow password file.
Mark
Alan DeKok wrote:
Nataniel Klug [EMAIL PROTECTED] wrote:
rlm_unix: [nata]: invalid password
modcall[authenticate
Nataniel Klug [EMAIL PROTECTED] wrote:
Ok, it disagrees but I am SURE that I have set the password to user nata.
How can this FreeRadius deny? where it is looking? Why when I install
Cistron Radius it works fine?
Because FreeRADIUS is more configurable than Cistron, so there's
more potential
- Original Message -
From: Mark Tunnell [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, January 25, 2006 5:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
I had the same issue. My problem turned out
Nataniel Klug [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] radius]# tail radius.log -n 2
Tue Jan 24 01:24:02 2006 : Auth: rlm_unix: [nata]: invalid password
Nice. Is there any particular reason you're refusing to run the
server in debugging mode, as suggested in the README, FAQ, and
INSTALL?
Alan DeKok wrote:
den [EMAIL PROTECTED] wrote:
But I want freeRADIUS to look for passwords in /etc/shadow. Can somebody
help me?
It does this in the default config. See the unix module.
Alan DeKok.
den [EMAIL PROTECTED] wrote:
I know, about unix module. But I need some examples related to 802.1x.
But you didn't say so in your first message.
Next time, try asking questions about what you want to do, not about
specific details of how to do it. The responses will be more helpful.
And
HI All. I`ve read this article: http://www.tldp.org/HOWTO/8021X-HOWTO,
and several related.
But I want freeRADIUS to look for passwords in /etc/shadow. Can somebody
help me?
v 1.0.2
Debian Sarge.
Is it possible to use with freeradius the /etc/shadow (/etc/passwd) of
another server?
___
| | HOW? | |
-- | RADIUS | --- | /etc/shadow |
|__| |_|
Server 1
      ________            _____________
     |        |   HOW?   |             |
  -- | RADIUS |   ---    | /etc/shadow |
     |________|          |_____________|
      Server 1              Server 2
I suppose there are always ways to achieve whatever you like
...)
TECHNICAL SOLUTION: Put another HD ;)
Thanks a lot,
Jon
On Tue, 1 Feb 2005, Stefan Winter wrote:
___
| | HOW? | |
-- | RADIUS | --- | /etc/shadow
Hi,
How can I use EAP-TTLS authentication in the case that the
user/md5_password file association (/etc/shadow) is in another server
different from the Radius Server machine? Is it possible?
thanks,
Jon