(RADIATOR) Radiator and PAM authentication for Kerberos 5
Mike McCauley
mikem at open.com.au
Mon Sep 3 05:51:45 CDT 2001
Hello Mike,
I have retested PAM+Kerberos on RH7.1 with Radiator 2.18.3 and it works fine.
It looks a bit to me like your PAM service is not configured correctly: PAM
is failing to get the authentication information. You may need a dummy
account line like I have.
My PAM service file for the service 'radiator' looks like this:
# PAM config file to auth Radiator from Kerberos
auth required /lib/security/pam_krb5.so skip_first_pass
account required /lib/security/pam_permit.so
And my Radiator config file has this:
.....
<Realm DEFAULT>
# Authenticate from the PAM service called 'radiator'
# see above for details
<AuthBy PAM>
Service radiator
</AuthBy>
</Realm>
After adding the user 'mikem' to the Kerberos database with kadmin, I can
authenticate like this:
Mon Sep 3 20:39:47 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32802 ....
Code: Access-Request
Identifier: 32
Authentic: 1234567890123456
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
Mon Sep 3 20:39:47 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Sep 3 20:39:47 2001: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
Mon Sep 3 20:39:47 2001: DEBUG: Handling with PAM service radiator
Mon Sep 3 20:39:48 2001: DEBUG: PAM is asking for 'Password'
Mon Sep 3 20:39:48 2001: DEBUG: Access accepted for mikem
Mon Sep 3 20:39:48 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32802 ....
Code: Access-Accept
Identifier: 32
Authentic: 1234567890123456
Attributes:
On Sat, 1 Sep 2001 16:57, Hugh Irvine wrote:
> Hello Mike -
>
> Have you done everything that is mentioned in section 6.37 of the
> Radiator reference manual?
>
> I have also copied this to Mike for his comments.
>
> regards
>
> Hugh
>
> At 21:25 -0600 01/8/31, Forbes Mike wrote:
> >I am using Radiator on Redhat 7.1 with PAM authentication. I have the
> >radius.cfg as
> >follows:
> >
> ><Realm DEFAULT>
> > <AuthBy PAM>
> > Service radiusd
> > </AuthBy>
> >
> > # Log accounting to a detail file
> > AcctLogFileName %L/detail
> ></Realm>
> >
> ><Client x.x.x.x>
> > Secret mysecret
> > NasType Cisco
> > DupInterval 0
> ></Client>
> >
> >
> >more /etc/pam.d/radiusd
> >auth required /lib/security/pam_krb5.so
> >
> >I get the following /var/messages
> >
> >Aug 31 21:10:54 radii perl: pam_krb5: authentication succeeds for forbeskm
> >
> >I get the following from radius logfile
> >
> >Fri Aug 31 21:10:54 2001: DEBUG: Handling request with Handler
> >'Realm=DEFAULT'
> >Fri Aug 31 21:10:54 2001: DEBUG: Deleting session for forbeskm,
> >x.x.x.x, 3
> >Fri Aug 31 21:10:54 2001: DEBUG: Handling with PAM service radiusd
> >Fri Aug 31 21:10:54 2001: DEBUG: PAM is asking for 'Password'
> >Fri Aug 31 21:10:54 2001: INFO: Access rejected for forbeskm:
> >Authentication service cannot retrieve authentication info.:
> >Fri Aug 31 21:10:54 2001: DEBUG: Packet dump:
> >
> >
> >Why is this failing? Is it my krb5.conf that may be misconfigured? I did
> >not have any luck with getting more debug info from putting debug = true
> >in the [pam] section.
> >
> >Anybody else doing kerb5 authentication with the radiator??
> >
> >Thanks,
> >
> >Mike Forbes
> >
> >===
> >Archive at http://www.open.com.au/archives/radiator/
> >Announcements on radiator-announce at open.com.au
> >To unsubscribe, email 'majordomo at open.com.au' with
> >'unsubscribe radiator' in the body of the message.
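An added example, not part of the original thread and not Radiator code: a small Python check for the condition discussed above, a PAM service file that has an auth line but no account line. The function names are hypothetical; the two sample files are the ones quoted in the messages.

```python
import re

# One PAM rule: [-]group  control  module  [args...]; control may be "[...]".
LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", re.I)

def parse_pam_service(text):
    """Return (group, control, module, args) tuples from a /etc/pam.d/<service> file."""
    entries = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2), m.group(3),
                            m.group(4).split()))
    return entries

def missing_groups(text, required=("auth", "account")):
    """List the management groups the service file does not configure."""
    present = {group for group, _, _, _ in parse_pam_service(text)}
    return [g for g in required if g not in present]

def account_is_permit_only(text):
    """True when every account rule is pam_permit.so (accepts any account)."""
    mods = [mod for group, _, mod, _ in parse_pam_service(text) if group == "account"]
    return bool(mods) and all(mod.endswith("pam_permit.so") for mod in mods)

# Sample inputs copied from the thread: the service file that was rejected
# and the one that was accepted.
REJECTED = "auth required /lib/security/pam_krb5.so\n"
ACCEPTED = (
    "# PAM config file to auth Radiator from Kerberos\n"
    "auth required /lib/security/pam_krb5.so skip_first_pass\n"
    "account required /lib/security/pam_permit.so\n"
)

if __name__ == "__main__":
    for name, text in (("radiusd", REJECTED), ("radiator", ACCEPTED)):
        gaps = missing_groups(text)
        note = " (account stack is pam_permit only)" if account_is_permit_only(text) else ""
        print(f"{name}: missing {gaps or 'nothing'}{note}")
```

pam_permit.so in the account stack accepts every account, so any expiry or lockout policy has to be enforced elsewhere, for example in the KDC.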