[RADIATOR] pam_radius_auth and Radiator

Chris Bland chris at fdu.edu
Mon Mar 1 11:28:06 CST 2010


Hi guys,

I am trying to set up a Linux box to authenticate using RADIUS.  I pulled 
down the pam_radius_auth module from freeradius.org.  It will not work; 
I keep getting bad encrypted password errors.  When I use radpwtst 
locally I authenticate fine.  It's only coming from my server that I have 
issues.  I verified all suggestions under 54 on 
http://www.open.com.au/faq.html   My config looks like this:

#Foreground
LogStdout
LogDir        /var/log/radius-test      
DbDir        .   
Trace        5
PidFile     /var/log/radius-test/radiusd.pid
AuthPort    5794
AcctPort    5795
DefineGlobalVar Max 7200
DictionaryFile /etc/radiator/dictionary

# Clients to suit your site.
<Client 132.238.3.162>
Secret xxxxx
DupInterval 0
</Client>
################################################################
<Client localhost>
    Secret xxxxxx
    DupInterval 0
</Client>
################################################################
<AuthBy SQL>
    Identifier LOCALDBAUTH
    DBSource    dbi:mysql:radius_test:localhost
    DBUsername     dbuser   
    DBAuth        xxxxxx
    DefaultSimultaneousUse 1
    AccountingTable    subscribers
    AuthSelect    select password from subscribers where username='%n'
</AuthBy>
################################################################
<Realm DEFAULT>
    AuthByPolicy ContinueAlways
    AuthBy LOCALDBAUTH
    MaxSessions 1
</Realm>

This is what I see in the logs:

Mon Mar  1 11:56:10 2010: DEBUG: Packet dump:
*** Received from 132.238.3.162 port 29364 ....

Packet length = 93
01 8e 00 5d 76 0d 15 43 90 f7 6b 52 bd 43 1a d8
67 9f 98 14 01 06 73 61 75 6c 02 12 50 f7 58 3d
76 84 db 2b 43 1d 81 ce d2 17 b1 2d 04 06 84 ee
03 ac 20 06 73 73 68 64 05 06 00 00 6e b3 3d 06
00 00 00 05 06 06 00 00 00 08 1f 13 65 6c 6c 73
77 6f 72 74 68 2e 66 64 75 2e 65 64 75
Code:       Access-Request
Identifier: 142
Authentic:  v<13><21>C<144><247>kR<189>C<26><216>g<159><152><20>
Attributes:
        User-Name = "test"
        User-Password = P<247>X=v<132><219>+C<29><129><206><210><23><177>-
        NAS-IP-Address = 132.238.3.162
        NAS-Identifier = "sshd"
        NAS-Port = 28339
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "bancroft1fl-usas-246t.fdu.edu"

Mon Mar  1 11:56:10 2010: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Mon Mar  1 11:56:10 2010: DEBUG:  Deleting session for test, 
132.238.3.162, 28339
Mon Mar  1 11:56:10 2010: DEBUG: Handling with Radius::AuthSQL
Mon Mar  1 11:56:10 2010: DEBUG: Handling with Radius::AuthSQL: LOCALDBAUTH
Mon Mar  1 11:56:10 2010: DEBUG: Query is: 'select password from 
subscribers where username='test'':
Mon Mar  1 11:56:10 2010: DEBUG: Radius::AuthSQL looks for match with 
test [test]
Mon Mar  1 11:56:10 2010: DEBUG: Radius::AuthSQL REJECT: Bad Password: 
test [test]
Mon Mar  1 11:56:10 2010: DEBUG: Query is: 'select password from 
subscribers where username='DEFAULT'':
Mon Mar  1 11:56:10 2010: DEBUG: AuthBy SQL result: REJECT, Bad Password
Mon Mar  1 11:56:10 2010: INFO: Access rejected for test: Bad Password
Mon Mar  1 11:56:10 2010: DEBUG: Packet dump:
*** Sending to 132.238.3.162 port 29364 ....

Packet length = 36
03 8e 00 24 4c 1e f9 0e a3 df 1a 71 dc 03 4c ed
a7 f2 d8 43 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 142
Authentic:  v<13><21>C<144><247>kR<189>C<26><216>g<159><152><20>
Attributes:
        Reply-Message = "Request Denied"

Mon Mar  1 11:56:48 2010: DEBUG: Packet dump:
*** Received from 132.238.3.162 port 29364 ....

Packet length = 93
01 7a 00 5d f0 3a b4 ed ff b7 af bd 6f 4c 73 2a
18 85 e1 ad 01 06 73 61 75 6c 02 12 71 ca ae a4
af 9e 6e 09 42 29 f4 b0 76 77 86 41 04 06 84 ee
03 ac 20 06 73 73 68 64 05 06 00 00 6e b3 3d 06
00 00 00 05 06 06 00 00 00 08 1f 13 65 6c 6c 73
77 6f 72 74 68 2e 66 64 75 2e 65 64 75


Code:       Access-Request
Identifier: 122
Authentic:  <240>:<180><237><255><183><175><189>oLs*<24><133><225><173>
Attributes:
        User-Name = "test"
        User-Password = q<202><174><164><175><158>n<9>B)<244><176>vw<134>A
        NAS-IP-Address = 132.238.3.162
        NAS-Identifier = "sshd"
        NAS-Port = 28339
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "bancroft1fl-usas-246t.fdu.edu"

Mon Mar  1 11:56:48 2010: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Mon Mar  1 11:56:48 2010: DEBUG:  Deleting session for test, 
132.238.3.162, 28339
Mon Mar  1 11:56:48 2010: DEBUG: Handling with Radius::AuthSQL
Mon Mar  1 11:56:48 2010: DEBUG: Handling with Radius::AuthSQL: LOCALDBAUTH
Mon Mar  1 11:56:48 2010: DEBUG: Query is: 'select password from 
subscribers where username='test'':
Mon Mar  1 11:56:48 2010: DEBUG: Radius::AuthSQL looks for match with 
test [test]
Mon Mar  1 11:56:48 2010: DEBUG: Radius::AuthSQL REJECT: Bad Password: 
test [test]
Mon Mar  1 11:56:48 2010: DEBUG: Query is: 'select password from 
subscribers where username='DEFAULT'':
Mon Mar  1 11:56:48 2010: DEBUG: AuthBy SQL result: REJECT, Bad Password
Mon Mar  1 11:56:48 2010: INFO: Access rejected for test: Bad Password
Mon Mar  1 11:56:48 2010: DEBUG: Packet dump:
*** Sending to 132.238.3.162 port 29364 ....

Packet length = 36
03 7a 00 24 eb 47 fb f9 35 8e 29 2d 79 4a e0 73
1e 85 f5 8a 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 122
Authentic:  <240>:<180><237><255><183><175><189>oLs*<24><133><225><173>
Attributes:
        Reply-Message = "Request Denied"

-Chris
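
Added example (not part of the original post, and not Radiator or pam_radius_auth code): the User-Password attribute in the dumps above is hidden per RFC 2865 section 5.2 by XOR with MD5(shared secret + Request Authenticator), so a server whose Secret differs from the client's decodes garbage and the comparison with the stored password fails. The sketch parses an Access-Request and recovers the password with a candidate secret; the packet, authenticator, secret and password are all constructed for illustration.

```python
import hashlib
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 5.2): zero-pad to 16-byte blocks, chain MD5 XOR."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, chained on the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def parse_access_request(packet: bytes):
    """Return (authenticator, {attribute type: value}) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return packet[4:20], attrs

def decode_user_password(packet: bytes, secret: bytes) -> bytes:
    authenticator, attrs = parse_access_request(packet)
    hidden = attrs[2]  # attribute type 2 = User-Password
    if len(hidden) % 16:
        raise ValueError("User-Password length is not a multiple of 16")
    return reveal_password(hidden, secret, authenticator)

# Constructed sample: authenticator, secret and password are made up for this example.
AUTH = bytes(range(16))
_attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in
                  ((1, b"test"), (2, hide_password(b"correct horse battery", b"s3cret", AUTH))))
PACKET = struct.pack("!BBH", 1, 142, 20 + len(_attrs)) + AUTH + _attrs
```

Decoding PACKET with `b"s3cret"` returns the original password, while a secret that differs by a single character (for instance a trailing space) returns unrelated bytes.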


