[RADIATOR] pam_radius_auth and Radiator

Hugh Irvine hugh at open.com.au
Mon Mar 1 15:11:27 CST 2010


Hello Chris -

If the same test with the same username and the same password works for radpwtst, then the only difference is the shared secrets.

Can you send me the contents of the user record and a trace 5 debug showing both tests?

regards

Hugh


On 2 Mar 2010, at 05:04, Christopher Bland wrote:

> Yes
> 
> Sami Keski-Kasari wrote:
>> Hi Chris, 
>> 
>> Are you sure that the secret is same in radiator config and in pam_radius-module config?
>> 
>> -- 
>> Sami
>> 
>> 
>> 1.3.2010 19.30, Christopher Bland kirjoitti:
>>> Forgot to mention that I am using pam_radius-1.3.17 on a Fedora 11 box for development.
>>> 
>>> -Chris
>>> 
>>> Chris Bland wrote:
>>>> Hi guys,
>>>> 
>>>> I am trying to set up a linux box to authenticate using radius.  I pulled 
>>>> down the pam_radius_auth module from freeradius.org.  It will not work, 
>>>> I keep getting bad encrypted password errors.  When I use radpwtst 
>>>> locally I authenticate fine.  It's only coming from my server I have 
>>>> issues.  I verified all suggestions under 54 on 
>>>> http://www.open.com.au/faq.html
>>>> 
>>>> My config looks like this:
>>>> 
>>>> #Foreground
>>>> LogStdout
>>>> LogDir        /var/log/radius-test      
>>>> DbDir        .   
>>>> Trace        5
>>>> PidFile     /var/log/radius-test/radiusd.pid
>>>> AuthPort    5794
>>>> AcctPort    5795
>>>> DefineGlobalVar Max 7200
>>>> DictionaryFile /etc/radiator/dictionary
>>>> 
>>>> # Clients to suit your site.
>>>> <Client 132.238.3.162>
>>>> Secret xxxxx
>>>> DupInterval 0
>>>> </Client>
>>>> ################################################################
>>>> <Client localhost>
>>>>     Secret xxxxxx
>>>>     DupInterval 0
>>>> </Client>
>>>> ################################################################
>>>> <AuthBy SQL>
>>>>     Identifier LOCALDBAUTH
>>>>     DBSource    dbi:mysql:radius_test:localhost
>>>>     DBUsername     dbuser   
>>>>     DBAuth        xxxxxx
>>>>     DefaultSimultaneousUse 1
>>>>     AccountingTable    subscribers
>>>>     AuthSelect    select password from subscribers where username='%n'
>>>> </AuthBy>
>>>> ################################################################
>>>> <Realm DEFAULT>
>>>>     AuthByPolicy ContinueAlways
>>>>     AuthBy LOCALDBAUTH
>>>>     MaxSessions 1
>>>> </Realm>
>>>> 
>>>> This is what I see in the logs
>>>> 
>>>> Mon Mar  1 11:56:10 2010: DEBUG: Packet dump:
>>>> *** Received from 132.238.3.162 port 29364 ....
>>>> 
>>>> Packet length = 93
>>>> 01 8e 00 5d 76 0d 15 43 90 f7 6b 52 bd 43 1a d8
>>>> 67 9f 98 14 01 06 73 61 75 6c 02 12 50 f7 58 3d
>>>> 76 84 db 2b 43 1d 81 ce d2 17 b1 2d 04 06 84 ee
>>>> 03 ac 20 06 73 73 68 64 05 06 00 00 6e b3 3d 06
>>>> 00 00 00 05 06 06 00 00 00 08 1f 13 65 6c 6c 73
>>>> 77 6f 72 74 68 2e 66 64 75 2e 65 64 75
>>>> Code:       Access-Request
>>>> Identifier: 142
>>>> Authentic:  v<13><21>C<144><247>kR<189>C<26><216>g<159><152><20>
>>>> Attributes:
>>>>         User-Name = "test"
>>>>         User-Password = P<247>X=v<132><219>+C<29><129><206><210><23><177>-
>>>>         NAS-IP-Address = 132.238.3.162
>>>>         NAS-Identifier = "sshd"
>>>>         NAS-Port = 28339
>>>>         NAS-Port-Type = Virtual
>>>>         Service-Type = Authenticate-Only
>>>>         Calling-Station-Id = "bancroft1fl-usas-246t.fdu.edu"
>>>> 
>>>> Mon Mar  1 11:56:10 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>>> Mon Mar  1 11:56:10 2010: DEBUG:  Deleting session for test, 132.238.3.162, 28339
>>>> Mon Mar  1 11:56:10 2010: DEBUG: Handling with Radius::AuthSQL
>>>> Mon Mar  1 11:56:10 2010: DEBUG: Handling with Radius::AuthSQL: LOCALDBAUTH
>>>> Mon Mar  1 11:56:10 2010: DEBUG: Query is: 'select password from subscribers where username='test'':
>>>> Mon Mar  1 11:56:10 2010: DEBUG: Radius::AuthSQL looks for match with test [test]
>>>> Mon Mar  1 11:56:10 2010: DEBUG: Radius::AuthSQL REJECT: Bad Password: test [test]
>>>> Mon Mar  1 11:56:10 2010: DEBUG: Query is: 'select password from subscribers where username='DEFAULT'':
>>>> Mon Mar  1 11:56:10 2010: DEBUG: AuthBy SQL result: REJECT, Bad Password
>>>> Mon Mar  1 11:56:10 2010: INFO: Access rejected for test: Bad Password
>>>> Mon Mar  1 11:56:10 2010: DEBUG: Packet dump:
>>>> *** Sending to 132.238.3.162 port 29364 ....
>>>> 
>>>> Packet length = 36
>>>> 03 8e 00 24 4c 1e f9 0e a3 df 1a 71 dc 03 4c ed
>>>> a7 f2 d8 43 12 10 52 65 71 75 65 73 74 20 44 65
>>>> 6e 69 65 64
>>>> Code:       Access-Reject
>>>> Identifier: 142
>>>> Authentic:  v<13><21>C<144><247>kR<189>C<26><216>g<159><152><20>
>>>> Attributes:
>>>>         Reply-Message = "Request Denied"
>>>> 
>>>> Mon Mar  1 11:56:48 2010: DEBUG: Packet dump:
>>>> *** Received from 132.238.3.162 port 29364 ....
>>>> 
>>>> Packet length = 93
>>>> 01 7a 00 5d f0 3a b4 ed ff b7 af bd 6f 4c 73 2a
>>>> 18 85 e1 ad 01 06 73 61 75 6c 02 12 71 ca ae a4
>>>> af 9e 6e 09 42 29 f4 b0 76 77 86 41 04 06 84 ee
>>>> 03 ac 20 06 73 73 68 64 05 06 00 00 6e b3 3d 06
>>>> 00 00 00 05 06 06 00 00 00 08 1f 13 65 6c 6c 73
>>>> 77 6f 72 74 68 2e 66 64 75 2e 65 64 75
>>>> 
>>>> 
>>>> Code:       Access-Request
>>>> Identifier: 122
>>>> Authentic:  <240>:<180><237><255><183><175><189>oLs*<24><133><225><173>
>>>> Attributes:
>>>>         User-Name = "test"
>>>>         User-Password = q<202><174><164><175><158>n<9>B)<244><176>vw<134>A
>>>>         NAS-IP-Address = 132.238.3.162
>>>>         NAS-Identifier = "sshd"
>>>>         NAS-Port = 28339
>>>>         NAS-Port-Type = Virtual
>>>>         Service-Type = Authenticate-Only
>>>>         Calling-Station-Id = "bancroft1fl-usas-246t.fdu.edu"
>>>> 
>>>> Mon Mar  1 11:56:48 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>>> Mon Mar  1 11:56:48 2010: DEBUG:  Deleting session for test, 132.238.3.162, 28339
>>>> Mon Mar  1 11:56:48 2010: DEBUG: Handling with Radius::AuthSQL
>>>> Mon Mar  1 11:56:48 2010: DEBUG: Handling with Radius::AuthSQL: LOCALDBAUTH
>>>> Mon Mar  1 11:56:48 2010: DEBUG: Query is: 'select password from subscribers where username='test'':
>>>> Mon Mar  1 11:56:48 2010: DEBUG: Radius::AuthSQL looks for match with test [test]
>>>> Mon Mar  1 11:56:48 2010: DEBUG: Radius::AuthSQL REJECT: Bad Password: test [test]
>>>> Mon Mar  1 11:56:48 2010: DEBUG: Query is: 'select password from subscribers where username='DEFAULT'':
>>>> Mon Mar  1 11:56:48 2010: DEBUG: AuthBy SQL result: REJECT, Bad Password
>>>> Mon Mar  1 11:56:48 2010: INFO: Access rejected for test: Bad Password
>>>> Mon Mar  1 11:56:48 2010: DEBUG: Packet dump:
>>>> *** Sending to 132.238.3.162 port 29364 ....
>>>> 
>>>> Packet length = 36
>>>> 03 7a 00 24 eb 47 fb f9 35 8e 29 2d 79 4a e0 73
>>>> 1e 85 f5 8a 12 10 52 65 71 75 65 73 74 20 44 65
>>>> 6e 69 65 64
>>>> Code:       Access-Reject
>>>> Identifier: 122
>>>> Authentic:  <240>:<180><237><255><183><175><189>oLs*<24><133><225><173>
>>>> Attributes:
>>>>         Reply-Message = "Request Denied"
>>>> 
>>>> -Chris
>>>> 
>>>> _______________________________________________
>>>> radiator mailing list
>>>> 
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>> 
>>>>   
>>>> 
>>> 
>>> 
>>> -- 
>>> Christopher Bland
>>> Systems Manager
>>> Information Systems and Technology
>>> 1000 River Road, Teaneck NJ 07666
>>> Mail Stop: T-BH1-01
>>> Phone: 201-692-2414 | Fax: 201-692-2494 | Mail: chris at fdu.edu
>>> "Fairleigh Dickinson University will never ask for your password. Please do not share it with others!"
>>> 
>> 
>> 
> 
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
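
Added example, not part of the original thread and not Radiator or pam_radius_auth code: a Python sketch of RFC 2865 User-Password hiding, showing why a NAS and a server holding different shared secrets produce exactly the "Bad Password" reject seen in the trace. The function names, the secrets `nas-secret` and `srv-secret`, and the fixed authenticator are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _xor_md5(block: bytes, secret: bytes, chain: bytes) -> bytes:
    key = hashlib.md5(secret + chain).digest()
    return bytes(a ^ b for a, b in zip(block, key))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 5.2): NUL-pad to 16-byte blocks, XOR with MD5 chain."""
    size = max(16, -(-len(password) // 16) * 16)
    padded, out, chain = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        chain = _xor_md5(padded[i:i + 16], secret, chain)
        out += chain
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same chain, keyed with the server's own copy of the secret."""
    out, chain = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor_md5(hidden[i:i + 16], secret, chain)
        chain = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, authenticator: bytes, user: bytes, hidden: bytes) -> bytes:
    # Code 1 = Access-Request, attribute 1 = User-Name, attribute 2 = User-Password.
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes):
    """Return (authenticator, {attribute type: value}); parsing needs no secret."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return packet[4:20], attrs

def server_accepts(packet: bytes, server_secret: bytes, stored_password: bytes) -> bool:
    authenticator, attrs = parse_access_request(packet)
    candidate = recover_password(attrs.get(2, b""), server_secret, authenticator)
    return hmac.compare_digest(candidate, stored_password)

# Constructed sample values, not taken from the thread.
AUTHENTICATOR = bytes(range(16))
PACKET = build_access_request(1, AUTHENTICATOR, b"test", hide_password(b"test", b"nas-secret", AUTHENTICATOR))
```

`server_accepts(PACKET, b"nas-secret", b"test")` is true and `server_accepts(PACKET, b"srv-secret", b"test")` is false. In a PAP Access-Request without Message-Authenticator the packet still parses cleanly under the wrong secret, so the only visible symptom is the password mismatch.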




