[RADIATOR] changing from auth by file to auth by pam

Heikki Vatiainen hvn at open.com.au
Sun Aug 21 04:11:55 CDT 2011


On 08/19/2011 02:06 PM, Richard Dunne wrote:

Hello Richard,

> I have added the RewriteUsername s/^([^@]+).*/$1/ which does remove the
> linux.com realm. But still, even with this and the correct password, I get a
> failure.

You need to change the config to support EAP-TTLS with PAP. When you
need to use a non-plaintext password store, such as /etc/shadow in Linux,
you can not use EAP-MSCHAP-V2 because EAP-MSCHAP-V2 also uses
non-plaintext passwords. In other words, both ends of the authentication
process can not use differently hashed passwords.

<Handler TunnelledByTTLS=1, Realm=linux.com>
        <AuthBy PAM>
                Service passwd
                UsernameMatchesWithoutRealm
                AddToReply Extreme-Netlogin-Vlan = cccc
        </AuthBy>
</Handler>

The tunnelling protocol is now TTLS and there's no need for EAPType anymore.

Fortunately Linux clients seem to support TTLS/PAP so this should be
possible. Both inner and outer identities should have @linux.com for
this configuration to work.

Note that TTLS/PAP is not the only protocol that supports plain text
tunnelled passwords, but it's widely available with Linux clients.

Thanks!
Heikki

> Fri Aug 19 11:35:56 2011: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1, Realm=linux.com'
> 
> Fri Aug 19 11:35:56 2011: DEBUG: Rewrote user name to root
> 
> Fri Aug 19 11:35:56 2011: DEBUG:  Deleting session for root at linux.com,
> 172.30.3.251, 
> 
> Fri Aug 19 11:35:56 2011: DEBUG: Handling with PAM service passwd
> 
> Fri Aug 19 11:35:56 2011: DEBUG: PAM is asking for 1: 'Password'
> 
> Fri Aug 19 11:35:59 2011: DEBUG: AuthBy PAM result: REJECT, Authentication
> failure: 
> 
> Fri Aug 19 11:35:59 2011: INFO: Access rejected for root: Authentication
> failure: 
> 
> Fri Aug 19 11:35:59 2011: DEBUG: Returned PEAP tunnelled packet dump:
> 
>  
> 
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On
> Behalf Of Richard Dunne
> Sent: 19 August 2011 11:05
> To: 'Heikki Vatiainen'
> Cc: radiator at open.com.au
> Subject: [RADIATOR] changing from auth by file to auth by pam
> 
>  
> 
> Hello all 
> 
>  
> 
> I'm having a problem moving from Auth by FILE to PAM 
> 
>  
> 
> The handler is <Handler TunnelledByPEAP=1, Realm=linux.com>
> 
>         <AuthBy FILE>
> 
>                 Filename %D/users
> 
>                 #Service passwd
> 
>                 UsernameMatchesWithoutRealm
> 
>                 AddToReply Extreme-Netlogin-Vlan = cccc
> 
>                 EAPType MSCHAP-V2
> 
>         </AuthBy>
> 
> </Handler>
> 
>  
> 
> Works perfectly and gives the following, rewriting the username to pat, which
> is perfect 
> 
>  
> 
> Fri Aug 19 11:13:31 2011: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1, Realm=linux.com'
> 
> Fri Aug 19 11:13:31 2011: DEBUG:  Deleting session for pat at linux.com,
> 172.30.3.251, 
> 
> Fri Aug 19 11:13:31 2011: DEBUG: Handling with Radius::AuthFILE: 
> 
> Fri Aug 19 11:13:31 2011: DEBUG: Handling with EAP: code 2, 233, 68, 26
> 
> Fri Aug 19 11:13:31 2011: DEBUG: Response type 26
> 
> Fri Aug 19 11:13:31 2011: DEBUG: Reading users file ./users
> 
> Fri Aug 19 11:13:31 2011: DEBUG: Radius::AuthFILE looks for match with pat
> [pat at linux.com]
> 
> Fri Aug 19 11:13:31 2011: DEBUG: Radius::AuthFILE REJECT: No such user: pat
> [pat at linux.com]
> 
> Fri Aug 19 11:13:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no
> such user pat
> 
> Fri Aug 19 11:13:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2
> failed: no such user pat
> 
> Fri Aug 19 11:13:31 2011: INFO: Access rejected for pat at linux.com: EAP
> MSCHAP V2 failed: no such user pat
> 
> Fri Aug 19 11:13:31 2011: DEBUG: Returned PEAP tunnelled packet dump:
> 
>  
> 
>  
> 
>  
> 
> When I change it to auth by PAM
> 
>  
> 
> Handler becomes 
> 
> The handler is <Handler TunnelledByPEAP=1, Realm=linux.com>
> 
>         <AuthBy PAM>
> 
>                 Service passwd
> 
>                 UsernameMatchesWithoutRealm
> 
>                 AddToReply Extreme-Netlogin-Vlan = cccccccccccccc
> 
>                 EAPType MSCHAP-V2
> 
>         </AuthBy>
> 
> </Handler>
> 
>  
> 
> I get an error which is using the full username pat at linux.com. I need the
> @linux.com removed 
> 
> Fri Aug 19 11:25:21 2011: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1, Realm=linux.com'
> 
> Fri Aug 19 11:25:21 2011: DEBUG:  Deleting session for pat at linux.com,
> 172.30.3.251, 
> 
> Fri Aug 19 11:25:21 2011: DEBUG: Handling with PAM service login
> 
> Fri Aug 19 11:25:21 2011: DEBUG: PAM is asking for 1: 'Password'
> 
> Fri Aug 19 11:25:23 2011: DEBUG: AuthBy PAM result: REJECT, User not known
> to the underlying authentication module: 
> 
> Fri Aug 19 11:25:23 2011: INFO: Access rejected for pat at linux.com: User not
> known to the underlying authentication module: 
> 
> Fri Aug 19 11:25:23 2011: DEBUG: Returned PEAP tunnelled packet dump:
> 
>  
> 
>  
> 
> I'm using the UsernameMatchesWithoutRealm and some regexp rewrite, but the
> damn @linux won't go away.
> 
>  
> 
>  
> 
>  
> 
> Any ideas ?
> 
>  
> 
> Regards  Richard 
> 
>  
> 
>  
> 
>  
> 
> 
> This message has been scanned for content and viruses by the DIT Information
> Services E-Mail Scanning Service, and is believed to be clean.
> http://www.dit.ie 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
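The two things this thread turns on, which <Handler> a tunnelled inner request lands in and whether the chosen backend can check the inner EAP method against the password form it stores, modelled as an added example. This is not Radiator's own code: the handler dictionaries, the STORE_OF and VERIFIABLE_WITH tables and the ACCEPT/REJECT outcome are a constructed simplification of the behaviour Heikki describes.

```python
import re

# Constructed model of the password form each backend in the thread can see.
# AuthBy FILE with a plaintext users file holds the password itself; AuthBy PAM
# against /etc/shadow only sees a one-way crypt(3) hash, so it can merely
# answer yes/no for a plaintext candidate.
STORE_OF = {"FILE": "plaintext", "PAM": "crypt-hash"}

# Password forms each inner method can be verified against (assumption for the
# model). MSCHAP-V2 is a challenge/response over the NT hash, so the server
# needs the plaintext or the NT hash; PAP carries the plaintext inside the TLS
# tunnel, so any store that can test a candidate works, including crypt hashes.
VERIFIABLE_WITH = {
    "MSCHAP-V2": {"plaintext", "nt-hash"},
    "PAP": {"plaintext", "nt-hash", "crypt-hash"},
}

def realm_of(user_name):
    """Realm part of an inner identity such as pat@linux.com ('' if none)."""
    return user_name.partition("@")[2]

def strip_realm(user_name):
    """Same effect as the RewriteUsername s/^([^@]+).*/$1/ from the thread."""
    return re.sub(r"^([^@]+).*", r"\1", user_name)

def select_handler(handlers, tunnel, user_name):
    """First handler whose TunnelledBy<tunnel>=1 and Realm both match."""
    for h in handlers:
        if h.get("TunnelledBy" + tunnel) == "1" and h.get("Realm") == realm_of(user_name):
            return h
    return None

def inner_auth(handlers, tunnel, inner_method, user_name):
    """(AuthBy used, user name passed to the backend, ACCEPT/REJECT) for one
    tunnelled inner request, assuming the supplicant's password is correct."""
    h = select_handler(handlers, tunnel, user_name)
    if h is None:
        return (None, user_name, "REJECT")          # no handler for this realm/tunnel
    user = strip_realm(user_name) if h.get("UsernameMatchesWithoutRealm") else user_name
    ok = STORE_OF[h["AuthBy"]] in VERIFIABLE_WITH[inner_method]
    return (h["AuthBy"], user, "ACCEPT" if ok else "REJECT")

# Richard's PEAP handler after switching it to PAM, plus Heikki's TTLS handler.
HANDLERS = [
    {"TunnelledByPEAP": "1", "Realm": "linux.com", "AuthBy": "PAM", "UsernameMatchesWithoutRealm": True},
    {"TunnelledByTTLS": "1", "Realm": "linux.com", "AuthBy": "PAM", "UsernameMatchesWithoutRealm": True},
]

if __name__ == "__main__":
    print(inner_auth(HANDLERS, "PEAP", "MSCHAP-V2", "pat@linux.com"))  # realm stripped, still REJECT
    print(inner_auth(HANDLERS, "TTLS", "PAP", "pat@linux.com"))        # ACCEPT
```

The first call shows Heikki's point: even with the realm correctly stripped to "pat", PEAP/MSCHAP-V2 against PAM cannot succeed, while the same backend works once the inner method is PAP over TTLS.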

