newbie question basic passwd authentication

newbie question basic passwd authentication

Ramses van Pinxteren
Hi,

I am a complete newbie with radius. I need to configure this for use
with a PPTP VPN. The end goal will be that radius is running on a
fedora box, and authenticates against a SMBPASSWD file. PPTPd needs
chap.

But I am getting ahead of myself, first I need to get a basic system
working. I installed the freeradius rpm, and tried to configure some
things:

file clients.conf:
client 127.0.0.1 {
        secret = testing123
        shortname = localhost
        nastype = other
}
client 192.168.1.0/24 {
        secret = testing123
        shortname = localnet
}

File naslist:
localhost local other

File users:
nothing changed, all seemed OK to me.

file radius.conf:
cut away some text
unix {
        cache = no
        cache_reload = 600
        passwd = /etc/passwd
        shadow = /etc/shadow
        group = /etc/group
}

When I now start the daemon as root:
# radiusd -sfxxyz -l stdout.


When I tried to test it from the console again:
radtest ramses "OfCourseThisShouldBeSomethingLessObvious" localhost 1 testing123
I see this at my console:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=122, length=58
         User-Name = "ramses"
         User-Password = "OfCourseThisShouldBeSomethingLessObvious"
         NAS-IP-Address = 255.255.255.255
         NAS-Port = 1
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
     rlm_realm: No '@' in User-Name = "ramses", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module "eap" returns noop for request 0
     users: Matched DEFAULT at 152
   modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type System
auth: type "System"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [ramses]: invalid password
   modcall[authenticate]: module "unix" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 122 to 127.0.0.1:32769
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 122 with timestamp 42ca3387
Nothing to do.  Sleeping until we see a request.


Of course I triple-checked the typed-in password, and I could find
nothing wrong with that one.

Now I think all I can do is shout: HELPPPPPPP does anyone have any ideas?

kind regards,

Ramses
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: newbie question basic passwd authentication

Ramses van Pinxteren
Solved this step: It turns out that the radius user has no rights to read
the shadow file (I feel stupid and will write 1000 lines "I will
first check the file permissions before shouting for help" ;) )

ramses
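
The check that resolves this thread, as an added example that is not part of the original posts: it reads the files named in the `unix { }` block and reports whether a given account can read each one by classic mode bits, and whether the shadow file has become world-readable. The default account (the current user), the `stat_fn` hook and the function names are assumptions of this sketch; pass the account the daemon actually runs as.

```python
import os, re, stat, sys, pwd, grp

# Constructed sample: the unix { } block quoted in the thread.
SAMPLE_CONF = """
unix {
        cache = no
        passwd = /etc/passwd
        shadow = /etc/shadow
        group = /etc/group
}
"""

def unix_module_files(conf_text):
    """Return {key: path} for passwd/shadow/group set in the unix { } block."""
    block = re.search(r'^\s*unix\s*\{(.*?)^\s*\}', conf_text, re.S | re.M)
    if not block:
        return {}
    return dict(re.findall(r'^\s*(passwd|shadow|group)\s*=\s*(\S+)',
                           block.group(1), re.M))

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix mode-bit check; ignores ACLs, capabilities and SELinux."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit(conf_text, stat_fn, uid, gids):
    """List (key, path, readable_by_account, world_readable) per configured file."""
    rows = []
    for key, path in sorted(unix_module_files(conf_text).items()):
        mode, o_uid, o_gid = stat_fn(path)
        rows.append((key, path, can_read(mode, o_uid, o_gid, uid, gids),
                     bool(mode & stat.S_IROTH)))
    return rows

def real_stat(path):
    st = os.stat(path)
    return st.st_mode, st.st_uid, st.st_gid

if __name__ == "__main__":
    # Assumption: argv[1] is the account radiusd runs as; default is the current user.
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for key, path, ok, world in audit(SAMPLE_CONF, real_stat, pw.pw_uid, gids):
        note = "  WARNING: world-readable" if key == "shadow" and world else ""
        print(f"{key:7} {path:15} readable by {user}: {ok}{note}")
```

If the shadow file shows as unreadable, grant access through group ownership or the account the daemon runs under rather than by opening the file to all users, which is what the world-readable warning is there to catch.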


Re: newbie question basic passwd authentication

Ilia Chipitsine
In reply to this post by Ramses van Pinxteren
> Hi,
>
> I am a complete newbie with radius. I need to configure this for use with a
> PPTP VPN. The end goal will be that radius is running on a fedora box, and
> authenticates against a SMBPASSWD file. PPTPd needs chap.

I used to run it against smbpasswd, now I'm running against LDAP :-)

Samba and freeradius use the same password hashes. I can share
the configuration if you want.
