Re: [OATH-Toolkit-help] FreeRadius integration

[Simon Josefsson]

Hailu Meng <address@hidden> writes:

> I found the problem. I comment the account command in pam. After I put
> in-system for account. The user root can authenticate successfully. It seems
> like I need create all the users in the server to get authentication
> successful.

Right -- real user accounts need to exist, I have also run into this
issue.  If anyone knows how to disable this check in FreeRadius, that
would be great to know.  Sometimes it is just a pain to create real user
accounts on the Radius server.

/Simon

> On Mon, Jun 13, 2011 at 8:52 AM, Hailu Meng <address@hidden> wrote:
>
>> Hi All,
>>
>> I'm getting there. But went into some problem. I have Freeradius 1.1.3. I'm
>> testing Radius --> PAM --> OATH. The oath toolkit got executed successfully
>> and return the "success" message to PAM stack but for some reason pam_pass
>> failed. Here is the debug from radiusd:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1:53651, id=230,
>> length=56
>>         User-Name = "root"
>>         User-Password = "073348"
>>         NAS-IP-Address = 255.255.255.255
>>         NAS-Port = 1812
>>   Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 2
>>   modcall[authorize]: module "preprocess" returns ok for request 2
>>   modcall[authorize]: module "chap" returns noop for request 2
>>   modcall[authorize]: module "mschap" returns noop for request 2
>>     rlm_realm: No '@' in User-Name = "root", looking up realm NULL
>>     rlm_realm: No such realm "NULL"
>>   modcall[authorize]: module "suffix" returns noop for request 2
>>   rlm_eap: No EAP-Message, not doing EAP
>>   modcall[authorize]: module "eap" returns noop for request 2
>>     users: Matched entry DEFAULT at line 152
>>   modcall[authorize]: module "files" returns ok for request 2
>> modcall: leaving group authorize (returns ok) for request 2
>>   rad_check_password:  Found Auth-Type pam
>> auth: type "PAM"
>>   Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 2
>> pam_pass: using pamauth string <radiusd> for pam.conf lookup
>> [pam_oath.c:parse_cfg(118)] called.
>> [pam_oath.c:parse_cfg(119)] flags 0 argc 3
>> [pam_oath.c:parse_cfg(121)] argv[0]=debug
>> [pam_oath.c:parse_cfg(121)] argv[1]=usersfile=/etc/users.oath
>> [pam_oath.c:parse_cfg(121)] argv[2]=window=20
>> [pam_oath.c:parse_cfg(122)] debug=1
>> [pam_oath.c:parse_cfg(123)] alwaysok=0
>> [pam_oath.c:parse_cfg(124)] try_first_pass=0
>> [pam_oath.c:parse_cfg(125)] use_first_pass=0
>> [pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
>> [pam_oath.c:parse_cfg(127)] digits=0
>> [pam_oath.c:parse_cfg(128)] window=20
>> [pam_oath.c:pam_sm_authenticate(157)] get user returned: root
>> [pam_oath.c:pam_sm_authenticate(232)] conv returned: 073348
>> [pam_oath.c:pam_sm_authenticate(292)] OTP: 073348
>> [pam_oath.c:pam_sm_authenticate(305)] authenticate rc 0 (OATH_OK:
>> Successful return) last otp Mon Jun 13 08:32:53 2011
>>
>> [pam_oath.c:pam_sm_authenticate(327)] done. [Success]
>> pam_pass: function pam_acct_mgmt FAILED for <root>. Reason: Authentication
>> failure
>>   modcall[authenticate]: module "pam" returns reject for request 2
>> modcall: leaving group authenticate (returns reject) for request 2
>> auth: Failed to validate the user.
>> Login incorrect: [root] (from client localhost port 1812)
>>
>> Any idea about this? Thanks for your help!!
>>
>> Lou
>>