oath-toolkit-help

Re: [OATH-Toolkit-help] FreeRadius integration


From: Hailu Meng
Subject: Re: [OATH-Toolkit-help] FreeRadius integration
Date: Tue, 14 Jun 2011 16:55:30 -0500

Simon,

The new version of FreeRADIUS is still doing that. But anyway, we can look at that part later.

At this point, my ldap and oath work well independently. But when I put them together in PAM, only the first module gets the user name and password prompt. The second module doesn't give me a prompt for inputting the user name and password. I'm testing with Juniper VPN. My /etc/pam.d/radiusd is:

#%PAM-1.0
auth       required     pam_ldap.so debug
auth       required     pam_oath.so     debug usersfile=/etc/users.oath window=20
account    include      system-auth
password   include     system-auth
session    include     system-auth

So when Juniper VPN pops up the user name prompt, I put in the ldap login, but I saw that oath is taking that password too. It didn't give me the 2nd prompt. I guess I need to do something after pam_ldap finishes. Maybe I need to modify the oath code to add a conversation function to it?

Lou

On Tue, Jun 14, 2011 at 10:23 AM, Hailu Meng <address@hidden> wrote:
Let me upgrade my Freeradius and try one more time.


On Mon, Jun 13, 2011 at 11:51 PM, Simon Josefsson <address@hidden> wrote:
Hailu Meng <address@hidden> writes:

> I found the problem. I commented out the account line in pam. After I put
> in-system for account, the user root can authenticate successfully. It seems
> like I need to create all the users on the server to get authentication
> to succeed.

Right -- real user accounts need to exist, I have also run into this
issue.  If anyone knows how to disable this check in FreeRadius, that
would be great to know.  Sometimes it is just a pain to create real user
accounts on the Radius server.

/Simon

> On Mon, Jun 13, 2011 at 8:52 AM, Hailu Meng <address@hidden> wrote:
>
>> Hi All,
>>
>> I'm getting there, but I ran into some problems. I have FreeRADIUS 1.1.3. I'm
>> testing Radius --> PAM --> OATH. The oath toolkit got executed successfully
>> and returned the "success" message to the PAM stack, but for some reason pam_pass
>> failed. Here is the debug output from radiusd:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1:53651, id=230,
>> length=56
>>         User-Name = "root"
>>         User-Password = "073348"
>>         NAS-IP-Address = 255.255.255.255
>>         NAS-Port = 1812
>>   Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 2
>>   modcall[authorize]: module "preprocess" returns ok for request 2
>>   modcall[authorize]: module "chap" returns noop for request 2
>>   modcall[authorize]: module "mschap" returns noop for request 2
>>     rlm_realm: No '@' in User-Name = "root", looking up realm NULL
>>     rlm_realm: No such realm "NULL"
>>   modcall[authorize]: module "suffix" returns noop for request 2
>>   rlm_eap: No EAP-Message, not doing EAP
>>   modcall[authorize]: module "eap" returns noop for request 2
>>     users: Matched entry DEFAULT at line 152
>>   modcall[authorize]: module "files" returns ok for request 2
>> modcall: leaving group authorize (returns ok) for request 2
>>   rad_check_password:  Found Auth-Type pam
>> auth: type "PAM"
>>   Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 2
>> pam_pass: using pamauth string <radiusd> for pam.conf lookup
>> [pam_oath.c:parse_cfg(118)] called.
>> [pam_oath.c:parse_cfg(119)] flags 0 argc 3
>> [pam_oath.c:parse_cfg(121)] argv[0]=debug
>> [pam_oath.c:parse_cfg(121)] argv[1]=usersfile=/etc/users.oath
>> [pam_oath.c:parse_cfg(121)] argv[2]=window=20
>> [pam_oath.c:parse_cfg(122)] debug=1
>> [pam_oath.c:parse_cfg(123)] alwaysok=0
>> [pam_oath.c:parse_cfg(124)] try_first_pass=0
>> [pam_oath.c:parse_cfg(125)] use_first_pass=0
>> [pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
>> [pam_oath.c:parse_cfg(127)] digits=0
>> [pam_oath.c:parse_cfg(128)] window=20
>> [pam_oath.c:pam_sm_authenticate(157)] get user returned: root
>> [pam_oath.c:pam_sm_authenticate(232)] conv returned: 073348
>> [pam_oath.c:pam_sm_authenticate(292)] OTP: 073348
>> [pam_oath.c:pam_sm_authenticate(305)] authenticate rc 0 (OATH_OK:
>> Successful return) last otp Mon Jun 13 08:32:53 2011
>>
>> [pam_oath.c:pam_sm_authenticate(327)] done. [Success]
>> pam_pass: function pam_acct_mgmt FAILED for <root>. Reason: Authentication
>> failure
>>   modcall[authenticate]: module "pam" returns reject for request 2
>> modcall: leaving group authenticate (returns reject) for request 2
>> auth: Failed to validate the user.
>> Login incorrect: [root] (from client localhost port 1812)
>>
>> Any idea about this? Thanks for your help!!
>>
>> Lou
>>



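The radiusd debug output above shows pam_oath validating the six-digit code 073348 against /etc/users.oath with window=20, i.e. an HOTP (RFC 4226) check that searches forward from the stored counter. The following Python is an added example, not code from OATH Toolkit or FreeRADIUS: it implements HOTP, a pam_oath-style look-ahead window that advances the stored counter on success (so a replayed code is rejected), and, because a RADIUS Access-Request carries a single User-Password that rlm_pam hands to every PAM prompt, a helper that splits one combined "static password + OTP" string into the two values a stacked pam_ldap/pam_oath setup would need. The secret and test values are the RFC 4226 Appendix D vectors; the inclusive window semantics and the trailing-six-digits split are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp_window(secret: bytes, otp: str, stored_counter: int,
                       window: int, digits: int = 6) -> Optional[int]:
    """Look-ahead verification in the style of pam_oath's window= option
    (assumption: counters stored_counter .. stored_counter+window inclusive
    are tried). Returns the next counter to persist on success, so the
    matched counter can never be accepted again; None on failure."""
    if len(otp) != digits or not otp.isdigit():
        return None
    for candidate in range(stored_counter, stored_counter + window + 1):
        # Constant-time comparison avoids leaking which digits matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), otp):
            return candidate + 1
    return None


def split_combined(user_password: str, digits: int = 6) -> Optional[Tuple[str, str]]:
    """RADIUS PAP delivers one User-Password, and rlm_pam answers every PAM
    prompt with that same string. A common workaround (assumed here, not a
    feature of pam_oath 1.x) is for the user to type static password and
    OTP concatenated; this splits off the trailing `digits` characters as
    the OTP and returns (static_password, otp), or None if malformed."""
    if len(user_password) <= digits:
        return None
    static, otp = user_password[:-digits], user_password[-digits:]
    if not otp.isdigit():
        return None
    return static, otp


if __name__ == "__main__":
    # Simulated user record: stored counter 0, server window 20.
    counter = 0
    combined = "ldap-pa55w0rd" + hotp(SECRET, 4)   # user types password+OTP
    static_pw, otp = split_combined(combined)
    new_counter = verify_hotp_window(SECRET, otp, counter, 20)
    print("static password for pam_ldap:", static_pw)
    print("OTP accepted, next counter:", new_counter)
    # Replaying the same OTP after the counter advanced must fail.
    print("replay accepted:", verify_hotp_window(SECRET, otp, new_counter, 20))
```

Persisting the returned counter is the part that matters for security: pam_oath rewrites the users file after a successful check for the same reason, and a deployment that skips that write-back turns HOTP back into a static password within the window.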