rharmonson / richtech

Creative Commons Zero v1.0 Universal

CentOS 7 Minimal + 2FA FreeRADIUS 3, SSSD 1.12, & GAuth #12

Closed 6d61726b760a closed 7 years ago

6d61726b760a commented 7 years ago

Hi,

(Admittedly, I am new to FreeRADIUS, so please excuse my ignorance.)

Working through your instructions and testing FreeRADIUS against PAM (first section).

When I configure /etc/raddb/users as suggested:

[root@radius ~]# cat /etc/raddb/users | grep -vP '^#' | cat -s

DEFAULT         Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

DEFAULT         Auth-Type := PAM

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

[root@radius ~]#

I am unable to auth:

[root@radius ~]# radtest raduser p4ssw0rd localhost 0 testing123
Sending Access-Request Id 1 from 0.0.0.0:34941 to 127.0.0.1:1812
        User-Name = 'raduser'
        User-Password = 'p4ssw0rd'
        NAS-IP-Address = 10.52.10.1
        NAS-Port = 0
        Message-Authenticator = 0x00
Received Access-Reject Id 1 from 127.0.0.1:1812 to 127.0.0.1:34941 length 53
        Reply-Message = 'Your account has been disabled.'
(0) -: Expected Access-Accept got Access-Reject
[root@radius ~]#

Reading the documentation around the updated lines in the file, it indicates:

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#

So I tried the following:

[root@radius ~]# cat /etc/raddb/users | grep -vP '^#' | cat -s

DEFAULT         Auth-Type := PAM

DEFAULT         Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

[root@radius ~]#

and it works perfectly:

[root@radius ~]# radtest raduser p4ssw0rd localhost 0 testing123
Sending Access-Request Id 159 from 0.0.0.0:34697 to 127.0.0.1:1812
        User-Name = 'raduser'
        User-Password = 'p4ssw0rd'
        NAS-IP-Address = 10.52.10.1
        NAS-Port = 0
        Message-Authenticator = 0x00
Received Access-Accept Id 159 from 127.0.0.1:1812 to 127.0.0.1:34697 length 20
[root@radius ~]#

Should the DEFAULT Auth-Type be added before the DEFAULT Group == "disabled" section?

rharmonson commented 7 years ago

At the time the article was authored, the example was working. However, I was using CentOS 7.0. With CentOS 7.4 to be released shortly, I am considering refreshing this article and others to post on rharmonson.github.io.

At initial glance, moving the two lines doesn't seem harmful but I would test functionality prior to placing into production.
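The ordering question raised in the report and the maintainer's advice to test before production can be checked against the documented users-file semantics with a small model. This is an added example, not code from the issue or from the richtech repository: it assumes the first-match / Fall-Through rule from the FreeRADIUS users file documentation, and it models the Group check item as a literal "Group" value in a constructed request (a stand-in for rlm_unix's group lookup, which the model does not perform).

```python
# Added example (not code from the issue or the richtech repo): models the
# documented FreeRADIUS users-file rule that entries are tried top to bottom and
# the first match ends processing unless its reply items say Fall-Through = Yes.
# A "Group" value in the constructed request stands in for rlm_unix's lookup.
import re
CHECK_RE = re.compile(r'([^\s:=]+)\s*(==|:=|=)\s*(.*)')

def parse_users(text):
    """Parse a users-file fragment into (name, check_items, reply_items)."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():                   # indented line: reply item
            attr, value = line.strip().rstrip(',').split('=', 1)
            current[2][attr.strip()] = value.strip().strip('"')
        else:                                   # entry line: name + check items
            name, rest = (line.split(None, 1) + [''])[:2]
            checks = [(a, op, v.strip('"')) for a, op, v in (CHECK_RE.match(
                i.strip()).groups() for i in rest.split(',') if i.strip())]
            current = (name, checks, {})
            entries.append(current)
    return entries

def evaluate(entries, request):
    """Return (control_items, reply_items) the files module would produce."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        if any(request.get(a) != v for a, op, v in checks if op == '=='):
            continue                            # a '==' check item failed
        control.update({a: v for a, op, v in checks if op == ':='})
        reply.update(replies)
        if replies.get('Fall-Through', 'No').lower() != 'yes':
            break                               # no Fall-Through: stop here
    return control, reply

DISABLED_FIRST = '''DEFAULT         Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."
DEFAULT         Auth-Type := PAM
'''
PAM_FIRST = '''DEFAULT         Auth-Type := PAM
DEFAULT         Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."
'''
def auth_type(users_text, request):
    """Auth-Type the files module would set for this request, or None."""
    return evaluate(parse_users(users_text), request)[0].get('Auth-Type')
```

Under this model, placing DEFAULT Auth-Type := PAM first means the disabled-group entry is never evaluated for any user, so its Reply-Message can never be returned. Whether the real server resolves the Group comparison the way the model assumes is exactly what a radtest run with a user in the disabled group would verify.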