rharmonson / richtech

Creative Commons Zero v1.0 Universal

a little note fore Centos 7 Google auth #6

Closed shuliakovsky closed 8 years ago

shuliakovsky commented 8 years ago

Hello, friend

In my case, /etc/raddb/users with

DEFAULT Group == "disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM

is not working!!! with a real CISCO ASA. I mean RADIUS does not send a response to the ASA after authorisation. But

If we comment out those lines in /etc/raddb/users

DEFAULT Group == "disabled", Auth-Type := Reject

Reply-Message = "Your account has been disabled."

we've got

[root@rad-01 ~]# tcpdump -n -i eth0 -vv -A -s 1500 udp and port 1812 and dst 10.30.246.240
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
19:24:06.043099 IP (tos 0x0, ttl 64, id 64963, offset 0, flags [none], proto UDP (17), length 48)
    10.30.243.31.radius > 10.30.246.240.18709: [bad udp cksum 0xfe79 -> 0x79a5!] RADIUS, length: 20
        Access Accept (2), id: 0x92, Authenticator: 0a60eb66afce3068312be6489db5a9cd
E..0....@.~. ... .....I....y.... `.f..0h1+.H....

https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator

Also digest must be enabled for CISCO.

Thank you very much for your article. You are great!

shuliakovsky commented 8 years ago

Also PPP must be disabled:

DEFAULT Framed-Protocol == PPP

Framed-Protocol = PPP,

rharmonson commented 8 years ago

Not using Cisco implementation of RADIUS, I have no way to test. I do appreciate the information and others may find it useful. Thank you.

fhuzzy commented 8 years ago

With DEFAULT Group == "disabled", Auth-Type := Reject Reply-Message = "Your account has been disabled." DEFAULT Auth-Type := PAM

set as described in the wiki article the following error is generated:

[logintime] = noop
(0) WARNING: pap : Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Reject
(0) Auth-Type = Reject, rejecting user
(0) Failed to authenticate the user

With

DEFAULT Group == "disabled", Auth-Type := Reject

Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM

radtest is successful

Can you clarify the setting?

Thank you for the article!

rharmonson commented 8 years ago

Hello fhuzzy!

I assume we are discussing "CentOS 7 Minimal & Two factor Authentication using FreeRADIUS 3, SSSD 1.12, & Google Authenticator" versus the older 6.5 article.

The authentication flow is client --> RADIUS --> PAM --> GAuth

"DEFAULT Auth-Type := PAM" directs FreeRADIUS to authenticate using PAM. PAM is configured to use the desired authentication mechanisms such as password+otp or otp. The test using the local user raduser validates successful configuration and uses PAM and /etc/shadow. The article follows with adding SSSD in the mix to support the use of AD authentication in place of the local account via PAM.

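To make the behaviour rharmonson describes concrete (entries in the users file are tried top to bottom, a `Group == "disabled"` entry sets `Auth-Type := Reject` and stops, everyone else falls to `DEFAULT Auth-Type := PAM`), here is a small evaluator for the working layout fhuzzy posted. It is an added example, not FreeRADIUS code or anything from the wiki, and it is a deliberate simplification: real FreeRADIUS derives `Group` from the unix/SSSD modules and knows many more operators, whereas here `Group` is just an attribute on a constructed request. What it does show is why the reply item has to sit on its own indented line under the entry it belongs to, and why order matters.

```python
"""Toy evaluator for FreeRADIUS 'users'-file entries (added example, not FreeRADIUS code).

Models only what the thread relies on: entries are tried top to bottom; an entry
matches when every '==' check item equals the request attribute; ':=' items in
the check list always succeed and store a control attribute (Auth-Type here);
the first matching entry wins unless its reply items contain Fall-Through = Yes.
"""
import re

# Constructed users-file text, laid out like the working config in the thread:
# check items on the DEFAULT line, reply items indented on the following line(s).
USERS_FILE = '''
DEFAULT Group == "disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM
'''

# attribute, operator, value (quoted string or bare token), optional trailing comma
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)\s*,?')


def parse_items(text):
    """Split 'A == "x", B := y' into (attribute, operator, value) tuples."""
    return [(m.group(1), m.group(2), m.group(3).strip('"'))
            for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """Parse entries: a non-indented line starts an entry (name + check items),
    indented lines that follow carry that entry's reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                   # new entry
            name, _, rest = line.partition(' ')
            entries.append({'name': name, 'check': parse_items(rest), 'reply': []})
        elif entries:                              # continuation: reply items
            entries[-1]['reply'].extend(parse_items(line))
    return entries


def authorize(entries, request):
    """Return (control, reply) dicts for a request, mimicking the ordered
    first-match behaviour of the users file."""
    control, reply = {}, {}
    for entry in entries:
        if entry['name'] != 'DEFAULT' and entry['name'] != request.get('User-Name'):
            continue
        # every '==' check item must match the request, otherwise skip the entry
        if not all(request.get(attr) == val
                   for attr, op, val in entry['check'] if op == '=='):
            continue
        for attr, op, val in entry['check']:
            if op == ':=':                         # set a control attribute
                control[attr] = val
        for attr, op, val in entry['reply']:
            reply[attr] = val
        if reply.pop('Fall-Through', 'no').lower() != 'yes':
            break                                  # first match wins
    return control, reply


if __name__ == '__main__':
    users = parse_users(USERS_FILE)
    # Constructed requests: one account in the disabled group, one ordinary user.
    for req in ({'User-Name': 'bob', 'Group': 'disabled'},
                {'User-Name': 'alice', 'Group': 'users'}):
        print(req['User-Name'], authorize(users, req))
```

Running it shows the disabled account getting `Auth-Type Reject` together with the `Reply-Message`, while the ordinary user falls through the first entry (its `==` check fails) and lands on `Auth-Type PAM`, which is the path that then reaches Google Authenticator via PAM in the wiki setup.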

rharmonson commented 8 years ago

Closing this incident. fhuzzy, if you need further assistance, please open a new incident.