# PAM Radius sshd



## komeylian (Jul 3, 2010)

I have more that 1000 user on my /etc/password I try to get centralize athutentication users by freeradius.

I passed install freeradius with mysql as was in http://wiki.freeradius.org/Basic_configuration_HOWTO
 also I pass radtest as well 


```
[root@client] /etc/pam.d #radtest admin admin 127.0.0.1 1 testing
Sending Access-Request of id 33 to 10.39.241.239 port 1812
        User-Name = "admin"
        User-Password = "admin"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=33, length=20
```


now I try to get change my sshd to get authenticate by pam modules as below


```
[root@client] /etc/pam.d #cat sshd2
auth            required        pam_radius.so
account         required        pam_radius.so
password        required        pam_radius.so

[root@client] /etc/pam.d #cat /etc/radius.conf
auth 127.0.0.1 testing 1
acct 127.0.0.1 testing 1
```

now I received below error 



```
[root@client] /etc/pam.d #ssh -l admin 127.0.0.1
RADIUS Password:
pam_radius: pam_sm_authenticate: Radius rejection


RADIUS Password:
pam_radius: pam_sm_authenticate: Radius rejection


RADIUS Password:
pam_radius: pam_sm_authenticate: Radius rejection


Permission denied (keyboard-interactive).
```


also my radius log is 



```
rad_recv: Access-Request packet from host 127.0.0.1:51482, id=103, length=68
        User-Name = "admin"
        User-Password = "\010\n\INCORRECT"
        NAS-Identifier = "client.adsl.com"
        Service-Type = Authenticate-Only
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'test'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM 
radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql: Failed to create the pair: Unknown value other for attribute NAS-Port-Type
rlm_sql (sql): Error getting data from database
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'test'           ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM 
radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module "sql" returns ok for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:51482, id=103, length=68
Sending Access-Reject of id 103 to 127.0.0.1 port 51482
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 41 with timestamp 4c2f5fde
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 103 with timestamp 4c2f5fe0
Nothing to do.  Sleeping until we see a request.
```



any one can get help me to solve it ?


----------



## gordon@ (Jul 4, 2010)

It looks like you've scrubbed your logs, but I suspect that the:

```
NAS-Identifier = "client.adsl.com"
```
Has something to do with it. Try using non-loopback addresses for testing. Get radtest working with your actual IP and not 127.0.0.1.


----------

