a little note for CentOS 7 Google auth
shuliakovsky opened this issue · comments
Hello, friend
In my case /etc/raddb/users
DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
not working!!! with real CISCO ASA
I mean RADIUS does not send a response to the ASA after authorisation.
but
If we comment out those lines in /etc/raddb/users
DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled."
we've got
[root@rad-01 ]# tcpdump -n -i eth0 -vv -A -s 1500 udp and port 1812 and dst 10.30.246.240.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
19:24:06.043099 IP (tos 0x0, ttl 64, id 64963, offset 0, flags [none], proto UDP (17), length 48)
10.30.243.31.radius > 10.30.246.240.18709: [bad udp cksum 0xfe79 -> 0x79a5!] RADIUS, length: 20
Access Accept (2), id: 0x92, Authenticator: 0a60eb66afce3068312be6489db5a9cd
E..0....@.
...
.....I....y....
`.f..0h1+.H....
https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator
Also digest must be enabled for CISCO.
Thank you very much for your article. You are great!
also PPP must be disabled
#DEFAULT Framed-Protocol == PPP
#Framed-Protocol = PPP,
Not using Cisco implementation of RADIUS, I have no way to test. I do appreciate the information and others may find it useful. Thank you.
With
DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
set as described in the wiki article the following error is generated:
[logintime] = noop
(0) WARNING: pap : Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Reject
(0) Auth-Type = Reject, rejecting user
(0) Failed to authenticate the user
With
#DEFAULT Group == "disabled", Auth-Type := Reject
#Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
radtest is successful
Can you clarify the setting?
Thank you for the article!
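Added example, not part of the original thread or the wiki article: a small Python triage of the `radiusd` debug lines quoted in the comment above. It groups lines by request number and reports which Auth-Type was in force and whether it was set before `pap` ran. The function names `triage` and `explain` are hypothetical, and the sample input is the excerpt from this thread.

```python
import re

# Debug lines quoted in the comment above, embedded as sample input.
SAMPLE = """\
[logintime] = noop
(0) WARNING: pap : Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Reject
(0) Auth-Type = Reject, rejecting user
(0) Failed to authenticate the user
"""

REQ = re.compile(r"^\((\d+)\)\s*(.*)$")            # "(N) rest of line"
FOUND = re.compile(r"Found Auth-Type = (\S+)")      # final Auth-Type decision
PRESET = re.compile(r"WARNING: (\w+)\s*: Auth-Type already set")

def triage(debug_text):
    """Group debug lines by request number and record the Auth-Type decision."""
    requests = {}
    for line in debug_text.splitlines():
        m = REQ.match(line.strip())
        if not m:
            continue  # lines without a "(N)" prefix belong to no request
        rid, body = int(m.group(1)), m.group(2)
        r = requests.setdefault(rid, {"auth_type": None, "skipped": [], "failed": False})
        preset, found = PRESET.search(body), FOUND.search(body)
        if preset:
            r["skipped"].append(preset.group(1))  # module that found Auth-Type already set
        elif found:
            r["auth_type"] = found.group(1)
        elif body.startswith("Failed to authenticate"):
            r["failed"] = True
    return requests

def explain(r):
    """One-line diagnosis for a request summary produced by triage()."""
    if r["auth_type"] == "Reject" and r["skipped"]:
        return ("Auth-Type was already Reject before %s ran in authorize: "
                "look for an earlier entry that assigns Auth-Type := Reject"
                % ", ".join(r["skipped"]))
    if r["failed"]:
        return "authentication failed with Auth-Type %s" % r["auth_type"]
    return "Auth-Type %s, no failure logged" % r["auth_type"]

if __name__ == "__main__":
    for rid, r in sorted(triage(SAMPLE).items()):
        print("request %d: %s" % (rid, explain(r)))
```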
Hello fhuzzy!
I assume we are discussing "CentOS 7 Minimal & Two factor Authentication
using FreeRADIUS 3, SSSD 1.12, & Google Authenticator" versus the older 6.5
article.
The authentication flow is client --> RADIUS --> PAM --> GAuth
"DEFAULT Auth-Type := PAM" directs FreeRADIUS to authenticate using PAM.
PAM is configured to use the desired authentication mechanisms such as
password+otp or otp. The test using the local user raduser validates
successful configuration and uses PAM and /etc/shadow. The article follows
with adding SSSD in the mix to support the use of AD authentication in
place of the local account via PAM.
On Fri, Sep 23, 2016 at 7:06 PM, fhuzzy notifications@github.com wrote:
With
DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
set as described in the wiki article the following error is generated:
[logintime] = noop
(0) WARNING: pap : Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Reject
(0) Auth-Type = Reject, rejecting user
(0) Failed to authenticate the user
With
#DEFAULT Group == "disabled", Auth-Type := Reject
#Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
radtest is successful
Can you clarify the setting?
Thank you for the article!
Closing this incident. fhuzzy, if you need further assistance, please open a new incident.