# basic freeradius problem

## xhon

my problem is really very simple  :Smile: 

System authentication doesn't work !

radius starts

it loads the unix module:

```
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"                        <--- I had to enter these filenames in radiusd.conf !!!
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
```

"users" file without any changes

so every user matches default and gets System authenticated

"clients.conf" also with no changes, with localhost and testing123 password

however, when I try to do radtest I get an Access-reject

it works, when I put my username and password in users file

like this: 

```
xhon Password == "password"
    Reply-message = "hello"
```

I have exactly the same configuration on my laptop (fedora 4)

and it works  :Sad: 

anyone ? it must be some stupid mistake ..

-- 

xhon

----------

## xhon

```
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=129, length=56
        User-Name = "xhon"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "xhon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched entry DEFAULT at line 157
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_unix: [xhon]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 1
modcall: group authenticate returns reject for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
```

--------------------------

rlm_unix reports "invalid password"

but the password is correct

another question: why NAS-IP-Address = 255.255.255.255 ?

why it is not localhost ip address ?

----------

## xhon

freeradius had to be started as root

http://marc.theaimsgroup.com/?l=freeradius-users&m=108973709319786&w=2

I don't know why. It works as dedicated radiusd user on fedora :-/

I prefer not to run it with root privileges, so if anyone can suggest anything....

-- 

xhon

----------

## neonknight

Indeed a good question.

I'm stuck with the same problem and I see two possible solutions this far: 

- either change ownership of /etc/shadow (I don't really want to do this...)

- use PAM (which I can't get to work...)

----------

## neonknight

Wuahahaha, forget that last one...

I've tried half of the afternoon to get it working. And I found out that PAM works under two conditions:

1) start radiusd as a non-privileged user and use the following /etc/pam.d/radiusd

```
auth            required        pam_permit.so
account         required        pam_permit.so
password        required        pam_permit.so
session         required        pam_permit.so
```

This will always say yes.

2) start radiusd as root and use the following /etc/pam.d/radiusd

```
auth            required        pam_unix.so shadow
account         required        pam_unix.so
password        required        pam_unix.so shadow use_authtok
session         required        pam_unix.so
```

This will only accept the user, if the username and password match those in /etc/passwd.

Very funny, indeed. What a waste of time...  :Sad:  If I knew that before, then I would have used the unix-module, which also needs root-privileges anyway but is not such a pain to configure!

Why does radiusd need to be run as root, even if it authenticates via PAM?

----------
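An added diagnostic for the symptom discussed in this thread, not posted by anyone in it: it pulls the rlm_unix "invalid password" rejects out of debug output and checks whether a given account can read the shadow file under classic owner/group/other permissions. The function names, the sample log and the default path are assumptions of this example; ACLs and capabilities are not considered.

```python
import grp
import os
import pwd
import re
import stat

# Constructed sample, shaped like the debug output quoted in the thread.
SAMPLE_DEBUG = """\
  rad_check_password:  Found Auth-Type System
auth: type "System"
rlm_unix: [xhon]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 1
"""

def unix_rejects(debug_text):
    """Return user names that rlm_unix rejected with 'invalid password'."""
    return re.findall(r"^rlm_unix: \[([^\]]+)\]: invalid password", debug_text, re.M)

def may_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic POSIX read check: exactly one class (owner, group, other) applies.
    Ignores ACLs and capabilities such as CAP_DAC_READ_SEARCH."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def account_ids(name):
    """Look up uid and all group ids (primary and supplementary) for an account."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids

def diagnose(run_as, shadow="/etc/shadow"):
    """Explain whether the account radiusd runs as can read the shadow file."""
    uid, gids = account_ids(run_as)
    st = os.stat(shadow)
    ok = may_read(st.st_mode, st.st_uid, st.st_gid, uid, gids)
    return "%s %s read %s (mode %o, owner %d:%d)" % (
        run_as, "can" if ok else "cannot", shadow,
        stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

if __name__ == "__main__":
    for user in unix_rejects(SAMPLE_DEBUG):
        print("rlm_unix rejected", user)
    print(diagnose("root"))  # replace "root" with the account radiusd runs as
```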

