pam-radius-auth problem
Hello list,
First of all, my best wishes to all,
I'm trying to use the pam_radius_auth PAM module on a Debian (Sarge) system to
authenticate users to a Vasco RADIUS server using their digipass tokens.
When I try to authenticate, the following happens:
In the request:
t:User Name(1): l:6, Value:"BOFH"
t:User Password(2) l:18, value:<some_hash>
t:NAS IP Address(4) l:6, Value:127.0.0.1
t:NAS identifier(32) l:22, Value:"some_name"
t:NAS Port(5) l:6, Value:16333
t:NAS Port Type(61) l:6, Value:Virtual(5)
t:Service Type(6) l:6, Value:Authenticate Only(8)
t:Calling Station Id(31) l:14, Value:"10.100.1.149"
In the answer:
t:Reply Message(18) l:50, Value:"Request denied - failed to obtain client
details"
I'm a bit confused by the 'NAS IP Address' being 127.0.0.1, the loopback
interface. In the RFC I read that the 'NAS IP Address', and I quote: "Should
be unique to the NAS within the scope of the RADIUS server". I'm no native
speaker, but it seems that this should be a unique value per host in the
client list of the server, and thus not the loopback address but the 'real'
IP address.
Since the RFC goes on to say that the source address of the request and not
this value should be used to select the secret, that only strengthens my
belief that this value should be the IP address of the machine.
Is there a way I can make the module send out the IP address? Is this OS
related? The reason I'm asking this is because I tried to set up the
mod-auth-radius apache module (another freeradius spinoff) since it supports
the AuthRadiusBindAddress parameter that lets you specify the address to use
for sending the requests.
However, after setting this parameter, requests were still sent out (by
apache) with the loopback address, and I got the same error.
I've tested RADIUS authentication from other systems (Cisco and Windows via
pgina) and I have no problems there. They all sent out the correct IP address
and I can authenticate without a problem.
Any ideas on how to force the IP address to be correct?
Kind regards,
joost
--
nodisclaimer
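
A check for the condition described in the message above, added here as an example that is not part of the original post and is not pam_radius_auth or server code: it decodes the attribute list of an Access-Request and compares NAS-IP-Address (type 4) with the address the datagram arrived from. The packet contents, the source address 192.0.2.10 and all function names are constructed for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # attribute type number, as printed in the dump above

def parse_attributes(packet):
    """Return [(type, value)] from a RADIUS packet: 20-byte header, then TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]  # length covers type+length+value
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def check_nas_ip(packet, source_ip):
    """Classify NAS-IP-Address against the address the request arrived from."""
    values = [v for t, v in parse_attributes(packet) if t == NAS_IP_ADDRESS]
    if not values:
        return "absent"
    nas = ipaddress.IPv4Address(values[0])  # raises ValueError unless 4 octets
    if nas.is_loopback:
        return "loopback"
    return "match" if nas == ipaddress.ip_address(source_ip) else "mismatch"

def attr(a_type, value):
    return bytes([a_type, len(value) + 2]) + value

def build_request(nas_ip):
    """Constructed Access-Request carrying the attributes listed in the post."""
    body = b"".join([
        attr(1, b"BOFH"), attr(2, bytes(16)),  # password field zeroed (placeholder)
        attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        attr(32, b"some_name"), attr(5, struct.pack("!I", 16333)),
        attr(61, struct.pack("!I", 5)), attr(6, struct.pack("!I", 8)),
        attr(31, b"10.100.1.149"),
    ])
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

print(check_nas_ip(build_request("127.0.0.1"), "192.0.2.10"))  # constructed source
```
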