Problem with RADIUS authentication

i have RADIUS auth…and use Google Authenticator for 2-step verification .
Config on my VYOS 1.1.3 "set system login radius-server x.x.x.x secret 123 " and timeout 10 .
And i have next situation :

1 . when i try SSH my device with Radius connected - i can access the Vyos with local user and password also .
2 . when i use Radius user and password - also can access Vyos .
3 . when i use Radius user and WRONG password - i also can access my VYOS .

Radius answer to Vyos “access reject” - Vyos like disregard this message and still accept connection via SSH with wrong password also.
Also the Strange thing - user and password that used in Radius must be configured localy on Vyos exept additional code that i have from Google Authenticator .

I have few questions :
1 . Why Vyos accept local user and pass in SSH connection -when it use radius for this purpose .
2 . Why i need to configure user and passwords used in radius in Vyos also
3 . how i solve problem with “access reject” and make this to reject SSH login with wrong passwords ?

i use FreeRadius - that work excellent with other devices - like cisco , juniper .

I see that you are using freeradius with VYOS. Would you be able to assist me with how to configure it to get it working. I have it installed but I am getting an error with the password.

Here is the message:

[pap] login attempt with password “? INCORRECT”
[pap] Using clear text password “testing”
[pap] Passwords don’t match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [brads] (from client private-network-1 port 7583 cli 10.196.5.117)
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

Radius authentication don’t have the privilege level so you need the user to be configured as a local user.

The Radius Client could get the privilege level, but it’s not currently implemented. A feature enhancement could be nice here.

From the Vyatta 6.5 documentation:

[quote]
RADIUS Authentication
RADIUS servers are used only to authenticate user passwords. Using RADIUS
authentication does not affect a user’s configured privilege level. RADIUS
authentication is not supported for IPv6.
To configure RADIUS, you specify the location of the RADIUS server and specify the
secret to be used to authenticate the user on the RADIUS server. RADIUS secrets are
specified in plain text. They are stored in plain text on the system, and used as part
of a cryptographic operation for transferring authentication information securely
over the network. When you view RADIUS secrets, they are displayed in plain text.
RADIUS secrets must not contain spaces and are case-sensitive.
Where RADIUS authentication is used, some delay can be expected; the amount of
delay depends on the cumulative timeout values configured for all RADIUS servers.
If you are using RADIUS authentication, the users must still be configured in the
Vyatta login database; otherwise, the user is not able to access the Vyatta system and
therefore is not able to query the RADIUS server.[/quote]

But it should not accept the wrong password.

I might be entirely wrong here, but are you ssh’ing in with a key? If you have the correct SSH key for your user, OpenSSH will happily ignore PAM and just let you in without even considering any PAM modules (radius, etc).

This was addressed in OpenSSH 6.2 with AuthenticationMethods, but unfortunately VyOS doesn’t go higher than 5.5 at the moment and it’s a Very Bad Idea to go trying to update as OpenSSH requires a number of library updates. Maybe the VyOS team can backport in some way from unstable? :slight_smile:

But using ssh keys also require local users and keys. Radius could be implemented so no local user is required.

Thanks for the information. Does anyone know the right person to contact to see if we can fix this lack of centralized management scalability with Vyos/Vyatta RADIUS ?

It is open source, feel free to contribute. There is also the IRC channel vyos on FreeNode