ePMP GUI RADIUS AUTH - cli ssh access not working

andreas · August 23, 2023, 6:35pm

Hi,

I’m using FreeRadius to authenticate GUI users to our ePMP APs. Web GUI access works fine, I can login no problem. The problem is SSH - when I attempt to connect to the AP’s SSH port with the same user/pass I use to access the web GUI, my access is denied.

This is a debug log fragment from my radius server, sending the access-accept with reply attributes:

(1) Received Access-Request Id 0 from 10.x.x.3:36836 to 10.x.x.100:1812 length 66
(1) User-Name = “ph”
(1) User-Password = “hunter2”
(1) NAS-IP-Address = 10.x.x.3
(1) Message-Authenticator = 0x097d43afbd918bbe5f34519fe7121f20
(1) Sent Access-Accept Id 0 from 10.x.x.100:1812 to 10.x.x.3:36836 length 0
(1) Cambium-Auth-Role = System-Admin
(1) Cambium-ePMP-UserLevel = Admin

The AP sends a radius request for CLI SSH logins, the radius server returns “Access-Accept” in the same way as it does for a GUI login, but it doesn’t accept the login and prompts for password.

Are there any other radius reply attributes that I need to return in order to allow CLI access?

Also, the system log on the AP says:

Aug 23 12:50:02 dropbear[28635]: pam_unix(sshd:account): could not identify user (from getpwnam(ph))

If I create a radius user “admin” and attempt to SSH with that user, it completes successfully, so it must be able to “getpwnam(admin)” without error.

Douglas_Generous · September 3, 2023, 4:27pm

Ssh needs a special vsa to respond with the accept message or it ignores the virtual user and looks at the system users.

This is due to how linux defaults to PAM auth on radius response not complete.

I do question why you want virtual users having access to the cli?

andreas · September 5, 2023, 2:58pm

Do you happen to know which RADIUS VSA makes that possible? I had to scour the community forum archives to find the two attributes that I’m already using.

My virtual users are other network administrators at my company who I’d rather have login with their own user/pass rather than a common “admin” user. I have everyone login to the web GUI with their own user, why not CLI?

Douglas_Generous · September 7, 2023, 1:35pm

Your user should have this vsa as the second response

Attribute Name : Service-Type
Value : Administrative

Mike sure you use the follow through end of line character.

aka · September 11, 2023, 9:42am

To ssh with Radius enabled you have to have user “admin” on your Radius server. With this account only. It will not work to ssh with any other user name. There is a long story but it is due to security policies.

Could you tell me why do you need CLI? What exactly you need to do there you can not do in GUI?
Maybe we can do something better there.