SUMMARY: Password expiration and RADIUS

From: Enrique Vadillo (vadillo@rcp.net.pe)
Date: Mon Apr 19 1999 - 16:56:40 CDT


Sorry for the late summary, but I was sick in bed. I posted originally:
----------------------------------------------------------------------
I was wondering if shadowed password expiration was taken into account by
radius for authentication, much in the same way telnetd abides by it.
Of course i am only speaking of users who i.e. have the profile
DEFAULT Password = "UNIX" and thus rely upon Solaris' shadowed
passwords for authentication.
Anyone knows if this is true? I'll summarize.
Enrique-
PS: BTW i use radiusd: RADIUS version 1.16 (plus Ascend extensions) 97/02/24
    BINARY_FILTERS ASCEND_SECRET ASCEND_LOGOUT sun SOLARIS
----------------------------------------------------------------------

I received some responses, but password aging/expiration only worked for
remote logins or the like; it did not work with RADIUS version 1.16 (plus
Ascend extensions) BINARY_FILTERS ASCEND_SECRET ASCEND_LOGOUT sun SOLARIS.
I tested using a MAX TNT box with radius running on Solaris, and expired
logins were accepted by radius while telnet, for example, did refuse them.

If anyone has code that enables password aging checkup by ascend radius,
please send it to me, I'll be glad to recompile my daemon.

Here are the responses I received:

---
scott@cdi.com.au (CDI Tech)
---
For memory expire_date locks a UNIX system password with either the * or !
character at the start of their encrypted password when you shadowed
support.  Much the same way as passwd -l works.  This means RADIUS or any
other authentication program will see the password as invalid and not auth
the user.

Therefore YES.

---
rdelaney@bbt.com (Ray Delaney)
---
The last time I set up and used radius off the unix password it followed
the same rules as unix. So if you have the password aging set to on, once
the password expires the user will no longer be validated through the
radius server. Hope this helps.

---
assis@uel.br (Marcos Assis Silva)
---
It depends on the Radius server source. I know from my own experience that
out-of-the-box Livingston Radius server version 1.16 will **NOT** honor
those shadow settings and I have tweaked it a bit to take password /
account expiration into account when authenticating users. I can't
remember, for sure & from the top of my mind, if Cistron Radius performs
as you'd expect ... it seems to me that it does. HTH. Regards ...

---
rb@zkm.de (Rudi Boerner)
---
It depends on your software. We use Livingston PD RADIUS. It works fine.

Enrique-
--
----------------------------------------------
RCP - Internet Peru      Tel: +51 1 422-4848
Dpto de Operaciones      Fax: +51 1 421-8086
----------------------------------------------
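
Added example (not part of the thread and not the Livingston or Ascend radiusd source): a C version of the shadow aging check that the summary found missing in radiusd 1.16, meant to run on the user's shadow entry after the password comparison has succeeded. The names `shadow_aging_check`, `check_fields` and `unix_aging_permits` are hypothetical, the sample values are constructed, and rejecting every verdict other than OK is an assumed policy.

```c
#include <shadow.h>
#include <time.h>

enum aging_verdict { AGING_OK, AGING_LOCKED, AGING_ACCOUNT_EXPIRED,
                     AGING_PASSWORD_EXPIRED, AGING_MUST_CHANGE };

/* Decide from a shadow entry alone; `today` is days since 1970-01-01.
 * Unset aging fields are returned by getspnam() as -1. */
enum aging_verdict shadow_aging_check(const struct spwd *sp, long today)
{
    if (sp == NULL || sp->sp_pwdp == NULL)
        return AGING_LOCKED;                 /* no shadow entry: fail closed */
    if (sp->sp_pwdp[0] == '*' || sp->sp_pwdp[0] == '!')
        return AGING_LOCKED;                 /* e.g. "*LK*" after passwd -l */
    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return AGING_ACCOUNT_EXPIRED;        /* absolute account expiry date */
    if (sp->sp_lstchg == 0)
        return AGING_MUST_CHANGE;            /* change forced at next login */
    if (sp->sp_max >= 0 && sp->sp_lstchg > 0 &&
        today - sp->sp_lstchg > sp->sp_max)
        return AGING_PASSWORD_EXPIRED;       /* older than the maximum age */
    return AGING_OK;
}

/* Build a constructed entry so the check runs without /etc/shadow. */
enum aging_verdict check_fields(const char *hash, long lstchg, long max,
                                long expire, long today)
{
    struct spwd sp = {0};
    sp.sp_pwdp = (char *)hash;
    sp.sp_lstchg = lstchg;
    sp.sp_max = max;
    sp.sp_expire = expire;
    return shadow_aging_check(&sp, today);
}

/* Hypothetical hook: call once the crypt() comparison has succeeded and
 * send Access-Reject unless it returns 1 (assumed policy, see lead-in). */
int unix_aging_permits(const char *user)
{
    return shadow_aging_check(getspnam(user), (long)(time(NULL) / 86400))
           == AGING_OK;
}

int main(void)
{
    /* Constructed: day 10700 is 1999-04-19; changed on day 10600, max 30. */
    return check_fields("abXYconstructed", 10600, 30, -1, 10700)
           == AGING_PASSWORD_EXPIRED ? 0 : 1;
}
```

Reading `/etc/shadow` through `getspnam()` requires the daemon to run with sufficient privilege, which a radiusd using `Password = "UNIX"` already needs for the password comparison.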


