Install PrivacyIdea Radius module on Centos?

Hi,

We have set up a PrivacyIdea (Ubuntu) server and an LDAP (Centos) server and
have now set up a FreeRadius (Centos 7) server, but are not sure how we go
about getting the Radius server to connect to our PrivacyIdea server. I
think we need to install the privacyIdea radius module but are not sure how
to go about this.

We had trouble getting PrivacyIdea installed on Centos so went with Ubuntu,
but would prefer to stay on Centos for the radius server. Could someone
provide us with some guidance, as we’re a bit lost with the whole radius
thing?

Cheers
Keith

Hi Keef,

in fact it is rather simple.
Unfortunately it is split in two parts in the documentation.
I think we have to optimize the docs.

So, first get the plugin.

In fact you simply need one perl module:
https://raw.githubusercontent.com/privacyidea/FreeRADIUS/master/privacyidea_radius.pm

Now add the privacyIDEA plugin to FreeRADIUS:
http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html#freeradius-plugin
The configuration of modules/perl needs to point to the
privacyidea_radius.pm perl module.

Now you can configure the plugin according to:
http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html#rlm-perl-ini

In your case you need to point the URL in your rlm_perl.ini to your
privacyIDEA server.

It is always a good idea to start freeRADIUS in debug mode to test if
everything is fine.

freeradius -X

or

radiusd -X

Kind regards
Cornelius

Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Hi, I am not having much luck with getting Freeradius to work with
PrivacyIDEA. Could someone help us? We're using Centos7… Thanks, Keith

echo "User-Name=keith@test-ldap,User-Password=1234vviktrcgjlefrlnihfgklrfvbjvhcukggvekicnnjugf" | radclient localhost:1812 auth testing123

$RAD_REQUEST{'User-Password'} = &request:User-Password -> '1234vviktrcgjlefrlnihfgklrfvbjvhcukggvekicnnjugf'
(8) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'keith@test-ldap'
(8) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> '1234vviktrcgjlefrlnihfgklrfvbjvhcukggvekicnnjugf'
(8) [perl] = ok
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : Looking up realm "test-ldap" for User-Name = "keith@test-ldap"
(8) suffix : No such realm "test-ldap"
(8) [suffix] = noop
(8) eap : No EAP-Message, not doing EAP
(8) [eap] = noop
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(8) WARNING: pap : Authentication will fail unless a "known good" password is available
(8) [pap] = noop
(8) } # authorize = ok
(8) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject : EXPAND %{User-Name}
(8) attr_filter.access_reject : --> keith@test-ldap
(8) attr_filter.access_reject : Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(8) [eap] = noop
(8) remove_reply_message_if_eap remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message)
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else else {
(8) [noop] = noop
(8) } # else else = noop
(8) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(8) } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sending Access-Reject packet to host 127.0.0.1 port 52686, id=14, length=0
Sending Access-Reject Id 14 from 127.0.0.1:1812 to 127.0.0.1:52686
Waking up in 3.9 seconds.
(8) Cleaning up request packet ID 14 with timestamp +526
Ready to process requests

Hi Keith,

we need some more of your configuration.
Please stick to this documentation.
http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html#freeradius-plugin
If we can identify your problem, we might be able to improve the docs
where necessary.

You need the privacyidea radius perl module, which “translates” the
RADIUS request into the privacyIDEA API.

For this, you need to activate the freeradius “rlm_perl” and you need to
configure the rlm_perl to use the privacyidea’s perl module.

FreeRADIUS first “authorizes” the user and then “authenticates” the user.
It looks like you did not send the authorize debug output.

You try to authenticate with the user keith@test-ldap. Probably because
you have a privacyIDEA realm “test-ldap”. But freeradius also uses
@test-ldap as a FreeRADIUS realm.

So to keep things simple I recommend in the first step to define
“test-ldap” as the default realm in your privacyIDEA server and then
authenticate only with “keith” (no realm).

See what happens.
If it still does not help, please send the complete debug output.

Kind regards
Cornelius

Hi, Sorry for the delay in getting back in touch. I checked and test-ldap
was the default realm in PrivacyIdea. Anyway I tried authenticating without
the @test-ldap and got the following. Can you help?

echo "User-Name=keith,User-Password=742351" | radclient localhost:1812 auth testing123
(0) -: Expected Access-Accept got Access-Reject

Received Access-Request Id 254 from 127.0.0.1:51650 to 127.0.0.1:1812 length 45
User-Name = 'keith'
User-Password = '742351'
(0) Received Access-Request packet from host 127.0.0.1 port 51650, id=254, length=45
(0) User-Name = 'keith'
(0) User-Password = '742351'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(0) authorize {
(0) perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'keith'
(0) perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> '742351'
(0) perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'keith'
(0) perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> '742351'
(0) [perl] = ok
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "keith", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> keith
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0) [eap] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 51650, id=254, length=0
Sending Access-Reject Id 254 from 127.0.0.1:1812 to 127.0.0.1:51650
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 254 with timestamp +21
Ready to process requests

Thanks
Keith
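
A small triage helper for `radiusd -X` output like the trace above, added here as an illustration; it is not part of the original thread or of privacyIDEA. It groups lines by request number and reports which modules ran in `authorize` and whether an Auth-Type was ever set; the names `parse_debug` and `diagnose` are assumptions of this example.

```python
import re

# Constructed sample: excerpt of the request (0) output above, wrapped lines rejoined.
SAMPLE = """\
(0) authorize {
(0) [perl] = ok
(0) [files] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Post-Auth-Type REJECT {
(0) [attr_filter.access_reject] = updated
(0) } # Post-Auth-Type REJECT = updated
(0) Sending Access-Reject packet to host 127.0.0.1 port 51650, id=254, length=0
Waking up in 3.9 seconds.
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")
SECTION_OPEN = re.compile(r"^(authorize|authenticate|Post-Auth-Type \w+)\s*\{$")
SECTION_CLOSE = re.compile(r"^\}\s*#\s*(.+?)\s*=\s*(\w+)$")
MODULE_RC = re.compile(r"^\[([\w.-]+)\]\s*=\s*(\w+)$")


def parse_debug(text):
    """Group debug lines by request number; record module return codes per section."""
    requests, open_section = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unnumbered lines such as "Waking up in ..."
        rid, body = int(m.group(1)), m.group(2).strip()
        req = requests.setdefault(
            rid, {"sections": {}, "no_auth_type": False, "reply": None})
        current = open_section.get(rid)
        opened, closed, rc = (
            p.match(body) for p in (SECTION_OPEN, SECTION_CLOSE, MODULE_RC))
        if current is None and opened:
            open_section[rid] = opened.group(1)
            req["sections"][opened.group(1)] = []
        elif closed and closed.group(1) == current:
            del open_section[rid]  # nested blocks ("else else") do not match
        elif rc and current:
            req["sections"][current].append((rc.group(1), rc.group(2)))
        elif "No Auth-Type found" in body:
            req["no_auth_type"] = True
        elif body.startswith("Sending Access-"):
            req["reply"] = body.split()[1]
    return requests


def diagnose(req):
    """Turn one parsed request into short findings for the operator."""
    findings = []
    authorize = dict(req["sections"].get("authorize", []))
    if req["no_auth_type"]:
        findings.append("authorize ended without Auth-Type; no authenticate section ran")
        if authorize.get("perl") == "ok":
            findings.append("perl returned ok in authorize but was never called to authenticate")
        if authorize.get("files") == "noop":
            findings.append("files matched no users entry, so it set no Auth-Type")
    if req["reply"]:
        findings.append("reply sent: " + req["reply"])
    return findings


if __name__ == "__main__":
    for rid, req in parse_debug(SAMPLE).items():
        print(f"request {rid}", *diagnose(req), sep="\n  ")
```

Run against a saved debug log, it gives one summary per request number, which helps when several test requests are interleaved in the same terminal session.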

Hi Keith,

configuration still missing.

What does all the eap-if-stuff do there?
This does not look like the default privacyIDEA freeradius config.

Kind regards
Cornelius

Hi Keef,

> Hi Again,
>
> Yesterday I decided to try switching OS from Centos to Ubuntu to see
> if I could get Freeradius / PrivacyIDEA Perl Module to work on a
> different OS and it does !!!
> We had a similar issue getting the PrivacyIDEA Server/App to work on
> Centos and ended up switching to Ubuntu so I can’t see us switching
> back to Centos at least for anything PrivacyIDEA related.
>
> There are a few issues that I need to sort out but so far I have
> managed to get one of our Centos servers to authenticate using a htop
> token !!! :>)
> The two issues that are left are as follows, if you think we should
> raise these separately then just say.
>
>   1. We get the following error in the output from “radiusd -X” and am
>     not sure if it’s a real issue or not but I couldn’t find any
>     documentation about it as I am not sure where to look?
>     rlm_perl: ERROR: Failed to create pair privacyIDEA-Serial = OATH000XXXXXX

You need to add additional RADIUS Value Pairs.

Create a file /etc/[radiusd|freeradius]/dictionary.netknights

with the following content:
--snip--
VENDOR NetKnights 44929

# Backwards compatibility.

BEGIN-VENDOR NetKnights

ATTRIBUTE privacyIDEA-Serial 1 string
ATTRIBUTE privacyIDEA-Realm 2 string
ATTRIBUTE privacyIDEA-Resolver 3 string

END-VENDOR NetKnights
--snap--

In your dictionary file do

$INCLUDE dictionary.netknights

>   2. The second issue is that we want to use TFA to log into our servers
>     through a web remote desktop gateway called guacamole
>     (http://guac-dev.org/). As we’ve got SSH Radius authentication working
>     we’re now trying to get a SSH Terminal through
>     guacamole to a server but the login process is hanging and we’re not
>     sure why. Below is output of /var/log/messages from the server that we
>     were trying to log into. It seems like the problem is that it’s trying
>     to log in twice which broke the otp policy we think.
>
> Jan 14 11:23:01 Xserver sshd[9084]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1475868288.
> Jan 14 11:23:02 Xserver sshd[9084]: Accepted password for keith from 192.168.XX.6 port 33244 ssh2
> Jan 14 11:23:02 Xserver sshd[9084]: pam_unix(sshd:session): session opened for user keith by (uid=0)
>
> Jan 14 11:23:07 Xserver sshd[9088]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1080871296.
> Jan 14 11:23:08 Xserver unix_chkpwd[9090]: password check failed for user (keith)
> Jan 14 11:23:08 Xserver sshd[9088]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=guacamole.XXXXXXXXXXXXXXXXXXXX user=keith
> Jan 14 11:23:11 Xserver sshd[9088]: Failed password for keith from 192.168.XX.6 port 33245 ssh2
> Jan 14 11:23:11 Xserver sshd[9089]: Connection closed by 192.168.XX.6

This does not sound good.
I heard this from another Remote-X-Server Vendor, that authentication
checks the password twice for some reason. (Design flaw?)

So at the moment there is no easy solution to this.

Way to go would be:
Dig into the guacamole (hm, yummy) and see and understand why this
happens. (maybe there could be some PAM voodoo)

At this point I can not tell anything more…

This is an old discussion, but I really do not like to break the sense
of one-time passwords and allow a one-time password to be used twice.

Kind regards
Cornelius

Hi Again,

Yesterday I decided to try switching OS from Centos to Ubuntu to see if I
could get Freeradius / PrivacyIDEA Perl Module to work on a different OS
and it does !!!
We had a similar issue getting the PrivacyIDEA Server/App to work on Centos
and ended up switching to Ubuntu so I can’t see us switching back to Centos
at least for anything PrivacyIDEA related.

There are a few issues that I need to sort out but so far I have managed to
get one of our Centos servers to authenticate using a htop token !!! :>)
The two issues that are left are as follows, if you think we should raise
these separately then just say.

  1. We get the following error in the output from “radiusd -X” and am not
    sure if it’s a real issue or not but I couldn’t find any documentation
    about it as I am not sure where to look?
    rlm_perl: ERROR: Failed to create pair privacyIDEA-Serial = OATH000XXXXXX

  2. The second issue is that we want to use TFA to log into our servers
    through a web remote desktop gateway called guacamole
    (http://guac-dev.org/). As we’ve got SSH Radius authentication working
    we’re now trying to get a SSH Terminal through
    guacamole to a server but the login process is hanging and we’re not sure
    why. Below is output of /var/log/messages from the server that we were
    trying to log into. It seems like the problem is that it’s trying to log in
    twice which broke the otp policy we think.

Jan 14 11:23:01 Xserver sshd[9084]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1475868288.
Jan 14 11:23:02 Xserver sshd[9084]: Accepted password for keith from 192.168.XX.6 port 33244 ssh2
Jan 14 11:23:02 Xserver sshd[9084]: pam_unix(sshd:session): session opened for user keith by (uid=0)

Jan 14 11:23:07 Xserver sshd[9088]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1080871296.
Jan 14 11:23:08 Xserver unix_chkpwd[9090]: password check failed for user (keith)
Jan 14 11:23:08 Xserver sshd[9088]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=guacamole.XXXXXXXXXXXXXXXXXXXX user=keith
Jan 14 11:23:11 Xserver sshd[9088]: Failed password for keith from 192.168.XX.6 port 33245 ssh2
Jan 14 11:23:11 Xserver sshd[9089]: Connection closed by 192.168.XX.6

Thanks for all your help.
Keith
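
A heuristic check for the double-login pattern visible in the sshd lines above, added here as an illustration and not part of the original thread. It flags a failed password login that follows an accepted one for the same user and source within a short window; the function names, the 30-second window and the `year` parameter are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the /var/log/messages lines posted above, wrapped lines
# rejoined. The redacted source address is kept as posted.
SAMPLE = """\
Jan 14 11:23:02 Xserver sshd[9084]: Accepted password for keith from 192.168.XX.6 port 33244 ssh2
Jan 14 11:23:02 Xserver sshd[9084]: pam_unix(sshd:session): session opened for user keith by (uid=0)
Jan 14 11:23:08 Xserver unix_chkpwd[9090]: password check failed for user (keith)
Jan 14 11:23:11 Xserver sshd[9088]: Failed password for keith from 192.168.XX.6 port 33245 ssh2
Jan 14 11:23:11 Xserver sshd[9089]: Connection closed by 192.168.XX.6
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)")


def parse_events(text, year=2016):
    """Yield sshd password results; syslog omits the year, so it is a parameter."""
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield {**m.groupdict(), "when": when}


def second_login_failures(text, window=timedelta(seconds=30)):
    """Return failed password logins that follow an accepted one for the same
    user and source within `window`, from a different sshd process. With OTP
    passwords, this is what a client presenting the same password on a second
    connection looks like in the log."""
    hits, last_ok = [], {}
    for ev in parse_events(text):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Accepted":
            last_ok[key] = ev
        elif key in last_ok:
            ok = last_ok[key]
            gap = ev["when"] - ok["when"]
            if gap <= window and ev["pid"] != ok["pid"]:
                hits.append({"user": ev["user"], "src": ev["src"],
                             "accepted_pid": ok["pid"], "failed_pid": ev["pid"],
                             "gap_seconds": int(gap.total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in second_login_failures(SAMPLE):
        print(hit)
```

The log alone cannot prove that the second attempt carried the same OTP; a match is a prompt to compare the two requests on the RADIUS or privacyIDEA side.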