Hi all,
I am still attempting to figure out what is going on with this radius 0.6
installation. I had emailed the list a month ago with the same problem, got
no reply, upgraded from 0.5 to 0.6 and experienced the same issue so I
ignored it for the last few weeks hoping customers wouldn't notice...not a
chance.
The problem that persists is that occasionally and randomly (anywhere from
every 4 requests to every 50 requests) a user will not be authenticated even
when providing a correct username/password. There is only ONE entry in the
users file as a default as shown below, but looking at the logs it seems that
failure is happening even before rlm_unix is being called, so it doesn't even
get to that point. As shown in the log snippet below a user tried to login,
passed a CORRECT username/password and got denied access, but then 6 seconds
later on a second attempt (ISDN) with the SAME username/password the user is
successful. This is completely random and happens on both ISDN and Modem
users...it is not picky between them.
The second attempt in the log below is an acceptable and understandable
failure in that it has gotten to rlm_unix and obviously not been passed a
password and thus denied access.
What I cannot figure out is why in the world a user would be denied even
before hitting rlm_unix?
The contents of the users file and radiusd.conf are shown below...have I
something misconfigured causing this?
I can run it in debug mode if needed but the last time I did I noticed
nothing that stood out as odd...
radiusd is running supervised...but I wouldn't guess that should matter at
all....does it?
Any help would be greatly appreciated.
-Dave
## radius log ##
Thu Jul 18 12:31:16 2002 : Auth: Login incorrect: [username/password] (from client nas1 port 1879 cli xxxxxxxxxx)
Thu Jul 18 12:31:22 2002 : Auth: Login OK: [username/password] (from client nas1 port 1879 cli xxxxxxxxxx)
Note on the above attempt the time difference in attempts, and since we are
logging good/bad user/pass we can verify that attempt 1 and attempt 2 have
the identical user/pass...no additional whitespace or anything between
the attempts...absolutely identical.
Thu Jul 18 11:39:17 2002 : Auth: rlm_unix: [username]: invalid password
Thu Jul 18 11:39:17 2002 : Auth: Login incorrect: [username/] (from client nas1 port 1702 cli xxxxxxxxxx)
The above attempt is obvious because it hits rlm_unix and the user has
obviously not provided a password.
## users (only 1 entry) ##
DEFAULT Auth-Type := System
    Ascend-Client-Primary-DNS = "216.111.117.3",
    Ascend-Client-Secondary-DNS = "216.111.117.34",
    Idle-Timeout = 1800,
    Session-Timeout = 28800
## radiusd.conf ##
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = before
lower_pass = no
nospace_user = before
nospace_pass = before
proxy_requests = no
#$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 300
}
modules {
    unix {
        cache = no
        #passwd = /home/passwd
        #shadow = /etc/shadow
        #group = /etc/group
        radwtmp = ${logdir}/radwtmp
    }
    files {
        usersfile = ${confdir}/users
        #acctusersfile = ${confdir}/acct_users
        compat = no
    }
    preprocess {
        with_ascend_hack = yes
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    }
    radutmp {
        filename = ${logdir}/radutmp
        perm = 0600
        callerid = "yes"
    }
    detail {
        detailfile = ${radacctdir}/rad_%{Client-IP-Address}.log
        detailperm = 0600
    }
}
authorize {
    preprocess
    files
}
authenticate {
    unix
}
preacct {
    files
    preprocess
}
accounting {
    acct_unique
    detail
    unix
    radutmp
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
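As an added example (not part of the original post or of FreeRADIUS), a small Python triage script for the log pattern Dave describes: it parses Auth lines in the FreeRADIUS 0.6 format shown above, separates rejects that rlm_unix explained from rejects where no module logged anything, and flags the ones where the identical user/password succeeded shortly afterwards. The sample lines are constructed from the post's excerpt with placeholder names, and the 30-second flap window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log excerpt in the post; user names, the
# password and the CLI digits are placeholders, not values from the thread.
SAMPLE_LOG = """\
Thu Jul 18 11:39:17 2002 : Auth: rlm_unix: [alice]: invalid password
Thu Jul 18 11:39:17 2002 : Auth: Login incorrect: [alice/] (from client nas1 port 1702 cli xxxxxxxxxx)
Thu Jul 18 12:31:16 2002 : Auth: Login incorrect: [bob/s3cret] (from client nas1 port 1879 cli xxxxxxxxxx)
Thu Jul 18 12:31:22 2002 : Auth: Login OK: [bob/s3cret] (from client nas1 port 1879 cli xxxxxxxxxx)
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
MODULE_RE = re.compile(r"^(?P<ts>.+?) : Auth: rlm_unix: \[(?P<user>[^\]]*)\]: (?P<reason>.*)$")
LOGIN_RE = re.compile(r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
                      r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] \(from client (?P<nas>\S+) port (?P<port>\d+)")

def parse(text):
    """Turn raw Auth log lines into (timestamp, kind, user, password, nas, port) records."""
    events = []
    for line in text.splitlines():
        if m := MODULE_RE.match(line):
            events.append((datetime.strptime(m["ts"], TS_FMT), "module_reject", m["user"], None, None, None))
        elif m := LOGIN_RE.match(line):
            kind = "ok" if m["result"] == "OK" else "reject"
            events.append((datetime.strptime(m["ts"], TS_FMT), kind, m["user"], m["pw"], m["nas"], m["port"]))
    return events

def classify_rejects(events, flap_window=timedelta(seconds=30)):
    """Label every 'Login incorrect' record:
    module_reject   - an rlm_unix line for the same user at the same second explains it
    pre_module_flap - no module line, and the same user/password was accepted within
                      flap_window afterwards (the pattern the post describes)
    pre_module      - no module line and no later success with those credentials
    """
    findings = []
    for i, (ts, kind, user, pw, nas, port) in enumerate(events):
        if kind != "reject":
            continue
        explained = any(k == "module_reject" and u == user and abs((t - ts).total_seconds()) <= 1
                        for t, k, u, *_ in events)
        if explained:
            findings.append((ts, user, "module_reject"))
            continue
        flapped = any(k == "ok" and u == user and p == pw and ts < t <= ts + flap_window
                      for t, k, u, p, *_ in events[i + 1:])
        findings.append((ts, user, "pre_module_flap" if flapped else "pre_module"))
    return findings
```

Run over a real radius.log with log_auth_badpass and log_auth_goodpass enabled, a count of pre_module_flap findings per NAS and per hour shows whether the intermittent rejects cluster on a particular client or load period.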