I just built freeradius 0.9.3 on my RedHat Fedora Core 1 box.  radiusd
starts up fine and I modified the /etc/raddb/clients to have:

localhost               testing123
127.0.0.1               testing123

but when I use radtest against a test account (test) with a verifiably
good password (t1e2s3t4), I get an Access-Reject.  I've started radiusd in
debug mode and examined the startup and authentication messages, but
cannot determine why simple UNIX authentication is failing.  I've included
debug and radtest output below.

Any help would be greatly appreciated, as I've been pulling my hair out
since yesterday trying to resolve this.

                --john

----------------------------------------------------------------------------
# /etc/rc.d/init.d/radiusd debug
Starting /usr/local/freeradius/sbin/radiusd  in debug mode:Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local/freeradius"
 main: localstatedir = "/usr/local/freeradius/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/local/freeradius/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/freeradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.

----------------------------------------------------------------------------


$ /usr/local/freeradius/bin/radtest test t1e2s3t4 localhost 0 testing123
Sending Access-Request of id 28 to 127.0.0.1:1812
        User-Name = "test"
        User-Password = "t1e2s3t4"
        NAS-IP-Address = aardvark
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=28, length=20

----------------------------------------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=28, length=56
        User-Name = "test"
        User-Password = "t1e2s3t4"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 0
rlm_unix: [test]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 28 to 127.0.0.1:32769
Waking up in 4 seconds...

----------------------------------------------------------------------------




# lsof -p 7563
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
radiusd 7563 root  cwd    DIR   3,71    1024  40801 /tmp/freeradius-0.9.3
radiusd 7563 root  rtd    DIR   3,66    4096      2 /
radiusd 7563 root  txt    REG   3,67  137808  16391 /usr/local/freeradius/sbin/radiusd
radiusd 7563 root  mem    REG   3,67   46195 114817 /usr/local/freeradius/lib/rlm_mschap-0.9.3.so
radiusd 7563 root  mem    REG   3,66  240720 262473 /usr/lib/libsnmp-0.4.2.6.so
radiusd 7563 root  mem    REG   3,67  865952 163844 /usr/local/lib/libcrypto.so.0.9.6
radiusd 7563 root  mem    REG   3,67   57324 114762 /usr/local/freeradius/lib/rlm_eap_leap-0.9.3.so
radiusd 7563 root  mem    REG   3,67   41172 114847 /usr/local/freeradius/lib/rlm_preprocess-0.9.3.so
radiusd 7563 root  mem    REG   3,67   42225 114797 /usr/local/freeradius/lib/rlm_files-0.9.3.so
radiusd 7563 root  mem    REG   3,67   76962 114886 /usr/local/freeradius/lib/rlm_unix-0.9.3.so
radiusd 7563 root  mem    REG   3,67   31665 114717 /usr/local/freeradius/lib/rlm_chap-0.9.3.so
radiusd 7563 root  mem    REG   3,66   25084 263242 /usr/lib/libltdl.so.3.1.0
radiusd 7563 root  mem    REG   3,67   37387 114742 /usr/local/freeradius/lib/rlm_detail-0.9.3.so
radiusd 7563 root  mem    REG   3,66  107716 723747 /lib/ld-2.3.2.so
radiusd 7563 root  mem    REG   3,66 1575400 917807 /lib/tls/libc-2.3.2.so
radiusd 7563 root  mem    REG   3,66   16312 723748 /lib/libdl-2.3.2.so
radiusd 7563 root  mem    REG   3,67   38919 114862 /usr/local/freeradius/lib/rlm_realm-0.9.3.so
radiusd 7563 root  mem    REG   3,67  865952 442370 /usr/local/openssl/lib/libcrypto.so.0.9.6
radiusd 7563 root  mem    REG   3,66   99880 917809 /lib/tls/libpthread-0.60.so
radiusd 7563 root  mem    REG   3,66   78048 723750 /lib/libresolv-2.3.2.so
radiusd 7563 root  mem    REG   3,67   54833 114767 /usr/local/freeradius/lib/rlm_eap_md5-0.9.3.so
radiusd 7563 root  mem    REG   3,67  243478 114692 /usr/local/freeradius/lib/libradius-0.9.3.so
radiusd 7563 root  mem    REG   3,67   33119 114787 /usr/local/freeradius/lib/rlm_expr-0.9.3.so
radiusd 7563 root  mem    REG   3,67   40336 114857 /usr/local/freeradius/lib/rlm_radutmp-0.9.3.so
radiusd 7563 root  mem    REG   3,66   51152 720976 /lib/libnss_files-2.3.2.so
radiusd 7563 root  mem    REG   3,67   33535 114697 /usr/local/freeradius/lib/rlm_acct_unique-0.9.3.so
radiusd 7563 root  mem    REG   3,67   35518 114832 /usr/local/freeradius/lib/rlm_pap-0.9.3.so
radiusd 7563 root  mem    REG   3,67  109173 114757 /usr/local/freeradius/lib/rlm_eap-0.9.3.so
radiusd 7563 root  mem    REG   3,66   24848 723758 /lib/libcrypt-2.3.2.so
radiusd 7563 root  mem    REG   3,66   93028 723755 /lib/libnsl-2.3.2.so
radiusd 7563 root    0u   CHR  136,1              3 /dev/pts/1
radiusd 7563 root    1u   CHR  136,1              3 /dev/pts/1
radiusd 7563 root    2u   CHR  136,1              3 /dev/pts/1
radiusd 7563 root    3u  IPv4  28026            UDP *:radius
radiusd 7563 root    4u  IPv4  28027            UDP *:radius-acct
radiusd 7563 root    5u  IPv4  28028            UDP *:1814


strace output:
----------------------------------------------------------------------------
recvfrom(3, "\1/\0008\304\3\353F\301\261\323.\222#\2\372tp\232\221\1"..., 4096, 0, {sa_family=AF_INET, sin_port=htons(32769), sin_addr=inet_addr("127.0.0.1")}, [16]) = 56
write(1, "rad_recv: Access-Request packet "..., 76) = 76
time(NULL)                              = 1073600816
write(1, "\tUser-Name = \"test\"\n", 20) = 20
write(1, "\tUser-Password = \"t1e2s3t4\"\n", 28) = 28
write(1, "\tNAS-IP-Address = 255.255.255.25"..., 34) = 34
write(1, "\tNAS-Port = 0\n", 14)        = 14
time(NULL)                              = 1073600816
write(1, "modcall: entering group authoriz"..., 48) = 48
time(NULL)                              = 1073600816
write(1, "  modcall[authorize]: module \"pr"..., 67) = 67
time(NULL)                              = 1073600816
write(1, "  modcall[authorize]: module \"ch"..., 63) = 63
time(NULL)                              = 1073600816
write(1, "  modcall[authorize]: module \"ea"..., 62) = 62
time(NULL)                              = 1073600816
write(1, "    rlm_realm: No \'@\' in User-Na"..., 67) = 67
time(NULL)                              = 1073600816
time(NULL)                              = 1073600816
write(1, "    rlm_realm: No such realm \"NU"..., 36) = 36
time(NULL)                              = 1073600816
write(1, "  modcall[authorize]: module \"su"..., 65) = 65
time(NULL)                              = 1073600816
write(1, "    users: Matched DEFAULT at 15"..., 34) = 34
time(NULL)                              = 1073600816
write(1, "  modcall[authorize]: module \"fi"..., 62) = 62
time(NULL)                              = 1073600816
write(1, "  modcall[authorize]: module \"ms"..., 65) = 65
time(NULL)                              = 1073600816
write(1, "modcall: group authorize returns"..., 50) = 50
time(NULL)                              = 1073600816
write(1, "  rad_check_password:  Found Aut"..., 46) = 46
time(NULL)                              = 1073600816
write(1, "auth: type \"System\"\n", 20) = 20
time(NULL)                              = 1073600816
write(1, "modcall: entering group authenti"..., 51) = 51
open("/etc/passwd", O_RDONLY)           = 6
fcntl64(6, F_GETFD)                     = 0
fcntl64(6, F_SETFD, FD_CLOEXEC)         = 0
fstat64(6, {st_mode=S_IFREG|0644, st_size=1736, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xbf56b000
read(6, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1736
close(6)                                = 0
munmap(0xbf56b000, 4096)                = 0
open("/etc/shadow", O_RDONLY)           = 6
fcntl64(6, F_GETFD)                     = 0
fcntl64(6, F_SETFD, FD_CLOEXEC)         = 0
fstat64(6, {st_mode=S_IFREG|0400, st_size=1163, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xbf56b000
read(6, "root:xyxywhdhwjhjsjsjsdj"..., 4096) = 1163
close(6)                                = 0
munmap(0xbf56b000, 4096)                = 0
open("/etc/shells", O_RDONLY)           = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=80, ...}) = 0
fstat64(6, {st_mode=S_IFREG|0644, st_size=80, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xbf56b000
read(6, "/bin/sh\n/bin/bash\n/sbin/nologin\n"..., 4096) = 80
close(6)                                = 0
munmap(0xbf56b000, 4096)                = 0
time(NULL)                              = 1073600817
write(1, "rlm_unix: [test]: invalid passwo"..., 35) = 35
time(NULL)                              = 1073600817
write(1, "  modcall[authenticate]: module "..., 68) = 68
time(NULL)                              = 1073600817
write(1, "modcall: group authenticate retu"..., 57) = 57
time(NULL)                              = 1073600817
write(1, "auth: Failed to validate the use"..., 35) = 35
time(NULL)                              = 1073600817
write(1, "Delaying request 2 for 1 seconds"..., 33) = 33
time(NULL)                              = 1073600817
write(1, "Finished request 2\n", 19)    = 19
time(NULL)                              = 1073600817
write(1, "Going to the next request\n", 26) = 26
time(NULL)                              = 1073600817
time(NULL)                              = 1073600817
write(1, "--- Walking the entire request l"..., 40) = 40
time(NULL)                              = 1073600817
write(1, "Waking up in 1 seconds...\n", 26) = 26
select(6, [3 4 5], NULL, NULL, {1, 0})  = 0 (Timeout)
time(NULL)                              = 1073600818
time(NULL)                              = 1073600818
write(1, "--- Walking the entire request l"..., 40) = 40
write(1, "Sending Access-Reject of id 47 t"..., 50) = 50
sendto(3, "\3/\0\24\233!\372\201\317\34v?\241\304\331\210\25\7\256"..., 20, 0, {sa_family=AF_INET, sin_port=htons(32769), sin_addr=inet_addr("127.0.0.1")}, 16) = 20
time(NULL)                              = 1073600818

----------------------------------------------------------------------------
[EMAIL PROTECTED] RADIUS]$
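
A triage helper for debug traces like the one in this post, added here as an example and not part of the original message or of FreeRADIUS: it walks the `modcall` lines and reports which module rejected the request, the message that module logged just before, and whether the trace carries a cleartext User-Password. The function name `summarize` and the shortened sample trace are constructed for illustration.

```python
import re

# Constructed sample: a shortened trace in the same shape as the debug output in the post.
SAMPLE_TRACE = '''\
        User-Name = "test"
        User-Password = "t1e2s3t4"
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  rad_check_password:  Found Auth-Type System
rlm_unix: [test]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
'''

USER = re.compile(r'User-Name = "([^"]*)"')
USERS = re.compile(r'users: Matched (\S+) at (\d+)')
AUTH_TYPE = re.compile(r'Found Auth-Type (\S+)')
RLM_MSG = re.compile(r'(rlm_\w+): (.+)')
MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')

def summarize(trace):
    """Hypothetical helper: explain a reject from radiusd debug output."""
    info = {"user": None, "users_entry": None, "auth_type": None, "path": [],
            "rejected_by": None, "reason": None, "cleartext_password": False}
    last_msg = None  # most recent rlm_* message since the last module result
    for line in map(str.strip, trace.splitlines()):
        if line.startswith("User-Password ="):
            info["cleartext_password"] = True  # redact before sharing the trace
        elif info["user"] is None and (m := USER.match(line)):
            info["user"] = m.group(1)
        elif m := USERS.match(line):
            info["users_entry"] = (m.group(1), int(m.group(2)))
        elif m := AUTH_TYPE.search(line):
            info["auth_type"] = m.group(1)
        elif m := RLM_MSG.match(line):
            last_msg = m.group(2)
        elif m := MODCALL.match(line):
            info["path"].append(m.groups())
            if m.group(3) == "reject" and info["rejected_by"] is None:
                info["rejected_by"] = (m.group(1), m.group(2))
                info["reason"] = last_msg
            last_msg = None
    return info

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the sample it reports the reject coming from `unix` in the `authenticate` section with Auth-Type System, selected by the DEFAULT entry at line 152 of the users file.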


