I need to set up a Freeradius server proxying certain requests to another
radius server (Safeword Premier Access) in order to authenticate users with
tokens. All other users are to be authenticated locally.

My problem is: If I supply a correct password, the thread serving the
request gets into an infinite loop eating almost 100% of CPU time. Bad
passwords are rejected correctly.

The only thing I have configured (besides shared secrets) is that I defined
"myrealm" in proxy.conf file:

realm myrealm {
        type            = radius
        authhost        = swpa.sbs.sk:1645
        accthost        = swpa.sbs.sk:1813
        secret          = mysecret
}

When I try to log into the router as [EMAIL PROTECTED] supplying an incorrect
password, the request is successfully refused. However, when I supply a
correct password, the thread serving the request receives an Access-Accept
packet from the home server, but following that it gets into an infinite
loop and fails to send any response to the NAS. After a while the master
process logs "WARNING: Unresponsive child (id XXXXX) for request YY". strace
or ltrace on the blocked thread did not yield anything.

My OS is SuSE 9.0. I tried both the SuSE package (version 0.9.0) and a
binary compiled from the sources (version 0.9.3).

I suppose that I am missing something in my configuration (although the
server should not get into an infinite loop).

Any help will be appreciated.





the output from "radiusd -xx" is:


**************** Incorrect password supplied *********************

rad_recv: Access-Request packet from host 163.242.48.9:1645, id=105,
length=66
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
        NAS-IP-Address = 163.242.48.9
        NAS-Port = 0
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "123456"
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: Looking up realm "myrealm" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "myrealm"
    rlm_realm: Adding Stripped-User-Name = "robert"
    rlm_realm: Proxying request from user robert to realm myrealm
    rlm_realm: Adding Realm = "myrealm"
    rlm_realm: Preparing to proxy authentication request to realm "myrealm" 
  modcall[authorize]: module "suffix" returns updated for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 1 to 163.242.54.177:1645
        User-Name = "robert"
        NAS-IP-Address = 163.242.48.9
        NAS-Port = 0
        User-Password = "123456"
        Proxy-State = 0x313035
Thread 1 waiting to be assigned a request
rad_recv: Access-Reject packet from host 163.242.54.177:1645, id=1,
length=28
Thread 2 assigned request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
Thread 2 handling request 0, (1 handled so far)
        Reply-Message = "\n"
        Proxy-State = 0x313035
modcall: entering group post-proxy for request 0
  modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns noop for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 2 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Sending Access-Reject of id 105 to 163.242.48.9:1645
        Reply-Message = "\n"
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 105 with timestamp 409b9368
Nothing to do.  Sleeping until we see a request.



**************** Correct password supplied *********************

rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
        NAS-IP-Address = 163.242.48.9
        NAS-Port = 0
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "fp5cp7"
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: Looking up realm "myrealm" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "myrealm"
    rlm_realm: Adding Stripped-User-Name = "robert"
    rlm_realm: Proxying request from user robert to realm myrealm
    rlm_realm: Adding Realm = "myrealm"
    rlm_realm: Preparing to proxy authentication request to realm "myrealm" 
  modcall[authorize]: module "suffix" returns updated for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 1 to 163.242.54.177:1645
        User-Name = "robert"
        NAS-IP-Address = 163.242.48.9
        NAS-Port = 0
        User-Password = "fp5cp7"
        Proxy-State = 0x313037
Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host 163.242.54.177:1645, id=1,
length=125
Thread 2 assigned request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
Thread 2 handling request 0, (1 handled so far)
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = "lcp:callback-dialstring="
        Cisco-AVPair = "lcp:nocallback-verify=1"
        Cisco-AVPair = "ip:addr-pool=main_pool"
modcall: entering group post-proxy for request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
WARNING: Unresponsive child (id 32771) for request 0
Server rejecting request 0.
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...






                Robert Szelepcsényi
                Operation Related Services
                Siemens Business Services s.r.o.
                Stromová 9
                830 07 BRATISLAVA
                Slovenská republika
                * (+421 2) 5968 4914
                * (+421 903) 634 844
                * [EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
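
An added example, not part of the original post and not FreeRADIUS code: a small Python triage script for "radiusd -xx" output like the above. It reports which processing section a request entered without returning, the watchdog warnings, and how often the NAS retransmitted. The sample log is constructed from lines in the post, and the function name analyze is hypothetical.

```python
import re

# Constructed sample, condensed from the shape of the debug output in the post.
SAMPLE = """\
modcall: entering group authorize for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 1 to 163.242.54.177:1645
        Proxy-State = 0x313037
rad_recv: Access-Accept packet from host 163.242.54.177:1645, id=1,
modcall: entering group post-proxy for request 0
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
WARNING: Unresponsive child (id 32771) for request 0
"""

ENTER = re.compile(r"modcall: entering group (\S+) for request (\d+)")
LEAVE = re.compile(r"modcall: group (\S+) returns \S+ for request (\d+)")
UNRESPONSIVE = re.compile(r"Unresponsive child \(id (\d+)\) for request (\d+)")
PROXY_STATE = re.compile(r"Proxy-State = 0x((?:[0-9a-fA-F]{2})+)")
DISCARDED = re.compile(r"Discarding new request from client \S+ - ID: (\d+)")


def analyze(log_text):
    """Summarise a debug log: stuck sections, watchdog hits, retransmits."""
    in_section = {}  # request number -> section entered but not yet returned
    result = {"stuck": {}, "unresponsive": [], "proxy_state": set(), "retransmits": {}}
    for line in log_text.splitlines():
        if m := ENTER.search(line):
            in_section[int(m[2])] = m[1]
        elif m := LEAVE.search(line):
            if in_section.get(int(m[2])) == m[1]:
                del in_section[int(m[2])]
        elif m := UNRESPONSIVE.search(line):
            result["unresponsive"].append((int(m[1]), int(m[2])))  # (child id, request)
        elif m := PROXY_STATE.search(line):
            # In the post's log these bytes are the NAS packet ID as ASCII digits.
            result["proxy_state"].add(bytes.fromhex(m[1]).decode("ascii", "replace"))
        elif m := DISCARDED.search(line):
            nas_id = int(m[1])
            result["retransmits"][nas_id] = result["retransmits"].get(nas_id, 0) + 1
    result["stuck"] = dict(in_section)  # whatever never returned by end of log
    return result


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Request numbers restart with each server run, so feed it one "radiusd -xx" session at a time.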
