On Wed, 30 Sep 2009, Ivan Kalik wrote:
We have a client running FreeRADIUS 2.1.6 on a Linux box, authenticating
against shadow passwords. I've gone over radiusd.conf and it appears
that the expiration module is enabled by default in the global config (there
are no virtual servers here). However, FreeRADIUS appears to ignore it and
authenticates users whose passwords have expired anyway. Expiring the
account itself worked when I tried it, but it would be much better to
have the password expiry itself respected.
Debug?
Ivan Kalik
OK, here is the output from running with "-xx" debugging:
group = wheel
user = root
including dictionary file /usr/etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/usr/var"
logdir = "/var/log/radius"
libdir = "/usr/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "DELETED"
nastype = "other"
}
client 216.1.12.66 {
require_message_authenticator = no
secret = "DELETED"
shortname = "cisco_pptp"
nastype = "cisco"
}
client 192.168.3.36 {
require_message_authenticator = no
secret = "DELETED"
shortname = "s036"
nastype = "other"
}
client 216.1.12.74 {
require_message_authenticator = no
secret = "DELETED"
shortname = "utopia"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/usr/etc/raddb/users"
acctusersfile = "/usr/etc/raddb/acct_users"
preproxy_usersfile = "/usr/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/usr/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/usr/etc/raddb/huntgroups"
hints = "/usr/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_ippool
Module: Instantiating medium_pool
ippool medium_pool {
session-db = "/usr/etc/raddb/db.medium_ippool"
ip-index = "/usr/etc/raddb/db.medium_ipindex"
key = "%{NAS-IP-Address} %{NAS-Port}"
range-start = 172.16.31.101
range-stop = 172.16.31.253
netmask = 255.255.255.0
cache-size = 251
override = yes
maximum-timeout = 0
}
Module: Instantiating super_pool
ippool super_pool {
session-db = "/usr/etc/raddb/db.super_ippool"
ip-index = "/usr/etc/raddb/db.super_ipindex"
key = "%{NAS-IP-Address} %{NAS-Port}"
range-start = 172.16.30.101
range-stop = 172.16.30.253
netmask = 255.255.255.0
cache-size = 251
override = yes
maximum-timeout = 0
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 300
cleanup_delay = 5
max_queue_size = 65536
}
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Re-wait 1
Thread 4 waiting to be assigned a request
Thread 3 waiting to be assigned a request
}
listen {
type = "acct"
ipaddr = *
port = 0
Re-wait 1
Re-wait 5
Re-wait 4
Re-wait 3
Re-wait 1
Re-wait 2
}
Re-wait 1
Re-wait 4
Re-wait 3
Re-wait 5
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
Threads: total/active/spare threads = 5/0/5
Waking up in 0.9 seconds.
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry test at line 173
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "DELETED"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [test] (from client cisco_pptp port 442)
+- entering group post-auth {...}
[medium_pool] Could not find Pool-Name attribute.
++[medium_pool] returns noop
[super_pool] Could not find Pool-Name attribute.
++[super_pool] returns noop
++[exec] returns noop
Finished request 0.
Going to the next request
Thread 1 waiting to be assigned a request
Waking up in 4.0 seconds.
Cleaning up request 0 ID 102 with timestamp +18
Ready to process requests.
James Smallacombe PlantageNet, Inc. CEO and Janitor
[email protected] http://3.am