Re: compiling freeradius with oracle support

2008-08-29 Thread Alan DeKok
Alexandre Chapellon wrote:
> In fact I had to set RLM_SQL_LIBS to -L/opt/oracle/instantclient_11_1/
> -lclntsh -lm
> in the Makefile of rlm_sql_oracle (which is done by the configure script
> when it works).

  It wasn't working?

> and create a missing symlink in the oracle instantclient: libclntsh.so
> -> libclntsh.so.11

  That would help, yes.  That was likely the cause of many of the
problems.  I'll bet that if you re-ran configure after making that
change, it would Just Work.

> the problem is, when you use a wrapper such as dpkg-buildpackage you can't run
> configure first, change one Makefile and then make, so at the moment
> building without oracle support and having a tar.gz containing the oracle
> module (compiled afterwards) seems the only solution. It's a bit
> tricky but works and is still helpful for massive deployment.

  Ah.  Another wrapper layer around the build system makes it even
harder to get it to work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Unknown AVPs

2008-08-29 Thread Alan DeKok
Jeffrey Sewell wrote:
> I've got a FreeRADIUS server that takes in Accounting data that is
> proxied to it from another server. In the Accounting packets I see AVPs
> that are tagged "Unknown-Attribute."

  Hm... unknown attributes should be printed as Vendor-123-Attr-456.

> I assume that's because either the
> originating server or the FreeRADIUS server is missing a dictionary
> file/entry to identify the Attribute.

  The proxying server is missing the dictionary entries.

> First question: is that assumption correct?

  Yes.

> If so, who sets that Attribute, the originator or the target?

  The originator sets the *number* of the attribute.  The proxy uses
that number to look up a name in the dictionaries.

> And more generally: as these are written to the MySQL DB I see that they
> are pulled off the packet and stored as variables that are accessible in
> the sql.conf file for example:
> 
> AcctSessionTime = '%{Acct-Session-Time}'
> 
> Is that variable pulled directly from the packet? So that whatever
> attribute is in the packet, it will be named %{whatever} ?

  It will look up the name in the dictionary, get the number, and then
look up the relevant numbered attribute from the packet.

> I've got other data coming in that I need to store in the SQL DB and
> suppose that I'll need to modify the sql.conf and the radacct table in
> order to get them in there.

  Yes.

  You may want to take a look at
raddb/sites-available/robust-proxy-accounting.  It documents a method of
proxying transparently when the home server is up, and writing to local
disk when it's not.  When the home server comes back up, the packets
written to disk are forwarded automagically.

  You may also want to look at raddb/sites-available/buffered-sql for
the "write to SQL" portion.  Some people have seen significant
performance improvements by using this method, i.e. writing all packets
directly to SQL can often thrash the SQL server.

  Alan DeKok
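The dictionary lookup Alan describes (the originator sets the attribute number, the server that names it looks the number up in its dictionaries, and %{Name} expansion goes the other way, name to number to packet) as an added Python example. This is not code from the thread or from FreeRADIUS; the dictionary is a hand-picked subset of real entries (User-Name, Acct-Session-Time, Cisco-AVPair under Cisco's vendor id 9), while vendor id 123, vendor attribute 45 and top-level attribute 200 are constructed so that the fallback names appear. The fallback naming follows Alan's "Vendor-123-Attr-456" description for vendor-specific attributes; the "Attr-N" form for unknown top-level attributes is an assumption about the exact output format.

```python
import struct

VENDOR_SPECIFIC = 26

# Hand-picked dictionary subset: number -> (name, type).  A real server loads
# raddb/dictionary*; the proxy in the thread is the one missing entries.
DICT_ATTR = {
    1: ("User-Name", "string"),
    46: ("Acct-Session-Time", "integer"),
}
# (vendor id, vendor attribute number) -> (name, type).  Cisco's vendor id is 9.
DICT_VSA = {
    (9, 1): ("Cisco-AVPair", "string"),
}
NAME_TO_ATTR = {v[0]: k for k, v in DICT_ATTR.items()}
NAME_TO_VSA = {v[0]: k for k, v in DICT_VSA.items()}


def walk_tlvs(data):
    """Yield (type, value) pairs from RADIUS type/length/value encoding,
    rejecting lengths that would run past the buffer."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        yield attr_type, data[i + 2:i + attr_len]
        i += attr_len


def decode_value(raw, kind):
    """Interpret raw bytes according to the dictionary type; unknown types
    are shown as hex, the way the debug output prints them."""
    if kind == "integer" and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    if kind == "string":
        return raw.decode("utf-8", errors="replace")
    return "0x" + raw.hex()


def decode_attributes(data):
    """Return [(name, value)], naming each attribute from the dictionary and
    falling back to Vendor-N-Attr-M / Attr-N when there is no entry."""
    out = []
    for attr_type, raw in walk_tlvs(data):
        if attr_type == VENDOR_SPECIFIC and len(raw) >= 4:
            vendor_id = struct.unpack("!I", raw[:4])[0]
            for vtype, vraw in walk_tlvs(raw[4:]):
                name, kind = DICT_VSA.get(
                    (vendor_id, vtype),
                    ("Vendor-%d-Attr-%d" % (vendor_id, vtype), "octets"))
                out.append((name, decode_value(vraw, kind)))
        else:
            name, kind = DICT_ATTR.get(attr_type,
                                       ("Attr-%d" % attr_type, "octets"))
            out.append((name, decode_value(raw, kind)))
    return out


def xlat(name, data):
    """%{Name} expansion as Alan describes it: name -> number via the
    dictionary, then that numbered attribute is fetched from the packet.
    Returns None when the name is unknown or the attribute is absent."""
    if name in NAME_TO_ATTR:
        number = NAME_TO_ATTR[name]
        kind = DICT_ATTR[number][1]
        for attr_type, raw in walk_tlvs(data):
            if attr_type == number:
                return decode_value(raw, kind)
        return None
    if name in NAME_TO_VSA:
        vendor_id, vtype = NAME_TO_VSA[name]
        kind = DICT_VSA[(vendor_id, vtype)][1]
        for attr_type, raw in walk_tlvs(data):
            if attr_type != VENDOR_SPECIFIC or len(raw) < 4:
                continue
            if struct.unpack("!I", raw[:4])[0] != vendor_id:
                continue
            for t, vraw in walk_tlvs(raw[4:]):
                if t == vtype:
                    return decode_value(vraw, kind)
    return None


def encode_attr(attr_type, raw):
    return bytes([attr_type, 2 + len(raw)]) + raw


def encode_vsa(vendor_id, vtype, raw):
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + encode_attr(vtype, raw))


# Constructed sample: the attribute section of one accounting packet.
# Vendor 123 is fictional and attribute 200 is deliberately not in DICT_ATTR.
SAMPLE = (
    encode_attr(1, b"alice")
    + encode_attr(46, struct.pack("!I", 3600))
    + encode_vsa(9, 1, b"shell:priv-lvl=15")
    + encode_vsa(123, 45, b"\x01")
    + encode_attr(200, b"\x00")
)

if __name__ == "__main__":
    for name, value in decode_attributes(SAMPLE):
        print("%s = %r" % (name, value))
    print("%%{Acct-Session-Time} -> %r" % xlat("Acct-Session-Time", SAMPLE))
```

Run against SAMPLE this prints User-Name, Acct-Session-Time and Cisco-AVPair by name, then Vendor-123-Attr-45 and Attr-200 for the two entries the dictionary lacks. When those fallback names show up in radacct or in debug output, the fix belongs on the server doing the naming (the proxy, as Alan says), and the %{...} expansion in sql.conf only works for names that server's dictionary knows.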


Unknown AVPs

2008-08-29 Thread Jeffrey Sewell
I've got a FreeRADIUS server that takes in Accounting data that is
proxied to it from another server. In the Accounting packets I see
AVPs that are tagged "Unknown-Attribute." I assume that's because
either the originating server or the FreeRADIUS server is missing a
dictionary file/entry to identify the Attribute.

First question: is that assumption correct?

If so, who sets that Attribute, the originator or the target?

And more generally: as these are written to the MySQL DB I see that
they are pulled off the packet and stored as variables that are
accessible in the sql.conf file for example:

AcctSessionTime = '%{Acct-Session-Time}'

Is that variable pulled directly from the packet? So that whatever
attribute is in the packet, it will be named %{whatever} ?

I've got other data coming in that I need to store in the SQL DB and
suppose that I'll need to modify the sql.conf and the radacct table in
order to get them in there.

Any insights/thoughts/direction would be appreciated.

Jeff


Re: compiling freeradius with oracle support

2008-08-29 Thread Alexandre Chapellon


Alan DeKok wrote:
> Alexandre Chapellon wrote:
>> Oh my! Do you know what those commands are, or where I can find them?
>
>   Err.. "man ld"?  Watch the output of running "make", and see what
> commands it runs, then try variants of those?
>
OK. At last I got it! But how painful it has been.

In fact I had to set RLM_SQL_LIBS to -L/opt/oracle/instantclient_11_1/
-lclntsh -lm
in the Makefile of rlm_sql_oracle (which is done by the configure script
when it works).

and create a missing symlink in the Oracle instantclient: libclntsh.so
-> libclntsh.so.11

Then you can run make.

The problem is, when you use a wrapper such as dpkg-buildpackage you can't run
configure first, change one Makefile and then make, so at the moment
building without oracle support and having a tar.gz containing the oracle
module (compiled afterwards) seems the only solution. It's a bit
tricky but works and is still helpful for massive deployment.

>   Alan DeKok.

Re: Unable to authenticate to 10.5.4 open directory

2008-08-29 Thread Ivan Kalik
>modcall: entering group MS-CHAP for request 6
>  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
>  rlm_mschap: No NT-Password configured. Trying DirectoryService 
> Authentication.

What is the password entry for this user in ldap? Is it encrypted?

Ivan Kalik
Kalik Informatika ISP



Unable to authenticate to 10.5.4 open directory

2008-08-29 Thread Thomas von Eyben
Hi there,

I have been googling and searching the archives for help - no luck so far.

I am trying to get Mac OS X 10.5.4 Server to authenticate against the
Open Directory in order to provide "http://eduroam.org" service - so
far with no luck.

I AM able to authenticate against my hardcoded users in the /users
file so I know that part (most?) of the setup is working (firewall,
proxying etc).

Running radiusd in debug mode (sudo /usr/sbin/radiusd -X -f) gives
this good debug info (please help me find my problem as I am not an
expert within RADIUS - yet :-)

Testclient is also Mac OS X 10.5.4 though a Client - not a Server :)

rad_recv: Access-Request packet from host 130.225.242.107:1814, id=26,
length=201
Received packet from 130.225.242.107 with invalid
Message-Authenticator!  (Shared secret is incorrect.) Dropping packet
without response.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 130.225.242.107:1814, id=27,
length=201
Received packet from 130.225.242.107 with invalid
Message-Authenticator!  (Shared secret is incorrect.) Dropping packet
without response.
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 130.225.242.107:1814, id=28,
length=201
Received packet from 130.225.242.107 with invalid
Message-Authenticator!  (Shared secret is incorrect.) Dropping packet
without response.
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 26 with timestamp 48b8514f
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 27 with timestamp 48b85151
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 28 with timestamp 48b85153
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 130.225.242.106:1814, id=19,
length=201
User-Name = "[EMAIL PROTECTED]"
Calling-Station-Id = "00-14-51-7F-C3-A2"
Called-Station-Id = "00-0B-85-84-19-E0:eduroam"
NAS-Port = 29
NAS-IP-Address = 172.17.1.4
NAS-Identifier = "Cisco_ea:68:a3"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "\000800"
EAP-Message = 0x0203001501746573747573657240627269632e646b
Message-Authenticator = 0x5216ae078ddb62a4e787498caba6c2f6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: Looking up realm "bric.dk" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "bric.dk"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm bric.dk
rlm_realm: Adding Realm = "bric.dk"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 3 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 3
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 130.225.242.106 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
  modcall[authorize]: module "opendirectory" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 19 to 130.225.242.106 port 1814
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010400061520
Message-Authenticator = 0x
State = 0x6b55b82a65c27423545059bd72c3a1a3
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 130.22
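The first three requests in the debug output above were dropped without a reply because their Message-Authenticator did not validate under the shared secret configured for that client. As an added example, not code from the thread or from FreeRADIUS, this Python block builds an Access-Request carrying a correct Message-Authenticator and verifies it the way a server does: HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's 16 value bytes set to zero (RFC 2869, section 5.14). The packet contents, the identifier and both secrets are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80   # attribute number of Message-Authenticator
HEADER_LEN = 20              # code, id, length, 16-byte Request Authenticator


def build_access_request(secret, attrs, identifier=1, authenticator=None):
    """Build an Access-Request whose Message-Authenticator is correct under
    'secret'.  'attrs' is already-encoded attribute bytes without attr 80."""
    if authenticator is None:
        authenticator = os.urandom(16)   # Request Authenticator: random per request
    # The HMAC is computed with the attribute value filled with 16 zero bytes.
    body = attrs + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    length = HEADER_LEN + len(body)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # replace the zero placeholder with the real HMAC


def find_message_authenticator(packet):
    """Return the offset of the Message-Authenticator value bytes, or None."""
    i = HEADER_LEN
    while i + 2 <= len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            return None   # malformed: treat as absent
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return i + 2
        i += attr_len
    return None


def verify_message_authenticator(packet, secret):
    """True iff the packet carries a Message-Authenticator that validates
    under 'secret'.  A mismatch is what radiusd reports as "Shared secret
    is incorrect" before dropping the request without a response."""
    off = find_message_authenticator(packet)
    if off is None:
        return False
    received = packet[off:off + 16]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample attributes: User-Name = "testuser" and an empty
# EAP-Response/Identity (0x02 id=0 len=5 type=1), as an EAP start would carry.
SAMPLE_ATTRS = bytes([1, 10]) + b"testuser" + bytes([79, 7]) + bytes.fromhex("0200000501")
SECRET = b"constructed-secret"       # constructed, not a real deployment value
WRONG_SECRET = b"not-the-secret"


def demo():
    """(accepted with right secret, accepted with wrong secret)."""
    packet = build_access_request(SECRET, SAMPLE_ATTRS, identifier=26)
    return (verify_message_authenticator(packet, SECRET),
            verify_message_authenticator(packet, WRONG_SECRET))


if __name__ == "__main__":
    ok, bad = demo()
    print("correct secret:", "accepted" if ok else "dropped")
    print("wrong secret:  ", "accepted" if bad else "dropped (invalid Message-Authenticator)")
```

Dropping silently, as the log shows, is the right behaviour: any reply to a request that failed this check would tell the sender something about the secret. Whether a client is required to send the attribute at all is governed by the client's require_message_authenticator setting in clients.conf; when it is present it is always checked.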

Simultaneous-Use ..

2008-08-29 Thread Alexandre J. Correa - Onda Internet

Hello,

How can I set up FreeRADIUS to disconnect the previous session of a user that
has Simultaneous-Use = 1?!


thanks

--
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br



Re: FreeRadius not sending access-deny

2008-08-29 Thread Ivan Kalik
It is there:

>auth: Failed to validate the user.
>Login incorrect (rlm_ldap: User not found): [test] (from client
>NetworkEquipment port 0)
>Delaying request 0 for 1 seconds
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 5 to 10.15.251.232 port 1337

Ivan Kalik
Kalik Informatika ISP



Problem with radzap

2008-08-29 Thread Pierre-henri Baraffe

Hello,

I have a problem with my FreeRADIUS. On a server with 1.1.7 the command:

"radzap -u username -P port-nas 127.0.0.1 secret"  works with no problem.

On a new server with FR 2.0.5, with the same command I get this error:

radclient:: failed to get value

I get no further messages with the "-x" option and nothing in the log.
I have the same thing if I replace "127.0.0.1" with "localhost".

my client.conf

client localhost {
   ipaddr = 127.0.0.1
   secret  = secret
   require_message_authenticator = no
   shortname   = localhost
   nastype = other # localhost isn't usually a NAS...
}

I don't understand.

Thanks for your help.


ph


RE: Compile problems

2008-08-29 Thread David Blood
You were right.  Thanks.  Running radiusd found the radiusd that had first
been installed in the wrong location. Thanks so much.

David 


> -Original Message-
> From: freeradius-users-
> [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of
> Alan DeKok
> Sent: Thursday, August 28, 2008 11:54 PM
> To: FreeRadius users mailing list
> Subject: Re: Compile problems
> 
> David Blood wrote:
> > I wish what you said was true. I see that in Make.inc sysconfdir is
> set to /etc.  Great.  The problem is when I run radius -X after
> installing.  It says it is looking for the config files in
> /usr/local/etc/raddb.  I can use radiusd -Xd /etc/raddb  and things
> work fine.  The problem is making radiusd look in the right place
> without using the -d setting.
> 
>   Are you sure you don't have two versions of radiusd installed?  If
> you
> do, then you might be running one that is configured to use
> /usr/local/etc, rather than /etc.
> 
>   Again, there's no magic here.  See also src/include/radpaths.h.  It
> defines where the raddb directory is.  If THAT also points to
> /etc/raddb, then you MUST have two versions of radiusd installed.
> 
>   Alan DeKok.


Re: FreeRadius not sending access-deny

2008-08-29 Thread Ryan Kramer
That setting was at the default of 1, I tried setting to zero, no effect.

Here is the debug output with first a successful user followed by the same
user with a bad pwd.


--

rad_recv: Access-Request packet from host 10.15.251.232:1387, id=6,
length=62
User-Name = "test"
User-Password = "test"
Message-Authenticator = 0x0adeae0c4cb8659e2aaede3adb6009a3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 0
users: Matched entry DEFAULT at line 1
users: Matched entry test at line 33
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=***,dc=**,dc=**'
radius_xlat:  '(uid=test)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.2.16.156:389, authentication 0
rlm_ldap: bind as cn=ITDRADIUSC,ou=USERS,ou=ITD,dc=nd,dc=gov/X27wireless45
to 10.2.16.156:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=***,dc=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=***,dc=**,dc=***'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=***,**=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test] (from client NetworkEquipment port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/reply-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/reply-detail-20080829
  modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 6 to 10.15.251.232 port 1387
NS-Admin-Privilege = Root-Admin
APC-Service-Type = 1
Service-Type = Administrative-User
Cisco-AVPair = "shell:priv-lvl=15"
Filter-Id = "unlim"
Extreme-Shell-Command = "Enable"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

--

rad_recv: Access-Request packet from host 10.15.251.232:1337, id=5,
length=62
User-Name = "test"
User-Password = "test2"
Message-Authenticator = 0x9bb6290c9d5e7dcffeeafe87e2c65b40
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829
  modcall[authorize]: module "auth_log" returns ok

Re: FreeRadius not sending access-deny

2008-08-29 Thread Alan DeKok
Ryan Kramer wrote:
> I recently discovered that my Freeradius 1.1.7 install is no longer
> sending access-deny messages for bad passwords.  This causes the device
> to mark the radius server as down and move on to the next one, or just
> marks it as down.  I know it's probably something I did in the config,
> but for the life of me can't figure out how I managed to cause that.
> Everything else on the install works great, just for the exception of no
> access-deny packets ever move.

  Set "reject_delay = 0"

  Alan DeKok.


Re: FreeRadius not sending access-deny

2008-08-29 Thread Ivan Kalik
Post the debug of the user that should be rejected.

Ivan Kalik
Kalik Informatika ISP


On 29/8/2008, "Ryan Kramer" <[EMAIL PROTECTED]> writes:

>Hello,
>
>I recently discovered that my Freeradius 1.1.7 install is no longer sending
>access-deny messages for bad passwords.  This causes the device to mark the
>radius server as down and move on to the next one, or just marks it as
>down.  I know it's probably something I did in the config, but for the life
>of me can't figure out how I managed to cause that.  Everything else on the
>install works great, just for the exception of no access-deny packets ever
>move.
>
>Any ideas?
>
>Ryan
>
>



RE: Equivalent of post_proxy_authorize in FR 2.0.5?

2008-08-29 Thread Palmer J.D.F.
Thanks Alan. :)
Was sql.authorize in our case.

Cheers,
Jezz.

> -Original Message-
> From: freeradius-users-
> [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of
> Alan DeKok
> Sent: 29 August 2008 14:07
> To: FreeRadius users mailing list
> Subject: Re: Equivalent of post_proxy_authorize in FR 2.0.5?
> 
> Palmer J.D.F. wrote:
> > In V1.1.7 we use the post_proxy_authorize directive in proxy.conf to
> > re-run authorize to obtain the VLAN information, however this is
> > deprecated in V2.
> > Can someone tell me what method I should use to achieve this for
> proxied
> > requests in FR V2?
> 
>   If you have "users" in the "authorize" section, edit the "post-auth"
> section, and add an entry "users.authorize".
> 
>   Alan DeKok.


FreeRadius not sending access-deny

2008-08-29 Thread Ryan Kramer
Hello,

I recently discovered that my Freeradius 1.1.7 install is no longer sending
access-deny messages for bad passwords.  This causes the device to mark the
radius server as down and move on to the next one, or just marks it as
down.  I know it's probably something I did in the config, but for the life
of me can't figure out how I managed to cause that.  Everything else on the
install works great, just for the exception of no access-deny packets ever
move.

Any ideas?

Ryan

Re: Equivalent of post_proxy_authorize in FR 2.0.5?

2008-08-29 Thread Alan DeKok
Palmer J.D.F. wrote:
> In V1.1.7 we use the post_proxy_authorize directive in proxy.conf to
> re-run authorize to obtain the VLAN information, however this is
> deprecated in V2.
> Can someone tell me what method I should use to achieve this for proxied
> requests in FR V2?

  If you have "users" in the "authorize" section, edit the "post-auth"
section, and add an entry "users.authorize".

  Alan DeKok.


Re: Equivalent of post_proxy_authorize in FR 2.0.5?

2008-08-29 Thread Ivan Kalik
http://freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP


On 29/8/2008, "Palmer J.D.F." <[EMAIL PROTECTED]> writes:

>Hi,
>
>We are having an issue with inserting dynamic VLAN information into
>proxied Access-Accept packets with FR V2.0.5.
>Local authentications do have VLAN info inserted into the accept packet.
>
>In V1.1.7 we use the post_proxy_authorize directive in proxy.conf to
>re-run authorize to obtain the VLAN information, however this is
>deprecated in V2.
>Can someone tell me what method I should use to achieve this for proxied
>requests in FR V2?
>
>Many thanks,
>Jezz Palmer.
>


Equivalent of post_proxy_authorize in FR 2.0.5?

2008-08-29 Thread Palmer J.D.F.
Hi,

We are having an issue with inserting dynamic VLAN information into
proxied Access-Accept packets with FR V2.0.5.
Local authentications do have VLAN info inserted into the accept packet.

In V1.1.7 we use the post_proxy_authorize directive in proxy.conf to
re-run authorize to obtain the VLAN information, however this is
deprecated in V2.
Can someone tell me what method I should use to achieve this for proxied
requests in FR V2?

Many thanks,
Jezz Palmer.



Re: Fwd: MSCHAP module returns OK, authentication fails..

2008-08-29 Thread James Yale
2008/8/28  <[EMAIL PROTECTED]>:
> hi,
>
> what's wrong with that debug? looked fine here - that should
> end with a happy connection. ntlm_auth got the correct
> response.
>
> alan

The problem is that when that log ends the WPA supplicant gets:

-- EAP-MSCHAPV2: Invalid authenticator response in success request

And the authentication fails. The full logs of the failure are at:

http://jim.geezas.com/stuff/radius-debugging/eapol-ntlmuser-failure.log
for the supplicant and:

http://jim.geezas.com/stuff/radius-debugging/radius-ntlmuser-failure.log
for radiusd.

I'm going to try a few different distributions/versions of FreeRadius
and Samba, perhaps compile from source - presumably this configuration
is fairly common and working elsewhere, so it should work with some
combination (if I find one I'll post it up).

Thanks,

James


Re: Freeradius + Ldap + attributes

2008-08-29 Thread Ivan Kalik
Yes. Add the reply attributes to ldap.attrmap.

Ivan Kalik
Kalik Informatika ISP


On 28/8/2008, "Ivan ." <[EMAIL PROTECTED]> writes:

>Hi
>
>I have Freeradius configured with a backend of OpenLdap for user management.
>
>I would like to be able to pass attributes for Nortel and Juniper
>gear, which when statically defining users in user file is done via:
>
>user  Auth-type:=Local, User-Password := "test"
>Juniper-Local-User-Name ="DEV",
>Service-Type = Administrative-User
>
>Is there a way to pass these attributes when using Ldap for user management?
>
>thanks
>Ivan


Re: Compile problems

2008-08-29 Thread A.L.M. Buxey
Hi,
> I wish what you said was true. I see that in Make.inc sysconfdir is set to 
> /etc.  Great.  The problem is when I run radius -X after installing.  It says 
> it is looking for the config files in /usr/local/etc/raddb.  I can use 
> radiusd -Xd /etc/raddb  and things work fine.  The problem is making radiusd 
> look in the right place without using the -d setting.

umm, you've previously ./configure'd, built and installed a previous
version...so 2 things:

1) check that you really are running the 'radiusd' you think you are running
2) the new install wouldn't overwrite any existing /etc/raddb files, so ensure
that the existing /etc/raddb/radiusd.conf doesn't have any silly PATHs
defined in it.

strace radiusd -X

will show what files are actually being read by the radiusd daemon
so you can see what games it's playing

alan