radiusd dying

2008-02-13 Thread Frank Winkler

Hi there !

After 1.1.7 had been running for about a month without any problems, 
radiusd has now died silently or got completely stuck (it has to be 
kill -9ed) a couple of times. In either case, I get no logs about what's wrong.


My platform is Solaris 10/x64 with quite current patches. Are there any 
known issues?


TIA

fw
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem compiling freeradius 1.1.7

2007-11-27 Thread Frank Winkler

Patrice Oliver wrote:

> It breaks the build, so I can't use it from sources.

I had similar problems which I could solve by

$ ./configure --prefix=/opt/freeradius --with-gnu-ld --without-rlm_perl \
    --without-rlm_sql --without-rlm_sqlippool


I still didn't get what I would need rlm_perl for ...

On what platform are you compiling?

Regards

fw


Re: Need help

2007-11-05 Thread Frank Winkler

Alan DeKok wrote:

> Why are you looking at the client side?  The README, INSTALL, FAQ, and
> daily messages on this list say that you should run in debug mode.  What
> do we have to add to the documentation to convince you that this is a
> good idea?
>
>> Why is the password displayed in plain text instead of hashed as on the old
>> server?
>
> Because it helps with debugging.

I think you didn't get the point of my question. I was wondering about the 
difference on two clients querying the same server for the same data.


> So... the passwords don't match?

They do but the lookup seems to be incorrect. What I have in the file is 
the output of smbencrypt but maybe that's not what the server is expecting.


> Post it here.


Ready to process requests.

rad_recv: Access-Request packet from host 127.0.0.1:65271, id=108, length=57
User-Name = fwvpn
User-Password = XXX
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
try to find in file
rlm_passwd: Added LM-Password: '624AAC413795CDC1AAD3B435B51404EE' to config_items
rlm_passwd: Added NT-Password: 'C5A237B7E9D8E708D8436B6148A25FA1' to config_items

try to find in file
Login incorrect: [fwvpn/[EMAIL PROTECTED] (from client localhost port 10)
Sending Access-Reject of id 108 to 127.0.0.1 port 65271


The password is displayed in plain text.

Regards

fw


Re: Need help

2007-11-05 Thread Frank Winkler

Alan DeKok wrote:

> Why have you massively edited the debug output?

I haven't - I just censored the password, that's all! But in fact, it seems 
that I forgot one occurrence :( ...


>> The password is displayed in plain text.
>
> Which password?  Could you explain which part of the edited output you
> refer to?

The XXX above.

> In any case, what little you've posted shows that the client is
> sending a PAP authentication request.  Are you sure that you have
> configured the server to do PAP authentication using NT-hashed

I have tried PAP and CHAP - how do I tell him about NT-hashes? I think 
that's exactly where it fails.


> passwords?  The debug output you've posted conveniently deletes EVERY
> REFERENCE TO THE AUTHENTICATION PROCESS.

That's all I get! But you're right ... I remember that there was much more 
output when I tried it the last time. Oops, I accidentally typed -x 
instead of -X.


Here we go again:


Ready to process requests.

rad_recv: Access-Request packet from host 127.0.0.1:63689, id=86, length=57
User-Name = fwvpn
User-Password = XXX
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/opt/freeradius/var/log/radius/radacct/127.0.0.1/auth-detail-20071105'
rlm_detail: /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/127.0.0.1/auth-detail-20071105

  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 100
  modcall[authorize]: module files returns ok for request 0
try to find in file
rlm_passwd: Added LM-Password: '624AAC413795CDC1AAD3B435B51404EE' to config_items
rlm_passwd: Added NT-Password: 'C5A237B7E9D8E708D8436B6148A25FA1' to config_items

try to find in file
  modcall[authorize]: module radpasswd returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [fwvpn/XXX] (from client localhost port 10)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 86 to 127.0.0.1 port 63689
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 86 with timestamp 472ee8ce
Nothing to do.  Sleeping until we see a request.


Auth-Type System sounds like the culprit ... but I can't find that in 
radiusd.conf.


TIA

fw

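The debug output in the message above repeats the cleartext password and the stored hashes in several places, and shows Auth-Type System being chosen although rlm_passwd had loaded LM/NT hashes. The following is an added example, not part of the original thread and not FreeRADIUS code: a small filter that masks those fields before a `radiusd -X` log is shared and reports that mismatch. The function names and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample shaped like the radiusd -X output in this thread.
# The password and hash are placeholders, not values from the page.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:63689, id=86, length=57
    User-Name = fwvpn
    User-Password = s3cret-example
rlm_passwd: Added NT-Password: '00112233445566778899AABBCCDDEEFF' to
config_items
  rad_check_password:  Found Auth-Type System
  modcall[authenticate]: module unix returns notfound for request 0
Login incorrect: [fwvpn/s3cret-example] (from client localhost port 10)
"""

REDACTIONS = [
    # Attribute dump of the request: User-Password = <cleartext>
    (re.compile(r"(User-Password\s*=\s*).*"), r"\1<redacted>"),
    # rlm_passwd echoing the stored hashes it loaded from the file
    (re.compile(r"((?:LM|NT)-Password:\s*)'[^']*'"), r"\1'<redacted>'"),
    # Summary line "[user/password]"; greedy match so a password that
    # itself contains '/' or ']' is still fully covered.
    (re.compile(r"(Login (?:incorrect|OK)[^\[]*\[[^/\]]*/).*(\] \(from client)"),
     r"\1<redacted>\2"),
]

def redact(log: str) -> str:
    """Mask every place the debug output repeats a password or hash."""
    for pattern, replacement in REDACTIONS:
        log = pattern.sub(replacement, log)
    return log

def diagnose(log: str) -> dict:
    """Report the Auth-Type chosen and the hashes rlm_passwd supplied."""
    stored = sorted(set(re.findall(r"rlm_passwd: Added ((?:LM|NT)-Password)", log)))
    found = re.search(r"Found Auth-Type (\S+)", log)
    auth_type = found.group(1) if found else None
    # The failure in this thread: hashes were loaded, but Auth-Type System
    # routed the request to the unix module, which returned notfound.
    return {"auth_type": auth_type, "stored": stored,
            "mismatch": bool(stored) and auth_type == "System"}

if __name__ == "__main__":
    print(redact(SAMPLE))
    print(diagnose(SAMPLE))
```
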


Re: Need help

2007-11-05 Thread Frank Winkler

Alan DeKok wrote:

> It's in the users file.  I've deleted it in CVS (what will be 1.1.8,
> and what will be 2.0).

Indeed:

DEFAULT Auth-Type = System
        Fall-Through = 1


> Delete it, AND add pap as the last module in the authorize
> section.  Also add pap in the authenticate section.

That did the trick - many thanks!

Just out of curiosity: would it also be possible to have both system and 
PAP? Does the order of the config entries influence the search order?


TIA

fw



Need help

2007-10-31 Thread Frank Winkler

Hi there !

Could someone please assist me in configuring FreeRADIUS? I'm quite new to
FR and migrated a server from 0.6 on Solaris 8/SPARC to 1.1.7 on Solaris
10/x64.

On the old server, the users were authenticated by regular /etc/passwd
means. I got this working on the new server. As there are some new features
in the later versions, I'd prefer to move the RADIUS users to a separate
smbpasswd-like file but I can't get the authentication to work.

Some questions:

The old server querying itself for a /etc/passwd user:
[EMAIL PROTECTED] # ./radtest frank XXX localhost 10 test123
Sending Access-Request of id 161 to 127.0.0.1:1812
User-Name = frank
User-Password = D[\326\255h\016A\275\357%\367\027_y
NAS-IP-Address = XXX
NAS-Port-Id = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=161, length=20
[EMAIL PROTECTED] #

The old server querying the new one for a /etc/passwd user:
[EMAIL PROTECTED] # ./radtest frank XXX new 10 test123
Sending Access-Request of id 216 to 10.1.1.12:1812
User-Name = frank
User-Password = T)n\244Lec\226\246)[EMAIL PROTECTED]%
NAS-IP-Address = XXX
NAS-Port-Id = 10
rad_recv: Access-Accept packet from host 10.1.1.12:1812, id=216, length=20
[EMAIL PROTECTED] #

The new server querying itself for the exact same user as above:
[EMAIL PROTECTED] ./radtest frank XXX localhost 10 test123
Sending Access-Request of id 177 to 127.0.0.1 port 1812
User-Name = frank
User-Password = XXX
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=177, length=20
[EMAIL PROTECTED]

Why is the password displayed in plain text instead of hashed as on the old
server?

And how do I configure a separate user file? Currently, I have

  passwd radpasswd {
    filename = /opt/freeradius/etc/radpasswd
    #format = *User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::
    format = *User-Name:LM-Password:NT-Password:
    delimiter = :
    # authtype = MS-CHAP
    authtype = PAP
    hashsize = 0
    ignorenislike = yes
    allowmultiplekeys = no
  }

with radpasswd looking like

frank:A:B:Frank Winkler

with A and B created by smbencrypt.

I'm pretty unsure about the authtype. I can post debug output of radiusd
but it looks like it finds the user in the file but cannot authenticate the
password.

TIA

fw