2.2.0 - Shared Secret is incorrect
Hi,

I'm wondering if I'm missing something, or why Info messages about an invalid Message-Authenticator do not appear in the default radius.log anymore. I can't even get it with

update control { Tmp-String-0 = %{debug:7} }

in the log section of radiusd.conf. It's only shown in debug mode with radiusd -X:

Info: Received packet from x.x.x.x with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response.

Kind regards,
Anja

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 2.2.0 - Shared Secret is incorrect
> Hi, I'm wondering if I'm missing something, or why Info messages about an invalid Message-Authenticator do not appear in the default radius.log anymore. I can't even get it with

Such messages only appear in debug mode, as logging to file could be a DoS.

alan
Re: Re: 2.2.0 - Shared Secret is incorrect
But it DID appear in earlier versions of FreeRADIUS with default settings for logging. And I don't see the difference to something logging errors like

Error: Ignoring request to authentication address * port 1812 from unknown client x.x.x.x port 1092

regarding the mentioned DoS problem. We have been using logfile monitoring for years in order to find misconfigured NAS of ours. It seems we cannot do this with FreeRADIUS 2.2.0 anymore?

Anja
Re: Re: 2.2.0 - Shared Secret is incorrect
Hi,

> But it DID appear in earlier versions of FreeRADIUS with default settings for logging. And I don't see the difference to something logging errors like
> Error: Ignoring request to authentication address * port 1812 from unknown client x.x.x.x port 1092
> regarding the mentioned DoS problem. We have been using logfile monitoring for years in order to find misconfigured NAS of ours. It seems we cannot do this with FreeRADIUS 2.2.0 anymore?

If you don't like how it works and have a local use case, then just change the code. It's only a few lines to log in normal mode rather than only when in debug.

alan
Re: 2.2.0 - Shared Secret is incorrect
On 19 Jul 2013, at 14:29, Anja Ruckdaeschel anja.ruckdaesc...@rz.uni-regensburg.de wrote:

> But it DID appear in earlier versions of FreeRADIUS with default settings for logging.

Don't know. You're welcome to dig through the source to find out...

> And I don't see the difference to something logging errors like
> Error: Ignoring request to authentication address * port 1812 from unknown client x.x.x.x port 1092

Yep, that shouldn't really be in there either. I believe the philosophy behind the main log is to only log server global errors and informational messages at the default level.

> regarding the mentioned DoS problem. We have been using logfile monitoring for years in order to find misconfigured NAS of ours.

Not entirely sure how that's related to DoS. But ok... That's, um, interesting.

> It seems we cannot do this with FreeRADIUS 2.2.0 anymore?

You can however use the radmin socket to show invalid packet counters. If they're going up you've probably got a misconfigured NAS. The server also keeps stats on a per-client basis too. This is a much saner and more robust way of doing that. There's no guarantee that log message formats won't change, even between sub-versions, and then your log monitoring system would be stuffed.

I'll talk to Alan D about it. I know triggers are rate limited in 3.0.0; I can actually see the utility in a client error trigger, there may even already be one. That'd be a much cleaner way to do what you want.

PS: The debug level only goes up to 4 :) and you want

%{debug: 4}
        ^
Note the space (I <3 monospaced fonts)

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Re: Re: 2.2.0 - Shared Secret is incorrect
Sorry, but I only wanted to know why the behaviour has changed and if there is any way to do it by configuration or access it with unlang...

BTW: If I remove the client completely, the log in normal mode says:

Fri Jul 19 16:32:29 2013 : Error: Ignoring request to authentication address * port 1812 from unknown client x.x.x.x port 45494

... which could be used for a DoS with a RADIUS server running with port 1812 open to the world.

If I add the client and use a wrong secret, the log says:

Fri Jul 19 16:33:09 2013 : Auth: Login incorrect: [radtestuser] (from client port 0)

It's a kind of misleading information, because it has nothing to do with a user's login, but with a wrong shared secret on the NAS.
Re: 2.2.0 - Shared Secret is incorrect
> If I add the client and use a wrong secret, the log says:
> Fri Jul 19 16:33:09 2013 : Auth: Login incorrect: [radtestuser] (from client port 0)
> It's a kind of misleading information, because it has nothing to do with a user's login, but with a wrong shared secret on the NAS.

Did the request include a Message-Authenticator attribute?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: 2.2.0 - Shared Secret is incorrect
Dear Arran,

Sorry about the typo with debug.

I looked at the invalid packet counters. They only show the requests with wrong shared secrets in the rejects counter ... Same thing with:

stats client auth x.x.x.x
requests 5
responses 5
accepts 1
rejects 4
challenges 0
dup 0
invalid 0
malformed 0
bad_signature 0
dropped 0
unknown_types 0

But thanks for the tip.

I'm aware that log formats change, but I couldn't follow A.L.M.'s explanation, because the unknown-client error still appears while the shared-secret info does not, because of DoS prevention. If you have a lot of RADIUS servers running and a lot of switches, you are glad to do some syslog collection and an automated search for any string or character in a log line showing that x.x.x.x has a wrong secret or is not known to RADIUS, so the problem can be fixed immediately.

The only two types of NAS misconfiguration I'm interested in are:
- The client is unknown to the RADIUS server (which is still logged).
- The shared secret is wrong (which is not in the log anymore).

So, I think I'll change the code. Thanks for your time...
Re: 2.2.0 - Shared Secret is incorrect
No. It didn't include a Message-Authenticator attribute...
Re: 2.2.0 - Shared Secret is incorrect
On 19 Jul 2013, at 16:32, Anja Ruckdaeschel anja.ruckdaesc...@rz.uni-regensburg.de wrote:

> Dear Arran,
> Sorry about the typo with debug.
> I looked at the invalid packet counters. They only show the requests with wrong shared secrets in the rejects counter ... Same thing

The RADIUS server cannot determine whether the shared secret is correct for Access-Requests without the Message-Authenticator attribute. The User-Password field is decrypted incorrectly, and so the comparison with the REFERENCE password fails, which is why they're seen as a reject. This isn't an issue with the server, it's an issue with the protocol.

Accounting-Requests are validated using the Authenticator field, and so you get the error message.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
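The protocol point made in the reply above, as an added example that is not part of this thread or of FreeRADIUS itself: a small Python model of RFC 2865 User-Password hiding, the RFC 2866 Accounting-Request authenticator and the RFC 2869 Message-Authenticator. With a mismatched secret, a PAP Access-Request without Message-Authenticator only yields a password mismatch (seen as a reject), whereas the other two checks fail visibly. All packet bytes, secrets and the reference password are constructed for the example.

```python
import hashlib
import hmac

def _pap_xor(secret, req_auth, data, decrypt):
    # RFC 2865 s.5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the chain starts at the Request Authenticator.
    out, prev = bytearray(), req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result
    return bytes(out)

def encrypt_user_password(secret, req_auth, password):
    return _pap_xor(secret, req_auth, password + b"\x00" * (-len(password) % 16), False)

def decrypt_user_password(secret, req_auth, encrypted):
    return _pap_xor(secret, req_auth, encrypted, True).rstrip(b"\x00")

def acct_request_authenticator(secret, header, attrs):
    # RFC 2866 s.3: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def message_authenticator(secret, header, req_auth, attrs_with_zeroed_ma):
    # RFC 2869 s.5.14: HMAC-MD5 over the packet with the Message-Authenticator value zeroed
    return hmac.new(secret, header + req_auth + attrs_with_zeroed_ma, hashlib.md5).digest()

def server_view(nas_secret, server_secret, reference_pw=b"radtestpass"):
    """What a server holding server_secret can conclude about packets a NAS built with
    nas_secret. All packet values are constructed for this example, not captured traffic."""
    req_auth = bytes(range(16))       # stand-in for the NAS's random Request Authenticator
    header = b"\x01\x2a\x00\x38"     # Access-Request, id 42, length 56
    enc_pw = encrypt_user_password(nas_secret, req_auth, reference_pw)
    attrs = b"\x02\x12" + enc_pw + b"\x50\x12" + b"\x00" * 16  # User-Password + zeroed Message-Authenticator
    ma = message_authenticator(nas_secret, header, req_auth, attrs)
    acct_header = b"\x04\x2b\x00\x14"  # Accounting-Request, id 43, no attributes
    acct_auth = acct_request_authenticator(nas_secret, acct_header, b"")
    decrypted = decrypt_user_password(server_secret, req_auth, enc_pw)
    return {
        # No Message-Authenticator: the server only sees a password mismatch, which is why
        # FreeRADIUS logs "Login incorrect" instead of a shared-secret error.
        "pap_result": "accept" if decrypted == reference_pw else "reject",
        # With Message-Authenticator, or for Accounting-Requests, the wrong secret is detectable.
        "message_authenticator_ok": hmac.compare_digest(
            ma, message_authenticator(server_secret, header, req_auth, attrs)),
        "acct_authenticator_ok": hmac.compare_digest(
            acct_auth, acct_request_authenticator(server_secret, acct_header, b"")),
    }
```

Calling server_view(b"nas-secret", b"wrong-secret") returns a reject for the PAP case and False for both authenticator checks, matching the "Login incorrect" symptom described in the thread.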