--- Begin Message ---
- To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
- Subject: upgrade broke the users file - being read only partially - FR1.1.7 to FR2.0.2
- From: Agent Smith <news8080@yahoo.com>
- Date: Wed, 20 Feb 2008 11:06:39 -0800 (PST)
- Authentication-results: mta516.mail.mud.yahoo.com from=yahoo.com; domainkeys=pass (ok)
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=GoICcmQWL7o8cvwKNh+SeWnjg7TUrjAKeRaToDzFqYjj4SEjG7cHzpYJK4i8qcru3JTOsleDXOJ9IrYKMQkOHZifbq6PupIeFJZ856vjCoFyo+i0FnYz2vlzwyjYOhDRWIUjy7RWQRroU4Fh8WvhvH4+8ySkyUrGdIaHKehQzoo=;
- In-reply-to: <a62d17300801031546m6ee0737vda615ba579302245@mail.gmail.com>
Upgraded to FR2.0.2 and found that the users file is
being read, but only partially. Went back to 1.1.7 and
it works fine.
Here are the radiusd -fX output, the users and huntgroups
files, and radiusd.conf from FR2.0.2.
user2 is proxied to another instance and works fine,
whereas user1 is a local user and never works.
=================================================
rad_recv: Access-Request packet from host 10.9.3.29
port 32887, id=163, length=61
User-Name = "user1"
User-Password = "abc123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 161
server SERVER-1760 {
+- entering group authorize
expand: %{Client-IP-Address} -> 10.9.3.29
++[preprocess] returns ok
users: Matched entry DEFAULT at line 8
++[files] returns ok
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting
user
auth: Failed to validate the user.
Login incorrect: [user1/abc123] (from client
user2-linux port 161)
} # server SERVER-1760
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 163 to 10.9.3.29 port
32887
Waking up in 4.9 seconds.
Cleaning up request 0 ID 163 with timestamp +10
Ready to process requests.
rad_recv: Access-Request packet from host 10.9.3.29
port 32887, id=167, length=58
User-Name = "user2"
User-Password = "password2"
NAS-IP-Address = 255.255.255.255
NAS-Port = 161
server SERVER-1760 {
+- entering group authorize
expand: %{Client-IP-Address} -> 10.9.3.29
++[preprocess] returns ok
users: Matched entry user2 at line 3
++[files] returns ok
} # server SERVER-1760
Sending Access-Request of id 104 to 192.168.60.3 port
1760
User-Name = "user2"
User-Password = "password2"
NAS-IP-Address = 255.255.255.255
NAS-Port = 161
Proxy-State = 0x313637
Proxying request 1 to home server 192.168.60.3 port
1760
Sending Access-Request of id 104 to 192.168.60.3 port
1760
User-Name = "user2"
User-Password = "password2"
NAS-IP-Address = 255.255.255.255
NAS-Port = 161
Proxy-State = 0x313637
Going to the next request
Waking up in 0.9 seconds.
Waking up in 12.9 seconds.
rad_recv: Access-Accept packet from host 192.168.60.3
port 1760, id=104, length=82
Class =
0x53425232434ced8be19ce897d2f8bdc01180240180038198ce8002800781b59ccc97b385d812800e81ed8be19ce897d2f8bdc0808083b8
Proxy-State = 0x313637
server SERVER-1760 {
+- entering group authorize
expand: %{Client-IP-Address} -> 10.9.3.29
++[preprocess] returns ok
users: Matched entry user2 at line 3
++[files] returns ok
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting
the user
Login OK: [user2/password2] (from client user2-linux
port 161)
} # server SERVER-1760
Sending Access-Accept of id 167 to 10.9.3.29 port
32887
Class =
0x53425232434ced8be19ce897d2f8bdc01180240180038198ce8002800781b59ccc97b385d812800e81ed8be19ce897d2f8bdc0808083b8
Finished request 1.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
=========================================================
users file
----------
user1 Auth-Type = Local, Cleartext-Password =
"abc123", Huntgroup-Name == "fetch"
user2 Proxy-To-Realm := "rsa"
DEFAULT Auth-Type := Reject
=========================================================
huntgroups file
----------------
fetch Client-IP-Address == "10.9.3.29"
======================================================
sites-enabled/server-1760
-------------------------
server SERVER-1760 {
listen {
ipaddr = *
port = 1760
type = auth
}
listen {
ipaddr = *
port = 1761
type = acct
}
client 10.9.3.29 {
secret = abc123
shortname = my-linux-test
}
authorize {
preprocess
files
#auth_log
}
authenticate {
files
#unix
}
preacct {
}
accounting {
#detail
#unix
radutmp
}
session {
radutmp
}
post-auth {
#reply_log
}
pre-proxy {
}
post-proxy {
}
}
===================================================
radiusd.conf
prefix = /usr/local/etc/RADIUS/CLOSET-SW-RSA-PAP-1760
exec_prefix = /usr/local
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = $(raddbdir)
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
syslog_facility = daemon
file = ${logdir}/radius.log
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
snmp = no
$INCLUDE snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
auto_header = no
encryption_scheme = clear
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
}
$INCLUDE eap.conf
mschap {
use_mppe = yes
authtype = MS-CHAP
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/path/to/ntlm_auth
--request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter =
"(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping =
${confdir}/ldap.attrmap
edir_account_policy_check = no
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = yes
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile =
${confdir}/preproxy_users
compat = no
}
detail {
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
header = "%t"
}
detail auth_log {
detailfile =
${radacctdir}/auth-detail-%Y%m%d
}
detail reply_log {
detailfile =
${radacctdir}/reply-detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id,
NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter attr_filter.post-proxy {
attrsfile = ${confdir}/attrs
}
attr_filter attr_filter.pre-proxy {
attrsfile = ${confdir}/attrs.pre-proxy
}
attr_filter attr_filter.access_reject {
key = %{User-Name}
attrsfile =
${confdir}/attrs.access_reject
}
attr_filter attr_filter.accounting_response {
key = %{User-Name}
attrsfile =
${confdir}/attrs.accounting_response
}
counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
allowed-servicetype = Framed-User
cache-size = 5000
}
$INCLUDE sql/mysql/counter.conf
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always noop {
rcode = noop
}
always handled {
rcode = handled
}
always updated {
rcode = updated
}
always notfound {
rcode = notfound
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
expiration {
reply-message = "Password Has
Expired\r\n"
}
logintime {
reply-message = "You are calling
outside your allowed timespan\r\n"
minimum-timeout = 60
}
exec {
wait = yes
input_pairs = request
shell_escape = yes
output = none
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
shell_escape = yes
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${db_dir}/db.ippool
ip-index = ${db_dir}/db.ipindex
override = no
maximum-timeout = 0
}
policy {
filename = ${confdir}/policy.txt
}
}
instantiate {
exec
expr
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
--- End Message ---