FW: upgraded from freeradius 1.1.3 to 2.0.4

Frank van den Diepstraten frank.diepstraten at concepts-ict.nl
Thu Feb 19 12:20:31 CET 2009


Well, I didn't expect this kind of reaction. I tried to give as much information as I had. First of all, I upgraded to the newest packages of Debian etch before I did a dist-upgrade to lenny. With the latest version of etch it still worked. The latest version in Debian lenny is 2.0.4, which I am running now. I do use the groupreply option (but no groupcheck option, because the check has already been done in the usercheck option), so Alan's mail doesn't solve the problem. The complete debug text is underneath; hopefully this makes it a bit clearer. Sorry for the inconvenience:


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x port 55116, id=108, length=66
	User-Name = "username"
	User-Password = "pass"
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/x.x.x.x/auth-detail-20090218
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/x.x.x.x/auth-detail-20090218
	expand: %t -> Wed Feb 18 15:31:36 2009
++[auth_log] returns ok
++[chap] returns noop
    rlm_realm: Looking up realm "realm" for User-Name = "username"
    rlm_realm: No such realm "realm"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
	expand: %{User-Name} -> username
rlm_sql (sql): sql_set_user escaped user --> 'username'
rlm_sql (sql): Reserving sql socket id: 62
	expand: SELECT isp_ordernumber,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' and enabled='true' ORDER BY isp_ordernumber -> SELECT isp_ordernumber,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'username' and enabled='true' ORDER BY isp_ordernumber
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
rlm_sql (sql): User found in radcheck table
	expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'username' ORDER BY id
	expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='username'
	expand:  -> 
rlm_sql (sql): Error generating query; rejecting user
rlm_sql (sql): Error processing groups; rejecting user
rlm_sql (sql): Released sql socket id: 62
++[sql] returns fail
Invalid user: [username] (from client host port 1)
  Found Post-Auth-Type Reject
+- entering group REJECT
rlm_sql (sql): Processing sql_postauth
	expand: %{User-Name} -> username
rlm_sql (sql): sql_set_user escaped user --> 'username'
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
	expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'username', 'password', 'Access-Reject', NOW())
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'username', 'password', 'Access-Reject', NOW())
rlm_sql (sql): Reserving sql socket id: 61
rlm_sql (sql): Released sql socket id: 61
++[sql] returns ok
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 108 to x.x.x.x port 55116
	Framed-IP-Address := x.x.x.x
	ERX-Atm-PCR := 8000
Waking up in 4.9 seconds.
Cleaning up request 0 ID 108 with timestamp +9
Ready to process requests.



-----Original Message-----
From: freeradius-users-bounces+frank.diepstraten=concepts-ict.nl at lists.freeradius.org [mailto:freeradius-users-bounces+frank.diepstraten=concepts-ict.nl at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday 19 February 2009 11:59
To: FreeRadius users mailing list
Subject: Re: FW: upgraded from freeradius 1.1.3 to 2.0.4

Frank van den Diepstraten wrote:
> For a few years now, I have used a freeradius/mysql server for the
> authentication of users who log on with their DSL line. This always
> went perfectly until I tried to upgrade the machine from Debian etch to
> Debian lenny. The freeradius version went from 1.1.3 to 2.0.4. When I
> upgraded, users couldn’t log in anymore.

  Umm... you upgraded software across a major version number, and you
didn't do the migration manually?

  We've made serious attempts to make the configuration similar, but it
is *not* the same.  Automated upgrades are simply not possible.

  Also, 2.0.4 is an old version.  You want to use a more recent one.

> I didn’t change anything in the config file which we used on the 1.1.3
> version of freeradius.

  That's BAD.  You need to *upgrade* the configuration, not just blindly
copy it over.

> While searching for this error I found something about the
> groupchecktable which we never used. In the config this option is marked
> out:
...
> And in the database is no table called radgroupcheck because I never
> used it.

  So.. not using that shouldn't break the server.

> How can I get my freeradius working again and simply don’t let it do a
> thing with the groupcheck (which I guess is the problem of the empty
> expand  which I see in debug mode)

  Find out what the real problem is.  Looking at *part* of the debug log
doesn't help.  Some expansions are *allowed* to be empty.

  Alan DeKok.
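
Added example, not part of the original thread and not FreeRADIUS code: a small filter for the kind of debug output posted above that applies the point that some expansions are allowed to be empty, flagging only an empty expansion that is immediately followed by an rlm_sql "Error generating query" line. The function name and the first two sample lines are constructed; the remaining sample lines are copied from the debug output in this message.

```python
import re

# Debug lines of the form "expand: <configured string> -> <expanded result>".
EXPAND_RE = re.compile(r"^\s*expand:\s?(?P<template>.*?)\s*->\s?(?P<result>.*)$")
# The rlm_sql error that follows the empty expansion in the posted log.
ERROR_RE = re.compile(r"^rlm_sql \((?P<instance>[^)]+)\): Error generating query")

def find_failed_empty_expansions(log_text):
    """Return empty expansions that are directly followed by an rlm_sql query error."""
    findings = []
    last_nonempty = None   # result of the most recent expansion that produced text
    pending = None         # (line number, template) of an empty expansion just seen
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = EXPAND_RE.match(line)
        if m:
            template = m.group("template").strip()
            result = m.group("result").strip()
            if result:
                last_nonempty, pending = result, None
            else:
                pending = (lineno, template)
            continue
        err = ERROR_RE.match(line)
        if pending and err:
            findings.append({
                "line": pending[0],
                "instance": err.group("instance"),
                # True when the configured string itself was empty, not just its result.
                "template_empty": pending[1] == "",
                "previous_expansion": last_nonempty,
            })
        pending = None  # any other line means the empty expansion was tolerated
    return findings

# Constructed sample: the first two lines are an invented benign empty expansion,
# the rest is copied from the debug output in this message.
SAMPLE_LOG = """\
\texpand: %{Calling-Station-Id} -> 
++[files] returns noop
\texpand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='username'
\texpand:  -> 
rlm_sql (sql): Error generating query; rejecting user
rlm_sql (sql): Error processing groups; rejecting user
++[sql] returns fail
"""

if __name__ == "__main__":
    for f in find_failed_empty_expansions(SAMPLE_LOG):
        print(f)
```

The `previous_expansion` field shows which query ran just before the failure, which narrows down the configuration entry to inspect.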