MSCHAP not working after weekly restart

Enrico Polesel polesel at poisson.phc.unipi.it
Sun Jun 12 13:30:37 CEST 2016 

Hello everyone,

we have a ubuntu 14.04 with freeradius 2.1.12+dfsg-1.2ubuntu8.1
configured to use Active Directory to do authentication (using winbind
and ntlm_auth), eap, pap and mschap.

Weekly the freeradius is restarted (with a signal HUP) by logrotate
and usually it works fine. But sometimes MSCHAP authentication stop
working after the restart (both plain with radtest and with PEAP from
wireless client) while PAP continues working.

We can detect the problem running `radtest -t pap ...` (it works) and
`radtest -t mschap ...` (it doesn't). The response we get is:

> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=204, length=38  MS-CHAP-Error = "\000E=691 R=1"

and the log says:

> Login incorrect (mschap: External script says )

Restarting the freeradius solves the problem (with service freeradius
restart).

I'm unable to reproduce it (it just happens sometimes, like once every
two months) and I can't get a debug log with `freeradius -X` because
restarting solves the problem.

I've been able to log the parameters passed to the external program
ntlm_auth that are:

> --request-nt-key --username=someuser --challenge=00 --nt-response=00 --domain=OUR_DOMAIN

the configuration is:

> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{reply:AD-Samaccountname} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=OUR_DOMAIN"

so I think that for some reason the mschap module brokes down and
stops putting the right values in the dictionary.

I noticed that this (for now) happened only with weekly logrotate
restarts and not with manual restarts (when I update the
configuration).

Another thing I noticed is that it happens only at the primary radius
server (~500k authentications every week, some local and some proxied)
and not on the secondary (~40k authentications every week, basically
just monitoring). The two radius server share the same configuration
(as in "I copied the files") and software version.


Any hint in how to debug it? (or resolve it)

Thanks for reading my mail and for any help you could provide.

Regards,
Enrico Polesel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160612/3ca632c3/attachment.sig>

More information about the Freeradius-Users mailing list