Problem with log and PEAP/MS-CHAPv2

Alan Buxey alan.buxey at gmail.com
Fri Apr 14 16:42:52 CEST 2017


you are not - you are getting some of the stuff that gets logged. the
reason for 2 outputs is varied but usually seen with EAP tunneled methods,
and the reason for the auth failure AFTER things look okay is usually due to
things like failure for the server to log the event (in which case an error
is seen and the server will reject the user). if you run in full debug mode
then you will get the full picture of what is happening....and you've been
told this many times. just run the server in full debug mode (radiusd -X),
see what is going on. fix it, THEN run it in production mode, there is no
other sensible way to proceed.

alan

On 14 April 2017 at 10:21, Andrea Gabellini <
andrea.gabellini at telecomitalia.sm> wrote:

> Hi,
>
> the problem is the (0) and (1) in the log. I think this is the packet
> number. Using eap with wrong username or password logs some debug output
> (see previous posts). Alan DeKok says that this is a debug log, but
> radiusd isn't running debug mode.
>
> So the question is: why did I get debug output if the server is running
> without it?
>
> Thanks,
> Andrea
>
> On 14/04/2017 11:03, Alan Buxey wrote:
> > hi,
> >
> > this is just the output of the standard freeradius logfile - which gives
> > you some basic info (with log_auth enabled) .
> >
> > you need to be looking at the output when you run the server in full debug
> > mode:
> >
> > radiusd -X
> > or
> > freeradiusd -X (if you're on debian/ubuntu builds)
> >
> > (and yes, that's just one big uppercase X) - as that will tell you exactly
> > what is happening and why something doesn't work.
> >
> > if this is a vanilla install with no local confidential stuff etc then
> > there's no reason to not post the output in full to the list - there will be
> > one or 2 obvious things
> >
> >
> > alan
> >
> > On 14 April 2017 at 08:19, Andrea Gabellini <
> > andrea.gabellini at telecomitalia.sm> wrote:
> >
> >>
> >> On 13/04/2017 13:18, Alan DeKok wrote:
> >>> On Apr 13, 2017, at 3:41 AM, Andrea Gabellini <andrea.gabellini@telecomitalia.sm> wrote:
> >>>> the server doesn't have any extra options:
> >>>   <shrug>  The server doesn't magically start printing all debug
> >>> messages to the log file.
> >>>   You've made some change in your local configuration to cause this to
> >>> happen.  Find it, and fix it.
> >>> $ cd /etc/raddb
> >>> $ grep -r debug .
> >>>
> >>>   Maybe that will help.
> >> Hi Alan,
> >>
> >> the search for the debug keyword in the config directory doesn't return
> >> any hint.
> >>
> >> I removed the raddb directory and reinstalled all with make install.
> >> Just modified "auth = yes" and enabled the user "bob" from the default
> >> configuration:
> >>
> >> [09:14:22][radius31:/usr/local/freeradius/etc/raddb] #systemctl restart radiusd
> >> [09:14:26][radius31:/usr/local/freeradius/etc/raddb] #tail -f /var/log/radius/radius.log
> >> Fri Apr 14 09:14:26 2017 : Info: Debugger not attached
> >> Fri Apr 14 09:14:26 2017 : Warning: [/usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"     found in filter list for realm "DEFAULT".
> >> Fri Apr 14 09:14:26 2017 : Warning: [/usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
> >> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server <default>
> >> Fri Apr 14 09:14:26 2017 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
> >> Fri Apr 14 09:14:26 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
> >> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server default
> >> Fri Apr 14 09:14:26 2017 : Info:  # Skipping contents of 'if' as it is always 'false' -- /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel:330
> >> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server inner-tunnel
> >> Fri Apr 14 09:14:26 2017 : Info: Ready to process requests
> >> Fri Apr 14 09:14:30 2017 : Auth: (0) Login OK: [bob] (from client localhost port 0)
> >> Fri Apr 14 09:14:32 2017 : Auth: (1) Login incorrect (pap: Cleartext password "hellox" does not match "known good" password): [bob] (from client localhost port 0)
> >>
> >> Freeradius was compiled on CentOS 7 server with: ./configure
> >> --prefix=/usr/local/freeradius --enable-static=no --localstatedir=/var
> >> --with-docdir=no --with-vmps=no
> >> --with-oracle-include-dir=/usr/local/oracle/sdk/include
> >> --with-oracle-lib-dir=/usr/local/oracle
> >>
> >> Any idea on what I can check?
> >>
> >> Thanks,
> >> Andrea
> >>
> >>>   Again, you *should* keep track of your local changes, and you *should*
> >>> know what changes you made.
> >>>   Alan DeKok.
> >>>
> >>>
> >>> -
> >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>
> >> --
> >> ----------------------------------------------------------------
> >> The box said: 'install on Windows 95, NT 4.0 or better'. So I installed it
> >> on Linux.
> >>
> >> ----------------------------------------------------------------
> >>
> >> Ing. Andrea Gabellini
> >> Email: andrea.gabellini at telecomitalia.sm
> >> Skype: andreagabellini
> >> Tel: (+378) 0549 886111
> >> Fax: (+378) 0549 886188
> >>
> >> Telecom Italia San Marino S.p.A.
> >> Via XXVIII Luglio, 212 - Piano -2
> >> 47893 Borgo Maggiore
> >> Republic of San Marino
> >>
> >> http://www.telecomitalia.sm
> >>
>
> --
> ----------------------------------------------------------------
> Hardware: The parts of a computer system that can be kicked.
>
> ----------------------------------------------------------------
>
> Ing. Andrea Gabellini
> Email: andrea.gabellini at telecomitalia.sm
> Skype: andreagabellini
> Tel: (+378) 0549 886111
> Fax: (+378) 0549 886188
>
> Telecom Italia San Marino S.p.A.
> Via XXVIII Luglio, 212 - Piano -2
> 47893 Borgo Maggiore
> Republic of San Marino
>
> http://www.telecomitalia.sm
>
>
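
Added example (not part of the original thread, and not FreeRADIUS code): a parser for the Auth lines in the radius.log excerpt quoted above. It pulls out the (N) prefix, the result, the user and the client, and redacts the submitted password that the pap failure reason contains; the function names and the last sample line are made up for this example.

```python
import re
from collections import Counter

# Auth lines written when "auth = yes" is set, in the layout shown in the thread.
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: '
    r'\((?P<req>\d+)\)\s+(?P<result>Login OK|Login incorrect)'
    r'(?: \((?P<reason>.*)\))?: \[(?P<user>.*)\] '
    r'\(from client (?P<client>\S+) port (?P<port>\d+)[^)]*\)\s*$')
# The pap failure reason quotes the password that was submitted.
PW_RE = re.compile(r'(Cleartext password )".*(" does not match)')

# First three lines are from the thread; the last one is constructed.
SAMPLE = [
    'Fri Apr 14 09:14:26 2017 : Info: Ready to process requests',
    'Fri Apr 14 09:14:30 2017 : Auth: (0) Login OK: [bob] (from client localhost port 0)',
    'Fri Apr 14 09:14:32 2017 : Auth: (1) Login incorrect (pap: Cleartext password '
    '"hellox" does not match "known good" password): [bob] (from client localhost port 0)',
    'Fri Apr 14 09:14:40 2017 : Auth: (2) Login incorrect (pap: Cleartext password '
    '"hel"lo" does not match "known good" password): [bob] (from client localhost port 0)',
]

def parse_auth_line(line):
    """Return a dict for an Auth line, or None for any other log line."""
    m = AUTH_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['req'] = int(rec['req'])      # the (N) prefix discussed in the thread
    rec['port'] = int(rec['port'])
    rec['ok'] = rec.pop('result') == 'Login OK'
    reason = rec['reason'] or ''
    rec['leaks_password'] = bool(PW_RE.search(reason))
    rec['reason'] = PW_RE.sub(r'\1"<redacted>\2', reason)
    return rec

def failed_logins(lines):
    """Count rejected logins per (user, client) pair."""
    recs = filter(None, map(parse_auth_line, lines))
    return Counter((r['user'], r['client']) for r in recs if not r['ok'])

if __name__ == '__main__':
    for rec in filter(None, map(parse_auth_line, SAMPLE)):
        print(rec['ts'], rec['req'], 'OK' if rec['ok'] else 'REJECT',
              rec['user'], rec['reason'])
    print(dict(failed_logins(SAMPLE)))
```

Running the redaction before a log excerpt is pasted into a public list post keeps the attempted password out of the archive.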

