Problem with log and PEAP/MS-CHAPv2

Alan Buxey alan.buxey at gmail.com
Tue Apr 18 09:18:49 CEST 2017


Why do you think those are debug logs?

If they are only meant to be in debug then either code needs changing so
its print statement is changed, report a bug, OR your server is running
with e.g. the -l stdout argument with a wrapper ensuring that output also
goes to the standard log file; I think systemd does that.

For better logging and control of logging, use the linelog module.

alan

On 18 Apr 2017 7:48 am, "Andrea Gabellini" <
andrea.gabellini at telecomitalia.sm> wrote:

> Hi Alan,
>
> my problem is not what is going on. I'm forcing an error.
>
> My problem is why I get some debug errors in the log when the server is
> not running in debug mode.
>
> Andrea
>
> On 14/04/2017 16:42, Alan Buxey wrote:
> > you are not - you are getting some of the stuff that gets logged. the
> > reason for 2 outputs is varied but usually seen with EAP tunneled methods
> > and the reason for the auth failure AFTER things look okay is usually due
> > to things like failure for the server to log the event (in which case an
> > error is seen and the server will reject the user). if you run in full
> > debug mode then you will get the full picture of what is happening....and
> > you've been told this many times. just run the server in full debug mode
> > (radiusd -X) see what is going on. fix it, THEN run it in production mode,
> > there is no other sensible way to proceed.
> >
> > alan
> >
> > On 14 April 2017 at 10:21, Andrea Gabellini <
> > andrea.gabellini at telecomitalia.sm> wrote:
> >
> >> Hi,
> >>
> >> the problem is the (0) and (1) in the log. I think this is the packet
> >> number. Using eap with wrong username or password logs some debug output
> >> (see previous posts). Alan DeKok says that this is a debug log, but
> >> radiusd isn't running debug mode.
> >>
> >> So the question is: why I got a debug output if the server is running
> >> without it?
> >>
> >> Thanks,
> >> Andrea
> >>
> >> On 14/04/2017 11:03, Alan Buxey wrote:
> >>> hi,
> >>>
> >>> this is just the output of the standard freeradius logfile - which gives
> >>> you some basic info (with log_auth enabled).
> >>>
> >>> you need to be looking at the output when you run the server in full
> >>> debug mode:
> >>>
> >>> radiusd -X
> >>> or
> >>> freeradiusd -X (if you're on debian/ubuntu builds)
> >>>
> >>> (and yes, that's just one big uppercase X) - as that will tell you
> >>> exactly what is happening and why something doesn't work.
> >>>
> >>> if this is a vanilla install with no local confidential stuff etc then
> >>> there's no reason to not post the output in full to the list - there
> >>> will be one or 2 obvious things
> >>>
> >>>
> >>> alan
> >>>
> >>> On 14 April 2017 at 08:19, Andrea Gabellini <
> >>> andrea.gabellini at telecomitalia.sm> wrote:
> >>>
> >>>> On 13/04/2017 13:18, Alan DeKok wrote:
> >>>>> On Apr 13, 2017, at 3:41 AM, Andrea Gabellini <andrea.gabellini@telecomitalia.sm> wrote:
> >>>>>> the server doesn't have any extra options:
> >>>>>   <shrug>  The server doesn't magically start printing all debug
> >>>>>   messages to the log file.
> >>>>>
> >>>>>   You've made some change in your local configuration to cause this
> >>>>>   to happen.  Find it, and fix it.
> >>>>>
> >>>>> $ cd /etc/raddb
> >>>>> $ grep -r debug .
> >>>>>
> >>>>>   Maybe that will help.
> >>>> Hi Alan,
> >>>>
> >>>> the search for the debug keyword in the config directory doesn't
> >>>> return any hint.
> >>>>
> >>>> I removed the raddb directory and reinstalled all with make install.
> >>>> Just modified "auth = yes" and enabled the user "bob" from the default
> >>>> configuration:
> >>>>
> >>>> [09:14:22][radius31:/usr/local/freeradius/etc/raddb] #systemctl restart radiusd
> >>>> [09:14:26][radius31:/usr/local/freeradius/etc/raddb] #tail -f /var/log/radius/radius.log
> >>>> Fri Apr 14 09:14:26 2017 : Info: Debugger not attached
> >>>> Fri Apr 14 09:14:26 2017 : Warning: [/usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"     found in filter list for realm "DEFAULT".
> >>>> Fri Apr 14 09:14:26 2017 : Warning: [/usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
> >>>> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server <default>
> >>>> Fri Apr 14 09:14:26 2017 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
> >>>> Fri Apr 14 09:14:26 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
> >>>> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server default
> >>>> Fri Apr 14 09:14:26 2017 : Info:  # Skipping contents of 'if' as it is always 'false' -- /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel:330
> >>>> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server inner-tunnel
> >>>> Fri Apr 14 09:14:26 2017 : Info: Ready to process requests
> >>>> Fri Apr 14 09:14:30 2017 : Auth: (0) Login OK: [bob] (from client localhost port 0)
> >>>> Fri Apr 14 09:14:32 2017 : Auth: (1) Login incorrect (pap: Cleartext password "hellox" does not match "known good" password): [bob] (from client localhost port 0)
> >>>>
> >>>> Freeradius was compiled on CentOS 7 server with: ./configure
> >>>> --prefix=/usr/local/freeradius --enable-static=no --localstatedir=/var
> >>>> --with-docdir=no --with-vmps=no
> >>>> --with-oracle-include-dir=/usr/local/oracle/sdk/include
> >>>> --with-oracle-lib-dir=/usr/local/oracle
> >>>>
> >>>> Any idea on what I can check?
> >>>>
> >>>> Thanks,
> >>>> Andrea
> >>>>
> >>>>>   Again, you *should* keep track of your local changes, and you
> >>>>>   *should* know what changes you made.
> >>>>>
> >>>>>   Alan DeKok.
> >>>>>
> >>>>>
> >>>>> -
> >>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>>> --
> >>>> ----------------------------------------------------------------
> >>>> The box said: 'install on Windows 95, NT 4.0 or better'. So I
> >>>> installed it on Linux.
> >>>>
> >>>> ----------------------------------------------------------------
> >>>>
> >>>> Ing. Andrea Gabellini
> >>>> Email: andrea.gabellini at telecomitalia.sm
> >>>> Skype: andreagabellini
> >>>> Tel: (+378) 0549 886111
> >>>> Fax: (+378) 0549 886188
> >>>>
> >>>> Telecom Italia San Marino S.p.A.
> >>>> Via XXVIII Luglio, 212 - Piano -2
> >>>> 47893 Borgo Maggiore
> >>>> Republic of San Marino
> >>>>
> >>>> http://www.telecomitalia.sm
> >>>>
> >>
> >>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
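
As an added example (not part of the original thread, and not FreeRADIUS code): a small Python parser for the radius.log line format shown in the quoted excerpt. It tallies the level tag on each line so the levels actually present can be checked, extracts the parenthesised request number from Auth lines, and masks the password string quoted in the reject reason. The sample lines are modelled on the posted log with mail wrapping undone; the function and field names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: lines modelled on the radius.log excerpt quoted in the
# thread, with the mail client's line wrapping undone.
SAMPLE_LOG = """\
Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server inner-tunnel
Fri Apr 14 09:14:26 2017 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Fri Apr 14 09:14:26 2017 : Info: Ready to process requests
Fri Apr 14 09:14:30 2017 : Auth: (0) Login OK: [bob] (from client localhost port 0)
Fri Apr 14 09:14:32 2017 : Auth: (1) Login incorrect (pap: Cleartext password "hellox" does not match "known good" password): [bob] (from client localhost port 0)
"""

# "<ctime timestamp> : <Level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
# "(<request no.>) Login OK|incorrect [(<reason>)]: [<user>] (from client <c> port <n>)"
AUTH_RE = re.compile(
    r"^\((?P<req>\d+)\) (?P<result>Login OK|Login incorrect)(?: \((?P<reason>.*)\))?"
    r": \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)\)$")
# The reject reason in the posted log quotes a password string; mask it.
SECRET_RE = re.compile(r'(Cleartext password )"[^"]*"')


def parse(text):
    """Return (level counts, parsed Auth events, lines that did not parse)."""
    levels, events, unparsed = Counter(), [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # e.g. wrapped or truncated lines
            continue
        levels[m["level"]] += 1
        a = AUTH_RE.match(m["msg"]) if m["level"] == "Auth" else None
        if a:
            ev = a.groupdict()
            ev["req"] = int(ev["req"])
            ev["leaks_password"] = bool(ev["reason"] and SECRET_RE.search(ev["reason"]))
            if ev["reason"]:
                ev["reason"] = SECRET_RE.sub(r'\1"<redacted>"', ev["reason"])
            events.append(ev)
    return levels, events, unparsed


if __name__ == "__main__":
    levels, events, unparsed = parse(SAMPLE_LOG)
    print(dict(levels))
    for ev in events:
        print(ev["req"], ev["result"], ev["user"], ev["reason"], ev["leaks_password"])
```
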
