Background info:

# uname -a
Linux removed.com 2.6.9-67.0.22.EL #1 Wed Jul 23 17:17:45 EDT 2008 i686 i686 i386 GNU/Linux

FreeRADIUS installed via an RPM:
# rpm -qa | grep radius
freeradius-1.0.1-3.RHEL4.5

# radiusd -v
radiusd: FreeRADIUS Version 1.0.1, for host , built on Apr 25 2007 at 08:19:46
Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

We start/stop it via the init.d script, which states:
RADIUSD=/usr/sbin/radiusd
LOCKF=/var/lock/subsys/radiusd
CONFIG=/etc/raddb/radiusd.conf

Our /etc/raddb/radiusd.conf clearly states not to log passwords:
# allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no

However, it's still logging good-password auths..

# ll /etc/radacct/ | wc -l
631

# cat auth-detail-20081023

Packet-Type = Access-Request
<removed>
User-Name = "username"
 User-Password = "password"
 NAS-IP-Address = 127.0.0.1
 Client-IP-Address = 127.0.0.1

Starting it manually with debug turned on, here is what I see..

# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/"
 main: localstatedir = "//var"
 main: logdir = "/var/log"
 main: libdir = "//lib"
 main: radacctdir = "/etc/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/var/log/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "//var/run/radiusd/radiusd.pid"
 main: bind_address = 192.168.1.1 IP address [192.168.1.1]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "//sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = "/etc/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = "/etc/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.1.1:1812
Listening on accounting 192.168.1.1:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.10:2702, id=165, length=53
 User-Name = "username"
 User-Password = "removed"
 NAS-IP-Address = 10.10.10.10
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/etc/radacct/10.10.10.10/auth-detail-20090106'
rlm_detail: /etc/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /etc/radacct/10.10.10.10/auth-detail-20090106
 modcall[authorize]: module "auth_log" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 0
 rlm_realm: No '@' in User-Name = "username", looking up realm NULL
 rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 users: Matched DEFAULT at 153
 users: Matched username at 316
 modcall[authorize]: module "files" returns ok for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
 rad_check_password: Found Auth-Type System
auth: type "System"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
 modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [username] (from client hostname.com port 0)
Sending Access-Accept of id 165 to 10.10.10.10:2702
 NS-Admin-Privilege = All-VSYS-Root-Admin
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

You can see it touched and updated the file with the new record..

# ll
total 4
-rw------- 1 root root 342 Jan 6 10:17 auth-detail-20090106

So why is it doing this? How can I stop it? Ideally I would like radius to NOT store passwords in plain text..

Any help is appreciated, thanks all!

-Tim Eberhard
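Editor's note on the trace above: the `log_auth_badpass` / `log_auth_goodpass` settings only govern whether the password is appended to the "Login OK" / "Login incorrect" lines in radius.log. The file being written here comes from a different place: the `auth_log` instance of the `detail` module, which the debug output shows running in the `authorize` section ("module "auth_log" returns ok") and expanding to `/etc/radacct/<client>/auth-detail-YYYYMMDD`. That module writes every attribute of the Access-Request it is handed, User-Password included, so a detail file under radacct is the place to audit. The script below is an added example, not code from the original post or from the FreeRADIUS project. It assumes only the on-disk layout rlm_detail uses (a timestamp header line, tab-indented `Attribute = value` lines, a blank line between records), parses such files, reports which records carry a credential attribute, and produces a scrubbed copy that leaves everything else byte-identical so existing tooling can still read it. The sample records and the attribute list `SECRET_ATTRS` are constructed for the example.

```python
"""Audit and scrub FreeRADIUS rlm_detail files for logged credentials.

Added example; not part of the original post or of FreeRADIUS. Assumes the
detail-file layout rlm_detail writes: a non-indented timestamp line, one
indented "Attribute = value" line per attribute, a blank line between records.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample in that layout (the hostnames, users and values are made up).
SAMPLE_DETAIL = """\
Tue Jan  6 10:17:00 2009
\tPacket-Type = Access-Request
\tUser-Name = "username"
\tUser-Password = "hunter2"
\tNAS-IP-Address = 127.0.0.1
\tClient-IP-Address = 127.0.0.1
\tTimestamp = 1231255020

Tue Jan  6 10:18:31 2009
\tPacket-Type = Access-Request
\tUser-Name = "bob"
\tCHAP-Password = 0x0123456789abcdef0123456789abcdef01
\tNAS-IP-Address = 10.10.10.10
\tClient-IP-Address = 10.10.10.10
\tTimestamp = 1231255111

"""

# Attributes whose presence on disk means a credential was logged (assumption:
# User-Password is the plaintext; CHAP-Password is a challenge/response that is
# still offline-guessable, so it is treated as a secret here as well).
SECRET_ATTRS = ("User-Password", "CHAP-Password")
REDACTED = '"<redacted>"'

Record = Dict[str, object]


def parse_detail(text: str) -> List[Record]:
    """Split a detail file into records: {'timestamp': str, 'attrs': [(name, value), ...]}.

    Attributes are kept as an ordered list because RADIUS allows repeats.
    """
    records: List[Record] = []
    current: Record = {}
    for raw in text.splitlines():
        if not raw.strip():                      # blank line closes a record
            if current:
                records.append(current)
                current = {}
            continue
        if raw[0] not in " \t":                  # non-indented line is the header
            current = {"timestamp": raw.strip(), "attrs": []}
            continue
        if not current:                          # tolerate a truncated file head
            current = {"timestamp": "", "attrs": []}
        name, sep, value = raw.strip().partition(" = ")
        if sep:
            current["attrs"].append((name, value))  # type: ignore[union-attr]
    if current:
        records.append(current)
    return records


def find_logged_secrets(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, attribute) for each record that still holds a secret value."""
    hits: List[Tuple[str, str, str]] = []
    for rec in parse_detail(text):
        attrs = rec["attrs"]                     # type: ignore[assignment]
        user = dict(attrs).get("User-Name", "").strip('"')
        for name, value in attrs:
            if name in SECRET_ATTRS and value != REDACTED:
                hits.append((str(rec["timestamp"]), user, name))
    return hits


# Matches an indented secret-attribute line; the prefix group keeps the original
# indentation and "Name = " so the rewritten file stays parseable.
_SECRET_LINE = re.compile(
    r"^(?P<prefix>[ \t]+(?:%s)[ \t]*=[ \t]*).*$" % "|".join(map(re.escape, SECRET_ATTRS)),
    re.MULTILINE,
)


def redact_detail(text: str) -> str:
    """Replace only the value of each secret attribute; every other byte is unchanged."""
    return _SECRET_LINE.sub(lambda m: m.group("prefix") + REDACTED, text)


if __name__ == "__main__":
    # Usage: python audit_detail.py /etc/radacct/*/auth-detail-*  (no args: run on the sample)
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]] \
        or [("<sample>", SAMPLE_DETAIL)]
    for path, body in sources:
        for ts, user, attr in find_logged_secrets(body):
            print("%s: %s logged for user %r at %s" % (path, attr, user, ts))
```

Running it with no arguments audits the embedded sample and reports both records; pointing it at the files under `/etc/radacct` shows how many stored requests carry a password. `redact_detail` is deliberately separate from the reporting path so a scrubbed copy can be written and verified with `find_logged_secrets` before the original is removed.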