Crash of server with RADSEC
hi, had a nasty Abort of the server when RADSEC configured: Opening new proxy (0.0.0.0, 0) -> home_server (192.168.100.2, 2083) Trying SSL to port 2083 Requiring Server certificate Waking up in 0.1 seconds. Listening on proxy (172.16.1.2, 42575) -> home_server (192.168.100.2, 2083) (1) Proxying request to home server 192.168.100.2 port 2083 Thread 53 waiting to be assigned a request Marking home server 192.168.100.2 port 2083 as zombie (it looks like it is dead). ASSERT FAILED process.c[2374]: home->proto != IPPROTO_TCP Aborted the remote server was up but just not responding at that time - the same test worked as expected when the remote end was answering a few minute later (have done about 100 auths through a RADSEC link now) PS the default config has the password 'testing123' for RADSEC - there is a proposed standard (think its waiting for ratification) - 'radsec' - though I believe that both RADIATOR and radsecproxy use 'mysecret' as the default - worth aligning? alan
Alan Buxey wrote: ...
Marking home server 192.168.100.2 port 2083 as zombie (it looks like it is dead). ASSERT FAILED process.c[2374]: home->proto != IPPROTO_TCP Aborted
Oops. I've deleted the assert. I think that should work...
PS the default config has the password 'testing123' for RADSEC - there is a proposed standard (think its waiting for ratification) - 'radsec' - though I believe that both RADIATOR and radsecproxy use 'mysecret' as the default - worth aligning?
Probably... Alan DeKok.
Hi, ..and another one uncovered (reproduce by allowing output port 2083 run FR to get an authentication and then drop port 2083 with iptables so that it cannot contact home server....) Waking up in 0.1 seconds. Marking home server 192.168.100.2 port 2083 as zombie (it looks like it is dead). PING: Zombie period is over Marking home server 192.168.100.2 port 2083 as dead. PING: Already pinging home server PING: Waiting 4 seconds for response to ping PING: Next status packet in 30 seconds Waking up in 3.3 seconds. (6) Cleaning up request packet ID 184 with timestamp +301 Waking up in 0.6 seconds. No response to status check 8 for home server 192.168.100.2 port 2083 Segmentation fault alan
Alan Buxey <a.l.m.buxey@lboro.ac.uk> wrote:
..and another one uncovered
(reproduce by allowing output port 2083 run FR to get an authentication and then drop port 2083 with iptables so that it cannot contact home server....)
Waking up in 0.1 seconds. Marking home server 192.168.100.2 port 2083 as zombie (it looks like it is dead). PING: Zombie period is over Marking home server 192.168.100.2 port 2083 as dead. PING: Already pinging home server PING: Waiting 4 seconds for response to ping PING: Next status packet in 30 seconds Waking up in 3.3 seconds. (6) Cleaning up request packet ID 184 with timestamp +301 Waking up in 0.6 seconds. No response to status check 8 for home server 192.168.100.2 port 2083 Segmentation fault
GDB is everyones friend (along with -O0 compiling) ;) Cheers -- Alexander Clouter .sigmonster says: Put cats in the coffee and mice in the tea!
hi, first up, quick little wierd niggle. if i define a client as a radsec client but make a silly error, eg i use ip6addr rather than ipv6addr, then the server still accepts the value and that remote IPv6 client can get access. if, however, I make the same mistake in the home_server section then radiusd barfs out saying /etc/raddb/sites-enabled/tls[309]: No ipaddr, ipv6addr, or virtual_server defined for home server "tls" I verified this with a deliberate break, grepping for the output: [root@server freeradius-server]# radiusd -fxx -l stdout | grep "IPv6 address" ipv6addr = roaming.me.com IPv6 address [2a01:600:100:128::188] ipv6addr = 2001:db8:101:80:20c:29ff::168 IPv6 address [2001:0db8:301:1080:20c:29ff::168] ipv6addr = :: IPv6 address [::] [root@server freeradius-server]# !vi vi /etc/raddb/sites-enabled/tls [root@server freeradius-server]# radiusd -fxx -l stdout | grep "IPv6 address" ipv6addr = roaming.me.com IPv6 address [2a01:600:100:128::188] ipv6addr = :: IPv6 address [::] also, for RADSEC the clients have their own configuration section......will these be able to go into eg SQL naslist at some point (our current clients are all in postgresql table....) or can the daemon handle them being defined and called in from eg clients-tls.conf ?? many thanks alan
participants (3)
-
Alan Buxey -
Alan DeKok -
Alexander Clouter