Hello, Please see the debug log: (log output from command >> freeradius -fxx -l stdout) and with "freeradius -X" it works fine. My issue is that debug mode "freeradius -X" the authentication works great but once I try with normal mode it doesn't. I have checked all the permissions all are correct. Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.99 port 50000, id=24, length=177 Threads: total/active/spare threads = 5/0/5 Waking up in 0.9 seconds. Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) User-Name = "TEST.COM\\user1" Calling-Station-Id = "0000005e5523" EAP-Message = 0x0200003f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467 Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8 [<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default [<thread>] +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST.COM\user1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "TEST.COM" for User-Name = "TEST.COM\user1" [ntdomain] No such realm "TEST.COM" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_perl: Added pair User-Name = TEST.COM\\user1 rlm_perl: Added pair EAP-Message = 0x0200003f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 192.168.1.99 rlm_perl: Added pair Calling-Station-Id = 0000005e5523 rlm_perl: Added pair Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok [files] users: Matched entry DEFAULT at line 147 ++[files] returns ok [ldap] performing user authorization for TEST.COM\user1 [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=user1) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 192.168.1.120:389, authentication 0 [ldap] bind as cn=admin,dc=example,dc=com/yubico to 192.168.1.120:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=example,dc=com, with filter (uid=user1) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Cleartext-Password == "yubico" [ldap] userPassword -> Password-With-Header == "yubico" [ldap] looking for reply items in directory... [ldap] user TEST.COM\user1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group EAP {...} rlm_perl: Added pair User-Name = TEST.COM\\user1 rlm_perl: Added pair EAP-Message = 0x0200003f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467 rlm_perl: Added pair Calling-Station-Id = 0000005e5523 rlm_perl: Added pair NAS-IP-Address = 192.168.1.99 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8 rlm_perl: Added pair Cleartext-Password = yubico rlm_perl: Added pair Password-With-Header = yubico rlm_perl: Added pair Ldap-UserDn = uid=user1,ou=people,dc=example,dc=com rlm_perl: Added pair Auth-Type = EAP ++[perl] returns noop [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 24 to 192.168.1.99 port 50000 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x122bbc42122aa5a2412bf0f529fb8dfe Finished request 0. Going to the next request Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.1.99 port 50000, id=25, length=348 Waking up in 0.9 seconds. Thread 4 got semaphore Thread 4 handling request 1, (1 handled so far) User-Name = "TEST.COM\\user1" Calling-Station-Id = "0000005e5523" EAP-Message = 0x020100d8190016030100cd010000c9030151189e9c9fbe653e32873d8edf71da69da00c2f53aba302ad4fd7b82cc7df16d00005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 Message-Authenticator = 0x0455c39fc67f100bbe7b8bef15fbea80 State = 0x122bbc42122aa5a2412bf0f529fb8dfe [<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default [<thread>] +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST.COM\user1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "TEST.COM" for User-Name = "TEST.COM\user1" [ntdomain] No such realm "TEST.COM" ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 216 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group EAP {...} rlm_perl: Added pair User-Name = [here the username is not getting ???] rlm_perl: Added pair EAP-Message = 0x020100d8190016030100cd010000c9030151189e9c9fbe653e32873d8edf71da69da00c2f53aba302ad4fd7b82cc7df16d00005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 rlm_perl: Added pair EAP-Type = PEAP rlm_perl: Added pair NAS-IP-Address = 192.168.1.99 rlm_perl: Added pair State = 0x122bbc42122aa5a2412bf0f529fb8dfe rlm_perl: Added pair Calling-Station-Id = 0000005e5523 rlm_perl: Added pair Message-Authenticator = 0x0455c39fc67f100bbe7b8bef15fbea80 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns noop [eap] Request found, released from the list [eap] Identity does not match User-Name. Authentication failed. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ++[attr_filter.access_reject] returns noop Delaying reject of request 1 for 1 seconds Going to the next request Thread 4 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.1.99 port 50000, id=25, length=348 Waiting to send Access-Reject to client 14_192.168.1.99 port 50000 - ID: 25 Sending delayed reject for request 1 Sending Access-Reject of id 25 to 192.168.1.99 port 50000 Waking up in 3.9 seconds. Cleaning up request 0 ID 24 with timestamp +8 Waking up in 1.0 seconds. Cleaning up request 1 ID 25 with timestamp +8 Ready to process requests. ________________________________ From: Phil Mayers <p.mayers@imperial.ac.uk> To: freeradius-users@lists.freeradius.org Sent: Monday, 11 February 2013 3:57 PM Subject: Re: freeradius not working in normal mode but working in debug mode On 02/11/2013 10:11 AM, Nandkumar Palkar wrote:
version 2.1.10
You should upgrade; that version has a known security bug.
Module - LDAP
In this case debug log shows the username, but while i debug to stdout it shows no username.
freeradius -fxx -l stdout
Just to be clear - when you say it "works in debug mode" what *exactly* do you mean? In usual use, "debug mode" means: radiusd -X ...but you list a different command line. Which command line works, and which command line doesn't? When it doesn't work, what are the symptoms? Please show the debug output when it *does* work. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html