On Wed, 30 Sep 2009, Ivan Kalik wrote:
We have a client running FreeRadius 2.1.6 on a Linux box authenticating against shadow passwords. I've gone over the radiusd.conf and it appears that the expire module is enabled by default in the global config (there are no virtual servers here). However, FreeRadius appears to be ignoring this attribute and authenticating users with expired passwords anyway. I tried expiring the account and that worked, but it would be much better to have it respect expired passwords.
Debug?
Ivan Kalik
Ok, here's the output running with "-xx" debugging: group = wheel user = root including dictionary file /usr/etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/usr/var" logdir = "/var/log/radius" libdir = "/usr/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "DELETED" nastype = "other" } client 216.1.12.66 { require_message_authenticator = no secret = "DELETED" shortname = "cisco_pptp" nastype = "cisco" } client 192.168.3.36 { require_message_authenticator = no secret = "DELETED" shortname = "s036" nastype = "other" } client 216.1.12.74 { require_message_authenticator = no secret = "DELETED" shortname = "utopia" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Ignoring EAP-Type/tls because we do not have OpenSSL support. Ignoring EAP-Type/ttls because we do not have OpenSSL support. Ignoring EAP-Type/peap because we do not have OpenSSL support. Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/etc/raddb/users" acctusersfile = "/usr/etc/raddb/acct_users" preproxy_usersfile = "/usr/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/etc/raddb/huntgroups" hints = "/usr/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NA S-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d " header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_ippool Module: Instantiating medium_pool ippool medium_pool { session-db = "/usr/etc/raddb/db.medium_ippool" ip-index = "/usr/etc/raddb/db.medium_ipindex" key = "%{NAS-IP-Address} %{NAS-Port}" range-start = 172.16.31.101 range-stop = 172.16.31.253 netmask = 255.255.255.0 cache-size = 251 override = yes maximum-timeout = 0 } Module: Instantiating super_pool ippool super_pool { session-db = "/usr/etc/raddb/db.super_ippool" ip-index = "/usr/etc/raddb/db.super_ipindex" key = "%{NAS-IP-Address} %{NAS-Port}" range-start = 172.16.30.101 range-stop = 172.16.30.253 netmask = 255.255.255.0 cache-size = 251 override = yes maximum-timeout = 0 } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 300 cleanup_delay = 5 max_queue_size = 65536 } Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread spawned new child 3. Total threads in pool: 3 Thread spawned new child 4. Total threads in pool: 4 Thread spawned new child 5. Total threads in pool: 5 Thread pool initialized radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 Thread 1 waiting to be assigned a request Thread 2 waiting to be assigned a request Thread 5 waiting to be assigned a request Re-wait 1 Thread 4 waiting to be assigned a request Thread 3 waiting to be assigned a request } listen { type = "acct" ipaddr = * port = 0 Re-wait 1 Re-wait 5 Re-wait 4 Re-wait 3 Re-wait 1 Re-wait 2 } Re-wait 1 Re-wait 4 Re-wait 3 Re-wait 5 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. Threads: total/active/spare threads = 5/0/5 Waking up in 0.9 seconds. Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [files] users: Matched entry test at line 173 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "DELETED" [pap] Using CRYPT encryption. [pap] User authenticated successfully ++[pap] returns ok Login OK: [test] (from client cisco_pptp port 442) +- entering group post-auth {...} [medium_pool] Could not find Pool-Name attribute. ++[medium_pool] returns noop [super_pool] Could not find Pool-Name attribute. ++[super_pool] returns noop ++[exec] returns noop Finished request 0. Going to the next request Thread 1 waiting to be assigned a request Waking up in 4.0 seconds. Cleaning up request 0 ID 102 with timestamp +18 Ready to process requests. James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================