I don't recall that being part of v2.
I got some free time yesterday, I looked through our old v2 config. I believe in v2, it was due to our config, which set Auth-Type to ldap, and since it failed to retrieve a non existent user from ldap it would log the ldap failure error. For our new config, we refrained from setting the Auth-Type to ldap as recommended by the documentation. We get no Auth-type found error because there is no Auth-Type found, since ldap can't provide a "known good" to pap.
But it's easy enough to add in unlang:
-ldap { if (notfound) { ... add a message here. }
I could not find which attribute/variable to update with my message, since there is no failure in the authorize santza. For now I have made the following linelog. linelog log_ldap_user_notfound { filename = ${logdir}/radius.log permissions = 0640 format = "%t : Login incorrect: (ldap: user %{User-Name} not found) Client-Mac = %{Calling-Station-Id}" } And added the following in the authorize santza after ldap. ldap if (notfound){ log_ldap_user_notfound } But this outputs an extra line in the radius.log since we use the auth = yes radius.conf. If there is better way to do this let know, in the mean time if I find a better solution I will post it to the mailing list. Thanks, Thomas On Mon, May 19, 2025 at 6:12 PM <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Can Post-Auth-Type REJECT log LDAP user not found (thomas) 2. radiusd crashes. ASSERT FAILED src/main/threads.c[794] (Sergei Kodentsev) 3. Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] (Alan DeKok) 4. Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] (Sergei Kodentsev) 5. Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] (Alan DeKok) 6. Re: Can Post-Auth-Type REJECT log LDAP user not found (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Mon, 19 May 2025 14:07:19 +0200 From: thomas <thomas.nodon@gmail.com> To: freeradius-users@lists.freeradius.org Subject: Can Post-Auth-Type REJECT log LDAP user not found Message-ID: <CAOPTCcfeQKoZsJYCNywmA1QU524tuUZuMnON4f6yV4Ez-fkOrw@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Hello everyone,
I have setup up a FreeRADIUS server with EAP-TTLS/PAP and OpenLDAP, the setup works fine.
I have a question regarding Post-Auth-Type REJECT, it correctly logs Login incorrect, but the &Module-Failure-Message is ambiguous for our needs when it comes to troubleshooting.
I get the following log if a user types their username incorrectly :
`Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [johndo@lab.local] (from client localhost port 0 via TLS tunnel)`
Is it possible to log something along the lines of "LDAP user not found" without making custom loglines? I believe this was possible on FreeRADIUS 2.x.x.
You can find the debug info below.
Thanks in advance !
--Thomas
(5) Received Access-Request Id 5 from 127.0.0.1:47099 to 127.0.0.1:1812 length 229 (5) User-Name = "anonymous@lab.local" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x02b2005315001703030048688da1ee57de5c653ec5b3ddb3fddaf954b25a2814726949f8960b9c81902198bf3054cc85cee621707608ab4bb4fecdd2dd6c1c55b33338264afb10435abffeb1198b43490adde2 (5) State = 0x5cf4dd435846c8abb4f3a6e2030e9f16 (5) Message-Authenticator = 0x161a97e6923da68704ab1e2c3048d6af (5) Restoring &session-state (5) &session-state:Framed-MTU = 1004 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) &session-state:TLS-Session-Version = "TLS 1.2" (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) if !("%{User-Name}" =~ /@lab.local$/) { (5) EXPAND %{User-Name} (5) --> anonymous@lab.local (5) if !("%{User-Name}" =~ /@lab.local$/) -> FALSE (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "lab.local" for User-Name = "anonymous@lab.local" (5) suffix: Found realm "lab.local" (5) suffix: Adding Realm = "lab.local" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) eap: Peer sent EAP Response (code 2) ID 178 length 83 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x5cf4dd435846c8ab (5) eap: Finished EAP session with state 0x5cf4dd435846c8ab (5) eap: Previous EAP request found for state 0x5cf4dd435846c8ab, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: (TLS) EAP Done initial handshake (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Got tunneled request (5) eap_ttls: User-Name = "johndo@lab.local" (5) eap_ttls: User-Password = "johndoe" (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_ttls: Sending tunneled request (5) Virtual server inner-tunnel received request (5) User-Name = "johndo@lab.local" (5) User-Password = "johndoe" (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) server inner-tunnel { (5) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "lab.local" for User-Name = "johndo@lab.local" (5) suffix: Found realm "lab.local" (5) suffix: Adding Realm = "lab.local" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: No EAP-Message, not doing EAP (5) [eap] = noop (5) [expiration] = noop (5) [logintime] = noop rlm_ldap (ldap): Reserved connection (0) (5) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap: --> (uid=johndo@lab.local) (5) ldap: Performing search in "o=univ,dc=lab,dc=local" with filter "(uid=johndo@lab.local)", scope "sub" (5) ldap: Waiting for search result... (5) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.lab.local:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (5) [ldap] = notfound (5) } # authorize = ok (5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> johndo@lab.local (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) update outer.session-state { (5) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (5) } # update outer.session-state = noop (5) } # Post-Auth-Type REJECT = updated (5) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [johndo@lab.local] (from client localhost port 0 via TLS tunnel) (5) } # server inner-tunnel (5) Virtual server sending reply (5) eap_ttls: Got tunneled Access-Reject (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (5) eap: Sending EAP Failure (code 4) ID 178 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> anonymous@lab.local (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [anonymous@lab.local] (from client localhost port 0 cli 02-00-00-00-00-01) (5) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 5 from 127.0.0.1:1812 to 127.0.0.1:47099 length 44 (5) EAP-Message = 0x04b20004 (5) Message-Authenticator = 0x00000000000000000000000000000000
------------------------------
Message: 2 Date: Mon, 19 May 2025 15:32:51 +0300 From: Sergei Kodentsev <sergk@ic.vrn.ru> To: freeradius-users@lists.freeradius.org Subject: radiusd crashes. ASSERT FAILED src/main/threads.c[794] Message-ID: <a8cef70b-bccf-4c8b-876b-db7307fb9852@ic.vrn.ru> Content-Type: text/plain; charset=UTF-8; format=flowed
Hi, Freradius 3.2.7, Ubuntu 24.04.2 LTS How to solve this problem?
Mon May 19 09:17:25 2025 : Error: (11542) Ignoring duplicate packet from client dhcp port 68 - ID: 3396190219 due to unfinished request in component post-auth module dhcplog Mon May 19 09:17:25 2025 : Error: Received conflicting packet from client dhcp port 68 - ID: 734446164 due to unfinished request in module dhcplog.? Giving up on old request. Mon May 19 09:17:25 2025 : Error: Received conflicting packet from client dhcp port 68 - ID: 734446164 due to unfinished request in module <queue>.? Giving up on old request. Mon May 19 09:17:25 2025 : Error: ASSERT FAILED src/main/threads.c[794]: request->child_state == REQUEST_QUEUED CAUGHT SIGNAL: Aborted Backtrace of last 6 frames: /usr/local/radius3/lib/libfreeradius-radius.so(fr_fault+0x139)[0x71d729f4b3d6] /usr/local/radius3/lib/libfreeradius-server.so(rad_assert_fail+0x4d)[0x71d729fb9591] /usr/local/radius3/sbin/radiusd(+0x4cf9e)[0x63cb44340f9e] /usr/local/radius3/sbin/radiusd(+0x4d275)[0x63cb44341275] /lib/x86_64-linux-gnu/libc.so.6(+0x9caa4)[0x71d72969caa4] /lib/x86_64-linux-gnu/libc.so.6(+0x129c3c)[0x71d729729c3c] Calling: gdb -silent -x /usr/local/radius3/etc/raddb/panic.gdb /usr/local/radius3/sbin/radiusd 3026728 2>&1 | tee /usr/local/radius3/var/log/radius/gdb-radiusd-3026728.log Temporarily setting PR_DUMPABLE to 1 Mon May 19 09:17:25 2025 : WARNING: (11548) WARNING: Module dhcplog(rlm_sql) became unblocked Mon May 19 09:17:25 2025 : Error: (11571) Ignoring duplicate packet from client dhcp port 67 - ID: 3795885685 due to unfinished request in component <core> module Resetting PR_DUMPABLE to 0 Panic action exited with 0 _EXIT(0) CALLED src/lib/debug.c[811]
regards, Sergey Kodentsev
-- ? ?????????, ?????? ????????, ??????????? ?????, ??? ?? "???????????-??????????"
------------------------------
Message: 3 Date: Mon, 19 May 2025 08:28:02 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] Message-ID: <8093EBD2-0BD3-4956-87CE-308964F73540@deployingradius.com> Content-Type: text/plain; charset=utf-8
On May 19, 2025, at 7:32?AM, Sergei Kodentsev <sergk@ic.vrn.ru> wrote:
Hi, Freradius 3.2.7, Ubuntu 24.04.2 LTS How to solve this problem?
For now, delete the assertion and recompile. We've pushed a fix to GitHub, and the fix will be in the next release.
Alan DeKok.
------------------------------
Message: 4 Date: Mon, 19 May 2025 16:52:52 +0300 From: Sergei Kodentsev <sergk@ic.vrn.ru> To: freeradius-users@lists.freeradius.org Subject: Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] Message-ID: <929d5521-86b1-47fb-92c7-293c25d5eb60@ic.vrn.ru> Content-Type: text/plain; charset=UTF-8; format=flowed
On 19.05.2025 16:28, Alan DeKok wrote:
On May 19, 2025, at 7:32?AM, Sergei Kodentsev <sergk@ic.vrn.ru> wrote: For now, delete the assertion and recompile. We've pushed a fix to GitHub, and the fix will be in the next release.
How to delete? assertion?
Sergey Kodentsev.
------------------------------
Message: 5 Date: Mon, 19 May 2025 09:11:36 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] Message-ID: <C11286E6-6710-46D6-867A-94155C4DF7CA@deployingradius.com> Content-Type: text/plain; charset=utf-8
On May 19, 2025, at 8:52?AM, Sergei Kodentsev <sergk@ic.vrn.ru> wrote:
On 19.05.2025 16:28, Alan DeKok wrote:
On May 19, 2025, at 7:32?AM, Sergei Kodentsev <sergk@ic.vrn.ru> wrote: For now, delete the assertion and recompile. We've pushed a fix to GitHub, and the fix will be in the next release.
How to delete assertion?
Edit the source code.
Alan DeKok.
------------------------------
Message: 6 Date: Mon, 19 May 2025 11:10:15 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Can Post-Auth-Type REJECT log LDAP user not found Message-ID: <3EF9709C-7D7E-43EE-968D-D2E7ADD46B3B@deployingradius.com> Content-Type: text/plain; charset=utf-8
On May 19, 2025, at 7:07?AM, thomas <thomas.nodon@gmail.com> wrote:
I have a question regarding Post-Auth-Type REJECT, it correctly logs Login incorrect, but the &Module-Failure-Message is ambiguous for our needs when it comes to troubleshooting.
You can always check the return code of the LDAP module, and then manually add a message.
Is it possible to log something along the lines of "LDAP user not found" without making custom loglines? I believe this was possible on FreeRADIUS 2.x.x.
I don't recall that being part of v2. But it's easy enough to add in unlang:
ldap if (notfound) { ... add a message here. }
Alan DeKok.
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 241, Issue 23 *************************************************