On 04/11/2014 07:24 PM, Matthew Newton wrote:
Hi,
On Fri, Apr 11, 2014 at 06:51:59PM -0400, Casey Daniels wrote:
On 04/11/2014 05:05 PM, Alan DeKok wrote:
Run the server in debug mode, as suggested in the FAQ, "man" page, web pages, and daily on this list. When you don't do that, you waste everyones time. I always run it in -X, and have the information sent to a file for review so that I don't have to try and watch items scroll past the screen. The implication here was that there is no point running it in debug mode, and then keeping the output to yourself...
The advice always on this list is to run it with -X, and post the full output to the list. That way people can help you much more easily.
Cheers,
Matthew
Sorry didn't want to send a huge message with a bunch of debugging stuff to clutter things up, but here it is. Starting FreeRadius Daemon...[1mradiusd: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on Oct 26 2013 at 18:29:10[0m [1mCopyright (C) 1999-2013 The FreeRADIUS server project and contributors.[0m [1mThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A[0m [1mPARTICULAR PURPOSE.[0m [1mYou may redistribute copies of FreeRADIUS under the terms of the[0m [1mGNU General Public License.[0m [1mFor more information about these matters, see the file named COPYRIGHT.[0m [1mStarting - reading configuration files ...[0m including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/logintime including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/filter including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/wifi main { security { user = "radius" group = "radius" chroot = "/srv/freeradius" allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/usr/local/var" sbindir = "/usr/local/sbin" logdir = "/var/log" run_dir = "/var/run" libdir = "/lib" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 5096 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no colourise = yes } security { max_attributes = 200 reject_delay = 3 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipv6addr = ::1 IPv6 address [::1] netmask = 128 require_message_authenticator = yes secret = "testing123" proto = "udp" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client wlan-west { ipaddr = 10.50.1.2 netmask = 32 require_message_authenticator = yes secret = "test123" proto = "udp" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_radutmp # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_soh # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_eap # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 4096 } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/prouter-radius.pem" certificate_file = "/etc/raddb/certs/prouter-radius_crt.pem" ca_file = "/etc/raddb/certs/cacert.pem" private_key_password = "2rU36=L-mdKYVbG" dh_file = "/etc/raddb/certs/dh_radius" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Loaded module rlm_detail # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Loaded module rlm_always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "%{%{Packet-Type}:-format}" } # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Loaded module rlm_files # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" usersfile = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" compat = "no" } reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Loaded module rlm_expr # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-auth {...} } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading virtual module filter_username # Loading preacct {...} # Loading virtual module acct_unique # Loading accounting {...} # Loading post-auth {...} # Loading virtual module remove_reply_message_if_eap # Loading virtual module remove_reply_message_if_eap } # server server wifi { # from file /etc/raddb/sites-enabled/wifi # Loading authenticate {...} # Loading authorize {...} # Loading virtual module filter_username # Loading preacct {...} # Loading virtual module acct_unique # Loading accounting {...} # Loading post-auth {...} # Loading virtual module remove_reply_message_if_eap # Loading virtual module remove_reply_message_if_eap } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipv6addr = ::1 IPv6 address [::1] port = 18120 } listen { type = "auth" ipaddr = 10.50.1.1 port = 0 } listen { type = "acct" ipaddr = 10.50.1.1 port = 0 } listen { type = "auth" ipv6addr = ::1 IPv6 address [::1] port = 1812 } listen { type = "acct" ipv6addr = ::1 IPv6 address [::1] port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address ::1 port 18120 as server inner-tunnel Listening on auth interface br0 address 10.50.1.1 port 1812 as server default Listening on acct interface br0 address 10.50.1.1 port 1813 as server default Listening on auth interface lo address ::1 port 1812 as server wifi Listening on acct interface lo address ::1 port 1813 as server wifi [1mReady to process requests.[0m rad_recv: Access-Request packet from host ::1 port 33053, id=230, length=180 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53480235-00000077' Framed-MTU = 1400 EAP-Message = 0x024b000a017374657665 Message-Authenticator = 0x20f961946495ef0285ebaae426debb71 (0) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (0) authorize { (0) filter_username filter_username { (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'steve' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140411' (0) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140411 (0) auth_log : expand: "%t" -> 'Fri Apr 11 22:36:59 2014' (0) [auth_log] = ok (0) files : users: Matched entry steve at line 73 (0) [files] = ok (0) ? if (wifi_key != "true") (0) expand: "true" -> 'true' (0) ? if (wifi_key != "true") -> TRUE (0) if (wifi_key != "true") { (0) [reject] = reject (0) } # if (wifi_key != "true") = reject (0) } # authorize = reject [1m(0) Invalid user: [steve/<no User-Password attribute>] (from client localhost port 1 cli 30-D6-C9-6C-44-4B)[0m (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/wifi (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : expand: "%{User-Name}" -> 'steve' (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request was previously rejected, inserting EAP-Failure (0) [eap] = updated (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) ? if (reply:EAP-Message && reply:Reply-Message) (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Finished request 0. Waking up in 0.3 seconds. Waking up in 2.6 seconds. rad_recv: Access-Request packet from host ::1 port 33053, id=230, length=180 [31m(0) Discarding duplicate request from client localhost port 33053 - ID: 230 due to delayed reject[0m (0) Sending delayed reject Sending Access-Reject of id 230 from ::1 port 1812 to ::1 port 33053 EAP-Message = 0x044b0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. (0) Cleaning up request packet ID 230 with timestamp +19 [1mReady to process requests.[0m rad_recv: Access-Request packet from host ::1 port 33053, id=231, length=180 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53480235-00000078' Framed-MTU = 1400 EAP-Message = 0x0261000a017374657665 Message-Authenticator = 0x19c4400d77d1ef651ef9755cae9098b6 (1) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (1) authorize { (1) filter_username filter_username { (1) ? if (User-Name != "%{tolower:%{User-Name}}") (1) expand: "%{tolower:%{User-Name}}" -> 'steve' (1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) ? if (User-Name =~ / /) (1) ? if (User-Name =~ / /) -> FALSE (1) ? if (User-Name =~ /@.*@/ ) (1) ? if (User-Name =~ /@.*@/ ) -> FALSE (1) ? if (User-Name =~ /\\.\\./ ) (1) ? if (User-Name =~ /\\.\\./ ) -> FALSE (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) ? if (User-Name =~ /\\.$/) (1) ? if (User-Name =~ /\\.$/) -> FALSE (1) ? if (User-Name =~ /@\\./) (1) ? if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140411' (1) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140411 (1) auth_log : expand: "%t" -> 'Fri Apr 11 22:37:09 2014' (1) [auth_log] = ok (1) files : users: Matched entry steve at line 73 (1) [files] = ok (1) ? if (wifi_key != "true") (1) expand: "true" -> 'true' (1) ? if (wifi_key != "true") -> TRUE (1) if (wifi_key != "true") { (1) [reject] = reject (1) } # if (wifi_key != "true") = reject (1) } # authorize = reject [1m(1) Invalid user: [steve/<no User-Password attribute>] (from client localhost port 1 cli 30-D6-C9-6C-44-4B)[0m (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/wifi (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : expand: "%{User-Name}" -> 'steve' (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Request was previously rejected, inserting EAP-Failure (1) [eap] = updated (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) ? if (reply:EAP-Message && reply:Reply-Message) (1) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Finished request 1. Waking up in 0.3 seconds. Waking up in 2.6 seconds. rad_recv: Access-Request packet from host ::1 port 33053, id=231, length=180 [31m(1) Discarding duplicate request from client localhost port 33053 - ID: 231 due to delayed reject[0m (1) Sending delayed reject Sending Access-Reject of id 231 from ::1 port 1812 to ::1 port 33053 EAP-Message = 0x04610004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds.