Hi Freeradius users, i have FR freeradius-2.2.0-0.fc17.i686 set up on fedora 17 machine. the wimax clients are supplying EAPttls Mschapv2 for authentication. a few weeks ago, the configuration was working and authenticating, but it suddenly stopped. the users are created in the users file and below is the radiusd -X output. any more info required will be promptly provided. could someone help me out on this? the wimax system is 4M alvarion and the CPe are well configured. ignore_null = no } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 46422 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=153, length=196 User-Name = "{sm=1}rawlacurone@adn.com" EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d Message-Authenticator = 0x39a7eb8d6128461e0fa6caf5dd5c26c3 NAS-Identifier = "201" NAS-IP-Address = 11.0.0.205 Calling-Station-Id = "AC-81-12-78-CA-6E" WiMAX-BS-Id = 0xfff329010102 NAS-Port-Type = Wireless-802.16 Framed-MTU = 2000 Service-Type = Framed-User WiMAX-GMT-Timezone-offset = 256 WiMAX-Release = "1.0" WiMAX-Accounting-Capabilities = IP-Session-Based WiMAX-Attr-1793 = 0x0000028a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] expand: %t -> Wed May 1 17:46:27 2013 ++[auth_log] returns fail Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> {sm=1}rawlacurone@adn.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 153 to 11.0.0.205 port 1812 Waking up in 4.9 seconds. Cleaning up request 0 ID 153 with timestamp +1 Ready to process requests. rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=154, length=196 User-Name = "{sm=1}rawlacurone@adn.com" EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d Message-Authenticator = 0x0ddedece670902a6348d2b16c392c015 NAS-Identifier = "201" NAS-IP-Address = 11.0.0.205 Calling-Station-Id = "AC-81-12-78-CA-6E" WiMAX-BS-Id = 0xfff329010102 NAS-Port-Type = Wireless-802.16 Framed-MTU = 2000 Service-Type = Framed-User WiMAX-GMT-Timezone-offset = 256 WiMAX-Release = "1.0" WiMAX-Accounting-Capabilities = IP-Session-Based WiMAX-Attr-1793 = 0x0000028a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] expand: %t -> Wed May 1 17:46:35 2013 ++[auth_log] returns fail Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> {sm=1}rawlacurone@adn.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 154 to 11.0.0.205 port 1812 Waking up in 4.9 seconds. Cleaning up request 1 ID 154 with timestamp +9 Ready to process requests. rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=155, length=196 User-Name = "{sm=1}rawlacurone@adn.com" EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d Message-Authenticator = 0x8cbc1a4105e88c044aaa7a95df6dc98a NAS-Identifier = "201" NAS-IP-Address = 11.0.0.205 Calling-Station-Id = "AC-81-12-78-CA-6E" WiMAX-BS-Id = 0xfff329010102 NAS-Port-Type = Wireless-802.16 Framed-MTU = 2000 Service-Type = Framed-User WiMAX-GMT-Timezone-offset = 256 WiMAX-Release = "1.0" WiMAX-Accounting-Capabilities = IP-Session-Based WiMAX-Attr-1793 = 0x0000028a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] expand: %t -> Wed May 1 17:46:43 2013 ++[auth_log] returns fail Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> {sm=1}rawlacurone@adn.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 155 to 11.0.0.205 port 1812 Waking up in 4.9 seconds. Cleaning up request 2 ID 155 with timestamp +17 Ready to process requests. rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=157, length=196 User-Name = "{sm=1}rawlacurone@adn.com" EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d Message-Authenticator = 0xd84871a21825f994c68593b4d78ca653 NAS-Identifier = "201" NAS-IP-Address = 11.0.0.205 Calling-Station-Id = "AC-81-12-78-CA-6E" WiMAX-BS-Id = 0xfff329010102 NAS-Port-Type = Wireless-802.16 Framed-MTU = 2000 Service-Type = Framed-User WiMAX-GMT-Timezone-offset = 256 WiMAX-Release = "1.0" WiMAX-Accounting-Capabilities = IP-Session-Based WiMAX-Attr-1793 = 0x0000028a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expan [auth_log] expand: %t -> Wed May 1 17:46:50 2013 ++[auth_log] returns fail Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> {sm=1}rawlacurone@adn.co attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 157 to 11.0.0.205 port 1812 Waking up in 4.9 seconds. ^C [root@adn larry]#
Why does auth_log return fail? On May 4, 2013 8:04 PM, "larry tembu" <larrytembu@yahoo.com> wrote:
Hi Freeradius users, i have FR freeradius-2.2.0-0.fc17.i686 set up on fedora 17 machine. the wimax clients are supplying EAPttls Mschapv2 for authentication. a few weeks ago, the configuration was working and authenticating, but it suddenly stopped. the users are created in the users file and below is the radiusd -X output. any more info required will be promptly provided. could someone help me out on this? the wimax system is 4M alvarion and the CPe are well configured. ignore_null = no } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 46422 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=153, length=196 User-Name = "{sm=1}rawlacurone@adn.com" EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d Message-Authenticator = 0x39a7eb8d6128461e0fa6caf5dd5c26c3 NAS-Identifier = "201" NAS-IP-Address = 11.0.0.205 Calling-Station-Id = "AC-81-12-78-CA-6E" WiMAX-BS-Id = 0xfff329010102 NAS-Port-Type = Wireless-802.16 Framed-MTU = 2000 Service-Type = Framed-User WiMAX-GMT-Timezone-offset = 256 WiMAX-Release = "1.0" WiMAX-Accounting-Capabilities = IP-Session-Based WiMAX-Attr-1793 = 0x0000028a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] expand: %t -> Wed May 1 17:46:27 2013 ++[auth_log] returns fail Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> {sm= 1}rawlacurone@adn.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 153 to 11.0.0.205 port 1812 Waking up in 4.9 seconds. Cleaning up request 0 ID 153 with timestamp +1 Ready to process requests. rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=154, length=196 User-Name = "{sm=1}rawlacurone@adn.com" EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d Message-Authenticator = 0x0ddedece670902a6348d2b16c392c015 NAS-Identifier = "201" NAS-IP-Address = 11.0.0.205 Calling-Station-Id = "AC-81-12-78-CA-6E" WiMAX-BS-Id = 0xfff329010102 NAS-Port-Type = Wireless-802.16 Framed-MTU = 2000 Service-Type = Framed-User WiMAX-GMT-Timezone-offset = 256 WiMAX-Release = "1.0" WiMAX-Accounting-Capabilities = IP-Session-Based WiMAX-Attr-1793 = 0x0000028a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] expand: %t -> Wed May 1 17:46:35 2013 ++[auth_log] returns fail Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> {sm= 1}rawlacurone@adn.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 154 to 11.0.0.205 port 1812 Waking up in 4.9 seconds. Cleaning up request 1 ID 154 with timestamp +9 Ready to process requests. rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=155, length=196 User-Name = "{sm=1}rawlacurone@adn.com" EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d Message-Authenticator = 0x8cbc1a4105e88c044aaa7a95df6dc98a NAS-Identifier = "201" NAS-IP-Address = 11.0.0.205 Calling-Station-Id = "AC-81-12-78-CA-6E" WiMAX-BS-Id = 0xfff329010102 NAS-Port-Type = Wireless-802.16 Framed-MTU = 2000 Service-Type = Framed-User WiMAX-GMT-Timezone-offset = 256 WiMAX-Release = "1.0" WiMAX-Accounting-Capabilities = IP-Session-Based WiMAX-Attr-1793 = 0x0000028a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] expand: %t -> Wed May 1 17:46:43 2013 ++[auth_log] returns fail Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> {sm= 1}rawlacurone@adn.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 155 to 11.0.0.205 port 1812 Waking up in 4.9 seconds. Cleaning up request 2 ID 155 with timestamp +17 Ready to process requests. rad_recv: Access-Request packet from host 11.0.0.205 port 1812, id=157, length=196 User-Name = "{sm=1}rawlacurone@adn.com" EAP-Message = 0x0201001e017b736d3d317d7261776c616375726f6e654061646e2e636f6d Message-Authenticator = 0xd84871a21825f994c68593b4d78ca653 NAS-Identifier = "201" NAS-IP-Address = 11.0.0.205 Calling-Station-Id = "AC-81-12-78-CA-6E" WiMAX-BS-Id = 0xfff329010102 NAS-Port-Type = Wireless-802.16 Framed-MTU = 2000 Service-Type = Framed-User WiMAX-GMT-Timezone-offset = 256 WiMAX-Release = "1.0" WiMAX-Accounting-Capabilities = IP-Session-Based WiMAX-Attr-1793 = 0x0000028a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expan [auth_log] expand: %t -> Wed May 1 17:46:50 2013 ++[auth_log] returns fail Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> {sm= 1}rawlacurone@adn.co attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 157 to 11.0.0.205 port 1812 Waking up in 4.9 seconds. ^C [root@adn larry]#
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sat, May 4, 2013 at 3:24 PM, Peter Lambrechtsen <peter@crypt.co.nz>wrote:
Why does auth_log return fail? On May 4, 2013 8:04 PM, "larry tembu" <larrytembu@yahoo.com> wrote:
a few weeks ago, the configuration was working and authenticating, but it suddenly stopped.
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/11.0.0.205/auth-detail-20130501 [auth_log] expand: %t -> Wed May 1 17:46:27 2013 ++[auth_log] returns fail Using Post-Auth-Type REJECT
My GUESS is that it's something as simple as disk full. Try "df -h" and "df -i". -- Fajar
Hi,
My GUESS is that it's something as simple as disk full. Try "df -h" and "df -i".
yep. thats the most common error. check in your change log for any changes made to your system , check revision control for any changes, check your 'gold reference' 'radiusd -X' output against what it looks like now etc. if none of tht has changed then you'll need to look elsewhere - such as system patches that have been applied.... BUT, the obvious failure would be lack of diskspace. and the defauly bahaviour is if the auth etc cannot be logged then the authentication will fail (otherwise you wont have audit trails of the connection/usage) ...and then advice that you start putting system monitoring into place for such things. alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Fajar A. Nugraha -
larry tembu -
Peter Lambrechtsen