should be inside of a 'server { ... }' block! after 3.0.7 upgrade
After upgrading from 3.0.6 to 3.0.7, I now see the following errors when loading my config that were not present before. radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf /usr/local/etc/raddb/radiusd.conf[210]: The authenticate section should be inside of a 'server { ... }' block! # Loading authenticate {...} /usr/local/etc/raddb/radiusd.conf[204]: The authorize section should be inside of a 'server { ... }' block! # Loading authorize {...} /usr/local/etc/raddb/radiusd.conf[217]: The preacct section should be inside of a 'server { ... }' block! # Loading preacct {...} /usr/local/etc/raddb/radiusd.conf[222]: The accounting section should be inside of a 'server { ... }' block! # Loading accounting {...} /usr/local/etc/raddb/radiusd.conf[226]: The post-proxy section should be inside of a 'server { ... }' block! } # server radiusd: #### Opening IP addresses and Ports #### This has me rather perplexed, as clearly the sections are within a server { } block. The server still behaves and responds to requests correctly. Is there something obvious that I am overlooking? Below is full debug output and my conf: fbsd101-vm# radiusd -X Copyright (C) 1999-2015 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf main { security { user = "freeradius" group = "freeradius" allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 10 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client 192.168.92.0/24 { ipaddr = 192.168.92.0/24 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = PERL radiusd: #### Instantiating modules #### # Loaded module rlm_perl # Instantiating module "perl" from file /usr/local/etc/raddb/radiusd.conf perl { filename = "/space/rxg/rxgd/bin/freeradius_hook" func_authorize = "authorize" func_authenticate = "authenticate" func_post_auth = "post_auth" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } # Loaded module rlm_detail # Instantiating module "detail" from file /usr/local/etc/raddb/radiusd.conf detail { filename = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" permissions = 420 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_expr # Instantiating module "expr" from file /usr/local/etc/raddb/radiusd.conf expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_eap # Instantiating module "eap" from file /usr/local/etc/raddb/radiusd.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 2048 } # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "perl" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/ssl/server.key" certificate_file = "/etc/ssl/server.crt" ca_file = "/etc/ssl/server.crt" dh_file = "/usr/local/etc/raddb/dhparam" random_file = "/space/rxg/rxgd/bin/random" fragment_size = 1024 include_length = yes check_crl = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "gtc" copy_request_to_tunnel = yes use_tunneled_reply = yes include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "gtc" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Loaded module rlm_radutmp # Instantiating module "radutmp" from file /usr/local/etc/raddb/radiusd.conf radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = yes } # Instantiating module "sradutmp" from file /usr/local/etc/raddb/radiusd.conf radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_attr_filter # Instantiating module "attr_filter" from file /usr/local/etc/raddb/radiusd.conf attr_filter { filename = "/usr/local/etc/raddb/attrs" key = "%{Realm}" relaxed = no } reading pairlist file /usr/local/etc/raddb/attrs # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /usr/local/etc/raddb/radiusd.conf preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /usr/local/etc/raddb/huntgroups reading pairlist file /usr/local/etc/raddb/hints radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf /usr/local/etc/raddb/radiusd.conf[210]: The authenticate section should be inside of a 'server { ... }' block! # Loading authenticate {...} /usr/local/etc/raddb/radiusd.conf[204]: The authorize section should be inside of a 'server { ... }' block! # Loading authorize {...} /usr/local/etc/raddb/radiusd.conf[217]: The preacct section should be inside of a 'server { ... }' block! # Loading preacct {...} /usr/local/etc/raddb/radiusd.conf[222]: The accounting section should be inside of a 'server { ... }' block! # Loading accounting {...} /usr/local/etc/raddb/radiusd.conf[226]: The post-proxy section should be inside of a 'server { ... }' block! } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 } listen { type = "acct" ipaddr = * port = 1813 } Listening on auth address * port 1812 Listening on acct address * port 1813 Ready to process requests cat /usr/local/etc/raddb/radiusd.conf client 192.168.92.0/24 { ipaddr = 192.168.92.0/24 secret = d0ee524f6cb9966ce134d251a3e820c7 } prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} pidfile = /var/run/radiusd/radiusd.pid checkrad = ${sbindir}/checkrad listen { ipaddr = * port = 1812 type = auth } listen { ipaddr = * port = 1813 type = acct } log { #destination = files #colourise = yes #file = ${logdir}/radius.log #syslog_facility = daemon stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { user = freeradius group = freeradius allow_core_dumps = no max_attributes = 200 reject_delay = 1 status_server = yes } thread pool { start_servers = 1 max_servers = 4 min_spare_servers = 1 max_spare_servers = 2 max_requests_per_server = 0 } max_request_time = 30 cleanup_delay = 5 max_requests = 10 hostname_lookups = no delete_blocked_requests = no regular_expressions = yes extended_expressions = yes usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no snmp = no proxy_requests = no modules { perl { filename = /space/rxg/rxgd/bin/freeradius_hook } detail { filename = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d permissions = 0644 } expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no gtc { challenge = "Password: " auth_type = perl } tls-config tls-common { private_key_password = private_key_file = /etc/ssl/server.key certificate_file = /etc/ssl/server.crt ca_file = /etc/ssl/server.crt dh_file = /usr/local/etc/raddb/dhparam random_file = /space/rxg/rxgd/bin/random } tls { tls = tls-common } ttls { tls = tls-common default_eap_type = gtc copy_request_to_tunnel = yes use_tunneled_reply = yes } peap { tls = tls-common default_eap_type = gtc default_method = gtc copy_request_to_tunnel = yes use_tunneled_reply = yes } } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes caller_id = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp permissions = 0644 caller_id = "no" } attr_filter { filename = ${confdir}/attrs } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } } policy { class_value_prefix = 'ai:' acct_unique { if ("%{string:Class}" =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) { update request { &Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}" } } else { update request { &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}" } } } insert_acct_class { update reply { &Class = "${policy.class_value_prefix}%{md5:%t,%I,%{Packet-Src-Port},%{Packet-Src-IP-Address},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}" } } acct_counters64.preacct { update request { &Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}" &Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}" } } } server { authorize { preprocess eap perl } authenticate { Auth-Type PERL { perl } eap } preacct { preprocess acct_unique } accounting { perl } post-proxy { eap perl } }
On Feb 19, 2015, at 5:56 PM, Nick Rogers <ncrogers@gmail.com> wrote:
After upgrading from 3.0.6 to 3.0.7, I now see the following errors when loading my config that were not present before.
These are warnings, not errors.
This has me rather perplexed, as clearly the sections are within a server { } block. The server still behaves and responds to requests correctly. Is there something obvious that I am overlooking?
The debug log prints out “server {“. But it might not be in radiusd.conf. I’ll do a test locally. For now, you can ignore the message. Alan DeKok.
On Thu, Feb 19, 2015 at 3:11 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 19, 2015, at 5:56 PM, Nick Rogers <ncrogers@gmail.com> wrote:
After upgrading from 3.0.6 to 3.0.7, I now see the following errors when loading my config that were not present before.
These are warnings, not errors.
While it doesn't stop the server in its tracks, when running radiusd -XX, the log message is colorized red and is labeled as an "Error". Thu Feb 19 15:23:17 2015 : Error: /usr/local/etc/raddb/radiusd.conf[217]: The preacct section should be inside of a 'server { ... }' block!
This has me rather perplexed, as clearly the sections are within a server { } block. The server still behaves and responds to requests correctly. Is there something obvious that I am overlooking?
The debug log prints out “server {“. But it might not be in radiusd.conf.
I’ll do a test locally. For now, you can ignore the message.
Thanks. So I can safely assume that its still correctly loading the sections within the server?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 19, 2015, at 6:28 PM, Nick Rogers <ncrogers@gmail.com> wrote:
While it doesn't stop the server in its tracks, when running radiusd -XX, the log message is colorized red and is labeled as an "Error”.
Yes.
Thanks. So I can safely assume that its still correctly loading the sections within the server?
Yes. Alan DeKok.
On Feb 19, 2015, at 5:56 PM, Nick Rogers <ncrogers@gmail.com> wrote:
After upgrading from 3.0.6 to 3.0.7, I now see the following errors when loading my config that were not present before.
I’ve pushed a fix which doesn’t print the messages for your configuration. The messages should now be printed only for the not recommended (i.e. incorrect) configuration. Alan DeKok.
On Thu, Feb 19, 2015 at 3:51 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 19, 2015, at 5:56 PM, Nick Rogers <ncrogers@gmail.com> wrote:
After upgrading from 3.0.6 to 3.0.7, I now see the following errors when loading my config that were not present before.
I’ve pushed a fix which doesn’t print the messages for your configuration. The messages should now be printed only for the not recommended (i.e. incorrect) configuration.
Thank you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Nick Rogers