Troubles when starting two virtual servers at the same time, both with mschap
I am trying to starting radius(default server) and tacacs at the same time, both with mschap.My tacacs server can work properly alone, so I just add the default file back to the sites-enabled dictionary. Also, according to the mschap module page, I put two attibutes parts in the mschap file(One for tacacs and One for radius). Debug Info is as followed: including configuration file /usr/local/etc/raddb/radiusd.conf Including files in directory "/usr/local/etc/raddb/template.d/" including configuration file /usr/local/etc/raddb/template.d/default including configuration file /usr/local/etc/raddb/clients.conf Including files in directory "/usr/local/etc/raddb/global.d/" including configuration file /usr/local/etc/raddb/global.d/ldap including configuration file /usr/local/etc/raddb/global.d/python Including files in directory "/usr/local/etc/raddb/mods-enabled/" including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/client including configuration file /usr/local/etc/raddb/mods-enabled/delay including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/eap_inner including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/escape including configuration file /usr/local/etc/raddb/mods-enabled/exec including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/stats including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/utf8 Including files in directory "/usr/local/etc/raddb/policy.d/" including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/accounting including configuration file /usr/local/etc/raddb/policy.d/canonicalisation including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/operator-name including configuration file /usr/local/etc/raddb/policy.d/time including configuration file /usr/local/etc/raddb/policy.d/vendor Including files in directory "/usr/local/etc/raddb/sites-enabled/" including configuration file /usr/local/etc/raddb/sites-enabled/default Loaded module process_radius including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel Loaded module process_tacacs including configuration file /usr/local/etc/raddb/sites-enabled/tacacs Parsing initial logging configuration. main { prefix = /usr/local log { destination = files syslog_facility = daemon local_state_dir = "/usr/local/var" logdir = "/usr/local/var/log" file = /usr/local/var/log/radius/radius.log suppress_secrets = no } } Parsing security rules to bootstrap UID / GID / chroot / etc. main { log { } security { allow_core_dumps = no allow_vulnerable_openssl = no openssl_fips_mode = no } name = radiusd local_state_dir = "/usr/local/var" run_dir = /usr/local/var/run/radiusd } Parsing main configuration main { server default { namespace = radius radius { Access-Request { log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } session { timeout = 15 max = 4096 } } } Loaded module proto_radius listen { type = Access-Request type = Status-Server transport = udp Loaded module proto_radius_udp udp { ipaddr = * port = 1812 networks { allow = 127/8 allow = 192.0.2/24 } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 5.0 idle_timeout = 60.0 nak_lifetime = 30.0 max_connections = 256 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } listen tcp_auth { type = Access-Request type = Status-Server transport = tcp Loaded module proto_radius_tcp tcp { ipaddr = * port = 1812 networks { allow = 127/8 allow = 192.0.2/24 } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 5.0 idle_timeout = 30.0 nak_lifetime = 30.0 max_connections = 1024 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } listen udp_acct { type = Accounting-Request transport = udp udp { ipaddr = * port = 1813 networks { } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 5.0 idle_timeout = 30.0 nak_lifetime = 30.0 max_connections = 1024 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } } server inner-tunnel { namespace = tacacs tacacs { Authentication { log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } session { timeout = 15 max = 4096 max_rounds = 4 } } } Loaded module proto_tacacs listen { type = Authentication-Start type = Authentication-Continue type = Authorization-Request type = Accounting-Request transport = tcp Loaded module proto_tacacs_tcp tcp { ipaddr = 127.0.0.1 port = 18121 networks { } max_packet_size = 4096 max_attributes = 256 } limit { idle_timeout = 30.0 max_connections = 1024 } priority { Authentication-Start = high Authentication-Continue = high Authorization-Request = normal Accounting-Request = low } } } server tacacs { namespace = tacacs tacacs { Authentication { log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } session { timeout = 15 max = 4096 max_rounds = 4 } } } listen { type = Authentication-Start type = Authentication-Continue type = Authorization-Request type = Accounting-Request transport = tcp tcp { ipaddr = * port = 49 networks { } max_packet_size = 4096 max_attributes = 256 } limit { idle_timeout = 60.0 max_connections = 256 } priority { Authentication-Start = high Authentication-Continue = high Authorization-Request = normal Accounting-Request = low } } } log { colourise = yes } security { } sbin_dir = "/usr/local/sbin" logdir = /usr/local/var/log/radius radacctdir = /usr/local/var/log/radius/radacct reverse_lookups = no hostname_lookups = yes max_request_time = 30 pidfile = /usr/local/var/run/radiusd/radiusd.pid debug_level = 0 max_requests = 16384 resources { } thread pool { num_networks = 1 Dynamically determined thread.workers = 15 num_workers = 15 openssl_async_pool_init = 64 openssl_async_pool_max = 1024 } migrate { rewrite_update = false forbid_update = false } interpret { } } Switching to configured log settings radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 secret = <<< secret >>> require_message_authenticator = no proto = * limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30s } } client test { ipaddr = 192.168.2.3 secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30s } } Debugger not attached trigger { ... } subsection not found, triggers will be disabled #### Instantiating libraries #### #### Bootstrapping process modules #### Bootstrapping process_radius "default" Creating Auth-Type = pap Creating Auth-Type = chap Creating Auth-Type = mschap Creating Auth-Type = digest Creating Auth-Type = ldap Creating Auth-Type = eap Bootstrapping process_tacacs "inner-tunnel" Bootstrapping process_tacacs "tacacs" Creating Auth-Type = MSCHAPv2 Creating Auth-Type = ASCII #### Bootstrapping protocol modules #### Bootstrapping proto_radius "default.radius" client localhost { ipaddr = 192.0.2.1 secret = <<< secret >>> shortname = sample limit { max_connections = 16 lifetime = 0 idle_timeout = 30s } } Bootstrapping proto_radius "default.tcp_auth" Bootstrapping proto_radius "default.udp_acct" Bootstrapping proto_tacacs "inner-tunnel.tacacs" Ignoring "nak_lifetime = 0", forcing to "nak_lifetime = 1" Bootstrapping proto_tacacs "tacacs.tacacs" Ignoring "nak_lifetime = 0", forcing to "nak_lifetime = 1" client tacacs { ipaddr = 192.168.2.3 secret = <<< secret >>> proto = tcp limit { max_connections = 16 lifetime = 0 idle_timeout = 30s } } #### Instantiating libraries #### #### Bootstrapping modules #### modules { Loaded module rlm_always always reject { rcode = reject simulcount = 0 mpp = no } always fail { rcode = fail simulcount = 0 mpp = no } always ok { rcode = ok simulcount = 0 mpp = no } always handled { rcode = handled simulcount = 0 mpp = no } always invalid { rcode = invalid simulcount = 0 mpp = no } always disallow { rcode = disallow simulcount = 0 mpp = no } always notfound { rcode = notfound simulcount = 0 mpp = no } always noop { rcode = noop simulcount = 0 mpp = no } always updated { rcode = updated simulcount = 0 mpp = no } Loaded module rlm_attr_filter attr_filter attr_filter.pre-proxy { filename = /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy key = "%{Realm}" relaxed = no } attr_filter attr_filter.post-proxy { filename = /usr/local/etc/raddb/mods-config/attr_filter/post-proxy key = "%{Realm}" relaxed = no } attr_filter attr_filter.access_reject { filename = /usr/local/etc/raddb/mods-config/attr_filter/access_reject key = "%{User-Name}" relaxed = no } attr_filter attr_filter.access_challenge { filename = /usr/local/etc/raddb/mods-config/attr_filter/access_challenge key = "%{User-Name}" relaxed = no } attr_filter attr_filter.accounting_response { filename = /usr/local/etc/raddb/mods-config/attr_filter/accounting_response key = "%{User-Name}" relaxed = no } Loaded module rlm_cache cache cache_eap { driver = rbtree Loaded module rlm_cache_rbtree key = %{&control.State || &reply.State || &State} ttl = 15 max_entries = 0 epoch = 0 add_stats = no } Loaded module rlm_chap chap { min_challenge_len = 16 } Loaded module rlm_client Loaded module rlm_delay delay { delay = 1.0s relative = no force_reschedule = no } delay delay_reject { delay = "%{&reply.FreeRADIUS-Response-Delay || 1}" relative = yes force_reschedule = no } Loaded module rlm_detail detail { filename = /usr/local/var/log/radius/radacct/%{Net.Src.IP}/detail-%Y-%m-%d header = %t permissions = 0600 locking = no escape_filenames = no log_packet_header = no } detail auth_log { filename = /usr/local/var/log/radius/radacct/%{Net.Src.IP}/auth-detail-%Y-%m-%d header = %t permissions = 0600 locking = no escape_filenames = no log_packet_header = no } detail reply_log { filename = /usr/local/var/log/radius/radacct/%{Net.Src.IP}/reply-detail-%Y-%m-%d header = %t permissions = 0600 locking = no escape_filenames = no log_packet_header = no } detail pre_proxy_log { filename = /usr/local/var/log/radius/radacct/%{Net.Src.IP}/pre-proxy-detail-%Y-%m-%d header = %t permissions = 0600 locking = no escape_filenames = no log_packet_header = no } detail post_proxy_log { filename = /usr/local/var/log/radius/radacct/%{Net.Src.IP}/post-proxy-detail-%Y-%m-%d header = %t permissions = 0600 locking = no escape_filenames = no log_packet_header = no } Loaded module rlm_digest Loaded module rlm_eap eap { require_identity_realm = nai type = md5 Loaded module rlm_eap_md5 type = gtc Loaded module rlm_eap_gtc gtc { challenge = "Password: " auth_type = PAP } type = tls Loaded module rlm_eap_tls tls { tls = tls-common require_client_cert = yes include_length = yes } type = ttls Loaded module rlm_eap_ttls ttls { tls = tls-common virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } type = mschapv2 Loaded module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no auth_type = mschap send_error = no } type = peap Loaded module rlm_eap_peap peap { tls = tls-common virtual_server = "inner-tunnel" require_client_cert = no } ignore_unknown_eap_types = no } eap inner-eap { require_identity_realm = nai default_eap_type = mschapv2 type = md5 type = gtc gtc { challenge = "Password: " auth_type = PAP } type = mschapv2 mschapv2 { with_ntdomain_hack = no auth_type = mschap send_error = no } type = tls tls { tls = tls-peer require_client_cert = yes include_length = yes } ignore_unknown_eap_types = no } Loaded module rlm_exec exec echo { wait = yes input_pairs = &request output_pairs = &reply shell_escape = yes env_inherit = no } Loaded module rlm_escape escape { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } exec { wait = yes input_pairs = &request shell_escape = yes env_inherit = no timeout = 10 } Loaded module rlm_files files { filename = /usr/local/etc/raddb/mods-config/files/authorize acctusersfile = /usr/local/etc/raddb/mods-config/files/accounting key = %{%{Stripped-User-Name}:-%{User-Name}} } Loaded module rlm_linelog linelog { destination = file delimiter = "\n" format = "This is a log message for %{User-Name}" reference = "messages.%{&reply.Packet-Type || 'default'}" file { filename = /usr/local/var/log/radius/linelog permissions = 0600 escape_filenames = no } syslog { severity = "info" } unix { } tcp { server = localhost port = 514 timeout = 2.0 } udp { server = localhost port = 514 timeout = 2.0 } } linelog log_accounting { destination = file delimiter = "\n" format = "" reference = "Accounting-Request.%{&Acct-Status-Type || 'unknown'}" file { filename = /usr/local/var/log/radius/linelog-accounting permissions = 0600 escape_filenames = no } syslog { severity = "info" } unix { } tcp { timeout = 1000 } udp { timeout = 1000 } } Loaded module rlm_mschap mschap { normalise = yes use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind { } } exec ntlm_auth { wait = yes shell_escape = yes env_inherit = no } Loaded module rlm_pap pap { normalise = yes } Loaded module rlm_passwd passwd etc_passwd { filename = /etc/passwd format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } Loaded module rlm_radutmp radutmp { filename = /usr/local/var/log/radius/radutmp username = %{User-Name} check_with_nas = yes permissions = 0600 caller_id = no } radutmp sradutmp { filename = /usr/local/var/log/radius/sradutmp username = "%{User-Name}" check_with_nas = yes permissions = 0644 caller_id = no } Loaded module rlm_stats stats { } Loaded module rlm_unix unix { } Loaded module rlm_unpack Loaded module rlm_utf8 #### Bootstrapping rlm modules #### Bootstrapping rlm_cache "cache_eap" Bootstrapping rlm_chap "chap" Bootstrapping rlm_delay "delay" Bootstrapping rlm_delay "delay_reject" Bootstrapping rlm_always "disallow" Bootstrapping rlm_eap "eap" Bootstrapping rlm_exec "echo" Bootstrapping rlm_escape "escape" Bootstrapping rlm_exec "exec" Bootstrapping rlm_always "fail" Bootstrapping rlm_always "handled" Bootstrapping rlm_eap "inner-eap" Bootstrapping rlm_always "invalid" Bootstrapping rlm_linelog "linelog" Bootstrapping rlm_linelog "log_accounting" Bootstrapping rlm_mschap "mschap" Bootstrapping rlm_always "noop" Bootstrapping rlm_always "notfound" Bootstrapping rlm_exec "ntlm_auth" Bootstrapping rlm_always "ok" Bootstrapping rlm_always "reject" Bootstrapping rlm_unix "unix" Bootstrapping rlm_always "updated" } # modules #### Instantiating listeners #### Compiling policies in server default { ... } Instantiating proto_radius "default.radius" Instantiating proto_radius "default.tcp_auth" Instantiating proto_radius "default.udp_acct" Instantiating process_radius "default" Compiling policies in - recv Access-Request {...} /usr/local/etc/raddb/policy.d/time[13]: Skipping remaining instructions due to 'return' /usr/local/etc/raddb/policy.d/time[18]: Please use the 'filter' keyword for attribute filtering Compiling policies in - send Access-Accept {...} Compiling policies in - send Access-Challenge {...} Compiling policies in - send Access-Reject {...} Compiling policies in - recv Accounting-Request {...} Compiling policies in - send Accounting-Response {...} Compiling policies in - recv Status-Server {...} Compiling policies in - authenticate pap {...} Compiling policies in - authenticate chap {...} Compiling policies in - authenticate mschap {...} Compiling policies in - authenticate digest {...} Compiling policies in - authenticate ldap {...} Compiling policies in - authenticate eap {...} Compiling policies in - accounting Start {...} Compiling policies in - accounting Stop {...} Compiling policies in - accounting Interim-Update {...} Compiling policies in - accounting Accounting-On {...} Compiling policies in - accounting Accounting-Off {...} Compiling policies in - accounting Failed {...} /usr/local/etc/raddb/sites-enabled/default[80]: radius { ... } section is unused /usr/local/etc/raddb/sites-enabled/default[224]: dictionary { ... } section is unused Compiling policies in server inner-tunnel { ... } Instantiating proto_tacacs "inner-tunnel.tacacs" Instantiating process_tacacs "inner-tunnel" Compiling policies in - authenticate pap {...} Compiling policies in - authenticate chap {...} Compiling policies in - authenticate mschap {...} /usr/local/etc/raddb/mods-enabled/mschap[384]: Failed to parse configuration item 'chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge': Attribute 'Vendor-Specific.Microsoft.CHAP-Challenge' not found. Searched in: TACACS, internal /usr/local/etc/raddb/mods-enabled/mschap[384]: Unresolved attributes are not allowed here /usr/local/etc/raddb/sites-enabled/inner-tunnel[201]: Invalid keyword "mschap". I guess i did not configure right to start two servers at the same time. Thanks for your help and I am looking forward to hearing your suggestions!! Licheng Huang 2071264258@qq.com
On Dec 2, 2024, at 3:30 AM, 黄立成 via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am trying to starting radius(default server) and tacacs at the same time, both with mschap.My tacacs server can work properly alone, so I just add the default file back to the sites-enabled dictionary. Also, according to the mschap module page, I put two attibutes parts in the mschap file(One for tacacs and One for radius).
You only put one "attributes" section in.
prefix = /usr/local log {
Why HTML spaces?
/usr/local/etc/raddb/mods-enabled/mschap[384]: Failed to parse configuration item 'chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge': Attribute 'Vendor-Specific.Microsoft.CHAP-Challenge' not found. Searched in: TACACS, internal
Yes, Vendor-Specific is not a TACACS+ attribute. Delete the entire "attributes" section which contains this entry. Alan DeKok.
participants (3)
-
2071264258 -
Alan DeKok -
黄立成