freeradius 2.1.10 WARNING: Internal sanity check failed
Hi, I am configuring a freeradius for a institution for eduroam purposes, using Fedora 13 and with freeradius 2.1.10. The only EAP type supported is EAP-TTLS/PAP. I attach the radius -X output: FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Oct 19 2010 at 20:00:35 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = yes dead_time = 120 wake_all_if_all_dead = no } realm NULL { nostrip authhost = LOCAL accthost = LOCAL } realm DEFAULT { nostrip authhost = X.X.X.X:1812 accthost = X.X.X.X:1813 secret = verysecret } realm irta.cat { nostrip authhost = 192.168.1.34 accthost = 192.168.1.34 secret = ****** } realm irta.es { nostrip authhost = 192.168.1.34 accthost = 192.168.1.34 secret = ****** } realm IRTA_NT { nostrip authhost = 192.168.1.34 accthost = 192.168.1.34 secret = ****** } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client X.X.X.X { require_message_authenticator = no secret = "******" shortname = "RADIUS_Anella" } client X.X.X.X0 { require_message_authenticator = no secret = "******" shortname = "ISA" } client X.X.X.X1 { require_message_authenticator = no secret = "******" shortname = "ISA" } client X.X.X.X2 { require_message_authenticator = no secret = "******" shortname = "ISA" } client 172.18.1.10 { require_message_authenticator = no secret = "******" shortname = "WLC_SSCC" } client 172.18.2.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Cabrils" } client 172.18.3.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Monells" } client 172.18.5.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Lleida" } client 172.18.6.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Mas_de_Bover" } client 172.18.8.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Sant_Carles_Rapita_Ebre" } client 172.18.10.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Torra_Marimon" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = yes max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/sr013_irta_es.key" certificate_file = "/etc/raddb/certs/certificat_es.cer" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "******" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating module "ntdomain" from file /etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking pre-proxy {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "pre_proxy_log" from file /etc/raddb/modules/detail.log detail pre_proxy_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "post_proxy_log" from file /etc/raddb/modules/detail.log detail post_proxy_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = X.X.X.X port = 1812 } listen { type = "acct" ipaddr = X.X.X.X port = 1813 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address X.X.X.X port 1812 Listening on accounting address X.X.X.X port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address X.X.X.X port 1814 Ready to process requests. Using a client with Windows 7 and supplicant SecureW2 I get the next warning: rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0xce819241867a6c729cd1ce2fbc6f1871 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "cesca.cat" for User-Name = ************ [suffix] Found realm "DEFAULT" [suffix] Adding Realm = "DEFAULT" [suffix] Proxying request from user ************ to realm DEFAULT [suffix] Preparing to proxy authentication request to realm "DEFAULT" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm DEFAULT. Not doing EAP. ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Proxying request 2 to home server 84.88.0.19 port 1812 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Going to the next request Waking up in 0.9 seconds. Waking up in 12.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 11.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 9.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 7.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 5.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 3.9 seconds. WARNING: Internal sanity check failed in event handler for request 2: Discarding the request! Ready to process requests. So I have mainly tho doubts: First, one why this warning happens and how to solve it. Second one, is it normal that EAP-TTLS does not begin? Thanks in advance, Joan. -- View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-2-1-10-WARNING-Internal-s... Sent from the FreeRadius - User mailing list archive at Nabble.com.
-----Original Message----- On Behalf Of joanroldan
<snipped> Line breaks are your friend. Having everything all run together makes it extremely difficult to read the debug or your comments about it. I didn't try to read through it (my own sanity check :D), but try pasting your debug log here (with line breaks) and anything that comes up red will need to be fixed. If that doesn't turn up anything obvious, post back with a debug log that includes line breaks for others to see where you went wrong. http://networkradius.com/freeradius.html -- John D McDonnell Penn Cambria School District mcdonnjd@pcam.org O< ASCII Ribbon Campaign - http://www.asciiribbon.org/
I'm sorry! Try to rewrite the e-mail to a human mode ; ) Hi, I am configuring a freeradius for a institution for eduroam purposes, using Fedora 13 and with freeradius 2.1.10. The only EAP type supported is EAP-TTLS/PAP. I attach the radius -X output: FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Oct 19 2010 at 20:00:35 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = yes dead_time = 120 wake_all_if_all_dead = no } realm NULL { nostrip authhost = LOCAL accthost = LOCAL } realm DEFAULT { nostrip authhost = X.X.X.X:1812 accthost = X.X.X.X:1813 secret = verysecret } realm irta.cat { nostrip authhost = 192.168.1.34 accthost = 192.168.1.34 secret = ****** } realm irta.es { nostrip authhost = 192.168.1.34 accthost = 192.168.1.34 secret = ****** } realm IRTA_NT { nostrip authhost = 192.168.1.34 accthost = 192.168.1.34 secret = ****** } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client X.X.X.X { require_message_authenticator = no secret = "******" shortname = "RADIUS_Anella" } client X.X.X.X0 { require_message_authenticator = no secret = "******" shortname = "ISA" } client X.X.X.X1 { require_message_authenticator = no secret = "******" shortname = "ISA" } client X.X.X.X2 { require_message_authenticator = no secret = "******" shortname = "ISA" } client 172.18.1.10 { require_message_authenticator = no secret = "******" shortname = "WLC_SSCC" } client 172.18.2.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Cabrils" } client 172.18.3.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Monells" } client 172.18.5.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Lleida" } client 172.18.6.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Mas_de_Bover" } client 172.18.8.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Sant_Carles_Rapita_Ebre" } client 172.18.10.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Torra_Marimon" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = yes max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/sr013_irta_es.key" certificate_file = "/etc/raddb/certs/certificat_es.cer" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "******" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating module "ntdomain" from file /etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking pre-proxy {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "pre_proxy_log" from file /etc/raddb/modules/detail.log detail pre_proxy_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "post_proxy_log" from file /etc/raddb/modules/detail.log detail post_proxy_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = X.X.X.X port = 1812 } listen { type = "acct" ipaddr = X.X.X.X port = 1813 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address X.X.X.X port 1812 Listening on accounting address X.X.X.X port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address X.X.X.X port 1814 Ready to process requests. Using a client with Windows 7 and supplicant SecureW2 I get the next warning: rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0xce819241867a6c729cd1ce2fbc6f1871 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "cesca.cat" for User-Name = ************ [suffix] Found realm "DEFAULT" [suffix] Adding Realm = "DEFAULT" [suffix] Proxying request from user ************ to realm DEFAULT [suffix] Preparing to proxy authentication request to realm "DEFAULT" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm DEFAULT. Not doing EAP. ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Proxying request 2 to home server 84.88.0.19 port 1812 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Going to the next request Waking up in 0.9 seconds. Waking up in 12.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 11.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 9.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 7.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 5.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 3.9 seconds. WARNING: Internal sanity check failed in event handler for request 2: Discarding the request! Ready to process requests. So I have mainly tho doubts: First, one why this warning happens and how to solve it. Second one, is it normal that EAP-TTLS does not begin? Thanks in advance, Joan. -- View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-2-1-10-WARNING-Internal-s... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 13/01/2011 18:26, joanroldan wrote:
I'm sorry! Try to rewrite the e-mail to a human mode ; ) Hi, I am configuring a freeradius for a institution for eduroam purposes, using Fedora 13 and with freeradius 2.1.10. The only EAP type supported is EAP-TTLS/PAP. I attach the radius -X output: ... So I have mainly tho doubts:
First, one why this warning happens and how to solve it. Second one, is it normal that EAP-TTLS does not begin?
Thanks in advance,
Joan.
Hi Joan, 1) This happens because you have made big changes to the default config. 2) You have configured FreeRADIUS to proxy the request to somewhere else. For eduroam, you usually need to configure it so that: * If the realm is one of your organisation's, the request is not proxied, but handled by FR * If the realm is blank or rubbish, the request can be immediately rejected. * If the realm is valid, and not your own organisations, you should proxy the request to your national RADIUS servers. I'd suggest going back to the default config. Read each file and get your TTLS/PAP working first, then add the proxying for other realms last. See also: http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-st... Regards, James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk --
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Oct 19 2010 at 20:00:35 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = yes dead_time = 120 wake_all_if_all_dead = no } realm NULL { nostrip authhost = LOCAL accthost = LOCAL } realm DEFAULT { nostrip authhost = X.X.X.X:1812 accthost = X.X.X.X:1813 secret = verysecret } realm irta.cat { nostrip authhost = 192.168.1.34 accthost = 192.168.1.34 secret = ****** } realm irta.es { nostrip authhost = 192.168.1.34 accthost = 192.168.1.34 secret = ****** } realm IRTA_NT { nostrip authhost = 192.168.1.34 accthost = 192.168.1.34 secret = ****** } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client X.X.X.X { require_message_authenticator = no secret = "******" shortname = "RADIUS_Anella" } client X.X.X.X0 { require_message_authenticator = no secret = "******" shortname = "ISA" } client X.X.X.X1 { require_message_authenticator = no secret = "******" shortname = "ISA" } client X.X.X.X2 { require_message_authenticator = no secret = "******" shortname = "ISA" } client 172.18.1.10 { require_message_authenticator = no secret = "******" shortname = "WLC_SSCC" } client 172.18.2.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Cabrils" } client 172.18.3.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Monells" } client 172.18.5.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Lleida" } client 172.18.6.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Mas_de_Bover" } client 172.18.8.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Sant_Carles_Rapita_Ebre" } client 172.18.10.10 { require_message_authenticator = no secret = "******" shortname = "WLC_Torra_Marimon" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = yes max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/sr013_irta_es.key" certificate_file = "/etc/raddb/certs/certificat_es.cer" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "******" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating module "ntdomain" from file /etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking pre-proxy {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "pre_proxy_log" from file /etc/raddb/modules/detail.log detail pre_proxy_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "post_proxy_log" from file /etc/raddb/modules/detail.log detail post_proxy_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = X.X.X.X port = 1812 } listen { type = "acct" ipaddr = X.X.X.X port = 1813 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address X.X.X.X port 1812 Listening on accounting address X.X.X.X port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address X.X.X.X port 1814 Ready to process requests. Using a client with Windows 7 and supplicant SecureW2 I get the next warning: rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0xce819241867a6c729cd1ce2fbc6f1871 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "cesca.cat" for User-Name = ************ [suffix] Found realm "DEFAULT" [suffix] Adding Realm = "DEFAULT" [suffix] Proxying request from user ************ to realm DEFAULT [suffix] Preparing to proxy authentication request to realm "DEFAULT" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm DEFAULT. Not doing EAP. ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Proxying request 2 to home server 84.88.0.19 port 1812 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Going to the next request Waking up in 0.9 seconds. Waking up in 12.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 11.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 9.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 7.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 5.9 seconds. rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9, length=203 Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID: 158 Sending Access-Request of id 158 to 84.88.0.19 port 1812 User-Name = ************ Calling-Station-Id = "00-26-B6-59-F1-EA" Called-Station-Id = "00-22-55-F1-80-B0:eduroam" NAS-Port = 1 NAS-IP-Address = 172.18.1.10 NAS-Identifier = "WLC_SSCC" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x39 Waking up in 3.9 seconds. WARNING: Internal sanity check failed in event handler for request 2: Discarding the request! Ready to process requests. So I have mainly two doubts: First, why this warning happens and how to solve it. Second one, is it normal that EAP-TTLS does not begin? Thanks in advance, Joan. -- View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-2-1-10-WARNING-Internal-s... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
James J J Hooper -
joanroldan -
John McDonnell