mschap : NT-Password has not been normalized by the 'pap' module.
Hello, Trying to get freeradius working for tls and mschap and ldap based authentication... seems the password is found correctly in LDAP, but fails to be decoded maybe? the passwords in LDAP look like: {MD4}6DDDA<an so on..> The pap module is enabled, by the default config, in the end of the authorize section in sites-enabled/default and inner-tunnel. Or is this not my problem at all? and I should be looking elsewhere? Thanks a lot, Mohamed. root@27840c0ba8ef:/data# freeradius -v freeradius: FreeRADIUS Version 3.0.3, for host x86_64-pc-linux-gnu, built on May 20 2014 at 11:59:21 freeradius -XXX : ... (8) ldap : --> ou=people,dc=georgetown,dc=edu (8) ldap : Performing search in 'ou=people,dc=georgetown,dc=edu' with filter '(uid=ml623)', scope 'sub' (8) ldap : Waiting for search result... (8) ldap : User object found at DN "uid=ml623,ou=People,dc=georgetown,dc=edu" (8) ldap : Processing user attributes (8) ldap : control:NT-Password := 0x7b4d44347d36444<and so on....> rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok (8) [expiration] = noop (8) [logintime] = noop (8) WARNING: pap : Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0xd374de30d37cc42e (8) eap : Finished EAP session with state 0xd374de30d37cc42e (8) eap : Previous EAP request found for state 0xd374de30d37cc42e, released from the list (8) eap : Peer sent MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2 : Auth-Type MS-CHAP { (8) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password (8) WARNING: mschap : NT-Password has not been normalized by the 'pap' module. Authentication will fail (8) mschap : Creating challenge hash with username: ml623 (8) mschap : Client is using MS-CHAPv2 (8) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication (8) ERROR: mschap : MS-CHAP2-Response is incorrect (8) [mschap] = reject
On 9 Mar 2015, at 15:42, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
Hello,
Trying to get freeradius working for tls and mschap and ldap based authentication... seems the password is found correctly in LDAP, but fails to be decoded maybe?
the passwords in LDAP look like: {MD4}6DDDA<an so on..>
Map the LDAP attribute to control:Password-With-Header instead of control:NT-Password, the PAP module should then normalise the NT Password string, by stripping off the header, converting the hex to binary, and copying it to control:NT-Password. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Thanks Arran. My error changed, which is good sign :) I believe I had this before: update { control:Password-With-Header += 'userPassword' control:NT-Password := 'gunthash' } which I changed to this: update { control:Password-With-Header += 'gunthash' } Not the log looks like: (8) ldap : User object found at DN "uid=ml623,ou=People,dc=georgetown,dc=edu" (8) ldap : Processing user attributes (8) ldap : control:Password-With-Header += ''{MD4}6DDDAFA<and so on>'' rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok (8) if ((ok || updated) && User-Password) (8) if ((ok || updated) && User-Password) -> FALSE (8) [expiration] = noop (8) [logintime] = noop (8) WARNING: pap : Found unknown header {{MD4}}: Not doing anything (8) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (8) WARNING: pap : Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0x118e6e5211867494 (8) eap : Finished EAP session with state 0x118e6e5211867494 (8) eap : Previous EAP request found for state 0x118e6e5211867494, released from the list (8) eap : Peer sent MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2 : Auth-Type MS-CHAP { (8) mschap : Found Cleartext-Password, hashing to create LM-Password (8) mschap : Found Cleartext-Password, hashing to create NT-Password (8) mschap : Creating challenge hash with username: ml623 (8) mschap : Client is using MS-CHAPv2 (8) ERROR: mschap : MS-CHAP2-Response is incorrect (8) [mschap] = reject On Mon, Mar 9, 2015 at 3:48 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 9 Mar 2015, at 15:42, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
Hello,
Trying to get freeradius working for tls and mschap and ldap based authentication... seems the password is found correctly in LDAP, but fails to be decoded maybe?
the passwords in LDAP look like: {MD4}6DDDA<an so on..>
Map the LDAP attribute to control:Password-With-Header instead of control:NT-Password, the PAP module should then normalise the NT Password string, by stripping off the header, converting the hex to binary, and copying it to control:NT-Password.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 9 Mar 2015, at 21:05, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
Thanks Arran. My error changed, which is good sign :)
header should be {nt} or {nthash} not {md4}, unless you have an example of an application that inserts {md4} prefixed hashes into LDAP, in which case we could consider adding it. -Arran
That's bad news for me... I will try to find out and see if we can possibly change it in LDAP... Thanks, Mohamed. On Mon, Mar 9, 2015 at 9:09 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 9 Mar 2015, at 21:05, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
Thanks Arran. My error changed, which is good sign :)
header should be {nt} or {nthash} not {md4}, unless you have an example of an application that inserts {md4} prefixed hashes into LDAP, in which case we could consider adding it.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
sorry for my newbie questions.... In this second phase of authentication, called inner tunnel, can I use 'bind to ldap with user creds", to avoid this password format issue in my LDAP system? Thanks, Mohamed. On Tue, Mar 10, 2015 at 12:35 AM, Mohamed Lrhazi < Mohamed.Lrhazi@georgetown.edu> wrote:
That's bad news for me... I will try to find out and see if we can possibly change it in LDAP...
Thanks, Mohamed.
On Mon, Mar 9, 2015 at 9:09 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 9 Mar 2015, at 21:05, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
Thanks Arran. My error changed, which is good sign :)
header should be {nt} or {nthash} not {md4}, unless you have an example of an application that inserts {md4} prefixed hashes into LDAP, in which case we could consider adding it.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, I am evaluating v3.0.7. When running as a daemon, every time when I saw the following "Failing proxied request" message in the radius.log, the radius daemon aborted immediately. Tue Mar 10 16:51:43 2015 : Proxy: Marking home server x.x.x.x port yyyy as zombie (it has not responded in 30.000000 seconds). When running in debug mode, freeradius process never exited. The "Failing proxied request" message was still occasionally seen in the debug output. But it then followed with the received status-check response message and continued (see last 3 lines): (365) No proxy response, giving up on request and marking it done Marking home server x.x.x.x port yyyy as zombie (it has not responded in 30.000000 seconds). PING: Waiting 4 seconds for response to ping PING: Next status packet in 20 seconds (365) ERROR: Failing proxied request for user "145094624@wlan.network.org", due to lack of any response from home server x.x.x.x port yyyy (365) Found Post-Proxy-Type Fail-Authentication (365) There was no response configured: rejecting request (365) Using Post-Auth-Type Reject (365) # Executing group from file /usr/local/etc/raddb/sites-enabled/WiFi (365) Post-Auth-Type REJECT { (365) attr_filter.access_reject: EXPAND %{User-Name} (365) attr_filter.access_reject: --> 1454094624@wlan.network.org (365) attr_filter.access_reject: Matched entry DEFAULT at line 16 (365) [attr_filter.access_reject] = updated (365) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (365) eap: Failed to get handler, probably already removed, not inserting EAP-Failure (365) [eap] = noop (365) policy remove_reply_message_if_eap { (365) if (&reply:EAP-Message && &reply:Reply-Message) { (365) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (365) else { (365) [noop] = noop (365) } # else = noop (365) } # policy remove_reply_message_if_eap = noop (365) } # Post-Auth-Type REJECT = updated (365) Sent Access-Reject Id 88 from z.z.z.z:aaaa to w.w.w.w:bbbb length 20 (365) Finished request (365) <done>: Cleaning up request packet ID 88 with timestamp +145 Waking up in 3.9 seconds. (449) Received response to status check 449 (1 in current sequence) (449) Marking home server x.x.x.x port yyyy alive Ready to process requests I guess it was due to a difference in timing when waiting for a status response from home servers. I tried different parameters in proxy.conf, but in vain. Can anyone suggest what parameters to adjust in proxy.conf? Or is it just a bug? Thanks in advance. Fu
On Mar 10, 2015, at 5:18 AM, Lai Fu Keung <tfklai@hku.hk> wrote:
I am evaluating v3.0.7.
When running as a daemon, every time when I saw the following "Failing proxied request" message in the radius.log, the radius daemon aborted immediately.
Tue Mar 10 16:51:43 2015 : Proxy: Marking home server x.x.x.x port yyyy as zombie (it has not responded in 30.000000 seconds).
When running in debug mode, freeradius process never exited. The "Failing proxied request" message was still occasionally seen in the debug output. But it then followed with the received status-check response message and continued (see last 3 lines):
Please try the v3.0.x branch from github: https://github.com/FreeRADIUS/freeradius-server/archive/v3.0.x.zip I believe this problem should be fixed. Alan DeKok.
I tried the github 3.0.x version and the problem still remains the same. Previously I had tried v3.0.4 and I didn't have this problem. I confirm that my firewall did not block the traffic, as this problem did not occur when evaluating v3.0.4 on the same machine. And freeradius did not abort when running in debug mode. I'll do more tests to understand the problem. But if you have a clue on what to look at, please let me know. Fu On Mar 10, 2015, at 5:18 AM, Lai Fu Keung <tfklai@hku.hk> wrote:
I am evaluating v3.0.7.
When running as a daemon, every time when I saw the following "Failing proxied request" message in the radius.log, the radius daemon aborted immediately.
Tue Mar 10 16:51:43 2015 : Proxy: Marking home server x.x.x.x port yyyy as zombie (it has not responded in 30.000000 seconds).
When running in debug mode, freeradius process never exited. The "Failing proxied request" message was still occasionally seen in the debug output. But it then followed with the received status-check response message and continued (see last 3 lines):
Please try the v3.0.x branch from github: https://github.com/FreeRADIUS/freeradius-server/archive/v3.0.x.zip I believe this problem should be fixed. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi everyone, Le 11/03/2015 05:46, Lai Fu Keung a écrit :
I tried the github 3.0.x version and the problem still remains the same.
Same here with 3.0.x commit f4d1e488b182d005f9cd0c29f63c77feae6c8405. During a test, if I stop the home server, I'm getting "Failing proxied request" errors, then FreeRADIUS crashes. No log about zombie, though. Backtrace: #0 0x0000003535a0f3cb in raise () from /lib64/libpthread.so.0 #1 0x00007f6a00d216c6 in skgesigOSCrash () from /opt/oracle/instantclient_11_2/libclntsh.so.11.1 #2 0x00007f6a00fd2f79 in kpeDbgSignalHandler () from /opt/oracle/instantclient_11_2/libclntsh.so.11.1 #3 0x00007f6a00d218d6 in skgesig_sigactionHandler () from /opt/oracle/instantclient_11_2/libclntsh.so.11.1 #4 <signal handler called> #5 0x00007f6a029a0652 in fr_event_delete (el=0x19747f0, parent=0x66dd280) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/lib/event.c:192 #6 0x00007f6a029a0766 in fr_event_run (el=0x19747f0, when=<value optimized out>) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/lib/event.c:308 #7 0x00007f6a029a0a4d in fr_event_loop (el=0x19747f0) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/lib/event.c:625 #8 0x000000000042598c in main (argc=3, argv=<value optimized out>) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/main/radiusd.c:581 HTH, -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 11, 2015, at 3:45 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
During a test, if I stop the home server, I'm getting "Failing proxied request" errors, then FreeRADIUS crashes. No log about zombie, though.
Backtrace: #0 0x0000003535a0f3cb in raise () from /lib64/libpthread.so.0 #1 0x00007f6a00d216c6 in skgesigOSCrash () from /opt/oracle/instantclient_11_2/libclntsh.so.11.1 #2 0x00007f6a00fd2f79 in kpeDbgSignalHandler () from /opt/oracle/instantclient_11_2/libclntsh.so.11.1 #3 0x00007f6a00d218d6 in skgesig_sigactionHandler () from /opt/oracle/instantclient_11_2/libclntsh.so.11.1 #4 <signal handler called>
Uh… that’s bad. The Oracle client library grabs the signal handler for itself? It’s not the cause of the crash, but it’s terrible practice.
#5 0x00007f6a029a0652 in fr_event_delete (el=0x19747f0, parent=0x66dd280) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/lib/event.c:192 #6 0x00007f6a029a0766 in fr_event_run (el=0x19747f0, when=<value optimized out>) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/lib/event.c:308 #7 0x00007f6a029a0a4d in fr_event_loop (el=0x19747f0) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/lib/event.c:625 #8 0x000000000042598c in main (argc=3, argv=<value optimized out>) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/main/radiusd.c:581
That’s the problem we’ve been fighting for a while. Unfortunately, I can’t reproduce it here. What does the rest of the debug log say? Knowing that might also help. You could also try turning on DEBUG_STATE_MACHINE in src/main/process.c. It will cause the debug output to print out state transitions for each request. Alan DeKok.
Le 11/03/2015 15:15, Alan DeKok a écrit :
That’s the problem we’ve been fighting for a while. Unfortunately, I can’t reproduce it here.
FYI, the issue is no more reproduced with the last HEAD. Thank you, -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
With the new version 3.0.8 running on our environment, I would say the problem is just slightly improved. Freeradius crashes from "several times an hour" in v3.0.7 to "once every several hours" in v3.0.8, after seeing "Proxy: Marking home server x.x.x.x as zombie (it has not responded in 30.000000 seconds)" message. We have more than 10 radius home servers configured. Some of them are quite busy servers and I understand that sometimes they may respond slowly or even do not respond to the proxied requests. I am not familiar with the logic inside freeradius. But can freeradius at least not to abort itself when handling proxy servers with no response. Sorry that I can't configure our production home servers in our testing environment to debug freeradius. But anything else I can do?? Fu -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+tfklai=hku.hk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, March 11, 2015 10:16 PM To: FreeRadius users mailing list Subject: Re: Aborted when seeing Failing proxied request On Mar 11, 2015, at 3:45 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
During a test, if I stop the home server, I'm getting "Failing proxied request" errors, then FreeRADIUS crashes. No log about zombie, though.
Backtrace: #0 0x0000003535a0f3cb in raise () from /lib64/libpthread.so.0 #1 0x00007f6a00d216c6 in skgesigOSCrash () from /opt/oracle/instantclient_11_2/libclntsh.so.11.1 #2 0x00007f6a00fd2f79 in kpeDbgSignalHandler () from /opt/oracle/instantclient_11_2/libclntsh.so.11.1 #3 0x00007f6a00d218d6 in skgesig_sigactionHandler () from /opt/oracle/instantclient_11_2/libclntsh.so.11.1 #4 <signal handler called>
Uh… that’s bad. The Oracle client library grabs the signal handler for itself? It’s not the cause of the crash, but it’s terrible practice.
#5 0x00007f6a029a0652 in fr_event_delete (el=0x19747f0, parent=0x66dd280) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/lib/event.c:192 #6 0x00007f6a029a0766 in fr_event_run (el=0x19747f0, when=<value optimized out>) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/lib/event.c:308 #7 0x00007f6a029a0a4d in fr_event_loop (el=0x19747f0) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/lib/event.c:625 #8 0x000000000042598c in main (argc=3, argv=<value optimized out>) at /home/admwpsrs/src/freeradius-server-3.0.x-c10/src/main/radiusd.c:581
That’s the problem we’ve been fighting for a while. Unfortunately, I can’t reproduce it here. What does the rest of the debug log say? Knowing that might also help. You could also try turning on DEBUG_STATE_MACHINE in src/main/process.c. It will cause the debug output to print out state transitions for each request. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 28, 2015, at 12:47 AM, Lai Fu Keung <tfklai@hku.hk> wrote:
With the new version 3.0.8 running on our environment, I would say the problem is just slightly improved. Freeradius crashes from "several times an hour" in v3.0.7 to "once every several hours" in v3.0.8, after seeing "Proxy: Marking home server x.x.x.x as zombie (it has not responded in 30.000000 seconds)" message.
That's better, but not very good.
We have more than 10 radius home servers configured. Some of them are quite busy servers and I understand that sometimes they may respond slowly or even do not respond to the proxied requests. I am not familiar with the logic inside freeradius. But can freeradius at least not to abort itself when handling proxy servers with no response.
Sorry that I can't configure our production home servers in our testing environment to debug freeradius. But anything else I can do??
See "panic_action" in radiusd.conf. You can get panic logs without running "radiusd -X". PLEASE first install the debugging symbols, so that the gdb logs are useful. You probably want to set: panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-${name}-%p.log 2>&1" And then send the logs to the list, or to me off-list. Alan DeKok.
See "panic_action" in radiusd.conf. You can get panic logs without running "radiusd -X". PLEASE first install the debugging symbols, so that the gdb logs are useful.
You probably want to set:
panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-${name}-%p.log 2>&1"
I've got the gdb log. But how to install the debugging symbols? Fu
See if the following gdb log (without debugging symbols) is good enough to trace down the problem. Fu -------------- Reading symbols from /usr/local/sbin/radiusd...done. Attaching to program: /usr/local/sbin/radiusd, process 28551 Reading symbols from /usr/local/lib/libfreeradius-server.so...done. Loaded symbols for /usr/local/lib/libfreeradius-server.so Reading symbols from /usr/local/lib/libfreeradius-radius.so...done. Loaded symbols for /usr/local/lib/libfreeradius-radius.so Reading symbols from /usr/local/lib/libfreeradius-eap.so...done. Loaded symbols for /usr/local/lib/libfreeradius-eap.so Reading symbols from /usr/lib64/libcrypto.so.10...(no debugging symbols found).. .done. Loaded symbols for /usr/lib64/libcrypto.so.10 Reading symbols from /usr/lib64/libssl.so.10...(no debugging symbols found)...do ne. Loaded symbols for /usr/lib64/libssl.so.10 Reading symbols from /usr/lib64/libtalloc.so.2...(no debugging symbols found)... done. Loaded symbols for /usr/lib64/libtalloc.so.2 Reading symbols from /lib64/libnsl.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/libnsl.so.1 Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done . Loaded symbols for /lib64/libresolv.so.2 Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done. Loaded symbols for /lib64/libdl.so.2 Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...don e. [New LWP 28556] [New LWP 28555] [New LWP 28554] [New LWP 28553] [New LWP 28552] [Thread debugging using libthread_db enabled] Loaded symbols for /lib64/libpthread.so.0 Reading symbols from /lib64/libreadline.so.6...(no debugging symbols found)...do ne. Loaded symbols for /lib64/libreadline.so.6 Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/libcrypt.so.1 Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done. Loaded symbols for /lib64/libc.so.6 Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found). ..done. Loaded symbols for /lib64/ld-linux-x86-64.so.2 Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/libz.so.1 Reading symbols from /lib64/libgssapi_krb5.so.2...(no debugging symbols found).. .done. Loaded symbols for /lib64/libgssapi_krb5.so.2 Reading symbols from /lib64/libkrb5.so.3...(no debugging symbols found)...done. Loaded symbols for /lib64/libkrb5.so.3 Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols found)...don e. Loaded symbols for /lib64/libcom_err.so.2 Reading symbols from /lib64/libk5crypto.so.3...(no debugging symbols found)...do ne. Loaded symbols for /lib64/libk5crypto.so.3 Reading symbols from /lib64/librt.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/librt.so.1 Reading symbols from /lib64/libtinfo.so.5...(no debugging symbols found)...done. Loaded symbols for /lib64/libtinfo.so.5 Reading symbols from /lib64/libfreebl3.so...(no debugging symbols found)...done. Loaded symbols for /lib64/libfreebl3.so Reading symbols from /lib64/libkrb5support.so.0...(no debugging symbols found).. .done. Loaded symbols for /lib64/libkrb5support.so.0 Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...do ne. Loaded symbols for /lib64/libkeyutils.so.1 Reading symbols from /lib64/libselinux.so.1...(no debugging symbols found)...don e. Loaded symbols for /lib64/libselinux.so.1 Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols found)...d one. Loaded symbols for /lib64/libnss_files.so.2 Reading symbols from /usr/local/lib/rlm_realm.so...done. Loaded symbols for /usr/local/lib/rlm_realm.so Reading symbols from /usr/local/lib/rlm_chap.so...done. Loaded symbols for /usr/local/lib/rlm_chap.so Reading symbols from /usr/local/lib/rlm_ldap.so...done. Loaded symbols for /usr/local/lib/rlm_ldap.so Reading symbols from /lib64/libldap-2.4.so.2...(no debugging symbols found)...do ne. Loaded symbols for /lib64/libldap-2.4.so.2 Reading symbols from /lib64/liblber-2.4.so.2...(no debugging symbols found)...do ne. Loaded symbols for /lib64/liblber-2.4.so.2 Reading symbols from /usr/lib64/libsasl2.so.2...(no debugging symbols found)...d one. Loaded symbols for /usr/lib64/libsasl2.so.2 Reading symbols from /usr/lib64/libssl3.so...(no debugging symbols found)...done . Loaded symbols for /usr/lib64/libssl3.so Reading symbols from /usr/lib64/libsmime3.so...(no debugging symbols found)...do ne. Loaded symbols for /usr/lib64/libsmime3.so Reading symbols from /usr/lib64/libnss3.so...(no debugging symbols found)...done . Loaded symbols for /usr/lib64/libnss3.so Reading symbols from /usr/lib64/libnssutil3.so...(no debugging symbols found)... done. Loaded symbols for /usr/lib64/libnssutil3.so Reading symbols from /lib64/libplds4.so...(no debugging symbols found)...done. Loaded symbols for /lib64/libplds4.so Reading symbols from /lib64/libplc4.so...(no debugging symbols found)...done. Loaded symbols for /lib64/libplc4.so Reading symbols from /lib64/libnspr4.so...(no debugging symbols found)...done. Loaded symbols for /lib64/libnspr4.so Reading symbols from /usr/local/lib/rlm_exec.so...done. Loaded symbols for /usr/local/lib/rlm_exec.so Reading symbols from /usr/local/lib/rlm_utf8.so...done. Loaded symbols for /usr/local/lib/rlm_utf8.so Reading symbols from /usr/local/lib/rlm_dhcp.so...done. Loaded symbols for /usr/local/lib/rlm_dhcp.so Reading symbols from /usr/local/lib/rlm_logintime.so...done. Loaded symbols for /usr/local/lib/rlm_logintime.so Reading symbols from /usr/local/lib/rlm_digest.so...done. Loaded symbols for /usr/local/lib/rlm_digest.so Reading symbols from /usr/local/lib/rlm_attr_filter.so...done. Loaded symbols for /usr/local/lib/rlm_attr_filter.so Reading symbols from /usr/local/lib/rlm_radutmp.so...done. Loaded symbols for /usr/local/lib/rlm_radutmp.so Reading symbols from /usr/local/lib/rlm_files.so...done. Loaded symbols for /usr/local/lib/rlm_files.so Reading symbols from /usr/local/lib/rlm_preprocess.so...done. Loaded symbols for /usr/local/lib/rlm_preprocess.so Reading symbols from /usr/local/lib/rlm_cache.so...done. Loaded symbols for /usr/local/lib/rlm_cache.so Reading symbols from /usr/local/lib/rlm_cache_rbtree.so...done. Loaded symbols for /usr/local/lib/rlm_cache_rbtree.so Reading symbols from /usr/local/lib/rlm_passwd.so...done. Loaded symbols for /usr/local/lib/rlm_passwd.so Reading symbols from /usr/local/lib/rlm_pap.so...done. Loaded symbols for /usr/local/lib/rlm_pap.so Reading symbols from /usr/local/lib/rlm_always.so...done. Loaded symbols for /usr/local/lib/rlm_always.so Reading symbols from /usr/local/lib/rlm_eap.so...done. Loaded symbols for /usr/local/lib/rlm_eap.so Reading symbols from /usr/local/lib/rlm_eap_md5.so...done. Loaded symbols for /usr/local/lib/rlm_eap_md5.so Reading symbols from /usr/local/lib/rlm_eap_gtc.so...done. Loaded symbols for /usr/local/lib/rlm_eap_gtc.so Reading symbols from /usr/local/lib/rlm_eap_tls.so...done. Loaded symbols for /usr/local/lib/rlm_eap_tls.so Reading symbols from /usr/local/lib/rlm_eap_ttls.so...done. Loaded symbols for /usr/local/lib/rlm_eap_ttls.so Reading symbols from /usr/local/lib/rlm_eap_peap.so...done. Loaded symbols for /usr/local/lib/rlm_eap_peap.so Reading symbols from /usr/local/lib/rlm_eap_mschapv2.so...done. Loaded symbols for /usr/local/lib/rlm_eap_mschapv2.so Reading symbols from /usr/local/lib/rlm_soh.so...done. Loaded symbols for /usr/local/lib/rlm_soh.so Reading symbols from /usr/local/lib/rlm_mschap.so...done. Loaded symbols for /usr/local/lib/rlm_mschap.so Reading symbols from /usr/local/lib/rlm_perl.so...done. Loaded symbols for /usr/local/lib/rlm_perl.so Reading symbols from /usr/lib64/perl5/CORE/libperl.so...(no debugging symbols fo und)...done. Loaded symbols for /usr/lib64/perl5/CORE/libperl.so Reading symbols from /lib64/libm.so.6...(no debugging symbols found)...done. Loaded symbols for /lib64/libm.so.6 Reading symbols from /lib64/libutil.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/libutil.so.1 Reading symbols from /usr/lib64/perl5/auto/Data/Dumper/Dumper.so...(no debugging symbols found)...done. Loaded symbols for /usr/lib64/perl5/auto/Data/Dumper/Dumper.so Reading symbols from /usr/local/lib/rlm_detail.so...done. Loaded symbols for /usr/local/lib/rlm_detail.so Reading symbols from /usr/local/lib/rlm_replicate.so...done. Loaded symbols for /usr/local/lib/rlm_replicate.so Reading symbols from /usr/local/lib/rlm_expiration.so...done. Loaded symbols for /usr/local/lib/rlm_expiration.so Reading symbols from /usr/local/lib/rlm_dynamic_clients.so...done. Loaded symbols for /usr/local/lib/rlm_dynamic_clients.so Reading symbols from /usr/local/lib/rlm_unpack.so...done. Loaded symbols for /usr/local/lib/rlm_unpack.so Reading symbols from /usr/local/lib/rlm_expr.so...done. Loaded symbols for /usr/local/lib/rlm_expr.so Reading symbols from /usr/local/lib/rlm_unix.so...done. Loaded symbols for /usr/local/lib/rlm_unix.so Reading symbols from /usr/local/lib/rlm_linelog.so...done. Loaded symbols for /usr/local/lib/rlm_linelog.so 0x00000038374ac65d in waitpid () from /lib64/libc.so.6 No symbol table info available. No symbol table info available. Thread 6 (Thread 0x7f85468a6700 (LWP 28552)): #0 0x000000383780d930 in sem_wait () from /lib64/libpthread.so.0 No symbol table info available. #1 0x000000000042ba2c in request_handler_thread (arg=0x18072d0) at src/main/thr eads.c:621 self = 0x18072d0 #2 0x00000038378079d1 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #3 0x00000038374e88fd in clone () from /lib64/libc.so.6 No symbol table info available. Thread 5 (Thread 0x7f8545ea5700 (LWP 28553)): #0 0x000000383780d930 in sem_wait () from /lib64/libpthread.so.0 No symbol table info available. #1 0x000000000042ba2c in request_handler_thread (arg=0x18090c0) at src/main/thr eads.c:621 self = 0x18090c0 #2 0x00000038378079d1 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #3 0x00000038374e88fd in clone () from /lib64/libc.so.6 No symbol table info available. Thread 4 (Thread 0x7f85454a4700 (LWP 28554)): #0 0x000000383780d930 in sem_wait () from /lib64/libpthread.so.0 No symbol table info available. #1 0x000000000042ba2c in request_handler_thread (arg=0x1813450) at src/main/thr eads.c:621 self = 0x1813450 #2 0x00000038378079d1 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #3 0x00000038374e88fd in clone () from /lib64/libc.so.6 No symbol table info available. Thread 3 (Thread 0x7f8544aa3700 (LWP 28555)): #0 0x000000383780d930 in sem_wait () from /lib64/libpthread.so.0 No symbol table info available. #1 0x000000000042ba2c in request_handler_thread (arg=0x18135e0) at src/main/thr eads.c:621 self = 0x18135e0 #2 0x00000038378079d1 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #3 0x00000038374e88fd in clone () from /lib64/libc.so.6 No symbol table info available. Thread 2 (Thread 0x7f85440a2700 (LWP 28556)): #0 0x000000383780d930 in sem_wait () from /lib64/libpthread.so.0 No symbol table info available. #1 0x000000000042ba2c in request_handler_thread (arg=0x1813770) at src/main/thr eads.c:621 self = 0x1813770 #2 0x00000038378079d1 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #3 0x00000038374e88fd in clone () from /lib64/libc.so.6 No symbol table info available. Thread 1 (Thread 0x7f85519dd7e0 (LWP 28551)): #0 0x00000038374ac65d in waitpid () from /lib64/libc.so.6 No symbol table info available. #1 0x000000383743e609 in do_system () from /lib64/libc.so.6 No symbol table info available. #2 0x000000383743e940 in system () from /lib64/libc.so.6 No symbol table info available. #3 0x00007f8551c15469 in fr_fault (sig=11) at src/lib/debug.c:728 disable = true cmd = "gdb -silent -x /usr/local/etc/raddb/panic.gdb /usr/local/sbin/rad iusd 28551 > /usr/local/var/log/radius/gdb-radiusd-28551.log 2>&1", '\000' <repe ats 401 times> out = 0x7fffb634bfd9 ".log 2>&1" left = 411 ret = <value optimized out> p = 0x7f8551e427f3 ".log 2>&1" q = 0x0 code = <value optimized out> #4 <signal handler called> No symbol table info available. #5 _fr_cursor_init (cursor=0x7fffb634c6a0, vp=0x78) at src/lib/cursor.c:81 No locals. #6 0x00007f8551e5bdd4 in tmpl_cursor_init (err=0x7fffb634c708, cursor=0x7fffb63 4c6a0, request=0x190fce0, vpt=0x1910540) at src/main/tmpl.c:1713 vps = 0x78 vp = 0x0 #7 0x00007f8551e640c1 in xlat_getvp (ctx=0x1910a90, request=0x190fce0, node=0x1 910510, escape=0x7f8551e5f220 <rad_filename_escape>, escape_ctx=0x0, lvl=0) at s rc/main/xlat.c:1796 vp = 0x0 virtual = 0x0 packet = 0x0 dv = <value optimized out> ret = 0x0 err = 0 cursor = {first = 0x78, found = 0x0, last = 0x0, current = 0x0, next = 0 x0} quote = 0 '\000' return_null = true #8 xlat_aprint (ctx=0x1910a90, request=0x190fce0, node=0x1910510, escape=0x7f85 51e5f220 <rad_filename_escape>, escape_ctx=0x0, lvl=0) at src/main/xlat.c:2169 rcode = <value optimized out> str = 0x0 child = <value optimized out> p = <value optimized out> #9 0x00007f8551e63e69 in xlat_aprint (ctx=0x1910a90, request=0x190fce0, node=0x 19103b0, escape=0x7f8551e5f220 <rad_filename_escape>, escape_ctx=0x0, lvl=0) at src/main/xlat.c:2270 rcode = <value optimized out> str = 0x0 child = <value optimized out> p = <value optimized out> #10 0x00007f8551e64c68 in xlat_process (out=0x7fffb634c8b8, request=0x190fce0, h ead=<value optimized out>, escape=0x7f8551e5f220 <rad_filename_escape>, escape_c tx=0x0) at src/main/xlat.c:2354 i = <value optimized out> list = 7 total = <value optimized out> array = 0x1910a90 answer = <value optimized out> node = <value optimized out> #11 0x00007f8551e64e24 in xlat_expand_struct (out=0x7fffb634c968, outlen=10240, request=<value optimized out>, node=<value optimized out>, escape=<value optimiz ed out>, escape_ctx=<value optimized out>) at src/main/xlat.c:2408 buff = 0x0 len = <value optimized out> #12 0x00007f8551e6506b in xlat_expand (out=0x7fffb634c968, outlen=10240, request =0x190fce0, fmt=0x13928a0 "/usr/local/var/log/radius/log/radiusd-%{%{Virtual-Ser ver}:-DEFAULT}-%Y%m%d.log", escape=0x7f8551e5f220 <rad_filename_escape>, escape_ ctx=0x0) at src/main/xlat.c:2472 len = <value optimized out> node = 0x1910250 #13 0x00007f8551e651b3 in radius_xlat (out=0x7fffb634c9b0 "0", outlen=<value opt imized out>, request=<value optimized out>, fmt=<value optimized out>, escape=<v alue optimized out>, ctx=<value optimized out>) at src/main/xlat.c:2530 No locals. #14 0x00007f8551e561ad in vradlog_request (type=L_PROXY, lvl=<value optimized ou t>, request=0x190fce0, msg=0x451eb8 "Received response to status check %d (%d in current sequence)", ap=0x7fffb634f290) at src/main/log.c:665 rl = 0x7f8551e56100 <vradlog_request> filename = <value optimized out> fp = 0x0 buffer = "0\000\000\000\060\000\000\000\260\312\064\266\377\177\000\000\ 320\311\064\266\377\177\000\000\354\311\064\266\377\177\000\000\000\000\000\000\ 000\000\000\000\277\313\064\266\377\177\000\000?\363\064\266\001\000\000\000\021 XU78\000\000\000fXU78\000\000\000\300\367Q\001\000\000\000\000@\313\064\266\377\ 177\000\000\022", '\000' <repeats 15 times>, "`vR\001\000\000\000\000@\363\064\2 66\377\177\000\000\350\360D78\000\000\000\060\000\000\000\060\000\000\000 \313\0 64\266\377\177\000\000P\312\064\266\377\177\000\000\335p@U", '\000' <repeats 12 times>, "I\265M78", '\000' <repeats 11 times>"\323, \032G78\000\000\000Յ\346Q\20 5\177\000\000`vR\001\000\000\000\000\247\000\000\000\000\000\000\000\000p\237Q\2 05\177\000\000\022\000\000\000\000\000\000\000\232DG7\000\000\000\000\000\000\00 0\000\377\177", '\000' <repeats 18 times>... p = <value optimized out> extra = 0x7f8551e67749 "" indent = <value optimized out> aq = {{gp_offset = 7, fp_offset = 0, overflow_arg_area = 0x7fffb634f2f0, reg_save_area = 0xd0}} #15 0x00007f8551e56702 in radlog_request (type=<value optimized out>, lvl=<value optimized out>, request=<value optimized out>, msg=<value optimized out>) at sr c/main/log.c:789 ap = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffb634f37 0, reg_save_area = 0x7fffb634f2b0}} #16 0x0000000000430a75 in request_ping (request=0x190fce0, action=<value optimiz ed out>) at src/main/process.c:3243 home = 0x13fc120 buffer = '\000' <repeats 64 times>"\320, \363\064\266\377\177\000\000\02 4\370?\266\377\177\000\000\240\364\064\266\377\177\000\000\000\000\000\000\000\0 00\000\000\360\363\064\266\377\177\000\000\274\370?\266\377\177\000\000\340\374\ 220\001\000\000\000\000@\375\220\001\000\000\000" __FUNCTION__ = "request_ping" #17 0x000000000042d9a5 in request_proxy_reply (packet=0x15278d0) at src/main/pro cess.c:2538 proxy_p = 0x190fd40 request = 0x190fce0 now = {tv_sec = 1430286557, tv_usec = 647413} buffer = '\000' <repeats 48 times>, "\003\362\000\024\020\000\000\000\02 0\000\000\000\205\177\063\222p\316B", '\000' <repeats 13 times>, "-\000\000\000\ 000\000\000\000\001\000\000\000\000\000\000\000\300\367\064\266\377\177\000\000\ 330\321L\001\000\000\000\000@\367\064\266\377\177\000\000\\y\302Q\205\177\000" #18 0x000000000041797f in proxy_socket_recv (listener=0x7f852c001b60) at src/mai n/listen.c:1980 packet = 0x15278d0 buffer = "\335p@U\000\000\000\000s\346\016\000\000\000\000\000\300\367Q\ 001\000\000\000\000\300\367Q\001\000\000\000\000\024\a\000\000\000\000\000\000\2 15\067C\000\000\000\000\000\024\a\000\000\000\000\000\000P\351@\000\000\000\000\ 000\036", '\000' <repeats 15 times>, "158.132.12.191", '\000' <repeats 26 times> "\353, W\000\031?\000\000" #19 0x000000000043017b in event_socket_handler (xel=<value optimized out>, fd=<v alue optimized out>, ctx=<value optimized out>) at src/main/process.c:4432 listener = <value optimized out> #20 0x00007f8551c3067b in fr_event_loop (el=0x14cd1c0) at src/lib/event.c:642 ef = <value optimized out> i = <value optimized out> rcode = 1 when = {tv_sec = 1430286557, tv_usec = 649241} wake = <value optimized out> maxfd = 45 read_fds = {fds_bits = {35184372088832, 0 <repeats 15 times>}} master_fds = {fds_bits = {37517613072384, 0 <repeats 15 times>}} #21 0x0000000000425efc in main (argc=3, argv=<value optimized out>) at src/main/ radiusd.c:581 rcode = 0 status = <value optimized out> argval = <value optimized out> spawn_flag = true write_pid = false display_version = false flag = 0 from_child = {4, 5} autofree = 0x11a9060 A debugging session is active. Inferior 1 [process 28551] will be detached. Quit anyway? (y or n) [answered Y; input not from terminal] -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+tfklai=hku.hk@lists.freeradius.org] On Behalf Of Lai Fu Keung Sent: Wednesday, April 29, 2015 11:42 AM To: FreeRadius users mailing list Subject: RE: Aborted when seeing Failing proxied request
See "panic_action" in radiusd.conf. You can get panic logs without running "radiusd -X". PLEASE first install the debugging symbols, so that the gdb logs are useful.
You probably want to set:
panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-${name}-%p.log 2>&1"
I've got the gdb log. But how to install the debugging symbols? Fu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 29, 2015, at 2:27 AM, Lai Fu Keung <tfklai@hku.hk> wrote:
See if the following gdb log (without debugging symbols) is good enough to trace down the problem.
It's exactly what I needed to solve the problem. I've pushed a fix to the v3.0.x branch. Alan DeKok.
When running in debug mode, freeradius process never exited. The "Failing proxied request" message was still occasionally seen in the debug output. But it then followed with the received status-check response message and continued (see last 3 lines):
(365) No proxy response, giving up on request and marking it done Marking home server x.x.x.x port yyyy as zombie (it has not responded in 30.000000 seconds).
Well, is home server x.x.x.x listening on port yyyy? Have you tried to connect to it? Is there a firewall between you and the home server? If so, has it been configured to receive traffic on port yyyy? If not, sort that out first.
I guess it was due to a difference in timing when waiting for a status response from home servers. I tried different parameters in proxy.conf, but in vain. Can anyone suggest what parameters to adjust in proxy.conf? Or is it just a bug?
See above. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
only for a plain text method - e.g. TTLS/PAP
You could, if your OS does not support TTLS/PAP, try TTLS/EAP-GTC (Generic Token Card) instead (which should support PAP). Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Thank you guys. Am looking at my options trying to migrate existing setup from Juniper SBR... I found out that {MD4} header is a Juniper requirement.... Their support sites states this in a KB article. LDAP authentication method in SBR supports MS-CHAP-v2 only if the following two conditions are met: 1. If BINDNAME method is used in ldapauth.aut 2. If the LDAP server can return clear-text password or MD4 hash of Unicode form of password to SBR *Note:* If the LDAP database stores user password in MD4 hash format, {MD4} should be prepended in front of the hashed password that is stored in LDAP database. This is done in order to notify SBR that it is actually an MD4 hash password. Where do I request support for this header? github ticket? Thank you so much, Mohamed. On Tue, Mar 10, 2015 at 5:44 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
only for a plain text method - e.g. TTLS/PAP
You could, if your OS does not support TTLS/PAP, try TTLS/EAP-GTC (Generic Token Card) instead (which should support PAP).
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 10, 2015, at 8:31 AM, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
Thank you guys. Am looking at my options trying to migrate existing setup from Juniper SBR... I found out that {MD4} header is a Juniper requirement.... Their support sites states this in a KB article.
So edit the password. ... ldap # gets Password-With-Header if (&control:Password-With-Header =~ /^{md4}(.*)$/) { update control { Password-With-Header := “{nt}${1}" } } I’ll push a fix for rlm_pap so this won’t be needed for 3.0.8 Alan DeKok.
On 10 Mar 2015, at 09:57, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 10, 2015, at 8:31 AM, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
Thank you guys. Am looking at my options trying to migrate existing setup from Juniper SBR... I found out that {MD4} header is a Juniper requirement.... Their support sites states this in a KB article.
So edit the password.
... ldap # gets Password-With-Header if (&control:Password-With-Header =~ /^{md4}(.*)$/) { update control { Password-With-Header := “{nt}${1}" } }
I’ll push a fix for rlm_pap so this won’t be needed for 3.0.8
Alan DeKok.
That should be ldap # gets Password-With-Header if (&control:Password-With-Header =~ /^{md4}(.*)$/) { update control { Password-With-Header := "{nt}%{1}"}} } } Teach apple mail not to use smart quotes too... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 10 Mar 2015, at 10:15, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 10 Mar 2015, at 09:57, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 10, 2015, at 8:31 AM, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
Thank you guys. Am looking at my options trying to migrate existing setup from Juniper SBR... I found out that {MD4} header is a Juniper requirement.... Their support sites states this in a KB article.
So edit the password.
... ldap # gets Password-With-Header if (&control:Password-With-Header =~ /^{md4}(.*)$/) { update control { Password-With-Header := “{nt}${1}" } }
I’ll push a fix for rlm_pap so this won’t be needed for 3.0.8
Alan DeKok.
That should be
Teach apple mail not to use smart quotes too...
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
ldap # gets Password-With-Header if (&control:Password-With-Header =~ /^{md4}(.*)$/) { update control { Password-With-Header := "{nt}%{1}" } } pre-coffee *sigh* Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Tue, Mar 10, 2015 at 10:16 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
ldap # gets Password-With-Header if (&control:Password-With-Header =~ /^{md4}(.*)$/) { update control { Password-With-Header := "{nt}%{1}" } }
Thanks Arran. This would go in my inner-tunnel server, authorize section? right? which I currently have as : ldap if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } Or in my ldap module config, which I current have as: update { control:Password-With-Header += guntlmhash }
On 10 Mar 2015, at 10:24, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
On Tue, Mar 10, 2015 at 10:16 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
ldap # gets Password-With-Header if (&control:Password-With-Header =~ /^{md4}(.*)$/) { update control { Password-With-Header := "{nt}%{1}" } }
Thanks Arran. This would go in my inner-tunnel server, authorize section? right? which I currently have as :
Yep that's right. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
sorry... keyboard error :) So, the regex does not seem to compile: /etc/freeradius/sites-enabled/inner-tunnel[143]: Invalid regular expression ^{md4}(.*)$: Invalid preceding regular expression I tried this too, with same result: /^\{md4\}(.*)$/ On Tue, Mar 10, 2015 at 10:41 AM, Mohamed Lrhazi < Mohamed.Lrhazi@georgetown.edu> wrote:
On Tue, Mar 10, 2015 at 10:26 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
ldap # gets Password-With-Header if (&control:Password-With-Header =~ /^{md4}(.*)$/) { update control { Password-With-Header := "{nt}%{1}" } }
That gave me this error:
This seems to work, as far as regex being valid format: /^.MD4.(.*)$/ but my whole config is not quite right yet... (8) ldap : control:Password-With-Header += ''{MD4}6DDDAF<...>'' rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok (8) if (&control:Password-With-Header =~ /^.MD4.(.*)$/) (8) if (&control:Password-With-Header =~ /^.MD4.(.*)$/) -> TRUE (8) if (&control:Password-With-Header =~ /^.MD4.(.*)$/) { (8) update control { (8) EXPAND {nt}%{1} (8) --> {nt}6DDDAF<...> (8) Password-With-Header := '"{nt}6DDDAFA0E<...>"' (8) } # update control = noop (8) } # if (&control:Password-With-Header =~ /^.MD4.(.*)$/) = noop (8) if ((ok || updated) && User-Password) (8) if ((ok || updated) && User-Password) -> FALSE (8) [expiration] = noop (8) [logintime] = noop (8) WARNING: pap : Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP What do I need to change this to: ldap if (&control:Password-With-Header =~ /^.MD4.(.*)$/) { update control { Password-With-Header := "{nt}%{1}" } } if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } On Tue, Mar 10, 2015 at 10:43 AM, Mohamed Lrhazi < Mohamed.Lrhazi@georgetown.edu> wrote:
sorry... keyboard error :)
So, the regex does not seem to compile:
/etc/freeradius/sites-enabled/inner-tunnel[143]: Invalid regular expression ^{md4}(.*)$: Invalid preceding regular expression
I tried this too, with same result: /^\{md4\}(.*)$/
On Tue, Mar 10, 2015 at 10:41 AM, Mohamed Lrhazi < Mohamed.Lrhazi@georgetown.edu> wrote:
On Tue, Mar 10, 2015 at 10:26 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
ldap # gets Password-With-Header if (&control:Password-With-Header =~ /^{md4}(.*)$/) { update control { Password-With-Header := "{nt}%{1}" } }
That gave me this error:
I tried but it still failing to authenticate me... does this really mean my password is wrong? (8) ldap : Performing search in 'ou=people,dc=georgetown,dc=edu' with filter '(uid=ml623)', scope 'sub' (8) ldap : Waiting for search result... (8) ldap : User object found at DN "uid=ml623,ou=People,dc=georgetown,dc=edu" (8) ldap : Processing user attributes (8) ldap : control:Password-With-Header += ''{MD4}6DDDAF...'' rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok (8) if (&control:Password-With-Header =~ /^.MD4.(.*)$/) (8) if (&control:Password-With-Header =~ /^.MD4.(.*)$/) -> TRUE (8) if (&control:Password-With-Header =~ /^.MD4.(.*)$/) { (8) update control { (8) EXPAND {nt}%{1} (8) --> {nt}6DDDAF... (8) Password-With-Header := '"{nt}6DDDAF..."' (8) } # update control = noop (8) } # if (&control:Password-With-Header =~ /^.MD4.(.*)$/) = noop (8) if ((ok || updated) && User-Password) (8) if ((ok || updated) && User-Password) -> FALSE (8) [expiration] = noop (8) [logintime] = noop (8) WARNING: pap : Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0xc06f3685c0672c5f (8) eap : Finished EAP session with state 0xc06f3685c0672c5f (8) eap : Previous EAP request found for state 0xc06f3685c0672c5f, released from the list (8) eap : Peer sent MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2 : Auth-Type MS-CHAP { (8) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password (8) WARNING: mschap : NT-Password has not been normalized by the 'pap' module. Authentication will fail (8) mschap : Creating challenge hash with username: ml623 (8) mschap : Client is using MS-CHAPv2 (8) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication (8) ERROR: mschap : MS-CHAP2-Response is incorrect (8) [mschap] = reject (8) } # Auth-Type MS-CHAP = reject (8) eap : Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user. On Tue, Mar 10, 2015 at 10:57 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 10, 2015, at 10:54 AM, Mohamed Lrhazi < Mohamed.Lrhazi@georgetown.edu> wrote:
What do I need to change this to:
Nothing. Try it and see.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 10, 2015, at 11:23 AM, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
I tried but it still failing to authenticate me... does this really mean my password is wrong?
No. It means you didn’t do everything we suggested. You need to list “pap” AFTER the module which reads the password from the database. ldap if … update pap Alan DeKok.
I added 'pap' in few different places, one at time, until I made the RADIUS gods happy... Thank you so much guys. Mohamed. On Tue, Mar 10, 2015 at 11:28 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 10, 2015, at 11:23 AM, Mohamed Lrhazi < Mohamed.Lrhazi@georgetown.edu> wrote:
I tried but it still failing to authenticate me... does this really mean my password is wrong?
No. It means you didn’t do everything we suggested.
You need to list “pap” AFTER the module which reads the password from the database.
ldap if … update pap
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 10, 2015, at 10:43 AM, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
So, the regex does not seem to compile:
/etc/freeradius/sites-enabled/inner-tunnel[143]: Invalid regular expression ^{md4}(.*)$: Invalid preceding regular expression
Yeah… { is a special character for regexes.
I tried this too, with same result: /^\{md4\}(.*)$/
That should work for “correct_escapes = true” Alan DeKok.
Excellent! Thank you so much. On Tue, Mar 10, 2015 at 9:57 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 10, 2015, at 8:31 AM, Mohamed Lrhazi <Mohamed.Lrhazi@georgetown.edu> wrote:
Thank you guys. Am looking at my options trying to migrate existing setup from Juniper SBR... I found out that {MD4} header is a Juniper requirement.... Their support sites states this in a KB article.
So edit the password.
... ldap # gets Password-With-Header if (&control:Password-With-Header =~ /^{md4}(.*)$/) { update control { Password-With-Header := “{nt}${1}" } }
I’ll push a fix for rlm_pap so this won’t be needed for 3.0.8
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (7)
-
"RESTOUX, Loïc" -
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Lai Fu Keung -
Mohamed Lrhazi -
Stefan Paetow