Log says "duplicate requests", CPU maxing out
Thanks to Alan, we are now running freeRADIUS 2.1.3 on our embedded network controller. The problem is that now it is less stable than the 1.1.7 version we had been using. Again, I am sure our config is screwed up. For example, the 'radius.log' file contains dozens of files saying: Error: Discarding duplicate request from client test-net port NNNN - ID: XX due to unfinished request YYY The client.conf file has this entry: client 192.168.0.232/24 { secret = testing123 shortname = test-net } The config uses a flat file with uernames and cleartext passwords. There is no SQL database in the backend. Also, when we have 40+ clients attempting to connect to RADIUS, the CPU utilization reaches 100% and the processor becomes unresponsive. The 'maxserver' parameter in radiusd.conf is set to 32 (as it was for the older version). I am upping it to 64 to see if that solves the CPU problem. Thanks for any insights. Regards, - Harshal
Chhaya, Harshal wrote:
For example, the 'radius.log' file contains dozens of files saying: Error: Discarding duplicate request from client test-net port NNNN - ID: XX due to unfinished request YYY
So... find out what's blocking the server, and why.
The config uses a flat file with uernames and cleartext passwords. There is no SQL database in the backend.
What else is in the configuration?
Also, when we have 40+ clients attempting to connect to RADIUS, the CPU utilization reaches 100% and the processor becomes unresponsive.
The 'maxserver' parameter in radiusd.conf is set to 32 (as it was for the older version). I am upping it to 64 to see if that solves the CPU problem.
That won't make a difference if one of the modules is locked. Find out which module is blocking the server, and why. Alan DeKok.
Alan,
Find out which module is blocking the server, and why.
Okay, here is a newbie question: How do I do this? The embedded network controller is should be able to support upto 50 concurrent wireless clients using WPA2-PEAP. Here is my config: (One thing that struck me as I was copying the config here is that I probably need to disable proxying because the set up does not proxy any requests) ========= clients.conf =============== client localhost { ipaddr = 127.0.0.1 secret = testing123 require_message_authenticator = no nastype = other } client 192.168.0.232/24 { secret = testing123 shortname = test-net } ========= radiusd.conf ========= prefix = /usr exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = /tmp sbindir = ${exec_prefix}/sbin logdir = ${localstatedir} raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir} # Should likely be ${localstatedir}/lib/radiusd db_dir = ${raddbdir} libdir = ${exec_prefix}/lib pidfile = ${run_dir}/${name}.pid max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no # Core dumps are a bad thing. This should only be set to 'yes' # if you're debugging a problem with the server. # # allowed values: {no, yes} # allow_core_dumps = no # Regular expressions # # These items are set at configure time. If they're set to "yes", # then setting them to "no" turns off regular expression support. # # If they're set to "no" at configure time, then setting them to "yes" # WILL NOT WORK. It will give you an error. # regular_expressions = yes extended_expressions = yes # # Logging section. The various "log_*" configuration items # will eventually be moved here. # log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 64 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ ========= eap.conf ========= eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 md5 { } leap { } gtc { challenge = "Password: " } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no lifetime = 24 # hours max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } }
Chhaya, Harshal wrote:
Alan,
Find out which module is blocking the server, and why.
Okay, here is a newbie question: How do I do this?
As suggested, debug mode is a start.
The embedded network controller is should be able to support upto 50 concurrent wireless clients using WPA2-PEAP.
OK.. did you modify ANY code to get it to build on the embedded system?
Here is my config: (One thing that struck me as I was copying the config here is that I probably need to disable proxying because the set up does not proxy any requests)
That doesn't matter. There are no CPU implications when not proxying.
========= radiusd.conf =========
Which doesn't list the modules you're using. As I said, one of the modules is likely blocking the server. Can you list the modules you're using? Alan DeKok.
OK.. did you modify ANY code to get it to build on the embedded system?
No. We had to change our build scripts a bit but haven't touched any of the freeRADIUS code.
As I said, one of the modules is likely blocking the server. Can you list the modules you're using?
Here is the output from from 'radiusd -X' before any of the clients try to connect: (The log made it obvious that the "$INCLUDE ${confdir}/modules/" directive in radiusd.conf is pulling in a bunch of modules that we don't need. I guess we need the 'mschap' and the 'inner-eap' module but nothing else. Are there other files in the '${confdir}/modules' that we need to include?) FreeRADIUS Version 2.1.3, for host arm-unknown-linux-gnu, built on Mar 5 2009 at 05:10:53 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/etc/raddb/radiusd.conf including configuration file /usr/etc/raddb/proxy.conf including configuration file /usr/etc/raddb/clients.conf including files in directory /usr/etc/raddb/modules/ including configuration file /usr/etc/raddb/modules/passwd including configuration file /usr/etc/raddb/modules/expiration including configuration file /usr/etc/raddb/modules/checkval including configuration file /usr/etc/raddb/modules/acct_unique including configuration file /usr/etc/raddb/modules/mac2vlan including configuration file /usr/etc/raddb/modules/echo including configuration file /usr/etc/raddb/modules/etc_group including configuration file /usr/etc/raddb/modules/perl including configuration file /usr/etc/raddb/modules/expr including configuration file /usr/etc/raddb/modules/krb5 including configuration file /usr/etc/raddb/modules/smbpasswd including configuration file /usr/etc/raddb/modules/exec including configuration file /usr/etc/raddb/modules/mschap including configuration file /usr/etc/raddb/modules/unix including configuration file /usr/etc/raddb/modules/linelog including configuration file /usr/etc/raddb/modules/pam including configuration file /usr/etc/raddb/modules/detail.example.com including configuration file /usr/etc/raddb/modules/policy including configuration file /usr/etc/raddb/modules/sql_log including configuration file /usr/etc/raddb/modules/always including configuration file /usr/etc/raddb/modules/logintime including configuration file /usr/etc/raddb/modules/chap including configuration file /usr/etc/raddb/modules/preprocess including configuration file /usr/etc/raddb/modules/attr_rewrite including configuration file /usr/etc/raddb/modules/inner-eap including configuration file /usr/etc/raddb/modules/wimax including configuration file /usr/etc/raddb/modules/mac2ip including configuration file /usr/etc/raddb/modules/radutmp including configuration file /usr/etc/raddb/modules/detail including configuration file /usr/etc/raddb/modules/ldap including configuration file /usr/etc/raddb/modules/detail.log including configuration file /usr/etc/raddb/modules/attr_filter including configuration file /usr/etc/raddb/modules/pap including configuration file /usr/etc/raddb/modules/ippool including configuration file /usr/etc/raddb/modules/realm including configuration file /usr/etc/raddb/modules/digest including configuration file /usr/etc/raddb/modules/counter including configuration file /usr/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/etc/raddb/modules/files including configuration file /usr/etc/raddb/modules/sradutmp including configuration file /usr/etc/raddb/eap.conf including configuration file /usr/etc/raddb/sql.conf including configuration file /usr/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/etc/raddb/sql/mysql/counter.conf including configuration file /usr/etc/raddb/policy.conf including files in directory /usr/etc/raddb/sites-enabled/ including configuration file /usr/etc/raddb/sites-enabled/default including configuration file /usr/etc/raddb/sites-enabled/inner-tunnel including dictionary file /usr/etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/tmp" logdir = "/tmp" libdir = "/usr/lib" radacctdir = "/tmp/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/tmp/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.0.232/24 { require_message_authenticator = no secret = "testing123" shortname = "test-net" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/tmp/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/etc/raddb/certs/server.pem" certificate_file = "/usr/etc/raddb/certs/server.pem" CA_file = "/usr/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/etc/raddb/certs/dh" random_file = "/usr/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/tmp/users" acctusersfile = "/usr/etc/raddb/acct_users" preproxy_usersfile = "/usr/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/tmp/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/etc/raddb/huntgroups" hints = "/usr/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/tmp/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. Thanks, - Harshal
Chhaya, Harshal wrote:
No. We had to change our build scripts a bit but haven't touched any of the freeRADIUS code.
Ok... can you say what platform you are running it on?
As I said, one of the modules is likely blocking the server. Can you list the modules you're using?
Here is the output from from 'radiusd -X' before any of the clients try to connect:
(The log made it obvious that the "$INCLUDE ${confdir}/modules/" directive in radiusd.conf is pulling in a bunch of modules that we don't need. I guess we need the 'mschap' and the 'inner-eap' module but nothing else. Are there other files in the '${confdir}/modules' that we need to include?)
No. I'd suspect radutmp and/or radwtmp. Why are you using those? Do you need them? Alan DeKok.
Ok... can you say what platform you are running it on?
It's an ARM running Montevista Linux.
I'd suspect radutmp and/or radwtmp. Why are you using those? Do you need them?
Nope. They were around because we didn't know enough to scrub the config files to remove unused modules. We have now removed references to these as well as all sql-related configs from radiusd.conf. We also moved out 'pam', 'sql-counter', 'detail.example.com', 'mac2vlan', 'krb5', 'sradutmp', 'wimax', 'perl' and 'ldap' from the 'modules' directory. And modified 'sites-available/inner-tunnel' and 'sites-available/default' to remove references to radutmp. The server seems faster but we still see some 'discarding duplicate request from client' messages in radius.log. The debug output for one such client is below: (chap/mschap/suffix returns noop. I don't know what that means.) Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 192.168.0.232 port 1418, id=102, lengt h=296 Message-Authenticator = 0x6bf2d880bd907dd9b4e327b0ed7aff74 Service-Type = Framed-User User-Name = "000000093701b104" Framed-MTU = 1488 State = 0x86e621af86e7383ccbec5f2181722704 Called-Station-Id = "001E2AECC893:TI-NAV-N-001E2AECC893" Calling-Station-Id = "00093701B104" NAS-Identifier = "netgearecc892" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201005619800000004c160301004701000043030145994871a26e9f222a077054ef1e14a22356d029fe14610021edf5d98291fb9400001c0016000a0005000400640062006100600015000900140008000600030100 NAS-IP-Address = 192.168.0.232 NAS-Port = 14 NAS-Port-Id = "STA port # 14" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "000000093701b104", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 86 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 76 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0047], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 102 to 192.168.0.232 port 1418 EAP-Message = 0x0102040019c000000aad160301002a02000026030100000aed4888c1cff2bdb0da7542f34c31902d463f1d1eeee7d047dfe83cdefd00001600160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303330333135343031345a170d3130303330333135343031345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d594ca11035bb697ac3bea14f92ef0d99be18c91ece91b91b45f5c808d085b8aad053689568a31467824ce7780f857cb73d6f5135aa168909bef37632bfe EAP-Message = 0x122f1f84f886b92c864182ced13b7d6fe4954296e852df73db3a8993a2618bbc260154dd5940a3f8912843096b34afddff1458836918077190a78c5541fe624617140bdb41bfc66bd954521b3409fbabcbd74b26725daa8d9d82e6a3e28c617933a11f11fcdf3c49436a56aa9d6ef8fe7d8bb867c8d577520219558210c3e9bff4555dc6896f61e94fc404fa7287ebf7a128f969ac55a7b7ce3787e00ce21d7f718f4dffa93f60e0713f9ef723500f0c40bafb6bf23f236ea091479847914917d0130203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100764f73fbf1e2cddfcc EAP-Message = 0x284b9fea1ba135c65946f4e7a4ec44e45e8f3d16870048a1a55567ab5bf083fbd6d16a929ed4489238e24ecb66d97dbfa24998c1b661f68cb16f980cbccbc67984e6b807324fba5eee16a319d60390010c8259643b439fcc50c9fb30557c543b5633ee860777d8d3a0ba8a7f37010eaa7004e1e2257f7d028da6dc0adbd855586e6a4b2c0323e1df6337674a842e40c49eb01a77a13fc0eeda2687ba5beed8f093ba7e80f63376326737399ff4d28d18e56ccb42744ca8613e094bf56dc4d1a6a0de185928083aed0cd26da2f69d715da11a3d548794411efa1333dc5db9ae1e69208a357fefb7f79fa7cc959166e00efbb153eedf2cf70004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86e621af87e4383ccbec5f2181722704 Finished request 10. Going to the next request Waking up in 0.7 seconds. rad_recv: Access-Request packet from host 192.168.0.232 port 1418, id=102, length=296 Sending duplicate reply to client test-net port 1418 - ID: 102 Sending Access-Challenge of id 102 to 192.168.0.232 port 1418 Waking up in 0.7 seconds. rad_recv: Access-Request packet from host 192.168.0.232 port 1418, id=103, length=216 Message-Authenticator = 0xdfb75fac30c3d5eef250a17ce0bdb188 Service-Type = Framed-User User-Name = "000000093701b104" Framed-MTU = 1488 State = 0x86e621af87e4383ccbec5f2181722704 Called-Station-Id = "001E2AECC893:TI-NAV-N-001E2AECC893" Calling-Station-Id = "00093701B104" NAS-Identifier = "netgearecc892" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 192.168.0.232 NAS-Port = 14 NAS-Port-Id = "STA port # 14" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "000000093701b104", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 103 to 192.168.0.232 port 1418 EAP-Message = 0x010303fc194000feada2bc5177f382300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303330333135343031345a170d3130303330333135343031345a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100aff59b69f34f27a8922dd9474ccc00464f6d58db2e7cac620ede571d8f6bc87504156ee3ae44ddec37da512a67950fb70ec432f538d0c00a2694e266861ce097c968d1ab555ae9689f59e304311db4e5cb6f13574a56a7e20e4c624cf3b957bcb79f5b8b9e3bebd646cad0dd275bd6 EAP-Message = 0x70a4940f6ba964a7bc491065ecd81a0929c3590ef7c6f9dab1c323d72390bc63525b87e0b836874dd651c9df7619ae66d89547b080b8f435f512685a1c2aef6b1d18a35a3b46be61b89c22bed59c19549b5f3988b4d3c563767006775fdfca936ad2275767b0360e2a49d774b6bdf90ed8f53c8938d337c2f1614007c8a427d36ebf6ebbaa99551bd49b534bc4c165eacd0203010001a381fb3081f8301d0603551d0e04160414ec834741fc51f4a46b42740ec8f8aea3804c85a83081c80603551d230481c03081bd8014ec834741fc51f4a46b42740ec8f8aea3804c85a8a18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900feada2bc5177f382300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008fb06746b5666f0c1d9e1da543a84973a01b5ef2a29b7ef92bd02c05867c980f61f7190422dc5f9428a3a03e1f56d06b339aca8940085e2de47976a248d74b210dc9ab686f7fe6e3fdad450f47a151555c4c EAP-Message = 0xef2dd79b865e6630 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86e621af84e5383ccbec5f2181722704 Finished request 11. Going to the next request Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.0.232 port 1418, id=104, length=216 Thanks, - Harshal
Hi,
The debug output for one such client is below: (chap/mschap/suffix returns noop. I don't know what that means.)
'no operation' - they had nothing to do, didnt see anything to do or didnt need to do anything (in basic speak). if your system is configured for one or 2 types of known auth then you can remove these - if you are planning on doing anything with suffix (usually proxy) then you need suffix. if you are using chap or mschap then likewise. whats the CPU speed? Whats the benchmark on it for openssl operations? alan
Sending Access-Challenge of id 102 to 192.168.0.232 port 1418 EAP-Message = 0x0102040019c000000aad160301002a02000026030100000aed4888c1cff2bdb0da7542f34c31902d463f1d1eeee7d047dfe83cdefd00001600160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303330333135343031345a170d3130303330333135343031345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d594ca11035bb697ac3bea14f92ef0d99be18c91ece91b91b45f5c808d085b8aad053689568a31467824ce7780f857cb73d6f5135aa168909bef37632bfe EAP-Message = 0x122f1f84f886b92c864182ced13b7d6fe4954296e852df73db3a8993a2618bbc260154dd5940a3f8912843096b34afddff1458836918077190a78c5541fe624617140bdb41bfc66bd954521b3409fbabcbd74b26725daa8d9d82e6a3e28c617933a11f11fcdf3c49436a56aa9d6ef8fe7d8bb867c8d577520219558210c3e9bff4555dc6896f61e94fc404fa7287ebf7a128f969ac55a7b7ce3787e00ce21d7f718f4dffa93f60e0713f9ef723500f0c40bafb6bf23f236ea091479847914917d0130203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100764f73fbf1e2cddfcc EAP-Message = 0x284b9fea1ba135c65946f4e7a4ec44e45e8f3d16870048a1a55567ab5bf083fbd6d16a929ed4489238e24ecb66d97dbfa24998c1b661f68cb16f980cbccbc67984e6b807324fba5eee16a319d60390010c8259643b439fcc50c9fb30557c543b5633ee860777d8d3a0ba8a7f37010eaa7004e1e2257f7d028da6dc0adbd855586e6a4b2c0323e1df6337674a842e40c49eb01a77a13fc0eeda2687ba5beed8f093ba7e80f63376326737399ff4d28d18e56ccb42744ca8613e094bf56dc4d1a6a0de185928083aed0cd26da2f69d715da11a3d548794411efa1333dc5db9ae1e69208a357fefb7f79fa7cc959166e00efbb153eedf2cf70004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86e621af87e4383ccbec5f2181722704 Finished request 10. Going to the next request Waking up in 0.7 seconds. rad_recv: Access-Request packet from host 192.168.0.232 port 1418, id=102, length=296 Sending duplicate reply to client test-net port 1418 - ID: 102 Sending Access-Challenge of id 102 to 192.168.0.232 port 1418 Waking up in 0.7 seconds. rad_recv: Access-Request packet from host 192.168.0.232 port 1418, id=103, length=216
Ugh, your network is loosing packets. That challenge didn't reach the NAS so it resent the request. There is nothing wrong with your radius server. Ivan Kalik Kalik Informatika ISP
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Chhaya, Harshal -
tnt@kalik.net