Re: FW: upgraded from freeradius 1.1.3 to 2.0.4
Frank van den Diepstraten wrote:
For a few years now, I use a freeradius/mysql server for the authentication of users which logon with their dsl line. This always went perfect till I tried to upgrade the machine from debian etch to debian lenny. The freeradius version went from 1.1.3 to 2.0.4. When I upgraded user couldn’t login anymore.
Umm... you upgraded software across a major version number, and you didn't do the migration manually? We've made serious attempts to make the configuration similar, but it is *not* the same. Automated upgrades are simply not possible. Also, 2.0.4 is an old version. You want to use a more recent one.
I didn’t change anything in the config file which we used on the 1.1.3 version of freeradius.
That's BAD. You need to *upgrade* the configuration, not just blindly copy it over.
While searching for this error I found something about the groupchecktable which we never used. In the config this option is marked out: ... And in the database is no table called radgroupcheck because I never used it.
So.. not using that shouldn't break the server.
How can I get my freeradius working again and simply don’t let it do a thing with the groupcheck (which I guess is the problem of the empty expand which I see in debug mode)
Find out what the real problem is. Looking at *part* of the debug log doesn't help. Some expansions are *allowed* to be empty. Alan DeKok.
Well, I didn't expect this kind of reactions. I tried to give as much information as I had. First of all I upgraded to the newest packages of debian etch before I did a dist-upgrade to lenny. With the latest version of etch it still worked. The latest version in debian lenny is the 2.0.4 which I am running now. I do use the groupreply option (but no groupcheck option because the check has been done already in the usercheck option) so the mail of Alan doesn't solve the problem. The complete debug text is underneath, hopefully this makes it a bit more clear. Sorry for the inconvenience: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host x.x.x.x port 55116, id=108, length=66 User-Name = "username" User-Password = "pass" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 +- entering group authorize ++[preprocess] returns ok expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/x.x.x.x/auth-detail-20090218 rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/x.x.x.x/auth-detail-20090218 expand: %t -> Wed Feb 18 15:31:36 2009 ++[auth_log] returns ok ++[chap] returns noop rlm_realm: Looking up realm "realm" for User-Name = "username" rlm_realm: No such realm "realm" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop expand: %{User-Name} -> username rlm_sql (sql): sql_set_user escaped user --> 'username' rlm_sql (sql): Reserving sql socket id: 62 expand: SELECT isp_ordernumber,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' and enabled='true' ORDER BY isp_ordernumber -> SELECT isp_ordernumber,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'username' and enabled='true' ORDER BY isp_ordernumber WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. rlm_sql (sql): User found in radcheck table expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'username' ORDER BY id expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='username' expand: -> rlm_sql (sql): Error generating query; rejecting user rlm_sql (sql): Error processing groups; rejecting user rlm_sql (sql): Released sql socket id: 62 ++[sql] returns fail Invalid user: [username] (from client host port 1) Found Post-Auth-Type Reject +- entering group REJECT rlm_sql (sql): Processing sql_postauth expand: %{User-Name} -> username rlm_sql (sql): sql_set_user escaped user --> 'username' WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'username', 'password', 'Access-Reject', NOW()) rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'username', 'password', 'Access-Reject', NOW()) rlm_sql (sql): Reserving sql socket id: 61 rlm_sql (sql): Released sql socket id: 61 ++[sql] returns ok Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 108 to x.x.x.x port 55116 Framed-IP-Address := x.x.x.x ERX-Atm-PCR := 8000 Waking up in 4.9 seconds. Cleaning up request 0 ID 108 with timestamp +9 Ready to process requests. -----Original Message----- From: freeradius-users-bounces+frank.diepstraten=concepts-ict.nl@lists.freeradius.org [mailto:freeradius-users-bounces+frank.diepstraten=concepts-ict.nl@lists.freeradius.org] On Behalf Of Alan DeKok Sent: donderdag 19 februari 2009 11:59 To: FreeRadius users mailing list Subject: Re: FW: upgraded from freeradius 1.1.3 to 2.0.4 Frank van den Diepstraten wrote:
For a few years now, I use a freeradius/mysql server for the authentication of users which logon with their dsl line. This always went perfect till I tried to upgrade the machine from debian etch to debian lenny. The freeradius version went from 1.1.3 to 2.0.4. When I upgraded user couldn’t login anymore.
Umm... you upgraded software across a major version number, and you didn't do the migration manually? We've made serious attempts to make the configuration similar, but it is *not* the same. Automated upgrades are simply not possible. Also, 2.0.4 is an old version. You want to use a more recent one.
I didn’t change anything in the config file which we used on the 1.1.3 version of freeradius.
That's BAD. You need to *upgrade* the configuration, not just blindly copy it over.
While searching for this error I found something about the groupchecktable which we never used. In the config this option is marked out: ... And in the database is no table called radgroupcheck because I never used it.
So.. not using that shouldn't break the server.
How can I get my freeradius working again and simply don’t let it do a thing with the groupcheck (which I guess is the problem of the empty expand which I see in debug mode)
Find out what the real problem is. Looking at *part* of the debug log doesn't help. Some expansions are *allowed* to be empty. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.0.237 / Virus Database: 270.11.0/1959 - Release Date: 02/18/09 20:55:00
participants (2)
-
Alan DeKok -
Frank van den Diepstraten