Hi all, We just upgraded from freeRADIUS 1.1.7 to 2.1.10, and we're having issues getting freeRADIUS to work with a thread pool (see debug logs below). The thread pool config was working in version 1.1.7. Were there major changes on how threads were implemented from 1.1.7 to 2.1.10? Why might we be having this issue? Debug log with thread pool:
radiusd -fxx -l stdout FreeRADIUS Version 2.1.10, for host i586-wrs-linux-gnu, built on Nov 25 2010 at 01:29:23 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/snmp.conf including configuration file /etc/raddb/eap.conf main { allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log" libdir = "/usr/lib" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log_auth = yes log_auth_badpass = no log_auth_goodpass = no log_stripped_names = no security { max_attributes = 200 reject_delay = 1 status_server = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 1 retry_count = 2 default_fallback = no dead_time = 600 wake_all_if_all_dead = no } radiusd: #### Loading Clients #### client 0.0.0.0/0 { require_message_authenticator = no secret = "siren123" shortname = "this_Shelf" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/radiusd.conf exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/radiusd.conf } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/radiusd.conf pap { encryption_scheme = "crypt" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/radiusd.conf Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/radiusd.conf unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/radiusd.conf realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/radiusd.conf files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf detail { detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/radiusd.conf radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 cleanup_delay = 5 max_queue_size = 65536 } Thread spawned new child 1. Total threads in pool: 1 Thread 1 waiting to be assigned a request Thread spawned new child 2. Total threads in pool: 2 Thread 2 waiting to be assigned a request Thread spawned new child 3. Total threads in pool: 3 Thread 3 waiting to be assigned a request Thread spawned new child 4. Total threads in pool: 4 Thread 4 waiting to be assigned a request Thread spawned new child 5. Total threads in pool: 5 Thread 5 waiting to be assigned a request Thread pool initialized radiusd: #### Opening IP addresses and Ports #### bind_address = * WARNING: The directive 'bind_address' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.
Debug log without thread pool (commented out in radiusd.conf):
radiusd -fxx -l stdout FreeRADIUS Version 2.1.10, for host i586-wrs-linux-gnu, built on Nov 25 2010 at 01:29:23 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/snmp.conf including configuration file /etc/raddb/eap.conf main { allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log" libdir = "/usr/lib" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log_auth = yes log_auth_badpass = no log_auth_goodpass = no log_stripped_names = no security { max_attributes = 200 reject_delay = 1 status_server = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 1 retry_count = 2 default_fallback = no dead_time = 600 wake_all_if_all_dead = no } radiusd: #### Loading Clients #### client 0.0.0.0/0 { require_message_authenticator = no secret = "siren123" shortname = "this_Shelf" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/radiusd.conf exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/radiusd.conf } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/radiusd.conf pap { encryption_scheme = "crypt" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/radiusd.conf Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/radiusd.conf unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/radiusd.conf realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/radiusd.conf files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf detail { detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/radiusd.conf radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### bind_address = * WARNING: The directive 'bind_address' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'. Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests.
Thanks, Keven ---------- Keven Smith-Worthylake Software Designer, SI23 GENBAND 3500 Carling Ave Ottawa, ON, Canada, K2H 8E9 office keven.smithworthylake@genband.com www.genband.com
Keven Smith-Worthylake wrote:
We just upgraded from freeRADIUS 1.1.7 to 2.1.10, and we're having issues getting freeRADIUS to work with a thread pool (see debug logs below). The thread pool config was working in version 1.1.7.
I don't see a problem with thread pools. And it would be *good* to describe the problem in a little more detail. "Something is wrong", followed by 100's of lines of debug output is unhelpful.
Were there major changes on how threads were implemented from 1.1.7 to 2.1.10? Why might we be having this issue?
No. What issue? Alan DeKok.
When we start radiusd with a thread pool configured, none of the requests from the pam-radius-auth proxy client are serviced/processed. The client never gets a reply from the server. From the server logs, the request is never seen. I noticed that when the server is started without the thread pool, the following logs are displayed (but they are not displayed when the thread pool is configured): Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. Thanks, Keven -----Original Message----- From: freeradius-users-bounces+keven.smith-worthylake=genband.com@lists.freeradius.org [mailto:freeradius-users-bounces+keven.smith-worthylake=genband.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, December 07, 2010 3:42 PM To: FreeRadius users mailing list Subject: Re: thread pools in 2.1.10 Keven Smith-Worthylake wrote:
We just upgraded from freeRADIUS 1.1.7 to 2.1.10, and we're having issues getting freeRADIUS to work with a thread pool (see debug logs below). The thread pool config was working in version 1.1.7.
I don't see a problem with thread pools. And it would be *good* to describe the problem in a little more detail. "Something is wrong", followed by 100's of lines of debug output is unhelpful.
Were there major changes on how threads were implemented from 1.1.7 to 2.1.10? Why might we be having this issue?
No. What issue? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Keven Smith-Worthylake wrote:
When we start radiusd with a thread pool configured, none of the requests from the pam-radius-auth proxy client are serviced/processed. The client never gets a reply from the server. From the server logs, the request is never seen.
Because it's not listening on any ports. You appear to have copied your configuration from 1.1.7 nearly verbatim to 2.1.10. This is probably not a good idea.
I noticed that when the server is started without the thread pool, the following logs are displayed (but they are not displayed when the thread pool is configured):
You've also ignored the warning message before the text you quoted. Add a "listen" section, as given in the default config for 2.1.10. We don't really test 2.1.10 with copies of the 1.1.7 configuration. It's *intended* to mostly work. But if it doesn't work, well... people can always read the warnings, and/or use the 2.1.10 configuration. Alan DeKok.
I tested using the "listen" configuration, but still had the same result. But if I comment out the "thread pool" section and everything works fine. Any other ideas? Thanks, Keven -----Original Message----- From: freeradius-users-bounces+keven.smith-worthylake=genband.com@lists.freeradius.org [mailto:freeradius-users-bounces+keven.smith-worthylake=genband.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, December 07, 2010 4:14 PM To: FreeRadius users mailing list Subject: Re: thread pools in 2.1.10 Keven Smith-Worthylake wrote:
When we start radiusd with a thread pool configured, none of the requests from the pam-radius-auth proxy client are serviced/processed. The client never gets a reply from the server. From the server logs, the request is never seen.
Because it's not listening on any ports. You appear to have copied your configuration from 1.1.7 nearly verbatim to 2.1.10. This is probably not a good idea.
I noticed that when the server is started without the thread pool, the following logs are displayed (but they are not displayed when the thread pool is configured):
You've also ignored the warning message before the text you quoted. Add a "listen" section, as given in the default config for 2.1.10. We don't really test 2.1.10 with copies of the 1.1.7 configuration. It's *intended* to mostly work. But if it doesn't work, well... people can always read the warnings, and/or use the 2.1.10 configuration. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Keven Smith-Worthylake wrote:
I tested using the "listen" configuration, but still had the same result.
"I did stuff and it didn't work"
But if I comment out the "thread pool" section and everything works fine.
Any other ideas?
Start with the default 2.1.x configuation, and gradually add in the pieces from your legacy system. Alan DeKok.
participants (2)
-
Alan DeKok -
Keven Smith-Worthylake