freeradius not working in normal mode but working in debug mode
Hi freeradius not working in normal mode but working in debug mode. Please suggest. Thanks, Nand
Hi freeradius not working in normal mode but working in debug mode. Please suggest. Thanks, Nand
version 2.1.10 Module - LDAP In this case debug log shows the username, but while i debug to stdout it shows no username. freeradius -fxx -l stdout Thanks. ________________________________ From: Phil Mayers <p.mayers@imperial.ac.uk> To: freeradius-users@lists.freeradius.org Sent: Monday, 11 February 2013 3:26 PM Subject: Re: freeradius not working in normal mode but working in debug mode On 02/11/2013 08:49 AM, Nandkumar Palkar wrote:
Hi
freeradius not working in normal mode but working in debug mode.
Please suggest.
Which version of FreeRADIUS? Which modules (SQL, LDAP, etc.) are you using? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 02/11/2013 10:11 AM, Nandkumar Palkar wrote:
version 2.1.10
You should upgrade; that version has a known security bug.
Module - LDAP
In this case debug log shows the username, but while i debug to stdout it shows no username.
freeradius -fxx -l stdout
Just to be clear - when you say it "works in debug mode" what *exactly* do you mean? In usual use, "debug mode" means: radiusd -X ...but you list a different command line. Which command line works, and which command line doesn't? When it doesn't work, what are the symptoms? Please show the debug output when it *does* work.
Hello, Please see the debug log: (log output from command >> freeradius -fxx -l stdout) and with "freeradius -X" it works fine. My issue is that debug mode "freeradius -X" the authentication works great but once I try with normal mode it doesn't. I have checked all the permissions all are correct. Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.99 port 50000, id=24, length=177 Threads: total/active/spare threads = 5/0/5 Waking up in 0.9 seconds. Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) User-Name = "TEST.COM\\user1" Calling-Station-Id = "0000005e5523" EAP-Message = 0x0200003f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467 Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8 [<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default [<thread>] +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST.COM\user1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "TEST.COM" for User-Name = "TEST.COM\user1" [ntdomain] No such realm "TEST.COM" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_perl: Added pair User-Name = TEST.COM\\user1 rlm_perl: Added pair EAP-Message = 0x0200003f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 192.168.1.99 rlm_perl: Added pair Calling-Station-Id = 0000005e5523 rlm_perl: Added pair Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok [files] users: Matched entry DEFAULT at line 147 ++[files] returns ok [ldap] performing user authorization for TEST.COM\user1 [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=user1) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 192.168.1.120:389, authentication 0 [ldap] bind as cn=admin,dc=example,dc=com/yubico to 192.168.1.120:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=example,dc=com, with filter (uid=user1) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Cleartext-Password == "yubico" [ldap] userPassword -> Password-With-Header == "yubico" [ldap] looking for reply items in directory... [ldap] user TEST.COM\user1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group EAP {...} rlm_perl: Added pair User-Name = TEST.COM\\user1 rlm_perl: Added pair EAP-Message = 0x0200003f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467 rlm_perl: Added pair Calling-Station-Id = 0000005e5523 rlm_perl: Added pair NAS-IP-Address = 192.168.1.99 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8 rlm_perl: Added pair Cleartext-Password = yubico rlm_perl: Added pair Password-With-Header = yubico rlm_perl: Added pair Ldap-UserDn = uid=user1,ou=people,dc=example,dc=com rlm_perl: Added pair Auth-Type = EAP ++[perl] returns noop [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 24 to 192.168.1.99 port 50000 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x122bbc42122aa5a2412bf0f529fb8dfe Finished request 0. Going to the next request Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.1.99 port 50000, id=25, length=348 Waking up in 0.9 seconds. Thread 4 got semaphore Thread 4 handling request 1, (1 handled so far) User-Name = "TEST.COM\\user1" Calling-Station-Id = "0000005e5523" EAP-Message = 0x020100d8190016030100cd010000c9030151189e9c9fbe653e32873d8edf71da69da00c2f53aba302ad4fd7b82cc7df16d00005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 Message-Authenticator = 0x0455c39fc67f100bbe7b8bef15fbea80 State = 0x122bbc42122aa5a2412bf0f529fb8dfe [<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default [<thread>] +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST.COM\user1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "TEST.COM" for User-Name = "TEST.COM\user1" [ntdomain] No such realm "TEST.COM" ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 216 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group EAP {...} rlm_perl: Added pair User-Name = [here the username is not getting ???] rlm_perl: Added pair EAP-Message = 0x020100d8190016030100cd010000c9030151189e9c9fbe653e32873d8edf71da69da00c2f53aba302ad4fd7b82cc7df16d00005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 rlm_perl: Added pair EAP-Type = PEAP rlm_perl: Added pair NAS-IP-Address = 192.168.1.99 rlm_perl: Added pair State = 0x122bbc42122aa5a2412bf0f529fb8dfe rlm_perl: Added pair Calling-Station-Id = 0000005e5523 rlm_perl: Added pair Message-Authenticator = 0x0455c39fc67f100bbe7b8bef15fbea80 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns noop [eap] Request found, released from the list [eap] Identity does not match User-Name. Authentication failed. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ++[attr_filter.access_reject] returns noop Delaying reject of request 1 for 1 seconds Going to the next request Thread 4 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.1.99 port 50000, id=25, length=348 Waiting to send Access-Reject to client 14_192.168.1.99 port 50000 - ID: 25 Sending delayed reject for request 1 Sending Access-Reject of id 25 to 192.168.1.99 port 50000 Waking up in 3.9 seconds. Cleaning up request 0 ID 24 with timestamp +8 Waking up in 1.0 seconds. Cleaning up request 1 ID 25 with timestamp +8 Ready to process requests. ________________________________ From: Phil Mayers <p.mayers@imperial.ac.uk> To: freeradius-users@lists.freeradius.org Sent: Monday, 11 February 2013 3:57 PM Subject: Re: freeradius not working in normal mode but working in debug mode On 02/11/2013 10:11 AM, Nandkumar Palkar wrote:
version 2.1.10
You should upgrade; that version has a known security bug.
Module - LDAP
In this case debug log shows the username, but while i debug to stdout it shows no username.
freeradius -fxx -l stdout
Just to be clear - when you say it "works in debug mode" what *exactly* do you mean? In usual use, "debug mode" means: radiusd -X ...but you list a different command line. Which command line works, and which command line doesn't? When it doesn't work, what are the symptoms? Please show the debug output when it *does* work. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 11/02/13 10:43, Nandkumar Palkar wrote:
Hello,
Please see the debug log: (log output from command >> freeradius -fxx -l stdout) and with "freeradius -X" it works fine.
My issue is that debug mode "freeradius -X" the authentication works great but once I try with normal mode it doesn't. I have checked all the permissions all are correct.
Well, permissions are almost certainly the problem; check again. Try using a tool like "strace" to watch the server and look for errors e.g. strace -o rad.log -f /usr/sbin/radiusd ...then inspect "rad.log" for a an error. I note that you're using rlm_perl - check that - and EAP, so check the cert/key/etc. If you are on an SELinux-enabled distro, check for deny AVCs.
Hi,
freeradius not working in normal mode but working in debug mode. Please suggest.
when you try running it in normal mode, what do you see in the radius log file? what permissions does the radius log file have? what happens when you try running it in non debug mode but as a foreground process (ie dont just run it as a background service?) you will see SOMETHING printed to logfile or screen which will show you the issue - I'd expect its some configuration file or output file permissions problem alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Nandkumar Palkar -
Phil Mayers