Re: Freeradius-Users Digest, Vol 241, Issue 23
I don't recall that being part of v2.
I got some free time yesterday, I looked through our old v2 config. I believe in v2, it was due to our config, which set Auth-Type to ldap, and since it failed to retrieve a non existent user from ldap it would log the ldap failure error. For our new config, we refrained from setting the Auth-Type to ldap as recommended by the documentation. We get no Auth-type found error because there is no Auth-Type found, since ldap can't provide a "known good" to pap.
But it's easy enough to add in unlang:
-ldap { if (notfound) { ... add a message here. }
I could not find which attribute/variable to update with my message, since there is no failure in the authorize santza. For now I have made the following linelog. linelog log_ldap_user_notfound { filename = ${logdir}/radius.log permissions = 0640 format = "%t : Login incorrect: (ldap: user %{User-Name} not found) Client-Mac = %{Calling-Station-Id}" } And added the following in the authorize santza after ldap. ldap if (notfound){ log_ldap_user_notfound } But this outputs an extra line in the radius.log since we use the auth = yes radius.conf. If there is better way to do this let know, in the mean time if I find a better solution I will post it to the mailing list. Thanks, Thomas On Mon, May 19, 2025 at 6:12 PM <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Can Post-Auth-Type REJECT log LDAP user not found (thomas) 2. radiusd crashes. ASSERT FAILED src/main/threads.c[794] (Sergei Kodentsev) 3. Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] (Alan DeKok) 4. Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] (Sergei Kodentsev) 5. Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] (Alan DeKok) 6. Re: Can Post-Auth-Type REJECT log LDAP user not found (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Mon, 19 May 2025 14:07:19 +0200 From: thomas <thomas.nodon@gmail.com> To: freeradius-users@lists.freeradius.org Subject: Can Post-Auth-Type REJECT log LDAP user not found Message-ID: <CAOPTCcfeQKoZsJYCNywmA1QU524tuUZuMnON4f6yV4Ez-fkOrw@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Hello everyone,
I have setup up a FreeRADIUS server with EAP-TTLS/PAP and OpenLDAP, the setup works fine.
I have a question regarding Post-Auth-Type REJECT, it correctly logs Login incorrect, but the &Module-Failure-Message is ambiguous for our needs when it comes to troubleshooting.
I get the following log if a user types their username incorrectly :
`Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [johndo@lab.local] (from client localhost port 0 via TLS tunnel)`
Is it possible to log something along the lines of "LDAP user not found" without making custom loglines? I believe this was possible on FreeRADIUS 2.x.x.
You can find the debug info below.
Thanks in advance !
--Thomas
(5) Received Access-Request Id 5 from 127.0.0.1:47099 to 127.0.0.1:1812 length 229 (5) User-Name = "anonymous@lab.local" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x02b2005315001703030048688da1ee57de5c653ec5b3ddb3fddaf954b25a2814726949f8960b9c81902198bf3054cc85cee621707608ab4bb4fecdd2dd6c1c55b33338264afb10435abffeb1198b43490adde2 (5) State = 0x5cf4dd435846c8abb4f3a6e2030e9f16 (5) Message-Authenticator = 0x161a97e6923da68704ab1e2c3048d6af (5) Restoring &session-state (5) &session-state:Framed-MTU = 1004 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) &session-state:TLS-Session-Version = "TLS 1.2" (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) if !("%{User-Name}" =~ /@lab.local$/) { (5) EXPAND %{User-Name} (5) --> anonymous@lab.local (5) if !("%{User-Name}" =~ /@lab.local$/) -> FALSE (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "lab.local" for User-Name = "anonymous@lab.local" (5) suffix: Found realm "lab.local" (5) suffix: Adding Realm = "lab.local" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) eap: Peer sent EAP Response (code 2) ID 178 length 83 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x5cf4dd435846c8ab (5) eap: Finished EAP session with state 0x5cf4dd435846c8ab (5) eap: Previous EAP request found for state 0x5cf4dd435846c8ab, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: (TLS) EAP Done initial handshake (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Got tunneled request (5) eap_ttls: User-Name = "johndo@lab.local" (5) eap_ttls: User-Password = "johndoe" (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_ttls: Sending tunneled request (5) Virtual server inner-tunnel received request (5) User-Name = "johndo@lab.local" (5) User-Password = "johndoe" (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) server inner-tunnel { (5) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "lab.local" for User-Name = "johndo@lab.local" (5) suffix: Found realm "lab.local" (5) suffix: Adding Realm = "lab.local" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: No EAP-Message, not doing EAP (5) [eap] = noop (5) [expiration] = noop (5) [logintime] = noop rlm_ldap (ldap): Reserved connection (0) (5) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap: --> (uid=johndo@lab.local) (5) ldap: Performing search in "o=univ,dc=lab,dc=local" with filter "(uid=johndo@lab.local)", scope "sub" (5) ldap: Waiting for search result... (5) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.lab.local:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (5) [ldap] = notfound (5) } # authorize = ok (5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> johndo@lab.local (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) update outer.session-state { (5) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (5) } # update outer.session-state = noop (5) } # Post-Auth-Type REJECT = updated (5) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [johndo@lab.local] (from client localhost port 0 via TLS tunnel) (5) } # server inner-tunnel (5) Virtual server sending reply (5) eap_ttls: Got tunneled Access-Reject (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (5) eap: Sending EAP Failure (code 4) ID 178 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> anonymous@lab.local (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [anonymous@lab.local] (from client localhost port 0 cli 02-00-00-00-00-01) (5) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 5 from 127.0.0.1:1812 to 127.0.0.1:47099 length 44 (5) EAP-Message = 0x04b20004 (5) Message-Authenticator = 0x00000000000000000000000000000000
------------------------------
Message: 2 Date: Mon, 19 May 2025 15:32:51 +0300 From: Sergei Kodentsev <sergk@ic.vrn.ru> To: freeradius-users@lists.freeradius.org Subject: radiusd crashes. ASSERT FAILED src/main/threads.c[794] Message-ID: <a8cef70b-bccf-4c8b-876b-db7307fb9852@ic.vrn.ru> Content-Type: text/plain; charset=UTF-8; format=flowed
Hi, Freradius 3.2.7, Ubuntu 24.04.2 LTS How to solve this problem?
Mon May 19 09:17:25 2025 : Error: (11542) Ignoring duplicate packet from client dhcp port 68 - ID: 3396190219 due to unfinished request in component post-auth module dhcplog Mon May 19 09:17:25 2025 : Error: Received conflicting packet from client dhcp port 68 - ID: 734446164 due to unfinished request in module dhcplog.? Giving up on old request. Mon May 19 09:17:25 2025 : Error: Received conflicting packet from client dhcp port 68 - ID: 734446164 due to unfinished request in module <queue>.? Giving up on old request. Mon May 19 09:17:25 2025 : Error: ASSERT FAILED src/main/threads.c[794]: request->child_state == REQUEST_QUEUED CAUGHT SIGNAL: Aborted Backtrace of last 6 frames: /usr/local/radius3/lib/libfreeradius-radius.so(fr_fault+0x139)[0x71d729f4b3d6] /usr/local/radius3/lib/libfreeradius-server.so(rad_assert_fail+0x4d)[0x71d729fb9591] /usr/local/radius3/sbin/radiusd(+0x4cf9e)[0x63cb44340f9e] /usr/local/radius3/sbin/radiusd(+0x4d275)[0x63cb44341275] /lib/x86_64-linux-gnu/libc.so.6(+0x9caa4)[0x71d72969caa4] /lib/x86_64-linux-gnu/libc.so.6(+0x129c3c)[0x71d729729c3c] Calling: gdb -silent -x /usr/local/radius3/etc/raddb/panic.gdb /usr/local/radius3/sbin/radiusd 3026728 2>&1 | tee /usr/local/radius3/var/log/radius/gdb-radiusd-3026728.log Temporarily setting PR_DUMPABLE to 1 Mon May 19 09:17:25 2025 : WARNING: (11548) WARNING: Module dhcplog(rlm_sql) became unblocked Mon May 19 09:17:25 2025 : Error: (11571) Ignoring duplicate packet from client dhcp port 67 - ID: 3795885685 due to unfinished request in component <core> module Resetting PR_DUMPABLE to 0 Panic action exited with 0 _EXIT(0) CALLED src/lib/debug.c[811]
regards, Sergey Kodentsev
-- ? ?????????, ?????? ????????, ??????????? ?????, ??? ?? "???????????-??????????"
------------------------------
Message: 3 Date: Mon, 19 May 2025 08:28:02 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] Message-ID: <8093EBD2-0BD3-4956-87CE-308964F73540@deployingradius.com> Content-Type: text/plain; charset=utf-8
On May 19, 2025, at 7:32?AM, Sergei Kodentsev <sergk@ic.vrn.ru> wrote:
Hi, Freradius 3.2.7, Ubuntu 24.04.2 LTS How to solve this problem?
For now, delete the assertion and recompile. We've pushed a fix to GitHub, and the fix will be in the next release.
Alan DeKok.
------------------------------
Message: 4 Date: Mon, 19 May 2025 16:52:52 +0300 From: Sergei Kodentsev <sergk@ic.vrn.ru> To: freeradius-users@lists.freeradius.org Subject: Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] Message-ID: <929d5521-86b1-47fb-92c7-293c25d5eb60@ic.vrn.ru> Content-Type: text/plain; charset=UTF-8; format=flowed
On 19.05.2025 16:28, Alan DeKok wrote:
On May 19, 2025, at 7:32?AM, Sergei Kodentsev <sergk@ic.vrn.ru> wrote: For now, delete the assertion and recompile. We've pushed a fix to GitHub, and the fix will be in the next release.
How to delete? assertion?
Sergey Kodentsev.
------------------------------
Message: 5 Date: Mon, 19 May 2025 09:11:36 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794] Message-ID: <C11286E6-6710-46D6-867A-94155C4DF7CA@deployingradius.com> Content-Type: text/plain; charset=utf-8
On May 19, 2025, at 8:52?AM, Sergei Kodentsev <sergk@ic.vrn.ru> wrote:
On 19.05.2025 16:28, Alan DeKok wrote:
On May 19, 2025, at 7:32?AM, Sergei Kodentsev <sergk@ic.vrn.ru> wrote: For now, delete the assertion and recompile. We've pushed a fix to GitHub, and the fix will be in the next release.
How to delete assertion?
Edit the source code.
Alan DeKok.
------------------------------
Message: 6 Date: Mon, 19 May 2025 11:10:15 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Can Post-Auth-Type REJECT log LDAP user not found Message-ID: <3EF9709C-7D7E-43EE-968D-D2E7ADD46B3B@deployingradius.com> Content-Type: text/plain; charset=utf-8
On May 19, 2025, at 7:07?AM, thomas <thomas.nodon@gmail.com> wrote:
I have a question regarding Post-Auth-Type REJECT, it correctly logs Login incorrect, but the &Module-Failure-Message is ambiguous for our needs when it comes to troubleshooting.
You can always check the return code of the LDAP module, and then manually add a message.
Is it possible to log something along the lines of "LDAP user not found" without making custom loglines? I believe this was possible on FreeRADIUS 2.x.x.
I don't recall that being part of v2. But it's easy enough to add in unlang:
ldap if (notfound) { ... add a message here. }
Alan DeKok.
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 241, Issue 23 *************************************************
On May 27, 2025, at 11:15 AM, thomas <thomas.nodon@gmail.com> wrote:
I believe in v2, it was due to our config, which set Auth-Type to ldap, and since it failed to retrieve a non existent user from ldap it would log the ldap failure error.
For our new config, we refrained from setting the Auth-Type to ldap as recommended by the documentation.
In most cases, the LDAP server can be queried, and can return the password to FreeRADIUS. If the LDAP server can't (or won't) do that, then you have to set Auth-Type to LDAP.
I could not find which attribute/variable to update with my message, since there is no failure in the authorize santza.
You can add an attribute to raddb/dictionary, and then set a value in an "update" section.
For now I have made the following linelog.
linelog log_ldap_user_notfound { filename = ${logdir}/radius.log permissions = 0640 format = "%t : Login incorrect: (ldap: user %{User-Name} not found) Client-Mac = %{Calling-Station-Id}" }
And added the following in the authorize santza after ldap.
ldap if (notfound){ log_ldap_user_notfound }
That works, too.
But this outputs an extra line in the radius.log since we use the auth = yes radius.conf.
If there is better way to do this let know, in the mean time if I find a better solution I will post it to the mailing list.
See raddb/radiusd.conf, and the "log" section. You can edit the "msg_goodpass" configuration item to include more text, or another attribute. Alan DeKok.
participants (2)
-
Alan DeKok -
thomas