Version 1.1.1 stops responding

King, Michael MKing at bridgew.edu
Mon Mar 27 15:42:31 CEST 2006


Just for some reference (Trying to find commonalities):

What OS/Distro are you?

I'm Debian testing release

How did you install?  (Prebuilt binary / created local package and install / install from source)

I created a local Debian package, and installed it.

What modules did you enable?
	PEAP, TTLS, and TLS

What is your authentication source?

Using ntlm_auth against Active Directory 2003

What is your supplicant?
98% Windows XP built in supplicant.  The rest are Linux / Mac clients.


I wonder if this has something to do with this bug that got squashed....

2006.03.20 v1.0.5, and v1.1.0 - A validation issue exists with the EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing. We recommend that administrators upgrade immediately.

> -----Original Message-----
> From: freeradius-users-bounces+mking=bridgew.edu at lists.freeradius.org
> [mailto:freeradius-users-bounces+mking=bridgew.edu at lists.freeradius.org] On Behalf Of Stefan Winter
> Sent: Monday, March 27, 2006 1:49 AM
> To: FreeRadius users mailing list
> Subject: Re: Version 1.1.1 stops responding
> 
> > Mine seg faulted as well..
> > Here's the last few lines of the freeradius -X -A
> 
> > modcall: entering group authenticate for request 1002
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP/peap
> >   rlm_eap: processing type peap
> >   rlm_eap_peap: Authenticate
> >   rlm_eap_tls: processing TLS
> > rlm_eap_tls:  Length Included
> >   eaptls_verify returned 11
> 
> Interesting. This morning I encountered again that radiusd 
> was claiming to be still listening on its ports, but didn't 
> process anything any more. As other logs showed, someone 
> logged into an Access Point via TTLS at 8:22 and at 8:25 the 
> Nagios Monitoring system marked the RADIUS Server as 
> critical. Scan interval for Nagios is every three minutes. So 
> it could very well be that FreeRADIUS stopped processing 
> packets when it tried to do TTLS. Sounds similar to your 
> case, just that it didn't segfault. Note that we usually use 
> TTLS several times a day, and FreeRADIUS shows this 
> behaviour only sporadically.
> I now reverted to 1.1.0 in the hope that it's better there. 
> The way it is now is... disturbing.
> 
> Greetings,
> 
> Stefan Winter
> 
> --
> Stefan WINTER
> 
> Stiftung RESTENA - Réseau Téléinformatique de l'Education 
> Nationale et de la Recherche Ingenieur Forschung & Entwicklung
> 
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1 
> http://www.restena.lu                Fax:      +352 422473
> 