Freeradius hangs

Karthik R kartthikr at gmail.com
Thu Nov 2 01:38:55 CET 2006


> <sigh> That's the message on the NAS.  And you're simply repeating
> your earlier comment that it doesn't work.
>
> Again, what is the RADIUS server doing?  You can't expect to
> understand what the RADIUS server is doing by looking at the NAS.  You
> have to look at the RADIUS server.

Alan,

When I was observing the radius log, I was typing the correct username and
password; sometimes it says "access was denied because username\password
invalid on the domain". I didn't see anything going wrong in the log message,
but I didn't understand why I got the above error message.

bash3.0#radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
--challenge=%{mschap:Challenge} --nt-re
sponse=%{mschap:NT-Response}"
Module: Instantiated mschap (mschap)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/secert/cert- srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/secert/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/secert/root.pem"
tls: private_key_password = "<removed>"
tls: dh_file = "/usr/local/etc/raddb/secert/dh"
tls: random_file = "/usr/local/etc/raddb/secert/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
rad_recv: Access-Request packet from host 192.168.0.1:4754, id=219,
length=151
        User-Name = "=<removed>"
        MS-CHAP2-Response =
0x9f006ad4cb39d121eec1ed2bbd5a6b72823d0000000000000000dc3beae19e85c047fc47796ffa8ce40de9cb3891d38887a3
        MS-CHAP-Challenge = 0x6ae823a6c2da2b7ca1f01d68109d2455
        NAS-Identifier = "Clavister"
        NAS-Port = 0
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 12
  modcall[authorize]: module "preprocess" returns ok for request 12
  modcall[authorize]: module "chap" returns noop for request 12
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = MS-CHAP'
  modcall[authorize]: module "mschap" returns ok for request 12
    rlm_realm: No '@' in User-Name = "<removed>", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 12
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 12
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 12
modcall: leaving group authorize (returns ok) for request 12
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 12
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for kartthikr with NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string
'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
mschap2: 6a
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=<removed>
--domain=<removed> --challenge=a3ecf075a1ea699b --nt-response
=dc3beae19e85c047fc47796ffa8ce40de9cb3891d38887a3'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=<removed>
--domain=<removed> --challenge=a3ecf075a1ea699b --nt-response=
dc3beae19e85c047fc47796ffa8ce40de9cb3891d38887a3
Exec-Program output: NT_KEY: 67F102C088FF660F615D1F9236DF9797
Exec-Program-Wait: plaintext: NT_KEY: 67F102C088FF660F615D1F9236DF9797
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 12
modcall: leaving group MS-CHAP (returns ok) for request 12
Sending Access-Accept of id 219 to 192.168.0.1 port 4754
        MS-CHAP2-Success =
0x9f533d41443033433538413845303733454132373045303043444441364531383431433344383938383938
        MS-MPPE-Recv-Key = 0xdc882e2dfa10109679e37fe4bafba95d
        MS-MPPE-Send-Key = 0xf3e3e6a91f2d6e4b64b8b2e5add4bdad
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000004
Finished request 12
Going to the next request

--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:4754, id=219,
length=151
Sending duplicate reply to client dlink:4754 - ID: 219
Re-sending Access-Accept of id 219 to 192.168.0.1 port 4754
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:4754, id=219,
length=151
Sending duplicate reply to client dlink:4754 - ID: 219
Re-sending Access-Accept of id 219 to 192.168.0.1 port 4754
Waking up in 6 seconds...
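
Added example, not part of the original post or of FreeRADIUS: a small Python script that summarises a `radiusd -X` debug log per request, recording which reply the server sent and how often it re-sent that reply because the NAS transmitted the same packet again. The function names and the sample log (constructed, in the format of the output above) are assumptions of this example.

```python
import re

# Constructed sample in the format of the radiusd -X output above.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.0.1:4754, id=219, length=151
Sending Access-Accept of id 219 to 192.168.0.1 port 4754
Finished request 12
rad_recv: Access-Request packet from host 192.168.0.1:4754, id=219, length=151
Sending duplicate reply to client dlink:4754 - ID: 219
Re-sending Access-Accept of id 219 to 192.168.0.1 port 4754
rad_recv: Access-Request packet from host 192.168.0.1:4754, id=219, length=151
Re-sending Access-Accept of id 219 to 192.168.0.1 port 4754
rad_recv: Access-Request packet from host 192.168.0.1:4755, id=220, length=151
Sending Access-Reject of id 220 to 192.168.0.1 port 4755
"""

RECV = re.compile(r"rad_recv: (\S+) packet from host ([\d.]+):(\d+), id=(\d+)")
SEND = re.compile(r"^(Re-sending|Sending) (Access-\w+) of id (\d+) to ([\d.]+) port (\d+)")


def summarize(log_text):
    """Return {(host, port, id): counters} for every request in the log."""
    stats = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RECV.search(line)
        if m:
            key = (m.group(2), int(m.group(3)), int(m.group(4)))
            entry = stats.setdefault(key, {"received": 0, "reply": None, "resent": 0})
            entry["received"] += 1
            continue
        m = SEND.match(line)  # "Sending duplicate reply ..." does not match
        if m:
            key = (m.group(4), int(m.group(5)), int(m.group(3)))
            entry = stats.setdefault(key, {"received": 0, "reply": None, "resent": 0})
            if m.group(1) == "Sending":
                entry["reply"] = m.group(2)   # first reply to this request
            else:
                entry["resent"] += 1          # server saw a duplicate request
    return stats


def retransmitted_after_reply(stats):
    """Requests the server answered and then had to answer again.
    Uses the server's own "Re-sending" lines, so a RADIUS id that is
    legitimately reused later is not counted as a retransmission."""
    return {k: v for k, v in stats.items() if v["reply"] and v["resent"] > 0}
```

A non-empty result from `retransmitted_after_reply` means the server answered a request and the NAS still sent it again, so the next thing to check is the path and processing of the reply between server and NAS.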