non existing account can still login / freeradius only runs in debugmode ?

Tom De Wispelaere tom at besite.be
Fri Sep 15 16:46:55 CEST 2006


Hello guys,

We have a server setup running freeradius (= 1.1.2-2) with a mysql backend
on Debian Linux.
We receive a lot of authorization requests and accounting requests from the
equipment of an ISP.

Setup is as follows :

server A with master freeradius and mysql,
server B with backup radius that uses mysql on server A.

The mysql is of course still single point of failure.
We tried it first with a local mysql server on server B but
did find it difficult to process the accounting records in an easy and
simple way when they are scattered over two databases on two different
servers. Any suggestions on this setup would be greatly appreciated.

Everything seems to work except for the following:

- If we try to start the server threaded and as it is supposed to work (i.e.
/etc/init.d/freeradius start), it crashes regularly under load without any
further explanation...
If we run freeradius in debug mode (/usr/sbin/freeradius -X), everything
keeps working just fine... I have done several upgrades (coming from version
0.9) but I still see the same problem and I cannot get it to work without a
crash (sooner or later) in threaded mode.

Do any of you experience similar problems? Is there a remedy or things I
could try to find the cause?


- Usernames that can't (and should not be able to) log in (username not
present anymore in the mysql database, nor any passwd file) and get a "Login
incorrect" most of the time, sometimes get through and get authenticated
(!)...
It's very strange behavior and I have been trying to find a cause for this.
At first I thought the culprit would be the equipment at the other side that
did something wrong,
but apparently it explicitly receives a Login OK from our radius (together
with profile info etc.) as I see in the packet flow.

I cannot find a single Login OK for these specific users in the debuginfo
however,
only the login incorrects and acct records (see below).

rlm_chap: login attempt by "USERNAME1" with CHAP password
  rlm_chap: Could not find clear text password for user USERNAME1
Login incorrect (rlm_chap: Clear text password not available): [USERNAME1/<CHAP-Password>] (from client adsl port xxxxxxx)

The mysql acct records do show traffic and alive records for these logins (a
few) and a lot of Login Failures.
Is there an easy way to dig deeper into this problem and find the cause for
these spooky logins that should not happen?
Any help or suggestions greatly appreciated,

Best regards,

Tom
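
One way to dig into the second problem, as an added example that is not part of the original post: correlate the authentication log lines from both RADIUS servers (A and B) with the accounting records, and flag every username that has session traffic but no logged Login OK or no entry in the user database. The log lines, accounting rows, user set and the field names `username` and `status` are constructed sample data; the Login OK line shape is assumed to mirror the Login incorrect line quoted above.

```python
import re
from collections import defaultdict

# Matches "Login OK" / "Login incorrect" lines in the shape quoted in the post:
#   Login <result>[ (reason)]: [user/<secret>] (from client ...)
AUTH_RE = re.compile(r"Login (OK|incorrect)[^\[]*\[([^/\]]+)/")

def auth_results(log_lines):
    """Count Login OK / Login incorrect per username across all given logs."""
    counts = defaultdict(lambda: {"OK": 0, "incorrect": 0})
    for line in log_lines:
        m = AUTH_RE.search(line)
        if m:
            counts[m.group(2)][m.group(1)] += 1
    return counts

def unexplained_sessions(log_lines, acct_rows, known_users):
    """Return users whose accounting traffic is not explained by the logs."""
    counts = auth_results(log_lines)
    # Only Start/Alive records prove that a session was actually opened.
    active = {r["username"] for r in acct_rows if r["status"] in ("Start", "Alive")}
    findings = {}
    for user in sorted(active):
        reasons = []
        if counts[user]["OK"] == 0:
            reasons.append("accounting without any logged Login OK")
        if user not in known_users:
            reasons.append("not present in user database")
        if reasons:
            findings[user] = reasons
    return findings

# Constructed sample input (hypothetical): merged logs of server A and B,
# accounting rows exported from mysql, and the current set of valid usernames.
SAMPLE_LOG = [
    "Login incorrect (rlm_chap: Clear text password not available): "
    "[USERNAME1/<CHAP-Password>] (from client adsl port 1001)",
    "Login OK: [alice/<CHAP-Password>] (from client adsl port 1002)",
]
SAMPLE_ACCT = [
    {"username": "alice", "status": "Start"},
    {"username": "USERNAME1", "status": "Start"},
    {"username": "USERNAME1", "status": "Alive"},
]
SAMPLE_USERS = {"alice"}

if __name__ == "__main__":
    for user, why in unexplained_sessions(SAMPLE_LOG, SAMPLE_ACCT, SAMPLE_USERS).items():
        print(user, "->", "; ".join(why))
```

A username flagged only for "accounting without any logged Login OK" means the accept was issued somewhere the supplied logs do not cover, so the logs of both servers should be fed in together.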