Moved from Debian 4.0 to Fedora 8, now Radius (1.1.7) is broken.

Piero Giobbi piero at news.fb.se
Tue Apr 1 00:25:08 CEST 2008


Hi all.

Have been enjoying radius for a while now. Had to make a server upgrade and move over to Fedora 8 for HW support. Still using 1.1.7 because it rocks. Well, not quite any more: I moved over the config files I had on Debian and everything seems OK except that no users can log in anymore via PPTP on my firewall.

My config:
Linux ns.intern.fb.se 2.6.24.3-50.fc8 #1 SMP Thu Mar 20 14:47:10 EDT 2008 i686 i686 i386 GNU/Linux
[root at ns usersdepot]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
  main: prefix = "/usr"
  main: localstatedir = "/var"
  main: logdir = "/var/log/radius"
  main: libdir = "/usr/lib"
  main: radacctdir = "/var/log/radius/radacct"
  main: hostname_lookups = yes
  main: snmp = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = "/var/log/radius/radius.log"
  main: log_auth = yes
  main: log_auth_badpass = yes
  main: log_auth_goodpass = no
  main: pidfile = "/var/run/radius/radiusd.pid"
  main: user = "(null)"
  main: group = "(null)"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "no"
  main: nospace_pass = "no"
  main: checkrad = "/usr/sbin/checkrad"
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = no
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
  exec: wait = yes
  exec: program = "(null)"
  exec: input_pairs = "request"
  exec: output_pairs = "(null)"
  exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
  pap: encryption_scheme = "crypt"
  pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = no
  mschap: with_ntdomain_hack = no
  mschap: passwd = "(null)"
  mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
  unix: cache = no
  unix: passwd = "(null)"
  unix: shadow = "(null)"
  unix: group = "(null)"
  unix: radwtmp = "/var/log/radius/radwtmp"
  unix: usegroup = no
  unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
  eap: default_eap_type = "md5"
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
  gtc: challenge = "Password: "
  gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
  mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
  preprocess: huntgroups = "/etc/raddb/huntgroups"
  preprocess: hints = "/etc/raddb/hints"
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
  preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
  realm: format = "suffix"
  realm: delimiter = "@"
  realm: ignore_default = no
  realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
  files: usersfile = "/etc/raddb/users"
  files: acctusersfile = "/etc/raddb/acct_users"
  files: preproxy_usersfile = "/etc/raddb/preproxy_users"
  files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
  radutmp: filename = "/var/log/radius/radutmp"
  radutmp: username = "%{User-Name}"
  radutmp: case_sensitive = yes
  radutmp: check_with_nas = yes
  radutmp: perm = 384
  radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

When a user logs in:
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
	NAS-Identifier = "halon"
	NAS-IP-Address = 10.0.5.1
	Message-Authenticator = 0x18e8c7acd5db57751eb497c6d6c59503
	NAS-Port = 0
	NAS-Port-Type = Virtual
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "212.247.38.166"
	User-Name = "giobbi"
	MS-CHAP-Challenge = 0xbb1e6823d2ae12e363e056523f30a6de
	MS-CHAP2-Response = 0x01000357ec5a5b0eb534ea8682a730849e89000000000000000034ff990a30a4a24681b50b31d7da17a3d2634e2e55ad5e17
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
   modcall[authorize]: module "mschap" returns ok for request 0
     rlm_realm: No '@' in User-Name = "giobbi", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module "eap" returns noop for request 0
     users: Matched entry DEFAULT at line 185
     users: Matched entry giobbi at line 4
   modcall[authorize]: module "files" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
   modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
   rlm_mschap: Told to do MS-CHAPv2 for giobbi with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
   modcall[authenticate]: module "mschap" returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [giobbi] (from client fw-halon port 0 cli 212.247.38.166)
Sending Access-Accept of id 3 to 10.0.5.1 port 60461
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	Service-Type = Framed-User
	Framed-Route = "10.0.4.0/24 10.0.5.245  10.0.5.0/24 10.0.5.1 10.0.8.0/24 10.0.5.245 10.0.9/24 10.0.5.245"
	MS-CHAP2-Success = 0x01533d34444432314431443741453246333335453632323046463633304643464435463835353236393736
	MS-MPPE-Recv-Key = 0x9f2fb3fc6a24b8a5a5251de891f8ece8
	MS-MPPE-Send-Key = 0xd488a4ec77025f4c8c3e4defc4fbdf70
	MS-MPPE-Encryption-Policy = 0x00000001
	MS-MPPE-Encryption-Types = 0x00000006
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
Sending duplicate reply to client fw-halon:60461 - ID: 3
Re-sending Access-Accept of id 3 to 10.0.5.1 port 60461
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
Sending duplicate reply to client fw-halon:60461 - ID: 3
Re-sending Access-Accept of id 3 to 10.0.5.1 port 60461
Waking up in 6 seconds...

Firewall log:
halon(Firewall_GOT)# system logs pptp
PPTP: Incoming control connection from 212.247.38.166 55553 to 212.247.38.166 1723
pptp0: attached to connection with 212.247.38.166 55553
[pptp0] Accepting PPTP connection
[pptp0] opening link "pptp0"...
[pptp0] link: OPEN event
[pptp0] LCP: Open event
[pptp0] LCP: state change Initial --> Starting
[pptp0] LCP: LayerStart
[pptp0] PPTP: attaching to peer's outgoing call
[pptp0] link: UP event
[pptp0] link: origination is remote
[pptp0] LCP: Up event
[pptp0] LCP: state change Starting --> Req-Sent
[pptp0] LCP: SendConfigReq #31
  ACFCOMP
  PROTOCOMP
  MRU 1460
  MAGICNUM a3e02c2f
  AUTHPROTO CHAP MSOFTv2
[pptp0] LCP: rec'd Configure Request #1 (Req-Sent)
  ACCMAP 0x00000000
  MAGICNUM c5887687
  PROTOCOMP
  ACFCOMP
[pptp0] LCP: SendConfigAck #1
  ACCMAP 0x00000000
  MAGICNUM c5887687
  PROTOCOMP
  ACFCOMP
[pptp0] LCP: state change Req-Sent --> Ack-Sent
[pptp0] LCP: SendConfigReq #32
  ACFCOMP
  PROTOCOMP
  MRU 1460
  MAGICNUM a3e02c2f
  AUTHPROTO CHAP MSOFTv2
[pptp0] LCP: rec'd Configure Ack #32 (Ack-Sent)
  ACFCOMP
  PROTOCOMP
  MRU 1460
  MAGICNUM a3e02c2f
  AUTHPROTO CHAP MSOFTv2
[pptp0] LCP: state change Ack-Sent --> Opened
[pptp0] LCP: auth: peer wants nothing, I want CHAP
[pptp0] CHAP: sending CHALLENGE len:17
[pptp0] LCP: LayerUp
[pptp0] CHAP: rec'd RESPONSE #1
  Name: "giobbi"
[pptp0] AUTH: Auth-Thread started
[pptp0] AUTH: Trying RADIUS
[pptp0] RADIUS: RadiusAuthenticate for: giobbi
[pptp0] RADIUS: rad_send_request failed: No valid RADIUS responses received
[pptp0] AUTH: RADIUS returned undefined
[pptp0] AUTH: Trying INTERNAL
AUTH: User "giobbi" not found in secret file
[pptp0] AUTH: INTERNAL returned failed
[pptp0] AUTH: ran out of backends
[pptp0] AUTH: Auth-Thread finished normally
[pptp0] CHAP: ChapInputFinish: status failed
  Reply message: E=691 R=0 M=Login incorrect
[pptp0] CHAP: sending FAILURE len:27
[pptp0] LCP: authorization failed
[pptp0] LCP: parameter negotiation failed
[pptp0] LCP: state change Opened --> Stopping
[pptp0] AUTH: Cleanup
[pptp0] LCP: SendTerminateReq #33
[pptp0] LCP: LayerDown
[pptp0] LCP: rec'd Terminate Request #2 (Stopping)
[pptp0] LCP: SendTerminateAck #34
[pptp0] LCP: rec'd Terminate Ack #33 (Stopping)
[pptp0] LCP: state change Stopping --> Stopped
[pptp0] LCP: LayerFinish
pptp0-0: clearing call
pptp0-0: killing channel
[pptp0] PPTP call terminated
[pptp0] link: DOWN event
[pptp0] LCP: Close event
[pptp0] LCP: state change Stopped --> Closed
[pptp0] LCP: Down event
[pptp0] LCP: state change Closed --> Initial
pptp0: closing connection with 212.247.38.166 55553
pptp0: ctrl connection closed by peer
pptp0: killing connection with 212.247.38.166 55553

So here's the problem: the firewall doesn't like the response it gets; it isn't valid for some reason. I'm using the exact same configs as in the working Debian version (same radius, 1.1.7), so in theory these should work just as fine in my Fedora setup, right?

Any clues or tips are greatly appreciated.

thx

p
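The firewall discards the Access-Accept that radiusd logs as sent ("No valid RADIUS responses received"), and a NAS judges validity by recomputing the reply's Response Authenticator (RFC 2865: MD5 over Code, ID, Length, the Request Authenticator, the reply attributes and the shared secret) and, in most client implementations, by requiring the reply to arrive from the address and port the request was sent to. The Python below is an added example, not code from the original post or from FreeRADIUS, that builds a constructed Access-Request/Access-Accept pair and performs that check, showing how a secret that differs between the server's clients.conf and the NAS turns a reply the server logs as "Login OK" into an invalid one on the NAS side. The packet contents and the secret are constructed; the address check cannot be shown offline and is only noted in a comment.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, FRAMED_PROTOCOL = 1, 4, 7  # RFC 2865 attribute types


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(ident, attrs):
    """Access-Request: 20-byte header carrying a random Request Authenticator."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return hdr + os.urandom(16) + body


def build_reply(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body


def reply_is_valid(reply, request, secret):
    """NAS side: the check that decides whether a reply counts as 'valid'.
    (A real client also requires the reply's source IP/port to equal the
    server it sent the request to; that part is not modelled here.)"""
    if len(reply) < 20 or reply[1] != request[1]:
        return False  # identifier must match the outstanding request
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False  # length field must match the datagram
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return expected == reply[4:20]


def demo():
    """Constructed request/accept pair checked with matching and mismatching secrets."""
    secret = b"constructed-secret"  # constructed value, not the poster's secret
    req = build_request(3, [(USER_NAME, b"giobbi"), (NAS_IP_ADDRESS, bytes([10, 0, 5, 1]))])
    accept = build_reply(ACCESS_ACCEPT, req, secret, [(FRAMED_PROTOCOL, struct.pack("!I", 1))])
    tampered = accept[:-1] + bytes([accept[-1] ^ 0xFF])  # one altered attribute byte
    return (reply_is_valid(accept, req, secret),           # same secret on both sides
            reply_is_valid(accept, req, b"other-secret"),  # NAS holds a different secret
            reply_is_valid(tampered, req, secret))         # reply modified in transit
```

A NAS that fails this check silently drops the reply and retransmits the request, which is exactly the pattern of "Sending duplicate reply" entries the server debug output shows.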