checkrad not called after upgrade to 2.x

Alan DeKok aland at
Wed Jul 2 18:02:18 CEST 2008

oz wrote:
> I guess, I tracked it down. I started radiusd -X of version 2.0.3 in my
> 2.0.5 environment, and compared the console messages between the two
> versions.
> I noticed, that 2.0.5 didn't read in all my NAS clients. It stopped,
> where one client definition had no secret set, with this message:
> [...]
>  client as5200 {
>         ipaddr =
>         require_message_authenticator = no
>         shortname = "as5200"
>  }
> /usr/local/etc/raddb/clients.conf[310]: secret must be at least 1
> character long

  Ok... so that client definition was wrong.  Version 2.0.5 *should*
fail to start at that point.

  Hmm... I've tracked down the issue and committed a fix to CVS.

> Version 2.0.5 then rejects all users from *all the other* clients, when
> checkrad is invoked and when radiusd wasn't able to read in the
> clients.conf before completely:

  Well... yes.  If it can't read the clients, it doesn't know about them.

  So the underlying issue is that the client configuration was wrong,
and the server was too liberal in allowing an invalid configuration.
The checkrad code still works.

> When the clients.conf contains only valid clients, checkrad is invoked
> as it should:

  i.e. "when the server starts properly", checkrad works.  When the
server doesn't start properly, it doesn't.

> So it is not a severe bug of checkrad in 2.0.5, it just behaves strange,
> when some clients in clients.conf are no correctly defined.

  I've fixed it.  The server now refuses to start if the client
definitions are wrong.

  Alan DeKok.

More information about the Freeradius-Users mailing list