freeradius not working in normal mode but working in debug mode
Nandkumar Palkar
nandupalkar at yahoo.com
Mon Feb 11 11:43:50 CET 2013
Hello,
Please see the debug log: (log output from command >> freeradius -fxx -l stdout) and with "freeradius -X" it works fine.
My issue is that debug mode "freeradius -X" the authentication works great but once I try with normal mode it doesn't. I have checked all the permissions all are correct.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.99 port 50000, id=24, length=177
Threads: total/active/spare threads = 5/0/5
Waking up in 0.9 seconds.
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
User-Name = "TEST.COM\\user1"
Calling-Station-Id = "0000005e5523"
EAP-Message = 0x0200003f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467
Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8
[<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST.COM\user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "TEST.COM" for User-Name = "TEST.COM\user1"
[ntdomain] No such realm "TEST.COM"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_perl: Added pair User-Name = TEST.COM\\user1
rlm_perl: Added pair EAP-Message = 0x0200003f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 192.168.1.99
rlm_perl: Added pair Calling-Station-Id = 0000005e5523
rlm_perl: Added pair Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
[files] users: Matched entry DEFAULT at line 147
++[files] returns ok
[ldap] performing user authorization for TEST.COM\user1
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=user1)
[ldap] expand: dc=example,dc=com -> dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 192.168.1.120:389, authentication 0
[ldap] bind as cn=admin,dc=example,dc=com/yubico to 192.168.1.120:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=example,dc=com, with filter (uid=user1)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "yubico"
[ldap] userPassword -> Password-With-Header == "yubico"
[ldap] looking for reply items in directory...
[ldap] user TEST.COM\user1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] Config already contains "known good" password. Ignoring Password-With-Header
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group EAP {...}
rlm_perl: Added pair User-Name = TEST.COM\\user1
rlm_perl: Added pair EAP-Message = 0x0200003f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467
rlm_perl: Added pair Calling-Station-Id = 0000005e5523
rlm_perl: Added pair NAS-IP-Address = 192.168.1.99
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8
rlm_perl: Added pair Cleartext-Password = yubico
rlm_perl: Added pair Password-With-Header = yubico
rlm_perl: Added pair Ldap-UserDn = uid=user1,ou=people,dc=example,dc=com
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns noop
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.1.99 port 50000
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x122bbc42122aa5a2412bf0f529fb8dfe
Finished request 0.
Going to the next request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.1.99 port 50000, id=25, length=348
Waking up in 0.9 seconds.
Thread 4 got semaphore
Thread 4 handling request 1, (1 handled so far)
User-Name = "TEST.COM\\user1"
Calling-Station-Id = "0000005e5523"
EAP-Message = 0x020100d8190016030100cd010000c9030151189e9c9fbe653e32873d8edf71da69da00c2f53aba302ad4fd7b82cc7df16d00005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
Message-Authenticator = 0x0455c39fc67f100bbe7b8bef15fbea80
State = 0x122bbc42122aa5a2412bf0f529fb8dfe
[<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST.COM\user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "TEST.COM" for User-Name = "TEST.COM\user1"
[ntdomain] No such realm "TEST.COM"
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 216
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group EAP {...}
rlm_perl: Added pair User-Name = [here the username is not getting ???]
rlm_perl: Added pair EAP-Message = 0x020100d8190016030100cd010000c9030151189e9c9fbe653e32873d8edf71da69da00c2f53aba302ad4fd7b82cc7df16d00005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
rlm_perl: Added pair EAP-Type = PEAP
rlm_perl: Added pair NAS-IP-Address = 192.168.1.99
rlm_perl: Added pair State = 0x122bbc42122aa5a2412bf0f529fb8dfe
rlm_perl: Added pair Calling-Station-Id = 0000005e5523
rlm_perl: Added pair Message-Authenticator = 0x0455c39fc67f100bbe7b8bef15fbea80
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns noop
[eap] Request found, released from the list
[eap] Identity does not match User-Name. Authentication failed.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
++[attr_filter.access_reject] returns noop
Delaying reject of request 1 for 1 seconds
Going to the next request
Thread 4 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.1.99 port 50000, id=25, length=348
Waiting to send Access-Reject to client 14_192.168.1.99 port 50000 - ID: 25
Sending delayed reject for request 1
Sending Access-Reject of id 25 to 192.168.1.99 port 50000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 24 with timestamp +8
Waking up in 1.0 seconds.
Cleaning up request 1 ID 25 with timestamp +8
Ready to process requests.
________________________________
From: Phil Mayers <p.mayers at imperial.ac.uk>
To: freeradius-users at lists.freeradius.org
Sent: Monday, 11 February 2013 3:57 PM
Subject: Re: freeradius not working in normal mode but working in debug mode
On 02/11/2013 10:11 AM, Nandkumar Palkar wrote:
> version 2.1.10
You should upgrade; that version has a known security bug.
>
> Module - LDAP
>
> In this case debug log shows the username, but while i debug to stdout
> it shows no username.
>
> freeradius -fxx -l stdout
Just to be clear - when you say it "works in debug mode" what *exactly*
do you mean? In usual use, "debug mode" means:
radiusd -X
...but you list a different command line. Which command line works, and
which command line doesn't?
When it doesn't work, what are the symptoms?
Please show the debug output when it *does* work.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130211/c4d28356/attachment-0001.html>
More information about the Freeradius-Users
mailing list