Generating timing stats for ntlm_auth
John Douglass
john.douglass at oit.gatech.edu
Tue Oct 15 16:56:46 CEST 2013
On 10/15/2013 09:10 AM, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> In any case, it's not new in 2.2.1. So I think it's time to release 2.2.2.
> just got latest 2.x.x HEAD and radiusd dies with this
>
> Tue Oct 15 12:59:45 2013 : Error: ASSERT FAILED rlm_eap.c[369]: request->proxy_reply == NULL
>
>
> (this was the second time running it..the first time it just went away with no Error msg)
>
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Earlier messages I posted to the list sound similar:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg84313.html
and
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg84453.html
But this thread is DEFINITELY what we are experiencing here at Georgia
Tech. I was considering moving from using "ntlm_auth" to enabling radius
on the AD server and just proxying the auth through radius (getting rid
of samba/ntlm_auth altogether) and adding any attributes for my VLAN
assignment in the post-auth but other threads on this list indicate
there might be an issue with servers that proxy a lot (which has some
forward movement to fix soon I believe).
With a proxy configuration in test, this appears to work. Unsure if it
will improve our issues with load, when we are seeing:
Oct 12 06:54:54 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9395584 in component authenticate module peap.
Oct 12 06:54:54 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9395597 in component authenticate module peap.
Oct 12 06:54:54 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9395607 in component authenticate module peap.
Oct 12 06:54:57 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9394889 in component authenticate module peap.
Oct 12 06:54:58 newdvlanb radiusd[21299]: WARNING: Unresponsive child for request 9394903, in component authenticate module peap
Oct 12 06:54:59 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9394903 in component authenticate module peap.
Oct 12 06:55:00 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9394945 in component authenticate module peap.
Oct 12 06:56:06 newdvlanb radiusd[21299]: WARNING: Module rlm_eap became unblocked for request 9397816
Periodically through the day.
In case others are interested in this approach, I am including the
configuration notes from our admins to enable radius services on an AD
server. There are examples of proxying within "sites-available".
On ad-machine.domain.edu they did the following:
added "Network Policy And Access Services" role
radius config
in the Standard Configuration drop down select "RADIUS server for 802.1X Wireless or Wired Connections"
click "Configure 802.1X"
Setup "Secure Wireless Connections"
added radius client rumble.snacks
In the "Configure an Authentication Method" screen, selected "Microsoft Protected EAP (PEAP)"
In the "Specify Users Groups" screen, added "domain users"
In the properties of the newly created network policy
unchecked "Enable auto-remediation of client computers"
Configured Accounting to Log to a txt file then took the defaults on the remaining screens.
I have successfully used that as part of an auth-proxy configuration to
bypass the need for ntlm_auth (binary) completely.
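
Added example, not part of the original post and not FreeRADIUS code: a Python parser for the radiusd warning lines quoted above. It counts hung-child warnings per minute and per module and measures the time from the first warning to the last "became unblocked" message. The function names, the returned dictionary layout and the year 2013 (syslog timestamps carry none) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines quoted in the post, with the mail client's line wrapping undone.
SAMPLE = """\
Oct 12 06:54:54 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9395584 in component authenticate module peap.
Oct 12 06:54:54 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9395597 in component authenticate module peap.
Oct 12 06:54:54 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9395607 in component authenticate module peap.
Oct 12 06:54:57 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9394889 in component authenticate module peap.
Oct 12 06:54:58 newdvlanb radiusd[21299]: WARNING: Unresponsive child for request 9394903, in component authenticate module peap
Oct 12 06:54:59 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9394903 in component authenticate module peap.
Oct 12 06:55:00 newdvlanb radiusd[21299]: WARNING: Child is hung for request 9394945 in component authenticate module peap.
Oct 12 06:56:06 newdvlanb radiusd[21299]: WARNING: Module rlm_eap became unblocked for request 9397816
"""

PREFIX = r"^(\w{3} +\d+ [\d:]{8}) \S+ radiusd\[\d+\]: WARNING: "
HUNG = re.compile(PREFIX + r"(?:Child is hung|Unresponsive child) for request (\d+),? "
                           r"in component (\S+) module (\w+)")
UNBLOCKED = re.compile(PREFIX + r"Module (\w+) became unblocked for request (\d+)")

def parse_ts(stamp, year):
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def summarize(text, year=2013):
    per_minute, per_module, requests = Counter(), Counter(), set()
    first_hung = last_unblocked = None
    for line in text.splitlines():
        hung, unblocked = HUNG.match(line), UNBLOCKED.match(line)
        if hung:
            ts = parse_ts(hung.group(1), year)
            per_minute[ts.strftime("%m-%d %H:%M")] += 1
            per_module[(hung.group(3), hung.group(4))] += 1
            requests.add(hung.group(2))
            first_hung = first_hung or ts
        elif unblocked:
            last_unblocked = parse_ts(unblocked.group(1), year)
    # Episode length: first hung warning to the last "became unblocked" message.
    span = None
    if first_hung and last_unblocked and last_unblocked >= first_hung:
        span = (last_unblocked - first_hung).total_seconds()
    return {"warnings": sum(per_minute.values()), "requests": len(requests),
            "per_minute": dict(per_minute), "per_module": dict(per_module),
            "episode_seconds": span}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run over a full day of syslog, the per-minute counts show whether the stalls cluster at particular times, which helps when comparing load before and after a change such as the proxy setup.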