3.0.6 strange bug causing infinite loop on "Ready to process requests" message
Nick Rogers
ncrogers at gmail.com
Tue Jan 6 22:48:55 CET 2015
Hello,
I am in the process of upgrading my freeradius 2.2 servers to the latest
3.x. I had things mostly working under 3.0.4, which happened to be the
latest net/freeradius3 port for FreeBSD until today. After upgrading to
3.0.6, I experience the following problem.
After I send the first test authentication request, generated by the radtest
client, radiusd emits a second "Ready to process requests" line and then
repeats it endlessly and without delay until the log filesystem is full.
Stopping it requires a kill -9. This seems to happen only when a request is
received; the server does not send a response.
Again, this does not happen under 3.0.4; I confirmed this by going back to
3.0.4 from 3.0.6 with the same configuration.
The only thing unusual about my config is that I am using rlm_perl with
threaded perl. However the server never seems to enter the rlm_perl module.
I'm hoping someone can help identify whether this is actually a bug, something
dumb in my configuration, or a problem with my binary.
Here is the relevant OS info and the radiusd -X output:
FreeBSD 10.1-RELEASE-p3 #3 r276161M: Tue Dec 23 20:32:25 EST 2014
root at fbsd_101_amd64_builder:/usr/obj/usr/src/sys/CUSTOM
fbsd101-vm# radiusd -X
radiusd: FreeRADIUS Version 3.0.6, for host amd64-portbld-freebsd10.1,
built on Jan 6 2015 at 19:19:50
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
main {
security {
user = "freeradius"
group = "freeradius"
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 999999
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client 192.168.92.0/24 {
ipaddr = 192.168.92.0/24
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
radiusd: #### Instantiating modules ####
# Loaded module rlm_perl
# Instantiating module "perl" from file /usr/local/etc/raddb/radiusd.conf
perl {
filename = "/test/freeradius_hook"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loaded module rlm_detail
# Instantiating module "detail" from file
/usr/local/etc/raddb/radiusd.conf
detail {
filename = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
permissions = 420
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_expr
# Instantiating module "expr" from file /usr/local/etc/raddb/radiusd.conf
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_eap
# Instantiating module "eap" from file /usr/local/etc/raddb/radiusd.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 2048
}
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/ssl/server.key"
certificate_file = "/etc/ssl/server.crt"
ca_file = "/etc/ssl/server.crt"
dh_file = "/usr/local/etc/raddb/dhparam"
random_file = "/test/random"
fragment_size = 1024
include_length = yes
check_crl = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "gtc"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "gtc"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file
/usr/local/etc/raddb/radiusd.conf
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = yes
}
# Instantiating module "sradutmp" from file
/usr/local/etc/raddb/radiusd.conf
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter" from file
/usr/local/etc/raddb/radiusd.conf
attr_filter {
filename = "/usr/local/etc/raddb/attrs"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/attrs
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file
/usr/local/etc/raddb/radiusd.conf
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /usr/local/etc/raddb/huntgroups
reading pairlist file /usr/local/etc/raddb/hints
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
# Creating Auth-Type = PERL
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
}
listen {
type = "acct"
ipaddr = *
port = 1813
}
Listening on auth address * port 1812
Listening on acct address * port 1813
Ready to process requests
Ready to process requests
Ready to process requests
Ready to process requests
Ready to process requests
Ready to process requests
Ready to process requests
Ready to process requests
Ready to process requests
Ready to process requests
^^ The above log message repeats indefinitely.
Here is the full radiusd.conf (note that the client shared secret, which the -X output above masks, appears here in the clear, so it should be rotated):
client 192.168.92.0/24 {
ipaddr = 192.168.92.0/24
secret = d0ee524f6cb9966ce134d251a3e820c7
}
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
pidfile = /var/run/radiusd/radiusd.pid
checkrad = ${sbindir}/checkrad
listen {
ipaddr = *
port = 1812
type = auth
}
listen {
ipaddr = *
port = 1813
type = acct
}
log {
destination = files
colourise = yes
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
user = freeradius
group = freeradius
allow_core_dumps = no
max_attributes = 200
reject_delay = 1
status_server = yes
}
thread pool {
start_servers = 8
max_servers = 80
min_spare_servers = 4
max_spare_servers = 16
max_requests_per_server = 0
}
max_request_time = 30
cleanup_delay = 5
max_requests = 999999
hostname_lookups = no
delete_blocked_requests = no
regular_expressions = yes
extended_expressions = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
snmp = no
proxy_requests = no
modules {
perl {
filename = /test/freeradius_hook
}
detail {
filename = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
permissions = 0644
}
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
gtc {
challenge = "Password: "
auth_type = PAP
}
tls-config tls-common {
private_key_password =
private_key_file = /etc/ssl/server.key
certificate_file = /etc/ssl/server.crt
ca_file = /etc/ssl/server.crt
dh_file = /usr/local/etc/raddb/dhparam
random_file = /test/random
}
tls {
tls = tls-common
}
ttls {
tls = tls-common
default_eap_type = gtc
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
peap {
tls = tls-common
default_eap_type = gtc
default_method = gtc
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
caller_id = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
permissions = 0644
caller_id = "no"
}
attr_filter {
filename = ${confdir}/attrs
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
}
policy {
class_value_prefix = 'ai:'
acct_unique {
if ("%{string:Class}" =~
/${policy.class_value_prefix}([0-9a-f]{32})/i) {
update request {
&Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"
}
}
else {
update request {
&Acct-Unique-Session-Id :=
"%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
}
}
}
insert_acct_class {
update reply {
&Class =
"${policy.class_value_prefix}%{md5:%t,%I,%{Packet-Src-Port},%{Packet-Src-IP-Address},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}"
}
}
acct_counters64.preacct {
update request {
&Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) |
&Acct-Input-Octets}"
&Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32)
| &Acct-Output-Octets}"
}
}
}
server {
authorize {
preprocess
eap
perl
}
authenticate {
Auth-Type PERL {
perl
}
eap
}
preacct {
preprocess
acct_unique
}
accounting {
perl
}
post-proxy {
eap
perl
}
}