Problem with log and PEAP/MS-CHAPv2

Andrea Gabellini andrea.gabellini at telecomitalia.sm
Tue Apr 18 08:48:34 CEST 2017


Hi Alan,

my problem is not what is going on. I'm forcing an error.

My problem is why I get some debug errors in the log when the server is
not running in debug mode.

Andrea

On 14/04/2017 16:42, Alan Buxey wrote:
> you are not - you are getting some of the stuff that gets logged.   the
> reason for 2  outputs is varied but usually seen with EAP tunneled methods
> and the reason
> for the auth failure AFTER things look okay is usually due to things like
> failure for the server to log the event (in which case an error is seen and
> the server
> will reject the user).   if you run in full debug mode then you will get
> the full picture of what is happening....and you've been told this many
> times. just run the server in full debug mode (radiusd -X) see what is
> going on. fix it, THEN run it in production mode, there is no other
> sensible way to proceed.
>
> alan
>
> On 14 April 2017 at 10:21, Andrea Gabellini <
> andrea.gabellini at telecomitalia.sm> wrote:
>
>> Hi,
>>
>> the problem is the (0) and (1) in the log. I think this is the packet
>> number. Using eap with wrong username or password logs some debug output
>> (see previous posts). Alan DeKok says that this is a debug log, but
>> radiusd isn't running debug mode.
>>
>> So the question is: why did I get debug output if the server is running
>> without it?
>>
>> Thanks,
>> Andrea
>>
>> On 14/04/2017 11:03, Alan Buxey wrote:
>>> hi,
>>>
>>> this is just the output of the standard freeradius logfile - which gives
>>> you some basic info (with log_auth enabled) .
>>>
>>> you need to be looking at the output when you run the server in full
>>> debug mode:
>>>
>>> radiusd -X
>>> or
>>> freeradiusd -X (if you're on debian/ubuntu builds)
>>>
>>> (and yes, that's just one big uppercase X)  - as that will tell you
>>> exactly what is happening and why something doesn't work.
>>>
>>> if this is a vanilla install with no local confidential stuff etc then
>>> there's no reason to not post the output in full to the list - there will
>>> be one or 2 obvious things
>>>
>>>
>>> alan
>>>
>>> On 14 April 2017 at 08:19, Andrea Gabellini <
>>> andrea.gabellini at telecomitalia.sm> wrote:
>>>
>>>> On 13/04/2017 13:18, Alan DeKok wrote:
>>>>> On Apr 13, 2017, at 3:41 AM, Andrea Gabellini <andrea.gabellini@
>>>> telecomitalia.sm> wrote:
>>>>>> the server doesn't have any extra options:
>>>>>   <shrug>  The server doesn't magically start printing all debug
>>>>> messages to the log file.
>>>>>   You've made some change in your local configuration to cause this to
>>>>> happen.  Find it, and fix it.
>>>>> $ cd /etc/raddb
>>>>> $ grep -r debug .
>>>>>
>>>>>   Maybe that will help.
>>>> Hi Alan,
>>>>
>>>> the search for the debug keyword in the config directory doesn't return
>>>> any hint.
>>>>
>>>> I removed the raddb directory and reinstalled all with make install.
>>>> Just modified "auth = yes" and enabled the user "bob" from the default
>>>> configuration:
>>>>
>>>> [09:14:22][radius31:/usr/local/freeradius/etc/raddb] #systemctl restart radiusd
>>>> [09:14:26][radius31:/usr/local/freeradius/etc/raddb] #tail -f /var/log/radius/radius.log
>>>> Fri Apr 14 09:14:26 2017 : Info: Debugger not attached
>>>> Fri Apr 14 09:14:26 2017 : Warning: [/usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"     found in filter list for realm "DEFAULT".
>>>> Fri Apr 14 09:14:26 2017 : Warning: [/usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>>>> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server <default>
>>>> Fri Apr 14 09:14:26 2017 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
>>>> Fri Apr 14 09:14:26 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
>>>> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server default
>>>> Fri Apr 14 09:14:26 2017 : Info:  # Skipping contents of 'if' as it is always 'false' -- /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel:330
>>>> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server inner-tunnel
>>>> Fri Apr 14 09:14:26 2017 : Info: Ready to process requests
>>>> Fri Apr 14 09:14:30 2017 : Auth: (0) Login OK: [bob] (from client localhost port 0)
>>>> Fri Apr 14 09:14:32 2017 : Auth: (1) Login incorrect (pap: Cleartext password "hellox" does not match "known good" password): [bob] (from client localhost port 0)
>>>>
>>>> Freeradius was compiled on CentOS 7 server with: ./configure
>>>> --prefix=/usr/local/freeradius --enable-static=no --localstatedir=/var
>>>> --with-docdir=no --with-vmps=no
>>>> --with-oracle-include-dir=/usr/local/oracle/sdk/include
>>>> --with-oracle-lib-dir=/usr/local/oracle
>>>>
>>>> Any idea on what I can check?
>>>>
>>>> Thanks,
>>>> Andrea
>>>>
>>>>>   Again, you *should* keep track of your local changes, and you
>>>>> *should* know what changes you made.
>>>>>   Alan DeKok.
>>>>>
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>> list/users.html
>>>>
>>>> --
>>>> ----------------------------------------------------------------
>>>> The box said: 'install on Windows 95, NT 4.0 or better'. So I installed
>>>> it on Linux.
>>>>
>>>> ----------------------------------------------------------------
>>>>
>>>> Ing. Andrea Gabellini
>>>> Email: andrea.gabellini at telecomitalia.sm
>>>> Skype: andreagabellini
>>>> Tel: (+378) 0549 886111
>>>> Fax: (+378) 0549 886188
>>>>
>>>> Telecom Italia San Marino S.p.A.
>>>> Via XXVIII Luglio, 212 - Piano -2
>>>> 47893 Borgo Maggiore
>>>> Republic of San Marino
>>>>
>>>> http://www.telecomitalia.sm
>>>>

-- 
----------------------------------------------------------------
The statement below is true. The statement above is false.

----------------------------------------------------------------

Ing. Andrea Gabellini
Email: andrea.gabellini at telecomitalia.sm
Skype: andreagabellini
Tel: (+378) 0549 886111
Fax: (+378) 0549 886188

Telecom Italia San Marino S.p.A.
Via XXVIII Luglio, 212 - Piano -2
47893 Borgo Maggiore
Republic of San Marino

http://www.telecomitalia.sm
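
Added example, not part of the original thread and not FreeRADIUS code: a small Python parser for the radius.log line format quoted in this message. It counts lines per level, lists any Debug-level entries with their parenthesised request number, and flags Auth lines whose failure reason includes the submitted password. The sample lines come from the quoted log except the final Debug line, which is constructed; the function names are hypothetical.

```python
import re
from collections import Counter

# Lines taken from the radius.log excerpt quoted in this thread (one left
# wrapped as the e-mail wrapped it). The last line is constructed and assumes
# debug messages carry the level label "Debug".
SAMPLE_LOG = """\
Fri Apr 14 09:14:26 2017 : Info: Ready to process requests
Fri Apr 14 09:14:30 2017 : Auth: (0) Login OK: [bob] (from client
localhost port 0)
Fri Apr 14 09:14:32 2017 : Auth: (1) Login incorrect (pap: Cleartext password "hellox" does not match "known good" password): [bob] (from client localhost port 0)
Fri Apr 14 09:14:33 2017 : Debug: (2) constructed line, not from the thread
"""

# "<ctime timestamp> : <Level>: [(<request number>)] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : "
    r"(?P<level>\w+): (?:\((?P<req>\d+)\) )?(?P<msg>.*)$"
)
# A password value quoted inside a failure reason.
PASSWORD_RE = re.compile(r'password "[^"]*"')

def parse(text):
    """Parse log text; a line without a timestamp continues the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(m.groupdict())
        elif entries and raw.strip():
            entries[-1]["msg"] += " " + raw.strip()
    return entries

def summarize(entries):
    """Return (count per level, Debug-level entries, entries exposing a password)."""
    levels = Counter(e["level"] for e in entries)
    debug = [e for e in entries if e["level"] == "Debug"]
    leaks = [e for e in entries if PASSWORD_RE.search(e["msg"])]
    return levels, debug, leaks

def redact(msg):
    """Mask the quoted password before the line is forwarded or shared."""
    return PASSWORD_RE.sub('password "<redacted>"', msg)

if __name__ == "__main__":
    levels, debug, leaks = summarize(parse(SAMPLE_LOG))
    print(dict(levels), "debug requests:", [e["req"] for e in debug])
    print([redact(e["msg"]) for e in leaks])
```
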


