Problem with log and PEAP/MS-CHAPv2

Andrea Gabellini andrea.gabellini at telecomitalia.sm
Tue Apr 18 09:32:03 CEST 2017



On 18/04/2017 09:18, Alan Buxey wrote:
> Why do you think those are debug logs?

Alan DeKok said that :-)

>
> If they are only meant to be in debug then either code needs changing so
> its print statement is changed, report a bug OR your server is running
> with e.g. the -l stdout argument with a wrapper ensuring that output also
> goes to the standard log file, I think systemd does that.

The server runs under systemd. I also tried to run the server manually
without systemd, but the problem remains...

>
> For better logging and control of logging, use the linelog module

Thank you for the suggestion. I will try it.

>
> alan
>
> On 18 Apr 2017 7:48 am, "Andrea Gabellini" <
> andrea.gabellini at telecomitalia.sm> wrote:
>
>> Hi Alan,
>>
>> my problem is not what is going on. I'm forcing an error.
>>
>> My problem is why I get some debug errors in the log when the server is
>> not running in debug mode.
>>
>> Andrea
>>
>> On 14/04/2017 16:42, Alan Buxey wrote:
>>> you are not - you are getting some of the stuff that gets logged. the
>>> reason for 2 outputs is varied but usually seen with EAP tunneled methods
>>> and the reason for the auth failure AFTER things look okay is usually due
>>> to things like failure for the server to log the event (in which case an
>>> error is seen and the server will reject the user). if you run in full
>>> debug mode then you will get the full picture of what is happening....and
>>> you've been told this many times. just run the server in full debug mode
>>> (radiusd -X) see what is going on. fix it, THEN run it in production mode,
>>> there is no other sensible way to proceed.
>>>
>>> alan
>>>
>>> On 14 April 2017 at 10:21, Andrea Gabellini <
>>> andrea.gabellini at telecomitalia.sm> wrote:
>>>
>>>> Hi,
>>>>
>>>> the problem is the (0) and (1) in the log. I think this is the packet
>>>> number. Using eap with wrong username or password logs some debug output
>>>> (see previous posts). Alan DeKok says that this is a debug log, but
>>>> radiusd isn't running debug mode.
>>>>
>>>> So the question is: why I got a debug output if the server is running
>>>> without it?
>>>>
>>>> Thanks,
>>>> Andrea
>>>>
>>>> On 14/04/2017 11:03, Alan Buxey wrote:
>>>>> hi,
>>>>>
>>>>> this is just the output of the standard freeradius logfile - which gives
>>>>> you some basic info (with log_auth enabled).
>>>>>
>>>>> you need to be looking at the output when you run the server in full debug
>>>>> mode:
>>>>>
>>>>> radiusd -X
>>>>> or
>>>>> freeradiusd -X (if you're on debian/ubuntu builds)
>>>>>
>>>>> (and yes, that's just one big uppercase X) - as that will tell you exactly
>>>>> what is happening and why something doesn't work.
>>>>>
>>>>> if this is a vanilla install with no local confidential stuff etc then
>>>>> there's no reason to not post the output in full to the list - there will be
>>>>> one or 2 obvious things
>>>>>
>>>>>
>>>>> alan
>>>>>
>>>>> On 14 April 2017 at 08:19, Andrea Gabellini <
>>>>> andrea.gabellini at telecomitalia.sm> wrote:
>>>>>
>>>>>> On 13/04/2017 13:18, Alan DeKok wrote:
>>>>>>> On Apr 13, 2017, at 3:41 AM, Andrea Gabellini <andrea.gabellini@telecomitalia.sm> wrote:
>>>>>>>> the server doesn't have any extra options:
>>>>>>>   <shrug>  The server doesn't magically start printing all debug messages to the log file.
>>>>>>>   You've made some change in your local configuration to cause this to happen.  Find it, and fix it.
>>>>>>> $ cd /etc/raddb
>>>>>>> $ grep -r debug .
>>>>>>>
>>>>>>>   Maybe that will help.
>>>>>> Hi Alan,
>>>>>>
>>>>>> the search for the debug keyword in the config directory doesn't return
>>>>>> any hint.
>>>>>>
>>>>>> I removed the raddb directory and reinstalled all with make install.
>>>>>> Just modified "auth = yes" and enabled the user "bob" from the default
>>>>>> configuration:
>>>>>>
>>>>>> [09:14:22][radius31:/usr/local/freeradius/etc/raddb] #systemctl restart radiusd
>>>>>> [09:14:26][radius31:/usr/local/freeradius/etc/raddb] #tail -f /var/log/radius/radius.log
>>>>>> Fri Apr 14 09:14:26 2017 : Info: Debugger not attached
>>>>>> Fri Apr 14 09:14:26 2017 : Warning: [/usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"     found in filter list for realm "DEFAULT".
>>>>>> Fri Apr 14 09:14:26 2017 : Warning: [/usr/local/freeradius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>>>>>> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server <default>
>>>>>> Fri Apr 14 09:14:26 2017 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
>>>>>> Fri Apr 14 09:14:26 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
>>>>>> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server default
>>>>>> Fri Apr 14 09:14:26 2017 : Info:  # Skipping contents of 'if' as it is always 'false' -- /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel:330
>>>>>> Fri Apr 14 09:14:26 2017 : Info: Loaded virtual server inner-tunnel
>>>>>> Fri Apr 14 09:14:26 2017 : Info: Ready to process requests
>>>>>> Fri Apr 14 09:14:30 2017 : Auth: (0) Login OK: [bob] (from client localhost port 0)
>>>>>> Fri Apr 14 09:14:32 2017 : Auth: (1) Login incorrect (pap: Cleartext password "hellox" does not match "known good" password): [bob] (from client localhost port 0)
>>>>>>
>>>>>> Freeradius was compiled on CentOS 7 server with: ./configure
>>>>>> --prefix=/usr/local/freeradius --enable-static=no --localstatedir=/var
>>>>>> --with-docdir=no --with-vmps=no
>>>>>> --with-oracle-include-dir=/usr/local/oracle/sdk/include
>>>>>> --with-oracle-lib-dir=/usr/local/oracle
>>>>>>
>>>>>> Any idea on what I can check?
>>>>>>
>>>>>> Thanks,
>>>>>> Andrea
>>>>>>
>>>>>>>   Again, you *should* keep track of your local changes, and you *should* know what changes you made.
>>>>>>>   Alan DeKok.
>>>>>>>
>>>>>>>
>>>>>>> -
>>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>>>>
>>>>>> --
>>>>>> ----------------------------------------------------------------
>>>>>> The box said: 'install on Windows 95, NT 4.0 or better'. So I installed it
>>>>>> on Linux.
>>>>>>
>>>>>> ----------------------------------------------------------------
>>>>>>
>>>>>> Ing. Andrea Gabellini
>>>>>> Email: andrea.gabellini at telecomitalia.sm
>>>>>> Skype: andreagabellini
>>>>>> Tel: (+378) 0549 886111
>>>>>> Fax: (+378) 0549 886188
>>>>>>
>>>>>> Telecom Italia San Marino S.p.A.
>>>>>> Via XXVIII Luglio, 212 - Piano -2
>>>>>> 47893 Borgo Maggiore
>>>>>> Republic of San Marino
>>>>>>
>>>>>> http://www.telecomitalia.sm
>>>>>>
>>>>
>>>> --
>>>> ----------------------------------------------------------------
>>>> Hardware: The parts of a computer system that can be kicked.
>>>>
>>>> ----------------------------------------------------------------
>>>>
>>>> Ing. Andrea Gabellini
>>>> Email: andrea.gabellini at telecomitalia.sm
>>>> Skype: andreagabellini
>>>> Tel: (+378) 0549 886111
>>>> Fax: (+378) 0549 886188
>>>>
>>>> Telecom Italia San Marino S.p.A.
>>>> Via XXVIII Luglio, 212 - Piano -2
>>>> 47893 Borgo Maggiore
>>>> Republic of San Marino
>>>>
>>>> http://www.telecomitalia.sm
>>>>
>>
>> --
>> ----------------------------------------------------------------
>> The statement below is true. The statement above is false.
>>
>> ----------------------------------------------------------------
>>
>> Ing. Andrea Gabellini
>> Email: andrea.gabellini at telecomitalia.sm
>> Skype: andreagabellini
>> Tel: (+378) 0549 886111
>> Fax: (+378) 0549 886188
>>
>> Telecom Italia San Marino S.p.A.
>> Via XXVIII Luglio, 212 - Piano -2
>> 47893 Borgo Maggiore
>> Republic of San Marino
>>
>> http://www.telecomitalia.sm
>>

-- 
----------------------------------------------------------------
All generalizations are false, including this one.

----------------------------------------------------------------

Ing. Andrea Gabellini
Email: andrea.gabellini at telecomitalia.sm
Skype: andreagabellini
Tel: (+378) 0549 886111
Fax: (+378) 0549 886188

Telecom Italia San Marino S.p.A.
Via XXVIII Luglio, 212 - Piano -2
47893 Borgo Maggiore
Republic of San Marino

http://www.telecomitalia.sm
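
Added example (not part of the original thread, and not FreeRADIUS code): a parser for the "Auth:" lines quoted above that keeps the (N) prefix the thread asks about and redacts the password echoed in the pap failure reason before the event is forwarded anywhere. The field layout is inferred only from the sample lines in this thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: log lines quoted in the thread, with mail line-wrapping undone.
SAMPLE_LOG = """\
Fri Apr 14 09:14:26 2017 : Info: Ready to process requests
Fri Apr 14 09:14:30 2017 : Auth: (0) Login OK: [bob] (from client localhost port 0)
Fri Apr 14 09:14:32 2017 : Auth: (1) Login incorrect (pap: Cleartext password "hellox" does not match "known good" password): [bob] (from client localhost port 0)
"""

# Assumption: layout inferred from the lines above, not from FreeRADIUS source.
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: '
    r'\((?P<req>\d+)\) (?P<result>Login OK|Login incorrect)'
    r'(?: \((?P<reason>.*)\))?: \[(?P<user>[^\]]*)\] '
    r'\(from client (?P<client>\S+) port (?P<port>\d+)\)$'
)

# Greedy match so a password that itself contains '"' is still fully covered.
SECRET_RE = re.compile(r'(Cleartext password ").*(" does not match )')


def redact(reason):
    """Replace the password quoted in a pap failure reason."""
    return SECRET_RE.sub(r'\1<redacted>\2', reason)


def parse_auth(text):
    """Return one dict per Auth: line; Info:/Warning: lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["req"] = int(ev["req"])          # the (0)/(1) prefix
        ev["ok"] = ev.pop("result") == "Login OK"
        ev["reason"] = redact(ev["reason"]) if ev["reason"] else None
        events.append(ev)
    return events


def failures_by_user(events):
    """Count rejected logins per (user, client) pair."""
    return dict(Counter((e["user"], e["client"]) for e in events if not e["ok"]))


if __name__ == "__main__":
    for ev in parse_auth(SAMPLE_LOG):
        print(ev)
```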


