Problem after upgrade 3.0.4 -> 3.0.13

BASSAGET Cédric cedric.bassaget.ml at gmail.com
Thu Jan 18 09:53:33 CET 2018


Hello,
I'm using FreeRADIUS on CentOS 7 to do AAA for L2TP/PPP services.

I've upgraded one of my two RADIUS servers from the official CentOS repos, and
since this upgrade, users are not able to authenticate.

Here's the interesting part of "radiusd -Xx":
Thu Jan 18 09:45:52 2018 : Debug: radiusd: #### Loading Virtual Servers ####
Thu Jan 18 09:45:52 2018 : Debug: server { # from file /etc/raddb/radiusd.conf
Thu Jan 18 09:45:52 2018 : Debug: } # server
Thu Jan 18 09:45:52 2018 : Debug: server domain.dslnet.fr { # from file /etc/raddb/sites-enabled/domain-lns
Thu Jan 18 09:45:52 2018 : Debug:  # Loading authenticate {...}
Thu Jan 18 09:45:52 2018 : Debug:   digest
Thu Jan 18 09:45:52 2018 : Debug:   eap
Thu Jan 18 09:45:52 2018 : Debug:  # Loading authorize {...}
Thu Jan 18 09:45:52 2018 : Debug:   policy filter_username {
Thu Jan 18 09:45:52 2018 : Debug:    if (!&User-Name) {
Thu Jan 18 09:45:52 2018 : Debug:     noop
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:    if (&User-Name =~ / /) {
Thu Jan 18 09:45:52 2018 : Debug:     update {
Thu Jan 18 09:45:52 2018 : Debug:      &reply:Reply-Message += "Rejected: Username contains whitespace"
Thu Jan 18 09:45:52 2018 : Debug:     }
Thu Jan 18 09:45:52 2018 : Debug:     reject
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:    if (&User-Name =~ /@.*@/) {
Thu Jan 18 09:45:52 2018 : Debug:     update {
Thu Jan 18 09:45:52 2018 : Debug:      &reply:Reply-Message += "Rejected: Multiple @ in username"
Thu Jan 18 09:45:52 2018 : Debug:     }
Thu Jan 18 09:45:52 2018 : Debug:     reject
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:    if (&User-Name =~ /\\.\\./) {
Thu Jan 18 09:45:52 2018 : Debug:     update {
Thu Jan 18 09:45:52 2018 : Debug:      &reply:Reply-Message += "Rejected: Username contains ..s"
Thu Jan 18 09:45:52 2018 : Debug:     }
Thu Jan 18 09:45:52 2018 : Debug:     reject
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:    if (&User-Name =~ /@/ && !&User-Name =~ /@(.+)\\.(.+)$/) {
Thu Jan 18 09:45:52 2018 : Debug:     update {
Thu Jan 18 09:45:52 2018 : Debug:      &reply:Reply-Message += "Rejected: Realm does not have at least one dot separator"
Thu Jan 18 09:45:52 2018 : Debug:     }
Thu Jan 18 09:45:52 2018 : Debug:     reject
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:    if (&User-Name =~ /\\.$/) {
Thu Jan 18 09:45:52 2018 : Debug:     update {
Thu Jan 18 09:45:52 2018 : Debug:      &reply:Reply-Message += "Rejected: Realm ends with a dot"
Thu Jan 18 09:45:52 2018 : Debug:     }
Thu Jan 18 09:45:52 2018 : Debug:     reject
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:    if (&User-Name =~ /@\\./) {
Thu Jan 18 09:45:52 2018 : Debug:     update {
Thu Jan 18 09:45:52 2018 : Debug:      &reply:Reply-Message += "Rejected: Realm begins with a dot"
Thu Jan 18 09:45:52 2018 : Debug:     }
Thu Jan 18 09:45:52 2018 : Debug:     reject
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:   }
Thu Jan 18 09:45:52 2018 : Debug:   preprocess
Thu Jan 18 09:45:52 2018 : Debug:   auth_log
Thu Jan 18 09:45:52 2018 : Debug:   chap
Thu Jan 18 09:45:52 2018 : Debug:   mschap
Thu Jan 18 09:45:52 2018 : Debug:   digest
Thu Jan 18 09:45:52 2018 : Debug:   suffix
Thu Jan 18 09:45:52 2018 : Debug:   eap
Thu Jan 18 09:45:52 2018 : Debug:   files
Thu Jan 18 09:45:52 2018 : Debug:   sql
Thu Jan 18 09:45:52 2018 : Debug:   expiration
Thu Jan 18 09:45:52 2018 : Debug:   logintime
Thu Jan 18 09:45:52 2018 : Debug:   pap
Thu Jan 18 09:45:52 2018 : Debug:  # Loading preacct {...}
Thu Jan 18 09:45:52 2018 : Debug:   preprocess
Thu Jan 18 09:45:52 2018 : Debug:   policy acct_unique {
Thu Jan 18 09:45:52 2018 : Debug:    if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/) {
Thu Jan 18 09:45:52 2018 : Debug:     update {
Thu Jan 18 09:45:52 2018 : Debug:      &Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"
Thu Jan 18 09:45:52 2018 : Debug:     }
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:    else {
Thu Jan 18 09:45:52 2018 : Debug:     update {
Thu Jan 18 09:45:52 2018 : Debug:      &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
Thu Jan 18 09:45:52 2018 : Debug:     }
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:   }
Thu Jan 18 09:45:52 2018 : Debug:   suffix
Thu Jan 18 09:45:52 2018 : Debug:   files
Thu Jan 18 09:45:52 2018 : Debug:  # Loading accounting {...}
Thu Jan 18 09:45:52 2018 : Debug:   sql
Thu Jan 18 09:45:52 2018 : Debug:   unix
Thu Jan 18 09:45:52 2018 : Debug:   exec
Thu Jan 18 09:45:52 2018 : Debug:   attr_filter.accounting_response
Thu Jan 18 09:45:52 2018 : Debug:  # Loading post-proxy {...}
Thu Jan 18 09:45:52 2018 : Debug:   eap
Thu Jan 18 09:45:52 2018 : Debug:  # Loading post-auth {...}
Thu Jan 18 09:45:52 2018 : Debug:   if (!"%{Packet-Src-IP-Address}" == 192.168.156.9 && !"%{Packet-Src-IP-Address}" == 192.168.155.9) {
Thu Jan 18 09:45:52 2018 : Debug:    reply_log
Thu Jan 18 09:45:52 2018 : Debug:    sql
Thu Jan 18 09:45:52 2018 : Debug:   }
Thu Jan 18 09:45:52 2018 : Debug:   exec
Thu Jan 18 09:45:52 2018 : Warning: /etc/raddb/policy.d/eap[79]: Please change attribute reference to '&Reply-Message !* ...'
Thu Jan 18 09:45:52 2018 : Debug:   policy remove_reply_message_if_eap {
Thu Jan 18 09:45:52 2018 : Debug:    if (&reply:EAP-Message && &reply:Reply-Message) {
Thu Jan 18 09:45:52 2018 : Debug:     update {
Thu Jan 18 09:45:52 2018 : Debug:      &reply:Reply-Message !* ANY
Thu Jan 18 09:45:52 2018 : Debug:     }
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:    else {
Thu Jan 18 09:45:52 2018 : Debug:     noop
Thu Jan 18 09:45:52 2018 : Debug:    }
Thu Jan 18 09:45:52 2018 : Debug:   }
Thu Jan 18 09:45:52 2018 : Warning: /etc/raddb/policy.d/eap[79]: Please change attribute reference to '&Reply-Message !* ...'
Thu Jan 18 09:45:52 2018 : Debug: } # server domain.dslnet.fr



When a user tries to authenticate, I get:

Debug: (23) suffix: Checking for suffix after "@"
Debug: (23) suffix: Looking up realm "domain.dslnet.fr" for User-Name = "
user at domain.dslnet.fr"
Debug: (23) suffix: No such realm "domain.dslnet.fr"

Can anybody tell me why it does not find the realm? Does radiusd look in
sites-enabled/ or in proxy.conf?

I have no problems with the same config files on 3.0.4.

Regards
Cédric
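
An added example, not part of the original post: a Python triage helper for debug output like the above. It re-joins mail-wrapped records, pairs each "No such realm" line with its request, and flags the case seen here, where the missing realm has the same name as a loaded virtual server. Assumptions: the sample lines are constructed from the post plus an invented request 24, and the function names are hypothetical.

```python
import re

# Constructed sample: records modelled on the post's "radiusd -Xx" output,
# including the mail-wrapped lines; request 24 is invented for contrast.
SAMPLE = '''\
Thu Jan 18 09:45:52 2018 : Debug: server domain.dslnet.fr { # from file
/etc/raddb/sites-enabled/domain-lns
Debug: (23) suffix: Checking for suffix after "@"
Debug: (23) suffix: Looking up realm "domain.dslnet.fr" for User-Name = "
user at domain.dslnet.fr"
Debug: (23) suffix: No such realm "domain.dslnet.fr"
Debug: (24) suffix: Looking up realm "example.org" for User-Name = "bob@example.org"
Debug: (24) suffix: No such realm "example.org"
'''

# A record starts with an optional timestamp followed by a log level.
START = re.compile(r'^(?:\w{3} \w{3} +\d+ [\d:]+ \d{4} : )?(?:Debug|Info|Warning|Error): ')
SERVER = re.compile(r'Debug: server (\S+) \{')
LOOKUP = re.compile(r'\((\d+)\) suffix: Looking up realm "([^"]*)" for User-Name = "\s*([^"]*)"')
MISSING = re.compile(r'\((\d+)\) suffix: No such realm "([^"]*)"')

def unwrap(text):
    """Re-join lines that a mail client wrapped in the middle of a log record."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def realm_failures(text):
    """Return one dict per request whose realm lookup ended in 'No such realm'."""
    servers, lookups, failures = set(), {}, []
    for rec in unwrap(text):
        if m := SERVER.search(rec):
            servers.add(m.group(1))
        elif m := LOOKUP.search(rec):
            lookups[m.group(1)] = (m.group(2), m.group(3))
        elif m := MISSING.search(rec):
            req, realm = m.groups()
            user = lookups.get(req, (realm, None))[1]
            failures.append({
                "request": int(req), "realm": realm, "user": user,
                # rlm_realm resolves realms from "realm NAME { ... }" sections
                # (proxy.conf in the stock layout); a virtual server that
                # merely shares the name does not define a realm.
                "same_name_virtual_server": realm in servers})
    return failures
```

Calling realm_failures() on a saved debug capture gives a per-request list to compare against the realm sections actually loaded on each server.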

