Troubles when starting two virtual servers at the same time, both with mschap

黄立成 2071264258 at qq.com
Mon Dec 2 08:30:50 UTC 2024


I am trying to start radius (default server) and tacacs at the same time, both with mschap. My tacacs server can work properly alone, so I just added the default file back to the sites-enabled directory.
Also, according to the mschap module page, I put two attributes parts in the mschap file (one for tacacs and one for radius).
Debug info is as follows:
including configuration file /usr/local/etc/raddb/radiusd.conf
Including files in directory "/usr/local/etc/raddb/template.d/"
including configuration file /usr/local/etc/raddb/template.d/default
including configuration file /usr/local/etc/raddb/clients.conf
Including files in directory "/usr/local/etc/raddb/global.d/"
including configuration file /usr/local/etc/raddb/global.d/ldap
including configuration file /usr/local/etc/raddb/global.d/python
Including files in directory "/usr/local/etc/raddb/mods-enabled/"
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/client
including configuration file /usr/local/etc/raddb/mods-enabled/delay
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/eap_inner
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/escape
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/stats
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
Including files in directory "/usr/local/etc/raddb/policy.d/"
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalisation
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/time
including configuration file /usr/local/etc/raddb/policy.d/vendor
Including files in directory "/usr/local/etc/raddb/sites-enabled/"
including configuration file /usr/local/etc/raddb/sites-enabled/default
Loaded module process_radius
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
Loaded module process_tacacs
including configuration file /usr/local/etc/raddb/sites-enabled/tacacs
Parsing initial logging configuration.
main {
  prefix = /usr/local
  log {
    destination = files
    syslog_facility = daemon
    local_state_dir = "/usr/local/var"
    logdir = "/usr/local/var/log"
    file = /usr/local/var/log/radius/radius.log
    suppress_secrets = no
  }
}
Parsing security rules to bootstrap UID / GID / chroot / etc.
main {
  log {
  }
  security {
    allow_core_dumps = no
    allow_vulnerable_openssl = no
    openssl_fips_mode = no
  }
  name = radiusd
  local_state_dir = "/usr/local/var"
  run_dir = /usr/local/var/run/radiusd
}
Parsing main configuration
main {
  server default {
    namespace = radius
    radius {
      Access-Request {
        log {
          stripped_names = no
          auth = no
          auth_badpass = no
          auth_goodpass = no
          msg_denied = "You are already logged in - access denied"
        }
        session {
          timeout = 15
          max = 4096
        }
      }
    }
Loaded module proto_radius
    listen {
      type = Access-Request
      type = Status-Server
      transport = udp
Loaded module proto_radius_udp
      udp {
        ipaddr = *
        port = 1812
        networks {
          allow = 127/8
          allow = 192.0.2/24
        }
        max_packet_size = 4096
        max_attributes = 255
      }
      limit {
        cleanup_delay = 5.0
        idle_timeout = 60.0
        nak_lifetime = 30.0
        max_connections = 256
        max_clients = 256
        max_pending_packets = 256
      }
      priority {
        Access-Request = high
        Accounting-Request = low
        CoA-Request = normal
        Disconnect-Request = low
        Status-Server = now
      }
    }
    listen tcp_auth {
      type = Access-Request
      type = Status-Server
      transport = tcp
Loaded module proto_radius_tcp
      tcp {
        ipaddr = *
        port = 1812
        networks {
          allow = 127/8
          allow = 192.0.2/24
        }
        max_packet_size = 4096
        max_attributes = 255
      }
      limit {
        cleanup_delay = 5.0
        idle_timeout = 30.0
        nak_lifetime = 30.0
        max_connections = 1024
        max_clients = 256
        max_pending_packets = 256
      }
      priority {
        Access-Request = high
        Accounting-Request = low
        CoA-Request = normal
        Disconnect-Request = low
        Status-Server = now
      }
    }
    listen udp_acct {
      type = Accounting-Request
      transport = udp
      udp {
        ipaddr = *
        port = 1813
        networks {
        }
        max_packet_size = 4096
        max_attributes = 255
      }
      limit {
        cleanup_delay = 5.0
        idle_timeout = 30.0
        nak_lifetime = 30.0
        max_connections = 1024
        max_clients = 256
        max_pending_packets = 256
      }
      priority {
        Access-Request = high
        Accounting-Request = low
        CoA-Request = normal
        Disconnect-Request = low
        Status-Server = now
      }
    }
  }
  server inner-tunnel {
    namespace = tacacs
    tacacs {
      Authentication {
        log {
          stripped_names = no
          auth = no
          auth_badpass = no
          auth_goodpass = no
          msg_denied = "You are already logged in - access denied"
        }
        session {
          timeout = 15
          max = 4096
          max_rounds = 4
        }
      }
    }
Loaded module proto_tacacs
    listen {
      type = Authentication-Start
      type = Authentication-Continue
      type = Authorization-Request
      type = Accounting-Request
      transport = tcp
Loaded module proto_tacacs_tcp
      tcp {
        ipaddr = 127.0.0.1
        port = 18121
        networks {
        }
        max_packet_size = 4096
        max_attributes = 256
      }
      limit {
        idle_timeout = 30.0
        max_connections = 1024
      }
      priority {
        Authentication-Start = high
        Authentication-Continue = high
        Authorization-Request = normal
        Accounting-Request = low
      }
    }
  }
  server tacacs {
    namespace = tacacs
    tacacs {
      Authentication {
        log {
          stripped_names = no
          auth = no
          auth_badpass = no
          auth_goodpass = no
          msg_denied = "You are already logged in - access denied"
        }
        session {
          timeout = 15
          max = 4096
          max_rounds = 4
        }
      }
    }
    listen {
      type = Authentication-Start
      type = Authentication-Continue
      type = Authorization-Request
      type = Accounting-Request
      transport = tcp
      tcp {
        ipaddr = *
        port = 49
        networks {
        }
        max_packet_size = 4096
        max_attributes = 256
      }
      limit {
        idle_timeout = 60.0
        max_connections = 256
      }
      priority {
        Authentication-Start = high
        Authentication-Continue = high
        Authorization-Request = normal
        Accounting-Request = low
      }
    }
  }
  log {
    colourise = yes
  }
  security {
  }
  sbin_dir = "/usr/local/sbin"
  logdir = /usr/local/var/log/radius
  radacctdir = /usr/local/var/log/radius/radacct
  reverse_lookups = no
  hostname_lookups = yes
  max_request_time = 30
  pidfile = /usr/local/var/run/radiusd/radiusd.pid
  debug_level = 0
  max_requests = 16384
  resources {
  }
  thread pool {
    num_networks = 1
Dynamically determined thread.workers = 15
    num_workers = 15
    openssl_async_pool_init = 64
    openssl_async_pool_max = 1024
  }
  migrate {
    rewrite_update = false
    forbid_update = false
  }
  interpret {
  }
}
Switching to configured log settings
radiusd: #### Loading Clients ####
  client localhost {
    ipaddr = 127.0.0.1
    secret = <<< secret >>>
    require_message_authenticator = no
    proto = *
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
    }
  }
  client localhost_ipv6 {
    ipv6addr = ::1
    secret = <<< secret >>>
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30s
    }
  }
  client test {
    ipaddr = 192.168.2.3
    secret = <<< secret >>>
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30s
    }
  }
Debugger not attached
trigger { ... } subsection not found, triggers will be disabled
#### Instantiating libraries ####
#### Bootstrapping process modules ####
Bootstrapping process_radius "default"
Creating Auth-Type = pap
Creating Auth-Type = chap
Creating Auth-Type = mschap
Creating Auth-Type = digest
Creating Auth-Type = ldap
Creating Auth-Type = eap
Bootstrapping process_tacacs "inner-tunnel"
Bootstrapping process_tacacs "tacacs"
Creating Auth-Type = MSCHAPv2
Creating Auth-Type = ASCII
#### Bootstrapping protocol modules ####
Bootstrapping proto_radius "default.radius"
    client localhost {
      ipaddr = 192.0.2.1
      secret = <<< secret >>>
      shortname = sample
      limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30s
      }
    }
Bootstrapping proto_radius "default.tcp_auth"
Bootstrapping proto_radius "default.udp_acct"
Bootstrapping proto_tacacs "inner-tunnel.tacacs"
Ignoring "nak_lifetime = 0", forcing to "nak_lifetime = 1"
Bootstrapping proto_tacacs "tacacs.tacacs"
Ignoring "nak_lifetime = 0", forcing to "nak_lifetime = 1"
    client tacacs {
      ipaddr = 192.168.2.3
      secret = <<< secret >>>
      proto = tcp
      limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30s
      }
    }
#### Instantiating libraries ####
#### Bootstrapping modules ####
 modules {
Loaded module rlm_always
    always reject {
      rcode = reject
      simulcount = 0
      mpp = no
    }
    always fail {
      rcode = fail
      simulcount = 0
      mpp = no
    }
    always ok {
      rcode = ok
      simulcount = 0
      mpp = no
    }
    always handled {
      rcode = handled
      simulcount = 0
      mpp = no
    }
    always invalid {
      rcode = invalid
      simulcount = 0
      mpp = no
    }
    always disallow {
      rcode = disallow
      simulcount = 0
      mpp = no
    }
    always notfound {
      rcode = notfound
      simulcount = 0
      mpp = no
    }
    always noop {
      rcode = noop
      simulcount = 0
      mpp = no
    }
    always updated {
      rcode = updated
      simulcount = 0
      mpp = no
    }
Loaded module rlm_attr_filter
    attr_filter attr_filter.pre-proxy {
      filename = /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
      key = "%{Realm}"
      relaxed = no
    }
    attr_filter attr_filter.post-proxy {
      filename = /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
      key = "%{Realm}"
      relaxed = no
    }
    attr_filter attr_filter.access_reject {
      filename = /usr/local/etc/raddb/mods-config/attr_filter/access_reject
      key = "%{User-Name}"
      relaxed = no
    }
    attr_filter attr_filter.access_challenge {
      filename = /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
      key = "%{User-Name}"
      relaxed = no
    }
    attr_filter attr_filter.accounting_response {
      filename = /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
      key = "%{User-Name}"
      relaxed = no
    }
Loaded module rlm_cache
    cache cache_eap {
      driver = rbtree
Loaded module rlm_cache_rbtree
      key = %{&control.State || &reply.State || &State}
      ttl = 15
      max_entries = 0
      epoch = 0
      add_stats = no
    }
Loaded module rlm_chap
    chap {
      min_challenge_len = 16
    }
Loaded module rlm_client
Loaded module rlm_delay
    delay {
      delay = 1.0s
      relative = no
      force_reschedule = no
    }
    delay delay_reject {
      delay = "%{&reply.FreeRADIUS-Response-Delay || 1}"
      relative = yes
      force_reschedule = no
    }
Loaded module rlm_detail
    detail {
      filename = /usr/local/var/log/radius/radacct/%{Net.Src.IP}/detail-%Y-%m-%d
      header = %t
      permissions = 0600
      locking = no
      escape_filenames = no
      log_packet_header = no
    }
    detail auth_log {
      filename = /usr/local/var/log/radius/radacct/%{Net.Src.IP}/auth-detail-%Y-%m-%d
      header = %t
      permissions = 0600
      locking = no
      escape_filenames = no
      log_packet_header = no
    }
    detail reply_log {
      filename = /usr/local/var/log/radius/radacct/%{Net.Src.IP}/reply-detail-%Y-%m-%d
      header = %t
      permissions = 0600
      locking = no
      escape_filenames = no
      log_packet_header = no
    }
    detail pre_proxy_log {
      filename = /usr/local/var/log/radius/radacct/%{Net.Src.IP}/pre-proxy-detail-%Y-%m-%d
      header = %t
      permissions = 0600
      locking = no
      escape_filenames = no
      log_packet_header = no
    }
    detail post_proxy_log {
      filename = /usr/local/var/log/radius/radacct/%{Net.Src.IP}/post-proxy-detail-%Y-%m-%d
      header = %t
      permissions = 0600
      locking = no
      escape_filenames = no
      log_packet_header = no
    }
Loaded module rlm_digest
Loaded module rlm_eap
    eap {
      require_identity_realm = nai
      type = md5
Loaded module rlm_eap_md5
      type = gtc
Loaded module rlm_eap_gtc
      gtc {
        challenge = "Password: "
        auth_type = PAP
      }
      type = tls
Loaded module rlm_eap_tls
      tls {
        tls = tls-common
        require_client_cert = yes
        include_length = yes
      }
      type = ttls
Loaded module rlm_eap_ttls
      ttls {
        tls = tls-common
        virtual_server = "inner-tunnel"
        include_length = yes
        require_client_cert = no
      }
      type = mschapv2
Loaded module rlm_eap_mschapv2
      mschapv2 {
        with_ntdomain_hack = no
        auth_type = mschap
        send_error = no
      }
      type = peap
Loaded module rlm_eap_peap
      peap {
        tls = tls-common
        virtual_server = "inner-tunnel"
        require_client_cert = no
      }
      ignore_unknown_eap_types = no
    }
    eap inner-eap {
      require_identity_realm = nai
      default_eap_type = mschapv2
      type = md5
      type = gtc
      gtc {
        challenge = "Password: "
        auth_type = PAP
      }
      type = mschapv2
      mschapv2 {
        with_ntdomain_hack = no
        auth_type = mschap
        send_error = no
      }
      type = tls
      tls {
        tls = tls-peer
        require_client_cert = yes
        include_length = yes
      }
      ignore_unknown_eap_types = no
    }
Loaded module rlm_exec
    exec echo {
      wait = yes
      input_pairs = &request
      output_pairs = &reply
      shell_escape = yes
      env_inherit = no
    }
Loaded module rlm_escape
    escape {
      safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
    }
    exec {
      wait = yes
      input_pairs = &request
      shell_escape = yes
      env_inherit = no
      timeout = 10
    }
Loaded module rlm_files
    files {
      filename = /usr/local/etc/raddb/mods-config/files/authorize
      acctusersfile = /usr/local/etc/raddb/mods-config/files/accounting
      key = %{%{Stripped-User-Name}:-%{User-Name}}
    }
Loaded module rlm_linelog
    linelog {
      destination = file
      delimiter = "\n"
      format = "This is a log message for %{User-Name}"
      reference = "messages.%{&reply.Packet-Type || 'default'}"
      file {
        filename = /usr/local/var/log/radius/linelog
        permissions = 0600
        escape_filenames = no
      }
      syslog {
        severity = "info"
      }
      unix {
      }
      tcp {
        server = localhost
        port = 514
        timeout = 2.0
      }
      udp {
        server = localhost
        port = 514
        timeout = 2.0
      }
    }
    linelog log_accounting {
      destination = file
      delimiter = "\n"
      format = ""
      reference = "Accounting-Request.%{&Acct-Status-Type || 'unknown'}"
      file {
        filename = /usr/local/var/log/radius/linelog-accounting
        permissions = 0600
        escape_filenames = no
      }
      syslog {
        severity = "info"
      }
      unix {
      }
      tcp {
        timeout = 1000
      }
      udp {
        timeout = 1000
      }
    }
Loaded module rlm_mschap
    mschap {
      normalise = yes
      use_mppe = yes
      require_encryption = no
      require_strong = no
      with_ntdomain_hack = yes
      passchange {
      }
      allow_retry = yes
      winbind {
      }
    }
    exec ntlm_auth {
      wait = yes
      shell_escape = yes
      env_inherit = no
    }
Loaded module rlm_pap
    pap {
      normalise = yes
    }
Loaded module rlm_passwd
    passwd etc_passwd {
      filename = /etc/passwd
      format = "*User-Name:Crypt-Password:"
      delimiter = ":"
      ignore_nislike = no
      ignore_empty = yes
      allow_multiple_keys = no
      hash_size = 100
    }
Loaded module rlm_radutmp
    radutmp {
      filename = /usr/local/var/log/radius/radutmp
      username = %{User-Name}
      check_with_nas = yes
      permissions = 0600
      caller_id = no
    }
    radutmp sradutmp {
      filename = /usr/local/var/log/radius/sradutmp
      username = "%{User-Name}"
      check_with_nas = yes
      permissions = 0644
      caller_id = no
    }
Loaded module rlm_stats
    stats {
    }
Loaded module rlm_unix
    unix {
    }
Loaded module rlm_unpack
Loaded module rlm_utf8
#### Bootstrapping rlm modules ####
Bootstrapping rlm_cache "cache_eap"
Bootstrapping rlm_chap "chap"
Bootstrapping rlm_delay "delay"
Bootstrapping rlm_delay "delay_reject"
Bootstrapping rlm_always "disallow"
Bootstrapping rlm_eap "eap"
Bootstrapping rlm_exec "echo"
Bootstrapping rlm_escape "escape"
Bootstrapping rlm_exec "exec"
Bootstrapping rlm_always "fail"
Bootstrapping rlm_always "handled"
Bootstrapping rlm_eap "inner-eap"
Bootstrapping rlm_always "invalid"
Bootstrapping rlm_linelog "linelog"
Bootstrapping rlm_linelog "log_accounting"
Bootstrapping rlm_mschap "mschap"
Bootstrapping rlm_always "noop"
Bootstrapping rlm_always "notfound"
Bootstrapping rlm_exec "ntlm_auth"
Bootstrapping rlm_always "ok"
Bootstrapping rlm_always "reject"
Bootstrapping rlm_unix "unix"
Bootstrapping rlm_always "updated"
 } # modules
#### Instantiating listeners ####
Compiling policies in server default { ... }
Instantiating proto_radius "default.radius"
Instantiating proto_radius "default.tcp_auth"
Instantiating proto_radius "default.udp_acct"
Instantiating process_radius "default"
Compiling policies in - recv Access-Request {...}
/usr/local/etc/raddb/policy.d/time[13]: Skipping remaining instructions due to 'return'
/usr/local/etc/raddb/policy.d/time[18]: Please use the 'filter' keyword for attribute filtering
Compiling policies in - send Access-Accept {...}
Compiling policies in - send Access-Challenge {...}
Compiling policies in - send Access-Reject {...}
Compiling policies in - recv Accounting-Request {...}
Compiling policies in - send Accounting-Response {...}
Compiling policies in - recv Status-Server {...}
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
Compiling policies in - authenticate digest {...}
Compiling policies in - authenticate ldap {...}
Compiling policies in - authenticate eap {...}
Compiling policies in - accounting Start {...}
Compiling policies in - accounting Stop {...}
Compiling policies in - accounting Interim-Update {...}
Compiling policies in - accounting Accounting-On {...}
Compiling policies in - accounting Accounting-Off {...}
Compiling policies in - accounting Failed {...}
/usr/local/etc/raddb/sites-enabled/default[80]: radius  { ... } section is unused
/usr/local/etc/raddb/sites-enabled/default[224]: dictionary  { ... } section is unused
Compiling policies in server inner-tunnel { ... }
Instantiating proto_tacacs "inner-tunnel.tacacs"
Instantiating process_tacacs "inner-tunnel"
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
/usr/local/etc/raddb/mods-enabled/mschap[384]: Failed to parse configuration item 'chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge': Attribute 'Vendor-Specific.Microsoft.CHAP-Challenge' not found.  Searched in: TACACS, internal
/usr/local/etc/raddb/mods-enabled/mschap[384]: Unresolved attributes are not allowed here
/usr/local/etc/raddb/sites-enabled/inner-tunnel[201]: Invalid keyword "mschap".




I guess I did not configure it right to start two servers at the same time.

Thanks for your help and I am looking forward to hearing your suggestions!!

Licheng Huang
2071264258 at qq.com
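As an added diagnostic for threads like this one (not code from the post or from the FreeRADIUS project), the script below parses a `radiusd -X` startup transcript of the kind shown above, maps each `server NAME {` block to its `namespace = ...` value, collects the `virtual_server = "..."` references made by the EAP ttls/peap method blocks, and flags any inner tunnel whose namespace is not `radius`. The transcript embedded in the script is constructed from the lines visible in the debug output; the rule that an EAP inner tunnel must be a `namespace = radius` server is an assumption made by this example, not a statement the post makes.

```python
"""Added example: a small checker over FreeRADIUS v4 debug output.

Assumptions (not from the original post): the `radiusd -X` transcript lists
`namespace = ...` as the first line inside each `server NAME {` block, and an
EAP inner tunnel (ttls/peap `virtual_server`) must be a `radius` namespace
server.  SAMPLE_DEBUG is a constructed excerpt modelled on the post.
"""
import re

# Constructed sample: only the lines this checker cares about are kept.
SAMPLE_DEBUG = """\
main {
  server default {
    namespace = radius
    radius {
    }
  }
  server inner-tunnel {
    namespace = tacacs
    tacacs {
    }
  }
  server tacacs {
    namespace = tacacs
  }
}
    eap {
      ttls {
        tls = tls-common
        virtual_server = "inner-tunnel"
      }
      peap {
        tls = tls-common
        virtual_server = "inner-tunnel"
      }
    }
"""

SERVER_RE = re.compile(r'^\s*server\s+(\S+)\s*\{')
NAMESPACE_RE = re.compile(r'^\s*namespace\s*=\s*(\S+)')
VSERVER_RE = re.compile(r'^\s*virtual_server\s*=\s*"?([^"\s]+)"?')


def server_namespaces(debug_text):
    """Map each virtual server name to the first namespace seen in its block."""
    result = {}
    current = None
    for line in debug_text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, None)
            continue
        m = NAMESPACE_RE.match(line)
        if m and current is not None and result[current] is None:
            result[current] = m.group(1)
    return result


def inner_tunnel_refs(debug_text):
    """Return the sorted set of virtual servers referenced as EAP inner tunnels."""
    refs = set()
    for line in debug_text.splitlines():
        m = VSERVER_RE.match(line)
        if m:
            refs.add(m.group(1))
    return sorted(refs)


def check_inner_tunnels(debug_text):
    """List (server, namespace) pairs for inner tunnels that are not radius.

    A missing server shows up with namespace None, which is also a problem.
    """
    spaces = server_namespaces(debug_text)
    problems = []
    for name in inner_tunnel_refs(debug_text):
        ns = spaces.get(name)
        if ns != "radius":
            problems.append((name, ns))
    return problems


if __name__ == "__main__":
    for name, ns in server_namespaces(SAMPLE_DEBUG).items():
        print(f"server {name}: namespace = {ns}")
    for name, ns in check_inner_tunnels(SAMPLE_DEBUG):
        print(f"inner tunnel '{name}' has namespace {ns!r}, expected 'radius'")
```

Run against a real transcript by replacing `SAMPLE_DEBUG` with the captured `radiusd -X` output; the checker only reads `server`, `namespace` and `virtual_server` lines, so the rest of the log can stay as is.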