Freeradius-Users Digest, Vol 241, Issue 23
thomas
thomas.nodon at gmail.com
Tue May 27 15:15:11 UTC 2025
> I don't recall that being part of v2.
I got some free time yesterday and looked through our old v2 config.
I believe in v2 it was due to our config, which set Auth-Type to
ldap, and since it failed to retrieve a non-existent user from ldap it
would log the ldap failure error.
For our new config, we refrained from setting the Auth-Type to ldap, as
recommended by the documentation.
We get the "No Auth-Type found" error because there is no Auth-Type found,
since ldap can't provide a "known good" to pap.
> But it's easy enough to add in unlang:
> ldap
> if (notfound) {
>     ... add a message here.
> }
I could not find which attribute/variable to update with my message,
since there is no failure in the authorize stanza.
For now I have made the following linelog.
linelog log_ldap_user_notfound {
    filename = ${logdir}/radius.log
    permissions = 0640
    format = "%t : Login incorrect: (ldap: user %{User-Name} not found) Client-Mac = %{Calling-Station-Id}"
}
And added the following in the authorize stanza after ldap.
ldap
if (notfound) {
    log_ldap_user_notfound
}
But this outputs an extra line in radius.log since we use auth = yes
in radius.conf.
If there is a better way to do this, let me know; in the meantime, if I find
a better solution I will post it to the mailing list.
Thanks,
Thomas
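As an added example (not code from this thread or from the FreeRADIUS project), this is the alternative to the linelog that Alan's reply and the message above point at: check the ldap return code in the inner-tunnel authorize section, write the reason into the request's own Module-Failure-Message, and reject right there. It assumes FreeRADIUS 3.x unlang, an ldap module instance named ldap as in the debug output, and that the rest of the inner-tunnel authorize section matches the stock file; the message text and the use of outer.request for the client MAC are my own choices.

```unlang
#  Added example, not from the thread: "authorize" section of
#  sites-enabled/inner-tunnel for FreeRADIUS 3.x.  Module names other
#  than "ldap" follow the stock file; the message text is my own.
authorize {
    filter_username
    suffix
    eap

    #  Bare "ldap" (not "-ldap"): if the directory is unreachable the
    #  module returns fail, the section stops, and the module's own
    #  error text is what ends up in Module-Failure-Message.
    ldap

    #  The search ran but matched no entry.  Put the reason into the
    #  attribute that the auth log line prints and reject now, before
    #  the server reaches the Auth-Type check that produced the
    #  "No Auth-Type found" message.  Calling-Station-Id is not in the
    #  tunneled request (see the debug output), so read it from the
    #  outer request.
    if (notfound) {
        update request {
            &Module-Failure-Message := "ldap: user %{User-Name} not found (cli %{outer.request:Calling-Station-Id})"
        }
        reject
    }

    expiration
    logintime

    #  Only reached when ldap returned ok and mapped a known-good password.
    pap
}
```

Because the section returns reject before the server looks for an Auth-Type, the "No Auth-Type found" text is never generated, so the request carries a single Module-Failure-Message and auth = yes writes one line per attempt instead of two. In my reading of v3's auth.c a reject coming from authorize is logged as "Invalid user (...)" rather than "Login incorrect (...)", so confirm the exact wording with radiusd -X. The stock inner-tunnel Post-Auth-Type REJECT already copies Module-Failure-Message into outer.session-state (visible in the debug output above), so the outer request can reference the same text as %{session-state:Module-Failure-Message} if the outer "Login incorrect (eap: Failed continuing EAP TTLS ...)" line is the one being read.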
On Mon, May 19, 2025 at 6:12 PM
<freeradius-users-request at lists.freeradius.org> wrote:
>
> Today's Topics:
>
> 1. Can Post-Auth-Type REJECT log LDAP user not found (thomas)
> 2. radiusd crashes. ASSERT FAILED src/main/threads.c[794]
> (Sergei Kodentsev)
> 3. Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794]
> (Alan DeKok)
> 4. Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794]
> (Sergei Kodentsev)
> 5. Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794]
> (Alan DeKok)
> 6. Re: Can Post-Auth-Type REJECT log LDAP user not found (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 19 May 2025 14:07:19 +0200
> From: thomas <thomas.nodon at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Can Post-Auth-Type REJECT log LDAP user not found
> Message-ID:
> <CAOPTCcfeQKoZsJYCNywmA1QU524tuUZuMnON4f6yV4Ez-fkOrw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello everyone,
>
> I have set up a FreeRADIUS server with EAP-TTLS/PAP and OpenLDAP, the
> setup works fine.
>
> I have a question regarding Post-Auth-Type REJECT, it correctly logs Login
> incorrect, but the &Module-Failure-Message is ambiguous for our needs when
> it comes to troubleshooting.
>
> I get the following log if a user types their username incorrectly :
>
> `Login incorrect (No Auth-Type found: rejecting the user via
> Post-Auth-Type = Reject): [johndo at lab.local] (from client localhost port 0
> via TLS tunnel)`
>
> Is it possible to log something along the lines of "LDAP user not found"
> without making custom loglines? I believe this was possible on FreeRADIUS
> 2.x.x.
>
> You can find the debug info below.
>
> Thanks in advance !
>
> --Thomas
>
> (5) Received Access-Request Id 5 from 127.0.0.1:47099 to 127.0.0.1:1812
> length 229
> (5) User-Name = "anonymous at lab.local"
> (5) NAS-IP-Address = 127.0.0.1
> (5) Calling-Station-Id = "02-00-00-00-00-01"
> (5) Framed-MTU = 1400
> (5) NAS-Port-Type = Wireless-802.11
> (5) Service-Type = Framed-User
> (5) Connect-Info = "CONNECT 11Mbps 802.11b"
> (5) EAP-Message =
> 0x02b2005315001703030048688da1ee57de5c653ec5b3ddb3fddaf954b25a2814726949f8960b9c81902198bf3054cc85cee621707608ab4bb4fecdd2dd6c1c55b33338264afb10435abffeb1198b43490adde2
> (5) State = 0x5cf4dd435846c8abb4f3a6e2030e9f16
> (5) Message-Authenticator = 0x161a97e6923da68704ab1e2c3048d6af
> (5) Restoring &session-state
> (5) &session-state:Framed-MTU = 1004
> (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
> Handshake, ClientHello"
> (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, ServerHello"
> (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, Certificate"
> (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, ServerKeyExchange"
> (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, ServerHelloDone"
> (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
> Handshake, ClientKeyExchange"
> (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
> Handshake, Finished"
> (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> ChangeCipherSpec"
> (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, Finished"
> (5) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES256-GCM-SHA384"
> (5) &session-state:TLS-Session-Version = "TLS 1.2"
> (5) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) if !("%{User-Name}" =~ /@lab.local$/) {
> (5) EXPAND %{User-Name}
> (5) --> anonymous at lab.local
> (5) if !("%{User-Name}" =~ /@lab.local$/) -> FALSE
> (5) suffix: Checking for suffix after "@"
> (5) suffix: Looking up realm "lab.local" for User-Name =
> "anonymous at lab.local"
> (5) suffix: Found realm "lab.local"
> (5) suffix: Adding Realm = "lab.local"
> (5) suffix: Authentication realm is LOCAL
> (5) [suffix] = ok
> (5) eap: Peer sent EAP Response (code 2) ID 178 length 83
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0x5cf4dd435846c8ab
> (5) eap: Finished EAP session with state 0x5cf4dd435846c8ab
> (5) eap: Previous EAP request found for state 0x5cf4dd435846c8ab, released
> from the list
> (5) eap: Peer sent packet with method EAP TTLS (21)
> (5) eap: Calling submodule eap_ttls to process data
> (5) eap_ttls: Authenticate
> (5) eap_ttls: (TLS) EAP Done initial handshake
> (5) eap_ttls: Session established. Proceeding to decode tunneled attributes
> (5) eap_ttls: Got tunneled request
> (5) eap_ttls: User-Name = "johndo at lab.local"
> (5) eap_ttls: User-Password = "johndoe"
> (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
> (5) eap_ttls: Sending tunneled request
> (5) Virtual server inner-tunnel received request
> (5) User-Name = "johndo at lab.local"
> (5) User-Password = "johndoe"
> (5) FreeRADIUS-Proxied-To = 127.0.0.1
> (5) server inner-tunnel {
> (5) # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) suffix: Checking for suffix after "@"
> (5) suffix: Looking up realm "lab.local" for User-Name = "johndo at lab.local"
> (5) suffix: Found realm "lab.local"
> (5) suffix: Adding Realm = "lab.local"
> (5) suffix: Authentication realm is LOCAL
> (5) [suffix] = ok
> (5) update control {
> (5) &Proxy-To-Realm := LOCAL
> (5) } # update control = noop
> (5) eap: No EAP-Message, not doing EAP
> (5) [eap] = noop
> (5) [expiration] = noop
> (5) [logintime] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (5) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (5) ldap: --> (uid=johndo at lab.local)
> (5) ldap: Performing search in "o=univ,dc=lab,dc=local" with filter
> "(uid=johndo at lab.local)", scope "sub"
> (5) ldap: Waiting for search result...
> (5) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldaps://ldap.lab.local:636
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (5) [ldap] = notfound
> (5) } # authorize = ok
> (5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
> Reject
> (5) Failed to authenticate the user
> (5) Using Post-Auth-Type Reject
> (5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (5) Post-Auth-Type REJECT {
> (5) attr_filter.access_reject: EXPAND %{User-Name}
> (5) attr_filter.access_reject: --> johndo at lab.local
> (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (5) [attr_filter.access_reject] = updated
> (5) update outer.session-state {
> (5) &Module-Failure-Message := &request:Module-Failure-Message ->
> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject'
> (5) } # update outer.session-state = noop
> (5) } # Post-Auth-Type REJECT = updated
> (5) Login incorrect (No Auth-Type found: rejecting the user via
> Post-Auth-Type = Reject): [johndo at lab.local] (from client localhost port 0
> via TLS tunnel)
> (5) } # server inner-tunnel
> (5) Virtual server sending reply
> (5) eap_ttls: Got tunneled Access-Reject
> (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module
> failed
> (5) eap: Sending EAP Failure (code 4) ID 178 length 4
> (5) eap: Failed in EAP select
> (5) [eap] = invalid
> (5) } # authenticate = invalid
> (5) Failed to authenticate the user
> (5) Using Post-Auth-Type Reject
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5) Post-Auth-Type REJECT {
> (5) attr_filter.access_reject: EXPAND %{User-Name}
> (5) attr_filter.access_reject: --> anonymous at lab.local
> (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (5) [attr_filter.access_reject] = updated
> (5) policy remove_reply_message_if_eap {
> (5) if (&reply:EAP-Message && &reply:Reply-Message) {
> (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (5) else {
> (5) [noop] = noop
> (5) } # else = noop
> (5) } # policy remove_reply_message_if_eap = noop
> (5) } # Post-Auth-Type REJECT = updated
> (5) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP
> sub-module failed): [anonymous at lab.local] (from client localhost port 0 cli
> 02-00-00-00-00-01)
> (5) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (5) Sending delayed response
> (5) Sent Access-Reject Id 5 from 127.0.0.1:1812 to 127.0.0.1:47099 length 44
> (5) EAP-Message = 0x04b20004
> (5) Message-Authenticator = 0x00000000000000000000000000000000
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 19 May 2025 15:32:51 +0300
> From: Sergei Kodentsev <sergk at ic.vrn.ru>
> To: freeradius-users at lists.freeradius.org
> Subject: radiusd crashes. ASSERT FAILED src/main/threads.c[794]
> Message-ID: <a8cef70b-bccf-4c8b-876b-db7307fb9852 at ic.vrn.ru>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Hi,
> FreeRADIUS 3.2.7, Ubuntu 24.04.2 LTS
> How to solve this problem?
>
> Mon May 19 09:17:25 2025 : Error: (11542) Ignoring duplicate packet from
> client dhcp port 68 - ID: 3396190219 due to unfinished request in
> component post-auth module dhcplog
> Mon May 19 09:17:25 2025 : Error: Received conflicting packet from
> client dhcp port 68 - ID: 734446164 due to unfinished request in module
> dhcplog. Giving up on old request.
> Mon May 19 09:17:25 2025 : Error: Received conflicting packet from
> client dhcp port 68 - ID: 734446164 due to unfinished request in module
> <queue>. Giving up on old request.
> Mon May 19 09:17:25 2025 : Error: ASSERT FAILED src/main/threads.c[794]:
> request->child_state == REQUEST_QUEUED
> CAUGHT SIGNAL: Aborted
> Backtrace of last 6 frames:
> /usr/local/radius3/lib/libfreeradius-radius.so(fr_fault+0x139)[0x71d729f4b3d6]
> /usr/local/radius3/lib/libfreeradius-server.so(rad_assert_fail+0x4d)[0x71d729fb9591]
> /usr/local/radius3/sbin/radiusd(+0x4cf9e)[0x63cb44340f9e]
> /usr/local/radius3/sbin/radiusd(+0x4d275)[0x63cb44341275]
> /lib/x86_64-linux-gnu/libc.so.6(+0x9caa4)[0x71d72969caa4]
> /lib/x86_64-linux-gnu/libc.so.6(+0x129c3c)[0x71d729729c3c]
> Calling: gdb -silent -x /usr/local/radius3/etc/raddb/panic.gdb
> /usr/local/radius3/sbin/radiusd 3026728 2>&1 | tee
> /usr/local/radius3/var/log/radius/gdb-radiusd-3026728.log
> Temporarily setting PR_DUMPABLE to 1
> Mon May 19 09:17:25 2025 : WARNING: (11548) WARNING: Module
> dhcplog(rlm_sql) became unblocked
> Mon May 19 09:17:25 2025 : Error: (11571) Ignoring duplicate packet from
> client dhcp port 67 - ID: 3795885685 due to unfinished request in
> component <core> module
> Resetting PR_DUMPABLE to 0
> Panic action exited with 0
> _EXIT(0) CALLED src/lib/debug.c[811]
>
> regards,
> Sergey Kodentsev
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 19 May 2025 08:28:02 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794]
> Message-ID: <8093EBD2-0BD3-4956-87CE-308964F73540 at deployingradius.com>
> Content-Type: text/plain; charset=utf-8
>
> On May 19, 2025, at 7:32 AM, Sergei Kodentsev <sergk at ic.vrn.ru> wrote:
> >
> > Hi,
> > FreeRADIUS 3.2.7, Ubuntu 24.04.2 LTS
> > How to solve this problem?
>
> For now, delete the assertion and recompile. We've pushed a fix to GitHub, and the fix will be in the next release.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 19 May 2025 16:52:52 +0300
> From: Sergei Kodentsev <sergk at ic.vrn.ru>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794]
> Message-ID: <929d5521-86b1-47fb-92c7-293c25d5eb60 at ic.vrn.ru>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>
> On 19.05.2025 16:28, Alan DeKok wrote:
> > On May 19, 2025, at 7:32 AM, Sergei Kodentsev <sergk at ic.vrn.ru> wrote:
> > For now, delete the assertion and recompile. We've pushed a fix to GitHub, and the fix will be in the next release.
>
> How to delete assertion?
>
> Sergey Kodentsev.
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 19 May 2025 09:11:36 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: radiusd crashes. ASSERT FAILED src/main/threads.c[794]
> Message-ID: <C11286E6-6710-46D6-867A-94155C4DF7CA at deployingradius.com>
> Content-Type: text/plain; charset=utf-8
>
>
> On May 19, 2025, at 8:52 AM, Sergei Kodentsev <sergk at ic.vrn.ru> wrote:
> >
> > On 19.05.2025 16:28, Alan DeKok wrote:
> >> On May 19, 2025, at 7:32 AM, Sergei Kodentsev <sergk at ic.vrn.ru> wrote:
> >> For now, delete the assertion and recompile. We've pushed a fix to GitHub, and the fix will be in the next release.
> >
> > How to delete assertion?
>
> Edit the source code.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 19 May 2025 11:10:15 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Can Post-Auth-Type REJECT log LDAP user not found
> Message-ID: <3EF9709C-7D7E-43EE-968D-D2E7ADD46B3B at deployingradius.com>
> Content-Type: text/plain; charset=utf-8
>
> On May 19, 2025, at 7:07 AM, thomas <thomas.nodon at gmail.com> wrote:
> > I have a question regarding Post-Auth-Type REJECT, it correctly logs Login
> > incorrect, but the &Module-Failure-Message is ambiguous for our needs when
> > it comes to troubleshooting.
>
> You can always check the return code of the LDAP module, and then manually add a message.
>
> > Is it possible to log something along the lines of "LDAP user not found"
> > without making custom loglines? I believe this was possible on FreeRADIUS
> > 2.x.x.
>
> I don't recall that being part of v2. But it's easy enough to add in unlang:
>
> ldap
> if (notfound) {
>     ... add a message here.
> }
>
> Alan DeKok.
>
>
>
> ------------------------------