FreeRADIUS InkBridge

Startup text

We start the server with -X. This option gives us the best combination of useful output, and readable output. Adding more -x gives more complex output, not more useful output.

$ radiusd -X 2>&1 | tee debugfile

The server prints out the version number, copyright, and license information:

Details 
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

Next, it prints out messages relating to debuggers (e.g. gdb). These messages are intended for developers, and can generally be ignored by everyone else.

Getting debug state failed: ptrace capability not set.  If debugger detection is required run as root or: setcap cap_sys_ptrace+ep <path_to_radiusd>

Reading the configuration files

The next block of messages is about the configuration files. The server prints out the name of each configuration file it loads.

This output lets you check that the server is loading the files which you think it’s loading. One common issue is that people install multiple versions of the server, and then edit one file while the server is loading a different one. Reading the debug output will let you verify that you’re editing the right file.

Starting - reading configuration files ...

It then reads the dictionaries. It does not print out the name of every dictionary file it reads, as there are over 100 files, but they are never the less still loaded.

Details 
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary

Next is loads the main radiusd.conf file, and some associated ones like proxy.conf and clients.conf

Details 
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf

It now loads all of the modules. The module configuration is usually stored in raddb/mods-enabled/, with one module configuration per file in that directory.

Sometimes the module you’re using does not seem to be loaded or used. In that case, you should check this section to see that the file is loaded.

Details 
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/replicate

Next, some policies are loaded. These policies are ones which the server uses (for example) to canonicalize user names, and to do things like attribute re-writes, sanity checks, etc.

Details 
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/accounting
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel

Server Configuration

Once all of the configuration files are loaded, the server prints out the configuration it is parsing. Note that it only prints out what it is using. I.e. you can put foo = bar into radiusd.conf, and the server will load it, but will not print it out in the debug output.

The result is that if you set a configuration item, it will be printed out in the debug output. You should verify that this is the case, especially if it looks like the server is not using the setting you edited. If the configuration item does not appear in the debug output, then the server is not using it.

This is the "main" server configuration:

Details 
main {
	name = "radiusd"

Which directories the server is using,

prefix = "/"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib"
radacctdir = "/var/log/radius/radacct"

Next we have some generic configuration settings which don’t belong anywhere else.

Details 
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/sbin/checkrad"
debug_level = 0
proxy_requests = yes

And the logging configuration.

Details 
log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
	colourise = yes
	msg_denied = "You are already logged in - access denied"
}
resources {
}

The security settings.

Details 
 security {
 	max_attributes = 200
 	reject_delay = 1.000000
 	status_server = yes
 	allow_vulnerable_openssl = "yes"
 }
}

At this point, the server is well on it’s way to running.

Proxy Configuration

The server now loads its proxy configuration, as was defined in proxy.conf:

radiusd: #### Loading Realms and Home Servers ####

The over all proxy configuration is loaded.

Details 
proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
}

Followed by home_server configurations.

Details 
home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = <<< secret >>>
	response_window = 20.000000
	response_timeouts = 1
	max_outstanding = 65536
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	check_timeout = 4
	num_answers_to_alive = 3
	revive_interval = 120
 limit {
 	max_connections = 16
 	max_requests = 0
 	lifetime = 0
 	idle_timeout = 0
 }
 coa {
 	irt = 2
 	mrt = 16
 	mrc = 5
 	mrd = 30
 }
}

Followed by home_server_pool configurations.

Details 
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}

Followed by realm configurations.

Details 
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm int {
virtual_server = inner-tunnel
}

Clients

It now loads individual clients:

Details 
radiusd: #### Loading Clients ####
 client localhost {
 	ipaddr = 127.0.0.1
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	nas_type = "other"
 	proto = "*"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client localhost_ipv6 {
 	ipv6addr = ::1
 	require_message_authenticator = no
 	secret = <<< secret >>>
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }

Auth-Type

The server then creates Auth-Type, as set in the virtual servers. These Auth-Type names and values are used by the modules, so they need to be created now.

Details 
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP

Modules

When the server read the module configuration file above (from raddb/mods-enabled), that meant just reding the contents of the file. It is now ready to load the dynamic library which reads that configuration, and which parses the configuration to determine what to do with it.

Each module will print out it’s configuration, along with any errors or warnings it sees when it is loading itself.

radiusd: #### Instantiating modules ####
 modules {

Here is loads the pap module. There are multiple lines being printed at each stage of the process.

First, it discovers it has to load the pap module, and decides to do that.

# Loaded module rlm_pap

Second, it tells you which files is used to read the pap module configuration.

# Loading module "pap" from file /etc/raddb/mods-enabled/pap

Finally, it prints out the configuration that is used by the pap module.

pap {
  normalise = yes
}

When you are editing a module configuration, it is good to check the debug output for that module, to see:

  • Was the module loaded?

  • Is it using the file you edited?

  • Are the configuration changes you made showing up in the debug output?

Some modules like expiration do not have any configuration items, and therefore don’t print out any configuration when they are loaded.

# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration

This module loads the users file.

Details 
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
	filename = "/etc/raddb/mods-config/files/authorize"
	acctusersfile = "/etc/raddb/mods-config/files/accounting"
	preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}

The server loads a large number of modules, so we will omit them here.

Finally, it is done loading all modules, and prints this:

} # modules

Virtual Servers

Next, it loads "virtual servers".

radiusd: #### Loading Virtual Servers ####

It prints out the server, and name, along with which file it was loaded from.

server default { # from file /etc/raddb/sites-enabled/default

It then double-checks the various processing sections.

Details 
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}

The sql module is in the default configuration, even if the sql module is not enabled. This warning message is then printed out.

It can be ignored, or, in a production environment where you don’t use sql, you can just remove references to sql from the virtual servers.

Details 
Ignoring "sql" (see raddb/mods-available/README.rst)
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-auth {...}

In some situations, it tells you where the configuration can be simplified.

 # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:335
} # server inner-tunnel

Listen Sections

After loading all of the virtual servers, it then opens the various network sockets used to read and write packets.

radiusd: #### Opening IP addresses and Ports ####

First, it prints out the configuration for the listen sections.

Details 
listen {
  	type = "auth"
  	ipaddr = *
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "acct"
  	ipaddr = *
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "auth"
  	ipv6addr = ::
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "acct"
  	ipv6addr = ::
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "auth"
  	ipaddr = 127.0.0.1
  	port = 18120
}

After reading all of the configuration, it opens the ports, and prints out a list of IP addresses and ports which it is using.

Details 
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 39556
Listening on proxy address :: port 52609

And we finally get to this line.

Ready to process requests

Once this has been printed, the debug output changes to packet processing.

Note that if nothing is ever printed after this line, then the server is not receiving any packets. No amount of changing the server configuration will solve that problem. Instead, you must fix the firewall, SeLinux configuration, network routing, etc. so that the OS delivers RADIUS packets to the server.