[RADIATOR] Could not load EAP module Radius::EAP_
Barry Ard
bard at ualberta.ca
Mon Sep 16 15:55:34 CDT 2013
Hi Heikki,
I am including my sanitized radius configuration so maybe you can see
something that I can't. This has worked well for years. There are 2 radius
servers with 10 radiusd processes behind a proxy. On Saturday one process
was repeatedly receiving the "Could not load EAP module Radius::EAP_"
messages. I am running 4.11 but am in the process of scheduling a change to
move to 4.12. I do occasionally get messages like 'Could not load EAP
module Radius::EAP_16'.
I was thinking this was purely a client configuration issue but when
HUP'ing the process made it go away I became suspicious.
#LogStdout
#Foreground
Trace 3
AuthPort AUTH_PORT_NUMBER
AcctPort
LogDir /var/log/radiator/uws
DbDir /etc/radiator
BindAddress 127.0.0.1
LogFile %L/%Y%m%d-N.log
DictionaryFile /usr/local/radiator/dictionary
#User radius
#Group radius
DefineGlobalVar AuthCountsLogFile %L/authcounts-%Y%m%d-N.log
DefineGlobalVar AuthCountsLogInterval 300
DefineGlobalVar AuthCountsAuthNames LDAP,Local,Cache
MainLoopHook file:"%D/hooks/uws-mainloop.pl"
StartupHook file:"%D/hooks/uws-startup-hook.pl"
#
# Only accept requests from the head node. This may be 127.0.0.1 or a
# different host.
#
<Client 127.0.0.1>
Identifier UA-WISM
Secret notsecret
DupInterval 10
# from Radiator Ref Sec. 5.44.5
# When EAPBALANCE is used in a ServerFarm architecture to proxy requests to
# a set of backend RADIUS servers, the duplicate detection in the back end
# servers can be defeated by changes to requests made by the server farm. It
# is therefore essential that all the backend servers in such an
# architecture have the UseContentsForDuplicateDetection flag set in the
# receiving Client clauses.
UseContentsForDuplicateDetection
</Client>
<Monitor>
Username nos
Port MONITOR_PORT_NUMBER
</Monitor>
<AuthBy FILE>
Identifier LocalAccount
AddToReply Reply-Message=AuthedByLocal
Filename %D/users-uws-local
NoDefault
</AuthBy>
<AuthBy LDAP2>
Identifier PEAPLDAPAuth
AddToReply Reply-Message=AuthedByLDAP
UsernameMatchesWithoutRealm
Host ******************
AuthDN ******************
AuthPassword ******************
BaseDN ou=people,dc=ualberta,dc=ca
UsernameAttr uid
PasswordAttr sambaNTPassword
TranslatePasswordHook sub { return "{nthash}$_[0]"; }
UseSSL
SSLVerify require
SSLCAPath /etc/ssl/certs
EAPType MSCHAP-V2
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
Timeout 10
FailureBackoffTime 0
NoDefault
PostSearchHook file:"%D/hooks/ldap_postsearchhook.pl"
</AuthBy>
<AuthBy LDAP2>
Identifier LDAPBind
AddToReply Reply-Message=AuthedByLDAP
Host
BaseDN
ServerChecksPassword
UsernameMatchesWithoutRealm
UseSSL
SSLVerify require
SSLCAPath /etc/ssl/certs
Timeout 10
FailureBackoffTime 0
NoDefault
</AuthBy>
<AuthBy SQL>
Identifier CacheAuth
AddToReply Reply-Message=AuthedByCache
DBSource dbi:mysql:dbname=radius:host=127.0.0.1
DBUsername nos
DBAuth
TranslatePasswordHook sub { return "{nthash}$_[0]"; }
AuthSelect SELECT ntpassword FROM password_cache WHERE username = %0
EAPType MSCHAP-V2
NoDefault
AutoMPPEKeys
</AuthBy>
<AuthBy RADIUS>
Identifier proxy_accounting
Host
Secret
AcctPort 1813
</AuthBy>
<Handler User-Name="cisco-probe" Service-Type="NAS-Prompt-User">
AccountingHandled
<AuthBy INTERNAL>
DefaultResult ACCEPT
</AuthBy>
</Handler>
<Handler Request-Type=Accounting-Request>
AcctLogFileName %L/%Y%m%d.detail
AccountingHandled
# AuthBy proxy_accounting
</Handler>
<Handler TunnelledByPEAP=1, Realm=/^(ualberta\.ca|)$/i>
AuthByPolicy ContinueWhileReject
AuthBy LocalAccount
AuthBy CacheAuth
AuthBy PEAPLDAPAuth
PostProcessingHook file:"%D/hooks/eap_deanon_hook.pl"
</Handler>
<Handler TunnelledByTTLS=1, Realm=/^(ualberta\.ca|)$/i>
AuthByPolicy ContinueWhileReject
AuthBy LocalAccount
AuthBy LDAPBind
PostProcessingHook file:"%D/hooks/eap_deanon_hook.pl"
</Handler>
<Handler>
<AuthBy FILE>
Filename /dev/null
EAPType PEAP,TTLS
EAPTLS_CAFile /etc/ssl/certs/my_intermediate.pem
EAPTLS_CertificateType PEM
EAPTLS_CertificateFile /etc/ssl/certs/%h-cert.pem
EAPTLS_PrivateKeyFile /etc/ssl/private/%h-key.pem
EAPTLS_RandomFile %D/random
EAPTLS_MaxFragmentSize 1000
EAPTLS_PEAPVersion 0
EAPTTLS_NoAckRequired
EAPAnonymous %0
AutoMPPEKeys
</AuthBy>
PostAuthHook file:"%D/hooks/increment_authcounts.pl"
</Handler>
On Mon, Sep 16, 2013 at 1:14 PM, Heikki Vatiainen <hvn at open.com.au> wrote:
> On 09/13/2013 11:19 PM, Barry Ard wrote:
>
> > I have noticed these messages in my radiator logs for EAP-PEAP handler
> >
> > Could not load EAP module Radius::EAP_: Can't locate Radius/EAP_.pm in
> > @INC (@INC contains: /etc/radiator/hooks/ /etc/radiator/hooks .
> > /etc/perl /usr/local/lib/perl/5.14.2 /usr/local/share/perl/5.14.2
> > /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.14 /usr/share/perl/5.14
> > /usr/local/lib/site_perl) at (eval 780513) line 2.
>
> Hello Barry,
>
> you should check how you have configured the EAPType option.
>
> For example, if you have:
> EAPType PAP, PEAP
>
> the error message can be triggered because PAP is not an EAP type.
> Unknown EAP types can cause the above error.
>
> Also, the EAP related messages have changed between versions. Which
> Radiator version are you using?
>
> > If I HUP the process the messages go away. A few days ago this appears
> > to be what was causing repeated authentication failures which was
> > resolved by the HUP. I looked back at old logs and this message has
> > existed for some time but there weren't any problems reported. Of
> > course, this being a school, with students back in full force, that may
> > account for the reporting of the problem.
>
> A different category are messages which complain about unknown EAP types
> such as Radius::EAP_123. These can be caused by out of sequence,
> corrupted or otherwise unexpected messages. These are sometimes seen.
>
> > I now have a process which monitors the log files (2 servers with 10
> > radiusd processes) and alarms if this message is noticed.
> >
> > I have trace level 4 debug logs if interested.
> >
> >
> > --
> >
> > Barry Ard barry.ard at ualberta.ca
> > <mailto:barry.ard at ualberta.ca>
> > Network Operations
> > Academic Information and Communication Technologies (AICT)
> > University of Alberta
> > Edmonton, Alberta Canada
> >
> >
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
> >
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
--
Barry Ard barry.ard at ualberta.ca
Network Operations
Academic Information and Communication Technologies (AICT)
University of Alberta
Edmonton, Alberta Canada
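
Added example, not part of the original thread and not Radiator or list-member code: a sketch of the kind of log monitor mentioned above, which separates the empty-type message (`Radius::EAP_`) from the numbered unknown-type messages (`Radius::EAP_16`, `Radius::EAP_123`) and alarms only when the empty-type message repeats for one radiusd process. The log line prefix, the source names, the threshold and the window are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message text as quoted in the thread; whatever follows "EAP_" is the EAP type.
EAP_LOAD_RE = re.compile(r"Could not load EAP module Radius::EAP_(\w*)")
# Assumed line prefix: "Sat Sep 14 10:00:01 2013: LEVEL: message"
TS_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): ")

def classify(line):
    """Return None, ("empty", "") or ("unknown_type", "<suffix>")."""
    m = EAP_LOAD_RE.search(line)
    if m is None:
        return None
    return ("empty", "") if m.group(1) == "" else ("unknown_type", m.group(1))

def scan(records, threshold=3, window=timedelta(seconds=60)):
    """records: iterable of (source, line). Returns (alarms, per-source counts)."""
    recent = defaultdict(deque)   # timestamps of empty-type hits per source
    counts = defaultdict(lambda: {"empty": 0, "unknown_type": 0})
    alarms = []
    for source, line in records:
        kind, ts = classify(line), TS_RE.match(line)
        if kind is None or ts is None:
            continue
        counts[source][kind[0]] += 1
        if kind[0] != "empty":
            continue              # numbered types are counted, not alarmed on
        when = datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S %Y")
        q = recent[source]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop hits that fell out of the window
        if len(q) == threshold:   # fires when the count reaches the threshold
            alarms.append((source, when))
    return alarms, dict(counts)

SAMPLE = [  # constructed lines; only the message text comes from the thread
    ("radiusd-3", "Sat Sep 14 10:00:01 2013: ERR: Could not load EAP module Radius::EAP_: Can't locate Radius/EAP_.pm in @INC"),
    ("radiusd-7", "Sat Sep 14 10:00:05 2013: ERR: Could not load EAP module Radius::EAP_16: ..."),
    ("radiusd-3", "Sat Sep 14 10:00:09 2013: ERR: Could not load EAP module Radius::EAP_: ..."),
    ("radiusd-3", "Sat Sep 14 10:00:20 2013: ERR: Could not load EAP module Radius::EAP_: ..."),
    ("radiusd-3", "Sat Sep 14 10:00:21 2013: INFO: Access accepted"),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```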