Hi Heikki,

I am including my sanitized radius configuration so maybe you can see something that I can't. This has worked well for years. There are 2 radius servers with 10 radiusd processes behind a proxy. On Saturday one process was repeatedly receiving the "Could not load EAP module Radius::EAP_" messages. I am running 4.11 but am in the process of scheduling a change to move to 4.12. I do occasionally get messages like 'Could not load EAP module Radius::EAP_16'.
I was thinking this was purely a client configuration issue but when HUP'ing the process made it go away I became suspicious.

#LogStdout
#Foreground
Trace 3
AuthPort AUTH_PORT_NUMBER
AcctPort
LogDir /var/log/radiator/uws
DbDir /etc/radiator
BindAddress 127.0.0.1
LogFile %L/%Y%m%d-N.log
DictionaryFile /usr/local/radiator/dictionary
#User radius
#Group radius
DefineGlobalVar AuthCountsLogFile %L/authcounts-%Y%m%d-N.log
DefineGlobalVar AuthCountsLogInterval 300
DefineGlobalVar AuthCountsAuthNames LDAP,Local,Cache
MainLoopHook file:"%D/hooks/uws-mainloop.pl"
StartupHook file:"%D/hooks/uws-startup-hook.pl"

#
# Only accept requests from the head node. This may be 127.0.0.1 or a
# different host.
#
<Client 127.0.0.1>
    Identifier UA-WISM
    Secret notsecret
    DupInterval 10
    # from Radiator Ref Sec. 5.44.5
    # When EAPBALANCE is used in a ServerFarm architecture to proxy requests to
    # a set of backend RADIUS servers, the duplicate detection in the back end
    # servers can be defeated by changes to requests made by the server farm. It
    # is therefore essential that all the backend servers in such an
    # architecture have the UseContentsForDuplicateDetection flag set in the
    # receiving Client clauses.
    UseContentsForDuplicateDetection
</Client>

<Monitor>
    Username nos
    Port MONITOR_PORT_NUMBER
</Monitor>

<AuthBy FILE>
    Identifier LocalAccount
    AddToReply Reply-Message=AuthedByLocal
    Filename %D/users-uws-local
    NoDefault
</AuthBy>

<AuthBy LDAP2>
    Identifier PEAPLDAPAuth
    AddToReply Reply-Message=AuthedByLDAP
    UsernameMatchesWithoutRealm
    Host ******************
    AuthDN ******************
    AuthPassword ******************
    BaseDN ou=people,dc=ualberta,dc=ca
    UsernameAttr uid
    PasswordAttr sambaNTPassword
    TranslatePasswordHook sub { return "{nthash}$_[0]"; }
    UseSSL
    SSLVerify require
    SSLCAPath /etc/ssl/certs
    EAPType MSCHAP-V2
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
    Timeout 10
    FailureBackoffTime 0
    NoDefault
    PostSearchHook file:"%D/hooks/ldap_postsearchhook.pl"
</AuthBy>

<AuthBy LDAP2>
    Identifier LDAPBind
    AddToReply Reply-Message=AuthedByLDAP
    Host
    BaseDN
    ServerChecksPassword
    UsernameMatchesWithoutRealm
    UseSSL
    SSLVerify require
    SSLCAPath /etc/ssl/certs
    Timeout 10
    FailureBackoffTime 0
    NoDefault
</AuthBy>

<AuthBy SQL>
    Identifier CacheAuth
    AddToReply Reply-Message=AuthedByCache
    DBSource dbi:mysql:dbname=radius:host=127.0.0.1
    DBUsername nos
    DBAuth
    TranslatePasswordHook sub { return "{nthash}$_[0]"; }
    AuthSelect SELECT ntpassword FROM password_cache WHERE username = %0
    EAPType MSCHAP-V2
    NoDefault
    AutoMPPEKeys
</AuthBy>

<AuthBy RADIUS>
    Identifier proxy_accounting
    Host
    Secret
    AcctPort 1813
</AuthBy>

<Handler User-Name="cisco-probe" Service-Type="NAS-Prompt-User">
    AccountingHandled
    <AuthBy INTERNAL>
        DefaultResult ACCEPT
    </AuthBy>
</Handler>

<Handler Request-Type=Accounting-Request>
    AcctLogFileName %L/%Y%m%d.detail
    AccountingHandled
    # AuthBy proxy_accounting
</Handler>

<Handler TunnelledByPEAP=1, Realm=/^(ualberta\.ca|)$/i>
    AuthByPolicy ContinueWhileReject
    AuthBy LocalAccount
    AuthBy CacheAuth
    AuthBy PEAPLDAPAuth
    PostProcessingHook file:"%D/hooks/eap_deanon_hook.pl"
</Handler>

<Handler TunnelledByTTLS=1, Realm=/^(ualberta\.ca|)$/i>
    AuthByPolicy ContinueWhileReject
    AuthBy LocalAccount
    AuthBy LDAPBind
    PostProcessingHook file:"%D/hooks/eap_deanon_hook.pl"
</Handler>

<Handler>
    <AuthBy FILE>
        Filename /dev/null
        EAPType PEAP,TTLS
        EAPTLS_CAFile /etc/ssl/certs/my_intermediate.pem
        EAPTLS_CertificateType PEM
        EAPTLS_CertificateFile /etc/ssl/certs/%h-cert.pem
        EAPTLS_PrivateKeyFile /etc/ssl/private/%h-key.pem
        EAPTLS_RandomFile %D/random
        EAPTLS_MaxFragmentSize 1000
        EAPTLS_PEAPVersion 0
        EAPTTLS_NoAckRequired
        EAPAnonymous %0
        AutoMPPEKeys
    </AuthBy>
    PostAuthHook file:"%D/hooks/increment_authcounts.pl"
</Handler>

On Mon, Sep 16, 2013 at 1:14 PM, Heikki Vatiainen <h...@open.com.au> wrote:

> On 09/13/2013 11:19 PM, Barry Ard wrote:
>
> > I have noticed these messages in my radiator logs for EAP-PEAP handler
> >
> > Could not load EAP module Radius::EAP_: Can't locate Radius/EAP_.pm in
> > @INC (@INC contains: /etc/radiator/hooks/ /etc/radiator/hooks .
> > /etc/perl /usr/local/lib/perl/5.14.2 /usr/local/share/perl/5.14.2
> > /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.14 /usr/share/perl/5.14
> > /usr/local/lib/site_perl) at (eval 780513) line 2.
>
> Hello Barry,
>
> you should check how you have configured the EAPType option.
>
> For example, if you have:
> EAPType PAP, PEAP
>
> the error message can be triggered because PAP is not an EAP type.
> Unknown EAP types can cause the above error.
>
> Also, the EAP related messages have changed between versions. Which
> Radiator version are you using?
>
> > If I HUP the process the messages go away. A few days ago this appears
> > to be what was causing repeated authentication failures which was
> > resolved by the HUP. I looked back at old logs and this message has
> > existed for some time but there weren't any problems reported. Of
> > course, this being a school, with students back in full force, that may
> > account for the reporting of the problem.
>
> A different category are messages which complain about unknown EAP types
> such as Radius::EAP_123. These can be caused by out of sequence,
> corrupted or otherwise unexpected messages. These are sometimes seen.
>
> > I now have a process which monitors the log files (2 servers with 10
> > radiusd processes) and alarms if this message is noticed.
> >
> > I have trace level 4 debug logs if interested.
> >
> >
> > --
> >
> > Barry Ard barry....@ualberta.ca
> > <mailto:barry....@ualberta.ca>
> > Network Operations
> > Academic Information and Communication Technologies (AICT)
> > University of Alberta
> > Edmonton, Alberta Canada
> >
> >
> > _______________________________________________
> > radiator mailing list
> > radiator@open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
> >
>
>
> --
> Heikki Vatiainen <h...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>

--
Barry Ard barry....@ualberta.ca
Network Operations
Academic Information and Communication Technologies (AICT)
University of Alberta
Edmonton, Alberta Canada
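
An added example, not part of the original thread and not Radiator code: a sketch of the kind of log monitor described above, which separates the empty "Radius::EAP_" form from numeric forms such as "Radius::EAP_16" and alarms per radiusd process. The source names, thresholds and sample log lines (including their timestamp and level prefix) are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Message text as quoted in the thread; only the suffix after "EAP_" varies.
EAP_LOAD_RE = re.compile(r"Could not load EAP module Radius::EAP_(\w*)")

def classify(suffix):
    """Map the module-name suffix to the cases discussed in the thread."""
    if suffix == "":
        return "empty"    # "Radius::EAP_": the form tied to failures until HUP
    if suffix.isdigit():
        return "numeric"  # "Radius::EAP_16", "Radius::EAP_123": sometimes seen
    return "other"

def scan(lines_by_source):
    """Count each category per log source (one source per radiusd process)."""
    counts = defaultdict(Counter)
    for source, lines in lines_by_source.items():
        for line in lines:
            m = EAP_LOAD_RE.search(line)
            if m:
                counts[source][classify(m.group(1))] += 1
    return counts

def alarms(counts, empty_threshold=3, numeric_threshold=50):
    """Return (source, category, count) to alarm on. Thresholds are assumptions."""
    hits = []
    for source, c in sorted(counts.items()):
        if c["empty"] >= empty_threshold:
            hits.append((source, "empty", c["empty"]))
        elif c["numeric"] >= numeric_threshold:
            hits.append((source, "numeric", c["numeric"]))
    return hits

# Constructed sample lines; the timestamp and level prefix are illustrative only.
SAMPLE = {
    "radiusd-3": [
        "Sat Sep 14 10:00:01 2013: ERR: Could not load EAP module Radius::EAP_: "
        "Can't locate Radius/EAP_.pm in @INC at (eval 1) line 2.",
    ] * 4,
    "radiusd-7": [
        "Sat Sep 14 10:00:05 2013: ERR: Could not load EAP module Radius::EAP_16",
        "Sat Sep 14 10:02:11 2013: INFO: Access accepted for someuser",
    ],
}

if __name__ == "__main__":
    for source, kind, n in alarms(scan(SAMPLE)):
        print(f"ALARM {source}: {n} '{kind}' EAP module load errors")
```

Keeping the counts per process matters here because only one of the ten radiusd processes showed the repeated empty-suffix errors.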