
FreeRADIUS does not return parameters from radreply

I'm setting up RADIUS.

I test with radtest: parameters from radgroupreply are returned, but those from radreply are not. The debug output shows that it does not even read this table.

Why is that?

 

rad_recv: Access-Request packet from host 127.0.0.1 port 55588, id=70, length=98
User-Name = "10.230.51.15"
User-Password = "VasExperts.FastDPI"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0xb290d0abf4b714e3816e9ed04aa67282
# Executing section authorize from file /etc/freeradius/sites-enabled/sql
+group authorize {
[sql] 	expand: %{User-Name} -> 10.230.51.15
[sql] sql_set_user escaped user --> '10.230.51.15'
rlm_sql (sql): Reserving sql socket id: 12
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '10.230.51.15'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '10.230.51.15'           ORDER BY priority
[sql] 	expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'subscribers'           ORDER BY id
[sql] User found in group subscribers
[sql] 	expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'subscribers'           ORDER BY id
rlm_sql (sql): Released sql socket id: 12
++[sql] = ok
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
# Executing section post-auth from file /etc/freeradius/sites-enabled/sql
+group post-auth {
[sql] 	expand: %{User-Name} -> 10.230.51.15
[sql] sql_set_user escaped user --> '10.230.51.15'
[sql] 	expand: %{User-Password} -> VasExperts.FastDPI
[sql] 	expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '10.230.51.15',                           'VasExperts.FastDPI',                           'Access-Accept', '2017-07-17 20:01:28')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '10.230.51.15',                           'VasExperts.FastDPI',                           'Access-Accept', '2017-07-17 20:01:28')
rlm_sql (sql): Reserving sql socket id: 11
rlm_sql (sql): Released sql socket id: 11
++[sql] = ok
+} # group post-auth = ok
Sending Access-Accept of id 70 to 127.0.0.1 port 55588
Finished request 14.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 14 ID 70 with timestamp +661
Ready to process requests.


Does it output this?

user@host:/etc/freeradius/mods-enabled# grep authreply_table sql
authreply_table = "radreply"

 

And something else to check (I haven't used it myself):

       # If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
       # If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
#       read_groups = yes

       # If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
       # If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
#       read_profiles = yes

Edited by snvoronkov


I thought it wasn't working because my FreeRADIUS was old, so I upgraded to the latest version, and it's all the same :(

 

Does it output this?

user@host:/etc/freeradius/mods-enabled# grep authreply_table sql
authreply_table = "radreply"

It outputs:

# grep authreply_table /etc/freeradius/3.0/mods-enabled/sql
       authreply_table = "radreply"

 

As for Fall-Through, I figured it out on the hundredth attempt. It has nothing to do with this, because the group replies are read after radreply, and Fall-Through has to be written in radreply, and radreply is not being read...


Here is the log itself, but again there is not a single mention of radreply in it

(0) sql: EXPAND %{User-Name}
(0) sql:    --> 10.11.100.254
(0) sql: SQL-User-Name set to '10.11.100.254'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10.11.100.254' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10.11.100.254' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = '10.11.100.254' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '10.11.100.254' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Group "subscribers": Conditional check items matched
(0) sql: Group "subscribers": Merging assignment check items
(0) sql:   Auth-Type := Accept
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Group "subscribers": Merging reply items
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.23-MariaDB-9+deb9u1, protocol version 10
(0)     [sql] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user


ThreeDHead, is "Auth-Type := Accept" set in the group? If so, it doesn't look any further. It's already an accept anyway.


As a crazy idea, I specified the assignment operator (:=) in the check instead of the comparison operator (==), and it started working.

Apparently I don't yet understand how and where to use them.

 

snvoronkov, thanks for the discussion.

 

MariaDB [radius]> SELECT * FROM `radcheck`;
+----+---------------+--------------------+----+--------------------+
| id | username      | attribute          | op | value              |
+----+---------------+--------------------+----+--------------------+
|  1 | 10.11.100.254 | Cleartext-Password | := | VasExperts.FastDPI |
+----+---------------+--------------------+----+--------------------+
1 row in set (0.00 sec)

 

(0) sql: EXPAND %{User-Name}
(0) sql:    --> 10.11.100.254
(0) sql: SQL-User-Name set to '10.11.100.254'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10.11.100.254' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10.11.100.254' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   Cleartext-Password := "VasExperts.FastDPI"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '10.11.100.254' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '10.11.100.254' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = '10.11.100.254' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '10.11.100.254' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Group "subscribers": Conditional check items matched
(0) sql: Group "subscribers": Merging assignment check items
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Group "subscribers": Merging reply items


As a crazy idea, I specified the assignment operator (:=) in the check instead of the comparison operator (==), and it started working.

That is not a crazy idea for 'Cleartext-Password'. That is exactly how it should be!

 

Just the other day I stepped on the same rake: I'm migrating a service from freeradius 1.x with "Password ==" attributes to freeradius 3.x

 

See the difference between the operators here:

 

https://wiki.freeradius.org/config/Operators

 

For a check attribute:

'==' is not a comparison; it means the attribute IS present AND has THIS value. 'Cleartext-Password' is not seen in requests from BRASes in the wild. :-)

':=' is just right for 'Cleartext-Password'! It means the attribute must be SET for the subsequent check.
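
Added example (not part of the original posts and not FreeRADIUS code): a simplified Python model of the lookup order visible in the two debug logs, showing why a `Cleartext-Password ==` check row makes the server skip radreply while `:=` lets it be read. The `==` row is an assumed "before" state, and the reply rows are constructed sample data.

```python
# Simplified model of the rlm_sql authorize order visible in the debug logs:
# radcheck -> radreply (only when the check items match) -> group reply.
# Added illustration, not FreeRADIUS source. Fall-Through and reply-item
# operators are not modelled.

SET_OPS = {":=", "+="}  # assignment: placed in control, never compared

def check_items_match(request, check_rows):
    """Return (matched, control) for the user's radcheck rows."""
    control = {}
    for attr, op, value in check_rows:
        if op in SET_OPS:
            control[attr] = value          # kept for a later module such as pap
        elif op == "==":
            if request.get(attr) != value: # absent or different -> no match
                return False, {}
        else:
            raise ValueError(f"operator {op!r} is not modelled")
    return True, control

def authorize(request, radcheck, radreply, radgroupreply):
    """Return (tables_read, reply) for one Access-Request."""
    tables, reply = ["radcheck"], {}
    matched, _control = check_items_match(request, radcheck)
    if matched:                            # radreply is queried only on a match
        tables.append("radreply")
        reply.update(radreply)
    tables.append("radgroupreply")
    reply.update(radgroupreply)
    return tables, reply

# Constructed sample data. The request carries User-Password, as radtest
# sends it; it never carries Cleartext-Password.
REQUEST = {"User-Name": "10.11.100.254", "User-Password": "VasExperts.FastDPI"}
RADREPLY = {"Reply-Message": "per-user reply"}   # constructed row
GROUPREPLY = {"Session-Timeout": "3600"}         # constructed row
CHECK_EQ = [("Cleartext-Password", "==", "VasExperts.FastDPI")]   # assumed "before"
CHECK_SET = [("Cleartext-Password", ":=", "VasExperts.FastDPI")]  # row shown in the thread

def demo():
    return (authorize(REQUEST, CHECK_EQ, RADREPLY, GROUPREPLY),
            authorize(REQUEST, CHECK_SET, RADREPLY, GROUPREPLY))

if __name__ == "__main__":
    for tables, reply in demo():
        print(tables, reply)
```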
