Posted

Hello everyone!

I have the following problem: I haven't been working at an ISP for long, and we decided to roll out DHCP option 82 on the network and bolt FreeRADIUS onto it.

Billing is NetUP UTM5, OS CentOS 5.5, FreeRADIUS 2. On the netup.ru forum there were scripts so that RADIUS queries the billing database, but somehow I can't even get RADIUS tied to the billing. Here is the link to my post:

Please take a look with your professional eye and tell me what's wrong?

 

http://www.netup.ru/phpbb/viewtopic.php?t=...40b84126035cfc4

Posted (edited)

I reinstalled FreeRADIUS and decided to test from scratch: created a user, checked with radtest, and it rejects me. Please tell me, anyone who has run into this: why?

 

./radtest shad test 127.0.0.1 1812 123
Sending Access-Request of id 47 to 127.0.0.1 port 1812
        User-Name = "shad"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=47, length=20

 

Here is what the debug output says:

 

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "shad", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry shad at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No "known good" password was configured for the user.
As a result, we cannot authenticate the user.
Login incorrect (No password configured for the user): [shad/test] (from client localhost port 1812)
Failed to authenticate the user.
Login incorrect: [shad/test] (from client localhost port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> shad
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 113 to 127.0.0.1 port 58368
Waking up in 4.9 seconds.
Cleaning up request 2 ID 113 with timestamp +494
Ready to process requests.

Edited by vlad_odmin
Posted

Today I reinstalled FreeRADIUS, writing down the steps in order for future reference. I looked up where the MySQL files are:

[root@admin sbin]# whereis mysql
mysql: /usr/bin/mysql /usr/lib/mysql /usr/include/mysql /usr/share/mysql /usr/share/man/man1/mysql.1.gz

 

./configure --prefix=/opt/freeradius --with-rlm-mysql-lib-dir=/usr/lib/mysql --with-rlm-mysql-include-dir=/usr/include/mysql
make all install
chown -R radiusd:radiusd /opt/freeradius
Add to the users file:
shad Auth-Type = Local, User-Password := "test" 
    Service-Type = Framed-User, 
    Framed-Protocol = PPP, 
    Framed-IP-Address = 195.168.0.15, 
    Framed-IP-Netmask = 255.255.255.0, 

In clients.conf we set:
secret = 123
shortname = localhost
nastype = other
Edit radiusd.conf:
user=radiusd
group=radiusd

listen {
        ipaddr = *
#       ipv6addr = ::
        port = 1812
        type = auth
#       interface = eth0
#       clients = per_socket_clients
}

listen {
        ipaddr = *
#       ipv6addr = ::
        port = 1813
        type = acct
#       interface = eth0
#       clients = per_socket_clients
}

hostname_lookups = yes

 

So after the install and a little configuration, on the first start it prints these errors:

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................................................+........+.....
........+..........................................+..................+.........+
.....................+...+.......+.+..........................+...+..............
.......................................+.....................+...................
.........................................+.......................................
..+............Child PID 20002 is taking too much time: forcing failure and killing child.
rlm_eap: Failed to initialize type tls
/opt/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to load module "eap".
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.

 

And here is what the second start printed (I tried it right after the first one):

[root@admin sbin]# ./radiusd -X
FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu, built on Jun 29 2010 at 10:43:06
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /opt/freeradius/etc/raddb/radiusd.conf
including configuration file /opt/freeradius/etc/raddb/proxy.conf
including configuration file /opt/freeradius/etc/raddb/clients.conf
including files in directory /opt/freeradius/etc/raddb/modules/
including configuration file /opt/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /opt/freeradius/etc/raddb/modules/sql_log
including configuration file /opt/freeradius/etc/raddb/modules/counter
including configuration file /opt/freeradius/etc/raddb/modules/acct_unique
including configuration file /opt/freeradius/etc/raddb/modules/unix
including configuration file /opt/freeradius/etc/raddb/modules/attr_rewrite
including configuration file /opt/freeradius/etc/raddb/modules/echo
including configuration file /opt/freeradius/etc/raddb/modules/sradutmp
including configuration file /opt/freeradius/etc/raddb/modules/detail
including configuration file /opt/freeradius/etc/raddb/modules/realm
including configuration file /opt/freeradius/etc/raddb/modules/chap
including configuration file /opt/freeradius/etc/raddb/modules/always
including configuration file /opt/freeradius/etc/raddb/modules/ippool
including configuration file /opt/freeradius/etc/raddb/modules/exec
including configuration file /opt/freeradius/etc/raddb/modules/preprocess
including configuration file /opt/freeradius/etc/raddb/modules/files
including configuration file /opt/freeradius/etc/raddb/modules/smsotp
including configuration file /opt/freeradius/etc/raddb/modules/mschap
including configuration file /opt/freeradius/etc/raddb/modules/krb5
including configuration file /opt/freeradius/etc/raddb/modules/radutmp
including configuration file /opt/freeradius/etc/raddb/modules/expiration
including configuration file /opt/freeradius/etc/raddb/modules/detail.log
including configuration file /opt/freeradius/etc/raddb/modules/mac2ip
including configuration file /opt/freeradius/etc/raddb/modules/cui
including configuration file /opt/freeradius/etc/raddb/modules/attr_filter
including configuration file /opt/freeradius/etc/raddb/modules/etc_group
including configuration file /opt/freeradius/etc/raddb/modules/logintime
including configuration file /opt/freeradius/etc/raddb/modules/expr
including configuration file /opt/freeradius/etc/raddb/modules/mac2vlan
including configuration file /opt/freeradius/etc/raddb/modules/perl
including configuration file /opt/freeradius/etc/raddb/modules/wimax
including configuration file /opt/freeradius/etc/raddb/modules/pap
including configuration file /opt/freeradius/etc/raddb/modules/checkval
including configuration file /opt/freeradius/etc/raddb/modules/detail.example.com
including configuration file /opt/freeradius/etc/raddb/modules/ntlm_auth
including configuration file /opt/freeradius/etc/raddb/modules/smbpasswd
including configuration file /opt/freeradius/etc/raddb/modules/policy
including configuration file /opt/freeradius/etc/raddb/modules/passwd
including configuration file /opt/freeradius/etc/raddb/modules/pam
including configuration file /opt/freeradius/etc/raddb/modules/ldap
including configuration file /opt/freeradius/etc/raddb/modules/otp
including configuration file /opt/freeradius/etc/raddb/modules/linelog
including configuration file /opt/freeradius/etc/raddb/modules/digest
including configuration file /opt/freeradius/etc/raddb/modules/inner-eap
including configuration file /opt/freeradius/etc/raddb/eap.conf
including configuration file /opt/freeradius/etc/raddb/policy.conf
including files in directory /opt/freeradius/etc/raddb/sites-enabled/
including configuration file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel
including configuration file /opt/freeradius/etc/raddb/sites-enabled/default
including configuration file /opt/freeradius/etc/raddb/sites-enabled/control-socket
main {
        user = "radiusd"
        group = "radiusd"
        allow_core_dumps = no
}
including dictionary file /opt/freeradius/etc/raddb/dictionary
main {
        prefix = "/opt/freeradius"
        localstatedir = "/opt/freeradius/var"
        logdir = "/opt/freeradius/var/log/radius"
        libdir = "/opt/freeradius/lib"
        radacctdir = "/opt/freeradius/var/log/radius/radacct"
        hostname_lookups = yes
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid"
        checkrad = "/opt/freeradius/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
}
home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = no
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
}
home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
}
realm example.com {
        auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "123"
        shortname = "localhost"
        nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
  }
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
Module: Linked to module rlm_logintime
Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
Module: Linked to module rlm_unix
Module: Instantiating unix
  unix {
        radwtmp = "/opt/freeradius/var/log/radius/radwtmp"
  }
Module: Linked to module rlm_eap
Module: Instantiating eap
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
  }
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/opt/freeradius/etc/raddb/certs/server.pem"
        certificate_file = "/opt/freeradius/etc/raddb/certs/server.pem"
        CA_file = "/opt/freeradius/etc/raddb/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/opt/freeradius/etc/raddb/certs/dh"
        random_file = "/opt/freeradius/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/opt/freeradius/etc/raddb/certs/bootstrap"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
   }
Generating a 2048 bit RSA private key
.................+++
...............................+++
unable to write 'random state'
writing new private key to 'server.key'
-----
Generating a 2048 bit RSA private key
......................+++
...........................................................+++
unable to write 'random state'
writing new private key to 'ca.key'
-----
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul  6 06:44:02 2010 GMT
            Not After : Jul  6 06:44:02 2011 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = Example Server Certificate
            emailAddress              = admin@example.com
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
Certificate is to be certified until Jul  6 06:44:02 2011 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
MAC verified OK
Exec-Program output: openssl req -new  -out server.csr -keyout server.key -config ./server.cnf openssl req -new -x509 -keyout ca.key -out ca.pem \               -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der 
Exec-Program-Wait: plaintext: openssl req -new  -out server.csr -keyout server.key -config ./server.cnf openssl req -new -x509 -keyout ca.key -out ca.pem \              -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der 
Exec-Program: returned: 0
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
   }
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
   }
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
Module: Linked to module rlm_files
Module: Instantiating files
  files {
        usersfile = "/opt/freeradius/etc/raddb/users"
        acctusersfile = "/opt/freeradius/etc/raddb/acct_users"
        preproxy_usersfile = "/opt/freeradius/etc/raddb/preproxy_users"
        compat = "no"
  }
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
  radutmp {
        filename = "/opt/freeradius/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
        attrsfile = "/opt/freeradius/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
  }
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
  preprocess {
        huntgroups = "/opt/freeradius/etc/raddb/huntgroups"
        hints = "/opt/freeradius/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
  detail {
        detailfile = "/opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
        attrsfile = "/opt/freeradius/etc/raddb/attrs.accounting_response"
        key = "%{User-Name}"
  }
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 1812
}
listen {
        type = "acct"
        ipaddr = *
        port = 1813
}
listen {
        type = "control"
listen {
        socket = "/opt/freeradius/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /opt/freeradius/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.

I don't understand why this happens. Maybe I built it wrong? I'm building on CentOS 5.5.
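The transcript above shows what radiusd -X reports for the EAP-TLS sub-module: rsa_key_length and dh_key_length of 512, the stock private_key_password "whatever", cipher_list DEFAULT, check_crl = no, and a server certificate that the bootstrap script had just issued under the "Example Inc." test CA with a one-year validity. That is the shipped test material; it is fine for radtest but must not serve real supplicants. Below is an added example written by the editor (not code from the thread, from NetUP, or from the FreeRADIUS project) that reads the tls { } block and the certificate subject out of such a transcript and lists the settings to change before the server goes live. The input is copied from the debug output above and trimmed; the 2048-bit minimum and the list of stock values it flags are the editor's assumptions, marked in the code.

```python
"""Audit the EAP-TLS settings FreeRADIUS 2.x prints at startup (radiusd -X).

Added example for this thread, not FreeRADIUS project code. The input is the
tls { } block and certificate subject copied (trimmed) from the transcript above.
The policy thresholds and the stock values to flag are the editor's assumptions.
"""
import re

# Copied from the radiusd -X transcript in the thread, trimmed to what is needed.
DEBUG_TRANSCRIPT = """\
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        private_key_file = "/opt/freeradius/etc/raddb/certs/server.pem"
        certificate_file = "/opt/freeradius/etc/raddb/certs/server.pem"
        CA_file = "/opt/freeradius/etc/raddb/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/opt/freeradius/etc/raddb/certs/dh"
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/opt/freeradius/etc/raddb/certs/bootstrap"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
   }
Certificate Details:
        Subject:
            countryName               = FR
            organizationName          = Example Inc.
            commonName                = Example Server Certificate
"""

# Editor's assumptions: what identifies unmodified bootstrap material.
STOCK_KEY_PASSWORD = "whatever"            # default in eap.conf and certs/*.cnf
STOCK_SUBJECT_MARKERS = ("Example Inc.", "Example Server Certificate")
MIN_KEY_BITS = 2048


def parse_tls_block(text):
    """Return the key = value settings of the outermost tls { } block.

    Nested blocks such as cache { } are skipped; quoted values are unquoted.
    """
    settings, depth, in_tls = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_tls:
            in_tls = line.startswith("tls {")
            depth = 1 if in_tls else 0
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                break
            continue
        m = re.match(r'^(\w+)\s*=\s*"?(.*?)"?$', line)
        if m and depth == 1:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_subject(text):
    """Collect the 'name = value' pairs listed under 'Subject:' in the bootstrap output."""
    subject, active = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Subject:":
            active = True
            continue
        m = re.match(r'^(\w+)\s+=\s+(.*)$', line) if active else None
        if m:
            subject[m.group(1)] = m.group(2)
        elif active and line:
            active = False          # first non-matching line ends the listing
    return subject


def audit(text):
    """Return the list of findings for the tls { } block and the certificate subject."""
    tls, subject = parse_tls_block(text), parse_subject(text)
    findings = []
    for key in ("rsa_key_length", "dh_key_length"):
        bits = int(tls.get(key, "0") or 0)
        if bits < MIN_KEY_BITS:
            findings.append("%s = %d is below %d bits" % (key, bits, MIN_KEY_BITS))
    if tls.get("private_key_password") == STOCK_KEY_PASSWORD:
        findings.append('private_key_password is the stock value "%s"' % STOCK_KEY_PASSWORD)
    if tls.get("check_crl", "no") == "no":
        findings.append("check_crl = no: revoked client certificates are not rejected (matters for EAP-TLS)")
    if tls.get("cipher_list", "DEFAULT") == "DEFAULT":
        findings.append("cipher_list = DEFAULT: no explicit cipher policy")
    if tls.get("certificate_file") and tls.get("certificate_file") == tls.get("private_key_file"):
        findings.append("private key and certificate live in one file (%s)" % tls["certificate_file"])
    if any(marker in subject.get(field, "")
           for field in ("organizationName", "commonName")
           for marker in STOCK_SUBJECT_MARKERS):
        findings.append("server certificate is the bootstrap test certificate (%s)" % subject.get("commonName"))
    return findings


if __name__ == "__main__":
    for finding in audit(DEBUG_TRANSCRIPT):
        print("FINDING:", finding)
```

The "Child PID ... is taking too much time" kill on the first start comes from make_cert_command being run from radiusd's own startup, where the bootstrap script's DH parameter generation has to finish inside the exec timeout. Generating the material outside the server first (raddb/certs ships a Makefile for that; `openssl dhparam -out dh 2048` produces the dh file) avoids that timeout, and once real certificates are installed make_cert_command is not needed at all.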

 

Posted

I'm doing this:

authorize_check_query="SELECT ip_groups.ip_group_id, ip_groups.uname, 'Password', ip_groups.upass, ':=' FROM UTM5.ip_groups, UTM5.iptraffic_service_links, UTM5.service_links, UTM5.accounts WHERE ip_groups.uname = '%{SQL-User-Name}' AND ip_groups.is_deleted='0' AND iptraffic_service_links.is_deleted='0' AND service_links.is_deleted='0' AND accounts.is_deleted='0' AND accounts.is_blocked='0' AND ip_groups.ip_group_id=iptraffic_service_links.ip_group_id AND iptraffic_service_links.id=service_links.id AND service_links.account_id=accounts.id" 

authorize_reply_query="SELECT ip_group_id, uname, 'Framed-IP-Address', inet_ntoa(ip_groups.ip & 0xFFFFFFFF) AS a, ':=' FROM UTM5.ip_groups WHERE uname='%{SQL-User-Name}' AND is_deleted='0' AND av='' UNION SELECT ip_group_id, uname, 'Auth-Type', 'Reject' as a, ':=' FROM ip_groups WHERE uname='%{SQL-User-Name}' AND is_deleted='0' AND av='1'" 

accounting_stop_query="INSERT INTO dhs_sessions_log (account_id, recv_date, last_update_date, Framed_IP_Address, NAS_Port, Acct_Delay_Time, Acct_Session_Id, NAS_Port_Type, User_Name, Service_Type, Framed_Protocol, NAS_IP_Address, NAS_Id, Acct_Status_Type, Acct_Input_Packets, Acct_Input_Octets, Acct_Output_Packets, Acct_Output_Octets, Acct_Session_Time, Called_Station_Id, Calling_Station_Id) SELECT basic_account, (%l-%{Acct-Session-Time}), '%l', ((inet_aton('%{Framed-IP-Address}') &0xFFFFFFFF)-4294967296), '%{NAS-Port}', '%{Acct-Delay-Time}', '%{Acct-Session-Id}', '%{NAS-Port-Type}', '%{SQL-User-Name}', '%{Service-Type}', '%{Framed-Protocol}', ((inet_aton('%{NAS-IP-Address}')&0xFFFFFFFF)-4294967296), '%{NAS-IP-Address}', '2', '%{Acct-Input-Packets}', '%{Acct-Input-Octets}', '%{Acct-Output-Packets}', '%{Acct-Output-Octets}', '%{Acct-Session-Time}', '%{Tunnel-Server-Endpoint}', '%{Calling-Station-Id}%{Tunnel-Client-Endpoint}' FROM users WHERE login='%{SQL-User-Name}';"

And I get this in response:

rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=21, length=138
        Framed-Protocol = PPP
        User-Name = "vlad"
        MS-CHAP-Challenge = 0xd21158a08b74e1aeef47a54468f7bf7b
        MS-CHAP2-Response = 0x01bf598b922c56c5d1e04a804a93df9fd82eb702000000295a6f72fd436d98cdb3fa4d6130d226abc1713ab90cbbd2b9260e
        NAS-Port-Type = Virtual
        NAS-Port = 21
        Service-Type = Framed-User
        NAS-IP-Address = 172.16.2.40
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "vlad", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 179
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for vlad with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [vlad/<via Auth-Type = mschap>] (from client cisco3660 port 21)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> vlad
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 21 to 172.16.2.40 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 21 with timestamp +20
Ready to process requests.

 

Help me, what's the problem here?

Posted

I installed RADIUS like this: yum install freeradius2 freeradius2-mysql

I wanted to import mysql.sql from /usr/share/doc/freeradius/examples to test it, but it isn't there; there's PostgreSQL and LDAP, but no MySQL. Has anyone run into this already? I also built from source and there's still no MySQL database in examples :(((

Posted

It won't be there.

 

/usr/local/etc/raddb/sql/mysql is where the MySQL table dumps for RADIUS are.

 

/usr/local/etc/raddb/sites-available/default is the authorization config; specify there that your authorization will go through SQL, and switch everything else the hell off.

 

And google, google and google again; you can find everything you need there.

Posted

Thanks, I'll do that... I've been googling for quite a while already... it's hard because I haven't been in the ISP field long, so I hit dead ends on some questions...

 

usr/local/etc/raddb/sql/mysql: here it's empty for me; or rather, I have nothing at all in this directory: usr/local/etc/raddb/

Posted (edited)

The basis of my steps is http://www.lissyara.su/articles/freebsd/security/mpd_10/

My steps:

1 - yum install freeradius2 freeradius2-mysql freeradius2-utils
2 - Following this manual I checked a local, non-SQL user; all good: http://wiki.dodex.org/2009/07/21/freeradiusmysql/
3 - mysql -u root
> CREATE DATABASE radius;
> GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY "123";
Since the MySQL database dump did not appear in examples after the install, I downloaded FreeRADIUS version 2.0.0-pre1 from somewhere and took the dump from there:
mysql -u root radius < /tmp/examples/mysql.sql
>INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('testsql', 'Cleartext-Password', ':=', 'test123');
>INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('testsql', 'Framed-IP-Address', '=', '192.168.1.13');
>INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('testsql', 'Framed-IP-Netmask', '=', '255.255.255.255');
> INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('testsql', 'Framed-Protocol', '=', 'PPP');
> select * from radreply where UserName = 'testsql'; -- checked the entered data
mysql> select * from radreply;
+----+----------+-------------------+----+-----------------+
| id | UserName | Attribute         | op | Value           |
+----+----------+-------------------+----+-----------------+
|  1 | testsql  | Framed-IP-Address | =  | 192.168.1.13    | 
|  2 | testsql  | Framed-IP-Netmask | =  | 255.255.255.255 | 
|  3 | testsql  | Framed-Protocol   | =  | PPP             | 
+----+----------+-------------------+----+-----------------+
3 rows in set (0.00 sec)

mysql> select id, UserName, Attribute, op, value FROM radcheck;
+----+----------+--------------------+----+---------+
| id | UserName | Attribute          | op | value   |
+----+----------+--------------------+----+---------+
|  1 | testsql  | Cleartext-Password | := | test123 | 
+----+----------+--------------------+----+---------+

4 - Uncommented sql in raddb/sites-available/default in the authorize{}, accounting{}, session{} and post-auth{} sections
5 - In radiusd.conf uncommented $INCLUDE sql.conf
6 - /usr/sbin/./radiusd -X
7 - In another console I test: /usr/bin/./radtest testsql test123 localhost 1812 123

 

Here is what the debug output says:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49296, id=220, length=59
        User-Name = "testsql"
        User-Password = "test123"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> testsql
[sql] sql_set_user escaped user --> 'testsql'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, op, value           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, op, value           FROM radcheck           WHERE username = 'testsql'           ORDER BY id
rlm_sql: Invalid operator "test123" for attribute Cleartext-Password
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail
Invalid user: [testsql/test123] (from client localhost port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testsql
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 220 to 127.0.0.1 port 49296
Waking up in 4.9 seconds.

 

I don't get it; it seems to work for everyone, I'm installing by the same manuals, and it doesn't work for me.

True, most people install FreeRADIUS 1; there are small differences there.

 

freeradius 2 
shad  Auth-Type = Local, Cleartext-Password := "test"
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 192.168.0.7,
   Framed-IP-Netmask = 255.255.255.0,

freeradius 1

shad  Auth-Type := Local, User-Password == "test"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.0.7,
Framed-IP-Netmask = 255.255.255.0

Edited by vlad_odmin
Posted (edited)

The error is apparently here:

 

>INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('testsql', 'Cleartext-Password', ':=', 'test123');

>INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('testsql', 'Framed-IP-Address', '=', '192.168.1.13');

>INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('testsql', 'Framed-IP-Netmask', '=', '255.255.255.255');

> INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('testsql', 'Framed-Protocol', '=', 'PPP');

The password is compared, not assigned, so op should be ==

Framed attributes are assigned, not compared, so op should be :=

 

Also check the output of the SQL query by hand:

SELECT id, username, attribute, op, value FROM radcheck WHERE username = 'testsql' ORDER BY id

 

Whether it returns everything correctly in your case.

Edited by terrible
Posted (edited)

The error is identical :(((

 

mysql> SELECT id, username, attribute, op, value FROM radcheck WHERE username = 'vova' ORDER BY id;
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  4 | vova     | Cleartext-Password | == | vvv   | 
+----+----------+--------------------+----+-------+
1 row in set (0.00 sec)


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 35617, id=69, length=56
        User-Name = "vova"
        User-Password = "vvv"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "vova", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> vova
[sql] sql_set_user escaped user --> 'vova'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, op, value           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, op, value           FROM radcheck           WHERE username = 'vova'           ORDER BY id
rlm_sql: Invalid operator "vvv" for attribute Cleartext-Password
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 2
++[sql] returns fail
Invalid user: [vova/vvv] (from client localhost port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> vova
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 69 to 127.0.0.1 port 35617
Waking up in 4.9 seconds.
Cleaning up request 1 ID 69 with timestamp +1114
Ready to process requests.

Edited by vlad_odmin
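The message rlm_sql: Invalid operator "vvv" in this debug log comes from the SELECT list order: rlm_sql reads each radcheck row positionally as (id, username, attribute, value, op), and the query above lists op before value, so the password lands in the operator slot (the later debug log in this thread, where the query reads "attribute, value, op", gets past this point). The following Python script is an added example, not code from the thread or from FreeRADIUS; it rebuilds the single radcheck row shown above in an in-memory sqlite3 table (constructed data) and parses it both ways, using the operator set the FreeRADIUS users-file syntax accepts.

```python
import sqlite3

# Operators a FreeRADIUS check/reply item may carry in the op column.
VALID_OPS = {"=", ":=", "==", "+=", "!=", ">", ">=", "<", "<=",
             "=~", "!~", "=*", "!*"}

# Column order as in the failing debug log (op before value) ...
RADCHECK_QUERY_SWAPPED = ("SELECT id, username, attribute, op, value "
                          "FROM radcheck WHERE username = ? ORDER BY id")
# ... and as in the later, working log (value before op).
RADCHECK_QUERY_OK = ("SELECT id, username, attribute, value, op "
                     "FROM radcheck WHERE username = ? ORDER BY id")


def make_db():
    """Constructed in-memory copy of the one radcheck row shown in the thread.
    The table's own column order is irrelevant; only the SELECT list counts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER, username TEXT, "
                 "attribute TEXT, op TEXT, value TEXT)")
    conn.execute("INSERT INTO radcheck VALUES "
                 "(4, 'vova', 'Cleartext-Password', '==', 'vvv')")
    return conn


def parse_check_items(conn, query, username):
    """Parse result rows the way rlm_sql does: positionally, column 2 is the
    attribute, column 3 the value and column 4 the operator."""
    items = []
    for row in conn.execute(query, (username,)):
        attribute, value, op = row[2], row[3], row[4]
        if op not in VALID_OPS:
            # Same wording rlm_sql prints when the op column holds garbage.
            raise ValueError(f'Invalid operator "{op}" for attribute {attribute}')
        items.append({"attribute": attribute, "op": op, "value": value})
    return items


def try_query(query, username="vova"):
    """Return the parsed check items, or the rlm_sql-style error text."""
    conn = make_db()
    try:
        return parse_check_items(conn, query, username)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(try_query(RADCHECK_QUERY_SWAPPED))  # the error from the log
    print(try_query(RADCHECK_QUERY_OK))       # one parsed check item
```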
Posted

A strange request to the radius; I can't find such an attribute in my own logs:

 

Wed May 12 14:32:20 2010
    Packet-Type = Access-Request
    NAS-Identifier = "mpd"
    NAS-IP-Address = 192.168.49.36
    Message-Authenticator = 0x39b678fa6d88acce1a38844bea14fd07
    Acct-Session-Id = "3660340-P-2"
    NAS-Port = 2
    NAS-Port-Type = Virtual
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Calling-Station-Id = "192.168.180.152"
    mpd-link = "P-2"
    Tunnel-Type:0 = PPTP
    Tunnel-Medium-Type:0 = IPv4
    Tunnel-Server-Endpoint:0 = "192.168.49.36"
    Tunnel-Client-Endpoint:0 = "192.168.180.152"
    User-Name = "user33884772"
    MS-CHAP-Challenge = 0xbb1e68ce78a2360637af22a5823b9c22
    MS-CHAP2-Response = 0x0100ec4bc05e61461cfde1d9d05bf708ea38000000000000000058b5b53bcc564382fa96068c196ad6b455ced808a123b13a

 

Posted (edited)

terrible, it seems authentication goes through, look at the debug, but it doesn't output an Accept to the screen; apparently it gets stuck at Post-Auth-Type Reject. Tell me, what is that?

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 50103, id=157, length=59
        User-Name = "testing"
        User-Password = "777"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> testing
[sql] sql_set_user escaped user --> 'testing'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'testing'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'testing'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'testing'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'static'           ORDER BY id
[sql] User found in group static
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'static'           ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "777"
[pap] Using clear text password "777"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [testing] (from client localhost port 1812)
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> testing
[sql] sql_set_user escaped user --> 'testing'
[sql]   expand: %{User-Password} -> 777
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'testing',                           '777',                           'Access-Accept', '2010-07-08 14:50:49')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'testing',                           '777',                           'Access-Accept', '2010-07-08 14:50:49')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql (sql) in sql_postauth: Database query error - Unknown column 'username' in 'field list'
rlm_sql (sql): Released sql socket id: 2
++[sql] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 157 to 127.0.0.1 port 50103
Waking up in 4.9 seconds.
Cleaning up request 0 ID 157 with timestamp +9
Ready to process requests.

 

I have the feeling it's about to work; it seems there's only a little left. I haven't configured chap and mschap yet... I figure they aren't needed for local tests?

Edited by vlad_odmin
Posted

Everything is GREAT!!! It all worked!!! My first experience of a local install and test, first with a user from the file and then from the database, has ended in success... huge thanks for the help!!!

As I said, the hitch was in Post-Auth: in /raddb/sites-enable/default I commented out sql. I had uncommented it following a manual dug up on Google... anyway, the commented-out variant worked for me.

Now I'll try to hook it up to the NetUP UTM5.2.1-007 database )))))

Posted

Well, the log says so itself:

 

[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'testing',                           '777',                           'Access-Accept', '2010-07-08 14:50:49')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'testing',                           '777',                           'Access-Accept', '2010-07-08 14:50:49')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql (sql) in sql_postauth: Database query error - Unknown column 'username' in 'field list'
rlm_sql (sql): Released sql socket id: 2

 

Your radpostauth table is apparently broken, since such a query can't be executed (there is no username field).

If you see MYSQL check_error, dig into the queries and tables; on the radius side everything is fine.

Posted (edited)

I gave up on SQL queries via radius altogether and hung scripts on it that do all of this (query the database, check, return the result). The need arose because I had to hand out dynamic external IPs (this can be done using the radius from UTM, but given how crooked UTM itself is, taking their radius on top is simply buying yourself a headache all over). The point is that when an IP is issued, the script performs a URFA request to UTM writing the IP to the client; all in all it works like clockwork. I also patched freeradius so that on a wrong authorization or any other error (for example a negative balance or blocked by the administrator) I return any Windows error rather than 691.

Edited by polmax
Posted

I gave up on SQL queries via radius altogether and hung scripts on it that do all of this (query the database, check, return the result). The need arose because I had to hand out dynamic external IPs (this can be done using the radius from UTM, but given how crooked UTM itself is, taking their radius on top is simply buying yourself a headache all over). The point is that when an IP is issued, the script performs a URFA request to UTM writing the IP to the client; all in all it works like clockwork. I also patched freeradius so that on a wrong authorization or any other error (for example a negative balance or blocked by the administrator) I return any Windows error rather than 691.

I saw this solution somewhere on the Netup forum; could you drop a link? It may be needed for one project.

Posted

I'm doing it by this link, only changed the IPs to my own, 95.215.70.0 - 255

http://www.netup.ru/phpbb/viewtopic.php?t=...ql&start=15

left only the queries, commented out everything else

Debug

rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=73, length=138 
        Framed-Protocol = PPP 
        User-Name = "vlad" 
        MS-CHAP-Challenge = 0xde36c5ef55e18022613031affca5c2c4 
        MS-CHAP2-Response = 0x01bf637bfd891c9e7eb03b9e0d8835135180b70200000029fa44b57353e8631fdd2ce3b9c0b6e4afe2857423624b910bf951 
        NAS-Port-Type = Virtual 
        NAS-Port = 73 
        Service-Type = Framed-User 
        NAS-IP-Address = 172.16.2.40 
+- entering group authorize {...} 
++[preprocess] returns ok 
++[chap] returns noop 
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap' 
++[mschap] returns ok 
[sql]   expand: %{User-Name} -> vlad 
[sql] sql_set_user escaped user --> 'vlad' 
rlm_sql (sql): Reserving sql socket id: 4 
[sql]   expand: SELECT id,uname,'Cleartext-Password',upass,':=' FROM ip_groups WHERE uname='%{SQL-User-Name}' AND is_deleted='0' AND mask='-1' AND upass!='' AND (4294967295 & ip)>=INET_ATON('95.215.70.0') AND (4294967295 & ip)<=INET_ATON('95.215.70.255') AND allowed_cid!='' AND ('%{Calling-Station-Id}'=allowed_cid OR '%{Calling-Station-Id} REGEXP allowed_cid) -> SELECT id,uname,'Cleartext-Password',upass,':=' FROM ip_groups WHERE uname='vlad' AND is_deleted='0' AND mask='-1' AND upass!='' AND (4294967295 & ip)>=INET_ATON('95.215.70.0') AND (4294967295 & ip)<=INET_ATON('95.215.70.255') AND allowed_cid!='' AND (''=allowed_cid OR ' REGEXP allowed_cid) 
rlm_sql_mysql: MYSQL check_error: 1064 received 
rlm_sql_getvpdata: database query error 
[sql] SQL query error; rejecting user 
rlm_sql (sql): Released sql socket id: 4 
++[sql] returns fail 
Invalid user: [vlad/<via Auth-Type = mschap>] (from client cisco3660 port 73) 
Using Post-Auth-Type Reject 
+- entering group REJECT {...} 
[attr_filter.access_reject]     expand: %{User-Name} -> vlad 
attr_filter: Matched entry DEFAULT at line 11 
++[attr_filter.access_reject] returns updated 
Delaying reject of request 0 for 1 seconds 
Going to the next request 
Waking up in 0.9 seconds. 
Sending delayed reject for request 0 
Sending Access-Reject of id 73 to 172.16.2.40 port 1645 
Waking up in 4.9 seconds. 
Cleaning up request 0 ID 73 with timestamp +8 
Ready to process requests.

Posted

Does anyone have a working variant of Freeradius + UTM5 (static and dynamic IP addresses, pptp), and on top of that with the dynamic addresses stored in a mysql database, either in UTM5 or in another one, and bound to the client so that traffic accounting works via netflow... and with the addresses from one range, 95.X.X.1/255,255,255,128, static and the rest of the address block dynamic.

I'd be grateful for any help
