
Freeradius и MD5

Всем привет!

У меня есть Freeradius 1.0.1 и RADIUS-клиент, который посылает запросы на авторизацию с MD5-хешем пароля вот такого вида:

 

Packet-Type = Access-Request

Wed Oct 27 08:31:27 2004

User-Name = "user"

NAS-IP-Address = 10.0.0.1

NAS-Port-Type = Async

Service-Type = Login-User

Cisco-AVPair = "xpgk-md5-auth=user/1076653854/09456456456daebe7e6a564083ebd7e6"

Cisco-AVPair = "xpgk-request-type=user"

Client-IP-Address = 10.0.0.1

 

Но радиус упорно не хочет понимать MD5, требует атрибут User-Password. Вот лог:

 

rad_recv: Access-Request packet from host 10.0.0.1:1812, id=71, length=148

User-Name = "user"

NAS-IP-Address = 10.0.0.1

NAS-Port-Type = Async

Service-Type = Login-User

Cisco-AVPair = "xpgk-md5-auth=user/1076653854/09456456456daebe7e6a564083ebd7e6"

Cisco-AVPair = "xpgk-request-type=user"

Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 4

modcall[authorize]: module "preprocess" returns ok for request 4

radius_xlat: '/var/log/freeradius/radacct/10.0.0.1/auth-detail-20041026'

rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/194.13

modcall[authorize]: module "auth_log" returns ok for request 4

modcall[authorize]: module "chap" returns noop for request 4

modcall[authorize]: module "mschap" returns noop for request 4

rlm_eap: No EAP-Message, not doing EAP

modcall[authorize]: module "eap" returns noop for request 4

radius_xlat: 'user'

rlm_sql (pgsql-voip): sql_set_user escaped user --> 'user'

radius_xlat: 'exec my_auth 'user''

rlm_sql (pgsql-voip): Reserving sql socket id: 20

query: exec my_auth 'user'

radius_xlat: ''

radius_xlat: ''

radius_xlat: ''

rlm_sql (pgsql-voip): Released sql socket id: 20

modcall[authorize]: module "pgsql-voip" returns ok for request 4

modcall: group authorize returns ok for request 4

auth: type Local

auth: No User-Password or CHAP-Password attribute in the request

auth: Failed to validate the user.

Login incorrect: [user/<no User-Password attribute>] (from client localhost port 0)

 

 

Подскажите, как научить Freeradius понимать MD5?


Конфиг радиуса покажи в области modules { и authorize {

authorize {
    # Modules run in the order listed. The posted log shows chap, mschap and
    # eap returning "noop" (no CHAP-Password, no MS-CHAP attributes, no
    # EAP-Message) and pgsql-voip returning "ok"; the server then uses
    # Auth-Type Local, which requires a User-Password or CHAP-Password
    # attribute that this request does not carry. None of the modules
    # enabled here reads the "xpgk-md5-auth=..." Cisco-AVPair, and pap is
    # not listed at all. The authenticate { } section is not in this post.

    preprocess

    auth_log

#    attr_filter

    chap

    mschap

#    digest

#    IPASS

#    suffix

#    ntdomain

    eap

#    files

    pgsql-voip

#    etc_smbpasswd

#    ldap

#    daily

#    checkval

}



.....



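modules {
    # Module *definitions*. An instance only runs if it is also named in
    # authorize/authenticate/accounting. The posted authorize { } calls
    # preprocess, auth_log, chap, mschap, eap and pgsql-voip; the
    # authenticate { } section is not shown, so the Auth-Type handlers that
    # are actually wired up cannot be checked from this post.

    # NOTE(review): pap's encryption_scheme describes how the password stored
    # for the user is hashed, not how the password arrives on the wire
    # (confirm against the rlm_pap docs for 1.0.1). pap is not listed in the
    # posted authorize { }, and nothing in this file consumes the
    # "xpgk-md5-auth=user/<nonce>/<hash>" Cisco-AVPair from the request --
    # which matches the log's "No User-Password or CHAP-Password attribute".
    pap {
        encryption_scheme = md5
    }

    chap {
        authtype = CHAP
    }

    pam {
        pam_auth = radiusd
    }

    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }

    # The eap { } instance comes from eap.conf (posted separately in the thread).
$INCLUDE ${confdir}/eap.conf

    mschap {
        authtype = MS-CHAP
        #use_mppe = no
        #require_encryption = yes
        #require_strong = yes
        #with_ntdomain_hack = no
        #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }

    # Realm instances. None of them is enabled in the posted authorize { }
    # (IPASS, suffix and ntdomain are commented out there), so User-Name
    # reaches the SQL module unmodified.
    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }

    #  'username@realm'
    #
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }

    #  'username%realm'
    #
    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }

    #
    #  'domainuser'
    #
    realm ntdomain {
        format = prefix
        # NOTE(review): an empty delimiter cannot split anything. The stock
        # ntdomain instance uses a backslash here, and the 'domain\user'
        # comment above has lost its backslash too, so this looks like a
        # paste/escaping artefact rather than intent -- confirm against the
        # file on disk.
        delimiter = ""
        ignore_default = no
        ignore_null = no
    }

    checkval {
        # The attribute to look for in the request
        item-name = Calling-Station-Id

        # The attribute to look for in check items. Can be multi valued
        check-name = Calling-Station-Id

        # The data type. Can be
        # string,integer,ipaddr,date,abinary,octets
        data-type = string

        # If set to yes and we dont find the item-name attribute in the
        # request then we send back a reject
        # DEFAULT is no
        #notfound-reject = no
    }

    # h323-*-time normalisation: each attribute has a pair of rewrites. The
    # "[a-zA-Z]" pass (max_matches = 6) removes letters from the value,
    # presumably the weekday/month/zone words of the NAS timestamp -- verify
    # against the NAS's real format. The "...1" instances then do a single
    # anchored replacement. None of these instances is referenced in the
    # posted authorize { }.
    attr_rewrite  h323_setup_time  {
        attribute = h323-setup-time
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = packet
        searchfor = "[a-zA-Z]"
        replacewith = ""
        ignore_case = no
        new_attribute = no
        max_matches = 6
        ## If set to yes then the replace string will be appended to the original string
        append = no
    }
    attr_rewrite  h323_setup_time1  {
        attribute = h323-setup-time
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = packet
        # NOTE(review): "^[.*]" is a character class -- it matches one literal
        # '.' or '*' at the start of the value, not "anything". If the intent
        # was to strip a leading run of characters, this pattern needs
        # checking (same in the other "...1" instances below).
        searchfor = "^[.*]"
        replacewith = ""
        ignore_case = no
        new_attribute = no
        max_matches = 1
        ## If set to yes then the replace string will be appended to the original string
        append = no
    }
    attr_rewrite  h323_connect_time  {
        attribute = h323-connect-time
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = packet
        searchfor = "[a-zA-Z]"
        replacewith = ""
        ignore_case = no
        new_attribute = no
        max_matches = 6
        ## If set to yes then the replace string will be appended to the original string
        append = no
    }
    attr_rewrite  h323_connect_time1  {
        attribute = h323-connect-time
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = packet
        searchfor = "^[.*]"
        replacewith = ""
        ignore_case = no
        new_attribute = no
        max_matches = 1
        ## If set to yes then the replace string will be appended to the original string
        append = no
    }
    attr_rewrite  h323_disconnect_time  {
        attribute = h323-disconnect-time
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = packet
        searchfor = "[a-zA-Z]"
        replacewith = ""
        ignore_case = no
        new_attribute = no
        max_matches = 6
        ## If set to yes then the replace string will be appended to the original string
        append = no
    }
    attr_rewrite  h323_disconnect_time1  {
        # Fixed: this instance pointed at h323-connect-time (copy/paste slip
        # from h323_connect_time1). Had the instances been called, the
        # disconnect timestamp would have skipped its second pass and the
        # connect timestamp would have received it twice.
        attribute = h323-disconnect-time
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = packet
        searchfor = "^[.*]"
        replacewith = ""
        ignore_case = no
        new_attribute = no
        max_matches = 1
        ## If set to yes then the replace string will be appended to the original string
        append = no
    }

    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints

        with_ascend_hack = no
        ascend_channels_per_line = 23

        with_ntdomain_hack = no

        with_specialix_jetstream_hack = no

        # The posted request carries Cisco-AVPair "name=value" strings; this
        # hack is what lets preprocess interpret such pairs as attributes.
        # Presumably the xpgk-* names have no dictionary entry and stay as
        # Cisco-AVPair -- confirm with a debug run.
        with_cisco_vsa_hack = yes
    }

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }

    # auth_log writes every Access-Request verbatim (the log above shows it
    # expanding to radacct/<client-ip>/auth-detail-<date>). Those files carry
    # the MD5 strings and any User-Password attribute a client sends, so the
    # 0600 mode is the right choice here -- keep it.
    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }

    # NOTE(review): the instance used in authorize { } and in the log is
    # named pgsql-voip, while this file is mssql-voip.conf. The instance name
    # is set inside the included file, so this may just be the filename, but
    # it is worth confirming which database is actually queried. The thread
    # later says the user passwords are stored in MSSQL in the clear; nothing
    # in the posted config derives the NAS's "user/<nonce>/<hash>" value from
    # them, so the MD5 request cannot be verified by any listed module.
    $INCLUDE  ${confdir}/mssql-voip.conf

    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    # sradutmp is the reduced utmp (callerid off) and is world-readable here;
    # that is the stock setting for radwho-style queries by non-root users --
    # confirm it holds nothing you consider sensitive.
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    # NOTE(review): %{User-Name} here is taken straight from the request, i.e.
    # it is client-controlled input handed to an external program. This
    # instance is not referenced in the posted authorize { }; keep exec
    # instances that expand request attributes out of the request path
    # unless the program is known to tolerate arbitrary input.
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }

}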


и вдогонку eap.conf

 

Хотя freeradius его не использует, говорит:

rlm_eap: No EAP-Message, not doing EAP

 

#

#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server

#  is smart enough to figure this out on its own.  The most

#  common side effect of setting 'Auth-Type := EAP' is that the

#  users then cannot use ANY other authentication method.

#

#    $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $

#

    eap {
 # NOTE(review): rlm_eap only acts on requests that carry an EAP-Message.
 # The posted log says "No EAP-Message, not doing EAP", so this instance
 # (and its EAP-MD5 default below) plays no part in the Cisco-AVPair MD5
 # problem discussed in the thread; EAP-MD5 is a different mechanism from
 # the "xpgk-md5-auth=..." value the client sends.

 default_eap_type = md5

 timer_expire     = 60

 ignore_unknown_eap_types = no

 cisco_accounting_username_bug = no

 md5 {



 }

 leap {

 }

 gtc {

     #challenge = "Password: "

     auth_type = PAP

 }



 mschapv2 {

 }

    }


Прошу прощения, но где у тебя пользователи хранятся?


в mssql в открытом виде.

 

если пароль приходит атрибутом User-Password, то всё нормально

в mssql в открытом виде.
А где у тебя это написано?

 

У меня так:

 

authorize {
# The replier's own (minimal) authorize section, shown for comparison:
# only the SQL instance and mschap, no preprocess/auth_log/chap/eap.

sql

mschap

}


у меня тоже:

 

authorize {
# Same module list as the full config posted above. The "<---" is the
# poster's own marker (not config syntax) pointing at the SQL instance,
# which the log shows running "exec my_auth 'user'" for the request.

preprocess

auth_log

chap

mschap

eap

pgsql-voip <---

}

 

стукни мне в асю 98188683

