
#1  2010-11-17 15:39:31

m00n - User
Registered: 2010-11-17

Freeradius+PPPoE+Mysql+Crypt

Hello everyone,
I was sent to this forum from the goldenline.pl forum, I hope someone here knows the solution :)
But one thing at a time:

- I have a router running pfSense, which acts as the PPPoE server
- A server on Debian Lenny, which runs RADIUS
- A MySQL server with the user database, where passwords are stored in crypt form, generated from PHP

While testing with unencrypted passwords everything worked, so it was time for tests with encrypted passwords, and that's where the trouble starts...

I installed freeradius, freeradius-utils and freeradius-mysql from backports.

This is what the radcheck table looks like:

    id    username    attribute         op    value
    1     testsql     Crypt-Password    :=    $1$8anHvU.......

And radreply:

    id    username    attribute            op    value
    1     testsql     Framed-IP-Address    ==    192.168.33.100
    2     testsql     Framed-Protocol      ==    PPP
    3     testsql     Service-Type         ==    Framed-User



Here is the log from a connection attempt:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.33.254 port 62051, id=18, length=132
        NAS-Identifier = "fw"
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "0018f33cefff"
        User-Name = "testsql"
        CHAP-Password = 0x01b73ec34391365c215d3a00336cfb31f6
        CHAP-Challenge = 0xbb1e68dd146b169eec918e2b4cc7594d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql]   expand: %{User-Name} -> testsql
[sql] sql_set_user escaped user --> 'testsql'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radius_radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radius_radcheck           WHERE username = 'testsql'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radius_radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radius_radreply           WHERE username = 'testsql'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radius_radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radius_radusergroup           WHERE username = 'testsql'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "testsql" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[sql]   expand: %{User-Name} -> testsql
[sql] sql_set_user escaped user --> 'testsql'
[sql]   expand: %{User-Password} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} -> 0x01b73ec34391365c215d3a00336cfb31f6
[sql]   expand: INSERT INTO radius_radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radius_radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'testsql',                           '0x01b73ec34391365c215d3a00336cfb31f6',                           'Access-Reject', '2010-11-17 15:36:32')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radius_radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'testsql',                           '0x01b73ec34391365c215d3a00336cfb31f6',                           'Access-Reject', '2010-11-17 15:36:32')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.access_reject]     expand: %{User-Name} -> testsql
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.

In radiusd.conf, sites-enabled/default and sql.conf I only uncommented sql; I removed nothing and changed nothing.


After adding to the radcheck table:

    testsql      Auth-Type     := PAP

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.33.254 port 49062, id=120, length=143
        NAS-Identifier = "ds-firewall.pwsz.elblag.pl"
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "0018f33cefff"
        User-Name = "testsql"
        CHAP-Password = 0x01a5e48c8230880b0340178bfd4344a1be
        CHAP-Challenge = 0xbb1e68926bf7d55452474ed184a73ad1bc6ae8bcc47032ed81939b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql]   expand: %{User-Name} -> testsql
[sql] sql_set_user escaped user --> 'testsql'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radius_radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radius_radcheck           WHERE username = 'testsql'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radius_radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radius_radreply           WHERE username = 'testsql'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radius_radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radius_radusergroup           WHERE username = 'testsql'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
Found Auth-Type = PAP
Warning:  Found 2 auth-types on request for user 'testsql'
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!
++[pap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[sql]   expand: %{User-Name} -> testsql
[sql] sql_set_user escaped user --> 'testsql'
[sql]   expand: %{User-Password} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} -> 0x01a5e48c8230880b0340178bfd4344a1be
[sql]   expand: INSERT INTO radius_radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radius_radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'testsql',                           '0x01a5e48c8230880b0340178bfd4344a1be',                           'Access-Reject', '2010-11-17 15:41:44')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radius_radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'testsql',                           '0x01a5e48c8230880b0340178bfd4344a1be',                           'Access-Reject', '2010-11-17 15:41:44')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.access_reject]     expand: %{User-Name} -> testsql
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 120 to 192.168.33.254 port 49062
Waking up in 4.9 seconds.
Cleaning up request 0 ID 120 with timestamp +6
Ready to process requests.

I also tried:

    testsql      Auth-Type     := Crypt-Local

[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
Found Auth-Type = Crypt-Local
Warning:  Found 2 auth-types on request for user 'testsql'
WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'
WARNING: Use the PAP module instead.
Failed to authenticate the user.
Using Post-Auth-Type Reject

I have no strength left ;]

From what I've read, I have to force the use of PAP, but I have no idea any more how to do it. Is it possible that pfSense does not let PAP through? When I tick in the Windows client that it should only send PAP requests, it immediately throws error 619.

Last edited by m00n (2010-11-17 15:49:04)


#2  2010-11-17 16:01:25

zlyZwierz - Moderator
Registered: 2005-02-18

Re: Freeradius+PPPoE+Mysql+Crypt

Unfortunately, only cleartext passwords are supported :)


#3  2010-11-17 16:08:38

m00n - User
Registered: 2010-11-17

Re: Freeradius+PPPoE+Mysql+Crypt

Hmmm, this suggests otherwise :) so I don't know any more :P
http://forum.dug.net.pl/viewtopic.php?id=11477


#4  2010-11-17 17:02:28

zlyZwierz - Moderator
Registered: 2005-02-18

Re: Freeradius+PPPoE+Mysql+Crypt

Show me exactly where it says that encrypted passwords in the database are supported with mschap authentication..


#5  2010-11-17 17:58:23

m00n - User
Registered: 2010-11-17

Re: Freeradius+PPPoE+Mysql+Crypt

Did I write anything about MSCHAP?
I wrote that I need PAP, because from what I've read only that will do.


#6  2010-11-17 18:41:28

zlyZwierz - Moderator
Registered: 2005-02-18

Re: Freeradius+PPPoE+Mysql+Crypt

You write that you need PAP, but the pppoe server forces CHAP.
I don't know what your priority is: keeping passwords in the database in crypt form and sending them in cleartext, or keeping passwords in plain text and sending them encrypted.. ;)

What version of freeradius do you have?

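The trade-off zlyZwierz describes above, and the `[chap] Cleartext-Password is required for authentication` reject in the first post's log, come down to what each PPP authentication method lets the RADIUS server recompute. The Python below is an added example (not code from the thread, and not FreeRADIUS's own; the server delegates Crypt-Password checks to the C library's crypt(3)): with PAP the NAS sends the password masked under the RADIUS shared secret (RFC 2865 section 5.2), the server unmasks it and can re-run crypt() against the `$1$` hash in radcheck; with CHAP the NAS sends MD5(ident | password | challenge) (RFC 1994), which only the cleartext can reproduce, so a crypt hash leaves the server nothing to compare. The `md5crypt()` is a re-implementation of the `$1$` scheme that PHP's crypt() produces for a `$1$` salt; the password, salt, shared secret, authenticator and challenge values are constructed for the demo and are not values from the thread.

```python
# Added example: why CHAP needs the cleartext while PAP can be checked against a crypt() hash.
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: bytes, salt: str) -> str:
    """MD5-based crypt(3) ("$1$"), what PHP's crypt() emits for a $1$ salt; the
    salt is cut to 8 characters as libc does. Re-implemented here for the demo."""
    salt_b = salt[:8].encode()
    alt = hashlib.md5(password + salt_b + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt_b)
    n = len(password)
    while n > 0:                       # one slice of alt per 16 bytes of password
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(password)
    while n:                           # the "really weird" step of the original
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000-round stretching
        h = hashlib.md5(password if i & 1 else final)
        if i % 3:
            h.update(salt_b)
        if i % 7:
            h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        out.append("".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(4)))
    out.append("".join(ITOA64[(final[11] >> (6 * k)) & 0x3F] for k in range(2)))
    return "$1$" + salt_b.decode() + "$" + "".join(out)

def crypt_verify(password: bytes, stored: str) -> bool:
    """What rlm_pap does with a Crypt-Password check item: re-hash and compare."""
    parts = stored.split("$")          # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("only $1$ hashes are handled in this example")
    return hmac.compare_digest(md5crypt(password, parts[2]), stored)

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: the NAS XORs User-Password with MD5(secret + previous block).
    This is masking keyed by the shared secret, not strong encryption."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out += prev
    return out

def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme: the cleartext comes back, so a hash can be checked."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: the peer proves the password with MD5(ident | password | challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(chap_password: bytes, challenge: bytes, cleartext: "bytes | None") -> bool:
    """rlm_chap: CHAP-Password is ident + response. Only the cleartext lets the server
    recompute the response; with just a crypt hash it can only reject, as in the log."""
    if cleartext is None:
        raise LookupError("Cleartext-Password is required for authentication")
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, cleartext, challenge), response)

def cross_check_with_libc(password: str, salt: str) -> "bool | None":
    """Compare md5crypt() with the platform crypt(3) where Python still ships the crypt
    module (removed in 3.13); None means it could not be checked on this interpreter."""
    try:
        import crypt
    except ImportError:
        return None
    if crypt.METHOD_MD5 not in crypt.methods:
        return None
    return crypt.crypt(password, "$1$" + salt + "$") == md5crypt(password.encode(), salt)

if __name__ == "__main__":
    cleartext, secret, nonce = b"correct horse", b"testing123", bytes(range(16))  # constructed
    stored = md5crypt(cleartext, "8anHvUxy")   # assumed salt, shaped like the $1$8anHvU... row
    hidden = radius_hide_password(cleartext, secret, nonce)
    print("PAP + Crypt-Password:", crypt_verify(radius_unhide_password(hidden, secret, nonce), stored))
    chap_pw = bytes([1]) + chap_response(1, cleartext, nonce)   # nonce doubles as CHAP-Challenge
    print("CHAP + Cleartext-Password:", chap_verify(chap_pw, nonce, cleartext))
    try:
        chap_verify(chap_pw, nonce, None)       # all the server has is the crypt hash
    except LookupError as err:
        print("CHAP + Crypt-Password:", err)
```

"Cleartext on the wire" is relative: with PAP the password crosses the PPPoE link unprotected from the client to pfSense, and between pfSense and FreeRADIUS it is only XOR-masked with an MD5 stream keyed by the shared secret, so the strength of the secret and the trust in the network between NAS and server carry that path. Storing cleartext so that CHAP (or MS-CHAP) can work moves the same exposure into the database instead.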

#7  2010-11-17 18:46:40

m00n - User
Registered: 2010-11-17

Re: Freeradius+PPPoE+Mysql+Crypt

The priority is keeping passwords in the database in crypt form and sending them in cleartext :)
How do I make the pppoe server force PAP?
Regards

2.1.10

Last edited by m00n (2010-11-17 18:47:56)


#8  2010-11-17 19:58:52

zlyZwierz - Moderator
Registered: 2005-02-18

Re: Freeradius+PPPoE+Mysql+Crypt

Ask about that on the pfSense forum..


#9  2010-11-18 11:08:43

m00n - User
Registered: 2010-11-17

Re: Freeradius+PPPoE+Mysql+Crypt

OK, I managed to force PAP; the connection is established and I can see the password being sent in the logs,
but radius tells me:

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

Problem solved.
Removing the Fall-Through == entry from radcheck helped.

Thanks for your interest.

Last edited by m00n (2010-11-18 11:17:47)
