Nie jesteś zalogowany.
Jeśli nie posiadasz konta, zarejestruj je już teraz! Pozwoli Ci ono w pełni korzystać z naszego serwisu. Spamerom dziękujemy!
Prosimy o pomoc dla małej Julki — przekaż 1% podatku na Fundacji Dzieciom zdazyć z Pomocą.
Więcej informacji na dug.net.pl/pomagamy/.
Jak zrobić w radius aby powiązać mac klienta z jego IP dla serwera PPPoE.
chodzi mi o to aby userzy nie logowali sie wielokrotnie na to samo konto oraz niewymieniali kontami midzy sobą
Offline
przymiezylem sie do dialupadmina i powiem ze kupsko.
ukasz:/usr/share/freeradius-dialupadmin/sql# mysql -u radius -p radius < badusers.sql Enter password: ERROR 1067 (42000) at line 4: Invalid default value for 'id'
jak wy dodajecie odejmujecie userow w radiusie uzywajacym mysqla ?
Offline
wywal default z bazy , tu objaśnienie : http://forums.mysql.com/read.php?121,85307,93507
Offline
Mam zainstalowanego radiusa z repo z etcha skonfigurowany jest na utoryzację PEAP bez baz danych
Wszystko niby ok ale przy radteście mnie nie wpuszcza:
krzysiek:~# radtest 127.0.0.1 testing123 127.0.0.1 0 testing123 Sending Access-Request of id 40 to 127.0.0.1 port 1812 User-Name = "127.0.0.1" User-Password = "testing123" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Re-sending Access-Request of id 40 to 127.0.0.1 port 1812 User-Name = "127.0.0.1" User-Password = "testing123" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=40, length=20
Mon Aug 20 23:02:56 2007 : Info: Using deprecated naslist file. Support for this will go away soon. Mon Aug 20 23:02:56 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Aug 20 23:02:57 2007 : Info: Ready to process requests. Tue Aug 21 12:58:21 2007 : Auth: Login incorrect: [127.0.0.1/testing123] (from client localhost port 0)
konfigi mam defaultowe a peap mam ustawiony tak http://canabsd.org/wp-content/files/radius/eap.conf.txt
Ale dlaczego mnie nie wpuszcza?
Offline
mam problem z połączeniem radiusa z pppoe, nie chce tego opierać na bazie danych tylko na pliku users, moje configi wyglądają tak:
radius.conf
client.conf
eap.conf
users
błąd jaki mi wywala przy próbie wdzwonienia nalogin:siarka haslo:zaqwsx
jest następujący:
Trwa weryfikowanie nazwy użytkownika i hasła... Błąd 691: Dosęp został wzbroniony ponieważ nazwa użytkownika i/lub hasło nie są prawidłowe w tej domenie.
polecenie daje następujące wyniki
debian1:/home/siarka# radtest siarka zaqwsx localhost 0 zaqwsx Sending Access-Request of id 254 to 127.0.0.1 port 1812 User-Name = "siarka" User-Password = "zaqwsx" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Re-sending Access-Request of id 254 to 127.0.0.1 port 1812 User-Name = "siarka" User-Password = "zaqwsx" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=254, length=20 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) debian1:/home/siarka#
ma ktoś może jakies pomysły
Offline
no ok robie to na mysql, jak testuje usera z serwera radtestem to jest ok:
debian1:/usr/share/freeradius-dialupadmin/sql# radtest siarka zaqwsx 127.0.0.1 0 testing123 Sending Access-Request of id 16 to 127.0.0.1 port 1812 User-Name = "siarka" User-Password = "zaqwsx" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=16, length=44 Framed-Protocol = PPP Framed-IP-Address = 10.0.128.11 Framed-MTU = 1492 Framed-IP-Netmask = 255.255.255.254
a to log z serwera radius:
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem" tls: certificate_file = "/etc/freeradius/certs/cert-srv.pem" tls: CA_file = "/etc/freeradius/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/freeradius/certs/dh" tls: random_file = "/etc/freeradius/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded MS-CHAP mschap: use_mppe = no mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded SQL sql: driver = "rlm_sql_mysql" sql: server = "localhost" sql: port = "" sql: login = "root" sql: password = "miki" sql: radius_db = "radius" sql: nas_table = "nas" sql: sqltrace = no sql: sqltracefile = "/var/log/freeradius/sqltrace.sql" sql: readclients = no sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = "%{User-Name}" sql: default_user_profile = "" sql: query_on_not_found = no sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id" sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id" sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" sql: accounting_update_query = " UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', AcctOutputOctets = '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_update_query_alt = " INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" sql: accounting_start_query = " INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query = " UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', AcctOutputOctets = '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time:-0}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query_alt = " INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time:-0}')" sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'" sql: connect_failure_retry_delay = 60 sql: simul_count_query = "" sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" sql: postauth_query = "INSERT into radpostauth (user, pass, reply, date) values ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())" sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to root@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Instantiated sql (sql) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32817, id=30, length=58 User-Name = "siarka" User-Password = "zaqwsx" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 radius_xlat: 'siarka' rlm_sql (sql): sql_set_user escaped user --> 'siarka' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'siarka' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'siarka' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'siarka' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'siarka' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: type Local auth: user supplied User-Password matches local User-Password Sending Access-Accept of id 30 to 127.0.0.1 port 32817 Framed-Protocol = PPP Framed-IP-Address = 10.0.128.11 Framed-MTU = 1492 Framed-IP-Netmask = 255.255.255.254 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 30 with timestamp 48256824 Nothing to do. Sleeping until we see a request.
natomiast jak loguje się z windowsa dostaje błąd taki jak w poście wyżej, a radius odpalony freeradius -X nie zwraca nic, tak jakby serwer pppoe nie komunikował się z nim, moje pliki konfiguracyjne to
#radius.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid user = freerad group = freerad max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = clear } chap { authtype = CHAP } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = no with_ntdomain_hack = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } } instantiate { } authorize { sql mschap } authenticate { eap mschap } preacct { } accounting { sql } session { radutmp } post-auth { } pre-proxy { } post-proxy { }
#clients.conf client 127.0.0.1 { secret = testing123 shortname = localhost }
#eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random } peap { default_eap_type = mschapv2 } mschapv2 { } }
#sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" login = "root" password = "miki" radius_db = "radius" acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "usergroup" nas_table = "nas" deletestalesessions = yes sqltrace = no sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 connect_failure_retry_delay = 60 sql_user_name = "%{User-Name}" authorize_check_query = "SELECT id, UserName, Attribute, Value, op \ FROM ${authcheck_table} \ WHERE Username = '%{SQL-User-Name}' \ ORDER BY id" authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \ FROM ${authreply_table} \ WHERE Username = '%{SQL-User-Name}' \ ORDER BY id" authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attri$ authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attri$ accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_t$ accounting_update_query = " \ UPDATE ${acct_table1} \ SET \ FramedIPAddress = '%{Framed-IP-Address}', \ AcctSessionTime = '%{Acct-Session-Time}', \ AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32 | \ '%{Acct-Input-Octets:-0}', \ AcctOutputOctets = '%{Acct-Output-Gigawords:-0}' << 32 | \ '%{Acct-Output-Octets:-0}' \ WHERE AcctSessionId = '%{Acct-Session-Id}' \ AND UserName = '%{SQL-User-Name}' \ AND NASIPAddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " \ INSERT INTO ${acct_table1} \ (AcctSessionId, AcctUniqueId, UserName, \ Realm, NASIPAddress, NASPortId, \ NASPortType, AcctStartTime, AcctSessionTime, \ AcctAuthentic, ConnectInfo_start, AcctInputOctets, \ AcctOutputOctets, CalledStationId, CallingStationId, \ ServiceType, FramedProtocol, FramedIPAddress, \ AcctStartDelay, XAscendSessionSvrKey) \ VALUES \ ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \ '%{NAS-Port-Type}', \ DATE_SUB('%S', \ INTERVAL (%{Acct-Session-Time:-0} + \ %{Acct-Delay-Time:-0}) SECOND), \ '%{Acct-Session-Time}', \ '%{Acct-Authentic}', '', \ '%{Acct-Input-Gigawords:-0}' << 32 | \ '%{Acct-Input-Octets:-0}', \ '%{Acct-Output-Gigawords:-0}' << 32 | \ '%{Acct-Output-Octets:-0}', \ '%{Called-Station-Id}', '%{Calling-Station-Id}', \ '%{Service-Type}', '%{Framed-Protocol}', \ '%{Framed-IP-Address}', \ '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " \ INSERT INTO ${acct_table1} \ (AcctSessionId, AcctUniqueId, UserName, \ Realm, NASIPAddress, NASPortId, \ NASPortType, AcctStartTime, AcctStopTime, \ AcctSessionTime, AcctAuthentic, ConnectInfo_start, \ ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, \ CalledStationId, CallingStationId, AcctTerminateCause, \ ServiceType, FramedProtocol, FramedIPAddress, \ AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey) \ VALUES \ ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \ '%{NAS-Port-Type}', '%S', '0', \ '0', '%{Acct-Authentic}', '%{Connect-Info}', \ '', '0', '0', \ '%{Called-Station-Id}', '%{Calling-Station-Id}', '', \ '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \ '%{Acct-Delay-Time:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}'$ accounting_stop_query = " \ UPDATE ${acct_table2} SET \ AcctStopTime = '%S', \ AcctSessionTime = '%{Acct-Session-Time}', \ AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32 | \ '%{Acct-Input-Octets:-0}', \ AcctOutputOctets = '%{Acct-Output-Gigawords:-0}' << 32 | \ '%{Acct-Output-Octets:-0}', \ AcctTerminateCause = '%{Acct-Terminate-Cause}', \ AcctStopDelay = '%{Acct-Delay-Time:-0}', \ ConnectInfo_stop = '%{Connect-Info}' \ WHERE AcctSessionId = '%{Acct-Session-Id}' \ AND UserName = '%{SQL-User-Name}' \ AND NASIPAddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " \ INSERT INTO ${acct_table2} \ (AcctSessionId, AcctUniqueId, UserName, \ Realm, NASIPAddress, NASPortId, \ NASPortType, AcctStartTime, AcctStopTime, \ AcctSessionTime, AcctAuthentic, ConnectInfo_start, \ ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, \ CalledStationId, CallingStationId, AcctTerminateCause, \ ServiceType, FramedProtocol, FramedIPAddress, \ AcctStartDelay, AcctStopDelay) \ VALUES \ ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \ '%{NAS-Port-Type}', \ DATE_SUB('%S', \ INTERVAL (%{Acct-Session-Time:-0} + \ %{Acct-Delay-Time:-0}) SECOND), \ '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', \ '%{Connect-Info}', \ '%{Acct-Input-Gigawords:-0}' << 32 | \ '%{Acct-Input-Octets:-0}', \ '%{Acct-Output-Gigawords:-0}' << 32 | \ '%{Acct-Output-Octets:-0}', \ '%{Called-Station-Id}', '%{Calling-Station-Id}', \ '%{Acct-Terminate-Cause}', \ '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \ '0', '%{Acct-Delay-Time:-0}')" simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, \ NASIPAddress, NASPortId, FramedIPAddress, \ CallingStationId, FramedProtocol \ FROM ${acct_table1} \ WHERE UserName='%{SQL-User-Name}' \ AND AcctStopTime = 0" group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'" postauth_query = "INSERT into ${postauth_table} (user, pass, reply, date) values ('%{User-Name}', '%{User-Password:-$ }
#/etc/ppp/options plugin radius.so plugin radattr.so plugin rp-pppoe.so require-mschap-v2 ms-dns 194.204.152.34 ms-dns 194.204.159.1 auth crtscts lock mru 1492 mtu 1492 debug lcp-echo-interval 60 lcp-echo-failure 8 noipx nobsdcomp nodeflate nopcomp
#/etc/ppp/pppoe-server-options require-mschap-v2 mtu 1492 mru 1492
już nie mam do tego mocy jakby pppoe nie komunikowało się z radiusem, no ale tak jakby wszystko było ok bo w logach widać że moduły się ładują
#cat /var/log/mesages ... May 10 10:56:06 debian1 pppd[4343]: Plugin radius.so loaded. May 10 10:56:06 debian1 pppd[4343]: RADIUS plugin initialized. May 10 10:56:06 debian1 pppd[4343]: Plugin radattr.so loaded. May 10 10:56:06 debian1 pppd[4343]: RADATTR plugin initialized. May 10 10:56:06 debian1 pppd[4343]: Plugin rp-pppoe.so loaded. May 10 10:56:06 debian1 pppd[4343]: pppd 2.4.4 started by root, uid 0 May 10 10:56:06 debian1 pppd[4343]: Using interface ppp0 May 10 10:56:06 debian1 pppd[4343]: Connect: ppp0 <--> /dev/pts/1 May 10 10:56:08 debian1 pppd[4343]: Peer siarka failed CHAP authentication May 10 10:56:08 debian1 pppd[4343]: Connection terminated. May 10 10:56:08 debian1 pppd[4343]: Terminating on signal 15 May 10 10:56:08 debian1 pppd[4343]: Exit. May 10 11:12:25 debian1 -- MARK -- May 10 11:32:25 debian1 -- MARK --
a
#cat /var/log/pppoe-connect-errors ... pppoe: read (asyncReadFromPPP): Session 6: Input/output error pppoe: read (asyncReadFromPPP): Session 2: Input/output error pppoe: read (asyncReadFromPPP): Session 2: Input/output error pppoe: read (asyncReadFromPPP): Session 7: Input/output error pppoe: read (asyncReadFromPPP): Session 3: Input/output error pppoe: read (asyncReadFromPPP): Session 8: Input/output error pppoe: read (asyncReadFromPPP): Session 1: Input/output error pppoe: read (asyncReadFromPPP): Session 1: Input/output error pppoe: read (asyncReadFromPPP): Session 9: Input/output error pppoe: read (asyncReadFromPPP): Session 3: Input/output error pppoe: read (asyncReadFromPPP): Session 2: Input/output error pppoe: read (asyncReadFromPPP): Session 2: Input/output error pppoe: read (asyncReadFromPPP): Session 10: Input/output error pppoe: read (asyncReadFromPPP): Session 4: Input/output error pppoe: read (asyncReadFromPPP): Session 3: Input/output error pppoe: read (asyncReadFromPPP): Session 11: Input/output error pppoe: read (asyncReadFromPPP): Session 12: Input/output error pppoe: read (asyncReadFromPPP): Session 4: Input/output error pppoe: read (asyncReadFromPPP): Session 3: Input/output error pppoe: read (asyncReadFromPPP): Session 13: Input/output error pppoe: read (asyncReadFromPPP): Session 2: Input/output error pppoe: read (asyncReadFromPPP): Session 3: Input/output error pppoe: read (asyncReadFromPPP): Session 4: Input/output error pppoe: read (asyncReadFromPPP): Session 4: Input/output error pppoe: read (asyncReadFromPPP): Session 14: Input/output error pppoe: read (asyncReadFromPPP): Session 5: Input/output error pppoe: read (asyncReadFromPPP): Session 6: Input/output error pppoe: read (asyncReadFromPPP): Session 7: Input/output error pppoe: read (asyncReadFromPPP): Session 8: Input/output error pppoe: read (asyncReadFromPPP): Session 5: Input/output error
co mam z tym zrobić, już nie mam mocy do tego
Offline
Witam! wyczesałem w sieci jakiś panel do zarządzania freeradiusem. Czy ktoś to już instalował? Jakie wrażenia? Bardziej funkcjonalne niż dialupadmin?
Ostatnio edytowany przez siarka2107 (2008-09-18 14:44:51)
Offline
Czy ma ktoś działająca konfigurację freeradiusa z mysql-em u mnie się dziwnie zachowuje, przy radteście mam Access Accept, ale przy próbie połączenie poprzez Access Pointa jest już Access Reject
a tutaj kawałek log-a z próby autoryzacji
rad_recv: Access-Request packet from host 192.168.0.50 port 3072, id=88, length=171 User-Name = "testowy" NAS-IP-Address = 192.168.0.50 NAS-Port = 0 Called-Station-Id = "00195b54c564" Calling-Station-Id = "001f5bb7c6a0" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000c01746573746f7779 Message-Authenticator = 0x9c403cb938f9054d2a4b88c47904f41a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> testowy [sql] sql_set_user escaped user --> 'testowy' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testowy' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testowy' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testowy' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id [sql] User found in group dynamic [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 88 to 192.168.0.50 port 3072 Framed-Compression := Van-Jacobson-TCP-IP Framed-Protocol := PPP Service-Type := Framed-User Acct-Interim-Interval = 60 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa1f64f15a1f7569a763d1454183188c5 Finished request 118. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 3072, id=89, length=283 User-Name = "testowy" NAS-IP-Address = 192.168.0.50 NAS-Port = 0 Called-Station-Id = "00195b54c564" Calling-Station-Id = "001f5bb7c6a0" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201007019800000006616030100610100005d03014e2eb385e01a6d91147621ac4747a7f9ec5fcb0fee10b8935142bc28fe6801e2000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 State = 0xa1f64f15a1f7569a763d1454183188c5 Message-Authenticator = 0xb1da151f82e55fe55f786db876bd6f7e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 102 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0061], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0898], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 89 to 192.168.0.50 port 3072 EAP-Message = 0x0102040019c0000008d5160301002a0200002603014e2eb37e08f5db2f5210fe1870e7f5dc20f2c53bfc1a4f4a24d5161174a3835500002f0016030108980b0008940008910003c0308203bc308202a4a003020102020101300d06092a864886f70d010104050030819d310b300906035504061302504c311e301c06035504081315546573746f77792d7365727765722d5261646975733110300e06035504071307476c697769636531173015060355040a130e6d6f6a616669726d612e6d7366743123302106092a864886f70d010901161461646d696e406d6f6a616669726d612e6d736674311e301c06035504031315546573746f777920736572 EAP-Message = 0x77657220526164697573301e170d3131303732353130323930375a170d3132303732343130323930375a30818b310b300906035504061302504c311e301c06035504081315546573746f77792d7365727765722d52616469757331173015060355040a130e6d6f6a616669726d612e6d736674311e301c06035504031315546573746f777920736572776572205261646975733123302106092a864886f70d010901161461646d696e406d6f6a616669726d612e6d73667430820122300d06092a864886f70d01010105000382010f003082010a0282010100e2daabd09ce51c439f8b5eff0f219cb0b782791c81281a0b42e84fa516c122f19b29c859 EAP-Message = 0x97646cf76979ff20847d16eaf70b028d15accb75fb7b5ae623765dedc22d46fd10afe8eed1659383fc9fe93d17072214d7aa64e56cdeea4ebba50aa4936226af2351151408732af5c49b9d8c874c4d0a6ac4a743d1a2590b321e9212cb0844e63504504c087475cd7cf38cf53741becf07e86dd2d8b32b99cb8786bb9fda40165c6965c5ce55e146a4e560ceed8a8c3d86257a6a7b1deec35e7716ca15375abe3358967d95aa64008c97ad99f32028d0ee980ed8a7f7cd2fe0e416e3aa0bf3df51819fb9a41931332fa150dd4a31e784d2fb77ed8828926e2a51b0eb0203010001a317301530130603551d25040c300a06082b06010505070301300d06 EAP-Message = 0x092a864886f70d01010405000382010100397fe79947a20eb81767871d27ccbf7227b1b1f0ef95a39b467f94d4d103292e49648c220f75de08d3c84d5eadd7648c9244da352ab3ba1618d21ef74d755c44e19ff3b3ae8a9f5e216c94b3ff50fdc575f20cb793aa9d8709595896e0a19b684658aae559b49b3c7279bc791fe235842094a43bc9a0fef8ee680fe8d0bb22cc472f3fac8b54075eaf69f3301815ab105e0b20f44b05aad8f278d8a96b3402bade97f1cf0aea85a700b170383d55e1e07abdbcbd26abbe876dc2b357fd70a48180e32290b552a67b0dcfe107065bf491041b40d3f275e30aaaa72d9e0fd1ecbed7a9dbc5960a2c3b7283808c EAP-Message = 0xb7796012c194c0cbc1bc07f2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa1f64f15a0f4569a763d1454183188c5 Finished request 119. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 3072, id=90, length=177 User-Name = "testowy" NAS-IP-Address = 192.168.0.50 NAS-Port = 0 Called-Station-Id = "00195b54c564" Calling-Station-Id = "001f5bb7c6a0" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0xa1f64f15a0f4569a763d1454183188c5 Message-Authenticator = 0x8d765c32a362553b1338592dd4e9998e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 90 to 192.168.0.50 port 3072 EAP-Message = 0x010303fc194060dd6ceffa0fcbb70004cb308204c7308203afa003020102020900c4f93f99acb1433b300d06092a864886f70d010105050030819d310b300906035504061302504c311e301c06035504081315546573746f77792d7365727765722d5261646975733110300e06035504071307476c697769636531173015060355040a130e6d6f6a616669726d612e6d7366743123302106092a864886f70d010901161461646d696e406d6f6a616669726d612e6d736674311e301c06035504031315546573746f77792073657277657220526164697573301e170d3131303732353130323930375a170d3236303732313130323930375a30819d310b EAP-Message = 0x300906035504061302504c311e301c06035504081315546573746f77792d7365727765722d5261646975733110300e06035504071307476c697769636531173015060355040a130e6d6f6a616669726d612e6d7366743123302106092a864886f70d010901161461646d696e406d6f6a616669726d612e6d736674311e301c06035504031315546573746f7779207365727765722052616469757330820122300d06092a864886f70d01010105000382010f003082010a0282010100d37fd65285c8d264144f2981c919946b1a810793c7eea5b9e67243e5f26ec536e68626abcd36d96397df5fdcc25a318f5db45e8921442df37e143370e10273dcfd EAP-Message = 0x27f50c323e87ff976c268327b0e6efb197c55b3fc1cade1eeb938fca34d6c51c4ee12d3bee873aa243e9b987ac219ff3b739401cc0bd28b7600ea3ca089a8c8412fc2ba3db1e335070ec1ec7b723db4a9cc75aa010e42f4cb64fe4fb4f3e63a48ee794deac87e9058ff0dac274e79d1d304eed69430c4b28c62588dfb93f8cc9a4c586842e64bf47fac091b6118dc6c061c4e626ff54bf6c1bcca2a996f0e636403c898d7ad307daf73b6beeebb1becac34a81d95036304732d97ae04ae7d90203010001a382010630820102301d0603551d0e0416041441994cd3908979a0b145821ee2bd07dbfdf2fb4b3081d20603551d230481ca3081c780144199 EAP-Message = 0x4cd3908979a0b145821ee2bd07dbfdf2fb4ba181a3a481a030819d310b300906035504061302504c311e301c06035504081315546573746f77792d7365727765722d5261646975733110300e06035504071307476c697769636531173015060355040a130e6d6f6a616669726d612e6d7366743123302106092a864886f70d010901161461646d696e406d6f6a616669726d612e6d736674311e301c06035504031315546573746f77792073657277657220526164697573820900c4f93f99acb1433b300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100af01bbe56fe921b4b636d5f06a6bc92ad8547d3d4c8515a0 EAP-Message = 0x073275103cc352ce Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa1f64f15a3f5569a763d1454183188c5 Finished request 120. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 3072, id=91, length=177 User-Name = "testowy" NAS-IP-Address = 192.168.0.50 NAS-Port = 0 Called-Station-Id = "00195b54c564" Calling-Station-Id = "001f5bb7c6a0" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0xa1f64f15a3f5569a763d1454183188c5 Message-Authenticator = 0x072ba593db5f551081e4a539ef55ce3f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 91 to 192.168.0.50 port 3072 EAP-Message = 0x010400ef1900bf7e96d7d1c36f3afa6a41334f5cf78ceb22788df7ebc7f30b8ae507f69277b05542d1361b766ce5e276af295b9ce45615d4441da9b8f0ce286eaa0708d7e1c50688f7b979323b9783a6b0fcb2d74a1ec50b729e9e826afb0af7915fcc47286d07a4ed6fe09b78bdaef7a28628f3d75e096af8f7ccdb69b26b20afd6a2346846fba6f4d97ed754659b9bec954ec4321eb3d7f04b70bcb9da83c515e955e3c599895c088a14b762376b7b573f25627bae4b6ff964e5c0f64a9a61ee806e2547fd839706a651dac2b0c84b8a85ec9f928562bda0f805a727f585f966664f11f5d516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa1f64f15a2f2569a763d1454183188c5 Finished request 121. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 3072, id=92, length=509 User-Name = "testowy" NAS-IP-Address = 192.168.0.50 NAS-Port = 0 Called-Station-Id = "00195b54c564" Calling-Station-Id = "001f5bb7c6a0" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0204015019800000014616030101061000010201006c81b0b55f5b762cc0225d9be7fad24bc92b9d2226eea855517e912c8230d252a4561cd8a3d98fb60f2e45c3b45fd5f0ae303fdd2ec8669ed4c60c5230dc81765a4403126c56b2577d4776edab68ee6ecfbc9bfb6682318f83a14883033a9bf3b9f3fbe8515bf151cff3a04beaadceeed58042af667d6f2545952dc876d80a1c6d79ecfb80a3b48e9513f9a481d0f49a1ca347aa719c2a2769400e4bdfec0bdd7d3ae724532ed511f14ba50537181cdd94ef833b064aa22b3a0c105e8ee662010b0a4c0199ebc9fdb0f47de9267cf3db6524ae26891a9d702e82bd3c6f70f7423901ef985924c113 EAP-Message = 0x081a24ed3a67ce7f11ec4e7da4ed605fdbd0f4b34783ac02140301000101160301003015dcbf9358d4287cf0bf23785b28cf8a28671ae8bf26ca0bcbb83736e86a167046897ccde6a1cc302fdff63dbea1e8a7 State = 0xa1f64f15a2f2569a763d1454183188c5 Message-Authenticator = 0xd3f1bcee2e135d6e0dd7cea12df40ddd # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 92 to 192.168.0.50 port 3072 EAP-Message = 0x01050041190014030100010116030100307df718c3da88cc588aa69f49af0ad1ee2e9ef675ceac06b98ce9f62d4c3ea9e30fb8b8f7bc4a32f1e85437cf756f4c85 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa1f64f15a5f3569a763d1454183188c5 Finished request 122. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 3072, id=93, length=177 User-Name = "testowy" NAS-IP-Address = 192.168.0.50 NAS-Port = 0 Called-Station-Id = "00195b54c564" Calling-Station-Id = "001f5bb7c6a0" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500061900 State = 0xa1f64f15a5f3569a763d1454183188c5 Message-Authenticator = 0xb91f8ce515ac62637a97fab9fd09df68 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 93 to 192.168.0.50 port 3072 EAP-Message = 0x0106002b19001703010020dab3397299de0ff2a8bc993ef3250be1783b962e2f8b9213f4052a7f0836982f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa1f64f15a4f0569a763d1454183188c5 Finished request 123. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 3072, id=94, length=214 User-Name = "testowy" NAS-IP-Address = 192.168.0.50 NAS-Port = 0 Called-Station-Id = "00195b54c564" Calling-Station-Id = "001f5bb7c6a0" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0206002b1900170301002073013cd164215fe70aafece2409f5cb656fbdbeee8eaf7cf4a01bc23269fc929 State = 0xa1f64f15a4f0569a763d1454183188c5 Message-Authenticator = 0xc38c3462115c3733d063822d28edcd59 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testowy [peap] Got inner identity 'testowy' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000c01746573746f7779 server { PEAP: Setting User-Name to testowy Sending tunneled request EAP-Message = 0x0206000c01746573746f7779 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testowy" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700211a0107001c100d3171aed7cc4a741658563681eff1b4746573746f7779 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xab8ed8b9ab89c27fcbed212554a26243 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700211a0107001c100d3171aed7cc4a741658563681eff1b4746573746f7779 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xab8ed8b9ab89c27fcbed212554a26243 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 94 to 192.168.0.50 port 3072 EAP-Message = 0x0107004b19001703010040c27b75ea78def78485b1e95577aa62dc38af48af5bf9a9e18b33be0fd6709e05e21fae5cddb7dcd5741126944242af85ce9f54bc7c7a6690c7b867be0a5d4663 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa1f64f15a7f1569a763d1454183188c5 Finished request 124. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 3072, id=95, length=278 User-Name = "testowy" NAS-IP-Address = 192.168.0.50 NAS-Port = 0 Called-Station-Id = "00195b54c564" Calling-Station-Id = "001f5bb7c6a0" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0207006b190017030100609b1f2a3f7907e240599b271f3e99dae14174040de3a1918a8db023876c52843d32809d42d378235a00db9176364141a9d72119b5ed0eb9b788f919d163d4d7dccb094836db84e1390e34e8029b17177cdf4950a6c6eeaec91aa3ea226d059542 State = 0xa1f64f15a7f1569a763d1454183188c5 Message-Authenticator = 0xa975c53e429a60a6ef74f5c2dc6e786d # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700421a0207003d3150a2951cda46745b42f5b251faba81680000000000000000290c72834deca6154e610e7a4f8bcf1c265a0ab0ee48336400746573746f7779 server { PEAP: Setting User-Name to testowy Sending tunneled request EAP-Message = 0x020700421a0207003d3150a2951cda46745b42f5b251faba81680000000000000000290c72834deca6154e610e7a4f8bcf1c265a0ab0ee48336400746573746f7779 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testowy" State = 0xab8ed8b9ab89c27fcbed212554a26243 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: testowy [mschap] Told to do MS-CHAPv2 for testowy with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 95 to 192.168.0.50 port 3072 EAP-Message = 0x0108002b1900170301002014d288641077ffd09e9abc0e8776dfd6a3b9684b81c2db249aa4e44971301bb1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa1f64f15a6fe569a763d1454183188c5 Finished request 125. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.50 port 3072, id=96, length=214 User-Name = "testowy" NAS-IP-Address = 192.168.0.50 NAS-Port = 0 Called-Station-Id = "00195b54c564" Calling-Station-Id = "001f5bb7c6a0" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0208002b19001703010020667f53d9bbc455f185465e9c8b592b6ec9d3f3ab929c44b802644e424a511ddc State = 0xa1f64f15a6fe569a763d1454183188c5 Message-Authenticator = 0x46bb46cf4d16a6ae01d58f09fda4856a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testowy attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 126 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 126 Sending Access-Reject of id 96 to 192.168.0.50 port 3072 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 118 ID 88 with timestamp +296 Cleaning up request 119 ID 89 with timestamp +296 Cleaning up request 120 ID 90 with timestamp +296 Cleaning up request 121 ID 91 with timestamp +296 Cleaning up request 122 ID 92 with timestamp +296 Cleaning up request 123 ID 93 with timestamp +296 Cleaning up request 124 ID 94 with timestamp +296 Cleaning up request 125 ID 95 with timestamp +296 Waking up in 1.0 seconds. Cleaning up request 126 ID 96 with timestamp +296 Ready to process requests.
Ten sam użytkownik radtest:
FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/sql.conf including configuration file /etc/freeradius/sql/mysql/dialup.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.0.0/24 { require_message_authenticator = no secret = "testing123" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "testing123" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/freeradius/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "root" password = "zaq12wsx" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/freeradius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to root@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 53148, id=5, length=59 User-Name = "testowy" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testowy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> testowy [sql] sql_set_user escaped user --> 'testowy' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testowy' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testowy' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testowy' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id [sql] User found in group dynamic [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "password" [pap] Using clear text password "password" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> testowy [sql] sql_set_user escaped user --> 'testowy' [sql] expand: %{User-Password} -> password [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testowy', 'password', 'Access-Accept', '2011-07-26 14:38:36') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testowy', 'password', 'Access-Accept', '2011-07-26 14:38:36') rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 5 to 127.0.0.1 port 53148 Framed-Compression := Van-Jacobson-TCP-IP Framed-Protocol := PPP Service-Type := Framed-User Acct-Interim-Interval = 60 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 5 with timestamp +13 Ready to process requests.
Ostatnio edytowany przez czeri (2011-07-26 14:39:56)
Offline