Неверные параметры радиуса, сообственно нужна помощь профи

[Vugl]

Помогите чайнику, скажите что нужно все предоставлю, все логи
Получуется сообственно на выходе вот:

Код: Выделить всё

Fri Sep 12 12:18:03 2008
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 118
        NAS-Port-Type = Virtual
        User-Name = "vugl2"
        Calling-Station-Id = "192.168.0.200"
        Called-Station-Id = "192.168.0.143"
        Acct-Session-Id = "81900000"
        Framed-IP-Address = 0.0.0.0
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Identifier = "MikroTik"
        NAS-IP-Address = 192.168.0.143
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.0.143
        Acct-Unique-Session-Id = "5fa65149c4027d6b"
        Timestamp = 1221207483

[lasik]

как бы сказал наш незабвенный ran
radius -x

[Vugl]

Это уже победил, щас скину что в данный момент происходит:

Код: Выделить всё

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.143:32769, id=209, length=134
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 182
        NAS-Port-Type = Virtual
        User-Name = "vugl2"
        Calling-Station-Id = "192.168.0.200"
        Called-Station-Id = "192.168.0.143"
        CHAP-Challenge = 0xf4a3119b6e36046fe69259424ce30ad7
        CHAP-Password = 0x01b653fcbe8b99d7ec926c7479bb36cb27
        NAS-Identifier = "MikroTik"
        NAS-IP-Address = 192.168.0.143
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "vugl2", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by "vugl2" with CHAP password
  rlm_chap: Could not find clear text password for user vugl2
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [vugl2/<CHAP-Password>] (from client vpn-pool0 port 182 cli 192.168.0.200)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request

[Vugl]

при этом по pppoe с pap все работает, chap отказывается лог выше

[ran]

как бы сказал наш незабвенный ran

ты ещё скажи: пусть земля ему будет пухом... НЕ ДОЖДЁТЕСЬ!

2Vugl:

между этим:

Код: Выделить всё

  modcall[authorize]: module "preprocess" returns ok for request 0 

и ватетим:

Код: Выделить всё

  rlm_chap: Setting 'Auth-Type := CHAP' 

должно быть ещё и ватета:

Код: Выделить всё

Exec-Program output: User-Password == "******"
Exec-Program-Wait: value-pairs: User-Password == "******"
Exec-Program: returned: 0

что говорит об успешном вызове rauth.pl, которого у тебя не наблюдается. Вывод: нада смотреть exec pre_auth, exec post_auth секции modules radiusd.conf и файл users

[Vugl]

Вот радиус:

Код: Выделить всё

prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	
	reject_delay = 1
	status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp	= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
	
	start_servers = 5
	
	max_servers = 32
	max_requests_per_server = 0
}
modules {
	
	pap {
		auto_header = yes
	}

	
	chap {
		authtype = CHAP
	}
	pam {
	
		pam_auth = radiusd
	}
	unix {
		
		cache = no
		cache_reload = 600
		
		radwtmp = ${logdir}/radwtmp
	}

	
$INCLUDE ${confdir}/eap.conf
	mschap {
		
		
	}

	ldap {
		server = "ldap.your.domain"
		
		basedn = "o=My Org,c=UA"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		
		start_tls = no

		
		access_attr = "dialupAccess"

		
		dictionary_mapping = ${raddbdir}/ldap.attrmap

		ldap_connections_number = 5
		edir_account_policy_check=no
		
		timeout = 4
		timelimit = 3
		net_timeout = 1
		
	}

	
	realm IPASS {
		format = prefix
		delimiter = "/"
		ignore_default = no
		ignore_null = no
	}

	
	realm suffix {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}

	realm realmpercent {
		format = suffix
		delimiter = "%"
		ignore_default = no
		ignore_null = no
	}

	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}	

	
	checkval {
		# The attribute to look for in the request
		item-name = Calling-Station-Id

		# The attribute to look for in check items. Can be multi valued
		check-name = Calling-Station-Id

		# The data type. Can be
		# string,integer,ipaddr,date,abinary,octets
		data-type = string

		# If set to yes and we dont find the item-name attribute in the
		# request then we send back a reject
		# DEFAULT is no
		#notfound-reject = no
	}
	
	
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints

		
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no

		
		with_cisco_vsa_hack = no
	}

	
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		preproxy_usersfile = ${confdir}/preproxy_users

		
		compat = no
	}

	
	detail {
		
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}
	$INCLUDE  ${confdir}/sql.conf
	radutmp {
	
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes		
		perm = 0600

		callerid = "yes"
	}

	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	sqlcounter dailycounter {
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = daily

		
		query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"

	}

	sqlcounter monthlycounter {
		counter-name = Monthly-Session-Time
		check-name = Max-Monthly-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = monthly

	
		query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"

	}

	
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
	expr {
	}
	digest {
	}
	exec {
		wait = yes
		input_pairs = request
	}
	exec echo {
	
		wait = yes
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
	}
	ippool main_pool {

		range-start = 192.168.3.1
		range-stop = 192.168.6.254
		netmask = 255.255.255.0
		cache-size = 800
		session-db = ${raddbdir}/db.ippool
		ip-index = ${raddbdir}/db.ipindex
		override = no
		maximum-timeout = 0
	}

}

instantiate {
	
	exec
	expr
}

authorize {
	
	preprocess
	chap
	mschap
	suffix
	eap
	files
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	eap
}

preacct {
	preprocess

	acct_unique
	suffix
	files
}
accounting {
	
	detail
	unix
	radutmp
}

session {
	radutmp

}


post-auth {

}
pre-proxy {
}
post-proxy {
	eap
}
bind_address = 192.168.0.142

authorize {
  preprocess
  chap
  pap
#  counter
#  attr_filter
#  eap
#  suffix
  files
# etc_smbpasswd
# sql
# mschap
}

[ran]

не мля... совесть есть, а? если я сказал, что надо смотреть - это не значит вывалить свои конфиги - на типа ковыряй... Самому смотреть! Это читал?

[Vugl]

Вот users

Код: Выделить всё

DEFAULT Auth-Type = Accept
  Exec-Program-Wait = "/usr/abills/libexec/rauth.pl"
DEFAULT	Service-Type == Framed-User
	Framed-IP-Address = 255.255.255.254,
	Framed-MTU = 576,
	Service-Type = Framed-User,
	Fall-Through = Yes
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP

[Vugl]

не мля... совесть есть, а? если я сказал, что надо смотреть - это не значит вывалить свои конфиги - на типа ковыряй... Самому смотреть! Это читал?

Ну я ж не навязываю, я помощи проши!
Я все мануалы ужо изучил, если бы я знал где поправить, я б не просил. Если нет возможности или желания можно не отвечать!

[ran]

Это читал?

Если вы желаете использовать MPPE, MPPC, MS-Chap V2 (протоколы шифрования и компрессии от M$ - для VPN очень желательно) то в файл /etc/raddb/radiusd.conf вносятся следующие изменения:

Вывод: нада смотреть exec pre_auth, exec post_auth секции modules radiusd.conf и файл users

я ж тебе всё рассказал...

[lasik]

как бы сказал наш незабвенный ran

ты ещё скажи: пусть земля ему будет пухом... НЕ ДОЖДЁТЕСЬ!

Я по любому моложе, так что если ничего со мной не случится противоестественного, то я дождусь ^_^

[ran]

если ничего со мной не случится

правильное уточнение...

[lasik]

если ничего со мной не случится

правильное уточнение...

будем надеятся что не случится ничего