2 сервера


2 сервера

Сообщение maxtr »

1 сервер - Abills (192.168.0.1)
2 сервер - MPD + ng_car (192.168.0.2)

Проблема следующая:
авторизация на первом сервере (192.168.0.1, где MPD + ng_car стоят рядом с RADIUS) проходит и всё работает, а на втором, дополнительном сервере (192.168.0.2) клиент получает ошибку 691 (в mpd.log ниже: «E=691 R=0 M=Login incorrect» — отказ в аутентификации).

1) radtest успешно ходит на первый сервер и возвращает ответ:
radtest ttt 123456 192.168.0.1:1812 0 ************** 0 192.168.0.2
Sending Access-Request of id 205 to 192.168.0.1 port 1812
User-Name = "ttt"
User-Password = "123456"
NAS-IP-Address = 192.168.0.2
NAS-Port = 0
Framed-Protocol = PPP
Re-sending Access-Request of id 205 to 192.168.0.1 port 1812
User-Name = "ttt"
User-Password = "123456"
NAS-IP-Address = 192.168.0.2
NAS-Port = 0
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 192.168.0.1:1812, id=205, length=137
Session-Timeout = 2275927
Framed-IP-Address = 10.110.34.29
Framed-IP-Netmask = 255.255.255.255
mpd-limit = "in#1=all rate-limit 1024000 192000 384000"
mpd-limit = "out#1=all rate-limit 1024000 192000 384000"
2) mpd.conf
startup:
# Enable TCP-Wrapper (hosts_access(5)) to block unfriendly clients
set global enable tcp-wrapper
# Control console: bound to loopback only, which is the right choice --
# the console protocol is cleartext and the account below is admin.
set console self 127.0.0.1 5005
# Console credential sits in this file in the clear; keep mpd.conf mode 0600.
set user admin ******** admin
set console open
# Web management (disabled). If it is ever enabled, do not bind it to
# 0.0.0.0 -- that exposes the management UI on bge0 as well; bind it to
# 127.0.0.1 or the internal address instead.
#set web self 0.0.0.0 5006
#set web open
# NetFlow export to a local collector over loopback. NetFlow carries no
# authentication, so keeping both ends on 127.0.0.1 as here is sensible.
set netflow peer 127.0.0.1 9996
set netflow self 127.0.0.1 9990
set netflow timeouts 15 15
set netflow hook 9000
#set netflow node netflow


default:
# Entry label: only the PPTP server profile below is loaded.
load pptp_server

pptp_server:
# Dynamic address pool handed out to PPTP clients (10.110.0.0 - 10.110.254.254).
set ippool add pool1 10.110.0.0 10.110.254.254
# Create clonable bundle template named B
create bundle template B
# Answer ARP for client addresses on the LAN side.
set iface enable proxy-arp
# Tear the session down after 1800 s without traffic.
set iface idle 1800
set iface enable tcpmssfix
# Abills hooks run on link up/down with mpd's own privileges (normally root),
# so these scripts are trusted code: keep them writable by root only.
set iface up-script "/usr/abills/libexec/linkupdown mpd up"
set iface down-script "/usr/abills/libexec/linkupdown mpd down"
set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
set ipcp ranges 10.110.0.0/16 ippool pool1
set ipcp dns 192.168.0.1
# NOTE(review): the stock comment said these lines "enable MPPE"; they do
# the opposite. CCP/MPPC is switched off, 40- and 128-bit keys are refused
# and encryption is not required, so PPP payload crosses the PPTP/GRE
# tunnel in the clear. The Access-Accept shown later in this thread
# (MS-MPPE-Encryption-Policy = 1, MS-MPPE-Encryption-Types = 6) offers
# 40/128-bit keys, but with this config they are never used. To encrypt:
# `set bundle enable compression`, `set ccp yes mppc`, `set mppc yes e128`,
# `set bundle enable crypt-reqd`.
set bundle disable compression
set ccp no mppc
set mppc no e40
set mppc no e128
set bundle disable crypt-reqd
set mppc no stateless


# Create clonable link template named L
create link template L pptp
# Set bundle template to use

set link action bundle B
set link enable peer-as-calling
# Calling-Station-Id = "10.0.4.16 / 00:18:f3:5a:9f:6a / em0"
# set link enable report-mac
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link yes acfcomp protocomp
# Require the peer to authenticate with CHAP; PAP is refused. The client in
# this thread answered with MS-CHAPv2 (MS-CHAP2-Response in the radiusd -X
# output). Without MPPE the challenge/response pair is visible on the path,
# and MS-CHAPv2 is known to be weak against offline attack.
set link no pap chap
set link enable chap
# LCP echo every 10 s; presumably the link is dropped after 60 s without
# a reply -- confirm against mpd5's set link keep-alive documentation.
set link keep-alive 10 60
# Reduce link MTU to avoid GRE packet fragmentation
set link mtu 1460
# Configure PPTP
# Address the PPTP listener binds to (the original comment here was
# mojibake for "the IP on which the connection will be listened for").
set pptp self 192.168.0.2
# Allow to accept calls
set link enable incoming
# server_common is not loaded; the radius section is loaded directly.
#load server_common
load radius


server_common:
# Alternative link profile (CHAP-MD5 allowed, PAP/EAP refused, no
# address/protocol field compression). Not used by this config: the
# `load server_common` line in pptp_server above is commented out.
set link no pap eap
set link yes chap-md5
set link keep-alive 20 60
set link enable incoming
set link no acfcomp protocomp
load radius



radius:
# RADIUS server IP, shared secret and ports. The inline form is disabled in
# favour of radius.conf(5). Note that `radsecret` is the stock sample secret
# and also appears for client 127.0.0.1 in clients.conf -- change it if that
# entry is ever relied on.
#set radius server 127.0.0.1 radsecret 1812 1813
# Servers and secrets come from this file (item 3 below). The secret there
# must match the `client 192.168.0.2` entry on the RADIUS host byte for
# byte; if it does not, libradius discards the Access-Accept as invalid and
# mpd logs "No valid RADIUS responses received" even though tcpdump shows
# the reply arriving.
set radius config /etc/radius.conf
# radius.conf carries its own timeout/max-tries fields as well ("4 4" in
# item 3); which of the two settings wins is not visible here -- TODO confirm.
set radius retries 3
set radius timeout 10
# Interim accounting update every 300 s.
set auth acct-update 300
# Authenticate and account via RADIUS only; mpd's internal (mpd.secret)
# backend is disabled.
set auth enable radius-auth
set auth enable radius-acct
set auth disable internal
3) /etc/radius.conf
# radius.conf(5) fields: <type> <host[:port]> <secret> <timeout> <max_tries>.
# The secret (masked here) must equal `secret` in the `client 192.168.0.2`
# entry of clients.conf on 192.168.0.1 -- no trailing whitespace, same
# case. A 4-second timeout is tight: the Abills backend took ~3.5 s to
# answer (GT: 3.52281 in the Abills log below); a late answer makes the
# NAS retransmit and the server emit duplicate replies.
auth 192.168.0.1:1812 ************** 4 4
acct 192.168.0.1:1813 ************** 4 4
4) mpd.log
Oct 5 16:19:33 lan-plus mpd: [L-1] LCP: state change Ack-Sent --> Opened
Oct 5 16:19:33 lan-plus mpd: [L-1] LCP: auth: peer wants nothing, I want CHAP
Oct 5 16:19:33 lan-plus mpd: [L-1] CHAP: sending CHALLENGE #1 len: 21
Oct 5 16:19:33 lan-plus mpd: [L-1] LCP: LayerUp
Oct 5 16:19:33 lan-plus mpd: [L-1] LCP: rec'd Ident #2 (Opened)
Oct 5 16:19:33 lan-plus mpd: [L-1] MESG: MSRASV5.20
Oct 5 16:19:33 lan-plus mpd: [L-1] LCP: rec'd Ident #3 (Opened)
Oct 5 16:19:33 lan-plus mpd: [L-1] MESG: MSRAS-0-SERVER-BD42CAAB
Oct 5 16:19:33 lan-plus mpd: [L-1] CHAP: rec'd RESPONSE #1 len: 57
Oct 5 16:19:33 lan-plus mpd: [L-1] Name: "ttt"
Oct 5 16:19:33 lan-plus mpd: [L-1] AUTH: Trying RADIUS
Oct 5 16:19:33 lan-plus mpd: [L-1] RADIUS: Authenticating user 'ttt'
Oct 5 16:19:35 lan-plus mpd: [L-1] CHAP: rec'd RESPONSE #1 len: 57
Oct 5 16:19:35 lan-plus mpd: [L-1] Name: "ttt"
Oct 5 16:19:35 lan-plus mpd: [L-1] CHAP: Auth return status: busy
Oct 5 16:19:37 lan-plus mpd: [L-1] CHAP: rec'd RESPONSE #1 len: 57
Oct 5 16:19:37 lan-plus mpd: [L-1] Name: "ttt"
Oct 5 16:19:37 lan-plus mpd: [L-1] CHAP: Auth return status: busy
Oct 5 16:19:37 lan-plus mpd: [L-1] RADIUS: rad_send_request for user 'ttt' failed: No valid RADIUS responses received
Oct 5 16:19:37 lan-plus mpd: [L-1] AUTH: RADIUS returned error
Oct 5 16:19:37 lan-plus mpd: [L-1] AUTH: ran out of backends
Oct 5 16:19:37 lan-plus mpd: [L-1] CHAP: Auth return status: failed
Oct 5 16:19:37 lan-plus mpd: [L-1] CHAP: Reply message: E=691 R=0 M=Login incorrect
Oct 5 16:19:37 lan-plus mpd: [L-1] CHAP: sending FAILURE #1 len: 31
Oct 5 16:19:37 lan-plus mpd: [L-1] LCP: authorization failed
Oct 5 16:19:37 lan-plus mpd: [L-1] LCP: parameter negotiation failed
Oct 5 16:19:37 lan-plus mpd: [L-1] LCP: state change Opened --> Stopping
Oct 5 16:19:37 lan-plus mpd: [L-1] LCP: SendTerminateReq #4
Oct 5 16:19:37 lan-plus mpd: [L-1] LCP: LayerDown
Oct 5 16:19:37 lan-plus mpd: [L-1] LCP: rec'd Terminate Ack #4 (Stopping)
Oct 5 16:19:37 lan-plus mpd: [L-1] LCP: state change Stopping --> Stopped
Oct 5 16:19:37 lan-plus mpd: [L-1] LCP: LayerFinish
Oct 5 16:19:37 lan-plus mpd: [L-1] PPTP call terminated
5) На первом сервере там где радиус видно что авторизация проходит:

2011-10-05 16:19:39 LOG_INFO AUTH ttt CID: 192.168.224.241 GT: 3.52281

Судя по логу, MPD не принимает ответ RADIUS («rad_send_request … failed: No valid RADIUS responses received»), хотя radtest ответ получает. Кто может сказать, почему? (Замечание: radtest здесь запущен с самого 192.168.0.1, поэтому на сервере он попадает под другую запись client в clients.conf, чем запросы с 192.168.0.2, и не проверяет secret, записанный в /etc/radius.conf на втором сервере: FreeRADIUS выбирает запись client по IP-источнику пакета, атрибут NAS-IP-Address на это не влияет.)


Re: 2 сервера

Сообщение maxtr »

Во время попытки установить VPN:

tcpdump на первом сервере (192.168.0.1)
tcpdump -i bge1 -s 1500 port 1813 or port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge1, link-type EN10MB (Ethernet), capture size 1500 bytes
17:42:57.909868 IP 192.168.0.2.26832 > 192.168.0.1.radius: RADIUS, Access Request (1), id: 0x53 length: 250
17:43:00.760295 IP 192.168.0.1.radius > 192.168.0.2.26832: RADIUS, Access Accept (2), id: 0x53 length: 296
17:43:00.760692 IP 192.168.0.2.26832 > 192.168.0.1.radius: RADIUS, Access Request (1), id: 0x53 length: 250
17:43:00.760810 IP 192.168.0.1.radius > 192.168.0.2.26832: RADIUS, Access Accept (2), id: 0x53 length: 296
17:43:00.761133 IP 192.168.0.2.26832 > 192.168.0.1.radius: RADIUS, Access Request (1), id: 0x53 length: 250
17:43:00.761188 IP 192.168.0.1.radius > 192.168.0.2.26832: RADIUS, Access Accept (2), id: 0x53 length: 296
tcpdump на втором сервере (192.168.0.2)
tcpdump -i bge1 -s 1500 port 1813 or port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge1, link-type EN10MB (Ethernet), capture size 1500 bytes
17:42:56.534421 IP 192.168.0.2.26832 > 192.168.0.1.radius: RADIUS, Access Request (1), id: 0x53 length: 250
17:42:59.384965 IP 192.168.0.1.radius > 192.168.0.2.26832: RADIUS, Access Accept (2), id: 0x53 length: 296
17:42:59.385065 IP 192.168.0.2.26832 > 192.168.0.1.radius: RADIUS, Access Request (1), id: 0x53 length: 250
17:42:59.385551 IP 192.168.0.1.radius > 192.168.0.2.26832: RADIUS, Access Accept (2), id: 0x53 length: 296
17:42:59.385591 IP 192.168.0.2.26832 > 192.168.0.1.radius: RADIUS, Access Request (1), id: 0x53 length: 250
17:42:59.385845 IP 192.168.0.1.radius > 192.168.0.2.26832: RADIUS, Access Accept (2), id: 0x53 length: 296


Re: 2 сервера

Сообщение ~AsmodeuS~ »

radiusd -X


Re: 2 сервера

Сообщение maxtr »

~AsmodeuS~ писал(а):radiusd -X
rad_recv: Access-Request packet from host 192.168.0.2:49625, id=132, length=250
NAS-Identifier = "test.net"
Acct-Session-Id = "7883756-L-1"
NAS-Port = 1
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "192.168.224.241"
Called-Station-Id = ""
NAS-Port-Id = "bge1"
mpd-link = "L-1"
Tunnel-Type:0 = PPTP
Tunnel-Medium-Type:0 = IPv4
Tunnel-Server-Endpoint:0 = "192.168.0.2"
Tunnel-Client-Endpoint:0 = "192.168.224.241"
Tunnel-Server-Auth-Id:0 = "test.net"
User-Name = "ttt"
MS-CHAP-Challenge = 0xbb1e683698ca5ce02e4f7440258e7b32
MS-CHAP2-Response = 0x0100fc589e285ba35a81a443172e228a6fac000000000000000002bf41748183503f616e4064d350470c2ba0161bb7f63156
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 27
modcall[authorize]: module "preprocess" returns ok for request 27
Exec-Program output: User-Password == "123456"
Exec-Program-Wait: value-pairs: User-Password == "123456"
Exec-Program: returned: 0
modcall[authorize]: module "pre_auth" returns ok for request 27
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module "mschap" returns ok for request 27
users: Matched entry DEFAULT at line 1
modcall[authorize]: module "files" returns ok for request 27
modcall: leaving group authorize (returns ok) for request 27
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 27
rlm_mschap: Told to do MS-CHAPv2 for ttt with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 27
modcall: leaving group MS-CHAP (returns ok) for request 27

Exec-Program output: Session-Timeout = 2214642, Framed-IP-Address = 10.110.9.215, Framed-IP-Netmask = 255.255.255.255, mpd-limit += "in#1=all rate-limit 1024000 192000 384000", mpd-limit += "out#1=all rate-limit 1024000 192000 384000",
Exec-Program-Wait: value-pairs: Session-Timeout = 2214642, Framed-IP-Address = 10.110.9.215, Framed-IP-Netmask = 255.255.255.255, mpd-limit += "in#1=all rate-limit 1024000 192000 384000", mpd-limit += "out#1=all rate-limit 1024000 192000 384000",
Exec-Program: returned: 0
Sending Access-Accept of id 132 to 192.168.0.2 port 49625
MS-CHAP2-Success = 0x01533d38343242363335393536413438393044333442353245424437374642424143344438434635394141
MS-MPPE-Recv-Key = 0x571d8583e44b8a7bda3eaa4f0c7b0af1
MS-MPPE-Send-Key = 0xa71f8c85e0582465758b2a0c38183b76
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Session-Timeout = 2214642
Framed-IP-Address = 10.110.9.215
Framed-IP-Netmask = 255.255.255.255
mpd-limit += "in#1=all rate-limit 1024000 192000 384000"
mpd-limit += "out#1=all rate-limit 1024000 192000 384000"
Finished request 27
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.2:49625, id=132, length=250
Sending duplicate reply to client shorrname:49625 - ID: 132
Re-sending Access-Accept of id 132 to 192.168.0.2 port 49625
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.0.2:49625, id=132, length=250
Sending duplicate reply to client shorrname:49625 - ID: 132
Re-sending Access-Accept of id 132 to 192.168.0.2 port 49625
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 27 ID 132 with timestamp 4e8d4f6d
Nothing to do. Sleeping until we see a request.
Ответ RADIUS доходит до NAS MPD (192.168.0.2), но MPD его не принимает. (Замечание: в выводе radiusd -X выше видны MS-CHAP-Challenge, MS-CHAP2-Response и MS-MPPE-ключи для учётной записи ttt, а в секции authorize — её пароль в открытом виде; по паре challenge/response NT-хеш восстанавливается офлайн, так что публиковать такой вывод стоит только для тестовой учётной записи, пароль которой затем сменён.)

На NAS MPD (192.168.0.2) ipfw простой и доступ не закрывает (bge0 — внешний, bge1 — внутренний, по нему и ходят запросы к RADIUS):
00100 255373 24347536 deny udp from any 135-139 to any via bge1
00200 0 0 deny tcp from any 135-139,445 to any via bge1
00300 0 0 deny udp from any to any dst-port 135-139 via bge1
00400 0 0 deny tcp from any to any dst-port 135-139,445 via bge1
00500 0 0 deny ip from any to me dst-port 3306 via bge1
00600 0 0 deny ip from any to me dst-port 3306 via bge0
00900 0 0 deny ip from any to me dst-port 80 via bge1
01000 6 316 deny ip from any to me dst-port 80 via bge0
01100 0 0 deny ip from any to me dst-port 22 via bge1
01200 3 144 deny ip from any to me dst-port 22 via bge0
01300 0 0 deny ip from any to me dst-port 21 via bge1
01400 1 48 deny ip from any to me dst-port 21 via bge0
01500 0 0 nat 100 ip from table(1) to any
01600 98622 5834353 nat 100 ip from any to ХХ.ХХХ.ХХХ.ХХХ
01700 263600 24629801 allow ip from any to any
65535 0 0 deny ip from any to any
P.S. На первом сервере с RADIUS ipfw такой же. (Замечание: при таком наборе правил UDP 1812/1813 на сервере RADIUS открыты и со стороны bge0 — FreeRADIUS молча отбрасывает пакеты от IP, не описанных в clients.conf, но лучше явно разрешить эти порты только с 192.168.0.2 через bge1 и запретить остальное.)


Re: 2 сервера

Сообщение ~AsmodeuS~ »

Назад от RADIUS пакеты до MPD не доходят: проверьте маршруты и фаерволы, снимите tcpdump на сервере доступа — ещё можно посмотреть, как именно идёт ответ.


Re: 2 сервера

Сообщение maxtr »

~AsmodeuS~ писал(а):назад от радиуса не идут пакеты на мпд посмотрите что маршруты фаерволы тсп дамп на сервер доступа еще можно глянуть как идёт ответ
Tcpdump — во втором посте: ответы ходят отлично (один и тот же id 0x53 уходит и возвращается Access-Accept на обоих серверах), но MPD их не принимает...


Re: 2 сервера

Сообщение ~AsmodeuS~ »

для тест попробуйте сменить адресацию


Re: 2 сервера

Сообщение maxtr »

Проблема решилась! Закавыка, похоже, была в shared secret (он был длинный) и, возможно, ещё в одинаковых shortname в raddb/clients.conf. (Замечание: сама по себе длина в 30 символов для FreeRADIUS и libradius не проблема — скорее всего, secret просто не совпадал побайтно между clients.conf и /etc/radius.conf, из-за чего libradius отбрасывал Access-Accept с неверным Response Authenticator как невалидный. Одинаковые shortname на это вряд ли влияют.)
# Original entries (did not work). The shared secret authenticates the NAS
# and keys both the Response Authenticator and the MS-MPPE key wrapping, so
# it must match /etc/radius.conf on 192.168.0.2 exactly (same bytes, no
# trailing whitespace). Length alone is not the problem: FreeRADIUS accepts
# secrets far longer than 30 characters. `radsecret` for 127.0.0.1 is the
# stock sample value and should be changed too.
client 127.0.0.1 {
secret = radsecret
# Duplicate shortnames are a naming nit; they are unlikely to affect
# authentication.
shortname = shortname
}
client 192.168.0.2 {
secret = dfHrfktYdfhhef57764fdgrvb432hn
shortname = shortname
}
Вот так заработало (замечание: новый secret теперь опубликован и к тому же короткий — 9 символов; его стоит сменить на длинный случайный, так как именно им подписывается Response Authenticator и шифруются MS-MPPE-ключи в Access-Accept):
# Working entry. NOTE(review): this secret is 9 characters long and is now
# public in this thread. Replace it with a long random value (16+ chars):
# a weak or known secret lets an on-path attacker forge Access-Accept
# packets for this NAS and unwrap the MS-MPPE keys it carries.
client 192.168.0.2 {
secret = fhti6lrer
shortname = rezerv
}
