ядерный rppppoe + freeradius проблемма
Добавлено: Чт авг 09, 2007 7:01 am
Настраиваю rppppoe + freeradius
Конфиги:
Для pppoe
pppoe-server-options
запускаю:
Для радиуса:
raddb/acct_users
raddb/clients
raddb/clients.conf
raddb/radiusd.conf
radiusclient/radiusclient.conf
radiusclient/servers
На клиетне не пускает говорит ошибка 691 (не верный логин или паро ль)
Радиус отвечает на это следующим:
Конфиги:
Для pppoe
pppoe-server-options
Код: Выделить всё
logfile /var/log/pppoe.log
debug
mtu 1472
mru 1472
auth
#require-pap
require-mschap
#require-chap
default-asyncmap
lcp-echo-interval 20
lcp-echo-failure 2
plugin radius.so
plugin radattr.so
#ktune
#ms-dns 192.168.0.1
ms-dns 87.229.141.2
192.168.0.1:
nobsdcomp
noccp
noendpoint
noipdefault
noipx
novj
receive-all
Код: Выделить всё
/usr/sbin/pppoe-server -k -I eth1 -L 192.168.0.1 -R 192.168.2.10
raddb/acct_users
Код: Выделить всё
DEFAULT Acct-Status-Type == Start
Exec-Program = "/usr/abills/libexec/racctl.pl"
DEFAULT Acct-Status-Type == Stop
Exec-Program = "/usr/abills/libexec/racctl.pl"
DEFAULT Acct-Status-Type == Alive
Exec-Program = "/usr/abills/libexec/racctl.pl"
Код: Выделить всё
localhost nas129k12
Код: Выделить всё
client 127.0.0.1 {
secret = nas129k12
shortname = localhost
}
Код: Выделить всё
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
#user = nobody
#group = nobody
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 127.0.0.1
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
#use_mppe = no
#require_encryption = yes
#require_strong = yes
#with_ntdomain_hack = no
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
#notfound-reject = no
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
# detailperm = 0600
}
detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
# detailperm = 0600
}
detail pre_proxy_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
# detailperm = 0600
}
detail post_proxy_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
# detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
# $INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
#packet_type = Access-Accept
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
instantiate {
exec
# expr
# daily
}
authorize {
preprocess
# auth_log
# attr_filter
# chap
# mschap
# digest
# IPASS
# suffix
# ntdomain
# eap
files
# sql
# etc_smbpasswd
# daily
# pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
# digest
# pam
unix
# Auth-Type LDAP {
# ldap
# }
eap
}
preacct {
preprocess
acct_unique
# IPASS
suffix
# ntdomain
files
}
accounting {
detail
# daily
unix
radutmp
# sradutmp
# main_pool
# sql
# sql_log
# pgsql-voip
}
session {
radutmp
# sql
}
post-auth {
# main_pool
# reply_log
# sql
# sql_log
# ldap
# Post-Auth-Type REJECT {
# insert-module-name-here
# }
}
pre-proxy {
# attr_rewrite
# files
# pre_proxy_log
}
post-proxy {
# post_proxy_log
# attr_rewrite
# attr_filter
eap
}
Код: Выделить всё
auth_order radius,local
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient/issue
# RADIUS settings
authserver localhost:1812
acctserver localhost:1812
servers /etc/radiusclient/servers
dictionary /etc/radiusclient/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login
Код: Выделить всё
127.0.0.1 nas192k12
Радиус отвечает на это следующим:
Код: Выделить всё
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 127.0.0.1:1812
Listening on accounting 127.0.0.1:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1027, id=241, length=70
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "user1"
Calling-Station-Id = "00:18:F3:1F:18:93"
NAS-IP-Address = 192.168.0.1
NAS-Port = 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Exec-Program output: Reply-Message = "Unknow server '192.168.0.1'"
Exec-Program-Wait: value-pairs: Reply-Message = "Unknow server '192.168.0.1'"
Exec-Program: returned: 1
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=240, length=70
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "user1"
Calling-Station-Id = "00:18:F3:1F:18:93"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Exec-Program output: Reply-Message = "Unknow server '192.168.0.1'"
Exec-Program-Wait: value-pairs: Reply-Message = "Unknow server '192.168.0.1'"
Exec-Program: returned: 1
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 241 to 127.0.0.1 port 1027
Reply-Message = "Unknow server '192.168.0.1'"
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 240 to 127.0.0.1 port 1026
Reply-Message = "Unknow server '192.168.0.1'"
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 241 with timestamp 46bbda75
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 240 with timestamp 46bbda77
Nothing to do. Sleeping until we see a request.
Exec-Program output: Reply-Message = "Unknow server '192.168.0.1'"