System: Ubuntu 8.04. I needed to update snmpd, and as dependencies it dragged in a whole pile of other stuff, including freeradius, so now:

Code:
dpkg -l | grep radius
ii freeradius 2.1.0+dfsg-0ubuntu4 a high-performance and highly configurable R
ii freeradius-common 2.1.0+dfsg-0ubuntu4 FreeRadius common files
ii freeradius-mysql 2.1.0+dfsg-0ubuntu4 MySQL module for FreeRADIUS server
ii freeradius-utils 2.1.0+dfsg-0ubuntu4 FreeRadius client utilities
ii libfreeradius2 2.1.0+dfsg-0ubuntu4 FreeRADIUS shared library
ii libradius1 0.3.2-11.1 /bin/login replacement with RADIUS. Shared l
ii radiusclient1 0.3.2-11.1 /bin/login replacement which uses the RADIUS
1. I brought /etc/freeradius/radiusd.conf to the following form (here and further down I highlight in red what I changed):

Code:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
abills_preauth
exec abills_preauth {
program = "/usr/abills/libexec/rauth.pl pre_auth"
wait = yes
input_pairs = request
shell_escape = yes
output_pairs = config
}
abills_postauth
exec abills_postauth {
program = "/usr/abills/libexec/rauth.pl post_auth"
wait = yes
input_pairs = request
shell_escape = yes
output_pairs = config
}
abills_auth
exec abills_auth {
program = "/usr/abills/libexec/rauth.pl"
wait = yes
input_pairs = request
shell_escape = yes
output = no
output_pairs = reply
}
abills_acc
exec abills_acc {
program = "/usr/abills/libexec/racct.pl"
wait = yes
input_pairs = request
shell_escape = yes
output = no
output_pairs = reply
}
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
2. I brought /etc/freeradius/modules/exec to the following form:

Code:
exec {
wait = yes
input_pairs = request
shell_escape = yes
output = none
output_pairs = reply
}
3. I brought /etc/freeradius/sites-available/default to the following form:

Code:
authorize {
preprocess
abills_preauth
mschap
files
abills_auth
}
preacct {
preprocess
abills_acc
}
post-auth {
Post-Auth-Type REJECT {
abills_postauth
}
}
accounting {
unix
radutmp
}
4. I brought /etc/freeradius/dictionary to the following form:

Code:
$INCLUDE /usr/share/freeradius/dictionary
ATTRIBUTE Session-Octets-Limit 227 integer
ATTRIBUTE Octets-Direction 228 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit 230 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit 231 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-1 232 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-1 233 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-2 234 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-2 235 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-3 236 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-3 237 integer
ATTRIBUTE Acct-Interim-Interval 85 integer
5. I brought /usr/abills/Abills/mysql/Auth.pm to the following form; I am quoting only the part of the code where I made changes:

Code:
#*******************************************************************
# Authorization module
# pre_auth()
#*******************************************************************
sub pre_auth {
my ($self, $RAD, $attr)=@_;
if (defined($RAD->{MS_CHAP_CHALLENGE}) || defined($RAD->{EAP_MESSAGE})) {
my $login = $RAD->{USER_NAME};
if ($RAD->{USER_NAME} =~ /:(.+)/) {
$login = $1;
}
$self->query($db, "SELECT DECODE(password, '$CONF->{secretkey}') FROM users WHERE id='$login';");
if ($self->{TOTAL} > 0) {
my $list = $self->{list}->[0];
my $password = $list->[0];
$self->{'RAD_CHECK'}{'User-Password'}="$password";
print "Cleartext-Password := \"$password\"";
return 0;
}
$self->{errno} = 1;
$self->{errstr} = "USER: '$login' not exist";
return 1;
}
$self->{'RAD_CHECK'}{'Auth-Type'}="Accept";
print "Auth-Type := Accept\n";
return 0;
}
6. I brought /etc/radiusclient/servers to the following form:

Code:
localhost testing123
7. I brought /etc/radiusclient/dictionary to the following form:

Code:
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port-Id 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Framed-IP-Netmask 9 ipaddr
ATTRIBUTE Framed-Routing 10 integer
ATTRIBUTE Filter-Id 11 string
ATTRIBUTE Framed-MTU 12 integer
ATTRIBUTE Framed-Compression 13 integer
ATTRIBUTE Login-IP-Host 14 ipaddr
ATTRIBUTE Login-Service 15 integer
ATTRIBUTE Login-TCP-Port 16 integer
ATTRIBUTE Reply-Message 18 string
ATTRIBUTE Callback-Number 19 string
ATTRIBUTE Callback-Id 20 string
ATTRIBUTE Framed-Route 22 string
ATTRIBUTE Framed-IPX-Network 23 ipaddr
ATTRIBUTE State 24 string
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Idle-Timeout 28 integer
ATTRIBUTE Termination-Action 29 integer
ATTRIBUTE Called-Station-Id 30 string
ATTRIBUTE Calling-Station-Id 31 string
ATTRIBUTE Acct-Status-Type 40 integer
ATTRIBUTE Acct-Delay-Time 41 integer
ATTRIBUTE Acct-Input-Octets 42 integer
ATTRIBUTE Acct-Output-Octets 43 integer
ATTRIBUTE Acct-Session-Id 44 string
ATTRIBUTE Acct-Authentic 45 integer
ATTRIBUTE Acct-Session-Time 46 integer
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
ATTRIBUTE Acct-Terminate-Cause 49 integer
ATTRIBUTE Chap-Challenge 60 string
ATTRIBUTE NAS-Port-Type 61 integer
ATTRIBUTE Port-Limit 62 integer
ATTRIBUTE Connect-Info 77 string
ATTRIBUTE Huntgroup-Name 221 string
ATTRIBUTE User-Category 1029 string
ATTRIBUTE Group-Name 1030 string
ATTRIBUTE Simultaneous-Use 1034 integer
ATTRIBUTE Strip-User-Name 1035 integer
ATTRIBUTE Fall-Through 1036 integer
ATTRIBUTE Add-Port-To-IP-Address 1037 integer
ATTRIBUTE Exec-Program 1038 string
ATTRIBUTE Exec-Program-Wait 1039 string
ATTRIBUTE Hint 1040 string
ATTRIBUTE Expiration 21 date
ATTRIBUTE Auth-Type 1000 integer
ATTRIBUTE Menu 1001 string
ATTRIBUTE Termination-Menu 1002 string
ATTRIBUTE Prefix 1003 string
ATTRIBUTE Suffix 1004 string
ATTRIBUTE Group 1005 string
ATTRIBUTE Crypt-Password 1006 string
ATTRIBUTE Connect-Rate 1007 integer
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
VALUE Service-Type Callback-Framed-User 4
VALUE Service-Type Outbound-User 5
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt-User 7
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
VALUE Framed-Routing None 0
VALUE Framed-Routing Broadcast 1
VALUE Framed-Routing Listen 2
VALUE Framed-Routing Broadcast-Listen 3
VALUE Framed-Compression None 0
VALUE Framed-Compression Van-Jacobson-TCP-IP 1
VALUE Login-Service Telnet 0
VALUE Login-Service Rlogin 1
VALUE Login-Service TCP-Clear 2
VALUE Login-Service PortMaster 3
VALUE Acct-Status-Type Start 1
VALUE Acct-Status-Type Stop 2
VALUE Acct-Status-Type Accounting-On 7
VALUE Acct-Status-Type Accounting-Off 8
VALUE Acct-Authentic RADIUS 1
VALUE Acct-Authentic Local 2
VALUE Acct-Authentic PowerLink128 100
VALUE Termination-Action Default 0
VALUE Termination-Action RADIUS-Request 1
VALUE NAS-Port-Type Async 0
VALUE NAS-Port-Type Sync 1
VALUE NAS-Port-Type ISDN 2
VALUE NAS-Port-Type ISDN-V120 3
VALUE NAS-Port-Type ISDN-V110 4
VALUE Acct-Terminate-Cause User-Request 1
VALUE Acct-Terminate-Cause Lost-Carrier 2
VALUE Acct-Terminate-Cause Lost-Service 3
VALUE Acct-Terminate-Cause Idle-Timeout 4
VALUE Acct-Terminate-Cause Session-Timeout 5
VALUE Acct-Terminate-Cause Admin-Reset 6
VALUE Acct-Terminate-Cause Admin-Reboot 7
VALUE Acct-Terminate-Cause Port-Error 8
VALUE Acct-Terminate-Cause NAS-Error 9
VALUE Acct-Terminate-Cause NAS-Request 10
VALUE Acct-Terminate-Cause NAS-Reboot 11
VALUE Acct-Terminate-Cause Port-Unneeded 12
VALUE Acct-Terminate-Cause Port-Preempted 13
VALUE Acct-Terminate-Cause Port-Suspended 14
VALUE Acct-Terminate-Cause Service-Unavailable 15
VALUE Acct-Terminate-Cause Callback 16
VALUE Acct-Terminate-Cause User-Error 17
VALUE Acct-Terminate-Cause Host-Request 18
VALUE Auth-Type Local 0
VALUE Auth-Type System 1
VALUE Auth-Type SecurID 2
VALUE Auth-Type Crypt-Local 3
VALUE Auth-Type Reject 4
VALUE Auth-Type Pam 253
VALUE Auth-Type None 254
VALUE Fall-Through No 0
VALUE Fall-Through Yes 1
VALUE Add-Port-To-IP-Address No 0
VALUE Add-Port-To-IP-Address Yes 1
ATTRIBUTE Acct-Interim-Interval 85 integer
ATTRIBUTE Session-Octets-Limit 227 integer
ATTRIBUTE Octets-Direction 228 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit 230 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit 231 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-1 232 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-1 233 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-2 234 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-2 235 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-3 236 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-3 237 integer
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft
8. In /etc/radiusclient/ I add a file dictionary.microsoft with the following content:

Code:
#
# Microsoft's VSA's, from RFC 2548
#
# $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#
VENDOR Microsoft 311 Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
#
# Integer Translations
#
# MS-BAP-Usage Values
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
# MS-ARAP-Password-Change-Reason Values
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
# MS-Acct-Auth-Type Values
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
# MS-Acct-EAP-Type Values
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13
Code:
rad_recv: Access-Request packet from host 127.0.0.1 port 60094, id=107, length=145
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "123"
MS-CHAP-Challenge = 0x7c5280745ebc569de38e52113152bddb
MS-CHAP2-Response = 0xc9000c9033e0d879d188c0863f53c757ea6100000000000000006b7504e8984c7dd95e6e8437a8b7d44c2ccb3c4b28feda15
Calling-Station-Id = "192.168.0.77"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
+- entering group authorize {...}
++[preprocess] returns ok
Exec-Program output: Cleartext-Password := "123123"
Exec-Program-Wait: value-pairs: Cleartext-Password := "123123"
Exec-Program: returned: 0
++[abills_preauth] returns ok
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
Exec-Program output: Session-Timeout = 2439581, MS-MPPE-Encryption-Types = 0x00000006, Session-Octets-Limit = 2146435072, MS-CHAP2-SUCCESS = 0xc9533d38413044424542383344333536333534344342454136394241333139324232333341393338464634, MS-MPPE-Encryption-Policy = 0x00000001, Acct-Interim-Interval = 120, Octets-Direction = 0, Framed-IP-Address = 172.16.0.18, Framed-IP-Netmask = 255.255.255.255,
Exec-Program-Wait: value-pairs: Session-Timeout = 2439581, MS-MPPE-Encryption-Types = 0x00000006, Session-Octets-Limit = 2146435072, MS-CHAP2-SUCCESS = 0xc9533d38413044424542383344333536333534344342454136394241333139324232333341393338464634, MS-MPPE-Encryption-Policy = 0x00000001, Acct-Interim-Interval = 120, Octets-Direction = 0, Framed-IP-Address = 172.16.0.18, Framed-IP-Netmask = 255.255.255.255,
Exec-Program: returned: 0
++[abills_auth] returns ok
Found Auth-Type = MSCHAP
WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
Exec-Program output:
Exec-Program: returned: 0
++[abills_postauth] returns ok
Sending Access-Reject of id 107 to 127.0.0.1 port 60094
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Session-Timeout = 2439581
MS-MPPE-Encryption-Types = 0x00000006
Session-Octets-Limit = 2146435072
MS-CHAP2-Success = 0xc9533d38413044424542383344333536333534344342454136394241333139324232333341393338464634
MS-MPPE-Encryption-Policy = 0x00000001
Acct-Interim-Interval = 120
Octets-Direction = Route-IP-No
Framed-IP-Address = 172.16.0.18
Framed-IP-Netmask = 255.255.255.255
Finished request 0.
Going to the next request
Waking up in 4.5 seconds.
Cleaning up request 0 ID 107 with timestamp +25
Ready to process requests.
Code:
Plugin radattr.so loaded.
RADATTR plugin initialized.
Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pptpd-logwtmp: $Version$
using channel 29
Using interface ppp1
Connect: ppp1 <--> /dev/pts/3
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x4e90e303> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x1c6e2d4d> <pcomp> <accomp> <callback CBCP>]
sent [LCP ConfRej id=0x0 <callback CBCP>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x1c6e2d4d> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x1c6e2d4d> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x4e90e303> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x4e90e303> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x4e90e303]
sent [CHAP Challenge id=0xc9 <7c5280745ebc569de38e52113152bddb>, name = "pptpd"]
rcvd [LCP Ident id=0x2 magic=0x1c6e2d4d "MSRASV5.20"]
rcvd [LCP Ident id=0x3 magic=0x1c6e2d4d "MSRAS-0-LKHARLAMOV-PC"]
rcvd [LCP Ident id=0x4 magic=0x1c6e2d4d "\37777777770\37777777643\37777777612|S\37777777742\031F\37777777615Bf\37777777764nj\37777777642E"]
rcvd [LCP EchoRep id=0x0 magic=0x1c6e2d4d]
rcvd [CHAP Response id=0xc9 <0c9033e0d879d188c0863f53c757ea6100000000000000006b7504e8984c7dd95e6e8437a8b7d44c2ccb3c4b28feda1500>, name = "123"]
rc_check_reply: received invalid reply digest from RADIUS server
Peer 123 failed CHAP authentication
sent [CHAP Failure id=0xc9 ""]
sent [LCP TermReq id=0x2 "Authentication failed"]
rcvd [CHAP Response id=0xc9 <0c9033e0d879d188c0863f53c757ea6100000000000000006b7504e8984c7dd95e6e8437a8b7d44c2ccb3c4b28feda1500>, name = "123"]
Discarded non-LCP packet when LCP not open
rcvd [LCP TermAck id=0x2 "Authentication failed"]
Connection terminated.
RADATTR plugin removed file /var/run/radattr.ppp1.

11. This is what gets written to the ABillS log:

Code:
2009-04-02 18:20:20 LOG_WARNING: AUTH [123] REJECT Wrong password CID 192.168.0.77
So what else is it missing to make it work?

...hoping for a miracle...
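Added example (editor's code, not ABillS code and not part of the post above): the rlm_exec contract that the `abills_preauth` instance and the `pre_auth` routine in Auth.pm rely on, written as a stand-alone hook. With `input_pairs = request`, FreeRADIUS exports the request attributes to the child's environment (User-Name becomes USER_NAME, MS-CHAP-Challenge becomes MS_CHAP_CHALLENGE), reads "Attribute op value" lines from the child's stdout into `output_pairs`, and maps the exit status to a module return code (0 = ok, 1 = reject, 2 = fail, as documented in raddb/modules/exec). The hook emits `Cleartext-Password` only for MS-CHAP/EAP requests, like the Perl above, but looks the user up with a bound parameter instead of interpolating User-Name into the SQL text, and quotes the emitted value so a password containing `"` or `\` survives the pair parser. The sqlite3 table, user names and passwords are constructed for the demo; the quoting rule is an assumption stated in the code.

```python
"""Stand-alone rlm_exec hook emulating the pre_auth step above (added example)."""
import os
import sqlite3
import sys

# Exit status -> module return code, as documented in raddb/modules/exec (2.x):
# 0 = ok, 1 = reject, 2 = fail, ... (values > 9 are treated as fail).
RC_OK, RC_REJECT, RC_FAIL = 0, 1, 2


def strip_realm(user_name):
    """Same rule as the Perl `/:(.+)/`: keep whatever follows the first ':'
    if there is anything after it, otherwise leave User-Name alone."""
    _, sep, rest = user_name.partition(':')
    return rest if sep and rest else user_name


def quote_value(value):
    """Double-quote a value for an output pair. Assumption: escaping backslash
    and double quote is enough for the FreeRADIUS pair parser; control
    characters are not expected in passwords here."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def lookup_password(conn, login):
    """Parameterised lookup: the RADIUS User-Name is bound, never spliced
    into the SQL text, so `x' OR '1'='1` is just a non-existent user."""
    row = conn.execute("SELECT password FROM users WHERE id = ?", (login,)).fetchone()
    return row[0] if row else None


def pre_auth(env, conn):
    """Return (stdout lines, exit status) for one Access-Request.

    env is the child's environment as rlm_exec builds it with
    input_pairs = request: attribute names upper-cased, '-' -> '_'.
    Only MS-CHAP and EAP requests get Cleartext-Password handed to the
    server (rlm_mschap needs it to check the NT-Response); other requests
    are left to the later modules in authorize.
    """
    if 'MS_CHAP_CHALLENGE' not in env and 'EAP_MESSAGE' not in env:
        return [], RC_OK
    login = strip_realm(env.get('USER_NAME', ''))
    password = lookup_password(conn, login)
    if password is None:
        return [], RC_REJECT          # rlm_exec turns exit status 1 into reject
    return ['Cleartext-Password := ' + quote_value(password)], RC_OK


def demo_db():
    """Constructed in-memory stand-in for the ABillS `users` table
    (ABillS keeps DECODE()-able encrypted passwords in MySQL; sqlite here)."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("123", "123123"), ("bob", 'pa"ss\\word')])
    conn.commit()
    return conn


if __name__ == '__main__':
    # When run by FreeRADIUS: attributes arrive in the environment, pairs go
    # to stdout, and the exit status becomes the module return code.
    lines, rc = pre_auth(os.environ, demo_db())
    sys.stdout.write('\n'.join(lines) + ('\n' if lines else ''))
    sys.exit(rc)
```

Wired up the same way as `abills_preauth` above (`wait = yes`, `input_pairs = request`, `output_pairs = config`, `program` pointing at wherever you install the script), the emitted `Cleartext-Password` lands in the control list for rlm_mschap to use. Note that anything the hook prints is echoed verbatim by `radiusd -X`, exactly as the `Exec-Program output: Cleartext-Password := "123123"` line in the debug output above shows, so a server run this way in debug mode writes user passwords to its terminal or log.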