freeradius2
Posted: Thu Apr 02, 2009 12:34 pm
Good day!
The system is Ubuntu 8.04; I needed to update snmpd, and as a result it pulled in a heap of other things through its dependencies, freeradius among them, so now:

dpkg -l | grep radius
ii freeradius 2.1.0+dfsg-0ubuntu4 a high-performance and highly configurable R
ii freeradius-common 2.1.0+dfsg-0ubuntu4 FreeRadius common files
ii freeradius-mysql 2.1.0+dfsg-0ubuntu4 MySQL module for FreeRADIUS server
ii freeradius-utils 2.1.0+dfsg-0ubuntu4 FreeRadius client utilities
ii libfreeradius2 2.1.0+dfsg-0ubuntu4 FreeRADIUS shared library
ii libradius1 0.3.2-11.1 /bin/login replacement with RADIUS. Shared l
ii radiusclient1 0.3.2-11.1 /bin/login replacement which uses the RADIUS

Accordingly, authorization stopped working; after reading the forum I took the following steps:

1. I brought the file /etc/freeradius/radiusd.conf to the following form (here and further in the text I highlight what I changed in red):

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
abills_preauth
exec abills_preauth {
program = "/usr/abills/libexec/rauth.pl pre_auth"
wait = yes
input_pairs = request
shell_escape = yes
output_pairs = config
}
abills_postauth
exec abills_postauth {
program = "/usr/abills/libexec/rauth.pl post_auth"
wait = yes
input_pairs = request
shell_escape = yes
output_pairs = config
}
abills_auth
exec abills_auth {
program = "/usr/abills/libexec/rauth.pl"
wait = yes
input_pairs = request
shell_escape = yes
output = no
output_pairs = reply
}
abills_acc
exec abills_acc {
program = "/usr/abills/libexec/racct.pl"
wait = yes
input_pairs = request
shell_escape = yes
output = no
output_pairs = reply
}
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

2. I brought the file /etc/freeradius/modules/exec to the following form:

exec {
wait = yes
input_pairs = request
shell_escape = yes
output = none
output_pairs = reply
}

3. I brought the file /etc/freeradius/sites-available/default to the following form:

authorize {
preprocess
abills_preauth
mschap
files
abills_auth
}
preacct {
preprocess
abills_acc
}
post-auth {
Post-Auth-Type REJECT {
abills_postauth
}
}
accounting {
unix
radutmp
}

4. I brought the file /etc/freeradius/dictionary to the following form:

$INCLUDE /usr/share/freeradius/dictionary
ATTRIBUTE Session-Octets-Limit 227 integer
ATTRIBUTE Octets-Direction 228 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit 230 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit 231 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-1 232 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-1 233 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-2 234 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-2 235 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-3 236 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-3 237 integer
ATTRIBUTE Acct-Interim-Interval 85 integer

5. I brought the file /usr/abills/Abills/mysql/Auth.pm to the following form; I'm quoting only the part of the code where changes were made:

#*******************************************************************
# Authorization module
# pre_auth()
#*******************************************************************
sub pre_auth {
  my ($self, $RAD, $attr) = @_;

  # MS-CHAP / EAP requests: look up the user's cleartext password so that
  # rlm_mschap can verify the challenge response itself.
  if (defined($RAD->{MS_CHAP_CHALLENGE}) || defined($RAD->{EAP_MESSAGE})) {
    my $login = $RAD->{USER_NAME};
    # strip a "prefix:" from the login if one is present
    if ($RAD->{USER_NAME} =~ /:(.+)/) {
      $login = $1;
    }
    # $login comes straight from the User-Name attribute: escape quotes and
    # backslashes before interpolating it into SQL (added here, not in the
    # original post, which interpolated $login unescaped)
    (my $login_sql = $login) =~ s/(['\\])/\\$1/g;
    $self->query($db, "SELECT DECODE(password, '$CONF->{secretkey}') FROM users WHERE id='$login_sql';");
    if ($self->{TOTAL} > 0) {
      my $list = $self->{list}->[0];
      my $password = $list->[0];
      $self->{'RAD_CHECK'}{'User-Password'} = "$password";
      # handed back to FreeRADIUS as a control item (output_pairs = config)
      print "Cleartext-Password := \"$password\"\n";
      return 0;
    }
    $self->{errno} = 1;
    $self->{errstr} = "USER: '$login' not exist";
    return 1;
  }

  # everything else: accept without a password check
  $self->{'RAD_CHECK'}{'Auth-Type'} = "Accept";
  print "Auth-Type := Accept\n";
  return 0;
}

6. I brought the file /etc/radiusclient/servers to the following form:

localhost testing123

7. I brought the file /etc/radiusclient/dictionary to the following form:

ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port-Id 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Framed-IP-Netmask 9 ipaddr
ATTRIBUTE Framed-Routing 10 integer
ATTRIBUTE Filter-Id 11 string
ATTRIBUTE Framed-MTU 12 integer
ATTRIBUTE Framed-Compression 13 integer
ATTRIBUTE Login-IP-Host 14 ipaddr
ATTRIBUTE Login-Service 15 integer
ATTRIBUTE Login-TCP-Port 16 integer
ATTRIBUTE Reply-Message 18 string
ATTRIBUTE Callback-Number 19 string
ATTRIBUTE Callback-Id 20 string
ATTRIBUTE Framed-Route 22 string
ATTRIBUTE Framed-IPX-Network 23 ipaddr
ATTRIBUTE State 24 string
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Idle-Timeout 28 integer
ATTRIBUTE Termination-Action 29 integer
ATTRIBUTE Called-Station-Id 30 string
ATTRIBUTE Calling-Station-Id 31 string
ATTRIBUTE Acct-Status-Type 40 integer
ATTRIBUTE Acct-Delay-Time 41 integer
ATTRIBUTE Acct-Input-Octets 42 integer
ATTRIBUTE Acct-Output-Octets 43 integer
ATTRIBUTE Acct-Session-Id 44 string
ATTRIBUTE Acct-Authentic 45 integer
ATTRIBUTE Acct-Session-Time 46 integer
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
ATTRIBUTE Acct-Terminate-Cause 49 integer
ATTRIBUTE Chap-Challenge 60 string
ATTRIBUTE NAS-Port-Type 61 integer
ATTRIBUTE Port-Limit 62 integer
ATTRIBUTE Connect-Info 77 string
ATTRIBUTE Huntgroup-Name 221 string
ATTRIBUTE User-Category 1029 string
ATTRIBUTE Group-Name 1030 string
ATTRIBUTE Simultaneous-Use 1034 integer
ATTRIBUTE Strip-User-Name 1035 integer
ATTRIBUTE Fall-Through 1036 integer
ATTRIBUTE Add-Port-To-IP-Address 1037 integer
ATTRIBUTE Exec-Program 1038 string
ATTRIBUTE Exec-Program-Wait 1039 string
ATTRIBUTE Hint 1040 string
ATTRIBUTE Expiration 21 date
ATTRIBUTE Auth-Type 1000 integer
ATTRIBUTE Menu 1001 string
ATTRIBUTE Termination-Menu 1002 string
ATTRIBUTE Prefix 1003 string
ATTRIBUTE Suffix 1004 string
ATTRIBUTE Group 1005 string
ATTRIBUTE Crypt-Password 1006 string
ATTRIBUTE Connect-Rate 1007 integer
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
VALUE Service-Type Callback-Framed-User 4
VALUE Service-Type Outbound-User 5
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt-User 7
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
VALUE Framed-Routing None 0
VALUE Framed-Routing Broadcast 1
VALUE Framed-Routing Listen 2
VALUE Framed-Routing Broadcast-Listen 3
VALUE Framed-Compression None 0
VALUE Framed-Compression Van-Jacobson-TCP-IP 1
VALUE Login-Service Telnet 0
VALUE Login-Service Rlogin 1
VALUE Login-Service TCP-Clear 2
VALUE Login-Service PortMaster 3
VALUE Acct-Status-Type Start 1
VALUE Acct-Status-Type Stop 2
VALUE Acct-Status-Type Accounting-On 7
VALUE Acct-Status-Type Accounting-Off 8
VALUE Acct-Authentic RADIUS 1
VALUE Acct-Authentic Local 2
VALUE Acct-Authentic PowerLink128 100
VALUE Termination-Action Default 0
VALUE Termination-Action RADIUS-Request 1
VALUE NAS-Port-Type Async 0
VALUE NAS-Port-Type Sync 1
VALUE NAS-Port-Type ISDN 2
VALUE NAS-Port-Type ISDN-V120 3
VALUE NAS-Port-Type ISDN-V110 4
VALUE Acct-Terminate-Cause User-Request 1
VALUE Acct-Terminate-Cause Lost-Carrier 2
VALUE Acct-Terminate-Cause Lost-Service 3
VALUE Acct-Terminate-Cause Idle-Timeout 4
VALUE Acct-Terminate-Cause Session-Timeout 5
VALUE Acct-Terminate-Cause Admin-Reset 6
VALUE Acct-Terminate-Cause Admin-Reboot 7
VALUE Acct-Terminate-Cause Port-Error 8
VALUE Acct-Terminate-Cause NAS-Error 9
VALUE Acct-Terminate-Cause NAS-Request 10
VALUE Acct-Terminate-Cause NAS-Reboot 11
VALUE Acct-Terminate-Cause Port-Unneeded 12
VALUE Acct-Terminate-Cause Port-Preempted 13
VALUE Acct-Terminate-Cause Port-Suspended 14
VALUE Acct-Terminate-Cause Service-Unavailable 15
VALUE Acct-Terminate-Cause Callback 16
VALUE Acct-Terminate-Cause User-Error 17
VALUE Acct-Terminate-Cause Host-Request 18
VALUE Auth-Type Local 0
VALUE Auth-Type System 1
VALUE Auth-Type SecurID 2
VALUE Auth-Type Crypt-Local 3
VALUE Auth-Type Reject 4
VALUE Auth-Type Pam 253
VALUE Auth-Type None 254
VALUE Fall-Through No 0
VALUE Fall-Through Yes 1
VALUE Add-Port-To-IP-Address No 0
VALUE Add-Port-To-IP-Address Yes 1
ATTRIBUTE Acct-Interim-Interval 85 integer
ATTRIBUTE Session-Octets-Limit 227 integer
ATTRIBUTE Octets-Direction 228 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit 230 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit 231 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-1 232 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-1 233 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-2 234 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-2 235 integer
ATTRIBUTE PPPD-Upstream-Speed-Limit-3 236 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit-3 237 integer
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft

8. In the /etc/radiusclient/ directory I add the file dictionary.microsoft with the following content:

#
# Microsoft's VSA's, from RFC 2548
#
# $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#
VENDOR Microsoft 311 Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
#
# Integer Translations
#
# MS-BAP-Usage Values
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
# MS-ARAP-Password-Change-Reason Values
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
# MS-Acct-Auth-Type Values
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
# MS-Acct-EAP-Type Values
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13

9. Next I start radius in debug mode with freeradius -X; when connecting to my VPN server, error 691 is returned. The radius output in the terminal:

rad_recv: Access-Request packet from host 127.0.0.1 port 60094, id=107, length=145
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "123"
MS-CHAP-Challenge = 0x7c5280745ebc569de38e52113152bddb
MS-CHAP2-Response = 0xc9000c9033e0d879d188c0863f53c757ea6100000000000000006b7504e8984c7dd95e6e8437a8b7d44c2ccb3c4b28feda15
Calling-Station-Id = "192.168.0.77"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
+- entering group authorize {...}
++[preprocess] returns ok
Exec-Program output: Cleartext-Password := "123123"
Exec-Program-Wait: value-pairs: Cleartext-Password := "123123"
Exec-Program: returned: 0
++[abills_preauth] returns ok
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
Exec-Program output: Session-Timeout = 2439581, MS-MPPE-Encryption-Types = 0x00000006, Session-Octets-Limit = 2146435072, MS-CHAP2-SUCCESS = 0xc9533d38413044424542383344333536333534344342454136394241333139324232333341393338464634, MS-MPPE-Encryption-Policy = 0x00000001, Acct-Interim-Interval = 120, Octets-Direction = 0, Framed-IP-Address = 172.16.0.18, Framed-IP-Netmask = 255.255.255.255,
Exec-Program-Wait: value-pairs: Session-Timeout = 2439581, MS-MPPE-Encryption-Types = 0x00000006, Session-Octets-Limit = 2146435072, MS-CHAP2-SUCCESS = 0xc9533d38413044424542383344333536333534344342454136394241333139324232333341393338464634, MS-MPPE-Encryption-Policy = 0x00000001, Acct-Interim-Interval = 120, Octets-Direction = 0, Framed-IP-Address = 172.16.0.18, Framed-IP-Netmask = 255.255.255.255,
Exec-Program: returned: 0
++[abills_auth] returns ok
Found Auth-Type = MSCHAP
WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
Exec-Program output:
Exec-Program: returned: 0
++[abills_postauth] returns ok
Sending Access-Reject of id 107 to 127.0.0.1 port 60094
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Session-Timeout = 2439581
MS-MPPE-Encryption-Types = 0x00000006
Session-Octets-Limit = 2146435072
MS-CHAP2-Success = 0xc9533d38413044424542383344333536333534344342454136394241333139324232333341393338464634
MS-MPPE-Encryption-Policy = 0x00000001
Acct-Interim-Interval = 120
Octets-Direction = Route-IP-No
Framed-IP-Address = 172.16.0.18
Framed-IP-Netmask = 255.255.255.255
Finished request 0.
Going to the next request
Waking up in 4.5 seconds.
Cleaning up request 0 ID 107 with timestamp +25
Ready to process requests.

10. The log /var/log/pptpd.log shows:

Plugin radattr.so loaded.
RADATTR plugin initialized.
Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pptpd-logwtmp: $Version$
using channel 29
Using interface ppp1
Connect: ppp1 <--> /dev/pts/3
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x4e90e303> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x1c6e2d4d> <pcomp> <accomp> <callback CBCP>]
sent [LCP ConfRej id=0x0 <callback CBCP>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x1c6e2d4d> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x1c6e2d4d> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x4e90e303> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x4e90e303> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x4e90e303]
sent [CHAP Challenge id=0xc9 <7c5280745ebc569de38e52113152bddb>, name = "pptpd"]
rcvd [LCP Ident id=0x2 magic=0x1c6e2d4d "MSRASV5.20"]
rcvd [LCP Ident id=0x3 magic=0x1c6e2d4d "MSRAS-0-LKHARLAMOV-PC"]
rcvd [LCP Ident id=0x4 magic=0x1c6e2d4d "\37777777770\37777777643\37777777612|S\37777777742\031F\37777777615Bf\37777777764nj\37777777642E"]
rcvd [LCP EchoRep id=0x0 magic=0x1c6e2d4d]
rcvd [CHAP Response id=0xc9 <0c9033e0d879d188c0863f53c757ea6100000000000000006b7504e8984c7dd95e6e8437a8b7d44c2ccb3c4b28feda1500>, name = "123"]
rc_check_reply: received invalid reply digest from RADIUS server
Peer 123 failed CHAP authentication
sent [CHAP Failure id=0xc9 ""]
sent [LCP TermReq id=0x2 "Authentication failed"]
rcvd [CHAP Response id=0xc9 <0c9033e0d879d188c0863f53c757ea6100000000000000006b7504e8984c7dd95e6e8437a8b7d44c2ccb3c4b28feda1500>, name = "123"]
Discarded non-LCP packet when LCP not open
rcvd [LCP TermAck id=0x2 "Authentication failed"]
Connection terminated.
RADATTR plugin removed file /var/run/radattr.ppp1.

11. The ABillS log shows:

2009-04-02 18:20:20 LOG_WARNING: AUTH [123] REJECT Wrong password CID 192.168.0.77

Sorry for such a long post, but I wanted to put as much information as possible before the community.
So what else is it missing in order to work?
...hoping for a miracle...
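The line "rc_check_reply: received invalid reply digest from RADIUS server" in the pptpd log above is radiusclient failing the RFC 2865 Response Authenticator check on the server's reply. Below is that check in Python as an added example (not code from the post, from FreeRADIUS or from ABillS): the packet bytes and the Reply-Message value are constructed, the secret testing123 is the one from /etc/radiusclient/servers above, and the check fails the same way whether the two sides hold different secrets or the reply was altered in transit, so it is worth ruling out a secret mismatch (clients.conf vs. /etc/radiusclient/servers) when this message appears.

```python
"""RFC 2865 Response Authenticator, as verified by a RADIUS client on every
Access-Accept / Access-Reject.  Added example; packet contents constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REJECT = 3
REPLY_MESSAGE = 18  # standard attribute number (also in the dictionary above)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (2-byte header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_reply(code: int, ident: int, request_auth: bytes,
                attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def check_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the digest with our own copy of the secret and
    the Request Authenticator we sent; reject the reply on any mismatch."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> dict:
    """Constructed Access-Reject (id 107, as in the debug output above) checked
    with the matching secret, a wrong secret, and after one flipped bit."""
    request_auth = os.urandom(16)  # the NAS chooses this per Access-Request
    attrs = encode_attr(REPLY_MESSAGE, b"Wrong password")  # constructed value
    reply = build_reply(ACCESS_REJECT, 107, request_auth, attrs, b"testing123")
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])  # same length, one bit changed
    return {
        "matching_secret": check_reply(reply, request_auth, b"testing123"),
        "mismatched_secret": check_reply(reply, request_auth, b"wrongsecret"),
        "tampered_attrs": check_reply(tampered, request_auth, b"testing123"),
    }


if __name__ == "__main__":
    print(demo())
```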