Итак, имею:
Gentoo 2006, kernel 2.6.17, ABillS 0.33b, pptpd v1.2.3, pppd version 2.4.4, FreeRADIUS Version 1.1.0
w2k клиент логинится по MS-CHAPv2, однако, пинги на сервак не проходят. При выключенном шифровании все ОК, однако это не есть гуд... Очень хочется поиметь реальный VPN!
Да, еще, при авторизации из /etс/ppp/chap-secrets все работет (MS-CHAPv2 + MPPE 128-bit stateless compression)
Конфиги:
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.188.2.4.2.4 2005/12/28 19:51:07 aland Exp $
##
# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
#
# The logging messages for the server are appended to the
# tail of this file.
#
log_file = ${logdir}/radius.log
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = ${exec_prefix}/lib
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root ( or have root privleges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in daemon mode, it may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
user = radiusd
group = radiusd
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
#
# If you're running in threaded, or thread pool mode, this setting
# should probably be 'no'. Setting it to 'yes' when using a threaded
# server MAY cause the server to crash!
#
delete_blocked_requests = no
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024
# bind_address: Make the server listen on a particular IP address, and
# send replies out from that address. This directive is most useful
# for machines with multiple IP addresses on one interface.
#
# It can either contain "*", or an IP address, or a fully qualified
# Internet domain name. The default is "*"
#
# As of 1.0, you can also use the "listen" directive. See below for
# more information.
#
bind_address = *
# port: Allows you to bind FreeRADIUS to a specific port.
#
# The default port that most NAS boxes use is 1645, which is historical.
# RFC 2138 defines 1812 to be the new port. Many new servers and
# NAS boxes use 1812, which can create interoperability problems.
#
# The port is defined here to be 0 so that the server will pick up
# the machine's local configuration for the radius port, as defined
# in /etc/services.
#
# If you want to use the default RADIUS port as defined on your server,
# (usually through 'grep radius /etc/services') set this to 0 (zero).
#
# A port given on the command-line via '-p' over-rides this one.
#
# As of 1.0, you can also use the "listen" directive. See below for
# more information.
#
port = 0
#
# By default, the server uses "bind_address" to listen to all IP's
# on a machine, or just one IP. The "port" configuration is used
# to select the authentication port used when listening on those
# addresses.
#
# If you want the server to listen on additional addresses, you can
# use the "listen" section. A sample section (commented out) is included
# below. This "listen" section duplicates the functionality of the
# "bind_address" and "port" configuration entries, but it only listens
# for authentication packets.
#
# If you comment out the "bind_address" and "port" configuration entries,
# then it becomes possible to make the server accept only accounting,
# or authentication packets. Previously, it always listened for both
# types of packets, and it was impossible to make it listen for only
# one type of packet.
#
#listen {
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
# ipaddr = *
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
# port = 0
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
#
# type = auth
#}
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
log_auth = no
# Log passwords with the authentication requests.
# log_auth_badpass - logs password if it's rejected
# log_auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no
# usercollide: Turn "username collision" code on and off. See the
# "doc/duplicate-users" file
#
# WARNING
# !!!!!!! Setting this to "yes" may result in the server behaving
# !!!!!!! strangely. The "username collision" code will ONLY work
# !!!!!!! with clear-text passwords. Even then, it may not do what
# !!!!!!! you want, or what you expect.
# !!!!!!!
# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature,
# !!!!!!! and that you find another way of acheiving the same goal.
# !!!!!!!
# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover'
# WARNING
#
usercollide = no
# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
# If "before", the server will first modify the request and then try
# to auth the user. If "after", the server will first auth using the
# values provided by the user. If that fails it will reprocess the
# request after modifying it as you specify below.
#
# This is as close as we can get to case insensitivity. It is the
# admin's job to ensure that the username on the auth db side is
# *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no
# nospace_user / nospace_pass:
#
# Some users like to enter spaces in their username or password
# incorrectly. To save yourself the tech support call, you can
# eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200
#
# delayed_reject: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# Normally this should be set to "no", because they're useless.
# See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
#
# However, certain NAS boxes may require them.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept packet, containing a Reply-Message attribute,
# which is a string describing how long the server has been
# running.
#
status_server = no
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE ${confdir}/clients.conf
# SNMP CONFIGURATION
#
# Snmp configuration is only valid if SNMP support was enabled
# at compile time.
#
# To enable SNMP querying of the server, set the value of the
# 'snmp' attribute to 'yes'
#
snmp = no
$INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
exec pre_auth {
wait = yes
program = "/usr/abills/libexec/rauth.pl pre_auth"
input_pairs = request
output_pairs = config
}
exec post_auth {
wait = yes
program = "/usr/abills/libexec/rauth.pl post_auth"
input_pairs = request
output_pairs = config
}
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# below for an example.
#
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption schemes
# clear: Clear text
# crypt: Unix crypt
# md5: MD5 ecnryption
# sha1: SHA1 encryption.
# DEFAULT: crypt
pap {
encryption_scheme = crypt
}
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
authtype = CHAP
}
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}
# Unix /etc/passwd style authentication
#
unix {
#
# Cache /etc/passwd, /etc/shadow, and /etc/group
#
# The default is to NOT cache them.
#
# For FreeBSD and NetBSD, you do NOT want to enable
# the cache, as it's password lookups are done via a
# database, so set this value to 'no'.
#
# Some systems (e.g. RedHat Linux with pam_pwbd) can
# take *seconds* to check a password, when th passwd
# file containing 1000's of entries. For those systems,
# you should set the cache value to 'yes', and set
# the locations of the 'passwd', 'shadow', and 'group'
# files, below.
#
# allowed values: {no, yes}
cache = no
# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600
#
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
# To force the module to use the system password functions,
# instead of reading the files, leave the following entries
# commented out.
#
# This is required for some systems, like FreeBSD,
# and Mac OSX.
#
# passwd = /etc/passwd
# shadow = /etc/shadow
# group = /etc/group
#
# The location of the "wtmp" file.
# This should be moved to it's own module soon.
#
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
radwtmp = ${logdir}/radwtmp
}
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE ${confdir}/eap.conf
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# As of 0.9, the mschap module does NOT support
# reading from /etc/smbpasswd.
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally should be MS-CHAP
authtype = MS-CHAP
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
#use_mppe = no
use_mppe = yes
# if mppe is enabled require_encryption makes
# encryption moderate
#
#require_encryption = yes
require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
#require_strong = yes
require_strong = yes
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
server = "ldap.your.domain"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
#
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = "{clear}"
#
# Set:
# password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
# password_attribute = userPassword
#
# Un-comment the following to disable Novell eDirectory account
# policy check and intruder detection. This will work *only if*
# FreeRADIUS is configured to build with --with-edir option.
#
# edir_account_policy_check=no
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
}
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these modules
#
# parameters are:
# filename - path to filename
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
# Attribute marked as '=' is added to reply_itmes instead
# of default configure_itmes
# Attribute marked as '~' is added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
# authtype - if record found this Auth-Type is used to authenticate
# user
# hashsize - hashtable size. If 0 or not specified records are not
# stored in memory and file is red on every request.
# allowmultiplekeys - if few records for every key are allowed
# ignorenislike - ignore NIS-related records
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\0', '\n' are
# not allowed
#
# An example configuration for using /etc/smbpasswd.
#
#passwd etc_smbpasswd {
# filename = /etc/smbpasswd
# format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# authtype = MS-CHAP
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
#}
# Similar configuration, for the /etc/group file. Adds a Group-Name
# attribute for every group that the user is member of.
#
#passwd etc_group {
# filename = /etc/group
# format = "=Group-Name:::*,User-Name"
# hashsize = 50
# ignorenislike = yes
# allowmultiplekeys = yes
# delimiter = ":"
#}
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined by the order in the authorize and
# preacct sections.
#
# Four config options:
# format - must be 'prefix' or 'suffix'
# delimiter - must be a single character
# ignore_default - set to 'yes' or 'no'
# ignore_null - set to 'yes' or 'no'
#
# ignore_default and ignore_null can be set to 'yes' to prevent
# the module from matching against DEFAULT or NULL realms. This
# may be useful if you have have multiple instances of the
# realm module.
#
# They both default to 'no'.
#
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# A simple value checking module
#
# It can be used to check if an attribute value in the request
# matches a (possibly multi valued) attribute in the check
# items This can be used for example for caller-id
# authentication. For the module to run, both the request
# attribute and the check items attribute must exist
#
# i.e.
# A user has an ldap entry with 2 radiusCallingStationId
# attributes with values "12345678" and "12345679". If we
# enable rlm_checkval, then any request which contains a
# Calling-Station-Id with one of those two values will be
# accepted. Requests with other values for
# Calling-Station-Id will be rejected.
#
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
#
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
# rewrite arbitrary packets. Useful in accounting and authorization.
#
#
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
#
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply, proxy, proxy_reply or config).
# searchfor,ignore_case and max_matches will be ignored in that case.
#
# Backreferences are supported: %{0} will contain the string the whole match
# and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
#
# If max_matches is greater than one the backreferences will correspond to the
# first match
#
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# new_attribute = no
# max_matches = 10
# ## If set to yes then the replace string will be appended to the original string
# append = no
#}
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}
# Livingston-style 'users' file
#
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request. The Client-IP-Address attribute is ALWAYS
# the address of the client which sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0600
}
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
# detail auth_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
# detail reply_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
# detail pre_proxy_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
# detail post_proxy_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }
#
# The rlm_sql_log module appends the SQL queries in a log
# file which is read later by the radsqlrelay program.
#
# This module only performs the dynamic expansion of the
# variables found in the SQL statements. No operation is
# executed on the database server. (this could be done
# later by an external program) That means the module is
# useful only with non-"SELECT" statements.
#
# See rlm_sql_log(5) manpage.
#
# sql_log {
# path = ${radacctdir}/sql-relay
# acct_table = "radacct"
# postauth_table = "radpostauth"
#
# Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '%S', '0', '0', '');"
# Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
# '%{Acct-Terminate-Cause}');"
# Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
#
# Post-Auth = "INSERT INTO ${postauth_table} \
# (user, pass, reply, date) VALUES \
# ('%{User-Name}', '%{User-Password:-Chap-Password}', \
# '%{reply:Packet-Type}', '%S');"
# }
#
# Create a unique accounting session Id. Many NASes re-use
# or repeat values for Acct-Session-Id, causing no end of
# confusion.
#
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc/rlm_acct_unique for
# more information.
#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
# The following configuration file is for use with MySQL.
#
# For Postgresql, use: ${confdir}/postgresql.conf
# For MS-SQL, use: ${confdir}/mssql.conf
# For Oracle, use: ${confdir}/oraclesql.conf
#
$INCLUDE ${confdir}/sql.conf
# For Cisco VoIP specific accounting with Postgresql,
# use: ${confdir}/pgsql-voip.conf
#
# You will also need the sql schema from:
# src/billing/cisco_h323_db_schema-postgres.sql
# Note: This config can be use AS WELL AS the standard sql
# config if you need SQL based Auth
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600
callerid = "yes"
}
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}/attrs
}
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add the
# value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
# If the count attribute is Acct-Session-Time then on each login
# we send back the remaining online time as a Session-Timeout attribute
#
# The counter-name can also be used instead of using the check-name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining seperate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# The 'sqlmod_inst' parameter holds the instance of the sql
# module to use when querying the SQL database. Normally it
# is just "sql". If you define more and one SQL module
# instance (usually for failover situations), you can
# specify which module has access to the Accounting Data
# (radacct table).
#
# The 'reset' parameter defines when the counters are all
# reset to zero. It can be hourly, daily, weekly, monthly or
# never. It can also be user defined. It should be of the
# form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
# The 'key' parameter specifies the unique identifier for the
# counter records (usually 'User-Name').
#
# The 'query' parameter specifies the SQL query used to get
# the current Counter value from the database. There are 3
# parameters that can be used in the query:
# %k 'key' parameter
# %b unix time value of beginning of reset period
# %e unix time value of end of reset period
#
# The 'check-name' parameter is the name of the 'check'
# attribute to use to access the counter in the 'users' file
# or SQL radcheck or radcheckgroup tables.
#
# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
# This query is the same as above, but demonstrates an
# additional counter parameter '%e' which is the
# timestamp for the end of the period
# query = "SELECT SUM(AcctSessionTime) FROM radacct \
# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
# This query is the same as above, but demonstrates an
# additional counter parameter '%e' which is the
# timestamp for the end of the period
# query = "SELECT SUM(AcctSessionTime) FROM radacct \
# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
}
#
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
#
# The 'expression' module currently has no configuration.
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
expr {
}
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in 'doc/variables.txt'
#
exec {
wait = yes
input_pairs = request
}
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
}
# Do server side ip pool management. Should be added in post-auth and
# accounting sections.
#
# The module also requires the existance of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools
# for different users. The Pool-Name attribute is a *check* item not
# a reply item.
#
# Example:
# radiusd.conf: ippool students { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
# ********* THEN ERASE THE DB FILES *********
#
ippool main_pool {
# range-start,range-stop: The start and end ip
# addresses for the ip pool
range-start = 192.168.1.1
range-stop = 192.168.3.254
# netmask: The network mask used for the ip's
netmask = 255.255.255.0
# cache-size: The gdbm cache size for the db
# files. Should be equal to the number of ip's
# available in the ip pool
cache-size = 800
# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/db.ippool
# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex
# override: Will this ippool override a Framed-IP-Address already set
override = no
# maximum-timeout: If not zero specifies the maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
}
# OTP token support. Not included by default.
# $INCLUDE ${confdir}/otp.conf
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initalized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
pre_auth
preprocess
mschap
suffix
files
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
# digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess
#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique
#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
suffix
# ntdomain
#
# Read the 'acct_users' file
files
}
#
# Accounting. Log the accounting data.
#
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily
# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
unix
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp
# Return an address to the IP Pool when we see a stop record.
# main_pool
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
# sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
# Cisco VoIP specific bulk accounting
# pgsql-voip
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Querie" in sql.conf
# sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
Post-Auth-Type REJECT {
post_auth
}
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log
# attr_rewrite
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
}
/etc/pptpd.conf
ppp /opt/ppp/sbin/pppd
option /etc/ppp/options.pptpd
debug
speed 115200
localip 12.0.0.1
noipparam
/etc/ppp/options
lock
debug 4
require-mppe-128
require-mschap-v2
mtu 1454
/etc/ppp/options.pptpd
plugin radius.so
plugin radattr.so
nobsdcomp
nodeflate
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
proxyarp
dump
ms-dns 12.0.0.254
debug 4
И логи:
/var/log/syslog
Jul 19 15:35:44 [pptpd] MGR: Manager process started
Jul 19 15:35:44 [pptpd] MGR: Maximum of 100 connections available
Jul 19 15:36:03 [pptpd] CTRL: Client 10.69.101.118 control connection started
Jul 19 15:36:03 [pptpd] CTRL: Starting call (launching pppd, opening GRE)
Jul 19 15:36:03 [pppd] Plugin radius.so loaded.
Jul 19 15:36:03 [pppd] RADIUS plugin initialized.
Jul 19 15:36:03 [pppd] Plugin radattr.so loaded.
Jul 19 15:36:03 [pppd] RADATTR plugin initialized.
Jul 19 15:36:03 [pppd] pppd options in effect:
Jul 19 15:36:03 [pppd] debug debug__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] dump__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] plugin radi
и опять mppe...
-
Гость
Продолжение "и опять mppe"
И логи:
/var/log/syslog
Jul 19 15:35:44 [pptpd] MGR: Manager process started
Jul 19 15:35:44 [pptpd] MGR: Maximum of 100 connections available
Jul 19 15:36:03 [pptpd] CTRL: Client 10.69.101.118 control connection started
Jul 19 15:36:03 [pptpd] CTRL: Starting call (launching pppd, opening GRE)
Jul 19 15:36:03 [pppd] Plugin radius.so loaded.
Jul 19 15:36:03 [pppd] RADIUS plugin initialized.
Jul 19 15:36:03 [pppd] Plugin radattr.so loaded.
Jul 19 15:36:03 [pppd] RADATTR plugin initialized.
Jul 19 15:36:03 [pppd] pppd options in effect:
Jul 19 15:36:03 [pppd] debug debug__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] dump__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] plugin radius.so__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] plugin radattr.so__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] require-mschap-v2__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] refuse-pap__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] refuse-chap__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] refuse-mschap__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] 115200__# (from command line)
Jul 19 15:36:03 [pppd] lock__# (from /etc/ppp/options)
Jul 19 15:36:03 [pppd] local__# (from command line)
Jul 19 15:36:03 [pppd] mtu 1454__# (from /etc/ppp/options)
Jul 19 15:36:03 [pppd] ms-dns xxx # [don't know how to print value]__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] proxyarp__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] 12.0.0.1:192.168.1.1__# (from command line)
Jul 19 15:36:03 [pppd] nobsdcomp__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] nodeflate__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] require-mppe-128__# (from /etc/ppp/options)
Jul 19 15:36:03 [pppd] pppd 2.4.4 started by root, uid 0
Jul 19 15:36:03 [pppd] Using interface ppp0
Jul 19 15:36:03 [pppd] Connect: ppp0 <--> /dev/pts/8
Jul 19 15:36:03 [pptpd] GRE: Bad checksum from pppd.
Jul 19 15:36:06 [pptpd] CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jul 19 15:36:07 [pppd] MPPE 128-bit stateless compression enabled
Jul 19 15:36:08 [pppd] Cannot determine ethernet address for proxy ARP
Jul 19 15:36:08 [pppd] local IP address 12.0.0.1
Jul 19 15:36:08 [pppd] remote IP address 12.0.0.5
Jul 19 15:36:08 [pppd] Unsupported protocol 0x71 received
Jul 19 15:36:09 [pppd] Unsupported protocol 0xf1 received
Jul 19 15:36:09 [pppd] Unsupported protocol 0x11 received
Jul 19 15:36:10 [pppd] Unsupported protocol 0xe07d received
Jul 19 15:36:12 [pppd] Unsupported protocol 0x9637 received
Jul 19 15:36:13 [pppd] Unsupported protocol 0xf24e received
Jul 19 15:36:15 [pppd] Unsupported protocol 0x222c received
Jul 19 15:36:16 [pppd] Unsupported protocol 0xa22e received
Jul 19 15:36:18 [pppd] Unsupported protocol 0xe401 received
Jul 19 15:36:19 [pppd] Unsupported protocol 0x37 received
Jul 19 15:36:22 [pppd] Unsupported protocol 0x8210 received
Jul 19 15:36:24 [pppd] Unsupported protocol 0xf1 received
Jul 19 15:36:24 [pppd] Unsupported protocol 0xae2f received
Jul 19 15:36:24 [pppd] Unsupported protocol 0x77 received
Jul 19 15:36:24 [pppd] Unsupported protocol 0xcb received
Jul 19 15:36:25 [pppd] Unsupported protocol 0x58d8 received
Jul 19 15:36:27 [pppd] Unsupported protocol 0x5a62 received
Jul 19 15:36:28 [pppd] Unsupported protocol 0x9b received
Jul 19 15:36:30 [pppd] Unsupported protocol 0xbf received
Jul 19 15:36:31 [pppd] Unsupported protocol 0x5a1e received
Jul 19 15:36:33 [pppd] Unsupported protocol 0x5ea6 received
Jul 19 15:36:34 [pppd] Unsupported protocol 'NETBIOS Framing' (0x3f) received
Jul 19 15:36:36 [pppd] Unsupported protocol 0x89 received
Jul 19 15:36:37 [pppd] Unsupported protocol 0x5a49 received
Jul 19 15:36:39 [pppd] Unsupported protocol 0x8868 received
Jul 19 15:36:39 [pppd] Unsupported protocol 'RTP IPHC Full Header' (0x61) received
Jul 19 15:36:40 [pppd] Unsupported protocol 0xaa9f received
Jul 19 15:36:42 [pppd] Unsupported protocol 0xb8ef received
Jul 19 15:36:43 [pppd] Unsupported protocol 0x5081 received
Jul 19 15:36:45 [pppd] Unsupported protocol 0x9b received
Jul 19 15:36:46 [pppd] Unsupported protocol 0x4e64 received
Jul 19 15:36:47 [pppd] Unsupported protocol 'RTP IPHC Compressed non-TCP' (0x65) received
Jul 19 15:36:48 [pppd] Unsupported protocol 0x7 received
Jul 19 15:36:49 [pppd] Unsupported protocol 0xc3 received
Jul 19 15:36:51 [pppd] Unsupported protocol 'RTP IPHC Compressed TCP' (0x63) received
Jul 19 15:36:52 [pppd] Unsupported protocol 0x7cdb received
Jul 19 15:36:54 [pppd] Unsupported protocol 0xa447 received
и т.д....
вот что говорит radiusd -xxx
Wed Jul 19 15:36:06 2006 : Debug: --- Walking the entire request list ---
Wed Jul 19 15:36:06 2006 : Debug: Cleaning up request 0 ID 203 with timestamp 44bdfcef
Wed Jul 19 15:36:06 2006 : Debug: Waking up in 31 seconds...
Wed Jul 19 15:36:06 2006 : Debug: Thread 2 got semaphore
Wed Jul 19 15:36:06 2006 : Debug: Thread 2 handling request 1, (1 handled so far)
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "test1"
MS-CHAP-Challenge = 0x439f2a356e32dfd767a10d1b740532b4
MS-CHAP2-Response = 0x3c00eb7369d710960488c51fe44f15c5be2b000000000000000046b435bc2d00787e62c8f9489e911bab34f9391729f7305c
NAS-IP-Address = 10.69.101.197
NAS-Port = 0
Wed Jul 19 15:36:06 2006 : Debug: Processing the authorize section of radiusd.conf
Wed Jul 19 15:36:06 2006 : Debug: modcall: entering group authorize for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: calling pre_auth (rlm_exec) for request 1
Wed Jul 19 15:36:06 2006 : Debug: radius_xlat: '/usr/abills/libexec/rauth.pl pre_auth'
Wed Jul 19 15:36:06 2006 : Debug: Exec-Program: /usr/abills/libexec/rauth.pl pre_auth
Wed Jul 19 15:36:06 2006 : Debug: Exec-Program output: User-Password == "12345678"
Wed Jul 19 15:36:06 2006 : Debug: Exec-Program-Wait: value-pairs: User-Password == "12345678"
Wed Jul 19 15:36:06 2006 : Debug: Exec-Program: returned: 0
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: returned from pre_auth (rlm_exec) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authorize]: module "pre_auth" returns ok for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1
Wed Jul 19 15:36:06 2006 : Debug: rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authorize]: module "mschap" returns ok for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1
Wed Jul 19 15:36:06 2006 : Debug: rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
Wed Jul 19 15:36:06 2006 : Debug: rlm_realm: No such realm "NULL"
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authorize]: module "suffix" returns noop for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1
Wed Jul 19 15:36:06 2006 : Debug: users: Matched entry DEFAULT at line 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authorize]: module "files" returns ok for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall: leaving group authorize (returns ok) for request 1
Wed Jul 19 15:36:06 2006 : Debug: rad_check_password: Found Auth-Type MS-CHAP
Wed Jul 19 15:36:06 2006 : Debug: auth: type "MS-CHAP"
Wed Jul 19 15:36:06 2006 : Debug: Processing the authenticate section of radiusd.conf
Wed Jul 19 15:36:06 2006 : Debug: modcall: entering group MS-CHAP for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 1
Wed Jul 19 15:36:06 2006 : Debug: rlm_mschap: Told to do MS-CHAPv2 for test1 with NT-Password
Wed Jul 19 15:36:06 2006 : Debug: rlm_mschap: adding MS-CHAPv2 MPPE keys
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authenticate]: module "mschap" returns ok for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall: leaving group MS-CHAP (returns ok) for request 1
Wed Jul 19 15:36:06 2006 : Debug: radius_xlat: '/usr/abills/libexec/rauth.pl'
Wed Jul 19 15:36:06 2006 : Debug: Exec-Program: /usr/abills/libexec/rauth.pl
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Wed Jul 19 15:36:07 2006 : Debug: Exec-Program output: Session-Timeout = 1067033, MS-MPPE-Encryption-Types = 0x00000006, Session-Octets-Limit = 51559949.9264, MS-CHAP2-SUCCESS = 0x3c533d42363631334542423245344432353445463641374645373031324442454430303142374535383544, MS-MPPE-Encryption-Policy = 0x00000001, Octets-Direction = 1, Framed-IP-Address = 12.0.0.5, Framed-IP-Netmask = 255.255.255.255, MS-CHAP-MPPE-Keys = 0x0182bd0bd4444bf86b2562426193337426d747e0e9f4ab180000000000000000,
Wed Jul 19 15:36:07 2006 : Debug: Exec-Program-Wait: value-pairs: Session-Timeout = 1067033, MS-MPPE-Encryption-Types = 0x00000006, Session-Octets-Limit = 51559949.9264, MS-CHAP2-SUCCESS = 0x3c533d42363631334542423245344432353445463641374645373031324442454430303142374535383544, MS-MPPE-Encryption-Policy = 0x00000001, Octets-Direction = 1, Framed-IP-Address = 12.0.0.5, Framed-IP-Netmask = 255.255.255.255, MS-CHAP-MPPE-Keys = 0x0182bd0bd4444bf86b2562426193337426d747e0e9f4ab180000000000000000,
Wed Jul 19 15:36:07 2006 : Debug: Exec-Program: returned: 0
Sending Access-Accept of id 204 to 127.0.0.1 port 1025
MS-CHAP2-Success = 0x3c533d42363631334542423245344432353445463641374645373031324442454430303142374535383544
MS-MPPE-Recv-Key = 0x03e794ca9f953372f7a17b85225f07ab
MS-MPPE-Send-Key = 0x560a3dc5cd0ef47ddc9b274438473fb5
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
Session-Timeout = 1067033
Session-Octets-Limit = 51559949
Octets-Direction = Route-IP-Yes
Framed-IP-Address = 12.0.0.5
Framed-IP-Netmask = 255.255.255.255
MS-CHAP-MPPE-Keys = 0x0182bd0bd4444bf86b2562426193337426d747e0e9f4ab180000000000000000
Wed Jul 19 15:36:07 2006 : Debug: Finished request 1
Wed Jul 19 15:36:07 2006 : Debug: Going to the next request
Wed Jul 19 15:36:07 2006 : Debug: Thread 2 waiting to be assigned a request
rad_recv: Accounting-Request packet from host 127.0.0.1:1025, id=205, length=97
Wed Jul 19 15:36:08 2006 : Debug: --- Walking the entire request list ---
Wed Jul 19 15:36:08 2006 : Debug: Waking up in 4 seconds...
Wed Jul 19 15:36:08 2006 : Debug: Thread 3 got semaphore
Wed Jul 19 15:36:08 2006 : Debug: Thread 3 handling request 2, (1 handled so far)
Acct-Session-Id = "44BDFD08701000"
User-Name = "test1"
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 12.0.0.5
NAS-IP-Address = 10.69.101.197
NAS-Port = 0
Acct-Delay-Time = 0
Wed Jul 19 15:36:08 2006 : Debug: Processing the preacct section of radiusd.conf
Wed Jul 19 15:36:08 2006 : Debug: modcall: entering group preacct for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: calling preprocess (rlm_preprocess) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: returned from preprocess (rlm_preprocess) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[preacct]: module "preprocess" returns noop for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: calling acct_unique (rlm_acct_unique) for request 2
Wed Jul 19 15:36:08 2006 : Debug: rlm_acct_unique: Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 10.69.101.197,Acct-Session-Id = "44BDFD08701000",User-Name = "test1"'
Wed Jul 19 15:36:08 2006 : Debug: rlm_acct_unique: Acct-Unique-Session-ID = "e55937ac76ee7a28".
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: returned from acct_unique (rlm_acct_unique) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[preacct]: module "acct_unique" returns ok for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: calling suffix (rlm_realm) for request 2
Wed Jul 19 15:36:08 2006 : Debug: rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
Wed Jul 19 15:36:08 2006 : Debug: rlm_realm: No such realm "NULL"
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: returned from suffix (rlm_realm) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[preacct]: module "suffix" returns noop for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: calling files (rlm_files) for request 2
Wed Jul 19 15:36:08 2006 : Debug: acct_users: Matched entry DEFAULT at line 1
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: returned from files (rlm_files) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[preacct]: module "files" returns ok for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall: leaving group preacct (returns ok) for request 2
Wed Jul 19 15:36:08 2006 : Debug: Processing the accounting section of radiusd.conf
Wed Jul 19 15:36:08 2006 : Debug: modcall: entering group accounting for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: calling detail (rlm_detail) for request 2
Wed Jul 19 15:36:08 2006 : Debug: radius_xlat: '/var/log/radius/radacct/127.0.0.1/detail-20060719'
Wed Jul 19 15:36:08 2006 : Debug: rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20060719
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: returned from detail (rlm_detail) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[accounting]: module "detail" returns ok for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: calling unix (rlm_unix) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: returned from unix (rlm_unix) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[accounting]: module "unix" returns ok for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: calling radutmp (rlm_radutmp) for request 2
Wed Jul 19 15:36:08 2006 : Debug: radius_xlat: '/var/log/radius/radutmp'
Wed Jul 19 15:36:08 2006 : Debug: radius_xlat: 'test1'
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: returned from radutmp (rlm_radutmp) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[accounting]: module "radutmp" returns ok for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall: leaving group accounting (returns ok) for request 2
Wed Jul 19 15:36:08 2006 : Debug: radius_xlat: '/usr/abills/libexec/racct.pl'
Wed Jul 19 15:36:08 2006 : Debug: Exec-Program: /usr/abills/libexec/racct.pl
Sending Accounting-Response of id 205 to 127.0.0.1 port 1025
Wed Jul 19 15:36:08 2006 : Debug: Finished request 2
Wed Jul 19 15:36:08 2006 : Debug: Going to the next request
Wed Jul 19 15:36:08 2006 : Debug: Thread 3 waiting to be assigned a request
Wed Jul 19 15:36:12 2006 : Debug: --- Walking the entire request list ---
Wed Jul 19 15:36:12 2006 : Debug: Cleaning up request 1 ID 204 with timestamp 44bdfd06
Wed Jul 19 15:36:12 2006 : Debug: Waking up in 2 seconds...
Wed Jul 19 15:36:14 2006 : Debug: --- Walking the entire request list ---
Wed Jul 19 15:36:14 2006 : Debug: Cleaning up request 2 ID 205 with timestamp 44bdfd08
Wed Jul 19 15:36:14 2006 : Debug: Nothing to do. Sleeping until we see a request.
ну и /usr/abills/var/log/abills.log
2006-07-19 15:36:06 LOG_INFO: AUTH [test1] NAS: 2 (10.69.101.197) GT: 0.13290
все настраивал по
http://abills.asmodeus.com.ua/wiki/doku ... install:ru
http://abills.asmodeus.com.ua/wiki/doku ... bills:docs:
/var/log/syslog
Jul 19 15:35:44 [pptpd] MGR: Manager process started
Jul 19 15:35:44 [pptpd] MGR: Maximum of 100 connections available
Jul 19 15:36:03 [pptpd] CTRL: Client 10.69.101.118 control connection started
Jul 19 15:36:03 [pptpd] CTRL: Starting call (launching pppd, opening GRE)
Jul 19 15:36:03 [pppd] Plugin radius.so loaded.
Jul 19 15:36:03 [pppd] RADIUS plugin initialized.
Jul 19 15:36:03 [pppd] Plugin radattr.so loaded.
Jul 19 15:36:03 [pppd] RADATTR plugin initialized.
Jul 19 15:36:03 [pppd] pppd options in effect:
Jul 19 15:36:03 [pppd] debug debug__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] dump__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] plugin radius.so__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] plugin radattr.so__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] require-mschap-v2__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] refuse-pap__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] refuse-chap__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] refuse-mschap__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] 115200__# (from command line)
Jul 19 15:36:03 [pppd] lock__# (from /etc/ppp/options)
Jul 19 15:36:03 [pppd] local__# (from command line)
Jul 19 15:36:03 [pppd] mtu 1454__# (from /etc/ppp/options)
Jul 19 15:36:03 [pppd] ms-dns xxx # [don't know how to print value]__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] proxyarp__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] 12.0.0.1:192.168.1.1__# (from command line)
Jul 19 15:36:03 [pppd] nobsdcomp__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] nodeflate__# (from /etc/ppp/options.pptpd)
Jul 19 15:36:03 [pppd] require-mppe-128__# (from /etc/ppp/options)
Jul 19 15:36:03 [pppd] pppd 2.4.4 started by root, uid 0
Jul 19 15:36:03 [pppd] Using interface ppp0
Jul 19 15:36:03 [pppd] Connect: ppp0 <--> /dev/pts/8
Jul 19 15:36:03 [pptpd] GRE: Bad checksum from pppd.
Jul 19 15:36:06 [pptpd] CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jul 19 15:36:07 [pppd] MPPE 128-bit stateless compression enabled
Jul 19 15:36:08 [pppd] Cannot determine ethernet address for proxy ARP
Jul 19 15:36:08 [pppd] local IP address 12.0.0.1
Jul 19 15:36:08 [pppd] remote IP address 12.0.0.5
Jul 19 15:36:08 [pppd] Unsupported protocol 0x71 received
Jul 19 15:36:09 [pppd] Unsupported protocol 0xf1 received
Jul 19 15:36:09 [pppd] Unsupported protocol 0x11 received
Jul 19 15:36:10 [pppd] Unsupported protocol 0xe07d received
Jul 19 15:36:12 [pppd] Unsupported protocol 0x9637 received
Jul 19 15:36:13 [pppd] Unsupported protocol 0xf24e received
Jul 19 15:36:15 [pppd] Unsupported protocol 0x222c received
Jul 19 15:36:16 [pppd] Unsupported protocol 0xa22e received
Jul 19 15:36:18 [pppd] Unsupported protocol 0xe401 received
Jul 19 15:36:19 [pppd] Unsupported protocol 0x37 received
Jul 19 15:36:22 [pppd] Unsupported protocol 0x8210 received
Jul 19 15:36:24 [pppd] Unsupported protocol 0xf1 received
Jul 19 15:36:24 [pppd] Unsupported protocol 0xae2f received
Jul 19 15:36:24 [pppd] Unsupported protocol 0x77 received
Jul 19 15:36:24 [pppd] Unsupported protocol 0xcb received
Jul 19 15:36:25 [pppd] Unsupported protocol 0x58d8 received
Jul 19 15:36:27 [pppd] Unsupported protocol 0x5a62 received
Jul 19 15:36:28 [pppd] Unsupported protocol 0x9b received
Jul 19 15:36:30 [pppd] Unsupported protocol 0xbf received
Jul 19 15:36:31 [pppd] Unsupported protocol 0x5a1e received
Jul 19 15:36:33 [pppd] Unsupported protocol 0x5ea6 received
Jul 19 15:36:34 [pppd] Unsupported protocol 'NETBIOS Framing' (0x3f) received
Jul 19 15:36:36 [pppd] Unsupported protocol 0x89 received
Jul 19 15:36:37 [pppd] Unsupported protocol 0x5a49 received
Jul 19 15:36:39 [pppd] Unsupported protocol 0x8868 received
Jul 19 15:36:39 [pppd] Unsupported protocol 'RTP IPHC Full Header' (0x61) received
Jul 19 15:36:40 [pppd] Unsupported protocol 0xaa9f received
Jul 19 15:36:42 [pppd] Unsupported protocol 0xb8ef received
Jul 19 15:36:43 [pppd] Unsupported protocol 0x5081 received
Jul 19 15:36:45 [pppd] Unsupported protocol 0x9b received
Jul 19 15:36:46 [pppd] Unsupported protocol 0x4e64 received
Jul 19 15:36:47 [pppd] Unsupported protocol 'RTP IPHC Compressed non-TCP' (0x65) received
Jul 19 15:36:48 [pppd] Unsupported protocol 0x7 received
Jul 19 15:36:49 [pppd] Unsupported protocol 0xc3 received
Jul 19 15:36:51 [pppd] Unsupported protocol 'RTP IPHC Compressed TCP' (0x63) received
Jul 19 15:36:52 [pppd] Unsupported protocol 0x7cdb received
Jul 19 15:36:54 [pppd] Unsupported protocol 0xa447 received
и т.д....
вот что говорит radiusd -xxx
Wed Jul 19 15:36:06 2006 : Debug: --- Walking the entire request list ---
Wed Jul 19 15:36:06 2006 : Debug: Cleaning up request 0 ID 203 with timestamp 44bdfcef
Wed Jul 19 15:36:06 2006 : Debug: Waking up in 31 seconds...
Wed Jul 19 15:36:06 2006 : Debug: Thread 2 got semaphore
Wed Jul 19 15:36:06 2006 : Debug: Thread 2 handling request 1, (1 handled so far)
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "test1"
MS-CHAP-Challenge = 0x439f2a356e32dfd767a10d1b740532b4
MS-CHAP2-Response = 0x3c00eb7369d710960488c51fe44f15c5be2b000000000000000046b435bc2d00787e62c8f9489e911bab34f9391729f7305c
NAS-IP-Address = 10.69.101.197
NAS-Port = 0
Wed Jul 19 15:36:06 2006 : Debug: Processing the authorize section of radiusd.conf
Wed Jul 19 15:36:06 2006 : Debug: modcall: entering group authorize for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: calling pre_auth (rlm_exec) for request 1
Wed Jul 19 15:36:06 2006 : Debug: radius_xlat: '/usr/abills/libexec/rauth.pl pre_auth'
Wed Jul 19 15:36:06 2006 : Debug: Exec-Program: /usr/abills/libexec/rauth.pl pre_auth
Wed Jul 19 15:36:06 2006 : Debug: Exec-Program output: User-Password == "12345678"
Wed Jul 19 15:36:06 2006 : Debug: Exec-Program-Wait: value-pairs: User-Password == "12345678"
Wed Jul 19 15:36:06 2006 : Debug: Exec-Program: returned: 0
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: returned from pre_auth (rlm_exec) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authorize]: module "pre_auth" returns ok for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1
Wed Jul 19 15:36:06 2006 : Debug: rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authorize]: module "mschap" returns ok for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1
Wed Jul 19 15:36:06 2006 : Debug: rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
Wed Jul 19 15:36:06 2006 : Debug: rlm_realm: No such realm "NULL"
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authorize]: module "suffix" returns noop for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1
Wed Jul 19 15:36:06 2006 : Debug: users: Matched entry DEFAULT at line 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authorize]: module "files" returns ok for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall: leaving group authorize (returns ok) for request 1
Wed Jul 19 15:36:06 2006 : Debug: rad_check_password: Found Auth-Type MS-CHAP
Wed Jul 19 15:36:06 2006 : Debug: auth: type "MS-CHAP"
Wed Jul 19 15:36:06 2006 : Debug: Processing the authenticate section of radiusd.conf
Wed Jul 19 15:36:06 2006 : Debug: modcall: entering group MS-CHAP for request 1
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 1
Wed Jul 19 15:36:06 2006 : Debug: rlm_mschap: Told to do MS-CHAPv2 for test1 with NT-Password
Wed Jul 19 15:36:06 2006 : Debug: rlm_mschap: adding MS-CHAPv2 MPPE keys
Wed Jul 19 15:36:06 2006 : Debug: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall[authenticate]: module "mschap" returns ok for request 1
Wed Jul 19 15:36:06 2006 : Debug: modcall: leaving group MS-CHAP (returns ok) for request 1
Wed Jul 19 15:36:06 2006 : Debug: radius_xlat: '/usr/abills/libexec/rauth.pl'
Wed Jul 19 15:36:06 2006 : Debug: Exec-Program: /usr/abills/libexec/rauth.pl
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Character in 'C' format wrapped in pack at /usr/abills/libexec/..//Abills/DES.pm line 550.
Wed Jul 19 15:36:07 2006 : Debug: Exec-Program output: Session-Timeout = 1067033, MS-MPPE-Encryption-Types = 0x00000006, Session-Octets-Limit = 51559949.9264, MS-CHAP2-SUCCESS = 0x3c533d42363631334542423245344432353445463641374645373031324442454430303142374535383544, MS-MPPE-Encryption-Policy = 0x00000001, Octets-Direction = 1, Framed-IP-Address = 12.0.0.5, Framed-IP-Netmask = 255.255.255.255, MS-CHAP-MPPE-Keys = 0x0182bd0bd4444bf86b2562426193337426d747e0e9f4ab180000000000000000,
Wed Jul 19 15:36:07 2006 : Debug: Exec-Program-Wait: value-pairs: Session-Timeout = 1067033, MS-MPPE-Encryption-Types = 0x00000006, Session-Octets-Limit = 51559949.9264, MS-CHAP2-SUCCESS = 0x3c533d42363631334542423245344432353445463641374645373031324442454430303142374535383544, MS-MPPE-Encryption-Policy = 0x00000001, Octets-Direction = 1, Framed-IP-Address = 12.0.0.5, Framed-IP-Netmask = 255.255.255.255, MS-CHAP-MPPE-Keys = 0x0182bd0bd4444bf86b2562426193337426d747e0e9f4ab180000000000000000,
Wed Jul 19 15:36:07 2006 : Debug: Exec-Program: returned: 0
Sending Access-Accept of id 204 to 127.0.0.1 port 1025
MS-CHAP2-Success = 0x3c533d42363631334542423245344432353445463641374645373031324442454430303142374535383544
MS-MPPE-Recv-Key = 0x03e794ca9f953372f7a17b85225f07ab
MS-MPPE-Send-Key = 0x560a3dc5cd0ef47ddc9b274438473fb5
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
Session-Timeout = 1067033
Session-Octets-Limit = 51559949
Octets-Direction = Route-IP-Yes
Framed-IP-Address = 12.0.0.5
Framed-IP-Netmask = 255.255.255.255
MS-CHAP-MPPE-Keys = 0x0182bd0bd4444bf86b2562426193337426d747e0e9f4ab180000000000000000
Wed Jul 19 15:36:07 2006 : Debug: Finished request 1
Wed Jul 19 15:36:07 2006 : Debug: Going to the next request
Wed Jul 19 15:36:07 2006 : Debug: Thread 2 waiting to be assigned a request
rad_recv: Accounting-Request packet from host 127.0.0.1:1025, id=205, length=97
Wed Jul 19 15:36:08 2006 : Debug: --- Walking the entire request list ---
Wed Jul 19 15:36:08 2006 : Debug: Waking up in 4 seconds...
Wed Jul 19 15:36:08 2006 : Debug: Thread 3 got semaphore
Wed Jul 19 15:36:08 2006 : Debug: Thread 3 handling request 2, (1 handled so far)
Acct-Session-Id = "44BDFD08701000"
User-Name = "test1"
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 12.0.0.5
NAS-IP-Address = 10.69.101.197
NAS-Port = 0
Acct-Delay-Time = 0
Wed Jul 19 15:36:08 2006 : Debug: Processing the preacct section of radiusd.conf
Wed Jul 19 15:36:08 2006 : Debug: modcall: entering group preacct for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: calling preprocess (rlm_preprocess) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: returned from preprocess (rlm_preprocess) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[preacct]: module "preprocess" returns noop for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: calling acct_unique (rlm_acct_unique) for request 2
Wed Jul 19 15:36:08 2006 : Debug: rlm_acct_unique: Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 10.69.101.197,Acct-Session-Id = "44BDFD08701000",User-Name = "test1"'
Wed Jul 19 15:36:08 2006 : Debug: rlm_acct_unique: Acct-Unique-Session-ID = "e55937ac76ee7a28".
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: returned from acct_unique (rlm_acct_unique) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[preacct]: module "acct_unique" returns ok for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: calling suffix (rlm_realm) for request 2
Wed Jul 19 15:36:08 2006 : Debug: rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
Wed Jul 19 15:36:08 2006 : Debug: rlm_realm: No such realm "NULL"
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: returned from suffix (rlm_realm) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[preacct]: module "suffix" returns noop for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: calling files (rlm_files) for request 2
Wed Jul 19 15:36:08 2006 : Debug: acct_users: Matched entry DEFAULT at line 1
Wed Jul 19 15:36:08 2006 : Debug: modsingle[preacct]: returned from files (rlm_files) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[preacct]: module "files" returns ok for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall: leaving group preacct (returns ok) for request 2
Wed Jul 19 15:36:08 2006 : Debug: Processing the accounting section of radiusd.conf
Wed Jul 19 15:36:08 2006 : Debug: modcall: entering group accounting for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: calling detail (rlm_detail) for request 2
Wed Jul 19 15:36:08 2006 : Debug: radius_xlat: '/var/log/radius/radacct/127.0.0.1/detail-20060719'
Wed Jul 19 15:36:08 2006 : Debug: rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20060719
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: returned from detail (rlm_detail) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[accounting]: module "detail" returns ok for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: calling unix (rlm_unix) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: returned from unix (rlm_unix) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[accounting]: module "unix" returns ok for request 2
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: calling radutmp (rlm_radutmp) for request 2
Wed Jul 19 15:36:08 2006 : Debug: radius_xlat: '/var/log/radius/radutmp'
Wed Jul 19 15:36:08 2006 : Debug: radius_xlat: 'test1'
Wed Jul 19 15:36:08 2006 : Debug: modsingle[accounting]: returned from radutmp (rlm_radutmp) for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall[accounting]: module "radutmp" returns ok for request 2
Wed Jul 19 15:36:08 2006 : Debug: modcall: leaving group accounting (returns ok) for request 2
Wed Jul 19 15:36:08 2006 : Debug: radius_xlat: '/usr/abills/libexec/racct.pl'
Wed Jul 19 15:36:08 2006 : Debug: Exec-Program: /usr/abills/libexec/racct.pl
Sending Accounting-Response of id 205 to 127.0.0.1 port 1025
Wed Jul 19 15:36:08 2006 : Debug: Finished request 2
Wed Jul 19 15:36:08 2006 : Debug: Going to the next request
Wed Jul 19 15:36:08 2006 : Debug: Thread 3 waiting to be assigned a request
Wed Jul 19 15:36:12 2006 : Debug: --- Walking the entire request list ---
Wed Jul 19 15:36:12 2006 : Debug: Cleaning up request 1 ID 204 with timestamp 44bdfd06
Wed Jul 19 15:36:12 2006 : Debug: Waking up in 2 seconds...
Wed Jul 19 15:36:14 2006 : Debug: --- Walking the entire request list ---
Wed Jul 19 15:36:14 2006 : Debug: Cleaning up request 2 ID 205 with timestamp 44bdfd08
Wed Jul 19 15:36:14 2006 : Debug: Nothing to do. Sleeping until we see a request.
ну и /usr/abills/var/log/abills.log
2006-07-19 15:36:06 LOG_INFO: AUTH [test1] NAS: 2 (10.69.101.197) GT: 0.13290
все настраивал по
http://abills.asmodeus.com.ua/wiki/doku ... install:ru
http://abills.asmodeus.com.ua/wiki/doku ... bills:docs:
-
tarasnn
и еще в догонку...
# lsmod
Module Size Used by
pppoe 8768 0
pppox 2568 1 pppoe
sha512 9472 0
sha256 9088 0
des 15360 0
ppp_synctty 6272 0
ppp_deflate 4352 0
zlib_deflate 18328 1 ppp_deflate
bsd_comp 4992 0
ppp_async 7552 1
crc_ccitt 1920 1 ppp_async
nfs 184396 1
lockd 48392 2 nfs
nfs_acl 2688 1 nfs
sunrpc 116284 4 nfs,lockd,nfs_acl
sha1 2176 2
arc4 1792 2
ppp_mppe 5508 2
ppp_generic 19988 11 pppoe,pppox,ppp_synctty,ppp_deflate,bsd_comp,ppp_async,ppp_mppe
slhc 5504 1 ppp_generic
8139too 19968 0
Module Size Used by
pppoe 8768 0
pppox 2568 1 pppoe
sha512 9472 0
sha256 9088 0
des 15360 0
ppp_synctty 6272 0
ppp_deflate 4352 0
zlib_deflate 18328 1 ppp_deflate
bsd_comp 4992 0
ppp_async 7552 1
crc_ccitt 1920 1 ppp_async
nfs 184396 1
lockd 48392 2 nfs
nfs_acl 2688 1 nfs
sunrpc 116284 4 nfs,lockd,nfs_acl
sha1 2176 2
arc4 1792 2
ppp_mppe 5508 2
ppp_generic 19988 11 pppoe,pppox,ppp_synctty,ppp_deflate,bsd_comp,ppp_async,ppp_mppe
slhc 5504 1 ppp_generic
8139too 19968 0
-
Гость
Gentoo 2.6.20 , Abils 0.36 , pppd 2.4.4 , pptpd 1.2.3 , radius 1.1.6
Все тоже самое что описано выше.
но не работает MS-CHAP-V2
MS-CHAP работает.... без MPPE трафик нормально ходит все ок.
с MPPE есть конект но пакеты не бегают...
Мне тож надо что то закоментить?
Все тоже самое что описано выше.
но не работает MS-CHAP-V2
MS-CHAP работает.... без MPPE трафик нормально ходит все ок.
с MPPE есть конект но пакеты не бегают...
Мне тож надо что то закоментить?
Слаб тот кто не пробует, смешон тот кто не хочет, и только тот силен , кто стараеться.
-
~AsmodeuS~
- Site Admin
- Сообщения: 5749
- Зарегистрирован: Пт янв 28, 2005 3:11 pm
- Контактная информация: