Проблема при аутентификации через freeradius2.
Код: Выделить всё
rad_recv: Access-Request packet from host 127.0.0.1 port 49642, id=219, length=133
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testy"
MS-CHAP-Challenge = "\242\311>\267C\336\311Y\256E\257/ka\376z"
MS-CHAP2-Response = "R\0006@0v\3153\2062w\255s\361\206\210щ╪\000\000\000\000\000\000\000\000\2041\002\236\377nB\360g!\"\205\021\224\334\355i\362\005\027?0\231O"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
Exec-Program output: User-Password == "123456"
Exec-Program-Wait: value-pairs: User-Password == "123456"
Exec-Program: returned: 0
++[pre_auth] returns ok
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
users: Matched entry DEFAULT at line 204
++[files] returns ok
rad_check_password: Found Auth-Type mschap
auth: type "MSCHAP"
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for testy with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [testy/<via Auth-Type = mschap>] (from client localhost port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
Exec-Program output:
Exec-Program: returned: 0
++[abills_postauth] returns ok
Sending Access-Reject of id 219 to 127.0.0.1 port 49642
MS-CHAP-Error = "RE=691 R=1"
Finished request 0.
Going to the next request
Waking up in 3.6 seconds.
Cleaning up request 0 ID 219 with timestamp +4
Ready to process requests.
radiusd.conf
Код: Выделить всё
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.6
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = no
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
abills_preauth
exec abills_preauth {
program = "/usr/abills/libexec/rauth.pl pre_auth"
wait = yes
input_pairs = request
shell_escape = yes
output_pairs = config
}
exec pre_auth {
wait = yes
program = "/usr/abills/libexec/rauth.pl pre_auth"
input_pairs = request
output_pairs = config
}
exec post_auth {
wait = yes
program = "/usr/abills/libexec/rauth.pl post_auth"
input_pairs = request
output_pairs = config
}
abills_postauth
exec abills_postauth {
program = "/usr/abills/libexec/rauth.pl post_auth"
wait = yes
input_pairs = request
shell_escape = yes
output_pairs = config
}
abills_auth
exec abills_auth {
program = "/usr/abills/libexec/rauth.pl"
wait = yes
input_pairs = request
shell_escape = yes
output = no
output_pairs = reply
}
abills_acc
exec abills_acc {
program = "/usr/abills/libexec/racct.pl"
wait = yes
input_pairs = request
shell_escape = yes
output = no
output_pairs = reply
}
}
instantiate {
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/abills_default
Код: Выделить всё
authorize {
preprocess
pre_auth
mschap
files
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
unix
}
preacct {
preprocess
abills_acc
}
accounting {
detail
unix
radutmp
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
post_auth
}
}
pre-proxy {
}
post-proxy {
eap
}
Код: Выделить всё
radtest testy 123456 127.0.0.1:1812 0 testing123 0 127.0.0.1
Sending Access-Request of id 96 to 127.0.0.1 port 1812
User-Name = "testy"
User-Password = "123456"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=96, length=20