- FreeNIBS+FreeRadius+pptpd на Debian 4.0, Fresh, 16:00 , 05-Апр-08 (1)
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, thehangedman, 16:18 , 05-Апр-08 (2)
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, xoma, 01:47 , 06-Апр-08 (3)
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, Xramovnik, 10:02 , 06-Апр-08 (4)
>>Apr 5 18:07:59 localhost pppd[3294]: rc_avpair_gen: received unknown attribute 85 of >>length 4: 0x0000003C > >попробуй добавить в "/etc/radiusclient/dictionary" строчку "ATTRIBUTE >Acct-Interim-Interval 85 integer" Ошибка: Apr 5 18:07:59 localhost pppd[3294]: rc_avpair_gen: received unknown attribute 85 of length 4: 0x0000003C из логов ушла, но авторизация по-прежнему не проходит. Появились следующие ошибки в логах: Sun Apr 6 12:28:09 2008 : Auth: rlm_nibs (rlm_nibs_authenticate): Zero length password not permitted for user `chernobaev' [127.0.0.1:0] |192.168.104.5| Sun Apr 6 12:28:09 2008 : Auth: Login incorrect: [chernobaev/<no User-Password attribute>] (from client localhost port 0 cli 192.168.104.5) Apr 6 12:28:09 localhost pppd[2959]: Plugin radius.so loaded. Apr 6 12:28:09 localhost pppd[2959]: RADIUS plugin initialized. Apr 6 12:28:09 localhost pppd[2959]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded. Apr 6 12:28:09 localhost pppd[2959]: pppd 2.4.4 started by root, uid 0 Apr 6 12:28:09 localhost pppd[2959]: Using interface ppp0 Apr 6 12:28:09 localhost pppd[2959]: Connect: ppp0 <--> /dev/pts/2 Apr 6 12:28:19 localhost pppd[2959]: Peer chernobaev failed CHAP authentication Apr 6 12:28:19 localhost pppd[2959]: Connection terminated. Apr 6 12:28:19 localhost pppd[2959]: Exit. Выкладываю конфиги //=========================================================================== pptpd: #ppp /usr/sbin/pppd speed 115200 option /etc/ppp/pptpd-options
debug # stimeout 10 #noipparam logwtmp bcrelay eth1 localip 192.168.104.1 remoteip 192.168.20.10-23 //============================================================================ PPTPD-OPTIONS: ppptp-options: name pptpd plugin radius.so plugin radattr.so #chapms-strip-domain #require-pap #refuse-chap require-mschap require-mschap-v2 require-mppe-128 # }}} ms-dns 192.168.104.1 #ms-dns 10.0.0.2
#ms-wins 10.0.0.3 #ms-wins 10.0.0.4 proxyarp nodefaultroute # Logging
#debug #dump # Miscellaneous
lock # Disable BSD-Compress compression nobsdcomp nodeflate novj novjccomp //================================================================================== radiusd.conf: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid user = freerad group = freerad max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } ldap { server = "ldap.your.domain" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" 
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { # The attribute to look for in the request item-name = Calling-Station-Id # The attribute to look for in check items. Can be multi valued check-name = Calling-Station-Id # The data type. Can be # string,integer,ipaddr,date,abinary,octets data-type = string # If set to yes and we dont find the item-name attribute in the # request then we send back a reject # DEFAULT is no #notfound-reject = no } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } # NiBS Support $INCLUDE ${confdir}/nibs.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = 
ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply #packet_type = Access-Accept } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr # daily } authorize { preprocess # auth_log nibs # attr_filter # chap mschap # digest # IPASS # suffix # ntdomain # eap # files # sql # etc_smbpasswd # ldap # daily # checkval } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type NIBS { nibs } } preacct { preprocess acct_unique # IPASS # suffix # ntdomain # files } accounting { acct_unique detail # daily # unix radutmp # sradutmp # main_pool # sql nibs # pgsql-voip } session { # radutmp # sql # NiBS zap nibs } post-auth { # main_pool # reply_log # sql nibs # Post-Auth-Type REJECT { # insert-module-name-here # } } pre-proxy { } post-proxy { eap }
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, thehangedman, 11:30 , 06-Апр-08 (5)
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, Xramovnik, 12:51 , 06-Апр-08 (6)
>>Sun Apr 6 12:28:09 2008 : Auth: rlm_nibs (rlm_nibs_authenticate): Zero length >>password not permitted for user `chernobaev' [127.0.0.1:0] |192.168.104.5| >>Sun Apr 6 12:28:09 2008 : Auth: Login incorrect: [chernobaev/<no User-Password attribute>] (from client localhost port 0 cli 192.168.104.5) > >Похоже, что авторизация mschap не происходит, поэтому нет атрибута User-Password. Попробуй поставить >mschap до nibs, а не после, в модуле authorize. > >И еще все-таки стоит посмотреть дебаг-вывод. Извините за тупой вопрос, а где его искать, этот вывод?
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, thehangedman, 16:26 , 06-Апр-08 (7)
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, Xramovnik, 09:07 , 07-Апр-08 (8)
>И мне кажется, все-таки может помочь махнуть местами nibs и mschap в >секции authorize, попробуйте. Попробовал... Вот что выдал радиус при отладке: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32771, id=123, length=71 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "chernobaev" Calling-Station-Id = "192.168.104.5" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 radius_xlat: 'chernobaev' rlm_nibs (sql_set_user): sql_set_user escaped user --> 'chernobaev' rlm_nibs (nibs_fill_user): begin for user `chernobaev' ------------ radius_xlat: 'SELECT user, password, crypt_method, uid, gid, deposit, credit, unix_timestamp(add_date), blocked, activated, unix_timestamp(expired), total_time, total_traffic, total_money, unix_timestamp(last_connection), framed_ip, framed_mask, callback_number FROM users WHERE user = 'chernobaev'' sql_als->sql_get_socket (nibs): Reserving sql socket id: 12 sql_als->sql_release_socket: Released sql socket id: 12 radius_xlat: 'SELECT tos, do_with_tos, direction, fixed, fixed_cost, activation_time, total_time_limit, month_time_limit, week_time_limit, day_time_limit, total_traffic_limit, month_traffic_limit, week_traffic_limit, day_traffic_limit, total_money_limit, month_money_limit, week_money_limit, day_money_limit, login_time, huntgroup_name, simultaneous_use, port_limit, session_timeout, idle_timeout, allowed_prefixes, no_pass, no_acct, allow_callback, other_params, allowed_servers FROM users WHERE user = 'chernobaev'' rlm_nibs (nibs_fill_user): ----- prof mode begin for user `chernobaev' ----- sql_als->sql_get_socket (nibs): Reserving sql socket id: 11 sql_als->sql_release_socket: Released sql socket id: 11 rlm_nibs (nibs_fill_user): ----- prof mode end for user `chernobaev' ----- 
rlm_nibs (nibs_fill_user): end for user `chernobaev' ------------ rlm_nibs (nibs_add_attrs): begin for user `chernobaev' ------------ rlm_nibs (nibs_add_attrs): add PW_FRAMED_IP_ADDRESS rlm_nibs (nibs_add_attrs): add PW_FRAMED_IP_NETMASK rlm_nibs (nibs_add_attrs): add PW_SIMULTANEOUS_USE rlm_nibs (nibs_add_attrs): add PW_SESSION_TIMEOUT rlm_nibs (nibs_add_attrs): add all other params rlm_nibs (nibs_add_attrs): end for user `chernobaev' ------------ modcall[authorize]: module "nibs" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Nibs auth: type "NIBS" Processing the authenticate section of radiusd.conf modcall: entering group NIBS for request 0 radius_xlat: 'chernobaev' rlm_nibs (sql_set_user): sql_set_user escaped user --> 'chernobaev' radius_xlat: 'SELECT user, password, gid, crypt_method FROM users WHERE user = 'chernobaev'' sql_als->sql_get_socket (nibs): Reserving sql socket id: 10 radius_xlat: 'rlm_nibs (rlm_nibs_authenticate): Zero length password not permitted for user `chernobaev' [127.0.0.1:0]%s%s%s' rlm_nibs (rlm_nibs_authenticate): Zero length password not permitted for user `chernobaev' [127.0.0.1:0] |192.168.104.5| sql_als->sql_release_socket: Released sql socket id: 10 modcall[authenticate]: module "nibs" returns invalid for request 0 modcall: leaving group NIBS (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [chernobaev/<no User-Password attribute>] (from client localhost port 0 cli 192.168.104.5) Возникает вопрос, почему возвращается пароль нулевой длины? Судя по приведённому выше дампу, в самом Access-Request нет ни атрибута User-Password, ни MS-CHAP-атрибутов (Challenge/Response) — только User-Name и сетевые атрибуты; поэтому mschap отвечает noop, а nibs получает пустой пароль.
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, thehangedman, 13:25 , 07-Апр-08 (9)
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, Den, 16:59 , 07-Апр-08 (10)
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, thehangedman, 17:33 , 07-Апр-08 (11)
- FreeNIBS+FreeRadius+pptpd на Debian 4.0, Xramovnik, 17:48 , 08-Апр-08 (12)
>я давно ушел с freenibs - утечки памяти под большой нагрузкой, низкая >масштабируемость, ну и кривость движка - запихивать щиталку в радиус это >дыбилизм, развитие = 0. У каждого приложения должны быть свои задачи, >а делать из велосипеда трактор, не наш метод. Попробуйте лучше http://abills.net.ua/wiki/doku.php >Можно конечно долго посмеяться но у Abills та же самая ошибка - не воспринимает авторизацию по VPN. Вот вывод радиуса при авторизации: rad_recv: Access-Request packet from host 127.0.0.1:32771, id=25, length=84 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "qwerty" User-Password = "qwerty" Calling-Station-Id = "192.168.2.13" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 radius_xlat: '/usr/abills/libexec/rauth.pl pre_auth' Exec-Program: /usr/abills/libexec/rauth.pl pre_auth Exec-Program output: Auth-Type := Accept Exec-Program-Wait: value-pairs: Auth-Type := Accept Exec-Program: returned: 0 modcall[authorize]: module "pre_auth" returns ok for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "qwerty", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user radius_xlat: '/usr/abills/libexec/rauth.pl' Exec-Program: /usr/abills/libexec/rauth.pl Exec-Program output: Reply-Message = "Unknow server '127.0.0.1'" Exec-Program-Wait: value-pairs: Reply-Message = "Unknow server '127.0.0.1'" Exec-Program: returned: 1 Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 0 radius_xlat: '/usr/abills/libexec/rauth.pl post_auth' 
Exec-Program: /usr/abills/libexec/rauth.pl post_auth Exec-Program output: Exec-Program: returned: 0 modcall[post-auth]: module "post_auth" returns ok for request 0 modcall: leaving group REJECT (returns ok) for request 0