I decided to drop the stock utm_radius and try to get things running on FreeRADIUS. I've read a lot on the forum about this and basically started from wingman's article; the only difference is that I don't want to set up the pools on the Cisco.
I have working pools that hand out addresses via DHCP (option 82). Static addresses work too, but with dynamic ones I get errors...
Here is the working query from wingman, slightly modified, though.
Code:
SELECT '', 'test', 'Framed-IP-Address', inet_ntoa(ip_groups.ip & 0xffffffff) AS ip, '='
  FROM UTM5007.ip_groups
  WHERE uname = 'test' AND is_deleted = '0'
    AND inet_ntoa(ip_groups.ip & 0xffffffff) LIKE '93.215.%'
UNION
SELECT '', 'test', 'Framed-Pool', 'mainpool', '='
  FROM ip_groups
  WHERE uname = 'test'
    AND inet_ntoa(ip_groups.ip & 0xffffffff) NOT LIKE '93.215.%'
UNION
SELECT '', 'test', 'Cisco-Rate-Limit', radius_data.value, '='
  FROM radius_data
  WHERE radius_data.owner_id = (
        SELECT sl.service_id
          FROM ip_groups ig, iptraffic_service_links isl, service_links sl
          WHERE ig.uname = 'test' AND ig.is_deleted = 0
            AND ig.ip_group_id = isl.ip_group_id AND isl.is_deleted = 0
            AND isl.id = sl.id AND sl.is_deleted = 0)
    AND radius_data.vendor = 9
Code:
rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=44, length=154
Framed-Protocol = PPP
User-Name = "test"
MS-CHAP-Challenge = 0x2ea387a8e4d6395b8b31950356f4fa24
MS-CHAP2-Response = 0x01004c5939a6770e9b87df414ee058e87aee00000000000000002751d650f8d2700622fa5731233ac1c684bddfadc33fe9bd
NAS-Port-Type = Virtual
NAS-Port = 44
NAS-Port-Id = "Uniq-Sess-ID44"
Service-Type = Framed-User
NAS-IP-Address = 172.16.2.40
# Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /opt/freeradius/var/log/radius/radacct/172.16.2.40/auth-detail-20120717
[auth_log] /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/172.16.2.40/auth-detail-20120717
[auth_log] expand: %t -> Tue Jul 17 16:16:40 2012
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT ig.ip_group_id, ig.uname, 'Cleartext-Password', ig.upass, ':=' FROM iptraffic_service_links il, ip_groups ig, service_links sl, accounts a WHERE ig.uname='%{SQL-User-Name}' AND ig.ip_group_id=il.ip_group_id AND sl.account_id=a.id AND a.is_deleted=0 AND a.balance>0 and a.int_status=1 and sl.id=il.id and ig.is_deleted=0 and il.is_deleted=0 and sl.is_deleted=0 -> SELECT ig.ip_group_id, ig.uname, 'Cleartext-Password', ig.upass, ':=' FROM iptraffic_service_links il, ip_groups ig, service_links sl, accounts a WHERE ig.uname='test' AND ig.ip_group_id=il.ip_group_id AND sl.account_id=a.id AND a.is_deleted=0 AND a.balance>0 and a.int_status=1 and sl.id=il.id and ig.is_deleted=0 and il.is_deleted=0 and sl.is_deleted=0
[sql] User found in radcheck table
[sql] WARNING: Unknown variable '%'': See 'doc/variables.txt'
[sql] WARNING: Unknown variable '%'': See 'doc/variables.txt'
[sql] expand: SELECT '','%{SQL-User-Name}','Framed-IP-Address',inet_ntoa( ip_groups.ip & 0xffffffff ) AS ip,'=' FROM UTM5007.ip_groups WHERE uname ='%{SQL-User-Name}' AND is_deleted = '0' AND inet_ntoa( ip_groups.ip & 0xffffffff ) LIKE '95.215.%' UNION SELECT '', '%{SQL-User-Name}', 'Framed-Pool', 'dialup_pool', '=' FROM ip_groups WHERE uname ='%{SQL-User-Name}' AND inet_ntoa( ip_groups.ip & 0xffffffff ) NOT LIKE '95.215.%' -> SELECT '','test','Framed-IP-Address',inet_ntoa( ip_groups.ip & 0xffffffff ) AS ip,'=' FROM UTM5007.ip_groups WHERE uname ='test' AND is_deleted = '0' AND inet_ntoa( ip_groups.ip & 0xffffffff ) LIKE '95.215.%' UNION SELECT '', 'test', 'Framed-Pool', 'dialup_pool', '=' FROM ip_groups WHERE uname ='test' AND inet_ntoa( ip_groups.ip & 0xffffffff ) NOT LIKE '95.215.%'
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Dynamic_Test_Freeradius' ORDER BY id
[sql] User found in group Dynamic_Test_Freeradius
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Dynamic_Test_Freeradius' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: test
[mschap] Told to do MS-CHAPv2 for test with NT-Password
++[mschap] returns ok
Login OK: [test/<via Auth-Type = mschap>] (from client cisco_test port 44)
# Executing section post-auth from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[dialup_pool] expand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.2.40 44
[dialup_pool] MD5 on 'key' directive maps to: 8890b7dd165888dd0e3a63d5e9cdc8b0
[dialup_pool] Searching for an entry for key: '8890b7dd165888dd0e3a63d5e9cdc8b0'
[dialup_pool] Found Framed-IP-Address attribute in reply attribute list.
[dialup_pool] override is set to no. Return NOOP.
++[dialup_pool] returns noop
++[dhcp_pool] returns noop
[reply_log] expand: /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /opt/freeradius/var/log/radius/radacct/172.16.2.40/reply-detail-20120717
[reply_log] /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/172.16.2.40/reply-detail-20120717
[reply_log] expand: %t -> Tue Jul 17 16:16:40 2012
++[reply_log] returns ok
Sending Access-Accept of id 44 to 172.16.2.40 port 1645
Framed-IP-Address = 95.215.68.253
Service-Type := Framed-User
Framed-Protocol := PPP
Framed-Compression := Van-Jacobson-TCP-IP
MS-CHAP2-Success = 0x01533d32314246333738393035394644433936363141333133353630433444393235313430414541463831
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 172.16.2.40 port 1646, id=12, length=145
Acct-Session-Id = "0000003F"
Tunnel-Medium-Type:0 = IPv4
Tunnel-Server-Endpoint:0 = "172.16.2.40"
Tunnel-Client-Endpoint:0 = "172.16.2.24"
Tunnel-Assignment-Id:0 = "PPTP1"
Framed-Protocol = PPP
Framed-IP-Address = 95.215.68.253
User-Name = "test"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Virtual
NAS-Port = 44
NAS-Port-Id = "Uniq-Sess-ID44"
Service-Type = Framed-User
NAS-IP-Address = 172.16.2.40
Acct-Delay-Time = 0
# Executing section preacct from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 44,Client-IP-Address = 172.16.2.40,NAS-IP-Address = 172.16.2.40,Acct-Session-Id = "0000003F",User-Name = "test"'
[acct_unique] Acct-Unique-Session-ID = "aa9cce81dbb118b6".
++[acct_unique] returns ok
# Executing section accounting from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 172.16.2.40
[detail] expand: /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /opt/freeradius/var/log/radius/radacct/172.16.2.40/detail-20120717
[detail] /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/172.16.2.40/detail-20120717
[detail] expand: %t -> Tue Jul 17 16:16:41 2012
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
[radutmp] expand: /opt/freeradius/var/log/radius/radutmp -> /opt/freeradius/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> test
++[radutmp] returns ok
[dialup_pool] This is not an Accounting-Stop. Return NOOP.
++[dialup_pool] returns noop
[dhcp_pool] This is not an Accounting-Stop. Return NOOP.
++[dhcp_pool] returns noop
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: MYSQL check_error: 1054 received
[sql] Couldn't insert SQL accounting START record - Unknown column 'xascendsessionsvrkey' in 'field list'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstarttime = '2012-07-17 16:16:41', acctstartdelay = '0', connectinfo_start = '' WHERE acctsessionid = '0000003F' AND username = 'test' AND nasipaddress = '172.16.2.40'
rlm_sql (sql): Released sql socket id: 2
++[sql] returns noop
[sql_log] Processing sql_log_accounting
[sql_log] expand: %{User-Name} -> test
[sql_log] expand: %{%{User-Name}:-DEFAULT} -> test
[sql_log] sql_set_user escaped user --> 'test'
[sql_log] expand: INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) VALUES ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', '%{Framed-IP-Address}', '%S', '0', '0', ''); -> INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) VALUES ('0000003F', 'test', '172.16.2.40', '95.215.68.253', '2012-07-17 16:16:41', '0', '0', '');
[sql_log] expand: /opt/freeradius/var/log/radius/radacct/sql-relay -> /opt/freeradius/var/log/radius/radacct/sql-relay
++[sql_log] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 12 to 172.16.2.40 port 1646
Finished request 2.
Cleaning up request 2 ID 12 with timestamp +2225
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 1 ID 44 with timestamp +2224
Ready to process requests.
Code:
rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=46, length=154
Framed-Protocol = PPP
User-Name = "test"
MS-CHAP-Challenge = 0x0a790aa073e23d94c4e5fc3a40253add
MS-CHAP2-Response = 0x010082c13567faad81f3b98ca3faa04bff860000000000000000ddb614e994ad1eece1623f7a2093259813b9291b05c6ccf5
NAS-Port-Type = Virtual
NAS-Port = 46
NAS-Port-Id = "Uniq-Sess-ID46"
Service-Type = Framed-User
NAS-IP-Address = 172.16.2.40
# Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /opt/freeradius/var/log/radius/radacct/172.16.2.40/auth-detail-20120717
[auth_log] /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/172.16.2.40/auth-detail-20120717
[auth_log] expand: %t -> Tue Jul 17 16:54:23 2012
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT ig.ip_group_id, ig.uname, 'Cleartext-Password', ig.upass, ':=' FROM iptraffic_service_links il, ip_groups ig, service_links sl, accounts a WHERE ig.uname='%{SQL-User-Name}' AND ig.ip_group_id=il.ip_group_id AND sl.account_id=a.id AND a.is_deleted=0 AND a.balance>0 and a.int_status=1 and sl.id=il.id and ig.is_deleted=0 and il.is_deleted=0 and sl.is_deleted=0 -> SELECT ig.ip_group_id, ig.uname, 'Cleartext-Password', ig.upass, ':=' FROM iptraffic_service_links il, ip_groups ig, service_links sl, accounts a WHERE ig.uname='test' AND ig.ip_group_id=il.ip_group_id AND sl.account_id=a.id AND a.is_deleted=0 AND a.balance>0 and a.int_status=1 and sl.id=il.id and ig.is_deleted=0 and il.is_deleted=0 and sl.is_deleted=0
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Dynamic_Test_Freeradius' ORDER BY id
[sql] User found in group Dynamic_Test_Freeradius
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Dynamic_Test_Freeradius' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: test
[mschap] Told to do MS-CHAPv2 for test with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [test/<via Auth-Type = mschap>] (from client cisco_test port 46)
Using Post-Auth-Type Reject
# Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 46 to 172.16.2.40 port 1645
MS-CHAP-Error = "\001E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 3 ID 46 with timestamp +247
Ready to process requests.
In the mapping tables it is also user - dyn_pool, and so on.
Please tell me what the problem is...
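A triage script for debug output like the three captures above, added here as an example and not taken from the post, wingman's article or UTM5: it splits a radiusd -X capture into requests and, for each one, reports the outcome and the log lines that explain it. The SAMPLE text is constructed (abridged from the captures above) and the hint wording is ours.

```python
import re

# Debug lines that explain an outcome (patterns from the post's own output; hints are ours).
HINTS = {
    "No Cleartext-Password configured": "authorize query returned no password row for this user",
    "No NT/LM-Password": "rlm_mschap cannot verify MS-CHAPv2 without a known-good password",
    "Couldn't insert SQL accounting": "accounting schema mismatch, see the column named in the error",
    "Unknown variable '%": "literal % in an SQL query string; xlat needs %% for a literal %",
    "Found Framed-IP-Address attribute in reply": "rlm_ippool skipped, a static Framed-IP-Address won",
}

def triage(text):
    """Return one dict per RADIUS request: type, NAS, id, user, outcome and explanatory notes."""
    results = []
    # Every request starts at its rad_recv line; the lookahead keeps that line in the block.
    for block in re.split(r"(?m)^(?=rad_recv: )", text):
        head = re.match(r"rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)", block)
        if not head:
            continue  # text before the first request
        user = re.search(r'User-Name = "([^"]*)"', block)
        reply = re.search(r"Sending (Access-Accept|Access-Reject|Accounting-Response)", block)
        results.append({
            "type": head.group(1), "nas": head.group(2), "id": int(head.group(3)),
            "user": user.group(1) if user else None,
            "outcome": reply.group(1) if reply else "no reply sent",
            "notes": [hint for key, hint in HINTS.items() if key in block],
        })
    return results

# Constructed sample: abridged from the three exchanges quoted in the post.
SAMPLE = """\
rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=44, length=154
	User-Name = "test"
[sql] WARNING: Unknown variable '%'': See 'doc/variables.txt'
[dialup_pool] Found Framed-IP-Address attribute in reply attribute list.
Sending Access-Accept of id 44 to 172.16.2.40 port 1645
rad_recv: Accounting-Request packet from host 172.16.2.40 port 1646, id=12, length=145
	User-Name = "test"
[sql] Couldn't insert SQL accounting START record - Unknown column 'xascendsessionsvrkey' in 'field list'
Sending Accounting-Response of id 12 to 172.16.2.40 port 1646
rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=46, length=154
	User-Name = "test"
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
Sending Access-Reject of id 46 to 172.16.2.40 port 1645
"""

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['type']} id={r['id']} user={r['user']}: {r['outcome']}", *r["notes"], sep="\n   - ")
```

Run it over the full capture with triage(open("radiusd.log").read()) to see, request by request, which ones reached rlm_mschap without a password row from the authorize query.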