Freeradius returns errors when issuing dynamic addresses

Technical questions about UTM 5.0
solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Freeradius returns errors when issuing dynamic addresses

Post by solomon »

Hello, fellow forum members!
I've decided to drop the stock utm_radius and try to get things running on FreeRADIUS. I've read a lot on the forum about this and basically started from wingman's article; the only difference is that I don't want to set the pools up on the Cisco.
I have working pools; they work for assignment via DHCP (option 82), and statics work fine too, but with dynamics I get errors...
Here's the query: it's wingman's working one, slightly modified.

Code:

SELECT '', 'test', 'Framed-IP-Address', inet_ntoa(ip_groups.ip & 0xffffffff) AS ip, '='
  FROM UTM5007.ip_groups
  WHERE uname = 'test' AND is_deleted = '0'
    AND inet_ntoa(ip_groups.ip & 0xffffffff) LIKE '93.215.%'
UNION
SELECT '', 'test', 'Framed-Pool', 'mainpool', '='
  FROM ip_groups
  WHERE uname = 'test'
    AND inet_ntoa(ip_groups.ip & 0xffffffff) NOT LIKE '93.215.%'
UNION
SELECT '', 'test', 'Cisco-Rate-Limit', radius_data.value, '='
  FROM radius_data
  WHERE radius_data.owner_id = (
      SELECT sl.service_id
        FROM ip_groups ig, iptraffic_service_links isl, service_links sl
        WHERE ig.uname = 'test' AND ig.is_deleted = 0
          AND ig.ip_group_id = isl.ip_group_id AND isl.is_deleted = 0
          AND isl.id = sl.id AND sl.is_deleted = 0)
    AND radius_data.vendor = 9
Here's the log when a static client authorizes

Code:

rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=44, length=154
        Framed-Protocol = PPP
        User-Name = "test"
        MS-CHAP-Challenge = 0x2ea387a8e4d6395b8b31950356f4fa24
        MS-CHAP2-Response = 0x01004c5939a6770e9b87df414ee058e87aee00000000000000002751d650f8d2700622fa5731233ac1c684bddfadc33fe9bd
        NAS-Port-Type = Virtual
        NAS-Port = 44
        NAS-Port-Id = "Uniq-Sess-ID44"
        Service-Type = Framed-User
        NAS-IP-Address = 172.16.2.40
# Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /opt/freeradius/var/log/radius/radacct/172.16.2.40/auth-detail-20120717
[auth_log] /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/172.16.2.40/auth-detail-20120717
[auth_log]      expand: %t -> Tue Jul 17 16:16:40 2012
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[sql]   expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT ig.ip_group_id, ig.uname, 'Cleartext-Password', ig.upass, ':='       FROM iptraffic_service_links il, ip_groups ig, service_links sl, accounts a       WHERE ig.uname='%{SQL-User-Name}' AND ig.ip_group_id=il.ip_group_id AND sl.account_id=a.id      AND a.is_deleted=0 AND a.balance>0 and a.int_status=1 and sl.id=il.id and ig.is_deleted=0 and il.is_deleted=0 and sl.is_deleted=0 -> SELECT ig.ip_group_id, ig.uname, 'Cleartext-Password', ig.upass, ':='          FROM iptraffic_service_links il, ip_groups ig, service_links sl, accounts a       WHERE ig.uname='test' AND ig.ip_group_id=il.ip_group_id AND sl.account_id=a.id          AND a.is_deleted=0 AND a.balance>0 and a.int_status=1 and sl.id=il.id and ig.is_deleted=0 and il.is_deleted=0 and sl.is_deleted=0
[sql] User found in radcheck table
[sql] WARNING: Unknown variable '%'': See 'doc/variables.txt'
[sql] WARNING: Unknown variable '%'': See 'doc/variables.txt'
[sql]   expand: SELECT '','%{SQL-User-Name}','Framed-IP-Address',inet_ntoa( ip_groups.ip & 0xffffffff ) AS ip,'='            FROM UTM5007.ip_groups WHERE uname ='%{SQL-User-Name}' AND is_deleted = '0'       AND inet_ntoa( ip_groups.ip & 0xffffffff ) LIKE '95.215.%'              UNION SELECT '', '%{SQL-User-Name}', 'Framed-Pool', 'dialup_pool', '=' FROM ip_groups             WHERE uname ='%{SQL-User-Name}' AND inet_ntoa( ip_groups.ip & 0xffffffff ) NOT LIKE '95.215.%' -> SELECT '','test','Framed-IP-Address',inet_ntoa( ip_groups.ip & 0xffffffff ) AS ip,'='             FROM UTM5007.ip_groups WHERE uname ='test' AND is_deleted = '0'         AND inet_ntoa( ip_groups.ip & 0xffffffff ) LIKE '95.215.%'        UNION SELECT '', 'test', 'Framed-Pool', 'dialup_pool', '=' FROM ip_groups       WHERE uname ='test' AND inet_ntoa( ip_groups.ip & 0xffffffff ) NOT LIKE '95.215.%'
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'test'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'Dynamic_Test_Freeradius'           ORDER BY id
[sql] User found in group Dynamic_Test_Freeradius
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'Dynamic_Test_Freeradius'           ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: test
[mschap] Told to do MS-CHAPv2 for test with NT-Password
++[mschap] returns ok
Login OK: [test/<via Auth-Type = mschap>] (from client cisco_test port 44)
# Executing section post-auth from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[dialup_pool]   expand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.2.40 44
[dialup_pool] MD5 on 'key' directive maps to: 8890b7dd165888dd0e3a63d5e9cdc8b0
[dialup_pool] Searching for an entry for key: '8890b7dd165888dd0e3a63d5e9cdc8b0'
[dialup_pool] Found Framed-IP-Address attribute in reply attribute list.
[dialup_pool] override is set to no. Return NOOP.
++[dialup_pool] returns noop
++[dhcp_pool] returns noop
[reply_log]     expand: /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /opt/freeradius/var/log/radius/radacct/172.16.2.40/reply-detail-20120717
[reply_log] /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/172.16.2.40/reply-detail-20120717
[reply_log]     expand: %t -> Tue Jul 17 16:16:40 2012
++[reply_log] returns ok
Sending Access-Accept of id 44 to 172.16.2.40 port 1645
        Framed-IP-Address = 95.215.68.253
        Service-Type := Framed-User
        Framed-Protocol := PPP
        Framed-Compression := Van-Jacobson-TCP-IP
        MS-CHAP2-Success = 0x01533d32314246333738393035394644433936363141333133353630433444393235313430414541463831
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 172.16.2.40 port 1646, id=12, length=145
        Acct-Session-Id = "0000003F"
        Tunnel-Medium-Type:0 = IPv4
        Tunnel-Server-Endpoint:0 = "172.16.2.40"
        Tunnel-Client-Endpoint:0 = "172.16.2.24"
        Tunnel-Assignment-Id:0 = "PPTP1"
        Framed-Protocol = PPP
        Framed-IP-Address = 95.215.68.253
        User-Name = "test"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port-Type = Virtual
        NAS-Port = 44
        NAS-Port-Id = "Uniq-Sess-ID44"
        Service-Type = Framed-User
        NAS-IP-Address = 172.16.2.40
        Acct-Delay-Time = 0
# Executing section preacct from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 44,Client-IP-Address = 172.16.2.40,NAS-IP-Address = 172.16.2.40,Acct-Session-Id = "0000003F",User-Name = "test"'
[acct_unique] Acct-Unique-Session-ID = "aa9cce81dbb118b6".
++[acct_unique] returns ok
# Executing section accounting from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand: %{Packet-Src-IP-Address} -> 172.16.2.40
[detail]        expand: /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /opt/freeradius/var/log/radius/radacct/172.16.2.40/detail-20120717
[detail] /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/172.16.2.40/detail-20120717
[detail]        expand: %t -> Tue Jul 17 16:16:41 2012
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
[radutmp]       expand: /opt/freeradius/var/log/radius/radutmp -> /opt/freeradius/var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> test
++[radutmp] returns ok
[dialup_pool] This is not an Accounting-Stop. Return NOOP.
++[dialup_pool] returns noop
[dhcp_pool] This is not an Accounting-Stop. Return NOOP.
++[dhcp_pool] returns noop
[sql]   expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
[sql]   expand: %{Acct-Delay-Time} -> 0
[sql]   expand:            INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: MYSQL check_error: 1054 received
[sql] Couldn't insert SQL accounting START record - Unknown column 'xascendsessionsvrkey' in 'field list'
[sql]   expand: %{Acct-Delay-Time} -> 0
[sql]   expand:            UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%{%{Acct-Delay-Time}:-0}',              connectinfo_start = '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'           AND username         = '%{SQL-User-Name}'           AND nasipaddress     = '%{NAS-IP-Address}' ->            UPDATE radacct SET              acctstarttime     = '2012-07-17 16:16:41',              acctstartdelay    = '0',              connectinfo_start = ''           WHERE acctsessionid  = '0000003F'           AND username         = 'test'           AND nasipaddress     = '172.16.2.40'
rlm_sql (sql): Released sql socket id: 2
++[sql] returns noop
[sql_log] Processing sql_log_accounting
[sql_log]       expand: %{User-Name} -> test
[sql_log]       expand: %{%{User-Name}:-DEFAULT} -> test
[sql_log] sql_set_user escaped user --> 'test'
[sql_log]       expand: INSERT INTO radacct (AcctSessionId, UserName,    NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime,     AcctSessionTime, AcctTerminateCause) VALUES                       ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}',     '%{Framed-IP-Address}', '%S', '0', '0', ''); -> INSERT INTO radacct (AcctSessionId, UserName,     NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime,       AcctSessionTime, AcctTerminateCause) VALUES                     ('0000003F', 'test', '172.16.2.40',     '95.215.68.253', '2012-07-17 16:16:41', '0', '0', '');
[sql_log]       expand: /opt/freeradius/var/log/radius/radacct/sql-relay -> /opt/freeradius/var/log/radius/radacct/sql-relay
++[sql_log] returns ok
[attr_filter.accounting_response]       expand: %{User-Name} -> test
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 12 to 172.16.2.40 port 1646
Finished request 2.
Cleaning up request 2 ID 12 with timestamp +2225
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 1 ID 44 with timestamp +2224
Ready to process requests.
Here's the log when a dynamic client tries to connect

Code:

rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=46, length=154
        Framed-Protocol = PPP
        User-Name = "test"
        MS-CHAP-Challenge = 0x0a790aa073e23d94c4e5fc3a40253add
        MS-CHAP2-Response = 0x010082c13567faad81f3b98ca3faa04bff860000000000000000ddb614e994ad1eece1623f7a2093259813b9291b05c6ccf5
        NAS-Port-Type = Virtual
        NAS-Port = 46
        NAS-Port-Id = "Uniq-Sess-ID46"
        Service-Type = Framed-User
        NAS-IP-Address = 172.16.2.40
# Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /opt/freeradius/var/log/radius/radacct/172.16.2.40/auth-detail-20120717
[auth_log] /opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/172.16.2.40/auth-detail-20120717
[auth_log]      expand: %t -> Tue Jul 17 16:54:23 2012
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[sql]   expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT ig.ip_group_id, ig.uname, 'Cleartext-Password', ig.upass, ':='       FROM iptraffic_service_links il, ip_groups ig, service_links sl, accounts a            WHERE ig.uname='%{SQL-User-Name}' AND ig.ip_group_id=il.ip_group_id AND sl.account_id=a.id             AND a.is_deleted=0 AND a.balance>0 and a.int_status=1 and sl.id=il.id and ig.is_deleted=0 and il.is_deleted=0 and sl.is_deleted=0 -> SELECT ig.ip_group_id, ig.uname, 'Cleartext-Password', ig.upass, ':='             FROM iptraffic_service_links il, ip_groups ig, service_links sl, accounts a            WHERE ig.uname='test' AND ig.ip_group_id=il.ip_group_id AND sl.account_id=a.id         AND a.is_deleted=0 AND a.balance>0 and a.int_status=1 and sl.id=il.id and ig.is_deleted=0 and il.is_deleted=0 and sl.is_deleted=0
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'test'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'Dynamic_Test_Freeradius'           ORDER BY id
[sql] User found in group Dynamic_Test_Freeradius
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'Dynamic_Test_Freeradius'           ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: test
[mschap] Told to do MS-CHAPv2 for test with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [test/<via Auth-Type = mschap>] (from client cisco_test port 46)
Using Post-Auth-Type Reject
# Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 46 to 172.16.2.40 port 1645
        MS-CHAP-Error = "\001E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 3 ID 46 with timestamp +247
Ready to process requests.
Everything is set up in ippool,
and in the mapping tables too: user - dyn_pool, etc.
Please tell me what the problem is...
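The two traces diverge at the authorize step: the static trace logs "[sql] User found in radcheck table" and mschap is handed an NT-Password, while the dynamic trace never logs that line, mschap reports "No Cleartext-Password configured", and the request is rejected before post-auth (where dialup_pool and dhcp_pool run) is entered. The following script is an added example, not code from the post or from UTM/FreeRADIUS, that pulls those markers out of radiusd -X output; the trace embedded in it is a constructed, shortened excerpt of the logs above.

```python
import re

# Constructed excerpt of the two radiusd -X traces quoted above: the static
# client (Access-Request id=44 and its Accounting-Request id=12) and the
# dynamic client (Access-Request id=46). Long attribute values are omitted.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=44, length=154
[sql] User found in radcheck table
[mschap] Told to do MS-CHAPv2 for test with NT-Password
[dialup_pool] Found Framed-IP-Address attribute in reply attribute list.
Sending Access-Accept of id 44 to 172.16.2.40 port 1645
        Framed-IP-Address = 95.215.68.253
rad_recv: Accounting-Request packet from host 172.16.2.40 port 1646, id=12, length=145
rlm_sql_mysql: MYSQL check_error: 1054 received
[sql] Couldn't insert SQL accounting START record - Unknown column 'xascendsessionsvrkey' in 'field list'
Sending Accounting-Response of id 12 to 172.16.2.40 port 1646
rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=46, length=154
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
Sending Access-Reject of id 46 to 172.16.2.40 port 1645
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")


def split_requests(log):
    """Group radiusd -X output into one record per rad_recv header."""
    requests, current = [], None
    for line in log.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = {"type": m.group(1), "nas": m.group(2), "id": int(m.group(3)), "lines": []}
            requests.append(current)
        elif current is not None:
            current["lines"].append(line)
    return requests


def diagnose(req):
    """Extract the markers that tell an authorize/authenticate failure from a pool failure."""
    lines = req["lines"]
    def has(needle):
        return any(needle in l for l in lines)
    d = {"type": req["type"], "id": req["id"]}
    if req["type"] == "Access-Request":
        # authorize_check_query returned a row only if this line is logged
        d["check_row_found"] = has("User found in radcheck table")
        # mschap can only work when that row supplied a Cleartext-/NT-Password
        d["known_good_password"] = not (has('No "known good" password') or has("No Cleartext-Password configured"))
        # the pool modules live in post-auth, which a rejected request never reaches
        d["pool_module_ran"] = any(l.startswith(("[dialup_pool]", "[dhcp_pool]")) for l in lines)
        d["outcome"] = "accept" if has("Sending Access-Accept") else "reject" if has("Sending Access-Reject") else "unknown"
        ip = [re.search(r"Framed-IP-Address = (\S+)", l) for l in lines if "Framed-IP-Address =" in l]
        d["framed_ip"] = ip[0].group(1) if ip else None
    else:
        # accounting: keep the MySQL error text so schema problems surface separately
        d["sql_errors"] = [l.split(" - ", 1)[1] for l in lines if "Couldn't insert SQL" in l]
    return d
```

Running `[diagnose(r) for r in split_requests(SAMPLE_LOG)]` yields one record per request, so a failed pool lookup (accept without Framed-IP-Address) can be told apart from a reject that never reached post-auth.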
