HELP FreeRadius 2 + UTM5.2.1-007: help me make them work together

Technical questions about UTM 5.0
solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39


Post by solomon »

Hi all! Today I decided to get freeradius and utm5-007 working together; I installed it on CentOS5-4 like this:
1 - ./configure --prefix=/opt/freeradius --with-rlm-mysql-lib-dir=/usr/lib/mysql --with-rlm-mysql-include-dir=/usr/include/mysql
2 - make all install
3 - root@cake# chown -R radiusd:radiusd /opt/freeradius
In the radiusd.conf config I changed the following parameters:
user and group = radiusd
(auth) listen port=1822
(acct) listen port=1833
(log) request - uncommented
auth=yes, auth_badpass=yes, auth_goodpass=yes
Tell me, where do I dig next?
How do I test that it works - and how will I see that it has started working with UTM?
Last edited by solomon on Wed Jul 07, 2010 08:17, edited 1 time in total.

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

Sorry, I forgot to give the details: CentOS, UTM5.2.1-007
If I understood correctly, the code needs to go into dialup.conf.....
Tell me, dear Magnum72, if I bring your query, optimized by ds, to the form below, does that mean freeradius will work like the boxed NetUP radius? Will it be able to hand out static and dynamic addresses on VPN connection? Please don't scold me too much, I have never worked closely with queries, I have only just started learning SQL
authorize_reply_query

Code:
SELECT g1.ip_group_id, g1.uname 
    FROM ip_groups g1, iptraffic_service_links i, service_links s, account_tariff_link a, tariffs t 
    WHERE ( g1.uname = 'user' 
            AND g1.is_deleted = '0' 
            AND i.ip_group_id = g1.ip_group_id 
            AND i.is_deleted = '0' 
            AND s.id = i.id 
            AND s.is_deleted = '0' 
            AND a.id = s.tariff_link_id 
            AND a.is_deleted = '0' 
            AND t.id = a.tariff_id ) 
        AND (( AND ( g1.ab = '' OR g1.ab IS NULL  ) AND ( g1.av != '2' OR g1.av IS NULL  )) 
            OR (t.lan = '1' 
             AND ( g1.ab = '' OR g1.ab IS NULL  ) AND ( g1.av != '2' OR g1.av IS NULL  )) 
            OR ( g1.ab = '' OR g1.ab IS NULL  AND g1.av = '1' ) 
            OR (g1.ab != '')) 
UNION SELECT g1.ip_group_id, g1.uname 
    FROM ip_groups g1 
    WHERE g1.uname = 'user' 
        AND g1.is_deleted = '0' 
UNION SELECT g1.ip_group_id, g1.uname
    FROM ip_groups g1 
    LEFT JOIN ip_groups g2 
        ON ( g1.rg = g2.rg 
            AND g2.ip = if( inet_aton( '10.1.1.6' ) <=2147483648, inet_aton( '10.1.1.6' ) , inet_aton( '10.1.1.6' ) - 0x100000000 ) 
            AND g2.is_deleted = '0' ) 
    LEFT JOIN ip_groups g3 
        ON ( g3.ip = if( inet_aton( '10.1.1.6' ) <=2147483648, inet_aton( '10.1.1.6' ) , inet_aton( '10.1.1.6' ) - 0x100000000 ) 
            AND g3.freevpn = '1'   AND g3.is_deleted = '0' )
    WHERE g1.uname = 'user' 
        AND g1.is_deleted = '0' 
        AND ( g1.freevpn = '' OR g1.freevpn IS NULL  ) 
        AND ( g1.ab = '' OR g1.ab IS NULL  ) 
        AND ( g1.av != '2' OR g1.av IS NULL  ) 
        AND ( g1.freevpn = '' OR g1.freevpn IS NULL  ) 
        AND ( g3.freevpn = '' OR g3.freevpn IS NULL  ) 
        AND g2.ip IS NULL 
    -- inet_ntoa: the reply value for Framed-IP-Address must be a dotted quad, not an integer
UNION SELECT g1.ip_group_id, g1.uname, 'Framed-IP-Address', inet_ntoa( g1.ip & 0xFFFFFFFF ) AS a, ':=' 
    FROM ip_groups g1 
    LEFT JOIN ip_groups g2 
        ON ( g1.rg = g2.rg 
            AND g2.ip = if( inet_aton( '10.1.1.6' ) <=2147483648, inet_aton( '10.1.1.6' ) , inet_aton( '10.1.1.6' ) - 0x100000000 ) 
            AND g2.is_deleted = '0' ) 
    LEFT JOIN ip_groups g3 
        ON ( g3.ip = if( inet_aton( '10.1.1.6' ) <=2147483648, inet_aton( '10.1.1.6' ) , inet_aton( '10.1.1.6' ) - 0x100000000 ) 
            AND g3.freevpn = '1' 
            AND g3.is_deleted = '0' ) 
    WHERE g1.uname = 'user' 
        AND g1.is_deleted = '0' 
        AND ( g1.ab = '' OR g1.ab IS NULL  )  AND ( g1.av = '' OR g1.av IS NULL  ) 
        AND ( g2.id IS NOT NULL  OR g1.freevpn = '1' OR g3.ip IS NOT NULL  ) 
        AND ( g1.av IS NULL  OR g1.av != '2' )

authorize_check_query
Code:
SELECT i.ip_group_id, i.uname, 'Password', i.upass, ':=' 
    FROM ip_groups i 
    WHERE i.uname = 'user' 
        AND i.is_deleted = '0' 
        AND ( i.av IS NULL  OR i.av != '2' ) 
        AND 'user' != '' 
UNION SELECT '1000', 'user', 'Simultaneous-Use', '1', ':=' FROM ip_groups WHERE uname='user';
Another question has come up: what do inet_aton and 10.1.1.6 mean?
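The two questions at the end of this post, what inet_aton is and why '10.1.1.6' appears, come down to one thing: UTM5 stores ip_groups.ip as a signed 32-bit integer, while MySQL's INET_ATON() returns an unsigned one. The following is an added example, not code from the thread, NetUP or FreeRADIUS, that reproduces the query's conversion in Python so the effect can be checked on real addresses. It assumes (the thread does not say so) that 'user' and '10.1.1.6' in the posted query are hand-substituted stand-ins for %{SQL-User-Name} and %{NAS-IP-Address}; here '10.1.1.6' is only test input.

```python
"""Added example (not from the forum thread, NetUP or FreeRADIUS): how the integer
UTM5 keeps in ip_groups.ip relates to a dotted-quad address, mirroring the SQL
in the query above.

UTM5 stores ip_groups.ip as a *signed* 32-bit integer, while MySQL's INET_ATON()
returns an *unsigned* one (0 .. 4294967295). Addresses of 128.0.0.0 and above
therefore come out negative in UTM5, and a comparison against a raw INET_ATON()
value never matches. That is why the query wraps the address as

    if(inet_aton(A) <= 2147483648, inet_aton(A), inet_aton(A) - 0x100000000)

on the way in, and uses inet_ntoa(g1.ip & 0xFFFFFFFF) on the way out.

Assumption (not stated in the thread): '10.1.1.6' is a sample NAS address
standing in for %{NAS-IP-Address}; here it is just test input.
"""
import ipaddress

INT32_MAX = 2147483647          # largest value a signed INT column can hold
TWO_32 = 0x100000000            # 2**32, the wrap-around used in the query


def inet_aton(addr: str) -> int:
    """MySQL INET_ATON(): dotted quad -> unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def inet_ntoa(n: int) -> str:
    """MySQL INET_NTOA(): unsigned 32-bit integer -> dotted quad."""
    return str(ipaddress.IPv4Address(n))


def to_utm5(addr: str) -> int:
    """Convert a dotted quad to the signed value UTM5 stores in ip_groups.ip.

    The posted SQL tests '<= 2147483648'; the exact bound is INT32_MAX
    (2147483647), because 2147483648 (= 128.0.0.0) does not fit a signed INT.
    The two agree for every other address.
    """
    u = inet_aton(addr)
    return u if u <= INT32_MAX else u - TWO_32


def from_utm5(stored: int) -> str:
    """Inverse: what inet_ntoa(ip & 0xFFFFFFFF) yields for a stored value."""
    return inet_ntoa(stored & 0xFFFFFFFF)


def row_matches(stored: int, addr: str) -> bool:
    """The join condition 'g2.ip = <converted address>' from the query."""
    return stored == to_utm5(addr)


def naive_row_matches(stored: int, addr: str) -> bool:
    """What happens without the conversion: compare against raw INET_ATON()."""
    return stored == inet_aton(addr)


if __name__ == "__main__":
    for a in ("10.1.1.6", "192.168.1.13", "127.255.255.255", "128.0.0.0"):
        s = to_utm5(a)
        print(f"{a:>16} -> stored {s:>12} -> {from_utm5(s)}  "
              f"converted match={row_matches(s, a)} naive match={naive_row_matches(s, a)}")
```

The conversion only changes anything for addresses of 128.0.0.0 and above, which is where most public ranges live, so a query that works fine on a 10.x test network can silently stop matching the moment real customer addresses are loaded. The boundary address 128.0.0.0 is the one place the posted `<= 2147483648` and the strict `<= 2147483647` differ, since 2147483648 cannot be stored in a signed INT at all.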

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

help!!! I started freeradius
I run radtest - it throws errors - please explain what these errors are

[root@admin bin]# ./radtest test test 127.0.0.1 2 test
Sending Access-Request of id 118 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 2
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=118, length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
Sending Access-Request of id 118 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 2
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=118, length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
Sending Access-Request of id 118 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 2
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=118, length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
radclient: no response from server for ID 118 socket 4

TiRider
Posts: 568
Joined: Sat Jun 07, 2008 12:43

Post by TiRider »

It says it clearly - Shared secret is incorrect.
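TiRider's one-liner is the whole diagnosis, but it is worth seeing what radclient actually checks, because that message is produced without the server ever saying "wrong secret". The block below is an added example (not from the thread and not FreeRADIUS code) that builds a radtest-style PAP Access-Request and a header-only reply with Python's standard library, then verifies the reply the way rad_verify() does. The secrets "testing123" / "wrongsecret", the user "test" and the packet ID are constructed sample values.

```python
"""Added example (not from the thread or the FreeRADIUS source): what radclient's
rad_verify() checks before printing "invalid signature (err=2)! (Shared secret
is incorrect.)". A RADIUS reply carries no key identifier; its Response
Authenticator is MD5(Code|ID|Length|RequestAuthenticator|Attributes|Secret)
(RFC 2865 section 3), so the client recomputes it with *its* secret. The same
secret hides User-Password on the request (RFC 2865 section 5.2), so a mismatch
makes the server decode garbage and reject. Secrets below are sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER_LEN = 20


def encode_attrs(attrs):
    """RADIUS attribute TLVs: 1-byte type, 1-byte length (incl. header), value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Inverse of encode_attrs; raises on a truncated or malformed TLV."""
    attrs, i = [], 0
    while i < len(data):
        attr_type, length = struct.unpack_from("!BB", data, i)
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16n, c_i = p_i XOR MD5(secret | c_(i-1)), c_0 = RequestAuth."""
    padded = password + b"\x00" * (-len(password) % 16 or (16 if not password else 0))
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # padding is NULs, so trailing NULs of a password are lost


def build_packet(code, ident, authenticator, attrs_bytes):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes)) + authenticator + attrs_bytes


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5 over reply header, the *request* authenticator, attrs, secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def make_reply(code, request_pkt, attrs_bytes, secret):
    ident, request_auth = request_pkt[1], request_pkt[4:20]
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, attrs_bytes, secret), attrs_bytes)


def verify_reply(reply_pkt, request_pkt, secret):
    """What rad_verify() does: recompute the Response Authenticator with our secret."""
    if len(reply_pkt) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply_pkt[:4])
    if length != len(reply_pkt) or ident != request_pkt[1]:
        return False
    expected = response_authenticator(code, ident, request_pkt[4:20], reply_pkt[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, reply_pkt[4:HEADER_LEN])


def exchange(client_secret, server_secret, password=b"test", request_auth=None):
    """One radtest-style PAP exchange; returns what each side concluded."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, b"test"),
                          (USER_PASSWORD, hide_password(password, client_secret, request_auth))])
    request = build_packet(ACCESS_REQUEST, 118, request_auth, attrs)
    # Server: decode the password with *its* secret, answer with a bare 20-byte header.
    hidden = dict(decode_attrs(request[HEADER_LEN:]))[USER_PASSWORD]
    server_ok = reveal_password(hidden, server_secret, request[4:20]) == password
    reply = make_reply(ACCESS_ACCEPT if server_ok else ACCESS_REJECT, request, b"", server_secret)
    return {"server_accepted": server_ok, "reply_code": reply[0],
            "reply_length": len(reply), "client_verified": verify_reply(reply, request, client_secret)}


if __name__ == "__main__":
    print("same secret:    ", exchange(b"testing123", b"testing123"))
    print("client mismatch:", exchange(b"wrongsecret", b"testing123"))
```

With matching secrets the server decodes "test" and the client verifies the Accept; with a client-side mismatch the server decodes garbage, sends a 20-byte Access-Reject, and the client cannot verify it, which is exactly the output in the post above (length=20, err=2, retried three times, then "no response from server"). The Response Authenticator is the only integrity check on such a reply, and it is MD5-based; the clients in this thread also run with require_message_authenticator = no, so no HMAC Message-Authenticator is demanded on requests either.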

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

thanks - figured it out )))
continuing to test freeradius + utm5

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

Please help me sort out the configuration; I'm making changes to dialup.conf
viewtopic.php?t=2518&highlight=freeradius+sql

Here is what it tells me

rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=21, length=138
        Framed-Protocol = PPP
        User-Name = "vlad"
        MS-CHAP-Challenge = 0xd21158a08b74e1aeef47a54468f7bf7b
        MS-CHAP2-Response = 0x01bf598b922c56c5d1e04a804a93df9fd82eb702000000295a6f72fd436d98cdb3fa4d6130d226abc1713ab90cbbd2b9260e
        NAS-Port-Type = Virtual
        NAS-Port = 21
        Service-Type = Framed-User
        NAS-IP-Address = 172.16.2.40
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "vlad", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 179
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for vlad with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [vlad/<via Auth-Type = mschap>] (from client cisco3660 port 21)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> vlad
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 21 to 172.16.2.40 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 21 with timestamp +20
Ready to process requests.

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

I know there are gurus here who can help
but I just can't get freeradius working with MySQL
my actions are based on - http://www.lissyara.su/articles/freebsd ... ty/mpd_10/
my steps

1 - yum install freeradius2 freeradius2-mysql freeradius2-utils
2 - following this manual I tested a local, non-SQL user, all good - http://wiki.dodex.org/2009/07/21/freeradiusmysql/
3 - mysql -u root
> CREATE DATABASE radius;
> GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY "123";
Since the MySQL database dump did not show up in examples after installation, I downloaded freeradius version 2-0-0 pre1 from kuad and took the dump from there
mysql -u root radius < /tmp/examples/mysql.sql 
>INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('testsql', 'Cleartext-Password', ':=', 'test123');
>INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('testsql', 'Framed-IP-Address', '=', '192.168.1.13');
>INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('testsql', 'Framed-IP-Netmask', '=', '255.255.255.255');
> INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('testsql', 'Framed-Protocol', '=', 'PPP');
> select * from radreply where UserName = 'testsql'; - checked the entered data
mysql> select * from radreply;
+----+----------+-------------------+----+-----------------+
| id | UserName | Attribute         | op | Value           |
+----+----------+-------------------+----+-----------------+
|  1 | testsql  | Framed-IP-Address | =  | 192.168.1.13    | 
|  2 | testsql  | Framed-IP-Netmask | =  | 255.255.255.255 | 
|  3 | testsql  | Framed-Protocol   | =  | PPP             | 
+----+----------+-------------------+----+-----------------+
3 rows in set (0.00 sec)

mysql> select id, UserName, Attribute, op, value FROM radcheck;
+----+----------+--------------------+----+---------+
| id | UserName | Attribute          | op | value   |
+----+----------+--------------------+----+---------+
|  1 | testsql  | Cleartext-Password | := | test123 | 
+----+----------+--------------------+----+---------+

4 - uncommented sql in raddb/sites-available/default in the authorize{}, accounting{}, session{}, post-auth{} sections
5 - in radiusd.conf uncommented $INCLUDE sql.conf
6 - /usr/sbin/./radiusd -X
7 - in another console I test with /usr/bin/./radtest testsql test123 localhost 1812 123

Here is what the debug prints

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49296, id=220, length=59
        User-Name = "testsql"
        User-Password = "test123"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> testsql
[sql] sql_set_user escaped user --> 'testsql'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, op, value           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, op, value           FROM radcheck           WHERE username = 'testsql'           ORDER BY id
rlm_sql: Invalid operator "test123" for attribute Cleartext-Password
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail
Invalid user: [testsql/test123] (from client localhost port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testsql
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 220 to 127.0.0.1 port 49296
Waking up in 4.9 seconds.

I don't get it, everyone else seems to manage - I'm setting it up by the same manuals - and it doesn't work for me
Though mostly everyone installs freeradius 1 - there are small differences there

freeradius 2 
shad  Auth-Type = Local, Cleartext-Password := "test"
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 192.168.0.7,
   Framed-IP-Netmask = 255.255.255.0

freeradius 1

shad  Auth-Type := Local, User-Password == "test"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.0.7,
Framed-IP-Netmask = 255.255.255.0

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

after certain settings it seems to authorize against the dump and even accepts the password, but it doesn't want to issue an Access-Accept (((

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 50103, id=157, length=59
        User-Name = "testing"
        User-Password = "777"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> testing
[sql] sql_set_user escaped user --> 'testing'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'testing'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'testing'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'testing'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'static'           ORDER BY id
[sql] User found in group static
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'static'           ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "777"
[pap] Using clear text password "777"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [testing] (from client localhost port 1812)
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> testing
[sql] sql_set_user escaped user --> 'testing'
[sql]   expand: %{User-Password} -> 777
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'testing',                           '777',                           'Access-Accept', '2010-07-08 14:50:49')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'testing',                           '777',                           'Access-Accept', '2010-07-08 14:50:49')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql (sql) in sql_postauth: Database query error - Unknown column 'username' in 'field list'
rlm_sql (sql): Released sql socket id: 2
++[sql] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 157 to 127.0.0.1 port 50103
Waking up in 4.9 seconds.
Cleaning up request 0 ID 157 with timestamp +9
Ready to process requests.

I have a feeling it's about to work - it seems hardly anything is left - I haven't configured chap and mschap yet... I think they aren't needed for local tests?
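Each of the debug dumps in this thread answers the same question, which module returned fail or reject and in which section, and the last one shows the non-obvious case: a successful PAP authentication ("Login OK") turned into an Access-Reject because the sql module failed in post-auth. The following added example (not part of FreeRADIUS and not from the thread's authors) is a small Python triage helper for radiusd -X output that reads those lines and reports outcome, failing module and section; the sample lines are trimmed copies of the three dumps posted above, so nothing beyond what appears on this page is assumed.

```python
"""Added example (not part of FreeRADIUS or this thread): a triage helper for
'radiusd -X' output. One request's debug output has a fixed shape:
'+- entering group <section>' lines, '++[module] returns <rc>' lines, module
diagnostics such as '[mschap] FAILED: ...' or 'rlm_sql (sql): ...', and a final
'Sending Access-Accept/Reject'. The helper maps the outcome back to the section
and module that produced it. Sample lines are trimmed from the dumps in this
thread; nothing else about the server is assumed.
"""
import re

ENTER_GROUP = re.compile(r"^\+- entering group (\S+)")
MODULE_RC = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)")
SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+)")
LOGIN_OK = re.compile(r"^Login OK:")
# Module-level diagnostics worth surfacing: a '[module]' or 'rlm_*' line that
# carries a failure keyword.
DIAG = re.compile(r"^(?:\[[\w.-]+\]|rlm_\w+).*(?:FAILED|[Ee]rror|Invalid|Cannot|WARNING)")
BAD_RC = {"fail", "reject", "invalid"}


def triage(lines):
    """Walk one request's debug output; return outcome, failing modules, diagnostics."""
    section, failures, diagnostics, outcome, login_ok = None, [], [], None, False
    for raw in lines:
        line = raw.rstrip("\n")
        if m := ENTER_GROUP.match(line):
            section = m.group(1)
        elif m := MODULE_RC.match(line):
            module, rc = m.groups()
            if rc in BAD_RC:
                failures.append((section, module, rc))
        elif m := SENDING.match(line):
            outcome = m.group(1)
        elif LOGIN_OK.match(line):
            login_ok = True
        elif DIAG.match(line):
            diagnostics.append(line.strip())
    return {"outcome": outcome, "login_ok": login_ok,
            "failures": failures, "diagnostics": diagnostics}


def summarize(lines):
    """One-line verdict: what was sent, which module caused it, and the last diagnostic."""
    t = triage(lines)
    if not t["failures"]:
        return f"{t['outcome']}: no module returned fail/reject"
    section, module, rc = t["failures"][-1]
    head = f"{t['outcome']}: [{module}] returned {rc} in {section}"
    if t["login_ok"]:
        head += " after authentication succeeded"
    if t["diagnostics"]:
        head += "; " + t["diagnostics"][-1]
    return head


# Constructed samples: trimmed copies of the debug output posted earlier in this thread.
SAMPLE_MSCHAP = """\
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
Sending Access-Reject of id 21 to 172.16.2.40 port 1645
""".splitlines()

SAMPLE_SQL_COLUMNS = """\
+- entering group authorize {...}
++[files] returns noop
rlm_sql: Invalid operator "test123" for attribute Cleartext-Password
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user
++[sql] returns fail
Sending Access-Reject of id 220 to 127.0.0.1 port 49296
""".splitlines()

SAMPLE_POSTAUTH = """\
+- entering group PAP {...}
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [testing] (from client localhost port 1812)
+- entering group post-auth {...}
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql (sql) in sql_postauth: Database query error - Unknown column 'username' in 'field list'
++[sql] returns fail
Sending Access-Reject of id 157 to 127.0.0.1 port 50103
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("mschap", SAMPLE_MSCHAP), ("sql columns", SAMPLE_SQL_COLUMNS),
                         ("post-auth", SAMPLE_POSTAUTH)):
        print(f"{name:>12}: {summarize(sample)}")
```

On the second sample the diagnostic line is the one to read: "Invalid operator "test123"" means rlm_sql took the fourth column as the operator, i.e. the query returned attribute, op, value while the module expects attribute, value, op (the later dump on this page shows the corrected order). On the third, the summary makes explicit that the reject came from post-auth after a successful login, so the fix belongs in the radpostauth table or the postauth_query, not in authentication.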

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

found the hitch: not knowing what post-auth is for, I had uncommented sql in /raddb/sites-enable/default ))))

[root@admin radius]# /usr/bin/./radtest testing 777 127.0.0.1 1812 123
Sending Access-Request of id 194 to 127.0.0.1 port 1812
        User-Name = "testing"
        User-Password = "777"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=194, length=50
        Framed-IP-Address = 1.1.1.1
        Framed-IP-Netmask = 255.255.255.255
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-Compression = Van-Jacobson-TCP-IP
this is my first experience setting up freeradius2 - on the internet it's mostly setups for the first version, I was a bit confused at first but now I understand what's what))))
Well then, I'll get on with hooking it up to the billing )))) wish me luck in battle )))

Blackmore
Posts: 365
Joined: Sun Feb 06, 2005 09:24
From: Moscow region

Post by Blackmore »

keep writing =)
I'll soon have to do the same thing

gil
Posts: 355
Joined: Tue Nov 11, 2008 14:28

Post by gil »

Everyone write more, in case someone else here is trying to save on qualified labour.

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

gil wrote: Everyone write more, in case someone else here is trying to save on qualified labour.
Buddy, in our field it's impossible to know everything, qualification comes with experience; sometimes some unqualified specialists urgently need to get a project up - but learning it properly would take a lot of time, and that's the only reason they ask, I think.... having set up the project the person will develop himself and get to know this tool - since he is the one who will have to support it (this is of course my purely personal opinion),
I am exactly such an unqualified specialist. I set up freeradius having googled something seemingly useful and, of course, having read through the official site... I'm studying the SQL language intensively in my personal time away from work... so questions come up... and I also have trouble with the foreign language - at school, at college and at university I studied German - so I have to use Google's translator and guess from the meaning what goes where ))))

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

Gentlemen, the successful tests of authorizing a local user in the MySQL database - those were my last successful spurts - I have read through the whole forum (((( and I just can't get it tied to the billing
Please tell me which configs I need to edit and where to put what - I have tried every method from this forum (((( I'm completely desperate by now

On the test machine I have (CentOS 5.5, UTM5.2.1-007, FreeRADIUS 2.1.7); the client is a Cisco 3660 (172.16.x.y)
I need at least the functionality of the stock one to be preserved: handing out static and dynamic public IPs over VPN

If it's not too much trouble, please send working configs to my mail - soloman1 (a) rambler.ru

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

Apparently hooking freeradius up to UTM5 is such a simple task that nobody wants to help an uninitiated person ((((
Another question: can I check with radtest that the freeradius + utm5 combination works? if I give a login and password from the database

solomon
Posts: 316
Joined: Tue Mar 16, 2010 08:39

Post by solomon »

I installed radius and configured it following this manual - it gave no errors on startup


Starting - reading configuration files ...
including configuration file /opt/freeradius/etc/raddb/radiusd.conf
including configuration file /opt/freeradius/etc/raddb/proxy.conf
including configuration file /opt/freeradius/etc/raddb/clients.conf
including files in directory /opt/freeradius/etc/raddb/modules/
including configuration file /opt/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /opt/freeradius/etc/raddb/modules/sql_log
including configuration file /opt/freeradius/etc/raddb/modules/counter
including configuration file /opt/freeradius/etc/raddb/modules/acct_unique
including configuration file /opt/freeradius/etc/raddb/modules/unix
including configuration file /opt/freeradius/etc/raddb/modules/attr_rewrite
including configuration file /opt/freeradius/etc/raddb/modules/echo
including configuration file /opt/freeradius/etc/raddb/modules/sradutmp
including configuration file /opt/freeradius/etc/raddb/modules/detail
including configuration file /opt/freeradius/etc/raddb/modules/realm
including configuration file /opt/freeradius/etc/raddb/modules/chap
including configuration file /opt/freeradius/etc/raddb/modules/always
including configuration file /opt/freeradius/etc/raddb/modules/ippool
including configuration file /opt/freeradius/etc/raddb/modules/exec
including configuration file /opt/freeradius/etc/raddb/modules/preprocess
including configuration file /opt/freeradius/etc/raddb/modules/files
including configuration file /opt/freeradius/etc/raddb/modules/smsotp
including configuration file /opt/freeradius/etc/raddb/modules/mschap
including configuration file /opt/freeradius/etc/raddb/modules/krb5
including configuration file /opt/freeradius/etc/raddb/modules/radutmp
including configuration file /opt/freeradius/etc/raddb/modules/expiration
including configuration file /opt/freeradius/etc/raddb/modules/detail.log
including configuration file /opt/freeradius/etc/raddb/modules/mac2ip
including configuration file /opt/freeradius/etc/raddb/modules/cui
including configuration file /opt/freeradius/etc/raddb/modules/attr_filter
including configuration file /opt/freeradius/etc/raddb/modules/etc_group
including configuration file /opt/freeradius/etc/raddb/modules/logintime
including configuration file /opt/freeradius/etc/raddb/modules/expr
including configuration file /opt/freeradius/etc/raddb/modules/mac2vlan
including configuration file /opt/freeradius/etc/raddb/modules/perl
including configuration file /opt/freeradius/etc/raddb/modules/wimax
including configuration file /opt/freeradius/etc/raddb/modules/pap
including configuration file /opt/freeradius/etc/raddb/modules/checkval
including configuration file /opt/freeradius/etc/raddb/modules/detail.example.com
including configuration file /opt/freeradius/etc/raddb/modules/ntlm_auth
including configuration file /opt/freeradius/etc/raddb/modules/smbpasswd
including configuration file /opt/freeradius/etc/raddb/modules/policy
including configuration file /opt/freeradius/etc/raddb/modules/passwd
including configuration file /opt/freeradius/etc/raddb/modules/pam
including configuration file /opt/freeradius/etc/raddb/modules/ldap
including configuration file /opt/freeradius/etc/raddb/modules/otp
including configuration file /opt/freeradius/etc/raddb/modules/linelog
including configuration file /opt/freeradius/etc/raddb/modules/digest
including configuration file /opt/freeradius/etc/raddb/modules/inner-eap
including configuration file /opt/freeradius/etc/raddb/eap.conf
including configuration file /opt/freeradius/etc/raddb/sql.conf
including configuration file /opt/freeradius/etc/raddb/sql/mysql/dialup.conf
including configuration file /opt/freeradius/etc/raddb/policy.conf
including files in directory /opt/freeradius/etc/raddb/sites-enabled/
including configuration file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel
including configuration file /opt/freeradius/etc/raddb/sites-enabled/default
including configuration file /opt/freeradius/etc/raddb/sites-enabled/control-socket
main {
        allow_core_dumps = no
}
including dictionary file /opt/freeradius/etc/raddb/dictionary
main {
        prefix = "/opt/freeradius"
        localstatedir = "/opt/freeradius/var"
        logdir = "/opt/freeradius/var/log/radius"
        libdir = "/opt/freeradius/lib"
        radacctdir = "/opt/freeradius/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid"
        checkrad = "/opt/freeradius/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = no
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client cisco3660 {
        ipaddr = 172.16.2.40
        netmask = 32
        require_message_authenticator = no
        secret = "secret"
        shortname = "cisco"
        nastype = "cisco"
 }
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
        radwtmp = "/opt/freeradius/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/opt/freeradius/etc/raddb/certs/server.pem"
        certificate_file = "/opt/freeradius/etc/raddb/certs/server.pem"
        CA_file = "/opt/freeradius/etc/raddb/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/opt/freeradius/etc/raddb/certs/dh"
        random_file = "/opt/freeradius/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/opt/freeradius/etc/raddb/certs/bootstrap"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
        usersfile = "/opt/freeradius/etc/raddb/users"
        acctusersfile = "/opt/freeradius/etc/raddb/acct_users"
        preproxy_usersfile = "/opt/freeradius/etc/raddb/preproxy_users"
        compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
        filename = "/opt/freeradius/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  &#125;
 Module&#58; Checking post-proxy &#123;...&#125; for more modules to load
 Module&#58; Checking post-auth &#123;...&#125; for more modules to load
 Module&#58; Linked to module rlm_attr_filter
 Module&#58; Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject &#123;
        attrsfile = "/opt/freeradius/etc/raddb/attrs.access_reject"
        key = "%&#123;User-Name&#125;"
  &#125;
 &#125; # modules
&#125; # server
server &#123;
 modules &#123;
 Module&#58; Checking authenticate &#123;...&#125; for more modules to load
 Module&#58; Checking authorize &#123;...&#125; for more modules to load
 Module&#58; Linked to module rlm_preprocess
 Module&#58; Instantiating preprocess
  preprocess &#123;
        huntgroups = "/opt/freeradius/etc/raddb/huntgroups"
        hints = "/opt/freeradius/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  &#125;
 Module&#58; Checking preacct &#123;...&#125; for more modules to load
 Module&#58; Linked to module rlm_acct_unique
 Module&#58; Instantiating acct_unique
  acct_unique &#123;
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  &#125;
 Module&#58; Checking accounting &#123;...&#125; for more modules to load
 Module&#58; Linked to module rlm_detail
 Module&#58; Instantiating detail
  detail &#123;
        detailfile = "/opt/freeradius/var/log/radius/radacct/%&#123;Client-IP-Address&#125;/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  &#125;
 Module&#58; Linked to module rlm_perl
 Module&#58; Instantiating perl
  perl &#123;
        module = "/opt/freeradius/etc/raddb/rad.pl"
        func_authorize = "authorize"
        func_authenticate = "authenticate"
        func_accounting = "accounting"
        func_preacct = "preacct"
        func_checksimul = "checksimul"
        func_detach = "detach"
        func_xlat = "xlat"
        func_pre_proxy = "pre_proxy"
        func_post_proxy = "post_proxy"
        func_post_auth = "post_auth"
        func_recv_coa = "recv_coa"
        func_send_coa = "send_coa"
  &#125;
DBI connect&#40;'database=UTM5;host=localhost','xxx',...&#41; failed&#58; Access denied for user 'xxx'@'localhost' &#40;using password&#58; YES&#41; at /opt/freeradius/etc/raddb/rad.pl line 30
 Module&#58; Linked to module rlm_sql
 Module&#58; Instantiating sql
  sql &#123;
        driver = "rlm_sql_mysql"
        server = "localhost"
        port = "3306"
        login = "root"
        password = ""
        radius_db = "UTM5"
        read_groups = yes
        sqltrace = no
        sqltracefile = "/opt/freeradius/var/log/radius/sqltrace.sql"
        readclients = no
        deletestalesessions = yes
        num_sql_socks = 5
        lifetime = 0
        max_queries = 0
        sql_user_name = "%&#123;User-Name&#125;"
        default_user_profile = ""
        nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
        authorize_check_query = "SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%&#123;SQL-User-Name&#125;'           ORDER BY id"
        authorize_reply_query = "SELECT '','%&#123;SQL-User-Name&#125;','Framed-IP-Address',inet_ntoa&#40; ip_groups.ip & 0xffffffff &#41; AS ip,'=' FROM UTM5.ip_groups WHERE uname ='%&#123;SQL-User-Name&#125;' AND is_deleted = '0' AND inet_ntoa&#40; ip_groups.ip & 0xffffffff &#41; LIKE '95.215.%' UNION SELECT '', '%&#123;SQL-User-Name&#125;', 'Framed-Pool', 'mainpool', '=' FROM ip_groups WHERE uname ='%&#123;SQL-User-Name&#125;' AND inet_ntoa&#40; ip_groups.ip & 0xffffffff &#41; NOT LIKE '95.215.%' UNION select '', '%&#123;SQL-User-Name&#125;', 'Mikrotik-Rate-Limit', radius_data.value, '=' FROM radius_data WHERE radius_data.owner_id=&#40; select sl.service_id FROM ip_groups ig, iptraffic_service_links isl, service_links sl where ig.uname='%&#123;SQL-User-Name&#125;' and ig.is_deleted=0 and ig.ip_group_id=isl.ip_group_id and isl.is_deleted=0 and isl.id=sl.id and sl.is_deleted=0&#41; AND radius_data.vendor=14988"
        authorize_group_check_query = "SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%&#123;Sql-Group&#125;'           ORDER BY id"
        authorize_group_reply_query = "SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%&#123;Sql-Group&#125;'           ORDER BY id"
        accounting_onoff_query = "          UPDATE radacct           SET              acctstoptime       =  '%S',              acctsessiontime    =  unix_timestamp&#40;'%S'&#41; -                                    unix_timestamp&#40;acctstarttime&#41;,              acctterminatecause =  '%&#123;Acct-Terminate-Cause&#125;',              acctstopdelay      =  %&#123;%&#123;Acct-Delay-Time&#125;&#58;-0&#125;           WHERE acctstoptime IS NULL           AND nasipaddress      =  '%&#123;NAS-IP-Address&#125;'           AND acctstarttime     <= '%S'"
        accounting_update_query = "           UPDATE radacct           SET              framedipaddress = '%&#123;Framed-IP-Address&#125;',              acctsessiontime     = '%&#123;Acct-Session-Time&#125;',              acctinputoctets     = '%&#123;%&#123;Acct-Input-Gigawords&#125;&#58;-0&#125;'  << 32 |                                    '%&#123;%&#123;Acct-Input-Octets&#125;&#58;-0&#125;',              acctoutputoctets    = '%&#123;%&#123;Acct-Output-Gigawords&#125;&#58;-0&#125;' << 32 |                                    '%&#123;%&#123;Acct-Output-Octets&#125;&#58;-0&#125;'           WHERE acctsessionid = '%&#123;Acct-Session-Id&#125;'           AND username        = '%&#123;SQL-User-Name&#125;'           AND nasipaddress    = '%&#123;NAS-IP-Address&#125;'"
        accounting_update_query_alt = "           INSERT INTO radacct             &#40;acctsessionid,    acctuniqueid,      username,              realm,            nasipaddress,      nasportid,              nasporttype,      acctstarttime,     acctsessiontime,              acctauthentic,    connectinfo_start, acctinputoctets,              acctoutputoctets, calledstationid,   callingstationid,              servicetype,      framedprotocol,    framedipaddress,              acctstartdelay,   xascendsessionsvrkey&#41;           VALUES             &#40;'%&#123;Acct-Session-Id&#125;', '%&#123;Acct-Unique-Session-Id&#125;',              '%&#123;SQL-User-Name&#125;',              '%&#123;Realm&#125;', '%&#123;NAS-IP-Address&#125;', '%&#123;NAS-Port&#125;',              '%&#123;NAS-Port-Type&#125;',              DATE_SUB&#40;'%S',                       INTERVAL &#40;%&#123;%&#123;Acct-Session-Time&#125;&#58;-0&#125; +                                 %&#123;%&#123;Acct-Delay-Time&#125;&#58;-0&#125;&#41; SECOND&#41;,                       '%&#123;Acct-Session-Time&#125;',              '%&#123;Acct-Authentic&#125;', '',              '%&#123;%&#123;Acct-Input-Gigawords&#125;&#58;-0&#125;' << 32 |              '%&#123;%&#123;Acct-Input-Octets&#125;&#58;-0&#125;',              '%&#123;%&#123;Acct-Output-Gigawords&#125;&#58;-0&#125;' << 32 |              '%&#123;%&#123;Acct-Output-Octets&#125;&#58;-0&#125;',              '%&#123;Called-Station-Id&#125;', '%&#123;Calling-Station-Id&#125;',              '%&#123;Service-Type&#125;', '%&#123;Framed-Protocol&#125;',              '%&#123;Framed-IP-Address&#125;',              '0', '%&#123;X-Ascend-Session-Svr-Key&#125;'&#41;"
        accounting_start_query = "           INSERT INTO radacct             &#40;acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey&#41;           VALUES             &#40;'%&#123;Acct-Session-Id&#125;', '%&#123;Acct-Unique-Session-Id&#125;',              '%&#123;SQL-User-Name&#125;',              '%&#123;Realm&#125;', '%&#123;NAS-IP-Address&#125;', '%&#123;NAS-Port&#125;',              '%&#123;NAS-Port-Type&#125;', '%S', NULL,              '0', '%&#123;Acct-Authentic&#125;', '%&#123;Connect-Info&#125;',              '', '0', '0',              '%&#123;Called-Station-Id&#125;', '%&#123;Calling-Station-Id&#125;', '',              '%&#123;Service-Type&#125;', '%&#123;Framed-Protocol&#125;', '%&#123;Framed-IP-Address&#125;',              '%&#123;%&#123;Acct-Delay-Time&#125;&#58;-0&#125;', '0', '%&#123;X-Ascend-Session-Svr-Key&#125;'&#41;"
        accounting_start_query_alt = "           UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%&#123;%&#123;Acct-Delay-Time&#125;&#58;-0&#125;',              connectinfo_start = '%&#123;Connect-Info&#125;'           WHERE acctsessionid  = '%&#123;Acct-Session-Id&#125;'           AND username         = '%&#123;SQL-User-Name&#125;'           AND nasipaddress     = '%&#123;NAS-IP-Address&#125;'"
        accounting_stop_query = "           UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%&#123;Acct-Session-Time&#125;',              acctinputoctets    = '%&#123;%&#123;Acct-Input-Gigawords&#125;&#58;-0&#125;' << 32 |                                   '%&#123;%&#123;Acct-Input-Octets&#125;&#58;-0&#125;',              acctoutputoctets   = '%&#123;%&#123;Acct-Output-Gigawords&#125;&#58;-0&#125;' << 32 |                                   '%&#123;%&#123;Acct-Output-Octets&#125;&#58;-0&#125;',              acctterminatecause = '%&#123;Acct-Terminate-Cause&#125;',              acctstopdelay      = '%&#123;%&#123;Acct-Delay-Time&#125;&#58;-0&#125;',              connectinfo_stop   = '%&#123;Connect-Info&#125;'           WHERE acctsessionid   = '%&#123;Acct-Session-Id&#125;'           AND username          = '%&#123;SQL-User-Name&#125;'           AND nasipaddress      = '%&#123;NAS-IP-Address&#125;'"
        accounting_stop_query_alt = "           INSERT INTO radacct             &#40;acctsessionid, acctuniqueid, username,              realm, nasipaddress, nasportid,              nasporttype, acctstarttime, acctstoptime,              acctsessiontime, acctauthentic, connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype, framedprotocol, framedipaddress,              acctstartdelay, acctstopdelay&#41;           VALUES             &#40;'%&#123;Acct-Session-Id&#125;', '%&#123;Acct-Unique-Session-Id&#125;',              '%&#123;SQL-User-Name&#125;',              '%&#123;Realm&#125;', '%&#123;NAS-IP-Address&#125;', '%&#123;NAS-Port&#125;',              '%&#123;NAS-Port-Type&#125;',              DATE_SUB&#40;'%S',                  INTERVAL &#40;%&#123;%&#123;Acct-Session-Time&#125;&#58;-0&#125; +                  %&#123;%&#123;Acct-Delay-Time&#125;&#58;-0&#125;&#41; SECOND&#41;,              '%S', '%&#123;Acct-Session-Time&#125;', '%&#123;Acct-Authentic&#125;', '',              '%&#123;Connect-Info&#125;',              '%&#123;%&#123;Acct-Input-Gigawords&#125;&#58;-0&#125;' << 32 |              '%&#123;%&#123;Acct-Input-Octets&#125;&#58;-0&#125;',              '%&#123;%&#123;Acct-Output-Gigawords&#125;&#58;-0&#125;' << 32 |              '%&#123;%&#123;Acct-Output-Octets&#125;&#58;-0&#125;',              '%&#123;Called-Station-Id&#125;', '%&#123;Calling-Station-Id&#125;',              '%&#123;Acct-Terminate-Cause&#125;',              '%&#123;Service-Type&#125;', '%&#123;Framed-Protocol&#125;', '%&#123;Framed-IP-Address&#125;',              '0', '%&#123;%&#123;Acct-Delay-Time&#125;&#58;-0&#125;'&#41;"
        group_membership_query = "SELECT groupname           FROM radusergroup           WHERE username = '%&#123;SQL-User-Name&#125;'           ORDER BY priority"
        connect_failure_retry_delay = 60
        simul_count_query = ""
        simul_verify_query = "SELECT radacctid, acctsessionid, username,                                nasipaddress, nasportid, framedipaddress,                                callingstationid, framedprotocol                                FROM radacct                                WHERE username = '%&#123;SQL-User-Name&#125;'                                AND acctstoptime IS NULL"
        postauth_query = "INSERT INTO radpostauth                           &#40;username, pass, reply, authdate&#41;                           VALUES &#40;                           '%&#123;User-Name&#125;',                           '%&#123;%&#123;User-Password&#125;&#58;-%&#123;Chap-Password&#125;&#125;',                           '%&#123;reply&#58;Packet-Type&#125;', '%S'&#41;"
        safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_&#58; /"
  &#125;
rlm_sql &#40;sql&#41;&#58; Driver rlm_sql_mysql &#40;module rlm_sql_mysql&#41; loaded and linked
rlm_sql &#40;sql&#41;&#58; Attempting to connect to root@localhost&#58;3306/UTM5
rlm_sql &#40;sql&#41;&#58; starting 0
rlm_sql &#40;sql&#41;&#58; Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql&#58; Starting connect to MySQL server for #0
rlm_sql &#40;sql&#41;&#58; Connected new DB handle, #0
rlm_sql &#40;sql&#41;&#58; starting 1
rlm_sql &#40;sql&#41;&#58; Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql&#58; Starting connect to MySQL server for #1
rlm_sql &#40;sql&#41;&#58; Connected new DB handle, #1
rlm_sql &#40;sql&#41;&#58; starting 2
rlm_sql &#40;sql&#41;&#58; Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql&#58; Starting connect to MySQL server for #2
rlm_sql &#40;sql&#41;&#58; Connected new DB handle, #2
rlm_sql &#40;sql&#41;&#58; starting 3
rlm_sql &#40;sql&#41;&#58; Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql&#58; Starting connect to MySQL server for #3
rlm_sql &#40;sql&#41;&#58; Connected new DB handle, #3
rlm_sql &#40;sql&#41;&#58; starting 4
rlm_sql &#40;sql&#41;&#58; Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql&#58; Starting connect to MySQL server for #4
rlm_sql &#40;sql&#41;&#58; Connected new DB handle, #4
 Module&#58; Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response &#123;
        attrsfile = "/opt/freeradius/etc/raddb/attrs.accounting_response"
        key = "%&#123;User-Name&#125;"
  &#125;
 Module&#58; Checking session &#123;...&#125; for more modules to load
 Module&#58; Checking post-proxy &#123;...&#125; for more modules to load
 Module&#58; Checking post-auth &#123;...&#125; for more modules to load
 &#125; # modules
&#125; # server
radiusd&#58; #### Opening IP addresses and Ports ####
listen &#123;
        type = "auth"
        ipaddr = *
        port = 0
&#125;
listen &#123;
        type = "acct"
        ipaddr = *
        port = 0
&#125;
listen &#123;
        type = "control"
 listen &#123;
        socket = "/opt/freeradius/var/run/radiusd/radiusd.sock"
 &#125;
&#125;
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /opt/freeradius/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
I tried to connect as a user with a static address in 95.215.
This is what it spat out - how do I cure this?

Code:

rad_recv: Access-Request packet from host 172.16.2.40 port 1645, id=138, length=138
        Framed-Protocol = PPP
        User-Name = "vlad"
        MS-CHAP-Challenge = 0xd1f2fe9c5f4aa1cead2379be8a6ae54f
        MS-CHAP2-Response = 0x01bfdabd0be37c2d5c5efed15c6ce3467d1db70200000029eacf00fc7cc54f1f5b8bf5b5fed79870fa21f98c3ed2f0451366
        NAS-Port-Type = Virtual
        NAS-Port = 140
        Service-Type = Framed-User
        NAS-IP-Address = 172.16.2.40
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "vlad", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for vlad with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> vlad
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 138 to 172.16.2.40 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 138 with timestamp +8
Ready to process requests.
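
Added example for this thread (not code from the original post, FreeRADIUS or UTM5): a small Python triage script that reads a 'radiusd -X' trace like the one above and reports why the request was rejected. The embedded trace is trimmed from the post's log; the module name 'sql' comes from the instantiated module list above, which the authorize group in the trace never calls, so mschap has no Cleartext-Password or NT-Password to verify against.

```python
"""Triage a FreeRADIUS 2.x 'radiusd -X' trace: added example for this thread,
not code from the original post, FreeRADIUS or UTM5. Groups the
'++[module] returns rcode' lines by processing group and explains the reject."""
import re

# Constructed sample: the authorize / MS-CHAP part of the trace posted above,
# trimmed to the lines the checks below look at.
SAMPLE_TRACE = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns ok
++[suffix] returns noop
++[eap] returns noop
++[unix] returns notfound
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
"""

GROUP_RE = re.compile(r"^\+- entering group (\S+) ")
RETURN_RE = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)$")


def group_returns(trace):
    """Map each processing group (authorize, MS-CHAP, REJECT...) to its
    ordered list of (module, return-code) pairs."""
    groups, current = {}, None
    for line in trace.splitlines():
        g = GROUP_RE.match(line)
        if g:
            current = g.group(1)
            groups.setdefault(current, [])
            continue
        m = RETURN_RE.match(line)
        if m and current is not None:
            groups[current].append((m.group(1), m.group(2)))
    return groups


def diagnose(trace, lookup_module="sql"):
    """Return human-readable findings. 'lookup_module' is the module expected
    to supply the known-good password (here the instantiated 'sql' module)."""
    groups = group_returns(trace)
    ran = [mod for mod, _ in groups.get("authorize", [])]
    findings = []
    if lookup_module not in ran:
        findings.append(f"{lookup_module} never ran in authorize; modules that ran: "
                        + ", ".join(ran))
    if 'No "known good" password' in trace:
        findings.append("no known-good password was loaded for the user")
    if "No NT/LM-Password" in trace:
        findings.append("mschap needs Cleartext-Password or NT-Password to verify MS-CHAPv2")
    rejected = [f"{grp}/{mod}" for grp, mods in groups.items()
                for mod, rc in mods if rc == "reject"]
    if rejected:
        findings.append("reject returned by " + ", ".join(rejected))
    return findings
```

Run diagnose(SAMPLE_TRACE) to see the four findings; once sql is listed in the server's authorize section and the trace shows '++[sql] returns ok', the first finding disappears.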
