LINUX.ORG.RU

Freeradius + Mikrotik


Here are the RADIUS logs.

        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 15728640
        NAS-Port-Type = Ethernet
        User-Name = "udal1"
        Calling-Station-Id = "1C:AF:F7:70:01:F4"
        Called-Station-Id = "pppoe_vid11"
        NAS-Port-Id = "vlan11"
        MS-CHAP-Challenge = 0x5f878b72711e9404018166138e2841a0
        MS-CHAP2-Response = 0x0100529ad514970adfea296a6256bb672a6b000000000000000096c5da9f3fdd149dcc26ec1428df8856e1a4d051b456d36d
        NAS-Identifier = "kyahulay nas2"
        NAS-IP-Address = 10.90.92.2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] = ok
++[digest] = noop
[suffix] No '@' in User-Name = "udal1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 115
++[files] = ok
[sql]   expand: %{User-Name} -> udal1
[sql] sql_set_user escaped user --> 'udal1'
rlm_sql (sql): Reserving sql socket id: 18
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'udal1'           ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'udal1'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'udal1'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 18
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/default
+group MS-CHAP {
[mschap] Creating challenge hash with username: udal1
[mschap] Client is using MS-CHAPv2 for udal1, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql]   expand: %{User-Name} -> udal1
[sql] sql_set_user escaped user --> 'udal1'
[sql]   expand: %{User-Password} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} ->
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'udal1',                           '',                           'Access-Accept', '2016-09-07 21:47:53')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'udal1',                           '',                           'Access-Accept', '2016-09-07 21:47:53')
rlm_sql (sql): Reserving sql socket id: 17
rlm_sql (sql): Released sql socket id: 17
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 24 to 10.90.92.2 port 50840
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Filter-Id = "25000"
        Mikrotik-Rate-Limit = "25000k"
        MS-CHAP2-Success = 0x01533d32433530414335333737363742324138363934463837364630353941453842303846384135423645
        MS-MPPE-Recv-Key = 0xb78b960fe88c12bb5b213f305bcb131c
        MS-MPPE-Send-Key = 0xbb7fc41553d12a1665c16de0b54a910c
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Finished request 22.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.90.92.2 port 50840, id=24, length=194
Sending duplicate reply to client testclient port 50840 - ID: 24
Sending Access-Accept of id 24 to 10.90.92.2 port 50840
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.90.92.2 port 50840, id=24, length=194
Sending duplicate reply to client testclient port 50840 - ID: 24
Sending Access-Accept of id 24 to 10.90.92.2 port 50840
Waking up in 4.3 seconds.
Cleaning up request 22 ID 24 with timestamp +248
Ready to process requests.

And the MikroTik writes in its logs: user udal1 authentication failed - radius timeout

How do I fix this?

Maybe the reply packets are being dropped by a firewall somewhere?

Pinkbyte ★★★★★ ()
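
The pattern in the log above (Access-Accept sent, then the same request id arriving again and answered with a duplicate reply) can be picked out of FreeRADIUS debug output automatically. This is an added example, not part of the thread; the function name is hypothetical, and the sample lines are copied from the post's log plus one constructed request after the cleanup line.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the debug output in the post, plus one
# constructed request after the cleanup line to show that the id is reusable.
SAMPLE_LOG = """\
Sending Access-Accept of id 24 to 10.90.92.2 port 50840
Finished request 22.
rad_recv: Access-Request packet from host 10.90.92.2 port 50840, id=24, length=194
Sending duplicate reply to client testclient port 50840 - ID: 24
Sending Access-Accept of id 24 to 10.90.92.2 port 50840
rad_recv: Access-Request packet from host 10.90.92.2 port 50840, id=24, length=194
Sending duplicate reply to client testclient port 50840 - ID: 24
Sending Access-Accept of id 24 to 10.90.92.2 port 50840
Cleaning up request 22 ID 24 with timestamp +248
rad_recv: Access-Request packet from host 10.90.92.2 port 50840, id=24, length=194
"""

RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
SENT = re.compile(r"Sending Access-(?:Accept|Reject) of id (\d+) to (\S+) port (\d+)")
CLEAN = re.compile(r"Cleaning up request \d+ ID (\d+)")

def find_retransmits_after_reply(log_text):
    """Count Access-Requests that arrived again after the server had already
    replied to the same (NAS host, source port, RADIUS id)."""
    replied = set()
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if m := SENT.search(line):
            replied.add((m.group(2), int(m.group(3)), int(m.group(1))))
        elif m := RECV.search(line):
            key = (m.group(1), int(m.group(2)), int(m.group(3)))
            if key in replied:
                counts[key] += 1
        elif m := CLEAN.search(line):
            # Request left the server's cache: the same id may now belong to a new request.
            replied = {k for k in replied if k[2] != int(m.group(1))}
    return dict(counts)

if __name__ == "__main__":
    for (host, port, rid), n in find_retransmits_after_reply(SAMPLE_LOG).items():
        print(f"{host}:{port} id={rid}: {n} retransmit(s) after a reply was sent")
```

A non-empty result means the NAS kept retransmitting after the server had answered, so the next check is a packet capture on both the server side and the NAS side to see where the Access-Accept stops.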

Are 10.90.92.2 and the RADIUS server in the same subnet?

vel ★★★★★ ()