
freeradius не открывает сессию

 



Запустил freeradius в отладочном режиме с параметром -X:

/usr/sbin/freeradius -X 2>&1 | tee ./rad.log

(0) Received Access-Request Id 229 from 127.0.0.1:32837 to 127.0.0.1:1812 length 57
(0)   User-Name = "bruno"
(0)   User-Password = "boss123"
(0)   Acct-Status-Type = Start
(0)   Framed-IP-Address = 10.11.12.13
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "bruno", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0) sql: EXPAND %{User-Name}
(0) sql:    --> bruno
(0) sql: SQL-User-Name set to 'bruno'
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 178 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 178 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 178 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 178 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 178 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 178 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.23, protocol version 10
rlm_sql (sql): Reserved connection (6)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bruno' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bruno' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   Cleartext-Password := "boss123"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bruno' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bruno' ORDER BY id
(0) sql: User found in radreply table, merging reply items
(0) sql:   Framed-IP-Address = 1.2.3.4
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'bruno' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'bruno' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (6)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.23, protocol version 10
(0)     [sql] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> bruno
(0) sql: SQL-User-Name set to 'bruno'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bruno', 'boss123', 'Access-Accept', '2021-03-18 01:23:57')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bruno', 'boss123', 'Access-Accept', '2021-03-18 01:23:57')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (6)
(0)     [sql] = ok
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = ok
(0) Sent Access-Accept Id 229 from 127.0.0.1:1812 to 127.0.0.1:32837 length 0
(0)   Framed-IP-Address = 1.2.3.4
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 229 with timestamp +178
Ready to process requests

То есть он отвечает OK (Access-Accept), но сессию не открывает. В чём дело?

https://networkradius.com/assets/img/diagram/radius_diagram_acct_3424x2018.png

Ответ на: комментарий от anonymous

Я так понял, что в специальной таблице должны появляться строки, относящиеся к третьей «A» — accounting: время, трафик и всё такое?

Авторы задания просят с помощью radclient пронаблюдать запуск сессий. Возможно ли это?

Ответ на: комментарий от iliyap
root@radius:/home/user# radclient -x -f ./start_packet.rad localhost:1812 auth testing123
Sent Access-Request Id 46 from 0.0.0.0:57907 to 127.0.0.1:1812 length 57
        User-Name = "bruno"
        User-Password = "boss123"
        Acct-Status-Type = Start
        Framed-IP-Address = 10.11.12.13
        Cleartext-Password = "boss123"
Received Access-Accept Id 46 from 127.0.0.1:1812 to 127.0.0.1:57907 length 26
        Framed-IP-Address = 1.2.3.4

Посылаю так.

Ответ на: комментарий от iliyap

О! Прогресс. Смотрю, что ему не так:

Receive - Invalid packet code 4 sent to authentication port from client localhost port 35278
Ready to process requests
Receive - Invalid packet code 4 sent to authentication port from client localhost port 35278
Ready to process requests
Receive - Invalid packet code 4 sent to authentication port from client localhost port 35278
Ready to process requests

Ответ на: комментарий от Shulman

Либо указывай правильный порт 1813 для Accounting-Request запросов, либо не указывай порт вообще. radclient и так по умолчанию шлёт Access-Request на порт 1812, а Accounting-Request на порт 1813.

Ответ на: комментарий от iliyap
Ready to process requests
(1) Received Accounting-Request Id 84 from 127.0.0.1:48128 to 127.0.0.1:1813 length 57
(1)   User-Name = "bruno"
(1)   User-Password = ">\267\345$\006\302`-Td\332s\303ܱ\024"
(1)   Acct-Status-Type = Start
(1)   Framed-IP-Address = 10.11.12.13
(1) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(1)   preacct {
(1)     [preprocess] = ok
(1)     policy acct_unique {
(1)       update request {
(1)         &Tmp-String-9 := "ai:"
(1)       } # update request = noop
(1)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&       ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(1)       EXPAND %{hex:&Class}
(1)          -->
(1)       EXPAND ^%{hex:&Tmp-String-9}
(1)          --> ^61693a
(1)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&       ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(1)       else {
(1)         update request {
(1)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1)              --> 36d3de4891d285a42134e5fbb6127a14
(1)           &Acct-Unique-Session-Id := 36d3de4891d285a42134e5fbb6127a14
(1)         } # update request = noop
(1)       } # else = noop
(1)     } # policy acct_unique = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "bruno", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1)     [files] = noop
(1)   } # preacct = ok
(1) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(1)   accounting {
(1) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail:    --> /var/log/freeradius/radacct/127.0.0.1/detail-20210318
(1) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20210318
(1) detail: EXPAND %t
(1) detail:    --> Thu Mar 18 06:59:06 2021
(1)     [detail] = ok
(1)     [unix] = ok
(1) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(1) sql:    --> type.start.query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(1) sql: EXPAND %{User-Name}
(1) sql:    --> bruno
(1) sql: SQL-User-Name set to 'bruno'
(1) sql: EXPAND INSERT INTO radacct (acctsessionid,             acctuniqueid,           username, realm,                        nasipaddress,           nasportid, nasporttype,         acctstarttime,               acctupdatetime, acctstoptime,           acctsessiontime,        acctauthentic, connectinfo_start,       connectinfo_stop,       acctinputoctets, acctoutputoctets,  calledstationid,         callingstationid, acctterminatecause,   servicetype,            framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(1) sql:    --> INSERT INTO radacct (acctsessionid,             acctuniqueid,           username, realm,                        nasipaddress,           nasportid, nasporttype,         acctstarttime,               acctupdatetime, acctstoptime,           acctsessiontime,        acctauthentic, connectinfo_start,       connectinfo_stop,       acctinputoctets, acctoutputoctets,  calledstationid,         callingstationid, acctterminatecause,   servicetype,            framedprotocol, framedipaddress) VALUES ('', '36d3de4891d285a42134e5fbb6127a14', 'bruno', '', '127.0.0.1', '', '', FROM_UNIXTIME(1616065146), FROM_UNIXTIME(1616065146), NULL, '0', '', '', '', '0', '0', '', '', '', '', '', '10.11.12.13')
(1) sql: Executing query: INSERT INTO radacct (acctsessionid,           acctuniqueid,           username, realm,                        nasipaddress,           nasportid, nasporttype,     acctstarttime,           acctupdatetime, acctstoptime,           acctsessiontime,        acctauthentic, connectinfo_start,       connectinfo_stop,       acctinputoctets, acctoutputoctets,  calledstationid,         callingstationid, acctterminatecause,   servicetype,            framedprotocol, framedipaddress) VALUES ('', '36d3de4891d285a42134e5fbb6127a14', 'bruno', '', '127.0.0.1', '', '', FROM_UNIXTIME(1616065146), FROM_UNIXTIME(1616065146), NULL, '0', '', '', '', '0', '0', '', '', '', '', '', '10.11.12.13')
(1) sql: ERROR: rlm_sql_mysql: ERROR 1054 (Unknown column 'acctupdatetime' in 'field list'): 42S22
(1) sql: SQL query returned: server error
rlm_sql (sql): Released connection (2)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.23, protocol version 10
(1)     [sql] = fail
(1)   } # accounting = fail
(1) Not sending reply to client.
(1) Finished request
(1) Cleaning up request packet ID 84 with timestamp +12
Ready to process requests

(1) sql: ERROR: rlm_sql_mysql: ERROR 1054 (Unknown column 'acctupdatetime' in 'field list'): 42S22

А откуда это может взяться?
