LINUX.ORG.RU
Forum: Admin

freeradius2 and abills



The client gets dropped with error 691, invalid login/password.

rad_recv: Access-Request packet from host 127.0.0.1 port 39885, id=191, length=132
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test"
        MS-CHAP-Challenge = "o~\253\235z-1\356A\3031\224R\247\324)"
        MS-CHAP2-Response = ")\000[\246\202\211\355\241\370\330\365Z;\362о─\355\030\000\000\000\000\000\000\000\000\363h\205\253|\th\322.^\306\350r\014\361\360\010\327.\324\034\332Io"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
Exec-Program output: User-Password == "123456"
Exec-Program-Wait: value-pairs: User-Password == "123456"
Exec-Program: returned: 0
++[pre_auth] returns ok
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
    users: Matched entry DEFAULT at line 204
++[files] returns ok
  rad_check_password:  Found Auth-Type mschap
auth: type "MSCHAP"
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [test/<via Auth-Type = mschap>] (from client localhost port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
Exec-Program output:
Exec-Program: returned: 0
++[post_auth] returns ok
Delaying reject of request 0 for 1 seconds
Going to the next request
Sending delayed reject for request 0
Sending Access-Reject of id 191 to 127.0.0.1 port 39885
        MS-CHAP-Error = ")E=691 R=1"
Waking up in 3.7 seconds.
Cleaning up request 0 ID 191 with timestamp +5
Ready to process requests.

excerpt from radius.conf

mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
}

excerpt from sites-enabled/abills

authorize { 
  preprocess
  pre_auth 
  mschap 
  files 
} 
...

authenticate {
         Auth-Type MS-CHAP {
                mschap
        }
}

And what is unclear?

+- entering group MS-CHAP 
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. 
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. 
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect 
++[mschap] returns reject 
leave
Reply to: comment from leave

The client doesn't want Cleartext-Password, so the error is in the auth module and the client shouldn't be offered it? How do I fix it, poke around in the authorization module in abills? The client is Windows. I have little experience with radius, give me more specifics.

testuser123 (topic author)
Reply to: comment from leave
+- entering group MS-CHAP
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

It stopped complaining about Cleartext-Password, but still didn't accept the password.
testuser123 (topic author)
Reply to: comment from testuser123
rad_recv: Access-Request packet from host 127.0.0.1 port 39554, id=192, length=132
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test"
        MS-CHAP-Challenge = "\025\372MN\323J\327\346Z\227\003\032x:\302?"
        MS-CHAP2-Response = "g\000\225\034i\005\216sf\211\222\361@\377\003}\266\313\000\000\000\000\000\000\000\000B;\177Jн•\355z\0268щє\354\020T\341\301\276\352\352\237\317T\\"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
Exec-Program output: Cleartext-Password := "123456"
Exec-Program-Wait: value-pairs: Cleartext-Password := "123456"
Exec-Program: returned: 0
++[pre_auth] returns ok
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
    users: Matched entry DEFAULT at line 204
++[files] returns ok
  rad_check_password:  Found Auth-Type mschap
auth: type "MSCHAP"
+- entering group MS-CHAP
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [test/<via Auth-Type = mschap>] (from client localhost port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
Exec-Program output:
Exec-Program: returned: 0
++[post_auth] returns ok
Delaying reject of request 0 for 1 seconds
Going to the next request
Sending delayed reject for request 0
Sending Access-Reject of id 192 to 127.0.0.1 port 39554
        MS-CHAP-Error = "gE=691 R=1"
testuser123 (topic author)
Reply to: comment from leave

radtest works, mschap ruins everything.

radtest testy 123456  127.0.0.1:1812 0 testing123 0 127.0.0.1
Sending Access-Request of id 238 to 127.0.0.1 port 1812
        User-Name = "testy"
        User-Password = "123456"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=238, length=20


_____________

rad_recv: Access-Request packet from host 127.0.0.1 port 42928, id=238, length=63
        User-Name = "testy"
        User-Password = "123456"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Framed-Protocol = PPP
+- entering group authorize
++[preprocess] returns ok
Exec-Program output: Auth-Type := Accept
Exec-Program-Wait: value-pairs: Auth-Type := Accept
Exec-Program: returned: 0
++[pre_auth] returns ok
++[mschap] returns noop
    users: Matched entry DEFAULT at line 204
++[files] returns ok
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [testy/123456] (from client localhost port 0)
Sending Access-Accept of id 238 to 127.0.0.1 port 42928
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 238 with timestamp +3
Ready to process requests.

radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.6
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests  = no
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
        attr_filter attr_filter.accounting_response {
                attrsfile = "/etc/freeradius/attrs.accounting_response"
                key = "%{User-Name}"
        }
radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
}
radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
}
attr_filter {
        attrsfile = ${confdir}/attrs
}
counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
}
always fail {
        rcode = fail
}
always reject {
        rcode = reject
}
always ok {
        rcode = ok
        simulcount = 0
        mpp = no
}
expr {
      }
digest {
       }
exec {
       wait = yes
       input_pairs = request
}
exec echo {
       wait = yes
       program = "/bin/echo %{User-Name}"
       input_pairs = request
       output_pairs = reply
}
unix {
       cache = no
       cache_reload = 600
       radwtmp = ${logdir}/radwtmp
}
preprocess {
       huntgroups = ${confdir}/huntgroups
       hints = ${confdir}/hints
       with_ascend_hack = no
       ascend_channels_per_line = 23
       with_ntdomain_hack = no
       with_specialix_jetstream_hack = no
       with_cisco_vsa_hack = no
}
files {
       usersfile = ${confdir}/users
       acctusersfile = ${confdir}/acct_users
       preproxy_usersfile = ${confdir}/preproxy_users
       compat = no
}
detail {
       detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
       detailperm = 0600
}
mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
}
attr_filter {
       attrsfile = ${confdir}/attrs
}
counter daily {
       filename = ${raddbdir}/db.daily
       key = User-Name
       count-attribute = Acct-Session-Time
       reset = daily
       counter-name = Daily-Session-Time
       check-name = Max-Daily-Session
       allowed-servicetype = Framed-User
       cache-size = 5000
}
abills_preauth
exec abills_preauth {
        program = "/usr/abills/libexec/rauth.pl pre_auth"
        wait = yes
        input_pairs = request
        shell_escape = yes
        output_pairs = config
}
abills_postauth
exec abills_postauth {
        program = "/usr/abills/libexec/rauth.pl post_auth"
        wait = yes
        input_pairs = request
        shell_escape = yes
        output_pairs = config
}
abills_auth
exec abills_auth {
        program = "/usr/abills/libexec/rauth.pl"
        wait = yes
        input_pairs = request
        shell_escape = yes
        output = no
        output_pairs = reply
}
abills_acc
exec abills_acc {
        program = "/usr/abills/libexec/racct.pl"
        wait = yes
        input_pairs = request
        shell_escape = yes
        output = no
        output_pairs = reply
}
exec pre_auth {
        wait = yes
        program = "/usr/abills/libexec/rauth.pl pre_auth"
        input_pairs = request
        output_pairs = config
}
exec post_auth {
        wait = yes
        program = "/usr/abills/libexec/rauth.pl post_auth"
        input_pairs = request
        output_pairs = config
}
}
instantiate {
        exec
        preprocess
        files
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/abills_default

sites-enabled/abills_default

authorize {
        preprocess
        pre_auth
        mschap
        files
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}
preacct {
        preprocess
        abills_acc
}
accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        Post-Auth-Type REJECT {
                 post_auth
        }
}
pre-proxy {
}
post-proxy {
        eap
}

testuser123 (topic author)
Reply to: comment from testuser123

working config

/etc/freeradius/radiusd.conf

modules {
        abills_preauth
        exec abills_preauth {
                program = "/usr/abills/libexec/rauth.pl pre_auth"
                wait = yes
                input_pairs = request
                shell_escape = yes
                #output = no
                output_pairs = config
        }

        abills_postauth
        exec abills_postauth {
                program = "/usr/abills/libexec/rauth.pl post_auth"
                wait = yes
                input_pairs = request
                shell_escape = yes
                #output = no
                output_pairs = config
        }

        abills_auth
        exec abills_auth {
                program = "/usr/abills/libexec/rauth.pl"
                wait = yes
                input_pairs = request
                shell_escape = yes
                output = no
                output_pairs = reply
        }

        abills_acc
        exec abills_acc {
                program = "/usr/abills/libexec/racct.pl"
                wait = yes
                input_pairs = request
                shell_escape = yes
                output = no
                output_pairs = reply
        }

        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
#       $INCLUDE sql.conf
#       $INCLUDE sql/mysql/counter.conf
#       $INCLUDE sql/postgresql/counter.conf
#       $INCLUDE sqlippool.conf
#       $INCLUDE otp.conf
}
cat /etc/freeradius/sites-enabled/default
authorize {
        preprocess
        abills_preauth
        mschap
        eap {
                ok = return
        }
        files
        abills_auth
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
}
preacct {
        preprocess
        abills_acc
}
accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        Post-Auth-Type REJECT {
                abills_postauth
        }
}
pre-proxy {
}
post-proxy {
        eap
}

These are working radius2 configs for abills, maybe with inaccuracies, but they definitely work.

veliarfl
Reply to: working config from veliarfl

This is missing the definitions of

preprocess
detail
unix
radutmp
attr_filter.accounting_response
and, most importantly, mschap. It would be great to get those configs.

testuser123 (topic author)