
A question about FreeRadius, thanks.

火星人 @ 2014-03-04 , reply:0


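I've been playing with FreeRadius lately and have a question for everyone; details below:
Configured FreeRadius on fedora, using users for authentication;
with a system user/password, authentication passes;
after editing users and adding the user test1 to it, authentication fails.
I don't know where the cause lies.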

# radiusd -v
radiusd: FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Jan 24 2009 at 17:21:45
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
#



When authenticating with a system user:
#   radtest test test 127.0.0.1:1812 2001 testing123
Sending Access-Request of id 75 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 2001
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=75, length=20
#
radius -X: started in debug mode with no errors reported; the output is as follows.
rad_recv: Access-Request packet from host 127.0.0.1 port 37646, id=75, length=56
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 2001
+- entering group authorize {...}
++ returns ok
++ returns noop
++ returns noop
No '@' in User-Name = "test", looking up realm NULL
No such realm "NULL"
++ returns noop
No EAP-Message, not doing EAP
++ returns noop
++ returns updated
++ returns noop
++ returns noop
++ returns noop
++ returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
login attempt with password "test"
Using CRYPT encryption.
User authenticated successfully
++ returns ok
+- entering group post-auth {...}
++ returns noop
Sending Access-Accept of id 75 to 127.0.0.1 port 37646
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 75 with timestamp +107
Ready to process requests.

---------------------------------------------------------------------------------------
When authenticating via users:

Added the following to users:
"test1" Auth-Type = Local,Password == "test1"
        Fall-Through = Yes


radius -X: started in debug mode with no errors reported; the output is as follows.

#   radtest test1 test1 127.0.0.1:1812 2001 testing123
Sending Access-Request of id 50 to 127.0.0.1 port 1812
        User-Name = "test1"
        User-Password = "test1"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 2001
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=50, length=20
#

rad_recv: Access-Request packet from host 127.0.0.1 port 52926, id=50, length=57
        User-Name = "test1"
        User-Password = "test1"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 2001
+- entering group authorize {...}
++ returns ok
++ returns noop
++ returns noop
No '@' in User-Name = "test1", looking up realm NULL
No such realm "NULL"
++ returns noop
No EAP-Message, not doing EAP
++ returns noop
++ returns notfound
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
users: Matched entry test1 at line 61
++ returns ok
++ returns noop
++ returns noop
WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++ returns noop
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No "known good" password was configured for the user.
As a result, we cannot authenticate the user.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
     expand: %{User-Name} -> test1
attr_filter: Matched entry DEFAULT at line 11
++ returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 50 to 127.0.0.1 port 52926
Waking up in 4.9 seconds.
Cleaning up request 2 ID 50 with timestamp +418
Ready to process requests.
《Solution》

Reply to post #1 by hjp0021

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=75, length=20
It should be a configuration file problem.
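《Solution》

Reply to post #2 by kns1024wh

I also think it is a configuration problem, but where exactly is the error?

radiusd.conf is the default, with no changes; users only had these two lines added.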
"test1" Auth-Type = Local,Password == "test1"
        Fall-Through = Yes


# grep -v '#' radiusd.conf |  sed '/^$/d'
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${raddbdir}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
        $INCLUDE sql.conf
        $INCLUDE sql/mysql/counter.conf
}
instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/


# grep -v '#' users |  sed '/^$/d'            
"test1" Auth-Type = Local,Password == "test1"
        Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

[ This post was last edited by hjp0021 on 2009-2-5 21:05 ]
《Solution》

Already sorted out; it was a syntax problem in the users file, and after fixing it everything is OK.
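
The thread does not say which line was changed. As an added example (not part of the original posts), this small linter flags the two check items that the server's own WARNING lines in the debug output above complain about: a `Password`/`User-Password` check item and `Auth-Type = Local`. The function name `lint_users` and the `test2` entry are constructed for illustration.

```python
import re

# One check item on the first line of a users entry: Attribute OP value
ITEM = re.compile(r'([A-Za-z][\w-]*)\s*(:=|==|\+=|!=|=)\s*("[^"]*"|[^,\s]+)')

def lint_users(text):
    """Return (line_no, user, message) findings for a FreeRADIUS 2.x users file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        # Entries start in column 0; indented lines are reply items, '#' is a comment.
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        user = parts[0].strip('"')
        checks = parts[1] if len(parts) > 1 else ""
        for attr, op, value in ITEM.findall(checks):
            if attr in ("Password", "User-Password"):
                findings.append((no, user,
                    f"{attr} {op} ... is not a known-good password; "
                    "the server suggests Cleartext-Password (man rlm_pap)"))
            elif attr == "Auth-Type" and value.strip('"') == "Local":
                findings.append((no, user,
                    "the server asks to remove Auth-Type = Local "
                    "and use the PAP or CHAP modules instead"))
    return findings

# Constructed sample: line 1 is the entry from the post; test2 is a constructed
# entry in the form the server's warnings point to.
SAMPLE = '''"test1" Auth-Type = Local,Password == "test1"
        Fall-Through = Yes
test2   Cleartext-Password := "test2"
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
'''

if __name__ == "__main__":
    for no, user, msg in lint_users(SAMPLE):
        print(f"users:{no}: {user}: {msg}")
```
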


http://coctec.com/docs/service/show-post-24662.html