I already know where the problem is, but I don't know how to solve it :(
TLS doesn't work on the LDAP side; it has SSL there.
I supposedly set everything in radiusd.conf for SSL rather than for TLS, but it's still the same :(
Any ideas?
Regards
No ... RADIUS is on a different machine than LDAP.
That's why I'm insisting on SSL.
Regards
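A quick way to tell which of the two the LDAP server actually offers, added here as an example and not something anyone in the thread ran: "SSL" in the sense used above normally means ldaps, a TLS handshake from the first byte on port 636, while what an LDAP server calls "TLS" is usually StartTLS, a plain LDAP session on port 389 upgraded with the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511). A RADIUS server on another host can use either, but it has to be told which one; the option names for that in rlm_ldap differ between FreeRADIUS versions, so check the module documentation for the version in use. The script below probes both mechanisms. The host name is an assumption, the BER framing is hand-built so no LDAP library is needed, and the ldaps probe deliberately skips certificate verification because it is a diagnostic, not how the production module should be configured.

```python
"""Probe an LDAP server for ldaps (TLS on 636) and StartTLS (extended op on 389).

Added example for this thread, not code from any of the posters. The host name
is an assumption; the BER framing follows RFC 4511 (LDAPMessage, ExtendedRequest,
ExtendedResponse).
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    request_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    extended_req = b"\x77" + ber_len(len(request_name)) + request_name
    message_id = b"\x02\x01" + bytes([msg_id])
    body = message_id + extended_req
    return b"\x30" + ber_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(data: bytes):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse (tag 0x78)."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)          # messageID
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(resp, 0)      # resultCode ENUMERATED (0 = success)
    _, _, pos = read_tlv(resp, pos)       # matchedDN
    _, diag, _ = read_tlv(resp, pos)      # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def probe_ldaps(host: str, port: int = 636, timeout: float = 5) -> bool:
    """True if a TLS handshake on the ldaps port succeeds. Diagnostic only: no cert check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


def probe_starttls(host: str, port: int = 389, timeout: float = 5):
    """Send the StartTLS extended request on the plain port; 0 means the server accepts it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_starttls_request())
        data = s.recv(4096)
    return parse_starttls_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"  # assumed host
    print("ldaps://%s:636 handshake ok:" % host, probe_ldaps(host))
    print("StartTLS on %s:389 -> (resultCode, diag):" % host, probe_starttls(host))
```

A server that only does ldaps will accept the handshake on 636 and answer the StartTLS request on 389 with a non-zero resultCode (often 2, protocolError) or close the socket; a server that only does StartTLS does the opposite. Whichever one succeeds is the mode the RADIUS host's LDAP module has to be configured for.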
I don't know whether you've googled or not; I found these, maybe they'll be helpful. I don't use LDAP myself, so I can't do anything more in this area.
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
http://www.openldap.org/faq/data/cache/185.html
http://www.auug.org.au/saauug/events/2005/meetings/ldap/ssl.html
http://www.gentoo.org/doc/en/ldap-howto.xml
http://home.subnet.at/~max/ldap/
good luck ..
Thanks for the links ... I'll look at them in a moment ...
As for googling, I've been searching Google for a solution for a while now :) except that I can't change SSL to TLS on the LDAP side, and that's the whole problem :(
Regards
Has anyone already set up the [url=http://www.freeradius.org/dialupadmin.html]web interface[/url] for freeradius?
I have.
But honestly, it's total crap: a hopeless look and, IMO, little functionality. I prefer changing things by hand in the files. Then again, maybe I just haven't discovered its features yet :P
[url]http://www.pervasive-network.org/SPIP/Installation-de-Freeradius-sur-une[/url]
There's even a description there of how to install freeradius + dialupadmin.
You can't smell it through the monitor :), and users can be added by some dummy who doesn't feel like learning the server's technical details.
thanks for the link
Crap or not, I wired it all up with an FTP server and it works. I don't even have to write anything. :]
zlyZwierz: exactly the same here; the look and its (dialup) features put me off right away ... but as I said, maybe I just haven't played with it long enough.
Regards
[quote]Evil :) once I saw dialupadmin I decided never to use it, same for the scripts from inet.ll.pl and many other things ..[/quote]
the scripts from inet.ll.pl are awesome, provided you don't have a network like YOURS (over 1000 users) ... if you have a small network, they work perfectly!
PS:
I'm wondering how to make pppoe show the actual speed on connect, like neo does, instead of what it shows now, which is the speed of the network card, e.g. 100mb.
[quote][quote]Evil :) once I saw dialupadmin I decided never to use it, same for the scripts from inet.ll.pl and many other things ..[/quote]
the scripts from inet.ll.pl are awesome, provided you don't have a network like YOURS (over 1000 users) ... if you have a small network, they work perfectly![/quote]
I crapped on them when I had around 200 ;)
[url=http://www.netfix.pro]www.netfix.pro[/url]
I also tried using that DialupAdmin, but I'll put it this way: zero functionality, simply a disaster, pure garbage :P
With a task like this it's better to knock something together yourself, because at least then you know how it works :]
For now the PPPoE + freeradius topic is shelved for a number of reasons, so I won't be saying much more
(Nothing like authorizing the user at the modem level :} )
I'm now looking for some docs on pppoe. I know you can pass variables to the scripts that are run on the server side when someone dials in or disconnects.
I'd be grateful for any links on this
has anyone managed to weld the pppoe + radius tandem together?
[quote]I managed to.[/quote]
then maybe share your configs?
since a lot of people have trouble with this, they'd have something to model theirs on.
...
[url]http://poptop.sourceforge.net/dox/radius_mysql.html[/url]
router ~ # cat /etc/ppp/pppoe-server-options |grep -v "#"
plugin radius.so
plugin radattr.so
debug
require-mschap-v2
lcp-echo-interval 10
lcp-echo-failure 2
ms-dns 10.1.1.201
router ~ # cat /etc/raddb/radiusd.conf |grep -v "#"
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
listen {
    ipaddr = 127.0.0.1
    port = 1812
    type = auth
}
listen {
    ipaddr = 10.1.1.201
    port = 1812
    type = auth
}
listen {
    ipaddr = 10.1.1.201
    port = 1645
    type = auth
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    $INCLUDE ${confdir}/sql.conf
    $INCLUDE ${confdir}/eap.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }
}
instantiate {
}
authorize {
    sql_default_orinoco
    sql_default_cisco
    sql_default_zuo_mt
    sql_default_tonze
    sql_apeki_orinoco
    sql_apeki_cisco
    sql_apeki_zuo_mt
    mschap
}
authenticate {
    eap
    mschap
}
preacct {
}
accounting {
    sql_default_acct
}
session {
    radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
router ~ # cat /etc/raddb/sql.conf |grep -v "#"
sql sql_default_orinoco {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "wifi"
    password = "aaa"
    radius_db = "wlan_users"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 10
    connect_failure_retry_delay = 60
    sql_user_name = "%{User-Name}"
    sql_set_password = ""
    authorize_check_query = "SELECT id, mac as UserName , 'User-Password' as Attribute, '12345678' as Value, '==' as op FROM users WHERE mac = '%{SQL-User-Name}' and active='ON' ORDER by id"
}
sql sql_default_cisco {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "wifi"
    password = "aaa"
    radius_db = "wlan_users"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 10
    connect_failure_retry_delay = 60
    sql_user_name = "%{User-Name}"
    sql_set_password = ""
    authorize_check_query = "SELECT id, replace(lower(mac),':','') as UserName , 'User-Password' as Attribute, replace(lower(mac),':','') as Value, '==' as op FROM users WHERE replace(lower(mac),':','') = '%{SQL-User-Name}' and active='ON' ORDER by id"
}
sql sql_default_zuo_mt {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "wifi"
    password = "aaa"
    radius_db = "wlan_users"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 10
    connect_failure_retry_delay = 60
    sql_user_name = "%{User-Name}"
    sql_set_password = ""
    authorize_check_query = "SELECT id, mac as UserName , 'User-Password' as Attribute, '' as Value, '==' as op FROM users WHERE mac = '%{SQL-User-Name}' and active='ON' ORDER by id"
}
sql sql_default_tonze {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "aaa"
    password = "aaa"
    radius_db = "radius"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 10
    connect_failure_retry_delay = 60
    sql_user_name = "%{User-Name}"
    sql_set_password = ""
    authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
    authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
}
sql sql_apeki_orinoco {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "wifi"
    password = "aaa"
    radius_db = "wlan_users"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 10
    connect_failure_retry_delay = 60
    sql_user_name = "%{User-Name}"
    sql_set_password = ""
    authorize_check_query = "SELECT id, mac as UserName , 'User-Password' as Attribute, '12345678' as Value, '==' as op FROM apeki WHERE mac = '%{SQL-User-Name}' ORDER by id"
}
sql sql_apeki_cisco {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "wifi"
    password = "aaa"
    radius_db = "wlan_users"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 10
    connect_failure_retry_delay = 60
    sql_user_name = "%{User-Name}"
    sql_set_password = ""
    authorize_check_query = "SELECT id, replace(lower(mac),':','') as UserName , 'User-Password' as Attribute, replace(lower(mac),':','') as Value, '==' as op FROM apeki WHERE replace(lower(mac),':','') = '%{SQL-User-Name}' ORDER by id"
}
sql sql_apeki_zuo_mt {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "wifi"
    password = "aaa"
    radius_db = "wlan_users"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 10
    connect_failure_retry_delay = 60
    sql_user_name = "%{User-Name}"
    sql_set_password = ""
    authorize_check_query = "SELECT id, lower(mac) as UserName , 'User-Password' as Attribute, '' as Value, '==' as op FROM apeki WHERE lower(mac) = '%{SQL-User-Name}' ORDER by id"
}
sql sql_default_acct {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "aaa"
    password = "aaa"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    deletestalesessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    connect_failure_retry_delay = 60
    sql_user_name = "%{User-Name}"
    accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
    accounting_update_query = "UPDATE ${acct_table1} SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'"
    accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
    accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
    accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
    accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
    accounting_stop_query_alt = "INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
    simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = '0000-00-00 00:00:00'"
    simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = '0000-00-00 00:00:00'"
}
reading the pppoe data from the database is handled by sql_default_tonze (don't ask; I couldn't be bothered to rename it to something more intuitive); it pulls the data from radcheck and radreply
radcheck and radreply look like this (mysqldump):
LOCK TABLES `radcheck` WRITE;
/*!40000 ALTER TABLE `radcheck` DISABLE KEYS */;
INSERT INTO `radcheck` VALUES
    (5,'skibwr','Password','==','12345678'),
    (7,'aaa','User-Password','==','12345678'),
    (6,'skibwr','Auth-Type','==','EAP'),
    (9,'aaa','Auth-Type','==','mschap');
/*!40000 ALTER TABLE `radcheck` ENABLE KEYS */;
UNLOCK TABLES;
LOCK TABLES `radreply` WRITE;
/*!40000 ALTER TABLE `radreply` DISABLE KEYS */;
INSERT INTO `radreply` VALUES
    (2,'aaa','Framed-IP-Address','==','192.168.123.123'),
    (12,'aaa','Framed-Protocol','==','PPP'),
    (11,'aaa','Service-Type','==','Framed-User'),
    (7,'aaa','Framed-Routing','==','None');
/*!40000 ALTER TABLE `radreply` ENABLE KEYS */;
UNLOCK TABLES;
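The dailycounter and monthlycounter blocks in the radiusd.conf above are the part of this config most worth understanding before copying, because a wrong counter either lets a user exceed the quota or locks them out at midnight. What the query does is easier to see on a handful of rows than in SQL, so here is a Python emulation of it, added as an example and not code from the post. The radacct rows are constructed; only the arithmetic is taken from the posted query. %b is the start of the current period (daily: today's midnight, monthly: the 1st), and the GREATEST(...) term makes a session that straddles the reset point contribute only the part after it. Times are treated as UTC, which is an assumption; the real server uses MySQL's session time zone.

```python
"""Emulate the sqlcounter query from the posted radiusd.conf on constructed radacct rows.

Added example for this thread, not part of the original post. The rows are made up;
the arithmetic mirrors:

  SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0))
  FROM radacct WHERE UserName='%{%k}'
    AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'
"""
from datetime import datetime, timezone


def parse_now(s: str) -> datetime:
    """'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime (UTC is an assumption here)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def unix_ts(s: str) -> int:
    """UNIX_TIMESTAMP() for an AcctStartTime string."""
    return int(parse_now(s).timestamp())


# Constructed radacct rows: (UserName, AcctStartTime, AcctSessionTime in seconds).
RADACCT = [
    ("aaa",    "2006-03-10 23:00:00", 7200),  # 23:00-01:00, straddles midnight
    ("aaa",    "2006-03-11 08:00:00", 1800),  # fully inside 2006-03-11
    ("aaa",    "2006-03-10 10:00:00", 3600),  # ended the day before
    ("skibwr", "2006-03-11 09:00:00",  600),
]


def reset_point(now: datetime, reset: str) -> int:
    """%b: the start of the current period, as a unix timestamp."""
    if reset == "daily":
        start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    elif reset == "monthly":
        start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    else:
        raise ValueError("unsupported reset: %r" % reset)
    return int(start.timestamp())


def counter_query(rows, user: str, b: int) -> int:
    """The SUM(...) of the query, evaluated row by row."""
    total = 0
    for name, start, session_time in rows:
        start_ts = unix_ts(start)
        if name != user or start_ts + session_time <= b:
            continue                                  # WHERE: session ended before %b
        total += session_time - max(b - start_ts, 0)  # GREATEST(%b - start, 0)
    return total


def used_seconds(rows, user: str, now: datetime, reset: str) -> int:
    return counter_query(rows, user, reset_point(now, reset))


def remaining_seconds(rows, user: str, now: datetime, reset: str, max_session: int):
    """The check-item comparison: None when the limit is used up (the module rejects),
    otherwise the remainder, which sqlcounter uses to cap Session-Timeout."""
    used = used_seconds(rows, user, now, reset)
    if used >= max_session:
        return None
    return max_session - used


if __name__ == "__main__":
    now = parse_now("2006-03-11 12:00:00")
    for user in ("aaa", "skibwr"):
        print(user, "daily:", used_seconds(RADACCT, user, now, "daily"),
              "monthly:", used_seconds(RADACCT, user, now, "monthly"),
              "left of 7200 today:", remaining_seconds(RADACCT, user, now, "daily", 7200))
```

For user aaa at noon on 2006-03-11 the daily counter is 5400 s: one hour of the session that started at 23:00 the previous evening plus the 30-minute morning session, with the previous day's session excluded entirely; the monthly counter is all three sessions, 12600 s. Note that the counter only sees closed rows (AcctSessionTime is updated by interim accounting, so a session with no interim updates counts nothing until it stops).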
Hi
After several days of struggle, some time ago I managed to hook FreeRadius up to a Linksys AP + EAP/TLS with certificates :) But I have one question for you: how do I now configure the radius server so that it assigns IP addresses to authorized clients? It's surely possible, but maybe one of you knows an easy way?
zlyZwierz: in your setup, does a login window pop up on the client system at the moment the user/client is authorized? They enter a username and password, only then is it checked against the database, and then what happens? Do they get an IP from DHCP?
Regards
Yes, simply from DHCP.
If you want IP addresses from RADIUS, use PPPoE, or DHCP + RADIUS (haven't played with it).
I generate the dhcp config from the contents of the database..
//edit
BTW, no window pops up by itself :) you have to set that in the connection properties, under authentication ..
In my case it's supposed to work by authorizing users against LDAP, i.e. the user connects to the AP, the AP to radius, which then checks in LDAP whether the user is valid and the password too, and only then authorizes them. At the moment I have generated certificates, for the radius server and for the client, signed by the CA, and that's how authorization works. But I'd like a window to pop up where the username and password are entered, and based on that radius checks in LDAP. Do you know how to do this? How to set up the configs? Oh, and how did you solve DHCP? Since it checks based on the database entries, where in radius did you put it (probably in users.conf?) so that after authorization it assigns an IP from the pool?
Regards
PEAP+MS-CHAP-v2
description of the authentication:
http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx#E3D
config:
http://www.tldp.org/HOWTO/8021X-HOWTO/freeradius.html
my config:
router ~ # cat /etc/raddb/eap.conf
# -*- text -*-
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# $Id: eap.conf,v 1.4.4.1 2006/01/04 14:29:29 nbk Exp $
#
eap {
    default_eap_type = peap
    md5 {
    }
    tls {
        private_key_password = haslodocertyfikatu
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        # Trusted Root CA list
        CA_file = ${raddbdir}/certs/root.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        # check_crl = yes
        # check_cert_cn = %{User-Name}
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
router ~ # cat /etc/raddb/radiusd.conf
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
#bind_address = *
#port = 0
listen {
    ipaddr = 127.0.0.1
    port = 1812
    type = auth
}
listen {
    ipaddr = 10.1.1.201
    port = 1812
    type = auth
}
listen {
    ipaddr = 10.1.1.201
    port = 1645
    type = auth
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    $INCLUDE ${confdir}/sql.conf
    $INCLUDE ${confdir}/eap.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }
}
instantiate {
    # exec
    # expr
}
authorize {
    sql_default_orinoco
    sql_default_cisco
    sql_default_zuo_mt
    sql_default_tonze
    sql_apeki_orinoco
    sql_apeki_cisco
    sql_apeki_zuo_mt
    mschap
}
authenticate {
    # Auth-Type MS-CHAP {
    #     mschap
    # }
    eap
    mschap
}
preacct {
}
accounting {
    sql_default_acct
}
session {
    radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
<--- a piece of sql.conf
sql sql_default_tonze {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "aaa"
    password = "aaa"
    radius_db = "radius"
    deletestalesessions = yes
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 10
    connect_failure_retry_delay = 60
    sql_user_name = "%{User-Name}"
    sql_set_password = ""
    authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
    #authorize_check_query = "SELECT id, lower(mac) as UserName, 'User-Name' as Attribute, lower(mac) as Value, '==' as op FROM users WHERE lower(mac) = '%{SQL-User-Name}' ORDER by id"
    authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
}
<----- contents of the database
mysql> select * from radcheck;
+----+----------+---------------+----+----------+
| id | UserName | Attribute     | op | Value    |
+----+----------+---------------+----+----------+
|  5 | skibwr   | Password      | == | 12345678 |
|  7 | aaa      | User-Password | == | 12345678 |
|  6 | skibwr   | Auth-Type     | == | EAP      |
|  9 | aaa      | Auth-Type     | == | mschap   |
+----+----------+---------------+----+----------+
4 rows in set (0.00 sec)
I got Windows to show the login window :)
But when the data is sent from the linksys to radius, the password is not sent :(
rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119
    User-Name = "rka"
    NAS-IP-Address = 192.168.1.245
    Called-Station-Id = "001217694588"
    Calling-Station-Id = "0014a41e7112"
    NAS-Identifier = "001217694588"
    NAS-Port = 61
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0201000801726b61
    Message-Authenticator = 0x935d96fb44fccc41767e4667570ff8f2
Which causes this error, because ldap can't confirm the user without a password :(
Auth: Login incorrect: [rka/<no User-Password attribute>] (from client linksys port 61 cli 0014a41e7112)
How do I get EAP to send the password, without using certificates?
When I use certificates everything works fine; likewise, when I run radtest from another machine, radtest sends both the user and the password to radius, which results in authorization via ldap.
Do you know how to get eap to send the password along with the user?
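The EAP-Message in the Access-Request above is worth decoding, because it explains the "no User-Password attribute" line without any configuration guesswork. The decoder below is an added example, not from the thread. 0x0201000801726b61 is an EAP-Response/Identity (RFC 3748 section 5.1): code 2, id 1, length 8, type 1, and the identity "rka", which the AP has also copied into User-Name. That is all a supplicant ever puts in the first packet; with EAP the credential is exchanged later inside the EAP method (for the PEAP/MS-CHAPv2 setup in the eap.conf posted earlier, inside the TLS tunnel as MS-CHAPv2 challenge/response), so a User-Password attribute for an LDAP bind never appears on the wire. radtest is different precisely because it sends a PAP request with User-Password. Getting a password into the outer request would mean abandoning EAP, which 802.1X on the AP does not allow; the usual alternative is to let the RADIUS server read a password or NT hash from the directory so it can verify MS-CHAPv2 itself, which is a different LDAP setup from bind-as-user. The hex strings in the script are the one from the post plus constructed ones.

```python
"""Decode the EAP-Message attribute as radiusd prints it (0x... hex).

Added example for this thread, not code from any poster. EAP header and Identity
type per RFC 3748; the type numbers in EAP_TYPES are the IANA assignments.
"""
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 25: "PEAP", 26: "MS-CHAPv2"}


def hex_to_bytes(hexstr: str) -> bytes:
    """Accept '0x0201...' as printed by radiusd, or bare hex."""
    return bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)


def parse_eap(raw: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes, got %d" % len(raw))
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("Length field %d but %d bytes present" % (length, len(raw)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                       # Request/Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        out["type"] = EAP_TYPES.get(raw[4], raw[4])
        out["data"] = raw[5:]
        if raw[4] == 1:                      # Identity: NAI as UTF-8 (RFC 3748 5.1)
            out["identity"] = raw[5:].decode("utf-8", "replace")
    return out


def parse_eap_message_attr(hexstr: str) -> dict:
    return parse_eap(hex_to_bytes(hexstr))


def eap_is_wellformed(hexstr: str) -> bool:
    try:
        parse_eap_message_attr(hexstr)
        return True
    except ValueError:
        return False


def describe(hexstr: str) -> str:
    """One-line summary, e.g. 'EAP-Response/Identity id=1 identity=rka'."""
    p = parse_eap_message_attr(hexstr)
    if "type" not in p:
        return "EAP-%s id=%d" % (p["code"], p["id"])
    s = "EAP-%s/%s id=%d" % (p["code"], p["type"], p["id"])
    if "identity" in p:
        s += " identity=%s" % p["identity"]
    return s


def outer_password_possible(hexstr: str) -> bool:
    """Whether a cleartext password could be in this packet: only non-EAP (PAP)
    requests carry one, so for any EAP packet the answer is False."""
    parse_eap_message_attr(hexstr)
    return False


if __name__ == "__main__":
    FROM_POST = "0x0201000801726b61"           # the packet from the Access-Request above
    CONSTRUCTED = ["0x0101000501",             # EAP-Request/Identity (constructed)
                   "0x02020006031a",           # EAP-Response/Nak asking for type 26 (constructed)
                   "0x03010004"]               # EAP-Success (constructed)
    for h in [FROM_POST] + CONSTRUCTED:
        print(h, "->", describe(h))
```

The id, length and identity check against radiusd's own debug output; for a complete PEAP conversation you would see a series of EAP-Request/PEAP and EAP-Response/PEAP packets after this one, and the MS-CHAPv2 exchange only inside the tunnel.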
is it necessary to compile pppoe against radius?
can radius use sql for mschap v2 authorization?
if so, do I have to put ip addresses and passwords in secrets for pppoe?