Nie jesteś zalogowany.
Jeśli nie posiadasz konta, zarejestruj je już teraz! Pozwoli Ci ono w pełni korzystać z naszego serwisu. Spamerom dziękujemy!
Ogłoszenie
Prosimy o pomoc dla małej Julki — przekaż 1% podatku na Fundacji Dzieciom zdazyć z Pomocą.
Więcej informacji na dug.net.pl/pomagamy/.
#26 2006-11-30 16:20:07
Kamyk_^ - 
Użytkownik
Re: radius z czym to sie je ?
Wiem juz gdzie jest problem ale nie wiem jak go rozwiazac :(
TLS nie dziala na ldapie, tam jest SSL.
Niby ustawilem all w radiusd.confie dla SSL, a nie dla TLS ale nadal to samo :(
Jakies pomysly ?
Pozdrawiam
----------------------------------------------------------------------------------------
Debian BePOWER v. 1.0
Offline
#27 2006-11-30 16:33:43
zlyZwierz - Moderator
#28 2006-11-30 18:33:38
Kamyk_^ - Użytkownik
Re: radius z czym to sie je ?
Nie ... Radius jest na innej maszynie niz ldap.
Dlatego upieram sie nad tym SSL.
Pozdrawiam
----------------------------------------------------------------------------------------
Debian BePOWER v. 1.0
Offline
#29 2006-11-30 18:56:19
zlyZwierz - Moderator
Re: radius z czym to sie je ?
Nie wiem czy googlowałeś , czy nie , znalazłem coś takiego , może bedzie pomocne , ja sam z LDAP nie korzystam , więc w tej materii nic więcej nie zdziałam.
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
http://www.openldap.org/faq/data/cache/185.html
http://www.auug.org.au/saauug/events/2005/meetings/ldap/ssl.html
http://www.gentoo.org/doc/en/ldap-howto.xml
http://home.subnet.at/~max/ldap/
good luck ..
[url=http://www.netfix.pro]www.netfix.pro[/url]
Offline
#30 2006-12-01 08:49:04
Kamyk_^ - Użytkownik
Re: radius z czym to sie je ?
Dzieki za linki ... zaraz bede patrzyl ...
A co do googlowania, to juz jakis czas szukam rozwiazania na googlach :) tyle ze nie moge zmienic SSL na ldapie na TLS i w tym jest caly problem :(
Pozdrawiam
----------------------------------------------------------------------------------------
Debian BePOWER v. 1.0
Offline
#31 2006-12-05 21:33:14
czadman - Bicycle repairman
- czadman
- Bicycle repairman
- Skąd: Wrocław
- Zarejestrowany: 2005-07-08
Re: radius z czym to sie je ?
Czy może ktoś uruchamiał już [url=http://www.freeradius.org/dialupadmin.html]interfejs webowy[/url] do freeradiusa?
[url=http://www.debian.org/][img]http://www.debian.org/logos/openlogo-nd-50.png[/img][/url]
Offline
#32 2006-12-06 08:48:00
Kamyk_^ - Użytkownik
Re: radius z czym to sie je ?
Uruchomilem.
Ale powiem szczerze ze to crap na maksa, beznadzieny wyglad i IMO mala funkcjonalnosc. Wole z reki w plikach zmieniac. No ale moze nie odkrylem jeszcze jego funkcji :P
[url]http://www.pervasive-network.org/SPIP/Installation-de-Freeradius-sur-une[/url]
Tutaj nawet znajduje sie opis jak zainstalowac freeradiusa + dialupadmin.
----------------------------------------------------------------------------------------
Debian BePOWER v. 1.0
Offline
#33 2006-12-06 16:38:20
czadman - Bicycle repairman
- czadman
- Bicycle repairman
- Skąd: Wrocław
- Zarejestrowany: 2005-07-08
Re: radius z czym to sie je ?
Przez monitor nie śmierdzi :), a userów może dodawać jakiś łosiu, który nie ma ochoty poznawać szczegółów technincznych serwera
dzięki, za link
[url=http://www.debian.org/][img]http://www.debian.org/logos/openlogo-nd-50.png[/img][/url]
Offline
#34 2006-12-06 19:40:07
zlyZwierz - Moderator
#35 2006-12-06 19:49:56
czadman - Bicycle repairman
- czadman
- Bicycle repairman
- Skąd: Wrocław
- Zarejestrowany: 2005-07-08
Re: radius z czym to sie je ?
Szit, nie szit, spiąłem to wszytko z serverem ftp i działa. Pisać nie muszę. :]
[url=http://www.debian.org/][img]http://www.debian.org/logos/openlogo-nd-50.png[/img][/url]
Offline
#36 2006-12-06 20:21:44
zlyZwierz - Moderator
#37 2006-12-07 08:42:05
Kamyk_^ - Użytkownik
Re: radius z czym to sie je ?
zlyZwierz: dokladnie mam to samo, wyglad i jego funkcje (dialup) od razu mnie zniechecily ... no ale jak juz mowilem, moze za krotko sie nim bawilem.
Pozdrawiam
----------------------------------------------------------------------------------------
Debian BePOWER v. 1.0
Offline
#38 2006-12-08 01:23:21
bolos_11 - Użytkownik
- bolos_11
- Użytkownik
- Zarejestrowany: 2006-10-30
Re: radius z czym to sie je ?
Zło :) jak zobaczyłem dialupadmin to postanowiłem nigdy go nie używać , tak samo skryptów z inet.ll.pl i wielu innych rzeczy ..[/quote]
skrypty z inet.ll.pl za zajebiste, pod warunkiem, ze ktos nie posiada takiej sieci jak TY(ponad 1000 userow) ... jak sie ma mala siec TO spisuja sie one doskonale !
PS:Kod:
tak sie zastanawiam, jak zrobic w pppoe, podobnie jak w neo, zeby przy podlaczeniu pokazywalo dana predkosc, a nie tak jak teraz, pokazuje predkosc polaczenia taka jak ma karta sieciowa, czyli np: 100mb.
Offline
#39 2006-12-08 13:32:08
zlyZwierz - Moderator
Re: radius z czym to sie je ?
Zło :) jak zobaczyłem dialupadmin to postanowiłem nigdy go nie używać , tak samo skryptów z inet.ll.pl i wielu innych rzeczy ..[/quote]
skrypty z inet.ll.pl za zajebiste, pod warunkiem, ze ktos nie posiada takiej sieci jak TY(ponad 1000 userow) ... jak sie ma mala siec TO spisuja sie one doskonale !
[/quote]
Zrobiłem na nie kupę kiedy miałem ich koło 200 ;)
[url=http://www.netfix.pro]www.netfix.pro[/url]Offline
#40 2006-12-08 21:10:06
BiExi - matka przelozona
Re: radius z czym to sie je ?
Tez prubowalam uzywac tego DialupAdmin ale powiem tak zero funkcjonalnosci normlanie porazka syf jak nic :P
mam takie zadanie lepiej cos samemu klepnac bo przynajmniej czlowiek bedie wiedzial jak to dziala :]
Jak narazie temat PPPoE+freerdius zarzucony z wielu przyczyn wiec wiele wiecej sie nie ede wypowiadac
(Nie ma to jak autoryzowac usera na poziomie modemu :} )
[url=http://dug.net.pl][b]DUG[/b][/url]
Offline
#41 2007-01-05 20:57:29
ukasz - Użytkownik
- ukasz
- Użytkownik
- Skąd: wroclaw
- Zarejestrowany: 2006-06-21
Re: radius z czym to sie je ?
ja teraz szukam jakis docow dla pppoe. wiem ze mozna przekazywac zmienne do skryptow ktore sa odpalane po stronie serwera kiedy ktos sie wdzwoni albo odlaczy.
bede wdzieczny za jakies linki na ten temat
udalo sie komus zespawac tandem pppoe + radius ?
[img]http://wiblo.pl/wilk/userbars/debian_user_black.png[/img]
Offline
#42 2007-01-06 20:27:10
zlyZwierz - Moderator
#43 2007-01-06 22:06:08
bolos_11 - Użytkownik
- bolos_11
- Użytkownik
- Zarejestrowany: 2006-10-30
Re: radius z czym to sie je ?
Mi sie udało.[/quote]
to moze udostepnisz swoje configi?
skoro duzo ludzi ma z tym problem, beda mieli na czym sie wzorowac.
...
[url]http://poptop.sourceforge.net/dox/radius_mysql.html[/url]
Offline
#44 2007-01-08 13:21:26
zlyZwierz - Moderator
Re: radius z czym to sie je ?
Kod:
router ~ # cat /etc/ppp/pppoe-server-options |grep -v "#" plugin radius.so plugin radattr.so debug require-mschap-v2 lcp-echo-interval 10 lcp-echo-failure 2 ms-dns 10.1.1.201
Kod:
router ~ # cat /etc/raddb/radiusd.conf |grep -v "#"
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
listen {
ipaddr = 127.0.0.1
port = 1812
type = auth
}
listen {
ipaddr = 10.1.1.201
port = 1812
type = auth
}
listen {
ipaddr = 10.1.1.201
port = 1645
type = auth
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/sql.conf
$INCLUDE ${confdir}/eap.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime -
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0))
FROM radacct WHERE UserName='%{%k}' AND
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime -
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0))
FROM radacct WHERE UserName='%{%k}' AND
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
}
instantiate {
}
authorize {
sql_default_orinoco
sql_default_cisco
sql_default_zuo_mt
sql_default_tonze
sql_apeki_orinoco
sql_apeki_cisco
sql_apeki_zuo_mt
mschap
}
authenticate {
eap
mschap
}
preacct {
}
accounting {
sql_default_acct
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
Kod:
router ~ # cat /etc/raddb/sql.conf |grep -v "#"
sql sql_default_orinoco {
driver = "rlm_sql_mysql"
server = "localhost"
login = "wifi"
password = "aaa"
radius_db = "wlan_users"
deletestalesessions = yes
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 10
connect_failure_retry_delay = 60
sql_user_name = "%{User-Name}"
sql_set_password = ""
authorize_check_query = "SELECT id, mac as UserName , 'User-Password' as Attribute, '12345678' as Value, '==' as op FROM users WHERE mac = '%{SQL-User-Name}' and active='ON' ORDER by id"
}
sql sql_default_cisco {
driver = "rlm_sql_mysql"
server = "localhost"
login = "wifi"
password = "aaa"
radius_db = "wlan_users"
deletestalesessions = yes
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 10
connect_failure_retry_delay = 60
sql_user_name = "%{User-Name}"
sql_set_password = ""
authorize_check_query = "SELECT id, replace(lower(mac),':','') as UserName , 'User-Password' as Attribute, replace(lower(mac),':','') as Value, '==' as op FROM users WHERE replace(lower(mac),':','') = '%{SQL-User-Name}' and active='ON' ORDER by id"
}
sql sql_default_zuo_mt {
driver = "rlm_sql_mysql"
server = "localhost"
login = "wifi"
password = "aaa"
radius_db = "wlan_users"
deletestalesessions = yes
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 10
connect_failure_retry_delay = 60
sql_user_name = "%{User-Name}"
sql_set_password = ""
authorize_check_query = "SELECT id, mac as UserName , 'User-Password' as Attribute, '' as Value, '==' as op FROM users WHERE mac = '%{SQL-User-Name}' and active='ON' ORDER by id"
}
sql sql_default_tonze {
driver = "rlm_sql_mysql"
server = "localhost"
login = "aaa"
password = "aaa"
radius_db = "radius"
deletestalesessions = yes
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 10
connect_failure_retry_delay = 60
sql_user_name = "%{User-Name}"
sql_set_password = ""
authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
}
sql sql_apeki_orinoco {
driver = "rlm_sql_mysql"
server = "localhost"
login = "wifi"
password = "aaa"
radius_db = "wlan_users"
deletestalesessions = yes
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 10
connect_failure_retry_delay = 60
sql_user_name = "%{User-Name}"
sql_set_password = ""
authorize_check_query = "SELECT id, mac as UserName , 'User-Password' as Attribute, '12345678' as Value, '==' as op FROM apeki WHERE mac = '%{SQL-User-Name}' ORDER by id"
}
sql sql_apeki_cisco {
driver = "rlm_sql_mysql"
server = "localhost"
login = "wifi"
password = "aaa"
radius_db = "wlan_users"
deletestalesessions = yes
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 10
connect_failure_retry_delay = 60
sql_user_name = "%{User-Name}"
sql_set_password = ""
authorize_check_query = "SELECT id, replace(lower(mac),':','') as UserName , 'User-Password' as Attribute, replace(lower(mac),':','') as Value, '==' as op FROM apeki WHERE replace(lower(mac),':','') = '%{SQL-User-Name}' ORDER by id"
}
sql sql_apeki_zuo_mt {
driver = "rlm_sql_mysql"
server = "localhost"
login = "wifi"
password = "aaa"
radius_db = "wlan_users"
deletestalesessions = yes
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 10
connect_failure_retry_delay = 60
sql_user_name = "%{User-Name}"
sql_set_password = ""
authorize_check_query = "SELECT id, lower(mac) as UserName , 'User-Password' as Attribute, '' as Value, '==' as op FROM apeki WHERE lower(mac) = '%{SQL-User-Name}' ORDER by id"
}
sql sql_default_acct {
driver = "rlm_sql_mysql"
server = "localhost"
login = "aaa"
password = "aaa"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
sql_user_name = "%{User-Name}"
accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
accounting_update_query = "UPDATE ${acct_table1}
SET FramedIPAddress = '%{Framed-IP-Address}',
AcctSessionTime = '%{Acct-Session-Time}',
AcctInputOctets = '%{Acct-Input-Octets}',
AcctOutputOctets = '%{Acct-Output-Octets}'
WHERE AcctSessionId = '%{Acct-Session-Id}'
AND UserName = '%{SQL-User-Name}'
AND NASIPAddress= '%{NAS-IP-Address}'"
accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = "INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = '0000-00-00 00:00:00'"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = '0000-00-00 00:00:00'"
}
za czytanie danych dla pppoe z bazy odpowiada sql_default_tonze (nie pytajceie , czemu nie chciało i sie zmienic na cos bardziej intuicyjnego), wyciąga dane z radcheck i radreply
radcheck i radreply wyglądają tak (mysqldump):
Kod:
LOCK TABLES `radcheck` WRITE; /*!40000 ALTER TABLE `radcheck` DISABLE KEYS */; INSERT INTO `radcheck` VALUES (5,'skibwr','Password','==','12345678'), (7,'aaa','User-Password','==','12345678'), (6,'skibwr','Auth-Type','==','EAP'), (9,'aaa','Auth-Type','==','mschap'); /*!40000 ALTER TABLE `radcheck` ENABLE KEYS */; UNLOCK TABLES;
Kod:
LOCK TABLES `radreply` WRITE; /*!40000 ALTER TABLE `radreply` DISABLE KEYS */; INSERT INTO `radreply` VALUES (2,'aaa','Framed-IP-Address','==','192.168.123.123'), (12,'aaa','Framed-Protocol','==','PPP'), (11,'aaa','Service-Type','==','Framed-User'), (7,'aaa','Framed-Routing','==','None'); /*!40000 ALTER TABLE `radreply` ENABLE KEYS */; UNLOCK TABLES;
[url=http://www.netfix.pro]www.netfix.pro[/url]
Offline
#45 2007-01-21 13:49:06
Kamyk_^ - Użytkownik
Re: radius z czym to sie je ?
Witam
Po kilku dniach walki, jakis czas temu udalo mi sie spiac FreeRadiusa z AP Linksys-a + EAP/TLS wraz z certyfikatami :) Ale mam do was jedno pytanie, w jaki sposob teraz skonfigurowac server radiusa, aby nadawal adresy IP zautoryzowanym klientom ? Napewno sie da ale moze ktos z was zna latwy sposob?
zlyZwierz: czy u ciebie w momencie autoryzacji userow/kientow wyskakuje w systemie klienta okno logowania ? Podaje on usera i haslo i dopiero wtedy jest sprawdzany w bazie czy sie zgadza, a nastepnie co sie dzieje ? dostaje ip z dhcp ?
Pozdrawiam
----------------------------------------------------------------------------------------
Debian BePOWER v. 1.0
Offline
#46 2007-01-21 14:04:06
zlyZwierz - Moderator
Re: radius z czym to sie je ?
Tak , zwyczajnie z DHCP.
Jak chcesz mieć adresy IP z RADIUSA to zapodaj PPPoE , albo DHCP + RADIUS (nie bawiłem się).
Ja konfig dla dhcp generuje na podstawie zawartości bazy danych..
//edit
BTW , zadne okienko samo nie wyskakuje :) trzeba to ustawić we właściwościach połączenia , w autoryzacji ..
[url=http://www.netfix.pro]www.netfix.pro[/url]
Offline
#47 2007-01-21 14:10:15
Kamyk_^ - Użytkownik
Re: radius z czym to sie je ?
U mnie akurat ma to dzialac na podstawie autoryzacji uzytkownikow z LDAP-em, czyli user laczy sie do AP, ten z radiusem, ten nastepnie sprawdza w LDAP-ie czy user jest poprawny i haslo tez, i go dopiero wtedy autoryzuje. W tym momencie mam wygenerowane certyfikaty: servera-radius oraz klienta podpisany przez CA i w taki sposob sie autoryzuje. Ale chcialbym zrobic aby wyskakiwalo okienko gdzie bedzie podawane user i haslo, i na podstawie tego radius bedzie sprawdzal w ldapie. Czy wiesz jak to zrobic ? Jak ustawic konfigi ? A no i jak rozwiazales dhcp ? Skoro sprawdza na podstawie wpisow w bazie to gdzie wpisales w radiusie (pewnie w users.conf?) zeby po autoryzacji nadawal ip z poli ?
Pozdrawiam
----------------------------------------------------------------------------------------
Debian BePOWER v. 1.0
Offline
#48 2007-01-21 14:48:59
zlyZwierz - Moderator
Re: radius z czym to sie je ?
PEAP+MS-CHAP-v2
opis uwierzytelniania:
http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx#E3D
konfig:
http://www.tldp.org/HOWTO/8021X-HOWTO/freeradius.html
mój konfig:
Kod:
router ~ # cat /etc/raddb/eap.conf
# -*- text -*-
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# $Id: eap.conf,v 1.4.4.1 2006/01/04 14:29:29 nbk Exp $
#
eap {
default_eap_type = peap
md5 {
}
tls {
private_key_password = haslodocertyfikatu
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
# Trusted Root CA list
CA_file = ${raddbdir}/certs/root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
# check_crl = yes
# check_cert_cn = %{User-Name}
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
Kod:
router ~ # cat /etc/raddb/radiusd.conf
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
#bind_address = *
#port = 0
listen {
ipaddr = 127.0.0.1
port = 1812
type = auth
}
listen {
ipaddr = 10.1.1.201
port = 1812
type = auth
}
listen {
ipaddr = 10.1.1.201
port = 1645
type = auth
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/sql.conf
$INCLUDE ${confdir}/eap.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime -
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0))
FROM radacct WHERE UserName='%{%k}' AND
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime -
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0))
FROM radacct WHERE UserName='%{%k}' AND
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
}
instantiate {
# exec
# expr
}
authorize {
sql_default_orinoco
sql_default_cisco
sql_default_zuo_mt
sql_default_tonze
sql_apeki_orinoco
sql_apeki_cisco
sql_apeki_zuo_mt
mschap
}
authenticate {
# Auth-Type MS-CHAP {
# mschap
# }
eap
mschap
}
preacct {
}
accounting {
sql_default_acct
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
Kod:
<--- kawałek sql.conf
sql sql_default_tonze {
driver = "rlm_sql_mysql"
server = "localhost"
login = "aaa"
password = "aaa"
radius_db = "radius"
deletestalesessions = yes
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 10
connect_failure_retry_delay = 60
sql_user_name = "%{User-Name}"
sql_set_password = ""
authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
#authorize_check_query = "SELECT id, lower(mac) as UserName, 'User-Name' as Attribute, lower(mac) as Value, '==' as op FROM users WHERE lower(mac) = '%{SQL-User-Name}' ORDER by id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
}
Kod:
<----- zawartość bazy mysql> select * from radcheck; +----+----------+---------------+----+----------+ | id | UserName | Attribute | op | Value | +----+----------+---------------+----+----------+ | 5 | skibwr | Password | == | 12345678 | | 7 | aaa | User-Password | == | 12345678 | | 6 | skibwr | Auth-Type | == | EAP | | 9 | aaa | Auth-Type | == | mschap | +----+----------+---------------+----+----------+ 4 rows in set (0.00 sec)
[url=http://www.netfix.pro]www.netfix.pro[/url]
Offline
#49 2007-01-22 11:57:34
Kamyk_^ - Użytkownik
Re: radius z czym to sie je ?
Zrobilem ze w Windowsie pokazuje sie okienko logowania :)
Jednak w momencie przesylania danych z linksysa do radiusa nie jest wysylane haslo :(
Kod:
rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119
User-Name = "rka"
NAS-IP-Address = 192.168.1.245
Called-Station-Id = "001217694588"
Calling-Station-Id = "0014a41e7112"
NAS-Identifier = "001217694588"
NAS-Port = 61
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000801726b61
Message-Authenticator = 0x935d96fb44fccc41767e4667570ff8f2Co powoduje takowy blad, poniewaz ldap nie moze potwierdzic usera bez hasla :(
Kod:
Auth: Login incorrect: [rka/<no User-Password attribute>] (from client linksys port 61 cli 0014a41e7112)
Jak zrobic w EAP zeby haslo bylo przesylane, bez uzycia certyfikatow ?
W momencie gdy uzywam certyfikatow wszystko dziala looz, tak samo jak z innej maszyny odpale radtesta to radtest wysyla do radiusa i usera i haslo, co powoduje ze jest autoryzowany przez ldapa.
Wiesz moze jak zrobic aby eap wysyalal oprcz usera tez haslo ?
----------------------------------------------------------------------------------------
Debian BePOWER v. 1.0
Offline
#50 2007-03-27 11:18:52
ukasz - Użytkownik
- ukasz
- Użytkownik
- Skąd: wroclaw
- Zarejestrowany: 2006-06-21
Re: radius z czym to sie je ?
czy jest konieczne kompilowanie pppoe do radiusa ?
czy radius moze korzystac z sqla dla autoryzacji mschap v2 ?
jsli tak to czy musze pisac adresy ip i hasla w secrets dla pppoe /
[img]http://wiblo.pl/wilk/userbars/debian_user_black.png[/img]
Offline
Informacje debugowania
| Time (s) | Query |
|---|---|
| 0.00008 | SET CHARSET latin2 |
| 0.00004 | SET NAMES latin2 |
| 0.00134 | SELECT u.*, g.*, o.logged FROM punbb_users AS u INNER JOIN punbb_groups AS g ON u.group_id=g.g_id LEFT JOIN punbb_online AS o ON o.ident='3.147.71.175' WHERE u.id=1 |
| 0.00065 | REPLACE INTO punbb_online (user_id, ident, logged) VALUES(1, '3.147.71.175', 1732195888) |
| 0.00042 | SELECT * FROM punbb_online WHERE logged<1732195588 |
| 0.00036 | SELECT topic_id FROM punbb_posts WHERE id=46289 |
| 0.00008 | SELECT id FROM punbb_posts WHERE topic_id=5075 ORDER BY posted |
| 0.00042 | SELECT t.subject, t.closed, t.num_replies, t.sticky, f.id AS forum_id, f.forum_name, f.moderators, fp.post_replies, 0 FROM punbb_topics AS t INNER JOIN punbb_forums AS f ON f.id=t.forum_id LEFT JOIN punbb_forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id=3) WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id=5075 AND t.moved_to IS NULL |
| 0.00006 | SELECT search_for, replace_with FROM punbb_censoring |
| 0.00151 | SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM punbb_posts AS p INNER JOIN punbb_users AS u ON u.id=p.poster_id INNER JOIN punbb_groups AS g ON g.g_id=u.group_id LEFT JOIN punbb_online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id=5075 ORDER BY p.id LIMIT 25,25 |
| 0.00073 | UPDATE punbb_topics SET num_views=num_views+1 WHERE id=5075 |
| Total query time: 0.00569 s | |