Debian + FreeRadius

[MarcusMaciel]

Quando voce fez o radtest oq apareceu do lado do freeradius ?

[brunobelas]

ficou assim no debug

[MarcusMaciel]

Como voce pode ver o problema é bem obvio a shared secret esta errada.

Corrige ela que vai resolver.

[brunobelas]

Como Marcus pediu, o client.conf

Código :

# -*- text -*-
##
## clients.conf -- client configuration directives
##
##    $Id$
 
 
#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).
 
 
#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#
 
 
#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client localhost {
    #  Allowed values are:
    #    dotted quad (1.2.3.4)
    #       hostname    (radius.example.com)
    ipaddr = 127.0.0.1
 
 
    #  OR, you can use an IPv6 address, but not both
    #  at the same time.
#    ipv6addr = ::    # any.  ::1 == localhost
 
 
    #
    #  A note on DNS:  We STRONGLY recommend using IP addresses
    #  rather than host names.  Using host names means that the
    #  server will do DNS lookups when it starts, making it
    #  dependent on DNS.  i.e. If anything goes wrong with DNS,
    #  the server won't start!
    #
    #  The server also looks up the IP address from DNS once, and
    #  only once, when it starts.  If the DNS record is later
    #  updated, the server WILL NOT see that update.
    #
 
 
    #  One client definition can be applied to an entire network.
    #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
    #  "netmask = 8"
    #
    #  If not specified, the default netmask is 32 (i.e. /32)
    #
    #  We do NOT recommend using anything other than 32.  There
    #  are usually other, better ways to achieve the same goal.
    #  Using netmasks of other than 32 can cause security issues.
    #
    #  You can specify overlapping networks (127/8 and 127.0/16)
    #  In that case, the smallest possible network will be used
    #  as the "best match" for the client.
    #
    #  Clients can also be defined dynamically at run time, based
    #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
    #  etc.
    #  See raddb/sites-available/dynamic-clients for details.
    #
 
 
#    netmask = 32
 
 
    #
    #  The shared secret use to "encrypt" and "sign" packets between
    #  the NAS and FreeRADIUS.  You MUST change this secret from the
    #  default, otherwise it's not a secret any more!
    #
    #  The secret can be any string, up to 8k characters in length.
    #
    #  Control codes can be entered vi octal encoding,
    #    e.g. "\101\102" == "AB"
    #  Quotation marks can be entered by escaping them,
    #    e.g. "foo\"bar"
    #
    #  A note on security:  The security of the RADIUS protocol
    #  depends COMPLETELY on this secret!  We recommend using a
    #  shared secret that is composed of:
    #
    #    upper case letters
    #    lower case letters
    #    numbers
    #
    #  And is at LEAST 8 characters long, preferably 16 characters in
    #  length.  The secret MUST be random, and should not be words,
    #  phrase, or anything else that is recognizable.
    #
    #  The default secret below is only for testing, and should
    #  not be used in any real environment.
    #
    secret        = testing123
 
 
    #
    #  Old-style clients do not send a Message-Authenticator
    #  in an Access-Request.  RFC 5080 suggests that all clients
    #  SHOULD include it in an Access-Request.  The configuration
    #  item below allows the server to require it.  If a client
    #  is required to include a Message-Authenticator and it does
    #  not, then the packet will be silently discarded.
    #
    #  allowed values: yes, no
    require_message_authenticator = no
 
 
    #
    #  The short name is used as an alias for the fully qualified
    #  domain name, or the IP address.
    #
    #  It is accepted for compatibility with 1.x, but it is no
    #  longer necessary in 2.0
    #
#    shortname    = localhost
 
 
    #
    # the following three fields are optional, but may be used by
    # checkrad.pl for simultaneous use checks
    #
 
 
    #
    # The nastype tells 'checkrad.pl' which NAS-specific method to
    #  use to query the NAS for simultaneous use.
    #
    #  Permitted NAS types are:
    #
    #    cisco
    #    computone
    #    livingston
    #    max40xx
    #    multitech
    #    netserver
    #    pathras
    #    patton
    #    portslave
    #    tc
    #    usrhiper
    #    other        # for all other types
 
 
    #
    nastype     = other    # localhost isn't usually a NAS...
 
 
    #
    #  The following two configurations are for future use.
    #  The 'naspasswd' file is currently used to store the NAS
    #  login name and password, which is used by checkrad.pl
    #  when querying the NAS for simultaneous use.
    #
#    login       = !root
#    password    = someadminpas
 
 
    #
    #  As of 2.0, clients can also be tied to a virtual server.
    #  This is done by setting the "virtual_server" configuration
    #  item, as in the example below.
    #
#    virtual_server = home1
 
 
    #
    #  A pointer to the "home_server_pool" OR a "home_server"
    #  section that contains the CoA configuration for this
    #  client.  For an example of a coa home server or pool,
    #  see raddb/sites-available/originate-coa
#    coa_server = coa
}
 
 
# IPv6 Client
[URL="https://under-linux.org/usertag.php?do=list&action=hash&hash=client"]#client[/URL]  ::1 {
#    secret        = testing123
#    shortname    = localhost
#}
#
# All IPv6 Site-local clients
[URL="https://under-linux.org/usertag.php?do=list&action=hash&hash=client"]#client[/URL]  fe80::/16 {
#    secret        = testing123
#    shortname    = localhost
#}
 
 
[URL="https://under-linux.org/usertag.php?do=list&action=hash&hash=client"]#client[/URL]  some.host.org {
#    secret        = testing123
#    shortname    = localhost
#}
 
 
#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
[URL="https://under-linux.org/usertag.php?do=list&action=hash&hash=client"]#client[/URL]  192.168.0.0/24 {
#    secret        = testing123-1
#    shortname    = private-network-1
#}
#
client  192.168.40.1 {
    secret        = 123456
    shortname    = RB750
}
 
 
 
 
[URL="https://under-linux.org/usertag.php?do=list&action=hash&hash=client"]#client[/URL]  10.10.10.10 {
#    # secret and password are mapped through the "secrets" file.
#    secret      = testing123
#    shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#    nastype     = livingston
#    login       = !root
#    password    = someadminpas
#}
 
 
#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
[URL="https://under-linux.org/usertag.php?do=list&action=hash&hash=client"]#client[/URL] s per_socket_clients {
#    client 192.168.3.4 {
#        secret = testing123
#        }
#}

[brunobelas]

Quando tento logar pelo Hotspot o freeradius fica assim

[brunobelas]

Fiz a modificaçao no client.conf

client 192.168.40.1 {
ipaddr = 192.168.40.1
nastype = other
secret = 123456
shortname = RB750
}


dei ctrl+C
e freeradius -X novamente


tentei logar pelo hotspot

[brunobelas]

freeradius -X


depois que tento logar

[brunobelas]

Tabela do db

[brunobelas]

Mudei Auth-Type para PAP

Código :

 
rad_recv: Access-Request packet from host 192.168.40.1 port 40085, id=24, length=191
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "80:EE:73:1B:CD:CC"
        Called-Station-Id = "hotspot1"
        NAS-Port-Id = "teste"
        User-Name = "teste"
        NAS-Port = 2147483669
        Acct-Session-Id = "80000015"
        Framed-IP-Address = 10.0.5.254
        Mikrotik-Host-IP = 10.0.5.254
        CHAP-Challenge = 0x1a07368e7ad9033c2c3afc83f78eab52
        CHAP-Password = 0x66af1b7658d5787074736308e564e3900b
        Service-Type = Login-User
        WISPr-Logoff-URL = "http://10.0.5.1/logout"
        NAS-Identifier = "jatonet"
        NAS-IP-Address = 192.168.40.1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "teste", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> teste
[sql] sql_set_user escaped user --> 'teste'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'teste'           ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'teste'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'teste'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'bandalarga'           ORDER BY id
[sql] User found in group bandalarga
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'bandalarga'           ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!
++[pap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> teste
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.40.1 port 40085, id=24, length=191
Waiting to send Access-Reject to client RB750 port 40085 - ID: 24
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 192.168.40.1 port 40085, id=24, length=191
Waiting to send Access-Reject to client RB750 port 40085 - ID: 24
Waking up in 0.3 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 24 to 192.168.40.1 port 40085
Waking up in 4.9 seconds.
Cleaning up request 0 ID 24 with timestamp +37
Ready to process requests.

apresentou isso

[oracl3]

me adiciona no skype

[email protected]

[brunobelas]

Intão pessoal o @MarcusMaciel me deu uma grande ajuda, vou postar agora as correçoes que foram feitas.


O tutorial que segui foi esse


http://getlan.blogspot.com.br/2012/0...ao-de-uma.html


as correçoes feitas foram




no client.conf


client 192.168.40.1 {
ipaddr = 192.168.40.1
nastype = other
secret = 123456
shortname = RB750
}




e modifiquei o auth-type no banco de dados


Auth-Type = CHAP

@oracl3 ja add no skype