+ Responder ao Tópico



  1. Estou implementando um servidor de autenticação Freeradius com lista de usuários em uma _base_ mysql.
    Sempre que tento logar na rede sem fio, mesmo passando usuário e senha corretos o freeradius informa que está apresentando erro no login, conforme log abaixo.

    Alguém já passou por isso?
    Alguma sugestão ?

    Inseri no mysql o usuário teste com senha teste.
    Configurei o AP Dlink DI524 como WPA2(AES) e servidor RADIUS (ip, porta e senha).
    Inseri este AP como cliente freeradius e as solicitações de autenticação estão chegando, porém não autentica.

    Estou utilizando Debian 6.
    Segue o log do freeradius e o arquivo radiusd.conf que estou utilizando.
    Configurei também o /etc/freeradius/sites-enabled/default, descomentando as opções de sql.
    também o sql.conf, onde inseri o ip, usuário e senha do mysql.


    LOG FREERADIUS

    rad_recv: Access-Request packet from host 192.168.254.150 port 65477, id=98, length=159
    User-Name = "teste"
    NAS-Port-Type = Wireless-802.11
    Called-Station-Id = "F0-7D-68-DE-61-36"
    Calling-Station-Id = "00-17-C4-D5-BD-0C"
    NAS-IP-Address = 192.168.254.150
    _frame_d-MTU = 1400
    State = 0xd1a6913dd7ae8861f8697a9f708854fd
    EAP-Message = 0x020800261900170301001b4a99f77f99a0cd35053469923583b0298457602d93943dd80252ff
    Message-Authenticator = 0x66668c3dbffce63e6dde5c47ed540a8f
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "teste", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] EAP packet type response id 8 length 38
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established. Decoding tunneled attributes.
    [peap] Peap state send tlv failure
    [peap] Received EAP-TLV response.
    [peap] The users session was previously rejected: returning reject (again.)
    [peap] *** This means you need to read the PREVIOUS messages in the debug output
    [peap] *** to find out the reason why the user was rejected.
    [peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
    [peap] *** what went wrong, and how to fix the problem.
    [eap] Handler failed in EAP/peap
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    Login incorrect: [teste/] (from client ap port 0 cli 00-17-C4-D5-BD-0C)
    Using Post-Auth-Type Reject
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group REJECT {...}
    [sql] expand: %{User-Name} -> teste
    [sql] sql_set_user escaped user --> 'teste'
    [sql] expand: %{User-Password} ->
    [sql] ... expanding second conditional
    [sql] expand: %{Chap-Password} ->
    [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{replyacket-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'teste', '', 'Access-Reject', '2011-12-30 18:44:58')
    rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'teste', '', 'Access-Reject', '2011-12-30 18:44:58')
    rlm_sql (sql): Reserving sql socket id: 0
    rlm_sql (sql): Released sql socket id: 0
    ++[sql] returns ok
    [attr_filter.access_reject] expand: %{User-Name} -> teste
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 19 for 1 seconds
    Going to the next request
    Waking up in 0.8 seconds.
    Sending delayed reject for request 19
    Sending Access-Reject of id 98 to 192.168.254.150 port 65477
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
    Waking up in 2.9 seconds.
    Cleaning up request 12 ID 91 with timestamp +579
    Waking up in 0.1 seconds.
    Cleaning up request 13 ID 92 with timestamp +579
    Waking up in 0.1 seconds.
    Cleaning up request 14 ID 93 with timestamp +579
    Waking up in 0.1 seconds.
    Cleaning up request 15 ID 94 with timestamp +579
    Cleaning up request 16 ID 95 with timestamp +579
    Waking up in 0.1 seconds.
    Cleaning up request 17 ID 96 with timestamp +580
    Waking up in 0.2 seconds.
    Cleaning up request 18 ID 97 with timestamp +580
    Waking up in 1.0 seconds.
    Cleaning up request 19 ID 98 with timestamp +580
    Ready to process requests.



    RADIUSD.CONF

    prefix = /usr
    exec_prefix = /usr
    sysconfdir = /etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = /var/log/freeradius
    raddbdir = /etc/freeradius
    radacctdir = ${logdir}/radacct

    name = freeradius

    # Location of config and logfiles.
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/${name}

    # Should likely be ${localstatedir}/lib/radiusd
    db_dir = ${raddbdir}

    libdir = /usr/lib/freeradius

    pidfile = ${run_dir}/${name}.pid

    # The server will also try to use "initgroups" to read /etc/groups.
    # It will join all groups where "user" is a member. This can allow
    # for some finer-grained access controls.
    #
    user = freerad
    group = freerad

    # max_request_time: The maximum time (in seconds) to handle a request.
    # Useful range of values: 5 to 120
    #
    max_request_time = 30

    # cleanup_delay: The time to wait (in seconds) before cleaning up
    # a reply which was sent to the NAS.
    #
    # Useful range of values: 2 to 10
    #
    cleanup_delay = 5

    # max_requests: The maximum number of requests which the server keeps
    # track of. This should be 256 multiplied by the number of clients.
    # e.g. With 4 clients, this number should be 1024.
    # Useful range of values: 256 to infinity
    #
    max_requests = 1024

    listen {
    # Type of packets to listen for.
    # Allowed values are:
    # auth listen for authentication packets
    # acct listen for accounting packets
    # proxy IP to use for sending proxied packets
    # detail Read from the detail file. For examples, see
    # raddb/sites-available/copy-acct-to-home-server
    # status listen for Status-Server packets. For examples,
    # see raddb/sites-available/status
    # coa listen for CoA-Request and Disconnect-Request
    # packets. For examples, see the file
    # raddb/sites-available/coa-server
    #
    type = auth

    # IP address on which to listen.
    # Allowed values are:
    # dotted quad (1.2.3.4)
    # hostname (radius.example.com)
    # wildcard (*)
    ipaddr = 192.168.254.13

    # OR, you can use an IPv6 address, but not both
    # at the same time.
    # ipv6addr = :: # any. ::1 == localhost

    # Port on which to listen.
    # Allowed values are:
    # integer port number (1812)
    # 0 means "use /etc/services for the proper port"
    port = 1812

    # interface = eth0

    }

    # This second "listen" section is for listening on the accounting
    # port, too.
    #
    listen {
    ipaddr = *
    # ipv6addr = ::
    port = 0
    type = acct
    # interface = eth0
    # clients = per_socket_clients
    }

    #
    # allowed values: {no, yes}
    #
    hostname_lookups = no

    # Core dumps are a bad thing. This should only be set to 'yes'
    # if you're debugging a problem with the server.
    #
    # allowed values: {no, yes}
    #
    allow_core_dumps = no

    # Regular expressions
    #
    regular_expressions = yes
    extended_expressions = yes

    #
    # Logging section. The various "log_*" configuration items
    # will eventually be moved here.
    #
    log {
    destination = files

    #
    #
    file = ${logdir}/radius.log

    syslog_facility = daemon

    stripped_names = no

    # Log authentication requests to the log file.
    #
    # allowed values: {no, yes}
    #
    auth = yes

    # allowed values: {no, yes}
    #
    auth_badpass = yes
    auth_goodpass = yes


    # msg_goodpass = ""
    # msg_badpass = ""
    }

    # The program to execute to do concurrency checks.
    checkrad = ${sbindir}/checkrad

    # SECURITY CONFIGURATION
    security {
    #
    #
    # Setting this number to 0 means "allow any number of attributes"
    max_attributes = 200

    #
    reject_delay = 1
    #
    # See also raddb/sites-available/status
    #
    status_server = yes
    }

    # PROXY CONFIGURATION
    #
    proxy_requests = yes
    $INCLUDE proxy.conf


    # CLIENTS CONFIGURATION
    #
    # Client configuration is defined in "clients.conf".
    #

    $INCLUDE clients.conf

    # THREAD POOL CONFIGURATION
    #
    #
    thread pool {
    # Number of servers to start initially --- should be a reasonable
    # ballpark figure.
    start_servers = 5

    max_servers = 32

    min_spare_servers = 3
    max_spare_servers = 10

    max_requests_per_server = 0
    }

    # MODULE CONFIGURATION
    #
    modules {
    #
    $INCLUDE ${confdir}/modules/

    $INCLUDE eap.conf

    $INCLUDE sql.conf

    # $INCLUDE sql/mysql/counter.conf

    #
    # IP addresses managed in an SQL table.
    #
    # $INCLUDE sqlippool.conf
    }

    # Instantiation
    #
    instantiate {
    #
    # Allows the execution of external scripts.
    # The entire command line (and output) must fit into 253 bytes.
    #
    # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
    exec

    #
    expr

    #

    # daily
    expiration
    logintime

    #redundant redundant_sql {
    # sql1
    # sql2
    #}
    }

    ######################################################################
    $INCLUDE policy.conf

    ######################################################################
    $INCLUDE sites-enabled/

    http://img.vivaolinux.com.br/comunid.../edit_ico1.png

  2. Ainda não consegui resolver.

    Alguma idéia ?



  3. Ja experimentou remover o modulo EAP ??? comenta ele ai no seu radius.conf... vc precisa de um ok so do modulo do sql não ? ?

  4. O módulo sql é para o freeradius conseguir interagir com a base de dados do mysql, onde estão os usuários e senhas.
    Acho que ainda assim o freeradius utiliza o eap para autenticar também.

    Mais de toda forma eu comentei a linha do módulo eap, com isso o freeradius nem inicia.

    Valeu.. Vou tentar instalar em outra distribuição aqui.



  5. Estava com o mesmo problema e para resolver foi necessário editar o arquivo /etc/freeradius/sites-enabled/inner-tunnel, descomentar a entrada sql e restartar o freeradius.

    Espero que ajude

    [ ] 's






Tópicos Similares

  1. Freeradius - adicionar 3º campo no login
    Por 2fast4youbr no fórum Servidores de Rede
    Respostas: 4
    Último Post: 04-06-2013, 09:41
  2. Respostas: 4
    Último Post: 09-01-2012, 20:49
  3. Somente uma conta não autentica no pop.
    Por juniovitorino no fórum Servidores de Rede
    Respostas: 5
    Último Post: 24-08-2006, 11:20
  4. Socorro!!! pppoe naõ autentica no FreeRadius
    Por pasternak no fórum Redes
    Respostas: 5
    Último Post: 14-08-2006, 11:08
  5. squid nao autentica user terra no speedy...
    Por frugoni no fórum Servidores de Rede
    Respostas: 0
    Último Post: 06-01-2006, 23:32

Visite: BR-Linux ·  VivaOLinux ·  Dicas-L