Freeradius + AD

Проблемы установки, настройки и работы Правильной Операционной Системы

Модератор: terminus

Правила форума
Убедительная просьба юзать теги [cоde] при оформлении листингов.
Сообщения не оформленные должным образом имеют все шансы быть незамеченными.
Аватара пользователя
FoxDW
мл. сержант
Сообщения: 106
Зарегистрирован: 2008-08-04 4:42:43
Откуда: Красноярск
Контактная информация:

Freeradius + AD

Непрочитанное сообщение FoxDW » 2008-08-04 4:47:52

Freebsd 7.0

В логах радиуса

Код: Выделить всё

Error:  rlm_attr_filter: Authorize method will be deprecated.

attrs

DEFAULT
    Service-Type == Framed-User,
    Service-Type == Login-User,
    Login-Service == Telnet,
    Login-Service == Rlogin,
    Login-Service == TCP-Clear,
    Login-TCP-Port <= 65536,
    Framed-IP-Address == 255.255.255.254,
    Framed-IP-Netmask == 255.255.255.255,
    Framed-Protocol == PPP,
    Framed-Protocol == SLIP,
    Framed-Compression == Van-Jacobson-TCP-IP,
    Framed-MTU >= 576,
    Framed-Filter-ID =* ANY,
    Reply-Message =* ANY,
    Proxy-State =* ANY,
    EAP-Message =* ANY,
    State =* ANY,
    Session-Timeout <= 28800,
    Idle-Timeout <= 600,
    Port-Limit <= 2
Ни кто не сталкивался ?

Хостинговая компания Host-Food.ru
Хостинг HostFood.ru
 

Услуги хостинговой компании Host-Food.ru

Хостинг HostFood.ru

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

Аватара пользователя
Alex Keda
стреляли...
Сообщения: 35267
Зарегистрирован: 2004-10-18 14:25:19
Откуда: Made in USSR
Контактная информация:

Re: Freeradius + AD

Непрочитанное сообщение Alex Keda » 2008-08-04 7:58:22

сообщение нормально оформите.
Убей их всех! Бог потом рассортирует...

Гость
проходил мимо

Re: Freeradius + AD

Непрочитанное сообщение Гость » 2008-08-04 8:34:01

radiusd -X

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/users
Config: including file: /usr/local/etc/raddb/eap.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = "root"
main: group = "wheel"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00}--nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = yes
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded attr_filter
attr_filter: attrsfile = "/usr/local/etc/raddb/attrs"
rlm_attr_filter: Authorize method will be deprecated.
Module: Instantiated attr_filter (attr_filter)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded IPPOOL
ippool: session-db = "/usr/local/etc/raddb/db.ippool"
ippool: ip-index = "/usr/local/etc/raddb/db.ipindex"
ippool: range-start = 192.168.200.160 IP address [192.168.200.160]
ippool: range-stop = 192.168.200.170 IP address [192.168.200.170]
ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
ippool: cache-size = 800
ippool: override = no
ippool: maximum-timeout = 0
Module: Instantiated ippool (main_pool)
Module: Loaded radutmp
radutmp: filename = "/var/log/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication 127.0.0.1:1812
Listening on accounting 127.0.0.1:1813
Ready to process requests.


radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = root
group = wheel
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024

bind_address = 127.0.0.1

port = 0


hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = no
}

proxy_requests = no
$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/users

thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

modules {

pap {
encryption_scheme = crypt
}

chap {
authtype = CHAP
}

pam {
pam_auth = radiusd
}

unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}

$INCLUDE ${confdir}/eap.conf

mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth="/usr/local/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00}--nt-response=%{mschap:NT-Response:-00}"

}

preprocess {
huntgroups= ${confdir}/huntgroups
hints= ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = yes
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}

files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}

detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}

detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
}

detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
detailperm = 0600
}

detail pre_proxy_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
detailperm = 0600
}

detail post_proxy_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
detailperm = 0600
}

acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}


radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}

radutmp sradutmp {
filename= ${logdir}/sradutmp
perm = 0644
callerid = "no"
}

attr_filter {
attrsfile = ${confdir}/attrs
}

counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}

always fail {
rcode = fail
}

always reject {
rcode = reject
}

always ok {
rcode = ok
simulcount = 0
mpp = no
}

expr {
}

digest {
}

exec {
wait = yes
input_pairs = request
}

ippool main_pool {
range-start = 192.168.200.160
range-stop = 192.168.200.170
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}

instantiate {
}

authorize {
preprocess
auth_log
attr_filter
mschap
eap
}

authenticate {
Auth-Type PAP {
pap
}

Auth-Type CHAP {
chap
}

Auth-Type MS-CHAP {
mschap
}

pam

eap
}

preacct {
preprocess
acct_unique
files
}

accounting {
detail
main_pool
}

session {
radutmp
}

post-auth {
main_pool
reply_log
}

pre-proxy {
}

post-proxy {
eap
}

eap.conf

eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no

md5 {
}

leap {
}

gtc {
auth_type = PAP
}

mschapv2 {
}

}

clients
localhost passwd
127.0.0.1 passwd

Аватара пользователя
Alex Keda
стреляли...
Сообщения: 35267
Зарегистрирован: 2004-10-18 14:25:19
Откуда: Made in USSR
Контактная информация:

Re: Freeradius + AD

Непрочитанное сообщение Alex Keda » 2008-08-04 9:01:16

lissyara писал(а):сообщение нормально оформите.
Убей их всех! Бог потом рассортирует...

Аватара пользователя
FoxDW
мл. сержант
Сообщения: 106
Зарегистрирован: 2008-08-04 4:42:43
Откуда: Красноярск
Контактная информация:

Re: Freeradius + AD

Непрочитанное сообщение FoxDW » 2008-08-06 6:39:47

При попытки соединения с виндовс машины выдает следующее в дебаг режиме

в логах пишет
Info: Ready to process requests.
Wed Jul 30 17:29:46 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc000006d)): [fox/<no User-Password attribute>] (from client 127.0.0.1 port 0 cli 192.168.2.18)
Wed Jul 30 17:29:47 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc000006d)): [fox/<no User-Password attribute>] (from client 127.0.0.1 port 0)
Wed Jul 30 17:29:50 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc000006d)): [fox/<no User-Password attribute>] (from client 127.0.0.1 port 0)
ntlm_auth авторизация проходит нормально

при запуске Радиуса в логах
Info: Ready to process requests.
Wed Jul 30 17:48:06 2008 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed Jul 30 17:48:06 2008 : Info: Using deprecated clients file. Support for this will go away soon.
Wed Jul 30 17:48:06 2008 : Error: rlm_attr_filter: Authorize method will be deprecated.
Wed Jul 30 17:48:06 2008 : Info: Ready to process requests.
radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1:64677, id=61, length=156
NAS-Identifier = "bsd.eliteautocompany.ru"
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = 2
Framed-Protocol = PPP
User-Name = "fox"
MS-CHAP-Challenge = 0xbb1e6876282c03380389f27802ce5d32
MS-CHAP2-Response = 0x0100ebfe3bdd8df1132dc04d2d164a306a17000000000000000064ba37e3414e3227be413b44f771fef8edbb816220fff353
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/var/log/radacct/127.0.0.1/auth-detail-20080806'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-detail-20080806
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "attr_filter" returns noop for request 1
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module "mschap" returns ok for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 1
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for fox with NT-Password
radius_xlat: '--username=fox'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: bb
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--challenge=266245b55b05420f--nt-response=64ba37e3414e3227be413b44f771fef8edbb816220fff353'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 1
modcall: leaving group MS-CHAP (returns reject) for request 1
auth: Failed to validate the user.
Login incorrect (rlm_mschap: Logon failure (0xc000006d)): [fox/<no User-Password attribute>] (from client 127.0.0.1 port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:64677, id=61, length=156
Sending Access-Reject of id 61 to 127.0.0.1 port 64677
--- Walking the entire request list ---
Cleaning up request 0 ID 181 with timestamp 48991a57
Waking up in 2 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:55794, id=187, length=156
NAS-Identifier = "bsd.eliteautocompany.ru"
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = 2
Framed-Protocol = PPP
User-Name = "fox"
MS-CHAP-Challenge = 0xbb1e6876282c03380389f27802ce5d32
MS-CHAP2-Response = 0x0100ebfe3bdd8df1132dc04d2d164a306a17000000000000000064ba37e3414e3227be413b44f771fef8edbb816220fff353
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat: '/var/log/radacct/127.0.0.1/auth-detail-20080806'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-detail-20080806
modcall[authorize]: module "auth_log" returns ok for request 2
modcall[authorize]: module "attr_filter" returns noop for request 2
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module "mschap" returns ok for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 2
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for fox with NT-Password
radius_xlat: '--username=fox'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: bb
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--challenge=266245b55b05420f--nt-response=64ba37e3414e3227be413b44f771fef8edbb816220fff353'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 2
modcall: leaving group MS-CHAP (returns reject) for request 2
auth: Failed to validate the user.
Login incorrect (rlm_mschap: Logon failure (0xc000006d)): [fox/<no User-Password attribute>] (from client 127.0.0.1 port 0)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 61 with timestamp 48991a59
Sending Access-Reject of id 187 to 127.0.0.1 port 55794
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 187 with timestamp 48991a5d
Вот как то так