Right now several VPN servers are running, with authorization and accounting on Freeradius2. Users are stored in a file, and IP addresses are handed out dynamically from a radius pool. I need to rework the system so that users are stored in a database. I put together a test stand: I set up 1 VPN server on a MikroTik, and on another machine installed FreeBSD, Freeradius2 and MySql5, loaded the tables for storing users, and started the system.
Code:
Module: Linked to module rlm_sql
Module: Instantiating sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "root"
password = ""
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/sqltrace.sql"
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = ""
default_user_profile = ""
nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = ""
authorize_group_check_query = ""
authorize_group_reply_query = ""
accounting_onoff_query = ""
accounting_update_query = ""
accounting_update_query_alt = ""
accounting_start_query = ""
accounting_start_query_alt = ""
accounting_stop_query = ""
accounting_stop_query_alt = ""
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = ""
postauth_query = ""
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to root@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret FROM nas
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=whoiswho
rlm_sql (sql): Adding client 127.0.0.1 (localhost, server=<none>) to clients list
rlm_sql (sql): Read entry nasname=172.16.0.101,shortname=172.16.0.101,secret=whoiswho
rlm_sql (sql): Adding client 172.16.0.101 (172.16.0.101, server=<none>) to clients list
................
................
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
Seems to start without errors.
When a user connects, no connection is established; apparently I have not configured something.
Code:
rad_recv: Access-Request packet from host 112.41.32.124 port 60298, id=6, length=136
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 25
NAS-Port-Type = Virtual
User-Name = "test"
Calling-Station-Id = "172.20.31.254"
Called-Station-Id = "172.16.0.101"
CHAP-Challenge = 0x439f9d2626601ba560bac30f923ffb18
CHAP-Password = 0x01b4cbe946b07ea9b8cb0143f1947be8e8
NAS-Identifier = "MikroTik-124"
NAS-IP-Address = 112.41.32.124
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: ->
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 112.41.32.124 port 60298, id=6, length=136
Waiting to send Access-Reject to client 112.41.32.124 port 60298 - ID: 6
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 112.41.32.124 port 60298, id=6, length=136
Waiting to send Access-Reject to client 112.41.32.124 port 60298 - ID: 6
Waking up in 0.3 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 6 to 112.41.32.124 port 60298
Waking up in 4.9 seconds.
Cleaning up request 0 ID 6 with timestamp +494
Ready to process requests.
Code:
mysql> select * from radcheck;
+----+----------+--------------------+----+---------+
| id | username | attribute | op | value |
+----+----------+--------------------+----+---------+
| 1 | testsql | Cleartext-Password | := | test123 |
| 2 | test | Password | == | test |
+----+----------+--------------------+----+---------+
Code:
mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | groupname | attribute | op | value |
+----+-----------+-----------+----+-------+
| 1 | dynamic | Auth-Type | := | Local |
+----+-----------+-----------+----+-------+
Code:
mysql> select * from nas;
+----+---------------+---------------+---------------+-------+----------+-----------+---------------+
| id | nasname | shortname | type | ports | secret | community | description |
+----+---------------+---------------+---------------+-------+----------+-----------+---------------+
| 1 | 127.0.0.1 | localhost | other | NULL | whoiswho | NULL | RADIUS Client |
| 2 | 172.16.0.101 | 172.16.0.101 | mikrotik_snmp | NULL | whoiswho | NULL | RADIUS Client |
+----+---------------+---------------+---------------+-------+----------+-----------+---------------+
I would like to set the system up so that users are stored in the database and get addresses dynamically from the pool, the same way I have it done in the file.
Something like this:
Code:
vpn-test2 User-Password == "passw2", Simultaneous-Use := 1, Calling-Station-Id == "172.20.24.7", Pool-Name := "private_ip_pool"
Mikrotik-Rate-Limit += "4096k/4096k"
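One way to carry that users-file entry over to the database, as an added example that is not from the original post. Note that in the startup output above every authorize_*_query (and sql_user_name) is empty, which is why rlm_sql logs "Error generating query"; in FreeRADIUS 2 those defaults come from sql/mysql/dialup.conf, which sql.conf pulls in with $INCLUDE. The rows below assume the stock FreeRADIUS 2 MySQL schema (radcheck, radreply) and the shipped dictionary.mikrotik; the username and values mirror the post.

```sql
-- Added example, not from the original post: the vpn-test2 users-file entry
-- expressed as rlm_sql rows. Assumes the stock FreeRADIUS 2 MySQL schema.

-- Check items (returned by authorize_check_query): compared against the
-- request (==) or set as config items (:=). Cleartext-Password replaces the
-- old "User-Password ==" form, and Pool-Name is a config item, so it goes here.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('vpn-test2', 'Cleartext-Password', ':=', 'passw2'),
  ('vpn-test2', 'Simultaneous-Use',   ':=', '1'),
  ('vpn-test2', 'Calling-Station-Id', '==', '172.20.24.7'),
  ('vpn-test2', 'Pool-Name',          ':=', 'private_ip_pool');

-- Reply items (returned by authorize_reply_query): sent in the Access-Accept.
-- Mikrotik-Rate-Limit is defined in the dictionary.mikrotik that ships with
-- FreeRADIUS.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('vpn-test2', 'Mikrotik-Rate-Limit', '+=', '4096k/4096k');

-- Sanity check: everything rlm_sql will load for this user, by list.
SELECT 'check' AS list, attribute, op, value
  FROM radcheck WHERE username = 'vpn-test2'
UNION ALL
SELECT 'reply', attribute, op, value
  FROM radreply WHERE username = 'vpn-test2';
```

Simultaneous-Use only takes effect when simul_count_query and simul_verify_query are populated (again from dialup.conf), and Pool-Name only matters if a pool with that name is configured in the server.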