[Inclusão Digital] FreeRadius version
Robson F. Ramaldes
robson at netnew.com.br
Thu Mar 8 07:36:52 BRT 2012
Isaac,

Do you have any NAT between the MK and the server?

I have seen cases where Login OK appears and the MK returns "Radius Timeout".

It happened because the packet was sent to IP X and came back from IP Y, so the MK does not accept the packet.

You can check this with Torch.

Regards,
---
Robson F. Ramaldes
Net New Ltda.
On Thu, 8 Mar 2012 06:11:37 -0300, Isaac Sampaio wrote:
> Hi Pedro, to answer your question, there is no firewall configured yet,
> I have just installed everything. The worst part is that I already have
> other PPPoE servers and never had this problem.
>
> Marcelo, I did what you suggested and, at least for me, since I am no
> expert on the subject, I could not identify anything in freeradius; it
> seems to me the problem is in the reception of the data on the MK. I will
> post the output you asked for; maybe someone who understands more than I
> do can find the problem.
>
> rad_recv: Access-Request packet from host 10.0.1.252 port 59064, id=40, length=194
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 33
> NAS-Port-Type = Ethernet
> User-Name = "isaac"
> Calling-Station-Id = "78:44:76:00:30:F8"
> Called-Station-Id = "pppoe-server"
> NAS-Port-Id = "BRIDGE"
> MS-CHAP-Challenge = 0xceecd27bc38b86782fea1cff8b828f75
> MS-CHAP2-Response = 0x0100c3ac459cf91f54d1034002d93d7a972b0000000000000000e265b5340aa4f424cd88740ae9411cef5e861176954a55e3
> NAS-Identifier = "servidor-new"
> NAS-IP-Address = 10.0.1.252
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.0.1.252/auth-detail-20120308
> [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.1.252/auth-detail-20120308
> [auth_log] expand: %t -> Thu Mar 8 05:43:33 2012
> ++[auth_log] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> [suffix] No '@' in User-Name = "isaac", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [sql] expand: %{User-Name} -> isaac
> [sql] sql_set_user escaped user --> 'isaac'
> rlm_sql (sql): Reserving sql socket id: 4
> [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'isaac' ORDER BY id
> [sql] User found in radcheck table
> [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'isaac' ORDER BY id
> [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'isaac' ORDER BY priority
> [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '300k' ORDER BY id
> [sql] User found in group 300k
> [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '300k' ORDER BY id
> rlm_sql (sql): Released sql socket id: 4
> ++[sql] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> # Executing section session from file /etc/freeradius/sites-enabled/default
> +- entering group session {...}
> [radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
> [radutmp] expand: %{User-Name} -> isaac
> ++[radutmp] returns ok
> Login OK: [isaac] (from client servidor-new port 33 cli 78:44:76:00:30:F8)
> # Executing section post-auth from file /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
> [sql] expand: %{User-Name} -> isaac
> [sql] sql_set_user escaped user --> 'isaac'
> [sql] expand: %{User-Password} ->
> [sql] ... expanding second conditional
> [sql] expand: %{Chap-Password} ->
> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'isaac', '', 'Access-Accept', '2012-03-08 05:43:33')
> rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'isaac', '', 'Access-Accept', '2012-03-08 05:43:33')
> rlm_sql (sql): Reserving sql socket id: 3
> rlm_sql (sql): Released sql socket id: 3
> ++[sql] returns ok
> ++[exec] returns noop
> Sending Access-Accept of id 40 to 10.0.1.252 port 59064
> Framed-IP-Address := 10.254.10.100
> Framed-IP-Netmask := 255.255.255.0
> Mikrotik-Rate-Limit := "100k/300k 0/0 0/0 20/20 8 50k/128k"
> Port-Limit := 1
> Framed-Compression := Van-Jacobson-TCP-IP
> Framed-Protocol := PPP
> Service-Type := Framed-User
> Framed-MTU := 1480
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Accounting-Request packet from host 10.0.1.252 port 48283, id=41, length=158
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 33
> NAS-Port-Type = Ethernet
> User-Name = "isaac"
> Calling-Station-Id = "78:44:76:00:30:F8"
> Called-Station-Id = "pppoe-server"
> NAS-Port-Id = "BRIDGE"
> Acct-Session-Id = "81f00016"
> Framed-IP-Address = 10.254.10.100
> Framed-IP-Netmask = 255.255.255.0
> Acct-Authentic = RADIUS
> Event-Timestamp = "Mar 8 2012 05:44:13 BRT"
> Acct-Status-Type = Start
> NAS-Identifier = "servidor-new"
> Acct-Delay-Time = 0
> NAS-IP-Address = 10.0.1.252
> # Executing section preacct from file /etc/freeradius/sites-enabled/default
> +- entering group preacct {...}
> ++[preprocess] returns ok
> [acct_unique] Hashing 'NAS-Port = 33,Client-IP-Address = 10.0.1.252,NAS-IP-Address = 10.0.1.252,Acct-Session-Id = "81f00016",User-Name = "isaac"'
> [acct_unique] Acct-Unique-Session-ID = "d8f9a714fdb84ddf".
> ++[acct_unique] returns ok
> [suffix] No '@' in User-Name = "isaac", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> # Executing section accounting from file /etc/freeradius/sites-enabled/default
> +- entering group accounting {...}
> [detail] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/10.0.1.252/detail-20120308
> [detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.1.252/detail-20120308
> [detail] expand: %t -> Thu Mar 8 05:43:33 2012
> ++[detail] returns ok
> ++[unix] returns ok
> [radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
> [radutmp] expand: %{User-Name} -> isaac
> ++[radutmp] returns ok
> [sql] expand: %{User-Name} -> isaac
> [sql] sql_set_user escaped user --> 'isaac'
> [sql] expand: %{Acct-Delay-Time} -> 0
> [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
> rlm_sql (sql): Reserving sql socket id: 2
> rlm_sql (sql): Released sql socket id: 2
> ++[sql] returns ok
> ++[exec] returns noop
> [attr_filter.accounting_response] expand: %{User-Name} -> isaac
> attr_filter: Matched entry DEFAULT at line 12
> ++[attr_filter.accounting_response] returns updated
> Sending Accounting-Response of id 41 to 10.0.1.252 port 48283
> Finished request 1.
> Cleaning up request 1 ID 41 with timestamp +43
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Accounting-Request packet from host 10.0.1.252 port 40441, id=42, length=206
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 33
> NAS-Port-Type = Ethernet
> User-Name = "isaac"
> Calling-Station-Id = "78:44:76:00:30:F8"
> Called-Station-Id = "pppoe-server"
> NAS-Port-Id = "BRIDGE"
> Acct-Session-Id = "81f00016"
> Framed-IP-Address = 10.254.10.100
> Framed-IP-Netmask = 255.255.255.0
> Acct-Authentic = RADIUS
> Event-Timestamp = "Mar 8 2012 05:44:13 BRT"
> Acct-Session-Time = 0
> Acct-Input-Octets = 0
> Acct-Input-Gigawords = 0
> Acct-Input-Packets = 0
> Acct-Output-Octets = 28
> Acct-Output-Gigawords = 0
> Acct-Output-Packets = 3
> Acct-Status-Type = Stop
> Acct-Terminate-Cause = User-Request
> NAS-Identifier = "servidor-new"
> Acct-Delay-Time = 0
> NAS-IP-Address = 10.0.1.252
> # Executing section preacct from file /etc/freeradius/sites-enabled/default
> +- entering group preacct {...}
> ++[preprocess] returns ok
> [acct_unique] Hashing 'NAS-Port = 33,Client-IP-Address = 10.0.1.252,NAS-IP-Address = 10.0.1.252,Acct-Session-Id = "81f00016",User-Name = "isaac"'
> [acct_unique] Acct-Unique-Session-ID = "d8f9a714fdb84ddf".
> ++[acct_unique] returns ok
> [suffix] No '@' in User-Name = "isaac", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> # Executing section accounting from file /etc/freeradius/sites-enabled/default
> +- entering group accounting {...}
> [detail] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/10.0.1.252/detail-20120308
> [detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.1.252/detail-20120308
> [detail] expand: %t -> Thu Mar 8 05:43:33 2012
> ++[detail] returns ok
> ++[unix] returns ok
> [radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
> [radutmp] expand: %{User-Name} -> isaac
> ++[radutmp] returns ok
> [sql] expand: %{User-Name} -> isaac
> [sql] sql_set_user escaped user --> 'isaac'
> [sql] expand: %{Acct-Input-Gigawords} -> 0
> [sql] expand: %{Acct-Input-Octets} -> 0
> [sql] expand: %{Acct-Output-Gigawords} -> 0
> [sql] expand: %{Acct-Output-Octets} -> 28
> [sql] expand: %{Acct-Delay-Time} -> 0
> [sql] expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', tinputoctets = '%{%{Acct-Input-Gigawords}:-0}' UPDATE radacct SET acctstoptime = '2012-03-08 05:43:33', acctsessiontime = '0', acctinputoctets = '0'
>
>> Isn't there any DROP in the OUTPUT of the radius firewall?
>>
>> Pedro Angones
>>
>> On 07/03/2012, at 22:19, Isaac Sampaio wrote:
>>
>>> Damn!! I have been fighting since 14:00 with one here that will not
>>> work no matter what. The worst part is that it generates no error.
>>> When I put the secrets in the MK, it works, but when I disable them
>>> and it goes to look in FreeRadius, it gives the message below:
>>>
>>> Wed Mar 7 22:09:17 2012 : Auth: Login OK: [usertest] (from client servidor-new port 28 cli 78:44:76:00:30:F8)
>>>
>>> But the connection gives an error and nothing is created on the MK.
>>>
>>> Thanks
>>>
>>> On 7 March 2012 22:12, Alexandre J. Correa - Onda Internet
>>> <alexandre at onda.net.br> wrote:
>>>
>>>> I use it here... works fine!!
>>>>
>>>> On 07/03/2012 21:51, Isaac Sampaio wrote:
>>>>
>>>>> Hello friends, do any of you use freeradius version 2.1.10
>>>>> together with mikrotik? Thanks. Isaac
>>>>
>>>> --
>>>> Regards,
>>>> Alexandre Jeronimo Correa
>>>> Managing Partner
>>>> Onda Internet
>>>> www.onda.net.br
>>>> IPV6 Ready !
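
The failure described at the top of this message (request sent to IP X, reply arriving from IP Y, so the MK discards it and reports "Radius Timeout") can be checked offline against a packet capture. The following is an added example, not part of the original thread; the NAS address, ports and identifiers are taken from the debug log, while the two server addresses and the helper names are assumptions.

```python
import struct

REQUESTS = {1: "Access-Request", 4: "Accounting-Request"}
REPLIES = {2: "Access-Accept", 3: "Access-Reject",
           5: "Accounting-Response", 11: "Access-Challenge"}

def radius_header(payload):
    """Return (code, identifier) of a RADIUS packet, or None if malformed."""
    if len(payload) < 20:                      # fixed header is 20 bytes
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        return None
    return code, ident

def find_mismatched_replies(packets):
    """packets: (src_ip, src_port, dst_ip, dst_port, udp_payload) tuples in
    capture order. Returns replies whose source IP is not the IP the
    matching request was sent to."""
    pending, findings = {}, []
    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        header = radius_header(payload)
        if header is None:
            continue
        code, ident = header
        if code in REQUESTS:
            # Key on the NAS socket and the RADIUS identifier.
            pending[(src_ip, src_port, ident)] = dst_ip
        elif code in REPLIES:
            sent_to = pending.pop((dst_ip, dst_port, ident), None)
            if sent_to is not None and sent_to != src_ip:
                findings.append({"id": ident, "reply": REPLIES[code],
                                 "sent_to": sent_to, "replied_from": src_ip})
    return findings

def _packet(code, ident):
    """Constructed 20-byte RADIUS packet: header plus zeroed authenticator."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed capture. NAS 10.0.1.252, ports and ids are from the debug log;
# server addresses 10.0.1.10 (IP X) and 10.0.1.11 (IP Y) are assumptions.
SAMPLE_CAPTURE = [
    ("10.0.1.252", 59064, "10.0.1.10", 1812, _packet(1, 40)),
    ("10.0.1.11", 1812, "10.0.1.252", 59064, _packet(2, 40)),   # wrong source
    ("10.0.1.252", 48283, "10.0.1.10", 1813, _packet(4, 41)),
    ("10.0.1.10", 1813, "10.0.1.252", 48283, _packet(5, 41)),   # matches
]

if __name__ == "__main__":
    for f in find_mismatched_replies(SAMPLE_CAPTURE):
        print("id=%(id)d %(reply)s sent to %(sent_to)s, "
              "reply came from %(replied_from)s" % f)
```

A finding here is consistent with the pattern Robson describes: FreeRADIUS logs Login OK while the NAS never accepts the reply.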