Problems encountered while configuring FreeRADIUS

1. Set up following the official documentation, but authentication fails. The server debug output is:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54488, id=39, length=77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0xb47f65635d266c403fe803e56f9d47f3
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] 	expand: %{User-Name} -> testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 39 to 127.0.0.1 port 54488
Waking up in 4.9 seconds.
Cleaning up request 0 ID 39 with timestamp +43
Ready to process requests.

Looking at the output above, the highlighted line ([pap] WARNING! No "known good" password found for the user) looks like the key to the problem: no password was found for this user. Users and passwords are stored in /usr/local/etc/raddb/users, so that file is probably where the problem is.

Read that file's documentation, ../doc/processing_users_file.

The problem was solved later:

Delete all the raddb files under /etc and reinstall; that fixes it.

Cause:

Leftover files from the previous installation were interfering.

The server log for a successful authentication:

rad_recv: Access-Request packet from host 127.0.0.1 port 34207, id=96, length=77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0xf83323b295800691a21dc45e81ef57ee
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry testing at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 96 to 127.0.0.1 port 34207
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 96 with timestamp +20
Ready to process requests.


2. After configuring SQL, the following error appears:

Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
/usr/local/etc/raddb/sites-enabled/default[177]: Failed to find "sql" in the "modules" section.
/usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.

Cause: mysql-devel was not installed.

Fix: install mysql-devel before compiling:

sudo apt-get install libmysqld-dev


3. After putting a switch in front as the NAS, the SQL module cannot authenticate, but the usernames and passwords in the users file still can.

Check the debug log for the error:

[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: lz
[mschap] Client is using MS-CHAPv2 for lz, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel

The highlighted lines ([mschap] No Cleartext-Password configured ... and FAILED: No NT/LM-Password) are where the problem shows up. The sql module is probably not enabled in inner-tunnel, so the password cannot be read from SQL. After removing it, authentication succeeded.
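Both failures in this post (problem 1's "No known good password" with no Auth-Type, and this problem's missing NT-Password in the inner tunnel) can be spotted mechanically in radiusd -X output. The following Python script is an added example, not code from this post or from FreeRADIUS: it splits a debug transcript into requests and summarizes each one, mapping the failure signatures seen above to what to check. The embedded sample transcript is a constructed condensation of the post's logs; the request header for the MS-CHAPv2 case (host 192.0.2.10, id=7) is invented, since the post's snippet did not include one.

```python
"""Triage helper for FreeRADIUS 2.x `radiusd -X` debug output.

Added example, not part of the original post or of FreeRADIUS. It splits a
transcript into requests at each `rad_recv:` line and reports, per request,
the User-Name, each module result other than noop, the final reply, and the
failure signatures seen in the post's logs with what to check for each.
"""
import re
from dataclasses import dataclass, field

RE_RECV = re.compile(r"rad_recv:\s+Access-Request packet from host (\S+) port (\d+), id=(\d+)")
RE_USER = re.compile(r'^User-Name = "([^"]*)"')
RE_MODULE = re.compile(r"\+\+\[([\w.]+)\]\s*=\s*(\w+)")
RE_SEND = re.compile(r"Sending\s+(Access-Accept|Access-Reject) of id (\d+)")

# Known failure signatures -> what to check.
REASONS = [
    (re.compile(r'No "known good" password'),
     "no known-good password: no users/sql entry matched; check the users file "
     "or the sql module in the authorize section"),
    (re.compile(r"No authenticate method \(Auth-Type\) found"),
     "no Auth-Type: nothing in authorize supplied a password or an Auth-Type"),
    (re.compile(r"No Cleartext-Password configured|No NT/LM-Password"),
     "MS-CHAPv2 needs a Cleartext-Password or NT-Password: the inner-tunnel "
     "authorize section did not supply one (enable files/sql there)"),
]


@dataclass
class RequestSummary:
    request_id: str
    source: str  # "host:port" of the NAS
    user: str = ""
    module_results: dict = field(default_factory=dict)  # module -> last non-noop result
    outcome: str = "no reply seen"
    reasons: list = field(default_factory=list)


def triage(debug_text):
    """Parse a radiusd -X transcript into a list of RequestSummary."""
    summaries, current = [], None
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = RE_RECV.search(line)
        if m:
            current = RequestSummary(m.group(3), f"{m.group(1)}:{m.group(2)}")
            summaries.append(current)
            continue
        if current is None:  # startup lines before the first request
            continue
        if (m := RE_USER.match(line)):
            current.user = m.group(1)
        elif (m := RE_MODULE.search(line)) and m.group(2) != "noop":
            current.module_results[m.group(1)] = m.group(2)  # last non-noop result wins
        elif (m := RE_SEND.search(line)):
            current.outcome = m.group(1)
        for pattern, why in REASONS:
            if pattern.search(line) and why not in current.reasons:
                current.reasons.append(why)
    return summaries


def format_report(summaries):
    """One line per request plus one indented 'reason:' line per failure signature."""
    out = []
    for s in summaries:
        mods = ", ".join(f"{k}={v}" for k, v in s.module_results.items()) or "-"
        out.append(f"id={s.request_id} from {s.source} user={s.user!r}: {s.outcome}; modules: {mods}")
        out.extend(f"    reason: {why}" for why in s.reasons)
    return "\n".join(out)


# Constructed sample: condensed from the post's logs (ids 39 and 96 are the
# post's; the id=7 request header from 192.0.2.10 is invented for the MS-CHAPv2 case).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 54488, id=39, length=77
        User-Name = "testing"
++[preprocess] = ok
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
++[attr_filter.access_reject] = updated
Sending Access-Reject of id 39 to 127.0.0.1 port 54488
rad_recv: Access-Request packet from host 127.0.0.1 port 34207, id=96, length=77
        User-Name = "testing"
++[preprocess] = ok
[files] users: Matched entry testing at line 1
++[files] = ok
++[pap] = updated
++[pap] = ok
Sending Access-Accept of id 96 to 127.0.0.1 port 34207
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=7, length=200
        User-Name = "lz"
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] = reject
++[eap] = reject
Sending Access-Reject of id 7 to 192.0.2.10 port 1645
"""

if __name__ == "__main__":
    print(format_report(triage(SAMPLE_DEBUG)))
```

Feed it a real transcript with `triage(open("radiusd-X.log").read())`; a request whose report line ends in Access-Reject with no "reason:" line is a failure the table does not know yet and should be read by hand.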

4. daloRADIUS cannot read the FreeRADIUS log

The problem:

Notice: Use of undefined constant SCRIPT_NAME - assumed 'SCRIPT_NAME' in /var/www/daloradius/library/exten-radius_log.php on line 45

error reading log file:

looked for log file in '/var/log/freeradius/radius.log, /usr/local/var/log/radius/radius.log, /var/log/radius/radius.log' but couldn't find it.
if you know where your freeradius log file is located, set it's location in /daloradius/rep-logs-radius.php

The problem is permissions, and not just the permissions of the file itself: one of the directories on the path to those three files lacks the x (execute/search) bit. Adding it fixes the problem, for example chmod a+x /usr/local/var/log/radius.
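To check that diagnosis mechanically rather than by trial and error, the following Python script is an added example, not from this post or from daloRADIUS: it walks every directory on the path to the log and reports which one lacks the search bit for "other" users, the bit that chmod a+x grants. The three candidate paths are the ones quoted in the error message above; the temporary directory tree the demo builds is constructed to reproduce the failure.

```python
"""Why can't daloRADIUS (running as the web server user) open the FreeRADIUS log?

Added example, not part of the original post or of daloRADIUS. It mirrors
the diagnosis in the post: every directory on the path needs the execute
(search) bit for the reader, and the file itself needs the read bit. It
checks the mode bits of the "other" class, which is what `chmod a+x`
grants, so the result does not depend on which user runs the check.
"""
import os
import stat
import tempfile

# The three locations quoted in daloRADIUS's error message in the post.
CANDIDATE_LOGS = [
    "/var/log/freeradius/radius.log",
    "/usr/local/var/log/radius/radius.log",
    "/var/log/radius/radius.log",
]


def find_log(candidates=CANDIDATE_LOGS):
    """Return the first candidate path that exists, or None."""
    for path in candidates:
        if os.path.exists(path):
            return path
    return None


def ancestors(path, start=None):
    """Directories from the root (or from `start`) down to the file's parent."""
    dirs = []
    cur = os.path.dirname(os.path.abspath(path))
    while True:
        dirs.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    dirs.reverse()
    if start is not None:
        start = os.path.abspath(start)
        dirs = [d for d in dirs if d == start or d.startswith(start + os.sep)]
    return dirs


def diagnose(path, start=None):
    """List what blocks an 'other' user from reading `path`; [] means readable."""
    problems = []
    for d in ancestors(path, start):
        try:
            mode = os.stat(d).st_mode
        except FileNotFoundError:
            return problems + [f"{d}: directory does not exist"]
        if not mode & stat.S_IXOTH:
            problems.append(f"{d}: no search (x) bit for others; fix: chmod a+x {d}")
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return problems + [f"{path}: log file does not exist"]
    if not mode & stat.S_IROTH:
        problems.append(f"{path}: not readable by others; grant the web server user "
                        "read access (e.g. via group ownership) rather than making it world-readable")
    return problems


def build_demo_tree():
    """Constructed fixture reproducing the post's failure: the log file itself is
    readable, but its directory is mode 0700, so the path cannot be searched."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    log_dir = os.path.join(base, "var", "log", "radius")
    os.makedirs(log_dir)
    for d in (os.path.join(base, "var"), os.path.join(base, "var", "log")):
        os.chmod(d, 0o755)
    log = os.path.join(log_dir, "radius.log")
    with open(log, "w") as fh:
        fh.write("Mon Jan  6 21:30:00 2014 : Info : Ready to process requests.\n")  # constructed line
    os.chmod(log, 0o644)
    os.chmod(log_dir, 0o700)
    return base, log


def demo():
    """Run the check before and after the post's fix (chmod a+x on the log directory)."""
    base, log = build_demo_tree()
    before = diagnose(log, start=base)
    os.chmod(os.path.dirname(log), 0o755)
    after = diagnose(log, start=base)
    return before, after


if __name__ == "__main__":
    real = find_log()
    print("real log:", real, diagnose(real) if real else "(none of the candidate paths exist)")
    before, after = demo()
    print("demo before fix:", before)
    print("demo after fix:", after)
```

On a real host run it as any user: the check reads mode bits rather than calling access(), so it gives the same answer whether run as root or as the web server user, and it names the exact directory to chmod instead of forcing a guess among the three paths.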

posted @ 2014-01-06 21:30  the wind's words