I have been working with RADIUS recently and ran into some problems, so I am writing this post to ask for help. If you know the cause of the error, please explain it.
System environment: CentOS 5.7 64-bit
IP: 192.168.90.12
VPN client test environment: Windows XP, using the system's built-in VPN dialer
Configuration files not shown below use the default files.
PPTP VPN: just download and install the relevant RPM packages; the steps are omitted.
Relevant configuration files (I am pasting the already-configured files; the usual order is to install pptpd first, then FreeRADIUS, then the RADIUS client, and finally add the RADIUS authentication settings to the pptpd configuration):
[root@radius raddb]# cat /etc/pptpd.conf
option /etc/ppp/options.pptpd
ppp /usr/sbin/pppd
stimeout 10
debug
connections 10
logwtmp
localip 192.168.90.12
remoteip 192.168.90.55-60
[root@radius raddb]# cat /etc/ppp/options.pptpd
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
ms-dns 8.8.8.8
plugin /usr/lib64/pppd/2.4.4/radius.so
radius-config-file /usr/local/radius/etc/radiusclient/radiusclient.conf
Because the VPN accounts are authenticated through RADIUS, no accounts or passwords were added to /etc/ppp/chap-secrets. IP forwarding is also enabled:
[root@radius raddb]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
Install FreeRADIUS:
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
tar zxf freeradius-server-2.1.12.tar.gz
cd freeradius-server-2.1.12
./configure --prefix=/usr/local/radius
make && make install
Update the shared library search path:
echo "/usr/local/radius/lib" >> /etc/ld.so.conf
ldconfig
Add two local test accounts:
[root@radius raddb]# tail -2 /etc/passwd
test001:x:500:500::/home/test001:/bin/bash
test002:x:501:501::/home/test002:/bin/bash
Installing and configuring the FreeRADIUS client:
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.gz
tar -zxf freeradius-client-1.1.6.tar.gz
cd freeradius-client-1.1.6
./configure --prefix=/usr/local/radius
make && make install
Set the shared secret used between the client and the server:
cat >>/usr/local/radius/etc/radiusclient/servers<<EOF
localhost testing123
EOF
Add support for Windows clients dialing in to the VPN:
Copy dictionary.microsoft from the share directory of the extracted client source tree to /usr/local/radius/etc/radiusclient/,
and then:
cat >>/usr/local/radius/etc/radiusclient/dictionary<<EOF
INCLUDE /usr/local/radius/etc/radiusclient/dictionary.sip
INCLUDE /usr/local/radius/etc/radiusclient/dictionary.ascend
INCLUDE /usr/local/radius/etc/radiusclient/dictionary.merit
INCLUDE /usr/local/radius/etc/radiusclient/dictionary.compat
INCLUDE /usr/local/radius/etc/radiusclient/dictionary.microsoft
EOF
Enable PPTP support in the RADIUS client; if these two options are left set, it reports an error:
sed -i 's/radius_deadtime/\#radius_deadtime/g' /usr/local/radius/etc/radiusclient/radiusclient.conf
sed -i 's/bindaddr/\#bindaddr/g' /usr/local/radius/etc/radiusclient/radiusclient.conf
Add the configuration for using local system accounts as the authentication accounts:
cat >> /usr/local/radius/etc/raddb/radiusd.conf<<EOF
user = root
group = root
cache = yes
passwd = /etc/passwd
group = /etc/group
shadow = /etc/shadow
EOF
Firewall configuration:
[root@radius ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Mon May 20 13:03:42 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.90.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.90.12
COMMIT
# Completed on Mon May 20 13:03:42 2013
# Generated by iptables-save v1.3.5 on Mon May 20 13:03:42 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [454:61612]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p gre -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 47 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon May 20 13:03:42 2013
Local test:
[root@radius ~]# /usr/local/radius/bin/radtest test001 test001 localhost 0 testing123
Sending Access-Request of id 154 to 127.0.0.1 port 1812
	User-Name = "test001"
	User-Password = "test001"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=154, length=20
The error when logging in from the VPN client with the test001 account is as follows.
Error log:
rad_recv: Access-Request packet from host 127.0.0.1 port 34472, id=20, length=151
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = "test002"
	MS-CHAP-Challenge = 0x627153d635b6173bfca748bb82e7dd89
	MS-CHAP2-Response = 0x2a00ceba0a3c849afbc92daa5379a01f5413000000000000000013fa684b8a50835eb6732bacad79e3067e810be712bc5b55
	Calling-Station-Id = "192.168.90.128"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
# Executing section authorize from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "test002", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 173
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: test002
[mschap] Client is using MS-CHAPv2 for test002, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test002
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 20 to 127.0.0.1 port 34472
	MS-CHAP-Error = "*E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 1 ID 20 with timestamp +68
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60590, id=21, length=151
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = "test002"
	MS-CHAP-Challenge = 0x7ea1dc9f4a481b3b7f05219a03016612
	MS-CHAP2-Response = 0x1300a93d05dde45307f71bfaf819d9695b890000000000000000753fc0bbd670a0bd44022beaa9dfa5f54fc21a46876b805f
	Calling-Station-Id = "192.168.90.128"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
# Executing section authorize from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "test002", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 173
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: test002
[mschap] Client is using MS-CHAPv2 for test002, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test002
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 21 to 127.0.0.1 port 60590
	MS-CHAP-Error = "\023E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 2 ID 21 with timestamp +133
Ready to process requests.
However, when the account is added to the users file for authentication, the connection works normally:
[root@radius raddb]# tail -1 users
test002 Cleartext-Password := "test002"
Log of a successful authentication with the account from the users file:
May 21 16:46:33 radius pptpd[13091]: CTRL: Client 192.168.90.128 control connection started
May 21 16:46:33 radius pptpd[13091]: CTRL: Starting call (launching pppd, opening GRE)
May 21 16:46:33 radius pppd[13092]: Plugin /usr/lib64/pppd/2.4.4/radius.so loaded.
May 21 16:46:33 radius pppd[13092]: RADIUS plugin initialized.
May 21 16:46:33 radius pppd[13092]: Plugin /usr/lib64/pptpd/pptpd-logwtmp.so loaded.
May 21 16:46:33 radius pppd[13092]: pppd 2.4.4 started by root, uid 0
May 21 16:46:33 radius pppd[13092]: Using interface ppp0
May 21 16:46:33 radius pppd[13092]: Connect: ppp0 <--> /dev/pts/2
May 21 16:46:33 radius pptpd[13091]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
May 21 16:46:33 radius pppd[13092]: MPPE 128-bit stateless compression enabled
May 21 16:46:35 radius pppd[13092]: found interface eth0 for proxy arp
May 21 16:46:35 radius pppd[13092]: local IP address 192.168.90.12
May 21 16:46:35 radius pppd[13092]: remote IP address 192.168.90.55
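The debug log above states the constraint that decides this case: the mschap module says "we need NT-Password" and rejects with "No NT/LM-Password". An MS-CHAPv2 response can only be verified from the NT hash of the password (MD4 over the UTF-16LE password) or from a cleartext password that the module can turn into that hash; the crypt(3) hashes stored in /etc/shadow are one-way and cannot be converted into an NT hash, which is why a users entry with Cleartext-Password works while the local-account lookup cannot. The Python example below is an added illustration, not code from the original post: it computes the NT-Password for an account and emits the equivalent users entry using FreeRADIUS's NT-Password attribute, so the users file holds the NT hash rather than the cleartext. The MD4 routine is implemented inline because hashlib's md4 is often disabled in OpenSSL 3 builds; the test002 account name and password come from the post. An NT hash is still password-equivalent for MS-CHAPv2, so the file needs the same restrictive permissions as one holding cleartext.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used only because hashlib's md4 may be unavailable."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # (boolean function, additive constant, per-step shifts, word index order) per round
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), lambda i: i),
        (g, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: int(f"{i:04b}"[::-1], 2)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = [a, b, c, d]
        for func, const, shifts, index in rounds:
            for i in range(16):
                j = (-i) % 4  # update a, d, c, b in turn
                y, z, w = s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]
                total = (s[j] + func(y, z, w) + x[index(i)] + const) & MASK
                s[j] = _rotl(total, shifts[i % 4])
        a, b, c, d = ((a + s[0]) & MASK, (b + s[1]) & MASK,
                      (c + s[2]) & MASK, (d + s[3]) & MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_password(password: str) -> str:
    """NT-Password as rlm_mschap needs it: MD4 of the UTF-16LE password, as 32 hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def users_entry(username: str, password: str) -> str:
    """A FreeRADIUS `users` line that lets MS-CHAPv2 succeed without storing the cleartext.
    NT-Password is an octets attribute, so the value is written with a 0x prefix."""
    return f"{username}\tNT-Password := 0x{nt_password(password)}"


if __name__ == "__main__":
    # Account and password taken from the post's users entry.
    print(users_entry("test002", "test002"))
```

Append the printed line to /usr/local/radius/etc/raddb/users in place of the Cleartext-Password entry and restart radiusd; the mschap module will then find an NT-Password and verify the MS-CHAP2-Response instead of failing with "No NT/LM-Password". If the user store must stay in /etc/passwd and /etc/shadow, the only protocol the unix module can serve is PAP, which the options.pptpd above deliberately refuses.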
Reposted from: https://blog.51cto.com/ontheway2015/1208138