#1 On 16/10/2012, at 22:36

sabnac

Freeradius problem

Hello,

I am running into a problem using freeradius.

I followed this tutorial:
http://www.pervasive-network.org/SPIP/I … radius-2-4

Everything works very well; however, I was running some tests when I noticed something strange.
In the database I have only one user (remy), whose password is testtest:

mysql> select * from radcheck ;
+----+----------+----------------+----+---------------+
| id | username | attribute      | op | value         |
+----+----------+----------------+----+---------------+
|  3 | remy     | Crypt-Password | := | gD1R.u2lSuhcQ |
|  4 | remy     | Auth-Type      | := | Crypt-Local   |
+----+----------+----------------+----+---------------+

I put radius in debug mode (freeradius -X) and authenticate with the corresponding login and password, and everything is OK:

client:

root@debian-test:~# radtest -t pap  remy testtest 127.0.0.1 0 secret
Sending Access-Request of id 204 to 127.0.0.1 port 1812
	User-Name = "remy"
	User-Password = "testtest"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=204, length=20
root@debian-test:~# 

server:

rad_recv: Access-Request packet from host 127.0.0.1 port 52120, id=33, length=56
	User-Name = "remy"
	User-Password = "testtest"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/radius.foobar.com
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "remy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] 	expand: %{User-Name} -> remy
[sql] sql_set_user escaped user --> 'remy'
rlm_sql (sql): Reserving sql socket id: 3
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'remy'           ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'remy'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'remy'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = Crypt-Local
WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'
WARNING: Use the PAP module instead.
# Executing section post-auth from file /etc/freeradius/sites-enabled/radius.foobar.com
+- entering group post-auth {...}
[sql] 	expand: %{User-Name} -> remy
[sql] sql_set_user escaped user --> 'remy'
[sql] 	expand: %{User-Password} -> testtest
[sql] 	expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'remy',                           'testtest',                           'Access-Accept', '2012-10-16 22:32:36')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'remy',                           'testtest',                           'Access-Accept', '2012-10-16 22:32:36')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 33 to 127.0.0.1 port 52120
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 33 with timestamp +495
Ready to process requests.

The problem is that if I enter a different password that resembles it, it is accepted too!:

client:

root@debian-test:~# radtest -t pap  remy testtestfsfds 127.0.0.1 0 secret
Sending Access-Request of id 86 to 127.0.0.1 port 1812
	User-Name = "remy"
	User-Password = "testtestfsfds"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=86, length=20

Server:

rad_recv: Access-Request packet from host 127.0.0.1 port 53464, id=86, length=56
	User-Name = "remy"
	User-Password = "testtestfsfds"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/radius.foobar.com
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "remy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] 	expand: %{User-Name} -> remy
[sql] sql_set_user escaped user --> 'remy'
rlm_sql (sql): Reserving sql socket id: 4
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'remy'           ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'remy'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'remy'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = Crypt-Local
WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'
WARNING: Use the PAP module instead.
# Executing section post-auth from file /etc/freeradius/sites-enabled/radius.foobar.com
+- entering group post-auth {...}
[sql] 	expand: %{User-Name} -> remy
[sql] sql_set_user escaped user --> 'remy'
[sql] 	expand: %{User-Password} -> testtestfsfds
[sql] 	expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'remy',                           'testtestfsfds',                           'Access-Accept', '2012-10-16 22:33:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'remy',                           'testtestfsfds',                           'Access-Accept', '2012-10-16 22:33:37')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 86 to 127.0.0.1 port 53464
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 11 ID 86 with timestamp +556
Ready to process requests.

radpostauth table:

| 17 | remy     | testtestt     | Access-Accept | 2012-10-16 22:25:33 |
| 18 | remy     | testtestt     | Access-Accept | 2012-10-16 22:25:45 |
| 19 | remy     | testtestt     | Access-Accept | 2012-10-16 22:29:51 |
| 20 | remy     | testtest      | Access-Accept | 2012-10-16 22:29:59 |
| 21 | remy     | testtest      | Access-Accept | 2012-10-16 22:32:36 |
| 22 | remy     | testtestfsfds | Access-Accept | 2012-10-16 22:33:28 |
| 23 | remy     | testtestfsfds | Access-Accept | 2012-10-16 22:33:37 |
+----+----------+---------------+---------------+---------------------+
23 rows in set (0.00 sec)

Could you point me to what is causing the problem?

Thanks in advance.


#2 On 17/10/2012, at 23:55

Maisondouf

Re: Freeradius problem

I used radius a few months ago to test an access point, and I remember there is a subtlety in the operator of the radcheck table.

There is a difference between the plain '=' and ':=', but sorry, I no longer remember what it is. (or maybe '==')

Dig around there....


ASUS M5A88-v EVO with AMD FX(tm)-8120 Eight-Core Processor, main OS Precise 12.04.1 LTS 63bits½
Tinkerer, liar, uneducated, socially maladjusted and mythomaniac, well, according to some....
"the secret of my form is summed up in two words, no sport" (Winston Churchill)


#3 On 18/10/2012, at 08:39

sabnac

Re: Freeradius problem

Thanks maisondouf,
I tried changing the operators to "==" but I still get the same result :(

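
The Crypt-Password value shown in post #1, gD1R.u2lSuhcQ, has the 13-character form of traditional DES crypt(3), which derives its key from only the first 8 characters of the password (7 bits of each) and ignores the rest. The audit sketch below is an added example, not code from the thread or from FreeRADIUS; its function names are hypothetical and its sample rows are copied from the radcheck and radpostauth output in post #1.

```python
import re
from collections import defaultdict

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt ids ($id$...) whose schemes hash the whole password.
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def crypt_scheme(value):
    """Classify a Crypt-Password value by its stored format."""
    m = re.match(r"^\$([0-9a-z]+)\$", value)
    if m:
        return MODULAR.get(m.group(1), "modular-" + m.group(1))
    if DES_CRYPT.match(value):
        return "des-crypt"
    return "unknown"

def des_effective_key(password):
    """Part of the password DES crypt actually uses as key material:
    the first 8 bytes only, low 7 bits of each."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:8])

def audit(radcheck_rows, attempts):
    """Return (users stored with des-crypt, groups of attempted
    passwords that such a hash cannot tell apart)."""
    flagged = [r["username"] for r in radcheck_rows
               if r["attribute"] == "Crypt-Password"
               and crypt_scheme(r["value"]) == "des-crypt"]
    groups = defaultdict(set)
    for user, password in attempts:
        if user in flagged:
            groups[(user, des_effective_key(password))].add(password)
    collisions = {k: sorted(v) for k, v in groups.items() if len(v) > 1}
    return flagged, collisions

# Sample rows copied from the tables in post #1.
RADCHECK = [
    {"username": "remy", "attribute": "Crypt-Password", "value": "gD1R.u2lSuhcQ"},
    {"username": "remy", "attribute": "Auth-Type", "value": "Crypt-Local"},
]
ATTEMPTS = [("remy", "testtest"), ("remy", "testtestt"), ("remy", "testtestfsfds")]

if __name__ == "__main__":
    flagged, collisions = audit(RADCHECK, ATTEMPTS)
    print("users stored with DES crypt:", flagged)
    for (user, key), passwords in collisions.items():
        print(user, "effective key", key, "<-", passwords)
```

Storing the hash in a modular scheme such as SHA-512 crypt ($6$ prefix), where the system crypt(3) supports it, removes the 8-character limit.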