#1 On 16/10/2012, at 22:36
- sabnac
freeradius problem
Hello,
I am running into a problem using freeradius.
I followed this tutorial:
http://www.pervasive-network.org/SPIP/I … radius-2-4
Everything works very well; however, while I was running some tests I noticed something strange.
In the database I have only one user (remy), whose password is testtest:
mysql> select * from radcheck ;
+----+----------+----------------+----+---------------+
| id | username | attribute | op | value |
+----+----------+----------------+----+---------------+
| 3 | remy | Crypt-Password | := | gD1R.u2lSuhcQ |
| 4 | remy | Auth-Type | := | Crypt-Local |
+----+----------+----------------+----+---------------+
I run radius in debug mode (freeradius -X) and authenticate with the corresponding login and password, and everything is OK:
client:
root@debian-test:~# radtest -t pap remy testtest 127.0.0.1 0 secret
Sending Access-Request of id 204 to 127.0.0.1 port 1812
User-Name = "remy"
User-Password = "testtest"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=204, length=20
root@debian-test:~#
server:
rad_recv: Access-Request packet from host 127.0.0.1 port 52120, id=33, length=56
User-Name = "remy"
User-Password = "testtest"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/radius.foobar.com
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "remy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> remy
[sql] sql_set_user escaped user --> 'remy'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'remy' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'remy' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'remy' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = Crypt-Local
WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'
WARNING: Use the PAP module instead.
# Executing section post-auth from file /etc/freeradius/sites-enabled/radius.foobar.com
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> remy
[sql] sql_set_user escaped user --> 'remy'
[sql] expand: %{User-Password} -> testtest
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'remy', 'testtest', 'Access-Accept', '2012-10-16 22:32:36')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'remy', 'testtest', 'Access-Accept', '2012-10-16 22:32:36')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 33 to 127.0.0.1 port 52120
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 33 with timestamp +495
Ready to process requests.
The problem is that if I enter a different password that resembles it, it is accepted too!:
client:
root@debian-test:~# radtest -t pap remy testtestfsfds 127.0.0.1 0 secret
Sending Access-Request of id 86 to 127.0.0.1 port 1812
User-Name = "remy"
User-Password = "testtestfsfds"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=86, length=20
Server:
rad_recv: Access-Request packet from host 127.0.0.1 port 53464, id=86, length=56
User-Name = "remy"
User-Password = "testtestfsfds"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/radius.foobar.com
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "remy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> remy
[sql] sql_set_user escaped user --> 'remy'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'remy' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'remy' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'remy' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = Crypt-Local
WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'
WARNING: Use the PAP module instead.
# Executing section post-auth from file /etc/freeradius/sites-enabled/radius.foobar.com
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> remy
[sql] sql_set_user escaped user --> 'remy'
[sql] expand: %{User-Password} -> testtestfsfds
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'remy', 'testtestfsfds', 'Access-Accept', '2012-10-16 22:33:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'remy', 'testtestfsfds', 'Access-Accept', '2012-10-16 22:33:37')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 86 to 127.0.0.1 port 53464
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 11 ID 86 with timestamp +556
Ready to process requests.
radpostauth table:
| 17 | remy | testtestt | Access-Accept | 2012-10-16 22:25:33 |
| 18 | remy | testtestt | Access-Accept | 2012-10-16 22:25:45 |
| 19 | remy | testtestt | Access-Accept | 2012-10-16 22:29:51 |
| 20 | remy | testtest | Access-Accept | 2012-10-16 22:29:59 |
| 21 | remy | testtest | Access-Accept | 2012-10-16 22:32:36 |
| 22 | remy | testtestfsfds | Access-Accept | 2012-10-16 22:33:28 |
| 23 | remy | testtestfsfds | Access-Accept | 2012-10-16 22:33:37 |
+----+----------+---------------+---------------+---------------------+
23 rows in set (0.00 sec)
Could you point me towards what is causing the problem?
Thanks in advance.
Offline
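A likely explanation for the behaviour reported above, as an added example that is not part of the original post: the stored value gD1R.u2lSuhcQ has the 13-character shape of a traditional DES crypt(3) hash, and that scheme derives its key from only the first 8 characters of the password, so testtest, testtestt and testtestfsfds all reduce to the same key. The sketch below audits radcheck rows for this condition; the function names and the third row are constructed for illustration.

```python
import re

# (username, attribute, op, value): the first two rows are the radcheck rows
# shown in the post; the third is a constructed row with a modular-format hash.
RADCHECK_ROWS = [
    ("remy", "Crypt-Password", ":=", "gD1R.u2lSuhcQ"),
    ("remy", "Auth-Type", ":=", "Crypt-Local"),
    ("alice", "Crypt-Password", ":=", "$6$constructedsalt$" + "A" * 86),
]

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char digest
MODULAR = re.compile(r"^\$([0-9a-z]+)\$")       # $id$... modular crypt format
DES_KEY_LEN = 8                                 # bytes of password DES crypt uses


def classify_crypt_hash(value):
    """Guess the crypt(3) scheme from the shape of the stored hash."""
    m = MODULAR.match(value)
    if m:
        return "modular-" + m.group(1)
    if DES_CRYPT.match(value):
        return "des"
    return "unknown"


def des_effective_key(password):
    """Traditional DES crypt keeps the low 7 bits of the first 8 bytes only."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:DES_KEY_LEN])


def collide_under_des(a, b):
    """True when two passwords are indistinguishable to DES crypt."""
    return des_effective_key(a) == des_effective_key(b)


def audit(rows):
    """Flag rows that reproduce the situation in the post."""
    findings = []
    for user, attr, _op, value in rows:
        if attr == "Crypt-Password" and classify_crypt_hash(value) == "des":
            findings.append((user, "des-crypt-truncates-at-8"))
        # The debug log itself warns about forcing Auth-Type to Crypt.
        if attr == "Auth-Type" and value.startswith("Crypt"):
            findings.append((user, "auth-type-forced-crypt"))
    return findings


if __name__ == "__main__":
    print(audit(RADCHECK_ROWS))
    print(collide_under_des("testtest", "testtestfsfds"))
```

Changing the op column does not affect either finding, since the truncation happens inside the hash comparison; storing the password with a scheme that uses the whole input and removing the Auth-Type row, as the server warning in the log asks, addresses both.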
#2 On 17/10/2012, at 23:55
- Maisondouf
Re: freeradius problem
I used radius a few months ago to test an access point, and I remember there is a subtlety in the operator of the radcheck table.
There is a difference between the plain '=' and ':=', but forgive me, I no longer remember it. (or maybe '==')
Dig around there....
ASUS M5A88-v EVO avec AMD FX(tm)-8120 Eight-Core Processor, OS principal Precise 12.04.1 LTS 63bits½
Tinkerer, liar, uncultured, socially maladjusted and mythomaniac, well, according to some....
"the secret of my form is summed up in two words, no sport" (Winston Churchill)
Offline
#3 On 18/10/2012, at 08:39
- sabnac
Re: freeradius problem
Thanks maisondouf,
I tried changing the operators to "==" but I still get the same result :(
Offline