I have been studying RADIUS recently and ran into some problems, so I am writing this blog post to ask for help. If any expert knows the cause of the error, please explain it.

System environment: CentOS 5.7 64bit

IP: 192.168.90.12

*** client test environment: XP; the client is the system's built-in *** dial-up

Any configuration file not shown here uses the default

pptp ***: just download the relevant RPM packages; the steps are omitted

Relevant configuration files (I am pasting the already-configured files directly; the usual order is to install pptp first, then radius, then the radius client, and finally add the radius authentication settings to the pptp configuration file)

[root@radius raddb]# cat /etc/pptpd.conf
option /etc/ppp/options.pptpd
ppp /usr/sbin/pppd
stimeout 10
debug
connections 10
logwtmp
localip 192.168.90.12
remoteip 192.168.90.55-60
[root@radius raddb]# cat /etc/ppp/options.pptpd
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
ms-dns 8.8.8.8
plugin /usr/lib64/pppd/2.4.4/radius.so
radius-config-file /usr/local/radius/etc/radiusclient/radiusclient.conf

Because the *** authenticates accounts through RADIUS, no accounts or passwords were added to /etc/ppp/chap-secrets; IP forwarding is also enabled

[root@radius raddb]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

Install freeradius:

wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
tar zxf freeradius-server-2.1.12.tar.gz
cd freeradius-server-2.1.12
./configure --prefix=/usr/local/radius
make && make install

Update the shared library cache

echo "/usr/local/radius/lib" >> /etc/ld.so.conf
ldconfig

Add 2 local test accounts

[root@radius raddb]# tail -2 /etc/passwd
test001:x:500:500::/home/test001:/bin/bash
test002:x:501:501::/home/test002:/bin/bash

Installing and configuring the freeradius client

wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.gz
tar -zxf freeradius-client-1.1.6.tar.gz
cd freeradius-client-1.1.6
./configure --prefix=/usr/local/radius
make && make install

Set the shared secret

cat >>/usr/local/radius/etc/radiusclient/servers<

Add support for Windows clients dialling the ***

Copy dictionary.microsoft from the share directory under the package's extraction path into /usr/local/radius/etc/radiusclient/

and also

cat >>/usr/local/radius/etc/radiusclient/dictionary<

Enable pptp support in the radius client; if these options are left set, it reports an error

sed -i 's/radius_deadtime/\#radius_deadtime/g' /usr/local/radius/etc/radiusclient/radiusclient.conf
sed -i 's/bindaddr/\#bindaddr/g' /usr/local/radius/etc/radiusclient/radiusclient.conf

Add the configuration for using local system accounts as the authentication accounts

cat >> /usr/local/radius/etc/raddb/radiusd.conf<

Firewall configuration:

[root@radius ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Mon May 20 13:03:42 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.90.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.90.12
COMMIT
# Completed on Mon May 20 13:03:42 2013
# Generated by iptables-save v1.3.5 on Mon May 20 13:03:42 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [454:61612]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p gre -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 47 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon May 20 13:03:42 2013

Local test:

[root@radius ~]# /usr/local/radius/bin/radtest test001 test001 localhost 0 testing123
Sending Access-Request of id 154 to 127.0.0.1 port 1812
        User-Name = "test001"
        User-Password = "test001"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=154, length=20

The error when logging in with the test001 account on the *** client is as follows

Error log:

rad_recv: Access-Request packet from host 127.0.0.1 port 34472, id=20, length=151
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test002"
        MS-CHAP-Challenge = 0x627153d635b6173bfca748bb82e7dd89
        MS-CHAP2-Response = 0x2a00ceba0a3c849afbc92daa5379a01f5413000000000000000013fa684b8a50835eb6732bacad79e3067e810be712bc5b55
        Calling-Station-Id = "192.168.90.128"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
# Executing section authorize from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "test002", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 173
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: test002
[mschap] Client is using MS-CHAPv2 for test002, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test002
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 20 to 127.0.0.1 port 34472
        MS-CHAP-Error = "*E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 1 ID 20 with timestamp +68
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60590, id=21, length=151
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test002"
        MS-CHAP-Challenge = 0x7ea1dc9f4a481b3b7f05219a03016612
        MS-CHAP2-Response = 0x1300a93d05dde45307f71bfaf819d9695b890000000000000000753fc0bbd670a0bd44022beaa9dfa5f54fc21a46876b805f
        Calling-Station-Id = "192.168.90.128"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
# Executing section authorize from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "test002", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 173
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: test002
[mschap] Client is using MS-CHAPv2 for test002, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test002
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 21 to 127.0.0.1 port 60590
        MS-CHAP-Error = "\023E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 2 ID 21 with timestamp +133
Ready to process requests.

But

if the account is added to the users file for authentication, the connection works normally:

[root@radius raddb]# tail -1 users
test002  Cleartext-Password := "test002"

Log of a successful authentication with the account from the users configuration file:

May 21 16:46:33 radius pptpd[13091]: CTRL: Client 192.168.90.128 control connection started
May 21 16:46:33 radius pptpd[13091]: CTRL: Starting call (launching pppd, opening GRE)
May 21 16:46:33 radius pppd[13092]: Plugin /usr/lib64/pppd/2.4.4/radius.so loaded.
May 21 16:46:33 radius pppd[13092]: RADIUS plugin initialized.
May 21 16:46:33 radius pppd[13092]: Plugin /usr/lib64/pptpd/pptpd-logwtmp.so loaded.
May 21 16:46:33 radius pppd[13092]: pppd 2.4.4 started by root, uid 0
May 21 16:46:33 radius pppd[13092]: Using interface ppp0
May 21 16:46:33 radius pppd[13092]: Connect: ppp0 <--> /dev/pts/2
May 21 16:46:33 radius pptpd[13091]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
May 21 16:46:33 radius pppd[13092]: MPPE 128-bit stateless compression enabled
May 21 16:46:35 radius pppd[13092]: found interface eth0 for proxy arp
May 21 16:46:35 radius pppd[13092]: local  IP address 192.168.90.12
May 21 16:46:35 radius pppd[13092]: remote IP address 192.168.90.55