1. Set up following the official documentation, but authentication fails. The server debug output is as follows:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54488, id=39, length=77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0xb47f65635d266c403fe803e56f9d47f3
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> testing
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 39 to 127.0.0.1 port 54488
Waking up in 4.9 seconds.
Cleaning up request 0 ID 39 with timestamp +43
Ready to process requests.
Reading the output above, the key line is the one originally shown in bold, the pap warning: no "known good" password was found for this user. Users and their passwords live in /usr/local/etc/raddb/users, so that file is the likely problem.
Read the documentation for that file, ../doc/processing_users_file.
The problem was solved later: delete all the raddb files under /etc and reinstall, and it works.
Cause: leftover files from the earlier installation were interfering.
The server log of a successful authentication looks like this:
rad_recv: Access-Request packet from host 127.0.0.1 port 34207, id=96, length=77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0xf83323b295800691a21dc45e81ef57ee
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry testing at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 96 to 127.0.0.1 port 34207
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 96 with timestamp +20
Ready to process requests.
2. After configuring the SQL module, the following error is reported:
Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
/usr/local/etc/raddb/sites-enabled/default[177]: Failed to find "sql" in the "modules" section.
/usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
Cause: mysql-devel was not installed.
Fix: install mysql-devel before building.
sudo apt-get install libmysqld-dev
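The error above means the driver file itself is missing from the module directory, not that the config is wrong. The following check is an added example, not part of the original post: it confirms that rlm_sql_mysql.so was actually built and, if it exists, asks ldd which of its dependent libraries the loader cannot find. The module directory /usr/local/lib is an assumption based on the post's /usr/local prefix.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the rlm_sql_mysql
# driver exists and that its shared-library dependencies resolve before
# enabling "sql" in raddb. MODULE_DIR is an assumption (/usr/local prefix).

# check_sql_driver MODULE_DIR [DRIVER]
# Returns 0 if DRIVER.so exists and ldd resolves every dependency,
# 1 if the file is missing (the build skipped it, typically because the MySQL
# client headers were absent at ./configure time), 2 if ldd reports "not found".
check_sql_driver() {
    moddir=$1
    driver=${2:-rlm_sql_mysql}
    so="$moddir/$driver.so"
    if [ ! -f "$so" ]; then
        echo "missing: $so (install the MySQL development package and rebuild)"
        return 1
    fi
    # ldd shows which dependent library the dynamic loader cannot locate.
    if command -v ldd >/dev/null 2>&1; then
        missing=$(ldd "$so" 2>/dev/null | grep 'not found' || true)
        if [ -n "$missing" ]; then
            echo "unresolved dependencies of $so:"
            printf '%s\n' "$missing"
            return 2
        fi
    fi
    echo "ok: $so"
    return 0
}

# Stand-alone usage: sh check_sql_driver.sh /usr/local/lib
if [ $# -gt 0 ]; then
    check_sql_driver "$1"
fi
```

Run it against the directory where `make install` put the modules; a return code of 1 points at the build (headers missing), 2 at the runtime library path (ldconfig or LD_LIBRARY_PATH).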
3. After putting the switch into use, the SQL module could not authenticate users, while the users in the files module could still be authenticated.
The debug log of the error:
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: lz
[mschap] Client is using MS-CHAPv2 for lz, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
The lines originally shown in bold (mschap reporting that no Cleartext-Password is configured, so no NT-Password can be created) are where the problem appears. The sql module in inner-tunnel was probably not enabled, so the password could not be read from SQL. Once that was removed, authentication succeeded.
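Both traces in items 1 and 3 were diagnosed the same way: scan the radiusd -X output for the module that complained and the final packet. The script below is an added example, not part of the original post; it keeps only module warnings and errors, module results other than ok/noop/updated, and the Access-Accept/Access-Reject line, so the decisive lines stand out. The three sample traces are constructed from the shape of the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): pick the decisive lines out of a
# "radiusd -X" debug trace. The traces below are constructed from the ones
# quoted in items 1 and 3; radiusd prints one record per line.

# Constructed: item 1, rejected because no module supplied a "known good" password.
TRACE_REJECT='rad_recv: Access-Request packet from host 127.0.0.1 port 54488, id=39, length=77
        User-Name = "testing"
        User-Password = "password"
+group authorize {
++[preprocess] = ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Sending Access-Reject of id 39 to 127.0.0.1 port 54488'

# Constructed: item 1 after the fix, the files module matched the user.
TRACE_ACCEPT='rad_recv: Access-Request packet from host 127.0.0.1 port 34207, id=96, length=77
+group authorize {
[files] users: Matched entry testing at line 1
++[files] = ok
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
[pap] User authenticated successfully
++[pap] = ok
Sending Access-Accept of id 96 to 127.0.0.1 port 34207'

# Constructed: item 3, MS-CHAPv2 in the inner tunnel with no NT-Password available.
TRACE_MSCHAP='[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
++[mschap] = reject
+} # group MS-CHAP = reject
++[eap] = reject
Failed to authenticate the user.'

# radius_triage TRACE: print module warnings/errors, module results that are
# not ok/noop/updated, and the packet finally sent. Everything else is noise.
radius_triage() {
    printf '%s\n' "$1" | grep -E \
        'WARNING|ERROR|FAILED|^\+\+\[[^]]+] = (reject|fail|invalid|notfound|userlock)|^Sending Access-(Accept|Reject)'
}

# radius_verdict TRACE: return 0 if the server sent Access-Accept, 1 otherwise.
radius_verdict() {
    printf '%s\n' "$1" | grep -q '^Sending Access-Accept'
}

# Stand-alone usage: radius_triage "$(cat saved-trace.txt)"
for t in "$TRACE_REJECT" "$TRACE_ACCEPT" "$TRACE_MSCHAP"; do
    radius_triage "$t"
    if radius_verdict "$t"; then echo '=> accepted'; else echo '=> rejected'; fi
    echo
done
```

For the item 1 trace this leaves the pap warning, the "No authenticate method" error and the Access-Reject; for item 3 it leaves the two mschap FAILED lines and the `= reject` results, which is exactly the chain that points at the missing password source.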
4. daloRADIUS cannot read the FreeRADIUS log
The error is:
Notice: Use of undefined constant SCRIPT_NAME - assumed 'SCRIPT_NAME' in /var/www/daloradius/library/exten-radius_log.php on line 45
error reading log file:
looked for log file in '/var/log/freeradius/radius.log, /usr/local/var/log/radius/radius.log, /var/log/radius/radius.log' but couldn't find it.
if you know where your freeradius log file is located, set it's location in /daloradius/rep-logs-radius.php
The problem is permissions, and not just the permissions on the file itself: one of the directories on the path to those three files lacks the x (search) bit. Adding it fixes the problem, for example chmod a+x /usr/local/var/log/radius.
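Because the web server runs daloRADIUS as an unprivileged user, every directory between / and radius.log must grant that user search (x) access, not only the log file. The script below is an added example, not from the original post: it walks the path of a log file and names each directory whose mode denies the "other" execute bit, which is the bit chmod a+x adds. The three default locations come from the error message above.

```shell
#!/bin/sh
# Added example (not from the original post): report the directories on the
# way to a log file that deny search access to "other", which is what an
# unprivileged web-server user needs in order to open the file.

# path_missing_search_bit FILE [ROOT]
# Prints each directory between FILE and ROOT (default /) whose mode lacks
# the "other" execute bit; returns 1 if any was found, 0 if the chain is open.
path_missing_search_bit() {
    file=$1
    root=${2:-/}
    status=0
    dir=$(dirname "$file")
    while [ "$dir" != "$root" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ ! -d "$dir" ]; then
            printf 'missing directory: %s\n' "$dir"
            status=1
        else
            # The first field of "ls -ld" is the mode string; its 10th character
            # is the execute/search bit for "other" ('x', or 't' with sticky).
            # -L follows a symlinked component so the target's mode is shown.
            mode=$(ls -ldL "$dir" | cut -c1-10)
            case $mode in
                d????????[xt]) ;;
                *) printf 'no search bit for other: %s (%s)\n' "$dir" "$mode"; status=1 ;;
            esac
        fi
        dir=$(dirname "$dir")
    done
    return $status
}

# Stand-alone usage: check the three locations daloRADIUS tries by default.
if [ $# -eq 0 ]; then
    set -- /var/log/freeradius/radius.log /usr/local/var/log/radius/radius.log /var/log/radius/radius.log
fi
for f in "$@"; do
    path_missing_search_bit "$f" || true
done
```

The check reads the mode bits rather than testing access as the current user, so it gives the same answer when run as root. If ls prints a + after the mode string, an ACL is in effect and may grant or deny more than the bits show; likewise the file itself still needs to be readable by the web user once the directory chain is open.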