- 1. Set up by following the official documentation, but authentication fails. The server debug output is as follows:

```
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54488, id=39, length=77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0xb47f65635d266c403fe803e56f9d47f3
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 39 to 127.0.0.1 port 54488
Waking up in 4.9 seconds.
Cleaning up request 0 ID 39 with timestamp +43
Ready to process requests.
```
Reading the output above, the highlighted line (the pap warning that no "known good" password was found for the user) seemed to be the key: the server never found a password for this user. Users and passwords are stored in /usr/local/etc/raddb/users, so that file looked like the likely problem.
Read the documentation for that file in ../doc/processing_users_file.
The problem was eventually solved:
Delete all the raddb files under /etc and reinstall; after that it works.
Cause:
Leftover files from an earlier install were interfering.
The log of a successful authentication looks like this:

```
rad_recv: Access-Request packet from host 127.0.0.1 port 34207, id=96, length=77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0xf83323b295800691a21dc45e81ef57ee
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry testing at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 96 to 127.0.0.1 port 34207
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 96 with timestamp +20
Ready to process requests.
```
- 2. After configuring SQL, the following error is reported:

```
Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
/usr/local/etc/raddb/sites-enabled/default[177]: Failed to find "sql" in the "modules" section.
/usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
```

Cause: mysql-devel was not installed, so the rlm_sql_mysql driver was never built.
Fix: install mysql-devel before building FreeRADIUS, for example:

```
sudo apt-get install libmysqld-dev
```
- 3. After putting a switch in front of the server, users stored in SQL can no longer authenticate, while users in the users file still can.
The debug log shows:

```
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: lz
[mschap] Client is using MS-CHAPv2 for lz, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
```

The highlighted lines (mschap finding neither a Cleartext-Password nor an NT-Password for the user) show where the problem is: the sql module was not enabled in the inner-tunnel virtual server, so the password stored in SQL was never read. After removing it, authentication succeeded.
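Both failures above (item 1 and item 3) are the same symptom: the authorize section of the virtual server handling the request did not produce a password attribute the authentication module could use. The following script is an added example, not code from the original post or from FreeRADIUS. It models that step: each module listed in `authorize` contributes check items for the user, and the script then reports whether rlm_pap has a "known good" password and whether rlm_mschap (MS-CHAPv2) can get an NT-Password. The users-file parser covers only the subset of the real syntax used here, the SQL source is a constructed in-memory `radcheck` table, and all usernames and passwords are made up.

```python
"""Why rlm_pap / rlm_mschap report "no known good password".

Added example, not part of the original post or of FreeRADIUS. It models
the authorize step of a virtual server: each module listed in ``authorize``
may contribute check items for the user, and the authenticate modules then
need a usable password among them. Two sources are modelled: a ``users``
file (a small subset of the real syntax) and SQL ``radcheck`` rows (a
constructed in-memory table). All sample data below is made up.
"""
import re

# Attributes rlm_pap accepts as a "known good" password (FreeRADIUS 2.x).
PAP_PASSWORD_ATTRS = {"Cleartext-Password", "Crypt-Password", "MD5-Password",
                      "SHA-Password", "NT-Password", "LM-Password"}
# rlm_mschap needs NT-Password, or Cleartext-Password to derive it from.
MSCHAPV2_PASSWORD_ATTRS = {"Cleartext-Password", "NT-Password"}

# Constructed users file: only "testing" is defined here; "lz" lives in SQL.
SAMPLE_USERS_FILE = '''\
testing\tCleartext-Password := "password"
\tReply-Message = "Hello, %{User-Name}"
'''

# Constructed radcheck rows: (username, attribute, op, value).
SAMPLE_RADCHECK = [
    ("lz", "Cleartext-Password", ":=", "s3cret"),
]

CHECK_ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*(?:"([^"]*)"|(\S+))')


def parse_users(text):
    """Return {username: {attr: value}} from the check items of each entry.

    A line starting in column 0 begins an entry: the first word is the
    username, the rest a comma-separated list of check items. Indented lines
    are reply items and are skipped. The first entry for a name wins, as in
    rlm_files (Fall-Through is not modelled).
    """
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0] in " \t":
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        checks = {}
        for item in rest.split(","):  # values containing commas are not handled
            m = CHECK_ITEM.match(item)
            if m:
                checks[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
        entries.setdefault(name, checks)
    return entries


def files_checks(users_text, username):
    """What rlm_files would add for this user (own entry, else DEFAULT)."""
    entries = parse_users(users_text)
    return dict(entries.get(username) or entries.get("DEFAULT") or {})


def sql_checks(radcheck_rows, username):
    """What rlm_sql would add for this user from its radcheck rows."""
    return {attr: value for user, attr, _op, value in radcheck_rows if user == username}


def authorize(modules, username, users_text, radcheck_rows):
    """Run the listed authorize modules in order and merge their check items."""
    sources = {
        "files": lambda: files_checks(users_text, username),
        "sql": lambda: sql_checks(radcheck_rows, username),
    }
    checks = {}
    for module in modules:
        checks.update(sources[module]())
    return checks


def auth_support(checks):
    """Which authentication methods the collected check items can satisfy."""
    attrs = set(checks)
    return {"pap": bool(attrs & PAP_PASSWORD_ATTRS),
            "mschapv2": bool(attrs & MSCHAPV2_PASSWORD_ATTRS)}


if __name__ == "__main__":
    # inner-tunnel with only "files" listed: lz's SQL password is never read,
    # which is the situation in the MS-CHAPv2 debug log above.
    print(auth_support(authorize(["files"], "lz", SAMPLE_USERS_FILE, SAMPLE_RADCHECK)))
    # With "sql" added to the section the password is found and MS-CHAPv2 can work.
    print(auth_support(authorize(["files", "sql"], "lz", SAMPLE_USERS_FILE, SAMPLE_RADCHECK)))
```

The useful habit this encodes: when a debug log says "No known good password" or "we need NT-Password", check which virtual server handled the request (default versus inner-tunnel) and which modules its authorize section actually lists, before suspecting the stored password itself.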
- 4. daloRADIUS cannot read the FreeRADIUS log
The problem looks like this:

```
Notice: Use of undefined constant SCRIPT_NAME - assumed 'SCRIPT_NAME' in /var/www/daloradius/library/exten-radius_log.php on line 45
error reading log file:
looked for log file in '/var/log/freeradius/radius.log, /usr/local/var/log/radius/radius.log, /var/log/radius/radius.log' but couldn't find it.
if you know where your freeradius log file is located, set it's location in /daloradius/rep-logs-radius.php
```

The problem is permissions, and not only the permissions of the log file itself: one of the directories on the path to those three files lacks the x (search) bit, so the web server cannot traverse it. Adding x fixes it, for example chmod a+x /usr/local/var/log/radius
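The daloRADIUS message only says the file "couldn't be found", which hides the real cause when a directory on the path is not searchable. The script below is an added example, not part of the original post or of daloRADIUS: it walks every ancestor directory of each candidate log path and reports the first one that is missing or lacks the x bit for "other" (assuming the web server runs as an unprivileged user that is neither the owner nor in the group), and then checks that the file itself is readable. The `stat_fn` parameter and the `BROKEN_LAYOUT` / `FIXED_LAYOUT` tables are a constructed filesystem used to demonstrate the problem offline; on a real host the default `os.stat` is used.

```python
"""Find which directory on the way to a log file lacks the execute (search) bit.

Added example, not part of the original post or of daloRADIUS. POSIX only.
The check models an unprivileged web-server user that is neither owner nor
group member of anything on the path, so only the "other" permission bits
matter. ``stat_fn`` can be swapped for a constructed layout (see below).
"""
import os
import stat

# Candidate locations quoted in the daloRADIUS error above.
DALORADIUS_LOG_CANDIDATES = [
    "/var/log/freeradius/radius.log",
    "/usr/local/var/log/radius/radius.log",
    "/var/log/radius/radius.log",
]


def ancestors(path):
    """Yield every directory from the root down to the file's parent."""
    path = os.path.abspath(path)
    parts = path.split(os.sep)[1:-1]
    current = os.sep
    yield current
    for part in parts:
        current = os.path.join(current, part)
        yield current


def check_log_path(path, stat_fn=os.stat):
    """Return (ok, reason).

    ok is True only if every directory above the file exists and has the
    x (search) bit for others, and the file exists and is readable by others.
    The reason names the first component that breaks the chain.
    """
    for directory in ancestors(path):
        try:
            st = stat_fn(directory)
        except FileNotFoundError:
            return False, f"{directory}: does not exist"
        if not stat.S_ISDIR(st.st_mode):
            return False, f"{directory}: not a directory"
        if not st.st_mode & stat.S_IXOTH:
            return False, f"{directory}: no x bit for others (try: chmod a+x {directory})"
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return False, f"{path}: log file does not exist"
    if not st.st_mode & stat.S_IROTH:
        return False, f"{path}: not readable by others"
    return True, f"{path}: reachable"


def find_readable_log(candidates=DALORADIUS_LOG_CANDIDATES, stat_fn=os.stat):
    """Return (first reachable candidate or None, {path: reason})."""
    reasons = {}
    for path in candidates:
        ok, reason = check_log_path(path, stat_fn)
        reasons[path] = reason
        if ok:
            return path, reasons
    return None, reasons


def fake_stat(modes):
    """Build a stat function over a constructed layout {path: mode} (demo only)."""
    class _Stat:
        def __init__(self, mode):
            self.st_mode = mode

    def _stat(path):
        if path not in modes:
            raise FileNotFoundError(path)
        return _Stat(modes[path])
    return _stat


# Constructed layout reproducing the problem: the radius log directory is 0700.
BROKEN_LAYOUT = {
    "/": stat.S_IFDIR | 0o755,
    "/usr": stat.S_IFDIR | 0o755,
    "/usr/local": stat.S_IFDIR | 0o755,
    "/usr/local/var": stat.S_IFDIR | 0o755,
    "/usr/local/var/log": stat.S_IFDIR | 0o755,
    "/usr/local/var/log/radius": stat.S_IFDIR | 0o700,
    "/usr/local/var/log/radius/radius.log": stat.S_IFREG | 0o644,
}
# Same layout after "chmod a+x /usr/local/var/log/radius".
FIXED_LAYOUT = dict(BROKEN_LAYOUT, **{"/usr/local/var/log/radius": stat.S_IFDIR | 0o755})


if __name__ == "__main__":
    for name, layout in (("broken", BROKEN_LAYOUT), ("fixed", FIXED_LAYOUT)):
        found, reasons = find_readable_log(stat_fn=fake_stat(layout))
        print(name, "->", found)
        for path, reason in reasons.items():
            print("   ", reason)
    # On a real host, drop stat_fn to inspect the actual filesystem:
    # print(find_readable_log())
```

Granting `a+x` on the directory is the minimal change: it lets the web server traverse the directory without listing it (no r bit), which is preferable to making the whole log tree world-readable.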
