Good day!
I'm starting to learn the zen of freeradius for access to switches. I can't understand why I get Failed to authenticate the user:
Code:
radcheck
+----+----------+--------------------+----+-----------+
| id | username | attribute          | op | value     |
+----+----------+--------------------+----+-----------+
|  3 | metal    | Cleartext-Password | := | metalpass |
+----+----------+--------------------+----+-----------+
radusergroup
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| metal    | users     |        1 |
+----------+-----------+----------+
radgroupcheck
+----+-----------+-----------------------+----+-------+
| id | groupname | attribute             | op | value |
+----+-----------+-----------------------+----+-------+
|  2 | users     | Auth-Type             | := | Local |
+----+-----------+-----------------------+----+-------+
radgroupreply
+----+-----------+-----------------------+----+-------+
| id | groupname | attribute             | op | value |
+----+-----------+-----------------------+----+-------+
|  1 | users     | dlink-Privelege-Level | =  |     3 |
+----+-----------+-----------------------+----+-------+
radiusd -X (debug mode)
Code:
(2) Received Access-Request Id 137 from 172.16.1.50:1025 to 10.128.1.100:1812 length 84
(2) User-Name = "metal"
(2) User-Password = "metalpass"
(2) NAS-IP-Address = 172.16.1.50
(2) NAS-Identifier = "Alphanetworks"
(2) NAS-Port-Type = Virtual
(2) Service-Type = Framed-User
(2) Framed-Protocol = PPP
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) eap: No EAP-Message, not doing EAP
(2) [eap] = noop
(2) sql: EXPAND %{User-Name}
(2) sql: --> metal
(2) sql: SQL-User-Name set to 'metal'
rlm_sql (sql): Reserved connection (7)
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'metal' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'metal' ORDER BY id
(2) sql: User found in radcheck table
(2) sql: Conditional check items matched, merging assignment check items
(2) sql: Cleartext-Password := "metalpass"
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'metal' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'metal' ORDER BY id
(2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(2) sql: --> SELECT groupname FROM radusergroup WHERE username = 'metal' ORDER BY priority
(2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'metal' ORDER BY priority
(2) sql: User found in the group table
(2) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(2) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'users' ORDER BY id
(2) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'users' ORDER BY id
(2) sql: Group "users": Conditional check items matched
(2) sql: Group "users": Merging assignment check items
(2) sql: dlink-Privelege-Level := User
(2) sql: Auth-Type := Local
(2) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(2) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'users' ORDER BY id
(2) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'users' ORDER BY id
(2) sql: Group "users": Merging reply items
(2) sql: dlink-Privelege-Level = User
rlm_sql (sql): Released connection (7)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (9), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.20-alt1, protocol version 10
(2) [sql] = ok
(2) pap: WARNING: Auth-Type already set. Not setting to PAP
(2) [pap] = noop
(2) } # authorize = ok
(2) Found Auth-Type = Local
(2) Auth-Type sub-section not found. Ignoring.
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 137 from 10.128.1.100:1812 to 172.16.1.50:1025 length 32
(2) dlink-Privelege-Level = User
Waking up in 3.9 seconds.
(2) Cleaning up request packet ID 137 with timestamp +55650
Ready to process requests
It seems that # authorize = ok, Found Auth-Type = Local, the access level gets determined, but right after that comes (2) Failed to authenticate the user
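As an added example (not the poster's own code or output), the following reads a FreeRADIUS 3 `radiusd -X` trace like the one above and names the cause of the reject: in FreeRADIUS 3 `Auth-Type := Local` selects an authenticate sub-section that no longer exists, and rlm_pap only sets `Auth-Type = PAP` when nothing set Auth-Type before it, which is what the `pap: WARNING: Auth-Type already set` line reports. The sample trace lines are constructed from the trace in the post; the function names are assumptions of this example.

```python
import re

# Constructed sample: the lines of a FreeRADIUS 3 "radiusd -X" trace that
# decide the outcome of the request shown in the post above.
SAMPLE_TRACE = """\
(2) sql: Auth-Type := Local
(2) [sql] = ok
(2) pap: WARNING: Auth-Type already set. Not setting to PAP
(2) } # authorize = ok
(2) Found Auth-Type = Local
(2) Auth-Type sub-section not found. Ignoring.
(2) Failed to authenticate the user
""".splitlines()

# Trace events that matter for this failure mode.
RE_SET_BY = re.compile(r"^\(\d+\)\s+(\S+): Auth-Type := (\S+)$")
RE_FOUND = re.compile(r"^\(\d+\)\s+Found Auth-Type = (\S+)$")
RE_MISSING = re.compile(r"^\(\d+\)\s+Auth-Type sub-section not found")
RE_PAP_SKIP = re.compile(r"^\(\d+\)\s+pap: WARNING: Auth-Type already set")
RE_FAILED = re.compile(r"^\(\d+\)\s+Failed to authenticate the user$")

def analyse_auth_type(lines):
    """Collect how Auth-Type was decided for one request: which module's
    check item forced it (set_by), its value, whether authenticate{} lacks
    a matching sub-section, whether rlm_pap declined to set PAP, and the result."""
    info = {"auth_type": None, "set_by": None, "subsection_missing": False,
            "pap_skipped": False, "failed": False}
    for line in lines:
        if m := RE_SET_BY.match(line):
            info["set_by"], info["auth_type"] = m.group(1), m.group(2)
        elif m := RE_FOUND.match(line):
            info["auth_type"] = m.group(1)
        elif RE_MISSING.match(line):
            info["subsection_missing"] = True
        elif RE_PAP_SKIP.match(line):
            info["pap_skipped"] = True
        elif RE_FAILED.match(line):
            info["failed"] = True
    return info

def diagnose(info):
    """Turn the collected facts into a one-line root-cause statement."""
    if info["subsection_missing"] and info["auth_type"]:
        who = f" by module '{info['set_by']}'" if info["set_by"] else ""
        return (f"Auth-Type forced to '{info['auth_type']}'{who}, but authenticate{{}} has "
                "no such sub-section; drop that check item so rlm_pap can set Auth-Type = PAP.")
    if info["failed"]:
        return "Failed for another reason; inspect the authenticate{} section."
    return "No Auth-Type problem detected."
```

Run `diagnose(analyse_auth_type(SAMPLE_TRACE))` on the sample, or feed it the lines of your own trace, to get the one-line verdict.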