Доброго времени суток! Помогите, пожалуйста! Настраиваю сервер доступа на базе FreeBSD 7.1 и биллинга Netup UTM5. Настроил PPPoE-сервер через демон mpd5. Клиенты подключаются, если их логин и пароль вписаны в файл mpd.secret.
Сконфигурировал radius. Убираю mpd.secret, создаю в админке юзера, пароль, однако клиент уже подключиться не может.
Задавал этот вопрос на форуме нетапа, но там не отвечают уже неделю.
Приведу конфиги, логи и последовательность действий:
============mpd.conf ================
startup:
#configure mpd users
# NOTE(review): the console/web admin password is stored here in clear text — keep mpd.conf readable only by root.
set user admin PASSWORD
#configure the console
set console self 127.0.0.1 5005
set console open
#configure the web server
# NOTE(review): 0.0.0.0 binds the web console on every interface, including the PPPoE-facing bge1 and vr0
# configured below, and the mpd web interface is plain HTTP, so the admin password crosses the wire unprotected.
# Binding it to 127.0.0.1 like the console above limits it to the host itself.
set web self 0.0.0.0 5006
set web open
default:
load def_conf
def_conf:
create bundle template B
#set iface up-script /usr/local/etc/mpd5/mpd-up.sh
#set iface down-script /usr/local/etc/mpd5/mpd-down.sh
set bundle enable compression
# NOTE(review): encryption is enabled but not required; "set bundle enable crypt-reqd" is the option that refuses
# sessions which fail to negotiate MPPE — confirm against the mpd5 manual before adding it.
set bundle enable encryption
set iface idle 0
set iface disable proxy-arp
set iface enable tcpmssfix
set ipcp yes vjcomp
set ipcp ranges 10.0.0.1/24 10.0.0.254/24
# NOTE(review): the first DNS address pushed to clients is 127.0.0.1, which a client resolves to itself, not to this
# server; hand out the server's PPP-side address or an external resolver instead.
set ipcp dns 127.0.0.1 192.168.0.1 91.187.152.1
set ccp yes mppc
# NOTE(review): e40 and e56 are the export-grade MPPE key lengths; if every client supports 128-bit MPPE,
# leaving only e128 enabled avoids negotiating the weaker ones.
set mppc yes e40
set mppc yes e56
set mppc yes e128
set mppc yes stateless
set ecp disable dese-bis dese-old
# NOTE(review): "-radius" here switches off mpd's own RADIUS logging; "log +radius" would show the request/reply
# exchange (or its absence) in mpd's log instead of having to infer it from tcpdump.
log -echo -ipv6cp -radius -rep
# NOTE(review): "radius" is loaded here while the current context is bundle B — no link template exists yet (the first
# one is created in "common", loaded right after). The set auth / set radius commands in that label are link-level
# settings, so as ordered here they may never attach to the PPPoE links, which would match the report that the RADIUS
# lines appear to be ignored. Loading "radius" after "create link template PPPoE pppoe" is the placement to verify.
load radius
load common
common:
create link template PPPoE pppoe
set link enable no-orig-auth
set link max-children 300
# NOTE(review): 0 means no limit on simultaneous sessions per account.
set auth max-logins 0
load pppoe
pppoe:
set link action bundle B
set link enable multilink
set link yes acfcomp protocomp
set link disable chap pap eap
# NOTE(review): chap-msv1 and chap-md5 are accepted alongside chap-msv2; chap-msv1 is the weakest of the three and
# chap-md5 yields no MPPE key material at all, so a client negotiating it comes up without the encryption enabled on
# the bundle. If all clients do MS-CHAPv2, "set link enable chap chap-msv2" narrows this to the one method.
set link enable chap chap-msv1 chap-msv2 chap-md5
set link keep-alive 10 60
#pppoe on bge1 with service name "service_name0"
create link template bge1_0 PPPoE
set pppoe iface bge1
set link enable incoming
set pppoe service service_name0
#pppoe on vr0; no service name is set for this template
create link template vr0_1 PPPoE
set pppoe iface vr0
set link enable incoming
radius:
set radius config /usr/local/etc/mpd5/radius.conf
# NOTE(review): the shared secret is given both here and in radius.conf (and in the other files on this page); since it
# has now been posted publicly it should be rotated everywhere it appears, and replaced by a long random value.
set radius server 127.0.0.1 qqqqqq 1812 1813
# NOTE(review): 3 retries x 10 s means mpd waits up to 30 s for an answer before failing the CHAP exchange. In the
# second capture the client gives up after ~20 s of unanswered CHAP Responses, which is what a server that never
# replies looks like — check that the UTM5 RADIUS process is actually listening on 127.0.0.1:1812 (e.g. sockstat)
# and whether its log records the Access-Request.
set radius retries 3
set radius timeout 10
set radius me 127.0.0.1
set auth acct-update 300
set auth enable radius-auth
set auth enable radius-acct
# NOTE(review): adds a Message-Authenticator to each request; if the server does not support it, check whether it
# silently discards such requests.
set radius enable message-authentic
set ipcp enable radius-ip
===========================================
====================/mpd5/radius.conf================
# NOTE(review): libradius-format config read by mpd5 ("set radius config"); the shared secret is in clear text,
# so keep this file readable only by root and rotate the secret, since it has been posted publicly.
auth 127.0.0.1:1812 qqqqqq
acct 127.0.0.1:1813 qqqqqq
==================================================
Добавляем в файл utm5.cfg:
===================utm5.cfg=====================
##radius
radius_port=1812
radius_host=127.0.0.1
# NOTE(review): must match the secret in mpd.conf and radius.conf byte for byte; rotate it together with them.
radius_secret_key=qqqqqq
# NOTE(review): the CHAP/MS-CHAP methods mpd enables require the server to hold the clear-text password (or, for
# MS-CHAP, the NT hash), which is why plain_text is needed here. It also means the UTM5 database holds every
# subscriber password in recoverable form, so access to that database must be restricted accordingly.
password_store_method=plain_text
============================================
Настраиваем radius:
======================/etc/radiusclient/radiusclient.conf=======================
# NOTE(review): as far as the configs on this page show, mpd5 is pointed at /usr/local/etc/mpd5/radius.conf (libradius
# format, "set radius config" in mpd.conf), not at this radiusclient file — so changes here are unlikely to affect the
# PPPoE authentication path. Confirm which RADIUS client library the installed mpd5 actually uses.
auth_order radius,local
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient/issue
authserver 127.0.0.1:1812
acctserver 127.0.0.1:1813
servers /etc/radiusclient/servers
dictionary /etc/radiusclient/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login
# NOTE(review): this "<host> <secret>" line is the format of the servers file, not a radiusclient.conf keyword; it looks
# pasted in by mistake and belongs only in /etc/radiusclient/servers (which is also a file to keep root-readable only).
127.0.0.1 qqqqqq
===============================================
==============/etc/radiusclient/servers=================
# NOTE(review): same shared secret as in mpd.conf, radius.conf and utm5.cfg — keep this file readable only by root and
# rotate the secret in all four places at once.
127.0.0.1 qqqqqq
==============================================
Настраиваем словари:
================/etc/radiusclient/dictionary.merit==========
#
# Experimental extensions, configuration only (for check-items)
# Names/numbers as per the MERIT extensions (if possible).
#
# NOTE(review): pulled in via the INCLUDE line in /etc/radiusclient/dictionary; as far as this page shows, mpd5 reads
# the libradius config in /usr/local/etc/mpd5/radius.conf rather than the radiusclient files, so this dictionary is
# relevant to other RADIUS clients on the host but probably not to the mpd5 path being debugged.
ATTRIBUTE NAS-Identifier 32 string
ATTRIBUTE Proxy-State 33 string
ATTRIBUTE Login-LAT-Service 34 string
ATTRIBUTE Login-LAT-Node 35 string
ATTRIBUTE Login-LAT-Group 36 string
ATTRIBUTE Framed-AppleTalk-Link 37 integer
ATTRIBUTE Framed-AppleTalk-Network 38 integer
ATTRIBUTE Framed-AppleTalk-Zone 39 string
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
# 8 is a MERIT extension.
VALUE Service-Type Authenticate-Only 8
===============================================
====================================/etc/radiusclient/dictionary.ms=======================
# Microsoft's VSA's, from RFC 2548
#
# $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#
VENDOR Microsoft 311 Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
# NOTE(review): MS-CHAP-Challenge (11) together with MS-CHAP-Response (1) or MS-CHAP2-Response (25) is how the
# NAS forwards an MS-CHAP exchange to the server; the server must hold the clear-text password or NT hash to verify it.
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
# NOTE(review): MS-MPPE-Send-Key/Recv-Key carry the MPPE session keys back to the NAS in the Access-Accept; per
# RFC 2548 they are encrypted under the RADIUS shared secret, so the strength of that secret bounds the
# confidentiality of every PPP session's key material — one more reason not to use a trivial secret.
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
#
# Integer Translations
#
# MS-BAP-Usage Values
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
# MS-ARAP-Password-Change-Reason Values
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
# MS-Acct-Auth-Type Values
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
# MS-Acct-EAP-Type Values
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13
=====================================================================================
=======================================/etc/radiusclient/dictionary======================
# NOTE(review): top-level radiusclient dictionary referenced from radiusclient.conf ("dictionary" keyword); it only
# matters for programs that use radiusclient — mpd5 on this page is configured via the libradius radius.conf instead.
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.ms
===================================
Вносим в админку пароль для радиуса для системного юзера.
Создаем пользователя, и подключения нет: клиентская винда пишет, что данное имя пользователя и пароль недопустимы в данном домене.
Привожу tcpdump на серверном интерфейсе:
=================================tcpdump============================
listening on vr0, link-type EN10MB (Ethernet), capture size 96 bytes
15:57:56.233246 PPPoE PADI [Service-Name] [Host-Uniq 0x1A00000032000000]
15:57:56.235492 PPPoE PADO [AC-Name "NONAME"] [Service-Name] [Service-Name "*"] [Host-Uniq 0x1A00000032000000] [AC-Cookie 0x4000DBC2]
15:57:56.235780 PPPoE PADR [Service-Name] [Host-Uniq 0x1A00000033000000] [AC-Cookie 0x4000DBC2]
15:57:56.235886 PPPoE PADS [ses 0x7] [AC-Name "NONAME"] [Service-Name] [Host-Uniq 0x1A00000033000000] [AC-Cookie 0x4000DBC2]
15:57:56.239466 PPPoE [ses 0x7] LCP, Conf-Request (0x01), id 1, length 38
15:57:56.244583 PPPoE [ses 0x7] LCP, Conf-Request (0x01), id 0, length 19
15:57:56.244732 PPPoE [ses 0x7] LCP, Conf-Reject (0x04), id 1, length 23
15:57:56.246013 PPPoE [ses 0x7] LCP, Conf-Reject (0x04), id 0, length 9
15:57:56.247489 PPPoE [ses 0x7] LCP, Conf-Request (0x01), id 2, length 21
15:57:56.247594 PPPoE [ses 0x7] LCP, Conf-Request (0x01), id 1, length 16
15:57:56.248609 PPPoE [ses 0x7] LCP, Conf-Ack (0x02), id 1, length 16
15:57:56.249585 PPPoE [ses 0x7] LCP, Conf-Ack (0x02), id 2, length 21
15:57:56.250157 PPPoE [ses 0x7] LCP, Ident (0x0c), id 2, length 20
15:57:56.250303 PPPoE [ses 0x7] LCP, Ident (0x0c), id 3, length 33
15:57:56.252665 PPPoE [ses 0x7] CHAP, Challenge (0x01), id 1, Value bb1e6802bbb1389998c985e851efce10, Name
15:57:56.254842 PPPoE [ses 0x7] CHAP, Response (0x02), id 1, Value e85c3d0b50148ab4fe54edc0cb8ea7690000000000000000cdff9d067b462d71eb0acb88c57f66bdb445ad4634971e9d00, Name test
15:57:56.259001 PPPoE [ses 0x7] CHAP, Fail (0x04), id 1, Msg E=691 R=0 M=Login incorrect
15:57:56.259982 PPPoE [ses 0x7] LCP, Term-Request (0x05), id 3, length 6
15:57:56.261662 PPPoE [ses 0x7] LCP, Term-Ack (0x06), id 3, length 6
15:57:56.262813 PPPoE PADT [ses 0x7] [Generic-Error "session closed"]
15:57:56.263058 PPPoE PADT [ses 0x7]
===========================================
Судя по tcpdump, mpd просто игнорирует все строки про RADIUS.
Внёс небольшие изменения в mpd.conf, переставив строку load radius в блок с меткой pppoe.
Теперь получил следующий результат: при подключении клиента с виндой хрю вылезает ошибка 718: соединение прервано, т.к. удалённый комп не ответил вовремя.
А в tcpdump на стороне FreeBSD видно следующее:
15:35:47.266972 PPPoE PADI [Service-Name] [Host-Uniq 0x140000001E000000]
15:35:47.269126 PPPoE PADO [AC-Name "NONAME"] [Service-Name] [Service-Name "*"] [Host-Uniq 0x140000001E000000] [AC-Cookie 0x00B33CC2]
15:35:47.269398 PPPoE PADR [Service-Name] [Host-Uniq 0x140000001F000000] [AC-Cookie 0x00B33CC2]
15:35:47.269471 PPPoE PADS [ses 0x3] [AC-Name "NONAME"] [Service-Name] [Host-Uniq 0x140000001F000000] [AC-Cookie 0x00B33CC2]
15:35:47.273151 PPPoE [ses 0x3] LCP, Conf-Request (0x01), id 1, length 38
15:35:47.282626 PPPoE [ses 0x3] LCP, Conf-Request (0x01), id 0, length 19
15:35:47.283068 PPPoE [ses 0x3] LCP, Conf-Reject (0x04), id 1, length 23
15:35:47.284148 PPPoE [ses 0x3] LCP, Conf-Reject (0x04), id 0, length 9
15:35:47.285670 PPPoE [ses 0x3] LCP, Conf-Request (0x01), id 2, length 21
15:35:47.286031 PPPoE [ses 0x3] LCP, Conf-Request (0x01), id 1, length 16
15:35:47.287957 PPPoE [ses 0x3] LCP, Conf-Ack (0x02), id 2, length 21
15:35:47.289068 PPPoE [ses 0x3] LCP, Conf-Ack (0x02), id 1, length 16
15:35:47.290568 PPPoE [ses 0x3] CHAP, Challenge (0x01), id 1, Value bb1e6853aa174d6923f1843011a15384, Name
15:35:47.291019 PPPoE [ses 0x3] LCP, Ident (0x0c), id 2, length 20
15:35:47.291183 PPPoE [ses 0x3] LCP, Ident (0x0c), id 3, length 33
15:35:47.293087 PPPoE [ses 0x3] CHAP, Response (0x02), id 1, Value 1388d74f0651fd2177d25b9800bb3d5d0000000000000000809ceebc6a877eaa9c59203ac79b68eed37ac1feacef71ed00, Name test
15:35:49.293017 PPPoE [ses 0x3] CHAP, Response (0x02), id 1, Value 1388d74f0651fd2177d25b9800bb3d5d0000000000000000809ceebc6a877eaa9c59203ac79b68eed37ac1feacef71ed00, Name test
15:35:51.292968 PPPoE [ses 0x3] CHAP, Response (0x02), id 1, Value 1388d74f0651fd2177d25b9800bb3d5d0000000000000000809ceebc6a877eaa9c59203ac79b68eed37ac1feacef71ed00, Name test
15:35:53.292927 PPPoE [ses 0x3] CHAP, Response (0x02), id 1, Value 1388d74f0651fd2177d25b9800bb3d5d0000000000000000809ceebc6a877eaa9c59203ac79b68eed37ac1feacef71ed00, Name test
15:35:55.292907 PPPoE [ses 0x3] CHAP, Response (0x02), id 1, Value 1388d74f0651fd2177d25b9800bb3d5d0000000000000000809ceebc6a877eaa9c59203ac79b68eed37ac1feacef71ed00, Name test
15:35:57.292845 PPPoE [ses 0x3] CHAP, Response (0x02), id 1, Value 1388d74f0651fd2177d25b9800bb3d5d0000000000000000809ceebc6a877eaa9c59203ac79b68eed37ac1feacef71ed00, Name test
15:35:59.292799 PPPoE [ses 0x3] CHAP, Response (0x02), id 1, Value 1388d74f0651fd2177d25b9800bb3d5d0000000000000000809ceebc6a877eaa9c59203ac79b68eed37ac1feacef71ed00, Name test
15:36:01.292751 PPPoE [ses 0x3] CHAP, Response (0x02), id 1, Value 1388d74f0651fd2177d25b9800bb3d5d0000000000000000809ceebc6a877eaa9c59203ac79b68eed37ac1feacef71ed00, Name test
15:36:03.292714 PPPoE [ses 0x3] CHAP, Response (0x02), id 1, Value 1388d74f0651fd2177d25b9800bb3d5d0000000000000000809ceebc6a877eaa9c59203ac79b68eed37ac1feacef71ed00, Name test
15:36:05.292674 PPPoE [ses 0x3] CHAP, Response (0x02), id 1, Value 1388d74f0651fd2177d25b9800bb3d5d0000000000000000809ceebc6a877eaa9c59203ac79b68eed37ac1feacef71ed00, Name test
15:36:07.295681 PPPoE [ses 0x3] LCP, Term-Request (0x05), id 4, length 18
15:36:07.297210 PPPoE [ses 0x3] LCP, Term-Ack (0x06), id 3, length 6
15:36:09.283662 PPPoE [ses 0x3] LCP, Term-Request (0x05), id 5, length 18
15:36:09.285213 PPPoE [ses 0x3] LCP, Term-Ack (0x06), id 4, length 6
15:36:09.300985 PPPoE PADT [ses 0x3] [Generic-Error "session closed"]
15:36:09.301268 PPPoE PADT [ses 0x3]
При этом и при подключении через существующий mpd.secret ошибка та же. Что-то не так в конфигах RADIUS? Помогите, плиз.