radtest Access-Accept accel-ppp Access-Reject

IPoE related questions
Post Reply
fet4
Posts: 35
Joined: 05 Dec 2016, 07:35

radtest Access-Accept accel-ppp Access-Reject

Post by fet4 » 05 Dec 2016, 07:47

Доброго дня!
Подскажите что я упускаю в моей конфигурации. Поднимаю bras accel-ppp-ipoe на нем же стоит freeradius и подключается к удаленной базе, вроде бы все настроил, но через accel-ppp Access-Reject, хотя radtest Access-Accept.

Code: Select all

# cat /etc/accel-ppp.conf
[modules]
log_file
ipoe
radius
shaper

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=2

[common]
single-session=replace

[ipoe]
verbose=1
username=lua:username
lua-file=/etc/accel-ppp.lua
shared=1
ifcfg=1
mode=L2
ip-unnumbered=1
start=dhcpv4
interface=vlan200
attr-dhcp-client-ip=Framed-IP-Address
gw-ip-address=10.194.0.1/20

[dns]
dns1=172.30.0.1
dns2=172.30.1.1

[radius]
dictionary=/usr/local/share/accel-ppp/radius/dictionary
nas-identifier=accel-ppp-ipoe
nas-ip-address=172.20.0.2
server=172.20.0.2,dEoSGodupaHOelCI,auth-port=1812,acct-port=1813,req-limit=0,fail-timeout=0,max-fail=0,weight=1
dae-server=172.20.0.2:3799,dEoSGodupaHOelCI
acct-interim-interval=60
verbose=1
interim-verbose=1

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
log-fail-file=/var/log/accel-ppp/auth-fail.log
copy=1
level=5

[shaper]
attr=Filter-Id
up-limiter=police
down-limiter=tbf
verbose=1

Code: Select all

~# radtest 74:e5:43:8f:c1:17 '' 172.20.0.2 0 dEoSGodupaHOelCI
Sending Access-Request of id 150 to 172.20.0.2 port 1812
        User-Name = "74:e5:43:8f:c1:17"
        User-Password = ""
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 172.20.0.2 port 1812, id=150, length=32
        Framed-IP-Address = 10.194.114.207
        Session-Timeout = 600

Code: Select all

~# cat /var/log/accel-ppp/auth-fail.log
[2016-12-05 09:45:16]:  info: ipoe0: create interface ipoe0 parent vlan200
[2016-12-05 09:45:16]:  info: ipoe0: send [RADIUS(1) Access-Request id=1 <User-Name "74:e5:43:8f:c1:17"> <NAS-Identifier "accel-ppp-ipoe"> <NAS-IP-Address 172.20.0.2> <NAS-Port 83> <NAS-Port-Id "ipoe0"> <NAS-Port-Type Ethernet> <Calling-Station-Id "74:e5:43:8f:c1:17"> <Called-Station-Id "vlan200"> <User-Password >]
[2016-12-05 09:45:17]:  info: ipoe0: recv [RADIUS(1) Access-Reject id=1 <Framed-IP-Address 10.194.5.216> <Session-Timeout 600>]
[2016-12-05 09:45:17]: debug: ipoe0: terminate
[2016-12-05 09:45:17]:  info: ipoe0: ipoe: session finished

dimka88
Posts: 409
Joined: 13 Oct 2014, 05:51
Contact:

Re: radtest Access-Accept accel-ppp Access-Reject

Post by dimka88 » 05 Dec 2016, 08:40

Остановите freeradius, и запустите freeradius -X покажите что выведет freeradius при авторизации через accel-ppp.
А чего localhost не хотите использовать для связки freeradius и accel-ppp?

fet4
Posts: 35
Joined: 05 Dec 2016, 07:35

Re: radtest Access-Accept accel-ppp Access-Reject

Post by fet4 » 05 Dec 2016, 09:55

localhost использовал сначала, тоже самое. Кажется я понял в чем проблема в User-Password = ""
Это radtest

Code: Select all

rad_recv: Access-Request packet from host 172.20.0.2 port 41480, id=202, length=87
        User-Name = "74:e5:43:8f:c1:17"
        User-Password = ""
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x4dec5f0c6bc36e1653f0698ffb57f63e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
rlm_sql (sql): Reserving sql socket id: 31
[sql]   expand: call radcheck_dhcp('%{User-Name}') -> call radcheck_dhcp('74:e5:43:8f:c1:17')
[sql] User found in radcheck table
[sql]   expand: call radreply_dhcp('%{User-Name}') -> call radreply_dhcp('74:e5:43:8f:c1:17')
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql]   expand: call radupdate_dhcp('%{User-Name}','%{reply:Framed-IP-Address}',                'nas=%{NAS-IP-Address}') -> call radupdate_dhcp('74:e5:43:8f:c1:17','10.194.13.234',                'nas=127.0.1.1')
rlm_sql (sql) in sql_postauth: query is call radupdate_dhcp('74:e5:43:8f:c1:17','10.194.13.234',                'nas=127.0.1.1')
rlm_sql (sql): Reserving sql socket id: 30
rlm_sql (sql): Released sql socket id: 30
++[sql] = ok
+} # group post-auth = ok
Sending Access-Accept of id 202 to 172.20.0.2 port 41480
        Framed-IP-Address = 10.194.13.234
        Session-Timeout = 600
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 202 with timestamp +9
А это если указать password=empty в [ipoe] то User-Password = "" вообще нет, если password убрать то там мак-устройства, если password="" то кавычки экранируются слэшами.

Code: Select all

rad_recv: Access-Request packet from host 172.20.0.2 port 45003, id=1, length=110
        User-Name = "74:e5:43:8f:c1:17"
        NAS-Identifier = "accel-ppp-ipoe"
        NAS-IP-Address = 172.20.0.2
        NAS-Port = 211
        NAS-Port-Id = "ipoe0"
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "74:e5:43:8f:c1:17"
        Called-Station-Id = "vlan200"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
rlm_sql (sql): Reserving sql socket id: 30
[sql]   expand: call radcheck_dhcp('%{User-Name}') -> call radcheck_dhcp('74:e5:43:8f:c1:17')
[sql] User found in radcheck table
[sql]   expand: call radreply_dhcp('%{User-Name}') -> call radreply_dhcp('74:e5:43:8f:c1:17')
rlm_sql (sql): Released sql socket id: 30
++[sql] = ok
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type REJECT
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
# Executing group from file /etc/freeradius/sites-enabled/default
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 1 to 172.20.0.2 port 45003
        Framed-IP-Address = 10.194.7.128
        Session-Timeout = 600
Waking up in 4.9 seconds.
Cleaning up request 1 ID 1 with timestamp +10
А это sql процедура биллинга, я так понимаю проще ее изменить, чем в accel, что бы вообще User-Password = "" не проверялся или ровнялся mac? в sql не силен, я так понимаю пароль в ipoe режиме не нужен.

Code: Select all

CREATE PROCEDURE `radcheck` (IN login VARCHAR(64))
BEGIN
  SELECT Null, login, 'Cleartext-Password' AS Attribute, '' AS Value,':=';
END$$
DELIMITER ;

hugleo
Posts: 58
Joined: 13 Apr 2016, 14:28

Re: radtest Access-Accept accel-ppp Access-Reject

Post by hugleo » 05 Dec 2016, 12:42

You can set a non empty password for radius user like the password string and configure accel-ppp to send the password string

[ipoe]
username=lua:username
lua-file=/etc/accel-ppp.lua
password=password

simplesinternet
Posts: 2
Joined: 27 Aug 2018, 22:39

Re: radtest Access-Accept accel-ppp Access-Reject

Post by simplesinternet » 27 Aug 2018, 22:42

Привет, извините, мой русский текст трудно понять, я бразилец, и у меня с проблемой, похожей на вашу, имя интерфейса vlan попадает в радиус, а не в UN mac, как я могу его организовать?

[2018-08-27 19:40:44.423] enp3s0f1.100: : recv [DHCPv4 Discover xid=16554555 chaddr=ac:84:c6:6e:0a:61 <Message-Type Discover> <Max-Message-Size 1024> <Client-ID 01ac84c66e0a61> <Host-Name TL-WR849N> <Vendor-Class 4d53465420352e30> <Request-List Subnet,Router,DNS,Domain-Name,Vendor-Specific,44,46,47,Route,Classless-Route,249>]
[2018-08-27 19:40:44.423] ipoe0: 8E186C59A3C47A6C: create interface ipoe0 parent enp3s0f1.100
[2018-08-27 19:40:44.423] ipoe0: 8E186C59A3C47A6C: radius(1): req_enter 1
[2018-08-27 19:40:44.423] ipoe0: 8E186C59A3C47A6C: send [RADIUS(1) Access-Request id=1 <User-Name "enp3s0f1.100"> <NAS-Identifier "accel02"> <NAS-IP-Address 177.92.136.6> <NAS-Port 1003> <NAS-Port-Id "ipoe0"> <NAS-Port-Type Ethernet> <Calling-Station-Id "ac:84:c6:6e:0a:61"> <Called-Station-Id "enp3s0f1.100"> <User-Password 0xbc7a47695950b55344f5c124fcfba953>]
[2018-08-27 19:40:45.455] ipoe0: 8E186C59A3C47A6C: radius(1): req_exit 0
[2018-08-27 19:40:45.455] ipoe0: 8E186C59A3C47A6C: recv [RADIUS(1) Access-Reject id=1]
[2018-08-27 19:40:45.455] ipoe0: 8E186C59A3C47A6C: terminate
[2018-08-27 19:40:45.455] ipoe0: 8E186C59A3C47A6C: ipoe: session finished

dimka88
Posts: 409
Joined: 13 Oct 2014, 05:51
Contact:

Re: radtest Access-Accept accel-ppp Access-Reject

Post by dimka88 » 28 Aug 2018, 05:46

Привет, создайте файл
Hi, create file

Code: Select all

touch /etc/accel-ppp.lua
Edit /etc/accel-ppp.lua

Code: Select all

#!lua
function username(pkt)
return pkt:hdr('chaddr')
end
then edit
/etc/accel-ppp.conf

Code: Select all

[ipoe]
username=lua:username
lua-file=/etc/accel-ppp.lua

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests