After upgrading from v2.x, my freeradius stopped working. I went through several troubleshooting steps, which led me to believe that the application is not sending any data to MySQL, even though it claims to.
So, I found out that freeradius should send a query to the DB every time a user tries to authenticate. Several queries, actually.
To check whether any traffic goes to the MySQL server at all, I ran tcpdump:
tcpdump -i eth0 -n | grep 192.168.32.13 | grep -v ARP
After restarting the service and attempting to authenticate via RADIUS, tcpdump logged nothing. It does work if I do it manually (so neither the connection nor the credentials are the problem).
Freeradius keeps repeating that the user is not in any group:
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'naven' ORDER BY priority
(0) sql: User not found in any groups
But the same query run directly against the DB returns a result:
MariaDB [radius]> SELECT groupname FROM radusergroup WHERE username = 'naven' ORDER BY priority;
+-----------+
| groupname |
+-----------+
| admin     |
+-----------+
1 row in set (0.00 sec)
Moreover, the INSERT query below is never stored in the database.
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'naven', 'XXXXXXXXXXXXXX', 'Access-Reject', '2019-10-19 16:44:03')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'naven', 'XXXXXXXXXXXXXX', 'Access-Reject', '2019-10-19 16:44:03')
mysql -u radius -pEpyGju6EogSFua4u -h 192.168.32.13
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 16773
Server version: 10.1.41-MariaDB-0+deb9u1 Debian 9.9
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SELECT groupname FROM radusergroup WHERE username = 'naven' ORDER BY priority;
ERROR 1046 (3D000): No database selected
MariaDB [(none)]> use radius;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [radius]> SELECT groupname FROM radusergroup WHERE username = 'naven' ORDER BY priority;
+-----------+
| groupname |
+-----------+
| admin     |
+-----------+
1 row in set (0.00 sec)
MariaDB [radius]> select * from radpostauth;
+----+----------+----------------+---------------+---------------------+
| id | username | pass           | reply         | authdate            |
+----+----------+----------------+---------------+---------------------+
|  1 | naven    | XXXXXXXXXXXXXX | Access-Reject | 2019-10-19 15:59:45 |
+----+----------+----------------+---------------+---------------------+
1 row in set (0.00 sec)
I added the radpostauth row manually. I copied the query from the previous log to make sure it works. Connecting to MySQL with the method above also confirmed that my tcpdump works correctly - I could see legitimate MySQL traffic between the servers.
Throughout the post I have only redacted some hostnames and the password in radpostauth.
Server Fault limits my post to 30k lines, so I cannot post the whole freeradius -X log.
freeradius -X
FreeRADIUS Version 3.0.12
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 192.168.32.0/23 {
ipaddr = 192.168.32.0
netmask = 23
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 192.168.35.0/24 {
ipaddr = 192.168.35.0
netmask = 24
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
Could you help me get this working?
P.S. Can you advise how to send the rest of the logs? The logs are quite extensive, and comments are limited to a few hundred characters.
So, what the installation guide does not tell you - you need to change the mysql driver in /etc/freeradius/3.0/mods-enabled/sql
swap driver = "rlm_sql_null" for driver = "rlm_sql_mysql"
if you are using mysql. If you need a different SQL server, there is a list in the comments above it.
If you get error messages on startup, make sure you have the freeradius-mysql package installed.
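A check added here for anyone hitting the same symptom (it is not part of the question or the answer, nor FreeRADIUS's own tooling): it reads the effective driver line from a FreeRADIUS mods-enabled/sql file, flags rlm_sql_null, which expands and logs the queries without sending them to any database (which is why tcpdump above saw nothing), and verifies that the driver's shared object exists in libdir (/usr/lib/freeradius in the debug output). The sample config files, the rlm_sql_<driver>.so filename convention and the libdir path are assumptions.

```shell
#!/bin/sh
# Added check: read the effective sql driver from a FreeRADIUS mods-enabled/sql
# file and verify the matching module library exists. Not FreeRADIUS's own code.

sql_driver_of() {
    # Print the driver name from the first uncommented 'driver = ...' line
    # (quoted or unquoted); prints nothing if no such line exists.
    sed -n 's/^[[:space:]]*driver[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" | head -n 1
}

check_sql_driver() {
    # $1 = path to the sql module file, $2 = libdir (the debug output shows /usr/lib/freeradius).
    # Exit status: 0 ok, 1 null driver, 2 no driver line, 3 driver library missing.
    drv=$(sql_driver_of "$1")
    case "$drv" in
        "")
            echo "$1: no driver line found"; return 2 ;;
        rlm_sql_null)
            echo "$1: driver is rlm_sql_null, queries are expanded and logged but never sent to a database"; return 1 ;;
    esac
    if [ ! -f "$2/$drv.so" ]; then
        echo "$1: driver $drv set but $2/$drv.so is missing (install the driver package, e.g. freeradius-mysql)"; return 3
    fi
    echo "$1: driver $drv, library $2/$drv.so present"
}

# Constructed sample files so the script runs stand-alone; they are not the poster's real config.
demo=$(mktemp -d)
mkdir -p "$demo/lib"
printf 'sql {\n\t# driver = "rlm_sql_mysql"\n\tdriver = "rlm_sql_null"\n\tdialect = "mysql"\n}\n' > "$demo/sql.before"
printf 'sql {\n\tdriver = "rlm_sql_mysql"\n\tdialect = "mysql"\n}\n' > "$demo/sql.after"
check_sql_driver "$demo/sql.before" "$demo/lib" || echo "  -> exit status $?"   # 1
check_sql_driver "$demo/sql.after"  "$demo/lib" || echo "  -> exit status $?"   # 3 until the library is installed
touch "$demo/lib/rlm_sql_mysql.so"                                              # stands in for installing freeradius-mysql
check_sql_driver "$demo/sql.after"  "$demo/lib" || echo "  -> exit status $?"   # 0
rm -r "$demo"
```

On a real server run check_sql_driver /etc/freeradius/3.0/mods-enabled/sql /usr/lib/freeradius and then confirm with freeradius -X that the sql module instantiates without an error.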