Bonjour à tous,
Je suis en train d'installer un serveur FreeRadius dans ma VM Ubuntu Server 14.04. Une fois l'installation terminée, j'ai modifié quelques fichiers de configuration (defaut, proxy.conf, policy.conf, clients.conf et users), puis j'ai essayé de lancer la commande
radtest user Abcd1234 127.0.0.1 0 testing123
afin de tester ma configuration. Au cours de mes différents essais, j'obtiens deux types de réponses :
| root@ALPR:/# radtest user Abcd1234 127.0.0.1 0 testing123
Sending Access-Request of id 152 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "Abcd1234"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Request of id 152 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "Abcd1234"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Request of id 152 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "Abcd1234"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
radclient: no response from server for ID 152 socket 3 |
et parfois
| root@ALPR:/# radtest user Abcd1234 localhost 0 testing123
Sending Access-Request of id 147 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "Abcd1234"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=147, length=20 |
Voici les fichiers de configuration que j'ai modifiés (les modifications sont en bleu) :
defaut
| authorize {
# NOTE(review): pasted listing of the "defaut" site file; the indentation was
# lost in the paste, so the nesting below is inferred from the braces only.
auth_log
# 'inweboradius' is the policy defined in policy.conf (it rewrites
# NAS-IP-Address and NAS-Identifier and returns 'updated'); it is not a module.
inweboradius
# The proxy route is chosen from the content of the cleartext User-Password,
# before any authentication module has run:
#   - no User-Password at all (which is the case for CHAP/MS-CHAP/EAP
#     requests), a blank one, or 6-8 alphanumerics -> realm "inweboradius"
#   - 9-12 alphanumerics                            -> realm "RSA"
#   - anything else                                 -> reject
# The radtest password "Abcd1234" is 8 alphanumerics, so it takes the first
# branch: realm inweboradius points at 127.0.0.1:2181 in proxy.conf, and the
# "no response from server" seen in the radtest output is presumably the
# proxy timing out there - TODO confirm with 'freeradius -X'. Once
# Proxy-To-Realm is set, the local Cleartext-Password from the 'users' file
# is not what authenticates the request.
# Keying the route on the password also makes the backend choice depend on
# the password itself; routing on User-Name / realm (the 'suffix' module)
# would be the usual approach.
if ( !User-Password || User-Password =~ /^[0-9a-zA-Z]{6,8}$/ || User-Password =~ /^ *$/ ) {
update control {
Proxy-To-Realm := "inweboradius"
}
}
elsif (User-Password =~ /^[0-9a-zA-Z]{9,12}$/) {
update control {
Proxy-To-Realm := "RSA"
}
}
else {
# Rejected here, before preprocess / suffix / files have run.
reject
}
preprocess
chap
mschap
digest
# 'suffix' derives a realm from User-Name; a Proxy-To-Realm already set with
# ':=' above presumably takes precedence over what it finds - TODO confirm.
suffix
eap {
ok = return
}
# Loads the 'users' file (the local Cleartext-Password for "user").
files
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
unix
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
exec
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
# Empty: nothing is applied to requests before they are proxied.
pre-proxy {
}
post-proxy {
eap
} |
proxy.conf
| proxy server {
# NOTE(review): pasted proxy.conf; the indentation was lost in the paste.
default_fallback = no
retry_delay = 21
retry_count = 3
}
# This realm is written in the older "authhost/secret" form while the realms
# below use home_server / home_server_pool; the per-server settings listed in
# it (require_message_authenticator, response_window, zombie_period,
# status_check, ...) look like home_server options rather than realm options -
# TODO confirm against the FreeRADIUS 2.x proxy.conf reference.
# Requests for this realm are sent to 127.0.0.1:2181; the "no response from
# server" in the radtest output is consistent with nothing answering on that
# port, but that is inferred, not shown on this page.
# The secret "Abcd1234" is also the password of 'user' in the users file and
# the secret of client 'posteclient' in clients.conf; a RADIUS shared secret
# should be its own long random value, not a reused user password.
realm inweboradius {
authhost = 127.0.0.1:2181
secret = Abcd1234
require_message_authenticator = yes
response_window = 70
zombie_period = 70
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
max_outstanding = 65536
}
# 1.1.1.1 / 2.2.2.2 and "RSA_shared_secret" read like placeholders; anything
# routed to realm "RSA" (9-12 character passwords, per the site file) is sent
# to these addresses with this secret.
home_server RSA {
type = auth
ipaddr = 1.1.1.1
port = 1812
secret = RSA_shared_secret
}
home_server RSA2 {
type = auth
ipaddr = 2.2.2.2
port = 1812
secret = RSA_shared_secret
}
home_server_pool RSAPOOL {
type = fail-over
home_server = RSA
home_server = RSA2
}
realm RSA {
auth_pool = RSAPOOL
}
# Only reached via realm example.com below; shares the secret "testing123"
# with the 'localhost' client entry in clients.conf.
home_server localhost {
type = auth
ipaddr = 127.0.0.1
port = 1812
secret = testing123
require_message_authenticator = yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
max_outstanding = 65536
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
} |
policy.conf
| policy {
# NOTE(review): pasted policy.conf; the indentation was lost in the paste.
# Apart from the 'inweboradius' policy this reads like the stock file.
# Called from the 'defaut' authorize section: overwrites NAS-IP-Address with
# the packet's source address and NAS-Identifier with the matched client's
# shortname, then returns 'updated'.
inweboradius {
update request {
NAS-IP-Address := "%{Packet-Src-IP-Address}"
NAS-Identifier := "%{Client-Shortname}"
}
updated
}
forbid_eap {
if (EAP-Message) {
reject
}
}
permit_only_eap {
if (!EAP-Message) {
if (!"%{outer.request:EAP-Message}") {
reject
}
}
}
deny_realms {
if (User-Name =~ /@|\\/) {
reject
}
}
do_not_respond {
update control {
Response-Packet-Type := Do-Not-Respond
}
handled
}
filter_username {
if (User-Name =~ /^ /) {
reject
}
if (User-Name =~ / $$/) {
reject
}
if (User-Name != "%{tolower:%{User-Name}}") {
reject
}
}
cui_authorize {
update request {
Chargeable-User-Identity:='\\000'
}
}
# %{config:cui_hash_key} is read below but no cui_hash_key is defined anywhere
# on this page; if it expands empty the hash covers User-Name alone -
# TODO confirm it is set in the main config.
cui_postauth {
if (FreeRadius-Proxied-To == 127.0.0.1) {
if (outer.request:Chargeable-User-Identity) {
update outer.reply {
Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
}
}
}
else {
if (Chargeable-User-Identity) {
update reply {
Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
}
}
}
}
cui_updatedb {
if (reply:Chargeable-User-Identity) {
cui
}
}
# NOTE(review): 'Chargable-User-Identity' below is spelled differently from
# 'Chargeable-User-Identity' used everywhere else in this file - confirm it is
# intended. Request attributes are expanded directly into the SQL text; this
# relies on the sql module escaping those expansions - verify before relying
# on it with NAS-supplied Calling-Station-Id / User-Name values.
cui_accounting {
if (!Chargeable-User-Identity) {
update control {
Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
}
}
if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
cui
}
}
# Regex fragment reused by the rewrite.* policies below via
# %{config:policy.mac-addr}.
mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
rewrite.called_station_id {
if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
update request {
Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
}
if ("%{8}") {
update request {
Called-Station-Id := "%{Called-Station-Id}:%{8}"
}
}
updated
}
else {
noop
}
}
rewrite.calling_station_id {
if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
update request {
Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
}
updated
}
else {
noop
}
}
} |
clients.conf
| client localhost {
# NOTE(review): pasted clients.conf; the indentation was lost in the paste.
# Clients are matched on the packet's source address, so radtest's packets
# from 127.0.0.1 use this entry (the NAS-IP-Address = 127.0.1.1 it sends is
# just an attribute, not the lookup key).
ipaddr = 127.0.0.1
secret = testing123
# radtest already sends Message-Authenticator (see the output above); if every
# NAS behind this entry does too, 'yes' lets the server drop Access-Requests
# that lack a valid one.
require_message_authenticator = no
nastype = other
}
# Same secret string as the 'user' password in the users file and the
# inweboradius realm secret in proxy.conf; use a distinct random secret per
# client.
client posteclient {
ipaddr = 10.2.0.84
secret = Abcd1234
} |
users
| user Cleartext-Password := "Abcd1234"
# NOTE(review): pasted users file; the indentation was lost in the paste.
# The 'user' entry above is loaded by 'files' in authorize, but with the
# proxy decision in the 'defaut' site a request carrying this 8-character
# password gets Proxy-To-Realm set and is authenticated by the proxy target,
# not against this local password - so a local Access-Accept is not expected
# until that proxying is changed or disabled.
# The DEFAULT entries below are the stock PPP/SLIP hints; the lines after each
# DEFAULT line are that entry's reply items (continuation lines whose
# indentation was lost in the paste).
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP |
Je suis vraiment débutant avec FreeRadius ; est-ce que quelqu'un pourrait m'aider, s'il vous plaît ?
Merci d'avance pour votre aide,
Marc