
Mpd as a PPPoE server with authorization by freeradius2

Server Fault user
Asked 2012-10-21 10:47:53
Answers: 1, Views: 2.3K, Followers: 0, Votes: 0

I installed freeradius2 and added this to raddb/user:

test Cleartext-Password := "test1"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 10.36.0.2,
    Framed-IP-Netmask = 255.255.255.0,

Start radius and check:

radtest test test1 127.0.0.1 1002 testing123                            
Sending Access-Request of id 199 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test1"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1002
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=199, length=44
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 10.36.0.2
        Framed-IP-Netmask = 255.255.255.0

Works fine.

Next step. Added to mpd.conf:

radius: 
    set auth disable internal
    set auth max-logins 1 CI
    set auth enable radius-auth 
    set radius timeout 90 
    set radius retries 2   
    set radius server 127.0.0.1 testing123 1812 1813 
    set radius me 127.0.0.1  

 create link template L pppoe 
    set link action bundle B  
    set link max-children 1000
    set link no multilink 
    set link no shortseq  
    set link no pap chap-md5 chap-msv1 chap-msv2 
    set link enable chap 
    set pppoe acname Internet  
    load radius 

 create link template em1 L   
    set pppoe iface em1 
    set link enable incoming  

Tried to connect and it failed; here is the mpd log:

mpd: [em1-2] LCP: auth: peer wants nothing, I want CHAP
mpd: [em1-2] CHAP: sending CHALLENGE #1 len: 21
mpd: [em1-2] LCP: LayerUp
mpd: [em1-2] CHAP: rec'd RESPONSE #1 len: 58
mpd: [em1-2]   Name: "test"
mpd: [em1-2] AUTH: Trying RADIUS
mpd: [em1-2] RADIUS: Authenticating user 'test'
mpd: [em1-2] RADIUS: Rec'd RAD_ACCESS_REJECT for user 'test'
mpd: [em1-2] AUTH: RADIUS returned: failed
mpd: [em1-2] AUTH: ran out of backends
mpd: [em1-2] CHAP: Auth return status: failed
mpd: [em1-2] CHAP: Reply message: ^AE=691 R=1
mpd: [em1-2] CHAP: sending FAILURE #1 len: 14
mpd: [em1-2] LCP: authorization failed

Then I started freeradius as radiusd -fX and got the following log:

rad_recv: Access-Request packet from host 127.0.0.1 port 46400, id=223, length=282
        NAS-Identifier = "rubin.svyaz-nt.ru"
        NAS-IP-Address = 127.0.0.1
        Message-Authenticator = 0x14d36639bed8074ec2988118125367ea
        Acct-Session-Id = "815965-em1-2"
        NAS-Port = 2
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "00e05290b3e3 / 00:e0:52:90:b3:e3 / em1"
        NAS-Port-Id = "em1"
        Vendor-12341-Attr-12 = 0x656d312d32
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Client-Endpoint:0 = "00:e0:52:90:b3:e3"
        User-Name = "test"
        MS-CHAP-Challenge = 0xbb1e68d5bbc30f228725a133877de83e
        MS-CHAP2-Response = 0x010088746ae65b68e435e9d045ad6f9569b60000000000000000b56991b4f20704cb6c68e5982eec5e98a7f4b470c109c1b9
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: test
[mschap] Client is using MS-CHAPv2 for test, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [test] (from client localhost port 2 cli 00e05290b3e3 / 00:e0:52:90:b3:e3 / em1)
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 223 to 127.0.0.1 port 46400
        MS-CHAP-Error = "\001E=691 R=1"

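Why do I get the error "mschap No Cleartext-Password configured. Cannot create LM-Password."? I defined Cleartext-Password in users.

I checked raddb/sites-enabled/default: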

authorize { 
chap
mschap
    eap {
        ok = return 
    }  
files
}

Looks fine to me.

What is wrong with mpd/chap/radius?


1 Answer

Server Fault user

Accepted answer

Posted 2012-10-23 22:33:52

[files] users: Matched entry DEFAULT at line 172

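It is not picking up your entry in the users file. Did you insert the entry before the first line that starts with "DEFAULT"? I think you also need == rather than = in the check items, like this: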

test Cleartext-Password := "test1",
    Service-Type == Framed-User, Framed-Protocol == PPP,
    Framed-IP-Address == 10.36.0.2, Framed-IP-Netmask == 255.255.255.0
Votes: 1
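The check the answer performs by eye on the `radiusd -X` output (which users entry matched, and whether mschap had a password to verify against) can be scripted. The following is an added example, not part of the original question or answer; the function names are hypothetical and the sample log is a constructed excerpt modelled on the one in the question.

```python
import re

# Constructed excerpt of `radiusd -X` output, modelled on the log in the question.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 46400, id=223, length=282
        User-Name = "test"
        MS-CHAP2-Response = 0x0100aabbccdd
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
[files] users: Matched entry DEFAULT at line 172
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
Sending Access-Reject of id 223 to 127.0.0.1 port 46400
"""

USER_RE = re.compile(r'^\s*User-Name = "([^"]*)"', re.M)
MATCH_RE = re.compile(r"\[files\] users: Matched entry (\S+) at line \d+")
RESULT_RE = re.compile(r"^Sending (Access-\w+) of id", re.M)

def split_requests(text):
    """Group debug lines into one chunk per received Access-Request."""
    chunks = []
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            chunks.append([])
        if chunks:
            chunks[-1].append(line)
    return ["\n".join(c) for c in chunks]

def triage(chunk):
    """Report which users entries matched and why mschap could not verify."""
    user = USER_RE.search(chunk)
    user = user.group(1) if user else None
    matched = MATCH_RE.findall(chunk)
    result = RESULT_RE.search(chunk)
    findings = []
    if user is not None and user not in matched:
        findings.append("users entry %r never matched; matched: %s"
                        % (user, ", ".join(matched) or "none"))
    if "No Cleartext-Password configured" in chunk:
        findings.append("mschap found no Cleartext-Password for this request")
    return {"user": user, "matched": matched,
            "result": result.group(1) if result else None,
            "findings": findings}

def diagnose(text):
    return [triage(c) for c in split_requests(text)]

if __name__ == "__main__":
    for report in diagnose(SAMPLE_DEBUG):
        print(report)
```

The first finding is only a hint: it assumes the password comes from the files module, so a user served by another module will also be reported as unmatched.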
Original page content provided by Server Fault. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://serverfault.com/questions/440662
