2017-08-31 118 views
1

My FreeRADIUS server should reject users who have exceeded their usage limit, but the server accepts them, while the reply message saying the user has exceeded their limit is still being set. FreeRADIUS server does not reject the user.

Debug log:

rad_recv: Access-Request packet from host 1.2.3.4 port 46010, id=13, length=197 
    NAS-Port-Type = Wireless-802.11 
    Calling-Station-Id = "80:ED:2C:E5:EB:C6" 
    Called-Station-Id = "hotspot1" 
    NAS-Port-Id = "bridge" 
    User-Name = "USERNAME" 
    NAS-Port = 2151677955 
    Acct-Session-Id = "80400003" 
    Framed-IP-Address = 192.168.8.251 
    Mikrotik-Host-IP = 192.168.8.251 
    CHAP-Challenge = 0xa484e5a94500de0751545d5a69777d03 
    CHAP-Password = 0xb99d22e3c7c8cef532b70f9f514eef029c 
    Service-Type = Login-User 
    WISPr-Logoff-URL = "http://192.168.8.1/logout" 
    NAS-Identifier = "ROUTER" 
    NAS-IP-Address = 10.0.0.114 
# Executing section authorize from file /etc/freeradius/sites-enabled/default 
+group authorize { 
++[preprocess] = ok 
[chap] Setting 'Auth-Type := CHAP' 
++[chap] = ok 
++[mschap] = noop 
++[digest] = noop 
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL 
[suffix] No such realm "NULL" 
++[suffix] = noop 
[eap] No EAP-Message, not doing EAP 
++[eap] = noop 
++[files] = noop 
[sql] expand: %{User-Name} -> USERNAME 
[sql] sql_set_user escaped user --> 'USERNAME' 
rlm_sql (sql): Reserving sql socket id: 31 
[sql] expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'USERNAME'   ORDER BY id 
rlm_sql_mysql: query: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'USERNAME'   ORDER BY id 
[sql] User found in radcheck table 
[sql] expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'USERNAME'   ORDER BY id 
rlm_sql_mysql: query: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'USERNAME'   ORDER BY id 
[sql] expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'USERNAME'   ORDER BY priority 
rlm_sql_mysql: query: SELECT groupname   FROM radusergroup   WHERE username = 'USERNAME'   ORDER BY priority 
rlm_sql (sql): Released sql socket id: 31 
++[sql] = ok 
++[expiration] = noop 
++[logintime] = noop 
[pap] WARNING: Auth-Type already set. Not setting to PAP 
++[pap] = noop 
rlm_sqlcounter: Entering module authorize code 
rlm_sqlcounter: Could not find Check item value pair 
++[dailycounter] = noop 
++? if (reject) 
? Evaluating (reject) -> FALSE 
++? if (reject) -> FALSE 
rlm_sqlcounter: Entering module authorize code 
rlm_sqlcounter: Could not find Check item value pair 
++[weeklycounter] = noop 
++? if (reject) 
? Evaluating (reject) -> FALSE 
++? if (reject) -> FALSE 
rlm_sqlcounter: Entering module authorize code 
rlm_sqlcounter: Could not find Check item value pair 
++[monthlycounter] = noop 
++? if (reject) 
? Evaluating (reject) -> FALSE 
++? if (reject) -> FALSE 
rlm_sqlcounter: Entering module authorize code 
rlm_sqlcounter: Could not find Check item value pair 
++[noresetcounter] = noop 
++? if (reject) 
? Evaluating (reject) -> FALSE 
++? if (reject) -> FALSE 
rlm_sqlcounter: Entering module authorize code 
rlm_sqlcounter: Could not find Check item value pair 
++[dailyBytecounter] = noop 
++? if (reject) 
? Evaluating (reject) -> FALSE 
++? if (reject) -> FALSE 
rlm_sqlcounter: Entering module authorize code 
rlm_sqlcounter: Could not find Check item value pair 
++[weeklyBytecounter] = noop 
++? if (reject) 
? Evaluating (reject) -> FALSE 
++? if (reject) -> FALSE 
rlm_sqlcounter: Entering module authorize code 
sqlcounter_expand: 'SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = '%{User-Name}' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a' 
[monthlyBytecounter] expand: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = '%{User-Name}' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a -> SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a 
WARNING: Please replace '%S' with '${sqlmod-inst}' 
sqlcounter_expand: '%{sql:SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a}' 
[monthlyBytecounter] sql_xlat 
[monthlyBytecounter] expand: %{User-Name} -> USERNAME 
[monthlyBytecounter] sql_set_user escaped user --> 'USERNAME' 
[monthlyBytecounter] expand: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a -> SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a 
[monthlyBytecounter] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql 
rlm_sql (sql): Reserving sql socket id: 30 
rlm_sql_mysql: query: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a 
[monthlyBytecounter] sql_xlat finished 
rlm_sql (sql): Released sql socket id: 30 
[monthlyBytecounter] expand: %{sql:SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a} -> 3111228361 
rlm_sqlcounter: (Check item - counter) is less than zero 
rlm_sqlcounter: Rejected user USERNAME, check_item=1048576000, counter=3111228361 
++[monthlyBytecounter] = reject 
++? if (reject) 
? Evaluating (reject) -> TRUE 
++? if (reject) -> TRUE 
++if (reject) { 
+++update reply { 
+++} # update reply = noop 
++} # if (reject) = noop 
rlm_sqlcounter: Entering module authorize code 
rlm_sqlcounter: Could not find Check item value pair 
++[noresetBytecounter] = noop 
++? if (reject) 
? Evaluating (reject) -> FALSE 
++? if (reject) -> FALSE 
+} # group authorize = ok 
Found Auth-Type = CHAP 
# Executing group from file /etc/freeradius/sites-enabled/default 
+group CHAP { 
[chap] login attempt by "USERNAME" with CHAP password 
[chap] Using clear text password "PASSWORD" for user USERNAME authentication. 
[chap] chap user USERNAME authenticated succesfully 
++[chap] = ok 
+} # group CHAP = ok 
# Executing section post-auth from file /etc/freeradius/sites-enabled/default 
+group post-auth { 
[sql] expand: %{User-Name} -> USERNAME 
[sql] sql_set_user escaped user --> 'USERNAME' 
[sql] expand: %{User-Password} -> 
[sql] ... expanding second conditional 
[sql] expand: %{Chap-Password} -> 0xb99d22e3c7c8cef532b70f9f514eef029c 
[sql] expand: INSERT INTO radpostauth       (username, pass, reply, authdate)       VALUES (       '%{User-Name}',       '%{%{User-Password}:-%{Chap-Password}}',       '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth       (username, pass, reply, authdate)       VALUES (       'USERNAME',       '0xb99d22e3c7c8cef532b70f9f514eef029c',       'Access-Accept', '2017-08-31 10:59:03') 
[sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql 
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth       (username, pass, reply, authdate)       VALUES (       'USERNAME',       '0xb99d22e3c7c8cef532b70f9f514eef029c',       'Access-Accept', '2017-08-31 10:59:03') 
rlm_sql (sql): Reserving sql socket id: 29 
rlm_sql_mysql: query: INSERT INTO radpostauth       (username, pass, reply, authdate)       VALUES (       'USERNAME',       '0xb99d22e3c7c8cef532b70f9f514eef029c',       'Access-Accept', '2017-08-31 10:59:03') 
rlm_sql (sql): Released sql socket id: 29 
++[sql] = ok 
++[exec] = noop 
+} # group post-auth = ok 
Sending Access-Accept of id 13 to 1.2.3.4 port 46010 
    Mikrotik-Total-Limit = 1048576000 
    Reply-Message = "You have exceeded your usage limit this month." 

It seems the usage limit is being checked correctly, but somehow the reply is being set to Accept?

Sending Access-Accept of id 13 to 1.2.3.4 port 46010 
    Mikrotik-Total-Limit = 1048576000 
    Reply-Message = "You have exceeded your usage limit this month." 

The configuration for that specific part of sites-enabled/default looks like this:

monthlyBytecounter { 
     reject = 1 
} 
if (reject) { 
     update reply { 
       Reply-Message := "You have exceeded your usage limit this month." 
     } 
     reject 
} 

I am running FreeRADIUS 2.2.8 on Ubuntu 16.04 LTS. Any ideas what could be causing the problem?
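The pattern the question is after (keep the message, but actually reject), as an added example for FreeRADIUS 2.x rather than anything from the original post. It rests on two things visible in the debug output. First, the `monthlyBytecounter { reject = 1 }` override is what lets processing reach the `if (reject)` block at all: a numeric value in a module override is a priority, not a `return`, so the module's reject no longer ends the section. The price is that the section's result becomes the highest-priority code seen so far, which is why the log ends with `group authorize = ok` and the server goes on to CHAP authentication. Second, the `if (reject)` block itself finishes as `noop` in the log, so the bare `reject` inside it did not change that outcome. Setting `Auth-Type := Reject` in the control list is the 2.x way to force an Access-Reject that later modules cannot override, and Reply-Message is one of the attributes kept in an Access-Reject.

```unlang
#  sites-enabled/default, inside the "authorize" section (FreeRADIUS 2.x).
#  reject = 1 turns the module's reject into a priority instead of an
#  immediate return, so processing continues into the if block below.
monthlyBytecounter {
    reject = 1
}
if (reject) {
    update reply {
        Reply-Message := "You have exceeded your usage limit this month."
    }
    #  Because of reject = 1 the section result is no longer "reject",
    #  so force the rejection through the control list instead.
    update control {
        Auth-Type := Reject
    }
}
```

After restarting in debug mode (`freeradius -X`), the same request should show `Found Auth-Type = Reject` and finish with an Access-Reject carrying the Reply-Message, instead of the Access-Accept shown above.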

Answers

0

Maybe your monthlyBytecounter in counter.conf is faulty.

Mine is here (daily):

sqlcounter counterChilliSpotMaxTotalOctetsDaily { 
         counter-name = ChilliSpot-Max-Total-Octets-Daily 
         check-name = CS-Total-Octets-Daily 
         counter-type = data 
         reply-name = ChilliSpot-Max-Total-Octets 
         sqlmod-inst = sql 
         key = User-Name 
         reset = daily 
         query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" 
     } 

But I do define the limit CS-Total-Octets-Daily in radcheck for the specific user.
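What the daily counter in this answer actually computes, as an added example (not part of the answer) that runs the same query over a constructed radacct table in sqlite3 and applies the rlm_sqlcounter decision rule seen in the question's log: no check item gives noop, check item minus counter below zero gives reject, otherwise ok with the remaining allowance. Assumptions: the user names, rows, limits and timestamps are made up for this example; acctstarttime is stored as a unix timestamp so sqlite can stand in for MySQL's UNIX_TIMESTAMP(); and `%b` is taken as midnight UTC of the current day, which is what `reset = daily` resolves to.

```python
import sqlite3

# Constructed sample data (not from the page). Stock radacct/radcheck column
# names, but acctstarttime is a unix timestamp so sqlite can do the
# arithmetic MySQL does with UNIX_TIMESTAMP(AcctStartTime).
RADACCT_ROWS = [
    # acctuniqueid, username, acctstarttime, acctsessiontime, acctinputoctets, acctoutputoctets
    ("aa01", "alice", 1504137600, 3600, 400_000_000, 100_000_000),  # 2017-08-31 00:00 UTC, finished
    ("aa02", "alice", 1504051200, 7200, 900_000_000,  50_000_000),  # 2017-08-30, outside today's window
    ("aa03", "alice", 1504166400,    0, 400_000_000, 300_000_000),  # open session, no interim update yet
    ("bb01", "bob",   1504137600, 1800,  10_000_000,   5_000_000),
]
RADCHECK_ROWS = [
    ("alice", "CS-Total-Octets-Daily", ":=", "1048576000"),
    ("bob",   "CS-Total-Octets-Daily", ":=", "1048576000"),
]
NOW = 1504180800  # constructed "now": 2017-08-31 12:00:00 UTC

# Same shape as the daily sqlcounter query in the answer above: a session is
# charged in full when its end (start + duration) lies after the reset point %b.
USED_SQL = """SELECT IFNULL(SUM(acctinputoctets + acctoutputoctets), 0)
              FROM radacct
              WHERE username = ? AND acctstarttime + acctsessiontime > ?"""


def build_db():
    """In-memory stand-in for the radius database."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (acctuniqueid TEXT PRIMARY KEY, username TEXT,
                  acctstarttime INTEGER, acctsessiontime INTEGER,
                  acctinputoctets INTEGER, acctoutputoctets INTEGER)""")
    db.execute("CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT)")
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?)", RADACCT_ROWS)
    db.executemany("INSERT INTO radcheck VALUES (?,?,?,?)", RADCHECK_ROWS)
    return db


def reset_point_daily(now):
    """%b for reset = daily: midnight (UTC here) of the current day."""
    return now - (now % 86400)


def sqlcounter_daily(db, username, now, check_name="CS-Total-Octets-Daily"):
    """Mimic rlm_sqlcounter in authorize.

    Returns ("noop", None) when the user has no check item (the log's
    "Could not find Check item value pair"), ("reject", counter) when the
    counter exceeds the check item ("(Check item - counter) is less than
    zero"), and ("ok", remaining) otherwise, remaining being the value the
    module would put into reply-name.
    """
    row = db.execute("SELECT value FROM radcheck WHERE username = ? AND attribute = ?",
                     (username, check_name)).fetchone()
    if row is None:
        return ("noop", None)
    check_item = int(row[0])
    (counter,) = db.execute(USED_SQL, (username, reset_point_daily(now))).fetchone()
    if check_item - counter < 0:
        return ("reject", counter)
    return ("ok", check_item - counter)


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol"):
        print(user, sqlcounter_daily(db, user, NOW))
```

Two things the example makes visible about this query. A session is charged only when acctstarttime + acctsessiontime is past the reset point, so a session that began before midnight and is still open contributes nothing until an Interim-Update has raised acctsessiontime; the NAS must be sending interim accounting for the counter to track open sessions. And `reset = daily` drops yesterday's usage (aa02 above) at midnight, so a daily counter alone never enforces a monthly cap, which is why the question has a separate monthlyBytecounter.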

0

You are only returning the monthlyBytecounter reply message, not the monthlyBytecounter return value. If the usage limit is exceeded, you must return 0 (zero), or send a disconnect request like the following:

echo "User-Name='$username'" | radclient -x -c 1 -n 3 -r 3 -t 3 '127.0.0.1:3997' 'disconnect' 'testing123'

Post your own monthlyBytecounter code if this does not solve your problem.