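FreeRADIUS server does not reject users

My FreeRADIUS server should deny access to users who have exceeded their usage limit, but the server accepts them, even though the reply message saying the user has exceeded their limit is being set.

Debug log: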
rad_recv: Access-Request packet from host 1.2.3.4 port 46010, id=13, length=197
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "80:ED:2C:E5:EB:C6"
Called-Station-Id = "hotspot1"
NAS-Port-Id = "bridge"
User-Name = "USERNAME"
NAS-Port = 2151677955
Acct-Session-Id = "80400003"
Framed-IP-Address = 192.168.8.251
Mikrotik-Host-IP = 192.168.8.251
CHAP-Challenge = 0xa484e5a94500de0751545d5a69777d03
CHAP-Password = 0xb99d22e3c7c8cef532b70f9f514eef029c
Service-Type = Login-User
WISPr-Logoff-URL = "http://192.168.8.1/logout"
NAS-Identifier = "ROUTER"
NAS-IP-Address = 10.0.0.114
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] = ok
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[sql] expand: %{User-Name} -> USERNAME
[sql] sql_set_user escaped user --> 'USERNAME'
rlm_sql (sql): Reserving sql socket id: 31
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'USERNAME' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'USERNAME' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'USERNAME' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'USERNAME' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'USERNAME' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'USERNAME' ORDER BY priority
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailyBytecounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklyBytecounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = '%{User-Name}' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a'
[monthlyBytecounter] expand: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = '%{User-Name}' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a -> SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a
WARNING: Please replace '%S' with '${sqlmod-inst}'
sqlcounter_expand: '%{sql:SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a}'
[monthlyBytecounter] sql_xlat
[monthlyBytecounter] expand: %{User-Name} -> USERNAME
[monthlyBytecounter] sql_set_user escaped user --> 'USERNAME'
[monthlyBytecounter] expand: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a -> SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a
[monthlyBytecounter] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 30
rlm_sql_mysql: query: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a
[monthlyBytecounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 30
[monthlyBytecounter] expand: %{sql:SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a} -> 3111228361
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user USERNAME, check_item=1048576000, counter=3111228361
++[monthlyBytecounter] = reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++if (reject) {
+++update reply {
+++} # update reply = noop
++} # if (reject) = noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetBytecounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
+} # group authorize = ok
Found Auth-Type = CHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group CHAP {
[chap] login attempt by "USERNAME" with CHAP password
[chap] Using clear text password "PASSWORD" for user USERNAME authentication.
[chap] chap user USERNAME authenticated succesfully
++[chap] = ok
+} # group CHAP = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql] expand: %{User-Name} -> USERNAME
[sql] sql_set_user escaped user --> 'USERNAME'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} -> 0xb99d22e3c7c8cef532b70f9f514eef029c
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'USERNAME', '0xb99d22e3c7c8cef532b70f9f514eef029c', 'Access-Accept', '2017-08-31 10:59:03')
[sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'USERNAME', '0xb99d22e3c7c8cef532b70f9f514eef029c', 'Access-Accept', '2017-08-31 10:59:03')
rlm_sql (sql): Reserving sql socket id: 29
rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'USERNAME', '0xb99d22e3c7c8cef532b70f9f514eef029c', 'Access-Accept', '2017-08-31 10:59:03')
rlm_sql (sql): Released sql socket id: 29
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 13 to 1.2.3.4 port 46010
Mikrotik-Total-Limit = 1048576000
Reply-Message = "You have exceeded your usage limit this month."
So it appears that the usage limit is checked correctly, but somehow the reply is set to accept?

Sending Access-Accept of id 13 to 1.2.3.4 port 46010
Mikrotik-Total-Limit = 1048576000
Reply-Message = "You have exceeded your usage limit this month."

The relevant section of the configuration in sites-enabled/default looks like this:

    monthlyBytecounter {
        reject = 1
    }
    if (reject) {
        update reply {
            Reply-Message := "You have exceeded your usage limit this month."
        }
        reject
    }

Any ideas what could be causing the problem? I am running FreeRADIUS version 2.2.8 on Ubuntu 16.04 LTS.
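
Added example, not part of the original post: a Python check that walks FreeRADIUS debug output in the format shown above and flags every request where a module returned reject (or rlm_sqlcounter logged a rejection) yet an Access-Accept was sent. The function name `find_unenforced_rejects` and the trimmed `SAMPLE` log are constructed for illustration.

```python
import re

# Constructed sample: only the lines from the debug log above that matter here.
SAMPLE = """\
rad_recv: Access-Request packet from host 1.2.3.4 port 46010, id=13, length=197
++[sql] = ok
++[dailycounter] = noop
rlm_sqlcounter: Rejected user USERNAME, check_item=1048576000, counter=3111228361
++[monthlyBytecounter] = reject
++} # if (reject) = noop
++[noresetBytecounter] = noop
+} # group authorize = ok
++[chap] = ok
Sending Access-Accept of id 13 to 1.2.3.4 port 46010
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
MODULE = re.compile(r"^\++\[(\w+)\] = (\w+)$")   # e.g. ++[monthlyBytecounter] = reject
QUOTA = re.compile(r"^rlm_sqlcounter: Rejected user (\S+), check_item=(\d+), counter=(\d+)")
SENT = re.compile(r"^Sending (\S+) of id (\d+) to")

def find_unenforced_rejects(log_text):
    """Return one finding per request in which a reject was recorded
    during processing but the packet finally sent was an Access-Accept."""
    findings, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RECV.match(line):
            # A new request starts: reset the per-request state.
            cur = {"id": int(m.group(3)), "rejecting": [], "quota": None}
        elif cur is None:
            continue
        elif m := MODULE.match(line):
            if m.group(2) == "reject":
                cur["rejecting"].append(m.group(1))
        elif m := QUOTA.match(line):
            limit, used = int(m.group(2)), int(m.group(3))
            cur["quota"] = {"user": m.group(1), "limit": limit,
                            "used": used, "over_by": used - limit}
        elif m := SENT.match(line):
            same_request = int(m.group(2)) == cur["id"]
            if m.group(1) == "Access-Accept" and same_request and (
                    cur["rejecting"] or cur["quota"]):
                findings.append(cur)
            cur = None
    return findings

if __name__ == "__main__":
    for f in find_unenforced_rejects(SAMPLE):
        print(f"request id {f['id']}: reject from {f['rejecting']} "
              f"not enforced, quota={f['quota']}")
```
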