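Freeradius 3.0.12 is not sending any data to MySQL
After upgrading from v2.x, freeradius stopped working for me. I have gone through multiple troubleshooting steps, which lead me to believe that the application is not sending any data to MySQL, even though it states that it does.
So I have found out that freeradius is supposed to send a query to the DB every time a user tries to authenticate. Several queries, actually.
To verify whether any traffic is going to the MySQL server, I ran tcpdump:
    tcpdump -i eth0 -n | grep 192.168.32.13 | grep -v ARP
After restarting the service and trying to authenticate with radius, tcpdump recorded nothing. If I run it manually, it works (so neither the connection nor the credentials are the problem).
Freeradius keeps saying that the user is not found in any group: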
    (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'naven' ORDER BY priority
    (0) sql: User not found in any groups
But the same query run directly in the database produces a result:
    MariaDB [radius]> SELECT groupname FROM radusergroup WHERE username = 'naven' ORDER BY priority;
    +-----------+
    | groupname |
    +-----------+
    | admin     |
    +-----------+
    1 row in set (0.00 sec)
Also, the INSERT query below is never saved to the database.
    (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
    (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'naven', 'XXXXXXXXXXXXXX', 'Access-Reject', '2019-10-19 16:44:03')
    (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'naven', 'XXXXXXXXXXXXXX', 'Access-Reject', '2019-10-19 16:44:03')
    mysql -u radius -pEpyGju6EogSFua4u -h 192.168.32.13
    Welcome to the MariaDB monitor. Commands end with ; or \g.
    Your MariaDB connection id is 16773
    Server version: 10.1.41-MariaDB-0+deb9u1 Debian 9.9
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    MariaDB [(none)]> SELECT groupname FROM radusergroup WHERE username = 'naven' ORDER BY priority;
    ERROR 1046 (3D000): No database selected
    MariaDB [(none)]> use radius;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A
    Database changed
    MariaDB [radius]> SELECT groupname FROM radusergroup WHERE username = 'naven' ORDER BY priority;
    +-----------+
    | groupname |
    +-----------+
    | admin     |
    +-----------+
    1 row in set (0.00 sec)
    MariaDB [radius]> select * from radpostauth;
    +----+----------+--------------------------------------+---------------+---------------------+
    | id | username | pass                                 | reply         | authdate            |
    +----+----------+--------------------------------------+---------------+---------------------+
    |  1 | naven    | XXXXXXXXXXXXXX                       | Access-Reject | 2019-10-19 15:59:45 |
    +----+----------+--------------------------------------+---------------+---------------------+
    1 row in set (0.00 sec)
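I added the radpostauth entry manually. I copied the query from some earlier logs to make sure it works. Connecting to MySQL with the method above also confirmed that my tcpdump works properly: I can see legitimate MySQL traffic between the servers.
Throughout the post, I have only edited some hostnames and the "pass" from radpostauth.
Server Fault limits my message to 30k lines, so I cannot post the whole freeradius -X log.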
    freeradius -X
    FreeRADIUS Version 3.0.12
    Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License
    For more information about these matters, see the file named COPYRIGHT
    Starting - reading configuration files ...
    including dictionary file /usr/share/freeradius/dictionary
    including dictionary file /usr/share/freeradius/dictionary.dhcp
    including dictionary file /usr/share/freeradius/dictionary.vqp
    including dictionary file /etc/freeradius/3.0/dictionary
    including configuration file /etc/freeradius/3.0/radiusd.conf
    including configuration file /etc/freeradius/3.0/proxy.conf
    including configuration file /etc/freeradius/3.0/clients.conf
    including files in directory /etc/freeradius/3.0/mods-enabled/
    including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
    including configuration file /etc/freeradius/3.0/mods-enabled/linelog
    including configuration file /etc/freeradius/3.0/mods-enabled/unix
    including configuration file /etc/freeradius/3.0/mods-enabled/expiration
    including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
    including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
    including configuration file /etc/freeradius/3.0/mods-enabled/mschap
    including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
    including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
    including configuration file /etc/freeradius/3.0/mods-enabled/detail
    including configuration file /etc/freeradius/3.0/mods-enabled/files
    including configuration file /etc/freeradius/3.0/mods-enabled/pap
    including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
    including configuration file /etc/freeradius/3.0/mods-enabled/echo
    including configuration file /etc/freeradius/3.0/mods-enabled/digest
    including configuration file /etc/freeradius/3.0/mods-enabled/logintime
    including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
    including configuration file /etc/freeradius/3.0/mods-enabled/soh
    including configuration file /etc/freeradius/3.0/mods-enabled/eap
    including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
    including configuration file /etc/freeradius/3.0/mods-enabled/replicate
    including configuration file /etc/freeradius/3.0/mods-enabled/sql
    including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
    including configuration file /etc/freeradius/3.0/mods-enabled/unpack
    including configuration file /etc/freeradius/3.0/mods-enabled/always
    including configuration file /etc/freeradius/3.0/mods-enabled/exec
    including configuration file /etc/freeradius/3.0/mods-enabled/utf8
    including configuration file /etc/freeradius/3.0/mods-enabled/expr
    including configuration file /etc/freeradius/3.0/mods-enabled/realm
    including configuration file /etc/freeradius/3.0/mods-enabled/chap
    including configuration file /etc/freeradius/3.0/mods-enabled/passwd
    including files in directory /etc/freeradius/3.0/policy.d/
    including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
    including configuration file /etc/freeradius/3.0/policy.d/debug
    including configuration file /etc/freeradius/3.0/policy.d/accounting
    including configuration file /etc/freeradius/3.0/policy.d/cui
    including configuration file /etc/freeradius/3.0/policy.d/filter
    including configuration file /etc/freeradius/3.0/policy.d/dhcp
    including configuration file /etc/freeradius/3.0/policy.d/eap
    including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
    including configuration file /etc/freeradius/3.0/policy.d/control
    including configuration file /etc/freeradius/3.0/policy.d/canonicalization
    including configuration file /etc/freeradius/3.0/policy.d/operator-name
    including files in directory /etc/freeradius/3.0/sites-enabled/
    including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
    including configuration file /etc/freeradius/3.0/sites-enabled/default
    main {
      security {
        user = "freerad"
        group = "freerad"
        allow_core_dumps = no
      }
      name = "freeradius"
      prefix = "/usr"
      localstatedir = "/var"
      logdir = "/var/log/freeradius"
      run_dir = "/var/run/freeradius"
    }
    main {
      name = "freeradius"
      prefix = "/usr"
      localstatedir = "/var"
      sbindir = "/usr/sbin"
      logdir = "/var/log/freeradius"
      run_dir = "/var/run/freeradius"
      libdir = "/usr/lib/freeradius"
      radacctdir = "/var/log/freeradius/radacct"
      hostname_lookups = no
      max_request_time = 30
      cleanup_delay = 5
      max_requests = 16384
      pidfile = "/var/run/freeradius/freeradius.pid"
      checkrad = "/usr/sbin/checkrad"
      debug_level = 0
      proxy_requests = yes
      log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
        colourise = yes
        msg_denied = "You are already logged in - access denied"
      }
      resources {
      }
      security {
        max_attributes = 200
        reject_delay = 1.000000
        status_server = yes
      }
    }
    radiusd: #### Loading Realms and Home Servers ####
    proxy server {
      retry_delay = 5
      retry_count = 3
      default_fallback = no
      dead_time = 120
      wake_all_if_all_dead = no
    }
    home_server localhost {
      ipaddr = 127.0.0.1
      port = 1812
      type = "auth"
      secret = <<< secret >>>
      response_window = 20.000000
      response_timeouts = 1
      max_outstanding = 65536
      zombie_period = 40
      status_check = "status-server"
      ping_interval = 30
      check_interval = 30
      check_timeout = 4
      num_answers_to_alive = 3
      revive_interval = 120
      limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
      }
      coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
      }
    }
    home_server_pool my_auth_failover {
      type = fail-over
      home_server = localhost
    }
    realm example.com {
      auth_pool = my_auth_failover
    }
    realm LOCAL {
    }
    radiusd: #### Loading Clients ####
    client localhost {
      ipaddr = 127.0.0.1
      require_message_authenticator = no
      secret = <<< secret >>>
      nas_type = "other"
      proto = "*"
      limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
      }
    }
    client localhost_ipv6 {
      ipv6addr = ::1
      require_message_authenticator = no
      secret = <<< secret >>>
      limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
      }
    }
    client 192.168.32.0/23 {
      ipaddr = 192.168.32.0
      netmask = 23
      require_message_authenticator = no
      secret = <<< secret >>>
      limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
      }
    }
    client 192.168.35.0/24 {
      ipaddr = 192.168.35.0
      netmask = 24
      require_message_authenticator = no
      secret = <<< secret >>>
      limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
      }
    }
    Debugger not attached
    # Creating Auth-Type = mschap
    # Creating Auth-Type = eap
    # Creating Auth-Type = PAP
    # Creating Auth-Type = CHAP
    # Creating Auth-Type = MS-CHAP
    # Creating Auth-Type = digest
    radiusd: #### Instantiating modules ####
    modules {
      # Loaded module rlm_radutmp
      # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
      radutmp {
        filename = "/var/log/freeradius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        permissions = 384
        caller_id = yes
      }
      # Loaded module rlm_linelog
      # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
      linelog {
        filename = "/var/log/freeradius/linelog"
        escape_filenames = no
        syslog_severity = "info"
        permissions = 384
        format = "This is a log message for %{User-Name}"
        reference = "messages.%{%{reply:Packet-Type}:-default}"
      }
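Can you help me solve this problem?
PS: Can you tell me how I should send the rest of the log? The log is very extensive, and comments are limited to a few hundred characters.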
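So, the installation manual does not say this: you need to change the MySQL driver in /etc/freeradius/3.0/mods-enabled/sql
Replace driver = "rlm_sql_null" with driver = "rlm_sql_mysql"
if you are using MySQL. If you need a different SQL server, there is a list in the comments above it.
If you get an error message on startup, make sure you have the freeradius-mysql package installed.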
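
A quick check for the condition this answer describes, as an added example that is not part of the original post: it reads the active (uncommented) `driver` line from an sql module file and flags `rlm_sql_null`. The function names, the sample file contents and the exit codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): detect the placeholder SQL driver.

# Print the value of the last uncommented "driver = ..." line in file $1.
active_sql_driver() {
    sed -n 's/^[[:space:]]*driver[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z0-9_]*\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1
}

# Exit status: 0 = real backend driver, 1 = rlm_sql_null, 2 = no driver line.
check_sql_driver() {
    drv=$(active_sql_driver "$1")
    case "$drv" in
        "")           echo "$1: no active driver line"; return 2 ;;
        rlm_sql_null) echo "$1: rlm_sql_null is active, no database is contacted"; return 1 ;;
        *)            echo "$1: driver is $drv"; return 0 ;;
    esac
}

# Write a constructed sample sql module file to $1 with driver $2.
make_sample() {
    cat > "$1" <<EOF
sql {
	# driver = "rlm_sql_postgresql"
	driver = "$2"
	dialect = "mysql"
	server = "192.168.32.13"
}
EOF
}

# Demo on constructed input; on a real host pass
# /etc/freeradius/3.0/mods-enabled/sql to check_sql_driver instead.
demo_file=$(mktemp)
make_sample "$demo_file" rlm_sql_null
check_sql_driver "$demo_file" || true
make_sample "$demo_file" rlm_sql_mysql
check_sql_driver "$demo_file"
rm -f "$demo_file"
```

A non-zero exit status makes the check usable in a deployment or upgrade script, so a package upgrade that resets the module file is caught before authentication starts failing.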