Bonjour à tous,
J’utilise freeradius avec mon AP wifi et tout fonctionne bien.
La configuration est simple et les utilisateurs se trouvent dans le fichier users.
Dans le cadre d’une refonte de la partie authentification j’ai décidé de mettre les utilisateurs dans une base mysql afin que cela soit plus propre et je rencontre des soucis.
Impossible de m’y connecter et je ne trouve pas le pourquoi du comment.
Voila ma conf:
radiusd.conf
prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = no } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf $INCLUDE sql.conf } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/
eap.conf:
eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 4096 tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/radius/radius_priv.key certificate_file = ${certdir}/radius/radius.certificate CA_file = ${certdir}/radius/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom CA_path = ${cadir} cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" ecdh_curve = "prime256v1" cache { enable = no max_entries = 255 } } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } }
sites-available /remy:
`authorize {
preprocess
chap
suffix
sql
expiration
logintime
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
eap
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
detail
radutmp
sql
}
`
debug de la commande Freeradius -X lors d’une tentative d’authentification:
rad_recv: Access-Request packet from host 192.168.5.10 port 3079, id=223, length=126 User-Name = "rem" NAS-IP-Address = 192.168.3.10 NAS-Identifier = "RalinkAP0" NAS-Port = 0 Called-Station-Id = "00-14-D1-9D-0F-10" Calling-Station-Id = "C0-EE-FB-D0-83-DA" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100080172656d Message-Authenticator = 0xccc0b32d0d4a2c889dc59355d4a92ce0 Executing section authorize from file /etc/freeradius/sites-enabled/remy +group authorize { ++[preprocess] = ok ++[chap] = noop [suffix] No '@' in User-Name = "rem", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [sql] expand: %{User-Name} -> rem [sql] sql_set_user escaped user --> 'rem' rlm_sql (sql): Reserving sql socket id: 30 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rem' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rem' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'rem' ORDER BY priority rlm_sql (sql): Released sql socket id: 30 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop +} # group authorize = ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No User-Password or CHAP-Password attribute in the request. Cannot perform authentication. Failed to authenticate the user. Login incorrect: [rem/<no User-Password attribute>] (from client ap_wifi port 0 cli C0-EE-FB-D0-83-DA) Using Post-Auth-Type REJECT
Je ne sais pas pourquoi j’ai ce message d’erreur.
J’ai bien un utilisateur dans ma bdd pourtant :
Je dois me louper sur quelque chose mais je ne trouve pas. J’aurais besoin de votre aide.
Merci d’avance et n’hésitez pas si vous avez besoin de plus d’infos.
Merci d’avance.
