FreeRADIUS: included users file is not read correctly after a certain point

Question (votes: 1, answers: 1)

I have a strange situation. When I provide users in an included file, all passwords after a certain point in that file seem to be "ignored".

Setup:
- Default configuration with minimal changes (only clients.conf and users)
- The users configuration file includes a third file ($INCLUDE /etc/raddb/users-pppoe)
- The third file contains all the user information

This is what I found out / the facts:
- The users file is generated by a bash script
- The configuration check says everything is fine
- The first 17 users work correctly (or: about 190 lines, or: about 6800 bytes/characters)
- For the users after that, the radius daemon gives the error: FAILED: No NT/LM-Password.
- These new users do have the required Cleartext-Password option
- When I move the new users to the top of the file, they work correctly
- (My temporary solution) I split the file into four and include each of them separately. Now everything works!
- The split is done by the same bash script that generates the file itself, so if anything were wrong (e.g. bad hidden characters), it should also be present in these new files.

Of course I would like to know what is causing this, but mainly I will run into trouble when the number of users grows. In the end I will have approx. 200 users that will not change much, so running an SQL server is quite overkill. Basically this is an acceptable workaround, but the problem needs to be solved. If anyone has an idea, please let me know.

Thanks everyone!

/etc/raddb/users-pppoe (example entry):

user-00000005   Cleartext-Password := "oHs0sECre7"
                Service-Type = Framed-User,
                Framed-Protocol = PPP,
                Framed-IP-Address = 10.0.0.5,
                Framed-Route = 172.14.5.0/24,
                Framed-Routing = Broadcast-Listen,
                Framed-Filter-Id = "std.ppp",
                Framed-MTU = 1500,
                Rate-Limit = "20M",
                Framed-Compression = Van-Jacobson-TCP-IP

radiusd -X

FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
[...]
(0) Received Access-Request Id 40 from 192.168.0.10:56726 to 192.168.0.235:1812 length 209
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   NAS-Port = 15729311
(0)   NAS-Port-Type = Ethernet
(0)   User-Name = "user-00000005"
(0)   Calling-Station-Id = "XX:XX:XX:XX:XX:XX"
(0)   Called-Station-Id = "XXXXX"
(0)   NAS-Port-Id = "XXXXXXXX"
(0)   MS-CHAP-Challenge = 0x3a9fbb09c454698c577ecda8de0a6c5e
(0)   MS-CHAP2-Response = 0x01000c96d60e85b8b37cfe9da70ab58f7f50000000000000000039177e3ff8b31533f8fe81dd126a5b553e4a9e76474b0757
(0)   NAS-Identifier = "HOSTxxxx"
(0)   NAS-IP-Address = 192.168.0.10
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (!&User-Name) {
(0)       if (!&User-Name)  -> FALSE
(0)       if (&User-Name =~ / /) {
(0)       if (&User-Name =~ / /)  -> FALSE
(0)       if (&User-Name =~ /@.*@/ ) {
(0)       if (&User-Name =~ /@.*@/ )  -> FALSE
(0)       if (&User-Name =~ /\\.\\./ ) {
(0)       if (&User-Name =~ /\\.\\./ )  -> FALSE
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  {
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)       if (&User-Name =~ /\\.$/)  {
(0)       if (&User-Name =~ /\\.$/)   -> FALSE
(0)       if (&User-Name =~ /@\\./)  {
(0)       if (&User-Name =~ /@\\./)   -> FALSE
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "user-00000005", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 187
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = MS-CHAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Auth-Type MS-CHAP {
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(0) mschap: Creating challenge hash with username: user-00000005
(0) mschap: Client is using MS-CHAPv2
(0) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # Auth-Type MS-CHAP = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> user-00000005
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
(0) (0) Discarding duplicate request from client HOSTxxxx port 56726 - ID: 40 due to delayed response
Waking up in 0.6 seconds.
(0) (0) Discarding duplicate request from client HOSTxxxx port 56726 - ID: 40 due to delayed response
Waking up in 0.4 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 40 from 192.168.0.235:1812 to 192.168.0.10:56726 length 101
(0)   MS-CHAP-Error = "\001E=691 R=1 C=ab1fa89cc9439fe9c076aebb6a5e2532 V=3 M=Authentication failed"
Waking up in 3.9 seconds.
Tags: freeradius, radius

1 Answer

0 votes

I had a similar problem, and after some testing it looks like the included configuration file is parsed "at the same time" as the including one.

I have something like this in the included file:

ONT_TEST Cleartext-Password := "...", Service-Type := Framed-User
    Framed-IP-Address := ...,
    MS-Primary-DNS-Server := 8.8.4.4,
    MS-Secondary-DNS-Server := 8.8.8.8,
    Fall-Through = Yes

and in mods-config/files/authorize around line 240:

DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

Now the strange part:
- If the "ONT_TEST" line (in the included file) is above line 240, it works,
- If the "ONT_TEST" line is below line 240 (it can even be one line before the "Enters"), it does not work; FreeRadius matches the "DEFAULT" in the "authorize" file,
- If I move the "DEFAULT" line lower, I can use a longer file.

Ferrerdsa.0.13-9.alhkh.X86_64

I will file a bug report later; for now I have a workaround (I do not need the "DEFAULT" line, so I have commented it out).
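The question and the answer above describe the same symptom from two angles: a user entry in an $INCLUDE'd file is skipped once its line number passes that of a DEFAULT entry in the including file (line 187 in the question's debug output, around line 240 in the answer). The following Python script is an added example, not code from either poster or from the FreeRADIUS project. It models one mechanism that would produce exactly this behaviour, and that model is an assumption: that the files module considers a user's own entries together with the DEFAULT entries in order of each entry's line number, and that an included file numbers its lines from 1, so an included entry at line 188 sorts after a DEFAULT at line 187 of the main file. The users-file parser covers only the syntax used in the two posts, and the sample files are constructed (comment padding places the stock `DEFAULT Framed-Protocol == PPP` entry on line 187, and the users-pppoe entries copy the shape of the question's example).

```python
"""Model of FreeRADIUS users-file entry selection (added example; assumption:
user and DEFAULT entries are merged by their own file's line number, and an
$INCLUDE'd file starts counting at line 1)."""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    name: str            # user name or "DEFAULT"
    lineno: int          # line number within the file the entry came from
    source: str          # file name, for reporting only
    check: dict          # check items: attr -> (op, value); ":=" items are control items
    reply: dict          # reply items: attr -> value
    fall_through: bool   # "Fall-Through = Yes" lets matching continue past this entry


ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|!=|=)\s*(.*?)\s*$')


def parse_items(text):
    """Parse 'Attr op value, Attr op value' into {attr: (op, value)}."""
    items = {}
    for piece in text.split(','):
        m = ITEM_RE.match(piece)
        if m:
            items[m.group(1)] = (m.group(2), m.group(3).strip('"'))
    return items


def parse_users(text, source):
    """Parse one users file into entries. $INCLUDE lines are skipped: each file
    is parsed separately because the model needs per-file line numbers."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#') or line.startswith('$INCLUDE'):
            continue
        if line[0].isspace():                       # continuation line: reply items
            if not entries:
                raise ValueError(f'{source}:{lineno}: reply item before any entry')
            e = entries[-1]
            for attr, (op, value) in parse_items(line).items():
                if attr == 'Fall-Through':
                    e.fall_through = value.lower() == 'yes'
                else:
                    e.reply[attr] = value
        else:                                       # header line: name + check items
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ''
            entries.append(Entry(parts[0], lineno, source, parse_items(rest), {}, False))
    return entries


def select_entries(files, username, request):
    """Model one lookup: gather the user's own entries and every DEFAULT from all
    files, order them by line number (the assumption), take the first whose '=='
    checks match the request, and keep going only while Fall-Through is set.
    Returns (matched entries, control items such as Cleartext-Password)."""
    candidates = [e for entries in files for e in entries if e.name in (username, 'DEFAULT')]
    candidates.sort(key=lambda e: e.lineno)         # stable: main file wins ties
    matched, control = [], {}
    for e in candidates:
        comparisons = {a: v for a, (op, v) in e.check.items() if op == '=='}
        if any(request.get(a) != v for a, v in comparisons.items()):
            continue
        matched.append(e)
        control.update({a: v for a, (op, v) in e.check.items() if op == ':='})
        if not e.fall_through:
            break
    return matched, control


def shadowed_users(main_entries, included_entries):
    """Check a generated include file: under the model, included users whose line
    number is not below the first non-Fall-Through DEFAULT of the main file are
    never reached when that DEFAULT's checks match the request."""
    blockers = [e for e in main_entries if e.name == 'DEFAULT' and not e.fall_through]
    if not blockers:
        return []
    limit = min(e.lineno for e in blockers)
    return [e.name for e in included_entries if e.name != 'DEFAULT' and e.lineno >= limit]


def make_pppoe_file(count):
    """Constructed users-pppoe in the shape of the question's entry: 10 lines plus
    one blank line per user, so user n starts on line 11*(n-1)+1."""
    return ''.join(
        f'user-{n:08d}   Cleartext-Password := "pw{n}"\n'
        f'                Service-Type = Framed-User,\n'
        f'                Framed-Protocol = PPP,\n'
        f'                Framed-IP-Address = 10.0.0.{n},\n'
        f'                Framed-Route = 172.14.{n}.0/24,\n'
        f'                Framed-Routing = Broadcast-Listen,\n'
        f'                Framed-Filter-Id = "std.ppp",\n'
        f'                Framed-MTU = 1500,\n'
        f'                Rate-Limit = "20M",\n'
        f'                Framed-Compression = Van-Jacobson-TCP-IP\n\n'
        for n in range(1, count + 1))


# Constructed stand-in for /etc/raddb/users: padding puts the stock PPP DEFAULT
# entry on line 187, the line reported in the question's debug output.
MAIN_USERS = ('# padding\n' * 186
              + 'DEFAULT\tFramed-Protocol == PPP\n'
              + '\tFramed-Protocol = PPP,\n'
              + '\tFramed-Compression = Van-Jacobson-TCP-IP\n'
              + '$INCLUDE /etc/raddb/users-pppoe\n')
MAIN = parse_users(MAIN_USERS, 'users')
PPPOE = parse_users(make_pppoe_file(20), 'users-pppoe')


def lookup(username):
    """Run the model for an MS-CHAP PPP request like the one in the question.
    Returns (winning entry, whether a 'known good' password was collected)."""
    request = {'User-Name': username, 'Framed-Protocol': 'PPP', 'Service-Type': 'Framed-User'}
    matched, control = select_entries([MAIN, PPPOE], username, request)
    winner = f'{matched[0].name} ({matched[0].source}:{matched[0].lineno})' if matched else 'no match'
    return winner, 'Cleartext-Password' in control


if __name__ == '__main__':
    for user in ('user-00000017', 'user-00000018'):
        print(user, '->', lookup(user))
    print('shadowed by DEFAULT at line 187:', shadowed_users(MAIN, PPPOE))
```

Under this model user-00000017 (line 177 of the include) is matched by its own entry and a Cleartext-Password is collected, while user-00000018 (line 188) loses to the DEFAULT on line 187, which has no Fall-Through, so the lookup ends without a password and mschap reports "No NT/LM-Password", exactly as in the debug output. The same model explains the two workarounds in the thread: splitting the include into files short enough that every entry's line number stays below the DEFAULT, or commenting the DEFAULT out. `shadowed_users` is the check to run over a generated include file before deploying it.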
