freeradius - Mikrotik -PPPoE nepripoji

[zvukarmiso]

Ahojte
Snazime sa spustit freeradius ale nejak nám to nejde (chceme prehodit ludi ktorý maju PPPoE na radius),
konfiguracia radiusu vyzera byt ok

root@radiusServer1:/etc/freeradius/3.0/mods-available# radtest Fi_V Filip159 localhost 0 testing123
Sent Access-Request Id 210 from 0.0.0.5228 to 127.0.0.1:1812 length 78
User-Name = "Fi_V"
User-Password = "Filip159"
NAS-IP-Address = 192.168.102.16
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "Filip159"
Received Access-Accept Id 210 from 127.0.0.1:1812 to 0.0.0.0:0 length 56
Framed-IP-Address = 10.200.0.2
Framed-IP-Netmask = 255.255.255.255
MS-Primary-DNS-Server = 192.168.101.250
MS-Secondary-DNS-Server = 8.8.8.8

Ked sa pozriem na nastavenie radiusu tak stale tam nevidim parameter accepts nabiehat, je tam 0 (zaha je aj to že rejects je tiez nula)
prikladam nastavenie MK

00:29:25 pppoe,info PPPoE connection established from B8:69:F4:A3:2F:0A
00:29:31 pppoe,ppp,error <1cf6>: user MojTest authentication failed - radius timeout
00:29:41 pppoe,info PPPoE connection established from B8:69:F4:A3:2F:0A
00:29:45 pppoe,info PPPoE connection established from B0:4E:26:80:97:EB
00:30:21 pppoe,info PPPoE connection established from B8:69:F4:A3:2F:0A
00:30:48 pppoe,ppp,error <1cf8>: user Fi_V authentication failed - radius timeout
00:30:48 pppoe,ppp,error <1cf9>: user MojTest authentication failed - radius timeout

takto to mam nastavene

/radius
add address=192.168.102.16 secret=M#pokus> service=ppp src-address=10.200.0.1 timeout=2s

/radius incoming
set accept=yes

/ppp profileadd change-tcp-mss=yes local-address=10.200.0.1 name=PPPoEprofil use-compression=no use-encryption=no use-mpls=no/ppp aaaset interim-update=5m use-radius=yes
/interface pppoe-server serveradd default-profile=PPPoEprofil disabled=no interface=ether10 max-mru=1492 max-mtu=1492 mrru=1600 service-name=PPPoEserver

Viete mi poradit kde robim chybu ?
Ďakujem
Michal

[pgb]

koukni se do logů na tom freeradiusu a uvidíš hned, jestli tam ten požadavek došel, jestli byl nas akceptovaný, pokud ti píše radius timeout, tak jestli naslouchá na té správné ip .... jestli je dobře heslo od nasu .....

[zvukarmiso]

podla logov:

Mon Apr 8 13:03:55 2019 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 10.200.0.1 port 60354 proto udp
Mon Apr 8 13:03:57 2019 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 10.200.0.1 port 60354 proto udp
Mon Apr 8 13:05:10 2019 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 10.200.0.1 port 55311 proto udp

V connections tam to vidim ze sa snazi pripojit ale proste spojenie sa nenadviaže.

[pgb]

Pust si freeradius v debugovacim režimu. Jinak to co jsi poslal vypadá, že freeradius neakceptuje data z mk. Adresa mk (radius klienta 10.200.0.1) musí být v konfiguraci freeradiusu povolena jako nas. Teprve pak bude dávat klientské IP. To co jsi poslal je trochu divoké. Rozepiš více konfiguraci mk a cobfig z freeradiusu.

[zvukarmiso]

Konfig MK je tu

# model = 2011iLS
# serial number = 71D506083D1A
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ppp profile
add change-tcp-mss=yes local-address=10.200.0.1 name=PPPoEprofil use-compression=no use-encryption=no use-mpls=no
/ip firewall connection tracking
set enabled=yes
/interface pppoe-server server
add default-profile=PPPoEprofil disabled=no interface=ether10 max-mru=1492 max-mtu=1492 mrru=1600 service-name=PPPoEserver
/ip address
add address=192.168.100.106/30 interface=ether6 network=192.168.100.104
add address=10.200.0.1/24 interface=ether10 network=10.200.0.0
/ip route
add distance=1 gateway=192.168.100.105
/ip ssh
set allow-none-crypto=yes
/ppp aaa
set interim-update=5m use-radius=yes
/radius
add address=192.168.102.16 secret=M#pokus> service=ppp src-address=10.200.0.1 timeout=2s
/radius incoming
set accept=yes
/system identity
set name=Test_Radius

V prílohe je freeradius

radius_debug.txt

(33.56 KiB) Staženo 84 x

Prikladam log po restarte freeradius

Mon Apr 8 15:13:53 2019 : Info: Signalled to terminate
Mon Apr 8 15:13:53 2019 : Info: Exiting normally
Mon Apr 8 15:13:53 2019 : Info: rlm_sql (sql): Closing connection (7)
Mon Apr 8 15:13:53 2019 : Info: rlm_sql (sql): Closing connection (6)
Mon Apr 8 15:13:58 2019 : Info: Debugger not attached
Mon Apr 8 15:13:58 2019 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Mon Apr 8 15:13:58 2019 : Info: rlm_sql_mysql: libmysql version: 10.1.37-MariaDB
Mon Apr 8 15:13:58 2019 : Info: rlm_sql (sql): Attempting to connect to database "radius"
Mon Apr 8 15:13:58 2019 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
Mon Apr 8 15:13:58 2019 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
Mon Apr 8 15:13:58 2019 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
Mon Apr 8 15:13:58 2019 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
Mon Apr 8 15:13:58 2019 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
Mon Apr 8 15:13:58 2019 : Info: rlm_sql (sql): Need 5 more connections to reach 10 spares
Mon Apr 8 15:13:58 2019 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
Mon Apr 8 15:13:58 2019 : Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Mon Apr 8 15:13:58 2019 : Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Mon Apr 8 15:13:58 2019 : Info: Loaded virtual server <default>
Mon Apr 8 15:13:58 2019 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
Mon Apr 8 15:13:58 2019 : Info: Loaded virtual server default
Mon Apr 8 15:13:58 2019 : Info: Loaded virtual server inner-tunnel
Mon Apr 8 15:13:58 2019 : Info: Ready to process requests
Mon Apr 8 15:13:59 2019 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 10.200.0.1 port 47188 proto udp
Mon Apr 8 15:14:01 2019 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 10.200.0.1 port 47188 proto udp
Mon Apr 8 15:14:03 2019 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 10.200.0.1 port 47188 proto udp
Mon Apr 8 15:14:15 2019 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 10.200.0.1 port 55665 proto udp
Mon Apr 8 15:14:17 2019 : Error: Ignoring request to auth address * port 1812 bound to server default from unknown client 10.200.0.1 port 55665 proto udp

[zvukarmiso]

Este prikladam koniec vypisu ked zastavim servis freeradius

radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 57461
Listening on proxy address :: port 50740
Ready to process requests
Ignoring request to auth address * port 1812 bound to server default from unknown client 10.200.0.1 port 58814 proto udp

[pgb]

tak znovu, odpověď se nemění, posíláš data z NAS 10.200.0.1 na server s freeradius 192.168.102.16, který ti říká, že NEMÁŠ V KONFIGURACI ZAPSANÉHO KLIENTA 10.200.0.1.

Pro ujasnění
1. máš server s freeradius který pokud bere data z sql nebo konfigu tak musí mít "povoleného/přidaného" klienta, který se může dotazovat (buď v konfigu nebo v sql => pozor, dle dokumentace se načítá tento údaj pouze při restartu freeradius)

Kód: Vybrat vše

insert into nas (nasname,shortname,secret) values ("10.200.0.1","MIKROTIK","123456");

2. mk jakožto nas (network access server) přistupuje k freeradius a získává od něho informace, jak mají být nastaveni klienti

Kód: Vybrat vše

insert into radcheck (username,attribute,op,value) values ("Franta","Cleartext-Password",":=","1234");
insert into radreply (username,attribute,value) values ("Franta","Framed-IP-Address","192.168.30.1");

3. mk připojí klienta s parametry získanými z radiusu

[zvukarmiso]

DAKUJEM
Funguje to,
Problém co som si neuvedomil je v tom ze ta IP je localna a chyba mi tam natovacie pravidlo.