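I have a strange problem with pptp and freeradius on CentOS 6.4 VPSes. I have 1 VPS acting as the main freeradius server. Another 2 VPSes are used for pptp connections and authenticate against the remote freeradius. 1 VPS works fine, but the other one shows the following problem when trying to connect: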
rad_recv: Access-Request packet from host xxxxx port 49241, id=223, length=76
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "xxxxx"
Calling-Station-Id = "xxxxx"
NAS-IP-Address = xxxxx
NAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "xxxxx" for User-Name = "xxxxx"
[suffix] No such realm "xxxxx"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 172
++[files] = ok
[sql] expand: %{User-Name} -> xxxxx
[sql] sql_set_user escaped user --> 'xxxxx'
rlm_sql (sql): Reserving sql socket id: 24
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'xxxxx' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'xxxxx' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'xxxxx' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'basic' ORDER BY id
[sql] User found in group basic
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'basic' ORDER BY id
rlm_sql (sql): Released sql socket id: 24
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
+} # group authorize = ok
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> xxxxx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 223 to xxxxx port 49241
Waking up in 4.9 seconds.
Cleaning up request 7 ID 223 with timestamp +570
Ready to process requests.
Can someone point me to the right way to fix this?
Users file:
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
# by the terminal server in which case there may not be a "P" suffix.
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
Answer 1
No User-Password or CHAP-Password attribute in the request.
That is why the request fails: the request did not provide any password!
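To spot this condition across a longer debug capture, the following added example (not part of the original answer and not FreeRADIUS code) parses `radiusd -X` output and lists the Access-Request packets that carry no credential attribute at all. The function names, hosts and user names are assumptions made up for the example, and the sample log is constructed.

```python
import re

# Attributes that carry a credential in an Access-Request (FreeRADIUS dictionary names).
CREDENTIAL_ATTRS = {"User-Password", "CHAP-Password", "MS-CHAP-Response",
                    "MS-CHAP2-Response", "EAP-Message"}
HEADER = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"^\s*([A-Za-z][\w-]*) = (.*)$")


def parse_requests(debug_text):
    """Return one dict per Access-Request found in the debug output."""
    requests, current = [], None
    for line in debug_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"host": m.group(1), "id": int(m.group(2)), "attrs": {}}
            requests.append(current)
            continue
        a = ATTR.match(line) if current is not None else None
        if a:
            current["attrs"][a.group(1)] = a.group(2).strip('"')
        else:
            current = None  # first non-attribute line ends the packet dump
    return requests


def missing_credentials(requests):
    """Requests that contain none of the credential attributes."""
    return [r for r in requests if not CREDENTIAL_ATTRS & r["attrs"].keys()]


# Constructed sample: id 223 mirrors the failing request, id 224 is an MS-CHAPv2 login.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 49241, id=223, length=76
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "alice"
# Executing section authorize from file /etc/raddb/sites-enabled/default
rad_recv: Access-Request packet from host 192.0.2.11 port 50112, id=224, length=140
    User-Name = "bob"
    MS-CHAP-Challenge = 0x00
    MS-CHAP2-Response = 0x00
# Executing section authorize from file /etc/raddb/sites-enabled/default
"""

if __name__ == "__main__":
    for r in missing_credentials(parse_requests(SAMPLE)):
        print(f"id={r['id']} from {r['host']}: no credential attribute, check the NAS")
```

A request flagged here was sent by the NAS without a password, so the fix belongs on the pptp/RADIUS client side of that VPS rather than in the server's users file.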