Good morning,
I have a freeradius 3.0 instance running to provide WPA2-Enterprise authentication on my WLAN. AD authentication using ntlm_auth works very well, but now I am trying to authenticate users who are not in AD via sql. Looking at the freeradius debug output, it seems that freeradius can authenticate against the sql server, but in a second step it tries to authenticate against ntlm_auth, which of course fails. Why doesn't the server stop after authorizing against the sql database? Can anyone help me?
(6) eap_peap: EAP-Message = 0x024a00441a024a003f315a1ec9d6d261d4863243398e6d42e7270000000000000000081f156ef53b49e3f40ad099328680b4cbe74d674a7279cc00746573747573657232
(6) eap_peap: Setting User-Name to testuser2
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x024a00441a024a003f315a1ec9d6d261d4863243398e6d42e7270000000000000000081f156ef53b49e3f40ad099328680b4cbe74d674a7279cc00746573747573657232
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "testuser2"
(6) eap_peap: State = 0xda5f2291da153815c9b3938e14e46d4e
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x024a00441a024a003f315a1ec9d6d261d4863243398e6d42e7270000000000000000081f156ef53b49e3f40ad099328680b4cbe74d674a7279cc00746573747573657232
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "testuser2"
(6) State = 0xda5f2291da153815c9b3938e14e46d4e
(6) server inner-tunnel {
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "testuser2", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 74 length 68
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) [files] = noop
(6) sql: EXPAND %{User-Name}
(6) sql: --> testuser2
(6) sql: SQL-User-Name set to 'testuser2'
rlm_sql (sql): Reserved connection (0)
(6) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(6) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser2' ORDER BY id
(6) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser2' ORDER BY id
(6) sql: User found in radcheck table
(6) sql: Conditional check items matched, merging assignment check items
(6) sql: Cleartext-Password := "test123"
(6) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(6) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser2' ORDER BY id
(6) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser2' ORDER BY id
(6) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(6) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser2' ORDER BY priority
(6) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser2' ORDER BY priority
(6) sql: User found in the group table
(6) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(6) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id
(6) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id
(6) sql: Group "dynamic": Conditional check items matched
(6) sql: Group "dynamic": Merging assignment check items
(6) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(6) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id
(6) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id
(6) sql: Group "dynamic": Merging reply items
(6) sql: Framed-Compression := Van-Jacobson-TCP-IP
(6) sql: Framed-Protocol := PPP
(6) sql: Service-Type := Framed-User
(6) sql: Acct-Interim-Interval = 60
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on wsrv01.wiesneth.local via TCP/IP, server version 5.5.57-MariaDB, protocol version 10
(6) [sql] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) pap: WARNING: Auth-Type already set. Not setting to PAP
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Expiring EAP session with state 0xda5f2291da153815
(6) eap: Finished EAP session with state 0xda5f2291da153815
(6) eap: Previous EAP request found for state 0xda5f2291da153815, released from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) eap_mschapv2: authenticate {
(6) mschap: Found Cleartext-Password, hashing to create NT-Password
(6) mschap: Found Cleartext-Password, hashing to create LM-Password
(6) mschap: Creating challenge hash with username: testuser2
(6) mschap: Client is using MS-CHAPv2
(6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(6) mschap: --> --username=testuser2
(6) mschap: Creating challenge hash with username: testuser2
(6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(6) mschap: --> --challenge=bdc871a668fce458
(6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(6) mschap: --> --nt-response=081f156ef53b49e3f40ad099328680b4cbe74d674a7279cc
(6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(6) mschap: External script failed
(6) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(6) mschap: ERROR: MS-CHAP2-Response is incorrect
(6) [mschap] = reject
(6) } # authenticate = reject
(6) eap: Sending EAP Failure (code 4) ID 74 length 4
(6) eap: Freeing handler
(6) [eap] = reject
(6) } # authenticate = reject
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) Post-Auth-Type REJECT {
(6) sql: EXPAND .query
(6) sql: --> .query
(6) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(6) sql: EXPAND %{User-Name}
(6) sql: --> testuser2
(6) sql: SQL-User-Name set to 'testuser2'
(6) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(6) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser2', '', 'Access-Reject', '2020-11-28 10:36:44')
(6) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser2', '', 'Access-Reject', '2020-11-28 10:36:44')
(6) sql: SQL query returned: success
(6) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
(6) [sql] = ok
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> testuser2
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) update outer.session-state {
(6) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: Program returned code (1) and output \'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)\''
(6) } # update outer.session-state = noop
(6) } # Post-Auth-Type REJECT = updated
(6) } # server inner-tunnel
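Added example, not part of the post and not FreeRADIUS code: a small Python triage script that walks a FreeRADIUS 3.0 debug log like the one above and flags, per request number, the pattern where rlm_sql supplied a password but rlm_mschap still shelled out to ntlm_auth and rejected. The sample log is a constructed excerpt of the post's output; the `MS-CHAP-Use-NTLM-Auth` control attribute named in the diagnosis is assumed from the FreeRADIUS 3.0 mschap module configuration, not taken from the post.

```python
"""Triage a FreeRADIUS 3.0 debug log for the pattern "SQL found a password,
but rlm_mschap still called ntlm_auth" (added example, not FreeRADIUS code)."""
import re
from typing import Dict, Optional

# Constructed excerpt of the inner-tunnel debug output shown in the post.
SAMPLE_LOG = """\
(6) Virtual server inner-tunnel received request
(6) sql: User found in radcheck table
(6) sql: Cleartext-Password := "test123"
rlm_sql (sql): Released connection (0)
(6) [sql] = ok
(6) Found Auth-Type = eap
(6) mschap: Found Cleartext-Password, hashing to create NT-Password
(6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. (0xc000006d)'
(6) [mschap] = reject
"""

# Every per-request line starts with "(<request number>) ".
REQ = re.compile(r"^\((\d+)\)\s+(.*)$")
PASSWORD_FROM_SQL = re.compile(r"^sql: (Cleartext|NT)-Password :?=")


def triage(log: str) -> Dict[int, dict]:
    """Per request: which module supplied a password, whether rlm_mschap
    executed ntlm_auth, and the rcode rlm_mschap finally returned."""
    findings: Dict[int, dict] = {}
    for line in log.splitlines():
        m = REQ.match(line)
        if not m:
            continue  # connection-pool chatter carries no request number
        rid, body = int(m.group(1)), m.group(2)
        f = findings.setdefault(
            rid, {"password_source": None, "ntlm_auth": False, "mschap_rcode": None})
        if PASSWORD_FROM_SQL.match(body):
            f["password_source"] = "sql"
        elif body.startswith("mschap: Executing: ") and "ntlm_auth" in body:
            f["ntlm_auth"] = True
        elif body.startswith("[mschap] = "):
            f["mschap_rcode"] = body.split("= ", 1)[1]
    return findings


def diagnose(f: dict) -> Optional[str]:
    """Explain the misconfiguration when a SQL-backed user was sent to ntlm_auth."""
    if f["password_source"] == "sql" and f["ntlm_auth"] and f["mschap_rcode"] == "reject":
        return ("rlm_mschap ignored the SQL-supplied password and shelled out to ntlm_auth; "
                "set control:MS-CHAP-Use-NTLM-Auth := No for SQL users (assumed attribute name)")
    return None
```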