Versions Compared

Old Version 9

changes.mady.by.user Anton Vinokurov

Saved on

compared with

New Version 10

changes.mady.by.user Anton Vinokurov

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

После завершения настройки pfSence необходимо создать сервер доступа в конфигурации WNAM, указав соответствующий тип, и внешний (WAN) адрес pfSense. Пароль не нужен.

Внимание! Если у вас используются пересекающиеся IP-подсети, необходимо модифицировать под pfSense (первый раз, и каждый раз после обновления) для включения возможности передачи в RADIUS-пакетах идентификатора площадки.

Допустим, площадка оказания услуги имеет номер 9.

Зайдите в интерфейс командной строки и установите редактор:
pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/nano-2.4.3.txz

Затем необходимо отредактировать файлы:

[2.3.2-RELEASE][admin@pfsense.k18.netams.com]/etc/inc: nano /usr/local/captiveportal/radius_authentication.inc

// Extra data to identify the client and nas
$rauth->putAttribute(RADIUS_FRAMED_IP_ADDRESS, $clientip, addr);
$rauth->putAttribute(RADIUS_CALLED_STATION_ID, $calledstationid);
$rauth->putAttribute(RADIUS_CALLING_STATION_ID, $callingstationid);
$rauth->putVendorAttribute(14122, 1, "9");

// Send request
$result = $rauth->send();

и далее:
[2.3.2-RELEASE][admin@pfsense.k18.netams.com]/etc/inc: nano /usr/local/captiveportal/radius_accounting.inc
$racct->putAttribute(RADIUS_FRAMED_IP_ADDRESS, $clientip, "addr");
$racct->putAttribute(RADIUS_CALLED_STATION_ID, $calledstationid);
$racct->putAttribute(RADIUS_CALLING_STATION_ID, $callingstationid);
$racct->putVendorAttribute(14122, 1, "9");

// Send request
$result = $racct->send();

// Evaluation of the response

После сохранения при попытке авторизации в лог-файле RADIUS-сервера получится:

rad_recv: Access-Request packet from host 172.16.130.4 port 40167, id=96, length=138
NAS-IP-Address = 172.16.130.4
NAS-Identifier = "pfsense"
User-Name = "4C:57:CA:2C:0F:4C"
User-Password = "password"
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 2042
Framed-IP-Address = 172.16.70.48
Called-Station-Id = "172.16.130.4"
Calling-Station-Id = "4c:57:ca:2c:0f:4c"
WISPr-Location-ID = "9"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
++[chap] = noop
rlm_perl: WNAM Q: AUTH NAS-Port-Type=Ethernet Called-Station-Id=172.16.130.4 NAS-IP-Address=172.16.130.4 Calling-Station-Id=4c:57:ca:2c:0f:4c Framed-IP-Address=172.16.70.48 NAS-Identifier=pfsense User-Name=4C:57:CA:2C:0F:4C User-Password=password Service-Type=Login-User WISPr-Location-ID=9 NAS-Port=2042
rlm_perl: RECV: IO::Socket::INET=GLOB(0x1456770)
rlm_perl: WNAM A: OK Acct-Interim-Interval=300 Session-Timeout=300 (48)
rlm_perl: authorize reply: .OK.
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Called-Station-Id = 172.16.130.4
rlm_perl: Added pair NAS-IP-Address = 172.16.130.4
rlm_perl: Added pair Calling-Station-Id = 4c:57:ca:2c:0f:4c
rlm_perl: Added pair Framed-IP-Address = 172.16.70.48
rlm_perl: Added pair NAS-Identifier = pfsense
rlm_perl: Added pair User-Name = 4C:57:CA:2C:0F:4C
rlm_perl: Added pair User-Password = password
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair WISPr-Location-ID = 9
rlm_perl: Added pair NAS-Port = 2042
rlm_perl: Added pair Acct-Interim-Interval = 300
rlm_perl: Added pair Session-Timeout = 300
rlm_perl: Added pair Cleartext-Password = password
rlm_perl: Added pair Auth-Type = PAP
++[perl] = ok
+} # group authorize = ok
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group PAP {
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
Sending Access-Accept of id 96 to 172.16.130.4 port 40167
Acct-Interim-Interval += 300
Session-Timeout += 300
Finished request 36.
Going to the next request
Waking up in 4.9 seconds.
 


rad_recv: Accounting-Request packet from host 172.16.130.4 port 64326, id=19, length=159
NAS-IP-Address = 172.16.130.4
NAS-Identifier = "pfsense"
User-Name = "4C:57:CA:2C:0F:4C"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
NAS-IP-Address = 172.16.130.4
NAS-Identifier = "pfsense"
NAS-Port-Type = Ethernet
NAS-Port = 2042
Acct-Session-Id = "214606a2575e53cd"
Framed-IP-Address = 172.16.70.48
Called-Station-Id = "172.16.130.4"
Calling-Station-Id = "4c:57:ca:2c:0f:4c"
WISPr-Location-ID = "9"
# Executing section preacct from file /etc/freeradius/sites-enabled/default
+group preacct {
++[preprocess] = ok
[acct_unique] Hashing 'NAS-Port = 2042,NAS-Identifier = "pfsense",NAS-IP-Address = 172.16.130.4,Acct-Session-Id = "214606a2575e53cd",User-Name = "4C:57:CA:2C:0F:4C"'
[acct_unique] Acct-Unique-Session-ID = "5e89ff48449fd085".
++[acct_unique] = ok
+} # group preacct = ok
# Executing section accounting from file /etc/freeradius/sites-enabled/default
+group accounting {
[detail] expand: %{Packet-Src-IP-Address} -> 172.16.130.4
[detail] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/freeradius/radacct/172.16.130.4/detail-20170209
[detail] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.130.4/detail-20170209
[detail] expand: %t -> Thu Feb 9 19:51:29 2017
++[detail] = ok
[radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
[radutmp] expand: %{User-Name} -> 4C:57:CA:2C:0F:4C
++[radutmp] = ok
rlm_perl: WNAM Q: ACCT NAS-Port-Type=Ethernet Called-Station-Id=172.16.130.4 Acct-Session-Id=214606a2575e53cd Acct-Status-Type=Start NAS-IP-Address=172.16.130.4 Calling-Station-Id=4c:57:ca:2c:0f:4c Framed-IP-Address=172.16.70.48 NAS-Identifier=pfsense Acct-Authentic=RADIUS User-Name=4C:57:CA:2C:0F:4C WISPr-Location-ID=9 NAS-Port=2042 Acct-Unique-Session-Id=5e89ff48449fd085
rlm_perl: RECV: IO::Socket::INET=GLOB(0x1456770)
rlm_perl: WNAM A: OK (2)
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Called-Station-Id = 172.16.130.4
rlm_perl: Added pair Acct-Session-Id = 214606a2575e53cd
rlm_perl: Added pair Acct-Status-Type = Start
rlm_perl: Added pair NAS-IP-Address = 172.16.130.4
rlm_perl: Added pair NAS-IP-Address = 172.16.130.4
rlm_perl: Added pair Calling-Station-Id = 4c:57:ca:2c:0f:4c
rlm_perl: Added pair Framed-IP-Address = 172.16.70.48
rlm_perl: Added pair NAS-Identifier = pfsense
rlm_perl: Added pair NAS-Identifier = pfsense
rlm_perl: Added pair Acct-Authentic = RADIUS
rlm_perl: Added pair User-Name = 4C:57:CA:2C:0F:4C
rlm_perl: Added pair WISPr-Location-ID = 9
rlm_perl: Added pair NAS-Port = 2042
rlm_perl: Added pair Acct-Unique-Session-Id = 5e89ff48449fd085
++[perl] = ok
[attr_filter.accounting_response] expand: %{User-Name} -> 4C:57:CA:2C:0F:4C
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
+} # group accounting = updated
Sending Accounting-Response of id 19 to 172.16.130.4 port 64326
Finished request 37.
Cleaning up request 37 ID 19 with timestamp +1486
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 36 ID 96 with timestamp +1486
Ready to process requests.