I have an ATEN KN2124VA KVM and a configured FreeRADIUS. The task is to let domain users onto the KVM. The user authenticates through RADIUS and receives an Access-Accept, but the KVM, in turn, does not let the user into its interface.
RADIUS log:
(1) Received Access-Request Id 94 from 10.0.0.101:1812 to 10.0.0.88:1812 length 56
(1) User-Name = "test_user"
(1) CHAP-Password = 0x5e7ca0dc5deb59ef6159aaae743c5abf4
(1) NAS-IP-Address = 10.0.0.88
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/freeradius/radacct/10.0.0.101/auth-detail-20210118
(1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.0.101/auth-detail-20210118
(1) auth_log: EXPAND %t
(1) auth_log: --> Mon Jan 18 16:33:55 2021
(1) [auth_log] = ok
(1) chap: &control:Auth-Type := CHAP
(1) [chap] = ok
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test_user", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry test_user at line 1
(1) [files] = ok
(1) sql: EXPAND %{User-Name}
(1) sql: --> test_user
(1) sql: SQL-User-Name set to 'test_user'
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 1540 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 1540 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 1540 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 1540 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 1534 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 1534 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 1534 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (7), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.25-MariaDB-0+deb10u1, protocol version 10
rlm_sql (sql): Reserved connection (7)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test_user' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test_user' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test_user' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test_user' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (7)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (8), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.25-MariaDB-0+deb10u1, protocol version 10
(1) [sql] = notfound
(1) [expiration] = noop
(1) [logintime] = noop
(1) policy ntlm_auth.authorize {
(1) if (!control:Auth-Type && User-Password) {
(1) if (!control:Auth-Type && User-Password) -> FALSE
(1) } # policy ntlm_auth.authorize = ok
(1) } # authorize = ok
(1) Found Auth-Type = CHAP
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Auth-Type CHAP {
(1) chap: Comparing with "known good" Cleartext-Password
(1) chap: CHAP user "test_user" authenticated successfully
(1) [chap] = ok
(1) } # Auth-Type CHAP = ok
(1) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(1) post-auth {
(1) update {
(1) No attributes updated
(1) } # update = noop
(1) sql: EXPAND .query
(1) sql: --> .query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (7)
(1) sql: EXPAND %{User-Name}
(1) sql: --> test_user
(1) sql: SQL-User-Name set to 'test_user'
(1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(1) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test_user', '0x5e7ca0dc5deb59ef6159aaae743c5abf4', 'Access-Accept', '2021-01-18 16:33:55')
(1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test_user', '0x5e7ca0dc5deb59ef6159aaae743c5abf4', 'Access-Accept', '2021-01-18 16:33:55')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (7)
(1) [sql] = ok
(1) [exec] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # post-auth = ok
(1) Sent Access-Accept Id 94 from 10.0.0.88:1812 to 10.0.0.101:1812 length 0
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 94 with timestamp +1540
Ready to process requests
The user tries to log in (web output):
Invalid Username or Password. Please try again.
At the same time, in the KVM interface:
OP: User test_user from 10.0.0.163 (10-BF-48-19-A4-DF) attempting to login via browser.
After 2-3 minutes of idle time, in the same place:
OP: Session of user test_user (10.0.0.163 10-BF-48-19-A4-DF) has expired.
Output of /var/log/freeradius/radacct/:
Mon Jan 18 16:33:55 2021
Packet-Type = Access-Request
User-Name = "test_user"
CHAP-Password = 0x5e7ca0dc5deb59ef6159aaae743c5abf4
NAS-IP-Address = 10.0.0.88
Event-Timestamp = "Jan 18 2021 16:33:55 MSK"
CHAP-Challenge = 0x656137368926899366361623762386435
Timestamp = 1610976835
SSH on this KVM is rather weak (there is nowhere to go there), and logging is weak. Maybe there is some way to get at the internals of the KVM to see more detailed logs?
Has anyone run into a similar task and, perhaps, knows its solution and can suggest where to dig?
The KVM itself supports only PAP and CHAP.
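As an added example (not part of the original post), the check below reproduces what rlm_chap does with the CHAP-Password and CHAP-Challenge attributes seen in the auth-detail record above: it parses a record in that format and recomputes the RFC 1994 response, MD5(ident || password || challenge), so an admin can confirm from the detail log alone that the credential side of the exchange is sound before looking at what the NAS expects in the reply. The record, challenge and password here are constructed; the page's own hex values are not used.

```python
import hashlib
import hmac
import re

# One "Attribute = value" line of a FreeRADIUS detail record (indentation optional).
ATTR_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")


def parse_detail_record(text):
    """Parse one auth-detail record: a timestamp line followed by attribute lines.
    Values written as 0x... become bytes; quoted strings lose their quotes."""
    attrs = {}
    for line in text.splitlines()[1:]:  # line 0 is the timestamp
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        attrs[name] = bytes.fromhex(raw[2:]) if raw.startswith("0x") else raw.strip('"')
    return attrs


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_chap(attrs, cleartext_password):
    """Replicate rlm_chap's comparison against the 'known good' Cleartext-Password.
    CHAP-Password carries the 1-byte CHAP ident followed by the 16-byte response."""
    chap_pw = attrs["CHAP-Password"]
    if len(chap_pw) != 17:
        raise ValueError("CHAP-Password must be 17 bytes (ident + MD5 digest)")
    ident, response = chap_pw[0], chap_pw[1:]
    expected = chap_response(ident, cleartext_password, attrs["CHAP-Challenge"])
    return hmac.compare_digest(response, expected)


def make_detail_record(user, password, challenge, ident=1):
    """Build a constructed auth-detail record the way the NAS request would be logged."""
    chap_pw = bytes([ident]) + chap_response(ident, password, challenge)
    return (
        "Mon Jan 18 16:33:55 2021\n"
        "\tPacket-Type = Access-Request\n"
        f'\tUser-Name = "{user}"\n'
        f"\tCHAP-Password = 0x{chap_pw.hex()}\n"
        "\tNAS-IP-Address = 10.0.0.88\n"
        f"\tCHAP-Challenge = 0x{challenge.hex()}\n"
    )


CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
RECORD = make_detail_record("test_user", "correct-horse", CHALLENGE)  # constructed sample

if __name__ == "__main__":
    parsed = parse_detail_record(RECORD)
    print(verify_chap(parsed, "correct-horse"))  # True: same outcome as "[chap] = ok"
    print(verify_chap(parsed, "wrong-password"))  # False
```

If this returns True for the password in the users file, the Access-Accept is legitimate and the remaining question is what reply attributes the KVM requires, which this check does not answer.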