我正在建立一个无线实验室。用户guest123密码guest123使用802.1X身份验证通过无线进行身份验证。 FreeRadius也应该返回FilterId=>labguest。无线控制器的规则将用户角色设置为在FilterId交换期间返回的任何RADIUS。
相反,请求/响应会生成十次,并为用户分配默认角色"authenticated"。
在发布细节之前的简短问题是我做错了什么,是否有一个自动化工具来解析FreeRadius -X输出并提出建议?
来自无线控制器和freeradius的简单命令行测试显示身份验证和返回的属性。
root@ubuntu/etc/freeradius@ radtest guest123 guest123 localhost 0 testing123
User-Name = "guest123"
User-Password = "guest123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "guest123"
Received Access-Accept Id 184 from 127.0.0.1:1812 to 0.0.0.0:0 length 36
Service-Type = Framed-User
Filter-Id = "labguest"
“labguest”这个角色在这里定义:
user-role labguest
access-list session global-sacl
access-list session apprf-labguest-sacl
access-list session "Cant ping controller"
access-list session allowall
access-list session v6-allowall
基于FilterId分配用户角色的规则如下:
aaa server-group "lab-emp_srvgrp-kqh72"
auth-server radius1
set role condition Filter-Id value-of
通过无线和802.1X进行身份验证后,用户将收到默认的802.1X角色,“已验证”而非“labguest”。
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X
VLAN Derivation: Default VLAN
FreeRADIUS Version 3.0.15
<<<deleted debug output>>>
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 50900
Listening on proxy address :: port 60069
Ready to process requests
(0) Received Access-Request Id 42 from 192.168.18.254:40607 to
192.168.18.249:1812 length 175
(0) User-Name = "guest123"
(0) NAS-IP-Address = 192.168.18.254
(0) NAS-Port = 0
(0) NAS-Identifier = "192.168.18.254"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "4439C459E564"
(0) Called-Station-Id = "000B86BE91F0"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1100
(0) EAP-Message = 0x0202000d016775657374313233
(0) Aruba-Essid-Name = "lab-emp"
(0) Aruba-Location-Id = "AP1"
(0) Aruba-AP-Group = "lab1"
(0) Message-Authenticator = 0x6780aa98cfe6f147e8334301882c9c1f
(0) # Executing section authorize from file /etc/freeradius/sites-enabled
/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "guest123", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 2 length 13
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 3 length 6
(0) eap: EAP session adding &reply:State = 0xedb76556edb4700e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 42 from 192.168.18.249:1812 to
192.168.18.254:40607 length 0
(0) EAP-Message = 0x010300061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xedb76556edb4700e88dcdd844646037b
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 43 from 192.168.18.254:40607 to
192.168.18.249:1812 length 186
(1) User-Name = "guest123"
(1) NAS-IP-Address = 192.168.18.254
(1) NAS-Port = 0
(1) NAS-Identifier = "192.168.18.254"
(1) NAS-Port-Type = Wireless-802.11
(1) Calling-Station-Id = "4439C459E564"
(1) Called-Station-Id = "000B86BE91F0"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1100
(1) EAP-Message = 0x020300060319
(1) State = 0xedb76556edb4700e88dcdd844646037b
(1) Aruba-Essid-Name = "lab-emp"
(1) Aruba-Location-Id = "AP1"
(1) Aruba-AP-Group = "lab1"
(1) Message-Authenticator = 0xfe39826a334b5ddbe8fa4012037a87d8
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled
/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "guest123", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 3 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry guest123 at line 82
(1) [files] = ok
(1) sql: EXPAND %{User-Name}
(1) sql: --> guest123
(1) sql: SQL-User-Name set to 'guest123'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'guest123' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'guest123' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-
User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username =
'guest123' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'guest123' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname=radius
host=localhost user=radius password=********
Connected to database 'radius' on 'localhost' server version 90510, protocol
version 3, backend PID 1714
(1) [sql] = notfound
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xedb76556edb4700e
(1) eap: Finished EAP session with state 0xedb76556edb4700e
(1) eap: Previous EAP request found for state 0xedb76556edb4700e, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 4 length 6
(1) eap: EAP session adding &reply:State = 0xedb76556ecb37c0e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 43 from 192.168.18.249:1812 to
192.168.18.254:40607 length 0
(1) Service-Type = Framed-User
(1) Framed-Filter-Id = "labguest"
(1) EAP-Message = 0x010400061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xedb76556ecb37c0e88dcdd844646037b
(1) Finished request
Waking up in 4.9 seconds.
<<<deleted generally repeating debug output>>>
(10) Received Access-Request Id 52 from 192.168.18.254:40607 to 192.168.18.249:1812 length 223
(10) User-Name = "guest123"
(10) NAS-IP-Address = 192.168.18.254
(10) NAS-Port = 0
(10) NAS-Identifier = "192.168.18.254"
(10) NAS-Port-Type = Wireless-802.11
(10) Calling-Station-Id = "4439C459E564"
(10) Called-Station-Id = "000B86BE91F0"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1100
(10) EAP-Message =
0x020c002b190017030100209568f164a54cf0e2aa3c<<<more deleted>>>
(10) State = 0xedb76556e4bb7c0e88dcdd844646037b
(10) Aruba-Essid-Name = "lab-emp"
(10) Aruba-Location-Id = "AP1"
(10) Aruba-AP-Group = "lab1"
(10) Message-Authenticator = 0x2277c43d40495abc84afcfee2d7af56b
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/sites-enabled
/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "guest123", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 12 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xedb76556e4bb7c0e
(10) eap: Finished EAP session with state 0xedb76556e4bb7c0e
(10) eap: Previous EAP request found for state 0xedb76556e4bb7c0e, released
from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 12 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/sites-enabled
/default
(10) post-auth {
(10) update {
(10) No attributes updated
(10) } # update = noop
(10) sql: EXPAND .query
(10) sql: --> .query
(10) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(10) sql: EXPAND %{User-Name}
(10) sql: --> guest123
(10) sql: SQL-User-Name set to 'guest123'
(10) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(10) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'guest123', ', 'Access-Accept', '2017-12-06 05:15:26')
(10) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'guest123', ', 'Access-Accept', '2017-12-06 05:15:26')
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(10) sql: SQL query returned: success
(10) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(10) [sql] = ok
(10) [exec] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) } # post-auth = ok
(10) Sent Access-Accept Id 52 from 192.168.18.249:1812 to
192.168.18.254:40607 length 0
(10) MS-MPPE-Recv-Key =
0xa5ded2c64f1026f75e105877bcc5715f3712051d16c7977a680fd50a2bd53352
(10) MS-MPPE-Send-Key =
0x5ccf08fba6d8803a9ac0478c8b02bd8c9ea5829c6c3d389410eed4f36fb06692
(10) EAP-Message = 0x030c0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "guest123"
(10) Finished request
Waking up in 4.8 seconds.
(0) Cleaning up request packet ID 42 with timestamp +29
(1) Cleaning up request packet ID 43 with timestamp +29
(2) Cleaning up request packet ID 44 with timestamp +29
(3) Cleaning up request packet ID 45 with timestamp +29
(4) Cleaning up request packet ID 46 with timestamp +29
(5) Cleaning up request packet ID 47 with timestamp +29
(6) Cleaning up request packet ID 48 with timestamp +29
(7) Cleaning up request packet ID 49 with timestamp +29
(8) Cleaning up request packet ID 50 with timestamp +29
(9) Cleaning up request packet ID 51 with timestamp +29
(10)) Cleaning up request packet ID 52 with timestamp +29
Ready to process requests
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: labguest (how: ROLE_DERIVATION_DOT1X_SDR)
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: authenticated (how: ROLE_DERIVATION_DOT1X)
我发布了Aruba Airheads博客,然后开启了Aruba / HPE支持案例。分析了日志和数据包捕获后,Aruba / HPE支持工程师说,
“我想通知您,我已经完成了数据包捕获,并根据我们观察到的内容附加了相同的屏幕截图;如CP-Accept屏幕截图所示,我们看到Radius Accept,用户在进行身份验证时使用强制网络门户。我们在接受数据包中看到,服务器正在向控制器发送属性“labguest”,以便分配用户角色。
在Dot1x-Accept屏幕截图的情况下,当用户使用dot1x身份验证进行身份验证时,我们看不到服务器在接受数据包中发送任何属性。
如果我们需要为MSCHAPv2启用发送属性以及PAP协议,或者服务器上有任何特定配置根据身份验证类型处理要发送的属性,请检查服务器端。
然后我发布到FreeRADIUS用户列表。响应:
“解决方案是将”文件“模块移到”eap“之前。编辑网站已启用/默认。看看“授权”部分。“
这样可行。已编辑网站的摘录已启用/默认:
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The EAP module returns "ok" or "updated" if it is not yet ready
# to authenticate the user. The configuration below checks for
# "ok", and stops processing the "authorize" section if so.
#
# Any LDAP and/or SQL servers will not be queried for the
# initial set of packets that go back and forth to set up
# TTLS or PEAP.
#
# The "updated" check is commented out for compatibility with
# previous versions of this configuration, but you may wish to
# uncomment it as well; this will further reduce the number of
# LDAP and/or SQL queries for TTLS or PEAP.
#
files
eap {
ok = return
# updated = return
}
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# mods-available/passwd module.
#
# unix
#
# Read the 'users' file. In v3, this is located in
# raddb/mods-config/files/authorize
# files
来自Aruba控制器的测试:
(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose
Authentication Successful
Processing time (ms) : 6.407
Attribute value pairs in request
--------------------------------
Vendor Attribute Value
------ --------- -----
NAS-IP-Address 192.168.18.254
NAS-Port-Id 0
NAS-Port-Type Wireless-IEEE802.11
User-Name guest123
Service-Type Login-User
Calling-Station-Id 0.0.0.0
Called-Station-Id 000B86BE91F0
Microsoft MS-CHAP-Challenge \032\241\007[\002(\\321j5\001v\221lf\236
Microsoft MS-CHAP2-Response
Aruba Aruba-Essid-Name
Aruba Aruba-Location-Id N/A
Aruba Aruba-AP-Group N/A
Aruba Aruba-Device-Type
Message-Auth I\365\262\357\365o{s\264\270\246\022Cz\264-
PW_RADIUS_ID H
Rad-Length 199
Attribute value pairs in response
---------------------------------
Vendor Attribute Value
------ --------- -----
Service-Type Framed-User
Filter-Id labguest
Microsoft MS-CHAP2-Success
Microsoft MS-MPPE-Recv-Key \205g8\374\333\260\031\306\3379\321\220\273\273\355\024\277\210Q\003\226\004M>\372\307p6\273&\322\231N\253
Microsoft MS-MPPE-Send-Key \215\277d\301f\207A\215!\376\345.\324\177BM\364\310\251p\263\224\315 \012\001\035:\327\253\314\016\026\243
Microsoft MS-MPPE-Encryption-Policy
Microsoft MS-MPPE-Encryption-Types
PW_RADIUS_ID H
Rad-Length 195
PW_RADIUS_CODE \002
PW_RAD_AUTHENTICATOR }\203!\353\244}\215,\216\203J]\027\247\325\272
(Master1) # show user mac fc:c2:de:13:d6:15
Name: guest123, IP: 192.168.16.3, MAC: fc:c2:de:13:d6:15, Age: 00:00:00
Role: labguest (how: ROLE_DERIVATION_DOT1X_SDR), ACL: 71/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X_SDR
VLAN Derivation: Default VLAN
请注意,编辑到sites-enabled / default是在一个干净的FreeRADIUS安装之后,而不是对任何monkeying的修正。