FreeRADIUS + OpenLDAP error: No authenticate method (Auth-Type) found for the request: Rejecting the user

Question (votes: 2, answers: 4)

After a few days of googling I have to give up and ask :/

We are using a Debian server with OpenLDAP and RADIUS installed. When I connect to RADIUS with radtest everything works fine, but when I use the access point (and the connection goes through the tunnel) I get the result below. The inner tunnel looks like this:

authorize {
        update control {
                Proxy-To-Realm := LOCAL
        }

        eap {
                ok = return
        }

        files

        ldap {
                ok = return
        }

        expiration
        logintime

        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }
        unix

        eap
}




[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 172 to 192.168.2.110 port 33954
        EAP-Message = 0x0113004515800000003b14030100010116030100307485d545d269c20cba37d5a8e3f3dda1d7b0d7909407079307a1977c0d4a2a5960f66bd0a04ca5abe9493a46744ba417
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x37c6679131d5723a9d1ac717c8b684a5
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.2.110 port 33954, id=244, length=430
        Acct-Session-Id = "f9dbf293-00000006"
        NAS-Port = 7
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "CN35D335T4"
        NAS-IP-Address = 192.168.2.110
        Framed-MTU = 1496
        User-Name = "cwalonka"
        Calling-Station-Id = "88-63-DF-16-A1-C8"
        Called-Station-Id = "2C-44-FD-3C-E6-D1"
        Service-Type = Framed-User
        EAP-Message = 0x0213009f1580000000951703010090d5e4e84e029bbae0b1439267d5aafc0d726c399d77cba2eafa00c2a4b017bc8534ce405e39415114d39c5c1ef019a6230fb218df0fb61140d9d9be0a1d4b9b860fe559bd90083a5b618b2643300fa5da12094d111e77dabdcbfe5f7312675206636f235a111e0b6f9ca670cf825e8a6813a8693187457432e4dae68c5be7704a7f5c716bce9c75b96179b583744b0d28
        State = 0x37c6679131d5723a9d1ac717c8b684a5
        Colubris-AVPair = "ssid=Radius"
        Colubris-AVPair = "group=Default Group"
        Colubris-AVPair = "vsc-unique-id=2"
        Colubris-AVPair = "phytype=IEEE802dot11 "
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x8a74e1eca7f77b377dacbdf3ec8c1a24
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 19 length 159
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 149
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "cwalonka"
        MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
        MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b00000000000000000403cd5a0ad7604a4b22c4b9c54e7912e23850b2878155faf
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "cwalonka"
        MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
        MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b00000000000000000403cd5a0ad7604a4b22c4b9c54e7912e23850b2878155faf
        FreeRADIUS-Proxied-To = 127.0.0.1
        Acct-Session-Id = "f9dbf293-00000006"
        NAS-Port = 7
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "CN35D335T4"
        NAS-IP-Address = 192.168.2.110
        Framed-MTU = 1496
        Calling-Station-Id = "88-63-DF-16-A1-C8"
        Called-Station-Id = "2C-44-FD-3C-E6-D1"
        Service-Type = Framed-User
        Colubris-AVPair = "ssid=Radius"
        Colubris-AVPair = "group=Default Group"
        Colubris-AVPair = "vsc-unique-id=2"
        Colubris-AVPair = "phytype=IEEE802dot11 "
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for cwalonka
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> cwalonka
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=cwalonka)
[ldap]  expand: dc=it-economics,dc=de -> dc=it-economics,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=it-economics,dc=de, with filter (uid=cwalonka)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}ylX1rj9cfubaHAFc6XeV1Ne+tBFX36VA"
[ldap] looking for reply items in directory...
[ldap] user cwalonka authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

Thanks for your help

authentication debian openldap radius freeradius
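What the debug trace above actually shows, worked through as an added example (this is my code, not part of the question or of any answer): the request that arrives in the inner tunnel carries MS-CHAP-Challenge and MS-CHAP2-Response, i.e. the access point is doing EAP-TTLS with an MS-CHAPv2 inner method, whereas radtest sends User-Password (PAP) unless told otherwise, which is why the two tests behave differently. The inner-tunnel authorize section runs eap, files and ldap but never mschap, so no module sets Auth-Type := MS-CHAP. Independently of that, the password LDAP hands back is a {SSHA} digest, which rlm_pap can check against the cleartext a PAP client sends, but which can never satisfy MS-CHAPv2 (that needs NT-Password or Cleartext-Password). The script parses a constructed excerpt of that trace, reports both problems, and contrasts what PAP can do with an {SSHA} value. The trace excerpt and the SSHA test vector are constructed; the credential/module/password-form table reflects standard FreeRADIUS module behaviour.

```python
"""Triage of a FreeRADIUS 2.x debug trace for the 'No authenticate method
(Auth-Type) found' rejection inside EAP-TTLS.  Added example, not code from
the original post; the excerpt below is constructed from the question's log."""
import base64
import hashlib
import re

# Constructed excerpt modelled on the debug output in the question.
DEBUG_TRACE = """\
[ttls] Got tunneled request
        User-Name = "cwalonka"
        MS-CHAP-Challenge = 0xe1db13f5d45cce97c79199bd3790b982
        MS-CHAP2-Response = 0xdd00848963a64af42b41addc23a3202156b0
        FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
+- entering group authorize {...}
++[control] returns notfound
++[eap] returns noop
++[files] returns noop
  [ldap] userPassword -> Password-With-Header == "{SSHA}ylX1rj9cfubaHAFc6XeV1Ne+tBFX36VA"
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
} # server inner-tunnel
"""

# Credential attribute -> (Auth-Type it implies, module whose authorize method
# sets that Auth-Type, password storage forms that module can verify against).
# rlm_pap handles most hashed forms; CHAP/MS-CHAP need cleartext (MS-CHAP also
# accepts the NT hash) and can never use a salted SHA digest.
CREDENTIAL_TABLE = {
    "User-Password":     ("PAP",     "pap",    {"CLEAR", "CRYPT", "MD5", "SMD5", "SHA", "SSHA", "NT"}),
    "CHAP-Password":     ("CHAP",    "chap",   {"CLEAR"}),
    "MS-CHAP2-Response": ("MS-CHAP", "mschap", {"CLEAR", "NT"}),
}

def tunneled_attributes(trace):
    """Attributes of the first 'Got tunneled request' block, as a dict."""
    attrs, in_block = {}, False
    for line in trace.splitlines():
        if line.startswith("[ttls] Got tunneled request"):
            in_block = True
            continue
        if in_block:
            m = re.match(r"\s+([\w-]+) = (.*)$", line)
            if not m:                      # first non-indented line ends the block
                break
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def section_modules(trace, server, section):
    """Names of the modules that ran in <section> of virtual server <server>."""
    mods, in_server, in_section = [], False, False
    for line in trace.splitlines():
        if line.startswith(f"server {server} {{"):
            in_server = True
        elif in_server and line.startswith("} # server"):
            break
        elif in_server and f"entering group {section}" in line:
            in_section = True
        elif in_section:
            m = re.match(r"\+\+\[([\w-]+)\] returns", line)
            if m and m.group(1) != "control":   # 'update control {}' is not a module
                mods.append(m.group(1))
    return mods

def password_form(trace):
    """Storage form LDAP returned via Password-With-Header (CLEAR if no header)."""
    m = re.search(r'Password-With-Header == "(?:\{(\w+)\})?', trace)
    return (m.group(1) or "CLEAR").upper() if m else None

def diagnose(trace):
    """Explain why the inner tunnel could not pick an Auth-Type."""
    attrs = tunneled_attributes(trace)
    cred = next((a for a in CREDENTIAL_TABLE if a in attrs), None)
    if cred is None:
        return {"problems": ["no recognised credential attribute in the tunneled request"]}
    auth_type, module, usable = CREDENTIAL_TABLE[cred]
    authorize = section_modules(trace, "inner-tunnel", "authorize")
    form = password_form(trace)
    problems = []
    if module not in authorize:
        problems.append(f"inner-tunnel authorize ran {authorize}; '{module}' is missing, "
                        f"so nothing sets Auth-Type := {auth_type}")
    if form is not None and form not in usable:
        problems.append(f"LDAP returned a {{{form}}} password; {auth_type} can only be "
                        f"verified against {sorted(usable)}")
    return {"credential": cred, "auth_type": auth_type, "module_in_authorize": module in authorize,
            "password_form": form, "password_usable": form in usable, "problems": problems}

def make_ssha(password, salt):
    """OpenLDAP {SSHA} value: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored, candidate):
    """What rlm_pap does for PAP: recompute the salted hash from the cleartext the
    client sent.  An MS-CHAPv2 response gives the server no cleartext, only a value
    keyed on the NT hash, so an {SSHA} digest is useless for it."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest
```

Running `diagnose(DEBUG_TRACE)` returns two problems for the trace in the question. They point at two separate fixes: `mschap` must run in the inner-tunnel authorize section (as the stock inner-tunnel does) so that its authorize method can claim Auth-Type MS-CHAP, and rlm_mschap must be given an NT-Password or Cleartext-Password check item, because a {SSHA} userPassword cannot serve MS-CHAPv2; the alternative is to configure the supplicant for PAP inside TTLS. Note also that the `ok = return` after `ldap` in the question's inner-tunnel returns from authorize before `pap` runs, so even a PAP inner request would get no Auth-Type there. If your radtest supports `-t mschap`, that reproduces the MS-CHAPv2 path without the access point.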
4 answers

2 votes

I realised that when you can authenticate against the LDAP server there is no need to configure pap. The official documentation says you need pap when you have a "password", but it is not required.

These are my settings in the file /etc/raddb/sites-available/default, tested and running on FreeRADIUS 3 connected to Red Hat Directory 10 (LDAP):

server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
        if (!control:Auth-Type) {
            ldap

            if (ok && User-Password) {
                update {
                    control:Auth-Type := LDAP
                }
            }
        }
        expiration
        logintime
    }
    authenticate {
        Auth-Type LDAP {
               ldap
        }
    }
    preacct {
        preprocess
        acct_unique
    }
    accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
    } 
    pre-proxy {
    }
    post-proxy {
        eap
    }
}

0 votes

The LDAP module call should be:

authorize {
    ldap
    if (ok) {
        update control {
            Auth-Type := LDAP
        }
        return
    }
}

You also have to list LDAP in the authenticate section.

authenticate {
    ldap
}

All modules in FreeRADIUS have multiple methods, which can be called in the different stages of request processing.

The methods in authorize are used to gather additional subscriber information from the database. The methods in authenticate are used to validate the user's credentials, and the methods in post-auth are used to set authorization policy (VLAN, session timeout, etc...).

For some modules the authorize method tells the server which module to use for authentication. For others this has to be done manually.


0 votes

I can't comment on the previous answer because I don't have enough reputation, but I found an alternative syntax in this mailing list post. However, that didn't work. Instead I used Auth-Type as a condition, as follows:

authorize {
    files
    if (ok && User-Password) {
       update {
            control:Auth-Type := pap
        }
    }

    if (!control:Auth-Type) {
        ldap_files
        ldap

        if (ok && User-Password) {
           update {
                control:Auth-Type := LDAP
            }
        }
    }
    pap
}

This seems to achieve my goals of setting Auth-Type correctly and also being able to limit which modules authorize touches.


0 votes

Add this line to /etc/freeradius/3.0/users (Ubuntu version):

username Cleartext-Password := "passwordofuser"

Test again.
