Мне нужна помощь с подключением к RADIUS через точку доступа LevelOne EAP-110.
Я настроил RADIUS + LDAP, попробовал с radiusd -X
Я получаю это сообщение:
radtest fsobarzo ********** localhost 100 testing123
Sending Access-Request of id 243 to 127.0.0.1 port 1812
User-Name = "fsobarzo"
User-Password = "***********"
NAS-IP-Address = 10.10.0.119
NAS-Port = 100
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=243, length=20
Затем в отладке freeradius получите это сообщение:
rad_recv: Access-Request packet from host 127.0.0.1 port 42229, id=243, length=78
User-Name = "fsobarzo"
User-Password = "**********"
NAS-IP-Address = 10.10.0.119
NAS-Port = 100
Message-Authenticator = 0xb5333cce6b6870d3e08794835b1f2719
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fsobarzo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for fsobarzo
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> fsobarzo
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=fsobarzo)
[ldap] expand: ou=inf,o=utfsm,c=cl -> ou=inf,o=utfsm,c=cl
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.10.0.122:389, authentication 0
[ldap] bind as cn=Directory Manager/holahola to 10.10.0.122:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=inf,o=utfsm,c=cl, with filter (uid=fsobarzo)
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA}4IO5oaEY64B+mjoaWbTzZFl0Z0Gnj08cAN2RQQ=="
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user fsobarzo authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "fsobarzo" with password "epilef17702"
[ldap] user DN: uid=fsobarzo,ou=cuentas,ou=valparaiso,ou=alumnos,ou=inf,o=utfsm,c=cl
[ldap] (re)connect to 10.10.0.122:389, authentication 1
[ldap] bind as uid=fsobarzo,ou=cuentas,ou=valparaiso,ou=alumnos,ou=inf,o=utfsm,c=cl/epilef17702 to 10.10.0.122:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user fsobarzo authenticated succesfully
++[ldap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 243 to 127.0.0.1 port 42229
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 243 with timestamp +48
Ready to process requests.
Это ответ от RADIUS + LDAP без AP.
Затем, когда я пытаюсь подключиться через AP, не работает. Я получаю это:
rad_recv: Access-Request packet from host 10.10.10.87 port 3072, id=185, length=136
User-Name = "fsobarzo"
NAS-IP-Address = 10.10.10.87
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "00-1F-D4-02-D9-C0"
Calling-Station-Id = "B4-52-7D-D4-76-8D"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000d0166736f6261727a6f
Message-Authenticator = 0x49fa779829c40803d885138cf112971d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fsobarzo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for fsobarzo
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> fsobarzo
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=fsobarzo)
[ldap] expand: ou=inf,o=utfsm,c=cl -> ou=inf,o=utfsm,c=cl
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=inf,o=utfsm,c=cl, with filter (uid=fsobarzo)
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA}4IO5oaEY64B+mjoaWbTzZFl0Z0Gnj08cAN2RQQ=="
[ldap] looking for reply items in directory...
[ldap] user fsobarzo authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 1 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user 'fsobarzo'
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 185 to 10.10.10.87 port 3072
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0133a0760131b9340c4aebd2ec9d5479
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.87 port 3072, id=186, length=349
User-Name = "fsobarzo"
NAS-IP-Address = 10.10.10.87
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "00-1F-D4-02-D9-C0"
Calling-Station-Id = "B4-52-7D-D4-76-8D"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200d01980000000c616030100c1010000bd0301546e5195b1497083040fe964e706bcfefd2360bfe3361e123dab868f9481b907000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011
State = 0x0133a0760131b9340c4aebd2ec9d5479
Message-Authenticator = 0xb7b3606d6c040314e7f506c32b240f45
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fsobarzo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00c1], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 186 to 10.10.10.87 port 3072
EAP-Message = 0x0103040019c0000009fa1603010039020000350301546e51cde6b2807eeb6eb046ec77af768311847ee4c6fc76a48e74de3cb37e6800c01400000dff01000100000b000403000102160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966
EAP-Message = 0x696361746520417574686f72697479301e170d3134313132303034303834385a170d3135303131393034303834385a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100abed61a5c45a3b24107a586b28a6327b18df32c2c890bd30f936a9d618cb4cbe4b63c4e78bac4ae97109e21e3338b5
EAP-Message = 0x29c58b480f71def645952eff1dfa992c92f81295141c8968aadeb7392473854472dc1052fc660c1fe9bb1ac77ab78da2ff9fd9c5d28b916080cd41005291a89c8a4ed41ffc899524e78a9a8de37120c0fa2af9a24863a1ceb9bbf25f57fb83f2f27a1ae0805c1ad1ae1306c6f685d81ea376c6ab06e9c6cf7013fd14d24440ccbe0c1ee9330744e70060b6adb56ea93221b1d2438e53951e58f14e4d53136d8b4df783d0ccf411798f4eed5523492a6f0dc087cec9fc60ea5f8b88406e3fad97da3b2f52584d213878282da0f6b54c80690203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505
EAP-Message = 0x00038201010043f8255083f0bfd416918c26c579198bce73f19b1ea612a9da3d27ca5ad9ccb5d8e27d3ebf2320916c07c1b4aab575060d6c31af741d783f3a1ace48dca975c671e8a007a104f758b6ef1fe8d01d5dc71092aaed7a96f94becf8ad10e60f5a8732a135d28731908162cd767a38581f390ec9fcc677be5471bcc2dc46c1d9f49d6a5c5da2d5f8af14ed11db74294e3b17ad3668a9690ccca6d5ad0273c144f8de3ca9497cc238c9bcf5248b03f982d45881dc00c5b810b4f10baa496ef727ae9fb00a089143e74781f15e5d55f3c378380104681a873446517b2d4489c326e1bded47df82b8695106c4762c98772e39b84da6a6f8dd8631
EAP-Message = 0xb05c3cda20e60ac5330004ab
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0133a0760030b9340c4aebd2ec9d5479
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
.......
Many log here. :'(
.......
rad_recv: Access-Request packet from host 10.10.10.87 port 3072, id=193, length=221
User-Name = "fsobarzo"
NAS-IP-Address = 10.10.10.87
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "00-1F-D4-02-D9-C0"
Calling-Station-Id = "B4-52-7D-D4-76-8D"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0209005019001703010020087ae0c7152592a866de5c13fb7b4e30349b34c623dc847a8598f0a420057ba717030100204bea371d95badb4d4ff30dc41d27992109533be65daa117509fbe04133334ed6
State = 0x0133a076063ab9340c4aebd2ec9d5479
Message-Authenticator = 0x4698457f36ab884b48d6c3900edbd6c1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fsobarzo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> fsobarzo
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 20 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.87 port 3072, id=193, length=221
Waiting to send Access-Reject to client AP-RADIUS port 3072 - ID: 193
Waking up in 0.1 seconds.
Sending delayed reject for request 20
Sending Access-Reject of id 193 to 10.10.10.87 port 3072
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 12 ID 185 with timestamp +277
Cleaning up request 13 ID 186 with timestamp +277
Cleaning up request 14 ID 187 with timestamp +277
Cleaning up request 15 ID 188 with timestamp +277
Cleaning up request 16 ID 189 with timestamp +277
Cleaning up request 17 ID 190 with timestamp +277
Cleaning up request 18 ID 191 with timestamp +277
Cleaning up request 19 ID 192 with timestamp +277
Waking up in 1.0 seconds.
Cleaning up request 20 ID 193 with timestamp +277
Ready to process requests.
Всегда получайте это сообщение ... LDAP всегда отвечает ОК, но я не знаю.
Я не понимаю, почему работает без AP, а AP не работает. :(
При отправке тестовых пакетов на сервер вы используете протокол RADIUS-PAP.
Этот протокол будет работать, если пароль в вашем каталоге ldap хеширован.
Протокол, который вы используете при аутентификации с помощью точки доступа, скорее всего, EAP-PEAP через RADIUS.
PEAP не будет работать, если сервер RADIUS не имеет доступа к формам пароля пользователя NT-Password или Cleartext.
Если вы просто хотите, чтобы что-то работало локально, вы можете установить соискатель SecureW2 и настроить его для использования EAP-TTLS-PAP, который, как и RADIUS-PAP, будет работать с хешированным паролем.