FreeRadius3.0 with ldap configuration
【Title】FreeRadius3.0 with ldap configuration 【Posted】2021-09-17 01:39:09 【Question】The setup is almost as the title says. On the same VM I have OpenLDAP and a FreeRadius3.0 server that fetches its users from the LDAP directory.
On my UniFi controller I pointed the authentication server at FreeRadius.
The strange part is that an Android phone with the EAP method set to TTLS and Phase 2 set to PAP works fine. On the other hand, I cannot authenticate an iPhone device.
I have attached the log files for both. Note that, because of the character limit, I removed a few retries from both files in order to post them:
iPhone:
(36) Received Access-Request Id 68 from 192.168.1.45:11929 to 192.168.2.6:1812 length 285
(36) User-Name = "user"
(36) NAS-IP-Address = 192.168.0.16
(36) NAS-Identifier = "1ae82968d827"
(36) Called-Station-Id = "1A-E8-29-68-D8-27:TestNet"
(36) NAS-Port-Type = Wireless-802.11
(36) Service-Type = Framed-User
(36) Calling-Station-Id = "56-7E-6E-74-19-66"
(36) Connect-Info = "CONNECT 0Mbps 802.11b"
(36) Acct-Session-Id = "7920B3C56618BB67"
(36) Acct-Multi-Session-Id = "31C198EF71C46ED1"
(36) WLAN-Pairwise-Cipher = 1027076
(36) WLAN-Group-Cipher = 1027076
(36) WLAN-AKM-Suite = 1027073
(36) Framed-MTU = 1400
(36) EAP-Message = 0x02c1003715800000002d17030300289d5b6e7c1b6d76eee5a570e1dd5dab9ce96cf13e3974ea5a14c116425106079c9adabe1aef8b357c
(36) State = 0x25b700c8237615504ad2b47e6e37541e
(36) Message-Authenticator = 0xc4d8a828f8ee36dadd47cafc2a456311
(36) session-state: No cached attributes
(36) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(36) authorize
(36) policy filter_username
(36) if (&User-Name)
(36) if (&User-Name) -> TRUE
(36) if (&User-Name)
(36) if (&User-Name =~ / /)
(36) if (&User-Name =~ / /) -> FALSE
(36) if (&User-Name =~ /@[^@]*@/ )
(36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(36) if (&User-Name =~ /\.\./ )
(36) if (&User-Name =~ /\.\./ ) -> FALSE
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(36) if (&User-Name =~ /\.$/)
(36) if (&User-Name =~ /\.$/) -> FALSE
(36) if (&User-Name =~ /@\./)
(36) if (&User-Name =~ /@\./) -> FALSE
(36) # if (&User-Name) = notfound
(36) # policy filter_username = notfound
(36) [preprocess] = ok
(36) [chap] = noop
(36) [mschap] = noop
(36) [digest] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "user", looking up realm NULL
(36) suffix: No such realm "NULL"
(36) [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 193 length 55
(36) eap: Continuing tunnel setup
(36) [eap] = ok
(36) # authorize = ok
(36) Found Auth-Type = eap
(36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(36) authenticate
(36) eap: Expiring EAP session with state 0x41848598418590ad
(36) eap: Finished EAP session with state 0x25b700c823761550
(36) eap: Previous EAP request found for state 0x25b700c823761550, released from the list
(36) eap: Peer sent packet with method EAP TTLS (21)
(36) eap: Calling submodule eap_ttls to process data
(36) eap_ttls: Authenticate
(36) eap_ttls: Continuing EAP-TLS
(36) eap_ttls: Peer indicated complete TLS record size will be 45 bytes
(36) eap_ttls: Got complete TLS record (45 bytes)
(36) eap_ttls: [eaptls verify] = length included
(36) eap_ttls: [eaptls process] = ok
(36) eap_ttls: Session established. Proceeding to decode tunneled attributes
(36) eap_ttls: Got tunneled request
(36) eap_ttls: EAP-Message = 0x02010006031a
(36) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(36) eap_ttls: Sending tunneled request
(36) Virtual server default received request
(36) EAP-Message = 0x02010006031a
(36) FreeRADIUS-Proxied-To = 127.0.0.1
(36) User-Name = "user"
(36) State = 0x41848598418590ad5f5257f699cb08cd
(36) NAS-IP-Address = 192.168.0.16
(36) NAS-Identifier = "1ae82968d827"
(36) Called-Station-Id = "1A-E8-29-68-D8-27:TestNet"
(36) NAS-Port-Type = Wireless-802.11
(36) Service-Type = Framed-User
(36) Calling-Station-Id = "56-7E-6E-74-19-66"
(36) Connect-Info = "CONNECT 0Mbps 802.11b"
(36) Acct-Session-Id = "7920B3C56618BB67"
(36) Acct-Multi-Session-Id = "31C198EF71C46ED1"
(36) WLAN-Pairwise-Cipher = 1027076
(36) WLAN-Group-Cipher = 1027076
(36) WLAN-AKM-Suite = 1027073
(36) Framed-MTU = 1400
(36) Event-Timestamp = "Jul 6 2021 13:49:41 EEST"
(36) WARNING: Outer and inner identities are the same. User privacy is compromised.
(36) server default
(36) session-state: No cached attributes
(36) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(36) authorize
(36) policy filter_username
(36) if (&User-Name)
(36) if (&User-Name) -> TRUE
(36) if (&User-Name)
(36) if (&User-Name =~ / /)
(36) if (&User-Name =~ / /) -> FALSE
(36) if (&User-Name =~ /@[^@]*@/ )
(36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(36) if (&User-Name =~ /\.\./ )
(36) if (&User-Name =~ /\.\./ ) -> FALSE
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(36) if (&User-Name =~ /\.$/)
(36) if (&User-Name =~ /\.$/) -> FALSE
(36) if (&User-Name =~ /@\./)
(36) if (&User-Name =~ /@\./) -> FALSE
(36) # if (&User-Name) = notfound
(36) # policy filter_username = notfound
(36) [preprocess] = ok
(36) [chap] = noop
(36) [mschap] = noop
(36) [digest] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "user", looking up realm NULL
(36) suffix: No such realm "NULL"
(36) [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 1 length 6
(36) eap: Ignoring NAK with request for unknown EAP type
(36) [eap] = noop
(36) [files] = noop
rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 84 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 84 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (10), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (10)
(36) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(36) ldap: --> (uid=user)
(36) ldap: Performing search in "ou=People,dc=domain,dc=net" with filter "(uid=user)", scope "sub"
(36) ldap: Waiting for search result...
(36) ldap: User object found at DN "cn=user,ou=People,dc=domain,dc=net"
(36) ldap: Processing user attributes
(36) ldap: control:Password-With-Header += '{SHA}jNcioN4OBp8h7ZqsEqIjBoxKy8Y='
rlm_ldap (ldap): Released connection (10)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (11), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(36) [ldap] = updated
(36) [expiration] = noop
(36) [logintime] = noop
(36) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password
(36) pap: Removing &control:Password-With-Header
(36) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes
(36) pap: No User-Password attribute in the request. Cannot do PAP
(36) [pap] = noop
(36) # authorize = updated
(36) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(36) Failed to authenticate the user
(36) Using Post-Auth-Type Reject
(36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(36) Post-Auth-Type REJECT
(36) attr_filter.access_reject: EXPAND %{User-Name}
(36) attr_filter.access_reject: --> user
(36) attr_filter.access_reject: Matched entry DEFAULT at line 11
(36) [attr_filter.access_reject] = updated
(36) eap: Expiring EAP session with state 0x41848598418590ad
(36) eap: Finished EAP session with state 0x41848598418590ad
(36) eap: Previous EAP request found for state 0x41848598418590ad, released from the list
(36) eap: Request was previously rejected, inserting EAP-Failure
(36) eap: Sending EAP Failure (code 4) ID 1 length 4
(36) [eap] = updated
(36) policy remove_reply_message_if_eap
(36) if (&reply:EAP-Message && &reply:Reply-Message)
(36) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(36) else
(36) [noop] = noop
(36) # else = noop
(36) # policy remove_reply_message_if_eap = noop
(36) # Post-Auth-Type REJECT = updated
(36) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type =Reject): [user] (from client localhost port 0 cli 56-7E-6E-74-19-66 via TLS tunnel)
(36) # server default
(36) Virtual server sending reply
(36) EAP-Message = 0x04010004
(36) Message-Authenticator = 0x00000000000000000000000000000000
(36) eap_ttls: Got tunneled Access-Reject
(36) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(36) eap: Sending EAP Failure (code 4) ID 193 length 4
(36) eap: Failed in EAP select
(36) [eap] = invalid
(36) # authenticate = invalid
(36) Failed to authenticate the user
(36) Using Post-Auth-Type Reject
(36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(36) Post-Auth-Type REJECT
(36) attr_filter.access_reject: EXPAND %{User-Name}
(36) attr_filter.access_reject: --> user
(36) attr_filter.access_reject: Matched entry DEFAULT at line 11
(36) [attr_filter.access_reject] = updated
(36) [eap] = noop
(36) policy remove_reply_message_if_eap
(36) if (&reply:EAP-Message && &reply:Reply-Message)
(36) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(36) else
(36) [noop] = noop
(36) # else = noop
(36) # policy remove_reply_message_if_eap = noop
(36) # Post-Auth-Type REJECT = updated
(36) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [user] (from client localhost port 0 cli 56-7E-6E-74-19-66)
(36) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(36) Sending delayed response
(36) Sent Access-Reject Id 68 from 192.168.2.6:1812 to 192.168.1.45:11929 length 44
(36) EAP-Message = 0x04c10004
(36) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(29) Cleaning up request packet ID 61 with timestamp +383
(30) Cleaning up request packet ID 62 with timestamp +383
(31) Cleaning up request packet ID 63 with timestamp +383
(32) Cleaning up request packet ID 64 with timestamp +383
(33) Cleaning up request packet ID 65 with timestamp +383
(34) Cleaning up request packet ID 66 with timestamp +383
(35) Cleaning up request packet ID 67 with timestamp +383
(36) Cleaning up request packet ID 68 with timestamp +383
Ready to process requests
Android:
(22) Received Access-Request Id 54 from 192.168.1.45:63948 to 192.168.2.6:1812 length 226
(22) User-Name = "user"
(22) NAS-IP-Address = 192.168.0.16
(22) NAS-Identifier = "1ae82968d827"
(22) Called-Station-Id = "1A-E8-29-68-D8-27:TestNet"
(22) NAS-Port-Type = Wireless-802.11
(22) Service-Type = Framed-User
(22) Calling-Station-Id = "30-07-4D-96-97-1B"
(22) Connect-Info = "CONNECT 0Mbps 802.11b"
(22) Acct-Session-Id = "873598953FB6DD96"
(22) Acct-Multi-Session-Id = "02DA1835116F75BF"
(22) WLAN-Pairwise-Cipher = 1027076
(22) WLAN-Group-Cipher = 1027076
(22) WLAN-AKM-Suite = 1027073
(22) Framed-MTU = 1400
(22) EAP-Message = 0x02ab000e016c64617061646d696e
(22) Message-Authenticator = 0x466ab990741ed6cebb6c5a58af53cca1
(22) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(22) authorize
(22) policy filter_username
(22) if (&User-Name)
(22) if (&User-Name) -> TRUE
(22) if (&User-Name)
(22) if (&User-Name =~ / /)
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ )
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ )
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/)
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./)
(22) if (&User-Name =~ /@\./) -> FALSE
(22) # if (&User-Name) = notfound
(22) # policy filter_username = notfound
(22) [preprocess] = ok
(22) [chap] = noop
(22) [mschap] = noop
(22) [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "user", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 171 length 14
(22) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(22) [eap] = ok
(22) # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(22) authenticate
(22) eap: Peer sent packet with method EAP Identity (1)
(22) eap: Calling submodule eap_ttls to process data
(22) eap_ttls: Initiating new EAP-TLS session
(22) eap_ttls: [eaptls start] = request
(22) eap: Sending EAP Request (code 1) ID 172 length 6
(22) eap: EAP session adding &reply:State = 0x912db4839181a1fa
(22) [eap] = handled
(22) # authenticate = handled
(22) Using Post-Auth-Type Challenge
(22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(22) Challenge ... # empty sub-section is ignored
(22) Sent Access-Challenge Id 54 from 192.168.2.6:1812 to 192.168.1.45:63948 length 0
(22) EAP-Message = 0x01ac00061520
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) State = 0x912db4839181a1fac5f853532e9c45a7
(22) Finished request
Waking up in 4.8 seconds.
(28) Received Access-Request Id 60 from 192.168.1.45:63948 to 192.168.2.6:1812 length 309
(28) User-Name = "user"
(28) NAS-IP-Address = 192.168.0.16
(28) NAS-Identifier = "1ae82968d827"
(28) Called-Station-Id = "1A-E8-29-68-D8-27:TestNet"
(28) NAS-Port-Type = Wireless-802.11
(28) Service-Type = Framed-User
(28) Calling-Station-Id = "30-07-4D-96-97-1B"
(28) Connect-Info = "CONNECT 0Mbps 802.11b"
(28) Acct-Session-Id = "873598953FB6DD96"
(28) Acct-Multi-Session-Id = "02DA1835116F75BF"
(28) WLAN-Pairwise-Cipher = 1027076
(28) WLAN-Group-Cipher = 1027076
(28) WLAN-AKM-Suite = 1027073
(28) Framed-MTU = 1400
(28) EAP-Message = 0x02b1004f150017030300440000000000000001374e029fa0b1517e6088f6e72cf0c4cd4ae4e2c3d2d7e064ce17eee6a8eaedff66ea36e77f18f69f9245bbb2f0fc391a7291c4d95111197d35ab8c85
(28) State = 0x912db483949ca1fac5f853532e9c45a7
(28) Message-Authenticator = 0x42b24c717e99eb8b3221698b2b94c453
(28) session-state: No cached attributes
(28) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(28) authorize
(28) policy filter_username
(28) if (&User-Name)
(28) if (&User-Name) -> TRUE
(28) if (&User-Name)
(28) if (&User-Name =~ / /)
(28) if (&User-Name =~ / /) -> FALSE
(28) if (&User-Name =~ /@[^@]*@/ )
(28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(28) if (&User-Name =~ /\.\./ )
(28) if (&User-Name =~ /\.\./ ) -> FALSE
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(28) if (&User-Name =~ /\.$/)
(28) if (&User-Name =~ /\.$/) -> FALSE
(28) if (&User-Name =~ /@\./)
(28) if (&User-Name =~ /@\./) -> FALSE
(28) # if (&User-Name) = notfound
(28) # policy filter_username = notfound
(28) [preprocess] = ok
(28) [chap] = noop
(28) [mschap] = noop
(28) [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "user", looking up realm NULL
(28) suffix: No such realm "NULL"
(28) [suffix] = noop
(28) eap: Peer sent EAP Response (code 2) ID 177 length 79
(28) eap: Continuing tunnel setup
(28) [eap] = ok
(28) # authorize = ok
(28) Found Auth-Type = eap
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28) authenticate
(28) eap: Expiring EAP session with state 0x912db483949ca1fa
(28) eap: Finished EAP session with state 0x912db483949ca1fa
(28) eap: Previous EAP request found for state 0x912db483949ca1fa, released from the list
(28) eap: Peer sent packet with method EAP TTLS (21)
(28) eap: Calling submodule eap_ttls to process data
(28) eap_ttls: Authenticate
(28) eap_ttls: Continuing EAP-TLS
(28) eap_ttls: [eaptls verify] = ok
(28) eap_ttls: Done initial handshake
(28) eap_ttls: [eaptls process] = ok
(28) eap_ttls: Session established. Proceeding to decode tunneled attributes
(28) eap_ttls: Got tunneled request
(28) eap_ttls: User-Name = "user"
(28) eap_ttls: User-Password = "Password1!!!"
(28) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(28) eap_ttls: Sending tunneled request
(28) Virtual server default received request
(28) User-Name = "user"
(28) User-Password = "Password1!!!"
(28) FreeRADIUS-Proxied-To = 127.0.0.1
(28) NAS-IP-Address = 192.168.0.16
(28) NAS-Identifier = "1ae82968d827"
(28) Called-Station-Id = "1A-E8-29-68-D8-27:TestNet"
(28) NAS-Port-Type = Wireless-802.11
(28) Service-Type = Framed-User
(28) Calling-Station-Id = "30-07-4D-96-97-1B"
(28) Connect-Info = "CONNECT 0Mbps 802.11b"
(28) Acct-Session-Id = "873598953FB6DD96"
(28) Acct-Multi-Session-Id = "02DA1835116F75BF"
(28) WLAN-Pairwise-Cipher = 1027076
(28) WLAN-Group-Cipher = 1027076
(28) WLAN-AKM-Suite = 1027073
(28) Framed-MTU = 1400
(28) Event-Timestamp = "Jul 6 2021 13:48:17 EEST"
(28) WARNING: Outer and inner identities are the same. User privacy is compromised.
(28) server default
(28) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(28) authorize
(28) policy filter_username
(28) if (&User-Name)
(28) if (&User-Name) -> TRUE
(28) if (&User-Name)
(28) if (&User-Name =~ / /)
(28) if (&User-Name =~ / /) -> FALSE
(28) if (&User-Name =~ /@[^@]*@/ )
(28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(28) if (&User-Name =~ /\.\./ )
(28) if (&User-Name =~ /\.\./ ) -> FALSE
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(28) if (&User-Name =~ /\.$/)
(28) if (&User-Name =~ /\.$/) -> FALSE
(28) if (&User-Name =~ /@\./)
(28) if (&User-Name =~ /@\./) -> FALSE
(28) # if (&User-Name) = notfound
(28) # policy filter_username = notfound
(28) [preprocess] = ok
(28) [chap] = noop
(28) [mschap] = noop
(28) [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "user", looking up realm NULL
(28) suffix: No such realm "NULL"
(28) [suffix] = noop
(28) eap: No EAP-Message, not doing EAP
(28) [eap] = noop
(28) [files] = noop
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 299 seconds
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 299 seconds
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 296 seconds
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 296 seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 285 seconds
rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 285 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 278 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 278 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (8), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (8)
(28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(28) ldap: --> (uid=user)
(28) ldap: Performing search in "ou=People,dc=domain,dc=net" with filter "(uid=user)", scope "sub"
(28) ldap: Waiting for search result...
(28) ldap: User object found at DN "cn=user,ou=People,dc=domain,dc=net"
(28) ldap: Processing user attributes
(28) ldap: control:Password-With-Header += '{SHA}jNcioN4OBp8h7ZqsEqIjBoxKy8Y='
rlm_ldap (ldap): Released connection (8)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (9), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(28) [ldap] = updated
(28) [expiration] = noop
(28) [logintime] = noop
(28) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password
(28) pap: Removing &control:Password-With-Header
(28) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes
(28) [pap] = updated
(28) # authorize = updated
(28) Found Auth-Type = PAP
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28) Auth-Type PAP
(28) pap: Login attempt with password
(28) pap: Comparing with "known-good" SHA-Password
(28) pap: User authenticated successfully
(28) [pap] = ok
(28) # Auth-Type PAP = ok
(28) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(28) post-auth
(28) update
(28) No attributes updated
(28) # update = noop
(28) [exec] = noop
(28) policy remove_reply_message_if_eap
(28) if (&reply:EAP-Message && &reply:Reply-Message)
(28) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(28) else
(28) [noop] = noop
(28) # else = noop
(28) # policy remove_reply_message_if_eap = noop
(28) # post-auth = noop
(28) Login OK: [user] (from client localhost port 0 cli 30-07-4D-96-97-1B via TLS tunnel)
(28) # server default
(28) Virtual server sending reply
(28) eap_ttls: Got tunneled Access-Accept
(28) eap: Sending EAP Success (code 3) ID 177 length 4
(28) eap: Freeing handler
(28) [eap] = ok
(28) # authenticate = ok
(28) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(28) post-auth
(28) update
(28) No attributes updated
(28) # update = noop
(28) [exec] = noop
(28) policy remove_reply_message_if_eap
(28) if (&reply:EAP-Message && &reply:Reply-Message)
(28) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(28) else
(28) [noop] = noop
(28) # else = noop
(28) # policy remove_reply_message_if_eap = noop
(28) # post-auth = noop
(28) Login OK: [user] (from client localhost port 0 cli 30-07-4D-96-97-1B)
(28) Sent Access-Accept Id 60 from 192.168.2.6:1812 to 192.168.1.45:63948 length 0
(28) MS-MPPE-Recv-Key = 0x56707e44ad2b97f1e40d4f4be67454a69e744d1b58ea60bf71ea080a9a55c4a6
(28) MS-MPPE-Send-Key = 0x2a0f6c6d576690859d4c73b3fdaccc5bb59de87760266ad0728cd9438623e0ae
(28) EAP-Message = 0x03b10004
(28) Message-Authenticator = 0x00000000000000000000000000000000
(28) User-Name = "user"
(28) Finished request
Waking up in 4.8 seconds.
(22) Cleaning up request packet ID 54 with timestamp +299
(23) Cleaning up request packet ID 55 with timestamp +299
(24) Cleaning up request packet ID 56 with timestamp +299
(25) Cleaning up request packet ID 57 with timestamp +299
(26) Cleaning up request packet ID 58 with timestamp +299
(27) Cleaning up request packet ID 59 with timestamp +299
(28) Cleaning up request packet ID 60 with timestamp +299
Ready to process requests
Do you see something I am missing? Please note that this is my first RADIUS server, so if you could walk me through solving this in detail, I would be very grateful.
【Comments】:
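The two logs differ in what the client sends inside the TTLS tunnel: the Android phone sends a plain User-Name/User-Password pair that the pap module can check against the stored hash, while the iPhone sends a tunneled EAP-Message of 0x02010006031a, which FreeRADIUS answers with "Ignoring NAK with request for unknown EAP type". The following script is an added example, not code from the question or from FreeRADIUS: it parses the RFC 3748 EAP header (Code, Identifier, Length, Type) out of the hex values FreeRADIUS prints and names the method, so the tunneled exchange can be read without looking the numbers up by hand. Run over the NAK above it reports an EAP Response whose Type is 3 (Nak) proposing method type 26 (EAP-MSCHAPv2), i.e. the iPhone refused the inner method the server offered and asked for one that the server's configuration does not offer inside the tunnel. The sample log lines embedded in the script are constructed from the ones quoted above.

```python
"""Decode EAP-Message values from a FreeRADIUS debug log.

Added example, not code from the question or from FreeRADIUS. It parses
the RFC 3748 EAP header (Code, Identifier, Length, Type) from the hex
blobs FreeRADIUS prints and names the method.
"""
import re
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method types from the IANA EAP registry (the subset seen on Wi-Fi).
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    6: "GTC", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2",
}
TLS_BASED = (13, 21, 25)  # these carry a flags byte: L=0x80 M=0x40 S=0x20

EAP_ATTR = re.compile(r"EAP-Message = (0x[0-9a-fA-F]+)")


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure (no Type field)
    data: bytes


def parse_eap(hex_blob: str) -> EapPacket:
    """Parse one EAP-Message value (with or without the 0x prefix)."""
    raw = bytes.fromhex(hex_blob[2:] if hex_blob.startswith("0x") else hex_blob)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes; got %d" % len(raw))
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):  # Length covers the whole packet, header included
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes present")
    if code in (3, 4):  # Success/Failure: header only
        return EapPacket(code, ident, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    return EapPacket(code, ident, length, raw[4], raw[5:])


def describe(pkt: EapPacket) -> str:
    """One-line human-readable summary of a parsed packet."""
    head = f"{EAP_CODES.get(pkt.code, f'code {pkt.code}')} id={pkt.identifier} len={pkt.length}"
    if pkt.eap_type is None:
        return head
    name = EAP_TYPES.get(pkt.eap_type, f"type {pkt.eap_type}")
    if pkt.eap_type == 3:
        # Nak: the data bytes list the method types the peer is willing to do.
        wanted = ", ".join(EAP_TYPES.get(t, f"type {t}") for t in pkt.data) or "none"
        return f"{head} Nak -> peer proposes {wanted}"
    if pkt.eap_type == 1:
        return f"{head} Identity {pkt.data.decode('utf-8', 'replace')!r}"
    if pkt.eap_type in TLS_BASED:
        flags = pkt.data[0] if pkt.data else 0
        bits = "".join(n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit)
        return f"{head} {name} flags={bits or '-'} payload={max(len(pkt.data) - 1, 0)}B"
    return f"{head} {name} ({len(pkt.data)} data bytes)"


def decode_log(text: str) -> list:
    """Decode every EAP-Message attribute found in a chunk of debug output."""
    return [describe(parse_eap(m.group(1))) for m in EAP_ATTR.finditer(text)]


# Constructed sample: three lines in the shape of the iPhone log above.
SAMPLE_LOG = """\
(36) eap_ttls: EAP-Message = 0x02010006031a
(36) eap: Ignoring NAK with request for unknown EAP type
(36) EAP-Message = 0x04010004
"""

if __name__ == "__main__":
    for line in decode_log(SAMPLE_LOG):
        print(line)
```

Fed the whole iPhone log, the script lists in order the outer TTLS fragments (Type 21, with the L flag when a TLS record length is included), the tunneled Nak, and the EAP-Failure that ends the session; on the Android log the outer packets end with an EAP Success instead, and no inner EAP-Message appears because TTLS/PAP carries the password as a plain AVP.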
【Answer 1】: Because of the character limit I am posting my config files here:
sites-available/default:

server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
            ok = return
        }
        files
        ldap
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        digest
        eap
        ldap
    }
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        update {
            &reply: += &session-state:
        }
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        Post-Auth-Type Challenge {
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}

mods-available/ldap:

ldap {
    server = '127.0.0.1'
    port = 389
    identity = 'cn=admin,dc=domain,dc=net'
    password = hdf87dfgyd87g98df89
    base_dn = 'dc=domain,dc=net'
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        control:NT-Password := 'sambaNTPassword'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    user {
        base_dn = "ou=People,dc=domain,dc=net"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "cn=wifi-users,ou=group,dc=domain,dc=net"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
【Comments】:
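The ldap module above maps the directory's userPassword attribute into control:Password-With-Header, and both logs show the pap module turning the {SHA} value into SHA1-Password ("28 bytes -> 20 bytes" after base64 decoding) before comparing it. The following script is an added example, not FreeRADIUS code: it reproduces that header-driven check for the {SHA}, {SSHA}, {MD5}, {SMD5} and {CLEAR} forms on a constructed credential, rejects malformed values, and has a helper that answers the question the iPhone log raises, namely which stored forms can also serve MS-CHAP. rlm_mschap needs an NT-Password or a Cleartext-Password; a {SHA} digest yields neither, which is why this config's NT-Password := 'sambaNTPassword' mapping only helps if the directory entry actually carries that attribute.

```python
"""Check a password against an LDAP userPassword value the way rlm_pap
treats Password-With-Header (added example; not FreeRADIUS code)."""
import base64
import hashlib
import hmac
import os

# header -> (hash algorithm, salted?) for the digest formats handled here
HEADERS = {
    "{SHA}": ("sha1", False),
    "{SSHA}": ("sha1", True),
    "{MD5}": ("md5", False),
    "{SMD5}": ("md5", True),
}
CLEAR_HEADERS = ("{CLEAR}", "{CLEARTEXT}")


def split_header(stored: str) -> tuple:
    """Split '{SHA}base64...' into ('{SHA}', 'base64...'); header is case-insensitive."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value has no {HEADER} prefix")
    end = stored.index("}") + 1
    return stored[:end].upper(), stored[end:]


def encode_password(header: str, password: str, salt: bytes = b"") -> str:
    """Build a userPassword value in the given header format (used here only
    to construct a test credential; salted formats append the salt bytes)."""
    algo, salted = HEADERS[header]
    if salted and not salt:
        salt = os.urandom(8)
    if not salted:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return header + base64.b64encode(digest + salt).decode("ascii")


def decoded_digest_size(stored: str) -> int:
    """Number of raw bytes behind the base64 body (the log's '28 bytes -> 20 bytes')."""
    return len(base64.b64decode(split_header(stored)[1]))


def verify_password(stored: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored form."""
    header, body = split_header(stored)
    if header in CLEAR_HEADERS:
        return hmac.compare_digest(body.encode("utf-8"), candidate.encode("utf-8"))
    if header not in HEADERS:
        raise ValueError(f"unsupported password header {header}")
    algo, salted = HEADERS[header]
    raw = base64.b64decode(body)
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (salted and not salt):
        raise ValueError(f"{header} body has {len(raw)} bytes, expected a {size}-byte digest"
                         + (" plus salt" if salted else ""))
    computed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def usable_for_mschap(stored: str) -> bool:
    """rlm_mschap needs NT-Password or Cleartext-Password. A {SHA}/{SSHA}/{MD5}
    digest cannot be turned into either, so only {NT} and cleartext qualify."""
    header, _ = split_header(stored)
    return header == "{NT}" or header in CLEAR_HEADERS


if __name__ == "__main__":
    # Constructed credential; the real hash from the log is not reused here.
    stored = encode_password("{SHA}", "example-pass")
    print(stored, "->", decoded_digest_size(stored), "bytes")
    print("PAP ok:", verify_password(stored, "example-pass"))
    print("MS-CHAP possible:", usable_for_mschap(stored))
```

For a deployment that must serve both TTLS/PAP and an inner MS-CHAPv2 method, the directory therefore has to hold an NT hash (or cleartext) alongside, or in place of, the {SHA} value; the alternative that keeps the hashed storage is to configure the clients for TTLS with PAP inside the tunnel, which is what the working Android profile in the question does.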
【Answer 2】: I made this change in EAP and it works on the iPhone; on Android I set it to GTC and it works too, but I can't get it to work on a laptop running Windows 10.
【Comments】: