Active-Directory

Freeradius 3 找不到 pfSense OpenVPN Auth-Requests 的 Auth-Type

  • September 27, 2017

我已經針對 Samba 4.5.8 AD 域控制器成功設置了帶有 NTLM-Auth 的 Freeradius 3.0.12。Radtest 適用於每個使用者和正確的密碼。當我嘗試在 pfSense 上針對 Freeradius 伺服器對 OpenVPN 使用者進行身份驗證時,它很難為使用者找到正確的 Auth-Type。Freeradius -X 產生以下結果:

(8) Received Access-Request Id 186 from 10.100.0.254:25983 to 10.100.0.32:1812 length 115
(8)   NAS-IP-Address = 192.168.1.25
(8)   NAS-Identifier = "openVPN"
(8)   NAS-Port-Type = Virtual
(8)   NAS-Port = 1194
(8)   Called-Station-Id = "192.168.1.25:1194"
(8)   User-Name = "user@samdom.example.com"
(8)   User-Password = "XXXXXX"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "samdom.example.com" for User-Name = "user@samdom.example.com"
(8) suffix: No such realm "samdom.example.com"
(8)     [suffix] = noop
(8) eap: No EAP-Message, not doing EAP
(8)     [eap] = noop
(8)     [files] = noop
(8)     [expiration] = noop
(8)     [logintime] = noop
(8) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(8) pap: WARNING: Authentication will fail unless a "known good" password is available
(8)     [pap] = noop
(8)   } # authorize = ok
(8) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject:    --> user@samdom.example.com
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8)     [attr_filter.access_reject] = updated
(8)     [eap] = noop
(8)     policy remove_reply_message_if_eap {
(8)       if (&reply:EAP-Message && &reply:Reply-Message) {
(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)       else {
(8)         [noop] = noop
(8)       } # else = noop
(8)     } # policy remove_reply_message_if_eap = noop
(8)   } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds

我嘗試使用和不使用使用者名中的領域,結果日誌沒有改變。freeradius 伺服器的配置如下所述:http: //deployingradius.com/documents/configuration/active_directory.html

我讀到設置預設的 Auth-Type 是個壞主意,因為它會破壞任何其他形式的身份驗證。我也想使用伺服器進行 WiFi 身份驗證,所以我至少需要 PEAP-MSCHAPv2 才能工作。

在上面的範例中,您正在執行 PAP 而不是 PEAP。沒有模組會自動將 ntlm_auth 設置為身份驗證類型,因此您需要使用策略語言進行設置,即

authorize {
   if (&User-Password) {
       update control {
           Auth-Type := ntlm_auth
       }
   }
   eap
}

引用自:https://serverfault.com/questions/875709