Cisco Aironet AP1260 cannot reach the FreeRADIUS server
I am having a problem with a Cisco Aironet AP1260 standalone access point and a FreeRADIUS server. I am trying to set up an 802.11x access point with authentication against the FreeRADIUS server. I have set up the AP and the server, created a temporary user in /etc/raddb/users, and tested the RADIUS server with the radtest utility. But when I try to connect to my AP I am rejected, and nothing is logged in FreeRADIUS at all. I am sure my logging configuration is fine (very verbose logging is enabled). I tried running radiusd -X to watch the activity in real time, but it shows me nothing: radtest activity shows up fine, but there is no activity from the AP. I did check the UDP traffic with tcpdump, and the AP's requests do reach the server, but they are ignored by the FreeRADIUS daemon. The ports are set correctly too (the default 1812 for auth). So, how do I get FreeRADIUS to accept the Cisco's authentication requests?
Update: the radtest command only works from localhost. Even if I connect the two machines directly, both running Linux, run radiusd -X on the first one and then run radtest from the second, the FreeRADIUS server does not react at all. I think there is some misconfiguration in FreeRADIUS, but where? Here is my configuration:
sasaika#sh run
Building configuration...

Current configuration : 2030 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname sasaika
!
logging rate-limit console 9
enable secret 5 *omitted*
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 172.16.10.13 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
ip domain name ex.example.com
!
!
dot11 syslog
!
dot11 ssid Edhelwen
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   guest-mode
!
!
!
username *omitted* privilege 15 secret 5 *omitted*
!
!
ip ssh time-out 60
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
 description Test-WiFi
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Edhelwen
 !
 antenna gain 0
 station-role root access-point
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 172.16.10.12 255.255.255.128
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 172.16.10.13 auth-port 1812 acct-port 1813 key 7 *omitted*
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
/etc/raddb/radiusd.conf:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    ipaddr = *
    port = 1813
    type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
    destination = files
    file = ${logdir}/radius.log
    requests = ${logdir}/radiusd-%Y%m%d.log
    syslog_facility = daemon
    stripped_names = yes
    auth = yes
    auth_badpass = yes
    auth_goodpass = yes
    msg_goodpass = "Good: "
    msg_badpass = "Bad: "
}
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}
proxy_requests = off
$INCLUDE clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
}
instantiate {
    exec
    expr
    expiration
    logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
/etc/raddb/clients.conf:
client cisco-ap {
    ipaddr = 172.16.10.12
    nastype = cisco   # i tried to disable it, no effect
    secret = *omitted*
    require_message_authenticator = no
}
client localhost {
    ipaddr = 127.0.0.1
    secret = *omitted*
    require_message_authenticator = no
}
Problem solved. I am new to CentOS, and I did not know that it applies an -A INPUT -j REJECT rule in the firewall by default. After editing that line (commenting it out, since this is a test server), RADIUS detected the authentication packets.
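Why radtest worked from localhost while the AP's packets vanished, as an added example that is not part of this answer: a small Python model of the INPUT chain's first-match evaluation, run over a constructed rule dump shaped like the CentOS default, which also shows the narrower fix of accepting UDP 1812/1813 only from the AP instead of disabling the REJECT rule. The rule text and interface names are assumptions; the AP address and ports are the ones from the question.

```python
"""Replay an iptables INPUT chain (first match wins) against the AP's RADIUS traffic.
Added example, not from the original post; the rule dump is a constructed stand-in for a stock CentOS firewall."""
import ipaddress
import shlex

# Constructed dump: a stock CentOS-style chain that ends in the catch-all REJECT.
DEFAULT_RULES = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]
# Narrow fix instead of commenting out the REJECT: admit only the AP (the NAS) to auth/acct.
RADIUS_ALLOW = [
    "-A INPUT -s 172.16.10.12/32 -p udp -m udp --dport 1812 -j ACCEPT",
    "-A INPUT -s 172.16.10.12/32 -p udp -m udp --dport 1813 -j ACCEPT",
]

# iptables options we model, mapped to (field name, converter); -m modules need no handling here.
FIELDS = {"-p": ("proto", str), "-s": ("src", ipaddress.ip_network), "--dport": ("dport", int),
          "-i": ("iface", str), "--state": ("state", lambda v: set(v.split(","))), "-j": ("target", str)}

def parse_rule(line):
    """Extract the modelled match fields from one `-A INPUT ...` line."""
    toks = shlex.split(line)
    return {FIELDS[k][0]: FIELDS[k][1](v) for k, v in zip(toks, toks[1:]) if k in FIELDS}

def verdict(rules, proto, src, dport, iface="eth0", state="NEW"):
    """Walk the chain in order; the first rule whose every match fits decides the packet."""
    pkt = {"proto": proto, "src": ipaddress.ip_address(src), "dport": dport, "iface": iface}
    for r in map(parse_rule, rules):
        if "src" in r and pkt["src"] not in r["src"]:
            continue
        if "state" in r and state not in r["state"]:
            continue
        if any(k in r and r[k] != pkt[k] for k in ("proto", "dport", "iface")):
            continue
        return r["target"]
    return "ACCEPT"  # chain policy, which is ACCEPT on a stock CentOS box

def radius_reachable(rules, nas_ip="172.16.10.12", iface="eth0"):
    """True when a fresh Access-Request from nas_ip on iface would be delivered to radiusd."""
    return verdict(rules, "udp", nas_ip, 1812, iface=iface) == "ACCEPT"

def with_radius_allowed(rules):
    """Insert the NAS ACCEPT rules ahead of the first REJECT/DROP, as `iptables -I` would."""
    cut = next(i for i, r in enumerate(rules) if parse_rule(r).get("target") in ("REJECT", "DROP"))
    return rules[:cut] + RADIUS_ALLOW + rules[cut:]
```

With the default chain, radtest on the loopback interface is accepted while the AP's request from the LAN hits the REJECT, which is exactly the tcpdump-sees-it, radiusd-never-logs-it symptom above; with the two ACCEPT rules inserted, only the AP reaches the RADIUS ports.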
Actually, for 802.1x you need an aaa authentication ppp <...> line, not login.