Cisco

Cisco Aironet AP1260 cannot reach the FreeRADIUS server

  • November 25, 2014

I'm having trouble with a Cisco Aironet AP1260 standalone access point and a FreeRADIUS server. I'm trying to set up an 802.1X access point with authentication against the FreeRADIUS server. I have set up the AP and the server, created a temporary user in /etc/raddb/users, and tested the RADIUS server with the radtest utility. But when I try to connect to my AP I get rejected, and nothing at all is logged in FreeRADIUS. I'm sure my logging configuration is fine (very verbose logging is enabled). I tried running radiusd -X to watch the activity in real time, but it gave me nothing: radtest activity shows up fine, but there is no activity from the AP.

I did check the UDP traffic with tcpdump: the AP's requests arrive at the server but are ignored by the FreeRADIUS daemon. The ports are also set correctly (the default 1812 for auth).

So how do I get FreeRADIUS to accept the Cisco AP's authentication requests?

Update: the radtest command only works against localhost. Even if I connect two Linux machines directly, run radiusd -X on the first and then try radtest on the second, the FreeRADIUS server does not react at all. I think there is some misconfiguration in FreeRADIUS, but where is it?

Here is my configuration:

sasaika#sh run
Building configuration...

Current configuration : 2030 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname sasaika
!
logging rate-limit console 9
enable secret 5 *omitted*
!
aaa new-model
!
!
aaa group server radius rad_eap
server 172.16.10.13 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
ip domain name ex.example.com
!
!
dot11 syslog
!
dot11 ssid Edhelwen
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa version 2
  guest-mode
!
!
!
username *omitted* privilege 15 secret 5 *omitted*
!
!
ip ssh time-out 60
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
description Test-WiFi
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid Edhelwen
!
antenna gain 0
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 172.16.10.12 255.255.255.128
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 172.16.10.13 auth-port 1812 acct-port 1813 key 7 *omitted*
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
end

/etc/raddb/radiusd.conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
       type = auth
       ipaddr = *
       port = 1812
}

listen {
       ipaddr = *
       port = 1813
       type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
   destination = files
   file = ${logdir}/radius.log
   requests = ${logdir}/radiusd-%Y%m%d.log
   syslog_facility = daemon
   stripped_names = yes
   auth = yes
   auth_badpass = yes
   auth_goodpass = yes
   msg_goodpass = "Good: "
   msg_badpass = "Bad: "
}
checkrad = ${sbindir}/checkrad
security {
       max_attributes = 200
       reject_delay = 1
       status_server = yes
}
proxy_requests  = off
$INCLUDE clients.conf
thread pool {
       start_servers = 5
       max_servers = 32
       min_spare_servers = 3
       max_spare_servers = 10
       max_requests_per_server = 0
}
modules {
       $INCLUDE ${confdir}/modules/
       $INCLUDE eap.conf
}
instantiate {
       exec
       expr
       expiration
       logintime
}

$INCLUDE policy.conf
$INCLUDE sites-enabled/

/etc/raddb/clients.conf:

client cisco-ap {
       ipaddr = 172.16.10.12
       nastype = cisco # i tried to disable it, no effect
       secret = *omitted*
       require_message_authenticator = no
}

client localhost {
       ipaddr = 127.0.0.1
       secret = *omitted*
       require_message_authenticator = no
}

Problem solved. I'm new to CentOS and didn't know that it applies an -A INPUT -j REJECT rule in the firewall by default. After editing out that line (commented out, since this is a test server), RADIUS detected the authentication packets.
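The firewall finding above, as an added example that is not part of the original post or of any FreeRADIUS or Cisco code: a POSIX shell check that reads an iptables-save style listing of the INPUT chain and reports whether UDP 1812/1813 is accepted before the catch-all -A INPUT -j REJECT rule. The two rule listings are constructed here to resemble the CentOS default described in the answer and a tightened version of it; the AP address 172.16.10.12 is taken from the BVI1 interface in the AP configuration on the page, everything else is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: given an iptables-save style
# listing of the INPUT chain, report whether UDP traffic to a port is ACCEPTed
# before the catch-all "-A INPUT -j REJECT" rule that blocked RADIUS here.

# Constructed ruleset resembling the CentOS default described in the post.
DEFAULT_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed fix: permit RADIUS auth/acct only from the AP (172.16.10.12 is
# the BVI1 address in the AP configuration) instead of removing the REJECT.
FIXED_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.10.12/32 -p udp -m udp --dport 1812 -j ACCEPT
-A INPUT -s 172.16.10.12/32 -p udp -m udp --dport 1813 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# udp_port_allowed PORT: reads rules on stdin, exits 0 if an ACCEPT for
# UDP PORT precedes the first REJECT/DROP in INPUT, 1 otherwise.
# Loopback-only ACCEPTs ("-i lo") are deliberately not counted: they are why
# radtest against 127.0.0.1 works while packets from the AP are refused.
udp_port_allowed() {
    awk -v port="$1" '
        /^-A INPUT/ {
            if ($0 ~ /-p udp/ && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/) {
                ok = 1; exit
            }
            if ($0 ~ /-j (REJECT|DROP)/) { exit }
        }
        END { exit (ok ? 0 : 1) }
    '
}

# radius_port_status RULES PORT: prints "open" or "blocked".
radius_port_status() {
    if printf '%s\n' "$1" | udp_port_allowed "$2"; then
        echo open
    else
        echo blocked
    fi
}

# Stand-alone run: show the status of both RADIUS ports under each ruleset.
for port in 1812 1813; do
    echo "default ruleset, udp/$port: $(radius_port_status "$DEFAULT_RULES" "$port")"
    echo "fixed ruleset,   udp/$port: $(radius_port_status "$FIXED_RULES" "$port")"
done
```

On a real host the same check runs as `iptables-save | udp_port_allowed 1812`. The tightened ruleset is the defender's alternative to commenting out the REJECT: only the NAS address may reach the RADIUS ports, so a stray client on the LAN cannot probe the server, and the shared secret stays as the second line of defence rather than the only one.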

Actually, for 802.1X you need an aaa authentication ppp <...> line, not login.

Quoted from: https://serverfault.com/questions/645458