Debian

freeradius MAC authentication error (MAC address not found?)

  • April 28, 2022

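So I set up a freeradius 3.0 server on Debian 9 following the official documentation here and here. I have an authorized_mac file containing my device's address, and in the file /etc/freeradius/3.0/mods-enabled/files I indicate which file my MAC addresses are in: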

files authorized_macs {
   # The default key attribute to use for matches.  The content
   # of this attribute is used to match the "name" of the
   # entry.
   key = "%{Calling-Station-ID}"

   usersfile = ${confdir}/authorized_macs

   #  If you want to use the old Cistron 'users' file
   #  with FreeRADIUS, you should change the next line
   #  to 'compat = cistron'.  You can the copy your 'users'
   #  file from Cistron.
   #compat = no
}

My WiFi access point sends MAC addresses to the radius server in the format 1A:2B:3C:4D:5E:6F, but to make sure the problem does not come from there, my authorized_macs file looks like this:

1A:2B:3C:4D:5E:6F
   Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1a:2b:3c:4d:5e:6f
   Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1A2B3C4D5E6F
   Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1a2b3c4d5e6f
   Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1A-2B-3C-4D-5E-6F
   Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1a-2b-3c-4d-5e-6f
   Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

So, when I start the freeradius server in debug mode (freeradius -X) and try to connect to the SSID with my device, I get an error:

[...] -- line 777
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
[...] -- line 783

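The full log is available here. For information, 10.42.0.7 is my freeradius server and 10.42.0.22 is my WiFi access point. The SSID is named "testtt".

TL;DR: According to the official documentation, the configuration is correct. The WiFi access point and freeradius talk to each other fine, but the radius server does not seem to know the addresses, even though they have been given...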


EDIT

Here is the end of the file /etc/freeradius/3.0/sites-enabled/default

server {
       authorize {
               preprocess

               # If cleaning up the Calling-Station-Id...
               rewrite_calling_station_id

               # Now check against the authorized_macs file
               authorized_macs

               if (!ok) {
                       # No match was found, so reject
                       reject
               }
               else {
                       # The MAC address was found, so update Auth-Type
                       # to accept this auth.
                       update control {
                               Auth-Type := Accept
                       }
               }
       }
}

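Problem solved.

The piece of code I showed in the EDIT should not be added at the end of the file. In fact, the "authorize" section already exists, and this should simply be added after it (line 281):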

rewrite_calling_station_id
      # Now check against the authorized_macs file
      authorized_macs
      if (!ok) {
              # No match was found, so reject
              reject
      }
      else {
              # The MAC address was found, so update Auth-Type
              # to accept this auth.
              update control {
                      Auth-Type := Accept
              }
      }
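
A way to tell from `freeradius -X` output whether the `authorized_macs` module never ran in the authorize section (the situation in the post), ran without a match, or matched. This is an added example, not part of the original post; the sample log lines are constructed, modelled on the excerpt above, and the function names are hypothetical. It assumes the files module returns `ok` on a match and `noop` otherwise, which is what the `if (!ok)` test above relies on.

```python
import re

# Debug lines are prefixed with the request number: "(0)   authorize {"
START_RE = re.compile(r"^\((\d+)\)\s+authorize \{\s*$")
END_RE = re.compile(r"^\((\d+)\)\s+\} # authorize = \w+\s*$")
MODULE_RE = re.compile(r"^\((\d+)\)\s+\[([\w.-]+)\] = (\w+)\s*$")

# Constructed sample: the extra server{} block is never used, so the
# authorize section that actually runs has no authorized_macs entry.
BROKEN = """\
(0)   authorize {
(0)     [preprocess] = ok
(0)     [files] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""
# Constructed sample: the check sits inside the existing authorize section.
FIXED = """\
(1)   authorize {
(1)     [preprocess] = ok
(1)     [authorized_macs] = ok
(1)   } # authorize = ok
"""

def authorize_modules(debug_text, request_id):
    """Return [(module, rcode), ...] run in the authorize section of one request."""
    inside, seen = False, []
    for line in debug_text.splitlines():
        if (m := START_RE.match(line)) and int(m.group(1)) == request_id:
            inside = True
        elif (m := END_RE.match(line)) and int(m.group(1)) == request_id:
            inside = False
        elif inside and (m := MODULE_RE.match(line)) and int(m.group(1)) == request_id:
            seen.append((m.group(2), m.group(3)))
    return seen

def diagnose(debug_text, request_id, module="authorized_macs"):
    """'not-run': module absent from authorize; 'no-match': ran, key not found."""
    rcodes = [r for name, r in authorize_modules(debug_text, request_id) if name == module]
    if not rcodes:
        return "not-run"
    return "matched" if rcodes[-1] in ("ok", "updated") else "no-match"

if __name__ == "__main__":
    print(diagnose(BROKEN, 0), diagnose(FIXED, 1))
```

A `not-run` result points at where the module call was placed in the site configuration, while `no-match` points at the key format in the authorized_macs file.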

Quoted from: https://serverfault.com/questions/964170