Debian
freeradius MAC authentication error (MAC address not found?)
So, I set up a freeradius 3.0 server on Debian 9 following the official documentation here and here. I have an authorized_macs file containing my devices' addresses, and in the file /etc/freeradius/3.0/mods-enabled/files I specified which file my MAC addresses are in:

    files authorized_macs {
        # The default key attribute to use for matches.  The content
        # of this attribute is used to match the "name" of the
        # entry.
        key = "%{Calling-Station-ID}"

        usersfile = ${confdir}/authorized_macs

        # If you want to use the old Cistron 'users' file
        # with FreeRADIUS, you should change the next line
        # to 'compat = cistron'.  You can then copy your 'users'
        # file from Cistron.
        #compat = no
    }
My WiFi access point sends the MAC address to the radius server in the format 1A:2B:3C:4D:5E:6F, but to make sure the problem does not come from there, my authorized_macs file looks like this:

    1A:2B:3C:4D:5E:6F
        Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
    1a:2b:3c:4d:5e:6f
        Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
    1A2B3C4D5E6F
        Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
    1a2b3c4d5e6f
        Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
    1A-2B-3C-4D-5E-6F
        Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
    1a-2b-3c-4d-5e-6f
        Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
So, when I start the freeradius server in debug mode (freeradius -X) and try to connect to the SSID with my device, I get this error:

    [...] -- line 777
    (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
    (0) pap: WARNING: Authentication will fail unless a "known good" password is available
    (0)     [pap] = noop
    (0)   } # authorize = ok
    (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
    (0) Failed to authenticate the user
    (0) Using Post-Auth-Type Reject
    [...] -- line 783
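The full log is available here. For information, 10.42.0.7 is my freeradius server and 10.42.0.22 is my WiFi access point. The SSID is named "testtt".

TL;DR: According to the official documentation, the configuration is correct. The WiFi access point and freeradius communicate well with each other, but the radius server does not seem to know the addresses, even though they have been given...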
EDIT

This is the end of the file /etc/freeradius/3.0/sites-enabled/default:

    server {
        authorize {
            preprocess

            # If cleaning up the Calling-Station-Id...
            rewrite_calling_station_id

            # Now check against the authorized_macs file
            authorized_macs

            if (!ok) {
                # No match was found, so reject
                reject
            }
            else {
                # The MAC address was found, so update Auth-Type
                # to accept this auth.
                update control {
                    Auth-Type := Accept
                }
            }
        }
    }
The problem is solved.

The piece of code I showed in the EDIT should not be added at the end of the file. In fact, the "authorize" section already exists, and only this should be added after it (line 281):

    rewrite_calling_station_id

    # Now check against the authorized_macs file
    authorized_macs

    if (!ok) {
        # No match was found, so reject
        reject
    }
    else {
        # The MAC address was found, so update Auth-Type
        # to accept this auth.
        update control {
            Auth-Type := Accept
        }
    }
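An added example, not part of the original post or of FreeRADIUS: a small audit of an authorized_macs file showing which of the key spellings tried in the question can actually match once rewrite_calling_station_id has run before the lookup. It assumes the stock policy rewrites Calling-Station-Id to upper-case, hyphen-separated form and that the files module compares the key as an exact string; the function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample in the layout of the question's authorized_macs file:
# an unindented key line, then indented reply items.
SAMPLE = '''\
1A:2B:3C:4D:5E:6F
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
1a2b3c4d5e6f
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
1A-2B-3C-4D-5E-6F
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
not-a-mac
    Reply-Message = "never used"
'''

# Six hex pairs with at most one separator character between pairs.
MAC_RE = re.compile('^' + '[^0-9a-f]?'.join(['([0-9a-f]{2})'] * 6) + '$')


def canonical_mac(value):
    """Return the MAC as AA-BB-CC-DD-EE-FF (assumed rewrite target), or None."""
    m = MAC_RE.match(value.strip().lower())
    return '-'.join(m.groups()).upper() if m else None


def entry_keys(text):
    """Yield (line_number, key) for every entry header in a users-style file."""
    for number, line in enumerate(text.splitlines(), 1):
        if not line or line[0].isspace() or line.startswith(('#', '$')):
            continue  # blank line, reply item, comment or $INCLUDE
        yield number, line.split()[0]


def audit(text):
    """Report whether each key can match a rewritten Calling-Station-Id."""
    report = []
    for number, key in entry_keys(text):
        canon = canonical_mac(key)
        if key == 'DEFAULT':
            status = 'default entry'
        elif canon is None:
            status = 'not a MAC'
        elif key == canon:
            status = 'matches'  # exact string equality, as assumed for files
        else:
            status = 'never matches, use ' + canon
        report.append((number, key, status))
    return report


if __name__ == '__main__':
    for number, key, status in audit(SAMPLE):
        print(f'line {number}: {key}: {status}')
```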