Auth-Type :- RADIUS 使用者文件中的拒絕匹配內部隧道請求但發送 Access-Accept
我在與 OpenLDAP 對話的 Ubuntu 10.04.4 上使用 FreeRADIUS 2.1.8 設置了 WPA2 802.11x EAP 身份驗證設置,並且可以使用 PEAP/MSCHAPv2、TTLS/MSCHAPv2 和 TTLS/PAP 成功進行身份驗證(通過 AP 和使用eapol_test)。我現在嘗試根據使用者所屬的 LDAP 組限制對特定 SSID 的訪問。
我已經
/etc/freeradius/modules/ldap
像這樣配置了組成員身份簽入:groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=posixGroup)(memberUid=%{User-Name}))(&(objectClass=posixGroup)(uniquemember=%{User-Name})))"
並且我已經根據Mac Auth wiki 頁面配置了將 SSID 從 Called-Station-Id 提取到 Called-Station-SSID 中。在
/etc/freeradius/eap.conf
我已啟用將屬性從外部隧道複製到內部隧道中,並在外部隧道中使用內部隧道響應(對於 PEAP 和 TTLS)。但是,在更改這些選項之前,我有相同的行為。copy_request_to_tunnel = yes use_tunneled_reply = yes
我正在
eapol_test
這樣執行以測試設置:eapol_test -c peap-mschapv2.conf -a 172.16.0.16 -s testing123 -N 30:s:01-23-45-67-89-01:Example-EAP
使用以下
peap-mschapv2.conf
文件:network={ ssid="Example-EAP" key_mgmt=WPA-EAP eap=PEAP identity="mgorven" anonymous_identity="anonymous" password="foobar" phase2="autheap=MSCHAPV2" }
使用以下內容
/etc/freeradius/users
:DEFAULT Ldap-Group == "employees"
並執行
freeradius-Xx
,我可以看到 LDAP 組檢索工作,並且提取了 SSID。Debug: [ldap] performing search in dc=example,dc=com, with filter (&(cn=employees)(|(&(objectClass=posixGroup)(memberUid=mgorven))(&(objectClass=posixGroup)(uniquemember=mgorven)))) Debug: rlm_ldap::ldap_groupcmp: User found in group employees ... Info: expand: %{7} -> Example-EAP
接下來我嘗試只允許訪問
employees
組中的使用者(不管 SSID),所以我將以下內容放入/etc/freeradius/users
:DEFAULT Ldap-Group == "employees" DEFAULT Auth-Type := Reject
但這會立即拒絕外部隧道中的訪問請求,因為
anonymous
使用者不在employees
組中。所以我將其修改為僅匹配內部隧道請求,如下所示:DEFAULT Ldap-Group == "employees" DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1" Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID."
現在,組中的使用者已
employees
通過身份驗證,但不在employees
組中的使用者也是如此。我看到拒絕條目被匹配,並且設置了回复消息,但客戶端收到了訪問接受。Debug: rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member. Info: [files] users: Matched entry DEFAULT at line 209 Info: ++[files] returns ok ... Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel) Info: WARNING: Empty section. Using default return values. ... Info: [peap] Got tunneled reply code 2 Auth-Type := Reject Reply-Message = "User does not belong to any groups which may access this SSID." ... Info: [peap] Got tunneled reply RADIUS code 2 Auth-Type := Reject Reply-Message = "User does not belong to any groups which may access this SSID." ... Info: [peap] Tunneled authentication was successful. Info: [peap] SUCCESS Info: [peap] Saving tunneled attributes for later ... Sending Access-Accept of id 11 to 172.16.2.44 port 60746 Reply-Message = "User does not belong to any groups which may access this SSID." User-Name = "mgorven"
並
eapol_test
報告:RADIUS message: code=2 (Access-Accept) identifier=11 length=233 Attribute 18 (Reply-Message) length=64 Value: 'User does not belong to any groups which may access this SSID.' Attribute 1 (User-Name) length=9 Value: 'mgorven' ... SUCCESS
為什麼請求沒有被拒絕,這是實現這一點的正確方法嗎?
出於某種奇怪的原因,設置
Auth-Type
是檢查項,而不是回复項,因此必須在規則的第一行進行。以下工作正常:DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1", Auth-Type := Reject Reply-Message = "User does not belong to any groups which may access this SSID."