Ldap

Auth-Type :- RADIUS 使用者文件中的拒絕匹配內部隧道請求但發送 Access-Accept

  • June 12, 2012

我在與 OpenLDAP 對話的 Ubuntu 10.04.4 上使用 FreeRADIUS 2.1.8 設置了 WPA2 802.11x EAP 身份驗證設置,並且可以使用 PEAP/MSCHAPv2、TTLS/MSCHAPv2 和 TTLS/PAP 成功進行身份驗證(通過 AP 和使用eapol_test)。我現在嘗試根據使用者所屬的 LDAP 組限制對特定 SSID 的訪問。

我已經/etc/freeradius/modules/ldap像這樣配置了組成員身份簽入:

groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=posixGroup)(memberUid=%{User-Name}))(&(objectClass=posixGroup)(uniquemember=%{User-Name})))"

並且我已經根據Mac Auth wiki 頁面配置了將 SSID 從 Called-Station-Id 提取到 Called-Station-SSID 中。在/etc/freeradius/eap.conf我已啟用將屬性從外部隧道複製到內部隧道中,並在外部隧道中使用內部隧道響應(對於 PEAP 和 TTLS)。但是,在更改這些選項之前,我有相同的行為。

copy_request_to_tunnel = yes
use_tunneled_reply = yes

我正在eapol_test這樣執行以測試設置:

eapol_test -c peap-mschapv2.conf -a 172.16.0.16 -s testing123 -N 30:s:01-23-45-67-89-01:Example-EAP

使用以下peap-mschapv2.conf文件:

network={
   ssid="Example-EAP"
   key_mgmt=WPA-EAP
   eap=PEAP
   identity="mgorven"
   anonymous_identity="anonymous"
   password="foobar"
   phase2="autheap=MSCHAPV2"
}

使用以下內容/etc/freeradius/users

DEFAULT Ldap-Group == "employees"

並執行freeradius-Xx,我可以看到 LDAP 組檢索工作,並且提取了 SSID。

Debug:   [ldap] performing search in dc=example,dc=com, with filter (&(cn=employees)(|(&(objectClass=posixGroup)(memberUid=mgorven))(&(objectClass=posixGroup)(uniquemember=mgorven))))
Debug: rlm_ldap::ldap_groupcmp: User found in group employees
...
Info:        expand: %{7} -> Example-EAP

接下來我嘗試只允許訪問employees組中的使用者(不管 SSID),所以我將以下內容放入/etc/freeradius/users

DEFAULT Ldap-Group == "employees"

DEFAULT Auth-Type := Reject

但這會立即拒絕外部隧道中的訪問請求,因為anonymous使用者不在employees組中。所以我將其修改為僅匹配內部隧道請求,如下所示:

DEFAULT Ldap-Group == "employees"

DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
       Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID."

現在,組中的使用者已employees通過身份驗證,但不在employees組中的使用者也是如此。我看到拒絕條目被匹配,並且設置了回复消息,但客戶端收到了訪問接受。

Debug: rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member.
Info: [files] users: Matched entry DEFAULT at line 209
Info: ++[files] returns ok
...
Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel)
Info:   WARNING: Empty section.  Using default return values.
...
Info: [peap] Got tunneled reply code 2
       Auth-Type := Reject
       Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Got tunneled reply RADIUS code 2
       Auth-Type := Reject
       Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Tunneled authentication was successful.
Info: [peap] SUCCESS
Info: [peap] Saving tunneled attributes for later
...
Sending Access-Accept of id 11 to 172.16.2.44 port 60746
       Reply-Message = "User does not belong to any groups which may access this SSID."
       User-Name = "mgorven"

eapol_test報告:

RADIUS message: code=2 (Access-Accept) identifier=11 length=233
  Attribute 18 (Reply-Message) length=64
     Value: 'User does not belong to any groups which may access this SSID.'
  Attribute 1 (User-Name) length=9
     Value: 'mgorven'
...
SUCCESS

為什麼請求沒有被拒絕,這是實現這一點的正確方法嗎?

出於某種奇怪的原因,設置Auth-Type檢查項,而不是回复項,因此必須在規則的第一行進行。以下工作正常:

DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1", Auth-Type := Reject
   Reply-Message = "User does not belong to any groups which may access this SSID."

引用自:https://serverfault.com/questions/397087