Proxy
使用領域的 FreeRadius MSCHAP 身份驗證失敗
我有帶有 AD 作為使用者儲存的 FreeRadius 2.0 伺服器。使用 EAP-PEAP-MSCHAP2 進行身份驗證。本地領域在 proxy.conf 中定義。身份驗證工作正常,無需將領域添加到使用者名。一旦我使用帶有領域的使用者名進行身份驗證,即使用者名@realm.com,身份驗證就會失敗。失敗的原因很清楚,它失敗是因為 radius 伺服器 mschap 模組使用包含領域的使用者名創建挑戰雜湊。我需要 radius mschap 模組從剝離的使用者名創建雜湊,即不包括領域。有任何想法嗎?請參閱下面的半徑調試日誌:
rad_recv: Access-Request packet from host 192.168.1.254 port 55769, id=138, length=376 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "user5@contoso.local" State = 0x3ce95d9d3fed44ec4019661d07f2a324 NAS-Port-Id = "wlan1" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "5C-3C-27-29-AE-0B" Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test" EAP-Message = 0x020400d01980000000c61603010086100000820080791cc56766422be7f48414f5942dda519afd607aea2fae890f9236e8af61cf71c66f4f80a5d427672d7f949a3fa163b959f0f1957f382f533a3f9c23d576dafcb5d36ca04dc7d0002203513a23b9394b75cf98f241a6c585583593f6622829a39a736160f0f83b567fa7bbc253558191630071d1889827f6118f366040f69d8814030100010116030100307173492977a9f772a302c0ecb7d2612700f9433dce8e08ff0e74b84dbc62de5fe5a95921f364f8c68dd38484550022ae Message-Authenticator = 0x9a61469cb26792ebd980f294bd9a64c9 NAS-Identifier = "MikroTik" NAS-IP-Address = 192.168.1.254 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313 [auth_log] expand: %t -> Thu Mar 13 16:17:17 2014 ++[auth_log] returns ok ++[mschap] returns noop [suffix] Looking up realm "contoso.local" for User-Name = "user5@contoso.local" [suffix] Found realm "contoso.local" [suffix] Adding Stripped-User-Name = "user5" [suffix] Adding Realm = "contoso.local" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 4 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED
問題是內部隧道虛擬伺服器沒有剝離領域。為了修復它,我在內部隧道中指定了後綴命令,如下所示:
server inner-tunnel { authorize { ... suffix ... } }