Wifi

帶有 FreeRADIUS 3 的 EAP-PWD

  • April 19, 2015

我正在嘗試使用 FreeRADIUS 3 設置 EAP-PWD。

但是,我無法讓它工作,並且文件幾乎不存在。因此,我不知道我遇到的問題是配置錯誤還是實際錯誤。

配置

這是我的配置(至少是相關的部分):

啟用模組/eap:

eap {
   pwd {
   #group = 19

   server_id = example@example.com

   #  This has the same meaning as for TLS.
   fragment_size = 1020

   # The virtual server which determines the "known good" password for the user.
   # Note that unlike TLS, only the "authorize" section is processed.
   # EAP-PWD requests can be distinguished by having a User-Name, but no User-Password, CHAP-Password, EAP-Message, etc.
   #virtual_server = "inner-tunnel"
}

我不知道group = 19應該是什麼意思。(這裡沒有解釋)

網站啟用/預設:

authorize {
   filter_username
   preprocess

   #  Look in an SQL database.
   sql

   #permit_only_eap
   eap {
       ok = return
   }

   logintime
}

authenticate {
   #  Allow EAP authentication.
   eap
}

啟用站點/內部隧道:

authorize {
   eap {
       ok = return
   }

   #  Look in an SQL database.
   sql

   expiration
}

authenticate {
   mschap

   #  Allow EAP authentication.
   eap
}

老實說,我不明白 EAP-PWD 是否/為什麼需要隧道請求。我設置了它,因為我也使用 PEAPv0/MS-CHAPv2。我嘗試了兩個虛擬伺服器(預設和內部隧道)

問題

嗯,問題。我收到請求者的身份驗證錯誤。這是我在日誌中看到的:

(2) eap: Peer sent method PWD (52)
(2) eap: EAP PWD (52)
(2) eap: Calling eap_pwd to process EAP data
(2) eap_pwd: Sending tunneled request
(2) eap_pwd: server default {
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (!&User-Name) {
(2)       if (!&User-Name)  -> TRUE
(2)       if (!&User-Name)  {
(2)         [noop] = noop
(2)       } # if (!&User-Name)  = noop
(2)       if (&User-Name =~ / /) {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       if (&User-Name =~ /@.*@/ ) {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       if (&User-Name =~ /\.\./ ) {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       if (&User-Name =~ /\.$/)  {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       if (&User-Name =~ /@\./)  {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)     } # policy filter_username = noop
(2)     [preprocess] = ok
(2) sql: EXPAND %{User-Name}
(2) sql:    -->
(2) sql: SQL-User-Name set to ''
rlm_sql (sql): Reserved connection (4)
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id
(2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(2) sql:    --> SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority
(2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority
(2) sql: User not found in any groups
rlm_sql (sql): Released connection (4)
(2)     [sql] = notfound
(2) eap: No EAP-Message, not doing EAP
(2)     [eap] = noop
(2)     [logintime] = noop
(2)   } # authorize = ok
(2) eap_pwd: } # server default
(2) eap_pwd: Got tunneled reply code 0
failed to find password for lars to do pwd authentication
(2) eap: ERROR: Failed continuing EAP PWD (52) session. EAP sub-module failed
(2) eap: Failed in EAP select
(2)     [eap] = invalid
(2)   } # authenticate = invalid
(2) Failed to authenticate the user
(2) Login incorrect (eap: Failed continuing EAP PWD (52) session. EAP sub-module failed): [lars] (from client LARS-RANNOCH port 4 cli 48-59-29-F6-BA-89)

第一個授權部分(未在上面的日誌中顯示)執行正常,但之後 EAP-PWD 似乎執行了另一個隧道請求。(為什麼?我認為這只是 PEAP 和 EAP-TTLS 所必需的)。在這種情況下,我已經對 EAP 配置中的“虛擬伺服器”行進行了註釋,因此該請求由預設虛擬伺服器處理。

可以看出,User-Name屬性為空(SQL-User-Name set to ''),這導致 sql 模組無法獲取正確的記錄:failed to find password for lars to do pwd authentication

我的 EAP-PWD 配置是否正確?是什麼導致了這個錯誤?

這是一個錯誤。開發原始 PWD 程式碼的人只是將 User-Name VALUE_PAIR 添加到請求的使用者名記憶體指針中,而不是實際的請求列表中。

一些模組忽略了指針,這是很久以前的糟糕優化。

將這對添加到請求列表可解決此問題。這是送出

感謝您幫助追踪此問題。該修復程序將作為 v3.0.8 的一部分發布。同時,您可以下載v3.0.x HEAD並嘗試一下。

在內部隧道中設置後control:Cleartext-Password,我獲得了成功的身份驗證。希望它對你有用。

引用自:https://serverfault.com/questions/683897