帶有 FreeRADIUS 3 的 EAP-PWD
我正在嘗試使用 FreeRADIUS 3 設置 EAP-PWD。
但是,我無法讓它工作,並且文件幾乎不存在。因此,我不知道我遇到的問題是配置錯誤還是實際錯誤。
配置
這是我的配置(至少是相關的部分):
啟用模組/eap:
eap { pwd { #group = 19 server_id = example@example.com # This has the same meaning as for TLS. fragment_size = 1020 # The virtual server which determines the "known good" password for the user. # Note that unlike TLS, only the "authorize" section is processed. # EAP-PWD requests can be distinguished by having a User-Name, but no User-Password, CHAP-Password, EAP-Message, etc. #virtual_server = "inner-tunnel" }
我不知道
group = 19
應該是什麼意思。(這裡沒有解釋)網站啟用/預設:
authorize { filter_username preprocess # Look in an SQL database. sql #permit_only_eap eap { ok = return } logintime } authenticate { # Allow EAP authentication. eap }
啟用站點/內部隧道:
authorize { eap { ok = return } # Look in an SQL database. sql expiration } authenticate { mschap # Allow EAP authentication. eap }
老實說,我不明白 EAP-PWD 是否/為什麼需要隧道請求。我設置了它,因為我也使用 PEAPv0/MS-CHAPv2。我嘗試了兩個虛擬伺服器(預設和內部隧道)
問題
嗯,問題。我收到請求者的身份驗證錯誤。這是我在日誌中看到的:
(2) eap: Peer sent method PWD (52) (2) eap: EAP PWD (52) (2) eap: Calling eap_pwd to process EAP data (2) eap_pwd: Sending tunneled request (2) eap_pwd: server default { (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (!&User-Name) { (2) if (!&User-Name) -> TRUE (2) if (!&User-Name) { (2) [noop] = noop (2) } # if (!&User-Name) = noop (2) if (&User-Name =~ / /) { (2) ERROR: Failed retrieving values required to evaluate condition (2) if (&User-Name =~ /@.*@/ ) { (2) ERROR: Failed retrieving values required to evaluate condition (2) if (&User-Name =~ /\.\./ ) { (2) ERROR: Failed retrieving values required to evaluate condition (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) ERROR: Failed retrieving values required to evaluate condition (2) if (&User-Name =~ /\.$/) { (2) ERROR: Failed retrieving values required to evaluate condition (2) if (&User-Name =~ /@\./) { (2) ERROR: Failed retrieving values required to evaluate condition (2) } # policy filter_username = noop (2) [preprocess] = ok (2) sql: EXPAND %{User-Name} (2) sql: --> (2) sql: SQL-User-Name set to '' rlm_sql (sql): Reserved connection (4) (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) sql: --> SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority (2) sql: User not found in any groups rlm_sql (sql): Released connection (4) (2) [sql] = notfound (2) eap: No EAP-Message, not doing EAP (2) [eap] = noop (2) [logintime] = noop (2) } # authorize = ok (2) eap_pwd: } # server default (2) eap_pwd: Got tunneled reply code 0 failed to find password for lars to do pwd authentication (2) eap: ERROR: Failed continuing EAP PWD (52) session. EAP sub-module failed (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Login incorrect (eap: Failed continuing EAP PWD (52) session. EAP sub-module failed): [lars] (from client LARS-RANNOCH port 4 cli 48-59-29-F6-BA-89)
第一個授權部分(未在上面的日誌中顯示)執行正常,但之後 EAP-PWD 似乎執行了另一個隧道請求。(為什麼?我認為這只是 PEAP 和 EAP-TTLS 所必需的)。在這種情況下,我已經對 EAP 配置中的“虛擬伺服器”行進行了註釋,因此該請求由預設虛擬伺服器處理。
可以看出,User-Name屬性為空(
SQL-User-Name set to ''
),這導致 sql 模組無法獲取正確的記錄:failed to find password for lars to do pwd authentication
。我的 EAP-PWD 配置是否正確?是什麼導致了這個錯誤?
這是一個錯誤。開發原始 PWD 程式碼的人只是將 User-Name VALUE_PAIR 添加到請求的使用者名記憶體指針中,而不是實際的請求列表中。
一些模組忽略了指針,這是很久以前的糟糕優化。
將這對添加到請求列表可解決此問題。這是送出。
感謝您幫助追踪此問題。該修復程序將作為 v3.0.8 的一部分發布。同時,您可以下載v3.0.x HEAD並嘗試一下。
在內部隧道中設置後
control:Cleartext-Password
,我獲得了成功的身份驗證。希望它對你有用。