I need a little help to understand whether my wireless login using RADIUS + LDAP is secure enough.
I have this infrastructure: PC client (Linux) + ASUS wireless AP + FreeRADIUS and OpenLDAP on the same machine in the cloud.
I have configured everything and now I can log in with LDAP credentials. The client uses WPA2 Enterprise with TTLS + PAP, because PAP is the only protocol available, since the passwords in LDAP are encrypted (ssha).
Is everything secure even though I use PAP?
This is the output of radiusd -x after logging in:
rad_recv: Access-Request packet from host MYHOST port 34321, id=46, length=144
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100110163696363696f2e62656c6c6f
Message-Authenticator = 0x54067f60041b728d4922c41eb47701f9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for MYUSERNAME
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> MYUSERNAME
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=MYUSERNAME)
[ldap] expand: dc=MYCOMPANYNAME,dc=XX -> dc=MYCOMPANYNAME,dc=XX
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to localhost:389, authentication 0
[ldap] bind as / to localhost:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=MYCOMPANYNAME,dc=XX, with filter (uid=MYUSERNAME)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusPortLimit -> Port-Limit = 2
[ldap] radiusIdleTimeout -> Idle-Timeout = 10
[ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
[ldap] radiusFramedMTU -> Framed-MTU = 1500
[ldap] radiusFramedIPAddress -> Framed-IP-Address = 255.255.255.254
[ldap] radiusFramedProtocol -> Framed-Protocol = PPP
[ldap] radiusServiceType -> Service-Type = Framed-User
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 46 to MYHOST port 34321
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Port-Limit = 2
Idle-Timeout = 10
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1500
Framed-IP-Address = 255.255.255.254
Framed-Protocol = PPP
Service-Type = Framed-User
EAP-Message = 0x010200160410b148152ba08ab4607e84d55f739a3ef3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4961f26b4941b04a1bc4b208f20b4e7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=47, length=151
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060315
State = 0xb4961f26b4941b04a1bc4b208f20b4e7
Message-Authenticator = 0x9f0f65b2a2f87074e97b124376e7f431
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for MYUSERNAME
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> MYUSERNAME
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=MYUSERNAME)
[ldap] expand: dc=MYCOMPANYNAME,dc=XX -> dc=MYCOMPANYNAME,dc=XX
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=MYCOMPANYNAME,dc=XX, with filter (uid=MYUSERNAME)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusPortLimit -> Port-Limit = 2
[ldap] radiusIdleTimeout -> Idle-Timeout = 10
[ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
[ldap] radiusFramedMTU -> Framed-MTU = 1500
[ldap] radiusFramedIPAddress -> Framed-IP-Address = 255.255.255.254
[ldap] radiusFramedProtocol -> Framed-Protocol = PPP
[ldap] radiusServiceType -> Service-Type = Framed-User
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 47 to MYHOST port 34321
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Port-Limit = 2
Idle-Timeout = 10
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1500
Framed-IP-Address = 255.255.255.254
Framed-Protocol = PPP
Service-Type = Framed-User
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4961f26b5950a04a1bc4b208f20b4e7
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=48, length=454
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x16000e000d000b000c0009000a000d0020001e060106020603050105020503040104020403030103020303020102020203000f000101
State = 0xb4961f26b5950a04a1bc4b208f20b4e7
Message-Authenticator = 0x9f5728a6902c6f16485f2eed80c4652c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 253
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0128], ClientHello
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 003e], ServerHello
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 030e], Certificate
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 48 to MYHOST port 34321
EAP-Message = 0x63656e7472616c2d312e636f6d707574652e696e7465726e616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100b6cfaf705b881279fe399ed9e708a2f0e361cd6d2586a1e7cad4b46629f5377efc81ef0d4e2a149d42bc523210a3ed52833a93caf7de7f06a624eb654bcb6b64453e390b56bc3af10e61620f21f51bf1d0cc218e5a49c10d59c611ee50f33928863d5434453c737a10a3d30f42a859414ba511d3ab2f2ce85f2ef390c30b48c702aa16cff36f3f058c14cdfca5c9fa12ec6d3c2be86e1178932320b4013e1b96a86bb9cc5848622f4b4989e1b5783c30d2e1dd295a2d57a94de3c5df10669a033db6
EAP-Message = 0xe5e700071625adca3796d40956b2fc990f4cc93132c5af0d2a0fc3d47ea7ad833888c4bf80839fc76b88870ce099de01acae3d6c7a36a249fcca2d69351dc20d230ae5d6211a174caa3a6b23eaaff74e4225ad3522daba22ba2ea152b4680f8ea23617a5b80072f538160301014b0c0001470300174104f0ffcd7da5999c754ac670b357e6f23a863c32d1224650000ed329805dd577a87a66b94267470889ad6f13e5aecb0c75fd9bcca9baf5b387dff35911a9cbe38601007913b21ea8de618fcecbb3c81b2a5f96611704a797ae4a3886d69ad31bae811a82954c9abf4e020077dee057372e51638e91a0919d1f80cfdcebddcd9473562070ad1193
EAP-Message = 0x41c2388a034111e89a66df84
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4961f26b6920a04a1bc4b208f20b4e7
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=49, length=151
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061500
State = 0xb4961f26b6920a04a1bc4b208f20b4e7
Message-Authenticator = 0x5e54e734a23f7d5eccd994dd6b3b1c64
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 49 to MYHOST port 34321
EAP-Message = 0x010500c31580000004af95618a570ca1af462abbae65491a7eb4fb54855bc38d7d24ea3dfe0d6b2317db0291ab32cd3581def62f41f0818af0265db92e9373e6dedd2d9ac109c70c69abb65f98a9a2adc612f44f5dae42077752ca2da44d1d65edbe3eae84131e843b0cb0cf0f67a7cba37fd53b52ab087329c20bf41212f8bcf644e3b0f947c7efb6c48c3a47ee2e9b82e90d6ca712388d32a1ad2547b8d9c58f14ccbc9ea73ac1368389bd19f30524e3fc34ca63323234538e16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4961f26b7930a04a1bc4b208f20b4e7
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=50, length=285
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0205008c15001603010046100000424104ad07a8afc3f54a25ad1e2d16cb82d7fee22bbd5d29230586f6bd74c5b5f63ab583d2893d5d929ddbfbccd3d979ab1991aa327bdb1bbfde3b911474ec4e40ba1b1403010001011603010030e4ade37cae91ee44ea813a08bccd336330ea8f0e683e27671ebc192531fb39d497ad24e18a55aef6ac9196abdc07ba11
State = 0xb4961f26b7930a04a1bc4b208f20b4e7
Message-Authenticator = 0xcc67db6ecf8d276c1e1dcfe3b174ae5f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 50 to MYHOST port 34321
EAP-Message = 0x0106004515800000003b1403010001011603010030c80d41290431875efa6f9b95f93e9efe6caca8b619ff85be8774b5005d6d7d9407a83820d5f0491f4c0b6d6eba1571bc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4961f26b0900a04a1bc4b208f20b4e7
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=51, length=273
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02060080150017030100201b68b351df52aa520d5cef2e67154f1634828faa63b4015ff1c95858612fd2da1703010050cc8afe5516e1093bc38f7c72ad9451ad667a8f87c79b1cb571d501733c12840822aa82249accb65441ebeeb2b7830406351dd0c1921e46682bb2c50cacdd4e2ac89519e4032fd9ee46c06f6c3ae87cc0
State = 0xb4961f26b0900a04a1bc4b208f20b4e7
Message-Authenticator = 0x01b3a063376dd33133836e9662c60a85
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 128
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "MYUSERNAME"
User-Password = "MYPASSWORD"
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "MYUSERNAME"
User-Password = "MYPASSWORD"
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[ldap] performing user authorization for MYUSERNAME
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> MYUSERNAME
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=MYUSERNAME)
[ldap] expand: dc=MYCOMPANYNAME,dc=XX -> dc=MYCOMPANYNAME,dc=XX
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=MYCOMPANYNAME,dc=XX, with filter (uid=MYUSERNAME)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusPortLimit -> Port-Limit = 2
[ldap] radiusIdleTimeout -> Idle-Timeout = 10
[ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
[ldap] radiusFramedMTU -> Framed-MTU = 1500
[ldap] radiusFramedIPAddress -> Framed-IP-Address = 255.255.255.254
[ldap] radiusFramedProtocol -> Framed-Protocol = PPP
[ldap] radiusServiceType -> Service-Type = Framed-User
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group LDAP {
[ldap] login attempt by "MYUSERNAME" with password "MYPASSWORD"
[ldap] user DN: uid=MYUSERNAME,ou=people,dc=MYCOMPANYNAME,dc=XX
[ldap] (re)connect to localhost:389, authentication 1
[ldap] bind as uid=MYUSERNAME,ou=people,dc=MYCOMPANYNAME,dc=XX/MYPASSWORD to localhost:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user MYUSERNAME authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
Login OK: [MYUSERNAME] (from client Bologna port 0 via TLS tunnel)
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Port-Limit = 2
Idle-Timeout = 10
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1500
Framed-IP-Address = 255.255.255.254
Framed-Protocol = PPP
Service-Type = Framed-User
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [MYUSERNAME] (from client Bologna port 0 cli D8-0F-99-5F-62-A1)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 51 to MYHOST port 34321
MS-MPPE-Recv-Key = 0x28aa4458b67ba2c51a43a0b0d444edd7ca1857a316904ab88670ea72b10bb375
MS-MPPE-Send-Key = 0x476389374dc15fb4cc34d491493b43db273451ce228245ea384c04a5db15ff9b
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "MYUSERNAME"
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 46 with timestamp +165
Cleaning up request 1 ID 47 with timestamp +165
Cleaning up request 2 ID 48 with timestamp +165
Cleaning up request 3 ID 49 with timestamp +165
Cleaning up request 4 ID 50 with timestamp +165
Cleaning up request 5 ID 51 with timestamp +165
Ready to process requests.
Thank you very much for your help.
Answer 0 (score: 0)
EAP-TTLS is only secure if the client/supplicant is configured to properly validate the certificate presented by the RADIUS server. Usually the only way to do this is to pre-configure the wireless profile and supplicant settings on every device that connects to the network.
If you want secure authentication, use OpenLDAP's PKI module, generate a certificate for each user/device, and use EAP-TLS.
See this presentation for information on current supplicant behaviour.
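As an added example (not code from the question or the answer), here is a small Python audit of wpa_supplicant network blocks that flags exactly the gap the answer describes for the Linux client in the question: a tunnelled EAP profile (TTLS/PEAP) that does not pin the RADIUS server's certificate, so the PAP password inside the tunnel would be handed to whichever server answers. The SSID, CA file path and domain are constructed sample values, not from the page.

```python
import re

# Constructed sample: profile as the question describes it, TTLS + PAP with no server check
INSECURE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="MYUSERNAME"
    password="MYPASSWORD"
    phase2="auth=PAP"
}
"""

# Constructed sample: same profile pinned to the RADIUS server's CA and name (assumed values)
HARDENED_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="MYUSERNAME"
    anonymous_identity="anonymous"
    password="MYPASSWORD"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.internal"
    phase2="auth=PAP"
}
"""

# Tunnelled methods: the inner credential is only as safe as the outer TLS validation
TUNNELED = {"TTLS", "PEAP", "FAST"}
NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """Return one dict per network={...} block, key -> unquoted value (comments dropped)."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                k, v = line.split("=", 1)
                net[k.strip()] = v.strip().strip('"')
        nets.append(net)
    return nets

def audit(net):
    """Findings for one block; an empty list means the server certificate is pinned."""
    findings = []
    if net.get("eap", "").upper() not in TUNNELED:
        return findings  # EAP-TLS and non-EAP profiles are out of scope here
    if not net.get("ca_cert") and not net.get("ca_cert2"):
        findings.append("no ca_cert: any server presenting any certificate is trusted")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no domain_match/subject_match: any certificate from that CA is accepted")
    if not net.get("anonymous_identity"):
        findings.append("no anonymous_identity: real user name is sent in the unencrypted outer EAP-Identity")
    return findings

def audit_conf(conf):
    """Map each SSID in a wpa_supplicant.conf string to its list of findings."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(conf)}
```

Run `audit_conf` over the real /etc/wpa_supplicant/wpa_supplicant.conf to see whether a profile would accept a rogue AP's certificate before it sends the PAP password.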