我正在建立一个无线实验室。密码为guest123的用户guest123
使用802.1X身份验证通过无线进行身份验证。 FreeRadius应该
也返回FilterId=>labguest。无线控制器的规则设置
在FilterId交换期间返回的RADIUS用户角色。
相反,请求/响应会生成十次,并为用户分配了
默认角色"authenticated"。
在详细介绍之前的简短问题是我做错了什么,
是否有一个自动化工具来解析FreeRadius -X输出和。{
提出建议?
来自无线控制器和freeradius的简单命令行测试显示 身份验证和返回的属性。
root@ubuntu/etc/freeradius@ radtest guest123 guest123 localhost 0 testing123
User-Name = "guest123"
User-Password = "guest123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "guest123"
Received Access-Accept Id 184 from 127.0.0.1:1812 to 0.0.0.0:0 length 36
Service-Type = Framed-User
Filter-Id = "labguest"
“labguest”这个角色定义如下:
user-role labguest
access-list session global-sacl
access-list session apprf-labguest-sacl
access-list session "Cant ping controller"
access-list session allowall
access-list session v6-allowall
基于FilterId分配用户角色的规则如下:
aaa server-group "lab-emp_srvgrp-kqh72"
auth-server radius1
set role condition Filter-Id value-of
通过无线和802.1X进行身份验证后,用户将收到默认值 802.1X角色,“经过身份验证”而不是“labguest”。
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X
VLAN Derivation: Default VLAN
FreeRADIUS Version 3.0.15
<<<deleted debug output>>>
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 50900
Listening on proxy address :: port 60069
Ready to process requests
(0) Received Access-Request Id 42 from 192.168.18.254:40607 to
192.168.18.249:1812 length 175
(0) User-Name = "guest123"
(0) NAS-IP-Address = 192.168.18.254
(0) NAS-Port = 0
(0) NAS-Identifier = "192.168.18.254"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "4439C459E564"
(0) Called-Station-Id = "000B86BE91F0"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1100
(0) EAP-Message = 0x0202000d016775657374313233
(0) Aruba-Essid-Name = "lab-emp"
(0) Aruba-Location-Id = "AP1"
(0) Aruba-AP-Group = "lab1"
(0) Message-Authenticator = 0x6780aa98cfe6f147e8334301882c9c1f
(0) # Executing section authorize from file /etc/freeradius/sites-enabled
/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "guest123", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 2 length 13
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 3 length 6
(0) eap: EAP session adding &reply:State = 0xedb76556edb4700e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 42 from 192.168.18.249:1812 to
192.168.18.254:40607 length 0
(0) EAP-Message = 0x010300061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xedb76556edb4700e88dcdd844646037b
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 43 from 192.168.18.254:40607 to
192.168.18.249:1812 length 186
(1) User-Name = "guest123"
(1) NAS-IP-Address = 192.168.18.254
(1) NAS-Port = 0
(1) NAS-Identifier = "192.168.18.254"
(1) NAS-Port-Type = Wireless-802.11
(1) Calling-Station-Id = "4439C459E564"
(1) Called-Station-Id = "000B86BE91F0"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1100
(1) EAP-Message = 0x020300060319
(1) State = 0xedb76556edb4700e88dcdd844646037b
(1) Aruba-Essid-Name = "lab-emp"
(1) Aruba-Location-Id = "AP1"
(1) Aruba-AP-Group = "lab1"
(1) Message-Authenticator = 0xfe39826a334b5ddbe8fa4012037a87d8
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled
/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "guest123", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 3 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry guest123 at line 82
(1) [files] = ok
(1) sql: EXPAND %{User-Name}
(1) sql: --> guest123
(1) sql: SQL-User-Name set to 'guest123'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'guest123' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'guest123' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-
User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username =
'guest123' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'guest123' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname=radius
host=localhost user=radius password=********
Connected to database 'radius' on 'localhost' server version 90510, protocol
version 3, backend PID 1714
(1) [sql] = notfound
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xedb76556edb4700e
(1) eap: Finished EAP session with state 0xedb76556edb4700e
(1) eap: Previous EAP request found for state 0xedb76556edb4700e, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 4 length 6
(1) eap: EAP session adding &reply:State = 0xedb76556ecb37c0e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 43 from 192.168.18.249:1812 to
192.168.18.254:40607 length 0
(1) Service-Type = Framed-User
(1) Framed-Filter-Id = "labguest"
(1) EAP-Message = 0x010400061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xedb76556ecb37c0e88dcdd844646037b
(1) Finished request
Waking up in 4.9 seconds.
<<<deleted generally repeating debug output>>>
(10) Received Access-Request Id 52 from 192.168.18.254:40607 to 192.168.18.249:1812 length 223
(10) User-Name = "guest123"
(10) NAS-IP-Address = 192.168.18.254
(10) NAS-Port = 0
(10) NAS-Identifier = "192.168.18.254"
(10) NAS-Port-Type = Wireless-802.11
(10) Calling-Station-Id = "4439C459E564"
(10) Called-Station-Id = "000B86BE91F0"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1100
(10) EAP-Message =
0x020c002b190017030100209568f164a54cf0e2aa3c<<<more deleted>>>
(10) State = 0xedb76556e4bb7c0e88dcdd844646037b
(10) Aruba-Essid-Name = "lab-emp"
(10) Aruba-Location-Id = "AP1"
(10) Aruba-AP-Group = "lab1"
(10) Message-Authenticator = 0x2277c43d40495abc84afcfee2d7af56b
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/sites-enabled
/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "guest123", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 12 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xedb76556e4bb7c0e
(10) eap: Finished EAP session with state 0xedb76556e4bb7c0e
(10) eap: Previous EAP request found for state 0xedb76556e4bb7c0e, released
from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 12 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/sites-enabled
/default
(10) post-auth {
(10) update {
(10) No attributes updated
(10) } # update = noop
(10) sql: EXPAND .query
(10) sql: --> .query
(10) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(10) sql: EXPAND %{User-Name}
(10) sql: --> guest123
(10) sql: SQL-User-Name set to 'guest123'
(10) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(10) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'guest123', ', 'Access-Accept', '2017-12-06 05:15:26')
(10) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'guest123', ', 'Access-Accept', '2017-12-06 05:15:26')
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(10) sql: SQL query returned: success
(10) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(10) [sql] = ok
(10) [exec] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) } # post-auth = ok
(10) Sent Access-Accept Id 52 from 192.168.18.249:1812 to
192.168.18.254:40607 length 0
(10) MS-MPPE-Recv-Key =
0xa5ded2c64f1026f75e105877bcc5715f3712051d16c7977a680fd50a2bd53352
(10) MS-MPPE-Send-Key =
0x5ccf08fba6d8803a9ac0478c8b02bd8c9ea5829c6c3d389410eed4f36fb06692
(10) EAP-Message = 0x030c0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "guest123"
(10) Finished request
Waking up in 4.8 seconds.
(0) Cleaning up request packet ID 42 with timestamp +29
(1) Cleaning up request packet ID 43 with timestamp +29
(2) Cleaning up request packet ID 44 with timestamp +29
(3) Cleaning up request packet ID 45 with timestamp +29
(4) Cleaning up request packet ID 46 with timestamp +29
(5) Cleaning up request packet ID 47 with timestamp +29
(6) Cleaning up request packet ID 48 with timestamp +29
(7) Cleaning up request packet ID 49 with timestamp +29
(8) Cleaning up request packet ID 50 with timestamp +29
(9) Cleaning up request packet ID 51 with timestamp +29
(10)) Cleaning up request packet ID 52 with timestamp +29
Ready to process requests
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: labguest (how: ROLE_DERIVATION_DOT1X_SDR)
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: authenticated (how: ROLE_DERIVATION_DOT1X)
答案 0 :(得分:1)
我发布了Aruba Airheads博客,然后开启了Aruba / HPE支持案例。在分析了日志和数据包捕获之后,Aruba / HPE支持工程师说,
“我想通知您,我已经完成了数据包捕获,并根据我们观察到的内容附加了相同的屏幕截图; 如CP-Accept屏幕截图所示,当用户使用Captive Portal进行身份验证时,我们会看到Radius Accept。我们在accept数据包中看到,服务器正在向控制器发送属性“labguest”,以便分配用户角色。
对于Dot1x-Accept屏幕截图,当用户使用dot1x身份验证进行身份验证时,我们看不到服务器在接受数据包中发送任何属性。
请检查服务器端是否需要启用MSCHAPv2的发送属性以及PAP协议,或者服务器上是否有任何特定配置根据身份验证类型处理要发送的属性“
然后我发布到FreeRADIUS用户列表。响应:
“解决方案是将”files“模块移到”eap“之前。编辑网站已启用/默认。请查看“授权”部分。“
有效。已编辑网站的摘录已启用/默认:
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The EAP module returns "ok" or "updated" if it is not yet ready
# to authenticate the user. The configuration below checks for
# "ok", and stops processing the "authorize" section if so.
#
# Any LDAP and/or SQL servers will not be queried for the
# initial set of packets that go back and forth to set up
# TTLS or PEAP.
#
# The "updated" check is commented out for compatibility with
# previous versions of this configuration, but you may wish to
# uncomment it as well; this will further reduce the number of
# LDAP and/or SQL queries for TTLS or PEAP.
#
files
eap {
ok = return
# updated = return
}
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# mods-available/passwd module.
#
# unix
#
# Read the 'users' file. In v3, this is located in
# raddb/mods-config/files/authorize
# files
来自Aruba控制器的测试:
(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose
Authentication Successful
Processing time (ms) : 6.407
Attribute value pairs in request
--------------------------------
Vendor Attribute Value
------ --------- -----
NAS-IP-Address 192.168.18.254
NAS-Port-Id 0
NAS-Port-Type Wireless-IEEE802.11
User-Name guest123
Service-Type Login-User
Calling-Station-Id 0.0.0.0
Called-Station-Id 000B86BE91F0
Microsoft MS-CHAP-Challenge \032\241\007[\002(\\321j5\001v\221lf\236
Microsoft MS-CHAP2-Response
Aruba Aruba-Essid-Name
Aruba Aruba-Location-Id N/A
Aruba Aruba-AP-Group N/A
Aruba Aruba-Device-Type
Message-Auth I\365\262\357\365o{s\264\270\246\022Cz\264-
PW_RADIUS_ID H
Rad-Length 199
Attribute value pairs in response
---------------------------------
Vendor Attribute Value
------ --------- -----
Service-Type Framed-User
Filter-Id labguest
Microsoft MS-CHAP2-Success
Microsoft MS-MPPE-Recv-Key \205g8\374\333\260\031\306\3379\321\220\273\273\355\024\277\210Q\003\226\004M>\372\307p6\273&\322\231N\253
Microsoft MS-MPPE-Send-Key \215\277d\301f\207A\215!\376\345.\324\177BM\364\310\251p\263\224\315 \012\001\035:\327\253\314\016\026\243
Microsoft MS-MPPE-Encryption-Policy
Microsoft MS-MPPE-Encryption-Types
PW_RADIUS_ID H
Rad-Length 195
PW_RADIUS_CODE \002
PW_RAD_AUTHENTICATOR }\203!\353\244}\215,\216\203J]\027\247\325\272
(Master1) # show user mac fc:c2:de:13:d6:15
Name: guest123, IP: 192.168.16.3, MAC: fc:c2:de:13:d6:15, Age: 00:00:00
Role: labguest (how: ROLE_DERIVATION_DOT1X_SDR), ACL: 71/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X_SDR
VLAN Derivation: Default VLAN
请注意,对网站启用/默认的编辑是在干净的FreeRADIUS安装之后,而不是对任何编组修正。
答案 1 :(得分:0)
如果此属性是由 freeradius 必须代理的半径服务器设置的,则必须修改文件:
mods-config/attr_filter/pre-proxy 和 post-proxy
在您必须代理的属性中添加:
Filter-Id =* ANY