WPA2-EAP авторизация FreeRadius + MikroTik, где туплю?
Приветствую друзья.
Пытаюсь поднять WPA2-EAP на микротике, freeradius отрабатывает нормально при авторизации на свитчах и куче сетевых железок но вот настроить WPA2-EAP не получается.
В логе имеет:
(220) Received Access-Request Id 234 from 10.10.3.189:42134 to 172.17.0.2:1812 length 264 (220) Service-Type = Framed-User (220) Framed-MTU = 1400 (220) User-Name = «sys» (220) State = 0x9c1eed869b17f40c954b4359550f8eb4 (220) NAS-Port-Id = «radius» (220) NAS-Port-Type = Wireless-802.11 (220) Acct-Session-Id = «82000020» (220) Acct-Multi-Session-Id = «6E-3B-6B-F2-A3-84-80-A5-89-00-3D-A3-82-00-00-00-00-00-00-1D» (220) Calling-Station-Id = «80-A5-89-00-3D-A3» (220) Called-Station-Id = «6E-3B-6B-F2-A3-84:Radius» (220) EAP-Message = 0x0209002b19001703010020f6f18e3b9d1144351e61353162621a3e6de737d51713a7746737b0d5689bf84d (220) Message-Authenticator = 0x24d64cf0c1f4b2596164e3b4faca09d1 (220) NAS-Identifier = «MikroTik» (220) NAS-IP-Address = 10.10.3.189 (220) Restoring &session-state (220) &session-state:Module-Failure-Message := «No Auth-Type found: rejecting the user via Post-Auth-Type = Reject» (220) # Executing section authorize from file /radius/conf/sites-enabled/default (220) authorize { (220) policy filter_username { (220) if (&User-Name) { (220) if (&User-Name) -> TRUE (220) if (&User-Name) { (220) if (&User-Name =~ / /) { (220) if (&User-Name =~ / /) -> FALSE (220) if (&User-Name =~ /@[^@]*@/ ) { (220) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (220) if (&User-Name =~ /\.\./ ) { (220) if (&User-Name =~ /\.\./ ) -> FALSE (220) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (220) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (220) if (&User-Name =~ /\.$/) { (220) if (&User-Name =~ /\.$/) -> FALSE (220) if (&User-Name =~ /@\./) { (220) if (&User-Name =~ /@\./) -> FALSE (220) } # if (&User-Name) = notfound (220) } # policy filter_username = notfound (220) [preprocess] = ok (220) [chap] = noop (220) [mschap] = noop (220) [digest] = noop (220) suffix: Checking for suffix after "@" (220) suffix: No '@' in User-Name = «sys», looking up realm NULL (220) suffix: No such realm «NULL» (220) [suffix] = noop (220) eap: Peer sent EAP Response (code 2) ID 9 length 43 (220) eap: Continuing tunnel setup (220) [eap] = ok (220) } # authorize = ok (220) Found Auth-Type = eap (220) # Executing group from file /radius/conf/sites-enabled/default (220) authenticate { (220) eap: Expiring EAP session with state 0x9c1eed869b17f40c (220) eap: Finished EAP session with state 0x9c1eed869b17f40c (220) eap: Previous EAP request found for state 0x9c1eed869b17f40c, released from the list (220) eap: Peer sent packet with method EAP PEAP (25) (220) eap: Calling submodule eap_peap to process data (220) eap_peap: Continuing EAP-TLS (220) eap_peap: [eaptls verify] = ok (220) eap_peap: Done initial handshake (220) eap_peap: [eaptls process] = ok (220) eap_peap: Session established. Decoding tunneled attributes (220) eap_peap: PEAP state send tlv failure (220) eap_peap: Received EAP-TLV response (220) eap_peap: The users session was previously rejected: returning reject (again.) (220) eap_peap: This means you need to read the PREVIOUS messages in the debug output (220) eap_peap: to find out the reason why the user was rejected (220) eap_peap: Look for «reject» or «fail». Those earlier messages will tell you (220) eap_peap: what went wrong, and how to fix the problem (220) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (220) eap: Sending EAP Failure (code 4) ID 9 length 4 (220) eap: Failed in EAP select (220) [eap] = invalid (220) } # authenticate = invalid (220) Failed to authenticate the user (220) Using Post-Auth-Type Reject (220) # Executing group from file /radius/conf/sites-enabled/default (220) Post-Auth-Type REJECT { (220) sql: EXPAND .query (220) sql: --> .query (220) sql: Using query template 'query' rlm_sql (sql): Reserved connection (30) (220) sql: EXPAND %{User-Name} (220) sql: --> sys (220) sql: SQL-User-Name set to 'sys' (220) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW()) (220) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW()) (220) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: query affected rows = 1 (220) sql: SQL query returned: success (220) sql: 1 record(s) updated rlm_sql (sql): Released connection (30) (220) [sql] = ok (220) attr_filter.access_reject: EXPAND %{User-Name} (220) attr_filter.access_reject: --> sys (220) attr_filter.access_reject: Matched entry DEFAULT at line 11 (220) [attr_filter.access_reject] = updated (220) policy remove_reply_message_if_eap { (220) if (&reply:EAP-Message && &reply:Reply-Message) { (220) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (220) else { (220) [noop] = noop (220) } # else = noop (220) } # policy remove_reply_message_if_eap = noop (220) } # Post-Auth-Type REJECT = updated (220) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. (220) Discarding duplicate request from client 0.0.0.0/0 port 42134 — ID: 234 due to delayed response Waking up in 0.6 seconds. (220) Discarding duplicate request from client 0.0.0.0/0 port 42134 — ID: 234 due to delayed response Waking up in 0.4 seconds. (220) Sending delayed response (220) Sent Access-Reject Id 234 from 172.17.0.2:1812 to 10.10.3.189:42134 length 44 (220) EAP-Message = 0x04090004 (220) Message-Authenticator = 0x00000000000000000000000000000000
Смущает строка
(220) eap_peap: PEAP state send tlv failure
но гугл что-то не прояснил ситуацию.
В качестве клиента выступает Windows7, настройки подключения
Mikrosoft EAP(PEAP) + EAP-MSCHAPv2
Прошу поделится опытом, какие конфиги нужны, покажу.
Решение:
mods-avaliable/eap, строку
default_eap_type = tls
необходимо привести к виду
default_eap_type = tls,peap
(с третьей версии разделитель запятая а не пробел)
и потом собственно настроить и сам mschap
mods-avaliable/mschap
use_mppe = yes require_encryption = yes require_strong = yes
Пытаюсь поднять WPA2-EAP на микротике, freeradius отрабатывает нормально при авторизации на свитчах и куче сетевых железок но вот настроить WPA2-EAP не получается.
В логе имеет:
(220) Received Access-Request Id 234 from 10.10.3.189:42134 to 172.17.0.2:1812 length 264 (220) Service-Type = Framed-User (220) Framed-MTU = 1400 (220) User-Name = «sys» (220) State = 0x9c1eed869b17f40c954b4359550f8eb4 (220) NAS-Port-Id = «radius» (220) NAS-Port-Type = Wireless-802.11 (220) Acct-Session-Id = «82000020» (220) Acct-Multi-Session-Id = «6E-3B-6B-F2-A3-84-80-A5-89-00-3D-A3-82-00-00-00-00-00-00-1D» (220) Calling-Station-Id = «80-A5-89-00-3D-A3» (220) Called-Station-Id = «6E-3B-6B-F2-A3-84:Radius» (220) EAP-Message = 0x0209002b19001703010020f6f18e3b9d1144351e61353162621a3e6de737d51713a7746737b0d5689bf84d (220) Message-Authenticator = 0x24d64cf0c1f4b2596164e3b4faca09d1 (220) NAS-Identifier = «MikroTik» (220) NAS-IP-Address = 10.10.3.189 (220) Restoring &session-state (220) &session-state:Module-Failure-Message := «No Auth-Type found: rejecting the user via Post-Auth-Type = Reject» (220) # Executing section authorize from file /radius/conf/sites-enabled/default (220) authorize { (220) policy filter_username { (220) if (&User-Name) { (220) if (&User-Name) -> TRUE (220) if (&User-Name) { (220) if (&User-Name =~ / /) { (220) if (&User-Name =~ / /) -> FALSE (220) if (&User-Name =~ /@[^@]*@/ ) { (220) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (220) if (&User-Name =~ /\.\./ ) { (220) if (&User-Name =~ /\.\./ ) -> FALSE (220) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (220) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (220) if (&User-Name =~ /\.$/) { (220) if (&User-Name =~ /\.$/) -> FALSE (220) if (&User-Name =~ /@\./) { (220) if (&User-Name =~ /@\./) -> FALSE (220) } # if (&User-Name) = notfound (220) } # policy filter_username = notfound (220) [preprocess] = ok (220) [chap] = noop (220) [mschap] = noop (220) [digest] = noop (220) suffix: Checking for suffix after "@" (220) suffix: No '@' in User-Name = «sys», looking up realm NULL (220) suffix: No such realm «NULL» (220) [suffix] = noop (220) eap: Peer sent EAP Response (code 2) ID 9 length 43 (220) eap: Continuing tunnel setup (220) [eap] = ok (220) } # authorize = ok (220) Found Auth-Type = eap (220) # Executing group from file /radius/conf/sites-enabled/default (220) authenticate { (220) eap: Expiring EAP session with state 0x9c1eed869b17f40c (220) eap: Finished EAP session with state 0x9c1eed869b17f40c (220) eap: Previous EAP request found for state 0x9c1eed869b17f40c, released from the list (220) eap: Peer sent packet with method EAP PEAP (25) (220) eap: Calling submodule eap_peap to process data (220) eap_peap: Continuing EAP-TLS (220) eap_peap: [eaptls verify] = ok (220) eap_peap: Done initial handshake (220) eap_peap: [eaptls process] = ok (220) eap_peap: Session established. Decoding tunneled attributes (220) eap_peap: PEAP state send tlv failure (220) eap_peap: Received EAP-TLV response (220) eap_peap: The users session was previously rejected: returning reject (again.) (220) eap_peap: This means you need to read the PREVIOUS messages in the debug output (220) eap_peap: to find out the reason why the user was rejected (220) eap_peap: Look for «reject» or «fail». Those earlier messages will tell you (220) eap_peap: what went wrong, and how to fix the problem (220) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (220) eap: Sending EAP Failure (code 4) ID 9 length 4 (220) eap: Failed in EAP select (220) [eap] = invalid (220) } # authenticate = invalid (220) Failed to authenticate the user (220) Using Post-Auth-Type Reject (220) # Executing group from file /radius/conf/sites-enabled/default (220) Post-Auth-Type REJECT { (220) sql: EXPAND .query (220) sql: --> .query (220) sql: Using query template 'query' rlm_sql (sql): Reserved connection (30) (220) sql: EXPAND %{User-Name} (220) sql: --> sys (220) sql: SQL-User-Name set to 'sys' (220) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW()) (220) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW()) (220) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: query affected rows = 1 (220) sql: SQL query returned: success (220) sql: 1 record(s) updated rlm_sql (sql): Released connection (30) (220) [sql] = ok (220) attr_filter.access_reject: EXPAND %{User-Name} (220) attr_filter.access_reject: --> sys (220) attr_filter.access_reject: Matched entry DEFAULT at line 11 (220) [attr_filter.access_reject] = updated (220) policy remove_reply_message_if_eap { (220) if (&reply:EAP-Message && &reply:Reply-Message) { (220) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (220) else { (220) [noop] = noop (220) } # else = noop (220) } # policy remove_reply_message_if_eap = noop (220) } # Post-Auth-Type REJECT = updated (220) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. (220) Discarding duplicate request from client 0.0.0.0/0 port 42134 — ID: 234 due to delayed response Waking up in 0.6 seconds. (220) Discarding duplicate request from client 0.0.0.0/0 port 42134 — ID: 234 due to delayed response Waking up in 0.4 seconds. (220) Sending delayed response (220) Sent Access-Reject Id 234 from 172.17.0.2:1812 to 10.10.3.189:42134 length 44 (220) EAP-Message = 0x04090004 (220) Message-Authenticator = 0x00000000000000000000000000000000
Смущает строка
(220) eap_peap: PEAP state send tlv failure
но гугл что-то не прояснил ситуацию.
В качестве клиента выступает Windows7, настройки подключения
Mikrosoft EAP(PEAP) + EAP-MSCHAPv2
Прошу поделится опытом, какие конфиги нужны, покажу.
Решение:
mods-avaliable/eap, строку
default_eap_type = tls
необходимо привести к виду
default_eap_type = tls,peap
(с третьей версии разделитель запятая а не пробел)
и потом собственно настроить и сам mschap
mods-avaliable/mschap
use_mppe = yes require_encryption = yes require_strong = yes
Похожие публикации
Mikrotik. Балансировка нагрузки. PPPoE + L2TP, как настроить?
Mikrotik: 2шлюза. Нет пинга между промаркированными локальными адресами. Как быть?
Не работает проброс портов mikrotik. Где ошибка?
Ovpn client на микротике. DNS request timed out до КД?
Mikrotik отваливается vpn интерфейс. Почему?
Нет комментариев