WPA2-EAP авторизация FreeRadius + MikroTik, где туплю?
Приветствую друзья.
Пытаюсь поднять WPA2-EAP на микротике, freeradius отрабатывает нормально при авторизации на свитчах и куче сетевых железок но вот настроить WPA2-EAP не получается.
В логе имеет:
(220) Received Access-Request Id 234 from 10.10.3.189:42134 to 172.17.0.2:1812 length 264 (220) Service-Type = Framed-User (220) Framed-MTU = 1400 (220) User-Name = «sys» (220) State = 0x9c1eed869b17f40c954b4359550f8eb4 (220) NAS-Port-Id = «radius» (220) NAS-Port-Type = Wireless-802.11 (220) Acct-Session-Id = «82000020» (220) Acct-Multi-Session-Id = «6E-3B-6B-F2-A3-84-80-A5-89-00-3D-A3-82-00-00-00-00-00-00-1D» (220) Calling-Station-Id = «80-A5-89-00-3D-A3» (220) Called-Station-Id = «6E-3B-6B-F2-A3-84:Radius» (220) EAP-Message = 0x0209002b19001703010020f6f18e3b9d1144351e61353162621a3e6de737d51713a7746737b0d5689bf84d (220) Message-Authenticator = 0x24d64cf0c1f4b2596164e3b4faca09d1 (220) NAS-Identifier = «MikroTik» (220) NAS-IP-Address = 10.10.3.189 (220) Restoring &session-state (220) &session-state:Module-Failure-Message := «No Auth-Type found: rejecting the user via Post-Auth-Type = Reject» (220) # Executing section authorize from file /radius/conf/sites-enabled/default (220) authorize { (220) policy filter_username { (220) if (&User-Name) { (220) if (&User-Name) -> TRUE (220) if (&User-Name) { (220) if (&User-Name =~ / /) { (220) if (&User-Name =~ / /) -> FALSE (220) if (&User-Name =~ /@[^@]*@/ ) { (220) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (220) if (&User-Name =~ /\.\./ ) { (220) if (&User-Name =~ /\.\./ ) -> FALSE (220) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (220) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (220) if (&User-Name =~ /\.$/) { (220) if (&User-Name =~ /\.$/) -> FALSE (220) if (&User-Name =~ /@\./) { (220) if (&User-Name =~ /@\./) -> FALSE (220) } # if (&User-Name) = notfound (220) } # policy filter_username = notfound (220) [preprocess] = ok (220) [chap] = noop (220) [mschap] = noop (220) [digest] = noop (220) suffix: Checking for suffix after "@" (220) suffix: No '@' in User-Name = «sys», looking up realm NULL (220) suffix: No such realm «NULL» (220) [suffix] = noop (220) eap: Peer sent EAP Response (code 2) ID 9 length 43 (220) eap: Continuing tunnel setup (220) [eap] = ok (220) } # authorize = ok (220) Found Auth-Type = eap (220) # Executing group from file /radius/conf/sites-enabled/default (220) authenticate { (220) eap: Expiring EAP session with state 0x9c1eed869b17f40c (220) eap: Finished EAP session with state 0x9c1eed869b17f40c (220) eap: Previous EAP request found for state 0x9c1eed869b17f40c, released from the list (220) eap: Peer sent packet with method EAP PEAP (25) (220) eap: Calling submodule eap_peap to process data (220) eap_peap: Continuing EAP-TLS (220) eap_peap: [eaptls verify] = ok (220) eap_peap: Done initial handshake (220) eap_peap: [eaptls process] = ok (220) eap_peap: Session established. Decoding tunneled attributes (220) eap_peap: PEAP state send tlv failure (220) eap_peap: Received EAP-TLV response (220) eap_peap: The users session was previously rejected: returning reject (again.) (220) eap_peap: This means you need to read the PREVIOUS messages in the debug output (220) eap_peap: to find out the reason why the user was rejected (220) eap_peap: Look for «reject» or «fail». Those earlier messages will tell you (220) eap_peap: what went wrong, and how to fix the problem (220) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (220) eap: Sending EAP Failure (code 4) ID 9 length 4 (220) eap: Failed in EAP select (220) [eap] = invalid (220) } # authenticate = invalid (220) Failed to authenticate the user (220) Using Post-Auth-Type Reject (220) # Executing group from file /radius/conf/sites-enabled/default (220) Post-Auth-Type REJECT { (220) sql: EXPAND .query (220) sql: --> .query (220) sql: Using query template 'query' rlm_sql (sql): Reserved connection (30) (220) sql: EXPAND %{User-Name} (220) sql: --> sys (220) sql: SQL-User-Name set to 'sys' (220) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW()) (220) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW()) (220) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: query affected rows = 1 (220) sql: SQL query returned: success (220) sql: 1 record(s) updated rlm_sql (sql): Released connection (30) (220) [sql] = ok (220) attr_filter.access_reject: EXPAND %{User-Name} (220) attr_filter.access_reject: --> sys (220) attr_filter.access_reject: Matched entry DEFAULT at line 11 (220) [attr_filter.access_reject] = updated (220) policy remove_reply_message_if_eap { (220) if (&reply:EAP-Message && &reply:Reply-Message) { (220) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (220) else { (220) [noop] = noop (220) } # else = noop (220) } # policy remove_reply_message_if_eap = noop (220) } # Post-Auth-Type REJECT = updated (220) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. (220) Discarding duplicate request from client 0.0.0.0/0 port 42134 — ID: 234 due to delayed response Waking up in 0.6 seconds. (220) Discarding duplicate request from client 0.0.0.0/0 port 42134 — ID: 234 due to delayed response Waking up in 0.4 seconds. (220) Sending delayed response (220) Sent Access-Reject Id 234 from 172.17.0.2:1812 to 10.10.3.189:42134 length 44 (220) EAP-Message = 0x04090004 (220) Message-Authenticator = 0x00000000000000000000000000000000
Смущает строка
(220) eap_peap: PEAP state send tlv failure
но гугл что-то не прояснил ситуацию.
В качестве клиента выступает Windows7, настройки подключения
Mikrosoft EAP(PEAP) + EAP-MSCHAPv2
Прошу поделится опытом, какие конфиги нужны, покажу.
Решение:
mods-avaliable/eap, строку
default_eap_type = tls
необходимо привести к виду
default_eap_type = tls,peap
(с третьей версии разделитель запятая а не пробел)
и потом собственно настроить и сам mschap
mods-avaliable/mschap
use_mppe = yes require_encryption = yes require_strong = yes
Пытаюсь поднять WPA2-EAP на микротике, freeradius отрабатывает нормально при авторизации на свитчах и куче сетевых железок но вот настроить WPA2-EAP не получается.
В логе имеет:
(220) Received Access-Request Id 234 from 10.10.3.189:42134 to 172.17.0.2:1812 length 264 (220) Service-Type = Framed-User (220) Framed-MTU = 1400 (220) User-Name = «sys» (220) State = 0x9c1eed869b17f40c954b4359550f8eb4 (220) NAS-Port-Id = «radius» (220) NAS-Port-Type = Wireless-802.11 (220) Acct-Session-Id = «82000020» (220) Acct-Multi-Session-Id = «6E-3B-6B-F2-A3-84-80-A5-89-00-3D-A3-82-00-00-00-00-00-00-1D» (220) Calling-Station-Id = «80-A5-89-00-3D-A3» (220) Called-Station-Id = «6E-3B-6B-F2-A3-84:Radius» (220) EAP-Message = 0x0209002b19001703010020f6f18e3b9d1144351e61353162621a3e6de737d51713a7746737b0d5689bf84d (220) Message-Authenticator = 0x24d64cf0c1f4b2596164e3b4faca09d1 (220) NAS-Identifier = «MikroTik» (220) NAS-IP-Address = 10.10.3.189 (220) Restoring &session-state (220) &session-state:Module-Failure-Message := «No Auth-Type found: rejecting the user via Post-Auth-Type = Reject» (220) # Executing section authorize from file /radius/conf/sites-enabled/default (220) authorize { (220) policy filter_username { (220) if (&User-Name) { (220) if (&User-Name) -> TRUE (220) if (&User-Name) { (220) if (&User-Name =~ / /) { (220) if (&User-Name =~ / /) -> FALSE (220) if (&User-Name =~ /@[^@]*@/ ) { (220) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (220) if (&User-Name =~ /\.\./ ) { (220) if (&User-Name =~ /\.\./ ) -> FALSE (220) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (220) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (220) if (&User-Name =~ /\.$/) { (220) if (&User-Name =~ /\.$/) -> FALSE (220) if (&User-Name =~ /@\./) { (220) if (&User-Name =~ /@\./) -> FALSE (220) } # if (&User-Name) = notfound (220) } # policy filter_username = notfound (220) [preprocess] = ok (220) [chap] = noop (220) [mschap] = noop (220) [digest] = noop (220) suffix: Checking for suffix after "@" (220) suffix: No '@' in User-Name = «sys», looking up realm NULL (220) suffix: No such realm «NULL» (220) [suffix] = noop (220) eap: Peer sent EAP Response (code 2) ID 9 length 43 (220) eap: Continuing tunnel setup (220) [eap] = ok (220) } # authorize = ok (220) Found Auth-Type = eap (220) # Executing group from file /radius/conf/sites-enabled/default (220) authenticate { (220) eap: Expiring EAP session with state 0x9c1eed869b17f40c (220) eap: Finished EAP session with state 0x9c1eed869b17f40c (220) eap: Previous EAP request found for state 0x9c1eed869b17f40c, released from the list (220) eap: Peer sent packet with method EAP PEAP (25) (220) eap: Calling submodule eap_peap to process data (220) eap_peap: Continuing EAP-TLS (220) eap_peap: [eaptls verify] = ok (220) eap_peap: Done initial handshake (220) eap_peap: [eaptls process] = ok (220) eap_peap: Session established. Decoding tunneled attributes (220) eap_peap: PEAP state send tlv failure (220) eap_peap: Received EAP-TLV response (220) eap_peap: The users session was previously rejected: returning reject (again.) (220) eap_peap: This means you need to read the PREVIOUS messages in the debug output (220) eap_peap: to find out the reason why the user was rejected (220) eap_peap: Look for «reject» or «fail». Those earlier messages will tell you (220) eap_peap: what went wrong, and how to fix the problem (220) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (220) eap: Sending EAP Failure (code 4) ID 9 length 4 (220) eap: Failed in EAP select (220) [eap] = invalid (220) } # authenticate = invalid (220) Failed to authenticate the user (220) Using Post-Auth-Type Reject (220) # Executing group from file /radius/conf/sites-enabled/default (220) Post-Auth-Type REJECT { (220) sql: EXPAND .query (220) sql: --> .query (220) sql: Using query template 'query' rlm_sql (sql): Reserved connection (30) (220) sql: EXPAND %{User-Name} (220) sql: --> sys (220) sql: SQL-User-Name set to 'sys' (220) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW()) (220) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW()) (220) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: query affected rows = 1 (220) sql: SQL query returned: success (220) sql: 1 record(s) updated rlm_sql (sql): Released connection (30) (220) [sql] = ok (220) attr_filter.access_reject: EXPAND %{User-Name} (220) attr_filter.access_reject: --> sys (220) attr_filter.access_reject: Matched entry DEFAULT at line 11 (220) [attr_filter.access_reject] = updated (220) policy remove_reply_message_if_eap { (220) if (&reply:EAP-Message && &reply:Reply-Message) { (220) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (220) else { (220) [noop] = noop (220) } # else = noop (220) } # policy remove_reply_message_if_eap = noop (220) } # Post-Auth-Type REJECT = updated (220) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. (220) Discarding duplicate request from client 0.0.0.0/0 port 42134 — ID: 234 due to delayed response Waking up in 0.6 seconds. (220) Discarding duplicate request from client 0.0.0.0/0 port 42134 — ID: 234 due to delayed response Waking up in 0.4 seconds. (220) Sending delayed response (220) Sent Access-Reject Id 234 from 172.17.0.2:1812 to 10.10.3.189:42134 length 44 (220) EAP-Message = 0x04090004 (220) Message-Authenticator = 0x00000000000000000000000000000000
Смущает строка
(220) eap_peap: PEAP state send tlv failure
но гугл что-то не прояснил ситуацию.
В качестве клиента выступает Windows7, настройки подключения
Mikrosoft EAP(PEAP) + EAP-MSCHAPv2
Прошу поделится опытом, какие конфиги нужны, покажу.
Решение:
mods-avaliable/eap, строку
default_eap_type = tls
необходимо привести к виду
default_eap_type = tls,peap
(с третьей версии разделитель запятая а не пробел)
и потом собственно настроить и сам mschap
mods-avaliable/mschap
use_mppe = yes require_encryption = yes require_strong = yes
Похожие публикации
MikroTik RB750 + RouterOS v 5.6 + регулярные выражения = ?
Микротик. Как настроить проброс до веб сервера?
Как настроить приоретизацию траффика на микротике?
Mikrotik. Балансировка нагрузки. PPPoE + L2TP, как настроить?
Mikrotik: 2шлюза. Нет пинга между промаркированными локальными адресами. Как быть?
Нет комментариев