Authentication against Windows Server 2012 R2 RADIUS using PAP fails

I am trying (unsuccessfully) to authenticate a Linux-based network switch remotely against Windows Server 2012 R2 RADIUS using PAP. The following event log entries appear:

Event 1

The audit log was cleared.
Subject:
    Security ID:    <account domain>\<account name>
    Account Name:   <account name>
    Domain Name:    <account domain>
    Logon ID:   0x67364F48

Event 2

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  <account name>
Source Workstation: 
Error Code: 0x0

Event 3

A logon was attempted using explicit credentials.

Subject:
    Security ID:        SYSTEM
    Account Name:       AuthenticationServer$
    Account Domain:     <account domain>
    Logon ID:       0x3E7
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name:       <account name>
    Account Domain:     <account domain>
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name: localhost
    Additional Information: localhost

Process Information:
    Process ID:     0x3e4
    Process Name:       C:\Windows\System32\svchost.exe

Network Information:
    Network Address:    -
    Port:           -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Event 4

An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:       AuthenticationServer$
    Account Domain:     <account domain>
    Logon ID:       0x3E7

Logon Type:         3

Impersonation Level:        Impersonation

New Logon:
    Security ID:        <account domain>\<account name>
    Account Name:       <account name>
    Account Domain:     <account domain>
    Logon ID:       0x675FF2EE
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x3e4
    Process Name:       C:\Windows\System32\svchost.exe

Network Information:
    Workstation Name:   
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      IAS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Event 5

Special privileges assigned to new logon.

Subject:
    Security ID:        <account domain>\<account name>
    Account Name:       <account name>
    Account Domain:     <account domain>
    Logon ID:       0x675FF2EE

Privileges:     SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeSystemEnvironmentPrivilege
            SeEnableDelegationPrivilege
            SeImpersonatePrivilege

Event 6

An account was logged off.

Subject:
    Security ID:        <account domain>\<account name>
    Account Name:       <account name>
    Account Domain:     <account domain>
    Logon ID:       0x675FF2EE

Logon Type:         3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

These log entries seem to indicate that the authentication request succeeded. However, a Wireshark capture shows exactly the opposite:

Here are the Access-Request (code 1) attribute-value pairs, with some of the actual values replaced by placeholders:

t=User-Name(1): <user name>
t=User-Password(2): Decrypted: <password>
t=NAS-IP-Address(4): 192.168.1.1
t=NAS-Identifier(32): <hostname>
t=Calling-Station-Id(31): 192.168.1.2
t=NAS-Port(5): 5451
t=NAS-Port-Type(61): virtual(5)

In response I receive an Access-Reject (code 3).

Only these two RADIUS packets are exchanged. I expect to see an Access-Accept carrying the vendor-specific attributes I have configured.

In "Active Directory Users and Computers" I created a role with group scope "Global" and group type "Security". That role has members of the appropriate type.

In "Network Policy Server" I created and enabled a RADIUS client that does not use a shared-secret template, with the shared secret configured manually. The vendor name is of type "RADIUS Standard".

In "Network Policy Server" I created an enabled network policy with the following properties:

 - Grant access
 - Type of network access server: Unspecified
 - A condition specifying the connecting user is a member of a Windows Group (which it is)
 - Authentication Methods: PAP
 - Standard RADIUS attribute FramedProtocol=PPP
 - Vendor-Specific RADIUS attributes: As appropriate for the device
 - NAP Enforcement: Allow full network access
 - Multilink and Bandwidth Allocation Protocol: Server settings determine Multilink usage
 - Encryption (all choices selected): "Basic encryption (MPPE 40-bit)", "Strong encryption (MPPE 56-bit)", "Strongest encryption (MPPE 128-bit)", "No encryption"
 - IP Settings: Server settings determine IP address assignment

Does anyone have suggestions on how I can isolate the problem?

Thanks in advance!
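One way to isolate a problem like this is to take the switch out of the picture and replay the same Access-Request from a test client, so that the shared secret, the NAS attributes and the reply can each be checked in isolation. The script below is an added example and is not part of the original question or answer. It builds the Access-Request with the attribute set shown in the capture (NAS-IP-Address 192.168.1.1, Calling-Station-Id 192.168.1.2, NAS-Port 5451, NAS-Port-Type Virtual), hides the User-Password the way RFC 2865 section 5.2 prescribes for PAP, and verifies the Response Authenticator of whatever comes back, so that a reply keyed with a different shared secret (or not sent by the server at all) is not mistaken for a genuine Access-Reject. The user name, password, shared secret and NAS-Identifier are placeholders I chose; `send_request` is what you would point at the real NPS, while the `__main__` block demonstrates the packet format offline against a locally constructed Access-Reject.

```python
import hashlib
import os
import socket
import struct

# RADIUS packet codes and the attribute types seen in the capture (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_TYPE = 31, 32, 61
NAS_PORT_TYPE_VIRTUAL = 5


def encode_pap_password(password, secret, request_authenticator):
    """RFC 2865 s5.2: NUL-pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous cipher block); the first 'previous block' is the
    Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_pap_password(hidden, secret, request_authenticator):
    """Inverse of the above (what NPS computes, and what Wireshark shows as 'Decrypted:'
    once given the secret). Trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    """Type-Length-Value; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(payload):
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return attrs

def build_access_request(identifier, secret, username, password, nas_ip, nas_id,
                         calling_station, nas_port, authenticator=None):
    """Code 1 + Identifier + Length + random Request Authenticator + the attribute set
    the switch sent in the capture."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_IDENTIFIER, nas_id.encode())
             + attribute(CALLING_STATION_ID, calling_station.encode())
             + attribute(NAS_PORT, struct.pack("!I", nas_port))
             + attribute(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def check_response(response, request, secret):
    """Return (code, attributes) only if the reply is bound to our request and keyed with
    our secret; a mismatch means a wrong shared secret or a reply NPS never sent."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        raise ValueError("reply length or identifier does not match the request")
    if hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest() != response[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, parse_attributes(response[20:])

def send_request(packet, server, secret, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and validate whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    return check_response(reply, packet, secret)

if __name__ == "__main__":
    # Placeholder user, password and secret; the NAS values are the ones from the capture.
    secret = b"example-shared-secret"
    request = build_access_request(1, secret, "dave", "hunter2", "192.168.1.1",
                                   "switch1", "192.168.1.2", 5451)
    # Offline run: a locally constructed Access-Reject, the reply the question reports.
    # Against a real NPS use: code, attrs = send_request(request, "<nps address>", secret)
    code, attrs = check_response(build_response(ACCESS_REJECT, request, secret), request, secret)
    print("reply code %d (%s)" % (code, {2: "Access-Accept", 3: "Access-Reject"}.get(code, "other")))
```

If `check_response` raises on the Response Authenticator while NPS logs a successful logon, the shared secret on the RADIUS client entry does not match; if it returns code 3 cleanly, the secret and packet format are fine and the rejection is coming from policy evaluation, which narrows the search to the NPS client and network-policy conditions.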

Answer 1

For anyone who stumbles across this and might find it helpful...

It turned out the problem was in my network policy. An optional part of creating a network policy is, on the "Conditions" tab, to create a "Client Friendly Name" that matches the RADIUS client(s) you have set up (which is also done under "Network Policy Server", alongside the network policy). You can use wildcards so that the "Client Friendly Name" matches more than one RADIUS client.

However, it appears that the wildcard "*" can only be used at the end of the "Client Friendly Name".

For example, suppose I set up two RADIUS clients: Dave-Desktop-Home and Dave-Laptop-Home. If I specify "Dave-*-Home" as the "Client Friendly Name" in the network policy, Windows Server 2012 will create an event log entry indicating that I have authenticated successfully, but will actually send me a RADIUS Access-Reject message.

On the other hand, specifying "Dave-*" as the "Client Friendly Name" matches both RADIUS clients just fine. Both can then perform successful RADIUS authentication.
