Auth-Type:- RADIUS 用户文件中的拒绝与内部隧道请求匹配,但发送 Access-Accept

Auth-Type:- RADIUS 用户文件中的拒绝与内部隧道请求匹配,但发送 Access-Accept

我在 Ubuntu 10.04.4 上使用 FreeRADIUS 2.1.8 设置了 WPA2 802.11x EAP 身份验证,并与 OpenLDAP 通信,并且能够成功使用 PEAP/MSCHAPv2、TTLS/MSCHAPv2 和 TTLS/PAP 进行身份验证(通过 AP 和使用eapol_测试我现在尝试根据用户所属的 LDAP 组来限制对特定 SSID 的访问。

我已经配置了群组成员资格签到,/etc/freeradius/modules/ldap如下所示:

groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=posixGroup)(memberUid=%{User-Name}))(&(objectClass=posixGroup)(uniquemember=%{User-Name})))"

并且我已经配置了从 Called-Station-Id 中提取 SSID 到 Called-Station-SSID 的Mac 身份验证wiki 页面。/etc/freeradius/eap.conf我已启用将属性从外部隧道复制到内部隧道,并在外部隧道中使用内部隧道响应(对于 PEAP 和 TTLS)。然而,在更改这些选项之前,我遇到了同样的问题。

copy_request_to_tunnel = yes
use_tunneled_reply = yes

我正在eapol_test像这样运行以测试设置:

eapol_test -c peap-mschapv2.conf -a 172.16.0.16 -s testing123 -N 30:s:01-23-45-67-89-01:Example-EAP

使用以下peap-mschapv2.conf文件:

network={
    ssid="Example-EAP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="mgorven"
    anonymous_identity="anonymous"
    password="foobar"
    phase2="autheap=MSCHAPV2"
}

内容如下/etc/freeradius/users

DEFAULT Ldap-Group == "employees"

并运行freeradius-Xx,我可以看到 LDAP 组检索有效,并且 SSID 已被提取。

Debug:   [ldap] performing search in dc=example,dc=com, with filter (&(cn=employees)(|(&(objectClass=posixGroup)(memberUid=mgorven))(&(objectClass=posixGroup)(uniquemember=mgorven))))
Debug: rlm_ldap::ldap_groupcmp: User found in group employees
...
Info:        expand: %{7} -> Example-EAP

接下来我尝试仅允许组中的用户访问employees(无论 SSID 是什么),因此我输入以下内容/etc/freeradius/users

DEFAULT Ldap-Group == "employees"

DEFAULT Auth-Type := Reject

但这会立即拒绝外部隧道中的访问请求,因为用户anonymous不在该employees组中。因此我将其修改为仅匹配内部隧道请求,如下所示:

DEFAULT Ldap-Group == "employees"

DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
        Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID."

现在,组中的用户employees已通过身份验证,但不在该employees组中的用户也已通过身份验证。我看到拒绝条目已匹配,并且设置了 Reply-Message,但客户端收到了 Access-Accept。

Debug: rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member.
Info: [files] users: Matched entry DEFAULT at line 209
Info: ++[files] returns ok
...
Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel)
Info:   WARNING: Empty section.  Using default return values.
...
Info: [peap] Got tunneled reply code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Got tunneled reply RADIUS code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Tunneled authentication was successful.
Info: [peap] SUCCESS
Info: [peap] Saving tunneled attributes for later
...
Sending Access-Accept of id 11 to 172.16.2.44 port 60746
        Reply-Message = "User does not belong to any groups which may access this SSID."
        User-Name = "mgorven"

eapol_test报告:

RADIUS message: code=2 (Access-Accept) identifier=11 length=233
   Attribute 18 (Reply-Message) length=64
      Value: 'User does not belong to any groups which may access this SSID.'
   Attribute 1 (User-Name) length=9
      Value: 'mgorven'
...
SUCCESS

为什么请求没有被拒绝,这是正确的实现方法吗?

答案1

由于某些奇怪的原因,设置Auth-Type查看项目,而不是回复项目,因此必须在规则的第一行完成此操作。以下操作可以正常工作:

DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1", Auth-Type := Reject
    Reply-Message = "User does not belong to any groups which may access this SSID."

相关内容