配置

配置

我正在尝试使用 FreeRADIUS 3 设置 EAP-PWD。

但是,我无法让它工作,而且文档几乎不存在。因此,我不知道我遇到的问题是配置错误还是实际错误。

配置

这是我的配置(至少是相关的部分):

mods-enabled/eap:

eap {
    pwd {
    #group = 19

    server_id = [email protected]

    #  This has the same meaning as for TLS.
    fragment_size = 1020

    # The virtual server which determines the "known good" password for the user.
    # Note that unlike TLS, only the "authorize" section is processed.
    # EAP-PWD requests can be distinguished by having a User-Name, but no User-Password, CHAP-Password, EAP-Message, etc.
    #virtual_server = "inner-tunnel"
}

我不知道这group = 19是什么意思。(没有任何地方解释)

站点启用/默认:

authorize {
    filter_username
    preprocess

    #  Look in an SQL database.
    sql

    #permit_only_eap
    eap {
        ok = return
    }

    logintime
}

authenticate {
    #  Allow EAP authentication.
    eap
}

已启用站点/内部隧道:

authorize {
    eap {
        ok = return
    }

    #  Look in an SQL database.
    sql

    expiration
}

authenticate {
    mschap

    #  Allow EAP authentication.
    eap
}

说实话,我不明白 EAP-PWD 是否/为什么需要隧道请求。我之所以设置它,是因为我也使用 PEAPv0/MS-CHAPv2。我尝试了两个虚拟服务器(默认和内部隧道)

问题

好了,问题来了。我在请求方上遇到了身份验证错误。这是我在日志中看到的内容:

(2) eap: Peer sent method PWD (52)
(2) eap: EAP PWD (52)
(2) eap: Calling eap_pwd to process EAP data
(2) eap_pwd: Sending tunneled request
(2) eap_pwd: server default {
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (!&User-Name) {
(2)       if (!&User-Name)  -> TRUE
(2)       if (!&User-Name)  {
(2)         [noop] = noop
(2)       } # if (!&User-Name)  = noop
(2)       if (&User-Name =~ / /) {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       if (&User-Name =~ /@.*@/ ) {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       if (&User-Name =~ /\.\./ ) {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       if (&User-Name =~ /\.$/)  {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       if (&User-Name =~ /@\./)  {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)     } # policy filter_username = noop
(2)     [preprocess] = ok
(2) sql: EXPAND %{User-Name}
(2) sql:    -->
(2) sql: SQL-User-Name set to ''
rlm_sql (sql): Reserved connection (4)
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id
(2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(2) sql:    --> SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority
(2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority
(2) sql: User not found in any groups
rlm_sql (sql): Released connection (4)
(2)     [sql] = notfound
(2) eap: No EAP-Message, not doing EAP
(2)     [eap] = noop
(2)     [logintime] = noop
(2)   } # authorize = ok
(2) eap_pwd: } # server default
(2) eap_pwd: Got tunneled reply code 0
failed to find password for lars to do pwd authentication
(2) eap: ERROR: Failed continuing EAP PWD (52) session. EAP sub-module failed
(2) eap: Failed in EAP select
(2)     [eap] = invalid
(2)   } # authenticate = invalid
(2) Failed to authenticate the user
(2) Login incorrect (eap: Failed continuing EAP PWD (52) session. EAP sub-module failed): [lars] (from client LARS-RANNOCH port 4 cli 48-59-29-F6-BA-89)

第一个授权部分(未显示在上述日志中)运行正常,但此后 EAP-PWD 似乎又发出了另一个隧道请求。(为什么?我认为这只对 PEAP 和 EAP-TTLS 是必要的)。在这种情况下,我在 EAP 配置中注释掉了“虚拟服务器”行,因此请求由默认虚拟服务器处理。

可以看出,用户名属性为空(SQL-User-Name set to ''),导致 sql 模块无法获取正确的记录:failed to find password for lars to do pwd authentication

我的 EAP-PWD 配置正确吗?是什么导致了此错误?

答案1

这是一个错误。开发原始 PWD 代码的人只将用户名 VALUE_PAIR 添加到请求的用户名缓存指针中,而不是添加到实际的请求列表中。

一些模块忽略了指针,这是很久以前的糟糕的优化。

将这对添加到请求列表中可以解决此问题。以下是犯罪

感谢您帮助追踪此问题。修复将作为 v3.0.8 的一部分发布。同时您可以下载v3.0.x 头部然后尝试一下。

control:Cleartext-Password在设置内部隧道后,我获得了成功的服务器身份验证。希望它能对你有用。

相关内容