我正在使用 Freeradius 对 PEAP-GTC 中的用户进行身份验证,并且我希望它为身份验证器提供一个 VLAN ID,该 ID 将分配给经过身份验证的客户端的端口。
验证器已配置为将 radius 服务器接收到的 VLAN ID 分配给客户端的端口,如果不存在则创建 vlan。
在 Freeradius 服务器上,我尝试了在互联网上找到的几种方法将 VLAN ID 发送给身份验证器:
在用户文件中:
DEFAULT Auth-Type := EAP # and also DEFAULT NAS-Port-Type == "Ethernet" Tunnel-Type = 13, Tunnel-Medium-TYpe=6, Tunnel-Private-Group-Id=5
在 eap 模块文件中:
eap { use_tunneled_reply = yes .... peap { use_tunneled_reply = yes
在隧道内站点文件中:
post-auth { .... update { &outer.session-state.Tunnel-Type := Tunnel-Type[*] &outer.session-state.Tunnel-Medium-Type := Tunnel-Medium-Type[*] &outer.session-state.Tunnel-Private-Group-Id := Tunnel-Private-Group-Id[*] &outer.session-state.User-Name := Use-Name[*] &outer.session-state: += &rpely: }
验证器不断为连接的用户分配默认 vlan,但 freeradius 似乎没有这样做,因此发送 vlan id。
您知道 freeradius 如何为经过身份验证的用户分配 VLAN 吗?
答案1
在现代 freeradius 3 中 -use_tunneled_reply = yes
已弃用。正确的内部隧道后认证应在“sites-available/inner-tunnel”中处理。不要设置use_tunneled_reply = yes
,而是取消if(0)
注释post-auth {}
post-auth {
- - - - 8< - - - -
#
# Instead of "use_tunneled_reply", change this "if (0)" to an
# "if (1)".
#
#if (0) {
if (1) {
#
# These attributes are for the inner-tunnel only,
# and MUST NOT be copied to the outer reply.
#
- - - - 8< - - - -
}
答案2
我正在使用数据库来存储用户的凭据。我需要在其中配置 freeradius 回复,而不是用户文件。
该表radusergroup
将用户与组联系起来。该表radgroupreply
将对发送给验证者的验证消息的响应添加到所有组成员的验证中。
这是一个你可以加载(根据需要编辑)的 SQL 文件mysql -u root -p database < vlan_file.sql
:
-- link a user to a group
INSERT INTO radusergroup (username,groupname) VALUES ('username', 'mygroup');
-- link a group to replies
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Type', ':=', '13');
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Medium-Type', ':=', '6');
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Private-Group-Id', ':=', 'VLAN ID');
这是我的表格:
mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test | mygroup | 1 |
+----------+-----------+----------+
1 row in set (0.00 sec)
mysql>
mysql> select * from radgroupreply;
+----+-----------+-------------------------+----+-------+
| id | groupname | attribute | op | value |
+----+-----------+-------------------------+----+-------+
| 5 | mygroup | Tunnel-Type | := | 13 |
| 6 | mygroup | Tunnel-Medium-Type | := | 6 |
| 9 | mygroup | Tunnel-Private-Group-Id | := | 5 |
+----+-----------+-------------------------+----+-------+
3 rows in set (0.00 sec)
mysql> exit
Bye
当我尝试使用该命令时radtest
,我得到了 VLAN ID 的回复:
root@Debian10n2:# radtest test motdepasse 192.168.150.1 1812 passroot
Sent Access-Request Id 243 from 0.0.0.0:54448 to 192.168.150.1: 1812 length 74
User-Name = "test"
User-Password = "motdepasse"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "motdepasse"
Received Access-Accept Id 243 from 192.168.150.1:1812 to 192.168.150.30:54448 length 35
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
root@Debian10n2: #