我正在实施认证协议和自由RADIUS 3.0.21。设备能够连接,服务器正在运行。但是,FreeRADIUS 抱怨其启动日志消息中 TLS 1.0/1.1 仍然可用。以下是systemctl status freeradius命令的输出:
● freeradius.service - FreeRADIUS multi-protocol policy server
Loaded: loaded (/lib/systemd/system/freeradius.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-03-09 17:22:55 UTC; 2h 33min ago
Docs: man:radiusd(8)
man:radiusd.conf(5)
http://wiki.freeradius.org/
http://networkradius.com/doc/
Process: 783 ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout (code=exited, status=0/SUCCESS)
Main PID: 786 (freeradius)
Status: "Processing requests"
Tasks: 6 (limit: 2101)
Memory: 81.7M (limit: 2.0G)
CPU: 1.621s
CGroup: /system.slice/freeradius.service
└─786 /usr/sbin/freeradius -f
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: rlm_sql (sql): Attempting to connect to database "radius"
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: rlm_sql (sql): Initialising connection pool
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: Ignoring "ldap" (see raddb/mods-available/README.rst)
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: radiusd: #### Skipping IP addresses and Ports ####
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: The configuration allows TLS 1.0 and/or TLS 1.1. We STRONGLY recommned using only TLS 1.2 for security
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: Please set: tls_min_version = "1.2"
Mar 09 17:22:54 rpi4-20230308 freeradius[783]: Configuration appears to be OK
Mar 09 17:22:55 rpi4-20230308 systemd[1]: Started FreeRADIUS multi-protocol policy server.
尽管我tls_min_version = "1.2"在mods-available/eap文件中设置了推荐选项,但 FreeRADIUS 仍然会抱怨。以下是文件:
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls-config tls-common {
private_key_password = secretpassword
private_key_file = ${certdir}/freeradius.key.pem
certificate_file = ${certdir}/freeradius.pem
ca_file = ${certdir}/ca.pem
dh_file = ${certdir}/dh
random_file = /dev/urandom
ca_path = ${cadir}
cipher_list = "DEFAULT"
#cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA"
cipher_server_preference = no
tls_min_version = "1.2"
tls_max_version = "1.2"
ecdh_curve = "secp384r1"
cache {
enable = no
lifetime = 24 # hours
persist_dir = "${logdir}/tlscache"
store {
Tunnel-Private-Group-Id
}
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
tls {
tls = tls-common
}
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
此外,这是我的sites-available/tls文件:
listen {
ipaddr = *
port = 2083
type = auth+acct
proto = tcp
virtual_server = default
clients = radsec
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
tls {
private_key_password = secretpassword
private_key_file = ${certdir}/freeradius.key.pem
certificate_file = ${certdir}/freeradius.pem
ca_file = ${certdir}/ca.pem
dh_file = ${certdir}/dh
random_file = /dev/urandom
fragment_size = 8192
ca_path = ${cadir}
cipher_list = "DEFAULT"
cipher_server_preference = no
cache {
enable = no
lifetime = 24 # hours
}
require_client_cert = yes
verify {
}
}
}
clients radsec {
client 127.0.0.1 {
ipaddr = 127.0.0.1
proto = tls
secret = radsec
}
}
home_server tls {
ipaddr = 127.0.0.1
port = 2083
type = auth
secret = radsec
proto = tcp
status_check = none
tls {
private_key_password = whatever
private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ca_file = /etc/ssl/certs/ca-certificates.crt
dh_file = ${certdir}/dh
random_file = /dev/urandom
fragment_size = 8192
ca_path = ${cadir}
cipher_list = "DEFAULT"
}
}
home_server_pool tls {
type = fail-over
home_server = tls
}
realm tls {
auth_pool = tls
}
FreeRADIUS 服务器在 RaspberryPi4 上的 Debian 上运行。以下是uname -a命令的输出:
Linux rpi4-20230308 5.10.0-21-arm64 #1 SMP Debian 5.10.162-1 (2023-01-21) aarch64 GNU/Linux
命令的输出openssl version如下:
OpenSSL 1.1.1n 15 Mar 2022
请问,有人能帮我找出配置出了什么问题(如果有的话)以及为什么 FreeRADIUS 服务器认为它可以接受处理 TLS 1.0/1.1 握手吗?
以下是针对 Konrad Gajewski 的建议所采取的措施的 wireshark 截图
答案1
可能你不必在 mods-available/eap 中进行更改,而是在 mods-enabled/eap 中进行更改。对于在 Ubuntu 16 上运行的 freeradius 3.0.12,此方法对我有用(在此旧版 freeradius 中,语法为disable_tlsv1_0=yesand disable_tlsv1_1=yesand not tls_min_version = "1.2")。
试一试!
答案2
跑步时Debian 上的 FreeRADIUS,你必须记住,默认版本不支持开箱即用的 TLS。它没有报告任何特定的错误,只是没有已编译使用它。
为了解决这个问题,你需要编译 FreeRADIUS 并启用 SSL/TLS 支持。本质上创建你自己的 deb,安装它们,然后确保在升级服务器时它们不会被覆盖。
(如何做到这一点是另一回事 - 但如果您遇到困难,请告诉我们)