Configuring the RADIUS retransmit count or timeout for strongSwan eap-radius

I have the following connection setup:

Site A (radius server) <--> Site B (gateway) <--> Roadwarrior (Bob)

Site B uses the eap-radius plugin for RADIUS authentication and accounting.

eap-radius {
  dae {
    enable = yes
    listen = 0.0.0.0
    port = 3799
    secret = verystrongsecret
  }
  class_group = yes
  eap_start = no
  load = yes
  accounting = yes
  servers {
    server-a {
      address = xx.xx.xx.xx
      auth_port = 1812
      acct_port = 1813
      secret = verystrongsecret
      nas_identifier = gw
      sockets = 5
    }
  }
}

A trap policy is configured between Site A and Site B.

children {
  net-net {
    local_ts = xx.xx.xx.xx/xx
    remote_ts = xx.xx.xx.xx/xx

    start_action = trap|start
    ...
  }
}

Then I forcibly terminate the connection between the RADIUS server and the gateway: swanctl -t -i radius

When Bob connects to the gateway, RADIUS authentication fails before the connection between the RADIUS server and the gateway has been established. It looks like the IKE_SA to the RADIUS server is not initiated until after EAP_RADIUS has already failed.

Nov 03 05:41:43 gw: received EAP identity 'user'
Nov 03 05:41:43 gw: sending RADIUS Access-Request to server 'server-a'
Nov 03 05:41:43 gw: creating acquire job for policy xx.xx.xx.xx/xx[udp/52470] === xx.xx.xx.xx/xx[udp/radius] with reqid {1}
Nov 03 05:41:44 gw: ignoring request with ID 2, already processing
Nov 03 05:41:45 gw: retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Nov 03 05:41:46 gw: ignoring request with ID 2, already processing
Nov 03 05:41:47 gw: retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Nov 03 05:41:50 gw: ignoring request with ID 2, already processing
Nov 03 05:41:51 gw: retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Nov 03 05:41:57 gw: RADIUS Access-Request timed out after 4 attempts
Nov 03 05:41:57 gw: initiating EAP_RADIUS method failed
Nov 03 05:41:57 gw: generating IKE_AUTH response 2 [ EAP/FAIL ]
Nov 03 05:41:57 gw: sending packet: from xx.xx.xx.xx[4500] to xx.xx.xx.xx[23811] (80 bytes)
Nov 03 05:41:57 gw: initiating IKE_SA radius[31] to xx.xx.xx.xx

Because the connection between Site A and Site B is already established after the first connection attempt, Bob's second connection succeeds.

How can I overcome this so that the site-to-site tunnel is up when a client connects to the gateway? Is it possible to increase the RADIUS authentication timeout (if that would help)?
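The retransmit behaviour visible in the log above is governed by three strongswan.conf settings in the charon.plugins.eap-radius section: retransmit_timeout (default 2.0 s, the wait before the first retransmit), retransmit_base (default 1.4, the multiplier applied after each attempt) and retransmit_tries (default 4, the total number of attempts). The following Python script is an added example, not code from the question or from the strongSwan project. It models the schedule as timeout × base^n per attempt (a model that reproduces the 2.8 s, 3.9 s and 5.5 s timeouts and the 14 s elapsed time in the log), parses a constructed copy of the Access-Request lines from the question to confirm the gateway is running the defaults, computes how many tries would be needed to cover a given wait, and renders the matching strongswan.conf fragment. The 30-second target used in the usage call is an arbitrary assumption for illustration.

```python
import re

# Constructed sample: the Access-Request lines from the log in the question
# above (same timestamps and timeout values); unrelated log lines omitted.
SAMPLE_LOG = """\
Nov 03 05:41:43 gw: sending RADIUS Access-Request to server 'server-a'
Nov 03 05:41:45 gw: retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Nov 03 05:41:47 gw: retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Nov 03 05:41:51 gw: retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Nov 03 05:41:57 gw: RADIUS Access-Request timed out after 4 attempts
"""

# strongswan.conf defaults for charon.plugins.eap-radius.retransmit_*
DEFAULT_TIMEOUT = 2.0   # retransmit_timeout: seconds before the first retransmit
DEFAULT_BASE = 1.4      # retransmit_base: multiplier applied after each attempt
DEFAULT_TRIES = 4       # retransmit_tries: attempts in total (first send included)

_TS = re.compile(r"^\w{3} \d{2} (\d{2}):(\d{2}):(\d{2}) ")
_TIMEOUT = re.compile(r"retransmit \d+ of RADIUS Access-Request \(timeout: ([\d.]+)s\)")
_ATTEMPTS = re.compile(r"timed out after (\d+) attempts")


def retransmit_schedule(timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE, tries=DEFAULT_TRIES):
    """Seconds each attempt waits for a reply: attempt n waits timeout * base**n
    (model assumed here). Rounded to one decimal, as charon prints them."""
    return [round(timeout * base ** n, 1) for n in range(tries)]


def total_wait(timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE, tries=DEFAULT_TRIES):
    """Worst-case seconds from the first Access-Request until 'timed out'."""
    return round(sum(timeout * base ** n for n in range(tries)), 1)


def min_tries_for(min_seconds, timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE):
    """Smallest retransmit_tries whose total wait covers min_seconds."""
    tries = 1
    while total_wait(timeout, base, tries) < min_seconds:
        tries += 1
    return tries


def check_log_against_settings(log, timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE,
                               tries=DEFAULT_TRIES):
    """Parse the Access-Request lines and report whether the logged timeouts,
    attempt count and elapsed wall-clock time match the given settings."""
    stamps, logged_timeouts, attempts = [], [], None
    for line in log.splitlines():
        if "RADIUS Access-Request" not in line:
            continue
        m = _TS.match(line)
        if m:
            h, mi, s = (int(x) for x in m.groups())
            stamps.append(h * 3600 + mi * 60 + s)
        m = _TIMEOUT.search(line)
        if m:
            logged_timeouts.append(float(m.group(1)))
        m = _ATTEMPTS.search(line)
        if m:
            attempts = int(m.group(1))
    expected = retransmit_schedule(timeout, base, tries)
    return {
        "logged_timeouts": logged_timeouts,
        "expected_timeouts": expected[1:],   # the first wait is never logged
        "attempts": attempts,
        "observed_total_s": stamps[-1] - stamps[0] if len(stamps) > 1 else None,
        "matches_settings": logged_timeouts == expected[1:] and attempts == tries,
    }


def render_eap_radius_conf(timeout, base, tries):
    """strongswan.conf fragment (charon.plugins.eap-radius) for the settings."""
    return (
        "charon {\n  plugins {\n    eap-radius {\n"
        f"      retransmit_timeout = {timeout}\n"
        f"      retransmit_base = {base}\n"
        f"      retransmit_tries = {tries}\n"
        "    }\n  }\n}\n"
    )


if __name__ == "__main__":
    report = check_log_against_settings(SAMPLE_LOG)
    print("log matches defaults:", report["matches_settings"], report)
    print("default total wait:", total_wait(), "s")
    tries = min_tries_for(30.0)   # assumed target window, for illustration
    print(f"to wait at least 30s with the default timeout and base, "
          f"set retransmit_tries = {tries} (total {total_wait(tries=tries)}s):")
    print(render_eap_radius_conf(DEFAULT_TIMEOUT, DEFAULT_BASE, tries))
```

The observed_total_s value (14 s for the log in the question) is the window within which the site-to-site IKE_SA would have to come up for the Access-Request to still be answered; in the question's log the IKE_SA is only initiated after that window has closed, so widening the retransmit settings is only useful if the acquire-triggered initiation actually runs during the wait. The settings take effect after charon reloads strongswan.conf, and every extra try also lengthens how long a client with a genuinely unreachable RADIUS server sits in IKE_AUTH.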
