IKEv2 with certificate + EAP between an IPsec client, a VPN server on an OpenWRT router and FreeRADIUS - authentication problem

I need your help and expertise with a situation I am facing. I am currently testing an IPsec tunnel using IKEv2 with certificate + EAP between an IPsec client (TheGreenBow), a VPN server on an OpenWRT router and a FreeRADIUS server. When I run the test with IKEv1 with certificate + XAuth, the tunnel is established successfully and the whole chain seems to work correctly. However, when I switch to IKEv2 with EAP, the tunnel fails to establish, and I see an unusual format being sent by the router to the RADIUS server. Below are the logs from the client, the VPN server and the RADIUS server.

Client log

TIKEV2_Ikev2Gateway SEND IKE_SA_INIT [HDR][SA][KE][NONCE][N(NAT_DETECTION_SOURCE_IP)][N(NAT_DETECTION_DESTINATION_IP)][VID][N(SIGNATURE_HASH_ALGORITHMS)]
TIKEV2_Ikev2Gateway RECV IKE_SA_INIT [HDR][SA][KE][NONCE][N(NAT_DETECTION_SOURCE_IP)][N(NAT_DETECTION_DESTINATION_IP)][CERTREQ][N(MULTIPLE_AUTH_SUPPORTED)][VID][VID]
TIKEV2_Ikev2Gateway IKE SA I-SPI 661715392CB994EF R-SPI 892874DACC2BB2A0
TIKEV2_Ikev2Gateway SEND IKE_AUTH [HDR][IDi][CERT][N(INITIAL_CONTACT)][CERTREQ][AUTH][SA][TSi][TSr][N(ESP_TFC_PADDING_NOT_SUPPORTED)][N(ANOTHER_AUTH_FOLLOWS)]
TIKEV2_Ikev2Gateway RECV IKE_AUTH [HDR][IDr][CERT][AUTH]
TIKEV2_Ikev2Gateway SEND IKE_AUTH [HDR][IDi]
TIKEV2_Ikev2Gateway RECV IKE_AUTH [HDR][EAP(REQUEST/MS-EAP-Authentication/Challenge)]
TIKEV2_Ikev2Gateway SEND IKE_AUTH [HDR][EAP(RESPONSE/MS-EAP-Authentication/Response)]
TIKEV2_Ikev2Gateway RECV IKE_AUTH [HDR][EAP(FAILURE)]
TIKEV2_Ikev2Gateway Remote endpoint sent EAP FAILURE code

Server log

ipsec: 01[IKE] <Test-VPN|1> authentication of 'CN=fenix' with RSA signature successful
ipsec: 01[IKE] <Test-VPN|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
ipsec: 01[IKE] <Test-VPN|1> authentication of 'CN=server' (myself) with RSA signature successful
ipsec: 01[IKE] <Test-VPN|1> sending end entity cert "CN=server"
ipsec: 01[ENC] <Test-VPN|1> generating IKE_AUTH response 1 [ IDr CERT AUTH ]
ipsec: 03[ENC] <Test-VPN|1> parsed IKE_AUTH request 2 [ IDi ]
ipsec: 03[CFG] <Test-VPN|1> sending RADIUS Access-Request to server 'PISERVER2'
ipsec: 03[CFG] <Test-VPN|1> received RADIUS Access-Challenge from server 'PISERVER2'
ipsec: 03[IKE] <Test-VPN|1> initiating EAP_MSCHAPV2 method (id 0x01)
ipsec: 03[ENC] <Test-VPN|1> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
ipsec: 12[ENC] <Test-VPN|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
ipsec: 12[CFG] <Test-VPN|1> sending RADIUS Access-Request to server 'PISERVER2'
ipsec: 12[CFG] <Test-VPN|1> received RADIUS Access-Reject from server 'PISERVER2'
ipsec: 12[IKE] <Test-VPN|1> RADIUS authentication of 'CN=fenix' failed
ipsec: 12[IKE] <Test-VPN|1> EAP method EAP_MSCHAPV2 failed for peer CN=fenix
ipsec: 12[ENC] <Test-VPN|1> generating IKE_AUTH response 3 [ EAP/FAIL ]
ipsec: 12[IKE] <Test-VPN|1> destroying IKE_SA in state CONNECTING without notification

FreeRADIUS log

(32) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(32)   authenticate {
(32) eap: Expiring EAP session with state 0x581fe34d581ef956
(32) eap: Finished EAP session with state 0x581fe34d581ef956
(32) eap: Previous EAP request found for state 0x581fe34d581ef956, released from the list
(32) eap: Broken NAS did not set User-Name, setting from EAP Identity
(32) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(32) eap: Calling submodule eap_mschapv2 to process data
(32) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(32) eap_mschapv2:   authenticate {
(32) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(32) mschap: WARNING: User-Name (0?1?0???U????fenix) is not the same as MS-CHAP Name (alice) from EAP-MSCHAPv2
(32) mschap: Creating challenge hash with username: alice
(32) mschap: Client is using MS-CHAPv2
(32) mschap: ERROR: FAILED: No NT-Password.  Cannot perform authentication
(32) mschap: ERROR: MS-CHAP2-Response is incorrect
(32) eap_mschapv2:     [mschap] = reject
(32) eap_mschapv2:   } # authenticate = reject
(32) eap: Sending EAP Failure (code 4) ID 1 length 4
(32) eap: Freeing handler
(32)     [eap] = reject
(32)   } # authenticate = reject
(32) Failed to authenticate the user
(32) Using Post-Auth-Type Reject
(32) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(32)   Post-Auth-Type REJECT {
(32) attr_filter.access_reject: EXPAND %{User-Name}
(32) attr_filter.access_reject:    --> 0\0201\0160\014\006\003U\004\003\014\005fenix
(32) attr_filter.access_reject: Matched entry DEFAULT at line 11
(32)     [attr_filter.access_reject] = updated
(32)     [eap] = noop
(32)     policy remove_reply_message_if_eap {
(32)       if (&reply:EAP-Message && &reply:Reply-Message) {
(32)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(32)       else {
(32)         [noop] = noop
(32)       } # else = noop
(32)     } # policy remove_reply_message_if_eap = noop
(32)   } # Post-Auth-Type REJECT = updated
(32) Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication): [0?1?0???U????fenix/<via Auth-Type = eap>] (from client any port 0)
(32) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
(32) Sent Access-Reject Id 238 from 192.168.100.20:1812 to 192.168.100.1:48596 length 127
(32)   MS-CHAP-Error = "\001E=691 R=1 C=8dd1e38e788b7fd823ab10a4fa9fff70 V=3 M=Authentication rejected"

I also ran other tests, with (strongSwan client + strongSwan server + FreeRADIUS) and with (TheGreenBow client + OpenWRT strongSwan server + NPS linked to Active Directory), but I always get the same username format, which my RADIUS server does not accept.

> 0\0201\0160\014\006\003U\004\003\014\005fenix

Unlike XAuth, the client sends a username based on the CN of its certificate rather than the real username. Client info --> username: alice, CN=fenix

Any help in resolving this would be greatly appreciated.

Regards
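As an added worked example (not part of the original post, and not strongSwan or FreeRADIUS code), the following script decodes the User-Name that FreeRADIUS printed as `0\0201\0160\014\006\003U\004\003\014\005fenix`. It unescapes the `\NNN` octal notation FreeRADIUS uses for non-printable bytes, then parses the result as a DER-encoded X.500 Name, which is how an IKEv2 ID of type ID_DER_ASN1_DN is carried on the wire. The sample values are the strings from the logs above and the identity `alice` the poster says the client is configured with; the check at the end mirrors the mismatch that the `mschap` module warns about.

```python
# Added example: decode the octal-escaped User-Name from the FreeRADIUS log
# and show that it is the DER encoding of the certificate subject "CN=fenix",
# not the EAP identity "alice". Sample inputs are taken from the post's logs.
import re

# Sample values copied from the FreeRADIUS log in the post (constructed test data)
RADIUS_USER_NAME = r"0\0201\0160\014\006\003U\004\003\014\005fenix"
MSCHAP_NAME = "alice"

# Attribute type OIDs commonly seen in certificate subjects
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "E",
}


def unescape_radius(s: str) -> bytes:
    """Turn FreeRADIUS' \\NNN octal escapes back into raw bytes."""
    text = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)
    return text.encode("latin-1")


def _tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(b: bytes) -> str:
    arcs = [b[0] // 40, b[0] % 40]
    val = 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_dn(der: bytes) -> str:
    """Decode an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to 'CN=...' form."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        parts, p = [], 0
        while p < len(rdn):
            tag, atv, p = _tlv(rdn, p)
            if tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            _, oid, q = _tlv(atv, 0)
            vtag, val, _ = _tlv(atv, q)
            text = val.decode("utf-16-be") if vtag == 0x1E else val.decode("utf-8")
            oid_str = _decode_oid(oid)
            parts.append(f"{OID_NAMES.get(oid_str, oid_str)}={text}")
        rdns.append("+".join(parts))
    return ", ".join(rdns)


def classify_user_name(radius_user_name: str):
    """Return ('DER DN', 'CN=...') if the User-Name is a DER Name, else ('string', text)."""
    raw = unescape_radius(radius_user_name)
    if raw[:1] == b"\x30":
        try:
            return "DER DN", decode_dn(raw)
        except (ValueError, IndexError, UnicodeDecodeError):
            pass
    return "string", raw.decode("utf-8", "replace")


def check_identity(radius_user_name: str, mschap_name: str) -> dict:
    """Compare the RADIUS User-Name with the MS-CHAP name, as rlm_mschap does."""
    kind, ident = classify_user_name(radius_user_name)
    return {"kind": kind, "user_name": ident, "mschap_name": mschap_name,
            "match": ident == mschap_name}


if __name__ == "__main__":
    print(check_identity(RADIUS_USER_NAME, MSCHAP_NAME))
```

Running it shows the User-Name is the DER bytes `30 10 31 0e 30 0c 06 03 55 04 03 0c 05 66 65 6e 69 78`, i.e. `CN=fenix`, while the MS-CHAP name inside the EAP-MSCHAPv2 response is `alice`; a RADIUS backend looking up a cleartext or NT password under the User-Name therefore finds nothing, which matches the "No NT-Password" rejection in the log.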
