WPA2-EAP авторизация FreeRadius + MikroTik, где туплю?

Question

ТыжСисАдмин @POS_troi

СадоМазо Админ, флудер, троль.

WPA2-EAP авторизация FreeRadius + MikroTik, где туплю?

Приветствую друзья.
Пытаюсь поднять WPA2-EAP на микротике, freeradius отрабатывает нормально при авторизации на свитчах и куче сетевых железок но вот настроить WPA2-EAP не получается.

В логе имеет:

(220) Received Access-Request Id 234 from 10.10.3.189:42134 to 172.17.0.2:1812 length 264
(220)   Service-Type = Framed-User
(220)   Framed-MTU = 1400
(220)   User-Name = "sys"
(220)   State = 0x9c1eed869b17f40c954b4359550f8eb4
(220)   NAS-Port-Id = "radius"
(220)   NAS-Port-Type = Wireless-802.11
(220)   Acct-Session-Id = "82000020"
(220)   Acct-Multi-Session-Id = "6E-3B-6B-F2-A3-84-80-A5-89-00-3D-A3-82-00-00-00-00-00-00-1D"
(220)   Calling-Station-Id = "80-A5-89-00-3D-A3"
(220)   Called-Station-Id = "6E-3B-6B-F2-A3-84:Radius"
(220)   EAP-Message = 0x0209002b19001703010020f6f18e3b9d1144351e61353162621a3e6de737d51713a7746737b0d5689bf84d
(220)   Message-Authenticator = 0x24d64cf0c1f4b2596164e3b4faca09d1
(220)   NAS-Identifier = "MikroTik"
(220)   NAS-IP-Address = 10.10.3.189
(220) Restoring &session-state
(220)   &session-state:Module-Failure-Message := "No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
(220) # Executing section authorize from file /radius/conf/sites-enabled/default
(220)   authorize {
(220)     policy filter_username {
(220)       if (&User-Name) {
(220)       if (&User-Name)  -> TRUE
(220)       if (&User-Name)  {
(220)         if (&User-Name =~ / /) {
(220)         if (&User-Name =~ / /)  -> FALSE
(220)         if (&User-Name =~ /@[^@]*@/ ) {
(220)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(220)         if (&User-Name =~ /\.\./ ) {
(220)         if (&User-Name =~ /\.\./ )  -> FALSE
(220)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(220)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(220)         if (&User-Name =~ /\.$/)  {
(220)         if (&User-Name =~ /\.$/)   -> FALSE
(220)         if (&User-Name =~ /@\./)  {
(220)         if (&User-Name =~ /@\./)   -> FALSE
(220)       } # if (&User-Name)  = notfound
(220)     } # policy filter_username = notfound
(220)     [preprocess] = ok
(220)     [chap] = noop
(220)     [mschap] = noop
(220)     [digest] = noop
(220) suffix: Checking for suffix after "@"
(220) suffix: No '@' in User-Name = "sys", looking up realm NULL
(220) suffix: No such realm "NULL"
(220)     [suffix] = noop
(220) eap: Peer sent EAP Response (code 2) ID 9 length 43
(220) eap: Continuing tunnel setup
(220)     [eap] = ok
(220)   } # authorize = ok
(220) Found Auth-Type = eap
(220) # Executing group from file /radius/conf/sites-enabled/default
(220)   authenticate {
(220) eap: Expiring EAP session with state 0x9c1eed869b17f40c
(220) eap: Finished EAP session with state 0x9c1eed869b17f40c
(220) eap: Previous EAP request found for state 0x9c1eed869b17f40c, released from the list
(220) eap: Peer sent packet with method EAP PEAP (25)
(220) eap: Calling submodule eap_peap to process data
(220) eap_peap: Continuing EAP-TLS
(220) eap_peap: [eaptls verify] = ok
(220) eap_peap: Done initial handshake
(220) eap_peap: [eaptls process] = ok
(220) eap_peap: Session established.  Decoding tunneled attributes
(220) eap_peap: PEAP state send tlv failure
(220) eap_peap: Received EAP-TLV response
(220) eap_peap:   The users session was previously rejected: returning reject (again.)
(220) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
(220) eap_peap:   to find out the reason why the user was rejected
(220) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
(220) eap_peap:   what went wrong, and how to fix the problem
(220) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(220) eap: Sending EAP Failure (code 4) ID 9 length 4
(220) eap: Failed in EAP select
(220)     [eap] = invalid
(220)   } # authenticate = invalid
(220) Failed to authenticate the user
(220) Using Post-Auth-Type Reject
(220) # Executing group from file /radius/conf/sites-enabled/default
(220)   Post-Auth-Type REJECT {
(220) sql: EXPAND .query
(220) sql:    --> .query
(220) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (30)
(220) sql: EXPAND %{User-Name}
(220) sql:    --> sys
(220) sql: SQL-User-Name set to 'sys'
(220) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())
(220) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW())
(220) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(220) sql: SQL query returned: success
(220) sql: 1 record(s) updated
rlm_sql (sql): Released connection (30)
(220)     [sql] = ok
(220) attr_filter.access_reject: EXPAND %{User-Name}
(220) attr_filter.access_reject:    --> sys
(220) attr_filter.access_reject: Matched entry DEFAULT at line 11
(220)     [attr_filter.access_reject] = updated
(220)     policy remove_reply_message_if_eap {
(220)       if (&reply:EAP-Message && &reply:Reply-Message) {
(220)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(220)       else {
(220)         [noop] = noop
(220)       } # else = noop
(220)     } # policy remove_reply_message_if_eap = noop
(220)   } # Post-Auth-Type REJECT = updated
(220) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
(220) Discarding duplicate request from client 0.0.0.0/0 port 42134 - ID: 234 due to delayed response
Waking up in 0.6 seconds.
(220) Discarding duplicate request from client 0.0.0.0/0 port 42134 - ID: 234 due to delayed response
Waking up in 0.4 seconds.
(220) Sending delayed response
(220) Sent Access-Reject Id 234 from 172.17.0.2:1812 to 10.10.3.189:42134 length 44
(220)   EAP-Message = 0x04090004
(220)   Message-Authenticator = 0x00000000000000000000000000000000

Смущает строка
(220) eap_peap: PEAP state send tlv failure
но гугл что-то не прояснил ситуацию.

В качестве клиента выступает Windows7, настройки подключения
Mikrosoft EAP(PEAP) + EAP-MSCHAPv2

Прошу поделится опытом, какие конфиги нужны, покажу.

Решение:
mods-avaliable/eap, строку
default_eap_type = tls
необходимо привести к виду
default_eap_type = tls,peap
(с третьей версии разделитель запятая а не пробел)

и потом собственно настроить и сам mschap
mods-avaliable/mschap

use_mppe = yes
require_encryption = yes
require_strong = yes

Вопрос задан более трёх лет назад
2491 просмотр

Комментировать

Подписаться 1 Оценить Комментировать

Решения вопроса 1

1 комментарий

ТыжСисАдмин @POS_troi Автор вопроса
Почти правы :)
Вся проблема была в том что я забыл дописать peap аунтетификацию к tls-у
тоесть в mods-avaliable/eap, строку
default_eap_type = tls
необходимо привести к виду
default_eap_type = tls,peap
(с третьей версии разделитель запятая а не пробел)

и потом собственно настроить и сам mschap
mods-avaliable/mschap
use_mppe = yes require_encryption = yes require_strong = yes

Как говорится, лги читать нужно все - пока не выкурил лог с начала первого хэндшейка авторизации, нифига не понял :)
Написано более трёх лет назад