Authentication: server-derived role based on Filter-Id with FreeRADIUS not working

Tags: authentication, freeradius

I am setting up a wireless lab. User guest123 with password guest123 authenticates over wireless using 802.1X. FreeRADIUS should also return FilterId => labguest. The rule on the wireless controller is set to assign the user role to whatever FilterId is returned during the RADIUS exchange. Instead, the request/response churns ten times and the user is assigned the default role, "authenticated".

Short question before getting into the details: what am I doing wrong, and is there an automated tool that can go through freeradius -X output and make suggestions?

Simple command-line tests from the wireless controller and from FreeRADIUS show authentication succeeding and the returned attributes.

This is the working part.

From FreeRADIUS:

Aruba controller: the role "labguest" is defined here:

user-role labguest  
    access-list session global-sacl  
    access-list session apprf-labguest-sacl  
    access-list session "Cant ping controller"  
    access-list session allowall  
    access-list session v6-allowall 
The rule that assigns the user role based on Filter-Id is:

aaa server-group "lab-emp_srvgrp-kqh72"
    auth-server radius1
    set role condition Filter-Id value-of
This is the broken part. After authenticating over wireless with 802.1X, the user receives the default 802.1X role, "authenticated", instead of "labguest".

Actual results:
I posted on the Aruba Airheads forum and then opened a case with Aruba/HPE support. After analyzing the logs and packet captures, the Aruba/HPE support engineer said:

"I would like to let you know that I went through the packet captures carefully and have attached screenshots based on what we observed. As shown in the CP Accept screenshot, we see the RADIUS Accept for the user authenticating with Captive Portal. We see in the Accept packet that the server is sending the attribute "labguest" to the controller for assigning the user role.

In the case of the Dot1x Accept screenshot, when the user authenticates with Dot1x authentication, we do not see any attribute sent by the server in the Accept packet.

Please check on the server side whether we need to enable sending attributes for MSCHAPv2 as well as for the PAP protocol, or whether there is any specific configuration on the server that handles which attributes to send based on the authentication type."

I then posted to the FreeRADIUS users list. The reply:

"The solution is to move the "files" module before "eap". Edit sites-enabled/default. Look at the "authorize" section."

That worked. Excerpt from the edited sites-enabled/default:

#  
#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP  
#  authentication.  
#  
#  It also sets the EAP-Type attribute in the request  
#  attribute list to the EAP type from the packet.  
#  
#  The EAP module returns "ok" or "updated" if it is not yet ready  
#  to authenticate the user.  The configuration below checks for  
#  "ok", and stops processing the "authorize" section if so.  
#  
#  Any LDAP and/or SQL servers will not be queried for the  
#  initial set of packets that go back and forth to set up  
#  TTLS or PEAP.  
#  
#  The "updated" check is commented out for compatibility with  
#  previous versions of this configuration, but you may wish to  
#  uncomment it as well; this will further reduce the number of  
#  LDAP and/or SQL queries for TTLS or PEAP.  
#  
files  
eap {  
    ok = return  
#       updated = return  
}  

#  
#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,  
#  using the system API's to get the password.  If you want  
#  to read /etc/passwd or /etc/shadow directly, see the  
#  mods-available/passwd module.  
#  
# unix  

#  
#  Read the 'users' file.  In v3, this is located in  
#  raddb/mods-config/files/authorize  
#   files  
Test from the Aruba controller:

(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose  

Authentication Successful  
Processing time (ms) : 6.407  
Attribute value pairs in request  
--------------------------------  
Vendor     Attribute           Value  
------     ---------           -----  
           NAS-IP-Address      192.168.18.254  
           NAS-Port-Id         0  
           NAS-Port-Type       Wireless-IEEE802.11  
           User-Name           guest123  
           Service-Type        Login-User  
           Calling-Station-Id  0.0.0.0  
           Called-Station-Id   000B86BE91F0  
Microsoft  MS-CHAP-Challenge   \032\241\007[\002(\\321j5\001v\221lf\236  
Microsoft  MS-CHAP2-Response  
Aruba      Aruba-Essid-Name  
Aruba      Aruba-Location-Id   N/A  
Aruba      Aruba-AP-Group      N/A  
Aruba      Aruba-Device-Type  
           Message-Auth        I\365\262\357\365o{s\264\270\246\022Cz\264-  
           PW_RADIUS_ID        H  
           Rad-Length          199  
Attribute value pairs in response  
---------------------------------  
Vendor     Attribute                  Value  
------     ---------                  -----  
           Service-Type               Framed-User  
           Filter-Id                  labguest  
Microsoft  MS-CHAP2-Success  
Microsoft  MS-MPPE-Recv-Key           \205g8\374\333\260\031\306\3379\321\220\273\273\355\024\277\210Q\003\226\004M>\372\307p6\273&\322\231N\253  
Microsoft  MS-MPPE-Send-Key           \215\277d\301f\207A\215!\376\345.\324\177BM\364\310\251p\263\224\315 \012\001\035:\327\253\314\016\026\243  
Microsoft  MS-MPPE-Encryption-Policy  
Microsoft  MS-MPPE-Encryption-Types  
           PW_RADIUS_ID               H  
           Rad-Length                 195  
           PW_RADIUS_CODE             \002  
           PW_RAD_AUTHENTICATOR       }\203!\353\244}\215,\216\203J]\027\247\325\272  

(Master1) # show user mac  fc:c2:de:13:d6:15  

Name: guest123, IP: 192.168.16.3, MAC: fc:c2:de:13:d6:15, Age: 00:00:00  
Role: labguest (how: ROLE_DERIVATION_DOT1X_SDR), ACL: 71/0  
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1  
Authentication Servers: dot1x authserver: radius1, mac authserver:  
Bandwidth = No Limit  
Bandwidth = No Limit  
Role Derivation: ROLE_DERIVATION_DOT1X_SDR  
VLAN Derivation: Default VLAN  

Note that the sites-enabled/default edit was made on a clean FreeRADIUS install, not as a correction to any prior tinkering.

If this attribute is set by a RADIUS server that FreeRADIUS has to proxy to, the following files must be modified:

mods-config/attr_filter/pre-proxy and post-proxy

adding to the attributes that must be proxied:

Filter-Id =* ANY
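The poster asked for a tool that reads freeradius -X output and points at the problem. The script below is an added example for this page, not a tool from FreeRADIUS, Aruba, or the poster. It does a small version of that job: it groups the debug lines by request number, records which modules ran inside authorize and which attributes went into the packet sent back, and reports when [eap] = ok ended the section before files ran, which is exactly the ordering the list reply fixed. Both transcripts embedded in it are constructed by hand to resemble FreeRADIUS 3.0 debug output (the 192.168.18.x addresses come from the controller test above, the module and attribute names from the page); they are not captured traffic, and a real transcript has many more lines but the same markers.

```python
"""Check `freeradius -X` output for reply attributes that never reach the
Access-Accept because authorize short-circuited at `eap`.

Added example for this page, not FreeRADIUS code or the poster's.  The two
transcripts are constructed to resemble 3.0 debug output: request number in
parentheses, `[module] = rcode` inside `authorize { ... }`, then a
`Sent Access-...` line followed by the reply attributes.
"""
import re
from collections import defaultdict

# Constructed: `eap` before `files`.  On the final packet eap returns ok,
# `ok = return` ends authorize, files never runs, no Filter-Id is sent.
BROKEN_ORDER = """\
(0) Received Access-Request Id 71 from 192.168.18.254:32768 to 192.168.18.10:1812 length 199
(0)   User-Name = "guest123"
(0) Sent Access-Challenge Id 71 from 192.168.18.10:1812 to 192.168.18.254:32768 length 0
(0)   EAP-Message = 0x010200061920
(3) Received Access-Request Id 74 from 192.168.18.254:32768 to 192.168.18.10:1812 length 243
(3)   User-Name = "guest123"
(3)   authorize {
(3)     [preprocess] = ok
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 43
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Sent Access-Accept Id 74 from 192.168.18.10:1812 to 192.168.18.254:32768 length 0
(3)   MS-MPPE-Recv-Key = 0x2a41
(3)   User-Name = "guest123"
"""

# Constructed: the same final packet after moving `files` above `eap`.
FIXED_ORDER = """\
(3) Received Access-Request Id 74 from 192.168.18.254:32768 to 192.168.18.10:1812 length 243
(3)   User-Name = "guest123"
(3)   authorize {
(3)     [preprocess] = ok
(3)     [suffix] = noop
(3) files: users: Matched entry guest123 at line 1
(3)     [files] = ok
(3) eap: Peer sent EAP Response (code 2) ID 4 length 43
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Sent Access-Accept Id 74 from 192.168.18.10:1812 to 192.168.18.254:32768 length 0
(3)   Filter-Id = "labguest"
(3)   MS-MPPE-Recv-Key = 0x2a41
(3)   User-Name = "guest123"
"""

LINE = re.compile(r"^\((\d+)\)\s*(.*)$")             # "(3) rest of line"
MODULE = re.compile(r"^\[([\w.-]+)\]\s*=\s*(\w+)$")  # "[files] = ok"
SENT = re.compile(r"^Sent (Access-\w+) Id \d+")      # "Sent Access-Accept Id 74 ..."
ATTR = re.compile(r"^([\w-]+)\s*=\s*(.*)$")          # 'Filter-Id = "labguest"'


def parse_debug(text):
    """Per request: (module, rcode) pairs seen inside authorize, the packet
    code sent back, and the attributes listed after the Sent line."""
    reqs = defaultdict(lambda: {"authorize": [], "sent": None, "reply": {}})
    open_section = {}  # request number -> unlang section currently open
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        no, body = int(m.group(1)), m.group(2).strip()
        req = reqs[no]
        if body.endswith("{") and not body.startswith("#"):
            open_section[no] = body[:-1].strip()
        elif body.startswith("}"):
            open_section.pop(no, None)
        elif (mod := MODULE.match(body)) and open_section.get(no) == "authorize":
            req["authorize"].append((mod.group(1), mod.group(2)))
        elif (sent := SENT.match(body)):
            req["sent"] = sent.group(1)  # attributes that follow are the reply
        elif req["sent"] and (attr := ATTR.match(body)):
            req["reply"][attr.group(1)] = attr.group(2).strip('"')
    return dict(reqs)


def diagnose(text, attr="Filter-Id"):
    """One (request, verdict, detail) tuple per Access-Accept in the transcript."""
    findings = []
    for no, req in sorted(parse_debug(text).items()):
        if req["sent"] != "Access-Accept":
            continue
        ran = [mod for mod, _ in req["authorize"]]
        if attr in req["reply"]:
            findings.append((no, "ok", f"{attr} = {req['reply'][attr]!r} sent; authorize ran {ran}"))
        elif "files" not in ran and ("eap", "ok") in req["authorize"]:
            findings.append((no, "fix", "authorize returned at 'eap' before 'files' ran; "
                                        "move 'files' above 'eap' in sites-enabled/default"))
        else:
            findings.append((no, "check", f"{attr} missing from Access-Accept; authorize ran {ran}"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BROKEN_ORDER), ("after", FIXED_ORDER)):
        for no, verdict, detail in diagnose(text):
            print(f"{label}: request ({no}) {verdict}: {detail}")
```

Run it against a saved transcript with `diagnose(open("debug.log").read())`; a "fix" verdict is the case in this question, while a "check" verdict means files did run (or eap did not short-circuit) and the users entry or a later module is the thing to look at. One caveat the page's fix relies on: the outer authorize section in sites-enabled/default runs on every packet of the PEAP exchange, so on the final packet files adds Filter-Id to the outer reply. Reply attributes set only inside sites-enabled/inner-tunnel are not copied to the outer Access-Accept in FreeRADIUS 3.0.x unless the peap section of mods-available/eap has use_tunneled_reply = yes, which is why a users entry that only takes effect in the inner tunnel shows the same symptom.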

Comments:

Welcome to SO. I took the liberty of reformatting your question to improve its readability.

I appreciate the edit. I wonder whether the problem is the way I enabled EAP/TTLS/mschapv2. I followed the steps from (link not preserved). I have tried FreeRADIUS 2.2.8 and 3.0.15. I have also tried file-based users and PostgreSQL, but that is not relevant. Could the lack of new certificates be related to these symptoms?

More solution attempts: fresh build, FreeRADIUS 3.0.15 on Ubuntu Server 16.04.3. Threw out the questionable EAP settings. Here are the only changes to the default FreeRADIUS configuration: added a client, added a user, and created new certificates (updated mods-enabled with the new password). For the user, tried both syntaxes for reply AVPs:
(Master1) # show user mac 44:39:c4:59:e5:64  
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05  
Role: labguest (how: ROLE_DERIVATION_DOT1X_SDR)  
(Master1) # show user mac 44:39:c4:59:e5:64  
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05  
Role: authenticated (how: ROLE_DERIVATION_DOT1X)  