freeradius rest module authentication fails #170

Open
G-Akiraka opened this issue Apr 29, 2024 · 3 comments
Comments

@G-Akiraka

G-Akiraka commented Apr 29, 2024

Description

Wi-Fi is integrated with freeradius using the rlm_rest module, set up and tested following the instructions at the link below. During Wi-Fi authentication the following is reported:

 eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x2f4d81322f4f9b0c
(1) eap: Finished EAP session with state 0x2f4d81322f4f9b0c
(1) eap: Previous EAP request found for state 0x2f4d81322f4f9b0c, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...
(1) eap: ERROR: No mutually acceptable types found
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) eap: Failed in EAP select
(1)     [eap] = invalid
(1)   } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject

Error message

Waking up in 4.9 seconds.
(1) Received Access-Request Id 64 from 192.168.1.252:39146 to 192.168.1.151:1812 length 377
(1)   User-Name = "aka"
(1)   Service-Type = Framed-User
(1)   Framed-Protocol = PPP
(1)   NAS-Identifier = "cm-0-1587586-219801A2GF8229E0001P"
(1)   NAS-IP-Address = 192.168.1.252
(1)   NAS-Port = 16778427
(1)   NAS-Port-Type = Wireless-802.11
(1)   NAS-Port-Id = "0100000000001211"
(1)   Calling-Station-Id = "92-9F-4E-2A-BC-7A"
(1)   Called-Station-Id = "40-FE-95-E6-15-80:AKA-TEST"
(1)   H3C-NAS-Startup-Timestamp = 1689660515
(1)   Acct-Session-Id = "0000000420240429062308002491fa08108063"
(1)   Attr-26.25506.133 = 0x000004bb
(1)   EAP-Message = 0x020200060319
(1)   Message-Authenticator = 0x74fe17953c50f2b6e6d8de40fc0fae37
(1)   Framed-MTU = 1450
(1)   H3C-Ip-Host-Addr = "0.0.0.0 92:9f:4e:2a:bc:7a"
(1)   State = 0x4f3013b04f3209d2ade8771d058c504c
(1)   Attr-26.25506.150 = 0xab509b8b6c7f31b46fd93d45c4b4d25e44a783c6fad42c115bce5f6896d50a87122441f8705803ba8ea5698f25d75aec
(1)   H3C-Product-ID = "H3C WX2560X"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log:    --> /usr/local/var/log/radius/radacct/192.168.1.252/auth-detail-20240429
(1) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.252/auth-detail-20240429
(1) auth_log: EXPAND %t
(1) auth_log:    --> Mon Apr 29 14:23:43 2024
(1)     [auth_log] = ok
rlm_rest (rest): Reserved connection (1)
(1) rest: Expanding URI components
(1) rest: EXPAND http://192.168.1.166:4000
(1) rest:    --> http://192.168.1.166:4000
(1) rest: EXPAND /freeradius/authorize
(1) rest:    --> freeradius/authorize
(1) rest: Sending HTTP POST to "http://192.168.1.166:4000/freeradius/authorize"
(1) rest: EXPAND username=%{urlquote:%{User-Name}}&nasip=%{urlquote:%{NAS-IP-Address}}&nasid=%{urlquote:%{NAS-Identifier}}
(1) rest:    --> username=aka&nasip=192.168.1.252&nasid=cm-0-1587586-219801A2GF8229E0001P
(1) rest: Processing response header
(1) rest:   Status : 200 (OK)
(1) rest:   Type   : json (application/json)
(1) rest: Adding reply:REST-HTTP-Status-Code = "200"
(1) rest: Parsing attribute "control:Cleartext-Password"
(1) rest: EXPAND 123
(1) rest:    --> 123
(1) rest: Cleartext-Password := "123"
(1) rest: Parsing attribute "reply:Acct-Interim-Interval"
(1) rest: EXPAND 120
(1) rest:    --> 120
(1) rest: Acct-Interim-Interval := 120
(1) rest: Parsing attribute "reply:Session-Timeout"
(1) rest: EXPAND 3600
(1) rest:    --> 3600
(1) rest: Session-Timeout := 3600
rlm_rest (rest): Released connection (1)
(1)     [rest] = updated
(1)     [chap] = noop
(1)     [mschap] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x4f3013b04f3209d2
(1) eap: Finished EAP session with state 0x4f3013b04f3209d2
(1) eap: Previous EAP request found for state 0x4f3013b04f3209d2, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...
(1) eap: ERROR: No mutually acceptable types found
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) eap: Failed in EAP select
(1)     [eap] = invalid
(1)   } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> aka
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 64 from 192.168.1.151:1812 to 192.168.1.252:39146 length 44
(1)   EAP-Message = 0x04020004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
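The debug output above shows that the rest module did its job (the authorize call returned 200 and set control:Cleartext-Password), and the reject happens later, in EAP method negotiation. The EAP-Message attribute in the Access-Request, 0x020200060319, is the supplicant's answer to the server's proposed method, and decoding it shows exactly what the "Peer NAK'd" line says. The following is an added example, not code from this issue or from the toughradius project: it parses an EAP-Message value as printed by radiusd -X (RFC 3748 header plus the Nak "desired types" list) and scans debug log lines for the unsupported-method rejection so the requested type can be surfaced without reading the whole trace. The EAP type numbers come from the IANA EAP registry; the sample log lines are the ones quoted in this issue.

```python
import re

# RFC 3748 EAP packet codes.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# IANA EAP method type numbers for the methods discussed on this page
# (plus the Identity and Nak housekeeping types).
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

# Regex for the rlm_eap debug line emitted when the peer asks for a method
# the eap module is not configured to offer.
NAK_RE = re.compile(r"NAK'd asking for unsupported EAP type (\S+) \((\d+)\)")


def decode_eap_message(hex_value):
    """Parse one EAP-Message attribute value ("0x...") into its fields.

    Layout: Code(1) Identifier(1) Length(2) [Type(1) [Type-Data...]].
    Success/Failure packets stop after the 4-byte header; Request/Response
    carry a Type byte, and a Nak (type 3) lists the method types the peer
    is willing to use in its Type-Data.
    """
    hex_digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(hex_digits)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A mismatch means the attribute was truncated or mis-pasted.
        raise ValueError(f"EAP length field {length} != attribute length {len(raw)}")
    info = {
        "code": code,
        "code_name": EAP_CODES.get(code, "Unknown"),
        "id": ident,
        "length": length,
        "type": None,
        "type_name": None,
        "desired_types": [],   # only populated for a Nak
    }
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        info["type"] = eap_type
        info["type_name"] = EAP_TYPES.get(eap_type, f"Type-{eap_type}")
        if eap_type == 3:
            info["desired_types"] = [(b, EAP_TYPES.get(b, f"Type-{b}")) for b in raw[5:]]
    return info


def find_eap_nak_rejections(lines):
    """Return (type_name, type_number) for every unsupported-method NAK in a debug log."""
    found = []
    for line in lines:
        m = NAK_RE.search(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


# Debug lines copied from the trace in this issue.
SAMPLE_DEBUG_LINES = [
    "(1) eap: Peer sent packet with method EAP NAK (3)",
    "(1) eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...",
    "(1) eap: ERROR: No mutually acceptable types found",
    "(1) eap: Sending EAP Failure (code 4) ID 2 length 4",
]

if __name__ == "__main__":
    # The request's EAP-Message: a Response whose type is Nak, asking for PEAP (25).
    print(decode_eap_message("0x020200060319"))
    # The reject's EAP-Message: a bare Failure packet, no Type byte.
    print(decode_eap_message("0x04020004"))
    print(find_eap_nak_rejections(SAMPLE_DEBUG_LINES))
```

Reading the decoded request alongside the log makes the fix obvious: the Wi-Fi client only offers PEAP, so the server has to be configured to offer PEAP (with a server certificate and an inner MSCHAPv2 method) rather than anything the rest module returns. The same decoder works on any EAP-Message value pasted from a radiusd -X trace, including the longer TLS fragments seen once PEAP is enabled.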
@jamiesun
Contributor

eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...

It looks like the EAP method is not supported. That has to be configured separately and is fairly involved; by default freeradius's eap supports the simple md5 and mschapv2 methods.

peap has to be configured properly before it can be used.

@G-Akiraka
Author

eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...

It looks like the EAP method is not supported. That has to be configured separately and is fairly involved; by default freeradius's eap supports the simple md5 and mschapv2 methods.

peap has to be configured properly before it can be used.

Do you have any suggestions for configuring peap? There is almost no reference material on this. Does toughradius support peap+mschapv2 authentication now? If it does, I won't bother with that effort.

@G-Akiraka
Author

I tested tls+mschapv2 and authentication passes, but iPhone devices can't use it.
