talkincode / toughradius

toughradius provides radius server, tr069 acs
http://www.toughradius.net
GNU General Public License v3.0

freeradius rest module authentication failure #170

Open G-Akiraka opened 5 months ago

G-Akiraka commented 5 months ago

Description

WiFi is integrated with FreeRADIUS through the rlm_rest module, set up and tested following the instructions at the link below; during WiFi authentication the following is reported:

 eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x2f4d81322f4f9b0c
(1) eap: Finished EAP session with state 0x2f4d81322f4f9b0c
(1) eap: Previous EAP request found for state 0x2f4d81322f4f9b0c, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...
(1) eap: ERROR: No mutually acceptable types found
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) eap: Failed in EAP select
(1)     [eap] = invalid
(1)   } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject

Error message

Waking up in 4.9 seconds.
(1) Received Access-Request Id 64 from 192.168.1.252:39146 to 192.168.1.151:1812 length 377
(1)   User-Name = "aka"
(1)   Service-Type = Framed-User
(1)   Framed-Protocol = PPP
(1)   NAS-Identifier = "cm-0-1587586-219801A2GF8229E0001P"
(1)   NAS-IP-Address = 192.168.1.252
(1)   NAS-Port = 16778427
(1)   NAS-Port-Type = Wireless-802.11
(1)   NAS-Port-Id = "0100000000001211"
(1)   Calling-Station-Id = "92-9F-4E-2A-BC-7A"
(1)   Called-Station-Id = "40-FE-95-E6-15-80:AKA-TEST"
(1)   H3C-NAS-Startup-Timestamp = 1689660515
(1)   Acct-Session-Id = "0000000420240429062308002491fa08108063"
(1)   Attr-26.25506.133 = 0x000004bb
(1)   EAP-Message = 0x020200060319
(1)   Message-Authenticator = 0x74fe17953c50f2b6e6d8de40fc0fae37
(1)   Framed-MTU = 1450
(1)   H3C-Ip-Host-Addr = "0.0.0.0 92:9f:4e:2a:bc:7a"
(1)   State = 0x4f3013b04f3209d2ade8771d058c504c
(1)   Attr-26.25506.150 = 0xab509b8b6c7f31b46fd93d45c4b4d25e44a783c6fad42c115bce5f6896d50a87122441f8705803ba8ea5698f25d75aec
(1)   H3C-Product-ID = "H3C WX2560X"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log:    --> /usr/local/var/log/radius/radacct/192.168.1.252/auth-detail-20240429
(1) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.252/auth-detail-20240429
(1) auth_log: EXPAND %t
(1) auth_log:    --> Mon Apr 29 14:23:43 2024
(1)     [auth_log] = ok
rlm_rest (rest): Reserved connection (1)
(1) rest: Expanding URI components
(1) rest: EXPAND http://192.168.1.166:4000
(1) rest:    --> http://192.168.1.166:4000
(1) rest: EXPAND /freeradius/authorize
(1) rest:    --> freeradius/authorize
(1) rest: Sending HTTP POST to "http://192.168.1.166:4000/freeradius/authorize"
(1) rest: EXPAND username=%{urlquote:%{User-Name}}&nasip=%{urlquote:%{NAS-IP-Address}}&nasid=%{urlquote:%{NAS-Identifier}}
(1) rest:    --> username=aka&nasip=192.168.1.252&nasid=cm-0-1587586-219801A2GF8229E0001P
(1) rest: Processing response header
(1) rest:   Status : 200 (OK)
(1) rest:   Type   : json (application/json)
(1) rest: Adding reply:REST-HTTP-Status-Code = "200"
(1) rest: Parsing attribute "control:Cleartext-Password"
(1) rest: EXPAND 123
(1) rest:    --> 123
(1) rest: Cleartext-Password := "123"
(1) rest: Parsing attribute "reply:Acct-Interim-Interval"
(1) rest: EXPAND 120
(1) rest:    --> 120
(1) rest: Acct-Interim-Interval := 120
(1) rest: Parsing attribute "reply:Session-Timeout"
(1) rest: EXPAND 3600
(1) rest:    --> 3600
(1) rest: Session-Timeout := 3600
rlm_rest (rest): Released connection (1)
(1)     [rest] = updated
(1)     [chap] = noop
(1)     [mschap] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x4f3013b04f3209d2
(1) eap: Finished EAP session with state 0x4f3013b04f3209d2
(1) eap: Previous EAP request found for state 0x4f3013b04f3209d2, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...
(1) eap: ERROR: No mutually acceptable types found
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) eap: Failed in EAP select
(1)     [eap] = invalid
(1)   } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> aka
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 64 from 192.168.1.151:1812 to 192.168.1.252:39146 length 44
(1)   EAP-Message = 0x04020004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
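The rlm_rest part of this log actually works: FreeRADIUS POSTs `username`, `nasip` and `nasid` as a form to `/freeradius/authorize` on port 4000, gets a 200 with a JSON body, and turns the keys `control:Cleartext-Password`, `reply:Acct-Interim-Interval` and `reply:Session-Timeout` into attributes. As an added example, not code from this issue or from toughradius itself, here is a minimal Go backend that serves exactly that exchange shape. The user store is a constructed in-memory map, the 404 for unknown users relies on rlm_rest mapping 404 to `notfound`, and the listen address is an assumption matching the port in the log.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"net/url"
)

// restAttr is the object form rlm_rest (FreeRADIUS 3.x) accepts for each
// attribute in the JSON reply: {"value": ..., "op": ":="}. The log above shows
// the resulting ":=" assignments (Cleartext-Password := "123", ...).
type restAttr struct {
	Value interface{} `json:"value"`
	Op    string      `json:"op,omitempty"`
}

// Constructed sample user store for the example; a real backend queries a database.
var users = map[string]string{"aka": "123"}

// authorizeResponse builds the rlm_rest reply for the decoded POST form.
// It returns the HTTP status and the attribute map (nil for an unknown user).
// rlm_rest maps 200 with attributes to "updated" and 404 to "notfound".
func authorizeResponse(form url.Values) (int, map[string]restAttr) {
	pw, ok := users[form.Get("username")]
	if !ok {
		return http.StatusNotFound, nil
	}
	return http.StatusOK, map[string]restAttr{
		// control: attributes steer authentication (here: let PAP/EAP check the password)
		"control:Cleartext-Password": {Value: pw, Op: ":="},
		// reply: attributes are copied into the Access-Accept
		"reply:Acct-Interim-Interval": {Value: 120, Op: ":="},
		"reply:Session-Timeout":       {Value: 3600, Op: ":="},
	}
}

// authorizeHandler parses the form rlm_rest sends and writes the JSON reply.
func authorizeHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if err := r.ParseForm(); err != nil {
		http.Error(w, "bad form", http.StatusBadRequest)
		return
	}
	status, attrs := authorizeResponse(r.PostForm)
	// Audit line: who asked, from which NAS, and what we answered.
	log.Printf("authorize user=%q nasip=%s nasid=%s -> %d",
		r.PostForm.Get("username"), r.PostForm.Get("nasip"), r.PostForm.Get("nasid"), status)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	if attrs != nil {
		_ = json.NewEncoder(w).Encode(attrs)
	}
}

func main() {
	// Port 4000 matches the URI in the log; the bind address is an assumption.
	http.HandleFunc("/freeradius/authorize", authorizeHandler)
	log.Fatal(http.ListenAndServe(":4000", nil))
}
```

Because the backend hands the cleartext password back to FreeRADIUS in the JSON body, and the log shows a plain `http://` URI, that secret crosses the network unencrypted between 192.168.1.151 and 192.168.1.166; keep that hop on a trusted segment or terminate TLS in front of the backend.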
jamiesun commented 5 months ago

eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...

It looks like the EAP method is not supported. This has to be configured separately and is fairly complex; by default FreeRADIUS's EAP supports the simple MD5 and MSCHAPv2 methods.

PEAP has to be configured properly before it can be used.
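The "Peer NAK'd asking for unsupported EAP type PEAP (25)" line can be confirmed directly from the two EAP-Message values in the log: `0x020200060319` is the client's packet and `0x04020004` is the server's reply. As an added example, not code from this issue or from toughradius or FreeRADIUS, the Go decoder below parses the RFC 3748 EAP header and the legacy Nak (type 3), which carries the list of methods the peer is willing to use; the type-name table only covers the methods mentioned in this thread.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// EAP codes from RFC 3748 section 4.
const (
	eapRequest  byte = 1
	eapResponse byte = 2
	eapSuccess  byte = 3
	eapFailure  byte = 4
	eapTypeNak  byte = 3 // legacy Nak, RFC 3748 section 5.3
)

var eapCodeNames = map[byte]string{
	eapRequest: "Request", eapResponse: "Response", eapSuccess: "Success", eapFailure: "Failure",
}

// eapTypeNames covers only the methods relevant to this thread.
var eapTypeNames = map[byte]string{3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}

type eapPacket struct {
	Code    byte
	ID      byte
	Length  uint16
	Type    byte   // present only in Request/Response
	Desired []byte // Nak only: EAP types the peer will accept (a single 0 means "none")
}

// decodeEAP parses one EAP packet given as the hex string FreeRADIUS prints.
func decodeEAP(hexMsg string) (eapPacket, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(hexMsg, "0x"))
	if err != nil {
		return eapPacket{}, err
	}
	if len(raw) < 4 {
		return eapPacket{}, errors.New("EAP header needs 4 bytes")
	}
	p := eapPacket{Code: raw[0], ID: raw[1], Length: uint16(raw[2])<<8 | uint16(raw[3])}
	// The Length field must match the bytes actually carried; a mismatch is a malformed packet.
	if int(p.Length) != len(raw) {
		return eapPacket{}, fmt.Errorf("length field %d does not match %d bytes", p.Length, len(raw))
	}
	if p.Code == eapRequest || p.Code == eapResponse {
		if len(raw) < 5 {
			return eapPacket{}, errors.New("Request/Response needs a Type byte")
		}
		p.Type = raw[4]
		if p.Type == eapTypeNak {
			p.Desired = raw[5:]
		}
	}
	return p, nil
}

func typeName(t byte) string {
	if n, ok := eapTypeNames[t]; ok {
		return n
	}
	return "Unknown"
}

// describe renders a packet the way you would read it in a log.
func describe(p eapPacket) string {
	code, ok := eapCodeNames[p.Code]
	if !ok {
		code = fmt.Sprintf("Code%d", p.Code)
	}
	s := fmt.Sprintf("%s id=%d len=%d", code, p.ID, p.Length)
	if p.Code != eapRequest && p.Code != eapResponse {
		return s
	}
	s += fmt.Sprintf(" type=%s(%d)", typeName(p.Type), p.Type)
	if p.Type == eapTypeNak {
		names := make([]string, 0, len(p.Desired))
		for _, d := range p.Desired {
			names = append(names, fmt.Sprintf("%s(%d)", typeName(d), d))
		}
		s += " desired=[" + strings.Join(names, " ") + "]"
	}
	return s
}

func main() {
	// Both values are taken from the Access-Request / Access-Reject in the log above.
	for _, m := range []string{"0x020200060319", "0x04020004"} {
		p, err := decodeEAP(m)
		if err != nil {
			fmt.Println(m, "->", err)
			continue
		}
		fmt.Println(m, "->", describe(p))
	}
}
```

The client's Nak names PEAP (25) as the only method it will accept; the server's `eap` module has no PEAP configured, so it answers with code 4 (Failure) and FreeRADIUS sends the Access-Reject seen at the end of the log. A Nak that lists a method you do not offer is therefore a configuration mismatch on the server side, not a wrong password.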

G-Akiraka commented 4 months ago

eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...

It looks like the EAP method is not supported. This has to be configured separately and is fairly complex; by default FreeRADIUS's EAP supports the simple MD5 and MSCHAPv2 methods.

PEAP has to be configured properly before it can be used.

Do you have any suggestions for configuring PEAP? There are almost no references on this. Does toughradius support PEAP+MSCHAPv2 authentication now? If it does, I won't go to that trouble.

G-Akiraka commented 4 months ago

Tested TLS+MSCHAPv2 and authentication succeeds, but iPhone devices then cannot use it.