损坏的 802.1x Windows Server 2008 R2

Question

mohrphium

Asked: 2012-07-03 00:27:12 +0800 CST2012-07-03 00:27:12 +0800 CST 2012-07-03 00:27:12 +0800 CST

针对 ActiveDirectory 和用户文件的 Radius 授权

772

我的 freeradius 服务器配置有问题。我希望能够根据 Windows ActiveDirectory (2008 R2) 和用户文件对用户进行身份验证，因为我的一些同事未在 AD 中列出。

我们使用 freeradius 服务器来验证 WLAN 用户。(PEAP/MSCHAPv2)

AD 身份验证效果很好，但 /etc/freeradius/users 文件仍然存在问题

当我运行 freeradius -X -x 时，我得到以下信息：

Mon Jul  2 09:15:58 2012 : Info: ++++[chap] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++++[mschap] returns noop
Mon Jul  2 09:15:58 2012 : Info: [suffix] No '@' in User-Name = "testtest", looking up realm NULL
Mon Jul  2 09:15:58 2012 : Info: [suffix] Found realm "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Stripped-User-Name = "testtest"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Realm = "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Authentication realm is LOCAL.
Mon Jul  2 09:15:58 2012 : Info: ++++[suffix] returns ok
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP packet type response id 1 length 13
Mon Jul  2 09:15:58 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Jul  2 09:15:58 2012 : Info: ++++[eap] returns updated
Mon Jul  2 09:15:58 2012 : Info: [files] users: Matched entry testtest at line 1
Mon Jul  2 09:15:58 2012 : Info: ++++[files] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++++[expiration] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++++[logintime] returns noop
Mon Jul  2 09:15:58 2012 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Mon Jul  2 09:15:58 2012 : Info: ++++[pap] returns noop
Mon Jul  2 09:15:58 2012 : Info: +++- else else returns updated
Mon Jul  2 09:15:58 2012 : Info: ++- else else returns updated
Mon Jul  2 09:15:58 2012 : Info: Found Auth-Type = EAP
Mon Jul  2 09:15:58 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Jul  2 09:15:58 2012 : Info: +- entering group authenticate {...}
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP Identity
Mon Jul  2 09:15:58 2012 : Info: [eap] processing type tls
Mon Jul  2 09:15:58 2012 : Info: [tls] Initiate
Mon Jul  2 09:15:58 2012 : Info: [tls] Start returned 1
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 199 to 192.168.61.11 port 3072
    EAP-Message = 0x010200061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x85469e2a854487589fb1196910cb8ae3
Mon Jul  2 09:15:58 2012 : Info: Finished request 125.
Mon Jul  2 09:15:58 2012 : Debug: Going to the next request
Mon Jul  2 09:15:58 2012 : Debug: Waking up in 2.4 seconds.

之后它重复登录尝试，并在某个时候尝试使用 ntlm 对 ActiveDirectory 进行身份验证，这不起作用，因为用户仅存在于用户文件中。

有人可以帮我吗？

谢谢。

PS：希望这会有所帮助，freeradius 试图针对 AD 进行身份验证：

Mon Jul  2 09:15:58 2012 : Info: ++[chap] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++[mschap] returns noop
Mon Jul  2 09:15:58 2012 : Info: [suffix] No '@' in User-Name = "testtest", looking up realm NULL
Mon Jul  2 09:15:58 2012 : Info: [suffix] Found realm "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Stripped-User-Name = "testtest"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Realm = "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Authentication realm is LOCAL.
Mon Jul  2 09:15:58 2012 : Info: ++[suffix] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++[control] returns ok
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP packet type response id 7 length 67
Mon Jul  2 09:15:58 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns updated
Mon Jul  2 09:15:58 2012 : Info: [files] users: Matched entry testtest at line 1
Mon Jul  2 09:15:58 2012 : Info: ++[files] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++[smbpasswd] returns notfound
Mon Jul  2 09:15:58 2012 : Info: ++[expiration] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++[logintime] returns noop
Mon Jul  2 09:15:58 2012 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Mon Jul  2 09:15:58 2012 : Info: ++[pap] returns noop
Mon Jul  2 09:15:58 2012 : Info: Found Auth-Type = EAP
Mon Jul  2 09:15:58 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Mon Jul  2 09:15:58 2012 : Info: +- entering group authenticate {...}
Mon Jul  2 09:15:58 2012 : Info: [eap] Request found, released from the list
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP/mschapv2
Mon Jul  2 09:15:58 2012 : Info: [eap] processing type mschapv2
Mon Jul  2 09:15:58 2012 : Info: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Mon Jul  2 09:15:58 2012 : Info: [mschapv2] +- entering group MS-CHAP {...}
Mon Jul  2 09:15:58 2012 : Info: [mschap] Creating challenge hash with username: testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap] Told to do MS-CHAPv2 for testtest with NT-Password
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --username=%{mschap:User-Name:-None} -> --username=testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap] No NT-Domain was found in the User-Name.
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: %{mschap:NT-Domain} -> 
Mon Jul  2 09:15:58 2012 : Info: [mschap]   ... expanding second conditional
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --domain=%{%{mschap:NT-Domain}:-DC.COMP.COM} -> --domain=DC.COMP.COM
Mon Jul  2 09:15:58 2012 : Info: [mschap]  mschap2: 82
Mon Jul  2 09:15:58 2012 : Info: [mschap] Creating challenge hash with username: testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --challenge=%{mschap:Challenge:-00} -> --challenge=dd441972f987d68b
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7e6c537cd5c26093789cf7831715d378e16ea3e6c5b1f579
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program output: Logon failure (0xc000006d) 
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program-Wait: plaintext: Logon failure (0xc000006d) 
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program: returned: 1
Mon Jul  2 09:15:58 2012 : Info: [mschap] External script failed.
Mon Jul  2 09:15:58 2012 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Mon Jul  2 09:15:58 2012 : Info: ++[mschap] returns reject
Mon Jul  2 09:15:58 2012 : Info: [eap] Freeing handler
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns reject
Mon Jul  2 09:15:58 2012 : Info: Failed to authenticate the user.
Mon Jul  2 09:15:58 2012 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [testtest] (from client techap01 port 0 via TLS tunnel)

PPS：也许问题出在这里：在 /etc/freeradius/modules/ntlm_auth 中，我将 ntlm 设置为：

program = "/usr/bin/ntlm_auth --request-nt-key --domain=DC.COMP.COM --username=%{mschap:User-Name} --password=%{User-Password}"

我需要这个，这样用户就可以在不将 @DC.COMP.COM 添加到他们的用户名的情况下登录。但是我怎么能告诉 freeradius 尝试两个登录，[email protected]（应该失败）testtest（针对用户文件 - 应该工作）

1 个回答

Voted

mohrphium · Answer 1 · 2012-07-03T21:57:37+08:00

Best Answer

mohrphium

2012-07-03T21:57:37+08:002012-07-03T21:57:37+08:00

没关系，我找到了解决问题的方法。

在 /etc/freeradius/users 我改变了用户

test01 Cleartext-Password := "1231231"

至

test01 Cleartext-Password := "1231231", MS-CHAP-Use-NTLM-Auth := No

现在一切正常！

1

针对 ActiveDirectory 和用户文件的 Radius 授权

新安装后 postgres 的默认超级用户用户名/密码是什么？

SFTP 使用什么端口？

命令行列出 Windows Active Directory 组中的用户？

什么是 Pem 文件，它与其他 OpenSSL 生成的密钥文件格式有何不同？

如何确定bash变量是否为空？

针对 ActiveDirectory 和用户文件的 Radius 授权

1 个回答

相关问题