主页 / server / 问题

问题[peap](server)

Martin Hope
mnet
Asked: 2021-11-22 12:12:21 +0800 CST
  • 0

我正在尝试使用 PEAP-MSChapv2 将我的 Microsoft Server 2016 网络策略服务器配置修复为半径服务器。

众所周知一些现代设备无法“验证”服务器证书,因为该选项太弱并且已被禁用(例如某些android 11 设备

据我所知,应该有向这些(非域)设备添加内部 CA 证书的解决方案,以便它们可以验证 nps 服务器证书(并避免管理客户端证书)。

我发现由内部 CA 颁发的 nps 服务器证书,并且该内部 CA 的证书是自签名的(由自己颁发)。我尝试导出 ca 证书(不带私钥),并将其导入设备中,但现在,没有成功我收到错误 22:服务器无法处理 Eap 类型或错误 265:颁发了证书链由不受信任的权威

不清楚我是否仅在将客户端上的字段域更改为仅在 nps 服务器证书的 cn 名称中的 FQDN 的域时才获得 265。

我怎样才能正确实现这一点(PEAP-MSchapv2 在非域客户端上具有服务器身份验证)?

注意:现在它可以正常工作,对于“旧”无线客户端:它们正确地作为 AD 用户进行身份验证,并获得网络访问权限,所以我希望只为这些较新的设备更正设置,而不是从根本上改变它。

radius windows-server-2016 android nps peap
Martin Hope
mohrphium
Asked: 2012-07-03 00:27:12 +0800 CST
  • 0

我的 freeradius 服务器配置有问题。我希望能够根据 Windows ActiveDirectory (2008 R2) 和用户文件对用户进行身份验证,因为我的一些同事未在 AD 中列出。

我们使用 freeradius 服务器来验证 WLAN 用户。(PEAP/MSCHAPv2)

AD 身份验证效果很好,但 /etc/freeradius/users 文件仍然存在问题

当我运行 freeradius -X -x 时,我得到以下信息:

Mon Jul  2 09:15:58 2012 : Info: ++++[chap] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++++[mschap] returns noop
Mon Jul  2 09:15:58 2012 : Info: [suffix] No '@' in User-Name = "testtest", looking up realm NULL
Mon Jul  2 09:15:58 2012 : Info: [suffix] Found realm "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Stripped-User-Name = "testtest"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Realm = "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Authentication realm is LOCAL.
Mon Jul  2 09:15:58 2012 : Info: ++++[suffix] returns ok
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP packet type response id 1 length 13
Mon Jul  2 09:15:58 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Jul  2 09:15:58 2012 : Info: ++++[eap] returns updated
Mon Jul  2 09:15:58 2012 : Info: [files] users: Matched entry testtest at line 1
Mon Jul  2 09:15:58 2012 : Info: ++++[files] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++++[expiration] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++++[logintime] returns noop
Mon Jul  2 09:15:58 2012 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Mon Jul  2 09:15:58 2012 : Info: ++++[pap] returns noop
Mon Jul  2 09:15:58 2012 : Info: +++- else else returns updated
Mon Jul  2 09:15:58 2012 : Info: ++- else else returns updated
Mon Jul  2 09:15:58 2012 : Info: Found Auth-Type = EAP
Mon Jul  2 09:15:58 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Jul  2 09:15:58 2012 : Info: +- entering group authenticate {...}
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP Identity
Mon Jul  2 09:15:58 2012 : Info: [eap] processing type tls
Mon Jul  2 09:15:58 2012 : Info: [tls] Initiate
Mon Jul  2 09:15:58 2012 : Info: [tls] Start returned 1
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 199 to 192.168.61.11 port 3072
    EAP-Message = 0x010200061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x85469e2a854487589fb1196910cb8ae3
Mon Jul  2 09:15:58 2012 : Info: Finished request 125.
Mon Jul  2 09:15:58 2012 : Debug: Going to the next request
Mon Jul  2 09:15:58 2012 : Debug: Waking up in 2.4 seconds.

之后它重复登录尝试,并在某个时候尝试使用 ntlm 对 ActiveDirectory 进行身份验证,这不起作用,因为用户仅存在于用户文件中。

有人可以帮我吗?

谢谢。

PS:希望这会有所帮助,freeradius 试图针对 AD 进行身份验证:

Mon Jul  2 09:15:58 2012 : Info: ++[chap] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++[mschap] returns noop
Mon Jul  2 09:15:58 2012 : Info: [suffix] No '@' in User-Name = "testtest", looking up realm NULL
Mon Jul  2 09:15:58 2012 : Info: [suffix] Found realm "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Stripped-User-Name = "testtest"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Adding Realm = "NULL"
Mon Jul  2 09:15:58 2012 : Info: [suffix] Authentication realm is LOCAL.
Mon Jul  2 09:15:58 2012 : Info: ++[suffix] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++[control] returns ok
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP packet type response id 7 length 67
Mon Jul  2 09:15:58 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns updated
Mon Jul  2 09:15:58 2012 : Info: [files] users: Matched entry testtest at line 1
Mon Jul  2 09:15:58 2012 : Info: ++[files] returns ok
Mon Jul  2 09:15:58 2012 : Info: ++[smbpasswd] returns notfound
Mon Jul  2 09:15:58 2012 : Info: ++[expiration] returns noop
Mon Jul  2 09:15:58 2012 : Info: ++[logintime] returns noop
Mon Jul  2 09:15:58 2012 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Mon Jul  2 09:15:58 2012 : Info: ++[pap] returns noop
Mon Jul  2 09:15:58 2012 : Info: Found Auth-Type = EAP
Mon Jul  2 09:15:58 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Mon Jul  2 09:15:58 2012 : Info: +- entering group authenticate {...}
Mon Jul  2 09:15:58 2012 : Info: [eap] Request found, released from the list
Mon Jul  2 09:15:58 2012 : Info: [eap] EAP/mschapv2
Mon Jul  2 09:15:58 2012 : Info: [eap] processing type mschapv2
Mon Jul  2 09:15:58 2012 : Info: [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Mon Jul  2 09:15:58 2012 : Info: [mschapv2] +- entering group MS-CHAP {...}
Mon Jul  2 09:15:58 2012 : Info: [mschap] Creating challenge hash with username: testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap] Told to do MS-CHAPv2 for testtest with NT-Password
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --username=%{mschap:User-Name:-None} -> --username=testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap] No NT-Domain was found in the User-Name.
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: %{mschap:NT-Domain} -> 
Mon Jul  2 09:15:58 2012 : Info: [mschap]   ... expanding second conditional
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --domain=%{%{mschap:NT-Domain}:-DC.COMP.COM} -> --domain=DC.COMP.COM
Mon Jul  2 09:15:58 2012 : Info: [mschap]  mschap2: 82
Mon Jul  2 09:15:58 2012 : Info: [mschap] Creating challenge hash with username: testtest
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --challenge=%{mschap:Challenge:-00} -> --challenge=dd441972f987d68b
Mon Jul  2 09:15:58 2012 : Info: [mschap]   expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7e6c537cd5c26093789cf7831715d378e16ea3e6c5b1f579
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program output: Logon failure (0xc000006d) 
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program-Wait: plaintext: Logon failure (0xc000006d) 
Mon Jul  2 09:15:58 2012 : Debug: Exec-Program: returned: 1
Mon Jul  2 09:15:58 2012 : Info: [mschap] External script failed.
Mon Jul  2 09:15:58 2012 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Mon Jul  2 09:15:58 2012 : Info: ++[mschap] returns reject
Mon Jul  2 09:15:58 2012 : Info: [eap] Freeing handler
Mon Jul  2 09:15:58 2012 : Info: ++[eap] returns reject
Mon Jul  2 09:15:58 2012 : Info: Failed to authenticate the user.
Mon Jul  2 09:15:58 2012 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [testtest] (from client techap01 port 0 via TLS tunnel)

PPS:也许问题出在这里:在 /etc/freeradius/modules/ntlm_auth 中,我将 ntlm 设置为:

program = "/usr/bin/ntlm_auth --request-nt-key --domain=DC.COMP.COM --username=%{mschap:User-Name} --password=%{User-Password}"

我需要这个,这样用户就可以在不将 @DC.COMP.COM 添加到他们的用户名的情况下登录。但是我怎么能告诉 freeradius 尝试两个登录,[email protected](应该失败)testtest(针对用户文件 - 应该工作)

radius freeradius peap