Linux board



I'd like to ask everyone for advice. I've recently been studying how to implement Wi-Fi WPA2-Enterprise encrypted connections. I have installed Ubuntu-16.04.2 + FreeRADIUS-3.0.15 in VirtualBox on my laptop, and I also have an off-brand AP that supports WPA2-Enterprise.

For now I'm testing with Android phones. TTLS and PEAP both connect successfully, but the phone UI has a "PWD" option, and so far I have not been able to complete an authenticated connection with it. In the FreeRADIUS configuration, it seems that only the PWD{} block in the "eap" file needs to be uncommented to enable the PWD feature. I assume the account and password for PWD authentication only need to be set in the "users" file, the same as for TTLS and PEAP, but it just doesn't work. Neither Android 5 nor 7 can connect. However, when I verify with eapol_test, the test program in wpa_supplicant, it succeeds, so now I don't know where the problem actually is??

Does EAP-PWD need to be paired with an AP (or software/firmware) from a particular vendor to work? Or is there something else I still need to configure?

Below are the FreeRADIUS fail logs:

Ready to process requests
(0) Received Access-Request Id 19 from 192.168.1.1:65514 to 192.168.1.48:1812 length 113
(0) User-Name = "steve"
(0) NAS-Port-Type = Wireless-802.11
(0) Called-Station-Id = "00-0A-79-98-19-1F"
(0) Calling-Station-Id = "90-B6-86-8E-8E-F2"
(0) NAS-IP-Address = 192.168.1.1
(0) Framed-MTU = 1400
(0) EAP-Message = 0x0201000a017374657665
(0) Message-Authenticator = 0xfc142f419a003e1f32c49845e2b47148
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "steve", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x0920d2120922d68e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 19 from 192.168.1.48:1812 to 192.168.1.1:65514 length 0
(0) EAP-Message = 0x01020016041003e295427e4313c871b5357ea94cb0cd
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x0920d2120922d68e7c074922ee6197b2
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 20 from 192.168.1.1:65515 to 192.168.1.48:1812 length 127
(1) User-Name = "steve"
(1) NAS-Port-Type = Wireless-802.11
(1) Called-Station-Id = "00-0A-79-98-19-1F"
(1) Calling-Station-Id = "90-B6-86-8E-8E-F2"
(1) NAS-IP-Address = 192.168.1.1
(1) Framed-MTU = 1400
(1) State = 0x0920d2120922d68e7c074922ee6197b2
(1) EAP-Message = 0x020200060334
(1) Message-Authenticator = 0x957e6bdb393fe8c0829f734afa134684
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "steve", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry steve at line 73
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x0920d2120922d68e
(1) eap: Finished EAP session with state 0x0920d2120922d68e
(1) eap: Previous EAP request found for state 0x0920d2120922d68e, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PWD (52)
(1) eap: Calling submodule eap_pwd to process data
(1) eap: Sending EAP Request (code 1) ID 3 length 36
(1) eap: EAP session adding &reply:State = 0x0920d2120823e68e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 20 from 192.168.1.48:1812 to 192.168.1.1:65515 length 0
(1) EAP-Message = 0x010300243401001301015bd0471300746865736572766572406578616d706c652e636f6d
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x0920d2120823e68e7c074922ee6197b2
(1) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 19 with timestamp +59
(1) Cleaning up request packet ID 20 with timestamp +59
Ready to process requests

I hope someone can offer some advice and pointers. Thanks in advance!!

--



※ Origin: 批踢踢实业坊 (ptt.cc), from: 1.168.43.160
※ Article URL: https://webptt.com/cn.aspx?n=bbs/Linux/M.1509274256.A.2C2.html
1F:→ hizuki: Too much log, I don't want to read it; just go look at the OpenWrt documentation 10/29 19:37
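Added example, not part of the original post or of FreeRADIUS: decoding the four EAP-Message values in the debug log above shows the handset's Nak asking for type 52 (PWD) and the server's PWD-ID request, after which the log contains no further Access-Request before the cleanup lines. The EAP-pwd field layout follows RFC 5931; the function and table names are assumptions of this example, and only unfragmented PWD packets (L bit clear) are decoded.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 52: "PWD"}
PWD_EXCH = {1: "PWD-ID", 2: "PWD-Commit", 3: "PWD-Confirm"}

# EAP-Message values copied from the debug log above, in order of appearance.
LOG_EAP_MESSAGES = [
    "0x0201000a017374657665",
    "0x01020016041003e295427e4313c871b5357ea94cb0cd",
    "0x020200060334",
    "0x010300243401001301015bd0471300746865736572766572406578616d706c652e636f6d",
]

def decode_eap(hexstr):
    """Decode one EAP packet as printed in a RADIUS EAP-Message attribute."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return out  # Success/Failure packets carry no type field
    etype, data = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:                      # Identity: the rest is the user name
        out["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:                    # Nak: list of methods the peer accepts
        out["wants"] = [EAP_TYPES.get(t, t) for t in data]
    elif etype == 4 and data:           # MD5-Challenge: value-size, then value
        out["challenge"] = data[1:1 + data[0]].hex()
    elif etype == 52 and data and not data[0] & 0x80:
        exch = data[0] & 0x3F           # low 6 bits select the exchange
        out["exchange"] = PWD_EXCH.get(exch, exch)
        if exch == 1 and len(data) >= 10:   # PWD-ID payload
            group, rand_fn, prf, token, prep = struct.unpack("!HBB4sB", data[1:10])
            out.update(group=group, random_function=rand_fn, prf=prf,
                       token=token.hex(), prep=prep,
                       identity=data[10:].decode("utf-8", "replace"))
    return out

def decode_log():
    return [decode_eap(m) for m in LOG_EAP_MESSAGES]

if __name__ == "__main__":
    for pkt in decode_log():
        print(pkt)
```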






