作者ehomeii (ddqual)
看板Linux
標題[問題] 如何使用FreeRADIUS實做EAP-PWD加密連線
時間Sun Oct 29 18:50:53 2017
想求教大家,最近在研究Wi-Fi的WPA2-Enterprise加密連線實做,
我已經在筆電上用Vitual Box安裝好了Ubuntu-16.04.2 + FreeRADIUS-3.0.15,還有一台
支援WPA2-Enterprise的雜牌AP。
目前我用Android手機來做測試,TTLS、PEAP都可以順利連線成功,但手機UI上有一項"PWD",目前一直無法順利完成認證連線,
FreeRADIUS中的設定似乎也只有"eap"這個檔案裡的PWD{}程式碼需要Uncomment來開啟PWD
功能,
我想PWD認證的帳號密碼應該是和TTLS、PEAP一樣只需要設定在"users"檔案中吧,
但就是無法成功,Android 5 & 7都無法連上,不過我使用Wpa_supplicant中的
eapol_test這隻測試程式來驗證,卻是成功的,所以現在不知道問題究竟是出在哪裡??
請問EAP-PWD是不是需要搭配特殊廠牌的AP(或軟韌體)才能使用?還是我還有哪些地方需
要設定嗎?
以下是FreeRADIUS的Fail logs
Ready to process requests
(0) Received Access-Request Id 19 from 192.168.1.1:65514 to 192.168.1.48:1812
length 113
(0) User-Name = "steve"
(0) NAS-Port-Type = Wireless-802.11
(0) Called-Station-Id = "00-0A-79-98-19-1F"
(0) Calling-Station-Id = "90-B6-86-8E-8E-F2"
(0) NAS-IP-Address = 192.168.1.1
(0) Framed-MTU = 1400
(0) EAP-Message = 0x0201000a017374657665
(0) Message-Authenticator = 0xfc142f419a003e1f32c49845e2b47148
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "steve", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x0920d2120922d68e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 19 from 192.168.1.48:1812 to 192.168.1.1:65514
length 0
(0) EAP-Message = 0x01020016041003e295427e4313c871b5357ea94cb0cd
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x0920d2120922d68e7c074922ee6197b2
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 20 from 192.168.1.1:65515 to 192.168.1.48:1812
length 127
(1) User-Name = "steve"
(1) NAS-Port-Type = Wireless-802.11
(1) Called-Station-Id = "00-0A-79-98-19-1F"
(1) Calling-Station-Id = "90-B6-86-8E-8E-F2"
(1) NAS-IP-Address = 192.168.1.1
(1) Framed-MTU = 1400
(1) State = 0x0920d2120922d68e7c074922ee6197b2
(1) EAP-Message = 0x020200060334
(1) Message-Authenticator = 0x957e6bdb393fe8c0829f734afa134684
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "steve", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry steve at line 73
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x0920d2120922d68e
(1) eap: Finished EAP session with state 0x0920d2120922d68e
(1) eap: Previous EAP request found for state 0x0920d2120922d68e, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PWD (52)
(1) eap: Calling submodule eap_pwd to process data
(1) eap: Sending EAP Request (code 1) ID 3 length 36
(1) eap: EAP session adding &reply:State = 0x0920d2120823e68e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 20 from 192.168.1.48:1812 to 192.168.1.1:65515
length 0
(1) EAP-Message =
0x010300243401001301015bd0471300746865736572766572406578616d706c652e636f6d
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x0920d2120823e68e7c074922ee6197b2
(1) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 19 with timestamp +59
(1) Cleaning up request packet ID 20 with timestamp +59
Ready to process requests
希望有大大能提供建議指點指點,先謝謝啦!!
--
※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 1.168.43.160
※ 文章網址: https://webptt.com/m.aspx?n=bbs/Linux/M.1509274256.A.2C2.html
1F:→ hizuki: log太多不想看,去看一下openwrt文檔即可 10/29 19:37