I want to perform EAP-TTLS first and then use EAP/MD5-Challenge (see RFC 5281 section 15.2) as the tunneled user authentication mechanism.
I tested the server with eapol_test using this configuration file:
network={
eap=TTLS
ssid="test"
key_mgmt=WPA-EAP
identity="bob"
password="hello"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
phase2="auth=md5"
anonymous_identity="anonymous"
}
However, the server returns Access-Reject, as shown below:
(1) Received Access-Request Id 1 from 127.0.0.1:35476 to 127.0.0.1:1812 length 142
(1) User-Name = "anonymous"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x02c900060300
(1) State = 0x4a289ea24ae18bd2b2af9a368b7b2de6
(1) Message-Authenticator = 0x2b1c65828fb95caad666d3b85208b106
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 994
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 201 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x4a289ea24ae18bd2
(1) eap: Finished EAP session with state 0x4a289ea24ae18bd2
(1) eap: Previous EAP request found for state 0x4a289ea24ae18bd2, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Peer NAK'd indicating it is not willing to continue
(1) eap: Sending EAP Failure (code 4) ID 201 length 4
(1) eap: Failed in EAP select
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> anonymous
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 1 from 127.0.0.1:1812 to 127.0.0.1:35476 length 44
(1) EAP-Message = 0x04c90004
(1) Message-Authenticator = 0x00000000000000000000000000000000
As you can see above, the server never invokes the md5 module; it simply terminates because it received an EAP-NAK. I went back to the client and found that md5 is not supported:
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=201 len=6) from RADIUS server: EAP-Request-TTLS (21)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=201 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
EAP: Status notification: accept proposed method (param=TTLS)
EAP: Initialize selected EAP method: vendor 0 method 21 (TTLS)
**EAP-TTLS: Unsupported Phase2 type 'md5'**
EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)
EAP: Building EAP-Nak (requested type 21 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=0):
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 c9 00 06 03 00
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=142
Attribute 1 (User-Name) length=11
Value: 'anonymous'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 02c900060300
Attribute 24 (State) length=18
Value: 4a289ea24ae18bd2b2af9a368b7b2de6
Attribute 80 (Message-Authenticator) length=18
Value: 2b1c65828fb95caad666d3b85208b106
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=1 length=44
Attribute 79 (EAP-Message) length=6
Value: 04c90004
Attribute 80 (Message-Authenticator) length=18
Value: 39dfa8521731369db5e32e272f766f36
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=201 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Status notification: completion (param=failure)
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=0
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
MPPE keys OK: 0 mismatch: 1
FAILURE
Could you tell me if I missed something in the configuration? (From the code, it seems wpa_supplicant does not support the tunneled EAP/md5 method for EAP-TTLS...) If I want to demonstrate EAP-TTLS with tunneled EAP authentication on wpa_supplicant, which method should I choose as the auth type in the wpa_supplicant configuration?
Thanks!
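To see on the wire why the server gave up, here is an added example script (not part of the original post) that decodes the EAP-Message values quoted in the two logs above. The client NAK and the server Failure are taken verbatim from the logs; the server's initial EAP-Request/TTLS is only described there, so its flags byte is an assumption.

```python
"""Decode the EAP packets of the eapol_test / FreeRADIUS exchange quoted above.

Added example. Wire formats follow RFC 3748 (EAP header, Nak) and
RFC 5281 section 9.1 (EAP-TTLS flags byte).
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 21: "TTLS", 25: "PEAP"}


def decode_eap(raw: bytes) -> dict:
    """Parse one EAP packet and return a description of what it carries."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (3, 4):
        return pkt  # Success and Failure carry no Type byte
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    eap_type = raw[4]
    pkt["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type == 3:
        # Nak data: one byte per method the peer would accept; a lone 0 means "none".
        wanted = [t for t in raw[5:] if t != 0]
        pkt["acceptable"] = [EAP_TYPES.get(t, f"unknown({t})") for t in wanted]
        pkt["no_alternative"] = not wanted
    elif eap_type == 21:
        # EAP-TTLS Type-Data begins with a flags byte laid out as L M S R R V V V.
        flags = raw[5]
        pkt["ttls"] = {"length_included": bool(flags & 0x80),
                       "more_fragments": bool(flags & 0x40),
                       "start": bool(flags & 0x20),
                       "version": flags & 0x07}
    return pkt


# Hex values taken from the EAP-Message attributes in the logs above.
CLIENT_NAK = bytes.fromhex("02c900060300")
SERVER_FAILURE = bytes.fromhex("04c90004")
# The server's first request is only described in the log (code=1 id=201 len=6,
# EAP-Request-TTLS); the flags byte 0x20 (Start) is an assumption for illustration.
SERVER_TTLS_START = bytes.fromhex("01c900061520")

if __name__ == "__main__":
    for who, raw in (("server", SERVER_TTLS_START), ("client", CLIENT_NAK),
                     ("server", SERVER_FAILURE)):
        print(f"{who}: {decode_eap(raw)}")
```

The decoded NAK shows the client offering no alternative method at all (desired type 0), which is exactly what the FreeRADIUS side logs as "Peer NAK'd indicating it is not willing to continue".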