
I am trying to connect LDAP with FreeRADIUS so that FreeRADIUS can look the user up in LDAP and authenticate them when the user ID and password are correct. I can run radtest on localhost, and when a valid user ID and password are given it correctly returns an Access-Accept response, but when I authenticate with an actual client (here an ARUBA-AP) it gives the following error. I have tried a lot, but it does not work. Could you offer some valuable insight? Because of the character limit I removed some error lines.

(0) Received Access-Request Id 122 from 192.168.20.40:52684 to 192.168.20.57:1812 length 210
(0)   User-Name = "myadav"
(0)   NAS-IP-Address = 192.168.20.40
(0)   NAS-Port = 0
(0)   NAS-Identifier = "192.168.20.40"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Calling-Station-Id = "204ef6703bf7"
(0)   Called-Station-Id = "904c81c66872"
(0)   Service-Type = Login-User
(0)   Framed-MTU = 1100
(0)   EAP-Message = 0x0202000b016d7961646176
(0)   Aruba-Essid-Name = "test-aruba-network"
(0)   Aruba-Location-Id = "90:4c:81:c6:68:72"
(0)   Aruba-AP-Group = "aruba"
(0)   Aruba-Device-Type = "Win 10"
(0)   Message-Authenticator = 0xafb1481e6af4e359d01829203e9c49eb
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "myadav", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 2 length 11
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 3 length 22
(0) eap: EAP session adding &reply:State = 0x9b57e8189b54ecd7
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 122 from 192.168.20.57:1812 to 192.168.20.40:52684 length 0
(0)   EAP-Message = 0x010300160410f4531143c5a4554de7e16e7ab196d9b3
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x9b57e8189b54ecd78bdaca715fff9488
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 123 from 192.168.20.40:52684 to 192.168.20.57:1812 length 224
(1)   User-Name = "myadav"
(1)   NAS-IP-Address = 192.168.20.40
(1)   NAS-Port = 0
(1)   NAS-Identifier = "192.168.20.40"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Calling-Station-Id = "204ef6703bf7"
(1)   Called-Station-Id = "904c81c66872"
(1)   Service-Type = Login-User
(1)   Framed-MTU = 1100
(1)   EAP-Message = 0x02030007031915
(1)   State = 0x9b57e8189b54ecd78bdaca715fff9488
(1)   Aruba-Essid-Name = "test-aruba-network"
(1)   Aruba-Location-Id = "90:4c:81:c6:68:72"
(1)   Aruba-AP-Group = "aruba"
(1)   Aruba-Device-Type = "Win 10"
(1)   Message-Authenticator = 0xb4b5b75f90db6747111ada9a673fc162
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "myadav", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 3 length 7
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap:    --> (uid=myadav)
(1) ldap: Performing search in "dc=testdomain,dc=com" with filter "(uid=myadav)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: User object found at DN "cn=manish yadav,ou=users,dc=testdomain,dc=com"
(1) ldap: Processing user attributes
(1) ldap: control:Password-With-Header += '{MD5}QYyEpgb0QN7flOhLbgLu9Q=='
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1)     [ldap] = updated
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: Converted: &control:Password-With-Header -> &control:MD5-Password
(1) pap: Removing &control:Password-With-Header
(1) pap: Normalizing MD5-Password from base64 encoding, 24 bytes -> 16 bytes
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x9b57e8189b54ecd7
(1) eap: Finished EAP session with state 0x9b57e8189b54ecd7
(1) eap: Previous EAP request found for state 0x9b57e8189b54ecd7, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 4 length 6
(1) eap: EAP session adding &reply:State = 0x9b57e8189a53f1d7
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 123 from 192.168.20.57:1812 to 192.168.20.40:52684 length 0
(1)   EAP-Message = 0x010400061920
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x9b57e8189a53f1d78bdaca715fff9488
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 124 from 192.168.20.40:52684 to 192.168.20.57:1812 length 389
(2)   User-Name = "myadav"
(2)   NAS-IP-Address = 192.168.20.40
(2)   NAS-Port = 0
(2)   NAS-Identifier = "192.168.20.40"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Calling-Station-Id = "204ef6703bf7"
(2)   Called-Station-Id = "904c81c66872"
(2)   Service-Type = Login-User
(2)   Framed-MTU = 1100
(2)   EAP-Message = 0x020400ac1980000000a2160303009d01000099030361c1be1eba3df1e2ca02f41839245a72bdace4e45f0789d97073fb48affbbb6f00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(2)   State = 0x9b57e8189a53f1d78bdaca715fff9488
(2)   Aruba-Essid-Name = "test-aruba-network"
(2)   Aruba-Location-Id = "90:4c:81:c6:68:72"
(2)   Aruba-AP-Group = "aruba"
(2)   Aruba-Device-Type = "Win 10"
(2)   Message-Authenticator = 0xdf8cd3b270840a9c51b135c8733c4712
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "myadav", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 4 length 172
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x9b57e8189a53f1d7
(2) eap: Finished EAP session with state 0x9b57e8189a53f1d7
(2) eap: Previous EAP request found for state 0x9b57e8189a53f1d7, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 162 bytes
(2) eap_peap: Got complete TLS record (162 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3  [length 009d] 
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2  [length 003d] 
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2  [length 02de] 
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2  [length 014d] 
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2  [length 0004] 
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 1152 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 5 length 1004
(2) eap: EAP session adding &reply:State = 0x9b57e8189952f1d7
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge

0 Answers
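As an added diagnostic (not code from the question, nor part of FreeRADIUS), the script below reads debug lines like the ones quoted above for two signals the log already contains: the LDAP password comes back with an {MD5} header, and the wireless client negotiates PEAP instead of the PAP that radtest uses. It assumes the PEAP inner method is MS-CHAPv2 (the truncated log does not show it), and the radtest excerpt is constructed to represent a PAP request.

```python
import re

# Which authentication methods can verify each stored password form.
# These are protocol facts, not facts about this deployment:
#  - PAP receives the password itself, so FreeRADIUS' pap module can
#    check cleartext, {MD5}, {SSHA}, {crypt} or NT-hash storage.
#  - MS-CHAPv2 (the usual PEAP inner method) needs cleartext or NT-hash.
#  - EAP-GTC and TTLS-PAP also carry the password, so hashed storage works.
VERIFIABLE_BY = {
    "CLEAR": {"PAP", "MSCHAPV2", "GTC", "TTLS-PAP"},
    "NT":    {"PAP", "MSCHAPV2", "GTC", "TTLS-PAP"},
    "MD5":   {"PAP", "GTC", "TTLS-PAP"},
    "SSHA":  {"PAP", "GTC", "TTLS-PAP"},
    "CRYPT": {"PAP", "GTC", "TTLS-PAP"},
}

HEADER_RE = re.compile(r"Password-With-Header \+= '\{(\w+)\}")
EAP_RE = re.compile(r"Found mutually acceptable type (\w+) \((\d+)\)")
AUTH_RE = re.compile(r"Found Auth-Type = (\S+)")

def diagnose(log_text, inner_method="MSCHAPV2"):
    """Summarise password storage and negotiated method from a FreeRADIUS
    debug log and say whether they can work together. inner_method is an
    assumption for PEAP, whose inner method the log excerpt does not show."""
    header = HEADER_RE.search(log_text)
    eap = EAP_RE.search(log_text)
    auth = AUTH_RE.search(log_text)
    result = {
        "password_header": header.group(1).upper() if header else None,
        "auth_type": auth.group(1) if auth else None,
        "eap_method": eap.group(1) if eap else None,
    }
    if result["eap_method"] == "PEAP":
        needed = inner_method            # assumed inner method
    elif result["eap_method"] is None and result["auth_type"] == "PAP":
        needed = "PAP"                   # plain PAP request, as radtest sends
    else:
        needed = result["eap_method"]    # e.g. GTC, or None if unknown
    result["needed"] = needed
    if needed is None or result["password_header"] is None:
        result["compatible"] = None      # not enough information in the log
    else:
        result["compatible"] = needed in VERIFIABLE_BY.get(result["password_header"], set())
    return result

# Lines taken from the page's log; the radtest excerpt is constructed.
AP_LOG = """(1) ldap: control:Password-With-Header += '{MD5}QYyEpgb0QN7flOhLbgLu9Q=='
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1) Found Auth-Type = eap
(1) eap: Found mutually acceptable type PEAP (25)
"""
RADTEST_LOG = """(0) ldap: control:Password-With-Header += '{MD5}QYyEpgb0QN7flOhLbgLu9Q=='
(0) Found Auth-Type = PAP
"""
```

Run on the two excerpts, the radtest request is verifiable against the {MD5} hash while the PEAP request (assuming MS-CHAPv2 inside) is not, which is one reason a deployment can pass radtest yet fail from a real 802.1X client.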