EAP-PWD с FreeRADIUS 3.0.15 и телефоном Android

Я установил FreeRADIUS-3.0.15 в Ubuntu-16.04.2 и установил конфигурации EAP-PWD (файлы: eap, пользователи).

С EAP-PWD я мог добиться УСПЕХА с помощью инструмента eapol_test, но НЕ смог заставить свой телефон Android (v5.1.1 и 7.1.2) пройти процессы аутентификации. 　При тех же настройках я мог получить мой Android-телефон прошел аутентификацию через TTLS и PEAP.

Я прочитал сообщение, https://serverfault.com/questions/683897/eap-pwd-with-freeradius-3/683923#683923. Но не похоже, что EAP-PWD сможет наконец работать на телефонах Android с сервером FreeRADIUS.

Есть ли какие-либо конфигурации, которые я пропустил? Требуются ли для работы EAP-PWD какие-то определенные устройства (например, точка доступа, коммутатор-контроллер и т. д.)?

Настройки EAP-PWD в файле "eap":

pwd {
    group = 19
    server_id = [email protected]
    fragment_size = 1020
    virtual_server = "inner-tunnel"
}

Сбойный сервер RADIUS регистрируется с помощью моего телефона Android:

Ready to process requests
(0) Received Access-Request Id 19 from 192.168.1.1:65514 to 192.168.1.48:1812 length 113
(0)   User-Name = "steve"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Called-Station-Id = "00-0A-79-98-19-1F"
(0)   Calling-Station-Id = "90-B6-86-8E-8E-F2"
(0)   NAS-IP-Address = 192.168.1.1
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x0201000a017374657665
(0)   Message-Authenticator = 0xfc142f419a003e1f32c49845e2b47148
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "steve", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x0920d2120922d68e
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 19 from 192.168.1.48:1812 to 192.168.1.1:65514 length 0
(0)   EAP-Message = 0x01020016041003e295427e4313c871b5357ea94cb0cd
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x0920d2120922d68e7c074922ee6197b2
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 20 from 192.168.1.1:65515 to 192.168.1.48:1812 length 127
(1)   User-Name = "steve"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Called-Station-Id = "00-0A-79-98-19-1F"
(1)   Calling-Station-Id = "90-B6-86-8E-8E-F2"
(1)   NAS-IP-Address = 192.168.1.1
(1)   Framed-MTU = 1400
(1)   State = 0x0920d2120922d68e7c074922ee6197b2
(1)   EAP-Message = 0x020200060334
(1)   Message-Authenticator = 0x957e6bdb393fe8c0829f734afa134684
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "steve", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) files: users: Matched entry steve at line 73
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x0920d2120922d68e
(1) eap: Finished EAP session with state 0x0920d2120922d68e
(1) eap: Previous EAP request found for state 0x0920d2120922d68e, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PWD (52)
(1) eap: Calling submodule eap_pwd to process data
(1) eap: Sending EAP Request (code 1) ID 3 length 36
(1) eap: EAP session adding &reply:State = 0x0920d2120823e68e
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 20 from 192.168.1.48:1812 to 192.168.1.1:65515 length 0
(1)   EAP-Message = 0x010300243401001301015bd0471300746865736572766572406578616d706c652e636f6d
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x0920d2120823e68e7c074922ee6197b2
(1) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 19 with timestamp +59
(1) Cleaning up request packet ID 20 with timestamp +59
Ready to process requests

Fish 26.10.2017 источник

Ответы (1)

arrow_upward
0
arrow_downward

Я решил проблему после долгого теста.

В тех же системных настройках и средах просто нужно было заменить ТД на другую (я думал, что проблема была вызвана тем, что некоторые ТД (или их прошивки) не поддерживали функцию EAP-PWD), и проблема могла быть решена .

Fish 10.11.2017

EAP-PWD с FreeRADIUS 3.0.15 и телефоном Android

Ответы (1)

Вопросы по теме