[問題] 如何使用FreeRADIUS實做EAP-PWD加密連線

看板Linux作者ehomeii (ddqual)時間8年前 (2017/10/29 18:50)推噓0(0推 0噓 1→)

留言1則, 1人參與討論串1/1

想求教大家，最近在研究Wi-Fi的WPA2-Enterprise加密連線實做，我已經在筆電上用Vitual Box安裝好了Ubuntu-16.04.2 + FreeRADIUS-3.0.15，還有一台支援WPA2-Enterprise的雜牌AP。目前我用Android手機來做測試，TTLS、PEAP都可以順利連線成功，但手機UI上有一項"PWD"，目前一直無法順利完成認證連線， FreeRADIUS中的設定似乎也只有"eap"這個檔案裡的PWD{}程式碼需要Uncomment來開啟PWD 功能，我想PWD認證的帳號密碼應該是和TTLS、PEAP一樣只需要設定在"users"檔案中吧，但就是無法成功，Android 5 & 7都無法連上，不過我使用Wpa_supplicant中的 eapol_test這隻測試程式來驗證，卻是成功的，所以現在不知道問題究竟是出在哪裡？？請問EAP-PWD是不是需要搭配特殊廠牌的AP(或軟韌體)才能使用？還是我還有哪些地方需要設定嗎？以下是FreeRADIUS的Fail logs Ready to process requests (0) Received Access-Request Id 19 from 192.168.1.1:65514 to 192.168.1.48:1812 length 113 (0) User-Name = "steve" (0) NAS-Port-Type = Wireless-802.11 (0) Called-Station-Id = "00-0A-79-98-19-1F" (0) Calling-Station-Id = "90-B6-86-8E-8E-F2" (0) NAS-IP-Address = 192.168.1.1 (0) Framed-MTU = 1400 (0) EAP-Message = 0x0201000a017374657665 (0) Message-Authenticator = 0xfc142f419a003e1f32c49845e2b47148 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "steve", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 10 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 2 length 22 (0) eap: EAP session adding &reply:State = 0x0920d2120922d68e (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 19 from 192.168.1.48:1812 to 192.168.1.1:65514 length 0 (0) EAP-Message = 0x01020016041003e295427e4313c871b5357ea94cb0cd (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x0920d2120922d68e7c074922ee6197b2 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 20 from 192.168.1.1:65515 to 192.168.1.48:1812 length 127 (1) User-Name = "steve" (1) NAS-Port-Type = Wireless-802.11 (1) Called-Station-Id = "00-0A-79-98-19-1F" (1) Calling-Station-Id = "90-B6-86-8E-8E-F2" (1) NAS-IP-Address = 192.168.1.1 (1) Framed-MTU = 1400 (1) State = 0x0920d2120922d68e7c074922ee6197b2 (1) EAP-Message = 0x020200060334 (1) Message-Authenticator = 0x957e6bdb393fe8c0829f734afa134684 (1) session-state: No cached attributes (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "steve", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry steve at line 73 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x0920d2120922d68e (1) eap: Finished EAP session with state 0x0920d2120922d68e (1) eap: Previous EAP request found for state 0x0920d2120922d68e, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PWD (52) (1) eap: Calling submodule eap_pwd to process data (1) eap: Sending EAP Request (code 1) ID 3 length 36 (1) eap: EAP session adding &reply:State = 0x0920d2120823e68e (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 20 from 192.168.1.48:1812 to 192.168.1.1:65515 length 0 (1) EAP-Message = 0x010300243401001301015bd0471300746865736572766572406578616d706c652e636f6d (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x0920d2120823e68e7c074922ee6197b2 (1) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 19 with timestamp +59 (1) Cleaning up request packet ID 20 with timestamp +59 Ready to process requests 希望有大大能提供建議指點指點，先謝謝啦！！ -- ※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 1.168.43.160 ※ 文章網址: https://www.ptt.cc/bbs/Linux/M.1509274256.A.2C2.html