Re: Wpa/WPA2-Radius+EAP-TLS/EAP-PEAP
Posted: 2011-10-06 16:41:11
And with the certificates that the RADIUS server generates itself, should it work?
Because I have the same problem...
If a problem does not solve itself, then it is unsolvable.
https://forum.lissyara.su/
# uname -a
FreeBSD boomer.brain.lan 6.3-RELEASE-p13 FreeBSD 6.3-RELEASE-p13 #0: Thu Oct 1 22:14:44 UTC 2009 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020f00261900170301001b00ed9a193f2d8c672bf5ab3b4b22f022457cb1cda774b863a45366
NAS-IP-Address = 192.168.15.3
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "user1"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 15 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 15 to 192.168.15.3 port 1080
MS-MPPE-Recv-Key = 0x4b46b84fbcb8de89d9eb52f49af330062f62b62292a6e5db56c3d7a9e62cf5db
MS-MPPE-Send-Key = 0x9ccf0f52390875cafcae6a70026ca659354688153ec997bf698cad7c1f3f7111
EAP-Message = 0x030f0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "user1"
Finished request 14.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 5 ID 6 with timestamp +40
Cleaning up request 6 ID 7 with timestamp +40
Cleaning up request 7 ID 8 with timestamp +40
Cleaning up request 8 ID 9 with timestamp +40
Cleaning up request 9 ID 10 with timestamp +40
Cleaning up request 10 ID 11 with timestamp +40
Cleaning up request 11 ID 12 with timestamp +40
Cleaning up request 12 ID 13 with timestamp +40
Cleaning up request 13 ID 14 with timestamp +40
Cleaning up request 14 ID 15 with timestamp +40
Ready to process requests.
# uname -a
FreeBSD gate.brain.lan 7.1-RELEASE-p16 FreeBSD 7.1-RELEASE-p16 #13: Fri Sep 2 19:02:55 EEST 2011 eugene@gate.brain.lan:/usr/obj/usr/src/sys/GENERIC i386
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000a017573657231
NAS-IP-Address = 192.168.15.3
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "user1"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry user1 at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.15.3 port 1031
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf5d81498f5d90d0b6f521f7a1917ea50
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.15.3 port 1031, id=0, length=189
Sending duplicate reply to client dwl2100 port 1031 - ID: 0
Sending Access-Challenge of id 0 to 192.168.15.3 port 1031
Waking up in 1.9 seconds.
Cleaning up request 0 ID 0 with timestamp +28
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xf5d81498f5d90d0b did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.224.64 port 2048, id=16, length=145
User-Name = "fox"
NAS-IP-Address = 192.168.224.64
NAS-Port = 0
Called-Station-Id = "54-E6-FC-E5-4B-F6:FOX-WRK"
Calling-Station-Id = "70-F3-95-E8-3D-29"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0201000801666f78
Message-Authenticator = 0x061dcf5db39a7162218c391bea671739
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "fox", looking up realm NULL
[ntdomain] Found realm "DEFAULT"
[ntdomain] Adding Stripped-User-Name = "fox"
[ntdomain] Adding Realm = "DEFAULT"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> fox
[sql] sql_set_user escaped user --> 'fox'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'fox' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'fox' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'fox' ORDER BY priority
rlm_sql_mysql: MYSQL check_error: 1146 received
[sql] database query error, SELECT groupname FROM radusergroup WHERE username = 'fox' ORDER BY priority: Таблица 'radiuswifi.radusergroup' не существует
[sql] Error retrieving group list
[sql] Error processing groups; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> fox
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 16 to 192.168.224.64 port 2048
Waking up in 4.9 seconds.
Cleaning up request 0 ID 16 with timestamp +15
Ready to process requests.
bbk wrote:
    Screenshots for configuring Win 7 for the Freeradius2 + EAP-TLS + WPA2 + Windows7 setup
    bbk wrote:
        I set up Freeradius2 + EAP-TLS + WPA2 + WindowsXP following your article. With Windows XP everything works without problems.
        But unfortunately I cannot get the same thing working for Windows 7.
        Please give detailed instructions, if anyone can, for configuring Windows 7 for this same setup.
    The solution is in the attachment.
Strange, when I configured Windows 7 and Vista I did not have to do that much shamanism with a tambourine and hallucinogenic mushrooms.
rad_recv: Access-Request packet from host 192.168.136.88 port 34182, id=240, length=60
User-Name = "testuser"
User-Password = "testuser"
NAS-IP-Address = 192.168.136.88
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.136.88/auth-detail-20121121
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.136.88/auth-detail-20121121
[auth_log] expand: %t -> Wed Nov 21 08:22:52 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "testuser"
[pap] Using clear text password "testuser"
[pap] User authenticated successfully
++[pap] returns ok
expand: goodpass -> goodpass
Login OK: [testuser/testuser] (from client server.zi port 1812) goodpass
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
[sql] expand: %{User-Password} -> testuser
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testuser', 'Access-Accept', '2012-11-21 08:22:52')
[sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testuser', 'Access-Accept', '2012-11-21 08:22:52')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testuser', 'Access-Accept', '2012-11-21 08:22:52')
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[sql_log] Processing sql_log_postauth
[sql_log] expand: %{User-Name} -> testuser
[sql_log] expand: %{%{User-Name}:-DEFAULT} -> testuser
[sql_log] sql_set_user escaped user --> 'testuser'
[sql_log] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[sql_log] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('testuser', 'testuser', 'Access-Accept', '2012-11-21 08:22:52');
[sql_log] expand: /var/log/radius/radacct/sql-relay -> /var/log/radius/radacct/sql-relay
++[sql_log] returns ok
++[exec] returns noop
Sending Access-Accept of id 240 to 192.168.136.88 port 34182
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 240 with timestamp +1901
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.136.210 port 8021, id=8, length=228
Framed-MTU = 1466
NAS-IP-Address = 192.168.136.210
NAS-Identifier = "D-Link"
User-Name = "testuser"
Service-Type = Framed-User
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "ether1_1"
Called-Station-Id = "00-19-5b-f3-c5-00"
Calling-Station-Id = "00-22-64-5c-df-23"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
State = 0x89f05b348ff842993489b5a8dae508e8
EAP-Message = 0x0208002419001703010019afe8aa68babf480f3d53edc9dd1d569187cadb734a4e6f1ad6
Message-Authenticator = 0xd23082ac9e4aace39609be655d8fd2cf
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.136.210/auth-detail-20121121
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.136.210/auth-detail-20121121
[auth_log] expand: %t -> Wed Nov 21 08:29:54 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 36
[eap] Continuing tunnel setup.
++[eap] returns ok
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-22-64-5c-df-23
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - testuser
[peap] Got tunneled request
EAP-Message = 0x0208000d017465737475736572
server {
PEAP: Got tunneled identity of testuser
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to testuser
Sending tunneled request
EAP-Message = 0x0208000d017465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] Request is supposed to be proxied to Realm LOCAL. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
expand: badpass -> badpass
Login incorrect: [testuser/<no User-Password attribute>] (from client private-network-1 port 0 via TLS tunnel) badpass
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.136.210 port 8021
EAP-Message = 0x010900261900170301001b8904fe6150cd0920fcf22c03a085a10f27a7494caadac8489f1aad
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89f05b348ef942993489b5a8dae508e8
Finished request 7.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 192.168.136.210 port 8021, id=9, length=230
Framed-MTU = 1466
NAS-IP-Address = 192.168.136.210
NAS-Identifier = "D-Link"
User-Name = "testuser"
Service-Type = Framed-User
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "ether1_1"
Called-Station-Id = "00-19-5b-f3-c5-00"
Calling-Station-Id = "00-22-64-5c-df-23"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
State = 0x89f05b348ef942993489b5a8dae508e8
EAP-Message = 0x020900261900170301001be5b97196746ab67115fb829ab6985105f8e76f8cc65d0c5facd4eb
Message-Authenticator = 0xc999f7c7ce50aad5fb1b9b27e67159b9
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.136.210/auth-detail-20121121
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.136.210/auth-detail-20121121
[auth_log] expand: %t -> Wed Nov 21 08:29:54 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-22-64-5c-df-23
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
expand: badpass -> badpass
Login incorrect: [testuser/<via Auth-Type = EAP>] (from client private-network-1 port 1 cli 00-22-64-5c-df-23) badpass
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 9 to 192.168.136.210 port 8021
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.3 seconds.
Cleaning up request 0 ID 1 with timestamp +41
Cleaning up request 1 ID 2 with timestamp +41
Waking up in 0.4 seconds.
Cleaning up request 2 ID 3 with timestamp +41
Cleaning up request 3 ID 4 with timestamp +41
Cleaning up request 4 ID 5 with timestamp +41
Cleaning up request 5 ID 6 with timestamp +41
Waking up in 0.1 seconds.
Cleaning up request 6 ID 7 with timestamp +41
Cleaning up request 7 ID 8 with timestamp +41
Waking up in 1.0 seconds.
Cleaning up request 8 ID 9 with timestamp +41
Ready to process requests.
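The debug transcripts in this thread all end in a warning or a reject whose cause is stated in a single line (the inner-tunnel Proxy-To-Realm = LOCAL warning, the unfinished EAP session, the MySQL 1146 error for the missing radusergroup table, the User-Password check-item warning). Below is an added triage script, not code from the thread, that scans a `radiusd -X` transcript for exactly those lines and counts the Access-Accept/Reject/Challenge replies; the sample transcript and its 192.0.2.10 address are constructed, and the remediation hints are the editor's, not FreeRADIUS output.

```python
"""Triage helper for FreeRADIUS 2.x `radiusd -X` debug output (added example)."""
import re
from typing import Dict, List, Tuple

# Each needle is a substring of a debug line seen in this thread; the hint is
# the editor's defender-side note on what to check when it appears.
SIGNATURES: List[Tuple[str, str]] = [
    ("Proxy-To-Realm = LOCAL, but the realm does not exist",
     "inner-tunnel is told to proxy to a realm that is not defined; fix the realm setup"),
    ("No authenticate method (Auth-Type) configuration found",
     "inner request reached authenticate with no Auth-Type; check eap/pap in inner-tunnel"),
    ("did not finish!",
     "EAP conversation never completed; see the Certificate_Compatibility page the warning cites"),
    ("MYSQL check_error: 1146",
     "MySQL 'table does not exist'; load the FreeRADIUS schema (radusergroup and friends)"),
    ("Replacing User-Password in config items with Cleartext-Password",
     "known-good passwords are stored as User-Password; store them as Cleartext-Password"),
]

# "Sending Access-Reject of id 9 to 192.168.136.210 port 8021" and the like.
OUTCOME_RE = re.compile(
    r"^Sending (Access-Accept|Access-Reject|Access-Challenge) of id (\d+) to (\S+) port (\d+)"
)

# Constructed sample modelled on the transcripts above (not a real capture).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 8021, id=8, length=228
++[eap] returns ok
server inner-tunnel {
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Login incorrect: [testuser/<no User-Password attribute>] (from client private-network-1 port 0 via TLS tunnel) badpass
} # server inner-tunnel
Sending Access-Challenge of id 8 to 192.0.2.10 port 8021
rlm_sql_mysql: MYSQL check_error: 1146 received
Sending Access-Reject of id 9 to 192.0.2.10 port 8021
WARNING: !! EAP session for state 0x0123456789abcdef did not finish!
"""


def find_signatures(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, hint) for every line that matches a known signature."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for needle, hint in SIGNATURES:
            if needle in line:
                hits.append((lineno, hint))
    return hits


def count_outcomes(log_text: str) -> Dict[str, int]:
    """Count the RADIUS reply types the server sent in the transcript."""
    counts = {"Access-Accept": 0, "Access-Reject": 0, "Access-Challenge": 0}
    for line in log_text.splitlines():
        m = OUTCOME_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def triage(log_text: str) -> Dict[str, object]:
    """Combine reply counts and signature hits into one report."""
    return {"outcomes": count_outcomes(log_text), "findings": find_signatures(log_text)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("replies:", report["outcomes"])
    for lineno, hint in report["findings"]:
        print(f"line {lineno}: {hint}")
```

Feed it a real transcript with `triage(open("radiusd.log").read())`; a reject that is not preceded by any listed signature needs a manual read of the inner-tunnel block.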
The certificate question is a very murky thing.... I spent a couple of days on it but never got a positive result. Hence the questions:
Krylov Alexey wrote:
    I installed the freeradius-2.2.0 port on FreeBSD 9.1-RELEASE-p5.
    And got stuck on generating the certificates. The suggested scripts did not run for me, since all my certificates are in /etc/ssl; CA.pl did not work.
    Is there some way to bypass this CA.pl, or to point it at a different openssl.cnf?
    I found the script /usr/local/etc/raddb/certs/bootstrap. With it I generated certificates, but that did not help. Any advice on what to do?