Errors setting up an 802.1X authentication environment with CentOS 7, LDAP, Windows AD and FreeRADIUS 3.0.13

Original post by Yearn, 2018-01-19 15:22:35, 2306 reads, 0 comments

The following is a real technical problem the author ran into:

Environment: CentOS 7, LDAP, Windows AD, FreeRADIUS 3.0.13

Layer-3 switch: EdgeSwitch 48, M/N: ES-48-Lite


The 802.1X authentication environment built on Linux could not authenticate clients. Testing locally on the FreeRADIUS Linux host with the radtest command succeeds, but in the real environment the same error shown below occurs every time.


Summary of the resolution: in the end the author replaced the switch with a Cisco switch (Cisco 2960S) to do 802.1X authentication. Whether my EdgeSwitch 48 was misconfigured or something else was wrong, I do not know; it tormented me for a long time, stuck on the same problem with no way to solve it.


Below is the debug log from testing 802.1X authentication with a physical Windows 7 PC (red text in the original marks the abnormal lines):



Waking up in 4.9 seconds.
(5) Received Access-Request Id 35 from 192.168.1.3:43811 to 192.168.1.33:1812 length 484
(5)   User-Name = "ubnt0"
(5)   Called-Station-Id = "f0-9f-c2-10-c9-4b"
(5)   Calling-Station-Id = "88:ae:1d:23:ed:aa"
(5)   NAS-Identifier = "f0-9f-c2-10-c9-4a"
(5)   NAS-IP-Address = 192.168.1.33
(5)   NAS-Port = 9
(5)   Framed-MTU = 1500
(5)   NAS-Port-Type = Ethernet
(5)   State = 0xef2858f5ec2d41589d90fdd1f0ae3698
(5)   EAP-Message = 0x02050150198000000146160301010610000102010016a4bb9916dff1dcc9c8c31956ae1a9fcc920e60fe1676d29aea605f6753138e17e551c937b251a307386b25d037c1738ab1fd1dd0c9ab807cf0ca5325a83d2ff47378309b9c5b8eb7058a10e8df518896753f3c12c834e3c91cd596a99c63f40e83
(5)   Message-Authenticator = 0x693dc4b0bd43d961bbe76d255c823f6d
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "ubnt0", looking up realm NULL
(5) suffix: Found realm "NULL"
(5) suffix: Adding Stripped-User-Name = "ubnt0"
(5) suffix: Adding Realm = "NULL"
(5) suffix: Authentication realm is LOCAL
(5)     [suffix] = ok
(5) eap: Peer sent EAP Response (code 2) ID 5 length 336
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xef2858f5ec2d4158
(5) eap: Finished EAP session with state 0xef2858f5ec2d4158
(5) eap: Previous EAP request found for state 0xef2858f5ec2d4158, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 326 bytes
(5) eap_peap: Got complete TLS record (326 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.0 Handshake [length 0106], ClientKeyExchange
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: TLS_accept: SSLv3 read certificate verify A
(5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal bad_record_mac
(5) eap_peap: ERROR: TLS Alert write:fatal:bad record mac
(5) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(5) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
(5) eap_peap: ERROR: System call (I/O) error (-1)
(5) eap_peap: ERROR: TLS receive handshake failed during operation
(5) eap_peap: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed

(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user
(5) Login incorrect (eap_peap: TLS Alert write:fatal:bad record mac): [ubnt0] (from client 192.168.1.3 port 9 cli 88:ae:1d:23:ed:aa)
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> ubnt0
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)     [attr_filter.access_reject] = updated
(5)     [eap] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 35 from 192.168.1.33:1812 to 192.168.1.3:43811 length 44
(5)   EAP-Message = 0x04050004
(5)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 31 with timestamp +6
(2) Cleaning up request packet ID 32 with timestamp +6
(3) Cleaning up request packet ID 33 with timestamp +6
(4) Cleaning up request packet ID 34 with timestamp +6
(5) Cleaning up request packet ID 35 with timestamp +6
Ready to process requests


From the red log lines above it looks as though the problem appears at the Secure Sockets Layer (SSL) and then causes the Transport Layer Security (TLS) communication to fail; this is my personal guess, and the real cause still needs an expert to answer.

What finally resolved this for me was replacing the switch with a Cisco switch (Cisco 2960S) to do 802.1X authentication. Whether my EdgeSwitch 48 was misconfigured or something else was wrong, I do not know; it tormented me for a long time, stuck on the problem above with no way to solve it.



Below is the result of running the radtest command locally on the FreeRADIUS server; this authenticates successfully:

(7) Received Access-Request Id 113 from 127.0.0.1:40009 to 127.0.0.1:1812 length 75
(7)   User-Name = "ubnt0"
(7)   User-Password = "123456"
(7)   NAS-IP-Address = 192.168.1.33
(7)   NAS-Port = 0
(7)   Message-Authenticator = 0x5f052396dc4fba620144d5d17d8e8638
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "ubnt0", looking up realm NULL
(7) suffix: Found realm "NULL"
(7) suffix: Adding Stripped-User-Name = "ubnt0"
(7) suffix: Adding Realm = "NULL"
(7) suffix: Authentication realm is LOCAL
(7)     [suffix] = ok
(7) eap: No EAP-Message, not doing EAP
(7)     [eap] = noop
(7)     [files] = noop
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 1181 seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 1181 seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 1181 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 1181 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 1181 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://192.168.1.31:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (5)
(7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap:    --> (uid=ubnt0)
(7) ldap: Performing search in "dc=yfyun,dc=net" with filter "(uid=ubnt0)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "uid=ubnt0,ou=People,dc=yfyun,dc=net"
(7) ldap: Processing user attributes
(7) ldap: control:Password-With-Header += '{crypt}$6$4gqD.dIJ$tOTKqo82N4uVb2rlsB0ZKyE3mCnuY0pE1nI.jvk5K271ie57gvX1dQ3FdSxfrNH1qC6jfi9NXUZxJIyM7yKQt.'
rlm_ldap (ldap): Released connection (5)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://192.168.1.31:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7)     [ldap] = updated
(7)     [expiration] = noop
(7)     [logintime] = noop
(7) pap: Converted: &control:Password-With-Header -> &control:Crypt-Password
(7) pap: Removing &control:Password-With-Header
(7)     [pap] = updated
(7)   } # authorize = updated
(7) Found Auth-Type = PAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   Auth-Type PAP {
(7) pap: Login attempt with password
(7) pap: Comparing with "known-good" Crypt-password
(7) pap: User authenticated successfully
(7)     [pap] = ok
(7)   } # Auth-Type PAP = ok
(7) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(7)   post-auth {
(7)     update {
(7)       No attributes updated
(7)     } # update = noop
(7) ldap: EXPAND .
(7) ldap:    --> .
(7) ldap: EXPAND Authenticated at %S
(7) ldap:    --> Authenticated at 2017-11-15 16:00:35.749436
rlm_ldap (ldap): Reserved connection (5)
(7) ldap: Using user DN from request "uid=ubnt0,ou=People,dc=yfyun,dc=net"
(7) ldap: Modifying object with DN "uid=ubnt0,ou=People,dc=yfyun,dc=net"
(7) ldap: Waiting for modify result...
rlm_ldap (ldap): Released connection (5)
(7)     [ldap] = ok
(7)     [exec] = noop
(7)     policy remove_reply_message_if_eap {
(7)       if (&reply:EAP-Message && &reply:Reply-Message) {
(7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(7)       else {
(7)         [noop] = noop
(7)       } # else = noop
(7)     } # policy remove_reply_message_if_eap = noop
(7)   } # post-auth = ok
(7) Login OK: [ubnt0] (from client localhost port 0)
(7) Sent Access-Accept Id 113 from 127.0.0.1:1812 to 127.0.0.1:40009 length 0
(7) Finished request
Waking up in 4.9 seconds.
(7) Cleaning up request packet ID 113 with timestamp +1181
Ready to process requests
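The two transcripts above are easier to compare when reduced to one summary per request: request (5) enters EAP-PEAP and dies in the TLS tunnel setup with a fatal bad_record_mac alert, while request (7) from radtest never does EAP at all ("No EAP-Message, not doing EAP") and is authenticated by PAP against LDAP, so a passing radtest only proves the LDAP/PAP path, not the PEAP tunnel. The parser below is an added example, not code from the post; it groups radiusd -X output by request number and pulls out the method, TLS alert, ERROR lines and final result, using a constructed sample trimmed from the two logs.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the two radiusd -X transcripts above
# (request 5 = PEAP via the switch, request 7 = radtest PAP on localhost).
SAMPLE_LOG = """\
(5)   User-Name = "ubnt0"
(5) Found Auth-Type = eap
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal bad_record_mac
(5) eap_peap: ERROR: TLS Alert write:fatal:bad record mac
(5) eap_peap: ERROR: [eaptls process] = fail
(5) Login incorrect (eap_peap: TLS Alert write:fatal:bad record mac): [ubnt0] (from client 192.168.1.3 port 9 cli 88:ae:1d:23:ed:aa)
Waking up in 3.9 seconds.
(7)   User-Name = "ubnt0"
(7) eap: No EAP-Message, not doing EAP
(7) Found Auth-Type = PAP
(7) Login OK: [ubnt0] (from client localhost port 0)
"""

REQ_RE = re.compile(r"^\((\d+)\) (.*)$")
METHOD_RE = re.compile(r"Peer sent packet with method (EAP \w+ \(\d+\))")
AUTH_TYPE_RE = re.compile(r"Found Auth-Type = (\S+)")
ALERT_RE = re.compile(r">>> send TLS \S+ Alert .*?, (fatal|warning) (\w+)")
ERROR_RE = re.compile(r"^(\w+): ERROR: (.*)$")
RESULT_RE = re.compile(r"^Login (OK|incorrect)(?: \((.*?)\))?: \[(.*?)\] \(from client (\S+) port (\d+)")

def parse_debug_log(text):
    """Group radiusd -X output by request number and summarise each request."""
    reqs = defaultdict(lambda: {"method": None, "tls_alert": None, "errors": [],
                                "result": None, "reason": None, "user": None, "client": None})
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # timers and connection-pool chatter carry no "(N)" prefix
        req, body = reqs[int(m.group(1))], m.group(2).strip()
        if mm := METHOD_RE.search(body):  # concrete EAP method beats the generic "eap"
            req["method"] = mm.group(1)
        elif (mm := AUTH_TYPE_RE.search(body)) and req["method"] is None:
            req["method"] = mm.group(1)
        elif mm := ALERT_RE.search(body):
            req["tls_alert"] = f"{mm.group(1)} {mm.group(2)}"
        elif mm := ERROR_RE.match(body):
            req["errors"].append(f"{mm.group(1)}: {mm.group(2)}")
        elif mm := RESULT_RE.match(body):
            req["result"], req["reason"], req["user"], req["client"] = mm.group(1, 2, 3, 4)
    return dict(reqs)

def failed_requests(reqs):
    """(request_no, user, client, reason, tls_alert) for every request that was rejected."""
    return [(n, r["user"], r["client"], r["reason"], r["tls_alert"])
            for n, r in sorted(reqs.items()) if r["result"] == "incorrect"]
```

Run it over a full radiusd -X capture to see at a glance which requests reached the EAP tunnel and which were rejected by a TLS alert before any password check happened.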

If anyone needs it, you can have a look at my FreeRADIUS configuration process and some experience notes: https://www.yfyun.xin/?id=19


Article URL: https://www.yfyun.xin/index.php/post/20.html
Copyright notice: this is an original article and the copyright belongs to Yearn; sharing is welcome, please keep the source when reposting!
