Greetings, friends.
I'm trying to get WPA2-EAP working on a MikroTik. freeradius authenticates fine for switches and a pile of other network gear, but I can't get WPA2-EAP configured.
The log contains:
(220) Received Access-Request Id 234 from 10.10.3.189:42134 to 172.17.0.2:1812 length 264
(220) Service-Type = Framed-User
(220) Framed-MTU = 1400
(220) User-Name = "sys"
(220) State = 0x9c1eed869b17f40c954b4359550f8eb4
(220) NAS-Port-Id = "radius"
(220) NAS-Port-Type = Wireless-802.11
(220) Acct-Session-Id = "82000020"
(220) Acct-Multi-Session-Id = "6E-3B-6B-F2-A3-84-80-A5-89-00-3D-A3-82-00-00-00-00-00-00-1D"
(220) Calling-Station-Id = "80-A5-89-00-3D-A3"
(220) Called-Station-Id = "6E-3B-6B-F2-A3-84:Radius"
(220) EAP-Message = 0x0209002b19001703010020f6f18e3b9d1144351e61353162621a3e6de737d51713a7746737b0d5689bf84d
(220) Message-Authenticator = 0x24d64cf0c1f4b2596164e3b4faca09d1
(220) NAS-Identifier = "MikroTik"
(220) NAS-IP-Address = 10.10.3.189
(220) Restoring &session-state
(220) &session-state:Module-Failure-Message := "No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
(220) # Executing section authorize from file /radius/conf/sites-enabled/default
(220) authorize {
(220) policy filter_username {
(220) if (&User-Name) {
(220) if (&User-Name) -> TRUE
(220) if (&User-Name) {
(220) if (&User-Name =~ / /) {
(220) if (&User-Name =~ / /) -> FALSE
(220) if (&User-Name =~ /@[^@]*@/ ) {
(220) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(220) if (&User-Name =~ /\.\./ ) {
(220) if (&User-Name =~ /\.\./ ) -> FALSE
(220) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(220) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(220) if (&User-Name =~ /\.$/) {
(220) if (&User-Name =~ /\.$/) -> FALSE
(220) if (&User-Name =~ /@\./) {
(220) if (&User-Name =~ /@\./) -> FALSE
(220) } # if (&User-Name) = notfound
(220) } # policy filter_username = notfound
(220) [preprocess] = ok
(220) [chap] = noop
(220) [mschap] = noop
(220) [digest] = noop
(220) suffix: Checking for suffix after "@"
(220) suffix: No '@' in User-Name = "sys", looking up realm NULL
(220) suffix: No such realm "NULL"
(220) [suffix] = noop
(220) eap: Peer sent EAP Response (code 2) ID 9 length 43
(220) eap: Continuing tunnel setup
(220) [eap] = ok
(220) } # authorize = ok
(220) Found Auth-Type = eap
(220) # Executing group from file /radius/conf/sites-enabled/default
(220) authenticate {
(220) eap: Expiring EAP session with state 0x9c1eed869b17f40c
(220) eap: Finished EAP session with state 0x9c1eed869b17f40c
(220) eap: Previous EAP request found for state 0x9c1eed869b17f40c, released from the list
(220) eap: Peer sent packet with method EAP PEAP (25)
(220) eap: Calling submodule eap_peap to process data
(220) eap_peap: Continuing EAP-TLS
(220) eap_peap: [eaptls verify] = ok
(220) eap_peap: Done initial handshake
(220) eap_peap: [eaptls process] = ok
(220) eap_peap: Session established. Decoding tunneled attributes
(220) eap_peap: PEAP state send tlv failure
(220) eap_peap: Received EAP-TLV response
(220) eap_peap: The users session was previously rejected: returning reject (again.)
(220) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(220) eap_peap: to find out the reason why the user was rejected
(220) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(220) eap_peap: what went wrong, and how to fix the problem
(220) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(220) eap: Sending EAP Failure (code 4) ID 9 length 4
(220) eap: Failed in EAP select
(220) [eap] = invalid
(220) } # authenticate = invalid
(220) Failed to authenticate the user
(220) Using Post-Auth-Type Reject
(220) # Executing group from file /radius/conf/sites-enabled/default
(220) Post-Auth-Type REJECT {
(220) sql: EXPAND .query
(220) sql: --> .query
(220) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (30)
(220) sql: EXPAND %{User-Name}
(220) sql: --> sys
(220) sql: SQL-User-Name set to 'sys'
(220) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())
(220) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW())
(220) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(220) sql: SQL query returned: success
(220) sql: 1 record(s) updated
rlm_sql (sql): Released connection (30)
(220) [sql] = ok
(220) attr_filter.access_reject: EXPAND %{User-Name}
(220) attr_filter.access_reject: --> sys
(220) attr_filter.access_reject: Matched entry DEFAULT at line 11
(220) [attr_filter.access_reject] = updated
(220) policy remove_reply_message_if_eap {
(220) if (&reply:EAP-Message && &reply:Reply-Message) {
(220) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(220) else {
(220) [noop] = noop
(220) } # else = noop
(220) } # policy remove_reply_message_if_eap = noop
(220) } # Post-Auth-Type REJECT = updated
(220) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
(220) Discarding duplicate request from client 0.0.0.0/0 port 42134 - ID: 234 due to delayed response
Waking up in 0.6 seconds.
(220) Discarding duplicate request from client 0.0.0.0/0 port 42134 - ID: 234 due to delayed response
Waking up in 0.4 seconds.
(220) Sending delayed response
(220) Sent Access-Reject Id 234 from 172.17.0.2:1812 to 10.10.3.189:42134 length 44
(220) EAP-Message = 0x04090004
(220) Message-Authenticator = 0x00000000000000000000000000000000
The line
(220) eap_peap: PEAP state send tlv failure
confuses me, but Google hasn't shed any light on it.
The client is Windows 7, connection settings:
Microsoft EAP (PEAP) + EAP-MSCHAPv2
Please share your experience on which configs are needed; I'll post them.
Solution: in mods-available/eap, the line
default_eap_type = tls
needs to be changed to
default_eap_type = tls,peap
(since version 3 the separator is a comma, not a space)
and then mschap itself has to be configured:
mods-available/mschap
use_mppe = yes
require_encryption = yes
require_strong = yes
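The eap_peap lines in the debug output above say the rejection is a repeat ("returning reject (again.)") and that the real reason sits earlier in the log; here it is the restored session-state attribute Module-Failure-Message = "No Auth-Type found". The following is an added example, not code from the post or from the FreeRADIUS project: a small parser for `radiusd -X` output that groups lines by request id, records the module results, packet directions and attributes, and reports the earliest failure reason per request rather than the last one. The sample lines embedded in it are excerpted from the log in the post; the function names and the choice of which module results count as failures are this example's own assumptions.

```python
import re
from collections import defaultdict

# Sample input: lines excerpted from the radiusd -X output in the post
# above (request id 220). Lines without a "(id)" prefix, such as the
# rlm_sql pool messages or "Waking up in ...", carry no request id and
# are skipped by the parser.
SAMPLE_LOG = """\
(220) Received Access-Request Id 234 from 10.10.3.189:42134 to 172.17.0.2:1812 length 264
(220) User-Name = "sys"
(220) NAS-Identifier = "MikroTik"
(220) Restoring &session-state
(220) &session-state:Module-Failure-Message := "No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
(220) [preprocess] = ok
(220) [suffix] = noop
(220) eap: Peer sent packet with method EAP PEAP (25)
(220) [eap] = ok
rlm_sql (sql): Reserved connection (30)
(220) eap_peap: PEAP state send tlv failure
(220) eap_peap: The users session was previously rejected: returning reject (again.)
(220) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(220) [eap] = invalid
(220) Failed to authenticate the user
Waking up in 0.3 seconds.
(220) Sent Access-Reject Id 234 from 172.17.0.2:1812 to 10.10.3.189:42134 length 44
"""

REQ_RE = re.compile(r'^\((\d+)\)\s+(.*)$')
# "User-Name = "sys"" and "&session-state:Module-Failure-Message := "...""
ATTR_RE = re.compile(r'^(?:&session-state:)?([A-Za-z][\w-]*)\s*:?=\s*(.*)$')
# "[eap] = invalid", "[attr_filter.access_reject] = updated"
MODULE_RE = re.compile(r'^\[([\w.]+)\]\s*=\s*(\w+)$')
PACKET_RE = re.compile(r'^(Received|Sent)\s+(Access-\w+)\s+Id\s+(\d+)\s+from\s+(\S+)\s+to\s+(\S+)')

# Module return codes treated as failures (assumption of this example).
FAILURE_CODES = {"invalid", "reject", "fail", "userlock"}


def parse_debug(text):
    """Group radiusd -X lines by request id and extract the useful parts."""
    requests = defaultdict(lambda: {"attrs": {}, "modules": [], "packets": [], "errors": []})
    for raw in text.splitlines():
        m = REQ_RE.match(raw.strip())
        if not m:
            continue
        rid, body = int(m.group(1)), m.group(2).strip()
        req = requests[rid]
        pm = PACKET_RE.match(body)
        if pm:
            req["packets"].append(pm.groups())  # (direction, type, id, from, to)
            continue
        mm = MODULE_RE.match(body)
        if mm:
            req["modules"].append((mm.group(1), mm.group(2)))
            continue
        am = ATTR_RE.match(body)
        if am:
            req["attrs"][am.group(1)] = am.group(2).strip().strip('"')
            continue
        # Keep explicit error lines and the "previously rejected" hint in order,
        # so the first entry is the earliest reason the server printed.
        if "ERROR" in body or "rejected" in body.lower():
            req["errors"].append(body)
    return dict(requests)


def summarize(text):
    """Per request: who, from which NAS, final outcome and the earliest failure cause."""
    out = {}
    for rid, req in parse_debug(text).items():
        sent = next((p[1] for p in req["packets"] if p[0] == "Sent"), None)
        # The restored session-state Module-Failure-Message predates the current
        # round trip, so it takes priority over anything logged in this request.
        first_failure = req["attrs"].get("Module-Failure-Message")
        if first_failure is None and req["errors"]:
            first_failure = req["errors"][0]
        out[rid] = {
            "user": req["attrs"].get("User-Name"),
            "nas": req["attrs"].get("NAS-Identifier"),
            "outcome": sent,
            "first_failure": first_failure,
            "failed_modules": [(n, r) for n, r in req["modules"] if r in FAILURE_CODES],
        }
    return out


if __name__ == "__main__":
    for rid, info in summarize(SAMPLE_LOG).items():
        print(f"request {rid}: user={info['user']} nas={info['nas']} outcome={info['outcome']}")
        print(f"  first failure : {info['first_failure']}")
        print(f"  failed modules: {info['failed_modules']}")
```

Run against the full capture the output is the same idea: request 220 ends in Access-Reject, the only failing module is eap with result invalid, and the earliest cause is the "No Auth-Type found" message restored from session-state, which points at the inner tunnel (where the MS-CHAPv2 exchange runs) rather than at the outer PEAP handshake that the "send tlv failure" line belongs to.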