The task: set up FreeRADIUS so that it requests a client certificate plus a login/password pair from AD.
We have AD 2012 R2, a UniFi Controller (Current Version 5.2.9 (Build: atag_5.2.9_8748)) and FreeRADIUS (3.0.12) with ntlm_auth.
We have a CA certificate, a client certificate, and a server certificate (the out-of-the-box one). The client is Windows 7, PEAP MS-CHAP v2.
With this configuration:
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
everything works:
(11) eap: Peer sent EAP Response (code 2) ID 65 length 43
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0xa3f6d1f2aab7c86f
(11) eap: Finished EAP session with state 0xa3f6d1f2aab7c86f
(11) eap: Previous EAP request found for state 0xa3f6d1f2aab7c86f, released from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: [eaptls verify] = ok
(11) eap_peap: Done initial handshake
(11) eap_peap: [eaptls process] = ok
(11) eap_peap: Session established. Decoding tunneled attributes
(11) eap_peap: PEAP state send tlv success
(11) eap_peap: Received EAP-TLV response
(11) eap_peap: Success
(11) eap_peap: Using saved attributes from the original Access-Accept
(11) eap_peap: User-Name = "test2"
(11) eap_peap: caching User-Name = "test2"
(11) eap_peap: Saving session f7d69eb235e0c190cb9fb041a359715ca03959e083342b3506e62f2a44c637e2 in the disk cache
(11) eap: Sending EAP Success (code 3) ID 65 length 4
(11) eap: Freeing handler
(11) [eap] = ok
(11) } # authenticate = ok
(11) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(11) post-auth {
(11) update {
(11) No attributes updated
(11) } # update = noop
(11) [exec] = noop
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) } # post-auth = noop
(11) Sent Access-Accept Id 243 from 10.11.12.6:1812 to 192.168.101.250:47904 length 0
(11) User-Name = "test2"
(11) MS-MPPE-Recv-Key = 0x3d4381f5ae8856173f931331f08099128998347880426c3fcb15badfebbf25f9
(11) MS-MPPE-Send-Key = 0x3fdce394cfb3378a7190958dc1e3004f4eb306d61f5ff936bbc629eb91d5d751
(11) EAP-Message = 0x03410004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) Finished request
But after changing it to
require_client_cert = yes
EAP-TLS does not complete:
(11) eap: Peer sent EAP Response (code 2) ID 230 length 151
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0xf22750c1f6c14964
(11) eap: Finished EAP session with state 0xf22750c1f6c14964
(11) eap: Previous EAP request found for state 0xf22750c1f6c14964, released from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: Peer indicated complete TLS record size will be 141 bytes
(11) eap_peap: Got complete TLS record (141 bytes)
(11) eap_peap: [eaptls verify] = length included
(11) eap_peap: <<< recv TLS 1.0 Handshake [length 0007], Certificate
(11) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(11) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in SSLv3 read client certificate B
(11) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
(11) eap_peap: ERROR: System call (I/O) error (-1)
(11) eap_peap: ERROR: TLS receive handshake failed during operation
(11) eap_peap: ERROR: [eaptls process] = fail
(11) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(11) eap: Sending EAP Failure (code 4) ID 230 length 4
(11) eap: Failed in EAP select
(11) [eap] = invalid
(11) } # authenticate = invalid
(11) Failed to authenticate the user
Is such a configuration possible at all?
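As an added example (not part of the original post), a small Python triage script over the radiusd -X lines quoted above: it parses the TLS handshake trace and, for the Certificate message the peer sent, derives the certificate_list size from the logged length (a 4-byte handshake header plus a 3-byte list-length prefix, so `[length 0007]` is an empty list), which is exactly what require_client_cert = yes rejects. The log excerpt is constructed from the post's own output; the function names are assumptions of this example.

```python
import re

# Constructed excerpt of the radiusd -X output quoted in the post above.
SAMPLE_LOG = """(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: Got complete TLS record (141 bytes)
(11) eap_peap: <<< recv TLS 1.0 Handshake [length 0007], Certificate
(11) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(11) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
(11) eap: Sending EAP Failure (code 4) ID 230 length 4
"""

# Matches FreeRADIUS' "<<< recv" / ">>> send" TLS message trace lines.
TLS_MSG_RE = re.compile(
    r"^\((?P<req>\d+)\) (?P<mod>\S+): (?P<dir><<<|>>>) (?:recv|send) TLS [\d.]+ "
    r"(?P<ctype>Handshake|Alert) \[length (?P<len>[0-9a-fA-F]{4})\], (?P<desc>.+)$"
)
REQ_RE = re.compile(r"^\((?P<req>\d+)\) ")
NO_CERT_TEXT = "peer did not return a certificate"

HANDSHAKE_HEADER_LEN = 4  # msg_type (1 byte) + length (3 bytes)
CERT_LIST_LEN_FIELD = 3   # certificate_list<0..2^24-1> length prefix


def certificate_list_bytes(msg_len):
    """Bytes of certificate data in a Certificate handshake message whose logged
    length (header included) is msg_len; 0 means the peer sent an empty list."""
    body = msg_len - HANDSHAKE_HEADER_LEN
    if body < CERT_LIST_LEN_FIELD:
        raise ValueError("too short to be a Certificate handshake message")
    return body - CERT_LIST_LEN_FIELD


def triage(log):
    """Per request id: certificate_list size sent by the peer, the alert we sent
    back, and whether OpenSSL reported the missing-certificate error."""
    out = {}
    for line in log.splitlines():
        req = REQ_RE.match(line)
        if not req:
            continue
        r = out.setdefault(req["req"], {"cert_list_bytes": None, "alert": None, "no_cert_error": False})
        m = TLS_MSG_RE.match(line)
        if m and m["dir"] == "<<<" and m["ctype"] == "Handshake" and m["desc"] == "Certificate":
            r["cert_list_bytes"] = certificate_list_bytes(int(m["len"], 16))
        elif m and m["dir"] == ">>>" and m["ctype"] == "Alert":
            r["alert"] = m["desc"]
        elif NO_CERT_TEXT in line:
            r["no_cert_error"] = True
    return out


def verdict(r):
    """Human-readable cause for one request's entry from triage()."""
    if r["cert_list_bytes"] == 0 and r["no_cert_error"]:
        return "peer answered CertificateRequest with an empty Certificate message; require_client_cert rejected it"
    if r["cert_list_bytes"]:
        return "peer sent %d bytes of certificate data; look elsewhere (chain/CA trust)" % r["cert_list_bytes"]
    return "no client Certificate message seen in this request"
```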