@Sat0shi
ИБ

WPA-Enterprise 2FA FreeRadius где проблема?

Задача, настроить freeradius с запросом клиентского сертификата и пары логин/пароль из AD.

Есть AD 20212 R2, UniFi Controller (Current Version5.2.9 (Build: atag_5.2.9_8748)) и Freeradius (3.0.12) с ntlm_auth.
Есть сертификат CA, клиентский сертификат, и северный (из коробки). Используем Windows 7, PEAP MS-CHAP v2.

При такой конфигурации:

peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
        require_client_cert = no
   }


Все работает:
(11) eap: Peer sent EAP Response (code 2) ID 65 length 43
(11) eap: Continuing tunnel setup
(11)     [eap] = ok
(11)   } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11)   authenticate {
(11) eap: Expiring EAP session with state 0xa3f6d1f2aab7c86f
(11) eap: Finished EAP session with state 0xa3f6d1f2aab7c86f
(11) eap: Previous EAP request found for state 0xa3f6d1f2aab7c86f, released from                                                                     the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: [eaptls verify] = ok
(11) eap_peap: Done initial handshake
(11) eap_peap: [eaptls process] = ok
(11) eap_peap: Session established.  Decoding tunneled attributes
(11) eap_peap: PEAP state send tlv success
(11) eap_peap: Received EAP-TLV response
(11) eap_peap: Success
(11) eap_peap: Using saved attributes from the original Access-Accept
(11) eap_peap:   User-Name = "test2"
(11) eap_peap:     caching User-Name = "test2"
(11) eap_peap: Saving session f7d69eb235e0c190cb9fb041a359715ca03959e083342b3506                                                                    e62f2a44c637e2 in the disk cache
(11) eap: Sending EAP Success (code 3) ID 65 length 4
(11) eap: Freeing handler
(11)     [eap] = ok
(11)   } # authenticate = ok
(11) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/                                                                    default
(11)   post-auth {
(11)     update {
(11)       No attributes updated
(11)     } # update = noop
(11)     [exec] = noop
(11)     policy remove_reply_message_if_eap {
(11)       if (&reply:EAP-Message && &reply:Reply-Message) {
(11)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(11)       else {
(11)         [noop] = noop
(11)       } # else = noop
(11)     } # policy remove_reply_message_if_eap = noop
(11)   } # post-auth = noop
(11) Sent Access-Accept Id 243 from 10.11.12.6:1812 to 192.168.101.250:47904 len                                                                    gth 0
(11)   User-Name = "test2"
(11)   MS-MPPE-Recv-Key = 0x3d4381f5ae8856173f931331f08099128998347880426c3fcb15                                                                    badfebbf25f9
(11)   MS-MPPE-Send-Key = 0x3fdce394cfb3378a7190958dc1e3004f4eb306d61f5ff936bbc6                                                                    29eb91d5d751
(11)   EAP-Message = 0x03410004
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11) Finished request


Но при изменение
require_client_cert = yes

EAP-TLS не отрабатывает.

11) eap: Peer sent EAP Response (code 2) ID 230 length 151
(11) eap: Continuing tunnel setup
(11)     [eap] = ok
(11)   } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11)   authenticate {
(11) eap: Expiring EAP session with state 0xf22750c1f6c14964
(11) eap: Finished EAP session with state 0xf22750c1f6c14964
(11) eap: Previous EAP request found for state 0xf22750c1f6c14964, released from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: Peer indicated complete TLS record size will be 141 bytes
(11) eap_peap: Got complete TLS record (141 bytes)
(11) eap_peap: [eaptls verify] = length included
(11) eap_peap: <<< recv TLS 1.0 Handshake [length 0007], Certificate
(11) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(11) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in SSLv3 read client certificate B
(11) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
(11) eap_peap: ERROR: System call (I/O) error (-1)
(11) eap_peap: ERROR: TLS receive handshake failed during operation
(11) eap_peap: ERROR: [eaptls process] = fail
(11) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(11) eap: Sending EAP Failure (code 4) ID 230 length 4
(11) eap: Failed in EAP select
(11)     [eap] = invalid
(11)   } # authenticate = invalid
(11) Failed to authenticate the user


Такая конфигурация в принципе возможна?
  • Вопрос задан
  • 849 просмотров
Решения вопроса 1
@Sat0shi Автор вопроса
ИБ
freeradius.1045715.n5.nabble.com/two-factor-authen...

Невозможно для Windows Client сделать авторизацию через сертификат и запрос пары логин/пароль в AD.
Ответ написан
Комментировать
Пригласить эксперта
Ответы на вопрос 1
AxianLTD
@AxianLTD
Error in SSLv3 read client certificate B
(11) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
(11) eap_peap: ERROR: System call (I/O) error (-1)
-----------------
Так вполне конкретно же пишет - клиент не вернул сертификат. У вас видимо ошибка в настройках клиента.
Ответ написан
Ваш ответ на вопрос

Войдите, чтобы написать ответ

Войти через центр авторизации
Похожие вопросы