
Freeradius + LDAP + EAP-TTLS with PAP 的問題

火星人 @ 2014-03-04 , reply:0

Freeradius + LDAP + EAP-TTLS with PAP 的問題

嗨，小弟最近試架 Freeradius + LDAP + EAP-TTLS with PAP，給公司的職員登錄使用無線網路。小弟是用 WPA/WPA2 的 802.1x 來做測試，Client 是用 SecureW2。問題是：SecureW2 使用 EAP-TTLS with PAP 時，用戶不能登錄；把 SecureW2 設成用 EAP-TTLS with EAP-MD5 作為 inner tunnel 就沒問題。小弟沒有使用 Anonymous 做 outer tunnel。已經試了兩個星期都還沒解決，希望各位大大可以幫個忙看一看。感激不盡。

radius.conf
# radius.conf — main server configuration (FreeRADIUS 1.x layout; the exact version
# is not stated in the post). All paths below derive from prefix/sysconfdir/localstatedir.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
# Privilege drop after startup: the intended pair is `user = radiusd` / `group = radiusd`.
user = radiusd
# NOTE(review): "goup" is a typo for "group". It is not a recognised item, so it is most
# likely ignored and the daemon keeps the primary group it was started with (root's, if
# started by root). Fix: `group = radiusd`.
goup = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Binds every interface; port = 0 takes the port numbers from /etc/services.
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
# NOTE(review): with log_auth off, nothing about the rejected TTLS/PAP inner request
# reaches radius.log. `log_auth = yes` records the accept/reject per request; the two
# *_pass items additionally write the submitted password into the log, so keep them off
# (or enable log_auth_badpass only briefly while debugging). The most direct way to see
# which module rejects the inner request, and why, is debug mode (`radiusd -X`).
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

# Limits on attacker-controlled input and on reject timing.
security {

# Upper bound on attributes accepted in one packet (guards against oversized requests).
max_attributes = 200
# One-second delay before each Access-Reject slows down online password guessing.
reject_delay = 1
# Status-Server probes are not answered.
status_server = no
}

# Proxying is enabled: together with the `suffix` realm module in authorize, a User-Name
# of the form user@realm is looked up in proxy.conf. For this setup ocesb.com.my must be
# declared there as a LOCAL realm, otherwise matching requests are forwarded instead of
# being handled by this server. proxy.conf is not part of the post — verify.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf

# NAS (access point) definitions and their shared secrets live in clients.conf (not shown).
$INCLUDE ${confdir}/clients.conf

snmp = no
$INCLUDE ${confdir}/snmp.conf

# Worker-thread pool sizing; max_requests_per_server = 0 means threads are never recycled.
thread pool {

start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

# Module instances. Only the instances named in the sections further down
# (instantiate / authorize / authenticate / preacct / accounting / session ...) are run.
modules {
# NOTE(review): encryption_scheme = clear means PAP compares User-Password against a
# cleartext "known good" password supplied by an earlier module — here that can only be
# the userPassword value returned by ldap_1x. A hashed userPassword (e.g. with an {SSHA}
# header) would not match under this scheme; confirm what ldap_1x returns in `radiusd -X`.
pap {
encryption_scheme = clear
}

chap {
authtype = CHAP
}

pam {
pam_auth = radiusd
}

unix {
cache = no
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}

# EAP types and the TLS settings are in eap.conf (quoted further down in the post).
$INCLUDE ${confdir}/eap.conf

mschap {
}

# LDAP lookup instance "ldap_1x": finds the user entry and returns its userPassword so
# that pap / EAP-MD5 have a known-good password. In the posted authorize section it is
# reached only through `Autz-Type LDAP1`.
ldap ldap_1x {
server = "localhost"
# NOTE(review): binds as the directory manager (root DN). Least privilege would be a
# dedicated read-only bind account restricted to the People subtree and the attributes
# used here (uid, userPassword, dialupAccess, radiusGroupName).
identity = "cn=Manager,dc=."
password = xxxxxxx
# Must equal the suffix used in the LDIF (dc=ocesb,dc=com,dc=my,dc=.) — it does.
basedn = "dc=ocesb,dc=com,dc=my,dc=."
# Looks the user up by the realm-stripped name, falling back to the full User-Name.
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
# Plain LDAP without TLS is acceptable only while the directory stays on the same host;
# the bind password and the userPassword values would otherwise cross the network in clear.
start_tls = no

# Entries lacking this attribute, or with it set to FALSE, are rejected.
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5
# The bind DN needs read access to this attribute; otherwise no known-good password is
# returned and both pap and EAP-MD5 fail.
password_attribute = userPassword
groupname_attribute = radiusGroupName
groupmembership_attribute = radiusGroupName
groupmembership_filter = "(objectclass=radiusprofile)"
timeout = 4
timelimit = 3
net_timeout = 1

}

# Realm instances; only `suffix` (user@realm) is referenced by the sections below.
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}

# Splits user@realm into Stripped-User-Name + Realm (Realm only if the realm is known
# from proxy.conf).
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}

realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}

realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}

checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}


# Reads the `users` file (quoted further down in the post).
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}


# Per-NAS, per-day accounting detail files, owner-readable only.
detail {

detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}

acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}

# Defines the sql1 / sql2 instances used in accounting and session (not shown in the post).
$INCLUDE ${confdir}/sql.conf

radutmp {

filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
# Not referenced by any section below.
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}

always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}

expr {
}

digest {
}

exec {
wait = yes
input_pairs = request
}

# Not referenced by any section below. It expands a request attribute into a command
# line, so it is better left unused than enabled casually.
exec echo {

wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}


# Not referenced by any section below.
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}

# Modules loaded at startup even though no request section calls them directly.
instantiate {
exec
expr
}

# Authorize: run in order for every request, including the TTLS inner request (the 1.x
# TTLS module re-runs the tunneled request through these same sections).
authorize {
preprocess
chap
mschap
# Splits user@realm; sets Realm only when the realm is known from proxy.conf.
suffix
# For an inner EAP-MD5 request this sets Auth-Type = EAP, which is why the MD5 variant
# gets further than PAP.
eap
# Reads the users file; its last entry sets Autz-Type := LDAP1 and Auth-Type := LDAP1
# when Realm == "ocesb.com.my".
files
# sql
# NOTE(review): the TTLS/PAP failure most likely originates here. The inner PAP request
# carries only User-Name + User-Password, and nothing in this list assigns it an
# Auth-Type: `pap` is not listed, and ldap_1x runs only if the users entry matched —
# but that entry forces Auth-Type := LDAP1, whose authenticate section is commented
# out. Either way the request ends without a usable Auth-Type and is rejected. Two
# ways out: restore `Auth-Type LDAP1 { ldap_1x }` in authenticate (LDAP bind with the
# tunneled password), or — in releases where pap has an authorize method — run the
# LDAP lookup unconditionally and list `pap` after it so the existing
# `Auth-Type PAP { pap }` section takes over. `radiusd -X` shows which case applies.
Autz-Type LDAP1 {
ldap_1x
}
}

# Authenticate: only the sub-section whose name equals the request's Auth-Type runs.
authenticate {

# Auth-Type = PAP: compares User-Password with the known-good password fetched in
# authorize (encryption_scheme = clear in the pap instance).
Auth-Type PAP {
pap
}


Auth-Type CHAP {
chap
}


Auth-Type MS-CHAP {
mschap
}
# A bare module name here is treated as that module's own Auth-Type sub-section.
unix

# NOTE(review): the users file still assigns Auth-Type := LDAP1 for Realm ==
# "ocesb.com.my", but the section that would handle it is commented out below, so
# every request matching that entry is rejected for lack of an authenticate method.
# Restoring `Auth-Type LDAP1 { ldap_1x }` makes ldap_1x bind to the directory with the
# tunneled User-Password — exactly what a TTLS/PAP inner request supplies. It cannot
# serve EAP-MD5, which needs Auth-Type = EAP plus a cleartext known-good password.
#Auth-Type LDAP {
# ldap
# }
# Auth-Type LDAP1 {
# ldap_1x
# }

# Auth-Type = EAP: the outer TTLS exchange and any inner EAP (MD5) method.
eap
}


# Pre-accounting: normalise the request and build the unique session key.
preacct {
preprocess
acct_unique
suffix
files
}

# Accounting sinks; sql1 / sql2 are defined in sql.conf (not shown in the post).
accounting {
detail
unix
radutmp
sql1
sql2
}
# Simultaneous-use checks (radutmp file and sql1 from sql.conf).
session {
radutmp
sql1
}
# Nothing runs after authentication.
post-auth {
}

# Nothing runs before a request is proxied.
pre-proxy {
}
# Lets the eap module see replies coming back from a proxied EAP conversation.
post-proxy {
eap
}



eap.conf

# eap.conf — EAP methods offered by the `eap` module; the outer method is TTLS.
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
# EAP-MD5 is the inner method the post says works; it needs a cleartext known-good
# password from authorize.
md5 {
}
leap {
}
gtc {
auth_type = PAP
}

# TLS settings shared by TTLS (and by EAP-TLS / PEAP if they were used).
tls {
# NOTE(review): "whatever", cert-srv.pem and demoCA/cacert.pem are the sample
# passphrase and certificates shipped with FreeRADIUS. Fine for a lab, but for the
# company deployment issue a server certificate from a CA the SecureW2 clients are
# configured to trust and set a private passphrase — the demo CA key is public, so
# any other server can present an identical certificate and the clients cannot tell
# the two apart.
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
# CRL and CN checks apply to client certificates; a TTLS client normally sends none.
# Since the EAP-MD5 variant works, the outer TLS exchange itself is evidently fine.
check_crl = yes

check_cert_cn = %{User-Name}
}

ttls {

# Inner EAP type used when the client tunnels EAP (the EAP-MD5 case). A TTLS/PAP
# client instead tunnels plain User-Name + User-Password; in 1.x that inner request
# is re-run through this server's own authorize/authenticate sections and must pick
# up an Auth-Type there (see the authorize section in radius.conf).
default_eap_type = md5
# Outer attributes are not copied into the inner request, and inner reply attributes
# are not copied back out (e.g. a VLAN assignment from LDAP would not reach the NAS).
copy_request_to_tunnel = no
use_tunneled_reply = no

}

mschapv2 {
}
}

users
# users — read by the `files` module in authorize, top to bottom. A matching entry stops
# processing unless it sets Fall-Through = Yes.
DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes

# The next three entries have no Fall-Through: a request matching one of them never
# reaches the realm entry at the bottom. An 802.1X request normally carries no
# Framed-Protocol / Hint, so they are probably skipped — confirm in `radiusd -X`.
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP

# NOTE(review): two conditions for this entry to do its job. Realm is only set when the
# `suffix` module found ocesb.com.my in proxy.conf, and Auth-Type := LDAP1 needs an
# `Auth-Type LDAP1 { ldap_1x }` section in authenticate — which is commented out in the
# posted radius.conf, so every request matching here is currently rejected. If pap is
# meant to do the comparison instead, keep only `Autz-Type := LDAP1` here and let
# pap/eap set Auth-Type.
DEFAULT Realm == "ocesb.com.my", Autz-Type := LDAP1, Auth-Type := LDAP1

user.ldif
# user.ldif — the test account as stored in the directory (real name and addresses as
# posted). Matches the ldap_1x instance: objectClass radiusprofile satisfies
# base_filter, uid is what the filter searches on, dialupAccess is the access_attr.
dn: uid=user, ou=People, dc=ocesb, dc=com, dc=my, dc=.
mailLocalAddress: user@ocesb.com.my
givenName: Tan Chee
accountStatus: active
radiusClass: 0x01
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: radiusprofile
objectClass: qmailUser
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
mailRoutingAddress: user@mail.ocesb.com.my
mailQuotaSize: 2000000000
shadowLastChange: 12745
# "::" marks a base64-encoded value in LDIF. For pap with encryption_scheme = clear and
# for EAP-MD5 the decoded value has to be the cleartext password; a hashed value such
# as "{SSHA}..." cannot be compared by either method as configured in the post.
userPassword:: xxxxxx
mailMessageStore: vmail/ocesb.com.my/user/Maildir/
uid: user
mail: user@ocesb.com.my
uidNumber: 5000
cn: Tan Chee Keong
# Required by access_attr = "dialupAccess" in ldap_1x; absent or FALSE means reject.
dialupAccess: Yes
loginShell: /bin/false
gidNumber: 5000
shadowMax: 99999
gecos: Tan Chee Keong
mailHost: mailpj.ocesb.com.my
homeDirectory: /home/vmail/ocesb.com.my/user
sn: Keong


http://coctec.com/docs/service/show-post-37791.html