Trouble authenticating wifi users through FreeRADIUS with Kerberos as the back-end authenticator

Question

Hi Stack Overflow folks,

So, here's the deal. We are running a WPA2 Enterprise setup, and our users authenticate through FreeRADIUS, which uses LDAP to check passwords stored as NTLM hashes.

We decided to make things a bit more interesting and set up a Kerberos server. The plan was to switch FreeRADIUS over to authenticating against Kerberos. But, surprise, we ran into trouble.

I have googled and tried plenty of solutions (adding realms, tweaking the proxy, etc.), but nothing seems to work. I have now set up a fresh FreeRADIUS and tuned it to the point where I would expect it to work. I've attached the output/config files for your perusal; if you don't see a specific file you'd expect, it means we are using the defaults. (I've also removed some default output/config lines so I could stay within the character limit and avoid the "this looks like spam" error on this question, so let me know if you need more information.)

My gut feeling is that FreeRADIUS is struggling to find the Kerberos Auth-Type to work its magic (according to the log file), even though I've put the relevant config in the site config files, with no luck.

Any ideas or tips for getting FreeRADIUS to play nicely with Kerberos? I'm all ears.

P.S. To show that FreeRADIUS is working, I also authenticated bob (the FreeRADIUS test user) in the tests; you can find that log below as well. However, even though the principal myuser exists on kdc1.mydomain.com, neither myuser@MYDOMAIN.COM nor myuser works.

mods-enabled/krb5

krb5 {
        keytab = /etc/krb5.keytab
        service_principal = radius/myhost.mydomain.com   
...
}

sites-enabled/default

server default {
...
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        Auth-Type Kerberos {
                krb5
        }
        eap
}
...
}

sites-enabled/inner-tunnel

server inner-tunnel {
...
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        Auth-Type Kerberos {
                krb5
        }
        eap
}
...
}

freeradius -X

FreeRADIUS Version 3.0.26
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
...
  # Loaded module rlm_krb5
  # Loading module "krb5" from file /etc/freeradius/3.0/mods-enabled/krb5
  krb5 {
        keytab = "/etc/krb5.keytab"
        service_principal = "radius/myhost.mydomain.com"
  }
...
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 # Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
Compiling Auth-Type Kerberos for attr Auth-Type
 # Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
 # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:339
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
server default { # from file /etc/freeradius/3.0/sites-enabled/default
 # Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
Compiling Auth-Type Kerberos for attr Auth-Type
 # Loading authorize {...}
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
listen {
        type = "auth"
        ipaddr = *
        port = 0
   limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
   }
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
   limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
   }
}
listen {
        type = "auth"
        ipv6addr = ::
        port = 0
   limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
   }
}
listen {
        type = "acct"
        ipv6addr = ::
        port = 0
   limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
   }
}

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 57046
Listening on proxy address :: port 48368
Ready to process requests
(0) Received Access-Request Id 162 from 127.0.0.1:48852 to 127.0.0.1:1812 length 73
(0)   User-Name = "bob"
(0)   User-Password = "hello"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 1812
(0)   Message-Authenticator = 0x7894a2aa45e6b0d3621da2cd35e5ff1d
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
...
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "bob", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry bob at line 207
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
...
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 162 with timestamp +10 due to cleanup_delay was reached
Ready to process requests
(1) Received Access-Request Id 137 from 127.0.0.1:59059 to 127.0.0.1:1812 length 91
(1)   User-Name = "myuser@MYDOMAIN.COM"
(1)   User-Password = "mypassword"
(1)   NAS-IP-Address = 127.0.1.1
(1)   NAS-Port = 1812
(1)   Message-Authenticator = 0x019a1ace5301cf741365042877d3b08b
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
...
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "MYDOMAIN.COM" for User-Name = "myuser@MYDOMAIN.COM"
(1) suffix: No such realm "MYDOMAIN.COM"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [files] = noop
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop
(1)   } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
...
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 137 from 127.0.0.1:1812 to 127.0.0.1:59059 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 137 with timestamp +18 due to cleanup_delay was reached
Ready to process requests
(2) Received Access-Request Id 199 from 127.0.0.1:51213 to 127.0.0.1:1812 length 76
(2)   User-Name = "myuser"
(2)   User-Password = "mypassword"
(2)   NAS-IP-Address = 127.0.1.1
(2)   NAS-Port = 1812
(2)   Message-Authenticator = 0x0535e0799d3002096b71b8e5476aefbc
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
...
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "myuser", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: No EAP-Message, not doing EAP
(2)     [eap] = noop
(2)     [files] = noop
(2)     [expiration] = noop
(2)     [logintime] = noop
(2) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(2) pap: WARNING: Authentication will fail unless a "known good" password is available
(2)     [pap] = noop
(2)   } # authorize = ok
(2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
...
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 199 from 127.0.0.1:1812 to 127.0.0.1:51213 length 20
Waking up in 3.9 seconds.
(2) Cleaning up request packet ID 199 with timestamp +34 due to cleanup_delay was reached
Ready to process requests

I expect myuser to authenticate with either of the following test commands (the same commands I used in the tests above):

radtest myuser@MYDOMAIN.COM mypassword localhost 1812 testing123

radtest myuser mypassword localhost 1812 testing123

1 Answer

So I finally found out how to fix this.

You don't need to change the sites-enabled/inner-tunnel file at all, so revert it to its initial state. You only need to edit the default site (sites-enabled/default) as follows:

authorize {
    ...
    if (&User-Password) {
        update control {
            &Auth-Type = Kerberos
        }
    }
    pap
    ...
}
authenticate {
    Auth-Type Kerberos {
        krb5
    }
    Auth-Type PAP {
        pap
    }
    ...
}

Disclaimer: this is not a secure or optimized configuration. I just want to show you what the configuration should look like so that the command

radtest myuser mypassword localhost 1812 testing123

can authenticate your Kerberos principal myuser against your Kerberos server. So feel free to adjust it to your needs.
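The fix above lives in the outer default server, which is what radtest hits on port 1812. A WPA2 Enterprise client never sends its password there: it arrives inside the EAP tunnel and is processed by the inner-tunnel server, so for wifi the same Auth-Type assignment has to be made in sites-enabled/inner-tunnel. It also only helps for tunnel methods that deliver a cleartext User-Password (EAP-TTLS with PAP inside): rlm_krb5 has to present the password to the KDC, so it cannot verify PEAP/EAP-MSCHAPv2 responses, and the keytab named in mods-enabled/krb5 is what the module uses to verify the credentials it gets back from the KDC. The following is an added example, not the poster's or the answerer's configuration; the realm MYDOMAIN.COM comes from the question, and the realm check, the guard against an already-set Auth-Type and the surrounding section contents are assumptions about a default 3.0 layout.

```unlang
# Added example, not from the original question or answer: sites-enabled/inner-tunnel
# for EAP-TTLS/PAP clients authenticating against Kerberos. Assumes the default
# 3.0 inner-tunnel layout and the realm MYDOMAIN.COM from the question.
server inner-tunnel {
    authorize {
        filter_username

        # Refuse names that claim a foreign realm before anything is sent to the KDC;
        # an unqualified name gets the default realm from krb5.conf.
        if (&User-Name =~ /@/ && &User-Name !~ /@MYDOMAIN\.COM$/i) {
            reject
        }

        # rlm_krb5 needs the cleartext password, so only route PAP requests to it
        # and do not override an Auth-Type that an earlier module already chose.
        # EAP-MSCHAPv2 (PEAP) never carries User-Password, so it falls through to
        # the normal mschap/eap handling and is not checked against the KDC.
        if (&User-Password && !&control:Auth-Type) {
            update control {
                &Auth-Type := Kerberos
            }
        }

        # pap stays after the assignment: it only sets Auth-Type = PAP when it finds
        # a "known good" password and no Auth-Type has been set yet.
        pap
    }

    authenticate {
        # The KDC exchange happens here; the keytab from mods-enabled/krb5 is used
        # to verify what the KDC returned, so a spoofed KDC cannot pass a user.
        Auth-Type Kerberos {
            krb5
        }
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

To exercise the inner-tunnel server on its own, the default config's localhost listener on port 18120 (visible in the debug output above) can be targeted directly, assuming the stock localhost client with secret testing123: radtest myuser mypassword 127.0.0.1:18120 0 testing123. A full EAP-TTLS/PAP run, as a wifi client would do it, is what eapol_test from wpa_supplicant is for; the `freeradius -X` output should then show the inner request reaching Auth-Type Kerberos rather than ending in "No Auth-Type found".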
