Test system: CentOS 7.0
Download the strongSwan source package and build it yourself; the strongswan package installed by yum install strongswan does not enable eap-radius by default.
yum install openssl-devel
tar -xf strongswan-5.5.1.tar.gz
./configure --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
--enable-certexpire --enable-radattr --enable-tools --disable-gmp --enable-kernel-libipsec
Configure /usr/local/etc/strongswan.d/charon/eap-radius.conf
In the servers section, add the following options:
servers {
    radius-for-vpn {
        secret = testing123
        address = radius.example.com
    }
}
In the strongSwan config /usr/local/etc/strongswan.d/charon/ipsec.conf, change rightauth to:
rightauth = eap-radius
With radtest already authenticating successfully through OpenLDAP, I dialed in with the Windows IKEv2 client and watched with radiusd -X. Using
radtest username password radius.example.com 4 testing123
radiusd receives the username and password sent by the client:
Received Access-Request Id 1 from 10.0.0.1:58710 to 10.0.0.1:1812 length 76
User-Name = 'user1'
User-Password = 'admin'
NAS-IP-Address = 10.0.0.1
NAS-Port = 4
Message-Authenticator = 0xa6f60b034a0b967b8270705c6be94524
(8) Received Access-Request packet from host 10.0.0.1 port 58710, id=1, length=76
(8) User-Name = 'user1'
(8) User-Password = 'admin'
(8) NAS-IP-Address = 10.0.0.1
(8) NAS-Port = 4
(8) Message-Authenticator = 0xa6f60b034a0b967b8270705c6be94524
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (!&User-Name)
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /)
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ )
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ )
(8) if (&User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\\.$/)
(8) if (&User-Name =~ /\\.$/) -> FALSE
(8) if (&User-Name =~ /@\\./)
(8) if (&User-Name =~ /@\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : No '@' in User-Name = "user1", looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) eap : No EAP-Message, not doing EAP
(8) [eap] = noop
(8) [files] = noop
rlm_ldap (ldap): Reserved connection (8)
(8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap : --> (uid=user1)
(8) ldap : EXPAND dc=cloudtropy,dc=com
(8) ldap : --> dc=cloudtropy,dc=com
(8) ldap : Performing search in 'dc=cloudtropy,dc=com' with filter '(uid=user1)', scope 'sub'
(8) ldap : Waiting for search result...
(8) ldap : User object found at DN "uid=user1,ou=DevOps,ou=Member,dc=cloudtropy,dc=com"
(8) ldap : Processing user attributes
(8) ldap : control:Password-With-Header += '{SSHA}DZH+C/YIGMMZq0e1eFOxjlWGzPs4RlVJ'
rlm_ldap (ldap): Released connection (8)
rlm_ldap (ldap): 0 of 4 connections in use. Need more spares
rlm_ldap (ldap): Opening additional connection (9)
rlm_ldap (ldap): Connecting to ldap.cloutropy.com.cn:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 180 seconds
rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 221 seconds
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 237 seconds
(8) [ldap] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = updated
(8) } # authorize = updated
(8) Found Auth-Type = PAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Auth-Type PAP {
(8) pap : Login attempt with password
(8) pap : Comparing with "known-good" SSHA-Password
(8) pap : Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes
(8) pap : User authenticated successfully
(8) [pap] = ok
(8) } # Auth-Type PAP = ok
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(8) post-auth {
(8) [exec] = noop
(8) remove_reply_message_if_eap remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message)
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else else {
(8) [noop] = noop
(8) } # else else = noop
(8) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(8) } # post-auth = noop
(8) Sending Access-Accept packet to host 10.0.0.1 port 58710, id=1, length=0
Sending Access-Accept Id 1 from 10.0.0.1:1812 to 10.0.0.1:58710
(8) Finished request
When authenticating with the Windows IKEv2 client, no username/password pair arrives: the request carries an EAP-Message (EAP-MSCHAPv2) instead, and the trace below shows it being rejected:
(7) Received Access-Request packet from host 10.0.0.1 port 38517, id=142, length=226
(7) User-Name = 'user1'
(7) NAS-Port-Type = Virtual
(7) Service-Type = Framed-User
(7) NAS-Port = 4
(7) NAS-Port-Id = 'ikev2-eap-mschapv2'
(7) NAS-IP-Address = 10.0.0.1
(7) Called-Station-Id = '10.0.0.1[4500]'
(7) Calling-Station-Id = '1.1.1.1[2193]'
(7) EAP-Message = 0x020100411a0201003c318c14d6d2bc07227b4e81356f5a6009cf0000000000000000c656f6467d35e4ae098c85aebc2d1b015103d1c4408e79cc0068756e746572
(7) NAS-Identifier = 'strongSwan'
(7) State = 0x874ed917874fc3a3903d900194a65936
(7) Message-Authenticator = 0x4276fade8578cf5c9634bfe0ef5b137d
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (!&User-Name)
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /)
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ )
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ )
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\\.$/)
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /@\\./)
(7) if (&User-Name =~ /@\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "user1", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) eap : Peer sent code Response (2) ID 1 length 65
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (7)
(7) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap : --> (uid=user1)
(7) ldap : EXPAND dc=example,dc=com
(7) ldap : --> dc=example,dc=com
(7) ldap : Performing search in 'dc=example,dc=com' with filter '(uid=user1)', scope 'sub'
(7) ldap : Waiting for search result...
(7) ldap : User object found at DN "uid=user1,ou=DevOps,ou=Member,dc=example,dc=com"
(7) ldap : Processing user attributes
(7) ldap : control:Password-With-Header += '{SSHA}DZH+C/YIGMMZq0e1eFOxjlWGzPs4RlVJ'
rlm_ldap (ldap): Released connection (7)
rlm_ldap (ldap): 0 of 4 connections in use. Need more spares
rlm_ldap (ldap): Opening additional connection (8)
rlm_ldap (ldap): Connecting to ldap.cloutropy.com.cn:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 62 seconds
(7) [ldap] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) WARNING: pap : Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0x874ed917874fc3a3
(7) eap : Finished EAP session with state 0x874ed917874fc3a3
(7) eap : Previous EAP request found for state 0x874ed917874fc3a3, released from the list
(7) eap : Peer sent method MSCHAPv2 (26)
(7) eap : EAP MSCHAPv2 (26)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/default
(7) eap_mschapv2 : Auth-Type MS-CHAP {
(7) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password
(7) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password
(7) mschap : Creating challenge hash with username: user1
(7) mschap : Client is using MS-CHAPv2
(7) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication
(7) ERROR: mschap : MS-CHAP2-Response is incorrect
(7) [mschap] = reject
(7) } # Auth-Type MS-CHAP = reject
(7) eap : Freeing handler
(7) [eap] = reject
(7) } # authenticate = reject
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Post-Auth-Type REJECT {
(7) attr_filter.access_reject : EXPAND %{User-Name}
(7) attr_filter.access_reject : --> user1
(7) attr_filter.access_reject : Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(7) [eap] = noop
(7) remove_reply_message_if_eap remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message)
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else else {
(7) [noop] = noop
(7) } # else else = noop
(7) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(7) } # Post-Auth-Type REJECT = updated
(7) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(7) Sending delayed response
(7) Sending Access-Reject packet to host 10.0.0.1 port 38517, id=142, length=0
(7) MS-CHAP-Error = '\001E=691 R=1'
(7) EAP-Message = 0x04010004
(7) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 142 from 10.0.0.1:1812 to 10.0.0.1:38517
MS-CHAP-Error = '\001E=691 R=1'
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(6) Cleaning up request packet ID 141 with timestamp +111
(7) Cleaning up request packet ID 142 with timestamp +111
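To make the difference between the two traces concrete, here is an added example (mine, not code from the original post, strongSwan or FreeRADIUS): it mimics what rlm_pap does with the {SSHA} value that rlm_ldap returns, and checks whether a stored credential format can feed EAP-MSCHAPv2 at all. The sample salt and password are constructed, and the set of usable headers is my assumption about rlm_pap's Password-With-Header normalisation.

```python
import base64
import hashlib
from typing import Optional

# Constructed sample values for this example; the salt and password are made up and
# are not the credential shown in the radiusd -X output above.
SAMPLE_SALT = b"\x5a\x17\xc3\x09"
SAMPLE_PASSWORD = "s3cret-demo"


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword: base64(sha1(password || salt) || salt).
    With a 4-byte salt this is 24 raw bytes, i.e. the 32 -> 24 bytes seen in the PAP trace."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def pap_verify_ssha(password_with_header: str, cleartext: str) -> bool:
    """What rlm_pap can do with an {SSHA} hash: it holds the cleartext from User-Password,
    so it re-hashes it with the stored salt and compares the SHA-1 digests."""
    header, _, value = password_with_header.partition("}")
    if header.lower() != "{ssha":
        raise ValueError("this example only verifies {SSHA} values")
    raw = base64.b64decode(value)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the remainder is the salt
    return hashlib.sha1(cleartext.encode("utf-8") + salt).digest() == digest


# Password-With-Header prefixes that give rlm_mschap what it needs: the cleartext (from which
# NT-Password is derived) or an NT hash directly. Assumed from rlm_pap's header normalisation;
# check it against the rlm_pap source of the FreeRADIUS version actually installed.
MSCHAP_USABLE_HEADERS = {"{clear}", "{cleartext}", "{nt}", "{nthash}"}


def mschapv2_can_use(password_with_header: str) -> bool:
    """EAP-MSCHAPv2 never carries the cleartext; the server must know the NT hash.
    A salted one-way hash such as {SSHA} cannot be turned into one, which is why the IKEv2
    request above ends in 'No NT/LM-Password. Cannot perform authentication'."""
    header = password_with_header.partition("}")[0].lower() + "}"
    return header in MSCHAP_USABLE_HEADERS


def explain(password_with_header: str, cleartext: Optional[str]) -> dict:
    """Summarise which of the two paths on this page can succeed for a stored credential."""
    pap_ok = (cleartext is not None
              and password_with_header.lower().startswith("{ssha}")
              and pap_verify_ssha(password_with_header, cleartext))
    return {"pap": pap_ok, "eap_mschapv2": mschapv2_can_use(password_with_header)}
```

For the LDAP entry in the trace, explain() reports PAP usable and EAP-MSCHAPv2 not, which matches the Access-Accept in the first trace and the Access-Reject in the second.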
To be continued...