I urgently need to get freeradius + cisco 1130AG working together.
After fiddling with the configs and generating an SSL key for the TLS module,
I see the following:
rad_recv: Access-Request packet from host 192.168.24.5:1645, id=51, length=126
User-Name = "user"
Framed-MTU = 1400
Called-Station-Id = "001d.a174.d080"
Calling-Station-Id = "0015.af38.2141"
Service-Type = Login-User
Message-Authenticator = 0x1dfb2307baff026a198dc6d8da020702
EAP-Message = 0x020200090175736572
NAS-Port-Type = Wireless-802.11
NAS-Port = 395
NAS-Port-Id = "395"
NAS-IP-Address = 192.168.24.5
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_eap: EAP packet type response id 2 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
radius_xlat: 'user'
rlm_sql (sql): sql_set_user escaped user --> 'user'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'user' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.
Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'user' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.
Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 51 to 192.168.24.5 port 1645
Password = "pass"
EAP-Message = 0x010300160410bc38c0196b8f44defcf71bd90f35c440
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe681beb612f26d08849714a384e7adc1
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.24.5:1645, id=52, length=141
User-Name = "user"
Framed-MTU = 1400
Called-Station-Id = "001d.a174.d080"
Calling-Station-Id = "0015.af38.2141"
Service-Type = Login-User
Message-Authenticator = 0x3482a0904da9640810010bc7b01562e6
EAP-Message = 0x020300060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 395
NAS-Port-Id = "395"
State = 0xe681beb612f26d08849714a384e7adc1
NAS-IP-Address = 192.168.24.5
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
radius_xlat: 'user'
rlm_sql (sql): sql_set_user escaped user --> 'user'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'user' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.
Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'user' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.
Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 52 to 192.168.24.5 port 1645
Password = "pass"
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbe96aa6179623e846c8f3996d13ac6a8
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.24.5:1645, id=54, length=141
User-Name = "user"
Framed-MTU = 1400
Called-Station-Id = "001d.a174.d080"
Calling-Station-Id = "0015.af38.2141"
Service-Type = Login-User
Message-Authenticator = 0x3a4c230754bdfb53beab1a04e85ef865
EAP-Message = 0x020500061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 395
NAS-Port-Id = "395"
State = 0x63484b60a8d8e098a30fe4664d97ee74
NAS-IP-Address = 192.168.24.5
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
radius_xlat: 'user'
rlm_sql (sql): sql_set_user escaped user --> 'user'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'user' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.
Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'user' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.
Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 54 to 192.168.24.5 port 1645
Password = "pass"
EAP-Message = 0x010602f71900170d3036303132343133323630375a30819f310b3009060355040613024341311
1300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153
013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f737
4311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f
70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d01010
1050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d
69451725377895dfe52ccb99b41e8
EAP-Message = 0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2
a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a
123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a0
57021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c36
3da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f060355040813085
0726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7
267616e697a6174696f6e31123010
EAP-Message = 0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e7420636572746
96669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636
f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00
b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4b
c0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad2
8af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b
85bbc5485c516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3f7bc9050fd1d7c0e1b52be6695cdc51
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.24.5:1645, id=55, length=141
User-Name = "user"
Framed-MTU = 1400
Called-Station-Id = "001d.a174.d080"
Calling-Station-Id = "0015.af38.2141"
Service-Type = Login-User
Message-Authenticator = 0x7bbd05f19b9bfe69ee989d67c1fa8536
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 395
NAS-Port-Id = "395"
State = 0x3f7bc9050fd1d7c0e1b52be6695cdc51
NAS-IP-Address = 192.168.24.5
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
radius_xlat: 'user'
rlm_sql (sql): sql_set_user escaped user --> 'user'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'user' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.
Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'user' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.
Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 55 to 192.168.24.5 port 1645
Password = "pass"
EAP-Message = 0x010700061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9a2334c0c8ad4d54435d0fcf9d5b0dd8
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 51 with timestamp 47600bfb
Cleaning up request 1 ID 52 with timestamp 47600bfb
Cleaning up request 2 ID 53 with timestamp 47600bfb
Cleaning up request 3 ID 54 with timestamp 47600bfb
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 55 with timestamp 47600bfc
Nothing to do. Sleeping until we see a request.
I poked around some more here, and now I see this:
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 8
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'user'
rlm_sql (sql): sql_set_user escaped user --> 'user'
radius_xlat: 'INSERT into radpostauth (user, pass, reply, date) values ('user', 'Chap-Password', 'Access-Accept', NOW())'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (user, pass, reply, date) values ('user', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
modcall[post-auth]: module "sql" returns ok for request 8
modcall: leaving group post-auth (returns ok) for request 8
Sending Access-Accept of id 215 to 192.168.24.5 port 1645
Framed-IP-Address = 192.168.25.6
MS-MPPE-Recv-Key = 0x7506f5c122d9519a0f848c2e1dbddc042829ae5ea74e52c55a3188d5f22bbc31
MS-MPPE-Send-Key = 0x31f659bcdbefded6e9d6ea71d5300b61221ba7b3b7bb7f924d24e58d3cb6824b
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "user"
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 207 with timestamp 47610849
Cleaning up request 1 ID 208 with timestamp 47610849
Cleaning up request 2 ID 209 with timestamp 47610849
Cleaning up request 3 ID 210 with timestamp 47610849
Cleaning up request 4 ID 211 with timestamp 47610849
Cleaning up request 5 ID 212 with timestamp 47610849
Cleaning up request 6 ID 213 with timestamp 47610849
Cleaning up request 7 ID 214 with timestamp 47610849
Cleaning up request 8 ID 215 with timestamp 47610849
Nothing to do. Sleeping until we see a request.
So it turns out the machine gets an IP from radreply, and authorization also seems to go through fine, but the client doesn't connect %(((
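As an added example (not part of the original post), here is a small decoder for the EAP-Message attributes in a radiusd -X transcript like the one above; it makes the conversation readable as Identity "user", MD5-Challenge, Nak asking for PEAP, PEAP start, TLS ACK, Success. The sample transcript is a constructed excerpt that copies only the short EAP-Message values from the post; consecutive EAP-Message attributes are joined before decoding because RADIUS splits a large EAP packet (such as the certificate fragment above) across several of them.

```python
import re

# RFC 3748 codes and the EAP method types that appear in the transcript above.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP"}

# Constructed sample: a trimmed radiusd -X excerpt using the short EAP-Message
# values seen in the post (not a live capture).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.24.5:1645, id=51, length=126
EAP-Message = 0x020200090175736572
Sending Access-Challenge of id 51 to 192.168.24.5 port 1645
EAP-Message = 0x010300160410bc38c0196b8f44defcf71bd90f35c440
rad_recv: Access-Request packet from host 192.168.24.5:1645, id=52, length=141
EAP-Message = 0x020300060319
Sending Access-Challenge of id 52 to 192.168.24.5 port 1645
EAP-Message = 0x010400061920
rad_recv: Access-Request packet from host 192.168.24.5:1645, id=54, length=141
EAP-Message = 0x020500061900
Sending Access-Accept of id 215 to 192.168.24.5 port 1645
EAP-Message = 0x030a0004
"""

def decode_eap(raw: bytes) -> dict:
    """Decode the 4-byte EAP header plus the type-specific bytes that matter here."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    info = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident, "length": length}
    if code in (3, 4):                       # Success/Failure carry no type byte
        return info
    eap_type, data = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
    if eap_type == 1 and code == 2:          # Identity response: outer identity in clear
        info["identity"] = data.decode("ascii", "replace")
    elif eap_type == 3:                      # Nak: peer lists the method types it wants
        info["wants"] = [EAP_TYPES.get(t, f"type {t}") for t in data]
    elif eap_type in (13, 25):               # EAP-TLS/PEAP flags byte: L M S ... version
        flags = data[0]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    return info

def trace(log: str) -> list:
    """Join consecutive EAP-Message fragments of each RADIUS packet and decode them."""
    out, buf = [], ""
    for line in log.splitlines():
        m = re.match(r"\s*EAP-Message = 0x([0-9a-fA-F]+)\s*$", line)
        if m:
            buf += m.group(1)                # still inside the same RADIUS packet
            continue
        if buf:
            out.append(decode_eap(bytes.fromhex(buf)))
            buf = ""
    if buf:
        out.append(decode_eap(bytes.fromhex(buf)))
    return out
```

Running trace() over the real transcript shows where the exchange stops; an Access-Accept with an EAP Success and MS-MPPE keys, as in the last excerpt, means the RADIUS side finished, so the remaining failure is between the access point and the client.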