I am trying to set up EAP-TTLS/GTC authentication. In phase 1 the server offers EAP-TTLS and the client accepts it. The client is set to automatic for phase 2, and I expect the server to offer GTC for the phase 2 authentication, but that is not happening. Can anyone help me figure out what is missing from the conf file?
eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = Local
        }
        tls {
                certdir = ${confdir}/certs_freeradius2
                cadir = ${confdir}/certs_freeradius2
                private_key_password = radius
                private_key_file = /etc/freeradius/certs/server.key
                certificate_file = /etc/freeradius/certs/server.pem
                CA_file = /etc/freeradius/certs/ca.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                fragment_size = 1024
                include_length = yes
                cipher_list = "DEFAULT"
                make_cert_command = "${certdir}/bootstrap"
                cache {
                }
        }
        ttls {
                default_eap_type = gtc
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                proxy_tunneled_request_as_eap = yes
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}
Another thing I want to point out is that I do see gtc being started and processed in radius.log, but I don't think phase 2 is succeeding.
Wed Aug 5 16:22:48 2015 : Debug: Module: Linked to sub-module rlm_eap_gtc
Wed Aug 5 16:22:48 2015 : Debug: Module: Instantiating eap-gtc
Wed Aug 5 16:22:48 2015 : Debug: gtc {
Wed Aug 5 16:22:48 2015 : Debug: challenge = "Password: "
Wed Aug 5 16:22:48 2015 : Debug: auth_type = "Local"
Wed Aug 5 16:22:48 2015 : Debug: }
Wed Aug 5 16:22:48 2015 : Debug: Module: Linked to sub-module rlm_eap_tls
Wed Aug 5 16:22:48 2015 : Debug: Module: Instantiating eap-tls
Wed Aug 5 16:22:48 2015 : Debug: tls {
Wed Aug 5 16:22:48 2015 : Debug: rsa_key_exchange = no
Wed Aug 5 16:22:48 2015 : Debug: dh_key_exchange = yes
Wed Aug 5 16:22:48 2015 : Debug: rsa_key_length = 512
Wed Aug 5 16:22:48 2015 : Debug: dh_key_length = 512
Wed Aug 5 16:22:48 2015 : Debug: Module: Instantiating eap-ttls
Wed Aug 5 16:22:48 2015 : Debug: ttls {
Wed Aug 5 16:22:48 2015 : Debug: default_eap_type = "gtc"
Wed Aug 5 16:22:48 2015 : Debug: copy_request_to_tunnel = no
Wed Aug 5 16:22:48 2015 : Debug: use_tunneled_reply = no
Wed Aug 5 16:22:48 2015 : Debug: virtual_server = "inner-tunnel"
Wed Aug 5 16:22:48 2015 : Debug: include_length = yes
Wed Aug 5 16:22:48 2015 : Debug: }
Wed Aug 5 16:25:43 2015 : Info: [eap] EAP Identity
Wed Aug 5 16:25:43 2015 : Info: [eap] processing type gtc
Wed Aug 5 16:25:43 2015 : Info: ++[eap] returns handled
Wed Aug 5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Challenge
Wed Aug 5 16:25:43 2015 : Info: ++[eap] returns handled
Wed Aug 5 16:25:43 2015 : Info: Finished request 5.
Wed Aug 5 16:25:43 20
Wed Aug 5 16:25:43 2015 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP
Wed Aug 5 16:25:43 2015 : Info: ++[pap] returns noop
Wed Aug 5 16:25:43 2015 : Info: Found Auth-Type = EAP
Wed Aug 5 16:25:43 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 5 16:25:43 2015 : Info: +- entering group authenticate {...}
Wed Aug 5 16:25:43 2015 : Info: [eap] Request found, released from the list
Wed Aug 5 16:25:43 2015 : Info: [eap] EAP/gtc
Wed Aug 5 16:25:43 2015 : Info: [eap] processing type gtc
Wed Aug 5 16:25:43 2015 : Debug: rlm_eap_gtc: Everything is OK.
Wed Aug 5 16:25:43 2015 : Info: [eap] Freeing handler
Wed Aug 5 16:25:43 2015 : Info: ++[eap] returns ok
Wed Aug 5 16:25:43 2015 : Auth: Login OK: [CrOS] (from client 172.16.10.3 port 0 via TLS tunnel)
Wed Aug 5 16:25:43 2015 : Info: WARNING: Empty post-auth section. Using default return values.
Wed Aug 5 16:25:43 2015 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Accept
The debug log you posted shows that auth completed successfully:
[ttls] Got tunneled Access-Accept
indicates that Phase 2 finished successfully and the authentication response was positive.
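The answer above reads the phase 2 outcome off three log messages: the inner EAP type being processed, the "Login OK" / "Login incorrect" line, and the tunneled Access-Accept or Access-Reject. The following is an added example (not code from the thread or from FreeRADIUS) that applies the same reading to a log file, so the result of every inner authentication can be checked without scrolling through debug output. The log lines in SAMPLE_LOG are constructed to match the FreeRADIUS 2.x message format quoted in the question; the "Login incorrect" and "Access-Reject" lines are assumed sample failures, not taken from the poster's log.

```python
"""Summarize EAP-TTLS/PEAP inner (phase 2) authentication outcomes from a FreeRADIUS log."""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample, modelled on the radius.log lines quoted in the question.
# The second session (user "bob") is an assumed failure for illustration.
SAMPLE_LOG = """\
Wed Aug  5 16:25:43 2015 : Info: [eap] processing type gtc
Wed Aug  5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Challenge
Wed Aug  5 16:25:43 2015 : Debug: rlm_eap_gtc: Everything is OK.
Wed Aug  5 16:25:43 2015 : Auth: Login OK: [CrOS] (from client 172.16.10.3 port 0 via TLS tunnel)
Wed Aug  5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Accept
Wed Aug  5 16:26:10 2015 : Info: [eap] processing type gtc
Wed Aug  5 16:26:10 2015 : Auth: Login incorrect: [bob] (from client 172.16.10.3 port 0 via TLS tunnel)
Wed Aug  5 16:26:10 2015 : Info: [ttls] Got tunneled Access-Reject
"""

# The three messages the answer relies on.
RE_INNER_TYPE = re.compile(r"\[eap\] processing type (\w+)")
RE_LOGIN = re.compile(r"Auth: Login (OK|incorrect): \[([^\]]*)\]")
RE_TUNNELED = re.compile(r"\[(ttls|peap)\] Got tunneled (Access-(?:Accept|Reject|Challenge))")


def _new_session() -> Dict[str, object]:
    return {"inner_eap_type": None, "user": None, "challenges": 0,
            "outer_method": None, "result": None}


def summarize_tunneled_auth(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Walk log lines in order and emit one record per completed inner authentication.

    A record is closed by a tunneled Access-Accept or Access-Reject. Tunneled
    Access-Challenge messages (one per GTC password prompt) are counted but do
    not close the record, so a multi-round GTC exchange yields a single session.
    """
    sessions: List[Dict[str, object]] = []
    current = _new_session()
    for line in lines:
        m = RE_INNER_TYPE.search(line)
        if m:
            current["inner_eap_type"] = m.group(1)
            continue
        m = RE_LOGIN.search(line)
        if m:
            current["user"] = m.group(2)
            continue
        m = RE_TUNNELED.search(line)
        if m:
            outer, code = m.groups()
            if code == "Access-Challenge":
                current["challenges"] = int(current["challenges"]) + 1
                continue
            current["outer_method"] = outer
            current["result"] = code
            sessions.append(current)
            current = _new_session()
    return sessions


def phase2_accepted_with(lines: Iterable[str], expected_inner: str) -> Optional[bool]:
    """Answer the poster's question directly: did phase 2 run the expected inner
    EAP type and end in a tunneled Access-Accept?

    Returns None when no inner authentication completed at all, which is the
    case to look for when the client never gets a tunneled Access-Accept/Reject.
    """
    sessions = summarize_tunneled_auth(lines)
    if not sessions:
        return None
    return any(s["result"] == "Access-Accept" and s["inner_eap_type"] == expected_inner
               for s in sessions)


if __name__ == "__main__":
    for s in summarize_tunneled_auth(SAMPLE_LOG.splitlines()):
        print(f"{s['outer_method']}/{s['inner_eap_type']} user={s['user']} "
              f"challenges={s['challenges']} -> {s['result']}")
    print("GTC phase 2 accepted:", phase2_accepted_with(SAMPLE_LOG.splitlines(), "gtc"))
```

Run against a real radius.log (for example `summarize_tunneled_auth(open("/var/log/freeradius/radius.log"))`), the function lists each tunneled session with its inner type and outcome; if the list is empty while the outer TTLS handshake completes, the inner-tunnel virtual server never produced a reply, which is the symptom the poster was worried about.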