Всем привет! Помогите с вопросом, а то уже запутался...
Задача: Есть Wi-Fi сеть на Mikrotik с использованием CAPsMANv2. Необходимо сделать авторизацию к сети Wi-Fi через логин/пароль в LDAP.
Дано:
- Контроллер и точка доступа Mikrotik находятся на одном устройстве и все настроено корректно, вопросов не вызывает.
- FreeRADIUS 3.0.4 и OpenLDAP 2.4.39 размещены на одном сервере Centos 7.
- Для авторизации клиентов использую EAP-TTLS и EAP-PEAP (Windows 7).
- OpenLDAP хранит пароли пользователей в SHA-1
На данный момент EAP-TTLS и EAP-PEAP работают если пользователь вручную прописан в /etc/raddb/users. При связке с LDAP не работает. Вот отрывок вывода c radiusd -X:
(7) eap_ttls : Authenticate
(7) eap_ttls : processing EAP-TLS
(7) eap_ttls : eaptls_verify returned 7
(7) eap_ttls : Done initial handshake
(7) eap_ttls : eaptls_process returned 7
(7) eap_ttls : Session established. Proceeding to decode tunneled attributes
(7) eap_ttls : Got tunneled request
EAP-Message = 0x0202001604103540c5278845c25c90c52f3aeaecc073
(7) eap_ttls : Sending tunneled request
(7) server inner-tunnel {
(7) Request:
EAP-Message = 0x0202001604103540c5278845c25c90c52f3aeaecc073
User-Name = 'ya220591gso'
State = 0x4ed9fe974fdbfadc9a3e1b536f151b40
(7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) [mschap] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "ya220591gso", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) Proxy-To-Realm := 'LOCAL'
(7) } # update control = noop
(7) eap : Peer sent code Response (2) ID 2 length 22
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(7) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap : --> (uid=ya220591gso)
(7) ldap : EXPAND dc=company,dc=com
(7) ldap : --> dc=company,dc=com
(7) ldap : Performing search in 'dc=company,dc=com' with filter '(uid=ya220591gso)', scope 'sub'
(7) ldap : Waiting for search result...
(7) ldap : User object found at DN "uid=ya220591gso,ou=employees,ou=users,dc=company,dc=com"
(7) ldap : Processing user attributes
(7) ldap : control:Password-With-Header += '{SHA}lllC0FmgiiD2WsopWYf8evs3qYo='
rlm_ldap (ldap): Released connection (4)
(7) [ldap] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) WARNING: pap : Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap : Expiring EAP session with state 0x4ed9fe974fdbfadc
(7) eap : Finished EAP session with state 0x4ed9fe974fdbfadc
(7) eap : Previous EAP request found for state 0x4ed9fe974fdbfadc, released from the list
(7) eap : Peer sent method MD5 (4)
(7) eap : EAP MD5 (4)
(7) eap : Calling eap_md5 to process EAP data
(7) eap_md5 : Cleartext-Password is required for EAP-MD5 authentication
(7) ERROR: eap : Failed continuing EAP MD5 (4) session. EAP sub-module failed
(7) eap : Failed in EAP select
(7) [eap] = invalid
(7) } # authenticate = invalid
(7) Failed to authenticate the user
Судя с отрывка лога то ключевой момент кроется в шифровании пароля SHA-1 у LDAP и MD5 у RADIUS. Ткните пожалуйста носом где в RADIUS сменить с MD5 на SHA-1, или в каком направлении копать... Конфиги прилагаю:
/etc/raddb/mods-available/ldap:
ldap {
server = "127.0.0.1"
identity = "cn=admin,dc=company,dc=com"
password = adminLdaP2000
base_dn = "dc=company,dc=com"
update {
control:Password-With-Header += 'userPassword'
}
user {
base_dn = "dc=company,dc=com"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
group {
base_dn = "${..base_dn}"
filter = "(objectClass=posixGroup)"
}
profile {
}
client {
base_dn = "${..base_dn}"
filter = '(objectClass=frClient)'
attribute {
identifier = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
description := "Authenticated at %S"
}
}
options {
chase_referrals = yes
rebind = yes
timeout = 10
timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
ldap_debug = 0x0028
}
pool {
start = 5
min = 4
max = ${thread[pool].max_servers}
spare = 3
uses = 0
lifetime = 0
idle_timeout = 60
}
}
/etc/raddb/mods-available/eap:
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
# Supported EAP-types
md5 { ### Пытался комментировать или менять эту строку на sha/sha1 в итоге "ломается" конфиг.
}
tls-config tls-common {
private_key_password = stastodd-test
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
ca_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
check_crl = yes
ca_path = ${cadir}
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
ecdh_curve = "secp384r1"
cache {
enable = yes
lifetime = 24 # hours
max_entries = 255
name = "EAP-TTLS"
persist_dir = "${logdir}/tlscache"
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
ttls {
tls = tls-common
### default_eap_type = md5 ### Стандартная конфигурация
default_eap_type = sha ### Когда ставлю sha то никак не влияет на ошибку при [root@testldap stastodd]# radiusd -X
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
/etc/raddb/sites-available/default:
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
files
-sql
-ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
-sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}
pre-proxy {
}
post-proxy {
eap
}