我正在尝试使用FreeRADIUS 3来设置EAP-PWD。

但是，我无法使其工作，文档几乎不存在。 因此，我不知道我遇到的问题是错误configuration还是实际的错误。

组态

这是我的configuration（至less是相关的部分）：

MODS启用/ EAP：

• FreeRADIUS 3和通配符Certs
• 如何在另一台服务器上克隆和恢复FreeRadius设置？
• validationCisco ASA到Windows 2008域
• Radius服务器基准
• PPPoE和FreeRadius

eap { pwd { #group = 19 server_id = [email protected] # This has the same meaning as for TLS. fragment_size = 1020 # The virtual server which determines the "known good" password for the user. # Note that unlike TLS, only the "authorize" section is processed. # EAP-PWD requests can be distinguished by having a User-Name, but no User-Password, CHAP-Password, EAP-Message, etc. #virtual_server = "inner-tunnel" } 

我不知道group = 19是什么意思。 （这是解释无处）

网站启用/默认：

 authorize { filter_username preprocess # Look in an SQL database. sql #permit_only_eap eap { ok = return } logintime } authenticate { # Allow EAP authentication. eap } 

启用站点-/内隧道：

 authorize { eap { ok = return } # Look in an SQL database. sql expiration } authenticate { mschap # Allow EAP authentication. eap } 

老实说，我不明白是否/为什么EAP-PWD需要隧道请求。 我已经安装了，因为我也使用PEAPv0 / MS-CHAPv2。 我试了两个虚拟服务器（默认和内部隧道）

问题

那么，这个问题。 我在请求者身上发现身份validation错误。 这是我在日志中看到的：

 (2) eap: Peer sent method PWD (52) (2) eap: EAP PWD (52) (2) eap: Calling eap_pwd to process EAP data (2) eap_pwd: Sending tunneled request (2) eap_pwd: server default { (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (!&User-Name) { (2) if (!&User-Name) -> TRUE (2) if (!&User-Name) { (2) [noop] = noop (2) } # if (!&User-Name) = noop (2) if (&User-Name =~ / /) { (2) ERROR: Failed retrieving values required to evaluate condition (2) if (&User-Name =~ /@.*@/ ) { (2) ERROR: Failed retrieving values required to evaluate condition (2) if (&User-Name =~ /\.\./ ) { (2) ERROR: Failed retrieving values required to evaluate condition (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) ERROR: Failed retrieving values required to evaluate condition (2) if (&User-Name =~ /\.$/) { (2) ERROR: Failed retrieving values required to evaluate condition (2) if (&User-Name =~ /@\./) { (2) ERROR: Failed retrieving values required to evaluate condition (2) } # policy filter_username = noop (2) [preprocess] = ok (2) sql: EXPAND %{User-Name} (2) sql: --> (2) sql: SQL-User-Name set to '' rlm_sql (sql): Reserved connection (4) (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) sql: --> SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority (2) sql: User not found in any groups rlm_sql (sql): Released connection (4) (2) [sql] = notfound (2) eap: No EAP-Message, not doing EAP (2) [eap] = noop (2) [logintime] = noop (2) } # authorize = ok (2) eap_pwd: } # server default (2) eap_pwd: Got tunneled reply code 0 failed to find password for lars to do pwd authentication (2) eap: ERROR: Failed continuing EAP PWD (52) session. EAP sub-module failed (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Login incorrect (eap: Failed continuing EAP PWD (52) session. EAP sub-module failed): [lars] (from client LARS-RANNOCH port 4 cli 48-59-29-F6-BA-89) 

第一个授权部分（没有在上面的日志中显示）正常，但之后，EAP-PWD似乎做了另一个隧道请求。 （为什么？我认为这只是PEAP和EAP-TTLS必需的）。 在这种情况下，我已经在EAPconfiguration中注释了“虚拟服务器”行，所以请求由默认的虚拟服务器处理。

可以看出， User-Name属性是空的（ SQL-User-Name set to '' ），这导致sql模块无法获取正确的logging： failed to find password for lars to do pwd authentication 。

我的EAP-PWDconfiguration是否正确？ 什么原因导致这个错误