EAP请求由MariaDB支持的FreeRADIUS 3服务器具有空密码

我有一个由MariaDB SQL数据库支持的CentOS 7上运行的FreeRADIUS版本3.0.13 (适用于主机x86_64-redhat-linux-gnu,构build于2017年8月23日15:18:22)。

我能够使用radtest从远程系统成功地对SQL数据库中的用户条目提出请求。 然而,涉及EAP隧道的请求总是被Access-Reject满足,审计日志logging了一个空密码,这似乎暗示密码不是从内部隧道中提取的。

这在radpostauth表的摘录中有所体现 ; loggingid = 22是由于对testing用户的最大请求而创build的,loggingid = 23是由于来自WPA2-Enterprise WAP的请求而创build的。

+----+----------------+--------+---------------+---------------------+ | id | username | pass | reply | authdate | +----+----------------+--------+---------------+---------------------+ | 22 | tu | | Access-Reject | 2017-08-28 20:23:47 | | 23 | tu | testp2 | Access-Accept | 2017-08-28 20:28:04 | +----+----------------+--------+---------------+---------------------+ 

FreeRADIUS Wiki SQL如何撰写有关类似的声音问题的作者:

EAP使用内部隧道validation机制。 我很好奇,为什么在完成EAP-TLS身份validation之后我没有看到使用我的密码的尝试,但本地的radclienttesting显示了正确的密码。 我在sites-enabled / inner-tunnel中取消了注释“sql”,这就是通过身份validation所需的全部内容。 显然,这可以进一步或更好的解释,但如果你卡住了这个尝试。 我会尽量在稍后的时间添加到这个注释中。

因此,我检查了/usr/local/share/examples/freeradius/raddb/sites-available/inner-tunnel文件,并且sql已经被取消注释:

 authorize { ⋮ # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in sql.conf -sql ⋮ } 

radeapclient输出如下(req.txt的内容在这里https://pastebin.com/47K8bEB6 ):

 $ radeapclient -x minos:1812 auth pass < req.txt Loading input data... Read 1 element(s) from input: stdin Loaded: 1 input element(s). Adding new socket: src: 0.0.0.0:0, dst: 192.168.2.110:1812 Added new socket: 5 (num sockets: 1) Transaction: 0, sending packet: 0 (id: 119)... Sent Access-Request Id 119 from 0.0.0.0:35260 to 192.168.2.110:1812 length 51 User-Name = "tu" EAP-MD5-Password = "testp2" EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = 0x7475 Message-Authenticator = 0x00 EAP-Message = 0x02d20007017475 Transaction: 0, received packet (id: 119). Received Access-Challenge Id 119 from 192.168.2.110:1812 to 0.0.0.0:35260 length 80 EAP-Message = 0x01d3001604101294d6e2b4fe419121a6edcb7052e2ad Message-Authenticator = 0x23a7113ecee2fd4474aacab496113a9c State = 0x1d5cfc5c1d8ff88ca60335e85073eb55 EAP-Id = 211 EAP-Code = Request EAP-Type-MD5-Challenge = 0x101294d6e2b4fe419121a6edcb7052e2ad Transaction: 0, sending packet: 1 (id: 11)... Sent Access-Request Id 11 from 0.0.0.0:35260 to 192.168.2.110:1812 length 84 User-Name = "tu" EAP-MD5-Password = "testp2" EAP-Code = Response EAP-Id = 211 Message-Authenticator = 0x00 EAP-Type-MD5-Challenge = 0x103aaa4cddecbc6a616a212050fd00970d State = 0x1d5cfc5c1d8ff88ca60335e85073eb55 EAP-Message = 0x02d3001604103aaa4cddecbc6a616a212050fd00970d Transaction: 0, received packet (id: 11). Received Access-Reject Id 11 from 192.168.2.110:1812 to 0.0.0.0:35260 length 44 EAP-Message = 0x04d30004 Message-Authenticator = 0x3c9f253e2931fcb92e1da0de658dfe16 EAP-Id = 211 EAP-Code = Failure EAP transaction finished, but reply is not an Access-Accept Main loop: done. 

此请求期间生成的服务器debugging输出可在此处获得: https : //pastebin.com/NXgARGnP