Windows clients won't connect to the network via FreeRADIUS and WPA2/Enterprise

0

I am currently having trouble connecting my Windows clients via FreeRADIUS. I have an Asus RT-AC68U running the Merlin firmware, and I am running FreeRADIUS out of Entware-ng. My non-Windows clients connect just fine, so my suspicion is on how the network connection is configured in Windows 8/10 or on how FreeRADIUS is configured.

I followed the "Setting up FreeRadius2 through Entware" guide here to install and configure FreeRADIUS on my router. My Windows configuration is here: Any help would be much appreciated. The Super User question I found most related to my query is "Windows cannot connect to WPA2 Enterprise Wi-Fi access point with EAP-TTLS PAP authentication using FreeRADIUS", but unfortunately it does not solve my specific problem.

The debug output from the freeradius server is also as follows:

    admin@MERLIN:/tmp/mnt/sda2/entware-ng.arm/etc/freeradius2/sites# radiusd -XX
Sun Jan 22 06:40:57 2017 : Info: radiusd: FreeRADIUS Version 2.2.9, for host arm-openwrt-linux-gnu, built on Dec 26 2016 at 19:02:57
Sun Jan 22 06:40:57 2017 : Debug: Server was built with: 
Sun Jan 22 06:40:57 2017 : Debug:   accounting
Sun Jan 22 06:40:57 2017 : Debug:   authentication
Sun Jan 22 06:40:57 2017 : Debug:  WITH_DHCP
Sun Jan 22 06:40:57 2017 : Debug:  WITH_VMPS
Sun Jan 22 06:40:57 2017 : Debug: Server core libs:
Sun Jan 22 06:40:57 2017 : Debug:   ssl: OpenSSL 1.0.2j  26 Sep 2016
Sun Jan 22 06:40:57 2017 : Info: Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
Sun Jan 22 06:40:57 2017 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Sun Jan 22 06:40:57 2017 : Info: PARTICULAR PURPOSE.
Sun Jan 22 06:40:57 2017 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Sun Jan 22 06:40:57 2017 : Info: GNU General Public License.
Sun Jan 22 06:40:57 2017 : Info: For more information about these matters, see the file named COPYRIGHT.
Sun Jan 22 06:40:57 2017 : Info: Starting - reading configuration files ...
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/radiusd.conf
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/clients.conf
Sun Jan 22 06:40:57 2017 : Debug: including files in directory /opt/etc/freeradius2/modules/
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/ldap
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/pap
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/mschap
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/files
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/eap.conf
Sun Jan 22 06:40:57 2017 : Debug: including files in directory /opt/etc/freeradius2/sites/
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/sites/default
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/sites/inner-tunnel
Sun Jan 22 06:40:57 2017 : Debug: main {
Sun Jan 22 06:40:57 2017 : Debug:   allow_core_dumps = no
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: including dictionary file /opt/etc/freeradius2/dictionary
Sun Jan 22 06:40:57 2017 : Debug: main {
Sun Jan 22 06:40:57 2017 : Debug:   name = "radiusd"
Sun Jan 22 06:40:57 2017 : Debug:   prefix = "/opt"
Sun Jan 22 06:40:57 2017 : Debug:   localstatedir = "/opt/var"
Sun Jan 22 06:40:57 2017 : Debug:   sbindir = "/opt/sbin"
Sun Jan 22 06:40:57 2017 : Debug:   logdir = "/opt/var/log"
Sun Jan 22 06:40:57 2017 : Debug:   run_dir = "/opt/var/run/radius"
Sun Jan 22 06:40:57 2017 : Debug:   libdir = "/opt/lib/freeradius2"
Sun Jan 22 06:40:57 2017 : Debug:   radacctdir = "/opt/var/db/radacct"
Sun Jan 22 06:40:57 2017 : Debug:   hostname_lookups = no
Sun Jan 22 06:40:57 2017 : Debug:   max_request_time = 15
Sun Jan 22 06:40:57 2017 : Debug:   cleanup_delay = 7
Sun Jan 22 06:40:57 2017 : Debug:   max_requests = 512
Sun Jan 22 06:40:57 2017 : Debug:   pidfile = "/opt/var/run/radius/radiusd.pid"
Sun Jan 22 06:40:57 2017 : Debug:   checkrad = "/opt/sbin/checkrad"
Sun Jan 22 06:40:57 2017 : Debug:   debug_level = 0
Sun Jan 22 06:40:57 2017 : Debug:   proxy_requests = no
Sun Jan 22 06:40:57 2017 : Debug:  log {
Sun Jan 22 06:40:57 2017 : Debug:   stripped_names = no
Sun Jan 22 06:40:57 2017 : Debug:   auth = no
Sun Jan 22 06:40:57 2017 : Debug:   auth_badpass = no
Sun Jan 22 06:40:57 2017 : Debug:   auth_goodpass = no
Sun Jan 22 06:40:57 2017 : Debug:  }
Sun Jan 22 06:40:57 2017 : Debug:  security {
Sun Jan 22 06:40:57 2017 : Debug:   max_attributes = 200
Sun Jan 22 06:40:57 2017 : Debug:   reject_delay = 5
Sun Jan 22 06:40:57 2017 : Debug:   status_server = no
Sun Jan 22 06:40:57 2017 : Debug:  }
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Realms and Home Servers ####
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Clients ####
Sun Jan 22 06:40:57 2017 : Debug:  client 192.168.1.0/28 {
Sun Jan 22 06:40:57 2017 : Debug:   ipaddr = 192.168.1.1
Sun Jan 22 06:40:57 2017 : Debug:   require_message_authenticator = yes
Sun Jan 22 06:40:57 2017 : Debug:   secret = "secretsecretsecret"
Sun Jan 22 06:40:57 2017 : Debug:   nastype = "other"
Sun Jan 22 06:40:57 2017 : Debug:  }
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Instantiating modules ####
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Virtual Servers ####
Sun Jan 22 06:40:57 2017 : Debug: server { # from file /opt/etc/freeradius2/radiusd.conf
Sun Jan 22 06:40:57 2017 : Debug:  modules {
Sun Jan 22 06:40:57 2017 : Debug:  Module: Checking authenticate {...} for more modules to load
Sun Jan 22 06:40:57 2017 : Debug:     (Loaded rlm_mschap, checking if it's valid)
Sun Jan 22 06:40:57 2017 : Debug:  Module: Linked to module rlm_mschap
Sun Jan 22 06:40:57 2017 : Debug:  Module: Instantiating module "mschap" from file /opt/etc/freeradius2/modules/mschap
Sun Jan 22 06:40:57 2017 : Debug:   mschap {
Sun Jan 22 06:40:57 2017 : Debug:       use_mppe = yes
Sun Jan 22 06:40:57 2017 : Debug:       require_encryption = no
Sun Jan 22 06:40:57 2017 : Debug:       require_strong = no
Sun Jan 22 06:40:57 2017 : Debug:       with_ntdomain_hack = no
Sun Jan 22 06:40:57 2017 : Debug:       allow_retry = yes
Sun Jan 22 06:40:57 2017 : Debug:   }
Sun Jan 22 06:40:57 2017 : Debug:     (Loaded rlm_eap, checking if it's valid)
Sun Jan 22 06:40:57 2017 : Debug:  Module: Linked to module rlm_eap
Sun Jan 22 06:40:57 2017 : Debug:  Module: Instantiating module "eap" from file /opt/etc/freeradius2/eap.conf
Sun Jan 22 06:40:57 2017 : Debug:   eap {
Sun Jan 22 06:40:57 2017 : Debug:       default_eap_type = "ttls"
Sun Jan 22 06:40:57 2017 : Debug:       timer_expire = 60
Sun Jan 22 06:40:57 2017 : Debug:       ignore_unknown_eap_types = no
Sun Jan 22 06:40:57 2017 : Debug:       cisco_accounting_username_bug = no
Sun Jan 22 06:40:57 2017 : Debug:       max_sessions = 4096
Sun Jan 22 06:40:57 2017 : Debug:   }
Sun Jan 22 06:40:57 2017 : Debug:  Module: Linked to sub-module rlm_eap_tls
Sun Jan 22 06:40:57 2017 : Debug:  Module: Instantiating eap-tls
Sun Jan 22 06:40:57 2017 : Debug:    tls {
Sun Jan 22 06:40:57 2017 : Debug:       rsa_key_exchange = no
Sun Jan 22 06:40:57 2017 : Debug:       dh_key_exchange = yes
Sun Jan 22 06:40:57 2017 : Debug:       rsa_key_length = 512
Sun Jan 22 06:40:57 2017 : Debug:       dh_key_length = 512
Sun Jan 22 06:40:57 2017 : Debug:       verify_depth = 0
Sun Jan 22 06:40:57 2017 : Debug:       pem_file_type = yes
Sun Jan 22 06:40:57 2017 : Debug:       private_key_file = "/opt/etc/freeradius2/certs/ec-server_key.pem"
Sun Jan 22 06:40:57 2017 : Debug:       certificate_file = "/opt/etc/freeradius2/certs/ec-server_cert.pem"
Sun Jan 22 06:40:57 2017 : Debug:       private_key_password = "password"
Sun Jan 22 06:40:57 2017 : Debug:       dh_file = "/opt/etc/freeradius2/certs/dh"
Sun Jan 22 06:40:57 2017 : Debug:       random_file = "/dev/urandom"
Sun Jan 22 06:40:57 2017 : Debug:       fragment_size = 1024
Sun Jan 22 06:40:57 2017 : Debug:       include_length = yes
Sun Jan 22 06:40:57 2017 : Debug:       check_crl = no
Sun Jan 22 06:40:57 2017 : Debug:       check_all_crl = no
Sun Jan 22 06:40:57 2017 : Debug:       cipher_list = "TLSv1:ECDHE-ECDSA-AES256-SHA"
Sun Jan 22 06:40:57 2017 : Debug:       check_cert_issuer = "/C=US/ST=NY/L=New York/O=Merlin/OU=IT/CN=admin/[email protected]"
Sun Jan 22 06:40:57 2017 : Debug:       ecdh_curve = "secp521r1"
Sun Jan 22 06:40:57 2017 : Debug:    }
Sun Jan 22 06:40:59 2017 : Debug:  Module: Linked to sub-module rlm_eap_ttls
Sun Jan 22 06:40:59 2017 : Debug:  Module: Instantiating eap-ttls
Sun Jan 22 06:40:59 2017 : Debug:    ttls {
Sun Jan 22 06:40:59 2017 : Debug:       default_eap_type = "md5"
Sun Jan 22 06:40:59 2017 : Debug:       copy_request_to_tunnel = no
Sun Jan 22 06:40:59 2017 : Debug:       use_tunneled_reply = yes
Sun Jan 22 06:40:59 2017 : Debug:       virtual_server = "inner-tunnel"
Sun Jan 22 06:40:59 2017 : Debug:       include_length = yes
Sun Jan 22 06:40:59 2017 : Debug:    }
Sun Jan 22 06:40:59 2017 : Debug:  Module: Checking authorize {...} for more modules to load
Sun Jan 22 06:40:59 2017 : Debug:  } # modules
Sun Jan 22 06:40:59 2017 : Debug: } # server
Sun Jan 22 06:40:59 2017 : Debug: server inner-tunnel { # from file /opt/etc/freeradius2/sites/inner-tunnel
Sun Jan 22 06:40:59 2017 : Debug:  modules {
Sun Jan 22 06:40:59 2017 : Debug:  Module: Checking authenticate {...} for more modules to load
Sun Jan 22 06:40:59 2017 : Debug:     (Loaded rlm_pap, checking if it's valid)
Sun Jan 22 06:40:59 2017 : Debug:  Module: Linked to module rlm_pap
Sun Jan 22 06:40:59 2017 : Debug:  Module: Instantiating module "pap" from file /opt/etc/freeradius2/modules/pap
Sun Jan 22 06:40:59 2017 : Debug:   pap {
Sun Jan 22 06:40:59 2017 : Debug:       encryption_scheme = "auto"
Sun Jan 22 06:40:59 2017 : Debug:       auto_header = yes
Sun Jan 22 06:40:59 2017 : Debug:   }
Sun Jan 22 06:40:59 2017 : Debug:  Module: Checking authorize {...} for more modules to load
Sun Jan 22 06:40:59 2017 : Debug:     (Loaded rlm_files, checking if it's valid)
Sun Jan 22 06:40:59 2017 : Debug:  Module: Linked to module rlm_files
Sun Jan 22 06:40:59 2017 : Debug:  Module: Instantiating module "files" from file /opt/etc/freeradius2/modules/files
Sun Jan 22 06:40:59 2017 : Debug:   files {
Sun Jan 22 06:40:59 2017 : Debug:       usersfile = "/opt/etc/freeradius2/users"
Sun Jan 22 06:40:59 2017 : Debug:       compat = "no"
Sun Jan 22 06:40:59 2017 : Debug:   }
Sun Jan 22 06:40:59 2017 : Debug: reading pairlist file /opt/etc/freeradius2/users
Sun Jan 22 06:40:59 2017 : Debug:  } # modules
Sun Jan 22 06:40:59 2017 : Debug: } # server
Sun Jan 22 06:40:59 2017 : Debug: radiusd: #### Opening IP addresses and Ports ####
Sun Jan 22 06:40:59 2017 : Debug: listen {
Sun Jan 22 06:40:59 2017 : Debug:   type = "auth"
Sun Jan 22 06:40:59 2017 : Debug:   ipaddr = 192.168.1.1
Sun Jan 22 06:40:59 2017 : Debug:   port = 1111
Sun Jan 22 06:40:59 2017 : Debug: }
Sun Jan 22 06:40:59 2017 : Debug: listen {
Sun Jan 22 06:40:59 2017 : Debug:       type = "auth"
Sun Jan 22 06:40:59 2017 : Debug:       ipaddr = 192.168.1.1
Sun Jan 22 06:40:59 2017 : Debug:       port = 11111
Sun Jan 22 06:40:59 2017 : Debug: }
Sun Jan 22 06:40:59 2017 : Debug: Listening on authentication address 192.168.1.1 port 1111
Sun Jan 22 06:40:59 2017 : Debug: Listening on authentication address 192.168.1.1 port 11111 as server inner-tunnel
Sun Jan 22 06:40:59 2017 : Info: Ready to process requests.

Sun Jan 22 06:39:05 2017 : Info: ++[eap] = handled
Sun Jan 22 06:39:05 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 37394
    EAP-Message = 0x010300061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd3ae25a1d3ad30d9fc8f19efc6ae34d4
Sun Jan 22 06:39:05 2017 : Info: Finished request 0.
Sun Jan 22 06:39:05 2017 : Debug: Going to the next request
Sun Jan 22 06:39:05 2017 : Debug: Waking up in 6.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 37394, id=0, length=296
Sun Jan 22 06:39:05 2017 : Info: Cleaning up request 0 ID 0 with timestamp +33
    User-Name = "anonymous"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "382c4a9c3c98"
    Calling-Station-Id = "7c7a91882d77"
    NAS-Identifier = "382c4a9c3c98"
    NAS-Port = 82
    Framed-MTU = 1400
    State = 0xd3ae25a1d3ad30d9fc8f19efc6ae34d4
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000
    Message-Authenticator = 0x1e96a1dba89221e13e437285a0ddb5a3
Sun Jan 22 06:39:05 2017 : Info: # Executing section authorize from file /opt/etc/freeradius2/sites/default
Sun Jan 22 06:39:05 2017 : Info: +group authorize {
Sun Jan 22 06:39:05 2017 : Info: ++[mschap] = noop
Sun Jan 22 06:39:05 2017 : Info: [eap] EAP packet type response id 3 length 161
Sun Jan 22 06:39:05 2017 : Info: [eap] Continuing tunnel setup.
Sun Jan 22 06:39:05 2017 : Info: ++[eap] = ok
Sun Jan 22 06:39:05 2017 : Info: +} # group authorize = ok
Sun Jan 22 06:39:05 2017 : Info: Found Auth-Type = EAP
Sun Jan 22 06:39:05 2017 : Info: # Executing group from file /opt/etc/freeradius2/sites/default
Sun Jan 22 06:39:05 2017 : Info: +group authenticate {
Sun Jan 22 06:39:05 2017 : Info: [eap] Request found, released from the list
Sun Jan 22 06:39:05 2017 : Info: [eap] EAP/ttls
Sun Jan 22 06:39:05 2017 : Info: [eap] processing type ttls
Sun Jan 22 06:39:05 2017 : Info: [ttls] Authenticate
Sun Jan 22 06:39:05 2017 : Info: [ttls] processing EAP-TLS
Sun Jan 22 06:39:05 2017 : Debug:   TLS Length 151
Sun Jan 22 06:39:05 2017 : Info: [ttls] Length Included
Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_verify returned 11 
Sun Jan 22 06:39:05 2017 : Info: [ttls]     (other): before/accept initialization
Sun Jan 22 06:39:05 2017 : Info: [ttls]     TLS_accept: before/accept initialization
Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0005]  
Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0092]  
Sun Jan 22 06:39:05 2017 : Info: [ttls] >>> Unknown TLS version [length 0005]  
Sun Jan 22 06:39:05 2017 : Info: [ttls] >>> Unknown TLS version [length 0002]  
Sun Jan 22 06:39:05 2017 : Error: TLS Alert write:fatal:handshake failure
Sun Jan 22 06:39:05 2017 : Error:     TLS_accept: error in error
Sun Jan 22 06:39:05 2017 : Error:     TLS_accept: error in error
Sun Jan 22 06:39:05 2017 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
Sun Jan 22 06:39:05 2017 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Sun Jan 22 06:39:05 2017 : Debug: TLS receive handshake failed during operation
Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_process returned 4 
Sun Jan 22 06:39:05 2017 : Info: [eap] Handler failed in EAP/ttls
Sun Jan 22 06:39:05 2017 : Info: [eap] Failed in EAP select
Sun Jan 22 06:39:05 2017 : Info: ++[eap] = invalid
Sun Jan 22 06:39:05 2017 : Info: +} # group authenticate = invalid
Sun Jan 22 06:39:05 2017 : Info: Failed to authenticate the user.
Sun Jan 22 06:39:05 2017 : Info: Using Post-Auth-Type Reject
Sun Jan 22 06:39:05 2017 : Info:   WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sun Jan 22 06:39:05 2017 : Info: Delaying reject of request 1 for 5 seconds
Sun Jan 22 06:39:05 2017 : Debug: Going to the next request
Sun Jan 22 06:39:05 2017 : Debug: Waking up in 0.9 seconds.
Sun Jan 22 06:39:06 2017 : Debug: Waking up in 3.9 seconds.
^C
    
by Quilty Kim 14.01.2017 / 05:07

1 answer

0

The problem is your TLS cipher list; extend it to allow more ciphers.

    
by 22.01.2017 / 08:26
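As an added example, not part of the question or the answer, a small Python triage helper that unpacks the OpenSSL error code quoted in the debug output (0x1408A0C1, reason 193 = "no shared cipher", which is what the answer points at) and pulls out the configured cipher_list and the TLS alert from the same log. The sample log lines are a constructed excerpt of the radiusd -XX output above; the reason-code table is from OpenSSL 1.0.x ssl.h.

```python
import re

# Constructed excerpt of the radiusd -XX output quoted in the question,
# embedded so the script runs offline.
SAMPLE_LOG = """\
Sun Jan 22 06:40:57 2017 : Debug:       cipher_list = "TLSv1:ECDHE-ECDSA-AES256-SHA"
Sun Jan 22 06:39:05 2017 : Error: TLS Alert write:fatal:handshake failure
Sun Jan 22 06:39:05 2017 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
"""

# SSL-library reason codes from OpenSSL 1.0.x ssl.h; peer alerts are 1000 + alert number.
SSL_REASONS = {
    193: "no shared cipher",
    1040: "sslv3 alert handshake failure",
    1042: "sslv3 alert bad certificate",
    1048: "tlsv1 alert unknown ca",
}
ERR_LIB_SSL = 20  # OpenSSL library number of the SSL routines


def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.0.x packed error: 8-bit lib | 12-bit func | 12-bit reason."""
    value = int(code_hex, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF


def triage(log_text):
    """Extract cipher_list, the TLS alert and the SSL error from a FreeRADIUS debug log."""
    report = {"cipher_list": None, "alert": None, "error": None, "reason": None}
    m = re.search(r'cipher_list = "([^"]*)"', log_text)
    if m:
        report["cipher_list"] = m.group(1).split(":")
    m = re.search(r"TLS Alert (read|write):(\w+):([\w ]+)", log_text)
    if m:
        report["alert"] = (m.group(1), m.group(2), m.group(3).strip())
    m = re.search(r"SSL error error:([0-9A-Fa-f]{8})", log_text)
    if m:
        lib, func, reason = decode_openssl_error(m.group(1))
        report["error"] = (lib, func, reason)
        if lib == ERR_LIB_SSL:
            report["reason"] = SSL_REASONS.get(reason, "unknown reason %d" % reason)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-12s %s" % (key, value))
```

A "no shared cipher" reason with a one-suite cipher_list means the server could not accept any suite the client offered, so the handshake fails before any credential is exchanged.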