I need a little help understanding whether my wireless login using RADIUS+LDAP is secure enough.
I have this infrastructure: PC client (Linux) + ASUS AP Wireless + FreeRadius and OPENLDAP on the same machine in the cloud.
I configured everything, and now I can log in using LDAP credentials. The client uses WPA2 Enterprise with TTLS+PAP, because PAP is the only protocol available, since the passwords in LDAP are encrypted (ssha).
Is everything secure enough even though I use PAP?
This is the reply of radiusd -x after login:
rad_recv: Access-Request packet from host MYHOST port 34321, id=46, length=144
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100110163696363696f2e62656c6c6f
Message-Authenticator = 0x54067f60041b728d4922c41eb47701f9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for MYUSERNAME
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> MYUSERNAME
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=MYUSERNAME)
[ldap] expand: dc=MYCOMPANYNAME,dc=XX -> dc=MYCOMPANYNAME,dc=XX
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to localhost:389, authentication 0
[ldap] bind as / to localhost:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=MYCOMPANYNAME,dc=XX, with filter (uid=MYUSERNAME)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusPortLimit -> Port-Limit = 2
[ldap] radiusIdleTimeout -> Idle-Timeout = 10
[ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
[ldap] radiusFramedMTU -> Framed-MTU = 1500
[ldap] radiusFramedIPAddress -> Framed-IP-Address = 255.255.255.254
[ldap] radiusFramedProtocol -> Framed-Protocol = PPP
[ldap] radiusServiceType -> Service-Type = Framed-User
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 46 to MYHOST port 34321
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Port-Limit = 2
Idle-Timeout = 10
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1500
Framed-IP-Address = 255.255.255.254
Framed-Protocol = PPP
Service-Type = Framed-User
EAP-Message = 0x010200160410b148152ba08ab4607e84d55f739a3ef3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4961f26b4941b04a1bc4b208f20b4e7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=47, length=151
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060315
State = 0xb4961f26b4941b04a1bc4b208f20b4e7
Message-Authenticator = 0x9f0f65b2a2f87074e97b124376e7f431
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for MYUSERNAME
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> MYUSERNAME
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=MYUSERNAME)
[ldap] expand: dc=MYCOMPANYNAME,dc=XX -> dc=MYCOMPANYNAME,dc=XX
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=MYCOMPANYNAME,dc=XX, with filter (uid=MYUSERNAME)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusPortLimit -> Port-Limit = 2
[ldap] radiusIdleTimeout -> Idle-Timeout = 10
[ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
[ldap] radiusFramedMTU -> Framed-MTU = 1500
[ldap] radiusFramedIPAddress -> Framed-IP-Address = 255.255.255.254
[ldap] radiusFramedProtocol -> Framed-Protocol = PPP
[ldap] radiusServiceType -> Service-Type = Framed-User
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 47 to MYHOST port 34321
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Port-Limit = 2
Idle-Timeout = 10
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1500
Framed-IP-Address = 255.255.255.254
Framed-Protocol = PPP
Service-Type = Framed-User
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4961f26b5950a04a1bc4b208f20b4e7
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=48, length=454
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = ...
EAP-Message = 0x16000e000d000b000c0009000a000d0020001e060106020603050105020503040104020403030103020303020102020203000f000101
State = 0xb4961f26b5950a04a1bc4b208f20b4e7
Message-Authenticator = 0x9f5728a6902c6f16485f2eed80c4652c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 253
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0128], ClientHello
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 003e], ServerHello
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 030e], Certificate
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 48 to MYHOST port 34321
EAP-Message = ...
EAP-Message = 0x63656e7472616c2d312e636f6d707574652e696e7465726e616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100b6cfaf705b881279fe399ed9e708a2f0e361cd6d2586a1e7cad4b46629f5377efc81ef0d4e2a149d42bc523210a3ed52833a93caf7de7f06a624eb654bcb6b64453e390b56bc3af10e61620f21f51bf1d0cc218e5a49c10d59c611ee50f33928863d5434453c737a10a3d30f42a859414ba511d3ab2f2ce85f2ef390c30b48c702aa16cff36f3f058c14cdfca5c9fa12ec6d3c2be86e1178932320b4013e1b96a86bb9cc5848622f4b4989e1b5783c30d2e1dd295a2d57a94de3c5df10669a033db6
EAP-Message = ...
EAP-Message = ...
EAP-Message = 0x41c2388a034111e89a66df84
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4961f26b6920a04a1bc4b208f20b4e7
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=49, length=151
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061500
State = 0xb4961f26b6920a04a1bc4b208f20b4e7
Message-Authenticator = 0x5e54e734a23f7d5eccd994dd6b3b1c64
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 49 to MYHOST port 34321
EAP-Message = 0x010500c31580000004af95618a570ca1af462abbae65491a7eb4fb54855bc38d7d24ea3dfe0d6b2317db0291ab32cd3581def62f41f0818af0265db92e9373e6dedd2d9ac109c70c69abb65f98a9a2adc612f44f5dae42077752ca2da44d1d65edbe3eae84131e843b0cb0cf0f67a7cba37fd53b52ab087329c20bf41212f8bcf644e3b0f947c7efb6c48c3a47ee2e9b82e90d6ca712388d32a1ad2547b8d9c58f14ccbc9ea73ac1368389bd19f30524e3fc34ca63323234538e16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4961f26b7930a04a1bc4b208f20b4e7
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=50, length=285
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0205008c15001603010046100000424104ad07a8afc3f54a25ad1e2d16cb82d7fee22bbd5d29230586f6bd74c5b5f63ab583d2893d5d929ddbfbccd3d979ab1991aa327bdb1bbfde3b911474ec4e40ba1b1403010001011603010030e4ade37cae91ee44ea813a08bccd336330ea8f0e683e27671ebc192531fb39d497ad24e18a55aef6ac9196abdc07ba11
State = 0xb4961f26b7930a04a1bc4b208f20b4e7
Message-Authenticator = 0xcc67db6ecf8d276c1e1dcfe3b174ae5f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 50 to MYHOST port 34321
EAP-Message = 0x0106004515800000003b1403010001011603010030c80d41290431875efa6f9b95f93e9efe6caca8b619ff85be8774b5005d6d7d9407a83820d5f0491f4c0b6d6eba1571bc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb4961f26b0900a04a1bc4b208f20b4e7
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host MYHOST port 34321, id=51, length=273
User-Name = "MYUSERNAME"
NAS-IP-Address = 192.168.3.14
NAS-Identifier = "RalinkAP0"
NAS-Port = 0
Called-Station-Id = "10-BF-48-81-BC-F4"
Calling-Station-Id = "D8-0F-99-5F-62-A1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02060080150017030100201b68b351df52aa520d5cef2e67154f1634828faa63b4015ff1c95858612fd2da1703010050cc8afe5516e1093bc38f7c72ad9451ad667a8f87c79b1cb571d501733c12840822aa82249accb65441ebeeb2b7830406351dd0c1921e46682bb2c50cacdd4e2ac89519e4032fd9ee46c06f6c3ae87cc0
State = 0xb4961f26b0900a04a1bc4b208f20b4e7
Message-Authenticator = 0x01b3a063376dd33133836e9662c60a85
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 128
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "MYUSERNAME"
User-Password = "MYPASSWORD"
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "MYUSERNAME"
User-Password = "MYPASSWORD"
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "MYUSERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[ldap] performing user authorization for MYUSERNAME
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> MYUSERNAME
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=MYUSERNAME)
[ldap] expand: dc=MYCOMPANYNAME,dc=XX -> dc=MYCOMPANYNAME,dc=XX
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=MYCOMPANYNAME,dc=XX, with filter (uid=MYUSERNAME)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusPortLimit -> Port-Limit = 2
[ldap] radiusIdleTimeout -> Idle-Timeout = 10
[ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
[ldap] radiusFramedMTU -> Framed-MTU = 1500
[ldap] radiusFramedIPAddress -> Framed-IP-Address = 255.255.255.254
[ldap] radiusFramedProtocol -> Framed-Protocol = PPP
[ldap] radiusServiceType -> Service-Type = Framed-User
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group LDAP {
[ldap] login attempt by "MYUSERNAME" with password "MYPASSWORD"
[ldap] user DN: uid=MYUSERNAME,ou=people,dc=MYCOMPANYNAME,dc=XX
[ldap] (re)connect to localhost:389, authentication 1
[ldap] bind as uid=MYUSERNAME,ou=people,dc=MYCOMPANYNAME,dc=XX/MYPASSWORD to localhost:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user MYUSERNAME authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
Login OK: [MYUSERNAME] (from client Bologna port 0 via TLS tunnel)
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Port-Limit = 2
Idle-Timeout = 10
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1500
Framed-IP-Address = 255.255.255.254
Framed-Protocol = PPP
Service-Type = Framed-User
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [MYUSERNAME] (from client Bologna port 0 cli D8-0F-99-5F-62-A1)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 51 to MYHOST port 34321
MS-MPPE-Recv-Key = 0x28aa4458b67ba2c51a43a0b0d444edd7ca1857a316904ab88670ea72b10bb375
MS-MPPE-Send-Key = 0x476389374dc15fb4cc34d491493b43db273451ce228245ea384c04a5db15ff9b
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "MYUSERNAME"
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 46 with timestamp +165
Cleaning up request 1 ID 47 with timestamp +165
Cleaning up request 2 ID 48 with timestamp +165
Cleaning up request 3 ID 49 with timestamp +165
Cleaning up request 4 ID 50 with timestamp +165
Cleaning up request 5 ID 51 with timestamp +165
Ready to process requests.
Thank you very much for your help.
Best answer
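An added example, not code from the question or from FreeRADIUS/OpenLDAP, showing why the asker is limited to PAP inside the tunnel: OpenLDAP stores {SSHA} as base64(SHA-1(password || salt) || salt), so the server can only check a password it receives in cleartext, which is exactly what PAP carries inside the TTLS tunnel (the debug log above shows the decrypted User-Password in the inner-tunnel request). Challenge-response methods such as MS-CHAPv2 need the cleartext password or the NT hash on the server side and cannot be derived from a salted SHA-1. The stored values, salts and function names below are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value:
    "{SSHA}" + base64(SHA-1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a cleartext password against an {SSHA} value the way slapd
    (and FreeRADIUS's rlm_pap) do: recompute the salted hash and compare.
    The cleartext is required; a hash alone cannot be re-salted."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("malformed {SSHA} value: no salt present")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a wrong guess does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def feasible_inner_methods(stored: str) -> List[str]:
    """Which inner authentication methods the server can verify, given the
    scheme prefix of the stored password (as OpenLDAP/FreeRADIUS name them).
    Salted one-way schemes leave PAP as the only option: the server has to
    receive the cleartext to recompute the hash."""
    scheme = stored[1:stored.index("}")].upper() if stored.startswith("{") else "CLEAR"
    if scheme in ("CLEAR", "CLEARTEXT"):
        return ["PAP", "CHAP", "MSCHAPv2"]
    if scheme == "NT":
        return ["PAP", "MSCHAPv2"]  # the NT hash is enough for MS-CHAPv2 and for PAP
    return ["PAP"]  # {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, ...


if __name__ == "__main__":
    # Constructed directory entry with a fixed salt so the run is reproducible.
    stored = make_ssha("MYPASSWORD", salt=b"\x01\x02\x03\x04")
    print(stored)
    print("correct password:", verify_ssha("MYPASSWORD", stored))
    print("wrong password:  ", verify_ssha("wrong", stored))
    print("inner methods the server can check:", feasible_inner_methods(stored))
```

The consequence for the question is that PAP inside TTLS is the expected design for an SSHA directory, so the whole security of the login rests on the TLS tunnel terminating at the genuine RADIUS server; nothing about the inner method itself can compensate for a client that accepts any server certificate.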
EAP-TTLS is only secure if the client/supplicant is set to properly validate the certificate presented by the RADIUS server. Usually the only way to guarantee this is to pre-configure the wireless profile and supplicant settings on every device that connects to the network.
If you want secure authentication, use OpenLDAP's PKI module, generate a certificate for each user/device, and use EAP-TLS.
See this presentation on the behaviour of current supplicants.
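To make the answer's condition checkable, here is an added audit script (not code from the answer, from wpa_supplicant or from FreeRADIUS) that reads wpa_supplicant network blocks and flags EAP-TTLS/PEAP profiles that do not pin the RADIUS server's CA (ca_cert or ca_path) and its name (domain_match, domain_suffix_match, altsubject_match or subject_match). Those option names are real wpa_supplicant settings; the configuration text, SSIDs and file paths are constructed for the example, modelled on the Linux client in the question.

```python
import re
from typing import Dict, List

# Constructed wpa_supplicant.conf (WPA2 Enterprise, EAP-TTLS with PAP inside).
# The first profile trusts whatever certificate the RADIUS server presents;
# the second pins the CA and the server's name; the third is not EAP at all.
SAMPLE_CONF = """
network={
    ssid="office-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="MYUSERNAME"
    password="MYPASSWORD"
    phase2="auth=PAP"
}
network={
    ssid="office-wlan-pinned"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="MYUSERNAME"
    password="MYPASSWORD"
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    domain_match="radius.example.com"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="not-an-enterprise-network"
}
"""

TUNNELED_EAP = {"TTLS", "PEAP"}
NAME_CHECK_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

EXPLANATION = {
    "NO_CA_CERT": "no ca_cert/ca_path: the supplicant does not validate the RADIUS "
                  "server certificate, so any access point presenting any certificate "
                  "receives the inner PAP credentials",
    "NO_SERVER_NAME_CHECK": "no domain_match/domain_suffix_match/altsubject_match: any "
                            "certificate issued by the trusted CA is accepted as the server",
}


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Split a wpa_supplicant.conf into network blocks of key/value pairs."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)  # phase2="auth=PAP" keeps its inner '='
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Return finding codes for one network; only tunnelled EAP profiles are checked."""
    key_mgmt = net.get("key_mgmt", "").split()
    if not any(k.startswith("WPA-EAP") for k in key_mgmt):
        return []
    if net.get("eap", "").upper() not in TUNNELED_EAP:
        return []
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("NO_CA_CERT")
    if not any(k in net for k in NAME_CHECK_KEYS):
        findings.append("NO_SERVER_NAME_CHECK")
    return findings


def audit_conf(conf: str) -> Dict[str, List[str]]:
    """Map each SSID in the configuration to its finding codes."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, codes in audit_conf(SAMPLE_CONF).items():
        status = "OK" if not codes else "; ".join(EXPLANATION[c] for c in codes)
        print(f"{ssid}: {status}")
```

Run against a real /etc/wpa_supplicant/wpa_supplicant.conf the same parser applies; a profile that reports NO_CA_CERT is the case the answer warns about, because the TTLS tunnel that protects the PAP password can then be terminated by any RADIUS server, which is why the answer recommends pre-provisioned profiles or per-device EAP-TLS certificates instead.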