![Windows clients fail to connect to the network via FreeRADIUS and WPA2/Enterprise](https://rvso.com/image/1518616/Windows-Clients%20stellen%20keine%20Verbindung%20zum%20Netzwerk%20%C3%BCber%20FreeRADIUS%20und%20WPA2%2FEnterprise%20her.png)
I am currently having trouble connecting my Windows clients via FreeRADIUS. I have an Asus RT-AC68U with Merlin firmware and run FreeRADIUS via Entware-ng. My non-Windows clients connect without problems, so I suspect either the way the network connection is set up in Windows 8/10 or the way FreeRADIUS is configured.
I followed the guide "Setting up FreeRadius2 via Entware" here to install and configure FreeRADIUS on my router. My Windows configuration is here:
Any help would be greatly appreciated. The Super User question I found most closely related to my query is "Windows cannot connect to Enterprise WPA2 Wi-Fi access point with EAP-TTLS PAP authentication via FreeRADIUS", but unfortunately it does not solve my specific problem.
The debug output for the FreeRADIUS server is also as follows:
admin@MERLIN:/tmp/mnt/sda2/entware-ng.arm/etc/freeradius2/sites# radiusd -XX
Sun Jan 22 06:40:57 2017 : Info: radiusd: FreeRADIUS Version 2.2.9, for host arm-openwrt-linux-gnu, built on Dec 26 2016 at 19:02:57
Sun Jan 22 06:40:57 2017 : Debug: Server was built with:
Sun Jan 22 06:40:57 2017 : Debug: accounting
Sun Jan 22 06:40:57 2017 : Debug: authentication
Sun Jan 22 06:40:57 2017 : Debug: WITH_DHCP
Sun Jan 22 06:40:57 2017 : Debug: WITH_VMPS
Sun Jan 22 06:40:57 2017 : Debug: Server core libs:
Sun Jan 22 06:40:57 2017 : Debug: ssl: OpenSSL 1.0.2j 26 Sep 2016
Sun Jan 22 06:40:57 2017 : Info: Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
Sun Jan 22 06:40:57 2017 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Sun Jan 22 06:40:57 2017 : Info: PARTICULAR PURPOSE.
Sun Jan 22 06:40:57 2017 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Sun Jan 22 06:40:57 2017 : Info: GNU General Public License.
Sun Jan 22 06:40:57 2017 : Info: For more information about these matters, see the file named COPYRIGHT.
Sun Jan 22 06:40:57 2017 : Info: Starting - reading configuration files ...
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/radiusd.conf
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/clients.conf
Sun Jan 22 06:40:57 2017 : Debug: including files in directory /opt/etc/freeradius2/modules/
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/ldap
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/pap
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/mschap
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/files
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/eap.conf
Sun Jan 22 06:40:57 2017 : Debug: including files in directory /opt/etc/freeradius2/sites/
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/sites/default
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/sites/inner-tunnel
Sun Jan 22 06:40:57 2017 : Debug: main {
Sun Jan 22 06:40:57 2017 : Debug: allow_core_dumps = no
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: including dictionary file /opt/etc/freeradius2/dictionary
Sun Jan 22 06:40:57 2017 : Debug: main {
Sun Jan 22 06:40:57 2017 : Debug: name = "radiusd"
Sun Jan 22 06:40:57 2017 : Debug: prefix = "/opt"
Sun Jan 22 06:40:57 2017 : Debug: localstatedir = "/opt/var"
Sun Jan 22 06:40:57 2017 : Debug: sbindir = "/opt/sbin"
Sun Jan 22 06:40:57 2017 : Debug: logdir = "/opt/var/log"
Sun Jan 22 06:40:57 2017 : Debug: run_dir = "/opt/var/run/radius"
Sun Jan 22 06:40:57 2017 : Debug: libdir = "/opt/lib/freeradius2"
Sun Jan 22 06:40:57 2017 : Debug: radacctdir = "/opt/var/db/radacct"
Sun Jan 22 06:40:57 2017 : Debug: hostname_lookups = no
Sun Jan 22 06:40:57 2017 : Debug: max_request_time = 15
Sun Jan 22 06:40:57 2017 : Debug: cleanup_delay = 7
Sun Jan 22 06:40:57 2017 : Debug: max_requests = 512
Sun Jan 22 06:40:57 2017 : Debug: pidfile = "/opt/var/run/radius/radiusd.pid"
Sun Jan 22 06:40:57 2017 : Debug: checkrad = "/opt/sbin/checkrad"
Sun Jan 22 06:40:57 2017 : Debug: debug_level = 0
Sun Jan 22 06:40:57 2017 : Debug: proxy_requests = no
Sun Jan 22 06:40:57 2017 : Debug: log {
Sun Jan 22 06:40:57 2017 : Debug: stripped_names = no
Sun Jan 22 06:40:57 2017 : Debug: auth = no
Sun Jan 22 06:40:57 2017 : Debug: auth_badpass = no
Sun Jan 22 06:40:57 2017 : Debug: auth_goodpass = no
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: security {
Sun Jan 22 06:40:57 2017 : Debug: max_attributes = 200
Sun Jan 22 06:40:57 2017 : Debug: reject_delay = 5
Sun Jan 22 06:40:57 2017 : Debug: status_server = no
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Realms and Home Servers ####
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Clients ####
Sun Jan 22 06:40:57 2017 : Debug: client 192.168.1.0/28 {
Sun Jan 22 06:40:57 2017 : Debug: ipaddr = 192.168.1.1
Sun Jan 22 06:40:57 2017 : Debug: require_message_authenticator = yes
Sun Jan 22 06:40:57 2017 : Debug: secret = "secretsecretsecret"
Sun Jan 22 06:40:57 2017 : Debug: nastype = "other"
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Instantiating modules ####
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Virtual Servers ####
Sun Jan 22 06:40:57 2017 : Debug: server { # from file /opt/etc/freeradius2/radiusd.conf
Sun Jan 22 06:40:57 2017 : Debug: modules {
Sun Jan 22 06:40:57 2017 : Debug: Module: Checking authenticate {...} for more modules to load
Sun Jan 22 06:40:57 2017 : Debug: (Loaded rlm_mschap, checking if it's valid)
Sun Jan 22 06:40:57 2017 : Debug: Module: Linked to module rlm_mschap
Sun Jan 22 06:40:57 2017 : Debug: Module: Instantiating module "mschap" from file /opt/etc/freeradius2/modules/mschap
Sun Jan 22 06:40:57 2017 : Debug: mschap {
Sun Jan 22 06:40:57 2017 : Debug: use_mppe = yes
Sun Jan 22 06:40:57 2017 : Debug: require_encryption = no
Sun Jan 22 06:40:57 2017 : Debug: require_strong = no
Sun Jan 22 06:40:57 2017 : Debug: with_ntdomain_hack = no
Sun Jan 22 06:40:57 2017 : Debug: allow_retry = yes
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: (Loaded rlm_eap, checking if it's valid)
Sun Jan 22 06:40:57 2017 : Debug: Module: Linked to module rlm_eap
Sun Jan 22 06:40:57 2017 : Debug: Module: Instantiating module "eap" from file /opt/etc/freeradius2/eap.conf
Sun Jan 22 06:40:57 2017 : Debug: eap {
Sun Jan 22 06:40:57 2017 : Debug: default_eap_type = "ttls"
Sun Jan 22 06:40:57 2017 : Debug: timer_expire = 60
Sun Jan 22 06:40:57 2017 : Debug: ignore_unknown_eap_types = no
Sun Jan 22 06:40:57 2017 : Debug: cisco_accounting_username_bug = no
Sun Jan 22 06:40:57 2017 : Debug: max_sessions = 4096
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: Module: Linked to sub-module rlm_eap_tls
Sun Jan 22 06:40:57 2017 : Debug: Module: Instantiating eap-tls
Sun Jan 22 06:40:57 2017 : Debug: tls {
Sun Jan 22 06:40:57 2017 : Debug: rsa_key_exchange = no
Sun Jan 22 06:40:57 2017 : Debug: dh_key_exchange = yes
Sun Jan 22 06:40:57 2017 : Debug: rsa_key_length = 512
Sun Jan 22 06:40:57 2017 : Debug: dh_key_length = 512
Sun Jan 22 06:40:57 2017 : Debug: verify_depth = 0
Sun Jan 22 06:40:57 2017 : Debug: pem_file_type = yes
Sun Jan 22 06:40:57 2017 : Debug: private_key_file = "/opt/etc/freeradius2/certs/ec-server_key.pem"
Sun Jan 22 06:40:57 2017 : Debug: certificate_file = "/opt/etc/freeradius2/certs/ec-server_cert.pem"
Sun Jan 22 06:40:57 2017 : Debug: private_key_password = "password"
Sun Jan 22 06:40:57 2017 : Debug: dh_file = "/opt/etc/freeradius2/certs/dh"
Sun Jan 22 06:40:57 2017 : Debug: random_file = "/dev/urandom"
Sun Jan 22 06:40:57 2017 : Debug: fragment_size = 1024
Sun Jan 22 06:40:57 2017 : Debug: include_length = yes
Sun Jan 22 06:40:57 2017 : Debug: check_crl = no
Sun Jan 22 06:40:57 2017 : Debug: check_all_crl = no
Sun Jan 22 06:40:57 2017 : Debug: cipher_list = "TLSv1:ECDHE-ECDSA-AES256-SHA"
Sun Jan 22 06:40:57 2017 : Debug: check_cert_issuer = "/C=US/ST=NY/L=New York/O=Merlin/OU=IT/CN=admin/[email protected]"
Sun Jan 22 06:40:57 2017 : Debug: ecdh_curve = "secp521r1"
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:59 2017 : Debug: Module: Linked to sub-module rlm_eap_ttls
Sun Jan 22 06:40:59 2017 : Debug: Module: Instantiating eap-ttls
Sun Jan 22 06:40:59 2017 : Debug: ttls {
Sun Jan 22 06:40:59 2017 : Debug: default_eap_type = "md5"
Sun Jan 22 06:40:59 2017 : Debug: copy_request_to_tunnel = no
Sun Jan 22 06:40:59 2017 : Debug: use_tunneled_reply = yes
Sun Jan 22 06:40:59 2017 : Debug: virtual_server = "inner-tunnel"
Sun Jan 22 06:40:59 2017 : Debug: include_length = yes
Sun Jan 22 06:40:59 2017 : Debug: }
Sun Jan 22 06:40:59 2017 : Debug: Module: Checking authorize {...} for more modules to load
Sun Jan 22 06:40:59 2017 : Debug: } # modules
Sun Jan 22 06:40:59 2017 : Debug: } # server
Sun Jan 22 06:40:59 2017 : Debug: server inner-tunnel { # from file /opt/etc/freeradius2/sites/inner-tunnel
Sun Jan 22 06:40:59 2017 : Debug: modules {
Sun Jan 22 06:40:59 2017 : Debug: Module: Checking authenticate {...} for more modules to load
Sun Jan 22 06:40:59 2017 : Debug: (Loaded rlm_pap, checking if it's valid)
Sun Jan 22 06:40:59 2017 : Debug: Module: Linked to module rlm_pap
Sun Jan 22 06:40:59 2017 : Debug: Module: Instantiating module "pap" from file /opt/etc/freeradius2/modules/pap
Sun Jan 22 06:40:59 2017 : Debug: pap {
Sun Jan 22 06:40:59 2017 : Debug: encryption_scheme = "auto"
Sun Jan 22 06:40:59 2017 : Debug: auto_header = yes
Sun Jan 22 06:40:59 2017 : Debug: }
Sun Jan 22 06:40:59 2017 : Debug: Module: Checking authorize {...} for more modules to load
Sun Jan 22 06:40:59 2017 : Debug: (Loaded rlm_files, checking if it's valid)
Sun Jan 22 06:40:59 2017 : Debug: Module: Linked to module rlm_files
Sun Jan 22 06:40:59 2017 : Debug: Module: Instantiating module "files" from file /opt/etc/freeradius2/modules/files
Sun Jan 22 06:40:59 2017 : Debug: files {
Sun Jan 22 06:40:59 2017 : Debug: usersfile = "/opt/etc/freeradius2/users"
Sun Jan 22 06:40:59 2017 : Debug: compat = "no"
Sun Jan 22 06:40:59 2017 : Debug: }
Sun Jan 22 06:40:59 2017 : Debug: reading pairlist file /opt/etc/freeradius2/users
Sun Jan 22 06:40:59 2017 : Debug: } # modules
Sun Jan 22 06:40:59 2017 : Debug: } # server
Sun Jan 22 06:40:59 2017 : Debug: radiusd: #### Opening IP addresses and Ports ####
Sun Jan 22 06:40:59 2017 : Debug: listen {
Sun Jan 22 06:40:59 2017 : Debug: type = "auth"
Sun Jan 22 06:40:59 2017 : Debug: ipaddr = 192.168.1.1
Sun Jan 22 06:40:59 2017 : Debug: port = 1111
Sun Jan 22 06:40:59 2017 : Debug: }
Sun Jan 22 06:40:59 2017 : Debug: listen {
Sun Jan 22 06:40:59 2017 : Debug: type = "auth"
Sun Jan 22 06:40:59 2017 : Debug: ipaddr = 192.168.1.1
Sun Jan 22 06:40:59 2017 : Debug: port = 11111
Sun Jan 22 06:40:59 2017 : Debug: }
Sun Jan 22 06:40:59 2017 : Debug: Listening on authentication address 192.168.1.1 port 1111
Sun Jan 22 06:40:59 2017 : Debug: Listening on authentication address 192.168.1.1 port 11111 as server inner-tunnel
Sun Jan 22 06:40:59 2017 : Info: Ready to process requests.
Sun Jan 22 06:39:05 2017 : Info: ++[eap] = handled
Sun Jan 22 06:39:05 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 37394
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd3ae25a1d3ad30d9fc8f19efc6ae34d4
Sun Jan 22 06:39:05 2017 : Info: Finished request 0.
Sun Jan 22 06:39:05 2017 : Debug: Going to the next request
Sun Jan 22 06:39:05 2017 : Debug: Waking up in 6.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 37394, id=0, length=296
Sun Jan 22 06:39:05 2017 : Info: Cleaning up request 0 ID 0 with timestamp +33
User-Name = "anonymous"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "382c4a9c3c98"
Calling-Station-Id = "7c7a91882d77"
NAS-Identifier = "382c4a9c3c98"
NAS-Port = 82
Framed-MTU = 1400
State = 0xd3ae25a1d3ad30d9fc8f19efc6ae34d4
NAS-Port-Type = Wireless-802.11
EAP-Message = 018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000
Message-Authenticator = 0x1e96a1dba89221e13e437285a0ddb5a3
Sun Jan 22 06:39:05 2017 : Info: # Executing section authorize from file /opt/etc/freeradius2/sites/default
Sun Jan 22 06:39:05 2017 : Info: +group authorize {
Sun Jan 22 06:39:05 2017 : Info: ++[mschap] = noop
Sun Jan 22 06:39:05 2017 : Info: [eap] EAP packet type response id 3 length 161
Sun Jan 22 06:39:05 2017 : Info: [eap] Continuing tunnel setup.
Sun Jan 22 06:39:05 2017 : Info: ++[eap] = ok
Sun Jan 22 06:39:05 2017 : Info: +} # group authorize = ok
Sun Jan 22 06:39:05 2017 : Info: Found Auth-Type = EAP
Sun Jan 22 06:39:05 2017 : Info: # Executing group from file /opt/etc/freeradius2/sites/default
Sun Jan 22 06:39:05 2017 : Info: +group authenticate {
Sun Jan 22 06:39:05 2017 : Info: [eap] Request found, released from the list
Sun Jan 22 06:39:05 2017 : Info: [eap] EAP/ttls
Sun Jan 22 06:39:05 2017 : Info: [eap] processing type ttls
Sun Jan 22 06:39:05 2017 : Info: [ttls] Authenticate
Sun Jan 22 06:39:05 2017 : Info: [ttls] processing EAP-TLS
Sun Jan 22 06:39:05 2017 : Debug: TLS Length 151
Sun Jan 22 06:39:05 2017 : Info: [ttls] Length Included
Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_verify returned 11
Sun Jan 22 06:39:05 2017 : Info: [ttls] (other): before/accept initialization
Sun Jan 22 06:39:05 2017 : Info: [ttls] TLS_accept: before/accept initialization
Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0005]
Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0092]
Sun Jan 22 06:39:05 2017 : Info: [ttls] >>> Unknown TLS version [length 0005]
Sun Jan 22 06:39:05 2017 : Info: [ttls] >>> Unknown TLS version [length 0002]
Sun Jan 22 06:39:05 2017 : Error: TLS Alert write:fatal:handshake failure
Sun Jan 22 06:39:05 2017 : Error: TLS_accept: error in error
Sun Jan 22 06:39:05 2017 : Error: TLS_accept: error in error
Sun Jan 22 06:39:05 2017 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
Sun Jan 22 06:39:05 2017 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Sun Jan 22 06:39:05 2017 : Debug: TLS receive handshake failed during operation
Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_process returned 4
Sun Jan 22 06:39:05 2017 : Info: [eap] Handler failed in EAP/ttls
Sun Jan 22 06:39:05 2017 : Info: [eap] Failed in EAP select
Sun Jan 22 06:39:05 2017 : Info: ++[eap] = invalid
Sun Jan 22 06:39:05 2017 : Info: +} # group authenticate = invalid
Sun Jan 22 06:39:05 2017 : Info: Failed to authenticate the user.
Sun Jan 22 06:39:05 2017 : Info: Using Post-Auth-Type Reject
Sun Jan 22 06:39:05 2017 : Info: WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Sun Jan 22 06:39:05 2017 : Info: Delaying reject of request 1 for 5 seconds
Sun Jan 22 06:39:05 2017 : Debug: Going to the next request
Sun Jan 22 06:39:05 2017 : Debug: Waking up in 0.9 seconds.
Sun Jan 22 06:39:06 2017 : Debug: Waking up in 3.9 seconds.
^C
Answer 1
The problem is that your TLS cipher needs to be expanded to allow additional ciphers.
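
The failure in the debug output can be read directly from the log: the packed code in the "SSL error" line decodes to reason 193, and the "cipher_list" line shows what the server was willing to negotiate. The following is an added example, not part of the original question or answer. It assumes OpenSSL 1.0.x error-code packing and reason numbering (the log shows OpenSSL 1.0.2j), and the function names are hypothetical.

```python
import re

# Reason numbers as defined in OpenSSL 1.0.x (the log shows 1.0.2j); only the
# one seen in this log is listed. Assumption: the same numbering applies.
SSL_REASONS = {193: "no shared cipher"}

# Lines copied from the debug output in the question.
SAMPLE_LOG = '''\
Sun Jan 22 06:40:57 2017 : Debug: cipher_list = "TLSv1:ECDHE-ECDSA-AES256-SHA"
Sun Jan 22 06:39:05 2017 : Info: [ttls] processing EAP-TLS
Sun Jan 22 06:39:05 2017 : Error: TLS Alert write:fatal:handshake failure
Sun Jan 22 06:39:05 2017 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
Sun Jan 22 06:39:05 2017 : Info: [eap] Handler failed in EAP/ttls
'''

CIPHER_RE = re.compile(r'cipher_list\s*=\s*"([^"]*)"')
SSL_ERR_RE = re.compile(r"SSL error error:([0-9A-Fa-f]{8}):")


def decode_ssl_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Collect the configured cipher_list and each decoded SSL error."""
    result = {"cipher_list": [], "errors": []}
    for line in log_text.splitlines():
        m = CIPHER_RE.search(line)
        if m:
            # OpenSSL cipher strings are colon-separated.
            result["cipher_list"] = m.group(1).split(":")
        m = SSL_ERR_RE.search(line)
        if m:
            lib, func, reason = decode_ssl_error(m.group(1))
            meaning = SSL_REASONS.get(reason, "unknown reason %d" % reason)
            result["errors"].append((m.group(1), lib, func, meaning))
    return result


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("cipher_list entries:", found["cipher_list"])
    for code, lib, func, meaning in found["errors"]:
        print("SSL error %s (lib %d, func %d): %s" % (code, lib, func, meaning))
```

A "no shared cipher" result means the client offered no suite that the server's cipher_list permits, which is the condition the answer's advice addresses.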