Windows clients do not connect to the network through FreeRADIUS and WPA2/Enterprise

I'm currently having trouble getting my Windows clients to connect through FreeRADIUS. I have an Asus RT-AC68U running Merlin firmware and I'm running FreeRADIUS out of Entware-ng. My non-Windows clients connect fine, so my suspicions lie with how the network connection is configured in Windows 8/10 or with how FreeRADIUS is configured.

I followed the "Setting up FreeRadius2 via Entware" guide here to install and configure FreeRADIUS on my router. My Windows configuration is shown in the attached screenshot. Any help would be greatly appreciated. The Super User question I found most related to my query is Windows can't connect to WPA2 Enterprise Wi-Fi access point with EAP-TTLS PAP authentication using FreeRADIUS, but unfortunately it doesn't solve my particular problem.

The debug output from the freeradius server is as follows:

admin@MERLIN:/tmp/mnt/sda2/entware-ng.arm/etc/freeradius2/sites# radiusd -XX
Sun Jan 22 06:40:57 2017 : Info: radiusd: FreeRADIUS Version 2.2.9, for host arm-openwrt-linux-gnu, built on Dec 26 2016 at 19:02:57
Sun Jan 22 06:40:57 2017 : Debug: Server was built with: 
Sun Jan 22 06:40:57 2017 : Debug:   accounting
Sun Jan 22 06:40:57 2017 : Debug:   authentication
Sun Jan 22 06:40:57 2017 : Debug:  WITH_DHCP
Sun Jan 22 06:40:57 2017 : Debug:  WITH_VMPS
Sun Jan 22 06:40:57 2017 : Debug: Server core libs:
Sun Jan 22 06:40:57 2017 : Debug:   ssl: OpenSSL 1.0.2j  26 Sep 2016
Sun Jan 22 06:40:57 2017 : Info: Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
Sun Jan 22 06:40:57 2017 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Sun Jan 22 06:40:57 2017 : Info: PARTICULAR PURPOSE.
Sun Jan 22 06:40:57 2017 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Sun Jan 22 06:40:57 2017 : Info: GNU General Public License.
Sun Jan 22 06:40:57 2017 : Info: For more information about these matters, see the file named COPYRIGHT.
Sun Jan 22 06:40:57 2017 : Info: Starting - reading configuration files ...
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/radiusd.conf
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/clients.conf
Sun Jan 22 06:40:57 2017 : Debug: including files in directory /opt/etc/freeradius2/modules/
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/ldap
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/pap
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/mschap
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/modules/files
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/eap.conf
Sun Jan 22 06:40:57 2017 : Debug: including files in directory /opt/etc/freeradius2/sites/
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/sites/default
Sun Jan 22 06:40:57 2017 : Debug: including configuration file /opt/etc/freeradius2/sites/inner-tunnel
Sun Jan 22 06:40:57 2017 : Debug: main {
Sun Jan 22 06:40:57 2017 : Debug:   allow_core_dumps = no
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: including dictionary file /opt/etc/freeradius2/dictionary
Sun Jan 22 06:40:57 2017 : Debug: main {
Sun Jan 22 06:40:57 2017 : Debug:   name = "radiusd"
Sun Jan 22 06:40:57 2017 : Debug:   prefix = "/opt"
Sun Jan 22 06:40:57 2017 : Debug:   localstatedir = "/opt/var"
Sun Jan 22 06:40:57 2017 : Debug:   sbindir = "/opt/sbin"
Sun Jan 22 06:40:57 2017 : Debug:   logdir = "/opt/var/log"
Sun Jan 22 06:40:57 2017 : Debug:   run_dir = "/opt/var/run/radius"
Sun Jan 22 06:40:57 2017 : Debug:   libdir = "/opt/lib/freeradius2"
Sun Jan 22 06:40:57 2017 : Debug:   radacctdir = "/opt/var/db/radacct"
Sun Jan 22 06:40:57 2017 : Debug:   hostname_lookups = no
Sun Jan 22 06:40:57 2017 : Debug:   max_request_time = 15
Sun Jan 22 06:40:57 2017 : Debug:   cleanup_delay = 7
Sun Jan 22 06:40:57 2017 : Debug:   max_requests = 512
Sun Jan 22 06:40:57 2017 : Debug:   pidfile = "/opt/var/run/radius/radiusd.pid"
Sun Jan 22 06:40:57 2017 : Debug:   checkrad = "/opt/sbin/checkrad"
Sun Jan 22 06:40:57 2017 : Debug:   debug_level = 0
Sun Jan 22 06:40:57 2017 : Debug:   proxy_requests = no
Sun Jan 22 06:40:57 2017 : Debug:  log {
Sun Jan 22 06:40:57 2017 : Debug:   stripped_names = no
Sun Jan 22 06:40:57 2017 : Debug:   auth = no
Sun Jan 22 06:40:57 2017 : Debug:   auth_badpass = no
Sun Jan 22 06:40:57 2017 : Debug:   auth_goodpass = no
Sun Jan 22 06:40:57 2017 : Debug:  }
Sun Jan 22 06:40:57 2017 : Debug:  security {
Sun Jan 22 06:40:57 2017 : Debug:   max_attributes = 200
Sun Jan 22 06:40:57 2017 : Debug:   reject_delay = 5
Sun Jan 22 06:40:57 2017 : Debug:   status_server = no
Sun Jan 22 06:40:57 2017 : Debug:  }
Sun Jan 22 06:40:57 2017 : Debug: }
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Realms and Home Servers ####
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Clients ####
Sun Jan 22 06:40:57 2017 : Debug:  client 192.168.1.0/28 {
Sun Jan 22 06:40:57 2017 : Debug:   ipaddr = 192.168.1.1
Sun Jan 22 06:40:57 2017 : Debug:   require_message_authenticator = yes
Sun Jan 22 06:40:57 2017 : Debug:   secret = "secretsecretsecret"
Sun Jan 22 06:40:57 2017 : Debug:   nastype = "other"
Sun Jan 22 06:40:57 2017 : Debug:  }
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Instantiating modules ####
Sun Jan 22 06:40:57 2017 : Debug: radiusd: #### Loading Virtual Servers ####
Sun Jan 22 06:40:57 2017 : Debug: server { # from file /opt/etc/freeradius2/radiusd.conf
Sun Jan 22 06:40:57 2017 : Debug:  modules {
Sun Jan 22 06:40:57 2017 : Debug:  Module: Checking authenticate {...} for more modules to load
Sun Jan 22 06:40:57 2017 : Debug:     (Loaded rlm_mschap, checking if it's valid)
Sun Jan 22 06:40:57 2017 : Debug:  Module: Linked to module rlm_mschap
Sun Jan 22 06:40:57 2017 : Debug:  Module: Instantiating module "mschap" from file /opt/etc/freeradius2/modules/mschap
Sun Jan 22 06:40:57 2017 : Debug:   mschap {
Sun Jan 22 06:40:57 2017 : Debug:       use_mppe = yes
Sun Jan 22 06:40:57 2017 : Debug:       require_encryption = no
Sun Jan 22 06:40:57 2017 : Debug:       require_strong = no
Sun Jan 22 06:40:57 2017 : Debug:       with_ntdomain_hack = no
Sun Jan 22 06:40:57 2017 : Debug:       allow_retry = yes
Sun Jan 22 06:40:57 2017 : Debug:   }
Sun Jan 22 06:40:57 2017 : Debug:     (Loaded rlm_eap, checking if it's valid)
Sun Jan 22 06:40:57 2017 : Debug:  Module: Linked to module rlm_eap
Sun Jan 22 06:40:57 2017 : Debug:  Module: Instantiating module "eap" from file /opt/etc/freeradius2/eap.conf
Sun Jan 22 06:40:57 2017 : Debug:   eap {
Sun Jan 22 06:40:57 2017 : Debug:       default_eap_type = "ttls"
Sun Jan 22 06:40:57 2017 : Debug:       timer_expire = 60
Sun Jan 22 06:40:57 2017 : Debug:       ignore_unknown_eap_types = no
Sun Jan 22 06:40:57 2017 : Debug:       cisco_accounting_username_bug = no
Sun Jan 22 06:40:57 2017 : Debug:       max_sessions = 4096
Sun Jan 22 06:40:57 2017 : Debug:   }
Sun Jan 22 06:40:57 2017 : Debug:  Module: Linked to sub-module rlm_eap_tls
Sun Jan 22 06:40:57 2017 : Debug:  Module: Instantiating eap-tls
Sun Jan 22 06:40:57 2017 : Debug:    tls {
Sun Jan 22 06:40:57 2017 : Debug:       rsa_key_exchange = no
Sun Jan 22 06:40:57 2017 : Debug:       dh_key_exchange = yes
Sun Jan 22 06:40:57 2017 : Debug:       rsa_key_length = 512
Sun Jan 22 06:40:57 2017 : Debug:       dh_key_length = 512
Sun Jan 22 06:40:57 2017 : Debug:       verify_depth = 0
Sun Jan 22 06:40:57 2017 : Debug:       pem_file_type = yes
Sun Jan 22 06:40:57 2017 : Debug:       private_key_file = "/opt/etc/freeradius2/certs/ec-server_key.pem"
Sun Jan 22 06:40:57 2017 : Debug:       certificate_file = "/opt/etc/freeradius2/certs/ec-server_cert.pem"
Sun Jan 22 06:40:57 2017 : Debug:       private_key_password = "password"
Sun Jan 22 06:40:57 2017 : Debug:       dh_file = "/opt/etc/freeradius2/certs/dh"
Sun Jan 22 06:40:57 2017 : Debug:       random_file = "/dev/urandom"
Sun Jan 22 06:40:57 2017 : Debug:       fragment_size = 1024
Sun Jan 22 06:40:57 2017 : Debug:       include_length = yes
Sun Jan 22 06:40:57 2017 : Debug:       check_crl = no
Sun Jan 22 06:40:57 2017 : Debug:       check_all_crl = no
Sun Jan 22 06:40:57 2017 : Debug:       cipher_list = "TLSv1:ECDHE-ECDSA-AES256-SHA"
Sun Jan 22 06:40:57 2017 : Debug:       check_cert_issuer = "/C=US/ST=NY/L=New York/O=Merlin/OU=IT/CN=admin/[email protected]"
Sun Jan 22 06:40:57 2017 : Debug:       ecdh_curve = "secp521r1"
Sun Jan 22 06:40:57 2017 : Debug:    }
Sun Jan 22 06:40:59 2017 : Debug:  Module: Linked to sub-module rlm_eap_ttls
Sun Jan 22 06:40:59 2017 : Debug:  Module: Instantiating eap-ttls
Sun Jan 22 06:40:59 2017 : Debug:    ttls {
Sun Jan 22 06:40:59 2017 : Debug:       default_eap_type = "md5"
Sun Jan 22 06:40:59 2017 : Debug:       copy_request_to_tunnel = no
Sun Jan 22 06:40:59 2017 : Debug:       use_tunneled_reply = yes
Sun Jan 22 06:40:59 2017 : Debug:       virtual_server = "inner-tunnel"
Sun Jan 22 06:40:59 2017 : Debug:       include_length = yes
Sun Jan 22 06:40:59 2017 : Debug:    }
Sun Jan 22 06:40:59 2017 : Debug:  Module: Checking authorize {...} for more modules to load
Sun Jan 22 06:40:59 2017 : Debug:  } # modules
Sun Jan 22 06:40:59 2017 : Debug: } # server
Sun Jan 22 06:40:59 2017 : Debug: server inner-tunnel { # from file /opt/etc/freeradius2/sites/inner-tunnel
Sun Jan 22 06:40:59 2017 : Debug:  modules {
Sun Jan 22 06:40:59 2017 : Debug:  Module: Checking authenticate {...} for more modules to load
Sun Jan 22 06:40:59 2017 : Debug:     (Loaded rlm_pap, checking if it's valid)
Sun Jan 22 06:40:59 2017 : Debug:  Module: Linked to module rlm_pap
Sun Jan 22 06:40:59 2017 : Debug:  Module: Instantiating module "pap" from file /opt/etc/freeradius2/modules/pap
Sun Jan 22 06:40:59 2017 : Debug:   pap {
Sun Jan 22 06:40:59 2017 : Debug:       encryption_scheme = "auto"
Sun Jan 22 06:40:59 2017 : Debug:       auto_header = yes
Sun Jan 22 06:40:59 2017 : Debug:   }
Sun Jan 22 06:40:59 2017 : Debug:  Module: Checking authorize {...} for more modules to load
Sun Jan 22 06:40:59 2017 : Debug:     (Loaded rlm_files, checking if it's valid)
Sun Jan 22 06:40:59 2017 : Debug:  Module: Linked to module rlm_files
Sun Jan 22 06:40:59 2017 : Debug:  Module: Instantiating module "files" from file /opt/etc/freeradius2/modules/files
Sun Jan 22 06:40:59 2017 : Debug:   files {
Sun Jan 22 06:40:59 2017 : Debug:       usersfile = "/opt/etc/freeradius2/users"
Sun Jan 22 06:40:59 2017 : Debug:       compat = "no"
Sun Jan 22 06:40:59 2017 : Debug:   }
Sun Jan 22 06:40:59 2017 : Debug: reading pairlist file /opt/etc/freeradius2/users
Sun Jan 22 06:40:59 2017 : Debug:  } # modules
Sun Jan 22 06:40:59 2017 : Debug: } # server
Sun Jan 22 06:40:59 2017 : Debug: radiusd: #### Opening IP addresses and Ports ####
Sun Jan 22 06:40:59 2017 : Debug: listen {
Sun Jan 22 06:40:59 2017 : Debug:   type = "auth"
Sun Jan 22 06:40:59 2017 : Debug:   ipaddr = 192.168.1.1
Sun Jan 22 06:40:59 2017 : Debug:   port = 1111
Sun Jan 22 06:40:59 2017 : Debug: }
Sun Jan 22 06:40:59 2017 : Debug: listen {
Sun Jan 22 06:40:59 2017 : Debug:       type = "auth"
Sun Jan 22 06:40:59 2017 : Debug:       ipaddr = 192.168.1.1
Sun Jan 22 06:40:59 2017 : Debug:       port = 11111
Sun Jan 22 06:40:59 2017 : Debug: }
Sun Jan 22 06:40:59 2017 : Debug: Listening on authentication address 192.168.1.1 port 1111
Sun Jan 22 06:40:59 2017 : Debug: Listening on authentication address 192.168.1.1 port 11111 as server inner-tunnel
Sun Jan 22 06:40:59 2017 : Info: Ready to process requests.

Sun Jan 22 06:39:05 2017 : Info: ++[eap] = handled
Sun Jan 22 06:39:05 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 37394
    EAP-Message = 0x010300061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd3ae25a1d3ad30d9fc8f19efc6ae34d4
Sun Jan 22 06:39:05 2017 : Info: Finished request 0.
Sun Jan 22 06:39:05 2017 : Debug: Going to the next request
Sun Jan 22 06:39:05 2017 : Debug: Waking up in 6.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 37394, id=0, length=296
Sun Jan 22 06:39:05 2017 : Info: Cleaning up request 0 ID 0 with timestamp +33
    User-Name = "anonymous"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "382c4a9c3c98"
    Calling-Station-Id = "7c7a91882d77"
    NAS-Identifier = "382c4a9c3c98"
    NAS-Port = 82
    Framed-MTU = 1400
    State = 0xd3ae25a1d3ad30d9fc8f19efc6ae34d4
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000018000
    Message-Authenticator = 0x1e96a1dba89221e13e437285a0ddb5a3
Sun Jan 22 06:39:05 2017 : Info: # Executing section authorize from file /opt/etc/freeradius2/sites/default
Sun Jan 22 06:39:05 2017 : Info: +group authorize {
Sun Jan 22 06:39:05 2017 : Info: ++[mschap] = noop
Sun Jan 22 06:39:05 2017 : Info: [eap] EAP packet type response id 3 length 161
Sun Jan 22 06:39:05 2017 : Info: [eap] Continuing tunnel setup.
Sun Jan 22 06:39:05 2017 : Info: ++[eap] = ok
Sun Jan 22 06:39:05 2017 : Info: +} # group authorize = ok
Sun Jan 22 06:39:05 2017 : Info: Found Auth-Type = EAP
Sun Jan 22 06:39:05 2017 : Info: # Executing group from file /opt/etc/freeradius2/sites/default
Sun Jan 22 06:39:05 2017 : Info: +group authenticate {
Sun Jan 22 06:39:05 2017 : Info: [eap] Request found, released from the list
Sun Jan 22 06:39:05 2017 : Info: [eap] EAP/ttls
Sun Jan 22 06:39:05 2017 : Info: [eap] processing type ttls
Sun Jan 22 06:39:05 2017 : Info: [ttls] Authenticate
Sun Jan 22 06:39:05 2017 : Info: [ttls] processing EAP-TLS
Sun Jan 22 06:39:05 2017 : Debug:   TLS Length 151
Sun Jan 22 06:39:05 2017 : Info: [ttls] Length Included
Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_verify returned 11 
Sun Jan 22 06:39:05 2017 : Info: [ttls]     (other): before/accept initialization
Sun Jan 22 06:39:05 2017 : Info: [ttls]     TLS_accept: before/accept initialization
Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0005]  
Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0092]  
Sun Jan 22 06:39:05 2017 : Info: [ttls] >>> Unknown TLS version [length 0005]  
Sun Jan 22 06:39:05 2017 : Info: [ttls] >>> Unknown TLS version [length 0002]  
Sun Jan 22 06:39:05 2017 : Error: TLS Alert write:fatal:handshake failure
Sun Jan 22 06:39:05 2017 : Error:     TLS_accept: error in error
Sun Jan 22 06:39:05 2017 : Error:     TLS_accept: error in error
Sun Jan 22 06:39:05 2017 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
Sun Jan 22 06:39:05 2017 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Sun Jan 22 06:39:05 2017 : Debug: TLS receive handshake failed during operation
Sun Jan 22 06:39:05 2017 : Info: [ttls] eaptls_process returned 4 
Sun Jan 22 06:39:05 2017 : Info: [eap] Handler failed in EAP/ttls
Sun Jan 22 06:39:05 2017 : Info: [eap] Failed in EAP select
Sun Jan 22 06:39:05 2017 : Info: ++[eap] = invalid
Sun Jan 22 06:39:05 2017 : Info: +} # group authenticate = invalid
Sun Jan 22 06:39:05 2017 : Info: Failed to authenticate the user.
Sun Jan 22 06:39:05 2017 : Info: Using Post-Auth-Type Reject
Sun Jan 22 06:39:05 2017 : Info:   WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sun Jan 22 06:39:05 2017 : Info: Delaying reject of request 1 for 5 seconds
Sun Jan 22 06:39:05 2017 : Debug: Going to the next request
Sun Jan 22 06:39:05 2017 : Debug: Waking up in 0.9 seconds.
Sun Jan 22 06:39:06 2017 : Debug: Waking up in 3.9 seconds.
^C

Answer 1

The problem is your TLS cipher; extend it to allow more ciphers.
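As an added example (not code from the question, the answer, or FreeRADIUS itself): a small Python checker that reads `radiusd -X` debug lines, unpacks the packed OpenSSL error code the log prints, and ties the "no shared cipher" reason (OpenSSL 1.0.x constant SSL_R_NO_SHARED_CIPHER = 193) back to the configured `cipher_list`, which is the mismatch the answer points at. The sample lines are copied from the question's output; the function names and the one-entry reason table are this example's own.

```python
import re

# Constructed sample: lines copied from the radiusd -XX output in the question
# (the startup TLS settings first, then the failing handshake).
SAMPLE_LOG = """\
Sun Jan 22 06:40:57 2017 : Debug:       cipher_list = "TLSv1:ECDHE-ECDSA-AES256-SHA"
Sun Jan 22 06:40:57 2017 : Debug:       ecdh_curve = "secp521r1"
Sun Jan 22 06:39:05 2017 : Info: [ttls] <<< Unknown TLS version [length 0092]
Sun Jan 22 06:39:05 2017 : Error: TLS Alert write:fatal:handshake failure
Sun Jan 22 06:39:05 2017 : Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
"""

# OpenSSL 1.0.x packs an error as 0xLLFFFRRR: 8-bit library, 12-bit function, 12-bit reason.
ERR_LIB_SSL = 20
SSL_REASONS = {193: "no shared cipher"}  # SSL_R_NO_SHARED_CIPHER; only the reason seen here

TLS_SETTING = re.compile(r'Debug:\s+(cipher_list|ecdh_curve)\s*=\s*"([^"]*)"')
TLS_ALERT = re.compile(r'TLS Alert write:fatal:(\w[\w ]*)')
SSL_ERROR = re.compile(r'SSL error error:([0-9A-Fa-f]{8}):lib\((\d+)\):func\((\d+)\):reason\((\d+)\)')

def decode_openssl_error(code_hex):
    # Split a packed OpenSSL error code into (library, function, reason) numbers
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def diagnose(log_text):
    """Return (TLS settings seen at startup, handshake findings in log order)."""
    settings, findings = {}, []
    for line in log_text.splitlines():
        m = TLS_SETTING.search(line)
        if m:
            settings[m.group(1)] = m.group(2)
            continue
        m = TLS_ALERT.search(line)
        if m:
            findings.append("alert: " + m.group(1).strip())
        m = SSL_ERROR.search(line)
        if m:
            lib, func, reason = decode_openssl_error(m.group(1))
            # The packed code must agree with the lib()/func()/reason() fields radiusd prints
            if (lib, func, reason) != tuple(int(x) for x in m.groups()[1:]):
                findings.append("ssl: inconsistent error line")
            elif lib == ERR_LIB_SSL and reason in SSL_REASONS:
                findings.append("ssl: " + SSL_REASONS[reason])
    return settings, findings

def recommendation(settings, findings):
    # State the fix the answer gives when the failure is a cipher-suite mismatch
    if "ssl: no shared cipher" in findings and "cipher_list" in settings:
        return ('cipher_list "%s" leaves no suite the client also offers; '
                'extend it in eap.conf to allow more ciphers' % settings["cipher_list"])
    return "no cipher_list mismatch detected"
```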
