I'm working with this feature for the first time, and I'm trying to make freeradius block MD5 authentication when it is not used inside a TLS tunnel (eap-ttls). I still want MD5 authentication enabled as the inner method of TTLS.

I tried something that seems to work, but I want to know whether this is the right way to do it, and I don't want to break anything that could lead to bugs in the future.

I created a symbolic link to the inner-eap module in mods-enabled so that it can be used. Then I changed the default authentication in the inner-eap module to MD5. I commented out the MD5 part of the eap module (not the inner part). In sites-enabled/inner-tunnel I commented out the eap line and used inner-eap instead:

authorize {
    inner-eap {
        ok = return
    }
    #default conf
    #eap {
    #    ok = return
    #}
}
authenticate {
    #eap
    inner-eap
}

When I tested it, MD5 did not seem to be used with anything other than the eap-ttls method, as expected. This is what I get from freeradius:
(4) Received Access-Request Id 184 from X.X.X.X:X to X.X.X.X:X length 156
(4) User-Name = "Anonymous"
(4) Called-Station-Id = "XX-XX-XX-XX-XX-XX"
(4) Calling-Station-Id = "XX:XX:XX:XX:XX:XX"
(4) NAS-Identifier = "XX-XX-XX-XX-XX-XX"
(4) NAS-IP-Address = XXX.XXX.XXX.XXX
(4) NAS-Port = 5
(4) Framed-MTU = 1500
(4) NAS-Port-Type = Ethernet
(4) State = 0x2f4dfb6f2f4fee7b659f82a7ed5ceb4d
(4) EAP-Message = 0x020200060304
(4) Message-Authenticator = 0xfa4f0a59e609bde52b1ef4494d429350
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 994
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "Anonymous", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 2 length 6
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(4) [pap] = noop
(4) } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x2f4dfb6f2f4fee7b
(4) eap: Finished EAP session with state 0x2f4dfb6f2f4fee7b
(4) eap: Previous EAP request found for state 0x2f4dfb6f2f4fee7b, released from the list
(4) eap: Peer sent packet with method EAP NAK (3)
(4) eap: Peer NAK'd asking for unsupported EAP type MD5 (4), skipping...
(4) eap: ERROR: No mutually acceptable types found
(4) eap: Sending EAP Failure (code 4) ID 2 length 4
(4) eap: Failed in EAP select
(4) [eap] = invalid
(4) } # authenticate = invalid
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Post-Auth-Type REJECT {
(4) attr_filter.access_reject: EXPAND %{User-Name}
(4) attr_filter.access_reject: --> Anonymous
(4) attr_filter.access_reject: Matched entry DEFAULT at line 11
(4) [attr_filter.access_reject] = updated
(4) [eap] = noop
(4) policy remove_reply_message_if_eap {
(4) if (&reply:EAP-Message && &reply:Reply-Message) {
(4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(4) else {
(4) [noop] = noop
(4) } # else = noop
(4) } # policy remove_reply_message_if_eap = noop
(4) } # Post-Auth-Type REJECT = updated
(4) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 182 from X.X.X.X:X to X.X.X.X:X length 44
(1) EAP-Message = 0x04020004
(1) Message-Authenticator = 0x00000000000000000000000000000000
(4) Sending delayed response
(4) Sent Access-Reject Id 184 from X.X.X.X:X to X.X.X.X:X length 44
(4) EAP-Message = 0x04020004
(4) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 181 with timestamp +42 due to cleanup_delay was reached
(1) Cleaning up request packet ID 182 with timestamp +42 due to cleanup_delay was reached
(3) Cleaning up request packet ID 183 with timestamp +42 due to cleanup_delay was reached
(4) Cleaning up request packet ID 184 with timestamp +42 due to cleanup_delay was reached
Ready to process requests
When using EAP-TTLS/MD5:
(10) Received Access-Request Id 211 from X.X.X.X:X to X.X.X.X:X length 217
(10) User-Name = "Anonymous"
(10) Called-Station-Id = "X-X-X-X-X-X"
(10) Calling-Station-Id = "X:X:X:X:X:X"
(10) NAS-Identifier = "X-X-X-X-X-X"
(10) NAS-IP-Address = X.X.X.X
(10) NAS-Port = 5
(10) Framed-MTU = 1500
(10) NAS-Port-Type = Ethernet
(10) State = 0xb09f6f25b5987ab45a49d44c79fdc272
(10) EAP-Message = 0x0207004315001703030038c6adbb5c16c6c563e2d83bf6c77dbeea42301a1860182204dbf2239a4b934c9f79824ceea2bf5bb725fc7f8576a7deddf907300e0a52bb0e
(10) Message-Authenticator = 0x1a63f12a15f8031ce35ebd7c8732aed7
(10) Restoring &session-state
(10) &session-state:Framed-MTU = 994
(10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "Anonymous", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 7 length 67
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xf1a81cfaf3ac0960
(10) eap: Finished EAP session with state 0xb09f6f25b5987ab4
(10) eap: Previous EAP request found for state 0xb09f6f25b5987ab4, released from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: (TLS) EAP Done initial handshake
(10) eap_ttls: Session established. Proceeding to decode tunneled attributes
(10) eap_ttls: Got tunneled request
(10) eap_ttls: EAP-Message = 0x0201001604102f20220e77c8250f43b6902c2c91ba28
(10) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_ttls: Sending tunneled request
(10) Virtual server inner-tunnel received request
(10) EAP-Message = 0x0201001604102f20220e77c8250f43b6902c2c91ba28
(10) FreeRADIUS-Proxied-To = 127.0.0.1
(10) User-Name = "bob"
(10) State = 0xb9681c83b969189d0d90e6d70aad92ec
(10) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(10) server inner-tunnel {
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [chap] = noop
(10) [mschap] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "bob", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) update control {
(10) &Proxy-To-Realm := LOCAL
(10) } # update control = noop
(10) inner-eap: Peer sent EAP Response (code 2) ID 1 length 22
(10) inner-eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [inner-eap] = updated
(10) files: users: Matched entry bob at line 87
(10) files: EXPAND Hello, %{User-Name}
(10) files: --> Hello, bob
(10) [files] = ok
(10) [expiration] = noop
(10) [logintime] = noop
(10) pap: WARNING: Auth-Type already set. Not setting to PAP
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = inner-eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) authenticate {
(10) inner-eap: Expiring EAP session with state 0xb9681c83b969189d
(10) inner-eap: Finished EAP session with state 0xb9681c83b969189d
(10) inner-eap: Previous EAP request found for state 0xb9681c83b969189d, released from the list
(10) inner-eap: Peer sent packet with method EAP MD5 (4)
(10) inner-eap: Calling submodule eap_md5 to process data
(10) inner-eap: Sending EAP Success (code 3) ID 1 length 4
(10) inner-eap: Freeing handler
(10) [inner-eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) post-auth {
(10) if (0) {
(10) if (0) -> FALSE
(10) } # post-auth = noop
(10) } # server inner-tunnel
(10) Virtual server sending reply
(10) Reply-Message = "Hello, bob"
(10) EAP-Message = 0x03010004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "bob"
(10) eap_ttls: Got tunneled Access-Accept
(10) eap: Sending EAP Success (code 3) ID 7 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(10) post-auth {
(10) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(10) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(10) update {
(10) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished'
(10) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(10) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(10) } # update = noop
(10) [exec] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(10) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(10) } # post-auth = noop
(10) Sent Access-Accept Id 211 from X.X.X.X:X to X.X.X.X:X length 177
Is this the correct approach? If not, what should I do?

I would like to add that I see

(10) WARNING: Outer User-Name is not anonymized. User privacy is compromised.

in the last log. Should I take this seriously? I'm connecting using an anonymous identity, so the supplicant should be anonymous.
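As an added example (not part of the question above or of FreeRADIUS itself), here is a small checker that reads the debug output shown above and verifies the property the configuration is meant to enforce: EAP-MD5 (type 4) may only be processed by the inner-eap module inside the TTLS tunnel, never by the outer eap module in an accepted request. The sample log is constructed from the line shapes on this page; request (12) is an invented, deliberately misconfigured case (outer eap accepting MD5) so the negative check has something to catch. The function names and the regular expressions are assumptions of this example.

```python
import re
from typing import NamedTuple

# Constructed sample in the shape of the FreeRADIUS debug output above.
# Requests (4) and (10) mirror the page; request (12) is invented to show
# what a misconfiguration (MD5 accepted outside the tunnel) would look like.
SAMPLE_LOG = """\
(4) eap: Peer sent packet with method EAP NAK (3)
(4) eap: Peer NAK'd asking for unsupported EAP type MD5 (4), skipping...
(4) eap: ERROR: No mutually acceptable types found
(4) Sent Access-Reject Id 184 from X.X.X.X:X to X.X.X.X:X length 44
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) Virtual server inner-tunnel received request
(10) inner-eap: Peer sent packet with method EAP MD5 (4)
(10) inner-eap: Sending EAP Success (code 3) ID 1 length 4
(10) eap_ttls: Got tunneled Access-Accept
(10) Sent Access-Accept Id 211 from X.X.X.X:X to X.X.X.X:X length 177
(12) eap: Peer sent packet with method EAP MD5 (4)
(12) eap: Sending EAP Success (code 3) ID 1 length 4
(12) Sent Access-Accept Id 230 from X.X.X.X:X to X.X.X.X:X length 60
"""

# "(N) <module>: Peer sent packet with method EAP <NAME> (<type>)"
METHOD_RE = re.compile(
    r"^\((\d+)\) (eap|inner-eap): Peer sent packet with method EAP (\S+) \((\d+)\)")
# "(N) eap: Peer NAK'd asking for unsupported EAP type <NAME> (<type>)"
NAK_RE = re.compile(
    r"^\((\d+)\) eap: Peer NAK'd asking for unsupported EAP type \S+ \((\d+)\)")
# "(N) Sent Access-Accept Id ..." / "(N) Sent Access-Reject Id ..."
RESULT_RE = re.compile(r"^\((\d+)\) Sent Access-(Accept|Reject) Id \d+ ")

EAP_MD5 = 4  # EAP type number for MD5-Challenge


class EapEvent(NamedTuple):
    request: int
    module: str   # "eap" = outer server, "inner-eap" = inside the TLS tunnel
    method: str   # e.g. "TTLS", "MD5", "NAK"
    type_id: int


def parse_eap_events(text):
    """Every EAP method the outer or inner eap module processed, per request."""
    events = []
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m:
            events.append(EapEvent(int(m.group(1)), m.group(2),
                                   m.group(3), int(m.group(4))))
    return events


def parse_results(text):
    """Map request number -> 'Accept' or 'Reject' from the final Sent line."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results[int(m.group(1))] = m.group(2)
    return results


def untunneled_md5_accepts(text):
    """Requests where the OUTER eap module processed EAP-MD5 and the request
    still ended in Access-Accept. With the configuration above this must be
    empty; anything here means MD5 ran in the clear."""
    results = parse_results(text)
    return sorted({e.request for e in parse_eap_events(text)
                   if e.module == "eap" and e.type_id == EAP_MD5
                   and results.get(e.request) == "Accept"})


def tunneled_md5_accepts(text):
    """Requests where EAP-MD5 was handled by inner-eap (inside TTLS) and
    accepted: the intended, allowed path."""
    results = parse_results(text)
    return sorted({e.request for e in parse_eap_events(text)
                   if e.module == "inner-eap" and e.type_id == EAP_MD5
                   and results.get(e.request) == "Accept"})


def refused_outer_md5(text):
    """Requests where the outer eap module refused an MD5 NAK and the request
    was rejected: the expected outcome for a bare EAP-MD5 attempt."""
    results = parse_results(text)
    return sorted({int(m.group(1)) for m in map(NAK_RE.match, text.splitlines())
                   if m and int(m.group(2)) == EAP_MD5
                   and results.get(int(m.group(1))) == "Reject"})


if __name__ == "__main__":
    print("MD5 accepted outside the tunnel:", untunneled_md5_accepts(SAMPLE_LOG))
    print("MD5 accepted inside TTLS:      ", tunneled_md5_accepts(SAMPLE_LOG))
    print("bare MD5 refused:              ", refused_outer_md5(SAMPLE_LOG))
```

Run it against a real `freeradius -X` capture instead of `SAMPLE_LOG` after a config change: a non-empty result from `untunneled_md5_accepts` is the regression the question is trying to avoid, while `tunneled_md5_accepts` confirms the inner-eap path is the only one where MD5 succeeds.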