How does FreeRADIUS block EAP-MD5 when it is not used within EAP-TTLS?

I am new to this feature and I am trying to get freeradius to block MD5 authentication when it is not used inside a TLS tunnel (eap-ttls). I still want MD5 authentication enabled as an inner method of TTLS.

I tried a few things to get it working, but I would like to know whether this is the right way to do it, and I do not want to break something that could cause bugs in the future.

  • Created a symlink in mods-enabled so that the inner-eap module file can be used.
  • Then changed the default authentication in the inner-eap module to MD5.
  • Commented out the MD5 part of the eap module (not the inner one).
  • Commented out the eap lines in sites-enabled/inner-tunnel and replaced them with inner-eap:
    # sites-enabled/inner-tunnel
    authorize {
      # inner-eap handles EAP inside the TTLS tunnel (MD5 allowed here)
      inner-eap {
        ok = return
      }
      # default config, commented out:
      #eap {
      #  ok = return
      #}
    }

    authenticate {
      #eap
      inner-eap
    }


When I tested it, MD5 did not seem to be used outside the eap-ttls method, as expected.

This is what I get from freeradius:

(4) Received Access-Request Id 184 from X.X.X.X:X to X.X.X.X:X length 156
(4)   User-Name = "Anonymous"
(4)   Called-Station-Id = "XX-XX-XX-XX-XX-XX"
(4)   Calling-Station-Id = "XX:XX:XX:XX:XX:XX"
(4)   NAS-Identifier = "XX-XX-XX-XX-XX-XX"
(4)   NAS-IP-Address = XXX.XXX.XXX.XXX
(4)   NAS-Port = 5
(4)   Framed-MTU = 1500
(4)   NAS-Port-Type = Ethernet
(4)   State = 0x2f4dfb6f2f4fee7b659f82a7ed5ceb4d
(4)   EAP-Message = 0x020200060304
(4)   Message-Authenticator = 0xfa4f0a59e609bde52b1ef4494d429350
(4) Restoring &session-state
(4)   &session-state:Framed-MTU = 994
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "Anonymous", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 2 length 6
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4)     [eap] = updated
(4)     [files] = noop
(4)     [expiration] = noop
(4)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(4)     [pap] = noop
(4)   } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x2f4dfb6f2f4fee7b
(4) eap: Finished EAP session with state 0x2f4dfb6f2f4fee7b
(4) eap: Previous EAP request found for state 0x2f4dfb6f2f4fee7b, released from the list
(4) eap: Peer sent packet with method EAP NAK (3)
(4) eap: Peer NAK'd asking for unsupported EAP type MD5 (4), skipping...
(4) eap: ERROR: No mutually acceptable types found
(4) eap: Sending EAP Failure (code 4) ID 2 length 4
(4) eap: Failed in EAP select
(4)     [eap] = invalid
(4)   } # authenticate = invalid
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Post-Auth-Type REJECT {
(4) attr_filter.access_reject: EXPAND %{User-Name}
(4) attr_filter.access_reject:    --> Anonymous
(4) attr_filter.access_reject: Matched entry DEFAULT at line 11
(4)     [attr_filter.access_reject] = updated
(4)     [eap] = noop
(4)     policy remove_reply_message_if_eap {
(4)       if (&reply:EAP-Message && &reply:Reply-Message) {
(4)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(4)       else {
(4)         [noop] = noop
(4)       } # else = noop
(4)     } # policy remove_reply_message_if_eap = noop
(4)   } # Post-Auth-Type REJECT = updated
(4) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 182 from X.X.X.X:X to X.X.X.X:X length 44
(1)   EAP-Message = 0x04020004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(4) Sending delayed response
(4) Sent Access-Reject Id 184 from X.X.X.X:X to X.X.X.X:X length 44
(4)   EAP-Message = 0x04020004
(4)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 181 with timestamp +42 due to cleanup_delay was reached
(1) Cleaning up request packet ID 182 with timestamp +42 due to cleanup_delay was reached
(3) Cleaning up request packet ID 183 with timestamp +42 due to cleanup_delay was reached
(4) Cleaning up request packet ID 184 with timestamp +42 due to cleanup_delay was reached
Ready to process requests

When using EAP-TTLS/MD5:

(10) Received Access-Request Id 211 from X.X.X.X:X to X.X.X.X:X length 217
(10)   User-Name = "Anonymous"
(10)   Called-Station-Id = "X-X-X-X-X-X"
(10)   Calling-Station-Id = "X:X:X:X:X:X"
(10)   NAS-Identifier = "X-X-X-X-X-X"
(10)   NAS-IP-Address = X.X.X.X
(10)   NAS-Port = 5
(10)   Framed-MTU = 1500
(10)   NAS-Port-Type = Ethernet
(10)   State = 0xb09f6f25b5987ab45a49d44c79fdc272
(10)   EAP-Message = 0x0207004315001703030038c6adbb5c16c6c563e2d83bf6c77dbeea42301a1860182204dbf2239a4b934c9f79824ceea2bf5bb725fc7f8576a7deddf907300e0a52bb0e
(10)   Message-Authenticator = 0x1a63f12a15f8031ce35ebd7c8732aed7
(10) Restoring &session-state
(10)   &session-state:Framed-MTU = 994
(10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(10)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10)   &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10)   authorize {
(10)     policy filter_username {
(10)       if (&User-Name) {
(10)       if (&User-Name)  -> TRUE
(10)       if (&User-Name)  {
(10)         if (&User-Name =~ / /) {
(10)         if (&User-Name =~ / /)  -> FALSE
(10)         if (&User-Name =~ /@[^@]*@/ ) {
(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)         if (&User-Name =~ /\.\./ ) {
(10)         if (&User-Name =~ /\.\./ )  -> FALSE
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(10)         if (&User-Name =~ /\.$/)  {
(10)         if (&User-Name =~ /\.$/)   -> FALSE
(10)         if (&User-Name =~ /@\./)  {
(10)         if (&User-Name =~ /@\./)   -> FALSE
(10)       } # if (&User-Name)  = notfound
(10)     } # policy filter_username = notfound
(10)     [preprocess] = ok
(10)     [chap] = noop
(10)     [mschap] = noop
(10)     [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "Anonymous", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)     [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 7 length 67
(10) eap: Continuing tunnel setup
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10)   authenticate {
(10) eap: Expiring EAP session with state 0xf1a81cfaf3ac0960
(10) eap: Finished EAP session with state 0xb09f6f25b5987ab4
(10) eap: Previous EAP request found for state 0xb09f6f25b5987ab4, released from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: (TLS) EAP Done initial handshake
(10) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(10) eap_ttls: Got tunneled request
(10) eap_ttls:   EAP-Message = 0x0201001604102f20220e77c8250f43b6902c2c91ba28
(10) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_ttls: Sending tunneled request
(10) Virtual server inner-tunnel received request
(10)   EAP-Message = 0x0201001604102f20220e77c8250f43b6902c2c91ba28
(10)   FreeRADIUS-Proxied-To = 127.0.0.1
(10)   User-Name = "bob"
(10)   State = 0xb9681c83b969189d0d90e6d70aad92ec
(10) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(10) server inner-tunnel {
(10)   session-state: No cached attributes
(10)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10)     authorize {
(10)       policy filter_username {
(10)         if (&User-Name) {
(10)         if (&User-Name)  -> TRUE
(10)         if (&User-Name)  {
(10)           if (&User-Name =~ / /) {
(10)           if (&User-Name =~ / /)  -> FALSE
(10)           if (&User-Name =~ /@[^@]*@/ ) {
(10)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)           if (&User-Name =~ /\.\./ ) {
(10)           if (&User-Name =~ /\.\./ )  -> FALSE
(10)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(10)           if (&User-Name =~ /\.$/)  {
(10)           if (&User-Name =~ /\.$/)   -> FALSE
(10)           if (&User-Name =~ /@\./)  {
(10)           if (&User-Name =~ /@\./)   -> FALSE
(10)         } # if (&User-Name)  = notfound
(10)       } # policy filter_username = notfound
(10)       [chap] = noop
(10)       [mschap] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "bob", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)       [suffix] = noop
(10)       update control {
(10)         &Proxy-To-Realm := LOCAL
(10)       } # update control = noop
(10) inner-eap: Peer sent EAP Response (code 2) ID 1 length 22
(10) inner-eap: No EAP Start, assuming it's an on-going EAP conversation
(10)       [inner-eap] = updated
(10) files: users: Matched entry bob at line 87
(10) files: EXPAND Hello, %{User-Name}
(10) files:    --> Hello, bob
(10)       [files] = ok
(10)       [expiration] = noop
(10)       [logintime] = noop
(10) pap: WARNING: Auth-Type already set.  Not setting to PAP
(10)       [pap] = noop
(10)     } # authorize = updated
(10)   Found Auth-Type = inner-eap
(10)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10)     authenticate {
(10) inner-eap: Expiring EAP session with state 0xb9681c83b969189d
(10) inner-eap: Finished EAP session with state 0xb9681c83b969189d
(10) inner-eap: Previous EAP request found for state 0xb9681c83b969189d, released from the list
(10) inner-eap: Peer sent packet with method EAP MD5 (4)
(10) inner-eap: Calling submodule eap_md5 to process data
(10) inner-eap: Sending EAP Success (code 3) ID 1 length 4
(10) inner-eap: Freeing handler
(10)       [inner-eap] = ok
(10)     } # authenticate = ok
(10)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10)     post-auth {
(10)       if (0) {
(10)       if (0)  -> FALSE
(10)     } # post-auth = noop
(10) } # server inner-tunnel
(10) Virtual server sending reply
(10)   Reply-Message = "Hello, bob"
(10)   EAP-Message = 0x03010004
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   User-Name = "bob"
(10) eap_ttls: Got tunneled Access-Accept
(10) eap: Sending EAP Success (code 3) ID 7 length 4
(10) eap: Freeing handler
(10)     [eap] = ok
(10)   } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(10)   post-auth {
(10)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(10)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(10)     update {
(10)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec'
(10)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished'
(10)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(10)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(10)     } # update = noop
(10)     [exec] = noop
(10)     policy remove_reply_message_if_eap {
(10)       if (&reply:EAP-Message && &reply:Reply-Message) {
(10)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(10)       else {
(10)         [noop] = noop
(10)       } # else = noop
(10)     } # policy remove_reply_message_if_eap = noop
(10)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
(10)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
(10)   } # post-auth = noop
(10) Sent Access-Accept Id 211 from X.X.X.X:X to X.X.X.X:X length 177

Is this the right approach? If not, what would you do?

I would also like to add that I see

(10) WARNING: Outer User-Name is not anonymized. User privacy is compromised.

in the last log. Should I take it seriously? The supplicant connects using an anonymous identity, so the request should be anonymous.
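As an added check on the setup described in the question (this script is not part of the question or of FreeRADIUS), the following Python reads a radiusd -X debug log and reports, per request number, whether MD5 was seen by the outer eap module (negotiated directly or requested through a NAK) or only by inner-eap inside the TTLS tunnel, what the outer identity was, and whether the "Outer User-Name is not anonymized" warning was logged. The embedded sample is a shortened excerpt of the two logs quoted above; the line formats it matches are the ones shown there, while the function names and the verdict labels are my own.

```python
"""Summarise EAP method selection from a FreeRADIUS 3.x debug log (radiusd -X).

Added example, not part of the original question or of FreeRADIUS itself.
It groups debug output by request number, records which EAP method the outer
`eap` module saw, which method `inner-eap` saw inside the TTLS tunnel, and
whether the server logged the outer-identity warning, so the policy
"MD5 only inside the tunnel" can be checked from the log itself.
"""
import re
from collections import defaultdict

# Line formats below match the lines quoted in the question (FreeRADIUS 3.0).
REQ_RE = re.compile(r"^\((\d+)\)\s*(.*)$")
OUTER_METHOD_RE = re.compile(r"^eap: Peer sent packet with method EAP (\S+) \((\d+)\)")
INNER_METHOD_RE = re.compile(r"^inner-eap: Peer sent packet with method EAP (\S+) \((\d+)\)")
NAK_RE = re.compile(r"^eap: Peer NAK'd asking for unsupported EAP type (\S+) \((\d+)\)")
USER_RE = re.compile(r'^User-Name = "([^"]*)"')
RESULT_RE = re.compile(r"^Sent Access-(Accept|Reject) Id \d+")
ANON_WARNING = "WARNING: Outer User-Name is not anonymized"


def new_record():
    return {"outer_user": None, "outer_method": None, "nak_for": None,
            "inner_method": None, "anon_warning": False, "result": None}


def summarise(log_text):
    """Return {request_number: record} built from the debug log text."""
    requests = defaultdict(new_record)
    for raw in log_text.splitlines():
        m = REQ_RE.match(raw)
        if not m:
            continue  # timers, "Ready to process requests", etc.
        rid, body = int(m.group(1)), m.group(2).strip()
        rec = requests[rid]
        if (u := USER_RE.match(body)) and rec["outer_user"] is None:
            rec["outer_user"] = u.group(1)  # first User-Name seen is the outer one
        elif (om := OUTER_METHOD_RE.match(body)):
            rec["outer_method"] = om.group(1)
        elif (nk := NAK_RE.match(body)):
            rec["nak_for"] = nk.group(1)
        elif (im := INNER_METHOD_RE.match(body)):
            rec["inner_method"] = im.group(1)
        elif body.startswith(ANON_WARNING):
            rec["anon_warning"] = True
        elif (r := RESULT_RE.match(body)):
            rec["result"] = "Access-" + r.group(1)
    return dict(requests)


def classify(rec):
    """Policy verdict for one request (labels are this example's own).

    MD5 in the outer conversation, whether negotiated directly or asked for
    via a NAK, must never end in Access-Accept; MD5 seen only by inner-eap
    is the intended TTLS/MD5 case.
    """
    if rec["outer_method"] == "MD5" or rec["nak_for"] == "MD5":
        if rec["result"] == "Access-Accept":
            return "md5-in-clear-accepted"  # policy violation
        return "md5-in-clear-rejected"
    if rec["inner_method"] == "MD5":
        return "md5-inside-tunnel"
    return "no-md5"


def report(log_text):
    """Map request number -> (verdict, outer identity, anonymity warning seen)."""
    return {rid: (classify(rec), rec["outer_user"], rec["anon_warning"])
            for rid, rec in summarise(log_text).items()}


# Constructed sample: a shortened excerpt of the two logs quoted in the question.
SAMPLE_LOG = """\
(4) Received Access-Request Id 184 from X.X.X.X:X to X.X.X.X:X length 156
(4)   User-Name = "Anonymous"
(4)   EAP-Message = 0x020200060304
(4) eap: Peer sent packet with method EAP NAK (3)
(4) eap: Peer NAK'd asking for unsupported EAP type MD5 (4), skipping...
(4) eap: ERROR: No mutually acceptable types found
(4) Sent Access-Reject Id 184 from X.X.X.X:X to X.X.X.X:X length 44
Ready to process requests
(10) Received Access-Request Id 211 from X.X.X.X:X to X.X.X.X:X length 217
(10)   User-Name = "Anonymous"
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) Virtual server inner-tunnel received request
(10)   User-Name = "bob"
(10) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(10) inner-eap: Peer sent packet with method EAP MD5 (4)
(10) eap_ttls: Got tunneled Access-Accept
(10) Sent Access-Accept Id 211 from X.X.X.X:X to X.X.X.X:X length 177
"""

if __name__ == "__main__":
    for rid, (verdict, user, warned) in sorted(report(SAMPLE_LOG).items()):
        print(f"request {rid}: {verdict}, outer identity {user!r}, anonymity warning: {warned}")
```

Run it against a full radiusd -X capture (replace SAMPLE_LOG with the file contents) after each configuration change: any request classified as md5-in-clear-accepted means the outer eap module still accepts MD5, and requests that end in md5-in-clear-rejected show the NAK for MD5 being refused outside the tunnel, which is the behaviour the question's first log shows.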
