Server role based on Filter-Id with FreeRADIUS is not working
I am setting up a wireless lab. User guest123 with password guest123 authenticates over wireless using 802.1X. FreeRADIUS should also return Filter-Id => labguest. A rule on the wireless controller sets the user role to the Filter-Id value returned during the RADIUS exchange.
Instead, the request/response exchange goes back and forth ten times and the user is assigned the default role, "authenticated".
Quick questions before getting into the details: what am I doing wrong, and is there an automated tool for analyzing freeradius -X output and making recommendations?
Simple command-line tests from both the wireless controller and FreeRADIUS show both the authentication and the returned attributes.
Here is the part that works
From FreeRADIUS:
root@ubuntu:/etc/freeradius# radtest guest123 guest123 localhost 0 testing123
User-Name = "guest123"
User-Password = "guest123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "guest123"
Received Access-Accept Id 184 from 127.0.0.1:1812 to 0.0.0.0:0 length 36
Service-Type = Framed-User
Filter-Id = "labguest"
From the Aruba controller:
The "labguest" role is defined here:
user-role labguest
access-list session global-sacl
access-list session apprf-labguest-sacl
access-list session "Cant ping controller"
access-list session allowall
access-list session v6-allowall
The rule that assigns the user role based on Filter-Id is here:
aaa server-group "lab-emp_srvgrp-kqh72"
auth-server radius1
set role condition Filter-Id value-of
Here is the part that is broken
After wireless authentication with 802.1X, the user gets the default 802.1X role, "authenticated", rather than "labguest".
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X
VLAN Derivation: Default VLAN
FreeRADIUS Version 3.0.15
<<<deleted debug output>>>
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 50900
Listening on proxy address :: port 60069
Ready to process requests
(0) Received Access-Request Id 42 from 192.168.18.254:40607 to 192.168.18.249:1812 length 175
(0) User-Name = "guest123"
(0) NAS-IP-Address = 192.168.18.254
(0) NAS-Port = 0
(0) NAS-Identifier = "192.168.18.254"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "4439C459E564"
(0) Called-Station-Id = "000B86BE91F0"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1100
(0) EAP-Message = 0x0202000d016775657374313233
(0) Aruba-Essid-Name = "lab-emp"
(0) Aruba-Location-Id = "AP1"
(0) Aruba-AP-Group = "lab1"
(0) Message-Authenticator = 0x6780aa98cfe6f147e8334301882c9c1f
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "guest123", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 2 length 13
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 3 length 6
(0) eap: EAP session adding &reply:State = 0xedb76556edb4700e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 42 from 192.168.18.249:1812 to 192.168.18.254:40607 length 0
(0) EAP-Message = 0x010300061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xedb76556edb4700e88dcdd844646037b
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 43 from 192.168.18.254:40607 to 192.168.18.249:1812 length 186
(1) User-Name = "guest123"
(1) NAS-IP-Address = 192.168.18.254
(1) NAS-Port = 0
(1) NAS-Identifier = "192.168.18.254"
(1) NAS-Port-Type = Wireless-802.11
(1) Calling-Station-Id = "4439C459E564"
(1) Called-Station-Id = "000B86BE91F0"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1100
(1) EAP-Message = 0x020300060319
(1) State = 0xedb76556edb4700e88dcdd844646037b
(1) Aruba-Essid-Name = "lab-emp"
(1) Aruba-Location-Id = "AP1"
(1) Aruba-AP-Group = "lab1"
(1) Message-Authenticator = 0xfe39826a334b5ddbe8fa4012037a87d8
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "guest123", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 3 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry guest123 at line 82
(1) [files] = ok
(1) sql: EXPAND %{User-Name}
(1) sql: --> guest123
(1) sql: SQL-User-Name set to 'guest123'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'guest123' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'guest123' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'guest123' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'guest123' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname=radius host=localhost user=radius password=********
Connected to database 'radius' on 'localhost' server version 90510, protocol version 3, backend PID 1714
(1) [sql] = notfound
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xedb76556edb4700e
(1) eap: Finished EAP session with state 0xedb76556edb4700e
(1) eap: Previous EAP request found for state 0xedb76556edb4700e, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 4 length 6
(1) eap: EAP session adding &reply:State = 0xedb76556ecb37c0e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 43 from 192.168.18.249:1812 to 192.168.18.254:40607 length 0
(1) Service-Type = Framed-User
(1) Framed-Filter-Id = "labguest"
(1) EAP-Message = 0x010400061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xedb76556ecb37c0e88dcdd844646037b
(1) Finished request
Waking up in 4.9 seconds.
<<<deleted generally repeating debug output>>>
(10) Received Access-Request Id 52 from 192.168.18.254:40607 to 192.168.18.249:1812 length 223
(10) User-Name = "guest123"
(10) NAS-IP-Address = 192.168.18.254
(10) NAS-Port = 0
(10) NAS-Identifier = "192.168.18.254"
(10) NAS-Port-Type = Wireless-802.11
(10) Calling-Station-Id = "4439C459E564"
(10) Called-Station-Id = "000B86BE91F0"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1100
(10) EAP-Message = 0x020c002b190017030100209568f164a54cf0e2aa3c<<<more deleted>>>
(10) State = 0xedb76556e4bb7c0e88dcdd844646037b
(10) Aruba-Essid-Name = "lab-emp"
(10) Aruba-Location-Id = "AP1"
(10) Aruba-AP-Group = "lab1"
(10) Message-Authenticator = 0x2277c43d40495abc84afcfee2d7af56b
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "guest123", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 12 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xedb76556e4bb7c0e
(10) eap: Finished EAP session with state 0xedb76556e4bb7c0e
(10) eap: Previous EAP request found for state 0xedb76556e4bb7c0e, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 12 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(10) post-auth {
(10) update {
(10) No attributes updated
(10) } # update = noop
(10) sql: EXPAND .query
(10) sql: --> .query
(10) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(10) sql: EXPAND %{User-Name}
(10) sql: --> guest123
(10) sql: SQL-User-Name set to 'guest123'
(10) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(10) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'guest123', '', 'Access-Accept', '2017-12-06 05:15:26')
(10) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'guest123', '', 'Access-Accept', '2017-12-06 05:15:26')
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(10) sql: SQL query returned: success
(10) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(10) [sql] = ok
(10) [exec] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) } # post-auth = ok
(10) Sent Access-Accept Id 52 from 192.168.18.249:1812 to 192.168.18.254:40607 length 0
(10) MS-MPPE-Recv-Key = 0xa5ded2c64f1026f75e105877bcc5715f3712051d16c7977a680fd50a2bd53352
(10) MS-MPPE-Send-Key = 0x5ccf08fba6d8803a9ac0478c8b02bd8c9ea5829c6c3d389410eed4f36fb06692
(10) EAP-Message = 0x030c0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "guest123"
(10) Finished request
Waking up in 4.8 seconds.
(0) Cleaning up request packet ID 42 with timestamp +29
(1) Cleaning up request packet ID 43 with timestamp +29
(2) Cleaning up request packet ID 44 with timestamp +29
(3) Cleaning up request packet ID 45 with timestamp +29
(4) Cleaning up request packet ID 46 with timestamp +29
(5) Cleaning up request packet ID 47 with timestamp +29
(6) Cleaning up request packet ID 48 with timestamp +29
(7) Cleaning up request packet ID 49 with timestamp +29
(8) Cleaning up request packet ID 50 with timestamp +29
(9) Cleaning up request packet ID 51 with timestamp +29
(10) Cleaning up request packet ID 52 with timestamp +29
Ready to process requests
Expected result:
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: labguest (how: ROLE_DERIVATION_DOT1X_SDR)
Actual result:
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.16.23, MAC: 44:39:c4:59:e5:64, Age: 00:00:05
Role: authenticated (how: ROLE_DERIVATION_DOT1X)
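The question asks whether anything can read freeradius -X output automatically. The script below is an added example, not code from the original post or from the FreeRADIUS project, that does the narrow check relevant here: it groups the debug log by request number, records which modules ran in each request's authorize section and which attributes were attached to each reply, then reports whether Filter-Id reached the final Access-Accept or was only attached to an Access-Challenge (a NAS acts only on the attributes of the Accept). The sample log is constructed, condensed from the shape of the output above. Two things are assumptions drawn from this page rather than FreeRADIUS behaviour the script verifies itself: the log above prints attribute 11 as Framed-Filter-Id, so both spellings are treated as the same attribute, and the advice about listing files before eap reflects the fix reported on this page.

```python
"""Scan `freeradius -X` output for reply attributes that never reach the NAS."""
import re

REQ_LINE = re.compile(r"^\((\d+)\)\s*(.*)$")
SENT = re.compile(r"^Sent (Access-(?:Accept|Reject|Challenge)) Id \d+")
MODULE = re.compile(r"^\[(\w+)\] = (\w+)")
ATTR = re.compile(r"^([\w-]+) = (.*)$")
# Assumption: both spellings seen in debug logs name RADIUS attribute 11.
FILTER_NAMES = ("Filter-Id", "Framed-Filter-Id")


def parse_debug(text):
    """Group a -X log by request number: modules run in authorize, reply type,
    reply attributes. Lines without a "(n)" prefix (startup banner, SQL pool
    messages, wrapped continuations) are ignored, so re-join wrapped lines."""
    requests, phase = {}, {}
    for raw in text.splitlines():
        m = REQ_LINE.match(raw.strip())
        if not m:
            continue
        req, body = int(m.group(1)), m.group(2).strip()
        e = requests.setdefault(req, {"reply_type": None, "reply": {}, "authorize": []})
        sent = SENT.match(body)
        if body.startswith("Received Access-Request"):
            phase[req] = "request"        # request attributes follow; skip them
        elif body == "authorize {":
            phase[req] = "authorize"
        elif body.startswith("} # authorize"):
            phase[req] = None
        elif sent:
            e["reply_type"], phase[req] = sent.group(1), "reply"
        elif body.startswith("Finished request"):
            phase[req] = None
        elif phase.get(req) == "authorize" and MODULE.match(body):
            mod = MODULE.match(body)
            e["authorize"].append((mod.group(1), mod.group(2)))
        elif phase.get(req) == "reply" and ATTR.match(body):
            attr = ATTR.match(body)
            e["reply"][attr.group(1)] = attr.group(2).strip('"')
    return requests


def diagnose(requests, names=FILTER_NAMES, source_module="files"):
    """Did `names` reach the last Access-Accept? If not, say why."""
    accepts = sorted(r for r, e in requests.items() if e["reply_type"] == "Access-Accept")
    challenges = sorted(r for r, e in requests.items()
                        if e["reply_type"] == "Access-Challenge"
                        and any(n in e["reply"] for n in names))
    out = {"accept_request": accepts[-1] if accepts else None, "accept_has_attr": False,
           "challenges_with_attr": challenges, "advice": []}
    if not accepts:
        out["advice"].append("no Access-Accept in log; EAP never completed")
        return out
    acc = requests[accepts[-1]]
    out["accept_has_attr"] = any(n in acc["reply"] for n in names)
    if out["accept_has_attr"]:
        out["advice"].append("OK: %s is on the Access-Accept" % names[0])
        return out
    if challenges:
        out["advice"].append("%s was sent on Access-Challenge %s but not on the final "
                             "Access-Accept; the NAS only acts on the Accept" % (names[0], challenges))
    ran = [mod for mod, _ in acc["authorize"]]
    if source_module not in ran and ("eap", "ok") in acc["authorize"]:
        out["advice"].append("request %d: authorize returned at eap (ok = return) before %s "
                             "ran; list %s before eap in sites-enabled/default"
                             % (accepts[-1], source_module, source_module))
    return out


# Constructed sample condensed from the shape of the log in the question: the
# NAK->PEAP round (1), where files ran and the challenge carried the attribute,
# and the final round (10), where eap short-circuited authorize.
BROKEN_LOG = """\
(1) Received Access-Request Id 43 from 192.168.18.254:40607 to 192.168.18.249:1812 length 186
(1)   User-Name = "guest123"
(1)   authorize {
(1)     [eap] = updated
(1)     [files] = ok
(1)   } # authorize = updated
(1) Sent Access-Challenge Id 43 from 192.168.18.249:1812 to 192.168.18.254:40607 length 0
(1)   Framed-Filter-Id = "labguest"
(1)   EAP-Message = 0x010400061920
(1) Finished request
(10) Received Access-Request Id 52 from 192.168.18.254:40607 to 192.168.18.249:1812 length 223
(10)   User-Name = "guest123"
(10)   authorize {
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Sent Access-Accept Id 52 from 192.168.18.249:1812 to 192.168.18.254:40607 length 0
(10)   EAP-Message = 0x030c0004
(10)   User-Name = "guest123"
(10) Finished request
"""
# Same final round after listing files ahead of eap (constructed).
FIXED_LOG = BROKEN_LOG.replace("(10)     [eap] = ok", "(10)     [files] = ok\n(10)     [eap] = ok")
FIXED_LOG = FIXED_LOG.replace("(10)   EAP-Message", '(10)   Filter-Id = "labguest"\n(10)   EAP-Message')

if __name__ == "__main__":
    for label, log in (("broken", BROKEN_LOG), ("fixed", FIXED_LOG)):
        for line in diagnose(parse_debug(log))["advice"]:
            print("%s: %s" % (label, line))
```

Run it as `python3 radius_reply_check.py` (any file name works) or feed a real capture with `parse_debug(open("debug.log").read())`. On a log pasted from a web page, re-join the wrapped lines first: a continuation line has no `(n)` prefix and is skipped, so a wrapped `Sent Access-Accept` line would be missed.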
2 Answers
I posted on the Aruba Airheads community and then opened a case with Aruba/HPE support. After analyzing the logs and packet captures, the Aruba/HPE support engineer said:
"I would like to inform you that I have gone through the packet capture and attached screenshots from the same based on what we observed; as seen in the CP-Accept screenshot, we see the RADIUS Accept when the user authenticated with Captive Portal. We see in the accept packet that the server sends the attribute 'labguest' to the controller to assign the user role.
In the case of the Dot1x-Accept screenshot, we do not see any attributes sent by the server in the accept packet when the user authenticated with dot1x authentication.
Please check on the server side whether we need to enable sending the attribute for MSCHAPv2 along with the PAP protocol, or whether there are any specific configurations on the server that handle the attributes to be sent based on the authentication type."
I then posted to the FreeRADIUS users list. The response:
"The solution is to move the "files" module before "eap". Edit sites-enabled/default. Look at the "authorize" section."
It works. Excerpt from the edited sites-enabled/default:
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The EAP module returns "ok" or "updated" if it is not yet ready
# to authenticate the user. The configuration below checks for
# "ok", and stops processing the "authorize" section if so.
#
# Any LDAP and/or SQL servers will not be queried for the
# initial set of packets that go back and forth to set up
# TTLS or PEAP.
#
# The "updated" check is commented out for compatibility with
# previous versions of this configuration, but you may wish to
# uncomment it as well; this will further reduce the number of
# LDAP and/or SQL queries for TTLS or PEAP.
#
files
eap {
ok = return
# updated = return
}
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# mods-available/passwd module.
#
# unix
#
# Read the 'users' file. In v3, this is located in
# raddb/mods-config/files/authorize
# files
Tests from the Aruba controller:
(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose
Authentication Successful
Processing time (ms) : 6.407
Attribute value pairs in request
--------------------------------
Vendor Attribute Value
------ --------- -----
NAS-IP-Address 192.168.18.254
NAS-Port-Id 0
NAS-Port-Type Wireless-IEEE802.11
User-Name guest123
Service-Type Login-User
Calling-Station-Id 0.0.0.0
Called-Station-Id 000B86BE91F0
Microsoft MS-CHAP-Challenge \032\241\007[\002(\\321j5\001v\221lf\236
Microsoft MS-CHAP2-Response
Aruba Aruba-Essid-Name
Aruba Aruba-Location-Id N/A
Aruba Aruba-AP-Group N/A
Aruba Aruba-Device-Type
Message-Auth I\365\262\357\365o{s\264\270\246\022Cz\264-
PW_RADIUS_ID H
Rad-Length 199
Attribute value pairs in response
---------------------------------
Vendor Attribute Value
------ --------- -----
Service-Type Framed-User
Filter-Id labguest
Microsoft MS-CHAP2-Success
Microsoft MS-MPPE-Recv-Key \205g8\374\333\260\031\306\3379\321\220\273\273\355\024\277\210Q\003\226\004M>\372\307p6\273&\322\231N\253
Microsoft MS-MPPE-Send-Key \215\277d\301f\207A\215!\376\345.\324\177BM\364\310\251p\263\224\315 \012\001\035:\327\253\314\016\026\243
Microsoft MS-MPPE-Encryption-Policy
Microsoft MS-MPPE-Encryption-Types
PW_RADIUS_ID H
Rad-Length 195
PW_RADIUS_CODE \002
PW_RAD_AUTHENTICATOR }\203!\353\244}\215,\216\203J]\027\247\325\272
(Master1) # show user mac fc:c2:de:13:d6:15
Name: guest123, IP: 192.168.16.3, MAC: fc:c2:de:13:d6:15, Age: 00:00:00
Role: labguest (how: ROLE_DERIVATION_DOT1X_SDR), ACL: 71/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X_SDR
VLAN Derivation: Default VLAN
Note that the edit to sites-enabled/default was made on a clean install of FreeRADIUS, not to undo any earlier monkeying around.
If this attribute is set by a RADIUS server that FreeRADIUS has to proxy to, you need to edit the files:
mods-config/attr_filter/pre-proxy and post-proxy
adding, among the attributes you allow to be proxied, also:
Filter-Id =* ANY