After connecting a Cisco device to the RADIUS server, RADIUS authentication fails. The server output is as follows:

marksong59296 (Level 1)
Received Access-Request Id 26 from 192.168.12.10:32768 to 192.168.11.122:1812 length 227
(34) User-Name = "test2"
(34) Chargeable-User-Identity = 0x00
(34) Location-Capable = Civic-Location
(34) Calling-Station-Id = "90-b0-ed-78-12-45"
(34) Called-Station-Id = "54-4a-00-47-10-00:lb_test"
(34) NAS-Port = 1
(34) Cisco-AVPair = "audit-session-id=0a0ca8c00000000e3b747f5d"
(34) NAS-IP-Address = 192.168.12.10
(34) NAS-Identifier = "test12"
(34) Airespace-Wlan-Id = 1
(34) Service-Type = Framed-User
(34) Framed-MTU = 1300
(34) NAS-Port-Type = Wireless-802.11
(34) EAP-Message = 0x020200080319152b
(34) State = 0x1d433afd1d413e101c2bff7c06bd3be9
(34) Message-Authenticator = 0xc5efd75213b0499c6d00f469f24a41de
(34) session-state: No cached attributes
(34) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(34) authorize {
(34) policy filter_username {
(34) if (&User-Name) {
(34) if (&User-Name) -> TRUE
(34) if (&User-Name) {
(34) if (&User-Name =~ / /) {
(34) if (&User-Name =~ / /) -> FALSE
(34) if (&User-Name =~ /@[^@]*@/ ) {
(34) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(34) if (&User-Name =~ /\.\./ ) {
(34) if (&User-Name =~ /\.\./ ) -> FALSE
(34) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(34) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(34) if (&User-Name =~ /\.$/) {
(34) if (&User-Name =~ /\.$/) -> FALSE
(34) if (&User-Name =~ /@\./) {
(34) if (&User-Name =~ /@\./) -> FALSE
(34) } # if (&User-Name) = notfound
(34) } # policy filter_username = notfound
(34) [preprocess] = ok
(34) [chap] = noop
(34) [mschap] = noop
(34) [digest] = noop
(34) suffix: Checking for suffix after "@"
(34) suffix: No '@' in User-Name = "test2", looking up realm NULL
(34) suffix: No such realm "NULL"
(34) [suffix] = noop
(34) eap: Peer sent EAP Response (code 2) ID 2 length 8
(34) eap: No EAP Start, assuming it's an on-going EAP conversation
(34) [eap] = updated
(34) [files] = noop
(34) sql: EXPAND %{User-Name}
(34) sql: --> test2
(34) sql: SQL-User-Name set to 'test2'
rlm_sql (sql): Reserved connection (28)
(34) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(34) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
(34) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
(34) sql: User found in radcheck table
(34) sql: Conditional check items matched, merging assignment check items
(34) sql: Cleartext-Password := "test2"
(34) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(34) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
(34) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
(34) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(34) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority
(34) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority
(34) sql: User not found in any groups
rlm_sql (sql): Released connection (28)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (29), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.26, protocol version 10
(34) [sql] = ok
(34) [expiration] = noop
(34) [logintime] = noop
(34) pap: WARNING: Auth-Type already set. Not setting to PAP
(34) [pap] = noop
(34) } # authorize = updated
(34) Found Auth-Type = eap
(34) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(34) authenticate {
(34) eap: Expiring EAP session with state 0x1d433afd1d413e10
(34) eap: Finished EAP session with state 0x1d433afd1d413e10
(34) eap: Previous EAP request found for state 0x1d433afd1d413e10, released from the list
(34) eap: Peer sent packet with method EAP NAK (3)
(34) eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...
(34) eap: Peer NAK'd asking for unsupported EAP type TTLS (21), skipping...
(34) eap: Peer NAK'd asking for unsupported EAP type FAST (43), skipping...
(34) eap: ERROR: No mutually acceptable types found
(34) eap: Sending EAP Failure (code 4) ID 2 length 4
(34) eap: Failed in EAP select
(34) [eap] = invalid
(34) } # authenticate = invalid
(34) Failed to authenticate the user
(34) Using Post-Auth-Type Reject
(34) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(34) Post-Auth-Type REJECT {
(34) sql: EXPAND .query
(34) sql: --> .query
(34) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (27)
(34) sql: EXPAND %{User-Name}
(34) sql: --> test2
(34) sql: SQL-User-Name set to 'test2'
(34) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(34) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test2', '', 'Access-Reject', '2019-09-16 07:39:01')
(34) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test2', '', 'Access-Reject', '2019-09-16 07:39:01')
(34) sql: SQL query returned: success
(34) sql: 1 record(s) updated
rlm_sql (sql): Released connection (27)
(34) [sql] = ok
(34) attr_filter.access_reject: EXPAND %{User-Name}
(34) attr_filter.access_reject: --> test2
(34) attr_filter.access_reject: Matched entry DEFAULT at line 11
(34) [attr_filter.access_reject] = updated
(34) [eap] = noop
(34) policy remove_reply_message_if_eap {
(34) if (&reply:EAP-Message && &reply:Reply-Message) {
(34) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(34) else {
(34) [noop] = noop
(34) } # else = noop
(34) } # policy remove_reply_message_if_eap = noop
(34) } # Post-Auth-Type REJECT = updated
(34) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(34) Sending delayed response
(34) Sent Access-Reject Id 26 from 192.168.11.122:1812 to 192.168.12.10:32768 length 44
(34) EAP-Message = 0x04020004
(34) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(33) Cleaning up request packet ID 25 with timestamp +4349
(34) Cleaning up request packet ID 26 with timestamp +4349
Ready to process requests
Could some expert take a look at this?

5 replies
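As an added worked example (not part of the original post), the following Python decodes the raw EAP-Message bytes from the debug output above and cross-checks them against the "Peer NAK'd" lines: the peer's Response is an EAP NAK listing PEAP (25), TTLS (21) and FAST (43), and the server's reply is an EAP Failure, which is what "No mutually acceptable types found" means. The helper names and the excerpt constant are my own.

```python
import re

# EAP codes and method-type numbers from RFC 3748 and the IANA EAP registry
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "NAK", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2", 43: "FAST"}

def decode_eap_message(hexstr):
    """Decode the EAP packet inside a RADIUS EAP-Message attribute as radiusd -X prints it (0x...)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a type byte
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 3:                       # NAK: payload lists the methods the peer wants
            pkt["desired"] = [EAP_TYPES.get(t, t) for t in data[5:]]
    return pkt

NAK_LINE = re.compile(r"Peer NAK'd asking for unsupported EAP type (\w+) \((\d+)\)")
EAP_MSG_LINE = re.compile(r"EAP-Message = (0x[0-9a-fA-F]+)")

def triage(log_text):
    """Cross-check the NAK recorded by rlm_eap against the raw EAP-Message bytes in the same log."""
    logged = [name for name, _ in NAK_LINE.findall(log_text)]
    msgs = [decode_eap_message(m) for m in EAP_MSG_LINE.findall(log_text)]
    nak = next((m for m in msgs if m.get("type") == "NAK"), None)
    verdict = {"logged_nak_types": logged,
               "decoded_nak_types": nak["desired"] if nak else [],
               "server_rejected": any(m["code"] == "Failure" for m in msgs)}
    verdict["consistent"] = verdict["logged_nak_types"] == verdict["decoded_nak_types"]
    verdict["finding"] = ("peer offered only " + "/".join(logged) +
                          "; none of them is configured in the server's eap module"
                          if "No mutually acceptable types found" in log_text
                          else "no EAP type mismatch seen")
    return verdict

# Excerpt of the radiusd -X output quoted in the post above (constructed constant, not a live capture)
SAMPLE_LOG = """\
(34) EAP-Message = 0x020200080319152b
(34) eap: Peer sent packet with method EAP NAK (3)
(34) eap: Peer NAK'd asking for unsupported EAP type PEAP (25), skipping...
(34) eap: Peer NAK'd asking for unsupported EAP type TTLS (21), skipping...
(34) eap: Peer NAK'd asking for unsupported EAP type FAST (43), skipping...
(34) eap: ERROR: No mutually acceptable types found
(34) EAP-Message = 0x04020004
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The decoded NAK payload 19 15 2b is exactly PEAP/TTLS/FAST, so the mismatch is on the server side: the supplicant never offers a type the eap module has enabled.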

cisco.feng (Spotlight)
FreeRADIUS configuration problem.

Wubin2010 (Spotlight)
From the output it looks like a 1X encryption problem.

Rockyw (Spotlight)
If you also post the configuration, it will probably help with troubleshooting.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

suzhouxiaoniu (Spotlight)
It seems the authentication types on the two sides do not match. Posting the relevant configuration would make it easier for everyone to troubleshoot.

ZhuangKay9725 (Spotlight)
From the error messages, it looks like the authentication method/type differs between the server and the client.
For RADIUS, you can check the following points:
- the authentication method is configured identically on the network device and on both authenticating sides
- whether the server has a CA (either an official CA or a self-signed one)
- whether the server has the connecting network device configured as a legitimate RADIUS client