Не удается получить определенный атрибут поставщика с помощью радиуса EAP-ttls

Я новичок в радиусе и EAP. Мне не удается получить атрибуты поставщика с сервера freeradius с помощью radius и EAP-TTLS (при выполнении PAP атрибуты пользователя хорошо возвращаются сервером).

Я работаю на Linux-машине и Linux-сервере.

Я прочитал этот пост, который очень помог понять: Как и где сочетаются RADIUS и EAP?, но все равно не могу найти свою проблему.

На сервере я определил пользователя в файле конфигурации user с определенными атрибутами:

brendon Cleartext-Password := "XXX"
    IEC62351-8-RoleID = "ROLE1",
    IEC62351-8-RoleID += "ROLE2"

Проблема, с которой я сталкиваюсь, заключается в том, что сервер всегда возвращает MS_MPPE_Send_Key и MS_MPPE_Recv_Key, и я не понимаю, почему. Вот журнал, который я получаю от freeradius (работает с опцией -X):

Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 56290
Listening on proxy address :: port 38281
Ready to process requests
(0) Received Access-Request Id 26 from 10.214.232.212:52631 to 10.234.31.92:1812 length 66
(0)   EAP-Message = 0x0200000e01616e6f6e796d6f7573
(0)   NAS-Port = 0
(0)   NAS-IP-Address = 10.214.232.212
(0)   Message-Authenticator = 0x5a9d7211de5c5d4c69a26898eea105d3
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> FALSE
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Proxy reply, or no User-Name.  Ignoring
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: WARNING: NAS did not set User-Name.  Setting it locally from EAP Identity
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new EAP-TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xca6f8448ca6e893f
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 26 from 10.234.31.92:1812 to 10.214.232.212:52631 length 0
(0)   EAP-Message = 0x010100060d20
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xca6f8448ca6e893fac15f965d7a090eb
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 0 from 10.214.232.212:52633 to 10.234.31.92:1812 length 76
(1)   EAP-Message = 0x020100060315
(1)   State = 0xca6f8448ca6e893fac15f965d7a090eb
(1)   NAS-Port = 0
(1)   NAS-IP-Address = 10.214.232.212
(1)   Message-Authenticator = 0x530c1b0fc523fbad1f3826c97da0aaaa
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> FALSE
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Proxy reply, or no User-Name.  Ignoring
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xca6f8448ca6e893f
(1) eap: Finished EAP session with state 0xca6f8448ca6e893f
(1) eap: Previous EAP request found for state 0xca6f8448ca6e893f, released from the list
(1) eap: Broken NAS did not set User-Name, setting from EAP Identity
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new EAP-TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0xca6f8448cb6d913f
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 0 from 10.234.31.92:1812 to 10.214.232.212:52633 length 0
(1)   EAP-Message = 0x010200061520
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xca6f8448cb6d913fac15f965d7a090eb
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 76 from 10.214.232.212:49159 to 10.234.31.92:1812 length 162
(2)   EAP-Message = 0x0202005c150016030300510100004d030364390bf93f2a436557592deaa70503e2e0bc7de89b31ddbba6dd90dd038170d6000018006b003d003900350067003c0033002f0016000a000500040100000c000d00080006060105010401
(2)   State = 0xca6f8448cb6d913fac15f965d7a090eb
(2)   NAS-Port = 0
(2)   NAS-IP-Address = 10.214.232.212
(2)   Message-Authenticator = 0xc1f7a27c2f771c3c1b95ed0c06843925
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> FALSE
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Proxy reply, or no User-Name.  Ignoring
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 92
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xca6f8448cb6d913f
(2) eap: Finished EAP session with state 0xca6f8448cb6d913f
(2) eap: Previous EAP request found for state 0xca6f8448cb6d913f, released from the list
(2) eap: Broken NAS did not set User-Name, setting from EAP Identity
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0051] 
(2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(2) eap_ttls: >>> send TLS 1.2  [length 002a] 
(2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(2) eap_ttls: >>> send TLS 1.2  [length 08e9] 
(2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(2) eap_ttls: >>> send TLS 1.2  [length 0004] 
(2) eap_ttls: TLS_accept: SSLv3/TLS write server done
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_ttls: In SSL Handshake Phase
(2) eap_ttls: In SSL Accept mode
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0xca6f8448c86c913f
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 76 from 10.234.31.92:1812 to 10.214.232.212:49159 length 0
(2)   EAP-Message = 0x010303ec15c000000926160303002a020000260303bfeabe84c460d86d6c56c083ac65e152a3f1ff5ca2eb4e28d83375c0fc6b7a2900003d0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xca6f8448c86c913fac15f965d7a090eb
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 118 from 10.214.232.212:49161 to 10.234.31.92:1812 length 76
(3)   EAP-Message = 0x020300061500
(3)   State = 0xca6f8448c86c913fac15f965d7a090eb
(3)   NAS-Port = 0
(3)   NAS-IP-Address = 10.214.232.212
(3)   Message-Authenticator = 0x1c17e681e7392d1f17aa0e220cdacf3f
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> FALSE
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Proxy reply, or no User-Name.  Ignoring
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xca6f8448c86c913f
(3) eap: Finished EAP session with state 0xca6f8448c86c913f
(3) eap: Previous EAP request found for state 0xca6f8448c86c913f, released from the list
(3) eap: Broken NAS did not set User-Name, setting from EAP Identity
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1004
(3) eap: EAP session adding &reply:State = 0xca6f8448c96b913f
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 118 from 10.234.31.92:1812 to 10.214.232.212:49161 length 0
(3)   EAP-Message = 0x010403ec15c0000009268800a977a803b2f219926b4759cfb1dbf1ec31b1c13f81554ad12c84a916499b4aaa2ef57c091d4b2c6e574b938447f18263cb4e450c36a0a3a60004fe308204fa308203e2a00302010202143fb8f121a16d0a0ee175c15ce4ad900eecac4e86300d06092a864886f70d01010b
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xca6f8448c96b913fac15f965d7a090eb
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 227 from 10.214.232.212:49163 to 10.234.31.92:1812 length 76
(4)   EAP-Message = 0x020400061500
(4)   State = 0xca6f8448c96b913fac15f965d7a090eb
(4)   NAS-Port = 0
(4)   NAS-IP-Address = 10.214.232.212
(4)   Message-Authenticator = 0x631fd6b0ac1a7cd86c58f36e07fffe82
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> FALSE
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Proxy reply, or no User-Name.  Ignoring
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xca6f8448c96b913f
(4) eap: Finished EAP session with state 0xca6f8448c96b913f
(4) eap: Previous EAP request found for state 0xca6f8448c96b913f, released from the list
(4) eap: Broken NAS did not set User-Name, setting from EAP Identity
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 364
(4) eap: EAP session adding &reply:State = 0xca6f8448ce6a913f
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 227 from 10.234.31.92:1812 to 10.214.232.212:49163 length 0
(4)   EAP-Message = 0x0105016c158000000926551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101007e21180e883167354b7b139f27709b2f9c7f5524
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xca6f8448ce6a913fac15f965d7a090eb
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 64 from 10.214.232.212:49165 to 10.234.31.92:1812 length 436
(5)   EAP-Message = 0x0205016c1500160303010610000102010072c9a295aa179141e03937b0c18c8fae57f4ad6be416334aa40bfe0106e14d379ecbb14ae07386268808b8d6deb7f2674f094b8906f01e7b49009eb259820d355e067ece0779e5a35d8f67381692286408cdf50093ecf5518cd9aa650ab71241f5696c62ca63
(5)   State = 0xca6f8448ce6a913fac15f965d7a090eb
(5)   NAS-Port = 0
(5)   NAS-IP-Address = 10.214.232.212
(5)   Message-Authenticator = 0x33d3e95a174b6095ebbbde42cd794c61
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> FALSE
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Proxy reply, or no User-Name.  Ignoring
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 364
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xca6f8448ce6a913f
(5) eap: Finished EAP session with state 0xca6f8448ce6a913f
(5) eap: Previous EAP request found for state 0xca6f8448ce6a913f, released from the list
(5) eap: Broken NAS did not set User-Name, setting from EAP Identity
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2  [length 0106] 
(5) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_ttls: <<< recv TLS 1.2  [length 0010] 
(5) eap_ttls: TLS_accept: SSLv3/TLS read finished
(5) eap_ttls: >>> send TLS 1.2  [length 0001] 
(5) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_ttls: >>> send TLS 1.2  [length 0010] 
(5) eap_ttls: TLS_accept: SSLv3/TLS write finished
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: SSL Connection Established
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 101
(5) eap: EAP session adding &reply:State = 0xca6f8448cf69913f
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 64 from 10.234.31.92:1812 to 10.214.232.212:49165 length 0
(5)   EAP-Message = 0x0106006515800000005b14030300010116030300500e01ea4a3c1744a693a78e0c24bbaa4205b73616a68270625289080f663625794d236f222cc62bf34e901353102a08c09852c7ffd49ff1abd9ad7fdd240d0915d43ed3cbc25cfc073b20b05ecb2ce581
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xca6f8448cf69913fac15f965d7a090eb
(5) Finished request
Waking up in 4.5 seconds.
(6) Received Access-Request Id 29 from 10.214.232.212:49167 to 10.234.31.92:1812 length 177
(6)   EAP-Message = 0x0206006b15001703030060583bd9865086316dfd855e553a4eebbf201383d7c0ebee1a5d8473aff7d592465a655442fded16656e6dbbb712eff4a2655b6895ef5ec72c2aff56c914627d9df248c6e718e48cbeb53f828be82d80a3fe15a03059f9cea7832eabed3fde3cec
(6)   State = 0xca6f8448cf69913fac15f965d7a090eb
(6)   NAS-Port = 0
(6)   NAS-IP-Address = 10.214.232.212
(6)   Message-Authenticator = 0x3e371922ea1733f51a920a7298e5cbcb
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> FALSE
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Proxy reply, or no User-Name.  Ignoring
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 107
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xca6f8448cf69913f
(6) eap: Finished EAP session with state 0xca6f8448cf69913f
(6) eap: Previous EAP request found for state 0xca6f8448cf69913f, released from the list
(6) eap: Broken NAS did not set User-Name, setting from EAP Identity
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls:   User-Name = "brendon"
(6) eap_ttls:   User-Password = "hello"
(6) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6)   User-Name = "brendon"
(6)   User-Password = "hello"
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "brendon", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6)       [eap] = noop
(6) files: users: Matched entry brendon at line 230
(6)       [files] = ok
(6)       [expiration] = noop
(6)       [logintime] = noop
(6)       [pap] = updated
(6)     } # authorize = updated
(6)   Found Auth-Type = PAP
(6)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     Auth-Type PAP {
(6) pap: Login attempt with password
(6) pap: Comparing with "known good" Cleartext-Password
(6) pap: User authenticated successfully
(6)       [pap] = ok
(6)     } # Auth-Type PAP = ok
(6)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     post-auth {
(6)       if (0) {
(6)       if (0)  -> FALSE
(6)     } # post-auth = noop
(6)   Login OK: [brendon/hello] (from client whatever port 0 via TLS tunnel)
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   IEC62351-8-RoleID = "OPERATOR"
(6)   IEC62351-8-RoleID = "ENGINEER"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap: Sending EAP Success (code 3) ID 6 length 4
(6) eap: Freeing handler
(6)     [eap] = ok
(6)   } # authenticate = ok
(6) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(6)   post-auth {
(6)     update {
(6)       No attributes updated
(6)     } # update = noop
(6)     [exec] = noop
(6)     policy remove_reply_message_if_eap {
(6)       if (&reply:EAP-Message && &reply:Reply-Message) {
(6)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(6)       else {
(6)         [noop] = noop
(6)       } # else = noop
(6)     } # policy remove_reply_message_if_eap = noop
(6)   } # post-auth = noop
(6) Login OK: [anonymous/<via Auth-Type = eap>] (from client whatever port 0)
(6) Sent Access-Accept Id 29 from XX.XX.XX.XX:1812 to XX.XX.XX.XX:49167 length 0
(6)   MS-MPPE-Recv-Key = 0x612dbdf934dde72a902cbb61f7b317f0ab027e043211d743bb15f39d1b7df21b
(6)   MS-MPPE-Send-Key = 0x508c9aefdb3b61db7d53ce2232efce1ebcec0b67fb40c205639779f2b3e4e820
(6)   EAP-Message = 0x03060004
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6) Finished request
Waking up in 4.5 seconds.
(0) Cleaning up request packet ID 26 with timestamp +9
(1) Cleaning up request packet ID 0 with timestamp +9
(2) Cleaning up request packet ID 76 with timestamp +9
(3) Cleaning up request packet ID 118 with timestamp +9
(4) Cleaning up request packet ID 227 with timestamp +9
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 64 with timestamp +10
(6) Cleaning up request packet ID 29 with timestamp +10
Ready to process requests

Как мы видим в конце, сервер «знает» атрибуты, связанные с пользователем:

(6) Virtual server sending reply
(6)   IEC62351-8-RoleID = "OPERATOR"
(6)   IEC62351-8-RoleID = "ENGINEER"

но их не возвращают. Вместо этого:

(6) Login OK: [anonymous/<via Auth-Type = eap>] (from client whatever port 0)
(6) Sent Access-Accept Id 29 from XX.XX.XX.XX:1812 to XX.XX.XX.XX:49167 length 0
(6)   MS-MPPE-Recv-Key = 0x612dbdf934dde72a902cbb61f7b317f0ab027e043211d743bb15f39d1b7df21b
(6)   MS-MPPE-Send-Key = 0x508c9aefdb3b61db7d53ce2232efce1ebcec0b67fb40c205639779f2b3e4e820

Если это может помочь, вот пакеты wireshark:

Доступ-Запрос:

Frame 23: 219 bytes on wire (1752 bits), 219 bytes captured (1752 bits) on interface \Device\NPF_{58F84452-96E4-452B-98A5-663F8E4D7FDB}, id 0
Ethernet II, Src: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX), Dst: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX)
Internet Protocol Version 4, Src: XX.XX.XX.XX, Dst: XX.XX.XX.XX
User Datagram Protocol, Src Port: 49167, Dst Port: 1812
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x1d (29)
    Length: 177
    Authenticator: a95b00007e62000008380000fc5f0000
    [The response to this request is in frame 24]
    Attribute Value Pairs
        AVP: t=EAP-Message(79) l=109 Last Segment[1]
        AVP: t=State(24) l=18 val=ca6f8448cf69913fac15f965d7a090eb
        AVP: t=NAS-Port(5) l=6 val=0
        AVP: t=NAS-IP-Address(4) l=6 val=XX.XX.XX.XX
        AVP: t=Message-Authenticator(80) l=18 val=3e371922ea1733f51a920a7298e5cbcb

Доступ-Принять:

Frame 24: 202 bytes on wire (1616 bits), 202 bytes captured (1616 bits) on interface \Device\NPF_{58F84452-96E4-452B-98A5-663F8E4D7FDB}, id 0
Ethernet II, Src: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX), Dst: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX)
Internet Protocol Version 4, Src: XX.XX.XX.XX, Dst: XX.XX.XX.XX
User Datagram Protocol, Src Port: 1812, Dst Port: 49167
RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x1d (29)
    Length: 160
    Authenticator: 9f6d9c09c55e654a93f47a4215a8418e
    [This is a response to a request in frame 23]
    [Time from request: 0.069017000 seconds]
    Attribute Value Pairs
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=EAP-Message(79) l=6 Last Segment[1]
        AVP: t=Message-Authenticator(80) l=18 val=9eb84fabca3ba8c74ae5db4db35aad07

Это неправильная конфигурация сервера? или проблема в Access-Request? или что-нибудь еще?

Я могу предоставить конфигурацию чтения, если это необходимо

Umaiki 14.04.2023 10:35
Стоит ли изучать PHP в 2023-2024 годах?
Стоит ли изучать PHP в 2023-2024 годах?
Привет всем, сегодня я хочу высказать свои соображения по поводу вопроса, который я уже много раз получал в своем сообществе: "Стоит ли изучать PHP в...
Поведение ключевого слова "this" в стрелочной функции в сравнении с нормальной функцией
Поведение ключевого слова "this" в стрелочной функции в сравнении с нормальной функцией
В JavaScript одним из самых запутанных понятий является поведение ключевого слова "this" в стрелочной и обычной функциях.
Приемы CSS-макетирования - floats и Flexbox
Приемы CSS-макетирования - floats и Flexbox
Здравствуйте, друзья-студенты! Готовы совершенствовать свои навыки веб-дизайна? Сегодня в нашем путешествии мы рассмотрим приемы CSS-верстки - в...
Тестирование функциональных ngrx-эффектов в Angular 16 с помощью Jest
В системе управления состояниями ngrx, совместимой с Angular 16, появились функциональные эффекты. Это здорово и делает код определенно легче для...
Концепция локализации и ее применение в приложениях React ⚡️
Концепция локализации и ее применение в приложениях React ⚡️
Локализация - это процесс адаптации приложения к различным языкам и культурным требованиям. Это позволяет пользователям получить опыт, соответствующий...
Пользовательский скаляр GraphQL
Пользовательский скаляр GraphQL
Листовые узлы системы типов GraphQL называются скалярами. Достигнув скалярного типа, невозможно спуститься дальше по иерархии типов. Скалярный тип...
0
1
103
1
Перейти к ответу Данный вопрос помечен как решенный

Ответы 1

Ответ принят как подходящий

Проблема заключалась в неправильной настройке сервера freeradius.

В моем случае мне нужно было добавить к /etc/freeradius/3.0/mods-available/eap:

ttls {
  [...]
  use_tunneled_reply = yes
  [...]
}

чтобы попросить сервер добавить атрибут к ответному сообщению.

Другие вопросы по теме