Ubuntu下freeradius的EAP-MD5/EAP-PEAP-MSCHAPV2/EAP-TTLS-MD5/EAP-TTLS-MSCHAPV2方式认证(基于mysql)

基于freeradius+mysql，今天验证下freeradius的EAP认证：1.EAP-MD5；2.EAP-PEAP

一、EAP-MD5方式认证

1.修改配置文件

(1)/usr/local/etc/raddb/sites-available/default

去掉eap前面的#

(2)/usr/local/etc/raddb/eap.conf

确认default_eap_type=md5

2.在数据库中加入Auth-Type为EAP的测试账号

#mysql -u root -p
Enter password:456456
mysql> use freeradius;
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Auth-Type',':=','EAP');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Service-Type',':=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Framed-IP-Address',':=','255.255.255.255');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Framed-IP-Netmask',':=','255.255.255.0');
mysql> insert into radcheck (username,attribute,op,value) values ('eap','User-Password',':=','eap');
mysql> insert into radusergroup (username,groupname) values ('eap','eap');
mysql> insert into radreply (username,attribute,op,value) values ('eap','Reply-Message',':=','eap OK!');

3.开始测试

#radiusd -X

#(echo "User-Name = \"eap\""; echo "Cleartext-Password = \"eap\""; echo "EAP-Code = \"Response\""; echo "EAP-Id = 210"; echo "EAP-Type-Identity = \"eap\""; echo "Message-Authenticator = 0x00";) | radeapclient -x localhost auth testing123

Sending Access-Request packet to host 127.0.0.1 port 1812, id=16, length=0
User-Name = "eap"
Cleartext-Password = "eap"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = 0x656170
Message-Authenticator = 0x00
EAP-Message = 0x02d2000801656170
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=16, length=107
Reply-Message = "eap OK!"
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.255
Framed-IP-Netmask = 255.255.255.0
EAP-Message = 0x01d30016041008dabb8375e60ff9a515084acdce2e49
Message-Authenticator = 0x323977ef5d8f99e19c0f915225dc91fe
State = 0x622ff79862fcf31bc6a72392057197f7
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5-Challenge = 0x1008dabb8375e60ff9a515084acdce2e49
Sending Access-Request packet to host 127.0.0.1 port 1812, id=17, length=53
User-Name = "eap"
Cleartext-Password = "eap"
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x00000000000000000000000000000000
EAP-Type-MD5-Challenge = 0x10e968e2d801bc965f23c6e515ef2f8861
State = 0x622ff79862fcf31bc6a72392057197f7
EAP-Message = 0x02d300160410e968e2d801bc965f23c6e515ef2f8861
Received Access-Accept packet from host 127.0.0.1 port 1812, id=17, length=76
Reply-Message = "eap OK!"
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.255
Framed-IP-Netmask = 255.255.255.0
EAP-Message = 0x03d30004
Message-Authenticator = 0x190af2672a849e7ddee425f18c01dd2c
User-Name = "eap"
EAP-Id = 211
EAP-Code = Success

二、EAP-PEAP方式认证

1.安装测试工具eapol_test

#cd /usr/local/src/
#wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.9.tar.gz #tar –xzvf wpa_supplicant-0.6.9.tar.gz
#cd wpa_supplicant-0.6.9/wpa_supplicant/
#cp defconfig .config
#make eapol_test
#cp eapol_test /usr/local/bin/

2.修改配置文件

(1)/usr/local/etc/raddb/sites-available/default

去掉eap前面的#

(2)/usr/local/etc/raddb/eap.conf

确认default_eap_type=peap

3.查看证书是否存在

#ls /usr/local/etc/raddb/certs/*.pem
正常 列表中含有ca.pem

若没有ca.pem文件，则执行以下命令：
#/usr/local/etc/raddb/certs/bootstrap

4.创建测试配置文件 ~/peap.test

#~/peap.test

network={　　　　　　//注意："="前后无空格
eap=PEAP
eapol_flags=0
key_mgmt=IEEE8021X
identity="eap"　　//注意：该测试账号是之前用sql建立在数据库中的，所以可以直接使用
password="eap"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous"
}

5.开始测试

#radiusd -X

#eapol_test -c peap.test -s testing123　　//peap.test在~/目录下，所以该命令也要在~/目录下进行。需保持一致。

eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): d9 2f f7 04 41 7c 74 66 5b b3 e7 7c ea 77 21 72 04 94 cd 7f e1 c9 a0 6b 08 34 b1 b2 25 55 6f 53
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS

三、EAP-TTLS-MD5方式认证

1.修改配置文件

(1)/usr/local/etc/raddb/sites-available/default

去掉eap前面的#

(2)/usr/local/etc/raddb/eap.conf

确认default_eap_type=ttls

2.创建测试配置文件 ~/ttlsmd5.test

~/ttlsmd5.test

network={
eap=TTLS
ssid="test"　　//可更改
key_mgmt=WPA-EAP
identity="eap"
password="eap"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
phase2="auth=MD5"
anonymous_identity="anonymous"　　//可更改
}

3.开始测试

#radiusd -X

#eapol_test -c ttlsmd5.test -s testing123

eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): 91 b2 66 fb da ff bd 7d 95 91 2a c5 82 a8 86 bb 18 14 ac 9f 30 e4 7e 21 9f 28 b8 00 35 62 ff f2
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS

四、EAP-TTLS-MSCHAPV2方式认证

1.修改配置文件

(1)/usr/local/etc/raddb/sites-available/default

去掉eap前面的#

(2)/usr/local/etc/raddb/eap.conf

确认default_eap_type=ttls

2.创建测试配置文件 ~/ttlsmschapv2.test

~/ttlsmschapv2.test

network={
eap=TTLS
ssid="test"　　//可更改
key_mgmt=WPA-EAP
identity="eap"
password="eap"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous"　　//可更改
}

3.开始测试

#radiusd -X

#eapol_test -c ttlsmschapv2.test -s testing123

eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): 91 b2 66 fb da ff bd 7d 95 91 2a c5 82 a8 86 bb 18 14 ac 9f 30 e4 7e 21 9f 28 b8 00 35 62 ff f2
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS

$$$至此，参照http://blog.sina.com.cn/s/blog_5d2184eb0100hibt.html《FreeRadius+Mysql+EAP认证身份认证系统安装及配置》;

$$$其他认证方式，请参照http://blog.csdn.net/madding/article/details/17277197/《radius系列：freeradius测试》;