
6.36.3 + CAPsMAN v2 + WPA2-EAP + Win2008R2 NPS + eduroam

Greetings!

We need to move from hotspot-based authorization to WPA2-EAP, and PEAP support is a hard requirement.

In NPS, "Protected EAP (PEAP)" is enabled among the EAP types.

/caps-man security print

1 name="security-eduroam" authentication-types=wpa2-eap encryption=aes-ccm eap-methods=passthrough eap-radius-accounting=yes

From the NPS logs:

<Event>
<Timestamp data_type="4">09/14/2016 10:45:25.252</Timestamp>
<Computer-Name data_type="1">DC2</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Service-Type data_type="0">2</Service-Type>
<Framed-MTU data_type="0">1400</Framed-MTU>
<User-Name data_type="1">NES\kkuyukov</User-Name>
<NAS-Port-Id data_type="1">RB951G-2HnD-18-1-3</NAS-Port-Id>
<NAS-Port-Type data_type="0">19</NAS-Port-Type>
<Acct-Session-Id data_type="1">82500001</Acct-Session-Id>
<Calling-Station-Id data_type="1">C0-4A-00-27-B7-33</Calling-Station-Id>
<Called-Station-Id data_type="1">4E-5E-0C-33-88-D7:eduroam-test</Called-Station-Id>
<NAS-Identifier data_type="1">RB1100Hx2-Skolkovo</NAS-Identifier>
<NAS-IP-Address data_type="3">192.168.32.1</NAS-IP-Address>
<Client-IP-Address data_type="3">192.168.32.1</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">Mikrotik</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">NES\kkuyukov</SAM-Account-Name>
<Class data_type="1">311 1 192.168.32.6 09/12/2016 11:43:17 548</Class>
<Fully-Qualifed-User-Name data_type="1">NES.RU/itdept/Kuyukov Konstantin</Fully-Qualifed-User-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<NP-Policy-Name data_type="1">Mikrotik-VPN</NP-Policy-Name>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
<Timestamp data_type="4">09/14/2016 10:45:25.252</Timestamp>
<Computer-Name data_type="1">DC2</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 192.168.32.6 09/12/2016 11:43:17 548</Class>
<Fully-Qualifed-User-Name data_type="1">NES.RU/itdept/Kuyukov Konstantin</Fully-Qualifed-User-Name>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<Acct-Session-Id data_type="1">82500001</Acct-Session-Id>
<NP-Policy-Name data_type="1">Mikrotik-VPN</NP-Policy-Name>
<Client-IP-Address data_type="3">192.168.32.1</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">Mikrotik</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">NES\kkuyukov</SAM-Account-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">66</Reason-Code>
</Event>

From the MikroTik logs:

10:45:21 radius,debug,packet     Signature = 0x0f2f6c8191f4d34c407bb556e9f8f271 
10:45:21 radius,debug,packet     Service-Type = 2 
10:45:21 radius,debug,packet     Framed-MTU = 1400 
10:45:21 radius,debug,packet     User-Name = "host/KKuyukov-new.NES.RU" 
10:45:21 radius,debug,packet     NAS-Port-Id = "RB951G-2HnD-18-1-3" 
10:45:21 radius,debug,packet     NAS-Port-Type = 19 
10:45:21 radius,debug,packet     Acct-Session-Id = "82500000" 
10:45:21 radius,debug,packet     Calling-Station-Id = "C0-4A-00-27-B7-33" 
10:45:21 radius,debug,packet     Called-Station-Id = "4E-5E-0C-33-88-D7:eduroam-test" 
10:45:21 radius,debug,packet     EAP-Message = 0x0201001d01686f73742f4b4b7579756b 
10:45:21 radius,debug,packet       6f762d6e65772e4e45532e5255 
10:45:21 radius,debug,packet     Message-Authenticator = 0x9e539a771dc29fa3ca0c9288c06d1a1d 
10:45:21 radius,debug,packet     NAS-Identifier = "RB1100Hx2-Skolkovo" 
10:45:21 radius,debug,packet     NAS-IP-Address = 192.168.32.1 
10:45:21 radius,debug,packet received Access-Reject with id 4 from 192.168.32.6:1812 
10:45:21 radius,debug,packet     Signature = 0x5b0fb9f981ab6af22c0e30089d137268 
10:45:21 radius,debug,packet     EAP-Message = 0x04010004 
10:45:21 radius,debug,packet     Message-Authenticator = 0x3fd7e0a106283cb37c2c34359a9693cf 
10:45:21 radius,debug received reply for 58:9d 
10:45:25 radius,debug new request 58:9e code=Access-Request service=wireless called-id=4E-5E-0C-33-88-D7:eduroam-test 
10:45:25 radius,debug sending 58:9e to 192.168.32.6:1812 
10:45:25 radius,debug,packet sending Access-Request with id 5 to 192.168.32.6:1812 
10:45:25 radius,debug,packet     Signature = 0x1b42edc2b4e81394cbd5b0f5f5b85ac2 
10:45:25 radius,debug,packet     Service-Type = 2 
10:45:25 radius,debug,packet     Framed-MTU = 1400 
10:45:25 radius,debug,packet     User-Name = "NES\kkuyukov" 
10:45:25 radius,debug,packet     NAS-Port-Id = "RB951G-2HnD-18-1-3" 
10:45:25 radius,debug,packet     NAS-Port-Type = 19 
10:45:25 radius,debug,packet     Acct-Session-Id = "82500001" 
10:45:25 radius,debug,packet     Calling-Station-Id = "C0-4A-00-27-B7-33" 
10:45:25 radius,debug,packet     Called-Station-Id = "4E-5E-0C-33-88-D7:eduroam-test" 
10:45:25 radius,debug,packet     EAP-Message = 0x02010011014e45535c6b6b7579756b6f 
10:45:25 radius,debug,packet       76 
10:45:25 radius,debug,packet     Message-Authenticator = 0x7f18ac5cd7f77d07e18b12f6e68ebe74 
10:45:25 radius,debug,packet     NAS-Identifier = "RB1100Hx2-Skolkovo" 
10:45:25 radius,debug,packet     NAS-IP-Address = 192.168.32.1 
10:45:25 radius,debug,packet received Access-Reject with id 5 from 192.168.32.6:1812 
10:45:25 radius,debug,packet     Signature = 0x33bdd0f8e404fac878cac49e7cce8457 
10:45:25 radius,debug,packet     EAP-Message = 0x04010004 
10:45:25 radius,debug,packet     Message-Authenticator = 0xa4eadb45fb5cdb1500e89508b87e206a 
10:45:25 radius,debug received reply for 58:9e 

Please advise how to get authentication working.
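The two logs quoted in the post describe the same rejected exchange from opposite ends, and reading them together is the quickest way to see why NPS said no. What follows is an added example, not code from the post, from MikroTik or from Microsoft: a small Python triage script that decodes the hex `EAP-Message` attribute from the RouterOS `radius,debug,packet` lines (including the continuation line RouterOS prints for long attributes), parses the NPS IAS-format XML events, joins the two by `Acct-Session-Id`, and reports which network policy NPS matched and what its `Reason-Code` means. Both inputs are constructed from the lines in the post, cut down to the attributes the triage needs; the `NPS_REASON` table is a subset of Microsoft's NPS reason-code list containing only the codes used here, and the EAP and RADIUS code tables come from RFC 3748 and RFC 2865.

```python
"""Triage a rejected WPA2-EAP logon from both ends of the RADIUS exchange.
Added example, not code from the post, MikroTik or Microsoft."""
import re
import xml.etree.ElementTree as ET

# Constructed from the RouterOS output in the post; EAP-Message is split over
# a continuation line the way RouterOS prints long attributes.
ROUTEROS_LOG = """\
10:45:25 radius,debug,packet sending Access-Request with id 5 to 192.168.32.6:1812
10:45:25 radius,debug,packet     User-Name = "NES\\kkuyukov"
10:45:25 radius,debug,packet     NAS-Port-Type = 19
10:45:25 radius,debug,packet     Acct-Session-Id = "82500001"
10:45:25 radius,debug,packet     EAP-Message = 0x02010011014e45535c6b6b7579756b6f
10:45:25 radius,debug,packet       76
10:45:25 radius,debug,packet received Access-Reject with id 5 from 192.168.32.6:1812
10:45:25 radius,debug,packet     EAP-Message = 0x04010004
"""
# Constructed from the NPS reject event in the post (IAS XML has no root element).
NPS_LOG = """\
<Event><Timestamp data_type="4">09/14/2016 10:45:25.252</Timestamp>
<Acct-Session-Id data_type="1">82500001</Acct-Session-Id>
<NP-Policy-Name data_type="1">Mikrotik-VPN</NP-Policy-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code>
</Event>
"""

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPE = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
NPS_REASON = {  # subset of Microsoft's NPS reason-code list, only what is needed here
    0: "success", 16: "user credentials mismatch", 48: "no network policy matched",
    66: "authentication method not enabled on the matching network policy"}
LINE = re.compile(r"^\d\d:\d\d:\d\d radius,debug,packet (.*?)\s*$")
HEADER = re.compile(r"^(sending|received) (\S+) with id (\d+)")
ATTR = re.compile(r"^(\S+) = (.*)$")


def decode_eap(hexstr):
    """Decode one EAP packet: code, id, length, then type and data (RFC 3748)."""
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes present")
    out = {"code": EAP_CODE.get(code, f"code-{code}"), "id": ident}
    if code in (1, 2) and length > 4:  # only Request/Response carry a type byte
        out["type"] = EAP_TYPE.get(pkt[4], f"type-{pkt[4]}")
        if pkt[4] == 1:  # Identity: the payload is the NAI the client sent
            out["identity"] = pkt[5:].decode("utf-8", "replace")
    return out


def parse_routeros(log):
    """Group radius,debug,packet lines into packets; a hex-only line continues
    the previous attribute (RouterOS wraps long values such as EAP-Message)."""
    packets, last = [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        h, a = HEADER.match(body), ATTR.match(body)
        if h:
            packets.append({"dir": h.group(1), "code": h.group(2),
                            "id": int(h.group(3)), "attrs": {}})
            last = None
        elif a and packets:
            packets[-1]["attrs"][a.group(1)] = a.group(2).strip('"')
            last = a.group(1)
        elif last and re.fullmatch(r"[0-9a-fA-F]+", body):
            packets[-1]["attrs"][last] += body
    return packets


def parse_nps(xml_text):
    """One dict per <Event>, keyed by NPS attribute name."""
    root = ET.fromstring("<Log>" + xml_text + "</Log>")
    return [{c.tag: (c.text or "") for c in ev} for ev in root.findall("Event")]


def triage(routeros_log, nps_log):
    """Join each Access-Request to the NPS reject with the same Acct-Session-Id
    and explain the reject in terms of the policy NPS actually matched."""
    packets = parse_routeros(routeros_log)
    rejects = {e.get("Acct-Session-Id"): e for e in parse_nps(nps_log)
               if e.get("Packet-Type") == "3"}  # RADIUS code 3 = Access-Reject
    findings = []
    for p in packets:
        ev = rejects.get(p["attrs"].get("Acct-Session-Id"))
        if p["code"] != "Access-Request" or ev is None:
            continue
        reason = int(ev.get("Reason-Code", -1))
        findings.append({
            "identity": decode_eap(p["attrs"]["EAP-Message"]).get("identity"),
            "wireless": p["attrs"].get("NAS-Port-Type") == "19",  # 19 = Wireless-802.11
            "policy": ev.get("NP-Policy-Name"),
            "reason_code": reason,
            "reason": NPS_REASON.get(reason, "not in table; see the NPS reason-code list"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(ROUTEROS_LOG, NPS_LOG):
        print(finding)
```

Run stand-alone it produces one finding: the wireless request (NAS-Port-Type 19) carrying the EAP Identity `NES\kkuyukov` was answered with an EAP Failure, and on the NPS side the same session matched the network policy named `Mikrotik-VPN` and was rejected with reason code 66. In Microsoft's NPS reason-code list, 66 means the client used an authentication method that is not enabled on the network policy that matched, and EAP types in NPS are configured per network policy, not server-wide. The practical check this suggests is therefore to look at which policy NPS selected for the wireless clients and at the EAP types enabled on that policy, rather than at the server's global EAP list.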
