
6.36.3 + CAPsMAN v2 + WPA2-EAP + Win2008R2 NPS + eduroam

Good day!

I need to move from hotspot-based authorization to WPA2-EAP, and PEAP support is a hard requirement.

In NPS, "Protected EAP (PEAP)" is enabled under the allowed EAP types.

/caps-man security print

1 name="security-eduroam" authentication-types=wpa2-eap encryption=aes-ccm eap-methods=passthrough eap-radius-accounting=yes

From the NPS logs:

<Event>
<Timestamp data_type="4">09/14/2016 10:45:25.252</Timestamp>
<Computer-Name data_type="1">DC2</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Service-Type data_type="0">2</Service-Type>
<Framed-MTU data_type="0">1400</Framed-MTU>
<User-Name data_type="1">NES\kkuyukov</User-Name>
<NAS-Port-Id data_type="1">RB951G-2HnD-18-1-3</NAS-Port-Id>
<NAS-Port-Type data_type="0">19</NAS-Port-Type>
<Acct-Session-Id data_type="1">82500001</Acct-Session-Id>
<Calling-Station-Id data_type="1">C0-4A-00-27-B7-33</Calling-Station-Id>
<Called-Station-Id data_type="1">4E-5E-0C-33-88-D7:eduroam-test</Called-Station-Id>
<NAS-Identifier data_type="1">RB1100Hx2-Skolkovo</NAS-Identifier>
<NAS-IP-Address data_type="3">192.168.32.1</NAS-IP-Address>
<Client-IP-Address data_type="3">192.168.32.1</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">Mikrotik</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">NES\kkuyukov</SAM-Account-Name>
<Class data_type="1">311 1 192.168.32.6 09/12/2016 11:43:17 548</Class>
<Fully-Qualifed-User-Name data_type="1">NES.RU/itdept/Kuyukov Konstantin</Fully-Qualifed-User-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<NP-Policy-Name data_type="1">Mikrotik-VPN</NP-Policy-Name>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
<Timestamp data_type="4">09/14/2016 10:45:25.252</Timestamp>
<Computer-Name data_type="1">DC2</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 192.168.32.6 09/12/2016 11:43:17 548</Class>
<Fully-Qualifed-User-Name data_type="1">NES.RU/itdept/Kuyukov Konstantin</Fully-Qualifed-User-Name>
<Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
<Acct-Session-Id data_type="1">82500001</Acct-Session-Id>
<NP-Policy-Name data_type="1">Mikrotik-VPN</NP-Policy-Name>
<Client-IP-Address data_type="3">192.168.32.1</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">Mikrotik</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">NES\kkuyukov</SAM-Account-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">66</Reason-Code>
</Event>

From the MikroTik logs:

10:45:21 radius,debug,packet     Signature = 0x0f2f6c8191f4d34c407bb556e9f8f271 
10:45:21 radius,debug,packet     Service-Type = 2 
10:45:21 radius,debug,packet     Framed-MTU = 1400 
10:45:21 radius,debug,packet     User-Name = "host/KKuyukov-new.NES.RU" 
10:45:21 radius,debug,packet     NAS-Port-Id = "RB951G-2HnD-18-1-3" 
10:45:21 radius,debug,packet     NAS-Port-Type = 19 
10:45:21 radius,debug,packet     Acct-Session-Id = "82500000" 
10:45:21 radius,debug,packet     Calling-Station-Id = "C0-4A-00-27-B7-33" 
10:45:21 radius,debug,packet     Called-Station-Id = "4E-5E-0C-33-88-D7:eduroam-test" 
10:45:21 radius,debug,packet     EAP-Message = 0x0201001d01686f73742f4b4b7579756b 
10:45:21 radius,debug,packet       6f762d6e65772e4e45532e5255 
10:45:21 radius,debug,packet     Message-Authenticator = 0x9e539a771dc29fa3ca0c9288c06d1a1d 
10:45:21 radius,debug,packet     NAS-Identifier = "RB1100Hx2-Skolkovo" 
10:45:21 radius,debug,packet     NAS-IP-Address = 192.168.32.1 
10:45:21 radius,debug,packet received Access-Reject with id 4 from 192.168.32.6:1812 
10:45:21 radius,debug,packet     Signature = 0x5b0fb9f981ab6af22c0e30089d137268 
10:45:21 radius,debug,packet     EAP-Message = 0x04010004 
10:45:21 radius,debug,packet     Message-Authenticator = 0x3fd7e0a106283cb37c2c34359a9693cf 
10:45:21 radius,debug received reply for 58:9d 
10:45:25 radius,debug new request 58:9e code=Access-Request service=wireless called-id=4E-5E-0C-33-88-D7:eduroam-test 
10:45:25 radius,debug sending 58:9e to 192.168.32.6:1812 
10:45:25 radius,debug,packet sending Access-Request with id 5 to 192.168.32.6:1812 
10:45:25 radius,debug,packet     Signature = 0x1b42edc2b4e81394cbd5b0f5f5b85ac2 
10:45:25 radius,debug,packet     Service-Type = 2 
10:45:25 radius,debug,packet     Framed-MTU = 1400 
10:45:25 radius,debug,packet     User-Name = "NES\kkuyukov" 
10:45:25 radius,debug,packet     NAS-Port-Id = "RB951G-2HnD-18-1-3" 
10:45:25 radius,debug,packet     NAS-Port-Type = 19 
10:45:25 radius,debug,packet     Acct-Session-Id = "82500001" 
10:45:25 radius,debug,packet     Calling-Station-Id = "C0-4A-00-27-B7-33" 
10:45:25 radius,debug,packet     Called-Station-Id = "4E-5E-0C-33-88-D7:eduroam-test" 
10:45:25 radius,debug,packet     EAP-Message = 0x02010011014e45535c6b6b7579756b6f 
10:45:25 radius,debug,packet       76 
10:45:25 radius,debug,packet     Message-Authenticator = 0x7f18ac5cd7f77d07e18b12f6e68ebe74 
10:45:25 radius,debug,packet     NAS-Identifier = "RB1100Hx2-Skolkovo" 
10:45:25 radius,debug,packet     NAS-IP-Address = 192.168.32.1 
10:45:25 radius,debug,packet received Access-Reject with id 5 from 192.168.32.6:1812 
10:45:25 radius,debug,packet     Signature = 0x33bdd0f8e404fac878cac49e7cce8457 
10:45:25 radius,debug,packet     EAP-Message = 0x04010004 
10:45:25 radius,debug,packet     Message-Authenticator = 0xa4eadb45fb5cdb1500e89508b87e206a 
10:45:25 radius,debug received reply for 58:9e 

Please advise how to get authentication working.
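An added example for readers of this thread, not code from the poster: it decodes the EAP-Message hex that MikroTik prints in its `radius,debug,packet` lines (joining the indented continuation lines), so the identity the supplicant sent and the EAP-Failure in the reply are readable, and it flattens the NPS XML events so that each Access-Reject is shown next to the NAS port type, matched network policy and reason code of its Access-Request. The log excerpts are constructed from the lines quoted above, with fields trimmed; EAP codes are from RFC 3748, EAP type numbers from the IANA registry, RADIUS packet codes and NAS-Port-Type 19 (Wireless-IEEE-802.11) from RFC 2865. The function names are my own, and the meaning of NPS reason codes is not decoded here; look the number up in Microsoft's NPS reason-code documentation.

```python
"""Added example (not from the post): decode the EAP-Message hex that MikroTik
prints in 'radius,debug,packet' lines, and summarise NPS (IAS) XML log events.
The log excerpts below are constructed from the lines quoted in the post."""
import re
import xml.etree.ElementTree as ET

# EAP codes from RFC 3748; type numbers from the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP"}
# RADIUS packet codes from RFC 2865.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Constructed excerpt of the MikroTik debug log quoted in the post.
MIKROTIK_LOG = """\
10:45:21 radius,debug,packet     User-Name = "host/KKuyukov-new.NES.RU"
10:45:21 radius,debug,packet     EAP-Message = 0x0201001d01686f73742f4b4b7579756b
10:45:21 radius,debug,packet       6f762d6e65772e4e45532e5255
10:45:21 radius,debug,packet received Access-Reject with id 4 from 192.168.32.6:1812
10:45:21 radius,debug,packet     EAP-Message = 0x04010004
10:45:25 radius,debug,packet     EAP-Message = 0x02010011014e45535c6b6b7579756b6f
10:45:25 radius,debug,packet       76
"""

# Constructed excerpt of the two NPS events quoted in the post (fields trimmed).
NPS_LOG = r"""<Event>
<Packet-Type data_type="0">1</Packet-Type>
<User-Name data_type="1">NES\kkuyukov</User-Name>
<NAS-Port-Type data_type="0">19</NAS-Port-Type>
<Acct-Session-Id data_type="1">82500001</Acct-Session-Id>
<NP-Policy-Name data_type="1">Mikrotik-VPN</NP-Policy-Name>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
<Packet-Type data_type="0">3</Packet-Type>
<SAM-Account-Name data_type="1">NES\kkuyukov</SAM-Account-Name>
<Acct-Session-Id data_type="1">82500001</Acct-Session-Id>
<NP-Policy-Name data_type="1">Mikrotik-VPN</NP-Policy-Name>
<Reason-Code data_type="0">66</Reason-Code>
</Event>
"""

def extract_eap_messages(log: str) -> list[bytes]:
    """Collect every EAP-Message attribute. MikroTik wraps long hex values onto
    indented continuation lines that carry only hex, so glue those back first."""
    joined = re.sub(r"[ \t]*\n\S+ radius,debug,packet\s+([0-9a-fA-F]+)[ \t]*(?=\n|$)", r"\1", log)
    return [bytes.fromhex(h) for h in re.findall(r"EAP-Message = 0x([0-9a-fA-F]+)", joined)]

def decode_eap(msg: bytes) -> dict:
    """Parse the EAP header (code, id, length) and, for Identity packets, the
    identity the supplicant sent. Rejects a message whose length field disagrees
    with the bytes captured."""
    if len(msg) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = msg[0], msg[1], int.from_bytes(msg[2:4], "big")
    if length != len(msg):
        raise ValueError(f"EAP length field {length} != {len(msg)} bytes captured")
    out = {"code": EAP_CODES.get(code, f"code-{code}"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type byte
        out["type"] = EAP_TYPES.get(msg[4], f"type-{msg[4]}")
        if msg[4] == 1:
            out["identity"] = msg[5:].decode("utf-8", errors="replace")
    return out

def summarize_nps_events(xml_text: str) -> list[dict]:
    """Flatten NPS XML events. A log file holds many <Event> roots, so wrap them."""
    rows = []
    for ev in ET.fromstring(f"<Log>{xml_text}</Log>").findall("Event"):
        ptype = int(ev.findtext("Packet-Type"))
        nas_port = ev.findtext("NAS-Port-Type")
        rows.append({
            "session": ev.findtext("Acct-Session-Id"),
            "packet": RADIUS_CODES.get(ptype, f"code-{ptype}"),
            "user": ev.findtext("User-Name") or ev.findtext("SAM-Account-Name"),
            "nas_port_type": int(nas_port) if nas_port else None,
            "policy": ev.findtext("NP-Policy-Name"),
            "reason": int(ev.findtext("Reason-Code")),
        })
    return rows

def rejected_sessions(rows: list[dict]) -> list[dict]:
    """Pair each Access-Reject with the Access-Request of the same session so the
    NAS port type, matched network policy and reason code appear on one line."""
    requests = {r["session"]: r for r in rows if r["packet"] == "Access-Request"}
    out = []
    for r in rows:
        if r["packet"] == "Access-Reject":
            req = requests.get(r["session"], {})
            out.append({"session": r["session"], "user": r["user"],
                        "nas_port_type": req.get("nas_port_type"),
                        "policy": r["policy"], "reason": r["reason"]})
    return out

if __name__ == "__main__":
    for msg in extract_eap_messages(MIKROTIK_LOG):
        print(decode_eap(msg))
    for rej in rejected_sessions(summarize_nps_events(NPS_LOG)):
        print(rej)
```

Run on the excerpt, the decoder shows the two EAP-Response/Identity packets ("host/KKuyukov-new.NES.RU", then "NES\kkuyukov") followed each time by an EAP-Failure (0x04010004), and the NPS summary shows that the wireless request (NAS-Port-Type 19) was matched to the network policy named "Mikrotik-VPN" before being rejected with reason code 66. The matched policy and the reason code are the two values to check first when an EAP reject is this immediate, because NPS evaluates the EAP type constraints of whichever network policy matched.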
