Environment

RADIUS server
- VMware ESXi 11
- CentOS Linux 7.4.1708
- freeradius-3.0.13-8.el7_4.x86_64
- freeradius-utils-3.0.13-8.el7_4.x86_64
- 192.0.2.1

RADIUS client
- HP 2530 (firmware YB.16.10.0011)
- 192.0.2.2

Endpoint
- Laptop
- MAC: xx-xx-xx-yy-yy-yy
RADIUS server configuration
See the reference below.
HP 2530 MAC authentication configuration
Create the VLAN that authenticated endpoints will be placed in.
# configure
(config)# vlan 15 name Radius
Assign the VLAN in the interface context.
(config)# interface 2
(eth-2)# untagged vlan 15
(eth-2)# exit
Point the switch at the RADIUS server. The key must match the secret configured for this client in /etc/raddb/clients.conf on the server (choose a long, random secret rather than a guessable word; the same value protects every Access-Accept the switch trusts).
(config)# radius-server host 192.0.2.1 key radiusstring
Set the port-access authentication method to CHAP-RADIUS. With MAC-based authentication the switch sends the endpoint's MAC address as both User-Name and CHAP password, which is why the RADIUS log later shows entries of the form [xxxxxxyyyyyy/<CHAP-Password>].
(config)# aaa authentication port-access chap-radius
Enable MAC-based authentication on the port.
(config)# aaa port-access mac-based 2
Set the VLAN for authorized clients on that port.
(config)# aaa port-access mac-based 2 auth-vid 15
Save the configuration.
(config)# save
Verifying the configuration. Note that the dump below also shows the default SNMP community "public"; change or remove it before the switch goes into service.
# show running-config
dhcp-snooping
dhcpv6-snooping
radius-server host 192.0.2.1
time timezone 540
snmp-server community "public"
aaa authentication port-access chap-radius
aaa port-access mac-based 2
aaa port-access mac-based 2 auth-vid 15
vlan 1
name "DEFAULT_VLAN"
no untagged 1-2
untagged 3-28
ip address dhcp-bootp
exit
vlan 15
name "Radius"
untagged 2
no ip address
exit
vlan 40
name "hoge"
untagged 1
ip address 192.0.2.2 255.255.255.0
exit
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
Checks after MAC authentication
show commands on the HP 2530
# show logging
Keys: W=Warning I=Information
M=Major D=Debug E=Error
---- Event Log listing: Events Since Boot ----
I 04/12/23 16:11:14 00184 mgr: Log cleared as a result of 'clear logging' command
I 04/12/23 16:14:38 03125 mgr: Startup configuration changed by CLI. New seq. number 3
I 04/17/23 11:12:14 00002 vlan: Radius virtual LAN disabled
I 04/17/23 11:12:14 00001 vlan: Radius virtual LAN enabled
# show port-access mac-based clients
Port Access MAC-Based Client Status

 Port  MAC Address    IP Address   Mode  Client Status
 ----- -------------  -----------  ----  --------------------
 2     xxxxxx-yyyyyy  n/a          User  authenticated
The following is run on the RADIUS server.
$ sudo cat /var/log/radius/radius.log | tail -5
Mon Apr 17 11:02:27 2023 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:330
Mon Apr 17 11:02:27 2023 : Info: Loaded virtual server inner-tunnel
Mon Apr 17 11:02:27 2023 : Info: Ready to process requests
Mon Apr 17 11:02:46 2023 : Auth: (0) Login OK: [xxxxxxyyyyyy/<CHAP-Password>] (from client HP2530 port 2 cli xx-xx-xx-yy-yy-yy)
Mon Apr 17 11:09:53 2023 : Auth: (1) Login OK: [xxxxxxyyyyyy/<CHAP-Password>] (from client HP2530 port 2 cli xx-xx-xx-yy-yy-yy)
$ sudo tcpdump -li ens160 port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
11:19:05.516817 IP 192.0.2.2.radius > localhost.localdomain.radius: RADIUS, Access-Request (1), id: 0x69 length: 330
11:19:05.517584 IP localhost.localdomain.radius > 192.0.2.2.radius: RADIUS, Access-Accept (2), id: 0x69 length: 36
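The exchange captured above, worked through as an added example (not code from this post or from FreeRADIUS): a MAC-based Access-Request with a CHAP-Password built the way the switch builds it, the server-side check of that CHAP response against the Cleartext-Password it knows for the User-Name, and the Access-Accept or Access-Reject with its Response Authenticator verified on the way back. The MAC addresses, the `USERS` dictionary and the function names are assumptions for the example; the shared secret is the key from the switch configuration above.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 3, 4, 5
CALLING_STATION_ID, CHAP_CHALLENGE = 31, 60


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS TLVs (length covers type+len+value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def chap_response(chap_id, password, challenge):
    """CHAP-Password value body: MD5(CHAP ID || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_mac_auth_request(ident, mac, nas_ip, nas_port):
    """What the switch sends for MAC-based auth: the MAC (lower case, no separators)
    is both the User-Name and the CHAP password. No CHAP-Challenge attribute is
    included, so the 16-byte Request Authenticator serves as the challenge."""
    username = mac.replace("-", "").replace(":", "").lower().encode()
    request_auth = os.urandom(16)
    chap = bytes([ident]) + chap_response(ident, username, request_auth)
    attrs = [
        (USER_NAME, username),
        (CHAP_PASSWORD, chap),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (NAS_PORT, struct.pack("!I", nas_port)),
        (CALLING_STATION_ID, mac.encode()),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def handle_access_request(pkt, secret, users):
    """Server side: recompute the CHAP response from the Cleartext-Password known for
    the User-Name (the users-file entry) and answer Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    username = a.get(USER_NAME, b"").decode("ascii", "replace")
    chap = a.get(CHAP_PASSWORD, b"")
    challenge = a.get(CHAP_CHALLENGE, request_auth)
    cleartext = users.get(username)
    ok = (cleartext is not None and len(chap) == 17
          and hmac.compare_digest(chap[1:], chap_response(chap[0], cleartext.encode(), challenge)))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, [], secret)
    return build_packet(reply_code, ident, auth, [])


def verify_reply(reply, request, secret):
    """NAS side: trust the reply only if its ID matches the request and its Response
    Authenticator was computed with the shared secret. Returns (valid, code)."""
    rcode, rid, rauth, rattrs = parse_packet(reply)
    _, qid, qauth, _ = parse_packet(request)
    expected = response_authenticator(rcode, rid, qauth, rattrs, secret)
    return rid == qid and hmac.compare_digest(rauth, expected), rcode


if __name__ == "__main__":
    SECRET = b"radiusstring"                    # the key given on the switch
    USERS = {"aabbccddeeff": "aabbccddeeff"}     # constructed users-file entry (MAC as password)
    req = build_mac_auth_request(0x69, "aa-bb-cc-dd-ee-ff", "192.0.2.2", 2)
    reply = handle_access_request(req, SECRET, USERS)
    print(verify_reply(reply, req, SECRET))     # (True, 2) means an authentic Access-Accept
```

The Access-Accept here carries no attributes, so its length is 20 bytes; the 36-byte Accept in the capture above carries 16 bytes of attributes on top of that. Note that the secret only authenticates the server's reply: the request is protected by nothing but the MD5-based CHAP response, which is why the shared secret and the management network between switch and server both need to be treated as sensitive.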
Dealing with authentication rejections
Authentication was rejected with Auth: (17) Login incorrect (chap: &control:Cleartext-Password is required for authentication): [xxxxxxyyyyyy/] (from client HP2530 port 2 cli xx-xx-xx-yy-yy-yy); that is, the chap module had no Cleartext-Password for this User-Name to check the CHAP response against.
The request was matching lines 181-183 of /etc/raddb/users, so it was rejected. Commenting those lines out made authentication succeed.
181 #DEFAULT Framed-Protocol == PPP
182 # Framed-Protocol = PPP,
183 # Framed-Compression = Van-Jacobson-TCP-IP
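A small parser for the Auth: lines shown in the radius.log output above and in the rejection message in this section, added as an example (not part of the original post). It pulls the result, reason, User-Name, NAS client, port and Calling-Station-Id out of each line, then applies two checks a practitioner would want on a MAC-authenticated port: which User-Names are being rejected repeatedly, and whether any successful login has a User-Name that differs from the calling MAC (with MAC-based auth the switch fills both from the same address, so they must agree). The sample log is constructed in the same format as the page's output; the MAC addresses in it are made up.

```python
import re
from collections import defaultdict

# FreeRADIUS 3.x radius.log "Auth:" lines, in the form seen on this page:
#   <timestamp> : Auth: (<req>) Login OK: [<user>/<CHAP-Password>] (from client <name> port <n> cli <mac>)
#   <timestamp> : Auth: (<req>) Login incorrect (<reason>): [<user>/] (from client <name> port <n> cli <mac>)
AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: \((?P<reqid>\d+)\) Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)

# Constructed sample log (assumed MAC addresses), same format as the page's radius.log output.
SAMPLE_LOG = """\
Mon Apr 17 11:02:27 2023 : Info: Ready to process requests
Mon Apr 17 11:02:46 2023 : Auth: (0) Login OK: [aabbccddeeff/<CHAP-Password>] (from client HP2530 port 2 cli aa-bb-cc-dd-ee-ff)
Mon Apr 17 11:09:53 2023 : Auth: (1) Login OK: [aabbccddeeff/<CHAP-Password>] (from client HP2530 port 2 cli aa-bb-cc-dd-ee-ff)
Mon Apr 17 11:15:10 2023 : Auth: (17) Login incorrect (chap: &control:Cleartext-Password is required for authentication): [001122334455/] (from client HP2530 port 2 cli 00-11-22-33-44-55)
Mon Apr 17 11:15:40 2023 : Auth: (18) Login incorrect (chap: &control:Cleartext-Password is required for authentication): [001122334455/] (from client HP2530 port 2 cli 00-11-22-33-44-55)
Mon Apr 17 11:20:03 2023 : Auth: (19) Login OK: [aabbccddeeff/<CHAP-Password>] (from client HP2530 port 3 cli 66-77-88-99-aa-bb)
"""


def normalize_mac(mac):
    """Strip separators and lower-case, matching the User-Name form the switch sends."""
    return mac.replace("-", "").replace(":", "").lower()


def parse_auth_log(text):
    """Return one dict (the regex groups) per Auth: line; Info:/Error: lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """(client, port, user) -> {"ok": n, "incorrect": n, "reasons": set of reject reasons}."""
    summary = defaultdict(lambda: {"ok": 0, "incorrect": 0, "reasons": set()})
    for e in events:
        entry = summary[(e["client"], e["port"], e["user"])]
        if e["result"] == "OK":
            entry["ok"] += 1
        else:
            entry["incorrect"] += 1
            entry["reasons"].add(e["reason"])
    return dict(summary)


def repeatedly_rejected(events, threshold=2):
    """User-Names rejected at least `threshold` times: unknown MACs on a port, or a
    users-file problem like the one described above hitting every attempt."""
    return sorted(user for (_, _, user), s in summarize(events).items()
                  if s["incorrect"] >= threshold)


def username_mac_mismatches(events):
    """Successful logins whose User-Name is not the Calling-Station-Id. For MAC-based
    auth these must be equal, so a mismatch means a different auth mode on that port
    or a request that did not come from the switch's MAC-auth path."""
    return [e for e in events
            if e["result"] == "OK" and e["cli"]
            and normalize_mac(e["cli"]) != e["user"].lower()]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("repeatedly rejected:", repeatedly_rejected(evs))
    for e in username_mac_mismatches(evs):
        print("mismatch:", e["ts"], e["client"], "port", e["port"], e["user"], "vs", e["cli"])
```

To run it against the real file, replace SAMPLE_LOG with the contents of /var/log/radius/radius.log; the regex only accepts whole Auth: lines, so log entries wrapped by a terminal or pager must be unwrapped first.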