Strongswan app 使用IKEv2 EAP 通过 Freeradius EAP认证 连接 Strongswan

索引

  • 环境
  • 安装
    • 链接
    • Ubuntu 安装 Strongswan
    • 配置 Strongswang
    • 配置 Freeradius
    • 配置Strongswan APP
    • Debug
    • 应用

环境

@Linux

uname -a
Linux szqsm 4.15.0-73-generic #82-Ubuntu SMP Tue Dec 3 00:04:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
@Strongswan

ipsec --version
Linux strongSwan U5.6.2/K4.15.0-73-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
@Freeradius

freeradius -v
radiusd: FreeRADIUS Version 3.0.16, for host x86_64-pc-linux-gnu, built on Apr 17 2019 at 12:59:55
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Mobile Phone: 魅族16Plus/android8.1.0
Strongswan App:android4

安装

链接

@Strongswan官网
@Strongswan App 安卓客户端下载
@Freeradius官网

Ubuntu 安装 Strongswan

@阿里云源(下载安装更快)
vim /etc/apt/sources.list.d/aliyun.list
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse

@apt更新
apt upgrade	更新已安装的软件包

apt list --upgradable查看可升级的软件信息
apt list --upgradable -a查看可升级的软件的全部版本信息

注意事项:不能随意使用sudo apt upgrade -y命令

@安装Strongswan
apt-get install strongswan strongswan-*
* strongswan 的许多模块如radius模块都是以单独的包,直接写strongswan-*把模块全部安装了,避免后面出现未安装模块而导致的错误(当然实际使用时最好根据需求去添加安装)

配置 Strongswang

@官方EAP-Framed-IP-Radius 文档 *供参考

生成私钥
pki --gen --outform pem > caKey.pem
pki --self --in caKey.pem --dn "C=CN, O=SZQSM, CN=SZQSM Root CA" --san root --ca --lifetime 3650 --outform pem > caCert.pem	#根证书
C--Country 国家		O--Organization 组织	CN--通用名保持默认
!!!Never store the private key caKey.der of the Certification Authority (CA) on a host with constant direct access to the Internet
私钥不要放到公网上

pki --gen --outform pem > serverKey.pem
pki --issue --in serverKey.pem --type priv --cacert caCert.pem --cakey caKey.pem	--dn "C=CN, O=SZQSM, CN=server" --san server --san 10.207.238.11 --flag Server --outform pem > serverCert.pem


pki --gen --outform pem > androidKey.pem
pki --issue --in androidKey.pem --type priv --cacert caCert.pem --cakey caKey.pem	--dn "C=CN, O=SZQSM, CN=android" --san android --san 10.207.238.11 --outform pem > androidCert.pem

mv caCert.pem /etc/ipsec.d/cacerts/

mv serverKey.pem /etc/ipsec.d/private/
mv clientKey.pem /etc/ipsec.d/private/

mv serverCert.pem /etc/ipsec.d/certs/
mv clientCert.pem /etc/ipsec.d/certs/ 
/etc/ipsec.conf
config setup
        charondebug="ike 2, knl 3, cfg 0"
        
conn %default
        fragmentation=yes
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=2
        reauth=yes
        rekey=yes
        keyexchange=ikev2
       

conn mobile
        left=10.207.238.11
        leftid=10.207.238.11
        leftsubnet=192.168.1.0/24
        leftsendcert=always
        leftauth=pubkey
        leftcert=serverCert.pem
        leftfirewall=yes
        rightsendcert=never
        rightauth=eap-radius
        rightsourceip=%radius
        eap_identity=%any
        auto=add
/etc/ipsec.secrets
: RSA serverKey.pem
/etc/strongswan.conf
charon {
    load_modular = yes
    plugins {
        eap-radius {
            class_group = yes
            secret = android_pass_123456
            server = 10.207.238.11
        }
        include strongswan.d/charon/*.conf
    }
    dns1 = 114.114.114.114
    dns2 = 8.8.8.8
    nbns1 = 114.114.114.114
    nbns1 = 8.8.8.8
}
在这里插入代码片

配置 Freeradius

/etc/freeradius/3.0/clients.conf
client android{
        showrtname      = android
        ipaddr          = 10.207.238.11/32
        secret          = android_pass_123456
        require_message_authenticator = yes
        nas-type        = other
}
@radcheck表
android Cleartext-Password := 123456

@radreply表
android	Framed-IP-Address = 192.168.200.101
android Framed-IP-Netmask = 255.255.255.0
android Reply-Message = EAP Auth Success!
/etc/freeradius/3.0/sites-enabled/default
        eap {
                ok = return
        }

/etc/freeradius/3.0/mods-available/eap
	default_eap_type = md5

配置Strongswan APP

Strongswan app 使用IKEv2 EAP 通过 Freeradius EAP认证 连接 Strongswan_第1张图片

Debug

开启Strongswan debug
ipsec start --nofork
+++++++++++++++++++++++Start+++++++++++++++++++++++++++++++++++
00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (16424) started after 120 ms

++++++++++++++++++++++Process+++++++++++++++++++++++++++
charon (16424) started after 120 ms
09[NET] received packet: from 10.207.238.201[63202] to 10.207.238.11[500] (716 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
09[IKE] 10.207.238.201 is initiating an IKE_SA
09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
09[IKE] remote host is behind NAT
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
09[NET] sending packet: from 10.207.238.11[500] to 10.207.238.201[63202] (272 bytes)
10[NET] received packet: from 10.207.238.201[63203] to 10.207.238.11[4500] (464 bytes)
10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
10[IKE] received cert request for "C=CN, O=SZQSM, CN=SZQSM Root CA"
10[IKE] initiating EAP_IDENTITY method (id 0x00)
10[IKE] processing INTERNAL_IP4_ADDRESS attribute
10[IKE] processing INTERNAL_IP6_ADDRESS attribute
10[IKE] processing INTERNAL_IP4_DNS attribute
10[IKE] processing INTERNAL_IP6_DNS attribute
10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
10[IKE] peer supports MOBIKE
10[IKE] authentication of '10.207.238.11' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
10[IKE] sending end entity cert "C=CN, O=SZQSM, CN=server"
10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
10[NET] sending packet: from 10.207.238.11[4500] to 10.207.238.201[63203] (1184 bytes)
11[NET] received packet: from 10.207.238.201[63203] to 10.207.238.11[4500] (96 bytes)
11[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
11[IKE] received EAP identity 'android'
11[IKE] initiating EAP_MD5 method (id 0x01)
11[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
11[NET] sending packet: from 10.207.238.11[4500] to 10.207.238.201[63203] (96 bytes)
12[NET] received packet: from 10.207.238.201[63203] to 10.207.238.11[4500] (96 bytes)
12[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MD5 ]
12[IKE] RADIUS authentication of 'android' successful
12[IKE] EAP method EAP_MD5 succeeded, no MSK established
12[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
12[NET] sending packet: from 10.207.238.11[4500] to 10.207.238.201[63203] (80 bytes)
13[NET] received packet: from 10.207.238.201[63203] to 10.207.238.11[4500] (112 bytes)
13[ENC] parsed IKE_AUTH request 4 [ AUTH ]
13[IKE] authentication of 'android' with EAP successful
13[IKE] authentication of '10.207.238.11' (myself) with EAP
13[IKE] IKE_SA mobile[1] established between 10.207.238.11[10.207.238.11]...10.207.238.201[android]
13[IKE] IKE_SA mobile[1] state change: CONNECTING => ESTABLISHED
13[IKE] scheduling reauthentication in 3283s
13[IKE] maximum IKE_SA lifetime 3463s
13[IKE] peer requested virtual IP %any
13[IKE] assigning virtual IP 192.168.200.101 to peer 'android'
13[IKE] peer requested virtual IP %any6
13[IKE] no virtual IP found for %any6 requested by 'android'
13[IKE] building INTERNAL_IP4_DNS attribute
13[IKE] building INTERNAL_IP4_NBNS attribute
13[IKE] building INTERNAL_IP4_DNS attribute
13[IKE] building INTERNAL_IP4_NETMASK attribute
13[KNL] sending XFRM_MSG_ALLOCSPI 203: => 248 bytes @ 0x7f23f748f5d0
.......
.......
13[IKE] CHILD_SA mobile{1} established with SPIs cb2fb18c_i 775f3792_o and TS 192.168.1.0/24 === 192.168.200.101/32
13[KNL] 10.207.238.11 is on interface enp2s0
13[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS NBNS DNS MASK) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
13[NET] sending packet: from 10.207.238.11[4500] to 10.207.238.201[63203] (320 bytes)

开启Freeradius debug
freeradius -X
+++++++++++++++++++++++Start+++++++++++++++++++++++++++++++++
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 57499
Listening on proxy address :: port 52425
Ready to process requests

++++++++++++++++++++++Process+++++++++++++++++++++++++++++
(0) Received Access-Request Id 94 from 10.207.238.11:47767 to 10.207.238.11:1812 length 149
(0)   User-Name = "android"
(0)   NAS-Port-Type = Virtual
(0)   Service-Type = Framed-User
(0)   NAS-Port = 1
(0)   NAS-Port-Id = "mobile"
(0)   NAS-IP-Address = 10.207.238.11
(0)   Called-Station-Id = "10.207.238.11[4500]"
(0)   Calling-Station-Id = "10.207.238.201[63203]"
(0)   EAP-Message = 0x0200000c01616e64726f6964
(0)   NAS-Identifier = "strongSwan"
(0)   Message-Authenticator = 0x16ea5c3a4208507e542deacc691df6ed
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "android", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 12
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x1fc569941fc46da6
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 94 from 10.207.238.11:1812 to 10.207.238.11:47767 length 0
(0)   EAP-Message = 0x010100160410e3e83db1dd437ba5c61425137e977b20
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x1fc569941fc46da6a69b0463c29ac3e6
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 95 from 10.207.238.11:47767 to 10.207.238.11:1812 length 177
(1)   User-Name = "android"
(1)   NAS-Port-Type = Virtual
(1)   Service-Type = Framed-User
(1)   NAS-Port = 1
(1)   NAS-Port-Id = "mobile"
(1)   NAS-IP-Address = 10.207.238.11
(1)   Called-Station-Id = "10.207.238.11[4500]"
(1)   Calling-Station-Id = "10.207.238.201[63203]"
(1)   EAP-Message = 0x02010016041098cee51cb989481a34b1f531ced38d73
(1)   NAS-Identifier = "strongSwan"
(1)   State = 0x1fc569941fc46da6a69b0463c29ac3e6
(1)   Message-Authenticator = 0x16ddeeb511aac43b98caab280fb1c4b9
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "android", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 22
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)     [files] = noop
(1) sql: EXPAND %{User-Name}
(1) sql:    --> android
(1) sql: SQL-User-Name set to 'android'
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 102 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 102 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 102 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 102 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 102 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (5), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.1.43-MariaDB-0ubuntu0.18.04.1, protocol version 10
rlm_sql (sql): Reserved connection (5)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'android' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'android' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql:   Cleartext-Password := "123456"
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'android' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'android' ORDER BY id
(1) sql: User found in radreply table, merging reply items
(1) sql:   Framed-IP-Address = 192.168.200.101
(1) sql:   Framed-IP-Netmask = 255.255.255.0
(1) sql:   Reply-Message = "EAP Auth Success!"
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'android' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'android' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (5)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (6), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.1.43-MariaDB-0ubuntu0.18.04.1, protocol version 10
(1)     [sql] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x1fc569941fc46da6
(1) eap: Finished EAP session with state 0x1fc569941fc46da6
(1) eap: Previous EAP request found for state 0x1fc569941fc46da6, released from the list
(1) eap: Peer sent packet with method EAP MD5 (4)
(1) eap: Calling submodule eap_md5 to process data
(1) eap: Sending EAP Success (code 3) ID 1 length 4
(1) eap: Freeing handler
(1)     [eap] = ok
(1)   } # authenticate = ok
(1) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(1)   post-auth {
(1)     if (!&reply:State) {
(1)     if (!&reply:State)  -> TRUE
(1)     if (!&reply:State)  {
(1)       update reply {
(1)         EXPAND 0x%{randstr:16h}
(1)            --> 0x31ae4da58a01ce5a0a138ec6b632dcd40f
(1)         State := 0x31ae4da58a01ce5a0a138ec6b632dcd40f
(1)       } # update reply = noop
(1)     } # if (!&reply:State)  = noop
(1)     update {
(1)       No attributes updated
(1)     } # update = noop
(1) sql: EXPAND .query
(1) sql:    --> .query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (5)
(1) sql: EXPAND %{User-Name}
(1) sql:    --> android
(1) sql: SQL-User-Name set to 'android'
(1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(1) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'android', '', 'Access-Accept', '2020-06-09 08:30:47')
(1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'android', '', 'Access-Accept', '2020-06-09 08:30:47')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5)
(1)     [sql] = ok
(1)     [exec] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> TRUE
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  {
(1)         update reply {
(1)           &Reply-Message !* ANY
(1)         } # update reply = noop
(1)       } # if (&reply:EAP-Message && &reply:Reply-Message)  = noop
(1)       ... skipping else: Preceding "if" was taken
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # post-auth = ok
(1) Sent Access-Accept Id 95 from 10.207.238.11:1812 to 10.207.238.11:47767 length 0
(1)   Framed-IP-Address = 192.168.200.101
(1)   Framed-IP-Netmask = 255.255.255.0
(1)   EAP-Message = 0x03010004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   User-Name = "android"
(1)   State := 0x31ae4da58a01ce5a0a138ec6b632dcd40f
(1) Finished request

Strongswan app 使用IKEv2 EAP 通过 Freeradius EAP认证 连接 Strongswan_第2张图片

应用

 ping 192.168.200.101 
PING 192.168.200.101 (192.168.200.101) 56(84) bytes of data.
64 bytes from 192.168.200.101: icmp_seq=1 ttl=64 time=141 ms
64 bytes from 192.168.200.101: icmp_seq=2 ttl=64 time=66.9 ms
64 bytes from 192.168.200.101: icmp_seq=3 ttl=64 time=85.6 ms
64 bytes from 192.168.200.101: icmp_seq=4 ttl=64 time=109 ms
64 bytes from 192.168.200.101: icmp_seq=5 ttl=64 time=6.63 ms
64 bytes from 192.168.200.101: icmp_seq=6 ttl=64 time=55.5 ms
64 bytes from 192.168.200.101: icmp_seq=7 ttl=64 time=74.7 ms
64 bytes from 192.168.200.101: icmp_seq=8 ttl=64 time=99.3 ms
64 bytes from 192.168.200.101: icmp_seq=9 ttl=64 time=119 ms
64 bytes from 192.168.200.101: icmp_seq=10 ttl=64 time=40.7 ms
^C
--- 192.168.200.101 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9012ms
rtt min/avg/max/mdev = 6.636/79.941/141.551/37.800 ms

traceroute 192.168.200.101
traceroute to 192.168.200.101 (192.168.200.101), 30 hops max, 60 byte packets
 1  192.168.200.101 (192.168.200.101)  169.430 ms  171.172 ms  171.248 ms

你可能感兴趣的:(系统与网络)