Freeradius
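freeradius, rlm_rest: Failed to authenticate the user
I read: Configuring the rlm_rest module in FreeRadius
My FreeRadius version is 3.0.11 (git #d667a28)
My attempt was to use the included demo.pl, changing only the port.
radtest --> radtest testing testing123 127.0.0.1 1 testing123
I tried a few scenarios for the "authorize" section.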
```
#authorize {
#    if (User-Password) {
#        update control {
#            Auth-Type := rest
#        }
#    }
#}

#authorize {
#    if (User-Password) {
#        update control {
#            Cleartext-Password := User-Password
#            Auth-Type := rest
#        }
#    }
#}

authorize {
    update control {
        Auth-Type := rest
    }
}
```
But I always get: "Failed to authenticate the user"
Debug:
```
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: EXPAND /
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: --> /
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Sending HTTP POST to "http://10.10.255.2:5000/"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Adding custom headers:
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: X-FreeRADIUS-Section: authenticate
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: X-FreeRADIUS-Server: default
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Request body content-type will be "application/json"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "User-Name"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Type : string
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Length : 7
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Value : "testing"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "User-Password"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Type : string
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Length : 10
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Value : "testing123"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "NAS-IP-Address"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Type : ipaddr
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Length : 9
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Value : "127.0.1.1"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "NAS-Port"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Type : integer
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Length : 1
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Value : 1
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "Message-Authenticator"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Type : octets
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Length : 34
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Value : "0x9d06a674fbd767958883955ee01ec1cb"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: JSON Data: {"User-Name":{"type":"string","value":["testing"]},"User-Password":{"type":"string","value":["testing123"]},"NAS-IP-Address":{"type":"ipaddr","value":["127.0.1.1"]},"NAS-Port":{"type":"integer","value":[1]},"Message-Authenticator":{"type":"octets","value":["0x9d06a674fbd767958883955ee01ec1cb"]}}
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Returning 296 bytes of JSON data
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Processing response header
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Status : 200 (OK)
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Type : json (application/json)
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Parsing attribute "control:Cleartext-Password"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Type : string
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Length : 10
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Value : "testing123"
Tue Aug 30 03:54:47 2016 : Debug: testing123
Tue Aug 30 03:54:47 2016 : Debug: Parsed xlat tree:
Tue Aug 30 03:54:47 2016 : Debug: literal --> testing123
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: EXPAND testing123
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: --> testing123
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Cleartext-Password := "testing123"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: FROM 1 TO 1 MAX 2
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: Examining Cleartext-Password
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: APPENDING Cleartext-Password FROM 0 TO 1
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: TO in 1 out 1
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: to[0] = Auth-Type
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Parsing attribute "reply:Reply-Message"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Type : string
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Length : 18
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Value : "Hello from demo.pl"
Tue Aug 30 03:54:47 2016 : Debug: Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: Parsed xlat tree:
Tue Aug 30 03:54:47 2016 : Debug: literal --> Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: EXPAND Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: --> Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Reply-Message := "Hello from demo.pl"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: FROM 1 TO 0 MAX 1
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: Examining Reply-Message
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: APPENDING Reply-Message FROM 0 TO 0
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: TO in 0 out 0
Tue Aug 30 03:54:47 2016 : Debug: rlm_rest (rest): Released connection (0)
Tue Aug 30 03:54:47 2016 : Debug: (0) modsingle[authenticate]: returned from rest (rlm_rest) for request 0
Tue Aug 30 03:54:47 2016 : Debug: (0) [rest] = updated
Tue Aug 30 03:54:47 2016 : Debug: (0) } # authenticate = updated
Tue Aug 30 03:54:47 2016 : Debug: (0) Failed to authenticate the user
Tue Aug 30 03:54:47 2016 : Debug: (0) Using Post-Auth-Type Reject
```
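Can you give me any clue?
You're not using rest for authentication here; you're only using it to retrieve the user's password.
You also need to list the pap module to actually perform the comparison.
i.e.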
```
authorize {
    rest
    pap
}
authenticate {
    pap
}
```
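If the authorize route is already authenticating the user, maybe you can set Auth-Type to Accept. It works for me, but I'm open to hearing whether this has any drawbacks.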
```
#authorize {
#    if (User-Password) {
#        update control {
#            Auth-Type := Accept
#        }
#    }
#}
```
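An added example, not part of either answer or of FreeRADIUS: a backend-side check for the case where `rest` itself is listed in `authenticate`, parsing the JSON request format shown in the debug log and verifying the password against a salted hash instead of returning `control:Cleartext-Password`. It assumes the status mapping described in the comments of the stock `mods-available/rest` file (204 gives `ok`, 401 gives `reject`); the user store, `SAMPLE` body and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: salt plus derived hash, never the cleartext password.
USERS = {"testing": (b"constructed-salt", _hash("testing123", b"constructed-salt"))}

# Constructed request body, trimmed from the "JSON Data" line of the debug log.
SAMPLE = (b'{"User-Name":{"type":"string","value":["testing"]},'
          b'"User-Password":{"type":"string","value":["testing123"]}}')


def first_value(body: dict, attr: str):
    """First value of an attribute encoded as {"type": ..., "value": [...]}."""
    entry = body.get(attr)
    values = entry.get("value") if isinstance(entry, dict) else None
    if isinstance(values, list) and values and isinstance(values[0], str):
        return values[0]
    return None


def authenticate_status(raw_body: bytes) -> int:
    """HTTP status for an authenticate-section POST.
    Assumed mapping on the FreeRADIUS side: 204 -> ok, 401 -> reject."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 401  # unparsable body: reject rather than guess
    if not isinstance(body, dict):
        return 401
    user = first_value(body, "User-Name")
    password = first_value(body, "User-Password")
    if user is None or password is None:
        return 401  # e.g. a request that carries no User-Password
    # Unknown users still go through one hash so both paths cost the same.
    salt, stored = USERS.get(user, (b"dummy-salt", b""))
    candidate = _hash(password, salt)
    return 204 if hmac.compare_digest(candidate, stored) else 401
```
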