Freeradius

freeradius, rlm_rest: Failed to authenticate the user

  • May 4, 2021

I read: Configuring the rlm_rest module in FreeRADIUS

My FreeRADIUS version is 3.0.11 (git #d667a28).

My attempt uses the bundled demo.pl, changing only the port.

radtest -> radtest testing testing123 127.0.0.1 1 testing123

I tried a few scenarios for the "authorize" section.

#authorize {
#    if (User-Password) {
#        update control {
#            Auth-Type := rest
#        }
#    }
#}

#authorize {
#    if (User-Password) {
#        update control {
#            Cleartext-Password := User-Password
#            Auth-Type := rest
#        }
#    }
#}

authorize {
   update control {
       Auth-Type := rest
   }
}

But I always get: 'Failed to authenticate the user'

Debug:

Tue Aug 30 03:54:46 2016 : Debug: (0) rest: EXPAND /
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:    --> /
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Sending HTTP POST to "http://10.10.255.2:5000/"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Adding custom headers:
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   X-FreeRADIUS-Section: authenticate
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   X-FreeRADIUS-Server: default
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Request body content-type will be "application/json"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "User-Name"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Type   : string
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Length : 7
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Value  : "testing"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "User-Password"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Type   : string
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Length : 10
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Value  : "testing123"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "NAS-IP-Address"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Type   : ipaddr
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Length : 9
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Value  : "127.0.1.1"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "NAS-Port"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Type   : integer
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Length : 1
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Value  : 1
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Encoding attribute "Message-Authenticator"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Type   : octets
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Length : 34
Tue Aug 30 03:54:46 2016 : Debug: (0) rest:   Value  : "0x9d06a674fbd767958883955ee01ec1cb"
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: JSON Data: {"User-Name":{"type":"string","value":["testing"]},"User-Password":{"type":"string","value":["testing123"]},"NAS-IP-Address":{"type":"ipaddr","value":["127.0.1.1"]},"NAS-Port":{"type":"integer","value":[1]},"Message-Authenticator":{"type":"octets","value":["0x9d06a674fbd767958883955ee01ec1cb"]}}
Tue Aug 30 03:54:46 2016 : Debug: (0) rest: Returning 296 bytes of JSON data
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Processing response header
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Status : 200 (OK)
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Type   : json (application/json)
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Parsing attribute "control:Cleartext-Password"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Type   : string
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Length : 10
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Value  : "testing123"
Tue Aug 30 03:54:47 2016 : Debug: testing123
Tue Aug 30 03:54:47 2016 : Debug: Parsed xlat tree:
Tue Aug 30 03:54:47 2016 : Debug: literal --> testing123
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: EXPAND testing123
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:    --> testing123
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Cleartext-Password := "testing123"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: FROM 1 TO 1 MAX 2
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: Examining Cleartext-Password
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: APPENDING Cleartext-Password FROM 0 TO 1
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: TO in 1 out 1
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: to[0] = Auth-Type
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Parsing attribute "reply:Reply-Message"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Type   : string
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Length : 18
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:   Value  : "Hello from demo.pl"
Tue Aug 30 03:54:47 2016 : Debug: Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: Parsed xlat tree:
Tue Aug 30 03:54:47 2016 : Debug: literal --> Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: EXPAND Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: (0) rest:    --> Hello from demo.pl
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: Reply-Message := "Hello from demo.pl"
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: FROM 1 TO 0 MAX 1
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: Examining Reply-Message
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: APPENDING Reply-Message FROM 0 TO 0
Tue Aug 30 03:54:47 2016 : Debug: (0) rest: ::: TO in 0 out 0
Tue Aug 30 03:54:47 2016 : Debug: rlm_rest (rest): Released connection (0)
Tue Aug 30 03:54:47 2016 : Debug: (0)     modsingle[authenticate]: returned from rest (rlm_rest) for request 0
Tue Aug 30 03:54:47 2016 : Debug: (0)     [rest] = updated
Tue Aug 30 03:54:47 2016 : Debug: (0)   } # authenticate = updated
Tue Aug 30 03:54:47 2016 : Debug: (0) Failed to authenticate the user
Tue Aug 30 03:54:47 2016 : Debug: (0) Using Post-Auth-Type Reject

Can you give me any clue?

You are not using rest for authentication here; you are only using it to retrieve the user's password.

You also need to list the pap module to actually perform the comparison.

i.e.

authorize {
   rest
   pap
}

authenticate {
   pap
}

If the authorize route is already authenticating the user, maybe you can set Auth-Type to Accept. It works for me, but I would be happy to hear of any drawbacks.

#authorize {
#    if (User-Password) {
#        update control {
#            Auth-Type := Accept
#        }
#    }
#}
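Added example, not code from the thread or from FreeRADIUS: a small Python model of the flow both answers describe, built only from what the debug log and the three configurations show. The request encoding (`{"Attr": {"type": ..., "value": [...]}}`) and the `control:`/`reply:` keys in the response are copied from the log; the JSON wrapper around each response value, the return-code mapping in `rest_module`, the behaviour of `pap_module`, the `run_request` flow, and the constructed `USER_DB` are assumptions made for the simulation. It reproduces the log's outcome (rest returning `updated` from the authenticate section is not an accept), shows why `authorize { rest pap }` plus `authenticate { pap }` works, and shows the drawback the second answer asks about: with `Auth-Type := Accept` the password is never compared, so any password is accepted for a known user.

```python
import hmac
import json

# Constructed user store, standing in for whatever a real REST backend would consult.
USER_DB = {"testing": "testing123"}


def encode_rest_request(attrs):
    """Encode request attributes the way rlm_rest did in the debug log:
    {"Attr": {"type": "string", "value": ["..."]}} (string attributes only here)."""
    return json.dumps({k: {"type": "string", "value": [v]} for k, v in attrs.items()})


def parse_rest_request(body):
    """Flatten that body to {attribute: first value}, which is what a backend needs."""
    return {name: entry["value"][0] for name, entry in json.loads(body).items()}


def rest_backend(section, body):
    """Hypothetical backend behaving like demo.pl in the log: whichever section asks, it answers
    200 with control:Cleartext-Password and reply:Reply-Message for a known user (list:attribute
    keys as in the log; the JSON wrapper around each value is an assumption), 404 otherwise."""
    user = parse_rest_request(body).get("User-Name")
    if user not in USER_DB:
        return 404, ""
    return 200, json.dumps({
        "control:Cleartext-Password": {"type": "string", "value": USER_DB[user]},
        "reply:Reply-Message": {"type": "string", "value": "Hello from demo.pl"},
    })


def rest_module(section, request, control, reply):
    """Model of rlm_rest: a 2xx with a body merges the returned attributes into the named lists
    and returns 'updated' (matching '[rest] = updated' in the log); 404 is 'notfound'."""
    status, body = rest_backend(section, encode_rest_request(request))
    if status == 404:
        return "notfound"
    if not body:
        return "ok"
    for key, entry in json.loads(body).items():
        list_name, attr = key.split(":", 1)
        (control if list_name == "control" else reply)[attr] = entry["value"]
    return "updated"


def pap_module(section, request, control, reply):
    """Model of rlm_pap: in authorize it claims the request (Auth-Type := PAP) once a
    Cleartext-Password is in control; in authenticate it performs the actual comparison."""
    if section == "authorize":
        if "Cleartext-Password" in control and "Auth-Type" not in control:
            control["Auth-Type"] = "PAP"
            return "updated"
        return "noop"
    expected = control.get("Cleartext-Password")
    if expected is None or "User-Password" not in request:
        return "reject"
    ok = hmac.compare_digest(request["User-Password"].encode(), expected.encode())
    return "ok" if ok else "reject"


MODULES = {"rest": rest_module, "pap": pap_module}


def run_request(config, request):
    """Simplified server flow: run authorize, pick the Auth-Type, run that authenticate section.
    The rule that explains the log: authenticate must end in 'ok' (or 'handled') to get an
    Access-Accept; 'updated' there means 'Failed to authenticate the user'."""
    control, reply = {}, {}
    for name in config.get("authorize", []):
        if MODULES[name]("authorize", request, control, reply) in ("reject", "fail"):
            return "Access-Reject"
    if "force_auth_type" in config:          # models: update control { Auth-Type := ... }
        control["Auth-Type"] = config["force_auth_type"]
    auth_type = control.get("Auth-Type")
    if auth_type == "Accept":                # special Auth-Type: accept without authenticating
        return "Access-Accept"
    if auth_type is None or auth_type not in config.get("authenticate", {}):
        return "Access-Reject"
    rcode = "noop"
    for name in config["authenticate"][auth_type]:
        rcode = MODULES[name]("authenticate", request, control, reply)
    return "Access-Accept" if rcode in ("ok", "handled") else "Access-Reject"


# The three configurations from the thread, in the model's terms.
ORIGINAL = {"force_auth_type": "rest", "authenticate": {"rest": ["rest"]}}
ANSWER_1 = {"authorize": ["rest", "pap"], "authenticate": {"PAP": ["pap"]}}
ANSWER_2 = {"force_auth_type": "Accept"}

GOOD = {"User-Name": "testing", "User-Password": "testing123"}   # constructed
BAD = {"User-Name": "testing", "User-Password": "wrong"}         # constructed

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("rest+pap", ANSWER_1), ("Accept", ANSWER_2)):
        print(f"{label:9s} good={run_request(cfg, GOOD)} bad={run_request(cfg, BAD)}")
```

Running it prints a reject for both passwords under the original configuration, accept/reject under the rest+pap configuration, and accept for both under the Accept variant, which is the drawback: the REST call only fetches the password, so nothing ever checks it. One more thing the log itself shows is that the request body carries User-Password in the clear to a plain `http://` URL, so the link between FreeRADIUS and the backend deserves TLS and network restriction whatever the section layout.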

Quoted from: https://serverfault.com/questions/799899