FreeRADIUS Google 双因素身份验证器

问题描述 投票:0回答:2

我一直在尝试在 Cent OS 6.3 机器上设置 FreeRADIUS Google 双因素身份验证器。我已经安装好了一切。

我的 /etc/pam.d/raduis 文件看起来像这样

#%PAM-1.0
#auth       include     password-auth
#account    required    pam_nologin.so
#account    include     password-auth
#password   include     password-auth
#session    include     password-auth

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass debug

但是,如果我删除最后两行并取消注释其他行,则此设置似乎有效,并且我收到以下消息

[root@PCPRADIUSTEST ~]# radtest juanr pass localhost 18120 letmein123
Sending Access-Request of id 184 to 127.0.0.1 port 1812
        User-Name = "juanr"
        User-Password = "pass"
        NAS-IP-Address = 10.3.80.169
        NAS-Port = 18120
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=184, length=20

然而,目前这两行的结果是 

[root@PCPRADIUSTEST ~]# radtest juanr pass localhost 18120 letmein123
Sending Access-Request of id 41 to 127.0.0.1 port 1812
        User-Name = "juanr"
        User-Password = "pass"
        NAS-IP-Address = 10.3.80.169
        NAS-Port = 18120
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=41, length=20

然后我停止了 radius 服务并像 radius -XXX 一样启动它并得到了输出

rad_recv: Access-Request packet from host 127.0.0.1 port 37599, id=41, length=75
        User-Name = "juanr"
        User-Password = "pass"
        NAS-IP-Address = 10.3.80.169
        NAS-Port = 18120
        Message-Authenticator = 0x4f0c83f91dd3abc99f89952bb82de085
Thu Sep 12 16:33:10 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Thu Sep 12 16:33:10 2013 : Info: +- entering group authorize {...}
Thu Sep 12 16:33:10 2013 : Info: ++[preprocess] returns ok
Thu Sep 12 16:33:10 2013 : Info: ++[chap] returns noop
Thu Sep 12 16:33:10 2013 : Info: ++[mschap] returns noop
Thu Sep 12 16:33:10 2013 : Info: ++[digest] returns noop
Thu Sep 12 16:33:10 2013 : Info: [suffix] No '@' in User-Name = "juanr", looking up realm NULL
Thu Sep 12 16:33:10 2013 : Info: [suffix] No such realm "NULL"
Thu Sep 12 16:33:10 2013 : Info: ++[suffix] returns noop
Thu Sep 12 16:33:10 2013 : Info: [eap] No EAP-Message, not doing EAP
Thu Sep 12 16:33:10 2013 : Info: ++[eap] returns noop
Thu Sep 12 16:33:10 2013 : Info: [files] users: Matched entry DEFAULT at line 74
Thu Sep 12 16:33:10 2013 : Info: ++[files] returns ok
Thu Sep 12 16:33:10 2013 : Info: ++[expiration] returns noop
Thu Sep 12 16:33:10 2013 : Info: ++[logintime] returns noop
Thu Sep 12 16:33:10 2013 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Thu Sep 12 16:33:10 2013 : Info: ++[pap] returns noop
Thu Sep 12 16:33:10 2013 : Info: Found Auth-Type = PAM
Thu Sep 12 16:33:10 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Thu Sep 12 16:33:10 2013 : Info: +- entering group authenticate {...}
Thu Sep 12 16:33:10 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Thu Sep 12 16:33:10 2013 : Debug: pam_pass: function pam_acct_mgmt FAILED for <juanr>. Reason: Authentication failure
Thu Sep 12 16:33:10 2013 : Info: ++[pam] returns reject
Thu Sep 12 16:33:10 2013 : Info: Failed to authenticate the user.
Thu Sep 12 16:33:10 2013 : Info: Using Post-Auth-Type Reject
Thu Sep 12 16:33:10 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Thu Sep 12 16:33:10 2013 : Info: +- entering group REJECT {...}
Thu Sep 12 16:33:10 2013 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> juanr
Thu Sep 12 16:33:10 2013 : Debug: attr_filter: Matched entry DEFAULT at line 11
Thu Sep 12 16:33:10 2013 : Info: ++[attr_filter.access_reject] returns updated
Thu Sep 12 16:33:10 2013 : Info: Delaying reject of request 1 for 1 seconds
Thu Sep 12 16:33:10 2013 : Debug: Going to the next request
Thu Sep 12 16:33:10 2013 : Debug: Waking up in 0.9 seconds.
Thu Sep 12 16:33:11 2013 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 41 to 127.0.0.1 port 37599
Thu Sep 12 16:33:11 2013 : Debug: Waking up in 4.9 seconds.

我按照 http://www.supertechguy.com/help/security/freeradius-google-auth 的说明进行设置。

您能给建议吗?

非常感谢。

google-authentication pam freeradius google-authenticator
2个回答
1
投票

经过这么多的上网和论坛搜索,我设法解决了这个问题。如果其他人遇到这个问题,这可能会对他们有帮助:)

Thu Sep 26 16:38:19 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: function pam_authenticate FAILED for <test>. Reason: Cannot make/remove an entry for the specified session

上面的行实际上意味着身份验证失败,即使听起来不像,也可能意味着用户主目录中的 .google_authenticator 文件不可访问。

FreeRadius 日志文件对解决此问题没有多大帮助,但请查看 CentOS 上的 /var/log/secure 和 Ubuntu 中的 /var/log/auth.log。这将解释问题所在。

我的系统问题是我的时间已到,并且我的 iPhone 上的 Google 双因素身份验证器应用程序随机生成的号码无效。我必须安装 NTP 并将我的服务器时间更改为正确的时间,这解决了问题!!!!

希望这对其他人有帮助:)

0
投票

我与谷歌设置了一个半径,以便从网络设备的 MFA 的半径对用户进行身份验证,但我无法为不同设备配置不同属性的相同交换机属性。我们可以如何在 Radius 服务器上使用用户属性吗?

#dell 开关属性 *Test.user 明文密码 := "密码"

  •         Force10-avpair= "shell:role=sysadmin"

#华为交换机属性 *Test.user 明文密码 := "密码"

  • 服务类型 = NAS-提示-用户,

    RADIUS 属性

  •       Huawei-Exec-Privilege = "3",

    •                # Login-Service 50 is for SSH

    •             Login-Service = 50
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.