FreeRADIUS setup with OpenLDAP + PAM using Google Authenticator denies access if the request comes from another VLAN


I have configured FreeRADIUS with Google Authenticator to log in OpenLDAP users. The authentication mechanism used for FreeRADIUS is PAM.

I am facing a strange issue: when a user tries to authenticate from within the same network VLAN (172.30.0.0/16) I get a success, and when the same user tries to authenticate from a different network VLAN (172.35.0.0/16) I get an Access-Reject.

Success output:-

$ radtest user1 pass123456 172.30.14.177 0 mysecret

Sent Access-Request Id 54 from 0.0.0.0:58888 to 172.30.14.177:1812 length 83
User-Name = "user1"
User-Password = "pass123456"
NAS-IP-Address = 172.30.43.114
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass123456"
Received Access-Accept Id 54 from 172.30.14.177:1812 to 0.0.0.0:0 length 20

Reject output:-

$ radtest user1 pass123456 172.30.14.177 0 mysecret
Sent Access-Request Id 150 from 0.0.0.0:52179 to 172.30.14.177:1812 length 83
User-Name = "user1"
User-Password = "pass123456"
NAS-IP-Address = 172.35.2.147
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass123456"
Received Access-Reject Id 150 from 172.30.14.177:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

Success log:-

Fri Mar 22 06:35:55 2019 : WARNING: (1) pap: No "known good" password found for the user.  Not setting Auth-Type
Fri Mar 22 06:35:55 2019 : WARNING: (1) pap: Authentication will fail unless a "known good" password is available
Fri Mar 22 06:35:55 2019 : Debug: (1)     modsingle[authorize]: returned from pap (rlm_pap)
Fri Mar 22 06:35:55 2019 : Debug: (1)     [pap] = noop
Fri Mar 22 06:35:55 2019 : Debug: (1)   } # authorize = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) Found Auth-Type = pam
Fri Mar 22 06:35:55 2019 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default
Fri Mar 22 06:35:55 2019 : Debug: (1)   authenticate {
Fri Mar 22 06:35:55 2019 : Debug: (1)     modsingle[authenticate]: calling pam (rlm_pam)
Fri Mar 22 06:35:55 2019 : Debug: (1) pam: Using pamauth string "radiusd" for pam.conf lookup
Fri Mar 22 06:35:55 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:55 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:55 2019 : Debug: (1) pam: Authentication succeeded
Fri Mar 22 06:35:55 2019 : Debug: (1)     modsingle[authenticate]: returned from pam (rlm_pam)
Fri Mar 22 06:35:55 2019 : Debug: (1)     [pam] = ok
Fri Mar 22 06:35:55 2019 : Debug: (1)   } # authenticate = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default

Failure log:-

Fri Mar 22 06:35:00 2019 : WARNING: (0) pap: No "known good" password found for the user.  Not setting Auth-Type
Fri Mar 22 06:35:00 2019 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available
Fri Mar 22 06:35:00 2019 : Debug: (0)     modsingle[authorize]: returned from pap (rlm_pap)
Fri Mar 22 06:35:00 2019 : Debug: (0)     [pap] = noop
Fri Mar 22 06:35:00 2019 : Debug: (0)   } # authorize = ok
Fri Mar 22 06:35:00 2019 : Debug: (0) Found Auth-Type = pam
Fri Mar 22 06:35:00 2019 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default
Fri Mar 22 06:35:00 2019 : Debug: (0)   authenticate {
Fri Mar 22 06:35:00 2019 : Debug: (0)     modsingle[authenticate]: calling pam (rlm_pam)
Fri Mar 22 06:35:00 2019 : Debug: (0) pam: Using pamauth string "radiusd" for pam.conf lookup
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : ERROR: (0) pam: pam_authenticate failed: Authentication failure
Fri Mar 22 06:35:00 2019 : Debug: (0)     modsingle[authenticate]: returned from pam (rlm_pam)
Fri Mar 22 06:35:00 2019 : Debug: (0)     [pam] = reject
Fri Mar 22 06:35:00 2019 : Debug: (0)   } # authenticate = reject
Fri Mar 22 06:35:00 2019 : Debug: (0) Failed to authenticate the user
Fri Mar 22 06:35:00 2019 : Debug: (0) Using Post-Auth-Type Reject

The only difference is which network the request comes from to the FreeRADIUS server. The user credentials are the same.

PAM Config for radiusd:-

$ cat /etc/pam.d/radiusd
#%PAM-1.0
auth       requisite    pam_google_authenticator.so forward_pass
auth       required     pam_sss.so use_first_pass
account    required     pam_nologin.so
account    include      password-auth
session    include      password-auth
Tags: openldap, freeradius, pam, radius, google-authenticator

1 answer (0 votes)

Could you share your configuration? I am trying to set up the same as you. My environment is:

Cisco ISE -> FreeRadius (server with Google Authenticator installed) -> Active Directory (Windows 2012 server)

I have successfully connected to AD and am able to check that the username and password are correct. After that I need to verify Google Auth, but FreeRadius fails; I am using this guide. Here is the output

Mon Nov 25 10:16:17 2019 : Debug: rlm_ldap (ldap): Reserved connection (3)
Mon Nov 25 10:16:17 2019 : Debug: (1) ldap: Login attempt by "USERNAME"
Mon Nov 25 10:16:17 2019 : Debug: (1) ldap: Using user DN from request "USERDN"
Mon Nov 25 10:16:17 2019 : Debug: (1) ldap: Waiting for bind result...
Mon Nov 25 10:16:17 2019 : Debug: (1) ldap: Bind successful
Mon Nov 25 10:16:17 2019 : Debug: (1) ldap: Bind as user "USERDN" was successful
Mon Nov 25 10:16:17 2019 : Debug: rlm_ldap (ldap): Released connection (3)
Mon Nov 25 10:16:17 2019 : Debug: (1)     modsingle[authenticate]: returned from ldap (rlm_ldap)
Mon Nov 25 10:16:17 2019 : Debug: (1)     [ldap] = ok
Mon Nov 25 10:16:17 2019 : Debug: (1)   } # Auth-Type LDAP = ok
Mon Nov 25 10:16:17 2019 : Debug: (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default
Mon Nov 25 10:16:17 2019 : Debug: (1)   post-auth {
Mon Nov 25 10:16:17 2019 : Debug: (1)     if (User-Password =~ /^([0-9]{6})(.*)$/){
Mon Nov 25 10:16:17 2019 : Debug: No matches
Mon Nov 25 10:16:17 2019 : Debug: (1)     if (User-Password =~ /^([0-9]{6})(.*)$/) -> FALSE
Mon Nov 25 10:16:17 2019 : Debug: (1)     else {
Mon Nov 25 10:16:17 2019 : Debug: (1)       modsingle[post-auth]: calling reject (rlm_always)
Mon Nov 25 10:16:17 2019 : Debug: (1)       modsingle[post-auth]: returned from reject (rlm_always)
Mon Nov 25 10:16:17 2019 : Debug: (1)       [reject] = reject
Mon Nov 25 10:16:17 2019 : Debug: (1)     } # else = reject
Mon Nov 25 10:16:17 2019 : Debug: (1)   } # post-auth = reject
Mon Nov 25 10:16:17 2019 : Debug: (1) Using Post-Auth-Type Reject
Mon Nov 25 10:16:17 2019 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default
Mon Nov 25 10:16:17 2019 : Debug: (1)   Post-Auth-Type REJECT {
Mon Nov 25 10:16:17 2019 : Debug: (1)     modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter)
Mon Nov 25 10:16:17 2019 : Debug: %{User-Name}
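Both posts hinge on how a single RADIUS User-Password carries two factors: the question's PAM stack (pam_google_authenticator with forward_pass, then pam_sss with use_first_pass) and the answer's post-auth rule, whose regex /^([0-9]{6})(.*)$/ takes the code from the front of the value. The Python below is an added illustration, not code from either post or from FreeRADIUS or the PAM module. It splits a combined value either way (the code-at-the-end order is what forward_pass expects according to the pam_google_authenticator documentation; treat that as an assumption here), and verifies the six-digit code as RFC 6238 TOTP over the base32 secret Google Authenticator stores, with the +/- step window that decides whether a code typed at one time is still accepted a minute later. The secret and timestamps are the RFC 4226/6238 test values, embedded so the block runs offline.

```python
import base64
import hashlib
import hmac
import re
import struct
import time

# Regex exactly as in the answer's post-auth log: six-digit code first, password after.
CODE_FIRST = re.compile(r"^([0-9]{6})(.*)$")
# Appended-code convention: password first, six-digit code last (assumed to be the
# forward_pass behaviour of pam_google_authenticator, per its documentation).
CODE_LAST = re.compile(r"^(.*?)([0-9]{6})$")


def split_credential(user_password, code_first=False):
    """Split 'password+code' into (password, code); None if the value has no code."""
    pattern = CODE_FIRST if code_first else CODE_LAST
    m = pattern.match(user_password)
    if not m:
        return None
    if code_first:
        return m.group(2), m.group(1)
    return m.group(1), m.group(2)


def secret_from_base32(b32):
    """Decode the base32 secret as written in ~/.google_authenticator (padding optional)."""
    cleaned = b32.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1, which is what Google Authenticator computes."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `at`."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, window=1, digits=6):
    """Accept `code` if it matches the current step or any step within +/- window.

    A code that was valid when one request was sent may fall outside this window
    by the time a second request is sent; compare timestamps before comparing NAS
    addresses when two otherwise identical requests get different results.
    """
    if at is None:
        at = time.time()
    counter = int(at // step)
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def check_login(user_password, secret, expected_password, at=None, code_first=False):
    """Full two-factor check: split the value, compare the password, verify the code.

    Returns a short reason string so a rejected attempt is diagnosable in a log.
    """
    parts = split_credential(user_password, code_first=code_first)
    if parts is None:
        return "reject: no six-digit code in User-Password"
    password, code = parts
    if not hmac.compare_digest(password, expected_password):
        return "reject: password mismatch"
    if not verify_totp(secret, code, at=at):
        return "reject: code outside accepted time window"
    return "accept"


if __name__ == "__main__":
    # Constructed demo values: the RFC 4226 test secret ("12345678901234567890") in base32.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(split_credential("pass123456"))             # ('pass', '123456')
    print(totp(demo_secret, at=59))                   # 287082 (RFC 6238 vector)
    print(check_login("pass287082", demo_secret, "pass", at=59))
    print(check_login("pass287082", demo_secret, "pass", at=59 + 60))
```

The window check is the part worth keeping in mind when reading two debug logs taken at different times: the success and failure runs in the question are 55 seconds apart, so whatever is submitted as the code has to be valid in both windows for the comparison of NAS-IP-Address alone to be meaningful.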