I have configured FreeRADIUS with Google Authenticator to log in OpenLDAP users. The authentication mechanism used by FreeRADIUS is PAM.
I am facing a strange problem: when a user tries to authenticate from the same network VLAN (172.30.0.0/16) I get a success, and when the same user tries to authenticate from a different network VLAN (172.35.0.0/16) I get an Access-Reject.
Success output:-
$ radtest user1 pass123456 172.30.14.177 0 mysecret
Sent Access-Request Id 54 from 0.0.0.0:58888 to 172.30.14.177:1812 length 83
User-Name = "user1"
User-Password = "pass123456"
NAS-IP-Address = 172.30.43.114
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass123456"
Received Access-Accept Id 54 from 172.30.14.177:1812 to 0.0.0.0:0 length 20
Reject output:-
$ radtest user1 pass123456 172.30.14.177 0 mysecret
Sent Access-Request Id 150 from 0.0.0.0:52179 to 172.30.14.177:1812 length 83
User-Name = "user1"
User-Password = "pass123456"
NAS-IP-Address = 172.35.2.147
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass123456"
Received Access-Reject Id 150 from 172.30.14.177:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
Success log:-
Fri Mar 22 06:35:55 2019 : WARNING: (1) pap: No "known good" password found for the user. Not setting Auth-Type
Fri Mar 22 06:35:55 2019 : WARNING: (1) pap: Authentication will fail unless a "known good" password is available
Fri Mar 22 06:35:55 2019 : Debug: (1) modsingle[authorize]: returned from pap (rlm_pap)
Fri Mar 22 06:35:55 2019 : Debug: (1) [pap] = noop
Fri Mar 22 06:35:55 2019 : Debug: (1) } # authorize = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) Found Auth-Type = pam
Fri Mar 22 06:35:55 2019 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default
Fri Mar 22 06:35:55 2019 : Debug: (1) authenticate {
Fri Mar 22 06:35:55 2019 : Debug: (1) modsingle[authenticate]: calling pam (rlm_pam)
Fri Mar 22 06:35:55 2019 : Debug: (1) pam: Using pamauth string "radiusd" for pam.conf lookup
Fri Mar 22 06:35:55 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:55 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:55 2019 : Debug: (1) pam: Authentication succeeded
Fri Mar 22 06:35:55 2019 : Debug: (1) modsingle[authenticate]: returned from pam (rlm_pam)
Fri Mar 22 06:35:55 2019 : Debug: (1) [pam] = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) } # authenticate = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default
Failure log:-
Fri Mar 22 06:35:00 2019 : WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type
Fri Mar 22 06:35:00 2019 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available
Fri Mar 22 06:35:00 2019 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap)
Fri Mar 22 06:35:00 2019 : Debug: (0) [pap] = noop
Fri Mar 22 06:35:00 2019 : Debug: (0) } # authorize = ok
Fri Mar 22 06:35:00 2019 : Debug: (0) Found Auth-Type = pam
Fri Mar 22 06:35:00 2019 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default
Fri Mar 22 06:35:00 2019 : Debug: (0) authenticate {
Fri Mar 22 06:35:00 2019 : Debug: (0) modsingle[authenticate]: calling pam (rlm_pam)
Fri Mar 22 06:35:00 2019 : Debug: (0) pam: Using pamauth string "radiusd" for pam.conf lookup
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : ERROR: (0) pam: pam_authenticate failed: Authentication failure
Fri Mar 22 06:35:00 2019 : Debug: (0) modsingle[authenticate]: returned from pam (rlm_pam)
Fri Mar 22 06:35:00 2019 : Debug: (0) [pam] = reject
Fri Mar 22 06:35:00 2019 : Debug: (0) } # authenticate = reject
Fri Mar 22 06:35:00 2019 : Debug: (0) Failed to authenticate the user
Fri Mar 22 06:35:00 2019 : Debug: (0) Using Post-Auth-Type Reject
The only difference is which network the request reaches the FreeRADIUS server from. The user credentials are the same.
PAM Config for radiusd:-
$ cat /etc/pam.d/radiusd
#%PAM-1.0
auth requisite pam_google_authenticator.so forward_pass
auth required pam_sss.so use_first_pass
account required pam_nologin.so
account include password-auth
session include password-auth
Could you share your configuration? I am trying to set up the same thing as you. My environment is:
Cisco ISE -> FreeRADIUS (server with Google Authenticator installed) -> Active Directory (Windows Server 2012)
I have successfully connected to AD and am able to check that the username and password are correct. After that I need to validate Google Auth, but it fails in FreeRADIUS; I am using this guide. This is the output:
Mon Nov 25 10:16:17 2019 : Debug: rlm_ldap (ldap): Reserved connection (3)
Mon Nov 25 10:16:17 2019 : Debug: (1) ldap: Login attempt by "USERNAME"
Mon Nov 25 10:16:17 2019 : Debug: (1) ldap: Using user DN from request "USERDN"
Mon Nov 25 10:16:17 2019 : Debug: (1) ldap: Waiting for bind result...
Mon Nov 25 10:16:17 2019 : Debug: (1) ldap: Bind successful
Mon Nov 25 10:16:17 2019 : Debug: (1) ldap: Bind as user "USERDN" was successful
Mon Nov 25 10:16:17 2019 : Debug: rlm_ldap (ldap): Released connection (3)
Mon Nov 25 10:16:17 2019 : Debug: (1) modsingle[authenticate]: returned from ldap (rlm_ldap)
Mon Nov 25 10:16:17 2019 : Debug: (1) [ldap] = ok
Mon Nov 25 10:16:17 2019 : Debug: (1) } # Auth-Type LDAP = ok
Mon Nov 25 10:16:17 2019 : Debug: (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default
Mon Nov 25 10:16:17 2019 : Debug: (1) post-auth {
Mon Nov 25 10:16:17 2019 : Debug: (1) if (User-Password =~ /^([0-9]{6})(.*)$/){
Mon Nov 25 10:16:17 2019 : Debug: No matches
Mon Nov 25 10:16:17 2019 : Debug: (1) if (User-Password =~ /^([0-9]{6})(.*)$/) -> FALSE
Mon Nov 25 10:16:17 2019 : Debug: (1) else {
Mon Nov 25 10:16:17 2019 : Debug: (1) modsingle[post-auth]: calling reject (rlm_always)
Mon Nov 25 10:16:17 2019 : Debug: (1) modsingle[post-auth]: returned from reject (rlm_always)
Mon Nov 25 10:16:17 2019 : Debug: (1) [reject] = reject
Mon Nov 25 10:16:17 2019 : Debug: (1) } # else = reject
Mon Nov 25 10:16:17 2019 : Debug: (1) } # post-auth = reject
Mon Nov 25 10:16:17 2019 : Debug: (1) Using Post-Auth-Type Reject
Mon Nov 25 10:16:17 2019 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default
Mon Nov 25 10:16:17 2019 : Debug: (1) Post-Auth-Type REJECT {
Mon Nov 25 10:16:17 2019 : Debug: (1) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter)
Mon Nov 25 10:16:17 2019 : Debug: %{User-Name}
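As an added example (not code from either post), the Python below shows why the post-auth block in the second log reports "No matches": it splits a User-Password the way that unlang regex does (6-digit OTP in front) and, for comparison, the way the forward_pass option of pam_google_authenticator in the first poster's /etc/pam.d/radiusd expects it (static password first, OTP appended). The sample values are constructed, except pass123456, which is the password used in the radtest commands above.

```python
import re

# Regex copied from the post-auth section in the debug log above:
# a 6-digit OTP prefix, then whatever remains is the password.
OTP_PREFIX_RE = re.compile(r"^([0-9]{6})(.*)$")

# Layout pam_google_authenticator uses with forward_pass: the static
# password first and the 6-digit code appended at the end.
OTP_SUFFIX_RE = re.compile(r"^(.*)([0-9]{6})$")


def split_prefix(user_password):
    """Split as the logged unlang regex does; (otp, password) or None."""
    m = OTP_PREFIX_RE.match(user_password)
    return (m.group(1), m.group(2)) if m else None


def split_suffix(user_password):
    """Split as forward_pass expects; (otp, password) or None."""
    m = OTP_SUFFIX_RE.match(user_password)
    return (m.group(2), m.group(1)) if m else None


def post_auth_decision(user_password):
    """Mirror the logged post-auth section: the 'else' branch calls
    the reject module whenever the prefix regex does not match."""
    return "accept" if split_prefix(user_password) else "reject"


def diagnose(user_password):
    """Report which layout a User-Password value fits, to spot a mismatch
    between what the client sends and how the server splits it."""
    return {
        "prefix_otp": split_prefix(user_password),
        "suffix_otp": split_suffix(user_password),
        "post_auth": post_auth_decision(user_password),
    }


if __name__ == "__main__":
    # "pass123456" is the value sent by radtest in the first post;
    # "123456pass" is a constructed value in the prefix layout.
    for pw in ("pass123456", "123456pass", "short"):
        print(pw, diagnose(pw))
```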