Problem description
I configured my FreeRADIUS 3.0 to authenticate successfully against our Active Directory with username and password using the ntlm_auth module. Then I added the following code to my default site:
if (!State) {
    update control {
        Auth-Type := ntlm_auth
    }
}
else {
    update control {
        Auth-Type := pam
    }
}
and changed the ntlm_auth section in the same file to:
Auth-Type ntlm_auth {
    ntlm_auth
    if (ok) {
        update reply {
            # Create a random State attribute:
            State := "%{randstr:aaaaaaaaaaaaaaaa}"
            Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
        }
        # Return Access-Challenge:
        challenge
    }
}
This works well, but it uses a cleartext password.
So I changed the configuration on the gateway (VPN) to send MSCHAPv2 instead of plain text. I changed ntlm_auth to mschapv2 in the configuration, but now I only get an MSCHAPv2 response and no response to the challenge request for the OTP-PIN.
Log (debug):
(0) Received Access-Request Id 73 from 212.99.164.134:10057 to 10.1.56.3:1812 length 188
(0) NAS-Identifier = "HAM-FW-02"
(0) User-Name = "USERnameSent"
(0) MS-CHAP2-Response = 0x1c009ddc9d60c7a00ed267291e4049fe8cae0000000000000000dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(0) MS-CHAP-Challenge = 0xe19eb24bf11796bbb66baab10741f1fb
(0) NAS-Port-Type = Virtual
(0) Calling-Station-Id = "46.114.1.229"
(0) Acct-Session-Id = "17f2146e"
(0) Connect-Info = "vpn-ssl"
(0) Fortinet-Vdom-Name = "0010647802"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(0) auth_log: EXPAND %t
(0) auth_log: --> Fri Mar 26 06:36:08 2021
(0) [auth_log] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "USERnameSent",looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message,not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 202
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0) [pap] = noop
(0) if (!State) {
(0) if (!State) -> TRUE
(0) if (!State) {
(0) update control {
(0) Auth-Type := ntlm_auth
(0) } # update control = noop
(0) } # if (!State) = noop
(0) ... skipping else: Preceding "if" was taken
(0) } # authorize = ok
(0) Found Auth-Type = ntlm_auth
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type ntlm_auth {
(0) mschap: Creating challenge hash with username: USERnameSent
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=USERnameSent
(0) mschap: Creating challenge hash with username: USERnameSent
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=0b0349cd8aa9407c
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: --> --nt-response=dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(0) mschap: Program returned code (0) and output 'NT_KEY: 5796EA7F02A7060169CD28DE40DD6165'
(0) mschap: Adding MS-CHAPv2 MPPE keys
(0) [mschap] = ok
(0) if (ok) {
(0) if (ok) -> TRUE
(0) if (ok) {
(0) update reply {
(0) EXPAND %{randstr:aaaaaaaaaaaaaaaa}
(0) --> 9o91xD3qIywz6TTH
(0) State := 0x396f3931784433714979777a36545448
(0) Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
(0) } # update reply = noop
(0) policy challenge {
(0) update control {
(0) &Response-Packet-Type = Access-Challenge
(0) } # update control = noop
(0) [handled] = handled
(0) } # policy challenge = handled
(0) } # if (ok) = handled
(0) } # Auth-Type ntlm_auth = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 73 from 10.1.56.3:1812 to 212.99.164.134:10057 length 0
(0) MS-CHAP2-Success = 0x1c533d33323442453233423243323435354244304539344338433737383335303142393346453232463037
(0) MS-MPPE-Recv-Key = 0x6d7dcf451b9c724308f1a01c9b1a7dcc
(0) MS-MPPE-Send-Key = 0xa993f3f27c1f6d5e8b192b9962de7bc4
(0) MS-MPPE-Encryption-Policy = Encryption-Allowed
(0) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0) State := 0x396f3931784433714979777a36545448
(0) Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 73 with timestamp +11
Ready to process requests
(1) Received Access-Request Id 74 from 212.99.164.134:24581 to 10.1.56.3:1812 length 206
(1) NAS-Identifier = "HAM-FW-02"
(1) State = 0x396f3931784433714979777a36545448
(1) User-Name = "USERnameSent"
(1) MS-CHAP2-Response = 0x1c003635363333340ed267291e4049fe8cae0000000000000000dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(1) MS-CHAP-Challenge = 0xe19eb24bf11796bbb66baab10741f1fb
(1) NAS-Port-Type = Virtual
(1) Calling-Station-Id = "46.114.1.229"
(1) Acct-Session-Id = "17f2146e"
(1) Connect-Info = "vpn-ssl"
(1) Fortinet-Vdom-Name = "0010647802"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(1) auth_log: EXPAND %t
(1) auth_log: --> Fri Mar 26 06:36:16 2021
(1) [auth_log] = ok
(1) [chap] = noop
(1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(1) [mschap] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "USERnameSent",looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message,not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry DEFAULT at line 202
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) if (!State) {
(1) if (!State) -> FALSE
(1) else {
(1) update control {
(1) Auth-Type := pam
(1) } # update control = noop
(1) } # else = noop
(1) } # authorize = ok
(1) Found Auth-Type = pam
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Auth-Type pam {
(1) pam: Attribute "User-Password" is required for authentication
(1) [pam] = invalid
(1) } # Auth-Type pam = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> USERnameSent
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 74 from 10.1.56.3:1812 to 212.99.164.134:24581 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 74 with timestamp +19
Ready to process requests
Any ideas on how to send the challenge response to my pam module so it can verify this PIN against Google Authenticator? The response seems to get lost, or maybe I have to set {user-password} = {response-value} somewhere??
Many thanks!
Best regards,
Andreas
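As an added diagnostic example (not part of Andreas's post or of FreeRADIUS itself), the Python below decodes the two MS-CHAP2-Response values from the debug log above into their RFC 2548/2759 fields, recomputes the MS-CHAPv2 challenge hash the way the mschap module derives it (compare the result with the --challenge= line in the log), and reports which credential attribute the second, State-carrying round actually contains. The attribute values are copied from the log; the function names are mine.

```python
import hashlib

# Values copied from the debug log above (request 0 and request 1).
AUTH_CHALLENGE = "e19eb24bf11796bbb66baab10741f1fb"  # MS-CHAP-Challenge
RESP_REQ0 = ("1c009ddc9d60c7a00ed267291e4049fe8cae0000000000000000"
             "dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06")
RESP_REQ1 = ("1c003635363333340ed267291e4049fe8cae0000000000000000"
             "dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06")
USER = "USERnameSent"


def parse_mschap2_response(hexstr):
    """Split a 50-byte MS-CHAP2-Response (RFC 2548 2.3.3) into its fields:
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(raw))
    return {
        "ident": raw[0],
        "flags": raw[1],
        "peer_challenge": raw[2:18].hex(),
        "reserved": raw[18:26].hex(),
        "nt_response": raw[26:50].hex(),
    }


def challenge_hash(peer_challenge_hex, auth_challenge_hex, username):
    """RFC 2759 ChallengeHash(): first 8 bytes of
    SHA1(PeerChallenge | AuthenticatorChallenge | UserName)."""
    data = (bytes.fromhex(peer_challenge_hex)
            + bytes.fromhex(auth_challenge_hex)
            + username.encode("ascii"))
    return hashlib.sha1(data).digest()[:8].hex()


def compare_rounds(first, second):
    """Show what changed between the two MS-CHAP2-Response values."""
    return {
        "nt_response_same": first["nt_response"] == second["nt_response"],
        "peer_challenge_same": first["peer_challenge"] == second["peer_challenge"],
        # Leading bytes of the second peer challenge, if they are printable ASCII.
        "second_peer_prefix": bytes.fromhex(second["peer_challenge"][:12]).decode("ascii", "replace"),
    }


def credential_for_otp_round(attrs):
    """Given the attribute names of a request, say whether rlm_pam can use it.
    rlm_pam needs User-Password (see the '[pam] = invalid' line in the log)."""
    if "State" not in attrs:
        return "first round (no State)"
    if "User-Password" in attrs:
        return "User-Password present: pam can verify the OTP"
    if "MS-CHAP2-Response" in attrs:
        return "only MS-CHAP2-Response: pam cannot read the OTP"
    return "no usable credential"
```

In this log the NT-Response of both rounds is byte-identical and only the peer-challenge bytes differ, which is why a pam-based OTP check never sees a password.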