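There is a network where users use PPPoE to establish connections to an access server. We lost the billing system and the user database. The only condition we know is that "valid credentials are those where the username and password have the same value" (i.e. username: johnsmith, password: johnsmith).
We want to restore Internet access as soon as possible.
The setup we have now: Ubuntu 2004, accel, freeradius3. Everything works fine, but we have to add a record for each user to the raddb/mods-config/files/authorize file.
# raddb/mods-config/files/authorize
user1 Cleartext-Password := "user1"
user2 Cleartext-Password := "user2"
userN Cleartext-Password := "userN"
Is there a way to avoid adding users manually? The script should validate credentials on the condition that the username and the valid password are the same value.
Also, I tried:
# raddb/mods-config/files/authorize
DEFAULT Auth-Type := Accept
radtest -t mschap tqq tq 172.17.0.1 0 testing123 - received Access-Accept, but when trying to set up PPPoE on a router or PC, I get Authentication failed, incorrect username or password.
Thanks for your help.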
freeradius-radius-1  | (11) Received Access-Request Id 1 from 192.168.192.1:49648 to 192.168.192.2:1812 length 178
freeradius-radius-1  | (11)   User-Name = "q"
freeradius-radius-1  | (11)   NAS-Identifier = "accel-ppp"
freeradius-radius-1  | (11)   NAS-IP-Address = 172.17.0.1
freeradius-radius-1  | (11)   NAS-Port-Type = Virtual
freeradius-radius-1  | (11)   Service-Type = Framed-User
freeradius-radius-1  | (11)   Framed-Protocol = PPP
freeradius-radius-1  | (11)   Calling-Station-Id = "d8:47:32:c3:72:bd"
freeradius-radius-1  | (11)   Called-Station-Id = "00:0c:29:fb:5d:8e"
freeradius-radius-1  | (11)   MS-CHAP-Challenge = 0x57d2a52805a8b83f1c2241558e501549
freeradius-radius-1  | (11)   MS-CHAP2-Response = 0x01002b3c2451214fb6e0583fb9972a49a56e00000000000000001ae496c046d6b776df57a8ba10ab82254b78878444ce0cb1
freeradius-radius-1  | (11) # Executing section authorize from file /etc/freeradius/sites-enabled/default
freeradius-radius-1  | (11)   authorize {
freeradius-radius-1  | (11)     policy filter_username {
freeradius-radius-1  | (11)       if (&User-Name) {
freeradius-radius-1  | (11)       if (&User-Name)  -> TRUE
freeradius-radius-1  | (11)       if (&User-Name)  {
freeradius-radius-1  | (11)         if (&User-Name =~ / /) {
freeradius-radius-1  | (11)         if (&User-Name =~ / /)  -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /@[^@]*@/ ) {
freeradius-radius-1  | (11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /\.\./ ) {
freeradius-radius-1  | (11)         if (&User-Name =~ /\.\./ )  -> FALSE
freeradius-radius-1  | (11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
freeradius-radius-1  | (11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /\.$/)  {
freeradius-radius-1  | (11)         if (&User-Name =~ /\.$/)   -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /@\./)  {
freeradius-radius-1  | (11)         if (&User-Name =~ /@\./)   -> FALSE
freeradius-radius-1  | (11)       } # if (&User-Name)  = notfound
freeradius-radius-1  | (11)     } # policy filter_username = notfound
freeradius-radius-1  | (11)     [preprocess] = ok
freeradius-radius-1  | (11)     [chap] = noop
freeradius-radius-1  | (11) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
freeradius-radius-1  | (11)     [mschap] = ok
freeradius-radius-1  | (11)     [digest] = noop
freeradius-radius-1  | (11) suffix: Checking for suffix after "@"
freeradius-radius-1  | (11) suffix: No '@' in User-Name = "q", looking up realm NULL
freeradius-radius-1  | (11) suffix: No such realm "NULL"
freeradius-radius-1  | (11)     [suffix] = noop
freeradius-radius-1  | (11) eap: No EAP-Message, not doing EAP
freeradius-radius-1  | (11)     [eap] = noop
freeradius-radius-1  | (11) files: users: Matched entry DEFAULT at line 1
freeradius-radius-1  | (11)     [files] = ok
freeradius-radius-1  | (11)     [expiration] = noop
freeradius-radius-1  | (11)     [logintime] = noop
freeradius-radius-1  | (11) pap: WARNING: Auth-Type already set.  Not setting to PAP
freeradius-radius-1  | (11)     [pap] = noop
freeradius-radius-1  | (11)   } # authorize = ok
freeradius-radius-1  | (11) Found Auth-Type = Accept
freeradius-radius-1  | (11) Auth-Type = Accept, accepting the user
freeradius-radius-1  | (11) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
freeradius-radius-1  | (11)   post-auth {
freeradius-radius-1  | (11)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
freeradius-radius-1  | (11)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
freeradius-radius-1  | (11)     update {
freeradius-radius-1  | (11)       No attributes updated for RHS &session-state:
freeradius-radius-1  | (11)     } # update = noop
freeradius-radius-1  | (11)     [exec] = noop
freeradius-radius-1  | (11)     policy remove_reply_message_if_eap {
freeradius-radius-1  | (11)       if (&reply:EAP-Message && &reply:Reply-Message) {
freeradius-radius-1  | (11)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
freeradius-radius-1  | (11)       else {
freeradius-radius-1  | (11)         [noop] = noop
freeradius-radius-1  | (11)       } # else = noop
freeradius-radius-1  | (11)     } # policy remove_reply_message_if_eap = noop
freeradius-radius-1  | (11)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
freeradius-radius-1  | (11)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
freeradius-radius-1  | (11)   } # post-auth = noop
freeradius-radius-1  | (11) Sent Access-Accept Id 1 from 192.168.192.2:1812 to 192.168.192.1:49648 length 32
freeradius-radius-1  | (11)   Session-Timeout = 14400
freeradius-radius-1  | (11)   Termination-Action = RADIUS-Request
freeradius-radius-1  | (11) Finished request
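freeradius-radius-1  | Waking up in 1.9 seconds.

Posted on 2022-02-09 13:17:07
This is easy to do in unlang (the FreeRADIUS configuration "language").
You can copy the (known) User-Name into Cleartext-Password and then compare the incoming password against it.
See my full answer to the same question on StackOverflow, e.g.: https://stackoverflow.com/a/70620187/5857272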
https://serverfault.com/questions/1084170
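
A sketch of the approach the answer describes, set beside the setting the question tried. This is an added example, not the content of the linked answer or the poster's configuration. It assumes FreeRADIUS 3 with the stock `sites-enabled/default` virtual server named in the debug log, and the position of the `update` block is a choice made here.

```unlang
# --- raddb/mods-config/files/authorize -------------------------------
# Setting tried in the question. The debug log shows its effect:
# "Found Auth-Type = Accept", so the authenticate section (and with it
# the mschap module) never runs, and the Access-Accept carries only
# Session-Timeout and Termination-Action. An MS-CHAPv2 peer expects
# MS-CHAP2-Success in the reply, which is consistent with radtest
# passing while the PPPoE client reports a failure.
#
# DEFAULT Auth-Type := Accept        <- remove this entry

# --- /etc/freeradius/sites-enabled/default ---------------------------
authorize {
    filter_username
    preprocess
    chap
    mschap      # still sets Auth-Type from the MS-CHAP attributes

    # Use the supplied User-Name as the "known good" password for this
    # request. Nothing is added when the request has no User-Name, so
    # such requests are rejected for lack of a password to compare.
    if (&request:User-Name) {
        update control {
            &Cleartext-Password := &request:User-Name
        }
    }

    pap         # sets Auth-Type PAP only if nothing earlier set it
}

# The stock authenticate section stays unchanged: pap, chap and mschap
# each verify the client's response against control:Cleartext-Password,
# and mschap adds MS-CHAP2-Success to the Access-Accept.
```

With this in place the per-user lines in the authorize file are no longer needed, and a request whose password differs from its User-Name fails the normal PAP, CHAP or MS-CHAP check.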