FreeRADIUS Google Dual Factor Authenticator

时间:2013-09-12 06:41:46

标签: google-authentication pam freeradius google-authenticator

我一直在尝试在Cent OS 6.3机器上设置FreeRADIUS Google Dual Factor Authenticator。我安装了一切。

我的/etc/pam.d/raduis文件看起来像这样

#%PAM-1.0
#auth       include     password-auth
#account    required    pam_nologin.so
#account    include     password-auth
#password   include     password-auth
#session    include     password-auth

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass debug

但是,如果我删除最后两行并取消注释其他行,则此设置似乎有效并且我收到以下消息

[root@PCPRADIUSTEST ~]# radtest juanr pass localhost 18120 letmein123
Sending Access-Request of id 184 to 127.0.0.1 port 1812
        User-Name = "juanr"
        User-Password = "pass"
        NAS-IP-Address = 10.3.80.169
        NAS-Port = 18120
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=184, length=20

然而,这两行目前得到的是

[root@PCPRADIUSTEST ~]# radtest juanr pass localhost 18120 letmein123
Sending Access-Request of id 41 to 127.0.0.1 port 1812
        User-Name = "juanr"
        User-Password = "pass"
        NAS-IP-Address = 10.3.80.169
        NAS-Port = 18120
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=41, length=20

然后我停止了半径服务并像radius -XXX一样启动它并获得输出

rad_recv: Access-Request packet from host 127.0.0.1 port 37599, id=41, length=75
        User-Name = "juanr"
        User-Password = "pass"
        NAS-IP-Address = 10.3.80.169
        NAS-Port = 18120
        Message-Authenticator = 0x4f0c83f91dd3abc99f89952bb82de085
Thu Sep 12 16:33:10 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Thu Sep 12 16:33:10 2013 : Info: +- entering group authorize {...}
Thu Sep 12 16:33:10 2013 : Info: ++[preprocess] returns ok
Thu Sep 12 16:33:10 2013 : Info: ++[chap] returns noop
Thu Sep 12 16:33:10 2013 : Info: ++[mschap] returns noop
Thu Sep 12 16:33:10 2013 : Info: ++[digest] returns noop
Thu Sep 12 16:33:10 2013 : Info: [suffix] No '@' in User-Name = "juanr", looking up realm NULL
Thu Sep 12 16:33:10 2013 : Info: [suffix] No such realm "NULL"
Thu Sep 12 16:33:10 2013 : Info: ++[suffix] returns noop
Thu Sep 12 16:33:10 2013 : Info: [eap] No EAP-Message, not doing EAP
Thu Sep 12 16:33:10 2013 : Info: ++[eap] returns noop
Thu Sep 12 16:33:10 2013 : Info: [files] users: Matched entry DEFAULT at line 74
Thu Sep 12 16:33:10 2013 : Info: ++[files] returns ok
Thu Sep 12 16:33:10 2013 : Info: ++[expiration] returns noop
Thu Sep 12 16:33:10 2013 : Info: ++[logintime] returns noop
Thu Sep 12 16:33:10 2013 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Thu Sep 12 16:33:10 2013 : Info: ++[pap] returns noop
Thu Sep 12 16:33:10 2013 : Info: Found Auth-Type = PAM
Thu Sep 12 16:33:10 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Thu Sep 12 16:33:10 2013 : Info: +- entering group authenticate {...}
Thu Sep 12 16:33:10 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Thu Sep 12 16:33:10 2013 : Debug: pam_pass: function pam_acct_mgmt FAILED for <juanr>. Reason: Authentication failure
Thu Sep 12 16:33:10 2013 : Info: ++[pam] returns reject
Thu Sep 12 16:33:10 2013 : Info: Failed to authenticate the user.
Thu Sep 12 16:33:10 2013 : Info: Using Post-Auth-Type Reject
Thu Sep 12 16:33:10 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Thu Sep 12 16:33:10 2013 : Info: +- entering group REJECT {...}
Thu Sep 12 16:33:10 2013 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> juanr
Thu Sep 12 16:33:10 2013 : Debug: attr_filter: Matched entry DEFAULT at line 11
Thu Sep 12 16:33:10 2013 : Info: ++[attr_filter.access_reject] returns updated
Thu Sep 12 16:33:10 2013 : Info: Delaying reject of request 1 for 1 seconds
Thu Sep 12 16:33:10 2013 : Debug: Going to the next request
Thu Sep 12 16:33:10 2013 : Debug: Waking up in 0.9 seconds.
Thu Sep 12 16:33:11 2013 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 41 to 127.0.0.1 port 37599
Thu Sep 12 16:33:11 2013 : Debug: Waking up in 4.9 seconds.

我正按照http://www.supertechguy.com/help/security/freeradius-google-auth的说明进行设置。

你能告诉我吗?

非常感谢。

1 个答案:

答案 0 :(得分:1)

经过如此多的网上冲浪和论坛狩猎后,我设法解决了这个问题。如果有其他人遇到此问题,这可能对他们有所帮助:)

Thu Sep 26 16:38:19 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: function pam_authenticate FAILED for <test>. Reason: Cannot make/remove an entry for the specified session

上述行实际上意味着身份验证失败,即使它听起来不像,也可能意味着无法访问用户主目录中的.google_authenticator文件。

FreeRadius日志文件对此问题没有多大帮助,但请查看CentOS上的/ var / log / secure和Ubuntu中的/var/log/auth.log。这将解释哪个是问题。

我的系统问题是我的时间已经结束,我的iPhone上的Google Dual Factor Authenticator应用程序随机生成的数字无效。我不得不安装NTP并将我的服务器时间更改为修正问题的正确时间!!!!

希望这有助于其他人:)

相关问题
最新问题