FreeRadius 3.0.13 rlm_rest restful api身份验证

时间:2017-04-29 16:56:29

标签: rest api restful-authentication freeradius

我尝试针对Restful API验证Radius请求。我的虚拟服务器配置如下:

authorize {
    filter_username
    filter_password
    preprocess
    auth_log

    if (User-Password) {
        update control {
            Auth-Type := rest
        }
    }
}

authenticate {
    rest
}

我的半径-X输出是:

(0) Received Access-Request Id 202 from 127.0.0.2:10708 to 127.0.0.2:1812 length 73
(0)   User-Name = "bob"
(0)   User-Password = "hello"
(0)   NAS-IP-Address = 127.0.0.2
(0)   NAS-Port = 1
(0)   Message-Authenticator = 0xcd622e98255234964d081be2513a0a9c
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/testserver
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     policy filter_password {
(0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(0)       EXPAND %{string:User-Password}
(0)          --> hello
(0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(0)     } # policy filter_password = notfound
(0)     [preprocess] = ok
(0) auth_log: EXPAND /antikor/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /antikor/log/radacct/127.0.0.2/auth-detail-20170429
(0) auth_log: /antikor/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /antikor/log/radacct/127.0.0.2/auth-detail-20170429
(0) auth_log: EXPAND %t
(0) auth_log:    --> Sat Apr 29 19:46:26 2017
(0)     [auth_log] = ok
(0)     if (User-Password) {
(0)     if (User-Password)  -> TRUE
(0)     if (User-Password)  {
(0)       update control {
(0)         Auth-Type := rest
(0)       } # update control = noop
(0)     } # if (User-Password)  = noop
(0)   } # authorize = ok
(0) Found Auth-Type = rest
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/testserver
(0)   authenticate {
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND http://127.0.0.1:8902
(0) rest:    --> http://127.0.0.1:8902
(0) rest: EXPAND /test.php?action=authenticate
(0) rest:    --> /test.php?action=authenticate
(0) rest: Sending HTTP POST to "http://127.0.0.1:8902/test.php?action=authenticate"
(0) rest: EXPAND {"username":"%{User-Name}", "password":"%{User-Password}"}
(0) rest:    --> {"username":"bob", "password":"hello"}
(0) rest: Processing response header
(0) rest:   Status : 200 (OK)
(0) rest:   Type   : json (application/json)
(0) rest: Parsing attribute "control:Cleartext-Password"
(0) rest: EXPAND hello
(0) rest:    --> hello
(0) rest: Cleartext-Password := "hello"
(0) rest: Parsing attribute "request:User-Password"
(0) rest: EXPAND hello
(0) rest:    --> hello
(0) rest: User-Password := "hello"
(0) rest: Parsing attribute "reply:Reply-Message"
(0) rest: EXPAND Hello bob
(0) rest:    --> Hello bob
(0) rest: Reply-Message := "Hello bob"
rlm_rest (rest): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:8902/test.php"
(0)     [rest] = updated
(0)   } # authenticate = updated
(0) Failed to authenticate the user
(0) Login incorrect: [bob/hello] (from client antikor-l2tp port 1)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/testserver
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> bob
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 202 from 127.0.0.2:1812 to 127.0.0.2:10708 length 33
(0)   Reply-Message = "Hello bob"

我在test.php json回复中添加了控件:Cleartext-Password 请求:用户密码变量。一个接一个地试过。但仍然认证步骤失败。 JSON输出如下:

{"control:Cleartext-Password":"hello", "request:User-Password":"hello","reply:Reply-Message":"Hello bob"}

我想知道如果JSON响应错误,应该如何进行身份验证回复?

感谢。

1 个答案:

答案 0 :(得分:3)

授权方法rlm_rest模块的作用与其他数据存储模块类似rlm_sqlrlm_redisrlm_couchbase

它仅用于从远程源检索AVP,它不会决定是否应对用户进行身份验证。

为了让用户被接受,你需要在rlm_rest之后列出另一个模块,它可以查看请求中的属性,并找出要执行的身份验证类型。如果你正在进行明文认证(即没有EAP),那么你可以使用pap模块。

您的服务器配置看起来像

authorize {
    rest
    pap
}

authenticate {
    pap
}

  • rest.authorize检索control:Cleartext-Password,为服务器提供“好”密码,以便与用户发送的密码进行比较。

  • pap.authorize检查是否存在request:User-Password,如果存在,则设置control:Auth-Type pap。

  • pap.authenticate将control:Cleartext-Passwordrequest:User-Password进行比较,如果匹配则返回okreject,具体取决于是否有。

    < / LI>

请注意,您还可以使用此配置代码段执行HTTP BasicAuth:

authorize {
    if (&User-Password) {
        update control {
            Auth-Type := 'rest'
        }
    }
}

authenticate {
    rest
}
相关问题
最新问题