FreeRADIUS rest auth "updated" failure

Time: 2017-05-23 14:37:52

Tags: rest authentication freeradius

I ran into a problem similar to this one. In my case I'm trying to do all the logic on the API side. The API looks fine, and rejecting invalid users already works. The problem is authenticating using the attributes returned from the API. FreeRADIUS's rest module issues "updated" after parsing a response that returns some attributes, and then fails to authenticate.

My configuration is as follows:

authorize {
    rest
    if (ok) {
        update control {
            Auth-Type := rest
        }
    }
}

The logic is: in authorize, check whether the user exists (the API responds with status code 204), then do the authentication. Authenticate sends the username & password to the API. The API checks some information and, if everything is fine, returns status code 200 and properly formatted JSON.

The curious thing is that if I set my API to respond with status code 204 instead of 200, the user is authenticated (but without any attributes).

Log:

(0) Received Access-Request Id 91 from 127.0.0.1:57293 to 127.0.0.1:1812 length 75
(0)   User-Name = "admin"
(0)   User-Password = "1234"
(0)   NAS-IP-Address = 10.99.99.1
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0x506aba80999c45a4c52d7c5544073969
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/nano
(0)   authorize {
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND http://127.0.0.1:4000
(0) rest:    --> http://127.0.0.1:4000
(0) rest: EXPAND /check/%{User-Name}
(0) rest:    --> /check/admin
(0) rest: Sending HTTP GET to "http://127.0.0.1:4000/check/admin"
(0) rest: Processing response header
(0) rest:   Status : 204 (No Content)
rlm_rest (rest): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:4000/"
(0)     [rest] = ok
(0)     if (ok) {
(0)     if (ok)  -> TRUE
(0)     if (ok)  {
(0)       update control {
(0)         Auth-Type := rest
(0)       } # update control = noop
(0)     } # if (ok)  = noop
(0)   } # authorize = ok
(0) Found Auth-Type = rest
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/nano
(0)   authenticate {
rlm_rest (rest): Reserved connection (1)
(0) rest: Expanding URI components
(0) rest: EXPAND http://127.0.0.1:4000
(0) rest:    --> http://127.0.0.1:4000
(0) rest: EXPAND /auth/%{User-Name}/%{User-Password}
(0) rest:    --> /auth/admin/1234
(0) rest: Sending HTTP GET to "http://127.0.0.1:4000/auth/admin/1234"
(0) rest: Processing response header
(0) rest:   Status : 200 (OK)
(0) rest:   Type   : json (application/json)
(0) rest: Parsing attribute "WISPr-Bandwidth-Max-Down"
(0) rest: EXPAND 3000
(0) rest:    --> 3000
(0) rest: WISPr-Bandwidth-Max-Down := 3000
(0) rest: Parsing attribute "WISPr-Bandwidth-Max-Up"
(0) rest: EXPAND 1000
(0) rest:    --> 1000
(0) rest: WISPr-Bandwidth-Max-Up := 1000
rlm_rest (rest): Released connection (1)
(0)     [rest] = updated
(0)   } # authenticate = updated
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/nano
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:57293 length 44
(0)   WISPr-Bandwidth-Max-Down = 3000
(0)   WISPr-Bandwidth-Max-Up = 1000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 91 with timestamp +9

Thanks in advance for any hints.

1 answer:

Answer 0 (score: 2)
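The API contract the question describes (204 from /check/&lt;user&gt; in authorize, 200 plus JSON attributes from the auth call, a rejecting status for bad credentials), written out as an added example; this is not the asker's API code. It assumes rlm_rest's status-code mapping (204 -> ok, 404 -> notfound, 401 -> reject, 200 with parsed attributes -> updated) and the {"Attribute": {"op": ":=", "value": "..."}} JSON form rlm_rest accepts. The user store is constructed sample data, and the auth call takes a POST with a JSON body instead of the password-in-path GET shown in the debug output, because a password in a URL path ends up in access logs and proxies (on the FreeRADIUS side that corresponds to method = 'post', body = 'json' and a data template in the rest module configuration).

```python
import hmac
import json
from urllib.parse import unquote
from wsgiref.simple_server import make_server

# Constructed sample user store. Assumption: a real backend would query a
# database and store password hashes, not cleartext passwords.
USERS = {
    "admin": {"password": "1234", "down": 3000, "up": 1000},
}


def reply_attributes(user):
    """JSON object that rlm_rest parses into reply attributes.

    Assumed form: {"Attribute": {"op": ":=", "value": "..."}}; ":=" matches
    the operator shown in the question's debug output.
    """
    return {
        "WISPr-Bandwidth-Max-Down": {"op": ":=", "value": str(user["down"])},
        "WISPr-Bandwidth-Max-Up": {"op": ":=", "value": str(user["up"])},
    }


def handle(method, path, body=b""):
    """Route one request; returns (status_line, json_payload_or_None).

    Status codes are chosen for rlm_rest's mapping: 204 -> ok (authorize
    passes, nothing to add), 404 -> notfound, 401 -> reject, and 200 with
    attributes -> updated (which the answer below shows how to accept).
    """
    parts = [unquote(p) for p in path.strip("/").split("/")]

    # authorize step: GET /check/<user>
    if method == "GET" and len(parts) == 2 and parts[0] == "check":
        if parts[1] in USERS:
            return ("204 No Content", None)
        return ("404 Not Found", None)

    # authenticate step: POST /auth with {"username": ..., "password": ...}
    if method == "POST" and parts == ["auth"]:
        try:
            creds = json.loads(body or b"{}")
            username, password = creds["username"], creds["password"]
        except (ValueError, KeyError, TypeError):
            return ("400 Bad Request", None)
        user = USERS.get(username)
        # compare_digest avoids timing differences between near-miss
        # passwords; compare against a dummy for unknown users so both
        # branches do the same work.
        expected = user["password"] if user else "\0"
        if user is None or not hmac.compare_digest(
            expected.encode(), str(password).encode()
        ):
            return ("401 Unauthorized", None)
        return ("200 OK", reply_attributes(user))

    return ("404 Not Found", None)


def app(environ, start_response):
    """Minimal WSGI adapter around handle()."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length) if length else b""
    status, payload = handle(environ["REQUEST_METHOD"], environ["PATH_INFO"], body)
    if payload is None:
        start_response(status, [])
        return [b""]
    data = json.dumps(payload).encode()
    start_response(
        status,
        [("Content-Type", "application/json"), ("Content-Length", str(len(data)))],
    )
    return [data]


if __name__ == "__main__":
    # Port matches the connect_uri in the question's debug output.
    make_server("127.0.0.1", 4000, app).serve_forever()
```

With this backend, the authorize call still returns ok (204) and the authenticate call returns updated (200 plus attributes), so the unlang override in the answer is still needed for the request to be accepted.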

Yes, I think I fixed this in v4.0.x. It's a legacy issue that 'updated' isn't an acceptable return code.

You can override the return code and priority with the following:

authenticate {
    Auth-Type rest {
        rest {
            updated = 1
        }
        if (updated) {
            ok
        }
    }
}

Explanation - each return code 'ok', 'noop', 'fail' etc. has a different priority and action depending on the section. A module's return code only updates the section's return code if it has a higher priority.

There's a magic priority 'return' which causes the server to exit the section immediately. It's set for most return codes in the authenticate section.

We need to override the priority for the call to the rest module so that the interpreter doesn't return from authenticate without evaluating the condition if (updated). In the example above we set the priority of updated to 1, ensuring it can be overridden later.