I am trying to access a REST backend to authenticate users via RADIUS, so I wrote this Python script. When run from the terminal, every step in the script works fine. But according to the FreeRADIUS log, when FreeRADIUS calls this script it always stops at response = urllib2.urlopen(req).
I tried a similar script using requests instead of urllib2, and the result is the same. It seems that somehow the FreeRADIUS service is not allowed to access the network, or something like that. Does anyone know what might cause this, or how to get more debug data than just seeing where it stops?
Setup: Ubuntu 16.04
Python 2.7.12
Freeradius 3.0.15
/var/log/freeradius/radius.log
Thu Aug 24 18:08:16 2017 : Warning: [/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRAD$
Thu Aug 24 18:08:16 2017 : Warning: [/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRAD$
Thu Aug 24 18:08:16 2017 : Info: Python version: 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]
Thu Aug 24 18:08:16 2017 : Info: Loaded virtual server <default>
Thu Aug 24 18:08:16 2017 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Thu Aug 24 18:08:16 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
Thu Aug 24 18:08:16 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-ena$
Thu Aug 24 18:08:16 2017 : Info: Loaded virtual server inner-tunnel
Thu Aug 24 18:08:16 2017 : Info: Loaded virtual server default
Thu Aug 24 18:08:16 2017 : Info: Ready to process requests
Thu Aug 24 18:08:31 2017 : Info: *** radlog call in authorize ***
Thu Aug 24 18:08:31 2017 : Info: ***pda ***
Thu Aug 24 18:08:31 2017 : Info: *** vor request push ab setzten ***
Thu Aug 24 18:31:33 2017 : Info: Signalled to terminate
Thu Aug 24 18:31:33 2017 : Info: Exiting normally
Script:
import json
import time
import urllib2
import radiusd

def authorize(p):
    radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
    # prepare hostname and user which want to login
    hostname = "172.22.15.222"
    controller = "validate"
    action = "check"
    user = p[0][1]
    #userpass = p[1][1]
    userpass = ""
    #removing doublequotes might become unnecessary in future versions of freeradius
    #user = user[1:-1]
    #userpass = userpass[1:-1]
    radiusd.radlog(radiusd.L_INFO, '***' + user + " " + userpass + "***")
    url = "https://" + hostname + "/" + \
        controller + "/" + action
    post_params = "user=" + user + "&pass=" + userpass + "&data=AnyConnect&content_type=0"
    # do request
    #response = requests.post(url, data=post_params, verify=sslver)
    req = urllib2.Request(url, post_params)
    radiusd.radlog(radiusd.L_INFO, '*** vor request push ab setzten ***')
    response = urllib2.urlopen(req)
    radiusd.radlog(radiusd.L_INFO, '*** nach request push ab setzen ***')
    data = json.load(response)
    transactionid = data[u"detail"][u"transactionid"]
    #new post params
    action = "check_status"
    url = "https://" + hostname + "/" + \
        controller + "/" + action
    post_params = "user=" + user + "&pass=" + userpass + "&transactionid=" + transactionid
    req = urllib2.Request(url, post_params)
    authenticated = False
    # reply and config must exist even if the loop never sets them
    reply = ( ('Reply-Message', 'Authentication did not succeed'), )
    config = ()
    #Loop for 60 seconds
    t_end = time.time() + 60
    while time.time() < t_end:
        #time.sleep(1)
        response = urllib2.urlopen(req)
        data = json.load(response)
        authenticated = data[u"detail"][u"transactions"][transactionid][u"valid_tan"]
        if authenticated:
            radiusd.radlog(radiusd.L_INFO, '*** autentifizierung erfolgreich ***')
            config = ( ('User-Name', user), )
            reply = ( ('Reply-Message', 'Authentication did succeed'), )
            break
        else:
            radiusd.radlog(radiusd.L_INFO, '*** authentifizierung nicht erfolgreich ***')
    if not authenticated:
        return (radiusd.RLM_MODULE_REJECT, reply, config)
    return (radiusd.RLM_MODULE_OK, reply, config)
freeradius -X
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 59425
Listening on proxy address :: port 53966
Ready to process requests
(0) Received Access-Request Id 15 from 172.22.15.174:56005 to 172.22.15.226:1812 length 114
(0) User-Name = "pda"
(0) Acct-Session-Id = "1503645990P10amo"
(0) NAS-IP-Address = 127.0.0.1
(0) NAS-Identifier = "Localhost"
(0) NAS-Port = 0
(0) Calling-Station-Id = "1115551212"
(0) User-Password = "pda"
(0) Message-Authenticator = 0x4349c9c4b4af416f415cf648a864f499
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
*** radlog call in authorize ***
***pda ***
*** vor request push ab setzten ***
(0) [python] = fail
(0) } # authorize = fail
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> pda
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 15 from 172.22.15.226:1812 to 172.22.15.174:56005 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 15 with timestamp +2
Ready to process requests
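An added example, not the asker's script and not FreeRADIUS project code: an rlm_python authorize() for the same two-step backend (validate/check, then polling validate/check_status for valid_tan) that puts a timeout on every HTTP call, fails closed on any error, and writes the exception text into radius.log, so a blocked network shows up as a logged error after a few seconds instead of the silence between the last radlog line at 18:08:31 and the shutdown at 18:31:33 in the log above, where the debug output only says [python] = fail. The backend host and the 60-second window come from the question; the timeout, the poll interval, the fetch/clock/sleep hooks, the stand-in radiusd module with its constant values, and the canned responses are assumptions made so the file runs outside the server.

```python
"""Added example (not the asker's script): fail-closed rlm_python authorize()
with HTTP timeouts and error logging. Assumed: HTTP_TIMEOUT, POLL_INTERVAL,
the fetch/clock/sleep hooks and the stand-in radiusd module below."""
import io
import json
import time

try:                                    # Python 3
    from urllib.request import Request, urlopen
    from urllib.parse import urlencode
except ImportError:                     # Python 2.7, as on the page
    from urllib2 import Request, urlopen
    from urllib import urlencode

try:
    import radiusd                      # provided by FreeRADIUS when the module runs inside the server
except ImportError:
    class radiusd(object):              # stand-in with the same names (values assumed) for offline runs
        L_INFO, L_ERR = 3, 4
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2

        @staticmethod
        def radlog(level, msg):
            print("radlog[%d] %s" % (level, msg))

BACKEND = "https://172.22.15.222/validate"   # host and controller from the question
HTTP_TIMEOUT = 5                             # seconds per request (assumption)
POLL_SECONDS = 60                            # the question's 60-second loop
POLL_INTERVAL = 1                            # seconds between status polls (assumption)


def post_json(path, params, fetch=None):
    """POST url-encoded params to BACKEND/path and decode the JSON body.
    'fetch' replaces urlopen in tests; the real call always carries a timeout
    so a blocked network surfaces as an exception rather than a hang."""
    req = Request(BACKEND + "/" + path, urlencode(params).encode("utf-8"))
    if fetch is None:
        fetch = lambda r: urlopen(r, timeout=HTTP_TIMEOUT)
    return json.loads(fetch(req).read().decode("utf-8"))


def authorize(p, fetch=None, clock=time.time, sleep=time.sleep):
    """rlm_python entry point: p is a tuple of (attribute, value) pairs."""
    attrs = dict(p)
    user = attrs.get("User-Name", "").strip('"')          # older rlm_python quotes string values
    userpass = attrs.get("User-Password", "").strip('"')
    radiusd.radlog(radiusd.L_INFO, "authorize: User-Name=%s" % user)   # never log the password
    try:
        data = post_json("check", {"user": user, "pass": userpass,
                                   "data": "AnyConnect", "content_type": "0"}, fetch)
        tid = data["detail"]["transactionid"]
        deadline = clock() + POLL_SECONDS
        while clock() < deadline:
            data = post_json("check_status",
                             {"user": user, "pass": userpass, "transactionid": tid}, fetch)
            if data["detail"]["transactions"][tid]["valid_tan"]:
                radiusd.radlog(radiusd.L_INFO, "authorize: transaction %s confirmed" % tid)
                return (radiusd.RLM_MODULE_OK,
                        (("Reply-Message", "Authentication did succeed"),),
                        (("User-Name", user),))
            sleep(POLL_INTERVAL)
        radiusd.radlog(radiusd.L_INFO, "authorize: transaction %s not confirmed in time" % tid)
        return (radiusd.RLM_MODULE_REJECT,
                (("Reply-Message", "Authentication did not succeed"),), ())
    except Exception as exc:            # timeout, URLError, bad JSON, missing key: fail closed and say why
        radiusd.radlog(radiusd.L_ERR, "authorize: backend error: %r" % (exc,))
        return radiusd.RLM_MODULE_FAIL


def canned_backend(bodies):
    """Constructed stand-in for the network: a fetch() that serves the given
    JSON bodies in order, so the module can be exercised without a server."""
    queue = list(bodies)
    return lambda req: io.BytesIO(json.dumps(queue.pop(0)).encode("utf-8"))


if __name__ == "__main__":
    # constructed run: one pending poll, then the TAN is confirmed
    fetch = canned_backend([
        {"detail": {"transactionid": "t1"}},
        {"detail": {"transactions": {"t1": {"valid_tan": False}}}},
        {"detail": {"transactions": {"t1": {"valid_tan": True}}}},
    ])
    print(authorize((("User-Name", '"pda"'), ("User-Password", '"pda"')),
                    fetch=fetch, sleep=lambda s: None))
```

Returning RLM_MODULE_FAIL with the exception in the log keeps the server's behaviour the same as before (Access-Reject via Post-Auth-Type Reject) but replaces the bare "[python] = fail" with the actual socket or HTTP error, which is the debug data the question asks for; a successful path still returns the (rc, reply, config) tuple shape the original script uses.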