Encrypted password is used instead of the cleartext password

Time: 2018-01-27 08:07:08

Tags: freeradius radius hotspot coovachilli

I'm trying to set up a hotspot system using CoovaChilli and FreeRADIUS with RADIUSdesk.

I've got most of it working. The captive portal login page is shown, but I can't authenticate as a user.

When I look at the logs, Coova Chilli on my OpenWRT box is sending X????MVJ??? ??<? as the user password.

redir.c: 3854: 0 (Debug) redir_accept: Sending RADIUS request
radius.c: 1316: 0 (Debug) RADIUS client 0.0.0.0:0
redir.c: 2670: 0 (Debug) created radius packet (code=1, id=80, len=37)

redir.c: 2708: 0 (Debug) User password 16 [O��F��hs�
t��3]
redir.c: 2831: 0 (Debug) sending radius packet (code=1, id=80, len=299)

radius.c: 321: 0 (Debug) Allocating RADIUS packet

I also looked at the freeradius log, and I can see that FreeRADIUS decrypts the original password.

(0) pl_reset_time_for_data:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'X????MVJ??? ??<?'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.1.0.1'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '5'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Login-User'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Framed-IP-Address'} = &request:Framed-IP-Address -> '10.1.0.4'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> 'C0-25-E9-07-52-76'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 'AC-C3-3A-C0-F5-60'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'HUBS_ROOTS_HUB_1_cp_42'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> '5a6c2ea800000005'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Jan 27 2018 07:49:15 UTC'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x3a3eb994b712e98f3a49e665e27e4d20'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> '00000005'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Location-ID'} = &request:WISPr-Location-ID -> 'isocc=,cc=,ac=,network=Coova,'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Location-Name'} = &request:WISPr-Location-Name -> 'Roots_Daryaganj'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Logoff-URL'} = &request:WISPr-Logoff-URL -> 'http://10.1.0.1:3990/logoff'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'roots'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'ChilliSpot-Version'} = &request:ChilliSpot-Version -> '1.3.1-svn'
(0) pl_reset_time_for_data:   $RAD_REPLY{'Fall-Through'} = &reply:Fall-Through -> 'Yes'
(0) pl_reset_time_for_data:   $RAD_CHECK{'User-Profile'} = &control:User-Profile -> '1G-1Day'
(0) pl_reset_time_for_data:   $RAD_CHECK{'Cleartext-Password'} = &control:Cleartext-Password -> '<my cleartext password>'

However, when comparing, the server uses the encrypted password instead of the cleartext password.

# Executing group from file /etc/freeradius/sites-enabled/radiusdesk-plain
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: ERROR: Cleartext password "X????MVJ??? ??<?" does not match "known good" password
(0) pap: Passwords don't match
(0)     [pap] = reject
(0)   } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/radiusdesk-plain
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}

1 answer:

Answer 0 (score: 0)

In RADIUS, the User-Password attribute is reversibly encrypted using the shared secret known to both the NAS (Coova) and the RADIUS server (FreeRADIUS).

My guess is that Coova is showing the output of this encryption function rather than the original cleartext password. That's odd... it may be done for security reasons, so that you'd need to know the shared secret to decrypt the password in the log.

As for why you're still getting encrypted output, it seems the shared secret in either Coova or FreeRADIUS may be incorrect. The default secret for requests from 127.0.0.1 is testing123, so if Coova and FreeRADIUS are co-located, I'd try configuring that in Coova.

If Coova and FreeRADIUS are running on different hosts, check that the secret configured in Coova matches the one in raddb/clients.conf.

The reason the string changes each time is that the ciphertext is created using a random component (the Request Authenticator field), which changes with each subsequent (non-retransmitted) request.
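To make the answer's two points concrete (the User-Password hiding from RFC 2865 section 5.2, and why a wrong shared secret turns up as unprintable garbage in the FreeRADIUS log), here is an added example, not code from the question, the answer, Coova or FreeRADIUS. The secret, password and Request Authenticator are constructed values; the printable-character check is a stand-in for the heuristic behind the "Unprintable characters in the password" warning, not FreeRADIUS's own code.

```python
import hashlib
import os
import string

# Printable ASCII minus the control whitespace characters (constructed heuristic).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def _pad(password: bytes) -> bytes:
    # RFC 2865 s5.2: 1..128 octets, NUL-padded up to a multiple of 16.
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    return password + b"\x00" * (-len(password) % 16)


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way the NAS does: every 16-octet block is XORed with
    MD5(secret || previous ciphertext block); the first block is keyed with the
    16-octet Request Authenticator, which is random for each new request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad(password)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # chaining: next mask depends on this ciphertext block
    return bytes(out)


def decode_user_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the transform, as the server does before the Cleartext-Password compare."""
    if len(authenticator) != 16 or not ciphertext or len(ciphertext) % 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = bytearray(), authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """Garbage after decoding almost always means the NAS and server secrets differ."""
    return any(b not in PRINTABLE for b in password)


if __name__ == "__main__":
    authenticator = os.urandom(16)  # constructed, as a NAS would pick per request
    wire = encode_user_password(b"correct horse battery staple", b"testing123", authenticator)
    print(decode_user_password(wire, b"testing123", authenticator))      # cleartext back
    bad = decode_user_password(wire, b"wrong-secret", authenticator)
    print(bad, has_unprintable(bad))                                       # garbage, True
```

Run the script twice and the `wire` bytes differ even though the password and secret are the same, which is the per-request Request Authenticator at work.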