I have configured FreeRADIUS with Google Authenticator to log in OpenLDAP users. The authentication mechanism used for FreeRADIUS is PAM.
I am facing a strange problem: when a user tries to authenticate from the same network VLAN (172.30.0.0/16) I get a success, while when the same user tries to authenticate from a different network VLAN (172.35.0.0/16) I get an Access-Reject.
Success output:-
$ radtest user1 pass123456 172.30.14.177 0 mysecret
Sent Access-Request Id 54 from 0.0.0.0:58888 to 172.30.14.177:1812 length 83
User-Name = "user1"
User-Password = "pass123456"
NAS-IP-Address = 172.30.43.114
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass123456"
Received Access-Accept Id 54 from 172.30.14.177:1812 to 0.0.0.0:0 length 20
Reject output:-
$ radtest user1 pass123456 172.30.14.177 0 mysecret
Sent Access-Request Id 150 from 0.0.0.0:52179 to 172.30.14.177:1812 length 83
User-Name = "user1"
User-Password = "pass123456"
NAS-IP-Address = 172.35.2.147
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass123456"
Received Access-Reject Id 150 from 172.30.14.177:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
Success log:-
Fri Mar 22 06:35:55 2019 : WARNING: (1) pap: No "known good" password found for the user. Not setting Auth-Type
Fri Mar 22 06:35:55 2019 : WARNING: (1) pap: Authentication will fail unless a "known good" password is available
Fri Mar 22 06:35:55 2019 : Debug: (1) modsingle[authorize]: returned from pap (rlm_pap)
Fri Mar 22 06:35:55 2019 : Debug: (1) [pap] = noop
Fri Mar 22 06:35:55 2019 : Debug: (1) } # authorize = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) Found Auth-Type = pam
Fri Mar 22 06:35:55 2019 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default
Fri Mar 22 06:35:55 2019 : Debug: (1) authenticate {
Fri Mar 22 06:35:55 2019 : Debug: (1) modsingle[authenticate]: calling pam (rlm_pam)
Fri Mar 22 06:35:55 2019 : Debug: (1) pam: Using pamauth string "radiusd" for pam.conf lookup
Fri Mar 22 06:35:55 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:55 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:55 2019 : Debug: (1) pam: Authentication succeeded
Fri Mar 22 06:35:55 2019 : Debug: (1) modsingle[authenticate]: returned from pam (rlm_pam)
Fri Mar 22 06:35:55 2019 : Debug: (1) [pam] = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) } # authenticate = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default
The only difference here is which network the request to the FreeRADIUS server comes from. The user credentials are identical.
Failure log:-
Fri Mar 22 06:35:00 2019 : WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type
Fri Mar 22 06:35:00 2019 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available
Fri Mar 22 06:35:00 2019 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap)
Fri Mar 22 06:35:00 2019 : Debug: (0) [pap] = noop
Fri Mar 22 06:35:00 2019 : Debug: (0) } # authorize = ok
Fri Mar 22 06:35:00 2019 : Debug: (0) Found Auth-Type = pam
Fri Mar 22 06:35:00 2019 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default
Fri Mar 22 06:35:00 2019 : Debug: (0) authenticate {
Fri Mar 22 06:35:00 2019 : Debug: (0) modsingle[authenticate]: calling pam (rlm_pam)
Fri Mar 22 06:35:00 2019 : Debug: (0) pam: Using pamauth string "radiusd" for pam.conf lookup
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : ERROR: (0) pam: pam_authenticate failed: Authentication failure
Fri Mar 22 06:35:00 2019 : Debug: (0) modsingle[authenticate]: returned from pam (rlm_pam)
Fri Mar 22 06:35:00 2019 : Debug: (0) [pam] = reject
Fri Mar 22 06:35:00 2019 : Debug: (0) } # authenticate = reject
Fri Mar 22 06:35:00 2019 : Debug: (0) Failed to authenticate the user
Fri Mar 22 06:35:00 2019 : Debug: (0) Using Post-Auth-Type Reject
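As an added troubleshooting aid (not part of the question above), the following script parses radtest output like the two sessions shown, pairs each request Id with its NAS-IP-Address and the reply code, and tallies Accept/Reject per source VLAN. It assumes only the two VLAN ranges named in the question; the sample text is constructed from the two radtest runs above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two radtest sessions from the question, concatenated.
RADTEST_OUTPUT = """\
Sent Access-Request Id 54 from 0.0.0.0:58888 to 172.30.14.177:1812 length 83
        User-Name = "user1"
        User-Password = "pass123456"
        NAS-IP-Address = 172.30.43.114
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "pass123456"
Received Access-Accept Id 54 from 172.30.14.177:1812 to 0.0.0.0:0 length 20
Sent Access-Request Id 150 from 0.0.0.0:52179 to 172.30.14.177:1812 length 83
        User-Name = "user1"
        User-Password = "pass123456"
        NAS-IP-Address = 172.35.2.147
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "pass123456"
Received Access-Reject Id 150 from 172.30.14.177:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
"""

# The two VLANs named in the question (assumption: nothing else is in scope).
VLANS = [ipaddress.ip_network("172.30.0.0/16"), ipaddress.ip_network("172.35.0.0/16")]

SENT_RE = re.compile(r"^Sent Access-Request Id (\d+) ")
NAS_RE = re.compile(r"^\s*NAS-IP-Address = (\S+)")
RECV_RE = re.compile(r"^Received (Access-\w+) Id (\d+) ")

def parse_radtest(text):
    """Return (request_id, nas_ip, reply_code) for each completed radtest exchange."""
    results, current_id, nas_ip = [], None, None
    for line in text.splitlines():
        if m := SENT_RE.match(line):          # new request: reset per-request state
            current_id, nas_ip = int(m.group(1)), None
        elif m := NAS_RE.match(line):         # attribute the NAS address to this request
            nas_ip = m.group(1)
        elif (m := RECV_RE.match(line)) and int(m.group(2)) == current_id:
            results.append((current_id, nas_ip, m.group(1)))  # reply Id must match request Id
    return results

def vlan_of(ip):
    """Map a NAS address to the VLAN it belongs to, or 'other' if it is in neither."""
    addr = ipaddress.ip_address(ip)
    return next((str(net) for net in VLANS if addr in net), "other")

def outcomes_by_vlan(text):
    """Count reply codes per source VLAN; a reject-only VLAN points at network-dependent policy, not credentials."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, nas_ip, reply in parse_radtest(text):
        counts[vlan_of(nas_ip)][reply] += 1
    return {vlan: dict(c) for vlan, c in counts.items()}
```

Feed it the output of many radtest runs from both VLANs; if every reject comes from one subnet while credentials are identical, the next place to look is per-client or per-NAS configuration on the RADIUS and PAM side rather than the user's account.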