如果从其他VLAN收到请求，则使用openldap + pam使用Google Authenticator进行FreeRADIUS设置会导致访问被拒绝

Question

我已经用Google Authenticator配置了FreeRADIUS来登录OpenLDAP用户。用于FreeRADIUS的身份验证机制是PAM。

我面临一个奇怪的问题，当用户尝试在同一网络VLAN（172.30.0.0/16）中进行身份验证时，我会获得成功；而当同一用户尝试从不同网络VLAN（172.35.0.0/16）进行身份验证时，我将获得访问拒绝

成功输出：-

-- both queries are against the SAMPLE database
-- and should return the same result
SELECT LEVEL, CAST(SPACE((LEVEL - 1) * 4) || '/' || DEPTNAME
       AS VARCHAR(40)) AS DEPTNAME
FROM DEPARTMENT
     START WITH DEPTNO = 'A00'
     CONNECT BY NOCYCLE PRIOR DEPTNO = ADMRDEPT;


WITH tdep(level, deptname, deptno) as (
    SELECT 1, CAST( DEPTNAME AS VARCHAR(40)) AS DEPTNAME, deptno
    FROM department 
    WHERE DEPTNO = 'A00'
    UNION ALL
    SELECT t.LEVEL+1, CAST(SPACE(t.LEVEL  * 4) || '/' || d.DEPTNAME
       AS VARCHAR(40)) AS DEPTNAME, d.deptno
    FROM DEPARTMENT d, tdep t
    WHERE d.admrdept=t.deptno and d.deptno<>'A00')
SELECT level, deptname
FROM tdep;

拒绝输出：-

$ radtest user1 pass123456 172.30.14.177 0 mysecret

Sent Access-Request Id 54 from 0.0.0.0:58888 to 172.30.14.177:1812 length 83
User-Name = "user1"
User-Password = "pass123456"
NAS-IP-Address = 172.30.43.114
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass123456"
Received Access-Accept Id 54 from 172.30.14.177:1812 to 0.0.0.0:0 length 20

成功日志：-

$ radtest user1 pass123456 172.30.14.177 0 mysecret
Sent Access-Request Id 150 from 0.0.0.0:52179 to 172.30.14.177:1812 length 83
User-Name = "user1"
User-Password = "pass123456"
NAS-IP-Address = 172.35.2.147
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass123456"
Received Access-Reject Id 150 from 172.30.14.177:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

故障日志：-

Fri Mar 22 06:35:55 2019 : WARNING: (1) pap: No "known good" password found for the user.  Not setting Auth-Type
Fri Mar 22 06:35:55 2019 : WARNING: (1) pap: Authentication will fail unless a "known good" password is available
Fri Mar 22 06:35:55 2019 : Debug: (1)     modsingle[authorize]: returned from pap (rlm_pap)
Fri Mar 22 06:35:55 2019 : Debug: (1)     [pap] = noop
Fri Mar 22 06:35:55 2019 : Debug: (1)   } # authorize = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) Found Auth-Type = pam
Fri Mar 22 06:35:55 2019 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default
Fri Mar 22 06:35:55 2019 : Debug: (1)   authenticate {
Fri Mar 22 06:35:55 2019 : Debug: (1)     modsingle[authenticate]: calling pam (rlm_pam)
Fri Mar 22 06:35:55 2019 : Debug: (1) pam: Using pamauth string "radiusd" for pam.conf lookup
Fri Mar 22 06:35:55 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:55 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:55 2019 : Debug: (1) pam: Authentication succeeded
Fri Mar 22 06:35:55 2019 : Debug: (1)     modsingle[authenticate]: returned from pam (rlm_pam)
Fri Mar 22 06:35:55 2019 : Debug: (1)     [pam] = ok
Fri Mar 22 06:35:55 2019 : Debug: (1)   } # authenticate = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default

这里唯一的区别是请求来自哪个网络到FreeRADIUS服务器。用户凭证是相同的。

PAM Config for radiusd：-

Fri Mar 22 06:35:00 2019 : WARNING: (0) pap: No "known good" password found for the user.  Not setting Auth-Type
Fri Mar 22 06:35:00 2019 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available
Fri Mar 22 06:35:00 2019 : Debug: (0)     modsingle[authorize]: returned from pap (rlm_pap)
Fri Mar 22 06:35:00 2019 : Debug: (0)     [pap] = noop
Fri Mar 22 06:35:00 2019 : Debug: (0)   } # authorize = ok
Fri Mar 22 06:35:00 2019 : Debug: (0) Found Auth-Type = pam
Fri Mar 22 06:35:00 2019 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default
Fri Mar 22 06:35:00 2019 : Debug: (0)   authenticate {
Fri Mar 22 06:35:00 2019 : Debug: (0)     modsingle[authenticate]: calling pam (rlm_pam)
Fri Mar 22 06:35:00 2019 : Debug: (0) pam: Using pamauth string "radiusd" for pam.conf lookup
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : ERROR: (0) pam: pam_authenticate failed: Authentication failure
Fri Mar 22 06:35:00 2019 : Debug: (0)     modsingle[authenticate]: returned from pam (rlm_pam)
Fri Mar 22 06:35:00 2019 : Debug: (0)     [pam] = reject
Fri Mar 22 06:35:00 2019 : Debug: (0)   } # authenticate = reject
Fri Mar 22 06:35:00 2019 : Debug: (0) Failed to authenticate the user
Fri Mar 22 06:35:00 2019 : Debug: (0) Using Post-Auth-Type Reject