Programming Q&A   Published: 2022-06-01  Source site: 大佬教程  code.js-code.com

How to solve: FreeRADIUS with MSCHAPv2 for the Windows password and PAM for (Google) OTP?

I configured my FreeRADIUS 3.0 to authenticate successfully against our Active Directory by username and password using the ntlm_auth module. Then I added the following code to my default site:

if (!State) {
        update control {
                Auth-Type := ntlm_auth
        }
}
else {
        update control {
                Auth-Type := pam
        }
}

and changed the ntlm_auth section in the same file to:

Auth-Type ntlm_auth {
        ntlm_auth
        if (ok) {
                update reply {
                        # Create a random State attribute:
                        State := "%{randstr:aaaaaaaaaaaaaaaa}"
                        Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
                }
                # Return Access-Challenge:
                challenge
        }
}

This works fine, but it uses cleartext passwords.

So I changed the configuration on the gateway (VPN) to send MSCHAPv2 instead of plaintext. I changed ntlm_auth to mschapv2 in the configuration, but now I only get the MSCHAPv2 response, and no response with the OTP-PIN from the challenge request.

Log (debug):

(0) Received Access-Request Id 73 from 212.99.164.134:10057 to 10.1.56.3:1812 length 188
(0)   NAS-Identifier = "HAM-FW-02"
(0)   User-Name = "USERnameSent"
(0)   MS-CHAP2-Response = 0x1c009ddc9d60c7a00ed267291e4049fe8cae0000000000000000dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(0)   MS-CHAP-Challenge = 0xe19eb24bf11796bbb66baab10741f1fb
(0)   NAS-Port-Type = Virtual
(0)   Calling-Station-Id = "46.114.1.229"
(0)   Acct-Session-Id = "17f2146e"
(0)   Connect-Info = "vpn-ssl"
(0)   Fortinet-Vdom-Name = "0010647802"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(0) auth_log: EXPAND %t
(0) auth_log:    --> Fri Mar 26 06:36:08 2021
(0)     [auth_log] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: checking for suffix after "@"
(0) suffix: No '@' in User-Name = "USERnameSent", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 202
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0)     [pap] = noop
(0)     if (!State) {
(0)     if (!State)  -> TRUE
(0)     if (!State)  {
(0)       update control {
(0)         Auth-Type := ntlm_auth
(0)       } # update control = noop
(0)     } # if (!State)  = noop
(0)     ... skipping else: Preceding "if" was taken
(0)   } # authorize = ok
(0) Found Auth-Type = ntlm_auth
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type ntlm_auth {
(0) mschap: Creating challenge hash with username: USERnameSent
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap:    --> --username=USERnameSent
(0) mschap: Creating challenge hash with username: USERnameSent
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=0b0349cd8aa9407c
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    --> --nt-response=dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(0) mschap: Program returned code (0) and output 'NT_KEY: 5796EA7F02A7060169CD28DE40DD6165'
(0) mschap: Adding MS-CHAPv2 MPPE keys
(0)     [mschap] = ok
(0)     if (ok) {
(0)     if (ok)  -> TRUE
(0)     if (ok)  {
(0)       update reply {
(0)         EXPAND %{randstr:aaaaaaaaaaaaaaaa}
(0)            --> 9o91xD3qIywz6TTH
(0)         State := 0x396f3931784433714979777a36545448
(0)         Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
(0)       } # update reply = noop
(0)       policy challenge {
(0)         update control {
(0)           &Response-Packet-Type = Access-Challenge
(0)         } # update control = noop
(0)         [handled] = handled
(0)       } # policy challenge = handled
(0)     } # if (ok)  = handled
(0)   } # Auth-Type ntlm_auth = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 73 from 10.1.56.3:1812 to 212.99.164.134:10057 length 0
(0)   MS-CHAP2-Success = 0x1c533d33323442453233423243323435354244304539344338433737383335303142393346453232463037
(0)   MS-MPPE-Recv-Key = 0x6d7dcf451b9c724308f1a01c9b1a7dcc
(0)   MS-MPPE-Send-Key = 0xa993f3f27c1f6d5e8b192b9962de7bc4
(0)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(0)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0)   State := 0x396f3931784433714979777a36545448
(0)   Reply-Message := "Bitte geben Sie die invenio OTP-PIN ein"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 73 with timestamp +11
ready to process requests
(1) Received Access-Request Id 74 from 212.99.164.134:24581 to 10.1.56.3:1812 length 206
(1)   NAS-Identifier = "HAM-FW-02"
(1)   State = 0x396f3931784433714979777a36545448
(1)   User-Name = "USERnameSent"
(1)   MS-CHAP2-Response = 0x1c003635363333340ed267291e4049fe8cae0000000000000000dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06
(1)   MS-CHAP-Challenge = 0xe19eb24bf11796bbb66baab10741f1fb
(1)   NAS-Port-Type = Virtual
(1)   Calling-Station-Id = "46.114.1.229"
(1)   Acct-Session-Id = "17f2146e"
(1)   Connect-Info = "vpn-ssl"
(1)   Fortinet-Vdom-Name = "0010647802"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log:    --> /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/212.99.164.134/auth-detail-20210326
(1) auth_log: EXPAND %t
(1) auth_log:    --> Fri Mar 26 06:36:16 2021
(1)     [auth_log] = ok
(1)     [chap] = noop
(1) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(1)     [mschap] = ok
(1)     [digest] = noop
(1) suffix: checking for suffix after "@"
(1) suffix: No '@' in User-Name = "USERnameSent", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1) files: users: Matched entry DEFAULT at line 202
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1)     [pap] = noop
(1)     if (!State) {
(1)     if (!State)  -> FALSE
(1)     else {
(1)       update control {
(1)         Auth-Type := pam
(1)       } # update control = noop
(1)     } # else = noop
(1)   } # authorize = ok
(1) Found Auth-Type = pam
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Auth-Type pam {
(1) pam: Attribute "User-Password" is required for authentication
(1)     [pam] = invalid
(1)   } # Auth-Type pam = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> USERnameSent
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 74 from 10.1.56.3:1812 to 212.99.164.134:24581 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 74 with timestamp +19
ready to process requests

Any ideas on how to send the challenge response to my pam module to verify this PIN against Google Authenticator? The response seems to be lost, or maybe I have to set {user-password} = {response-value} somewhere??

Many thanks!

Best regards,

Andreas
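Added example, not part of Andreas's post: a small Python decoder for the two MS-CHAP2-Response values in the debug log above. It splits the attribute into its RFC 2548 fields (Ident, Flags, Peer-Challenge, Reserved, NT-Response) and derives the 8-byte challenge the way rlm_mschap does before calling ntlm_auth (the RFC 2759 ChallengeHash: SHA1 over peer challenge, authenticator challenge and user name, truncated to 8 bytes). The sample bytes are copied from requests (0) and (1) in the log; the user name in the log appears to be a placeholder, so the log's `--challenge=0b0349cd8aa9407c` is not reproduced and the RFC 2759 test vector is used to check the hash function instead.

```python
"""Decode the MS-CHAP2-Response attributes from the FreeRADIUS debug log.

Added example (not from the original post). Splits the attribute into its
RFC 2548 fields and derives the 8-byte challenge as rlm_mschap does
(RFC 2759 ChallengeHash). Sample bytes are copied from requests (0) and (1)
of the log; the RFC 2759 test vector checks the hash function.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class MsChap2Response:
    ident: int             # Ident octet, echoed from the challenge
    flags: int             # must be zero for MS-CHAPv2
    peer_challenge: bytes  # 16 bytes chosen by the client
    reserved: bytes        # 8 zero bytes
    nt_response: bytes     # 24-byte proof derived from the user's NT hash


def parse_mschap2_response(raw: bytes) -> MsChap2Response:
    """Split a 50-byte MS-CHAP2-Response value (RFC 2548 section 2.3.2)."""
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    ident, flags = raw[0], raw[1]
    if flags != 0:
        raise ValueError(f"Flags octet must be zero, got {flags:#x}")
    return MsChap2Response(ident, flags, raw[2:18], raw[18:26], raw[26:50])


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    This is the value rlm_mschap expands into --challenge= for ntlm_auth."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("ascii"))  # user name only, no DOMAIN\ prefix
    return h.digest()[:8]


# Values copied from requests (0) and (1) in the debug log above.
AUTH_CHALLENGE = bytes.fromhex("e19eb24bf11796bbb66baab10741f1fb")
FIRST_LEG = bytes.fromhex(
    "1c009ddc9d60c7a00ed267291e4049fe8cae0000000000000000"
    "dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06")
SECOND_LEG = bytes.fromhex(
    "1c003635363333340ed267291e4049fe8cae0000000000000000"
    "dbfae0e612d97ccaf67c193ddd7f0b21244172c83af71d06")


def compare_legs(first: bytes, second: bytes) -> dict:
    """Report what changed between the two Access-Requests of one login."""
    a = parse_mschap2_response(first)
    b = parse_mschap2_response(second)
    changed = [i for i in range(16) if a.peer_challenge[i] != b.peer_challenge[i]]
    return {
        "same_ident": a.ident == b.ident,
        "same_nt_response": a.nt_response == b.nt_response,
        "peer_challenge_bytes_changed": changed,
        "changed_bytes": bytes(b.peer_challenge[i] for i in changed),
    }


if __name__ == "__main__":
    for name, leg in (("request (0)", FIRST_LEG), ("request (1)", SECOND_LEG)):
        r = parse_mschap2_response(leg)
        print(f"{name}: ident={r.ident} peer_challenge={r.peer_challenge.hex()} "
              f"nt_response={r.nt_response.hex()}")
        print(f"  challenge for ntlm_auth (placeholder user name): "
              f"{challenge_hash(r.peer_challenge, AUTH_CHALLENGE, 'USERnameSent').hex()}")
    diff = compare_legs(FIRST_LEG, SECOND_LEG)
    print("same NT-Response in both legs:", diff["same_nt_response"])
    print("peer-challenge bytes that changed:", diff["peer_challenge_bytes_changed"])
    print("those bytes as text:", diff["changed_bytes"].decode("ascii", "replace"))
```

Running it shows that request (1) carries exactly the same NT-Response (and the same MS-CHAP-Challenge) as request (0); the only difference is in the first six bytes of the Peer-Challenge field, which decode as the ASCII digits 656334. Neither leg contains a User-Password attribute, which is what rlm_pam asks for in the log (`Attribute "User-Password" is required for authentication`), so the second round trip gives the pam module nothing it can read.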

