radius挑战认证

Posted 小懿大侠

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了radius挑战认证相关的知识,希望对你有一定的参考价值。

背景

做基于radius的双因子认证,但未找到一个方便测试的radius服务器,网上找了freeradius,折腾了很久没有搞定,想了想是否可以自己写一个,只要有一个radius的雏形,发一个challenge应该是比较简单的。

pyrad

找到了pyrad,这个是提供一个radius的基本操作的库,提供了客户端和服务端的库,试了一下服务端,windows上起不来,于是只能从头写。
基本思路是自己创建一个udp socket,进行监听,收到报文后,使用pyrad进行解析,然后做身份验证的处理,再用pyrad创建回应消息。
代码如下:

from pyrad import *
import socket
import pyrad.host
import random

BUFSIZE = 1024
KEY = b"testing123"
CHALLENGE = "test2"

class RadiusServer(pyrad.host.Host):
    def __init__(self):
        dict = pyrad.dictionary.Dictionary("dictionary.rfc2865") #从freeradius中搞一个通用的字典使用
        pyrad.host.Host.__init__(self, dict=dict)

    def get_challenge(self): #产生一个4字节的随机挑战码
        challenge = ""
        challenge = challenge + str(chr(random.randint(65,90)))
        challenge = challenge + str(chr(random.randint(65,90)))
        challenge = challenge + str(chr(random.randint(65,90)))
        challenge = challenge + str(chr(random.randint(65,90)))
        return challenge

    def check_pass(self, radpkt): #检查用户名密码,这里简单处理一下,如果密码是test则发起挑战,如果输入正确的挑战码,回应正确,否则失败
        global CHALLENGE
        print("check user")
        if radpkt.PwCrypt(CHALLENGE) == radpkt["User-Password"][0]:
            radpkt.code = packet.AccessAccept
            CHALLENGE = self.get_challenge() #挑战码使用过后就更换掉
            print("AccessAccept")
        elif radpkt.PwCrypt("test") == radpkt["User-Password"][0]:
            radpkt.code = packet.AccessChallenge
            CHALLENGE = self.get_challenge()
            radpkt.AddAttribute("Reply-Message", CHALLENGE) #把挑战码发给客户端
            print("AccessChallenge, please input", CHALLENGE)
        else:
            radpkt.code = packet.AccessReject
            print("AccessReject")

    def get_pkt(self, pkt):
        get_pw = None
        get_name = None
        radpkt = self.CreateAuthPacket(packet=pkt) #解析请求报文
        print("code:", radpkt.code)
        print("authenticator:", radpkt.authenticator)
        print("id:", radpkt.id)
        #radpkt.code = packet.AccessChallenge
        radpkt.secret = KEY

        for key in radpkt.keys():
            print(key, radpkt[key])
            if key == "User-Password":
                get_pw = 1
            if key == "User-Name":
                get_name = 1
        
        if 1 == get_pw and 1 == get_name:
            self.check_pass(radpkt)

        return radpkt.ReplyPacket()

ip_port = ('', 1812)
server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # udp协议
server.bind(ip_port)


while True:
    data,client_addr = server.recvfrom(BUFSIZE)
    srv = RadiusServer()
    reply = srv.get_pkt(data)
    server.sendto(reply, client_addr)

测试,采用freeradius中自带的ratest进行测试。

使用第一次验证用的密码进行请求:  
C:\FreeRADIUS.net\bin>radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.1 auth testing123
Sending Access-Request of id 172 to 127.0.0.1 port 1812
        User-Name = "admin"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 123
rad_recv: Access-Challenge packet from host 127.0.0.1:1812, id=172, length=63
        User-Name = "admin"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 123
        Reply-Message = "PFJT"

           Total approved auths:  1
             Total denied auths:  0
               Total lost auths:  0
PS C:\FreeRADIUS.net\bin> .\radtest.bat

收到了应答,里面带了挑战码

#使用挑战码去请求:  
C:\FreeRADIUS.net\bin>radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.1 auth testing123
Sending Access-Request of id 0 to 127.0.0.1 port 1812
        User-Name = "admin"
        User-Password = "PFJT"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 123
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=0, length=57
        User-Name = "admin"
        User-Password = "PFJT"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 123

           Total approved auths:  1
             Total denied auths:  0
               Total lost auths:  0
PS C:\FreeRADIUS.net\bin> .\radtest.bat


第二次使用挑战码请求,挑战码已经失效,应该请求失败:
C:\FreeRADIUS.net\bin>radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.1 auth testing123
Sending Access-Request of id 196 to 127.0.0.1 port 1812
        User-Name = "admin"
        User-Password = "PFJT"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 123
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=196, length=57
        User-Name = "admin"
        User-Password = "PFJT"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 123

           Total approved auths:  0
             Total denied auths:  1
               Total lost auths:  0

再改进一下,回应的报文中少点请求的属性。

from pyrad import *
import socket
import pyrad.host
import random

BUFSIZE = 1024
KEY = b"testing123"
CHALLENGE = "test2"

class RadiusServer(pyrad.host.Host):
    def __init__(self):
        dict = pyrad.dictionary.Dictionary("dictionary.rfc2865") #从freeradius中搞一个通用的字典使用
        pyrad.host.Host.__init__(self, dict=dict)

    def get_challenge(self): #产生一个4字节的随机挑战码
        challenge = ""
        challenge = challenge + str(chr(random.randint(65,90)))
        challenge = challenge + str(chr(random.randint(65,90)))
        challenge = challenge + str(chr(random.randint(65,90)))
        challenge = challenge + str(chr(random.randint(65,90)))
        return challenge

    def check_pass(self, radpkt, get_pw): #检查用户名密码,这里简单处理一下,如果密码是test则发起挑战,如果输入正确的挑战码,回应正确,否则失败
        global CHALLENGE
        print("check user")
        pwd = ""
        
        if 1 == get_pw:
            pwd = radpkt["User-Password"][0]    
            
            if radpkt.PwCrypt(CHALLENGE) == pwd:
                radpkt.code = packet.AccessAccept
                CHALLENGE = self.get_challenge() #挑战码使用过后就更换掉
                print("AccessAccept")
            elif radpkt.PwCrypt("test") == pwd:
                radpkt.code = packet.AccessChallenge
                CHALLENGE = self.get_challenge()
                radpkt.AddAttribute("Reply-Message", CHALLENGE) #把挑战码发给客户端
                print("AccessChallenge, please input", CHALLENGE)
            else:
                radpkt.code = packet.AccessReject
                print("AccessReject")
                    
    def get_pkt(self, pkt):
        get_pw = None
        get_name = None
        radpkt = self.CreateAuthPacket(packet=pkt) #解析请求报文
        print("code:", radpkt.code)
        print("authenticator:", radpkt.authenticator)
        print("id:", radpkt.id)
        #radpkt.code = packet.AccessChallenge
        radpkt.secret = KEY

        for key in radpkt.keys():
            print(key, radpkt[key])
            if key == "User-Password":
                get_pw = 1
            if key == "User-Name":
                get_name = 1
        
        if 1 == get_pw and 1 == get_name:
            self.check_pass(radpkt, get_pw)
            
        reply = radpkt.CreateReply()
        
        for key in radpkt.keys():
            if key == "User-Name":
                reply.AddAttribute("User-Name", radpkt["User-Name"][0])

            if key == "Reply-Message":
                reply.AddAttribute("Reply-Message", radpkt["Reply-Message"][0])

            if key == "NAS-IP-Address":
                reply.AddAttribute("NAS-IP-Address", radpkt["NAS-IP-Address"][0])

            #reply.source = radpkt.source
            reply.code = radpkt.code

        return reply.ReplyPacket()

ip_port = ('', 1812)
server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # udp协议
server.bind(ip_port)


while True:
    data,client_addr = server.recvfrom(BUFSIZE)
    srv = RadiusServer()
    reply = srv.get_pkt(data)
    server.sendto(reply, client_addr)

测试:

PS C:\FreeRADIUS.net\bin> .\radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.0.0.1 auth testing123
Sending Access-Request of id 48 to 127.0.0.1 port 1812
        User-Name = "admin"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 123
rad_recv: Access-Challenge packet from host 127.0.0.1:1812, id=48, length=39
        User-Name = "admin"
        NAS-IP-Address = 127.0.0.1
        Reply-Message = "UTJG"

           Total approved auths:  1
             Total denied auths:  0
               Total lost auths:  0
PS C:\FreeRADIUS.net\bin> .\radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.0.0.1 auth testing123
Sending Access-Request of id 228 to 127.0.0.1 port 1812
        User-Name = "admin"
        User-Password = "UTJG"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 123
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=228, length=33
        User-Name = "admin"
        NAS-IP-Address = 127.0.0.1

           Total approved auths:  1
             Total denied auths:  0
               Total lost auths:  0

以上是关于radius挑战认证的主要内容,如果未能解决你的问题,请参考以下文章

css border-radius片段

Radius协议工作原理及双因素认证应用

Radius报文解析(转)

使用hostapd作为radius服务器,用于企业wifi加密认证

RADIUS协议

使用RADIUS认证服务器控制无线网络接入。