无法通过添加的用户向 freeradius 服务器进行身份验证

Posted 2023-02-19

【中文标题】无法通过添加的用户向 freeradius 服务器进行身份验证

【英文标题】：Failed to authenticate to the freeradius server with added user

【发布时间】：2021-11-29 20:13:51

【问题描述】：

在我的 Ubuntu VM 上构建源代码后，我试图在调试模式下测试我的 freeRadius 服务器。 我也参考了这个官方教程：https://wiki.freeradius.org/guide/basic-configuration-howto

我的目标是：

将密码为“password”的新用户“testing”添加到 freeradius 配置中，并以用户“testing”的身份成功通过 freeradius 服务器的身份验证。

以下是我尝试过的步骤：

(1) 我将用户信息添加到“/usr/local/etc/raddb/users”的第一行

testing Cleartext-Password := "password"

我没有对“sudo nano /usr/local/etc/raddb/clients.conf”进行更改

(2) 我在调试模式下启动了 freeradius 服务器

sudo radiusd -X

服务器显示Ready to process requests

(3) 我打开一个新终端并尝试发送带有新用户信息的请求

radtest testing password localhost 0 testing123

实际结果是：Access-Reject

在客户端：

Sent Access-Request Id 128 from 0.0.0.0:41704 to 127.0.0.1:1812 length 77
    User-Name = "testing"
    User-Password = "password"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "password"
Received Access-Reject Id 128 from 127.0.0.1:1812 to 127.0.0.1:41704 length 20
(0) -: Expected Access-Accept got Access-Reject

在服务器端：

(1) Received Access-Request Id 128 from 127.0.0.1:41704 to 127.0.0.1:1812 length 77
(1)   User-Name = "testing"
(1)   User-Password = "password"
(1)   NAS-IP-Address = 127.0.1.1
(1)   NAS-Port = 0
(1)   Message-Authenticator = 0xaf245c154458b4236bcca590799eeef4
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize 
(1)     policy filter_username 
(1)       if (&User-Name) 
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  
(1)         if (&User-Name =~ / /) 
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) 
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) 
(1)         if (&User-Name =~ /\.\./ )  -> TRUE
(1)         if (&User-Name =~ /\.\./ )  
(1)           update request 
(1)             &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(1)            # update request = noop
(1)           [reject] = reject
(1)          # if (&User-Name =~ /\.\./ )  = reject
(1)        # if (&User-Name)  = reject
(1)      # policy filter_username = reject
(1)    # authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT 
(1) attr_filter.access_reject: EXPAND %User-Name
(1) attr_filter.access_reject:    --> testing
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap 
(1)       if (&reply:EAP-Message && &reply:Reply-Message) 
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else 
(1)         [noop] = noop
(1)        # else = noop
(1)      # policy remove_reply_message_if_eap = noop
(1)    # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 128 from 127.0.0.1:1812 to 127.0.0.1:41704 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 128 with timestamp +112

谁能告诉我我的步骤有什么问题？

谢谢！

【参考方案1】：

我发现之前我搞砸了构建过程。我使用 `make deb' 构建包，然后切换回从源代码构建。经过几个小时的调试，现在我终于得到了预期的输出。