0

我一直在尝试在 Cent OS 6.3 机器上设置 FreeRADIUS Google Dual Factor Authenticator。我已经安装了所有东西。

我的 /etc/pam.d/raduis 文件看起来像这样

#%PAM-1.0
#auth       include     password-auth
#account    required    pam_nologin.so
#account    include     password-auth
#password   include     password-auth
#session    include     password-auth

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass debug

但是,如果我删除最后两行并取消注释其他行,则此设置似乎有效,我收到以下消息

[root@PCPRADIUSTEST ~]# radtest juanr pass localhost 18120 letmein123
Sending Access-Request of id 184 to 127.0.0.1 port 1812
        User-Name = "juanr"
        User-Password = "pass"
        NAS-IP-Address = 10.3.80.169
        NAS-Port = 18120
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=184, length=20

然而,目前这两条线得到的是

[root@PCPRADIUSTEST ~]# radtest juanr pass localhost 18120 letmein123
Sending Access-Request of id 41 to 127.0.0.1 port 1812
        User-Name = "juanr"
        User-Password = "pass"
        NAS-IP-Address = 10.3.80.169
        NAS-Port = 18120
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=41, length=20

然后我停止了radius服务并像radius -XXX一样启动它并得到了输出

rad_recv: Access-Request packet from host 127.0.0.1 port 37599, id=41, length=75
        User-Name = "juanr"
        User-Password = "pass"
        NAS-IP-Address = 10.3.80.169
        NAS-Port = 18120
        Message-Authenticator = 0x4f0c83f91dd3abc99f89952bb82de085
Thu Sep 12 16:33:10 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Thu Sep 12 16:33:10 2013 : Info: +- entering group authorize {...}
Thu Sep 12 16:33:10 2013 : Info: ++[preprocess] returns ok
Thu Sep 12 16:33:10 2013 : Info: ++[chap] returns noop
Thu Sep 12 16:33:10 2013 : Info: ++[mschap] returns noop
Thu Sep 12 16:33:10 2013 : Info: ++[digest] returns noop
Thu Sep 12 16:33:10 2013 : Info: [suffix] No '@' in User-Name = "juanr", looking up realm NULL
Thu Sep 12 16:33:10 2013 : Info: [suffix] No such realm "NULL"
Thu Sep 12 16:33:10 2013 : Info: ++[suffix] returns noop
Thu Sep 12 16:33:10 2013 : Info: [eap] No EAP-Message, not doing EAP
Thu Sep 12 16:33:10 2013 : Info: ++[eap] returns noop
Thu Sep 12 16:33:10 2013 : Info: [files] users: Matched entry DEFAULT at line 74
Thu Sep 12 16:33:10 2013 : Info: ++[files] returns ok
Thu Sep 12 16:33:10 2013 : Info: ++[expiration] returns noop
Thu Sep 12 16:33:10 2013 : Info: ++[logintime] returns noop
Thu Sep 12 16:33:10 2013 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Thu Sep 12 16:33:10 2013 : Info: ++[pap] returns noop
Thu Sep 12 16:33:10 2013 : Info: Found Auth-Type = PAM
Thu Sep 12 16:33:10 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Thu Sep 12 16:33:10 2013 : Info: +- entering group authenticate {...}
Thu Sep 12 16:33:10 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Thu Sep 12 16:33:10 2013 : Debug: pam_pass: function pam_acct_mgmt FAILED for <juanr>. Reason: Authentication failure
Thu Sep 12 16:33:10 2013 : Info: ++[pam] returns reject
Thu Sep 12 16:33:10 2013 : Info: Failed to authenticate the user.
Thu Sep 12 16:33:10 2013 : Info: Using Post-Auth-Type Reject
Thu Sep 12 16:33:10 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Thu Sep 12 16:33:10 2013 : Info: +- entering group REJECT {...}
Thu Sep 12 16:33:10 2013 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> juanr
Thu Sep 12 16:33:10 2013 : Debug: attr_filter: Matched entry DEFAULT at line 11
Thu Sep 12 16:33:10 2013 : Info: ++[attr_filter.access_reject] returns updated
Thu Sep 12 16:33:10 2013 : Info: Delaying reject of request 1 for 1 seconds
Thu Sep 12 16:33:10 2013 : Debug: Going to the next request
Thu Sep 12 16:33:10 2013 : Debug: Waking up in 0.9 seconds.
Thu Sep 12 16:33:11 2013 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 41 to 127.0.0.1 port 37599
Thu Sep 12 16:33:11 2013 : Debug: Waking up in 4.9 seconds.

我按照http://www.supertechguy.com/help/security/freeradius-google-auth的说明进行设置。

你能请教吗?

非常感谢。

4

1 回答 1

1

经过这么多的互联网冲浪和论坛搜索,我设法解决了这个问题。如果其他人有这个问题,这可能会帮助他们:)

Thu Sep 26 16:38:19 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: function pam_authenticate FAILED for <test>. Reason: Cannot make/remove an entry for the specified session

上面的行实际上意味着身份验证失败,即使听起来不像,也可能意味着用户主目录中的 .google_authenticator 文件不可访问。

FreeRadius 日志文件在这个问题上对您没有多大帮助,但请查看 CentOS 上的 /var/log/secure 和 Ubuntu 中的 /var/log/auth.log。这将解释哪个是问题。

我的系统的问题是我的时间到了,我的 iPhone 上的 Google Dual Factor Authenticator 应用程序随机生成的号码无效。我必须安装 NTP 并将我的服务器时间更改为解决问题的正确时间!!!!

希望这对其他人有帮助:)

于 2013-09-30T10:41:21.910 回答