
I am trying to set up a hotspot system using CoovaChilli with RADIUSdesk and FreeRADIUS.

I have most of it done. The captive portal login page is shown, but I cannot authenticate as a user.

When I look at the logs, Coova Chilli on my OpenWRT is sending X????MVJ??? ??<? as the user password.

redir.c: 3854: 0 (Debug) redir_accept: Sending RADIUS request
radius.c: 1316: 0 (Debug) RADIUS client 0.0.0.0:0
redir.c: 2670: 0 (Debug) created radius packet (code=1, id=80, len=37)

redir.c: 2708: 0 (Debug) User password 16 [O��F��hs�
t��3]
redir.c: 2831: 0 (Debug) sending radius packet (code=1, id=80, len=299)

radius.c: 321: 0 (Debug) Allocating RADIUS packet

I also looked at the freeradius log and learned that FreeRADIUS decrypted the original password.

(0) pl_reset_time_for_data:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'X????MVJ??? ??<?'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.1.0.1'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '5'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Login-User'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Framed-IP-Address'} = &request:Framed-IP-Address -> '10.1.0.4'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> 'C0-25-E9-07-52-76'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 'AC-C3-3A-C0-F5-60'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'HUBS_ROOTS_HUB_1_cp_42'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> '5a6c2ea800000005'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Jan 27 2018 07:49:15 UTC'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x3a3eb994b712e98f3a49e665e27e4d20'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> '00000005'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Location-ID'} = &request:WISPr-Location-ID -> 'isocc=,cc=,ac=,network=Coova,'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Location-Name'} = &request:WISPr-Location-Name -> 'Roots_Daryaganj'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Logoff-URL'} = &request:WISPr-Logoff-URL -> 'http://10.1.0.1:3990/logoff'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'roots'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'ChilliSpot-Version'} = &request:ChilliSpot-Version -> '1.3.1-svn'
(0) pl_reset_time_for_data:   $RAD_REPLY{'Fall-Through'} = &reply:Fall-Through -> 'Yes'
(0) pl_reset_time_for_data:   $RAD_CHECK{'User-Profile'} = &control:User-Profile -> '1G-1Day'
(0) pl_reset_time_for_data:   $RAD_CHECK{'Cleartext-Password'} = &control:Cleartext-Password -> '<my cleartext password>'

However, when comparing, the server is using the encrypted password instead of the cleartext password.

# Executing group from file /etc/freeradius/sites-enabled/radiusdesk-plain
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: ERROR: Cleartext password "X????MVJ??? ??<?" does not match "known good" password
(0) pap: Passwords don't match
(0)     [pap] = reject
(0)   } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/radiusdesk-plain
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}

1 Answer


In RADIUS, the User-Password attribute is reversibly encrypted using a shared secret known to both the NAS (Coova) and the RADIUS server, FreeRADIUS.

My guess is that Coova is displaying the output of this encryption function rather than the original cleartext password. That is strange... it is probably done for security reasons, so that you would need to know the shared secret to decrypt the password in the logs.

As for why you are still getting encrypted output, it seems the shared secret is incorrect in either Coova or FreeRADIUS. The default secret for requests from 127.0.0.1 is testing123, so if Coova and FreeRADIUS are co-located, I would try configuring that in Coova.

If Coova and FreeRADIUS are running on different hosts, check raddb/clients.conf against the secret configured in Coova.

The reason the string changes every time is that the ciphertext is created using a random component (the Request Authenticator field), which changes with each subsequent (non-retransmitted) request.

answered 2018-02-27T02:32:04.367
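As an added example (not part of the question or answer above, and not CoovaChilli or FreeRADIUS code), here is the RFC 2865 User-Password masking the answer describes, in Python: the roundtrip under a matching secret, the garbage a mismatched secret yields (the "Unprintable characters" warning in the log), and why a fresh Request Authenticator changes the wire value each time. The password, secrets and authenticator are constructed values.

```python
import hashlib
import os

# RFC 2865 section 5.2: User-Password is not encrypted with a real cipher; it is
# XOR-masked with MD5(secret + Request-Authenticator), chained block by block.
# Both sides must hold the same secret, and the Request Authenticator is fresh
# per request, so the wire value differs every time even for the same password.

def radius_pw_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Mask a cleartext password as a NAS (e.g. CoovaChilli) does before sending."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                                         # chain on the masked block
    return bytes(out)

def radius_pw_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Unmask as the server does before comparing with Cleartext-Password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("masked password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")                        # drop the RFC padding

def has_unprintable(data: bytes) -> bool:
    """Same kind of check behind the 'Unprintable characters in the password' warning."""
    return any(b < 0x20 or b > 0x7e for b in data)

if __name__ == "__main__":
    auth = os.urandom(16)                                    # constructed: fresh Request Authenticator
    wire = radius_pw_hide(b"hunter2", b"testing123", auth)   # constructed password and secret
    print("same secret  :", radius_pw_reveal(wire, b"testing123", auth))
    bad = radius_pw_reveal(wire, b"wrongsecret", auth)       # constructed secret mismatch
    print("wrong secret :", bad, "unprintable:", has_unprintable(bad))
```

With a mismatched secret the server still "decrypts" successfully, it just gets bytes that look like the X????MVJ??? string in the log, which is why the warning points at the shared secret rather than at the password.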