9

我正在尝试针对 PHP 脚本对 freeradius 用户进行身份验证,但没有成功。我已经尝试了好几个小时来配置这个权利,我在谷歌上找到的所有线程要么是死链接,要么是过时的......

radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#  Name of the running server
name = freeradius

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/${name}.pid

# user/group: The name (or #number) of the user/group to run radiusd as.
user = freerad
group = freerad

#  max_request_time: The maximum time (in seconds) to handle a request.
max_request_time = 30

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
max_requests = 1024

#  listen: Make the server listen on a particular IP address, and send
#  replies out from that address. This directive is most useful for
#  hosts with multiple IP addresses on one interface.
listen {
    type = auth
    ipaddr = *
    port = 0
}

#  This second "listen" section is for listening on the accounting
#  port, too.
listen {
    ipaddr = *
    port = 0
    type = acct
}

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions    = yes

log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}

proxy_requests  = off

# CLIENTS CONFIGURATION
client 0.0.0.0/0 {
    secret = secret
    shortname = wireless
}

# THREAD POOL CONFIGURATION
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

# MODULE CONFIGURATION
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
}

# Instantiation
instantiate {
    exec
    expr
    expiration
    logintime
}

$INCLUDE policy.conf

$INCLUDE sites-enabled/

模块/执行

exec {
    wait = yes 
    program = "/usr/bin/php -f /usr/local/auth.php %{User-Name} %{User-Password}"
    input_pairs = request 
    output_pairs = reply
    shell_escape = yes
}

网站可用/默认

authorize {
    preprocess
    exec
    chap
    suffix
    files
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    eap
}


preacct {
    preprocess
    acct_unique
    suffix
    files
}

accounting {
    detail
    radutmp
    exec
    attr_filter.accounting_response
}

session {
    radutmp
}

post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

pre-proxy {
}

post-proxy {
}

虽然我不知道在用户文件中放什么......

4

2 回答 2

16

这实际上很容易。删除您所做的一切并重新开始。

进入您的站点启用/默认文件。

进入授权指令并添加此代码。将 yourscript.php 替换为正确的脚本。确保用户 radiusd 有权运行脚本。

authorize{
    update control { 
        Auth-Type := `/usr/bin/php -f /etc/raddb/yourscript.php '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}'`
    }

确保您的脚本在没有引号的情况下回显“接受”或“拒绝”。这应该验证您的用户。

由于有人要求如何提取属性-

打开 /etc/raddb/users 文件并更新以下内容 -

DEFAULT Auth-Type = Accept
Exec-Program-Wait = "/usr/bin/php -f  /etc/raddb/yourscript.php '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}'"

本质上,您是在告诉它 Auth-Type 是否为 Accept 以执行以下脚本并提取属性。确保您的 PHP 脚本只是回显属性。根据供应商的不同,属性显然会有所不同。

编辑-

  • 添加属性信息

  • 添加了“%{Client-IP-Address}”以指定用户尝试连接的设备

于 2012-12-14T00:17:03.403 回答
-1

我在 Python 和 PHP 中尝试自定义脚本,
并发现
当脚本具有非零返回码时,Freeradius 的 Auth-Type 将始终为 'Auth-Reject'。

所以我在 PHP 中使用“echo”,在 Python 中使用“print”替换返回码。

像这样在 PHP

if(isUserValid($user['username'], $user['password'])) {
  // do nothing
  echo 'correct string';
} else {
  echo 'incorrect string';
}
return 0 //OR not return anything

或在 Python 中

if(login success):
  print "correct string"
else:
  print "incorrect string"

然后在 FreeRadius 中使用该字符串来确定登录成功或失败

  if (Tmp-String-0 == 'correct string') {
    update control {
      Auth-type := Accept
    }
    update reply{
      reply-message += "password correct"
    }
  }
  else {
    reject
    update reply{
      reply-message += "password incorrect"
    }
  }
于 2016-10-05T08:38:51.443 回答