FreeRADIUS Rest auth failing on update
I ran into a similar problem. In my case I'm trying to do all of the logic on the API side. The API looks fine, and rejecting invalid users already works. The problem is authenticating with the attributes returned from the API. FreeRADIUS's rest module returns 'updated' after noticing that the response returns some attributes, and then authentication fails.
My config looks like this:
authorize {
    rest
    if (ok) {
        update control {
            Auth-Type := rest
        }
    }
}
The logic is: if the user exists (API responds with status code 204), the check in authorize passes and authenticate runs. Authenticate sends the username and password to the API. The API checks some information and then returns attributes in the correct JSON format with status code 200 (if everything is okay).
The strange thing is that if I set the API to respond with status code 204 instead of 200, the user is authenticated normally (but without any attributes).
Log:
(0) Received Access-Request Id 91 from 127.0.0.1:57293 to 127.0.0.1:1812 length 75
(0) User-Name = "admin"
(0) User-Password = "1234"
(0) NAS-IP-Address = 10.99.99.1
(0) NAS-Port = 0
(0) Message-Authenticator = 0x506aba80999c45a4c52d7c5544073969
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/nano
(0) authorize {
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND http://127.0.0.1:4000
(0) rest: --> http://127.0.0.1:4000
(0) rest: EXPAND /check/%{User-Name}
(0) rest: --> /check/admin
(0) rest: Sending HTTP GET to "http://127.0.0.1:4000/check/admin"
(0) rest: Processing response header
(0) rest: Status : 204 (No Content)
rlm_rest (rest): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:4000/"
(0) [rest] = ok
(0) if (ok) {
(0) if (ok) -> TRUE
(0) if (ok) {
(0) update control {
(0) Auth-Type := rest
(0) } # update control = noop
(0) } # if (ok) = noop
(0) } # authorize = ok
(0) Found Auth-Type = rest
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/nano
(0) authenticate {
rlm_rest (rest): Reserved connection (1)
(0) rest: Expanding URI components
(0) rest: EXPAND http://127.0.0.1:4000
(0) rest: --> http://127.0.0.1:4000
(0) rest: EXPAND /auth/%{User-Name}/%{User-Password}
(0) rest: --> /auth/admin/1234
(0) rest: Sending HTTP GET to "http://127.0.0.1:4000/auth/admin/1234"
(0) rest: Processing response header
(0) rest: Status : 200 (OK)
(0) rest: Type : json (application/json)
(0) rest: Parsing attribute "WISPr-Bandwidth-Max-Down"
(0) rest: EXPAND 3000
(0) rest: --> 3000
(0) rest: WISPr-Bandwidth-Max-Down := 3000
(0) rest: Parsing attribute "WISPr-Bandwidth-Max-Up"
(0) rest: EXPAND 1000
(0) rest: --> 1000
(0) rest: WISPr-Bandwidth-Max-Up := 1000
rlm_rest (rest): Released connection (1)
(0) [rest] = updated
(0) } # authenticate = updated
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/nano
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:57293 length 44
(0) WISPr-Bandwidth-Max-Down = 3000
(0) WISPr-Bandwidth-Max-Up = 1000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 91 with timestamp +9
Thanks in advance for any hints.
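For readers who want to reproduce the exchange above locally, the following is an added example of the backend side, not code from the original post or from the FreeRADIUS project. It implements the two endpoints the debug log shows rlm_rest calling, GET /check/<user> and GET /auth/<user>/<password>, on 127.0.0.1:4000, and returns the WISPr attributes in the JSON attribute format rlm_rest parses (attribute name mapped to an object with "op" and "value"). Everything else is an assumption made for this example: the 404/401/400 status codes for the failure paths, the PBKDF2 user store with the single constructed user admin/1234, and the extra POST /auth/<user> endpoint that takes the password in a JSON body. That POST variant is there because the original config expands %{User-Password} into the URI, so the plaintext password appears in the FreeRADIUS debug log (as it does at "/auth/admin/1234" above) and would be written to any web server or proxy access log in front of the API.

```python
"""
Stand-in backend for the rlm_rest configuration discussed above (added
example, not the original poster's API).

Endpoints (paths taken from the debug log; status codes for failures are
assumptions of this example):
  GET  /check/<user>            -> 204 if the user exists, 404 otherwise
  GET  /auth/<user>/<password>  -> 200 + JSON attributes if the password is
                                   correct, 401 otherwise
  POST /auth/<user>             -> same as above, password in a JSON body
                                   {"password": "..."} so it never appears
                                   in a URL or an access log
"""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store. A real deployment uses a random per-user salt.
_SALT = b"constructed-salt-for-example"
USERS = {
    "admin": {
        "hash": _pbkdf2("1234", _SALT),
        "attrs": {
            # rlm_rest JSON attribute format: name -> {"op": ..., "value": ...}
            "WISPr-Bandwidth-Max-Down": {"op": ":=", "value": 3000},
            "WISPr-Bandwidth-Max-Up": {"op": ":=", "value": 1000},
        },
    },
}


def check_user(user):
    """authorize step: (204, None) when the user exists, (404, None) if not."""
    return (204, None) if user in USERS else (404, None)


def auth_user(user, password):
    """authenticate step: (200, attrs) on success, (401, None) on failure."""
    entry = USERS.get(user)
    if entry is None:
        _pbkdf2(password, _SALT)  # keep timing similar for unknown users
        return (401, None)
    if not hmac.compare_digest(entry["hash"], _pbkdf2(password, _SALT)):
        return (401, None)
    return (200, entry["attrs"])


def route(method, path, body=b""):
    """Dispatch one request; returns (status, JSON-serialisable body or None)."""
    # rlm_rest percent-encodes expanded URI components, so decode each segment.
    parts = [unquote(p) for p in urlsplit(path).path.strip("/").split("/")]
    if method == "GET" and len(parts) == 2 and parts[0] == "check":
        return check_user(parts[1])
    if method == "GET" and len(parts) == 3 and parts[0] == "auth":
        return auth_user(parts[1], parts[2])
    if method == "POST" and len(parts) == 2 and parts[0] == "auth":
        try:
            payload = json.loads(body or b"{}")
        except ValueError:
            return (400, None)
        if not isinstance(payload, dict):
            return (400, None)
        return auth_user(parts[1], str(payload.get("password", "")))
    return (404, None)


class Handler(BaseHTTPRequestHandler):
    def _send(self, status, payload):
        self.send_response(status)
        if payload is None:
            self.end_headers()  # 204/4xx: no body, which rlm_rest accepts
            return
        data = json.dumps(payload).encode()
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        self._send(*route("GET", self.path))

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self._send(*route("POST", self.path, self.rfile.read(length)))


if __name__ == "__main__":
    # Listen where the posted config points rlm_rest (loopback only).
    HTTPServer(("127.0.0.1", 4000), Handler).serve_forever()
```

With the posted config unchanged, rlm_rest will GET /check/admin (204) and then /auth/admin/1234 (200 with the two WISPr attributes), which reproduces the "[rest] = updated" outcome in the log. To stop leaking the password into URLs, point the rlm_rest authenticate section at POST /auth/%{User-Name} with a JSON body instead; the handler above accepts both forms.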
Yes, I think I fixed this in v4.0.x. It's some legacy thing where 'updated' isn't an acceptable return code.
You can override the return code and priority with the following:
authenticate {
    Auth-Type rest {
        rest {
            updated = 1
        }
        if (updated) {
            ok
        }
    }
}
Explanation - each return code 'ok', 'noop', 'fail' etc... has a different priority and action depending on the section. The section's return code is only updated if the module's return code has a higher priority.
There's a magic priority 'return' that causes the server to exit the section immediately. It's set for most return codes in the authenticate section.
We need to override the priority for the call to the rest module so the interpreter doesn't return from authenticate without evaluating the condition if (updated). In the example above we set the priority of updated to 1, which guarantees it can be overridden later.