Radius Protocol - How to correctly set the status in the second request?
I am using TinyRadius to authenticate my Java web server (acting as the RADIUS client) against a Windows server (acting as the RADIUS server).
I successfully send the user's access request to the server and receive the passcode.
import java.io.IOException;
import java.net.InetSocketAddress;

import org.tinyradius.packet.AccessRequest;
import org.tinyradius.packet.RadiusPacket;
import org.tinyradius.util.RadiusClient;
import org.tinyradius.util.RadiusEndpoint;
import org.tinyradius.util.RadiusException;

// Client bound to the Windows RADIUS server; the shared secret must match the NAS entry there.
final RadiusClient client = new RadiusClient(
        new RadiusEndpoint(
                new InetSocketAddress(RADIUS_SERVER_ADDRESS, PORT),
                SHARED_SECRET
        )
);
// First Access-Request: user name plus the user's password, hidden with PAP.
final AccessRequest request = new AccessRequest(
        USERNAME,
        USER_PASS
);
request.setAuthProtocol(AccessRequest.AUTH_PAP);
request.addAttribute("NAS-IP-Address", RADIUS_CLIENT_ADDRESS);
RadiusPacket packet = null;
try {
    // The reply is whatever the server returns: Access-Accept, Access-Reject or Access-Challenge.
    packet = client.authenticate(request);
} catch (final RadiusException | IOException ex) {
    System.out.println(ex.getMessage());
    ex.printStackTrace();
}
This code is followed by a log showing that the server approved the user's authentication.
Sep 29, 2017 10:05:32 AM org.tinyradius.util.RadiusClient authenticate
INFO: send Access-Request packet: Access-Request, ID 1
User-Name: mp
NAS-IP-Address: 192.168.0.58
Sep 29, 2017 10:05:33 AM org.tinyradius.util.RadiusClient authenticate
INFO: received packet: Access-Challenge, ID 1
State: 0x7b41324244344539362d453139332d344539392d413134322d4134423536364441443938437d
Reply-Message: Enter PASSCODE
The Event Viewer on my Windows server also shows that the access request was accepted.
In fact, I correctly receive the passcode on my mobile application (I am using Censornet's SMS passcode, although that is irrelevant).
Unfortunately I could not find any TinyRadius passcode example online, but while browsing other libraries I came across this python library, which states:
The ChallengeResponse exception has messages and state attributes. messages can be displayed to the user to prompt them for their challenge response. state must be echoed back as a RADIUS attribute.
and
Finally authenticate again using the challenge response from the user in place of the password.
So what I did was use the same code as above. I put PASSCODE in place of USER_PASS and added the State attribute to my AccessRequest.
// Echo the State from the Access-Challenge (attribute type 24) on the second request.
final RadiusAttribute stateAttr = new RadiusAttribute(24, STATE.getBytes());
request.addAttribute(stateAttr);
I send the request to the server and I can see this log.
Sep 29, 2017 10:34:04 AM org.tinyradius.util.RadiusClient authenticate
INFO: send Access-Request packet: Access-Request, ID 1
User-Name: mp
NAS-IP-Address: 192.168.0.58
State: 0x307837623431343133353330333433363334333832643433333433343339326433343432343633303264343234343335343532643330343533323337343633383332333333373332333933373764
Sep 29, 2017 10:34:04 AM org.tinyradius.util.RadiusClient authenticate
INFO: received packet: Access-Reject, ID 1
Reply-Message: Session is unknown or has expired
The Windows Event Viewer states:
Event description:
Event type: Authentication request
Result: Failure
Failure reason: Password validation failed
So I read section 4.4 of RFC 2865, the Access-Challenge chapter, which states:
the receipt of a valid Access-Challenge indicates that a new Access-Request SHOULD be sent [...] with the User-Password Attribute replaced by the user's response (encrypted), and including the State Attribute from the Access-Challenge, if any. Only 0 or 1 instances of the State Attribute can be present in an Access-Request.
So I think I did everything right. Can anyone help me?
There were some problems with the way I was sending the second request to the radius server.
Doing it this way does not work, because STATE.getBytes() returns the String in a different encoding:
// BAD: getBytes() on the hex String printed in the log sends the bytes of that text, not the State octets.
final RadiusAttribute stateAttr = new RadiusAttribute(24, STATE.getBytes());
request.addAttribute(stateAttr);
What I had to do was: first, store the response in a new Packet.
final AccessRequest request = new AccessRequest(
        USERNAME,
        USER_PASS
);
// The reply is the Access-Challenge; keep it, its State attribute is needed for the next request.
packet = client.authenticate(request);
Then, create a new AccessRequest to answer the challenge and set the State as follows.
// Second Access-Request: the passcode replaces the password, and the State is copied from the challenge.
final AccessRequest challengeResponseRequest = new AccessRequest(
        USERNAME,
        PASSCODE
);
challengeResponseRequest.addAttribute(
        // GOOD: the raw attribute bytes exactly as the server sent them
        new RadiusAttribute(24, packet.getAttribute(24).getAttributeData())
);
(Note: 24 is the attribute code for State.)
By sending the newer AccessRequest:
client.authenticate(challengeResponseRequest);
the log confirms that the authentication succeeded:
Sep 29, 2017 2:05:13 PM org.tinyradius.util.RadiusClient authenticate
INFO: received packet: Access-Accept, ID 2
Class: 0x8f8007ad0000013700010200c0a800050000000024db5d173578383201d3379907bd2a500000000000000098
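The exchange described in the question and the answer, as an added example that is not part of the original post or of TinyRadius: a minimal RFC 2865 encoder and parser in Python that builds an Access-Challenge carrying the State value from the log above, hides the passcode as section 5.2 requires, and echoes State as the raw attribute bytes. The state_as_logged_text helper reproduces what STATE.getBytes() on the printed hex string actually sent; the shared secret, user name and passcode are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                       # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types
# State value copied from the Access-Challenge in the question's log.
PAGE_STATE_HEX = "7b41324244344539362d453139332d344539392d413134322d4134423536364441443938437d"

def encode_attribute(attr_type, value):
    """TLV: one-byte type, one-byte length including this header, then the value (struct raises above 253 octets)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(packet):
    """Walk the attributes after the 20-byte header; returns {type: [raw values]}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(((len(password) + 15) // 16 * 16) or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_access_request(ident, username, response, secret, state=None, authenticator=None):
    """Access-Request: User-Name, hidden User-Password and, when answering a challenge, State."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attribute(USER_NAME, username)
    body += encode_attribute(USER_PASSWORD, hide_password(response, secret, authenticator))
    if state is not None:                     # echo exactly the bytes the server sent
        body += encode_attribute(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_challenge(ident, state, message):
    """Constructed Access-Challenge as a server would return it (authenticator zeroed)."""
    body = encode_attribute(STATE, state) + encode_attribute(REPLY_MESSAGE, message)
    return struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(body)) + bytes(16) + body

def state_as_logged_text(state):
    """What the question's STATE.getBytes() sent: the ASCII of the '0x...' log string."""
    return ("0x" + state.hex()).encode("ascii")
```

Parsing the rejected request from the log the same way shows a 78-byte State where the server issued 38, which is why it reported the session as unknown.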