1 api rest restful-authentication freeradius
我正在尝试针对 Restful API 验证 Radius 请求。我的虚拟服务器配置如下:
authorize {
filter_username
filter_password
preprocess
auth_log
if (User-Password) {
update control {
Auth-Type := rest
}
}
}
authenticate {
rest
}
我的半径 -X 输出是:
(0) Received Access-Request Id 202 from 127.0.0.2:10708 to 127.0.0.2:1812 length 73
(0) User-Name = "bob"
(0) User-Password = "hello"
(0) NAS-IP-Address = 127.0.0.2
(0) NAS-Port = 1
(0) Message-Authenticator = 0xcd622e98255234964d081be2513a0a9c
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/testserver
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) policy filter_password {
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(0) EXPAND %{string:User-Password}
(0) --> hello
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(0) } # policy filter_password = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND /antikor/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /antikor/log/radacct/127.0.0.2/auth-detail-20170429
(0) auth_log: /antikor/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /antikor/log/radacct/127.0.0.2/auth-detail-20170429
(0) auth_log: EXPAND %t
(0) auth_log: --> Sat Apr 29 19:46:26 2017
(0) [auth_log] = ok
(0) if (User-Password) {
(0) if (User-Password) -> TRUE
(0) if (User-Password) {
(0) update control {
(0) Auth-Type := rest
(0) } # update control = noop
(0) } # if (User-Password) = noop
(0) } # authorize = ok
(0) Found Auth-Type = rest
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/testserver
(0) authenticate {
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND http://127.0.0.1:8902
(0) rest: --> http://127.0.0.1:8902
(0) rest: EXPAND /test.php?action=authenticate
(0) rest: --> /test.php?action=authenticate
(0) rest: Sending HTTP POST to "http://127.0.0.1:8902/test.php?action=authenticate"
(0) rest: EXPAND {"username":"%{User-Name}", "password":"%{User-Password}"}
(0) rest: --> {"username":"bob", "password":"hello"}
(0) rest: Processing response header
(0) rest: Status : 200 (OK)
(0) rest: Type : json (application/json)
(0) rest: Parsing attribute "control:Cleartext-Password"
(0) rest: EXPAND hello
(0) rest: --> hello
(0) rest: Cleartext-Password := "hello"
(0) rest: Parsing attribute "request:User-Password"
(0) rest: EXPAND hello
(0) rest: --> hello
(0) rest: User-Password := "hello"
(0) rest: Parsing attribute "reply:Reply-Message"
(0) rest: EXPAND Hello bob
(0) rest: --> Hello bob
(0) rest: Reply-Message := "Hello bob"
rlm_rest (rest): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:8902/test.php"
(0) [rest] = updated
(0) } # authenticate = updated
(0) Failed to authenticate the user
(0) Login incorrect: [bob/hello] (from client antikor-l2tp port 1)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/testserver
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> bob
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 202 from 127.0.0.2:1812 to 127.0.0.2:10708 length 33
(0) Reply-Message = "Hello bob"
我在 test.php json 回复中添加了control:Cleartext-Password和request:User-Password变量。一一试了。但身份验证步骤仍然失败。JSON 输出如下:
{"control:Cleartext-Password":"hello", "request:User-Password":"hello","reply:Reply-Message":"Hello bob"}
我想知道如果 JSON 响应是错误的,它应该如何用于 Authentication 回复?
谢谢。
授权方法rlm_rest模块的作用类似于其他数据存储模块,如rlm_sql、rlm_redis和rlm_couchbase。
它主要用于从远程源检索 AVP,它可以用作身份验证模块,但不是您在上面调用它的方式(此答案底部的示例)。
按照您调用 rlm_rest 的方式,为了让用户被接受,您需要列出另一个模块,该模块可以查看请求中的属性,查看您从 rest API 返回的内容,并找出要执行的身份验证类型。如果您正在进行纯文本身份验证(即没有 EAP),那么您可以使用 pap 模块。
您的服务器配置将看起来像
authorize {
rest
pap
}
authenticate {
pap
}
rest.authorize 检索control:Cleartext-Password为服务器提供“好”密码以与用户发送的密码进行比较。
pap.authorize 检查是否request:User-Password存在,如果存在,则设置control:Auth-Typepap。
pap.authenticate比较control:Cleartext-Password有request:User-Password,如果他们匹配的回报ok还是reject取决于他们是否做或没有。
在这种情况下,验证纯文本用户的另一种方法是使用 HTTP BasicAuth 和 rlm_rest 的身份验证方法。其政策如下所示:
authorize {
if (&User-Password) {
update control {
Auth-Type := 'rest'
}
}
}
authenticate {
rest
}
| 归档时间: |
|
| 查看次数: |
4856 次 |
| 最近记录: |