FreeRADIUS 3 用於 OTP 驗證,驗證成功,但 FreeRADIUS 無法解析回應。
發送測試命令並監視偵錯輸出 ( radiusd -X),出現如下所示的錯誤,即使外部程式的回應看起來令人滿意,但輸出未解析:
# below, totp.py generates a TOTP for johnboy, to aid testing
# using pyotp package to make testing easier...
radtest -t mschap johnboy $(./totp.py) localhost 0 testing123
.
.
.
(4) eap: No EAP-Message, not doing EAP
(4) [eap] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) multiotp: Executing: /usr/local/bin/multiotp.php '%{User-Name}' '%{User-Password}' -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}:
(4) multiotp: EXPAND %{User-Name}
(4) multiotp: --> johnboy
(4) multiotp: EXPAND %{User-Password}
(4) multiotp: -->
(4) multiotp: EXPAND -src=%{Packet-Src-IP-Address}
(4) multiotp: --> -src=127.0.0.1
(4) multiotp: EXPAND -chap-challenge=%{CHAP-Challenge}
(4) multiotp: --> -chap-challenge=
(4) multiotp: EXPAND -chap-password=%{CHAP-Password}
(4) multiotp: --> -chap-password=
(4) multiotp: EXPAND -ms-chap-challenge=%{MS-CHAP-Challenge}
(4) multiotp: --> -ms-chap-challenge=0xf54c102e95a800d8
(4) multiotp: EXPAND -ms-chap-response=%{MS-CHAP-Response}
(4) multiotp: --> -ms-chap-response=0x0001000000000000000000000000000000000000000000000000e3004419ce4b084c0b073836fd40f3828fcc7c4223b0dcc5
(4) multiotp: EXPAND -ms-chap2-response=%{MS-CHAP2-Response}
(4) multiotp: --> -ms-chap2-response=
(4) multiotp: ERROR: Failed parsing output from: /usr/local/bin/multiotp.php '%{User-Name}' '%{User-Password}' -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}: Expecting opera
tor
(4) multiotp: ERROR: Program returned code (0) and output 'Filter-Id += "<user_group>",NT_KEY: A7C014D1209A4078F1003810BDB08BE6 '
(4) [multiotp] = fail
(4) } # authorize = fail
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Post-Auth-Type REJECT {
.
.
.
答案1
來自FreeRADIUS 郵件列表,來自 MultiOTP 的回應'Filter-Id += "<user_group>",NT_KEY: A7C014D1209A4078F1003810BDB08BE6 '對於 FreeRADIUS 3 無效,但很可能適用於 FreeRADIUS 2。
我透過使用包裝腳本來解析 [MultiOTP[(https://github.com/multiOTP/multiotp),僅傳回「authenticate」部分的「exec」步驟的「Filter-Id +=」Erica-Users」部分,並僅傳回「authorize」步驟的「mschap」步驟的「NT_KEY: A7C014D1209A4078F1003810BEY: A7C014D1209A4078F1003810BEY08BE6」部分驗證過程FreeRADI 。
值得注意的是 FreeRADIUS 3 with MultiOTP 的文檔MultiOTP README.md,並重複FreeRADIUS 維基,在撰寫本文時不是,而且它不建議 FreeRADIUS 3 實際使用的檔案名稱。
MultiOTP 本身的配置步驟是準確的。
對於遇到相同問題的任何人,這裡有一些 FreeRADIUS 3 配置的程式碼片段。我沒有展示虛擬伺服器設定文件,這可能更具體於特定環境。
/usr/local/bin/multiotp_wrapper_mschap.sh:
#!/bin/bash
# Extract Filter-Id
user_name=$1
user_password=$2
packet_src_ip_address=$3
ms_chap_challange=$4
ms_chap_response=$5
/usr/local/bin/multiotp.php ${user_name} ${user_password} -request-nt-key -src=${packet_src_ip_address} -ms-chap-challenge=${ms_chap_challange} -ms-chap-response=${ms_chap_response} | sed -e 's/.*,//'
/usr/local/bin/multiotp_wrapper_exec.sh
#!/bin/bash
# Extract NT_KEY
user_name=$1
user_password=$2
packet_src_ip_address=$3
ms_chap_challange=$4
ms_chap_response=$5
/usr/local/bin/multiotp.php ${user_name} ${user_password} -request-nt-key -src=${packet_src_ip_address} -ms-chap-challenge=${ms_chap_challange} -ms-chap-response=${ms_chap_response} | sed -e 's/,NT_KEY.*$//'
/etc/raddb/mods-enabled/multiotp:
exec multiotp {
wait = yes
input_pairs = request
output_pairs = reply
program = "/usr/local/bin/multiotp_wrapper_exec.sh '%{User-Name}' '%{User-Password}' %{Packet-Src-IP-Address} %{MS-CHAP-Challenge} %{MS-CHAP-Response}"
shell_escape = yes
}
/etc/raddb/mods-enabled/multiotpmschap:
mschap multiotpmschap {
# ntlm_auth = "/usr/local/bin/multiotp.php '%{User-Name}' '%{User-Password}' -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
ntlm_auth = "/usr/local/bin/multiotp_wrapper_mschap.sh '%{User-Name}' '%{User-Password}' %{Packet-Src-IP-Address} %{MS-CHAP-Challenge} %{MS-CHAP-Response}"
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
}
}
答案2
以防萬一其他人收到“錯誤:解析輸出失敗”,請檢查 multiotp.ini 中的“顯示日誌”選項,如果啟用了該選項,也可能會導致該問題。