我正在使用 REST 模块授权 DHCP 请求。如果授权失败,我想发送显式 DHCP NAK,但是如果失败,DHCP 模块似乎会立即返回,并忽略 DHCP 请求而不做出任何响应。
这是我的 DHCP 模块配置 - 如果 rest.authorize 成功,则 if (ok) 控制块被命中,但如果 rest.authorize 失败,则 if (fail) 永远不会被命中。
dhcp DHCP-Discover {
rest.authorize
if (fail) {
update reply {
DHCP-Message-Type = DHCP-Nak
}
}
if (ok) {
update reply {
DHCP-Message-Type = DHCP-Offer
}
update reply {
DHCP-Domain-Name-Server = x.x.x.x
DHCP-Domain-Name-Server = x.x.x.x
DHCP-Subnet-Mask = 255.255.255.0
DHCP-Router-Address = x.x.x.x
DHCP-IP-Address-Lease-Time = 3600
DHCP-DHCP-Server-Identifier = x.x.x.x
}
mac2ip
}
}
以下是收到 401 Unauthorized 后的输出。我想要在指定的(短)时间内对 DHCP 进行临时阻止。但是 FreeRADIUS 的行为是忽略对相同 DHCP 事务的重复请求,这意味着客户端上的 DHCP 被阻止,直到它开始新的事务。如果可以发送 DHCP NAK,DHCP 客户端将在每个 NAK(即 DHCP Discover)之后启动新的事务,这意味着 FreeRADIUS 将处理来自客户端的每个 DHCP Discover,并且阻止将在更接近所需阻止时间时被移除。
Tue Jun 3 03:00:57 2014 : Debug: (3) rest : Sending HTTP GET to
"http://xxxxxx//api/v1/dhcp/80%3Aea%3A96%3A2a%3Ab6%3Aaa"
Tue Jun 3 03:00:57 2014 : Debug: (3) rest : Processing response header
Tue Jun 3 03:00:57 2014 : Debug: (3) rest : Status : 401 (Unauthorized)
Tue Jun 3 03:00:57 2014 : Debug: (3) rest : Skipping attribute processing, no body data received
Tue Jun 3 03:00:57 2014 : Debug: rlm_rest (rest): Released connection (4)
Tue Jun 3 03:00:57 2014 : Debug: (3) modsingle[authorize]: returned from rest (rlm_rest) for request 3
Tue Jun 3 03:00:57 2014 : Debug: (3) [rest.authorize] = fail
Tue Jun 3 03:00:57 2014 : Debug: (3) } # dhcp DHCP-Discover = fail
Tue Jun 3 03:00:57 2014 : Debug: (3) Finished request 3.
Tue Jun 3 03:00:57 2014 : Debug: Waking up in 0.2 seconds.
Tue Jun 3 03:00:58 2014 : Debug: Waking up in 4.6 seconds.
Received DHCP-Discover of id 7b0fb2de from 172.19.0.9:67 to 172.19.0.12:67
Tue Jun 3 03:00:59 2014 : Debug: (3) No reply. Ignoring retransmit.
Tue Jun 3 03:00:59 2014 : Debug: Waking up in 2.9 seconds.
Received DHCP-Discover of id 7b0fb2de from 172.19.0.9:67 to 172.19.0.12:67
Tue Jun 3 03:01:02 2014 : Debug: (3) No reply. Ignoring retransmit.
Tue Jun 3 03:01:02 2014 : Debug: Waking up in 0.4 seconds.
Tue Jun 3 03:01:02 2014 : Debug: (2) Cleaning up request packet ID 2064626397 with timestamp +56
Tue Jun 3 03:01:02 2014 : Debug: Waking up in 1999991.0 seconds.
Received DHCP-Discover of id 7b0fb2de from 172.19.0.9:67 to 172.19.0.12:67
Tue Jun 3 03:01:06 2014 : Debug: (3) No reply. Ignoring retransmit.
Tue Jun 3 03:01:06 2014 : Debug: Waking up in 3999983.1 seconds.
Received DHCP-Discover of id 7b0fb2de from 172.19.0.9:67 to 172.19.0.12:67
Tue Jun 3 03:01:15 2014 : Debug: (3) No reply. Ignoring retransmit.
Tue Jun 3 03:01:15 2014 : Debug: Waking up in 7999966.3 seconds.
Received DHCP-Discover of id 7b0fb2de from 172.19.0.9:67 to 172.19.0.12:67
Tue Jun 3 03:01:23 2014 : Debug: (3) No reply. Ignoring retransmit.
Tue Jun 3 03:01:23 2014 : Debug: Waking up in 15999942.1 seconds.
对于下面的选项 #4 解决方案,尽管这在 DHCP NAK 方面有效,但 DHCP 模块会“记住”DHCP 事务的 REST 授权结果。只有当设备尝试进行新事务时,DHCP 模块才会再次进行 REST 授权调用:
Received DHCP-Discover of id 7b0fb322 from 172.19.0.9:67 to 172.19.0.12:67
Sending DHCP-NAK of id 7b0fb322 from 172.19.0.12:67 to 172.19.0.9:67
Wed Jun 4 00:31:32 2014 : Debug: Waking up in 3.5 seconds.
Received DHCP-Discover of id 7b0fb322 from 172.19.0.9:67 to 172.19.0.12:67
Sending DHCP-NAK of id 7b0fb322 from 172.19.0.12:67 to 172.19.0.9:67
Wed Jun 4 00:31:35 2014 : Debug: Waking up in 0.6 seconds.
Wed Jun 4 00:31:36 2014 : Debug: (4) Cleaning up request packet ID 2064626465 with timestamp +138
Wed Jun 4 00:31:36 2014 : Debug: Waking up in 1999991.0 seconds.
Received DHCP-Discover of id 7b0fb322 from 172.19.0.9:67 to 172.19.0.12:67
Sending DHCP-NAK of id 7b0fb322 from 172.19.0.12:67 to 172.19.0.9:67
Wed Jun 4 00:31:40 2014 : Debug: Waking up in 3999982.8 seconds.
答案1
rest.authorize {
fail = 1
}
if (reject || fail) {
update reply {
DHCP-Message-Type = DHCP-NAK
}
}
好的。所以你有四个选择:
- 返回带有 JSON 内容类型和一组空括号 {} 的 401(可能有效)
- 使用 v3.0.x HEAD 提交,我刚刚修改了行为以允许空主体。奇怪的是它实际上是在为空主体调用主体数据回调。我没想到这一点,这就是它出错的原因。这将出现在发布的版本 3.0.4 中。
- 将下面的返回语句编辑
RDEBUG2("Skipping....")
为。src/modules/rlm_rest/rest.c
return 0
- 编辑您的休息调用以匹配我上面添加的代码片段(因为将它放在这个项目符号列表之后会影响格式)。