FreeRADIUS: authenticate users under a specific condition


There is a network in which users connect to the access server over PPPoE. We have lost the billing system and the user database. The only condition we know is: "valid credentials are those where the username and the password have the same value (i.e. username: johnsmith, password: johnsmith)".

We want to restore internet access as soon as possible.

The setup we currently have: Ubuntu 20.04, accel-ppp, freeradius3. Everything works fine, but we have to add a record for every user to the raddb/mods-config/files/authorize file.

# raddb/mods-config/files/authorize
user1 Cleartext-Password := "user1"
user2 Cleartext-Password := "user2"
userN Cleartext-Password := "userN"

Is it possible to avoid adding users manually? The script should validate credentials on the assumption that the username and the valid password are the same value.

Additionally, I have also tried:

# raddb/mods-config/files/authorize
DEFAULT Auth-Type := Accept

radtest -t mschap tqq tq 172.17.0.1 0 testing123 - an Access-Accept is received, but when I try to set up PPPoE on a router or a PC, I get Authentication failed, incorrect username or password.

Any help is appreciated.

freeradius-radius-1  | (11) Received Access-Request Id 1 from 192.168.192.1:49648 to 192.168.192.2:1812 length 178
freeradius-radius-1  | (11)   User-Name = "q"
freeradius-radius-1  | (11)   NAS-Identifier = "accel-ppp"
freeradius-radius-1  | (11)   NAS-IP-Address = 172.17.0.1
freeradius-radius-1  | (11)   NAS-Port-Type = Virtual
freeradius-radius-1  | (11)   Service-Type = Framed-User
freeradius-radius-1  | (11)   Framed-Protocol = PPP
freeradius-radius-1  | (11)   Calling-Station-Id = "d8:47:32:c3:72:bd"
freeradius-radius-1  | (11)   Called-Station-Id = "00:0c:29:fb:5d:8e"
freeradius-radius-1  | (11)   MS-CHAP-Challenge = 0x57d2a52805a8b83f1c2241558e501549
freeradius-radius-1  | (11)   MS-CHAP2-Response = 0x01002b3c2451214fb6e0583fb9972a49a56e00000000000000001ae496c046d6b776df57a8ba10ab82254b78878444ce0cb1
freeradius-radius-1  | (11) # Executing section authorize from file /etc/freeradius/sites-enabled/default
freeradius-radius-1  | (11)   authorize {
freeradius-radius-1  | (11)     policy filter_username {
freeradius-radius-1  | (11)       if (&User-Name) {
freeradius-radius-1  | (11)       if (&User-Name)  -> TRUE
freeradius-radius-1  | (11)       if (&User-Name)  {
freeradius-radius-1  | (11)         if (&User-Name =~ / /) {
freeradius-radius-1  | (11)         if (&User-Name =~ / /)  -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /@[^@]*@/ ) {
freeradius-radius-1  | (11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /\.\./ ) {
freeradius-radius-1  | (11)         if (&User-Name =~ /\.\./ )  -> FALSE
freeradius-radius-1  | (11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
freeradius-radius-1  | (11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /\.$/)  {
freeradius-radius-1  | (11)         if (&User-Name =~ /\.$/)   -> FALSE
freeradius-radius-1  | (11)         if (&User-Name =~ /@\./)  {
freeradius-radius-1  | (11)         if (&User-Name =~ /@\./)   -> FALSE
freeradius-radius-1  | (11)       } # if (&User-Name)  = notfound
freeradius-radius-1  | (11)     } # policy filter_username = notfound
freeradius-radius-1  | (11)     [preprocess] = ok
freeradius-radius-1  | (11)     [chap] = noop
freeradius-radius-1  | (11) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
freeradius-radius-1  | (11)     [mschap] = ok
freeradius-radius-1  | (11)     [digest] = noop
freeradius-radius-1  | (11) suffix: Checking for suffix after "@"
freeradius-radius-1  | (11) suffix: No '@' in User-Name = "q", looking up realm NULL
freeradius-radius-1  | (11) suffix: No such realm "NULL"
freeradius-radius-1  | (11)     [suffix] = noop
freeradius-radius-1  | (11) eap: No EAP-Message, not doing EAP
freeradius-radius-1  | (11)     [eap] = noop
freeradius-radius-1  | (11) files: users: Matched entry DEFAULT at line 1
freeradius-radius-1  | (11)     [files] = ok
freeradius-radius-1  | (11)     [expiration] = noop
freeradius-radius-1  | (11)     [logintime] = noop
freeradius-radius-1  | (11) pap: WARNING: Auth-Type already set.  Not setting to PAP
freeradius-radius-1  | (11)     [pap] = noop
freeradius-radius-1  | (11)   } # authorize = ok
freeradius-radius-1  | (11) Found Auth-Type = Accept
freeradius-radius-1  | (11) Auth-Type = Accept, accepting the user
freeradius-radius-1  | (11) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
freeradius-radius-1  | (11)   post-auth {
freeradius-radius-1  | (11)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
freeradius-radius-1  | (11)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
freeradius-radius-1  | (11)     update {
freeradius-radius-1  | (11)       No attributes updated for RHS &session-state:
freeradius-radius-1  | (11)     } # update = noop
freeradius-radius-1  | (11)     [exec] = noop
freeradius-radius-1  | (11)     policy remove_reply_message_if_eap {
freeradius-radius-1  | (11)       if (&reply:EAP-Message && &reply:Reply-Message) {
freeradius-radius-1  | (11)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
freeradius-radius-1  | (11)       else {
freeradius-radius-1  | (11)         [noop] = noop
freeradius-radius-1  | (11)       } # else = noop
freeradius-radius-1  | (11)     } # policy remove_reply_message_if_eap = noop
freeradius-radius-1  | (11)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
freeradius-radius-1  | (11)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
freeradius-radius-1  | (11)   } # post-auth = noop
freeradius-radius-1  | (11) Sent Access-Accept Id 1 from 192.168.192.2:1812 to 192.168.192.1:49648 length 32
freeradius-radius-1  | (11)   Session-Timeout = 14400
freeradius-radius-1  | (11)   Termination-Action = RADIUS-Request
freeradius-radius-1  | (11) Finished request
freeradius-radius-1  | Waking up in 1.9 seconds.

Answer 1

This is easy to do in unlang, the FreeRADIUS configuration "language".

You copy the (known) User-Name into Cleartext-Password and then compare the incoming password against it.

For an example, see my full answer to the same question on StackOverflow: https://stackoverflow.com/a/70620187/5857272
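As an added illustration (not taken from the answer above or from the linked StackOverflow post), this is the unlang form of that check placed in the authorize section of the default virtual server, keeping the module order visible in the question's debug log. It assumes the DEFAULT Auth-Type := Accept entry from the question has been removed, so that the mschap (or pap) module really runs in authenticate and the reply to an MS-CHAPv2 login carries the MS-CHAP2-Success attribute the PPP peer verifies; Auth-Type := Accept skips that step, which is why radtest was accepted while PPPoE clients still failed.

```unlang
# /etc/freeradius/3.0/sites-enabled/default, authorize section (added example).
# Prerequisite: remove "DEFAULT Auth-Type := Accept" from mods-config/files/authorize,
# otherwise the files module overrides the Auth-Type that mschap set.
authorize {
    filter_username
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    files

    # Assumption of this example: the valid password is the username itself.
    # Only supply it when no other source (files, sql, ...) has already set a
    # known password for this user, so real per-user entries still take precedence.
    if (!&control:Cleartext-Password) {
        update control {
            &Cleartext-Password := "%{User-Name}"
        }
    }

    expiration
    logintime
    pap
}
```

After restarting FreeRADIUS, `radtest -t mschap johnsmith johnsmith <server> 0 <secret>` should get an Access-Accept that now includes MS-CHAP2-Success, while `radtest -t mschap johnsmith wrongpassword <server> 0 <secret>` should be rejected.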
