FreeRADIUS and REST authentication

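I am working on integrating freeradius into our platform and am trying to get authentication working via a REST API on our platform. We run the REST API and the freeradius server in Docker containers, and both containers are connected through docker-compose.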

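After a lot of trial and error, I found the configuration that makes the freeradius server call the other server, and I can see the response being sent back correctly, but I get a failed reply even with known good credentials.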

In the sites-enabled/default configuration we have the following:

    authorize {
        # Use REST API for authorization if we have a password
        if (&User-Password) {
            update control {
                Auth-Type := 'rest'
            }
        }
    }

    authenticate {
        rest
    }

In the mods-enabled/rest file we have the following:

    connect_uri = "http://freeradiusapi:8080/"
    authorize {
        uri = "${..connect_uri}check/%{User-Name}"
        method = 'get'
    }
    authenticate {
        uri = "${..connect_uri}auth/%{User-Name}/%{User-Password}"
        method = 'get'
    }

It calls the REST API correctly, and I can see that it ran correctly with an HTTP 200.

Below is the relevant excerpt from the log file.

freeradius     | (0) Received Access-Request Id 228 from 172.18.0.2:59890 to 172.18.0.6:1812 length 47
freeradius     | (0)   User-Name = "shughes"
freeradius     | (0)   User-Password = "bananas123"
freeradius     | (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
freeradius     | (0)   authorize {
freeradius     | (0)     if (&User-Password) {
freeradius     | (0)     if (&User-Password)  -> TRUE
freeradius     | (0)     if (&User-Password)  {
freeradius     | (0)       update control {
freeradius     | (0)         Auth-Type := rest
freeradius     | (0)       } # update control = noop
freeradius     | (0)     } # if (&User-Password)  = noop
freeradius     | (0)   } # authorize = noop
freeradius     | (0) Found Auth-Type = rest
freeradius     | (0) # Executing group from file /etc/freeradius/sites-enabled/default
freeradius     | (0)   authenticate {
freeradius     | rlm_rest (rest): 0 of 0 connections in use.  You  may need to increase "spare"
freeradius     | rlm_rest (rest): Opening additional connection (0), 1 of 32 pending slots used
freeradius     | rlm_rest (rest): Connecting to "http://freeradiusapi:8080/"
freeradius     | rlm_rest (rest): Reserved connection (0)
freeradius     | (0) rest: Expanding URI components
freeradius     | (0) rest: EXPAND http://freeradiusapi:8080
freeradius     | (0) rest:    --> http://freeradiusapi:8080
freeradius     | (0) rest: EXPAND /auth/%{User-Name}/%{User-Password}
freeradius     | (0) rest:    --> /auth/myuser/mypassword
freeradius     | (0) rest: Sending HTTP GET to "http://freeradiusapi:8080/auth/myuser/mypassword"
freeradius     | (0) rest: Processing response header
freeradius     | (0) rest:   Status : 200 (OK)
freeradius     | (0) rest:   Type   : json (application/json)
freeradius     | (0) rest: Adding reply:REST-HTTP-Status-Code = "200"
freeradius     | (0) rest: Parsing attribute "control:Auth-Type"
freeradius     | (0) rest: EXPAND Accept
freeradius     | (0) rest:    --> Accept
freeradius     | (0) rest: Auth-Type := Accept
freeradius     | rlm_rest (rest): Released connection (0)
freeradius     | Need more connections to reach 10 spares
freeradius     | rlm_rest (rest): Opening additional connection (1), 1 of 31 pending slots used
freeradius     | rlm_rest (rest): Connecting to "http://freeradiusapi:8080/"
freeradius     | (0)     [rest] = updated
freeradius     | (0)   } # authenticate = updated
freeradius     | (0) Failed to authenticate the user
freeradius     | (0) Using Post-Auth-Type Reject
freeradius     | (0) # Executing group from file /etc/freeradius/sites-enabled/default
freeradius     | (0)   Post-Auth-Type REJECT {
freeradius     | (0)     [rest] = noop
freeradius     | (0)   } # Post-Auth-Type REJECT = noop
freeradius     | (0) Delaying response for 1.000000 seconds
freeradius     | Waking up in 0.9 seconds.
freeradius     | (0) Sending delayed response
freeradius     | (0) Sent Access-Reject Id 228 from 172.18.0.6:1812 to 172.18.0.2:59890 length 20
freeradius     | Waking up in 3.9 seconds.
freeradius     | (0) Cleaning up request packet ID 228 with timestamp +5 due to cleanup_delay was reached

At some point today I did have it working, but I don't quite understand what I am doing wrong. Any help is much appreciated. Thanks.
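A triage sketch for debug output like the excerpt above, as an added example that is not part of the original post: for each request it pulls out the Auth-Type, the REST status, the return code of the authenticate section and the packet sent back, and notes when User-Password is expanded into a URI or the call uses plain http. The sample log is constructed from lines quoted in the question; the function and field names are hypothetical.

```python
import re

# Constructed sample, shaped like the debug excerpt quoted in the question.
SAMPLE_LOG = """\
freeradius     | (0) Found Auth-Type = rest
freeradius     | (0) rest: EXPAND /auth/%{User-Name}/%{User-Password}
freeradius     | (0) rest: Sending HTTP GET to "http://freeradiusapi:8080/auth/myuser/mypassword"
freeradius     | (0) rest:   Status : 200 (OK)
freeradius     | (0)   } # authenticate = updated
freeradius     | (0) Failed to authenticate the user
freeradius     | (0) Sent Access-Reject Id 228 from 172.18.0.6:1812 to 172.18.0.2:59890 length 20
"""

REQ_LINE = re.compile(r"^(?:\S+\s+\|\s+)?\((\d+)\)\s+(.*)$")  # optional compose prefix, then "(id) msg"
RULES = [  # (field, pattern); the first capture group is stored under the field name
    ("auth_type", re.compile(r"^Found Auth-Type = (\S+)")),
    ("http_status", re.compile(r"^rest:\s+Status\s*:\s*(\d+)")),
    ("url", re.compile(r'^rest: Sending HTTP \w+ to "([^"]+)"')),
    ("authenticate_rcode", re.compile(r"^\} # authenticate = (\w+)")),
    ("outcome", re.compile(r"^Sent (Access-\w+)")),
]

def triage(log_text):
    """Summarise each request in the log and list findings worth a second look."""
    requests = {}
    for raw in log_text.splitlines():
        m = REQ_LINE.match(raw)
        if not m:
            continue  # global lines such as connection-pool messages carry no request id
        req = requests.setdefault(int(m.group(1)), {"findings": []})
        msg = m.group(2)
        for field, pattern in RULES:
            hit = pattern.search(msg)
            if hit:
                req[field] = hit.group(1)
        if "EXPAND" in msg and "%{User-Password}" in msg:
            req["password_in_uri"] = True
    for req in requests.values():
        if req.get("password_in_uri"):
            req["findings"].append("User-Password is expanded into the request URI")
        if req.get("url", "").startswith("http://"):
            req["findings"].append("REST call goes over plain http")
        if req.get("http_status", "").startswith("2") and req.get("outcome") == "Access-Reject":
            req["findings"].append("backend answered HTTP %s, authenticate returned %r"
                                   % (req["http_status"], req.get("authenticate_rcode")))
    return requests

if __name__ == "__main__":
    print(triage(SAMPLE_LOG)[0]["findings"])
```
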

Answer 1

I also work with rlm_rest.

My sites-enabled:

    authorize {
        filter_username
        preprocess
        rest
        chap
        mschap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
    }

mods-enabled/rest

    authorize {
        uri = "http://192.168.56.1:5000/radius/authorize"
        method = 'post'
        body = 'JSON'
    }
    accounting {
        uri = "http://192.168.56.1:5000/radius/accounting"
        method = 'post'
        body = JSON
    }

It runs smoothly. But I still have problems using rest with dynamic clients.
