我正在努力将 freeradius 集成到我们的平台中,并尝试通过我们平台上的 rest api 使身份验证正常工作。我们在 docker 容器中运行 rest api 和 freeradius 服务器,并且两个容器都通过 docker-compose 连接。
经过多次反复尝试,我找到了 freeradius 服务器调用其他服务器的配置,并且我可以看到响应被正确发送回来,但即使使用已知的良好凭据,我也会收到失败的回复。
在 sites-enabled/default 配置中,我们有以下配置
authorize {
# Use REST API for authorization if we have a password
if (&User-Password) {
update control {
Auth-Type := 'rest'
}
}
}
authenticate {
rest
}
在 mods-enabled/rest 文件中,我们有以下内容
connect_uri = "http://freeradiusapi:8080/"
authorize {
uri = "${..connect_uri}check/%{User-Name}"
method = 'get'
}
authenticate {
uri = "${..connect_uri}auth/%{User-Name}/%{User-Password}"
method = 'get'
}
它正确调用了 rest api,我可以看到它正确运行了 http 200
以下是日志文件的相关摘录。
freeradius | (0) Received Access-Request Id 228 from 172.18.0.2:59890 to 172.18.0.6:1812 length 47
freeradius | (0) User-Name = "shughes"
freeradius | (0) User-Password = "bananas123"
freeradius | (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
freeradius | (0) authorize {
freeradius | (0) if (&User-Password) {
freeradius | (0) if (&User-Password) -> TRUE
freeradius | (0) if (&User-Password) {
freeradius | (0) update control {
freeradius | (0) Auth-Type := rest
freeradius | (0) } # update control = noop
freeradius | (0) } # if (&User-Password) = noop
freeradius | (0) } # authorize = noop
freeradius | (0) Found Auth-Type = rest
freeradius | (0) # Executing group from file /etc/freeradius/sites-enabled/default
freeradius | (0) authenticate {
freeradius | rlm_rest (rest): 0 of 0 connections in use. You may need to increase "spare"
freeradius | rlm_rest (rest): Opening additional connection (0), 1 of 32 pending slots used
freeradius | rlm_rest (rest): Connecting to "http://freeradiusapi:8080/"
freeradius | rlm_rest (rest): Reserved connection (0)
freeradius | (0) rest: Expanding URI components
freeradius | (0) rest: EXPAND http://freeradiusapi:8080
freeradius | (0) rest: --> http://freeradiusapi:8080
freeradius | (0) rest: EXPAND /auth/%{User-Name}/%{User-Password}
freeradius | (0) rest: --> /auth/myuser/mypassword
freeradius | (0) rest: Sending HTTP GET to "http://freeradiusapi:8080/auth/myuser/mypassword"
freeradius | (0) rest: Processing response header
freeradius | (0) rest: Status : 200 (OK)
freeradius | (0) rest: Type : json (application/json)
freeradius | (0) rest: Adding reply:REST-HTTP-Status-Code = "200"
freeradius | (0) rest: Parsing attribute "control:Auth-Type"
freeradius | (0) rest: EXPAND Accept
freeradius | (0) rest: --> Accept
freeradius | (0) rest: Auth-Type := Accept
freeradius | rlm_rest (rest): Released connection (0)
freeradius | Need more connections to reach 10 spares
freeradius | rlm_rest (rest): Opening additional connection (1), 1 of 31 pending slots used
freeradius | rlm_rest (rest): Connecting to "http://freeradiusapi:8080/"
freeradius | (0) [rest] = updated
freeradius | (0) } # authenticate = updated
freeradius | (0) Failed to authenticate the user
freeradius | (0) Using Post-Auth-Type Reject
freeradius | (0) # Executing group from file /etc/freeradius/sites-enabled/default
freeradius | (0) Post-Auth-Type REJECT {
freeradius | (0) [rest] = noop
freeradius | (0) } # Post-Auth-Type REJECT = noop
freeradius | (0) Delaying response for 1.000000 seconds
freeradius | Waking up in 0.9 seconds.
freeradius | (0) Sending delayed response
freeradius | (0) Sent Access-Reject Id 228 from 172.18.0.6:1812 to 172.18.0.2:59890 length 20
freeradius | Waking up in 3.9 seconds.
freeradius | (0) Cleaning up request packet ID 228 with timestamp +5 due to cleanup_delay was reached
今天某个时候我确实让它正常工作了,但我不太明白我做错了什么,非常感谢任何帮助。谢谢
答案1
我也与 rlm_rest 合作。
我的站点已启用
authorize {
filter_username
preprocess
rest
chap
mschap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
}
mods-enabled/rest
authorize {
uri = "http://192.168.56.1:5000/radius/authorize"
method = 'post'
body = 'JSON'
}
accounting {
uri = "http://192.168.56.1:5000/radius/accounting"
method = 'post'
body = JSON
}
它运行顺利。但我在动态客户端中使用 rest 时仍然有问题