MultiOTP + FreeRADIUS + MS Active Directory

I am running a CentOS 6.6 64-bit server with FreeRADIUS 2.1.12 installed from the base repository. In addition I am using MultiOTP ( http://www.multiotp.net/ ) configured to connect to our Windows 2012 R2 server.

The MultiOTP version is 4.3.1.1, and to configure FreeRADIUS I used this guide: http://wiki.freeradius.org/guide/multiOTP-HOWTO

I couldn't find any information about older FreeRADIUS versions, but at least using PAP seems to work:

    radtest -t pap -x myusername mypasswordandtoken localhost 1812 sharedsecret
    Sending Access-Request of id 95 to 127.0.0.1 port 1812
            User-Name = "myusername"
            User-Password = "mypasswordandtoken"
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 1812
            Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=95, length=20

The radiusd -X output looks like this:

    [suffix] No '@' in User-Name = "myusername", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++? if (control:Auth-Type == 'MS-CHAP')
    (Attribute control:Auth-Type was not found)
    ? Evaluating (control:Auth-Type == 'MS-CHAP') -> FALSE
    ++? if (control:Auth-Type == 'MS-CHAP') -> FALSE
    ++- entering else else {...}
    +++? if (!control:Auth-Type)
    ? Evaluating !(control:Auth-Type) -> TRUE
    +++? if (!control:Auth-Type) -> TRUE
    +++- entering if (!control:Auth-Type) {...}
    ++++[control] returns noop
    +++- if (!control:Auth-Type) returns noop
    ++- else else returns noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = multiotp
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group multiotp {...}
    [multiotp]      expand: '%{User-Name}' -> 'myusername'
    [multiotp]      expand: '%{User-Password}' -> 'mypasswordandtoken'
    [multiotp]      expand: -src=%{Packet-Src-IP-Address} -> -src=127.0.0.1
    [multiotp]      expand: -chap-challenge=%{CHAP-Challenge} -> -chap-challenge=
    [multiotp]      expand: -chap-password=%{CHAP-Password} -> -chap-password=
    [multiotp]      expand: -ms-chap-challenge=%{MS-CHAP-Challenge} -> -ms-chap-challenge=
    [multiotp]      expand: -ms-chap-response=%{MS-CHAP-Response} -> -ms-chap-response=
    [multiotp]      expand: -ms-chap2-response=%{MS-CHAP2-Response} -> -ms-chap2-response=
    Exec-Program output: 
    Exec-Program: returned: 0
    ++[multiotp] returns ok

Running radtest with -t mschap does not work; the RADIUS output is this:

    [suffix] No '@' in User-Name = "myusername", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++? if (control:Auth-Type == 'MS-CHAP')
    ? Evaluating (control:Auth-Type == 'MS-CHAP') -> TRUE
    ++? if (control:Auth-Type == 'MS-CHAP') -> TRUE
    ++- entering if (control:Auth-Type == 'MS-CHAP') {...}
    +++[control] returns noop
    ++- if (control:Auth-Type == 'MS-CHAP') returns noop
    ++ ... skipping else for request 1: Preceding "if" was taken
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = multiotpmschap
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group multiotpmschap {...}
    [multiotpmschap] Told to do MS-CHAPv1 with NT-Password
    [multiotpmschap]        expand: %{User-Name} -> myusername
    [multiotpmschap]        expand: %{User-Password} -> 
    [multiotpmschap]        expand: -src=%{Packet-Src-IP-Address} -> -src=127.0.0.1
    [multiotpmschap]        expand: -chap-challenge=%{CHAP-Challenge} -> -chap-challenge=
    [multiotpmschap]        expand: -chap-password=%{CHAP-Password} -> -chap-password=
    [multiotpmschap]        expand: -ms-chap-challenge=%{MS-CHAP-Challenge} -> -ms-chap-challenge=0xdf908aaeb26f4444
    [multiotpmschap]        expand: -ms-chap-response=%{MS-CHAP-Response} -> -ms-chap-response=0x0001000000000000000000000000000000000000000000000000fbb0b53f018a0e1fec964169db2b88be0ca521a8d8a234b6
    [multiotpmschap]        expand: -ms-chap2-response=%{MS-CHAP2-Response} -> -ms-chap2-response=
    Exec-Program output: NT_KEY: F1111A9A8F0E249D347BE73B2D538685
    Exec-Program-Wait: plaintext: NT_KEY: F1111A9A8F0E249D347BE73B2D538685
    Exec-Program: returned: 99
    [multiotpmschap] External script failed.
    [multiotpmschap] MS-CHAP-Response is incorrect.
    ++[multiotpmschap] returns reject
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> myusername
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 1 for 1 seconds
    Going to the next request
    Waking up in 0.6 seconds.
    Sending delayed reject for request 1
    Sending Access-Reject of id 105 to 127.0.0.1 port 49595
            MS-CHAP-Error = "\000E=69
    Waking up in 4.9 seconds.

Connecting an application that authenticates with MS-CHAPv2 to FreeRADIUS also produces the same error as using mschap with radclient.

Does anyone know whether this version of FreeRADIUS can be used with MultiOTP connected to Active Directory?

Yes, you are right: MSCHAP and MSCHAPv2 use hashed passwords, so if the password is [PIN / internal password + token], multiOTP can still recompute it, but with the AD password there is no way, because we do not have the AD password stored in multiOTP.

This setup, using MultiOTP with an encrypted AD password + token (MSCHAP), does not depend on the FreeRADIUS version you are using. If you dig into how things work, you will realize it is not possible. Right now, I believe MultiOTP has no way to regenerate, from the AD entry in its database + the token, a hash that matches the encrypted password coming from the client (using MSCHAP). Just imagine interpreting a 128-bit hash.

It is working for PAP because the string-comparison authentication is in plaintext. In that case, unlike with the encrypted forms, MultiOTP can easily rebuild the string.

I hope this also explains why you get that error.

Instead of:

    Username: username
    Password: [password] + [OTP]

you can now use:

    Username: username:OTP
    Password: password

With username = john, password = myBigPassword, OTP = 123456:

    Username: john:123456
    Password: myBigPassword

As the OTP changes all the time, it is completely secure, and MS-CHAPv2 works :-)
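The two answers above make the same point from different angles: under PAP the server sees the cleartext "password + OTP" and can split it, but under MS-CHAP it only sees a response keyed by the hash of whatever the user typed, and hash(password + OTP) cannot be derived from the hash(password) that AD can supply. Moving the OTP into the User-Name ("john:123456") makes both factors checkable again. The following model, added here as an illustration and not code from the thread, from MultiOTP or from FreeRADIUS, walks through both schemes with both sides' messages. MS-CHAPv2's DES-based NT-Response is replaced by HMAC-SHA256 and the MD4-based NT hash by SHA-256 so that it runs on a stock Python install; the OTP side is real RFC 4226 HOTP using the RFC's test-vector seed. The class and function names, the sample AD password and the six-digit, no-look-ahead counter policy are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample data: the RFC 4226 test-vector seed as the user's token
# secret, and the AD password used in the answer above.
HOTP_SECRET = b"12345678901234567890"
AD_PASSWORD = "myBigPassword"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash. Real MS-CHAP uses MD4(UTF-16LE password);
    SHA-256 is used here so the example runs without OpenSSL's legacy provider."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def client_response(typed_password: str, challenge: bytes) -> bytes:
    """Client side, stand-in for the MS-CHAPv2 NT-Response: all the server ever
    receives is a value keyed by the hash of whatever the user typed."""
    return hmac.new(password_hash(typed_password), challenge, hashlib.sha256).digest()


class OtpRadiusServer:
    """Hypothetical RADIUS + OTP backend. It holds the AD password hash (which AD
    can provide) plus the user's token secret and counter, never the clear AD password."""

    def __init__(self) -> None:
        self.ad_hash = password_hash(AD_PASSWORD)
        self.counter = 0  # assumption: exact counter match, no look-ahead window

    def _otp_ok(self, otp: str) -> bool:
        return hmac.compare_digest(otp.encode(), hotp(HOTP_SECRET, self.counter).encode())

    def authenticate_pap(self, user: str, cleartext: str) -> bool:
        """PAP: 'password + OTP' arrives in clear, so the server can split off the
        trailing six digits and check each half against what it holds."""
        password, otp = cleartext[:-6], cleartext[-6:]
        ok = hmac.compare_digest(password_hash(password), self.ad_hash) and self._otp_ok(otp)
        if ok:
            self.counter += 1
        return ok

    def authenticate_mschap(self, user: str, challenge: bytes, response: bytes) -> bool:
        """MS-CHAP-style: no cleartext arrives. The only response the server can
        recompute is the one keyed by the AD hash it already has, so a client that
        keyed its response with hash(password + OTP) can never match. With the OTP
        carried in User-Name ('john:123456') it is checked separately first."""
        name, sep, otp = user.partition(":")
        if sep and not self._otp_ok(otp):
            return False
        expected = hmac.new(self.ad_hash, challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        if ok and sep:
            self.counter += 1  # consume the OTP only on a fully successful login
        return ok


def demo() -> dict:
    """Replay the situations discussed in the thread and return each outcome."""
    srv = OtpRadiusServer()
    results = {}

    # 1. PAP with 'password + OTP' in User-Password: works (what the question saw).
    otp = hotp(HOTP_SECRET, srv.counter)
    results["pap_password_plus_otp"] = srv.authenticate_pap("john", AD_PASSWORD + otp)

    # 2. MS-CHAP with the same 'password + OTP' typed as the password: rejected,
    #    because the response is keyed by a hash the server cannot derive.
    otp = hotp(HOTP_SECRET, srv.counter)
    chal = os.urandom(16)
    results["mschap_password_plus_otp"] = srv.authenticate_mschap(
        "john", chal, client_response(AD_PASSWORD + otp, chal))

    # 3. MS-CHAP with 'john:<OTP>' and the plain AD password: works.
    chal = os.urandom(16)
    results["mschap_user_colon_otp"] = srv.authenticate_mschap(
        f"john:{otp}", chal, client_response(AD_PASSWORD, chal))

    # 4. Replaying the consumed OTP, even with a correct response: rejected.
    chal = os.urandom(16)
    results["mschap_replayed_otp"] = srv.authenticate_mschap(
        f"john:{otp}", chal, client_response(AD_PASSWORD, chal))

    # 5. Fresh OTP but wrong AD password: rejected, and the OTP is not consumed.
    otp = hotp(HOTP_SECRET, srv.counter)
    chal = os.urandom(16)
    results["mschap_wrong_password"] = srv.authenticate_mschap(
        f"john:{otp}", chal, client_response("wrongPassword", chal))
    results["counter_after"] = srv.counter
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

One caveat the model makes visible: in `authenticate_mschap` a User-Name without a colon is verified against the AD hash alone, which is exactly why the old scheme is rejected here, but it also means a bare AD password with no OTP would be accepted. A production policy that adopts the "username:OTP" convention should refuse MS-CHAP requests whose User-Name carries no OTP component, otherwise the login silently degrades to a single factor.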