2013-09-26

Testing FreeRADIUS Google two-factor authentication, PAM

Hello, I have been following this article to set up FreeRADIUS with Google two-factor authentication

http://www.supertechguy.com/help/security/freeradius-google-auth

for hours, and I still cannot get it to work. If my /etc/pam.d/radiusd looks like the following, it works well with the following command

radtest test test localhost 18120 testing123

# 
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS 
# 

# We fall back to the system default in /etc/pam.d/common-* 
# 

@include common-auth 
@include common-account 
@include common-password 
@include common-session 

However, if it looks like the following

# 
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS 
# 

# We fall back to the system default in /etc/pam.d/common-* 
# 

#@include common-auth 
#@include common-account 
#@include common-password 
#@include common-session 

auth requisite pam_google_authenticator.so forward_pass 
auth required pam_unix.so use_first_pass 

my log file says the following and auth fails.

rad_recv: Access-Request packet from host 127.0.0.1 port 43185, id=111, length=56 
     User-Name = "test" 
     User-Password = "test" 
     NAS-IP-Address = 127.0.1.1 
     NAS-Port = 18120 
Thu Sep 26 16:38:19 2013 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default 
Thu Sep 26 16:38:19 2013 : Info: +- entering group authorize {...} 
Thu Sep 26 16:38:19 2013 : Info: ++[preprocess] returns ok 
Thu Sep 26 16:38:19 2013 : Info: ++[chap] returns noop 
Thu Sep 26 16:38:19 2013 : Info: ++[mschap] returns noop 
Thu Sep 26 16:38:19 2013 : Info: ++[digest] returns noop 
Thu Sep 26 16:38:19 2013 : Info: [suffix] No '@' in User-Name = "test", looking up realm NULL 
Thu Sep 26 16:38:19 2013 : Info: [suffix] No such realm "NULL" 
Thu Sep 26 16:38:19 2013 : Info: ++[suffix] returns noop 
Thu Sep 26 16:38:19 2013 : Info: [eap] No EAP-Message, not doing EAP 
Thu Sep 26 16:38:19 2013 : Info: ++[eap] returns noop 
Thu Sep 26 16:38:19 2013 : Info: [files] users: Matched entry DEFAULT at line 74 
Thu Sep 26 16:38:19 2013 : Info: ++[files] returns ok 
Thu Sep 26 16:38:19 2013 : Info: ++[expiration] returns noop 
Thu Sep 26 16:38:19 2013 : Info: ++[logintime] returns noop 
Thu Sep 26 16:38:19 2013 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. 
Thu Sep 26 16:38:19 2013 : Info: ++[pap] returns noop 
Thu Sep 26 16:38:19 2013 : Info: Found Auth-Type = PAM 
Thu Sep 26 16:38:19 2013 : Info: # Executing group from file /etc/freeradius/sites-enabled/default 
Thu Sep 26 16:38:19 2013 : Info: +- entering group authenticate {...} 
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup 
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: function pam_authenticate FAILED for <test>. Reason: Cannot make/remove an entry for the specified session 
Thu Sep 26 16:38:19 2013 : Info: ++[pam] returns reject 
Thu Sep 26 16:38:19 2013 : Info: Failed to authenticate the user. 
Thu Sep 26 16:38:19 2013 : Info: Using Post-Auth-Type Reject 
Thu Sep 26 16:38:19 2013 : Info: # Executing group from file /etc/freeradius/sites-enabled/default 
Thu Sep 26 16:38:19 2013 : Info: +- entering group REJECT {...} 
Thu Sep 26 16:38:19 2013 : Info: [attr_filter.access_reject] expand: %{User-Name} -> test 
Thu Sep 26 16:38:19 2013 : Debug: attr_filter: Matched entry DEFAULT at line 11 
Thu Sep 26 16:38:19 2013 : Info: ++[attr_filter.access_reject] returns updated 
Thu Sep 26 16:38:19 2013 : Info: Delaying reject of request 0 for 1 seconds 
Thu Sep 26 16:38:19 2013 : Debug: Going to the next request 
Thu Sep 26 16:38:19 2013 : Debug: Waking up in 0.9 seconds. 
Thu Sep 26 16:38:20 2013 : Info: Sending delayed reject for request 0 
Sending Access-Reject of id 111 to 127.0.0.1 port 43185 
Thu Sep 26 16:38:20 2013 : Debug: Waking up in 4.9 seconds. 
Thu Sep 26 16:38:25 2013 : Info: Cleaning up request 0 ID 111 with timestamp +3 
Thu Sep 26 16:38:25 2013 : Info: Ready to process requests. 

I am using the latest Ubuntu.

Does anyone know what the problem is here?

Many thanks

Answers

2

After so much web surfing and forum hunting, I managed to solve this problem. If anyone has this problem, this may help them :)

Thu Sep 26 16:38:19 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup 
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: function pam_authenticate FAILED for <test>. Reason: Cannot make/remove an entry for the specified session 

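The line above actually means an authentication failure, even though it does not sound like it. It can also mean that the user's home directory, where the .google_authenticator file is, is not accessible.

The FreeRADIUS log files are not much help with this problem, but you can look in /var/log/secure on CentOS and /var/log/auth.log on Ubuntu. That will explain what the problem is.

The problem with my system was that my time was out, so the randomly generated numbers from the Google two-factor authentication app on my iPhone were invalid. I had to install NTP and change my server time to the correct time to solve the problem!

Hope this helps someone :)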

-1

The how-to on the Super Tech Guy page (http://www.supertechguy.com/help/security/freeradius-google-auth) has a typo.

DEFAULT  Auth-Type := PAM 

should be

DEFAULT  Auth-Type = PAM 

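I don't know why he put a colon there, but removing it fixed my problem.

This was after I made sure the server had the correct time (and time zone), which it did not. So thank you for the advice!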