Encrypted password used instead of cleartext password



I am trying to set up a hotspot system using CoovaChilli and FreeRADIUS with RADIUSdesk.

I have most of it working. The captive portal login page is displayed, but I cannot authenticate as a user.

When I look at the logs, Coova Chilli on my OpenWRT sends X????MVJ??? ??<? as the user password.

redir.c: 3854: 0 (Debug) redir_accept: Sending RADIUS request
radius.c: 1316: 0 (Debug) RADIUS client 0.0.0.0:0
redir.c: 2670: 0 (Debug) created radius packet (code=1, id=80, len=37)
redir.c: 2708: 0 (Debug) User password 16 [O��F��hs�
t��3]
redir.c: 2831: 0 (Debug) sending radius packet (code=1, id=80, len=299)
radius.c: 321: 0 (Debug) Allocating RADIUS packet

I also looked at the FreeRADIUS log and found that FreeRADIUS decrypts the original password.

(0) pl_reset_time_for_data:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'X????MVJ??? ??<?'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.1.0.1'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '5'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Login-User'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Framed-IP-Address'} = &request:Framed-IP-Address -> '10.1.0.4'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> 'C0-25-E9-07-52-76'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 'AC-C3-3A-C0-F5-60'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'HUBS_ROOTS_HUB_1_cp_42'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> '5a6c2ea800000005'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Jan 27 2018 07:49:15 UTC'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x3a3eb994b712e98f3a49e665e27e4d20'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> '00000005'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Location-ID'} = &request:WISPr-Location-ID -> 'isocc=,cc=,ac=,network=Coova,'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Location-Name'} = &request:WISPr-Location-Name -> 'Roots_Daryaganj'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Logoff-URL'} = &request:WISPr-Logoff-URL -> 'http://10.1.0.1:3990/logoff'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'roots'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'ChilliSpot-Version'} = &request:ChilliSpot-Version -> '1.3.1-svn'
(0) pl_reset_time_for_data:   $RAD_REPLY{'Fall-Through'} = &reply:Fall-Through -> 'Yes'
(0) pl_reset_time_for_data:   $RAD_CHECK{'User-Profile'} = &control:User-Profile -> '1G-1Day'
(0) pl_reset_time_for_data:   $RAD_CHECK{'Cleartext-Password'} = &control:Cleartext-Password -> '<my cleartext password>'

However, when comparing, the server uses the encrypted password instead of the cleartext password.

# Executing group from file /etc/freeradius/sites-enabled/radiusdesk-plain
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: ERROR: Cleartext password "X????MVJ??? ??<?" does not match "known good" password
(0) pap: Passwords don't match
(0)     [pap] = reject
(0)   } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/radiusdesk-plain
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}

In RADIUS, the User-Password attribute is reversibly encrypted using a shared secret known to both the NAS (Coova) and the RADIUS server (FreeRADIUS).

My guess is that Coova is displaying the output of this encryption function rather than the original cleartext password. That's odd... it may do this for security reasons, so that you would need to know the shared secret to decrypt the password from the logs.

As for why you are still getting encrypted output, it looks like the shared secret is wrong in either Coova or FreeRADIUS. The default secret for requests from 127.0.0.1 is testing123, so if Coova and FreeRADIUS are co-located, I would try configuring that in Coova.

If Coova and FreeRADIUS run on different hosts, check that the secret configured in Coova matches the corresponding entry in raddb/clients.conf.

The reason the string changes every time is that the ciphertext is created using a random component (the Request Authenticator field), which changes with each subsequent (non-retransmitted) request.
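The reversible encryption the answer refers to is the User-Password hiding scheme from RFC 2865 section 5.2. The Python below is an added example, not code from the question, CoovaChilli or FreeRADIUS: it implements the hiding and its inverse, a simplified version of the "Unprintable characters in the password" check, and a server-side comparison. All secrets, passwords and Request Authenticators are constructed values. With the right secret the server recovers the cleartext; with a wrong secret it recovers effectively random bytes, which is what the garbled value and the warning in the log above look like. Two requests for the same password hide to different bytes because each one uses a fresh Request Authenticator.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password as described in RFC 2865 section 5.2.

    1. NUL-pad the password to a multiple of 16 bytes (1..128 bytes allowed).
    2. b1 = MD5(secret + Request-Authenticator);  c1 = p1 XOR b1
    3. bi = MD5(secret + c(i-1));                  ci = pi XOR bi
    The Request Authenticator is a random 16-byte value chosen per request,
    which is why the same password hides to different bytes every time.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], b)
        hidden += c
        prev = c
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the RADIUS server does before comparing
    against the 'known good' Cleartext-Password. Trailing NUL padding is
    stripped, so a password that itself ends in NUL is not supported here."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        plain += _xor(c, b)
        prev = c
    return bytes(plain).rstrip(b"\x00")


def is_printable(data: bytes) -> bool:
    """Simplified stand-in for FreeRADIUS's 'Unprintable characters in the
    password' warning: True only if every byte is printable ASCII."""
    return all(0x20 <= byte < 0x7F for byte in data)


def server_side_check(hidden: bytes, server_secret: bytes,
                      request_authenticator: bytes, known_good: bytes) -> tuple:
    """Return (passwords_match, decrypted_is_printable), the two facts the PAP
    module and the post-auth warning report in the log above."""
    decrypted = reveal_password(hidden, server_secret, request_authenticator)
    return decrypted == known_good, is_printable(decrypted)


if __name__ == "__main__":
    # Constructed values; a real NAS picks a fresh random authenticator per request.
    password = b"correct horse"
    nas_secret = b"testing123"
    auth1 = secrets.token_bytes(16)
    auth2 = secrets.token_bytes(16)

    h1 = hide_password(password, nas_secret, auth1)
    h2 = hide_password(password, nas_secret, auth2)
    print("same password, two requests:", h1.hex(), h2.hex())

    print("secret matches on server:", server_side_check(h1, b"testing123", auth1, password))
    print("secret wrong on server:  ", server_side_check(h1, b"wrongsecret", auth1, password))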
