ARMADIK Posted October 28, 2016 (edited)

Hi folks. I decided to play around with setting up access to the AudioCodes MP 124 settings using authentication against a RADIUS server. I set up the server and configured clients.conf:

    # clients.conf - client configuration directives
    #
    client 1.2.3.4 {
        secret = FutureRADIUS
        shortname = audc_device
    }

I added the AudioCodes VSA dictionary and added a user:

    john    Auth-Type := Local, User-Password == "qwerty"
            Service-Type = Login-User,
            ACL-Auth-Level = ACL-Auth-SecurityAdminLevel

When a request is sent after entering the login and password, it gets rejected. If I log in locally via radtest, it is allowed. I sniffed the packets; the difference is that the AudioCodes encrypts the password when sending. And it outputs something like this:

    Ready to process requests
    Received Access-Request Id 75 from 10.40.15.193:801 to 10.40.15.60:1812 length 110
        User-Name = 'john'
        User-Password = '\010\250\017`\0211\313\371c\366\360\354\320\004\240%{x+\351\020y|\277\321c\210\360\377\257\327Q\222\263e\345s\\q\026\211lb\352\367\314$\310q\205\355\212B\224\325\371\262\010\036'
        NAS-IP-Address = 10.40.15.193
        NAS-Port-Type = Async
        Service-Type = Login-User
    (0) Received Access-Request packet from host 10.40.15.193 port 801, id=75, length=110
    (0) User-Name = 'john'
    (0) User-Password = '\010\250\017`\0211\313\371c\366\360\354\320\004\240%{x+\351\020y|\277\321c\210\360\377\257\327Q\222\263e\345s\\q\026\211lb\352\367\314$\310q\205\355\212B\224\325\371\262\010\036'
    (0) NAS-IP-Address = 10.40.15.193
    (0) NAS-Port-Type = Async
    (0) Service-Type = Login-User
    (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
    (0) authorize {
    (0) cui.authorize cui.authorize {
    (0) if ("%{client:add_cui}" == 'yes')
    (0) Client does not contain config item "add_cui"
    (0) EXPAND %{client:add_cui}
    (0) -->
    (0) if ("%{client:add_cui}" == 'yes') -> FALSE
    (0) } # cui.authorize cui.authorize = notfound
    (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
    (0) auth_log : --> /var/log/radius/radacct/10.40.15.193/auth-detail-20161028
    (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.40.15.193/auth-detail-20161028
    (0) auth_log : EXPAND %t
    (0) auth_log : --> Fri Oct 28 13:20:27 2016
    (0) [auth_log] = ok
    (0) [chap] = noop
    (0) [mschap] = noop
    (0) eap : No EAP-Message, not doing EAP
    (0) [eap] = noop
    Found User-Password == "..."
    Are you sure you don't mean Cleartext-Password?
    See "man rlm_pap" for more information
    (0) [files] = noop
    (0) [expiration] = noop
    (0) [logintime] = noop
    (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
    (0) WARNING: pap : Authentication will fail unless a "known good" password is available
    (0) [pap] = noop
    (0) } # authorize = ok
    (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
    (0) Failed to authenticate the user
    (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [john/\010\250\017`\0211\313\371c\366\360\354\320\004\240%{x+\351\020y|\277\321c\210\360\377\257\327Q\222\263e\345s\\q\026\211lb\352\367\314$\310q\205\355\212B\224\325\371\262\010\036] (from client AudioCodes port 0)
    (0) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
    (0) Using Post-Auth-Type Reject
    (0) Delaying response for 1 seconds

I would be glad for any advice and links on the topic.

Edited October 28, 2016 by ARMADIK