FreeRADIUS set up with Google Authenticator using openldap + pam gets access denied if the request comes from another VLAN
22 March 2019

I have set up FreeRADIUS with Google Authenticator for OpenLDAP user login. The authentication mechanism used for FreeRADIUS is PAM.

I am running into a strange problem where I get success when the user tries to authenticate from the same VLAN (172.30.0.0/16), and get access denied when the same user tries to authenticate from another VLAN (172.35.0.0/16).

Success output:

$ radtest user1 pass123456 172.30.14.177 0 mysecret

Sent Access-Request Id 54 from 0.0.0.0:58888 to 172.30.14.177:1812 length 83
User-Name = "user1"
User-Password = "pass123456"
NAS-IP-Address = 172.30.43.114
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass123456"
Received Access-Accept Id 54 from 172.30.14.177:1812 to 0.0.0.0:0 length 20

Reject output:

$ radtest user1 pass123456 172.30.14.177 0 mysecret
Sent Access-Request Id 150 from 0.0.0.0:52179 to 172.30.14.177:1812 length 83
User-Name = "user1"
User-Password = "pass123456"
NAS-IP-Address = 172.35.2.147
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass123456"
Received Access-Reject Id 150 from 172.30.14.177:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

Success logs:

Fri Mar 22 06:35:55 2019 : WARNING: (1) pap: No "known good" password found for the user.  Not setting Auth-Type
Fri Mar 22 06:35:55 2019 : WARNING: (1) pap: Authentication will fail unless a "known good" password is available
Fri Mar 22 06:35:55 2019 : Debug: (1)     modsingle[authorize]: returned from pap (rlm_pap)
Fri Mar 22 06:35:55 2019 : Debug: (1)     [pap] = noop
Fri Mar 22 06:35:55 2019 : Debug: (1)   } # authorize = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) Found Auth-Type = pam
Fri Mar 22 06:35:55 2019 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default
Fri Mar 22 06:35:55 2019 : Debug: (1)   authenticate {
Fri Mar 22 06:35:55 2019 : Debug: (1)     modsingle[authenticate]: calling pam (rlm_pam)
Fri Mar 22 06:35:55 2019 : Debug: (1) pam: Using pamauth string "radiusd" for pam.conf lookup
Fri Mar 22 06:35:55 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:55 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:55 2019 : Debug: (1) pam: Authentication succeeded
Fri Mar 22 06:35:55 2019 : Debug: (1)     modsingle[authenticate]: returned from pam (rlm_pam)
Fri Mar 22 06:35:55 2019 : Debug: (1)     [pam] = ok
Fri Mar 22 06:35:55 2019 : Debug: (1)   } # authenticate = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default

Reject logs:

Fri Mar 22 06:35:00 2019 : WARNING: (0) pap: No "known good" password found for the user.  Not setting Auth-Type
Fri Mar 22 06:35:00 2019 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available
Fri Mar 22 06:35:00 2019 : Debug: (0)     modsingle[authorize]: returned from pap (rlm_pap)
Fri Mar 22 06:35:00 2019 : Debug: (0)     [pap] = noop
Fri Mar 22 06:35:00 2019 : Debug: (0)   } # authorize = ok
Fri Mar 22 06:35:00 2019 : Debug: (0) Found Auth-Type = pam
Fri Mar 22 06:35:00 2019 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default
Fri Mar 22 06:35:00 2019 : Debug: (0)   authenticate {
Fri Mar 22 06:35:00 2019 : Debug: (0)     modsingle[authenticate]: calling pam (rlm_pam)
Fri Mar 22 06:35:00 2019 : Debug: (0) pam: Using pamauth string "radiusd" for pam.conf lookup
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : ERROR: (0) pam: pam_authenticate failed: Authentication failure
Fri Mar 22 06:35:00 2019 : Debug: (0)     modsingle[authenticate]: returned from pam (rlm_pam)
Fri Mar 22 06:35:00 2019 : Debug: (0)     [pam] = reject
Fri Mar 22 06:35:00 2019 : Debug: (0)   } # authenticate = reject
Fri Mar 22 06:35:00 2019 : Debug: (0) Failed to authenticate the user
Fri Mar 22 06:35:00 2019 : Debug: (0) Using Post-Auth-Type Reject

The only difference here is the network from which the request arrives at the FreeRADIUS server. The user credentials are the same.

PAM configuration for radiusd:

$ cat /etc/pam.d/radiusd
#%PAM-1.0
auth       requisite    pam_google_authenticator.so forward_pass
auth       required     pam_sss.so use_first_pass
account    required     pam_nologin.so
account    include      password-auth
session    include      password-auth
...
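To compare the two runs mechanically rather than by eye, here is an added example (not from the question, and not FreeRADIUS code) that folds radiusd debug log lines into one summary per request id and lists the fields on which two requests disagree; the sample log is constructed to mirror the lines quoted above.

```python
import re

# Constructed sample shaped like the radiusd debug log quoted above: request (0) rejected, (1) accepted.
SAMPLE_LOG = """\
Fri Mar 22 06:35:00 2019 : Debug: (0)     [pap] = noop
Fri Mar 22 06:35:00 2019 : Debug: (0)   } # authorize = ok
Fri Mar 22 06:35:00 2019 : Debug: (0) Found Auth-Type = pam
Fri Mar 22 06:35:00 2019 : Debug: Waking up in 0.3 seconds.
Fri Mar 22 06:35:00 2019 : ERROR: (0) pam: pam_authenticate failed: Authentication failure
Fri Mar 22 06:35:00 2019 : Debug: (0)     [pam] = reject
Fri Mar 22 06:35:00 2019 : Debug: (0)   } # authenticate = reject
Fri Mar 22 06:35:55 2019 : Debug: (1)     [pap] = noop
Fri Mar 22 06:35:55 2019 : Debug: (1)   } # authorize = ok
Fri Mar 22 06:35:55 2019 : Debug: (1) Found Auth-Type = pam
Fri Mar 22 06:35:55 2019 : Debug: (1)     [pam] = ok
Fri Mar 22 06:35:55 2019 : Debug: (1)   } # authenticate = ok
"""

# One log line: timestamp, level, request id in parentheses, message.
LINE_RE = re.compile(r"^(?P<ts>.+?) : (?P<level>\w+): \((?P<rid>\d+)\) (?P<msg>.*)$")
AUTH_TYPE_RE = re.compile(r"Found Auth-Type = (?P<at>\S+)")
SECTION_RE = re.compile(r"\} # (?P<sec>[\w-]+) = (?P<rc>\w+)")   # "} # authenticate = reject"
MODULE_RE = re.compile(r"\[(?P<mod>\w+)\] = (?P<rc>\w+)")         # "[pam] = reject"


def parse_radiusd_log(text):
    """Fold the per-request lines into one summary dict per request id."""
    requests = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a request id ("Waking up in ...") are global
        req = requests.setdefault(m["rid"], {"first_ts": m["ts"], "auth_type": None,
                                             "modules": {}, "sections": {}, "errors": []})
        msg = m["msg"]
        if m["level"] == "ERROR":
            req["errors"].append(msg)
        if (a := AUTH_TYPE_RE.search(msg)):
            req["auth_type"] = a["at"]
        elif (s := SECTION_RE.search(msg)):
            req["sections"][s["sec"]] = s["rc"]
        elif (d := MODULE_RE.search(msg)):
            req["modules"][d["mod"]] = d["rc"]
    return requests


def diff_requests(a, b):
    """Keys on which two request summaries disagree; timestamps are ignored."""
    return sorted(k for k in ("auth_type", "modules", "sections", "errors") if a[k] != b[k])
```

Feed it the radiusd log covering both runs: when two requests agree on Auth-Type and on every authorize result but differ only in the authenticate section and the pam error, the divergence is inside the PAM stack rather than in the FreeRADIUS policy, which is where to look next.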