(1) Introduction
FreeRADIUS is typically used for account authentication and accounting. The broadband and internet access accounts of telecom operators are commonly authenticated and accounted for through a RADIUS server. FreeRADIUS includes a RADIUS server and a RADIUS client and can perform authentication and accounting for network devices that support the RADIUS protocol. ------ Baidu Baike
(2) Install and configure the server
[root@localhost ~]# yum install freeradius freeradius-ldap freeradius-utils -y
[root@localhost ~]# systemctl enable radiusd.service
[root@localhost ~]# systemctl start radiusd.service
(3) Edit the relevant configuration files
3.1 Edit /etc/raddb/mods-available/ldap. Only the ldap section matters; everything else stays at its defaults.
[root@localhost raddb]# cat /etc/raddb/mods-available/ldap | grep -v '#' | grep -v ^$
ldap {
  server = 'x.x.x.x'    # LDAP server
  port = 389    # port
  identity = 'CN=opsldap,CN=Users,DC=txxxdxx,DC=me'    # account used to bind to LDAP
  password = xxxxxxxx    # bind password
  base_dn = 'DC=txxxdxx,DC=me'    # base DN
  sasl { }
  update {
    control:Password-With-Header += 'userPassword'
    control: += 'radiusControlAttribute'
    request: += 'radiusRequestAttribute'
    reply: += 'radiusReplyAttribute'
  }
  edir = no    # changed
  user {
    base_dn = "${..base_dn}"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"    # changed to sAMAccountName; everything below is left at the defaults
    sasl { }
  }
  group {
    base_dn = "${..base_dn}"
    filter = '(objectClass=posixGroup)'
    membership_attribute = 'memberOf'
  }
  profile { }
  client {
    base_dn = "${..base_dn}"
    filter = '(objectClass=radiusClient)'
    template { }
    attribute {
      ipaddr = 'radiusClientIdentifier'
      secret = 'radiusClientSecret'
    }
  }
  accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}}"
    type {
      start {
        update {
          description := "Online at %S"
        }
      }
      interim-update {
        update {
          description := "Last seen at %S"
        }
      }
      stop {
        update {
          description := "Offline at %S"
        }
      }
    }
  }
  post-auth {
    update {
      description := "Authenticated at %S"
    }
  }
  options {
    chase_referrals = yes
    rebind = yes
    res_timeout = 10
    srv_timelimit = 3
    net_timeout = 1
    idle = 60
    probes = 3
    interval = 3
    ldap_debug = 0x0028
  }
  tls { }
  pool {
    start = ${thread[pool].start_servers}
    min = ${thread[pool].min_spare_servers}
    max = ${thread[pool].max_servers}
    spare = ${thread[pool].max_spare_servers}
    uses = 0
    retry_delay = 30
    lifetime = 0
    idle_timeout = 60
  }
}
3.2 Create a symlink to the module under mods-enabled/
[root@localhost raddb]# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
[root@localhost raddb]# ll /etc/raddb/mods-enabled/ldap
lrwxrwxrwx 1 root root 30 Jul 17 18:19 /etc/raddb/mods-enabled/ldap -> /etc/raddb/mods-available/ldap
3.3 Create the site_ldap file under sites-available/
[root@localhost raddb]# cat /etc/raddb/sites-available/site_ldap
ldap {
  server = 'x.x.8.55'    # LDAP server
  port = 389    # port
  identity = 'CN=opsldap,CN=Users,DC=txxxdxx,DC=me'    # account used to bind to LDAP
  password = xxxxxxxx    # bind password
  base_dn = 'DC=txxxdxx,DC=me'    # base DN
  sasl { }
  update {
    control:Password-With-Header += 'userPassword'
    control: += 'radiusControlAttribute'
    request: += 'radiusRequestAttribute'
    reply: += 'radiusReplyAttribute'
  }
  edir = no    # changed
  user {
    base_dn = "${..base_dn}"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"    # changed to sAMAccountName
    # everything below is left at the defaults
    sasl { }
  }
  group {
    base_dn = "${..base_dn}"
    filter = '(objectClass=posixGroup)'
    membership_attribute = 'memberOf'
  }
  profile { }
  client {
    base_dn = "${..base_dn}"
    filter = '(objectClass=radiusClient)'
    template { }
    attribute {
      ipaddr = 'radiusClientIdentifier'
      secret = 'radiusClientSecret'
    }
  }
  accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}}"
    type {
      start {
        update {
          description := "Online at %S"
        }
      }
      interim-update {
        update {
          description := "Last seen at %S"
        }
      }
      stop {
        update {
          description := "Offline at %S"
        }
      }
    }
  }
  post-auth {
    update {
      description := "Authenticated at %S"
    }
  }
  options {
    chase_referrals = yes
    rebind = yes
    res_timeout = 10
    srv_timelimit = 3
    net_timeout = 1
    idle = 60
    probes = 3
    interval = 3
    ldap_debug = 0x0028
  }
  tls { }
  pool {
    start = ${thread[pool].start_servers}
    min = ${thread[pool].min_spare_servers}
    max = ${thread[pool].max_servers}
    spare = ${thread[pool].max_spare_servers}
    uses = 0
    retry_delay = 30
    lifetime = 0
    idle_timeout = 60
  }
}
3.4 Create a symlink under sites-enabled
[root@localhost raddb]# ln -s /etc/raddb/sites-available/site_ldap /etc/raddb/sites-enabled/
[root@localhost raddb]# ll /etc/raddb/sites-enabled/site_ldap
lrwxrwxrwx 1 root root 36 Jul 17 18:21 /etc/raddb/sites-enabled/site_ldap -> /etc/raddb/sites-available/site_ldap
(4) Test RADIUS. The settings can be tested by restarting the service or by running radiusd -X.
[root@localhost mods-available]# systemctl restart radiusd
or
[root@localhost mods-available]# radiusd -X
4.1 Edit /etc/raddb/clients.conf, which holds the network ranges and shared secrets of the clients allowed to authenticate. (This is the server-side file that records clients. By default it only contains the local configuration for testing on the host itself, i.e. after installation only a client on the local host may access the RADIUS server.)
[root@localhost raddb]# cat /etc/raddb/clients.conf | grep -v '#' | grep -v ^$
client localhost {    ### client network range being authenticated
  ipaddr = 127.0.0.1    ### IP address allowed to authenticate
  proto = *
  secret = testing123    ### shared secret
  require_message_authenticator = no
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
client localhost_ipv6 {
  ipv6addr = ::1
  secret = testing123
}
4.2 Edit the test users file /etc/raddb/users and add the test account bob with password hello
[root@localhost raddb]# cat /etc/raddb/users | grep -v '#' | grep -v ^$
bob Cleartext-Password := "hello"
    Reply-Message := "Hello, %{User-Name}"
DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
    Framed-Protocol = SLIP
4.3 Test that it works
[root@localhost raddb]# radtest bob hello localhost 0 testing123
Sent Access-Request Id 151 from 0.0.0.0:52757 to 127.0.0.1:1812 length 73
    User-Name = "bob"
    User-Password = "hello"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "hello"
Received Access-Accept Id 151 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
    Reply-Message = "Hello, bob"
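The exchange above, rebuilt in pure Python as an added example (my own code, not from the post or from FreeRADIUS): it hides User-Password the way RFC 2865 does with the page's secret testing123, signs the request with Message-Authenticator (RFC 2869) and checks the Response Authenticator on an Access-Accept carrying the same Reply-Message; every protection in both directions rests on the shared secret alone. The request authenticator is a constructed constant in the checks; a real client draws 16 random bytes.

```python
import hashlib
import hmac
import struct

SECRET = b"testing123"   # shared secret from the clients.conf shown on this page

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def avp(attr_type, value):
    """One attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, user, password, secret, req_auth):
    """Access-Request (code 1) carrying the attributes radtest sends, Message-Authenticator last."""
    attrs = (avp(1, user) + avp(2, hide_password(password, secret, req_auth))
             + avp(4, bytes([127, 0, 0, 1])) + avp(5, struct.pack("!I", 0)) + avp(80, b"\x00" * 16))
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    # RFC 2869 5.14: HMAC-MD5 over the packet with the attribute zeroed, then written into it
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def message_authenticator_ok(pkt, secret):
    """Server-side check: locate attribute 80, zero it, recompute the HMAC, compare in constant time."""
    off = 20
    while off + 2 <= len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if attr_type == 80 and length == 18:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[off + 2:off + 18])
        off += max(length, 2)
    return False

def build_access_accept(ident, req_auth, secret, attrs):
    """Access-Accept (code 2); RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def response_ok(resp, req_auth, secret):
    """Client-side check that the reply was produced by a server holding the same secret."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

With the same attributes as radtest the request comes out at 73 bytes and the Access-Accept at 32, matching the lengths printed above.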
(5) Testing FreeRADIUS from other network ranges
1. Server-side configuration: edit /etc/raddb/clients.conf with vim, add a client and configure a shared secret (secret = tdops); the shortname can be anything. The client IP can be a single address or a network range. Add an entry in the following format:
[root@localhost raddb]# vim /etc/raddb/clients.conf
client 172.20.66.0/24 {
  secret = testing123
  shortname = CE-SW
}
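Added example (my own code, not from the post or from FreeRADIUS): a small linter for client blocks like the ones in 4.1 and above. It parses the brace syntax, flags directives outside a known set (a mistyped key such as showtanme), the stock secret testing123 being reused for a whole /24, and require_message_authenticator left off. The KNOWN set is an assumed subset of the directives FreeRADIUS 3 accepts, and the sample config is constructed from the page's two blocks.

```python
import ipaddress
# Directives FreeRADIUS 3 accepts inside a client { } block (assumed subset, not an exhaustive list)
KNOWN = {"ipaddr", "ipv4addr", "ipv6addr", "proto", "secret", "shortname", "nas_type",
         "require_message_authenticator", "virtual_server", "limit"}

# Constructed sample modelled on the two blocks shown on this page; the misspelt key is deliberate
SAMPLE = """
client localhost {
  ipaddr = 127.0.0.1
  secret = testing123        # stock example secret
  require_message_authenticator = no
  limit { max_connections = 16 }
}
client 172.20.66.0/24 {
  secret = testing123
  showtanme = CE-SW
}
"""

def parse_clients(text):
    """Map client name -> {directive: value} for top-level client blocks; nested sections are skipped."""
    clients, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, as the FreeRADIUS parser does
        if depth == 0 and line.startswith("client ") and line.endswith("{"):
            current, depth = line[7:-1].strip(), 1
            clients[current] = {}
        elif current and depth == 1 and "=" in line and not line.endswith("}"):
            key, value = (s.strip() for s in line.split("=", 1))
            clients[current][key] = value
        else:
            depth += line.count("{") - line.count("}")  # covers "limit { ... }" inline or multi-line
            if depth == 0:
                current = None
    return clients

def lint(clients):
    """Yield (client, finding) pairs worth reviewing before a client block goes live."""
    for name, kv in clients.items():
        for key in kv:
            if key not in KNOWN:
                yield name, f"unknown directive '{key}' (typo?)"
        if kv.get("secret") == "testing123":
            yield name, "secret is the stock example value"
        if kv.get("require_message_authenticator", "no") != "yes":
            yield name, "require_message_authenticator is not 'yes'"
        net = kv.get("ipaddr", name)   # FreeRADIUS 3 uses the block name as the address when ipaddr is absent
        try:
            if ipaddress.ip_network(net, strict=False).num_addresses > 1:
                yield name, f"whole network {net} shares one secret"
        except ValueError: pass        # block names such as 'localhost' are not networks
```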
2. Run the test from a host inside the configured network range.
[root@localhost ~]# radtest lqb xxx 172.20.66.127:1833 0 testing123
Sent Access-Request Id 186 from 0.0.0.0:39032 to 172.20.66.127:1833 length 80
    User-Name = "lqb"
    User-Password = "xxx"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "xxx"
Received Access-Accept Id 186 from 172.20.66.127:1833 to 0.0.0.0:0 length 20
3. The server-side log shows:
Wed Jul 18 16:18:31 2018 : Info: Need 5 more connections to reach 10 spares
Wed Jul 18 16:18:31 2018 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
Wed Jul 18 16:18:31 2018 : Auth: (0) Login OK: [lqb (from client 172.20.66.0/24 port 0)
At this point authentication against the Windows AD domain is complete.