Setting up FreeRADIUS on CentOS

Published: Sunday

1. Install openssl, mysql, freeradius and freeradius-utils (the last package provides radtest):

    yum install openssl
    yum install mysql
    yum install freeradius
    yum install freeradius-utils

Start the RADIUS server in debugging mode:

    radiusd -X

Note: this way of running the server is very practical, especially during debugging and testing, because the output shows the whole authentication flow in detail: the authentication method, the user name and password, and any error messages, so a problem can be located quickly. It is for test boxes only: -X keeps radiusd in the foreground, single-threaded, and, as the log in section 2.4 shows, echoes the user's cleartext password to the terminal.

1. The two most important and most basic FreeRADIUS files: users and clients.conf

1.1 /etc/raddb/clients.conf explained

    client 127.0.0.1/24 {
        secret = localtest      # shared secret, used for PAP/CHAP/MS-CHAP authentication
        shortname = any         # FQDN or IP alias; any, localhost and 127.0.0.1 all tested the same, and it is optional in 2.x
    }

    client localhost {
        ipaddr = 127.0.0.1
        secret = localtest
        require_message_authenticator = no
        # A 1.x client does not put Message-Authenticator in its Access-Request; from 2.x on,
        # RFC 5080 recommends that every client send it. If this is set to yes and a client
        # omits the attribute, the packet is silently discarded and the client is not told why.
        # shortname = localhost        # optional in 2.x
        nastype = other
        # nastype tells checkrad.pl which NAS-specific method to use when it queries the NAS
        # for simultaneous-use checks; localhost has no NAS to query.
        # The next two settings are reserved for future use. Today the "naspasswd" file holds
        # the NAS login name and password that checkrad.pl uses for simultaneous-use checks.
        # login = !root
        # password = someadminpas
        # From 2.0 on, a client can be bound to a virtual server:
        # virtual_server = home1
        # A pointer to the home_server_pool or home_server that holds this client's CoA
        # configuration, e.g. a CoA home server or pool; see raddb/sites-available/originate-coa.
        # coa_server = coa
        # Lower the response_window for packets from this client; it cannot be raised.
        # response_window = 10.0
    }

    # IPv6 client
    #client ::1 {
    #   secret = testing123
    #   shortname = localhost
    #}

    # All IPv6 site-local clients
    #client fe80::/16 {
    #   secret = testing123
    #   shortname = localhost
    #}

    #client some.host.org {
    #   secret = testing123
    #   shortname = localhost
    #}

    #client 10.10.10.10 {
    #   # secret and password are mapped through the "secrets" file.
    #   secret = testing123
    #   shortname = liv1
    #   # the following three fields are optional, but may be used by
    #   # checkrad.pl for simultaneous usage checks
    #   nastype = livingston
    #   login = !root
    #   password = someadminpas
    #}

    #######################################################################
    #
    # Per-socket client lists. The configuration entries are exactly the same
    # as above, but they are nested inside of a section.
    #
    # You can have as many per-socket client lists as you have "listen"
    # sections, or you can re-use a list among multiple "listen" sections.
    #
    # Un-comment this section, and edit a "listen" section to add:
    # "clients = per_socket_clients". That IP address/port combination will
    # then accept ONLY the clients listed in this section.
    #
    #clients per_socket_clients {
    #   client 192.168.3.4 {
    #       secret = testing123
    #   }
    #}

Two things to check in this file before relying on it. First, require_message_authenticator = no switches off the only integrity check an Access-Request carries: Message-Authenticator is an HMAC-MD5 over the packet keyed with the shared secret, and without it a CHAP request contains nothing derived from the secret at all. Set it to yes for every client that sends the attribute (radtest does, as the transcript in 2.3 shows) and keep no only for NAS devices that genuinely cannot send it. Second, the 127.0.0.1/24 and localhost entries overlap; the server uses the most specific matching client, so requests from 127.0.0.1 are handled by the localhost stanza and its secret, while the /24 only catches the rest of 127.0.0.0/24.

1.2 /etc/raddb/users explained

    test    Auth-Type := CHAP, Cleartext-Password := "123456"
            Reply-Message = "Hello, %{User-Name}"

Note: Cleartext-Password has replaced the old User-Password check item; "123456" is the password the radtest run in 2.3 authenticates with, and %{User-Name} expands to the user name from the request. Two caveats that the radiusd -X log in 2.4 bears out: the chap module sets Auth-Type := CHAP by itself whenever the request carries CHAP-Password, so forcing it here is unnecessary and also stops this user from authenticating with PAP; and CHAP can only be checked against a cleartext password, because the server must recompute MD5(id || password || challenge), so a user stored only as a password hash cannot use CHAP.

2. CHAP authentication

2.1 Add the following entry to /etc/raddb/users:

    test    Auth-Type := CHAP, Cleartext-Password := "123456"
            Reply-Message = "Hello, %{User-Name}"

2.2 Add the clients to /etc/raddb/clients.conf. A client entry comes in two formats: in 1.x the client keyword is followed by the IP address and the body must carry a shortname that distinguishes it from the other clients; in 2.x the client keyword is followed by a name and the address is set inside the body with ipaddr or ipv6addr, which makes shortname optional.

    client 172.22.4.0/24 {
        secret = adcforever
        shortname = any
    }

    client 127.0.0.1/24 {
        secret = localtest      # shared secret
        shortname = any         # FQDN or IP alias; any, localhost and 127.0.0.1 all tested the same, and it is optional in 2.x
    }

    client localhost {
        ipaddr = 127.0.0.1
        secret = localtest
        require_message_authenticator = no
        nastype = other
    }

A caveat on the secrets: the shared secret is the only key protecting this exchange (it encrypts PAP passwords, keys Message-Authenticator and authenticates every reply), so use a long random string per client rather than a word such as adcforever or localtest, and never leave the stock testing123 on a server reachable beyond loopback.

2.3 Test with radtest

Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]

The last positional argument is the shared secret and must equal the secret of the client stanza that matches the request's source address. The run below uses testing123, the value shipped in the stock clients.conf, so the localhost stanza on the test box must still carry that value rather than the localtest shown above; if the two differ, the server discards the request and radtest times out.

    [root@ADCTEST ~]# radtest -t chap test 123456 localhost 0 testing123
    Sending Access-Request of id 1 to 127.0.0.1 port 1812
        User-Name = "test"
        CHAP-Password = 0x015fe7280a953af2331ba99066be43f30f
        NAS-IP-Address = 59.108.66.243
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=46
        CHAP-Password = 0x74657374696e67313233
        Reply-Message = "Hello, test"

Reading the request: CHAP-Password is 17 bytes, the CHAP identifier (0x01, the same as packet id 1) followed by MD5(identifier || password || challenge), where the challenge is the 16-byte Request Authenticator because no CHAP-Challenge attribute was sent; the password itself never crosses the wire. Message-Authenticator shows as zeros because radtest prints the attribute list before the HMAC-MD5 over the packet is filled in; the server log in 2.4 shows the real value that arrived.

2.4 The server-side log from radiusd -X (a separate run, id=173, so the CHAP-Password differs from the transcript above)

    rad_recv: Access-Request packet from host 127.0.0.1 port 35882, id=173, length=75
        User-Name = "test"
        CHAP-Password = 0xad5524e1db4033bc5854e9a97bd8353ed9
        NAS-IP-Address = 59.108.66.243
        NAS-Port = 0
        Message-Authenticator = 0x418d9e36f01f344e79887dda7fb8da5f
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "test", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry test at line 73
    [files] expand: Hello, %{User-Name} -> Hello, test
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = CHAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group CHAP {...}
    [chap] login attempt by "test" with CHAP password
    [chap] Using clear text password "123456" for user test authentication.
    [chap] chap user test authenticated succesfully
    ++[chap] returns ok
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop

The authorize section is where the chap module sets Auth-Type from the presence of CHAP-Password and where the files module matches the users entry and expands Reply-Message; the pap module then declines because Auth-Type is already set. The authenticate step needs the cleartext password, which the debug log prints in full.
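To make the transcript and log above concrete, here is an added example, written for this page and not code from the original article or from FreeRADIUS, that reproduces the CHAP exchange in pure Python. The client side builds the Access-Request the way radtest -t chap does (with User-Name, CHAP-Password, NAS-IP-Address, NAS-Port and Message-Authenticator it comes to the 75 bytes the server log reports), the server side does what the authorize/authenticate sections in 2.4 do with a dict of Cleartext-Passwords standing in for the users file, and the shared-secret handling follows the require_message_authenticator setting discussed under clients.conf in 1.1. Packet codes and attribute numbers are from RFC 2865 and RFC 2869; the user test, the password 123456 and the secrets testing123 and localtest are the page's own values; the NAS-IP-Address is loopback here rather than the page's public address; the function names (run_exchange, server_handle and so on) and the users dict are this example's assumptions. It also shows the two failure modes the clients.conf comments describe: a secret mismatch is caught by Message-Authenticator, but if the client omits the attribute and the server does not require it, a CHAP request carries nothing derived from the secret and the mismatch only surfaces when the client checks the Response Authenticator.

```python
"""CHAP Access-Request / Access-Accept on the wire (added example; not FreeRADIUS code)."""
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types; Message-Authenticator (80) is from RFC 2869.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 3, 4, 5
REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 80

def attr(atype, value):
    """Type(1) Length(1) Value encoding of one attribute (RFC 2865 section 5)."""
    return struct.pack("BB", atype, len(value) + 2) + value

def parse_attrs(data):
    """Decode an attribute list into [(type, value), ...], rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out

def chap_response(chap_id, password, challenge):
    """RFC 1994: id || MD5(id || password || challenge). Needs the cleartext password."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def build_access_request(user, password, secret, ident, request_auth, with_ma=True):
    """What `radtest -t chap` sends. With no CHAP-Challenge attribute the Request Authenticator
    is the challenge; Message-Authenticator = HMAC-MD5(secret, packet) with its value zeroed."""
    chap_id = ident  # packet identifier doubles as CHAP ident: id 1 gives the 0x01 in the transcript
    attrs = (attr(USER_NAME, user)
             + attr(CHAP_PASSWORD, chap_response(chap_id, password, request_auth))
             + attr(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))  # loopback here; the page's NAS was public
             + attr(NAS_PORT, struct.pack(">I", 0)))
    if with_ma:
        attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # the zeros radtest prints before signing
    pkt = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # The MA is the last attribute, so the HMAC replaces the final 16 bytes
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest() if with_ma else pkt

def check_message_authenticator(pkt, secret, require):
    """require_message_authenticator: a wrong MA is always dropped, a missing one only if required."""
    attrs, i = pkt[20:], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2:
            return "discard"
        if atype == MESSAGE_AUTHENTICATOR:
            start = 20 + i + 2
            zeroed = pkt[:start] + bytes(16) + pkt[start + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "ok" if hmac.compare_digest(pkt[start:start + 16], expected) else "discard"
        i += alen
    return "discard" if require else "ok"

def server_handle(pkt, secret, users, require_ma=True):
    """The authorize/authenticate path in the radiusd -X log. `users` is a dict of
    Cleartext-Passwords standing in for the users file; None means silently discarded."""
    if check_message_authenticator(pkt, secret, require_ma) != "ok":
        return None
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    request_auth = pkt[4:20]
    got = dict(parse_attrs(pkt[20:length]))
    user, chap = got.get(USER_NAME), got.get(CHAP_PASSWORD)
    if code != ACCESS_REQUEST or user is None or chap is None or len(chap) != 17:
        return None
    password = users.get(user)
    if password is not None and hmac.compare_digest(chap, chap_response(chap[0], password, request_auth)):
        reply_code, attrs = ACCESS_ACCEPT, attr(REPLY_MESSAGE, b"Hello, " + user)
    else:
        reply_code, attrs = ACCESS_REJECT, b""
    head = struct.pack(">BBH", reply_code, ident, 20 + len(attrs))
    # Response Authenticator (RFC 2865 section 3): MD5(head || RequestAuth || attrs || secret)
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def client_check_reply(reply, request_auth, secret):
    """Only a holder of the shared secret can produce a valid Response Authenticator."""
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    if not hmac.compare_digest(resp_auth, hashlib.md5(head + request_auth + attrs + secret).digest()):
        return None
    return head[0], dict(parse_attrs(attrs))

def run_exchange(user, password, users, client_secret=b"testing123", server_secret=None,
                 with_ma=True, require_ma=True):
    """One round trip, reported as the client sees it (server_secret defaults to client_secret)."""
    request_auth = os.urandom(16)
    req = build_access_request(user, password, client_secret, 1, request_auth, with_ma)
    reply = server_handle(req, server_secret or client_secret, users, require_ma)
    if reply is None:
        return "discarded"  # the client only ever sees a timeout
    checked = client_check_reply(reply, request_auth, client_secret)
    if checked is None:
        return "bad response authenticator"
    code, attrs = checked
    return "accept:" + attrs[REPLY_MESSAGE].decode() if code == ACCESS_ACCEPT else "reject"
```

With users = {b"test": b"123456"}, run_exchange(b"test", b"123456", users) returns "accept:Hello, test", the same Reply-Message the transcript shows; passing server_secret=b"localtest" makes it return "discarded", which is the silent drop the clients.conf comment warns about and the reason radtest simply times out when the secret is wrong; and with_ma=False together with require_ma=False and the mismatched secret returns "bad response authenticator", because the server accepted the CHAP response without ever touching the secret and only the client's check of the reply exposes the misconfiguration.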