(i) Introduction
FreeRADIUS is generally used for account authentication and accounting management; the broadband and Internet account management and accounting of common telecommunications operators all use a RADIUS server for authentication. FreeRADIUS includes a RADIUS server and a RADIUS client, which can be used to authenticate network devices that support the RADIUS protocol. ------ Baidu Encyclopedia
(ii) Installing and enabling the service
[root@localhost ~]# yum install freeradius freeradius-ldap freeradius-utils -y
[root@localhost ~]# systemctl enable radiusd.service
[root@localhost ~]# systemctl start radiusd.service
(iii) Modifying the relevant configuration files
3.1 Modify the /etc/raddb/mods-available/ldap file; only the ldap connection settings and the user filter change, everything else is left at the default.
[root@localhost raddb]# cat /etc/raddb/mods-available/ldap | grep -v '#' | grep -v ^$
ldap {
    server = 'x.x.x.x'          # server
    port = 389                  # port
    identity = 'cn=opsldap,cn=users,dc=txxxdxx,dc=me'   # LDAP bind account
    password = xxxxxxxx         # LDAP bind password
    base_dn = 'dc=txxxdxx,dc=me'    # dn
    sasl {
    }
    update {
        control:Password-With-Header    += 'userPassword'
        control:                        += 'radiusControlAttribute'
        request:                        += 'radiusRequestAttribute'
        reply:                          += 'radiusReplyAttribute'
    }
    edir = no                   # modified
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"    # changed to sAMAccountName; the rest below is the default
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
3.2 Create a symbolic link to the module under mods-enabled/
[root@localhost raddb]# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
[root@localhost raddb]# ll /etc/raddb/mods-enabled/ldap
lrwxrwxrwx 1 root root 30 Jul 17 18:19 /etc/raddb/mods-enabled/ldap -> /etc/raddb/mods-available/ldap
3.3 Create the site_ldap file under sites-available/
[root@localhost raddb]# cat /etc/raddb/sites-available/site_ldap
ldap {
    server = 'x.x.8.55'         # server
    port = 389                  # port
    identity = 'cn=opsldap,cn=users,dc=txxxdxx,dc=me'   # LDAP bind account
    password = xxxxxxxx         # LDAP bind password
    base_dn = 'dc=txxxdxx,dc=me'    # dn
    sasl {
    }
    update {
        control:Password-With-Header    += 'userPassword'
        control:                        += 'radiusControlAttribute'
        request:                        += 'radiusRequestAttribute'
        reply:                          += 'radiusReplyAttribute'
    }
    edir = no                   # modified
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"    # changed to sAMAccountName; below is the default
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
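How the user filter in the two ldap blocks above resolves for an incoming request, as an added Python example (not FreeRADIUS code): it applies the %{...:-...} fallback from Stripped-User-Name to User-Name and the RFC 4515 escaping that rlm_ldap applies to values expanded inside a filter, so a user name cannot alter the filter's structure. strip_realm is an assumed stand-in for the suffix/realm module, and the request dictionaries are constructed.

```python
# RFC 4515 section 3 escaping for values placed inside an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """Escape one value the way rlm_ldap escapes xlat expansions inside a filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def strip_realm(user_name):
    """Hypothetical stand-in for the suffix module: 'bob@txxxdxx.me' -> 'bob'.

    Returns None when there is no realm, which is when Stripped-User-Name
    would not exist on a real request.
    """
    name, sep, _realm = user_name.partition("@")
    return name if sep else None


def expand_user_filter(request):
    """Expand "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})".

    request is a constructed dict of RADIUS attributes; the :- operator means
    "use the left-hand attribute if it exists, otherwise the right-hand one".
    """
    stripped = request.get("Stripped-User-Name") or strip_realm(request["User-Name"])
    chosen = stripped if stripped else request["User-Name"]
    return "(sAMAccountName=%s)" % ldap_filter_escape(chosen)
```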
3.4 Create a symbolic link to the site under sites-enabled/
[root@localhost raddb]# ln -s /etc/raddb/sites-available/site_ldap /etc/raddb/sites-enabled/
[root@localhost raddb]# ll /etc/raddb/sites-enabled/site_ldap
lrwxrwxrwx 1 root root 36 Jul 17 18:21 /etc/raddb/sites-enabled/site_ldap -> /etc/raddb/sites-available/site_ldap
(iv) Testing the RADIUS service: either restart the server, or run radiusd -X to test the settings in debug mode.
[root@localhost mods-available]# systemctl restart radiusd
or
[root@localhost mods-available]# radiusd -X
4.1 Modify the /etc/raddb/clients.conf file, which defines the client network segments allowed to authenticate and their shared secrets. (This server-side file records the clients; after installation it only contains the local configuration used for testing on the machine itself, i.e. by default only the local client is allowed to access the RADIUS server.)
[root@localhost raddb]# cat /etc/raddb/clients.conf | grep -v '#' | grep -v ^$
client localhost {              ### network segment to authenticate
    ipaddr = 127.0.0.1          ### IP address allowed to be authenticated
    proto = *
    secret = testing123         ### shared secret
    require_message_authenticator = no
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
client localhost_ipv6 {
    ipv6addr = ::1
    secret = testing123
}
4.2 Modify the test user file /etc/raddb/users and add the test account bob with the password hello
[root@localhost raddb]# cat /etc/raddb/users | grep -v '#' | grep -v ^$
bob     Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}"
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
4.3 Test that authentication works
[root@localhost raddb]# radtest bob hello localhost 0 testing123
Sent Access-Request Id 151 from 0.0.0.0:52757 to 127.0.0.1:1812 length 73
        User-Name = "bob"
        User-Password = "hello"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "hello"
Received Access-Accept Id 151 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
        Reply-Message = "Hello, bob"
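The exchange above, as an added Python example that is not part of the original post or of FreeRADIUS: it builds the same Access-Request (User-Name, PAP-obfuscated User-Password, NAS-IP-Address, NAS-Port, Message-Authenticator) with the testing123 secret from clients.conf, checks the Message-Authenticator that require_message_authenticator = yes would enforce on the server, and verifies the Response Authenticator of a constructed Access-Accept on the client side. The request authenticator and every packet value are constructed, not captured traffic.

```python
import hashlib, hmac, struct

SECRET = b"testing123"          # shared secret from clients.conf (constructed example)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 18, 80

def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(cipher, secret, authenticator):
    """Server side of the same scheme; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\0")

def build_access_request(ident, user, password, secret, request_auth):
    """Access-Request as radtest sends it; Message-Authenticator is HMAC-MD5 over the packet."""
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, pap_encrypt(password, secret, request_auth))
             + avp(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))
             + avp(NAS_PORT, struct.pack(">I", 0))
             + avp(MESSAGE_AUTHENTICATOR, b"\0" * 16))   # zeroed while the HMAC is computed
    pkt = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, "md5").digest()   # Message-Authenticator is last

def check_message_authenticator(pkt, secret):
    """What require_message_authenticator = yes enforces (assumes the attribute is last)."""
    zeroed = pkt[:-16] + b"\0" * 16
    return hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), pkt[-16:])

def build_access_accept(ident, request_auth, secret, reply_attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(reply_attrs))
    return head + hashlib.md5(head + request_auth + reply_attrs + secret).digest() + reply_attrs

def verify_access_accept(resp, request_auth, secret):
    """Client-side check tying the reply to our request and to the shared secret."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

The request length of 73 and the reply length of 32 match the radtest output above.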
(v) Adding additional network segments to FreeRADIUS for testing
1. Server-side configuration: edit the /etc/raddb/clients.conf file with vim and add a client with the shared secret (secret = Tdops); shortname can be arbitrary, and the client IP can be a single address or a network segment. Add the client in the following format:
[root@localhost raddb]# vim /etc/raddb/clients.conf
client 172.20.66.0/24 {
    secret = testing123
    shortname = CE-SW
}
2. Run the test from a host in the specified network segment.
[root@localhost ~]# radtest lqb xxx 172.20.66.127:1833 0 testing123
Sent Access-Request Id 186 from 0.0.0.0:39032 to 172.20.66.127:1833 length 80
        User-Name = "lqb"
        User-Password = "xxx"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "xxx"
Received Access-Accept Id 186 from 172.20.66.127:1833 to 0.0.0.0:0 length 20
3. The server-side log shows:
Wed Jul 18 16:18:31 2018 : Info: Need 5 more connections to reach 10 spares
Wed Jul 18 16:18:31 2018 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
Wed Jul 18 16:18:31 2018 : Auth: (0) Login OK: [lqb] (from client 172.20.66.0/24 port 0)
This completes authentication against the Windows AD domain.
CentOS 7.4 + FreeRADIUS + LDAP (Windows AD) authentication: building a RADIUS service