Deploy a RADIUS server on Linux

Source: Internet
Author: User
Tags: call shell, ldap, protocol, openldap, freeradius

As a network administrator, you need to keep management user information for every network device you manage. However, network devices generally support only limited user management. This article shows how to use an external RADIUS server on Linux to authenticate those users, with an LDAP server as the back end: the user information is stored centrally on the LDAP server and verified by the RADIUS server, which reduces the overhead of user management and makes remote logins safer.

In modern systems, data security is as important as system security, so protecting data (ensuring its confidentiality, integrity, and availability) is a core task for administrators.

This article deals with the confidentiality side of data security: ensuring that protected data can be accessed only by authorized users or systems. You will learn how to create and configure a Remote Authentication Dial-In User Service (RADIUS) server on Linux to perform user authentication, authorization, and accounting (AAA).

Introduction to components

First, let's look at the RADIUS protocol, the AAA components and how they work, and the LDAP protocol.

The Remote Authentication Dial-In User Service protocol is defined in IETF RFC 2865 (see references for links). It allows network access servers (NAS) to perform user authentication, authorization, and accounting. RADIUS is a UDP-based client/server protocol. The RADIUS client is the network access server, usually a router, a switch, or a wireless access point (an access point is a specially configured node on the network; a WAP is its wireless version). The RADIUS server is usually a daemon running on a UNIX or Windows 2000 server.

RADIUS and AAA

When a NAS receives a connection request from a user, it forwards the request to its configured RADIUS server, which verifies the user and returns the user's configuration information to the NAS. The NAS then accepts or rejects the connection.

A fully functional RADIUS server supports many different user authentication mechanisms. In addition to LDAP, these include:

PAP (Password Authentication Protocol), used together with PPP: the client sends the password in clear text and the server compares it with its stored copy. Inside the RADIUS packet the User-Password attribute is only obfuscated with an MD5 keystream derived from the shared secret, so the link between NAS and server still needs its own protection, such as IPsec;

CHAP (Challenge Handshake Authentication Protocol), which is safer than PAP: the server sends a random challenge and the client answers with a hash of the challenge and its password, so the password itself never crosses the link. The server must therefore be able to recover the clear-text password, which matters when the back end is LDAP (checking a password by binding to LDAP works only with PAP);

the local UNIX/Linux system password database (/etc/passwd);

other local databases.

In RADIUS, authentication and authorization are combined. If the user name is found and the password is correct, the RADIUS server returns an Access-Accept response that carries parameters (attribute-value pairs) granting the user access. These parameters are configured on the RADIUS server and include the access type, the protocol type, the IP address assigned to the user, an access control list (ACL) or static route to be applied on the NAS, and other values.

The RADIUS accounting feature (defined in RFC 2866; see references for links) sends data at the start and end of a connection session that records the resources consumed during the session, such as time, packets, and bytes, for security auditing or billing.
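The exchange described above, worked through in code as an added example that is not part of the original article: a NAS builds an Access-Request with a PAP User-Password hidden as RFC 2865 section 5.2 prescribes, the server recovers the password, decides, and signs an Access-Accept carrying a Framed-IP-Address attribute, and the NAS verifies the Response Authenticator before trusting the reply. The shared secret testing123, the user test with password testpw, and the address 192.0.2.10 are made-up sample data, and the tiny in-memory USERS dictionary stands in for the LDAP lookup the article is about. Accounting packets and the Message-Authenticator attribute of RFC 2869 are not shown.

```python
# Added example: one RADIUS Access-Request / Access-Accept round trip (RFC 2865),
# client and server in the same process. Secret, user and IP are constructed sample data.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3             # packet codes
USER_NAME, USER_PASSWORD, NAS_PORT, FRAMED_IP_ADDRESS = 1, 2, 5, 8  # attribute types

# Constructed user store: name -> (clear-text password, address to hand out).
# The article's server would fetch this from LDAP instead.
USERS = {b"test": (b"testpw", "192.0.2.10")}

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: NUL-pad to 16-octet blocks; block i is XORed with
    MD5(secret + previous cipher block), the first with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password (server side); strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Attributes are TLVs: Type(1) Length(1, counts the 2 header octets) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16); octets past Length are padding."""
    if len(data) < 20:
        raise ValueError("packet shorter than 20 octets")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad Length field")
    return code, ident, data[4:20], decode_attrs(data[20:length])

def response_authenticator(secret, code, ident, request_auth, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def client_access_request(secret, ident, username, password, nas_port):
    """NAS side: fresh random Request Authenticator; PAP password hidden under it."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(secret, request_auth, password)),
             (NAS_PORT, struct.pack("!I", nas_port))]
    return request_auth, build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_handle(secret, packet):
    """Server side: recover the password, compare it in constant time, sign the reply."""
    code, ident, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    expected, ip = USERS.get(a.get(USER_NAME, b""), (b"", None))
    ok = False
    if USER_PASSWORD in a:
        given = reveal_password(secret, request_auth, a[USER_PASSWORD])
        ok = hmac.compare_digest(given, expected) and ip is not None
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(FRAMED_IP_ADDRESS, socket.inet_aton(ip))] if ok else []
    auth = response_authenticator(secret, reply_code, ident, request_auth, reply_attrs)
    return build_packet(reply_code, ident, auth, reply_attrs)

def client_check_reply(secret, ident, request_auth, reply):
    """NAS side: trust the reply only if the Identifier matches our request and
    the Response Authenticator verifies under the shared secret."""
    code, reply_ident, reply_auth, attrs = parse_packet(reply)
    if reply_ident != ident:
        raise ValueError("Identifier mismatch: not a reply to our request")
    expected = response_authenticator(secret, code, ident, request_auth, attrs)
    if not hmac.compare_digest(reply_auth, expected):
        raise ValueError("Response Authenticator does not verify (wrong secret or forged reply)")
    return code == ACCESS_ACCEPT, dict(attrs)

def exchange(secret, username, password, ident=7):
    """Full round trip in-process; returns (accepted, reply attributes)."""
    request_auth, request = client_access_request(secret, ident, username, password, 0)
    return client_check_reply(secret, ident, request_auth, server_handle(secret, request))

if __name__ == "__main__":
    print(exchange(b"testing123", b"test", b"testpw"))
    print(exchange(b"testing123", b"test", b"wrong"))
```

Two things the code makes visible that the prose does not: the password hiding is a keystream, not encryption with any integrity, so anyone who knows the shared secret can recover every password that crosses the wire, and the only thing stopping a forged Access-Accept is the Response Authenticator, which again rests on that one secret. This is why the secret must be long and per-NAS, and why RADIUS traffic between NAS and server should be carried over IPsec or RadSec rather than bare UDP.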

Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP) is an open standard that defines a method for accessing and updating information in X.500-style directories. LDAP can store user information in one central place, so the same information does not have to be kept on every system, and it provides a consistent, controlled way to maintain and access that information.

LDAP manages users in a centralized directory, which simplifies user management. Beyond storing user information, you can define optional per-user attributes in LDAP, such as a limit on the number of logins. This article explains how to configure the RADIUS server to authenticate users against LDAP; because the focus is RADIUS, installation and configuration of the LDAP server itself is not covered.

OpenLDAP is an open source implementation of LDAP. Details are available at OpenLDAP.org (see references for links).

Scenario

Consider the following scenarios:

Users at home dial in to their company's intranet and are authenticated when they connect.

Laptops with wireless support connect to a campus network after wireless authentication.

Administrators log on to a network device from their workstations via telnet or HTTP and are authenticated as management users.

All of these authentication tasks can be handled by one RADIUS server backed by a central LDAP server (see Figure 1).

Figure 1. Authentication using RADIUS and LDAP

This article focuses on implementing the last scenario as an introduction to the solution. The first step is to install the RADIUS server.

Install RADIUS

RADIUS server software is available from several sources. This article uses FreeRADIUS (see references for links). An alternative is Cisco Secure Access Control Server (ACS), a centralized user access control framework for UNIX and Windows that manages users across multiple Cisco devices and also supports the Cisco-specific TACACS+ protocol (which offers more features on devices that support it).

FreeRADIUS is a powerful open source RADIUS server for Linux that suits today's distributed, heterogeneous computing environments. FreeRADIUS 1.0.2 supports LDAP, MySQL, PostgreSQL, and Oracle back ends and network protocols such as EAP and Cisco LEAP (LEAP should be avoided where possible, since its challenge-response exchange is open to offline dictionary attacks; prefer an EAP method such as EAP-TLS or PEAP). FreeRADIUS is deployed in many large production networks.

The following steps install and test FreeRADIUS 1.0.2 on Red Hat Enterprise Linux Advanced Server 3.0:

Listing 1. Install and test FreeRADIUS

tar -zxvf freeradius-1.0.2.tar.gz          # extract with gunzip and tar
./configure
make
make install                               # run this command as root
radiusd                                    # start the RADIUS server, or:
radiusd -X                                 # start it in the foreground in debug mode
radtest test test localhost 0 testing123   # test: user, password, server, NAS port, shared secret

If radtest receives an Access-Accept, the FreeRADIUS server is working. radtest takes the arguments user, password, server, NAS port number, and shared secret; the password argument is missing from the listing as published, and "test" is used here as a placeholder, so the user must actually be known to the server (for example via an entry in the users file). The secret testing123 is only the value shipped in the sample clients.conf for the localhost client; replace it before any real NAS is pointed at this server.

Another useful free tool is NTRadPing, which sends test authentication and authorization requests from a Windows client and displays the detailed response returned by the RADIUS server, including the attribute values.

Now let's configure FreeRADIUS.

When using Gearman for distributed processing, each machine needs to register its own job so that it can report information back. For convenience, however, the register_function code in the Gearman::Worker script should be generic, so I thought of using each machine's own IP address as the job name.

So how does the worker script obtain the local IP address to use as the function name?

The first method is to call the shell:

$ip = `ifconfig eth0 | grep -oE '([0-9]{1,3}\.?){4}' | head -n 1`;

Note: the input here is fixed ifconfig output, so the simple [0-9]{1,3} is good enough. If you validate IP addresses in a web application or anywhere else that handles untrusted input, you need a stricter check.

Or:

$ip = `ifconfig eth0 | awk -F: '/inet addr/{split($2, a, " "); print a[1]; exit}'`;

That does not look much like Perl, and calling external shells frequently is not good practice either. The second method:

open FH, "ifconfig eth0 |" or die "ifconfig: $!";
while (<FH>) {
    next unless /inet addr:((\d{1,3}\.?){4})/;   # the first line is "Link encap", so skip non-matching lines
    print $1;
    last;
}
close FH;

That looks a little more like Perl, although it is essentially the same as the shell-and-grep method above.
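The note above about the regex being "good enough" for fixed ifconfig output deserves a concrete look, so here is an added example (not from the original post) that runs the same loose pattern against constructed inputs next to a strict dotted-decimal check. The loose pattern makes the dot optional and does not bound each field at 255, so it also accepts values that are not IPv4 addresses at all.

```python
# Added example: the loose regex from the ifconfig pipeline versus a strict IPv4 check.
import re

# Same pattern as the grep -oE above: optional dot, any 1-3 digits per group.
LOOSE_IPV4 = re.compile(r"([0-9]{1,3}\.?){4}")

def loose_match(text):
    """Return the first substring the loose pattern accepts, as grep -oE would."""
    m = LOOSE_IPV4.search(text)
    return m.group(0) if m else None

def strict_ipv4(text):
    """Accept only canonical dotted decimal: exactly four fields, ASCII digits,
    each 0..255, no leading zeros (inet_aton treats "010" as octal), nothing else."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    for p in parts:
        if not (p.isascii() and p.isdigit()) or len(p) > 3:
            return False
        if len(p) > 1 and p[0] == "0":
            return False
        if int(p) > 255:
            return False
    return True

# Constructed inputs: a real ifconfig line plus strings the loose pattern wrongly accepts.
SAMPLES = [
    "          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0",
    "999.999.999.999",   # every field out of range
    "1234",              # no dots at all: each digit is one "group"
    "1.2.3.4.5",         # too many fields; loose match stops after "1.2.3.4."
    "010.1.1.1",         # leading zero, octal to inet_aton
]

def classify(samples):
    """Map each sample to (what the loose pattern extracts, whether the whole string is a strict IPv4)."""
    return {s: (loose_match(s), strict_ipv4(s.strip())) for s in samples}

if __name__ == "__main__":
    for sample, (loose, strict) in classify(SAMPLES).items():
        print(repr(sample), "->", loose, strict)
```

The strict check is what belongs in front of anything that later feeds the address into a firewall rule, an ACL, or a shell command; the loose one is fine only because ifconfig's output format is known.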

Third, a little more Perl, purely reading a file:

open FH, '<', '/etc/sysconfig/network-scripts/ifcfg-eth0' or die "ifcfg-eth0: $!";
while (<FH>) {
    next unless /IPADDR\s*=\s*(\S+)/;
    print $1;
}
close FH;

Going further, if the system is not necessarily Red Hat, you would have to read /etc/issue, decide whether the network configuration file is /etc/sysconfig/network-scripts/ifcfg-eth0 or /etc/network/interfaces or something else, and write different handling for each distribution... Are you really planning to write that module yourself?

Well, let's enjoy the charm of CPAN instead. A search turns up several modules, such as Sys::HostIP, Sys::HostAddr, and Net::Interface. Fourth:

use Sys::HostAddr;
my $interface = Sys::HostAddr->new(ipv => '4', interface => 'eth0');
print $interface->main_ip;

But a look at the .pm files is sobering: these modules call the ifconfig command themselves, merely wrapping it with handling for the different distributions.

Is there another way? Yes, here is the fifth:

perl -MPOSIX -MSocket -e 'my $host = (uname)[1]; print inet_ntoa(scalar gethostbyname($host))'

However, some people have pointed out that this depends on how the hostname resolves, and it may simply return 127.0.0.1 (for example when /etc/hosts maps the hostname to the loopback address)...

Then there is one more trick. Running strace on ifconfig shows that on Linux it uses an ioctl call to obtain the IP address of a network interface, so we can use ioctl too!

As follows:

#!/usr/bin/perl
use strict;
use warnings;
use Socket;
require 'sys/ioctl.ph';   # generated from the C headers with h2ph; provides SIOCGIFADDR()

sub get_ip_address($) {
    my $ifname = shift;
    # struct ifreq is 40 bytes on Linux: the buffer must be large enough for the
    # kernel to write the sockaddr back into it, so pad the name to 256 bytes.
    my $pack = pack("a256", $ifname);
    my $socket;
    socket($socket, AF_INET, SOCK_DGRAM, 0) or die "socket: $!";
    ioctl($socket, SIOCGIFADDR(), $pack) or die "ioctl SIOCGIFADDR($ifname): $!";
    close $socket;
    # sockaddr_in starts at offset 16 (after ifr_name); the 4-byte address is at offset 20
    return inet_ntoa(substr($pack, 20, 4));
}
print get_ip_address("eth0");

The advantage is that only core modules are used, so no extra modules are needed when the script is distributed.

Note: this was actually adapted from a Python script found on the Internet. The Python version is:

#!/usr/bin/python
import socket
import fcntl
import struct

def get_ip_address(ifname):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return socket.inet_ntoa(fcntl.ioctl(
            s.fileno(),
            0x8915,  # SIOCGIFADDR
            struct.pack('256s', ifname[:15].encode())  # ifr_name is 16 bytes including the NUL
        )[20:24])
    finally:
        s.close()

print(get_ip_address('eth0'))
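The two ioctl scripts above fail with an uncaught error when the interface does not exist (on current distributions the first NIC is often named enp0s3 or ens33 rather than eth0) or has no IPv4 address yet. The following added example, which is not part of the original post, repeats the same SIOCGIFADDR call but names the struct ifreq layout it relies on, rejects over-long interface names instead of silently truncating them, maps the two expected kernel errors to None, and includes a constructed buffer so the parsing half can be exercised without a real interface. The constants are the Linux values; interface names and the 192.0.2.10 sample address are assumptions.

```python
# Added example: SIOCGIFADDR via ioctl with explicit struct layout and error handling.
import errno
import fcntl
import socket
import struct

SIOCGIFADDR = 0x8915      # <linux/sockios.h>; Linux-specific value
IFNAMSIZ = 16             # <net/if.h>: ifr_name field, NUL included
# Layout of struct ifreq for the AF_INET case: ifr_name[16], then a sockaddr_in
# (sa_family u16 native order, sin_port u16, sin_addr 4 bytes, 8 bytes zero).
OFF_FAMILY, OFF_ADDR = IFNAMSIZ, IFNAMSIZ + 4
BUF_SIZE = 256            # sizeof(struct ifreq) is 40 on Linux; 256 leaves slack

def pack_ifreq(ifname):
    """Build the request buffer: NUL-padded name followed by zeroed space the
    kernel fills in. Names of IFNAMSIZ bytes or more cannot be valid, so reject
    them rather than truncating like the [:15] slice in the script above."""
    name = ifname.encode()
    if not name or len(name) >= IFNAMSIZ:
        raise ValueError("interface name must be 1..%d bytes" % (IFNAMSIZ - 1))
    return struct.pack("%ds" % BUF_SIZE, name)

def unpack_ifreq_addr(buf):
    """Extract sin_addr from a filled-in ifreq, checking the family first."""
    family = struct.unpack_from("H", buf, OFF_FAMILY)[0]
    if family != socket.AF_INET:
        raise ValueError("ifr_addr is not AF_INET (family %d)" % family)
    return socket.inet_ntoa(buf[OFF_ADDR:OFF_ADDR + 4])

def interface_ipv4(ifname):
    """Primary IPv4 address of ifname as a string, or None if the interface does
    not exist (ENODEV) or has no IPv4 address assigned (EADDRNOTAVAIL)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        filled = fcntl.ioctl(s.fileno(), SIOCGIFADDR, pack_ifreq(ifname))
    except OSError as e:
        if e.errno in (errno.ENODEV, errno.EADDRNOTAVAIL):
            return None
        raise
    finally:
        s.close()
    return unpack_ifreq_addr(filled)

def sample_ifreq(ifname, ip):
    """Constructed buffer shaped like the kernel's reply, for offline testing of
    unpack_ifreq_addr; the address is whatever the caller passes in."""
    sockaddr_in = (struct.pack("H", socket.AF_INET) + struct.pack("!H", 0)
                   + socket.inet_aton(ip) + b"\x00" * 8)
    return struct.pack("16s", ifname.encode()) + sockaddr_in + b"\x00" * (BUF_SIZE - 32)

if __name__ == "__main__":
    for name in ("lo", "eth0", "enp0s3", "does-not-exist"):
        print(name, interface_ipv4(name))
```

Run on a Linux host, the loop prints 127.0.0.1 for lo and None for names that do not exist, instead of a traceback; whichever of eth0 or enp0s3 is present shows its address. Because the ioctl number and the struct layout are Linux-specific, this is not portable to the BSDs or macOS, which is the same limitation the page's Perl and Python scripts have.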