(1) Introduction
FreeRADIUS is generally used for account authentication and accounting. The broadband and internet accounts of the common telecom carriers are authenticated and accounted for by a RADIUS server. FreeRADIUS contains a RADIUS server and a RADIUS client and can authenticate and account for any network device that supports the RADIUS protocol. ------ Baidu Baike
(2) Install and deploy the service
[root@localhost ~]# yum install freeradius freeradius-ldap freeradius-utils -y
[root@localhost ~]# systemctl enable radiusd.service
[root@localhost ~]# systemctl start radiusd.service
(3) Edit the relevant configuration files
3.1 Edit /etc/raddb/mods-available/ldap. Only the ldap section is changed; everything else is left at the default.
[root@localhost raddb]# cat /etc/raddb/mods-available/ldap | grep -v '#' | grep -v ^$
ldap {
    server = 'x.x.x.x'                                   # LDAP server
    port = 389                                           # port
    identity = 'CN=opsldap,CN=Users,DC=txxxdxx,DC=me'    # account used to bind to LDAP
    password = xxxxxxxx                                  # password used to bind to LDAP
    base_dn = 'DC=txxxdxx,DC=me'                         # dn
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    edir = no                                            # changed
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"   # changed to sAMAccountName; everything below is the default
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
3.2 Create a symlink under mods-enabled/
[root@localhost raddb]# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
[root@localhost raddb]# ll /etc/raddb/mods-enabled/ldap
lrwxrwxrwx 1 root root 30 Jul 17 18:19 /etc/raddb/mods-enabled/ldap -> /etc/raddb/mods-available/ldap
3.3 Create the site_ldap file under sites-available/
[root@localhost raddb]# cat /etc/raddb/sites-available/site_ldap
ldap {
    server = 'x.x.8.55'                                  # LDAP server
    port = 389                                           # port
    identity = 'CN=opsldap,CN=Users,DC=txxxdxx,DC=me'    # account used to bind to LDAP
    password = xxxxxxxx                                  # password used to bind to LDAP
    base_dn = 'DC=txxxdxx,DC=me'                         # dn
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    edir = no                                            # changed
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"   # changed to sAMAccountName; everything below is the default
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
3.4 Create a symlink under sites-enabled/
[root@localhost raddb]# ln -s /etc/raddb/sites-available/site_ldap /etc/raddb/sites-enabled/
[root@localhost raddb]# ll /etc/raddb/sites-enabled/site_ldap
lrwxrwxrwx 1 root root 36 Jul 17 18:21 /etc/raddb/sites-enabled/site_ldap -> /etc/raddb/sites-available/site_ldap
(4) Test the RADIUS setup. The configuration can be tested by restarting the service or by running radiusd -X (debug mode in the foreground).
[root@localhost mods-available]# systemctl restart radiusd
or
[root@localhost mods-available]# radiusd -X
4.1 Edit /etc/raddb/clients.conf, which defines the client networks allowed to authenticate and their shared secrets. (This is the server-side file that records the clients. By default it only contains the local entry used for local testing, so after installation only the local client is allowed to reach the RADIUS server.)
[root@localhost raddb]# cat /etc/raddb/clients.conf | grep -v '#' | grep -v ^$
client localhost {                       ### client network allowed to authenticate
    ipaddr = 127.0.0.1                   ### IP address allowed to access the server
    proto = *
    secret = testing123                  ### shared secret
    require_message_authenticator = no
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
client localhost_ipv6 {
    ipv6addr = ::1
    secret = testing123
}
4.2 Edit the test users file /etc/raddb/users and add the test account bob with password hello
[root@localhost raddb]# cat /etc/raddb/users | grep -v '#' | grep -v ^$
bob     Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}"
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
4.3 Check that authentication works
[root@localhost raddb]# radtest bob hello localhost 0 testing123
Sent Access-Request Id 151 from 0.0.0.0:52757 to 127.0.0.1:1812 length 73
        User-Name = "bob"
        User-Password = "hello"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "hello"
Received Access-Accept Id 151 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
        Reply-Message = "Hello, bob"
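radtest prints User-Password = "hello" in the clear, but on the wire that attribute is hidden with a keystream derived from the shared secret in clients.conf and the Request Authenticator, and Message-Authenticator (shown as 0x00 here because radtest fills it in only when the packet is sent) is the HMAC that lets the server detect a forged or altered request. The following Python code is an added example, not part of the original post or of FreeRADIUS: it builds the same Access-Request that radtest sends, with the five attributes listed above (73 bytes, matching the "length 73" in the output), following RFC 2865 section 5.2 for User-Password and RFC 2869 section 5.14 for Message-Authenticator. bob, hello and testing123 are the post's own test values; the NAS address and the packet identifier defaults are constructed.

```python
"""Added example, not part of the original post: assemble a RADIUS Access-Request
the way radtest does, to show what the shared secret in clients.conf protects.
Packet layout and attribute numbers follow RFC 2865 (User-Password hiding, s5.2)
and RFC 2869 (Message-Authenticator, s5.14)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 4, 5
ATTR_MESSAGE_AUTHENTICATOR = 80

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad the password with NULs to a multiple of 16 bytes and XOR
    each block with MD5(secret + previous cipher block), seeded by the Request
    Authenticator.  MD5 is only a keystream here; the secret is what keeps it private."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """The server's inverse of hide_password; a wrong secret yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type, value):
    """One RADIUS attribute: type (1 byte), total length (1 byte), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username, password, secret, identifier=1,
                         nas_ip=b"\x7f\x00\x00\x01", nas_port=0, authenticator=None):
    """Wire bytes of an Access-Request carrying the attributes radtest sends."""
    authenticator = authenticator or os.urandom(16)   # 16 random bytes per request
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, nas_ip)
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, kept last
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet += authenticator + attrs
    # RFC 2869 s5.14: HMAC-MD5 keyed with the secret over the whole packet while the
    # attribute value is zeroed; since it is the last attribute, swap the final 16 bytes.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def iter_attributes(packet):
    """Yield (type, offset of value, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length

def verify_message_authenticator(packet, secret):
    """Server-side HMAC check, which is what require_message_authenticator = yes
    enforces for a client.  A packet without the attribute fails the check."""
    for attr_type, off, value in iter_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False

def server_view(packet, secret):
    """Return (username, password, mac_ok) as the server recovers them."""
    attrs = {t: v for t, _, v in iter_attributes(packet)}
    authenticator = packet[4:20]
    return (attrs[ATTR_USER_NAME].decode(),
            reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode(),
            verify_message_authenticator(packet, secret))

if __name__ == "__main__":
    request = build_access_request(b"bob", b"hello", b"testing123", identifier=151)
    print(len(request), server_view(request, b"testing123"))
```

Run it directly to print the packet length and what the server recovers. The point to take from it is that the confidentiality of User-Password rests entirely on the secret in clients.conf (anyone holding the secret and a captured request can run reveal_password), and that a client entry with require_message_authenticator = yes makes the server reject any request whose HMAC does not verify, which covers both a wrong secret and a modified packet.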
(5) Testing FreeRADIUS with clients from another network
1. Server-side configuration: edit /etc/raddb/clients.conf with vim, add a client and set its shared secret secret = tdops; shortname can be anything. The client IP can be a single address or a whole network. Add an entry in the following format:
[root@localhost raddb]# vim /etc/raddb/clients.conf
client 172.20.66.0/24 {
    secret = testing123
    shortname = CE-SW
}
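The ldap module settings in 3.1 and 3.3 and the clients.conf excerpts in 4.1 and here contain the points a reviewer would check first: an LDAP bind over plain port 389 with an empty tls block, a bind password kept in the config file, the sample secret testing123, clients that do not require Message-Authenticator, and one secret shared by an entire /24. The following Python script is an added example, not part of the original post: it reads that brace-delimited config format with a simplified parser written for this post (not FreeRADIUS's own) and reports those points over SAMPLE, a constructed config that mirrors the post's values; the 192.0.2.10 client and its secret are made up to show what a clean entry looks like.

```python
"""Added example, not part of the original post: a small reader for the brace-delimited
config format of mods-available/ldap and clients.conf, plus an audit pass for the settings
a reviewer would flag.  The parser is a simplified one written for this post (not
FreeRADIUS's own); SAMPLE is a constructed config mirroring the post's settings."""
import re

SECTION_RE = re.compile(r"^(\S+)(?:\s+(\S+))?\s*\{\s*(\})?$")      # name [arg] {  or  name { }
SETTING_RE = re.compile(r"^([\w:.\-\[\]]+)\s*(?::=|\+=|=)\s*(.*)$")  # key = value
SAMPLE_SECRETS = {"testing123"}   # the secret shipped in the default clients.conf

class Section:
    def __init__(self, name, arg=""):
        self.name, self.arg, self.settings, self.children = name, arg, {}, []

    def find(self, name):
        return [c for c in self.children if c.name == name]

def strip_comment(line):
    """Drop a trailing '#' comment, leaving a '#' inside quotes alone."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def parse_config(text):
    """Build a Section tree; setting values lose their surrounding quotes."""
    root = Section("root")
    stack = [root]
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = Section(m.group(1), m.group(2) or "")
            stack[-1].children.append(section)
            if not m.group(3):          # "name { }" on one line opens nothing
                stack.append(section)
            continue
        m = SETTING_RE.match(line)
        if m:
            stack[-1].settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return root

def audit(root):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for ldap in root.find("ldap"):
        tls = ldap.find("tls")
        start_tls = bool(tls) and tls[0].settings.get("start_tls") == "yes"
        if not ldap.settings.get("server", "").startswith("ldaps://") and not start_tls:
            findings.append("ldap: bind password and lookups are sent in cleartext "
                            "(server is not ldaps:// and tls { start_tls } is not yes)")
        if ldap.settings.get("password"):
            findings.append("ldap: bind password is stored in the config file; "
                            "keep /etc/raddb readable by root and radiusd only")
    for client in root.find("client"):
        who = client.arg or client.settings.get("ipaddr", "?")
        secret = client.settings.get("secret", "")
        if secret in SAMPLE_SECRETS:
            findings.append(f"client {who}: uses the sample secret '{secret}'")
        elif len(secret) < 16:
            findings.append(f"client {who}: shared secret shorter than 16 characters")
        if client.settings.get("require_message_authenticator", "no") != "yes":
            findings.append(f"client {who}: Message-Authenticator is not required")
        if "/" in client.settings.get("ipaddr", client.arg):
            findings.append(f"client {who}: one secret is shared by a whole network")
    return findings

SAMPLE = """
ldap {
    server = 'x.x.x.x'      # constructed: cleartext bind on 389, as in the post
    port = 389
    password = xxxxxxxx
    tls {
    }
}
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
}
client 172.20.66.0/24 {
    secret = testing123
    shortname = CE-SW
}
client 192.0.2.10 {         # constructed: a hardened entry for contrast
    secret = a-long-random-secret-from-a-vault
    require_message_authenticator = yes
}
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE))))
```

Run it to list the seven findings for SAMPLE; point parse_config at the real files (after the grep -v '#' filtering shown above, or directly, since the comment stripping handles inline comments) to audit a live installation. The per-network finding is worth keeping in mind for the /24 entry: every host in that range presents the same secret, so a single compromised switch or a stray host plugged into that network can talk to the RADIUS server as a trusted client.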
2. Run the test from a host in the permitted network.
[root@localhost ~]# radtest lqb xxx 172.20.66.127:1833 0 testing123
Sent Access-Request Id 186 from 0.0.0.0:39032 to 172.20.66.127:1833 length 80
        User-Name = "lqb"
        User-Password = "xxx"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "xxx"
Received Access-Accept Id 186 from 172.20.66.127:1833 to 0.0.0.0:0 length 20
3. The server-side log shows:
Wed Jul 18 16:18:31 2018 : Info: Need 5 more connections to reach 10 spares
Wed Jul 18 16:18:31 2018 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
Wed Jul 18 16:18:31 2018 : Auth: (0) Login OK: [lqb (from client 172.20.66.0/24 port 0)
At this point, authentication against the Windows AD domain is complete.
CentOS 7.4 + FreeRADIUS + LDAP (Windows AD) authentication: setting up a RADIUS service