(一) Overview
This document describes how to set up a FreeRADIUS server so that network users on Windows clients are authenticated transparently against Active Directory.
1.1 Principle:
FreeRADIUS provides authentication through port-based access control. A user can connect to the network only after the authentication server has validated their credentials. User credentials are verified with the special authentication protocols that belong to the 802.1X standard. (FreeRADIUS offers authentication via port based access control. A user can connect to the network only if its credentials have been validated by the authentication server. User credentials are verified by using special authentication protocols which belong to the 802.1X standard. --- official documentation)
As shown (in the figure), the workstation is granted network access only if the user's credentials have been authenticated by the FreeRADIUS server; otherwise the switch port stays closed to all network traffic. The RADIUS server is allowed to contact the domain controller to authenticate the user. Even while the switch port is closed, the workstation can still talk to the RADIUS server through the authentication protocol. The RADIUS server checks with the domain controller whether the user exists and whether the password is correct. If so, the RADIUS server tells the switch to open the port and the user gets access to the network.
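The RADIUS leg of that flow (the exchange between the switch and the FreeRADIUS server) rests on the shared secret configured per client in clients.conf. The Python below is an added illustration, not code from the original article: it builds an Access-Request the way a NAS would, answers it with an Access-Accept, and shows how each side checks the other. The Message-Authenticator attribute (RFC 3579, mandatory for EAP) lets the server verify that the request came from a NAS that knows the secret, and the Response Authenticator (RFC 2865) lets the switch verify that the Accept came from the real server and answers this exact request. The identifier, request authenticator, user name and the secrets are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used below (RFC 2865 / RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1, incl. header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(identifier, secret, attrs, request_auth=None):
    """Build an Access-Request as the switch (NAS) would.  Message-Authenticator is
    HMAC-MD5(secret, whole packet with the attribute's 16 value bytes zeroed)."""
    if request_auth is None:
        request_auth = os.urandom(16)  # Request Authenticator: fresh random per request
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    # attribute 80 was appended last, so its 16 value bytes are the tail of the body
    return header + request_auth + body[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Server-side check: walk the TLVs, find type 80 and recompute the HMAC over the
    packet with that value zeroed.  No attribute 80 at all is treated as a failure."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False


def build_response(code, request, secret, attrs=()):
    """Server reply.  Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret):
    """NAS-side check that the reply was produced by a holder of the shared secret for
    this particular request (same Identifier, same Request Authenticator)."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def demo(secret=b"test"):
    """Round trip for the constructed user CORP\\it001; returns the four check results."""
    request = build_access_request(7, secret, [(ATTR_USER_NAME, b"CORP\\it001")])
    accept = build_response(ACCESS_ACCEPT, request, secret)
    forged = build_response(ACCESS_ACCEPT, request, b"wrong-secret")
    return (
        verify_message_authenticator(request, secret),    # True: server accepts the request
        verify_message_authenticator(request, b"wrong"),  # False: NAS with the wrong secret
        verify_response(accept, request, secret),         # True: switch trusts the Accept
        verify_response(forged, request, secret),         # False: Accept from an impostor
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

Both checks collapse to the strength of the per-client secret, which is why the `secret = test` entry in the clients.conf later in this article should be replaced with a long random value before the switch is put in production.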
1.2 Required environment
- CentOS 7.4
- FreeRADIUS 3.0.17 (https://freeradius.org/releases/)
- Samba 3.0.x
- OpenSSL
- Cisco Switch
- Windows 7 SP1
(二) Installing and configuring the Linux server
1. Disable the firewall and SELinux
[[email protected] ~]$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[[email protected] ~]$ sudo grep '^[a-Z]' /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
2. Build and install FreeRADIUS from source
[[email protected] ~]# sudo tar xf freeradius-server-3.0.17.tar.gz
[[email protected] ~]# cd freeradius-server-3.0.17
[[email protected] freeradius-server-3.0.17]# sudo yum install libtalloc-devel -y
[[email protected] freeradius-server-3.0.17]# yum install openssl openssl-devel
[[email protected] freeradius-server-3.0.17]# sudo ./configure
[[email protected] freeradius-server-3.0.17]# sudo make && make install
[[email protected] raddb]# cp /usr/local/sbin/rc.radiusd /etc/init.d/radiused
[[email protected] raddb]# /etc/init.d/radiused start
[[email protected] raddb]# ps -ef|grep radiusd
root      5529      1  0 17:04 ?        00:00:00 /usr/local/sbin/radiusd
root      5537  26619  0 17:04 pts/2    00:00:00 grep --color=auto radiusd
[[email protected] raddb]# /etc/init.d/radiused stop
Stopping FreeRADIUS: radiusd.
[[email protected] raddb]# ps -ef|grep radiusd
3. Install and configure Samba
[[email protected] ~]$ sudo yum install samba samba-client samba-winbind krb5-server
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.15.1-19.el7 will be installed
Installed:
  krb5-server.x86_64 0:1.15.1-19.el7    samba.x86_64 0:4.7.1-6.el7
  samba-client.x86_64 0:4.7.1-6.el7     samba-winbind.x86_64 0:4.7.1-6.el7
Dependency Installed:
  avahi-libs.x86_64 0:0.6.31-19.el7            cups-libs.x86_64 1:1.6.3-35.el7
  libarchive.x86_64 0:3.1.2-10.el7_2           libevent.x86_64 0:2.0.21-4.el7
  libldb.x86_64 0:1.2.2-1.el7                  libsmbclient.x86_64 0:4.7.1-6.el7
  libtalloc.x86_64 0:2.1.10-1.el7              libtdb.x86_64 0:1.3.15-1.el7
  libtevent.x86_64 0:0.9.33-2.el7              libverto-libevent.x86_64 0:0.2.5-4.el7
  libwbclient.x86_64 0:4.7.1-6.el7             pytalloc.x86_64 0:2.1.10-1.el7
  samba-client-libs.x86_64 0:4.7.1-6.el7       samba-common.noarch 0:4.7.1-6.el7
  samba-common-libs.x86_64 0:4.7.1-6.el7       samba-common-tools.x86_64 0:4.7.1-6.el7
  samba-libs.x86_64 0:4.7.1-6.el7              samba-winbind-modules.x86_64 0:4.7.1-6.el7
  words.noarch 0:3.0-22.el7
Dependency Updated:
  dbus.x86_64 1:1.10.24-7.el7                  dbus-libs.x86_64 1:1.10.24-7.el7
  krb5-devel.x86_64 0:1.15.1-19.el7            krb5-libs.x86_64 0:1.15.1-19.el7
  libkadm5.x86_64 0:1.15.1-19.el7
Complete!
3. Configure the Samba server and restart the Samba service.
Once PAP authentication tests succeed, the next step for sites that use Active Directory is to configure the system to authenticate users against Active Directory. Plaintext passwords cannot be obtained from Active Directory, so we must use Samba and the ntlm_auth program. In this configuration Active Directory is used as an authentication oracle rather than as an LDAP database. Once Samba is installed on your system, edit the smb.conf file and configure the [global] section to point at the NT server, including the hostname and the NT domain. This article configures only the [global] section of the Samba configuration file.
[[email protected] raddb]# vim /etc/samba/smb.conf
[global]
        workgroup = CORP                  ## NetBIOS (short) name of the domain
        security = ads                    ## Samba operating mode: integrate with the AD domain
        winbind use default domain = no
        password server = X.X.X.X         # the authentication server is the domain controller
        realm = CORP.BAIDU.COM            # AD domain (Kerberos realm) name
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775
[[email protected] raddb]# systemctl start smb
[[email protected] raddb]# systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-07-31 17:16:05 CST; 4s ago
 Main PID: 5587 (smbd)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/smb.service
           ├─5587 /usr/sbin/smbd --foreground --no-process-group
           ├─5589 /usr/sbin/smbd --foreground --no-process-group
           ├─5590 /usr/sbin/smbd --foreground --no-process-group
           └─5591 /usr/sbin/smbd --foreground --no-process-group
4. Configure /etc/krb5.conf
[[email protected] ~]# vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = CORP.BAIDU.COM          # the domain (realm) name
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 CORP.BAIDU.COM = {                      # the realm block must use the same name as default_realm
  kdc = 10.128.105.170:88                # the domain controller is the KDC; host and port
  admin_server = 10.128.105.170:749      # the domain controller's admin port
  default_domain = corp.baidu.com
 }
[domain_realm]
 .corp.baidu.com = CORP.BAIDU.COM
 corp.baidu.com = CORP.BAIDU.COM
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
5. Edit /etc/nsswitch.conf and append winbind to the end of the following lines; leave everything else unchanged.
[[email protected] ~]# cat /etc/nsswitch.conf
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
protocols:  files sss winbind
services:   files sss winbind
netgroup:   files sss winbind
automount:  files sss winbind
6. Join this server to the domain. If it is not joined, the winbind service fails to start and reports an error.
[[email protected] radiusd]# net join -U liqingbiao
Enter liqingbiao's password:
Using short domain name -- CORP
Joined 'FREERADIUS2' to dns domain 'corp.baidu.com'
No DNS domain configured for freeradius2. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
7. Start the Samba and winbind services.
[[email protected] radiusd]# systemctl enable winbind
[[email protected] radiusd]# systemctl enable smb
[[email protected] radiusd]# systemctl start winbind
[[email protected] radiusd]# systemctl start smb
[[email protected] radiusd]# systemctl status winbind
● winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-07-31 17:26:30 CST; 1min 5s ago
 Main PID: 5651 (winbindd)
   Status: "winbindd: ready to serve connections..."
   CGroup: /system.slice/winbind.service
           ├─5651 /usr/sbin/winbindd --foreground --no-process-group
           └─5653 /usr/sbin/winbindd --foreground --no-process-group
8. Test account authentication through winbind with wbinfo: wbinfo -a user%password
[[email protected] appuser]# wbinfo -a it001%123456
plaintext password authentication failed
Could not authenticate user it004%Aa123456 with plaintext password
challenge/response password authentication succeeded    ### succeeded
[[email protected] appuser]# ntlm_auth --request-nt-key --domain=CORP --username=it001    ### NTLM is the authentication method used in Windows domain environments
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)
9. Change the permissions on /var/lib/samba/winbindd_privileged so that the radiusd user can reach the winbind privileged pipe
[[email protected] appuser]# usermod -a -G wbpriv radiusd
[[email protected] appuser]# chown -R root.radiusd /var/lib/samba/winbindd_privileged
(三) FreeRADIUS configuration
The FreeRADIUS files involved are:
- clients.conf
- mods-available/mschap
- mods-available/eap
- users
1. Configure clients.conf and add the clients (the switches) that will talk to the server.
[[email protected] ~]# vim /usr/local/etc/raddb/clients.conf
client 172.20.19.0/24 {
        secret = test
        shortname = CE-SW
}
client 172.20.66.0/24 {
        secret = [email protected]@123456
        shortname = CE-SW
}
client 172.20.94.0/24 {
        secret = [email protected]@123456
        shortname = CE-SW
}
2. Configure mods-available/mschap: edit the file /usr/local/etc/raddb/mods-available/mschap
[[email protected] ~]# vim /usr/local/etc/raddb/mods-available/mschap
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-CORP.BAIDU.COM}"
3. Configure mods-available/eap: edit the file /usr/local/etc/raddb/mods-available/eap
[[email protected] ~]# vim /usr/local/etc/raddb/mods-available/eap
        default_eap_type = peap
        random_file = /dev/urandom
4. Configure the file /usr/local/etc/raddb/mods-enabled/ntlm_auth
[[email protected] ~]# vim /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=CORP.BAIDU.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}
5. Edit /usr/local/etc/raddb/sites-enabled/default and /usr/local/etc/raddb/sites-enabled/inner-tunnel and add ntlm_auth to the authenticate section
authenticate {
        ...
        ntlm_auth
        ...
}
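The realm and domain names spread across smb.conf, krb5.conf, mods-available/mschap and the ntlm_auth module above all have to agree before winbind can reach the domain controller, and the weakest point on the RADIUS side is a guessable shared secret in clients.conf. The Python below is an added example, not part of the original article or of FreeRADIUS: a small consistency checker that parses the INI-style files, confirms that default_realm has a matching [realms] block, that [domain_realm] only maps to defined realms, that the smb.conf realm equals default_realm and that the mschap NT-Domain fallback is either the workgroup or the realm, then flags short or well-known shared secrets. The embedded configs are constructed samples with example.com names; the krb5.conf deliberately misnames its [realms] block and the first client keeps `secret = test` so the checks have something to report.

```python
import re

# Constructed sample files (not the article's configuration).  The [realms] block is
# deliberately named differently from default_realm, the kind of copy-paste mismatch
# that makes Kerberos fail even though smb.conf and the mschap module look fine.
SMB_CONF = """
[global]
    workgroup = CORP            # short NT domain name
    security = ads
    realm = CORP.EXAMPLE.COM    # Kerberos realm / AD DNS name
"""
KRB5_CONF = """
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
[realms]
    CORP.EXAMPLE.NET = {
        kdc = 192.0.2.10:88
    }
[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
"""
MSCHAP_CONF = """
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-CORP}"
}
"""
CLIENTS_CONF = """
client 172.20.19.0/24 {
    secret = test
}
client 172.20.66.0/24 {
    secret = Gx8r!vQ2pL9zT4wK7mN1bH5c
}
"""
WEAK_SECRETS = {"test", "testing123", "secret", "radius", "password"}


def parse_ini(text):
    """{section: {key: value}}; a 'NAME = { ... }' block inside a section becomes a nested dict."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section, block = sections.setdefault(header.group(1).strip(), {}), None
        elif section is None:
            continue
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].strip().rstrip("=").strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (block if block is not None else section)[key] = value
    return sections


def check_realm_consistency(smb_text, krb5_text, mschap_text):
    """Cross-check the names that must agree for Samba/winbind and ntlm_auth to reach the DC."""
    smb, krb5, findings = parse_ini(smb_text), parse_ini(krb5_text), []
    smb_realm = smb.get("global", {}).get("realm", "").upper()
    workgroup = smb.get("global", {}).get("workgroup", "").upper()
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "").upper()
    defined = {k.upper() for k, v in krb5.get("realms", {}).items() if isinstance(v, dict)}
    if smb_realm != default_realm:
        findings.append(f"smb.conf realm {smb_realm!r} != krb5 default_realm {default_realm!r}")
    if default_realm not in defined:
        findings.append(f"default_realm {default_realm} has no [realms] block; defined: {sorted(defined)}")
    for domain, realm in krb5.get("domain_realm", {}).items():
        if realm.upper() not in defined:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    # the NT-Domain fallback in the mschap ntlm_auth line should be the workgroup or the realm
    fallback = re.search(r"--domain=%\{%\{mschap:NT-Domain\}:-([^}]+)\}", mschap_text)
    if fallback and fallback.group(1).upper() not in {workgroup, smb_realm}:
        findings.append(f"mschap NT-Domain fallback {fallback.group(1)} is neither workgroup nor realm")
    return findings


def check_client_secrets(clients_text, min_len=16):
    """Flag NAS entries whose RADIUS shared secret is missing, short or a common default."""
    findings = []
    for m in re.finditer(r"client\s+(\S+)\s*\{(.*?)\}", clients_text, re.S):
        nas, body = m.group(1), m.group(2)
        s = re.search(r"^\s*secret\s*=\s*(\S+)", body, re.M)
        if not s:
            findings.append(f"{nas}: no shared secret configured")
        elif len(s.group(1)) < min_len or s.group(1).lower() in WEAK_SECRETS:
            findings.append(f"{nas}: weak shared secret ({len(s.group(1))} chars)")
    return findings


def run_all():
    """Run every check over the constructed samples and return the findings per area."""
    return {"realm": check_realm_consistency(SMB_CONF, KRB5_CONF, MSCHAP_CONF),
            "clients": check_client_secrets(CLIENTS_CONF)}
```

Run against real files by reading them into the three `*_text` arguments; an empty list from both checks means the names line up and no switch is still using a test secret.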
FreeRADIUS + Cisco switch + Windows AD: implementing 802.1X authentication