admin 管理员组文章数量: 887021
2024年3月7日发(作者:swing布局方式)
什么是FreeRADIUS?
RADIUS是Remote Access Dial In User Service的简称。 RADIUS主要用来提供认证(Authentication)机制,用来辨认使用者的身份与密码 –> 确认通过之后,经由授权
(Authorization)使用者登入网域使用相关资源 –> 并可提供计费(Accounting)机制,保存使用者的网络使用记录。 FreeRADIUS是一款OpenSource软件,基于RADIUS协议,实现RADIUS AAA(Authentication、Authorization、Accounting)功能。
Radius认证的过程:
1,supplicant向NAS发起802.1X的EAP0L-START;
2,NAS收到EAP0L-START之后发给supplicant一个eap/identity;
3,supplicant收到这个eap/identity之后将username作为response发回给NAS;
4,NAS将包含有username的eap包封装入RADIUS包的的eap_message属性中,并作为access request包(包ID假定为1)发给RADIUS服务器;
5,RADIUS服务器收到这个含有eap_message属性的RADIUS包之后,发回一个带有eap_message(其内部的EAP包为md5 challenge)给NAS;
6,NAS收到这个RADIUS包之后将eap_message属性中的EAP包提取出来,然后封装在EAPOL中发给supplicant;
7,supplicant收到这个EAP/MD5 CHALLENGE之后将passwd放入EAP包中发给NAS,然后NAS再次打包发给RADIUS
8,RADIUS进行认证,如果username和passwd匹配之后认证通过。
目的:搭建freeradius服务器 实现用户上网的Mac地址认证
环境:centos+freeradius+mysql
安装:
一、安装openssl
二、安装mysql
1
[root@zhinan~] yun groupinstall "MySQL Database" /#安装MySQL数据库
2
[root@zhinan~] service mysqld start /#启动数据库
3
[root@zhinan~] netstat -nax /#查看3306端口是否在使用,从而确定安装是否成功
4
[root@zhinan~] mysqladmin -u root password '123' /#修改root的密码为123
5
[root@zhinan~] mysql -u root -p123 /#进入mysql,查看数据库是正常使用。正常使用则退出
三,安装freeradius
最新的freeradius的版本是2.2.0。
1
[root@zhinan~] tar -xzvf /#解压缩
2
[root@zhinan~] cd freeradius-server-2.2.0 /#进入解压缩后的目录:
3
[root@zhinan~] ./config /#检测安装环境
4
[root@zhinan~] make /#编译
5
[root@zhinan~] make install /#安装
安装完后,可以使用命令
1 [root@zhinan~] radiusd -x /#进入radiusd服务器的调试模式,如果能进入则安装成功。
安装成功后freeradius的配置文件的路径是:usr/local/etc/raddb/
日志文件的路径是:usr/local/var/log
一般以上过程不会出问题,主要的问题在于配置。
radius 服务器几个配置文件
服务器端配置
存储radius客户端(NAS,ROUTER)的验证信息,主要是配KEY
./modules/ 主要是针对LDAP,MYSQL、数字证书等的配置
四、配置过程
1
[root@zhinan~] mysql -u root -p123 /#登陆mysql
2
mysql> creat database radius; /#创建数据库
3
mysql> exit /#退出数据库。
4
[root@zhinan~] cd usr/local/etc/raddb/sql/mysql /#进入5
usr/local/etc/raddb/sql/mysql下
[root@zhinan~] mysql -u root -p radius < /#把表导入到数据库中
(注意,2.1.1版本的数据库文件是 ,这跟其他版本不同,1.1.7版本之前的数据库文件是 ,或者rlm_,而且存放路径不同)
导入后,可以在用命令
1
mysql> use radius;
2
mysql> show tabels; /#看到以下数据库表:
3
4
+------------------+
5
6
| Tables_in_radius |
7
8
+------------------+
9
10
| radacct |
11
12
| radcheck |
13
14
| radgroupcheck |
15
16
| radgroupreply |
17
18
| radpostauth |
19
20
| radreply |
21
22
| radusergroup |
23
24
+------------------+
修改usr/local/etc/raddb/site_enabled下的defoult文件(2.1.1与1.1.7不同,被分成了几个部分,authorize 被放在了defoult文件下,请注意),把authorize{} 、accounting {}中的sql前面的#去掉,并把authorize{} 中的files前加#;如下示:
1
authorize {
2
chap
3
mschap
4
suffix
5
eap
6
#files
7
sql
8
pap
9
}
10
accounting {
11
detail
12
unix
13
radutmp
14
sql
15
}
修改与mysql数据库连接的配置文件/usr/local/etc/raddb/,
1
server = "localhost"
2
login = "root"
3
password = "数据库root的登陆密码"
4
radius_db = "radius" /#radius为数据库名
修改客户端信息配置文件:/usr/local/etc/raddb/
1
client 127.0.0.1 {
2
secret = testing123
3
shortname = localhost
4
nastype = other
5
}
6
7
client 10.1.1.5 {
8
ipaddr = 10.1.1.5
9
secret = testing123 /#Secret:Radius aaa与NAS之间的key传送是密文,而不是口令,10 是MD5计算结果
11
shortname = nas01
nastype =other
在数据库中加入测试帐号
1
[root@zhinan~] mysql -u root -p123
2
mysql> use radius;
建立组信息:
insert into radgroupreply (groupname,attribute,op,value) values
('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values
('user','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values
('user','Framed-IP-Address',':=','255.255.255.255′);
insert into radgroupreply (groupname,attribute,op,value) values
('user','Framed-IP-Netmask',':=','255.255.255.0′);
建立用户信息:
insert into radcheck (username,attribute,op,value) values
('test','User-Password',':=','test');
配置集中式MAC认证的时,只需往radcheck表中添加MAC地址作为用户名和密码就可以了。
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('geng', 'Password',
'peng');
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('5cff350d01d8',
'Password', '5cff350d01d8');
将用户加入组中:
insert into radusergroup (username,groupname) values ('test','user');
mysql> exit; /#退出数据库
测试radius
1
[root@zhinan~] radiusd -X
2 然后另外打开一个终端输入一下信息
3
[root@zhinan~] radtest test test localhost 0 testing123
4
Sending Access-Request of id 222 to 127.0.0.1 port 1812
5
User-Name = "test"
6
User-Password = "test"
7
NAS-IP-Address = 127.0.0.1
8
NAS-Port = 0
Access-Accept packet from host 127.0.0.1 port 1812, id=222, length=38
9
rad_recv:
10
Service-Type = Framed-User
11
Framed-IP-Address = 255.255.255.255
12
Framed-IP-Netmask = 255.255.255.0
13 如果显示如上信息,则恭喜,freeradius安装配置成功。
排错:
【1】如果出现“rlm_sql (sql): Could not link driver rlm_sql_mysql:
rlm_sql_: cannot open shared object file: No such file or
directory”
找不到驱动包的错误,就要
a:先安装mysql-devel
b:然后进入到freeradius的安装文件目录下的src/modules/rlm_sql/drivers/rlm_sql_mysql 运行命令:./configure
–with-mysql-dir=/usr/share/mysql/ –with-mysql-lib-dir=/usr/lib/mysql/
c:make;make intall 这时候会把rlm_sql_mysql的驱动安装到/usr/local/lib目录下,但是必须把这些驱动copy到/usr/lib 目录下才能正常运行:#cp -a
/usr/local/lib/rlm_sql_mysql* /usr/lib
【2】radiusd -X
调试提示 Failed binding to authentication address * port 1812:
Address already in use /usr/local/etc/raddb/[240]:
Error binding to port for 0.0.0.0 port 1812
1812端口被占用
1
[root@zhinan~] lsof -i:1812 /#显示占用1812端口的进程
2
radiusd 5507 root 10u IPv4 17199 0t0 UDP *:radius
3
[root@zhinan~]kill 5507 /#杀掉pid为5507的进程,pid根据lsof命令输出得。
交换机中的配置
MAC-authentication
MAC-authentication domain test
#
radius scheme freeradius
server-type standard
primary authentication 10.1.5.100
accounting optiona
key authentication testing123
user-name-format without-domain
nas-ip 10.1.1.5
#
domain jiubang
scheme radius-scheme freeradius
#
interface ethernet 1/0/22
port access vlan 5
MAC-authentication
测试
1 [root@zhinan~] radiusd -X /#开启radius服务
当有用户认证时,信息如下:
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.5 port 5001, id=10, length=117
User-Name = “7845c40a786a@test”
User-Password = “7845c40a786a”
NAS-IP-Address = 10.1.1.5
NAS-Identifier = “3822d6bc438f”
NAS-Port = 16871429
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = “7845-c40a-786a”
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm “test” for User-Name = “7845c40a786a@test”
[suffix] No such realm “test”
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> 7845c40a786a@test
[sql] sql_set_user escaped user –> „7845c40a786a@test‟
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
username = „%{SQL-User-Name}‟ ORDER BY id -> SELECT id, username, attribute,
value, op FROM radcheck WHERE username = „7845c40a786a@test‟ ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username =
„%{SQL-User-Name}‟ ORDER BY priority -> SELECT groupname FROM
radusergroup WHERE username = „7845c40a786a@test‟ ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 7845c40a786a@test not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No “known good” password found for the user. Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the
user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {…}
[attr__reject] expand: %{User-Name} -> 7845c40a786a@test
attr_filter: Matched entry DEFAULT at line 11
++[attr__reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 10 to 10.1.1.5 port 5001
Waking up in 4.9 seconds.
Cleaning up request 0 ID 10 with timestamp +61
Ready to process requests
版权声明:本文标题:基于freeradius的mac认证 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.freenas.com.cn/jishu/1709821839h547770.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论