CentOS 7.4 + FreeRADIUS + LDAP (Windows AD) authentication: building a RADIUS server
(1) Introduction
FreeRADIUS is generally used for account authentication and accounting management. The broadband and Internet-access accounts of telecom operators are commonly authenticated and accounted for by a RADIUS server. FreeRADIUS includes a RADIUS server and a RADIUS client and can authenticate and account for any network device that supports the RADIUS protocol. ------ Baidu Baike
(2) Install and configure the service
# yum install freeradius freeradius-ldap freeradius-utils -y
# systemctl enable radiusd.service
# systemctl start radiusd.service
(3) Modify the relevant configuration files
3.1 Edit /etc/raddb/mods-available/ldap. The changes are in the ldap section; everything else keeps its defaults.
# cat /etc/raddb/mods-available/ldap | grep -v '#' | grep -v ^$
ldap {
    server = 'x.x.x.x'                                  # LDAP server
    port = 389                                          # port
    identity = 'CN=opsldap,CN=Users,DC=txxxdxx,DC=me'   # account used to bind to LDAP
    password = xxxxxxxx                                 # password of the bind account
    base_dn = 'DC=txxxdxx,DC=me'                        # search base DN
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        control:                     += 'radiusControlAttribute'
        request:                     += 'radiusRequestAttribute'
        reply:                       += 'radiusReplyAttribute'
    }
    edir = no                                           # changed
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"   # changed to sAMAccountName
        # everything below keeps the defaults
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
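The user filter is the one line that ties a RADIUS login to an AD object, so it is worth seeing exactly what it expands to. The Python below is an added illustration, not part of the original post or of FreeRADIUS: it models how `%{%{Stripped-User-Name}:-%{User-Name}}` picks the login name (the realm-stripped name when the suffix module set one, otherwise the raw User-Name) and applies the RFC 4515 escaping that rlm_ldap performs on expanded attribute values, which is what keeps a user-supplied name from altering the filter. The realm txxxdxx.me is taken from the post's base_dn; the sample logins are constructed.

```python
"""Model of the user filter: Stripped-User-Name fallback plus RFC 4515 value escaping."""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value,
# so a user-supplied name can only be compared against sAMAccountName, never reshape the filter.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value; rlm_ldap applies the same escaping to expanded attributes."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def strip_realm(user_name: str, local_realm: str):
    """Model of the suffix module that runs before ldap: for 'user@realm' with a known realm
    it sets Stripped-User-Name to 'user'; for anything else the attribute stays unset (None)."""
    name, sep, realm = user_name.rpartition("@")
    return name if sep and realm.lower() == local_realm.lower() else None


def build_user_filter(user_name: str, stripped_user_name=None) -> str:
    """Expand "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})": the ':-' operator
    means 'Stripped-User-Name if it is set, otherwise User-Name'."""
    login = stripped_user_name if stripped_user_name else user_name
    return f"(sAMAccountName={escape_filter_value(login)})"


def demo(local_realm: str = "txxxdxx.me"):
    """Filters produced for a few constructed logins (the realm is the one in the post's base_dn)."""
    logins = ["bob", "bob@txxxdxx.me", "alice@other.example", "smith*)"]
    return {u: build_user_filter(u, strip_realm(u, local_realm)) for u in logins}
```

`demo()` shows that `bob` and `bob@txxxdxx.me` resolve to the same filter, that a name in an unknown realm is searched as written, and that filter metacharacters in a name end up as `\2a` and `\29` rather than as syntax.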
3.2 Create a symlink under mods-enabled/
# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
# ll /etc/raddb/mods-enabled/ldap
lrwxrwxrwx 1 root root 30 Jul 17 18:19 /etc/raddb/mods-enabled/ldap -> /etc/raddb/mods-available/ldap
3.3 Create the site_ldap file under sites-available/
# cat /etc/raddb/sites-available/site_ldap
ldap {
    server = 'x.x.8.55'                                 # LDAP server
    port = 389                                          # port
    identity = 'CN=opsldap,CN=Users,DC=txxxdxx,DC=me'   # account used to bind to LDAP
    password = xxxxxxxx                                 # password of the bind account
    base_dn = 'DC=txxxdxx,DC=me'                        # search base DN
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        control:                     += 'radiusControlAttribute'
        request:                     += 'radiusRequestAttribute'
        reply:                       += 'radiusReplyAttribute'
    }
    edir = no                                           # changed
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"   # changed to sAMAccountName
        # everything below keeps the defaults
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
3.4 Create the symlink under sites-enabled/
# ln -s /etc/raddb/sites-available/site_ldap /etc/raddb/sites-enabled/
# ll /etc/raddb/sites-enabled/site_ldap
lrwxrwxrwx 1 root root 36 Jul 17 18:21 /etc/raddb/sites-enabled/site_ldap -> /etc/raddb/sites-available/site_ldap
(4) Test RADIUS. The settings can be applied and tested either by restarting the service or by running radiusd -X in the foreground.
# systemctl restart radiusd
or
# radiusd -X
4.1 Edit /etc/raddb/clients.conf, which defines the client networks allowed to authenticate and their shared secrets. (This is the server-side file that records the clients; its defaults only provide the local entries for testing on the same host, i.e. right after installation only a client on the RADIUS server itself may reach it.)
# cat /etc/raddb/clients.conf | grep -v '#' | grep -v ^$
client localhost {                          ### client network
    ipaddr = 127.0.0.1                      ### IP address allowed to send requests
    proto = *
    secret = testing123                     ### shared secret
    require_message_authenticator = no
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
client localhost_ipv6 {
    ipv6addr = ::1
    secret = testing123
}
4.2 Edit the test user file /etc/raddb/users and add the test account bob with password hello.
# cat /etc/raddb/users | grep -v '#' | grep -v ^$
bob     Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}"
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
4.3 Test that it works
# radtest bob hello localhost 0 testing123
Sent Access-Request Id 151 from 0.0.0.0:52757 to 127.0.0.1:1812 length 73
    User-Name = "bob"
    User-Password = "hello"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "hello"
Received Access-Accept Id 151 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
    Reply-Message = "Hello, bob"
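To see what radtest actually put on the wire above, here is an added example (my own code, not part of the post or of FreeRADIUS) that builds the same Access-Request for bob/hello with the clients.conf secret testing123, hides the password the way RFC 2865 prescribes, fills in the Message-Authenticator that `require_message_authenticator = yes` would make mandatory (the `0x00` radtest prints is the placeholder before the HMAC is computed), and verifies the Access-Accept's Response Authenticator against the request. The Request Authenticator is random, so the bytes differ per run; the packet sizes, 73 and 32, are the ones printed above. Cleartext-Password is internal to radtest and is not sent, which is why it does not count toward the length.

```python
"""Build and check RADIUS Access-Request / Access-Accept packets (RFC 2865, RFC 2869)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # attribute type codes
REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 80


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret + c[i-1]), c[-1] = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password: what the server does before binding to LDAP."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (value + 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> list:
    """Walk the TLVs after the 20-byte header, refusing lengths that run past the packet."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        length = packet[pos + 1]
        attrs.append((packet[pos], packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip="127.0.0.1",
                         nas_port=0, authenticator=None) -> bytes:
    """radtest's attribute set; Message-Authenticator = HMAC-MD5(secret, packet with its value zeroed)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(NAS_PORT, struct.pack("!I", nas_port))
             + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # the 0x00 placeholder radtest prints
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()  # MA is the last attribute


def check_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: only a sender holding the shared secret passes; require_message_authenticator = yes demands it."""
    pos = 20
    for attr_type, value in parse_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
        pos += 2 + len(value)
    return False  # attribute absent: tolerated only when require_message_authenticator = no


def build_access_accept(request: bytes, secret: bytes, reply_message: str) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = avp(REPLY_MESSAGE, reply_message.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Response Authenticator binds it to our request."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Replay the post's exchange offline: bob / hello with the clients.conf secret testing123."""
    secret, auth = b"testing123", os.urandom(16)
    request = build_access_request(151, secret, "bob", "hello", authenticator=auth)
    reply = build_access_accept(request, secret, "Hello, bob")
    ok = verify_response(reply, auth, secret) and check_message_authenticator(request, secret)
    return len(request), len(reply), ok, dict(parse_attributes(reply))[REPLY_MESSAGE]
```

`demo()` returns `(73, 32, True, b'Hello, bob')`. Two things follow from the code that the radtest output alone does not show: anyone on the path who knows the shared secret can recover User-Password, so the secret in clients.conf deserves the same care as a password, and with `require_message_authenticator = no` a request without the HMAC is still processed, so the only thing authenticating the client is its source address.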
(5) Testing FreeRADIUS from another network
1. Server side: edit /etc/raddb/clients.conf and add a client with a shared secret, secret = tdops; shortname can be anything. The client IP can be a single address or a whole network. Add an entry in the following format:
# vim /etc/raddb/clients.conf
client 172.20.66.0/24 {
    secret = testing123
    shortname = CE-SW
}
2. Test from a host in the permitted network.
# radtest lqb xxx 172.20.66.127:1833 0 testing123
Sent Access-Request Id 186 from 0.0.0.0:39032 to 172.20.66.127:1833 length 80
    User-Name = "lqb"
    User-Password = "xxx"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "xxx"
Received Access-Accept Id 186 from 172.20.66.127:1833 to 0.0.0.0:0 length 20
3. The server log shows:
Wed Jul 18 16:18:31 2018 : Info: Need 5 more connections to reach 10 spares
Wed Jul 18 16:18:31 2018 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
Wed Jul 18 16:18:31 2018 : Auth: (0) Login OK: [lqb (from client 172.20.66.0/24 port 0)
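The `Auth:` line above is all the server records for a successful login; a failed LDAP bind is logged in the same shape as `Login incorrect (...)`. As an added example (not from the post), the Python below parses such lines from /var/log/radius/radius.log and flags a client/user pair that accumulates repeated failures inside a short window, which is the simplest useful detection to run over this log once the server is exposed to other networks. The first two sample lines are the post's own; the remaining lines are constructed for the demo, as are the threshold and window.

```python
"""Parse FreeRADIUS 3 'Auth:' log lines and flag repeated failed logins per client/user."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<stamp> : Auth: (<n>) Login OK|incorrect[ (reason)]: [user] (from client X port N ...".
# The closing ']' after the user is optional because the line quoted in the post lost it.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: \(\d+\) "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]\s]+)\]? \(from client (?P<client>\S+) port (?P<port>\d+)"
)

# The first two lines are from the post; the rest are constructed in the same shape for this demo.
SAMPLE_LOG = """\
Wed Jul 18 16:18:31 2018 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
Wed Jul 18 16:18:31 2018 : Auth: (0) Login OK: [lqb (from client 172.20.66.0/24 port 0)
Wed Jul 18 16:20:02 2018 : Auth: (1) Login incorrect (ldap: Bind credentials incorrect): [svc-backup] (from client 172.20.66.0/24 port 0)
Wed Jul 18 16:20:09 2018 : Auth: (2) Login incorrect (ldap: Bind credentials incorrect): [svc-backup] (from client 172.20.66.0/24 port 0)
Wed Jul 18 16:20:15 2018 : Auth: (3) Login incorrect (ldap: Bind credentials incorrect): [svc-backup] (from client 172.20.66.0/24 port 0)
Wed Jul 18 16:41:00 2018 : Auth: (4) Login incorrect (ldap: Bind credentials incorrect): [svc-backup] (from client 172.20.66.0/24 port 0)
Wed Jul 18 16:45:12 2018 : Auth: (5) Login incorrect (ldap: Bind credentials incorrect): [bob] (from client 127.0.0.1 port 0)
""".splitlines()


def parse_auth_line(line: str):
    """Return a dict for an Auth: line (timestamp parsed, port as int), or None for anything else."""
    m = AUTH_LINE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%a %b %d %H:%M:%S %Y")
    ev["port"] = int(ev["port"])
    return ev


def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Map (client, user) -> largest number of 'Login incorrect' events that fell inside one
    sliding window; pairs that never reach the threshold are left out."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_auth_line(line)
        if ev and ev["result"] == "incorrect":
            failures[(ev["client"], ev["user"])].append(ev["ts"])
    flagged = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged


def demo():
    """Three failures for svc-backup within 13 seconds trip the default threshold; bob's single one does not."""
    return failed_login_bursts(SAMPLE_LOG)  # {('172.20.66.0/24', 'svc-backup'): 3}
```

Note that the `client` field is the clients.conf entry that matched, here the whole 172.20.66.0/24 block, not the NAS address itself; when a client entry covers a network, the log cannot tell which host inside it sent the requests, which is an argument for per-device client entries once testing is over.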
At this point authentication against the Windows AD domain is complete.