Strongswan + freeradius + daloradius + AD authentication for an IKEv2 access service, Part 2

strongswan / openswan / freeradius discussion QQ group: 892427461





Part 2    Install and configure freeradius-4.0.0 and Samba, using winbind to integrate Windows Active Directory domain-account authentication and enforce user-group authentication


Experiment dates: 2018-08-07 to 2018-08-08



Topology diagram:

(image: 拓撲.PNG)


Environment:

    Firewall 1: FW1    USG2200

        External IP: 10.99.101.170    Domain name: strongswan.test.com
        Internal IP: 192.168.20.3

    Firewall 2: FW2    USG2200

        External IP: 10.99.101.129    Domain name: mystrongswan.test.com
        Internal IP: 192.168.20.2

    Firewall 5: FW5    USG2200

        External IP: 10.99.101.167
        Internal IP: 131.107.0.1

    Servers:

        Domain controller:
            Windows Server 2016
            IP address: 192.168.20.10    Domain name: dc.test.com

        strongswan server:
            CentOS 7
            IP address: 192.168.20.29
            Strongswan-5.6.3

        freeradius server:
            CentOS 7
            IP address: 192.168.20.27
            freeradius-4.0.0

    Client: Windows 7

        Built-in VPN client, EAP-MSCHAPv2 mode and computer-certificate mode




Part 2    Install and configure freeradius-4.0.0 and Samba, using winbind to integrate Windows Active Directory domain-account authentication and enforce user-group authentication


Experiment dates: 2018-08-07 to 2018-08-07



1. CentOS 7 minimal install (any other install type works too)

    Set the IP address

cd /etc/sysconfig/network-scripts

vi ifcfg-ens32

    BOOTPROTO=static
    ONBOOT=yes
    IPADDR=192.168.20.27
    NETMASK=255.255.255.0
    GATEWAY=192.168.20.2
    DNS1=192.168.20.10

reboot


 

2. Install vim (optional; everything works without it)

yum install -y vim

3. Upgrade the system after installation (optional; everything works without it)

yum upgrade -y

    Upgrades all packages without changing software or system settings; the system version is upgraded, the kernel is not.

yum update -y

    Upgrades all packages and changes software and system settings; both the system version and the kernel are upgraded.


4. Disable SELinux

vim /etc/sysconfig/selinux

    SELINUX=disabled

reboot
sestatus

    SELinux status:   disabled


5. Install and configure Samba

yum install samba -y

yum install samba-winbind -y

vim /etc/samba/smb.conf

[global]
   netbios name = freeradius
   workgroup = TEST
   server string = RADIUS server
   security = ads
   invalid users = root
   socket options = TCP_NODELAY
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind use default domain = no
   winbind max domain connections = 5
   winbind max clients = 1000
   password server = DC.TEST.COM
   realm = TEST.COM

systemctl restart smb nmb

net ads join -U administrator

    Output:

    Joined 'FREERADIUS' to dns domain 'test.com'
    NO DNS domain configured for freeradius.Unable to perform DNS Update.
    DNS update failed:NT_STATUS_INVALID_PARAMETER

systemctl restart winbind

net ads testjoin

    Output:

    Joins is OK.

systemctl enable smb nmb winbind

A computer account named freeradius is now visible on the domain controller dc.test.com.



6. Download the freeradius source

yum install -y git

cd /usr/src

git clone git://github.com/freeradius/freeradius-server.git

cd /usr/src/freeradius-server

    The checked-out revision used in this write-up:

commit d0b4760e41db01f09c49cea90065ae5cc4b27256
Merge: b342d5f 3fa2f22
Author: Alan DeKok <aland@freeradius.org>
Date:   Wed Nov 16 11:16:35 2016 -0500


7. The build requires C11 support, so install gcc 4.9


yum install centos-release-scl -y
 
yum install devtoolset-3-toolchain -y
 
scl enable devtoolset-3 bash

gcc --version

     

    Output:

    gcc (GCC) 4.9.2 20150212 (Red Hat 4.9.2-6)

    Copyright (C) 2014 Free Software Foundation, Inc.

    This is free software; see the source for copying conditions.  There is NO

    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPO


8-1. Build and install freeradius. This step records which configure / make / make install error messages correspond to which missing packages; skip straight to 8-2 if you do not want to read it.


scl enable devtoolset-3 bash

./configure


    Error:


    configure: WARNING: talloc library not found. Use --with-talloc-lib-dir=<path>.

    configure: error: FreeRADIUS requires libtalloc.  Please read doc/developer/dependencies.rst for further instructions.

    

    Install libtalloc-devel

yum -y install libtalloc-devel

./configure


    Error:


    configure: WARNING: kqueue library not found. Use --with-kqueue-lib-dir=<path>.

    configure: error: FreeRADIUS requires libkqueue (or system kqueue).  Please read doc/developer/dependencies.rst for further instructions.


    Install libkqueue

cd /usr/src

yum install -y wget
 
wget https://jaist.dl.sourceforge.net/project/libkqueue/libkqueue-2.0/libkqueue-2.0.1.tar.gz
 
tar -xzvf libkqueue-2.0.1.tar.gz
 
cd libkqueue-2.0.1/
 
./configure
 
make
 
make install
 
ln -s /usr/local/include/kqueue/sys /usr/local/include/

cd /usr/src/freeradius-server

./configure


    Error:

   

    configure: error: failed linking to libcrypto. Use --with-openssl-lib-dir=<path>, or --with-openssl=no (builds without OpenSSL)

    See `config.log' for more details

    

    Install openssl-devel


yum install -y openssl-devel

./configure

    Output:


    config.status: creating all.mk


    configure now passes, but winbind and MySQL support are still missing:


     configure: WARNING: wbclient.h not found. Use --with-winbind-include-dir=<path>.

    configure: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient


yum install -y libwbclient-devel

    

    configure: WARNING: core/ntstatus.h not found. Use --with-winbind-include-dir=<path>.


yum install -y samba-devel

    

    configure: WARNING: MySQL headers not found. Use --with-mysql-include-dir=<path>.

    configure: WARNING: silently not building rlm_sql_mysql.

    configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient || libmysqlclient_r mysql.h.


yum install -y mariadb-devel


    Install readline-devel, otherwise make produces this error:

     

    src/bin/radmin.c:79:15:warning:passing argument 1 of 'fgets' from incompatible pointer type line = fgets(readline_buffer, sizeof(readline_buffer),stdin);


yum install -y readline-devel

    

    Install libpcap-devel, otherwise make produces this error:


    src/lib/util/dict.c:48:8: error: unknown type name ‘fr_hash_table_t’

    static fr_hash_table_t *protocol_by_name = NULL; //!< Hash containing names of all the registered protocols.

    

yum install -y libpcap-devel


    Install pam-devel, otherwise radiusd -X after make install produces this error:

    

    /usr/local/etc/raddb/mods-enabled/pam[15]: Failed to link to module "rlm_pam": rlm_pam.so: cannot open shared object file: No such file or directory

    Not built with support for LSAN interface

    /usr/local/etc/raddb/mods-enabled/pam[15]: Make sure it (and all its dependent libraries!) are in the search path of your system's ld


yum install pam-devel

./configure



configure finished.




make

    

    Output:


    

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_sql/drivers/rlm_sql_db2/

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_lua/

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_krb5/

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_sql/drivers/rlm_sql_db2/

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_lua/

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_krb5/


make reconfig


    Output:


    Makefile:192: *** You need to install autoconf to re-build the "configure" scripts。 中止。


yum install autoconf -y

make reconfig

make

   

    make succeeds


make install

    

    freeradius installed successfully; the configuration files are under /usr/local/etc/raddb/


radiusd -X

    

    Error:


    

    Unable to open file "/usr/local/etc/raddb/certs/rsa/ca.pem": Effective user/group - root:root: ENOENT: No such file or directory

    rlm_eap_tls - Failed initializing SSL context

    /usr/local/etc/raddb/mods-enabled/eap[15]: Instantiation failed for module "eap"


cd /usr/local/etc/raddb/certs

make

radiusd -X


    Output:

  

    Ready to process requests


    Started successfully in debug mode


8-2. Build and install freeradius (the condensed sequence)


scl enable devtoolset-3 bash

yum -y install libtalloc-devel openssl-devel libwbclient-devel samba-devel mariadb-devel readline-devel pam-devel autoconf libpcap-devel net-snmp-devel net-snmp-utils gdbm-devel libtool libtool-ltdl-devel zlib-devel openldap-devel krb5-devel python-devel mysql-devel postgresql-devel unixODBC-devel memcached-devel
 
cd /usr/src

yum install -y wget

wget https://jaist.dl.sourceforge.net/project/libkqueue/libkqueue-2.0/libkqueue-2.0.1.tar.gz

tar -xzvf libkqueue-2.0.1.tar.gz

cd libkqueue-2.0.1/

./configure

make

make install

ln -s /usr/local/include/kqueue/sys /usr/local/include/

cd /usr/src/freeradius-server

./configure

make

make install

cd /usr/local/etc/raddb/certs

make

radiusd -X

Ready to process requests

Started successfully in debug mode



9. Open the firewall ports


firewall-cmd --zone=public --add-port=1812/udp --permanent
 
firewall-cmd --zone=public --add-port=1813/udp --permanent
 
firewall-cmd --reload



10. Configure freeradius

    Enable winbind

ln -s /usr/local/etc/raddb/mods-available/winbind /usr/local/etc/raddb/mods-enabled/

vim /usr/local/etc/raddb/mods-enabled/mschap

    Uncomment

    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "%{mschap:NT-Domain}"

vim /usr/local/etc/raddb/sites-enabled/default

    Add a group check to the send Access-Accept section so that only users in the strongswan group pass authentication:

    send Access-Accept {
        ...
        if (!Winbind-Group == "strongswan") {
            reject
        }
        ...
    }


radiusd -X

    Test from a second terminal on the same machine

    Domain user: sswanuser1       password asdf123.    member of the strongswan group
    Domain user: feisswanuser1    password asdf123.    not a member of the strongswan group


radtest -t mschap sswanuser1 asdf123. 127.0.0.1 0 testing123


    Output:

    

Sent Access-Request Id 157 from 0.0.0.0:51595 to 127.0.0.1:1812 length 136

Cleartext-Password = "asdf123."

User-Name = "sswanuser1"

MS-CHAP-Password = "asdf123."

NAS-IP-Address = 127.0.0.1

NAS-Port = 0

Message-Authenticator = 0x00

MS-CHAP-Challenge = 0x9aff829427d02e33

MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000004599a4f2c634a7a8d3df706e509d3d9086007dbb590f6c78

Received Access-Accept Id 157 from 127.0.0.1:1812 to 0.0.0.0:51595 via lo length 84

MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

MS-MPPE-Encryption-Policy = Encryption-Allowed

MS-CHAP-MPPE-Keys = 0x00000000000000007b73fe4ee9d5c787afd20f901a960783


    Authentication passed

    

radtest -t mschap feisswanuser1 asdf123. 127.0.0.1 0 testing123



    Output:


Sent Access-Request Id 127 from 0.0.0.0:44856 to 127.0.0.1:1812 length 139

Cleartext-Password = "asdf123."

User-Name = "feisswanuser1"

MS-CHAP-Password = "asdf123."

NAS-IP-Address = 127.0.0.1

NAS-Port = 0

Message-Authenticator = 0x00

MS-CHAP-Challenge = 0xa8d0c5a792406d82

MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000eedb7a880b0bd9677cf1f25bd3cab570ca106dc6107b32a5

Received Access-Reject Id 127 from 127.0.0.1:1812 to 0.0.0.0:44856 via lo length 20

(0) -: Expected Access-Accept got Access-Reject


    Authentication failed
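A small regression script for the group policy tested above, as an added example that is not from the original post: it runs radtest for both test accounts and fails if a verdict differs from what the Winbind-Group check should produce. The host, secret and account names are the post's values; PASS_IN and PASS_OUT are assumed environment variables for the passwords.

```shell
#!/bin/sh
# Regression check for the Winbind-Group policy above. Added example, not code
# from the original post. Assumes radtest is on PATH, the server listens on
# 127.0.0.1:1812 and the client secret is "testing123" (values from the post).
set -eu

RADIUS_HOST=${RADIUS_HOST:-127.0.0.1}
RADIUS_SECRET=${RADIUS_SECRET:-testing123}

# classify_reply: read radtest output on stdin and print the server's verdict:
# "accept", "reject", or "unknown" (timeout, wrong secret, radtest missing).
classify_reply() {
    reply=$(cat)
    case "$reply" in
        *"Received Access-Accept"*) echo accept ;;
        *"Received Access-Reject"*) echo reject ;;
        *) echo unknown ;;
    esac
}

# check_user USER PASSWORD EXPECTED: run radtest with MS-CHAP as in the post
# and compare the verdict with what the group policy should produce.
check_user() {
    user=$1; pass=$2; expected=$3
    got=$(radtest -t mschap "$user" "$pass" "$RADIUS_HOST" 0 "$RADIUS_SECRET" 2>&1 | classify_reply)
    if [ "$got" = "$expected" ]; then
        echo "PASS $user: $got"
    else
        echo "FAIL $user: expected $expected, got $got" >&2
        return 1
    fi
}

# verify_group_policy: the two test accounts from the post. A member of the
# strongswan group must be accepted and a non-member rejected; any mismatch,
# including "unknown" (which would hide a broken winbind or secret), fails.
verify_group_policy() {
    status=0
    check_user sswanuser1    "${PASS_IN:-asdf123.}"  accept || status=1
    check_user feisswanuser1 "${PASS_OUT:-asdf123.}" reject || status=1
    return $status
}

# Only talk to the live server when invoked as: sh check_group_policy.sh run
if [ "${1:-}" = run ]; then
    verify_group_policy
fi
```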


11. Add freeradius as a system service

 

 

cd /lib/systemd/system/
 
vim radiusd.service

 

 

[Unit]

Description=FreeRADIUS high performance RADIUS server.

After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service

After=mariadb.service

 

[Service]

Type=forking

PIDFile=/usr/local/var/run/radiusd/radiusd.pid

# ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd

ExecStartPre=/usr/local/sbin/radiusd -C

ExecStart=/usr/local/sbin/radiusd -d /usr/local/etc/raddb

ExecReload=/usr/local/sbin/radiusd -C

ExecReload=/bin/kill -HUP $MAINPID

 

[Install]

WantedBy=multi-user.target




This concludes Part 2: Install and configure freeradius-4.0.0 and Samba, using winbind to integrate Windows Active Directory domain-account authentication and enforce user-group authentication.


Part 1    CentOS 7 strongswan installation and configuration supporting Windows 7 IKEv2 in EAP-MSCHAPv2 mode and computer-certificate mode

Part 2    Install and configure freeradius-4.0.0 and Samba, using winbind to integrate Windows Active Directory domain-account authentication and enforce user-group authentication

Part 3    Integrate Strongswan and freeradius to authenticate IKEv2 access by domain user group

Part 4    Install MySQL and daloradius for web management of freeradius

Part 5    Assign a fixed IP address per dial-in username (domain account) so that users can be tracked