CentOS 7.4 + FreeRADIUS + LDAP (Windows AD) authentication: building a RADIUS service

(1) Introduction
FreeRADIUS is commonly used for account authentication and accounting. The broadband and Internet-access accounts of telecom operators are typically authenticated and billed by a RADIUS server. FreeRADIUS consists of a RADIUS server and a RADIUS client, and can authenticate and account for network devices that support the RADIUS protocol. ------ Baidu Baike

(2) Install and configure the RADIUS server

[root@localhost ~]# yum install freeradius freeradius-ldap freeradius-utils -y
[root@localhost ~]# systemctl enable radiusd.service
[root@localhost ~]# systemctl start radiusd.service

(3) Edit the relevant configuration files

3.1 Edit /etc/raddb/mods-available/ldap, mainly the ldap section; everything else is left at its defaults

[root@localhost raddb]#  cat /etc/raddb/mods-available/ldap | grep -v '#' | grep -v ^$
ldap {
        server = 'x.x.x.x'   # LDAP server
        port = 389   # port
        identity = 'CN=opsldap,CN=Users,DC=txxxdxx,DC=me'  # bind account for LDAP
        password = xxxxxxxx   # bind password for LDAP
        base_dn = 'DC=txxxdxx,DC=me'   # base DN
        sasl {
        }
        update {
                control:Password-With-Header    += 'userPassword'
                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }
        edir = no   # changed
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"     # changed to sAMAccountName
                # the rest uses defaults
                sasl {
                }
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                membership_attribute = 'memberOf'
        }
        profile {
        }
        client {
                base_dn = "${..base_dn}"
                filter = '(objectClass=radiusClient)'
                template {
                }
                attribute {
                        ipaddr                          = 'radiusClientIdentifier'
                        secret                          = 'radiusClientSecret'
                }
        }
        accounting {
                reference = "%{tolower:type.%{Acct-Status-Type}}"
                type {
                        start {
                                update {
                                        description := "Online at %S"
                                }
                        }
                        interim-update {
                                update {
                                        description := "Last seen at %S"
                                }
                        }
                        stop {
                                update {
                                        description := "Offline at %S"
                                }
                        }
                }
        }
        post-auth {
                update {
                        description := "Authenticated at %S"
                }
        }
        options {
                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }
        tls {
        }
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }
}

3.2 Create a symlink under mods-enabled/

[root@localhost raddb]# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
[root@localhost raddb]# ll /etc/raddb/mods-enabled/ldap 
lrwxrwxrwx 1 root root 30 Jul 17 18:19 /etc/raddb/mods-enabled/ldap -> /etc/raddb/mods-available/ldap

3.3 Create the site_ldap file under sites-available/

[root@localhost raddb]# cat /etc/raddb/sites-available/site_ldap 

ldap {
        server = 'x.x.8.55'   # LDAP server
        port = 389   # port
        identity = 'CN=opsldap,CN=Users,DC=txxxdxx,DC=me'  # bind account for LDAP
        password = xxxxxxxx   # bind password for LDAP
        base_dn = 'DC=txxxdxx,DC=me'   # base DN
        sasl {
        }
        update {
                control:Password-With-Header    += 'userPassword'
                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }
        edir = no   # changed
        user {
                base_dn = "${..base_dn}"
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"     # changed to sAMAccountName
                # the rest uses defaults
                sasl {
                }
        }
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                membership_attribute = 'memberOf'
        }
        profile {
        }
        client {
                base_dn = "${..base_dn}"
                filter = '(objectClass=radiusClient)'
                template {
                }
                attribute {
                        ipaddr                          = 'radiusClientIdentifier'
                        secret                          = 'radiusClientSecret'
                }
        }
        accounting {
                reference = "%{tolower:type.%{Acct-Status-Type}}"
                type {
                        start {
                                update {
                                        description := "Online at %S"
                                }
                        }
                        interim-update {
                                update {
                                        description := "Last seen at %S"
                                }
                        }
                        stop {
                                update {
                                        description := "Offline at %S"
                                }
                        }
                }
        }
        post-auth {
                update {
                        description := "Authenticated at %S"
                }
        }
        options {
                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }
        tls {
        }
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }
}
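The user filter in 3.1 and 3.3 builds the LDAP query from Stripped-User-Name when the realm has been stripped, and from User-Name otherwise. The following added Python example (not code from the page or from FreeRADIUS) models that `%{...:-...}` fallback together with RFC 4515 escaping of the substituted value, comparable to what rlm_ldap applies before sending the filter, which is what keeps a user name containing filter metacharacters from changing the meaning of the query; the request dicts are constructed sample input.

```python
# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value, otherwise they change the structure of the filter.
_LDAP_ESCAPE = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a value so it is treated as a literal inside an LDAP filter."""
    return "".join(_LDAP_ESCAPE.get(ch, ch) for ch in value)


def user_filter(request: dict, attr: str = "sAMAccountName") -> str:
    """Return the search filter for a RADIUS request (attribute names are real).

    Mirrors %{%{Stripped-User-Name}:-%{User-Name}}: the ":-" alternation takes
    the first attribute that exists and expands to a non-empty string.
    """
    name = request.get("Stripped-User-Name") or request.get("User-Name", "")
    return f"({attr}={ldap_escape(name)})"


if __name__ == "__main__":
    # Constructed requests: a plain login, a realm-stripped login, and a
    # user name carrying a wildcard that must be neutralised.
    print(user_filter({"User-Name": "lqb"}))
    print(user_filter({"User-Name": "lqb@txxxdxx.me", "Stripped-User-Name": "lqb"}))
    print(user_filter({"User-Name": "a*"}))
```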

3.4 Create the symlink under sites-enabled

[root@localhost raddb]# ln -s /etc/raddb/sites-available/site_ldap /etc/raddb/sites-enabled/
[root@localhost raddb]# ll /etc/raddb/sites-enabled/site_ldap 
lrwxrwxrwx 1 root root 36 Jul 17 18:21 /etc/raddb/sites-enabled/site_ldap -> /etc/raddb/sites-available/site_ldap

(4) Test RADIUS. You can test by restarting the service or by running radiusd -X (debug mode)

[root@localhost mods-available]# systemctl restart radiusd
or
[root@localhost mods-available]# radiusd  -X

4.1 Edit /etc/raddb/clients.conf: the client networks allowed to authenticate and their shared secrets. (This is the server-side file that records the clients. By default it only contains the local entry used for testing on the same host, i.e. after installation only the local client may talk to the RADIUS server.)

[root@localhost raddb]#  cat /etc/raddb/clients.conf | grep -v '#' | grep -v ^$
client localhost {        ### client network allowed to authenticate
    ipaddr = 127.0.0.1   ### IP address of the client allowed to authenticate
    proto = *
    secret = testing123      ### shared secret
    require_message_authenticator = no
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
client localhost_ipv6 {
    ipv6addr    = ::1
    secret      = testing123
}

4.2 Edit the test users file /etc/raddb/users and add the test account bob with password hello

[root@localhost raddb]#  cat /etc/raddb/users | grep -v '#' | grep -v ^$
bob	Cleartext-Password := "hello"
	Reply-Message := "Hello, %{User-Name}"
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP

4.3 Test that it works

[root@localhost raddb]# radtest bob hello localhost 0 testing123
Sent Access-Request Id 151 from 0.0.0.0:52757 to 127.0.0.1:1812 length 73
    User-Name = "bob"
    User-Password = "hello"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "hello"
  Received Access-Accept Id 151 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
    Reply-Message = "Hello, bob"

(5) Testing FreeRADIUS with clients from another subnet
1. Server-side configuration: edit /etc/raddb/clients.conf with vim and add a client with the shared secret secret = tdops; shortname can be anything. The client IP can be a single address or a subnet. Add an entry in the following format:

[root@localhost raddb]# vim /etc/raddb/clients.conf 
client 172.20.66.0/24 {
        secret = testing123
        shortname = CE-SW
}
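Both clients.conf fragments on this page (4.1 and 5.1) keep the shipped secret testing123, do not require Message-Authenticator, and the second one shares a single secret with every host in a /24. The following added Python example (not from the page or the FreeRADIUS project) parses client { } blocks, including the nested limit { } section, and reports those three weaknesses; the config text is a constructed sample mirroring the page's blocks.

```python
import re

SAMPLE = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    limit {
        max_connections = 16
    }
}
client 172.20.66.0/24 {
    secret = testing123
    shortname = CE-SW
}
"""  # constructed sample mirroring the clients.conf blocks in 4.1 and 5.1
WEAK_SECRETS = {"testing123"}  # the default that ships in clients.conf


def parse_clients(text):
    # Returns {client_name: {key: value}} for the top-level items of each block.
    clients, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^client\s+(\S+)\s*\{$", line)
        if m and not stack:
            current = clients[m.group(1)] = {}
            stack.append("client")
        elif line.endswith("{"):  # nested section such as limit { }
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
            current = current if stack else None
        elif current is not None and len(stack) == 1 and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return clients


def audit(text):
    # Lists the weaknesses a reviewer would raise for each client block.
    findings = []
    for name, cfg in parse_clients(text).items():
        addr = cfg.get("ipaddr") or cfg.get("ipv6addr") or name  # name is the address if ipaddr is absent
        if cfg.get("secret") in WEAK_SECRETS:
            findings.append(f"{name}: default shared secret '{cfg['secret']}'")
        if cfg.get("require_message_authenticator", "no") != "yes":
            findings.append(f"{name}: Message-Authenticator not required")
        if "/" in addr:
            findings.append(f"{name}: one secret shared by every host in {addr}")
    return findings
```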

2. Run the test from a host in the specified subnet.

[root@localhost ~]#  radtest lqb xxx 172.20.66.127:1833 0 testing123
Sent Access-Request Id 186 from 0.0.0.0:39032 to 172.20.66.127:1833 length 80
    User-Name = "lqb"
    User-Password = "xxx"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "xxx"
Received Access-Accept Id 186 from 172.20.66.127:1833 to 0.0.0.0:0 length 20

3. The server-side log shows:

Wed Jul 18 16:18:31 2018 : Info: Need 5 more connections to reach 10 spares
Wed Jul 18 16:18:31 2018 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
Wed Jul 18 16:18:31 2018 : Auth: (0) Login OK: [lqb (from client 172.20.66.0/24 port 0)

With that, authentication against the Windows AD domain is complete.
