准备工作：搭建 CentOS 7，地址为 192.168.51.104
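# 192.168.51.104
# The guide turns the host firewall and SELinux off so the lab does not have to
# account for them. On a host reachable beyond the lab, keep both on and open
# only the RADIUS ports instead (firewalld ships a "radius" service for
# UDP 1812/1813):
#   firewall-cmd --permanent --add-service=radius && firewall-cmd --reload
# Note: the original lines used "//" for comments; in shell that text is passed
# to the command as an extra argument, so "#" is used here.
systemctl stop firewalld      # stop the firewall
systemctl disable firewalld   # do not start it at boot
# Only rewrite the SELINUX= key itself, not the explanatory comments in the
# file that also contain the word "enforcing". Takes effect after a reboot.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config   # disable SELinux
sestatus   # show SELinux state (reflects the change only after reboot)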
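# 192.168.51.104
yum install -y mariadb-server mariadb   # install the MariaDB server and client
systemctl start mariadb                 # start MariaDB
systemctl enable mariadb                # start it at boot
# Interactive hardening: set the root password, remove anonymous users and the
# test database, and disallow remote root login (accept the defaults with Enter
# for everything except the password, as the guide says).
mysql_secure_installation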
配置MariaDB
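# 192.168.51.104
# Create the radius database and a dedicated account whose rights are limited to
# that database. The interactive transcript is replaced by a here-doc so the
# statements can be pasted as-is; the original "//" remarks were not valid SQL
# comments and would have been sent to the server as statements.
# 'radius' is the example password used throughout this guide; in a real
# deployment use a generated one and put the same value in
# /etc/raddb/mods-available/sql (the "password" setting).
mysql -u root -p <<'SQL'
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY 'radius';
FLUSH PRIVILEGES;
SQL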
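# 192.168.51.104
# freeradius-mysql provides rlm_sql_mysql, the driver configured later in
# mods-available/sql; freeradius-utils provides radtest.
yum install -y freeradius freeradius-utils freeradius-mysql   # install FreeRADIUS and components
systemctl start radiusd.service    # start the radius service
systemctl enable radiusd.service   # start it at boot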
配置radius
# 192.168.51.104
配置 /etc/raddb/users，在文件开头添加一行：user1 Cleartext-Password := "radius"
# Foreground debug run; stays attached to this terminal until Ctrl-C.
radiusd -X
# From a second terminal: user / password / server / NAS-Port / shared secret.
# testing123 is the default secret of the localhost client in clients.conf.
test_user=user1
test_pass=radius
radtest "$test_user" "$test_pass" localhost 1812 testing123
Sent Access-Request Id 6 from 0.0.0.0:43355 to 127.0.0.1:1812 length 75
User-Name = "user1"
User-Password = "radius"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "radius"
Received Access-Accept Id 6 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
创建radius数据库和数据表
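# 192.168.51.104
# Load the FreeRADIUS schema (radcheck, radreply, radacct, ... as referenced by
# mods-available/sql) into the radius database; enter the root DB password at
# the prompt. The original line ended in a stray "/..." remark that the shell
# would pass to mysql as a second argument.
mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql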
配置sql
#192.168.51.104 配置/etc/raddb/mods-available/sql
sql {
driver = "rlm_sql_mysql"
dialect = "mysql"
# NOTE(review): with the MySQL client library "localhost" normally selects the
# local Unix socket rather than TCP 3306, so these credentials should not cross
# the network — confirm on the deployed host.
server = "localhost"
port = 3306
# Account created with GRANT ALL ON radius.* above. Because the password is
# stored here in clear text, this file is sensitive: keep it owned by root,
# group radiusd (see the chgrp step below) and not world-readable.
login = "radius"
password = "radius"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
authreply_table = "radreply"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
delete_stale_sessions = yes
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
# NAS definitions in the "nas" table are only loaded when read_clients = yes is
# set in this module; as configured here, clients still come from clients.conf.
client_table = "nas"
group_attribute = "SQL-Group"
# Per-dialect query set; presumably resolves under /etc/raddb/mods-config/sql/,
# the same tree schema.sql was loaded from.
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
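# The module file holds the DB password: make it readable by the radiusd group
# only, so the daemon can load it but other local users cannot read it.
chgrp -h radiusd /etc/raddb/mods-available/sql
chmod 640 -- /etc/raddb/mods-available/sql
# MariaDB must be up before radiusd loads rlm_sql.
systemctl status mariadb
# Enable the module: mods-enabled/sql is a symlink into mods-available.
# Absolute target path instead of cd + relative ln, so the step cannot
# silently create the link in the wrong directory if cd fails; -n replaces an
# existing link instead of creating a second link inside it, making the step
# safe to re-run.
ln -sfn ../mods-available/sql /etc/raddb/mods-enabled/sql
# One restart after the link is enough; the earlier restart before the module
# was enabled did not load it.
systemctl restart radiusd.service
systemctl status radiusd.service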
1.数据库中添加授权用户
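# Add a SQL-backed user. op ':=' makes Cleartext-Password the check item, the
# same thing the users-file line did for user1, now stored in radcheck.
# The interactive transcript is replaced by a here-doc and the INSERT gets the
# terminating ';' it was missing (without it the client waits for more input).
# Cleartext-Password is required for CHAP/MS-CHAP; if only PAP is used, a
# hashed form such as Crypt-Password limits what a leaked table exposes.
mysql -u root -p radius <<'SQL'
INSERT INTO radcheck (username, attribute, value, op)
  VALUES ('user2', 'Cleartext-Password', 'radius', ':=');
SQL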
2.本地测试
[root@work1 ~]# radtest user2 radius localhost 1812 testing123
Sent Access-Request Id 190 from 0.0.0.0:39209 to 127.0.0.1:1812 length 75
User-Name = "user2"
User-Password = "radius"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "radius"
Received Access-Accept Id 190 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
3.配置其他机器访问
[root@work1 ~]# cat /etc/raddb/clients.conf
client localhost {
# Loopback only: this is the client radtest on the server itself used above.
ipaddr = 127.0.0.1
proto = *
# testing123 is the stock secret shipped with the package; treat it as public.
secret = testing123
# With "no" the server accepts Access-Requests that carry no
# Message-Authenticator; "yes" rejects requests without a valid one, which
# stops forged requests from a party that does not hold the secret. Prefer yes
# wherever the NAS supports it.
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
}
# NOTE(review): 0.0.0.0/0 accepts RADIUS traffic from every IPv4 address, with
# the public default secret, and firewalld was disabled at the start of this
# guide — so anyone who can reach UDP 1812 can submit login attempts against
# the user database. Narrow this to the NAS addresses or subnet that actually
# need access (e.g. the network of the pyrad test host) and give each client a
# unique, randomly generated secret of at least 16 characters.
client 0.0.0.0/0 {
secret = testing123
}
4.使用pyrad
进行验证
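from __future__ import print_function
import os
import sys

from pyrad.client import Client, Timeout
from pyrad.dictionary import Dictionary
import pyrad.packet

# Shared secret; must equal the "secret" of the matching client block in
# /etc/raddb/clients.conf on the server. Read from the environment when set so
# it need not live in the script; falls back to the guide's default value.
secret = os.environ.get("RADIUS_SECRET", "testing123").encode()

# dictionary.rfc2865 (listed at the end of this guide) defines the attribute
# names used below.
srv = Client(server="192.168.51.104", secret=secret,
             dict=Dictionary("dictionary.rfc2865"))

# create request
req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
                           User_Name="user2", NAS_Identifier="localhost")
# PwCrypt hides the password with the shared secret (the standard RADIUS
# User-Password encoding, an obfuscation rather than strong encryption — the
# secret is what protects it on the wire).
req["User-Password"] = req.PwCrypt("radius")

# send request; SendPacket raises Timeout when no answer arrives, which is
# reported instead of left as a traceback. Typical causes: server down, wrong
# port, or this host's address not covered by a client block on the server.
try:
    reply = srv.SendPacket(req)
except Timeout:
    print("no reply from server (timeout)")
    sys.exit(1)

if reply.code == pyrad.packet.AccessAccept:
    print("access accepted")
else:
    print("access denied")

print("Attributes returned by server:")
for i in reply.keys():
    print("%s: %s" % (i, reply[i]))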
# 输出内容
access accepted
Attributes returned by server:
5.其他
dictionary.rfc2865
内容如下
# Subset of the standard RFC 2865 attributes, in the FreeRADIUS dictionary
# format pyrad reads: ATTRIBUTE <name> <number> <type>. Numbers 17 and 21 are
# unassigned in RFC 2865, which is why they are absent.
# NOTE(review): Message-Authenticator (attribute 80, RFC 2869) is not in this
# list; presumably pyrad cannot add it to requests unless it is defined here —
# verify before enabling require_message_authenticator = yes on the server.
ATTRIBUTE User-Name 1 string
# Carries the secret-hidden password produced by PwCrypt in the script above.
ATTRIBUTE User-Password 2 string
ATTRIBUTE CHAP-Password 3 octets
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Framed-IP-Netmask 9 ipaddr
ATTRIBUTE Framed-Routing 10 integer
ATTRIBUTE Filter-Id 11 string
ATTRIBUTE Framed-MTU 12 integer
ATTRIBUTE Framed-Compression 13 integer
ATTRIBUTE Login-IP-Host 14 ipaddr
ATTRIBUTE Login-Service 15 integer
ATTRIBUTE Login-TCP-Port 16 integer
ATTRIBUTE Reply-Message 18 string
ATTRIBUTE Callback-Number 19 string
ATTRIBUTE Callback-Id 20 string
ATTRIBUTE Framed-Route 22 string
ATTRIBUTE Framed-IPX-Network 23 ipaddr
ATTRIBUTE State 24 octets
ATTRIBUTE Class 25 octets
ATTRIBUTE Vendor-Specific 26 octets
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Idle-Timeout 28 integer
ATTRIBUTE Termination-Action 29 integer
ATTRIBUTE Called-Station-Id 30 string
ATTRIBUTE Calling-Station-Id 31 string
# Sent by the script as NAS_Identifier="localhost".
ATTRIBUTE NAS-Identifier 32 string
ATTRIBUTE Proxy-State 33 octets
ATTRIBUTE Login-LAT-Service 34 string
ATTRIBUTE Login-LAT-Node 35 string
ATTRIBUTE Login-LAT-Group 36 octets
ATTRIBUTE Framed-AppleTalk-Link 37 integer
ATTRIBUTE Framed-AppleTalk-Network 38 integer
ATTRIBUTE Framed-AppleTalk-Zone 39 string