//freeradius 相关工具
yum install -y freeradius freeradius-mysql freeradius-utils
//启动
radiusd -X
//配置文件地址:
/etc/raddb
//客户端配置
/etc/raddb/clients.conf
//默认文件配置位置
/etc/raddb/sites-available/default
//eap位置【freeradius 版本不同,存放位置不同,此版本为 freeradius 3.0】
/etc/raddb/mods-available/eap
//参考文章
Ubuntu下freeradius的EAP-MD5,PEAPv0/EAP-MSCHAPv2,EAP-TTLS/MD5,EAP-TTLS/MSCHAPv2方式认证(基于mysql)
freeradius3.0安装配置mysql
本文就PAP(密码认证协议)、CHAP(挑战握手认证协议)、Radius与Mysql连接、[EAP-MD5,PEAPv0/EAP-MSCHAPv2,EAP-TTLS/MD5,EAP-TTLS/MSCHAPv2方式认证(基于mysql)]做介绍:
预先安装mysql数据库,然后安装freeradius,以及freeradius的数据库扩展插件freeradius-mysql:
yum install -y freeradius freeradius-mysql freeradius-utils
1、具体使用方式如下:
1)用户可分为配置文件users、数据库mysql等;先以配置文件users为例;其余方式做备注; 修改users,添加用户信息(格式如下,testing为用户名;Cleartext-Password为明文密码)。
#vi /etc/raddb/users
testing Cleartext-Password := "123456"
        Reply-Message := "Hello, %{User-Name}"
2)修改clients,将访问ip写入;secret 是 NAS 与 radius 之间的共享密钥,示例值 testing123 仅用于本地测试,正式环境应更换为自己的密钥。
#vi /etc/raddb/clients.conf
client xx.xx.xx.0/24 {
secret = testing123
}
3)启动radius服务器;
radiusd -X
4)服务器本身验证:(需另开窗口,echo 的内容是请求内容,127.0.0.1:1812是radius认证端口,auth 是请求类型,testing123 是client和radius的密钥,-x 表明查看详细过程。)
echo "User-Name=testing,User-Password=123456" | radclient 127.0.0.1:1812 auth testing123 -x
返回信息为:(Access-Accept即为成功,具体展示如下)
Sent Access-Request Id 210 from 0.0.0.0:38271 to 127.0.0.1:1812 length 47
User-Name = "testing"
User-Password = "123456"
Cleartext-Password = "123456"
Received Access-Accept Id 210 from 127.0.0.1:1812 to 0.0.0.0:0 length 36
Reply-Message = "Hello, testing"
1、 建议直接使用数据库工具连接数据库做处理;(注意数据库版本[不同版本sql不一致],本版本以mysql8.0为例)
//Linux登录数据库
mysql -uroot -p
//查看mysql版本;
select version();
1)创建Mysql系统用户radius:
CREATE USER 'radius'@'localhost' IDENTIFIED BY 'goldencis';
//创建用户失败:ERROR 1819 (HY000): Your password does not satisfy the current policy requirements。
//1)、查看密码策略
SHOW VARIABLES LIKE 'validate_password%';
//2)、设置密码策略:
set global validate_password.policy=LOW;
//3)、修改系统账户密码
ALTER USER 'radius'@'localhost' IDENTIFIED WITH mysql_native_password BY '123456';
2)授权系统用户
grant all on radius.* to 'radius'@'localhost';
ALTER USER 'radius'@'localhost' IDENTIFIED WITH mysql_native_password BY 'goldencis';
2、 建立数据库表(建议直接下载sql文件,用工具导入)
#mysql -u root radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql;
3、 建立测试用户组及数据
1)建立用户组
insert into radgroupreply (groupname,attribute,op,value) values ('group1','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('group1','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('group1','Framed-IP-Address',':=','192.168.49.0');
insert into radgroupreply (groupname,attribute,op,value) values ('group1','Framed-IP-Netmask',':=','255.255.255.0');
2)创建测试用户
insert into radcheck (username,attribute,op,value) values ('test','Cleartext-Password',':=','test123');
3)将用户加入组
insert into radusergroup (username,groupname) values ('test','group1');
4、设置freeradius使用mysql数据库;其中 login、password 应填写前文已创建并授权 radius.* 的 radius 账户,而不是直接使用 root。
#vi /etc/raddb/mods-available/sql
sql {
driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "root"
password = "123"
radius_db = "radius"
...
}
建立软连接:
ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
5、#vi /etc/raddb/sites-available/default
分别将authorize {}、accounting {}里面的sql去掉注释,并且将files注释掉。
6、 运行测试
#radiusd -X
7、测试(Access-Accept 为成功; Access-Reject为失败)
#radtest test test123 localhost 1812 testing123
返回结果:
Sent Access-Request Id 64 from 0.0.0.0:53508 to 127.0.0.1:1812 length 74
User-Name = "test"
User-Password = "test123"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "test123"
Received Access-Accept Id 64 from 127.0.0.1:1812 to 0.0.0.0:0 length 38
Service-Type = Framed-User
Framed-IP-Address = 192.168.49.0
Framed-IP-Netmask = 255.255.255.0
1.(1) /etc/raddb/sites-available/default
去掉eap前面的#
(2)/etc/raddb/mods-available/eap
确认default_eap_type=md5
2.在数据库中加入Auth-Type为EAP的测试账号
insert into radgroupreply (groupname,attribute,op,value) values ('eap','Auth-Type',':=','EAP');
insert into radgroupreply (groupname,attribute,op,value) values ('eap','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('eap','Framed-IP-Address',':=','255.255.255.255');
insert into radgroupreply (groupname,attribute,op,value) values ('eap','Framed-IP-Netmask',':=','255.255.255.0');
insert into radcheck (username,attribute,op,value) values ('eap','Cleartext-Password',':=','eap');
insert into radusergroup (username,groupname) values ('eap','eap');
insert into radreply (username,attribute,op,value) values ('eap','Reply-Message',':=','eap OK!');
3.验证方式:
#( echo "User-Name = \"eap\""; echo "Cleartext-Password = \"eap\""; echo "EAP-Code = \"Response\""; echo "EAP-Id = 210"; echo "EAP-Type-Identity = \"eap\""; echo "Message-Authenticator = 0x00";) | radeapclient -x localhost auth testing123
1.安装测试工具eapol_test
手动安装wpa_supplicant源码包,wpa_supplicant官网地址暂时打不开,先下载再打包;源码包编译前建议先核对官方公布的校验值。
#cd /usr/local/src/
#wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.9.tar.gz
#tar -xzvf wpa_supplicant-0.6.9.tar.gz
#cd wpa_supplicant-0.6.9/wpa_supplicant/
#cp defconfig .config
#make eapol_test
#cp eapol_test /usr/local/bin/
ps:
1)make: cc: Command not found 问题
yum -y install gcc automake autoconf libtool make
2)/src/crypto/tls_openssl.c:17:25: fatal error: openssl/ssl.h: No such file or directory
yum install openssl-devel
3)make时可能会有各种坑,注意安装相互依赖包。
2.修改配置文件
(1)/etc/raddb/sites-available/default
去掉eap前面的#
(2)/etc/raddb/mods-available/eap
确认default_eap_type=peap
3.查看证书是否存在
#ls /etc/raddb/certs/*.pem
正常情况下列表中含有ca.pem。若没有ca.pem文件,则执行以下命令:
#/etc/raddb/certs/bootstrap
4.创建测试配置文件 ~/peap.test
//注意:"="前后无空格
network={
eap=PEAP
ssid="test"
key_mgmt=WPA-EAP
identity="eap"
password="eap"
ca_cert="/etc/raddb/certs/ca.pem"
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous"
}
5.开始测试
启动服务:
#radiusd -X
测试命令:
#eapol_test -c peap.test -s testing123
//peap.test在~/目录下,所以该命令也要在~/目录下进行。需保持一致。
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): f5 46 21 85 38 9f d2 a3 49 6e f0 a0 a3 89 85 3b 3a e1 fd 1e 61 ab 49 13 b5 4d 5c d8 f0 62 af a8
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
1.修改配置文件
(1)/etc/raddb/sites-available/default
去掉eap前面的#
(2)/etc/raddb/mods-available/eap
确认default_eap_type=ttls
2.创建测试配置文件 ~/ttlsmd5.test
~/ttlsmd5.test
network={
eap=TTLS
ssid="test"
key_mgmt=WPA-EAP
identity="eap"
password="eap"
ca_cert="/etc/raddb/certs/ca.pem"
phase2="auth=MD5"
anonymous_identity="anonymous"
}
3.开始测试
#radiusd -X
#eapol_test -c ttlsmd5.test -s testing123
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): ae 1d c5 12 2c 2b 52 81 39 cf 14 4b b2 3d 6e 64 d0 0b de fb 99 a8 e1 5e 73 ba d2 89 fb 59 8e 33
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
1.修改配置文件
(1)/etc/raddb/sites-available/default
去掉eap前面的#
(2)/etc/raddb/mods-available/eap
确认default_eap_type=ttls
2.创建测试配置文件 ~/ttlsmschapv2.test
~/ttlsmschapv2.test
network={
eap=TTLS
ssid="test"
key_mgmt=WPA-EAP
identity="eap"
password="eap"
ca_cert="/etc/raddb/certs/ca.pem"
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous"
}
3.开始测试
#radiusd -X
#eapol_test -c ttlsmschapv2.test -s testing123
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): 17 29 45 99 53 2d 7d 5a 48 84 1e 79 30 59 f1 7b 15 84 b3 0e fc 2e 3c c0 b1 43 53 78 50 97 0d 8a
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS