安装服务
安装服务依赖 freeradius
$ sudo apt install freeradius
查看版本
$ freeradius -v
radiusd: FreeRADIUS Version 3.0.16, for host x86_64-pc-linux-gnu, built on Apr 17 2019 at 12:59:55
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
配置文件位置和版本相关
如果显示3.0.*
,则配置文件位置具体目录是/etc/freeradius/3.0
如果版本显示3.2.*
,那么配置文件的目录位置是/etc/freeradius/3.2
下面所有涉及到的文件配置目录都要看版本情况具体配置修改,不要照抄文档
radius
服务所在机器的IP
是192.168.100.150
启动测试服务器,正常情况下最后几行会显示如下数据
$ sudo freeradius -X
.....
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 56061
Listening on proxy address :: port 59459
Ready to process requests
# 有时候如果显示如下数据,则表示报错
xxxxxxxxxx Failed binding to auth address * port 1812 bound to server default: Address already in use /etc/freeradius/3.0/sites-enabled/default[59]: Error binding to port for 0.0.0.0 port 1812
# 则表示已经有另外一个`radius`服务已经启动,并且已经占用了端口
# 需要执行如下步骤把服务关闭
# $ sudo systemctl stop freeradius.service
# 或者是另外一个终端执行了freeradius命令但是忘记关闭了
# 可以执行pkill freeradius
添加radius
用户数据
编辑文件,添加用户名为operator
密码为 testpass
$ sudo vim /etc/freeradius/3.0/users
operator Cleartext-Password := "testpass"
Reply-Message := "Hello, %{User-Name}"
重启 freeradius
服务
$ sudo freeradius -X
测试radius
服务
从另外一台机器,开一个终端检测启动radius
服务的机器是否开放1812
端口
$ sudo nmap -sU 192.168.100.150 -p 1812
# 如下输出表示开放
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-27 11:12 CST
Nmap scan report for 192.168.100.150
Host is up (0.00017s latency).
PORT STATE SERVICE
1812/udp open|filtered radius
MAC Address: CC:D3:9D:9F:D5:1D (Ieee Registration Authority)
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
新开一个终端,执行以下命令
$ radtest operator testpass 192.168.100.150 0 testing123
# 如下输出表示验证成功
Sent Access-Request Id 202 from 0.0.0.0:35778 to 127.0.0.1:1812 length 79
User-Name = "operator"
User-Password = "testpass"
NAS-IP-Address = 192.168.100.150
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testpass"
Received Access-Accept Id 202 from 127.0.0.1:1812 to 0.0.0.0:0 length 38
Reply-Message = "Hello, operator"
配置允许远程验证用户
$ vim /etc/freeradius/3.0/clients.conf
# 输入如下,表示新建一个客户端,ipaddr允许所有网络访问,如果设置为192.168.100.150则表示只允许192.168.100.150的ip进行验证,填写0.0.0.0表示不限制IP,共享密钥是testing123
client private-network-1 {
ipaddr = 0.0.0.0
secret = testing123
}
修改radius监听端口
以下两种方式各选一种
方式一
直接修改配置,举例修改端口为8888
$ sudo vim /etc/freeradius/3.0/sites-enabled/default
# 修改
listent {
...
type = auth
ipaddr = *
port = 0
}
# 修改port端口
listent {
...
type = auth
ipaddr = *
port = 8888
}
方式二
修改/etc/services
$ sudo vim /etc/services
# 找到
radius 1812/tcp
radius 1812/udp
# 修改为自定义端口
radius 8888/tcp
radius 8888/udp
请求认证
推荐使用radclient
$ radclient -h
Usage: radclient [options] server[:port] []
One of auth, acct, status, coa, disconnect or auto.
-4 Use IPv4 address of server
-6 Use IPv6 address of server.
-c Send each packet 'count' times.
-d Set user dictionary directory (defaults to /etc/freeradius/3.0).
-D Set main dictionary directory (defaults to /usr/share/freeradius).
-f [:] Read packets from file, not stdin.
If a second file is provided, it will be used to verify responses
-F Print the file name, packet number and reply code.
-h Print usage help information.
-n Send N requests/s
-p Send 'num' packets from a file in parallel.
-q Do not print anything out.
-r If timeout, retry sending the packet 'retries' times.
-s Print out summary information of auth results.
-S read secret from file, not command line.
-t Wait 'timeout' seconds before retrying (may be a floating point number).
-v Show program version information.
-x Debugging mode.
-P Use proto (tcp or udp) for transport.
举例操作
验证 用户账号operator
,密码testpass
,使用ipv4
地址192.168.100.150
,端口1812
,共享密钥testing1234
,超时时间为1s
,重复尝试认证次数4
次
$ echo "User-Name=operator,User-Password=testpass" | radclient -4 192.168.100.150:1812 auth testing1234 -t 1 -r 4
# 成功后会有如下输出
Sent Access-Request Id 61 from 0.0.0.0:54293 to 192.168.100.150:1812 length 49
Received Access-Accept Id 61 from 192.168.100.150:1812 to 192.168.0.121:54293 length 38