Ubuntu系统下的Radius认证服务安装与配置

安装服务

安装服务依赖 freeradius

$ sudo apt install freeradius

查看版本

$ freeradius -v

radiusd: FreeRADIUS Version 3.0.16, for host x86_64-pc-linux-gnu, built on Apr 17 2019 at 12:59:55
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

配置文件位置和版本相关
如果显示3.0.*，则配置文件位置具体目录是/etc/freeradius/3.0
如果版本显示3.2.*，那么配置文件的目录位置是/etc/freeradius/3.2

下面所有涉及到的文件配置目录都要看版本情况具体配置修改，不要照抄文档

radius服务所在机器的IP是192.168.100.150

启动测试服务器，正常情况下最后几行会显示如下数据

$ sudo freeradius -X

.....
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 56061
Listening on proxy address :: port 59459
Ready to process requests

# 有时候如果显示如下数据，则表示报错
xxxxxxxxxx Failed binding to auth address * port 1812 bound to server default: Address already in use /etc/freeradius/3.0/sites-enabled/default[59]: Error binding to port for 0.0.0.0 port 1812

# 则表示已经有另外一个`radius`服务已经启动，并且已经占用了端口
# 需要执行如下步骤把服务关闭
# $ sudo systemctl stop freeradius.service
# 或者是另外一个终端执行了freeradius命令但是忘记关闭了
# 可以执行pkill freeradius

添加radius用户数据

编辑文件，添加用户名为operator 密码为 testpass

$ sudo vim /etc/freeradius/3.0/users

operator  Cleartext-Password := "testpass"
           Reply-Message := "Hello, %{User-Name}"

重启 freeradius服务

$ sudo freeradius -X

测试radius服务

从另外一台机器，开一个终端检测启动radius服务的机器是否开放1812端口

$ sudo nmap -sU 192.168.100.150 -p 1812

# 如下输出表示开放
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-27 11:12 CST
Nmap scan report for 192.168.100.150
Host is up (0.00017s latency).

PORT     STATE         SERVICE
1812/udp open|filtered radius
MAC Address: CC:D3:9D:9F:D5:1D (Ieee Registration Authority)

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

新开一个终端，执行以下命令

$ radtest operator testpass 192.168.100.150 0 testing123
# 如下输出表示验证成功
Sent Access-Request Id 202 from 0.0.0.0:35778 to 127.0.0.1:1812 length 79
        User-Name = "operator"
        User-Password = "testpass"
        NAS-IP-Address = 192.168.100.150
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "testpass"
Received Access-Accept Id 202 from 127.0.0.1:1812 to 0.0.0.0:0 length 38
        Reply-Message = "Hello, operator"

配置允许远程验证用户

$ vim /etc/freeradius/3.0/clients.conf

# 输入如下,表示新建一个客户端，ipaddr允许所有网络访问，如果设置为192.168.100.150则表示只允许192.168.100.150的ip进行验证，填写0.0.0.0表示不限制IP，共享密钥是testing123
client private-network-1 {
        ipaddr          = 0.0.0.0
        secret          = testing123
}

修改radius监听端口

以下两种方式各选一种

方式一

直接修改配置，举例修改端口为8888

$ sudo vim /etc/freeradius/3.0/sites-enabled/default

# 修改
listent {
    ...
    type = auth
    ipaddr = *
    port = 0
}
# 修改port端口
listent {
    ...
    type = auth
    ipaddr = *
    port = 8888
}

方式二

修改/etc/services

$ sudo vim /etc/services
# 找到
radius          1812/tcp
radius          1812/udp
# 修改为自定义端口
radius          8888/tcp
radius          8888/udp

请求认证

推荐使用radclient

$ radclient -h

Usage: radclient [options] server[:port]  []
                One of auth, acct, status, coa, disconnect or auto.
  -4                     Use IPv4 address of server
  -6                     Use IPv6 address of server.
  -c              Send each packet 'count' times.
  -d              Set user dictionary directory (defaults to /etc/freeradius/3.0).
  -D            Set main dictionary directory (defaults to /usr/share/freeradius).
  -f [:]     Read packets from file, not stdin.
                         If a second file is provided, it will be used to verify responses
  -F                     Print the file name, packet number and reply code.
  -h                     Print usage help information.
  -n                Send N requests/s
  -p                Send 'num' packets from a file in parallel.
  -q                     Do not print anything out.
  -r            If timeout, retry sending the packet 'retries' times.
  -s                     Print out summary information of auth results.
  -S               read secret from file, not command line.
  -t            Wait 'timeout' seconds before retrying (may be a floating point number).
  -v                     Show program version information.
  -x                     Debugging mode.
  -P              Use proto (tcp or udp) for transport.

举例操作

验证 用户账号operator，密码testpass，使用ipv4地址192.168.100.150，端口1812，共享密钥testing1234，超时时间为1s，重复尝试认证次数4次

$ echo "User-Name=operator,User-Password=testpass" | radclient -4 192.168.100.150:1812 auth testing1234 -t 1 -r 4

# 成功后会有如下输出
Sent Access-Request Id 61 from 0.0.0.0:54293 to 192.168.100.150:1812 length 49
Received Access-Accept Id 61 from 192.168.100.150:1812 to 192.168.0.121:54293 length 38

参考文档与引用

freeradius官方文档
radius协议基础原理
linux搭建radius服务器