04_ubuntu radius 服务安装配置
参考
https://blog.csdn.net/qq_33385691/article/details/82498772
1.安装
sudo apt-get install freeradius freeradius-ldap freeradius-mysql
2.配置
- 用户配置（示例使用 Cleartext-Password 明文存储密码, 仅适合测试环境）
vim /etc/freeradius/users
steve Cleartext-Password := "testing" #用户名 steve, 密码 testing
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 172.16.3.33,
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
Framed-Filter-Id = "std.ppp",
Framed-MTU = 1500,
Framed-Compression = Van-Jacobsen-TCP-IP
- 配置key（RADIUS 客户端共享密钥; 下面的 testing123 为示例值, 实际部署应替换为随机强密钥）
vim /etc/freeradius/clients.conf
client localhost {
# hostname (radius.example.com)
ipaddr = 127.0.0.1
# OR, you can use an IPv6 address, but not both
# ipv6addr = :: # any. ::1 == localhost
secret = testing123
3.重启服务（以下两条命令任选其一）
sudo /etc/init.d/freeradius restart
sudo service freeradius restart
4.基本功能测试
- 服务端
sudo service freeradius stop
sudo freeradius -X #前台运行, 开启调试模式（调试输出会打印明文密码, 见下方服务端日志, 不要用于生产）
sudo freeradius #后台运行模式
- 客户端 测试命令:
radtest Username Password ServerIP Port Secret
radtest 用户名 密码 地址 端口 key
测试实例1:
radtest steve testing localhost 1812 testing123
Sending Access-Request of id 76 to 127.0.0.1 port 1812
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 0.0.0.22
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=76, length=71
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
5.添加一个新用户
- 增加一个测试用户: 用户test, 密码5678
sudo vim /etc/freeradius/users
test Cleartext-Password := "5678"
Tip: 注意属性行需用 tab 缩进对齐
- 配置客户端访问控制
sudo vim /etc/freeradius/clients.conf
client 192.168.56.0/24 {
secret = testing234
shortname = private-network-1
}
- 重启服务
sudo service freeradius stop
sudo freeradius -X
- 测试
客户端:
# radtest test 5678 192.168.56.111 0 testing234
Sending Access-Request of id 137 to 192.168.56.111 port 1812
User-Name = "test"
User-Password = "5678"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.56.111 port 1812, id=137, length=20
服务端:
# sudo freeradius -X
rad_recv: Access-Request packet from host 192.168.56.111 port 51631, id=137, length=74
User-Name = "test"
User-Password = "5678"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0xb81f77e46da45055d14413911e50e7af
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry test at line 86
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group PAP {
[pap] login attempt with password "5678"
[pap] Using clear text password "5678"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 137 to 192.168.56.111 port 51631
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 137 with timestamp +19
Ready to process requests.
6.添加一个网段认证
# vim /etc/freeradius/clients.conf
client 192.168.56.0/24 {
secret = testing234
shortname = private-network-1
}
client 10.68.4.0/24 {
secret = testing123
shortname = private-network-3
}