Notes from my first time setting up FreeRADIUS for authentication: the configuration and a few tricks I used.
1. OS: Ubuntu 10.04.4 LTS server edition
2. FreeRADIUS version: 2.1.8
Note: FreeRADIUS versions are said to differ; a configuration that works on the older 1.x series does not necessarily work on 2.x.
- Configure clients.conf and authenticate directly against the system accounts on the Linux host
$ vim /etc/freeradius/clients.conf
client HS_dev {
ipaddr = 2.1.1.1
netmask = 24
secret = hs_radius123
shortname = clients-trust-net
}
Once the client is configured with the matching secret shown here, it can log in using the system accounts on the Linux host; these accounts are stored in /etc/passwd.
- Configure users so that newly defined accounts can authenticate
To define your own users, the simple way is to add accounts to the file /etc/freeradius/users. What I added at first was:
admin User-Password == test
	HS-msg = welcome
Restart freeradius and run it in debug mode:
$ sudo freeradius -X
When trying to log in with the account admin and password test, this version of freeradius reports an error:
......
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [hs_admin/hillstone] (from client clients-trust-net port 0)
Using Post-Auth-Type Reject
......
Authentication does not succeed. After reading some material, I changed the configuration to:
admin User-Password := test
	HS-msg = welcome
Restart freeradius in debug mode and try to log in again. This time authentication succeeds, but a warning is printed:
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] Using clear text password "test"
[pap] User authenticated successfully
++[pap] returns ok
Reading the manual: man rlm_pap
It is important to understand the difference between the User-Password and Cleartext-Password attributes. The Cleartext-Password attribute is the "known good" password for the user. Simply supplying the Cleartext-Password to the server will result in most authentication methods working. The User-Password attribute is the password as typed in by the user on their private machine. The two are not the same, and should be treated very differently. That is, you should generally not use the User-Password attribute anywhere in the RADIUS configuration.
I did not fully understand what this means.
I tried changing the configuration to:
admin Cleartext-Password == test
	HS-msg = welcome
Restart the radius server: authentication fails, for the same reason as the first time.
Changed the configuration once more:
admin Cleartext-Password := test
	HS-msg = welcome
Restart the radius server: works perfectly!
References:
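To make the rlm_pap distinction concrete, here is an added Python example (my own illustration, not code from these notes or from FreeRADIUS): it implements the RFC 2865 section 5.2 User-Password obfuscation a PAP client applies with the shared secret (reusing the secret from clients.conf above), and the server-side check that recovers the typed password and compares it with the stored Cleartext-Password. The 16-byte Request-Authenticator is a constructed sample value.

```python
import hashlib
import hmac

SHARED_SECRET = b"hs_radius123"            # the secret set in clients.conf above
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed sample; real ones are random


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 s5.2): pad to a 16-byte multiple, then XOR each
    block with MD5(secret + previous block), seeded by the Request-Authenticator.
    This is obfuscation keyed by the shared secret, not strong encryption."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the chaining. With the wrong secret the result is garbage,
    which is why the client's User-Password is never a "known good" value."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty 16-byte multiple")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def pap_check(encoded: bytes, secret: bytes, authenticator: bytes, cleartext_password: bytes) -> bool:
    """What rlm_pap does: compare the recovered User-Password from the request
    against the Cleartext-Password configured for the user (constant-time)."""
    typed = decode_user_password(encoded, secret, authenticator)
    return hmac.compare_digest(typed, cleartext_password)


if __name__ == "__main__":
    wire = encode_user_password(b"test", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("User-Password attribute on the wire:", wire.hex())
    print("accepted:", pap_check(wire, SHARED_SECRET, REQUEST_AUTHENTICATOR, b"test"))
```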
http://blog.sina.com.cn/s/blog_6151984a0100eyix.html
http://blog.sina.com.cn/s/blog_6151984a0100eyiz.html
http://wiki.freeradius.org/guide/Concepts
http://freeradius.org/doc/
http://wiki.freeradius.org/protocol/Access%20Request
http://wiki.freeradius.org/config/Auth%20Type