Test system: CentOS 7.0
Download the strongSwan source tarball and build it yourself; the strongswan package that yum install strongswan gives you does not have eap-radius enabled by default.
yum install openssl-devel
tar -xf strongswan-5.5.1.tar.gz
./configure --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
--enable-certexpire --enable-radattr --enable-tools --disable-gmp --enable-kernel-libipsec
make && make install
Configure /usr/local/etc/strongswan.d/charon/eap-radius.conf and add the following to its servers section (the secret and hostname are the ones used throughout this page):
    servers {
        radius-for-vpn {
            secret = testing123
            address = radius.example.com
        }
    }
Then set rightauth in the strongSwan connection configuration, /usr/local/etc/ipsec.conf (with the default prefix the file lives there, not under strongswan.d/charon/), to
    rightauth = eap-radius
With this setting charon does not check the password itself: it relays the client's EAP exchange to the RADIUS server in EAP-Message attributes, so the RADIUS server has to terminate the EAP method the client offers (the Windows IKEv2 client uses EAP-MSCHAPv2 for username/password logins).
With radtest already authenticating successfully against OpenLDAP, dial in with the Windows IKEv2 client. Running radiusd -X and sending
radtest username password radius.example.com 4 testing123
shows that radiusd received the username and password sent by the client:
Note that radtest sends a plain PAP User-Password attribute, a different path from the EAP relayed by charon, so a passing radtest exercises the LDAP backend but not the EAP method the VPN client will use.
Received Access-Request Id 1 from 10.0.0.1:58710 to 10.0.0.1:1812 length 76
User-Name = 'user1'
User-Password = 'admin'
NAS-IP-Address = 10.0.0.1
NAS-Port = 4
Message-Authenticator = 0xa6f60b034a0b967b8270705c6be94524
(8) Received Access-Request packet from host 10.0.0.1 port 58710, id=1, length=76
(8) User-Name = 'user1'
(8) User-Password = 'admin'
(8) NAS-IP-Address = 10.0.0.1
(8) NAS-Port = 4
(8) Message-Authenticator = 0xa6f60b034a0b967b8270705c6be94524
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (!&User-Name)
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /)
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ )
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ )
(8) if (&User-Name =~ /\\.\\./ ) -> FAL
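To make the Access-Request in the debug output above concrete, here is an added example (not code from this page, strongSwan or FreeRADIUS) that builds the packet radtest puts on the wire and then checks it the way radiusd does before trusting it: header sanity, Message-Authenticator (HMAC-MD5 with the shared secret, RFC 2869 5.14), then the User-Password unhiding of RFC 2865 5.2. User-Name, User-Password, NAS-IP-Address, NAS-Port and the secret testing123 are the constructed values from the radtest run above, not captured traffic; the fixed Request Authenticator is an assumption so the output is reproducible (real clients use 16 random bytes per request).

```python
import hashlib
import hmac
import os
import socket
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed values mirroring the radtest run on this page (not captured traffic).
SECRET = b"testing123"
FIXED_AUTHENTICATOR = bytes(range(16))  # assumption for reproducibility; radtest uses random bytes


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: zero-pad to 16-byte blocks, then
    c1 = p1 XOR MD5(secret + RA), c_n = p_n XOR MD5(secret + c_{n-1})."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decrypt_password(cipher, secret, authenticator):
    """Inverse of encrypt_password; chaining uses the previous cipher block.
    Trailing NUL padding is stripped (so RADIUS cannot carry NUL-terminated passwords)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type, value):
    """RADIUS attribute: Type(1) Length(1, counts these two bytes too) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, nas_ip, nas_port, secret, authenticator=None):
    """Code/Identifier/Length/Request-Authenticator + attributes, then fill in
    Message-Authenticator = HMAC-MD5(secret, whole packet with that value zeroed)."""
    ra = authenticator or os.urandom(16)
    attrs = (tlv(ATTR_USER_NAME, user)
             + tlv(ATTR_USER_PASSWORD, encrypt_password(password, secret, ra))
             + tlv(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + tlv(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + tlv(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, kept last
    pkt = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator value is the final 16 bytes


def parse_attrs(pkt):
    """Walk the TLV list after the 20-byte header; return (type, value_offset, value)."""
    attrs, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute length")
        attrs.append((t, i + 2, pkt[i + 2:i + length]))
        i += length
    return attrs


def verify_access_request(pkt, secret):
    """What radiusd does on receipt: check the header, verify Message-Authenticator
    before decoding anything, then unhide User-Password and decode the rest."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != CODE_ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    ra = pkt[4:20]
    attrs = parse_attrs(pkt)
    mas = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        raise ValueError("Message-Authenticator missing or malformed")
    off, received = mas[0]
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        raise ValueError("Message-Authenticator mismatch: wrong shared secret or altered packet")
    decoded = {}
    for t, _, val in attrs:
        if t == ATTR_USER_NAME:
            decoded["User-Name"] = val.decode()
        elif t == ATTR_USER_PASSWORD:
            decoded["User-Password"] = decrypt_password(val, secret, ra).decode()
        elif t == ATTR_NAS_IP_ADDRESS:
            decoded["NAS-IP-Address"] = socket.inet_ntoa(val)
        elif t == ATTR_NAS_PORT:
            decoded["NAS-Port"] = struct.unpack("!I", val)[0]
    return ident, decoded


if __name__ == "__main__":
    pkt = build_access_request(1, b"user1", b"admin", "10.0.0.1", 4, SECRET, FIXED_AUTHENTICATOR)
    ident, attrs = verify_access_request(pkt, SECRET)
    print(f"Received Access-Request Id {ident} length {len(pkt)}")
    for name, value in attrs.items():
        print(f"  {name} = {value!r}")
```

Two things worth noticing against the debug output above: the password is only hidden with MD5 keyed by the shared secret, which is why testing123 must be replaced by a strong secret on any host that is not a lab box, and the Message-Authenticator check is what lets radiusd reject a request from someone who knows the NAS address but not the secret. A request relayed by charon with rightauth = eap-radius carries EAP-Message attributes rather than User-Password, so this packet is what radtest sends, not what the IKEv2 dial produces.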