基于freeradius+mysql,今天验证下freeradius的EAP认证:1.EAP-MD5;2.EAP-PEAP
一、EAP-MD5方式认证
1.修改配置文件
(1)/usr/local/etc/raddb/sites-available/default 去掉eap前面的# (2)/usr/local/etc/raddb/eap.conf 确认default_eap_type=md5
2.在数据库中加入Auth-Type为EAP的测试账号
#mysql -u root -p
Enter password:456456
mysql> use freeradius;
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Auth-Type',':=','EAP');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Service-Type',':=','Framed-User'); mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Framed-IP-Address',':=','255.255.255.255'); mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Framed-IP-Netmask',':=','255.255.255.0'); mysql> insert into radcheck (username,attribute,op,value) values ('eap','User-Password',':=','eap'); mysql> insert into radusergroup (username,groupname) values ('eap','eap'); mysql> insert into radreply (username,attribute,op,value) values ('eap','Reply-Message',':=','eap OK!');
3.开始测试
#radiusd -X
#(echo "User-Name = \"eap\""; echo "Cleartext-Password = \"eap\""; echo "EAP-Code = \"Response\""; echo "EAP-Id = 210"; echo "EAP-Type-Identity = \"eap\""; echo "Message-Authenticator = 0x00";) | radeapclient -x localhost auth testing123
Sending Access-Request packet to host 127.0.0.1 port 1812, id=16, length=0 User-Name = "eap" Cleartext-Password = "eap" EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = 0x656170 Message-Authenticator = 0x00 EAP-Message = 0x02d2000801656170 Received Access-Challenge packet from host 127.0.0.1 port 1812, id=16, length=107 Reply-Message = "eap OK!" Service-Type = Framed-User Framed-IP-Address = 255.255.255.255 Framed-IP-Netmask = 255.255.255.0 EAP-Message = 0x01d30016041008dabb8375e60ff9a515084acdce2e49 Message-Authenticator = 0x323977ef5d8f99e19c0f915225dc91fe State = 0x622ff79862fcf31bc6a72392057197f7 EAP-Id = 211 EAP-Code = Request EAP-Type-MD5-Challenge = 0x1008dabb8375e60ff9a515084acdce2e49 Sending Access-Request packet to host 127.0.0.1 port 1812, id=17, length=53 User-Name = "eap" Cleartext-Password = "eap" EAP-Code = Response EAP-Id = 211 Message-Authenticator = 0x00000000000000000000000000000000 EAP-Type-MD5-Challenge = 0x10e968e2d801bc965f23c6e515ef2f8861 State = 0x622ff79862fcf31bc6a72392057197f7 EAP-Message = 0x02d300160410e968e2d801bc965f23c6e515ef2f8861 Received Access-Accept packet from host 127.0.0.1 port 1812, id=17, length=76 Reply-Message = "eap OK!" Service-Type = Framed-User Framed-IP-Address = 255.255.255.255 Framed-IP-Netmask = 255.255.255.0 EAP-Message = 0x03d30004 Message-Authenticator = 0x190af2672a849e7ddee425f18c01dd2c User-Name = "eap" EAP-Id = 211 EAP-Code = Success
二、PEAPv0/EAP-MSCHAPv2方式认证
1.安装测试工具eapol_test
#cd /usr/local/src/ #wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.9.tar.gz #tar –xzvf wpa_supplicant-0.6.9.tar.gz #cd wpa_supplicant-0.6.9/wpa_supplicant/ #cp defconfig .config #make eapol_test #cp eapol_test /usr/local/bin/
2.修改配置文件
(1)/usr/local/etc/raddb/sites-available/default 去掉eap前面的# (2)/usr/local/etc/raddb/eap.conf 确认default_eap_type=peap
3.查看证书是否存在
#ls /usr/local/etc/raddb/certs/*.pem 正常 列表中含有ca.pem 若没有ca.pem文件,则执行以下命令: #/usr/local/etc/raddb/certs/bootstrap
4.创建测试配置文件 ~/peap.test
#~/peap.test network={ //注意:"="前后无空格 eap=PEAP eapol_flags=0 key_mgmt=IEEE8021X identity="eap" //注意:该测试账号是之前用sql建立在数据库中的,所以可以直接使用 password="eap" ca_cert="/usr/local/etc/raddb/certs/ca.pem" phase2="auth=MSCHAPV2" anonymous_identity="anonymous" }
5.开始测试
#radiusd -X
#eapol_test -c peap.test -s testing123 //peap.test在~/目录下,所以该命令也要在~/目录下进行。需保持一致。
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): d9 2f f7 04 41 7c 74 66 5b b3 e7 7c ea 77 21 72 04 94 cd 7f e1 c9 a0 6b 08 34 b1 b2 25 55 6f 53
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
三、EAP-TTLS/MD5方式认证
1.修改配置文件
(1)/usr/local/etc/raddb/sites-available/default 去掉eap前面的# (2)/usr/local/etc/raddb/eap.conf 确认default_eap_type=ttls
2.创建测试配置文件 ~/ttlsmd5.test
~/ttlsmd5.test network={ eap=TTLS ssid="test" //可更改 key_mgmt=WPA-EAP identity="eap" password="eap" ca_cert="/usr/local/etc/raddb/certs/ca.pem" phase2="auth=MD5" anonymous_identity="anonymous" //可更改 }
3.开始测试
#radiusd -X
#eapol_test -c ttlsmd5.test -s testing123
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): 91 b2 66 fb da ff bd 7d 95 91 2a c5 82 a8 86 bb 18 14 ac 9f 30 e4 7e 21 9f 28 b8 00 35 62 ff f2
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
四、EAP-TTLS/MSCHAPv2方式认证
1.修改配置文件
(1)/usr/local/etc/raddb/sites-available/default 去掉eap前面的# (2)/usr/local/etc/raddb/eap.conf 确认default_eap_type=ttls
2.创建测试配置文件 ~/ttlsmschapv2.test
~/ttlsmschapv2.test network={ eap=TTLS ssid="test" //可更改 key_mgmt=WPA-EAP identity="eap" password="eap" ca_cert="/usr/local/etc/raddb/certs/ca.pem" phase2="auth=MSCHAPV2" anonymous_identity="anonymous" //可更改 }
3.开始测试
#radiusd -X
#eapol_test -c ttlsmschapv2.test -s testing123
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): 91 b2 66 fb da ff bd 7d 95 91 2a c5 82 a8 86 bb 18 14 ac 9f 30 e4 7e 21 9f 28 b8 00 35 62 ff f2
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
$$$至此,参照http://blog.sina.com.cn/s/blog_5d2184eb0100hibt.html《FreeRadius+Mysql+EAP认证身份认证系统安装及配置》;
$$$其他认证方式,请参照http://blog.csdn.net/madding/article/details/17277197/《radius系列:freeradius测试》;