CentOS 7 + FreeRADIUS + MariaDB + Sangfor Internet Access Management (AC): real-name authentication for Internet access

As Internet technology advances, many enterprises have started to take network security seriously, and behaviour and log auditing have become a top priority.
In this walkthrough, in the spirit of open source and frugality, we use open-source authentication software to build our own RADIUS server and implement real-name authentication for Internet access.
The general idea: the AC (Sangfor Internet Access Management appliance) blocks traffic, and the RADIUS server checks whether an employee's credentials meet the requirements for joining the network.

Lab environment: CentOS 7.5, 4 GB RAM, 50 GB disk. SELinux and the firewall are disabled.
1. Update the operating system
yum update -y

2. Install the FreeRADIUS packages
yum install -y freeradius freeradius-mysql freeradius-utils

3. A quick functional test
Open the users file:
vim /etc/raddb/users
Find the entry steve Cleartext-Password := "testing" (lines 73-81) and uncomment that block.
66 #
67
68 #
69 # This is a complete entry for "steve". Note that there is no Fall-Through
70 # entry so that no DEFAULT entry will be used, and the user will NOT
71 # get any attributes in addition to the ones listed here.
72 #
73 steve Cleartext-Password := "testing"
74 Service-Type = Framed-User,
75 Framed-Protocol = PPP,
76 Framed-IP-Address = 172.16.3.33,
77 Framed-IP-Netmask = 255.255.255.0,
78 Framed-Routing = Broadcast-Listen,
79 Framed-Filter-Id = "std.ppp",
80 Framed-MTU = 1500,
81 Framed-Compression = Van-Jacobsen-TCP-IP
82
83 #
84 # The canonical testing user which is in most of the
85 # examples.
86 #
87 #bob Cleartext-Password := "hello"
88 # Reply-Message := "Hello, %{User-Name}"

4. Check that FreeRADIUS works
In a new terminal, start the server in the foreground in debug mode (the binary is radiusd, not radius):
radiusd -X

In another terminal run:
radtest steve testing localhost 0 testing123
The output is:
[root@localhost ~]# radtest steve testing localhost 0 testing123
Sent Access-Request Id 253 from 0.0.0.0:45709 to 127.0.0.1:1812 length 75
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testing"
Received Access-Accept Id 253 from 127.0.0.1:1812 to 0.0.0.0:0 length 71
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
FreeRADIUS itself is now working. Next we integrate the MariaDB database so that authentication is backed by it.
5. Install MariaDB

yum install -y mariadb mariadb-server mariadb-devel
Start MariaDB and enable it at boot:
systemctl start mariadb
systemctl enable mariadb
For example:
[root@localhost ~]# systemctl start mariadb
[root@localhost ~]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.

6. Create the authentication database and grant privileges (very important)
6.1 Set the database root password:
mysqladmin -uroot password 123456
6.2 Log in:
[root@localhost ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.64-MariaDB MariaDB Server

Copyright © 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

6.3 Create the database and grant privileges
The schema file imported in 6.4 only creates tables, so the radius database itself must exist first:
mysql>create database radius;
mysql>grant all on radius.* to radius@localhost identified by 'radpass';
mysql>exit;
6.4 Import the table schema
[root@localhost ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 5.5.64-MariaDB MariaDB Server

Copyright © 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use radius
Database changed
MariaDB [radius]> source /etc/raddb/mods-config/sql/main/mysql/schema.sql
Query OK, 0 rows affected (0.07 sec)

Query OK, 0 rows affected (0.09 sec)

Query OK, 0 rows affected (0.06 sec)

Query OK, 0 rows affected (0.07 sec)

Query OK, 0 rows affected (0.13 sec)

Query OK, 0 rows affected (0.05 sec)

Query OK, 0 rows affected (0.07 sec)

Query OK, 0 rows affected (0.06 sec)

MariaDB [radius]>
6.5 Reload the privilege tables
flush privileges;

6.6 The tables
The commands above imported 7 tables:
radcheck: per-user check items (for example the password attribute)
radreply: per-user reply attributes
radgroupcheck: per-group check items
radgroupreply: per-group reply attributes
radusergroup: user-to-group membership
radacct: accounting records
radpostauth: post-authentication records, covering both accepted and rejected requests
6.7 Create a group in the database
insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');

6.8 Add a user to the group:
insert into radusergroup (username,groupname) values ('test','user');

exit
7. Enable the SQL module in FreeRADIUS
Run the following (the symlink target is relative to mods-enabled):
cd /etc/raddb/mods-enabled
ln -s ../mods-available/sql

8. Edit the FreeRADIUS SQL module configuration
The configuration file is /etc/raddb/mods-available/sql; edit it with vi:
vi /etc/raddb/mods-available/sql
Find the line driver = "rlm_sql_null" and change it to driver = "rlm_sql_mysql". Save and exit.
sql {
# The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# * rlm_sql_mysql
# * rlm_sql_mssql
# * rlm_sql_oracle
# * rlm_sql_postgresql
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
driver = "rlm_sql_mysql"

Uncomment the following lines and set the dialect to mysql and the connection details to the database user created in 6.3:
87 dialect = "mysql"
88
89 # Connection info:
90 #
91 server = "localhost"
92 port = 3306
93 login = "radius"
94 password = "radpass"
95
96 # Database table configuration for everything except Oracle
97 radius_db = "radius"
Uncomment line 245 (important). With read_clients = yes, FreeRADIUS also loads RADIUS client (NAS) definitions from the table named by client_table, the nas table that schema.sql created, and only at startup:
244 # Clients will ONLY be read on server startup.
245 read_clients = yes
246
247 # Table to keep radius client info
248 client_table = "nas"
249
250 #
251 # The group attribute spec

8.1 Fix the group ownership
Change the group of /etc/raddb/mods-enabled/sql to radiusd:
chgrp -h radiusd /etc/raddb/mods-enabled/sql
Configure /etc/raddb/sites-available/default
Note: comment out files at line 398 in the authorize section.
If it is left enabled, any username and password will pass authentication: the DEFAULT entry that step 10 adds to the users file sets Auth-Type := Accept, and with the files module enabled that entry bypasses the password check.
397 # raddb/mods-config/files/authorize
398 # files
399
400 #
401 # Look in an SQL database. The schema of the database
402 # is meant to mirror the "users" file.
403 #
404 # See "Authorization Queries" in mods-available/sql
405 -sql

Enable at boot
Enable the service and fix the start order: FreeRADIUS must start after MariaDB, so add After=mariadb.service to the [Unit] section, as shown below:

systemctl enable radiusd.service

vi /etc/systemd/system/multi-user.target.wants/radiusd.service

After=mariadb.service
The result:
[Unit]
Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service
After=mariadb.service
[Service]
Type=forking
PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

9. Add the RADIUS client (the shared secret the external device uses)
Add a client entry. The one below accepts requests from any source address; if only specific devices should be allowed, restrict ipaddr to their addresses.

vi /etc/raddb/clients.conf

client all_client {

    ipaddr = 0.0.0.0/0

    # this is the shared secret entered on the authenticating device
    secret = testing123

    require_message_authenticator = no

}
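What the secret in this client entry is actually used for, as an added example that is not part of the original tutorial: the constructed Python below hides a PAP User-Password the way RFC 2865 prescribes, builds an Access-Request that carries Service-Type = Authenticate-Only like the Sangfor appliance does, and performs the RFC 2869 Message-Authenticator check that require_message_authenticator = yes would enforce. The secret testing123 is the tutorial's; the fixed Request Authenticator and the username are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values: the secret from clients.conf above and a fixed Request
# Authenticator so results are reproducible (a real NAS picks 16 random bytes).
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server does this before rlm_pap compares."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(code, value):
    return struct.pack("BB", code, len(value) + 2) + value

def access_request(username, password, secret, authenticator, ident=1):
    """Access-Request with User-Name, User-Password, Service-Type = Authenticate-Only (8)
    and a Message-Authenticator (attr 80): HMAC-MD5 over the packet with attr 80 zeroed."""
    attrs = attribute(1, username) + attribute(2, hide_password(password, secret, authenticator))
    attrs += attribute(6, struct.pack(">I", 8))
    header = struct.pack(">BBH", 1, ident, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, header + attrs + attribute(80, b"\x00" * 16), hashlib.md5).digest()
    return header + attrs + attribute(80, mac)

def message_authenticator_valid(packet, secret):
    """The check require_message_authenticator = yes enforces: zero attr 80, recompute
    the HMAC-MD5 and compare. Wrong secret, modified byte or missing attribute all fail."""
    pos = 20
    while pos + 2 <= len(packet):
        code, length = packet[pos], packet[pos + 1]
        if code == 80 and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(length, 2)
    return False
```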

10. Test
From the radiusd debug output, the key thing the Sangfor appliance sends in its authentication requests is Service-Type = Authenticate-Only.
Edit the FreeRADIUS users file (/etc/raddb/users, or /usr/local/etc/raddb/users for an install from source):

vim /etc/raddb/users
Adding the following line lets the Sangfor requests pass authentication (check items in the users file are compared with ==, so write == rather than = here):
DEFAULT Service-Type == Authenticate-Only, Auth-Type := Accept

If the service warns at startup, run:
systemctl daemon-reload
systemctl start radiusd

That completes the setup.
Logging
Edit radiusd.conf:
vim /etc/raddb/radiusd.conf
log {
    auth = yes
    auth_badpass = yes
    auth_goodpass = yes
}
Note that auth_badpass and auth_goodpass write the submitted passwords into the log, so restrict access to the log file accordingly.
Configure /etc/raddb/sites-available/default:
authorize {
    auth_log
}
post-auth {
    reply_log    # around line 732
}
files at line 398 stays commented out.
Add a user whose password is stored as an MD5 hash. A hashed password can only be checked against a cleartext PAP request, so select PAP on the authenticating device:
insert into radcheck (username,attribute,op,value) values ('20008','MD5-Password',':=',md5('123456'));
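How the tables from 6.6 to 6.8 and this MD5-Password row combine at authentication time, as an added example (not the tutorial's or FreeRADIUS's code): a constructed in-memory SQLite copy of radcheck, radusergroup and radgroupreply is queried the way the sql module's authorize step does, and rlm_pap's MD5-Password comparison is reproduced for a PAP request. User 20008's membership in group "user" and the sqlite3 stand-in for MariaDB are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed in-memory stand-in for the MariaDB "radius" database (schema.sql columns).
SCHEMA = """
CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Same rows as the tutorial; MySQL's md5('123456') stores the hex digest.
    # Assumption: user 20008 is a member of group "user" (the tutorial added "test").
    db.execute("INSERT INTO radcheck VALUES (?,?,?,?)",
               ("20008", "MD5-Password", ":=", hashlib.md5(b"123456").hexdigest()))
    db.execute("INSERT INTO radusergroup (username, groupname) VALUES (?,?)", ("20008", "user"))
    db.executemany("INSERT INTO radgroupreply VALUES (?,?,?,?)", [
        ("user", "Service-Type", ":=", "Framed-User"),
        ("user", "Framed-IP-Netmask", ":=", "255.255.255.0"),
    ])
    return db

def authorize(db, username):
    """Mirror the sql module's authorize step: the user's check items from radcheck,
    then the reply items of each group the user belongs to (lowest priority first)."""
    check = dict(db.execute(
        "SELECT attribute, value FROM radcheck WHERE username = ?", (username,)))
    groups = db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (username,)).fetchall()
    reply = {}
    for (group,) in groups:
        reply.update(db.execute(
            "SELECT attribute, value FROM radgroupreply WHERE groupname = ?", (group,)))
    return check, reply

def pap_authenticate(check, password):
    """What rlm_pap does for a PAP request when radcheck holds MD5-Password: hash the
    cleartext password from the request and compare. CHAP cannot be verified from a
    stored hash (it needs the cleartext), which is why the device must use PAP."""
    stored = check.get("MD5-Password")
    if stored is None:
        return False  # no usable password attribute: reject
    digest = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored.lower())
```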
This tutorial covers only the procedure; the underlying principles will be explained in a later post.