[Repost] Network access authentication, part 1: installing FreeRADIUS and connecting it to OpenLDAP

https://blog.csdn.net/oLinBSoft/article/details/85775603

FreeRADIUS is a free, open-source RADIUS server and client suite that fully implements the RADIUS protocol. It is used to control, authorize and account for users' access to the network and to specific network resources, and it supports many authentication back ends, including flat files, LDAP and SQL databases.

Test environment for this walkthrough: CentOS 7

Hostname: freeradius, IP: 172.16.48.72

  1. First disable SELinux and firewalld. This is fine for a lab box; on a production server keep both enabled and instead open UDP 1812 (authentication) and 1813 (accounting) in firewalld.

  2. Install FreeRADIUS, the client utilities (radtest comes from freeradius-utils) and the LDAP module

yum -y install freeradius freeradius-utils freeradius-ldap

  3. Start the service and check that it is running

systemctl start radiusd

systemctl enable radiusd

systemctl status radiusd

  4. Edit the users file to enable the built-in test account

vim /etc/raddb/users

Remove the leading # from the following block. It is the sample entry shipped with the stock users file; the Framed-* lines are just example reply attributes and have nothing to do with authentication itself.

steve   Cleartext-Password := "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

Delete or re-comment this entry once testing is done: steve/testing is a well-known default credential.

  5. Restart the service: systemctl restart radiusd

Test the connection:

[root@freeradius ~]# radtest steve testing localhost 1812 testing123

The arguments are user, password, server, NAS-Port number and shared secret, so the 1812 here is the value of the NAS-Port attribute, not the server port (radtest sends to the standard port 1812 unless you write server:port). testing123 is the secret preconfigured for the localhost client in /etc/raddb/clients.conf; change it on anything that is not a lab. A final line of

Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 71

means authentication succeeded.

  6. Configure the connection to OpenLDAP

Create or edit /etc/raddb/mods-available/ldap. The full file with comment and blank lines stripped is shown below (the grep chain also drops any live line that happens to contain a #, so use it for reading, not for generating the real file). FreeRADIUS 3 only loads modules that are linked into /etc/raddb/mods-enabled/, so make sure the ldap module is symlinked there, the same way step 8 links the virtual server. Two things to note before copying this configuration: it talks to the directory over plain LDAP on port 389, so the admin bind password and, for LDAP-bind authentication, every user password cross the network in clear; and it binds as the directory administrator (cn=admin) whose password sits in this file, which is why the package installs /etc/raddb so that it is not world-readable. Prefer ldaps:// or start_tls (the tls section) and a dedicated read-only bind DN.

[root@freeradius ~]# cat /etc/raddb/mods-available/ldap | grep -v "#" | grep -v "^;" | grep -v "^$"

ldap {
    # Plain LDAP on 389: the bind password and user passwords are not encrypted
    # on the wire. Use server = 'ldaps://...' or start_tls = yes in tls {} instead.
    server = '172.16.0.123'
    port = 389
    # Bind identity used for searches and for reading userPassword.
    identity = 'cn=admin,dc=linbsoft,dc=com'
    password = 123456
    base_dn = 'dc=linbsoft,dc=com'
    sasl {
    }
    update {
        # Copies the directory's userPassword into the request so rlm_pap can check it.
        control:Password-With-Header += 'userPassword'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    user {
        base_dn = "${..base_dn}"
        # The filter line was lost when the blog's math renderer mangled this block;
        # the stock FreeRADIUS 3 default is restored here and assumed to be what was used.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
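The line control:Password-With-Header += 'userPassword' above is what lets a virtual server authenticate LDAP users without binding as them: rlm_ldap copies the directory's userPassword value into the request and rlm_pap strips the {HEADER}, re-derives the hash and compares. That only works if the bind identity may read userPassword (with the commonly recommended ACL of "by self write, by anonymous auth, by * none" an ordinary bind DN cannot, which is why this configuration binds as cn=admin), and which RADIUS methods can then succeed depends entirely on how the directory stores the password. The following is an added example, not FreeRADIUS or OpenLDAP code; it reproduces that header handling in plain Python for the schemes slappasswd produces ({SSHA}, {SHA}, {SMD5}, {MD5}) plus cleartext, and records the method compatibility rules. The {NT} and {CRYPT} rows in the table are listed but not verified, the 8-byte salt is an assumption, and 123456 is the post's test password.

```python
"""What `control:Password-With-Header += 'userPassword'` hands to rlm_pap, redone in
plain Python.  Added example, not FreeRADIUS or OpenLDAP code.  Covers the OpenLDAP
storage formats slappasswd produces ({SSHA}, {SHA}, {SMD5}, {MD5}) plus cleartext;
{CRYPT} and {NT} are listed in the method table but not verified here."""
import base64
import hashlib
import hmac
import os

# RADIUS methods that can complete for each stored form.  A hashed password only
# supports PAP: the server gets the cleartext from the request and can re-hash it,
# but it cannot answer a CHAP or MS-CHAP challenge from a salted hash.
METHODS_BY_HEADER = {
    "CLEAR": {"PAP", "CHAP", "MS-CHAPv2"},   # cleartext: everything, incl. PEAP-MSCHAPv2
    "NT":    {"PAP", "MS-CHAPv2"},            # NT hash: PAP and the MS-CHAP family
    "SSHA":  {"PAP"}, "SHA": {"PAP"}, "SMD5": {"PAP"}, "MD5": {"PAP"}, "CRYPT": {"PAP"},
}
DIGEST_LEN = {"SSHA": 20, "SHA": 20, "SMD5": 16, "MD5": 16}


def split_header(stored: str):
    """Mirror rlm_pap's normalisation: '{ssha}...' -> ('SSHA', payload).
    A value with no {HEADER} is treated as cleartext, as rlm_pap does."""
    if stored.startswith("{") and "}" in stored:
        header, payload = stored[1:].split("}", 1)
        return header.upper(), payload
    return "CLEAR", stored


def make_hashed(password: str, header: str = "SSHA", salt: bytes = None) -> str:
    """Produce a userPassword value in the form slappasswd emits for that scheme:
    base64(digest || salt); the unsalted schemes carry no salt."""
    header = header.upper()
    if header not in DIGEST_LEN:
        raise ValueError("unsupported scheme " + header)
    if header in ("SSHA", "SMD5"):
        salt = os.urandom(8) if salt is None else salt   # 8-byte salt: an assumption
    else:
        salt = b""
    algo = "sha1" if DIGEST_LEN[header] == 20 else "md5"
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (header, base64.b64encode(digest + salt).decode())


def check_password(stored: str, candidate: str) -> bool:
    """PAP check as rlm_pap does it: strip the header, re-derive, compare in constant time."""
    header, payload = split_header(stored)
    pw = candidate.encode()
    if header == "CLEAR":
        return hmac.compare_digest(payload.encode(), pw)
    if header in DIGEST_LEN:
        raw = base64.b64decode(payload)
        digest, salt = raw[:DIGEST_LEN[header]], raw[DIGEST_LEN[header]:]
        algo = "sha1" if DIGEST_LEN[header] == 20 else "md5"
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    raise NotImplementedError("{%s} is not verified in this example" % header)


def supported_methods(stored: str) -> set:
    """Which RADIUS authentication methods this stored value lets the server complete."""
    return set(METHODS_BY_HEADER.get(split_header(stored)[0], ()))
```

slappasswd's default scheme is {SSHA}, so an account created that way passes the PAP test in step 9 but cannot authenticate PEAP-MSCHAPv2 from an 802.1X supplicant. For that the directory must also hold the NT hash in an attribute mapped to control:NT-Password (the stock ldap file carries a commented mapping for this) or keep userPassword in cleartext; otherwise you are limited to PAP, whether through rlm_pap or through the LDAP bind in step 7.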

  7. Create /etc/raddb/sites-available/site_ldap with the following content

cat /etc/raddb/sites-available/site_ldap
server site_ldap {
    listen {
        ipaddr = 0.0.0.0
        port = 1833
        type = auth
    }
    authorize {
        update {
            control:Auth-Type := ldap
        }
    }
    authenticate {
        Auth-Type ldap {
            ldap
        }
    }
    post-auth {
        Post-Auth-Type Reject {
        }
    }
}

This virtual server accepts authentication requests on UDP 1833 on every interface and forces Auth-Type ldap, so rlm_ldap authenticates by binding to the directory as the user with the password from the request. That works only for PAP, where the cleartext password arrives in User-Password; CHAP and MS-CHAP(v2) requests (for example 802.1X PEAP) carry a challenge response instead and cannot be checked by a bind. For those the server must read the password out of userPassword in authorize (the Password-With-Header mapping in step 6) and the directory must store it in cleartext or as an NT hash.

  8. Enable the virtual server with a symlink

ln -s /etc/raddb/sites-available/site_ldap /etc/raddb/sites-enabled/

  9. Restart: systemctl restart radiusd

Test with an OpenLDAP account:

[root@freeradius ~]# radtest 20180515 123456 localhost 0 testing123
Sent Access-Request Id 160 from 0.0.0.0:48710 to 127.0.0.1:1812 length 78
    User-Name = "20180515"
    User-Password = "123456"
    NAS-IP-Address = 172.16.48.72
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "123456"

Received Access-Accept Id 160 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

Here 20180515 / 123456 is an existing account in OpenLDAP. Note that this request went to 127.0.0.1:1812 (the 0 on the command line is the NAS-Port number, not a port), so it was handled by the default virtual server, whose authorize section already calls the ldap module (as -ldap) and then lets pap check the password, not by site_ldap from step 7. To exercise the LDAP-bind server, point radtest at it explicitly: radtest 20180515 123456 localhost:1833 0 testing123. In the echoed request, Message-Authenticator = 0x00 is only the placeholder shown before the HMAC is computed, and Cleartext-Password is an internal attribute radclient uses to build the packet; neither is sent as shown.
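Both radtest runs (step 5 and step 9) stand or fall on the shared secret testing123: it obfuscates User-Password on the way in and authenticates the Access-Accept on the way back, and a NAS must drop a reply whose Response Authenticator does not verify. The following added example (not part of the post and not FreeRADIUS code) rebuilds that exchange in plain Python from RFC 2865 and RFC 2869: it produces an Access-Request with the same attributes radtest sent in step 9 (it comes out at the same 78 bytes), decodes the password the way the server does, and checks the Message-Authenticator on the request and the Response Authenticator on an Access-Accept. The secret and NAS address are the post's values; the identifier and the Request Authenticator are generated here, and nothing is sent on the network.

```python
"""RADIUS PAP exchange in plain Python (RFC 2865; Message-Authenticator per RFC 2869).
Added example, not code from the blog post or from FreeRADIUS.  Packets are built
and checked in memory; nothing is sent on the network."""
import hashlib
import hmac
import os
import socket
import struct

SECRET = b"testing123"      # clients.conf secret for "localhost" (from the post)
NAS_IP = "172.16.48.72"     # NAS-IP-Address shown in the post's radtest output
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5
ATTR_MESSAGE_AUTHENTICATOR = 80

def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), the first block keyed by the Request Authenticator.  Obfuscation only."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_password(blob, secret, authenticator):
    """Inverse of encode_password: what the server does before rlm_pap runs."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, user, password, secret=SECRET, authenticator=None):
    """The Access-Request radtest sends (User-Name, User-Password, NAS-IP-Address,
    NAS-Port, Message-Authenticator).  Returns (packet, request_authenticator)."""
    auth = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, encode_password(password.encode(), secret, auth))
             + _attr(ATTR_NAS_IP, socket.inet_aton(NAS_IP))
             + _attr(ATTR_NAS_PORT, struct.pack("!I", 0))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs
    # RFC 2869 5.14: HMAC-MD5 over the packet with the attribute value zeroed;
    # it is the last attribute here, so the trailing 16 bytes are replaced.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), auth

def parse_packet(pkt):
    """Return (code, identifier, authenticator, {attr_type: value}).  Raises on
    inconsistent lengths, which RFC 2865 says to silently discard."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field does not match datagram")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, pkt[4:20], attrs

def verify_message_authenticator(pkt, secret):
    """Server-side proof that the request came from a client holding the secret."""
    attrs = parse_packet(pkt)[3]
    if ATTR_MESSAGE_AUTHENTICATOR not in attrs:
        return False
    zeroed, pos = bytearray(pkt), 20     # recompute over the packet with the MAC zeroed
    while pos < len(zeroed):
        if zeroed[pos] == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed[pos + 2:pos + zeroed[pos + 1]] = b"\x00" * (zeroed[pos + 1] - 2)
        pos += zeroed[pos + 1]
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, attrs[ATTR_MESSAGE_AUTHENTICATOR])

def build_reply(code, request, secret=SECRET, attrs=b""):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_reply(reply, request_auth, secret=SECRET):
    """What a NAS must check before honouring an Access-Accept: a reply whose
    Response Authenticator fails (wrong secret, spoofed sender) is discarded."""
    _, _, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Two practical points fall out of the code. The password hiding is an MD5 keystream derived from the secret and a 16-byte nonce, so anyone on the path who knows or brute-forces a short secret such as testing123 recovers every PAP password; use long random secrets per client and keep RADIUS traffic off untrusted segments. And the Access-Accept in step 9 carries no attributes at all (length 20), so the only thing binding it to the request is the Response Authenticator, which is why a NAS must verify that digest rather than just look at the code byte.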

Reference articles:

https://blog.csdn.net/broada2015/article/details/50886298  Network access control with 802.1X + FreeRADIUS + LDAP
https://blog.csdn.net/cikenerd/article/details/54728652  Integrating FreeRADIUS 3 with OpenLDAP on CentOS 7 (tested successfully)
https://blog.csdn.net/zy517863543/article/details/78914150  Installing FreeRADIUS + daloRADIUS web management + Chinese localisation of daloRADIUS
https://www.cnblogs.com/Kevin-1967/p/8931413.html  FreeRADIUS + Cisco 2500 AC + OpenLDAP authentication
http://blog.51cto.com/waydee/1103942  Setting up a FreeRADIUS test environment


Author: 领尚
Source: CSDN
Original: https://blog.csdn.net/oLinBSoft/article/details/85775603
Copyright notice: this is the blogger's original article; please include a link to the post when reposting.
