radius+openldap+mariadb+docker installation guide
1. Purpose of the installation
To provide secure Wi-Fi access, every terminal joining the company Wi-Fi must authenticate with an employee account and password. Company accounts are managed centrally as domain accounts. The company currently uses an H3C layer-3 switch, which has built-in portal web authentication and RADIUS user authentication. To link the H3C web authentication to the company's domain accounts, a RADIUS + OpenLDAP solution was adopted.
2. Install mariadb using docker
mariadb is used as the data store for radius; here it is installed with docker-compose.
The yml file is as follows
]# cat mariadb.yml
# Use root/example as user/password credentials
version: '3.1'
services:
  mariadb:
    image: mariadb:10.3
    volumes:
      - /data/ahi/mariadb/:/var/lib/mysql
    restart: always
    ports:
      - 3306:3306
    environment:
      MYSQL_ROOT_PASSWORD: abcd@1234
Start mariadb
]# docker-compose -f ./mariadb.yml up -d
Pulling mariadb (mariadb:10.3)...
10.3: Pulling from library/mariadb
da7391352a9b: Already exists
14428a6d4bcd: Already exists
2c2d948710f2: Already exists
22776aa82430: Already exists
90e64230d63d: Already exists
f30861f14a10: Already exists
e8e9e6a3da24: Already exists
420a23f08c41: Already exists
bd73f23de482: Already exists
739c71d82551: Pull complete
65465f3a9066: Pull complete
1d96eca58ffe: Pull complete
13ddb412bd22: Pull complete
Digest: sha256:25d59d64013285f77db2e252c1b2cd390dc639773ae4f5132b90f539cfba27d4
Status: Downloaded newer image for mariadb:10.3
Creating opt_mariadb_1 ... done
]# docker ps -a|grep mariadb
09f1381289bb mariadb:10.3 "docker-entrypoint.s…" About a minute ago Up 11 seconds 0.0.0.0:3306->3306/tcp opt_mariadb_1
Add the radius database and user
]# docker exec -it opt_mariadb_1 /bin/bash
root@09f1381289bb:/# mysql -uroot -pabcd@1234
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.27-MariaDB-1:10.3.27+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database radius;
Query OK, 1 row affected (0.001 sec)
MariaDB [(none)]> grant all on radius.* to radius@"%" identified by "radius";
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]>
Test whether the database accepts connections
]# docker restart opt_mariadb_1
opt_mariadb_1
]# docker exec -it opt_mariadb_1 /bin/bash
root@09f1381289bb:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
71: eth0@if72: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
root@09f1381289bb:/# mysql -h172.18.0.3 -uradius -pradius
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.27-MariaDB-1:10.3.27+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> exit
Bye
Connection successful
mariadb installation complete
3. Install openldap
openldap is the domain user management tool; it is also installed with docker.
The yml is as follows
]# cat openldap.yml
version: "3"
services:
  openldap:
    image: osixia/openldap
    container_name: openldap
    restart: always
    ports:
      - '389:389'
    volumes:
      - /data/ahi/openldap/data:/var/lib/ldap
      - /data/ahi/openldap/ldap.d:/etc/ldap/slapd.d
    environment:
      - LDAP_TLS=false
      - LDAP_ORGANISATION=ahi.internal
      - LDAP_DOMAIN=ahi.internal
      - LDAP_ADMIN_PASSWORD=abcd@1234
      - LDAP_CONFIG_PASSWORD=abcd@1234
- Set the LDAP organisation: LDAP_ORGANISATION
- Set the LDAP domain: LDAP_DOMAIN
- Set the LDAP admin password: LDAP_ADMIN_PASSWORD
- Default login username: admin
Start openldap with docker-compose
]# docker-compose -f ./openldap.yml up -d
Pulling radius (osixia/openldap:)...
latest: Pulling from osixia/openldap
8559a31e96f4: Pull complete
1ab40e40d006: Pull complete
b578faeebc89: Pull complete
d101246a274b: Pull complete
f07e49f51d05: Pull complete
b41b15b6b364: Pull complete
3c18a389bf1d: Pull complete
26752ae4d31f: Pull complete
26e71d0f11cd: Pull complete
Digest: sha256:7a407831497410aee01a0b628285c8110e6cb670e0f96fd5d12b1a6bd25093a0
Status: Downloaded newer image for osixia/openldap:latest
Recreating radius ... done
]# docker ps -a|grep ldap
5cb09c0f8af3 osixia/openldap "/container/tool/run" About a minute ago Up 20 seconds 0.0.0.0:389->389/tcp, 636/tcp openldap
Installation complete
Install phpldapadmin
phpldapadmin is a web-based management GUI for openldap
The yml is as follows:
]# cat phpldapadmin.yml
version: "3"
services:
  phpldapadmin:
    image: osixia/phpldapadmin
    container_name: phpldapadmin
    restart: always
    ports:
      - "9090:80"
    environment:
      - PHPLDAPADMIN_HTTPS=false
      - PHPLDAPADMIN_LDAP_HOSTS=192.168.4.126
PHPLDAPADMIN_HTTPS: whether to enable HTTPS
PHPLDAPADMIN_LDAP_HOSTS: address of the openldap server
Start phpldapadmin with docker-compose
]# docker-compose -f ./phpldapadmin.yml up -d
Creating phpldapadmin ... done
]# docker-compose -f ./phpldapadmin.yml ps -a
Name Command State Ports
--------------------------------------------------------------------------
phpldapadmin /container/tool/run Up 443/tcp, 0.0.0.0:9090->80/tcp
Verify the installation
Log in to phpldapadmin from a browser
Address: http://ip:9090
Installation complete
4. Install daloradius
daloradius is the web management platform for radius and bundles a radius server
The yml is as follows
]# cat daloradius.yml
version: "3"
services:
  radius:
    image: frauhottelmann/daloradius-docker:v1.1-3
    container_name: radius
    restart: always
    ports:
      - '8080:80'
    environment:
      - MYSQL_HOST=192.168.4.126
      - MYSQL_PORT=3306
      - MYSQL_DATABASE=radius
      - MYSQL_USER=radius
      - MYSQL_PASSWORD=radius
Start daloradius with docker-compose
[root@ahi-vm-192-168-4-126 opt]# docker-compose -f ./daloradius.yml up -d
Pulling radius (frauhottelmann/daloradius-docker:v1.1-3)...
v1.1-3: Pulling from frauhottelmann/daloradius-docker
6a5697faee43: Pull complete
ba13d3bc422b: Pull complete
a254829d9e55: Pull complete
dae5f46716c9: Pull complete
63d7aa7706a3: Pull complete
8c39cd0795b9: Pull complete
fd9f14766a67: Pull complete
9206e4575afb: Pull complete
50df80f46226: Pull complete
1015c5061c31: Pull complete
75c2ac8b22d4: Pull complete
Digest: sha256:2fb7cd750e4362213e982133f20837030f2df9d83b303ed07040e4fd683a014f
Status: Downloaded newer image for frauhottelmann/daloradius-docker:v1.1-3
Creating radius ... done
[root@ahi-vm-192-168-4-126 opt]# docker ps -a|grep radius
6755af21b796 frauhottelmann/daloradius-docker:v1.1-3 "sh /cbs/init.sh" 44 seconds ago Up 12 seconds 1812-1813/tcp, 0.0.0.0:8080->80/tcp radius
Check that daloradius is installed by visiting it
Address: http://ip:8080/daloradius
Username/password: administrator/radius
Installation complete
5. Install freeradius-server
Because the radius bundled with daloradius cannot authenticate against ldap, freeradius-server is installed as well
The yml is as follows
]# cat radius.yml
version: "3"
services:
  radius:
    image: freeradius/freeradius-server:3.0.21
    container_name: radius
    restart: always
    ports:
      - '1812:1812/udp'
      - '1813:1813/udp'
      - '1833:1833/udp'
Start the container
]# docker-compose -f ./radius.yml up -d
Creating radius ... done
]# docker-compose -f ./radius.yml ps -a
Name Command State Ports
------------------------------------------------------------------------------------------------------------------------
radius /docker-entrypoint.sh /bin ... Up 0.0.0.0:1812->1812/udp, 0.0.0.0:1813->1813/udp, 0.0.0.0:1833->1833/udp
Configure the connection to openldap
Edit the ldap module configuration, /etc/raddb/mods-available/ldap (in this container the path is /etc/freeradius/mods-available/ldap)
Since the container has no editor, copy the file out first, edit it, then copy it back in
]# docker cp radius:/etc/freeradius/mods-available/ldap ./
]# cat ldap|grep -v "#"
ldap {
    server = '192.168.4.126'
    port = 389
    identity = 'cn=admin,dc=ahi,dc=internal'
    password = abcd@1234
    base_dn = 'dc=ahi,dc=internal'
    sasl {
    }
    .... the remaining settings are left at their defaults and omitted here
]# docker cp ./ldap radius:/etc/freeradius/mods-available/
identity = 'cn=admin,dc=ahi,dc=internal' binds to the directory with the admin account
Configure the site /etc/raddb/sites-available/ldap (here /etc/freeradius/sites-available/ldap), adding the following
The configuration below sets the authorization and authentication type to ldap
]# cat site-ldap
server site_ldap {
    listen {
        ipaddr = 0.0.0.0
        port = 1833
        type = auth
    }
    authorize {
        update {
            control:Auth-Type := ldap
        }
    }
    authenticate {
        Auth-Type ldap {
            ldap
        }
    }
    post-auth {
        Post-Auth-Type Reject {
        }
    }
}
]# docker cp ./site-ldap radius:/etc/freeradius/sites-available/ldap
]# docker cp radius:/etc/freeradius/clients.conf ./
]# cat clients.conf |grep -v "#"
client localhost {
    ipaddr = 0.0.0.0/0
    proto = *
    secret = qqqqqqqq
    require_message_authenticator = no
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
client localhost_ipv6 {
    ipv6addr = ::1
    secret = testing123
}
]# docker cp ./clients.conf radius:/etc/freeradius/clients.conf
The main change is setting the client ipaddr to 0.0.0.0/0 so that requests from external IPs are accepted by the service
Log in to the container, create the symlinks that enable the module and the site, then restart the container
~]# docker exec -it radius /bin/bash
# ln -s /etc/freeradius/mods-available/ldap /etc/freeradius/mods-enabled/
# ln -s /etc/freeradius/sites-available/ldap /etc/freeradius/sites-enabled/
# exit
]# docker-compose -f ./radius.yml restart
Restarting radius ... done
]# docker-compose -f ./radius.yml ps -a
Name Command State Ports
------------------------------------------------------------------------------------------------------------------------
radius /docker-entrypoint.sh free ... Up 0.0.0.0:1812->1812/udp, 0.0.0.0:1813->1813/udp, 0.0.0.0:1833->1833/udp
Test whether the openldap integration works
Add a test user test/test
Verify the user through radius
# before adding the user
root@a416af31cc96:/# radtest test test radius 0 qqqqqqqq
Sent Access-Request Id 98 from 0.0.0.0:48511 to 172.21.0.3:1812 length 74
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 172.21.0.3
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Reject Id 98 from 172.21.0.3:1812 to 172.21.0.3:48511 length 20
(0) -: Expected Access-Accept got Access-Reject
# after adding the user
root@a416af31cc96:/# radtest test test radius 0 qqqqqqqq
Sent Access-Request Id 66 from 0.0.0.0:54243 to 172.21.0.3:1812 length 74
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 172.21.0.3
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Accept Id 66 from 172.21.0.3:1812 to 172.21.0.3:54243 length 20
radtest <username> <password> <host> 0 <client secret>
radius authentication against openldap verified successfully
Configure the sql connection
Users can exist in mysql and openldap at the same time; mysql also records some user information
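To make the radtest exchange above concrete, here is an added Python example (not code from the page or from FreeRADIUS) that builds the same Access-Request radtest sends, hides the PAP password as RFC 2865 requires, and performs the Message-Authenticator check that this page's clients.conf disables with require_message_authenticator = no. The shared secret qqqqqqqq is the page's; the Request Authenticator and NAS address are constructed sample values.

```python
import hashlib, hmac, struct
# Secret from the page's clients.conf; authenticator and NAS address are constructed sample values.
SECRET = b"qqqqqqqq"
AUTHENTICATOR = bytes(range(16))
NAS_IP = bytes([172, 21, 0, 3])

def attr(attr_type: int, value: bytes) -> bytes:
    # One RADIUS attribute: Type | Length (including this 2-byte header) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded by the authenticator.
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Server side of hide_password: regenerate the keystream, then strip NUL padding.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user: bytes, password: bytes, ident: int,
                         secret: bytes = SECRET, authenticator: bytes = AUTHENTICATOR) -> bytes:
    # Attributes radtest sends: User-Name(1), User-Password(2), NAS-IP-Address(4), NAS-Port(5) and
    # Message-Authenticator(80): HMAC-MD5 over the packet with its own 16 value bytes zeroed (RFC 2869).
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, authenticator))
             + attr(4, NAS_IP) + attr(5, struct.pack("!I", 0)))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, header + attrs + attr(80, b"\x00" * 16), hashlib.md5).digest()
    return header + attrs + attr(80, mac)

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    # The check require_message_authenticator = yes enforces; a missing attribute also fails.
    zeroed, received, pos = bytearray(packet), None, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if attr_type == 80 and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
        pos += length
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return received is not None and hmac.compare_digest(expected, received)
```

The packets it builds are 74 bytes for test/test and 78 bytes for test_sql/test_sql, the same lengths radtest reports in the runs shown on this page.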
]# docker cp radius:/etc/freeradius/mods-available/sql ./
]# cat sql |grep -v "#"
sql {
    dialect = "mysql"
    driver = "rlm_sql_mysql"
    sqlite {
        filename = "/tmp/freeradius.db"
        busy_timeout = 200
        bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
    }
    mysql {
        warnings = auto
    }
    postgresql {
        send_application_name = yes
    }
    mongo {
        appname = "freeradius"
        tls {
            certificate_file = /path/to/file
            certificate_password = "password"
            ca_file = /path/to/file
            ca_dir = /path/to/directory
            crl_file = /path/to/file
            weak_cert_validation = false
            allow_invalid_hostname = false
        }
    }
    server = "192.168.4.126"
    port = 3306
    login = "radius"
    password = "radius"
    ssl=false
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    groupcheck_table = "radgroupcheck"
    authreply_table = "radreply"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    delete_stale_sessions = yes
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
    read_clients = yes
    client_table = "nas"
    group_attribute = "SQL-Group"
    $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
]# docker cp ./sql radius:/etc/freeradius/mods-available/sql
server = "192.168.4.126"
port = 3306
login = "radius"
password = "radius"
ssl=false
Change the mysql connection settings to match the database configured above, and comment out the tls section inside mysql{}, otherwise the server reports an error and does not start
]# docker cp radius:/etc/freeradius/sites-available/default ./
]# cat default |grep -v "#"|egrep -v "^$"
server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    listen {
        type = auth
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipv6addr = ::
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
            ok = return
        }
        sql
        -ldap
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        digest
        eap
    }
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        sql
        exec
        attr_filter.accounting_response
    }
    session {
        sql
    }
    post-auth {
        if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
            update reply {
                &User-Name !* ANY
            }
        }
        update {
            &reply: += &session-state:
        }
        sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            sql
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        Post-Auth-Type Challenge {
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
]# docker cp ./default radius:/etc/freeradius/sites-available/default
Uncomment sql, changing -sql to sql, so that authorization, authentication and accounting all use sql
Create the symlink and restart the service
~]# docker exec -it radius /bin/bash
# ln -s /etc/freeradius/mods-available/sql /etc/freeradius/mods-enabled/
# exit
]# docker-compose -f ./radius.yml restart
Restarting radius ... done
]# docker-compose -f ./radius.yml ps -a
Name Command State Ports
------------------------------------------------------------------------------------------------------------------------
radius /docker-entrypoint.sh free ... Up 0.0.0.0:1812->1812/udp, 0.0.0.0:1813->1813/udp, 0.0.0.0:1833->1833/udp
Test whether it takes effect
Create a new user in daloradius
Verify inside the container
# before adding the user
root@a416af31cc96:/# radtest test_sql test_sql radius 0 qqqqqqqq
Sent Access-Request Id 232 from 0.0.0.0:33435 to 172.21.0.3:1812 length 78
User-Name = "test_sql"
User-Password = "test_sql"
NAS-IP-Address = 172.21.0.3
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "test_sql"
Received Access-Reject Id 232 from 172.21.0.3:1812 to 172.21.0.3:33435 length 20
(0) -: Expected Access-Accept got Access-Reject
# after adding the user
root@a416af31cc96:/# radtest test_sql test_sql radius 0 qqqqqqqq
Sent Access-Request Id 106 from 0.0.0.0:51538 to 172.21.0.3:1812 length 78
User-Name = "test_sql"
User-Password = "test_sql"
NAS-IP-Address = 172.21.0.3
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "test_sql"
Received Access-Accept Id 106 from 172.21.0.3:1812 to 172.21.0.3:51538 length 20
Verification successful