centos上的安装和调试freeradius

作者:袖梨 2022-06-30

1、使用yum安装即可,确定安装的是freeradius2,而不是1。如果以前又freeradius,先卸载

     yum remove freeradius
     安装
     yum install freeradius2
     yum install freeradius2-utils  //这个含radtest,用户测试

     默认freeradius是使用files方式认证用户,如果不使用数据库,到此安装就搞定了

2、安装完成后就修改配置文件。

     vi /etc/raddb/users
     找到steve,注释去掉,将steve改成你的用户名。可以建立多个用户,如下:
     dalon   Cleartext-Password := "testing"
     test    Cleartext-Password := "testing123"

3、 测试

      可执行文件为 /usr/sbin/radius
      /usr/sbin/radius -X       //debug模式运行,可以看到详细过程。
      radtest 测试server是否能响应:    
      radtest test testing localhost 0 testing123
      test和testing分别为用户名和密钥,对于配置文件users里面的内容。
      localhost为配置文件clients.conf中的内容,默认针对localhost密钥为testing123
      0 意思为NAS-PORT 0,默认为0,所以不用配置。见文件 /etc/raddb/radiusd.conf中配置,如下:
      listen {
       ipaddr = *       //监听IPV4所有地址
#        ipv6addr = ::
        port = 0        //nas-port
        type = acct
#       interface = eth0
#       clients = per_socket_clients
}

测试正确的结果如下(下面是测试IPV6):

[root@CentOS ~]# radtest -6 test test123 ::1 0 testing123
Sending Access-Request of id 44 to ::1 port 1812
        User-Name = "test"
        User-Password = "test123"
        NAS-IPv6-Address = ::1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host ::1 port 1812, id=44, length=20

4、将服务器改成监听IPV6

需要修改文件

a) /etc/raddb/radiusd.conf
    将两个listen {}中 ipaddr = *  注掉,ipv6addr = ::   取消注释
b) /etc/raddb/clients.conf
将localhost中的监听地址改成ipv6的,如下:
client localhost {
        ipv6addr = ::1  # any.  ::1 == localhost

建立一组client(下面的例子是3000::/64网段为例,也可以使用::/0):
client 3000::/64 {
        secret          = testing123
        shortname       = ipv6client     //为区别名,和别的组不一样即可
}

5. 验证通过的debug信息:

rad_recv: Access-Request packet from host 3000::abcd port 60378, id=232, length=45
        User-Name = "dalon"
        User-Password = "testing"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dalon", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry dalon at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 232 to 3000::abcd port 60378
Finished request 29.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 29 ID 232 with timestamp +531
Ready to process requests.


6.在mysql中添加用户进行测试

mysql;
use radius;
insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','pass123');
exit;
radtest test pass123 127.0.0.1 0 testing123
看到“rad_recv: Access-Accept” 则认证成功。

7.如果授权其他主机访问radius认证,可以在radius server的clients.conf添加授权

vim /etc/raddb/clients.conf
添加
client 192.168.50.64 {
    ipaddr = 192.168.50.64
    secret      = testing123
}

登录192.168.50.64
yum -y install freeradius-utils
radtest test pass123 192.168.50.65 0 testing123

相关文章

精彩推荐