centos_radius_搭建freeradius

1.安装openssl,mysql,freeradius,freeradius-utils(支持radtest)
yum install openssl
yum install mysql
yum install freeradius
yum install freeradius-utils
启动radius服务:
radiusd -X
备注:这个方法很实用,尤其是在 debug 测试阶段,可以详细地看到用户认证的流程、认证方式、用户名/密码、错误消息,方便快速定位问题。注意 `-X` 的调试输出会把明文密码和共享密钥打印到终端,只应在测试环境使用,生产环境应以正常服务方式启动。


1.讲解freeradius两个最重要最基本的文件:users和clients.conf
1.1 详细讲解/etc/raddb/clients.conf文件
client 127.0.0.1/24 {
secret = localtest #共享密钥,用于保护 client 与 server 之间的 RADIUS 报文,pap/chap/mschap 等认证都依赖它
shortname = any #FQDN或IP地址别名,我用any/localhost/127.0.0.1都测试过,看不出什么区别。这个值在2.X也不是必须。
}
client localhost {
ipaddr = 127.0.0.1
secret = localtest
require_message_authenticator = no # 在 1.x 版本,client 发送 Access-Request 时不会携带 Message-Authenticator;但从 2.x 开始,RFC5080 建议所有 clients 都发送 Message-Authenticator。如果设为 yes,而 client 没有携带 Message-Authenticator,该报文会被悄悄 discard 掉,不会通知 client。设为 no 意味着 server 不校验这个属性,也就无法识别被篡改或伪造的 Access-Request,只建议在调试老旧 client 时使用,生产环境应设为 yes。
# shortname = localhost #optional in 2.x
nastype = other #nastype 告诉 'checkrad.pl' 使用哪种 NAS 专用方法向该 NAS 查询并发登录(simultaneous use)情况。localhost 不需要这项。
#下面两个配置是为将来保留的。当前 NAS 的用户名和密码存放在 'naspasswd' 文件中,供 checkrad.pl 做并发登录检查时使用。
# login = !root
# password = someadminpas
#从2.0开始,clients可以指定一个virtual server如:
# virtual_server = home1
#指向 'home_server_pool' 或 'home_server' 的指针,定义该 client 的 CoA 配置,例如一个 CoA 的 home server 或 home pool,参考 raddb/sites-available/originate-coa。
# coa_server = coa
#为该 client 降低 response_window;注意只能调小,不能增大 response_window。
# response_window = 10.0

}
# IPv6 Client
#client ::1 {
# secret = testing123
# shortname = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
# secret = testing123
# shortname = localhost
#}

#client <hostname-placeholder> {
# secret = testing123
# shortname = localhost
#}
#client 10.10.10.10 {
# # secret and password are mapped through the "secrets" file.
# secret = testing123
# shortname = liv1
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
#}

###########################################################

############
#
# Per-socket client lists. The configuration entries are exactly the same as above, but they are nested inside of a section.
# Per-socket client lists. 这些配置条目和上面的一样,但是嵌套在这部分。
#
# You can have as many per-socket client lists as you have "listen" sections, or you can re-use a list among multiple "listen" sections.
# 你可以为每个 listen 段各定义一个 per-socket client 列表,也可以在多个 listen 段之间复用同一个列表。
# Un-comment this section, and edit a "listen" section to add:"clients = per_socket_clients".
# 取消注释这部分,编辑listen部分,增加:"clients = per_socket_clients".
# That IP address/port combinationwill then accept ONLY the clients listed in this section.
# 该 IP 地址/端口组合将只接受本段中列出的 clients。
#
#clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }
#}

1.2 详细讲解/etc/raddb/users
test Auth-Type := CHAP, Cleartext-Password := "123456"
Reply-Message = "Hello, %{User-Name}"
备注:现在已经用 Cleartext-Password 这个属性替代了 User-Password,%{User-Name} 用于获取用户名


2.chap验证方式
2.1 在/etc/raddb/users 添加如下配置:
test Auth-Type := CHAP, Cleartext-Password := "123456"
Reply-Message = "Hello, %{User-Name}"
2.2 在/etc/raddb/clients.conf 添加如下客户端。添加客户端的写法有两种版本:1. 在 1.x 版本,格式是 client 后面跟着 ip 地址,方法体内用 shortname 区分其他 client,shortname 是必填的。2. 在 2.x 版本,格式是 client 后面跟着一个名字,用 ipaddr 或 ipv6addr 配置客户端 ip 地址,这时 shortname 就成为可选参数了。
client 172.22.4.0/24 {
secret = adcforever
shortname = any
}
client 127.0.0.1/24 {
secret = localtest #共享密钥
shortname = any #FQDN或IP地址别名,我用any/localhost/127.0.0.1都测试过,看不出什么区别。这个值在2.X也不是必须。
}
client localhost {
ipaddr = 127.0.0.1
secret = localtest
require_message_authenticator = no
nastype = other

}
2.3 使用radtest验证
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
[root@ADCTEST ~]# radtest -t chap test 123456 localhost 0 testing123
Sending Access-Request of id 1 to 127.0.0.1 port 1812
User-Name = "test"
CHAP-Password = 0x015fe7280a953af2331ba99066be43f30f
NAS-IP-Address = 59.108.66.243
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=46
CHAP-Password = 0x74657374696e67313233
Reply-Message = "Hello, test"
2.4 查看radiusd服务端log
rad_recv: Access-Request packet from host 127.0.0.1 port 35882, id=173, length=75
User-Name = "test"
CHAP-Password = 0xad5524e1db4033bc5854e9a97bd8353ed9
NAS-IP-Address = 59.108.66.243
NAS-Port = 0
Message-Authenticator = 0x418d9e36f01f344e79887dda7fb8da5f
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 73
[files] expand: Hello, %{User-Name} -> Hello, test
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "test" with CHAP password
[chap] Using clear text password "123456" for user test authentication.
[chap] chap user test authenticated succesfully
++[chap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 173 to 127.0.0.1 port 35882
CHAP-Password := 0x74657374696e67313233
Reply-Message = "Hello, test"
Finished request 1.
Going to the next request
Waking up in 3.0 seconds.
Cleaning up request 0 ID 254 with timestamp +3
Waking up in 1.9 seconds.
Cleaning up request 1 ID 173 with timestamp +5
Ready to process requests.

3.pap验证方式(不指定Auth-Type时,默认使用pap)
3.1 在/etc/raddb/users 添加如下配置:
steve Cleartext-Password := "testing" #所以这里其实省略了Auth-Type=PAP
Reply-Message = "Hello, %{User-Name}"
3.2 在/etc/raddb/clients.conf添加如下客户端
client 172.22.4.0/24 {
secret = adcforever #这个secret要和adc上user radius里的secret配置相同
shortname = any
}
3.3 使用radtest验证
[root@ADCTEST ~]# radtest steve testing localhost 0 testing123
Sending Access-Request of id 112 to 127.0.0.1 port 1812
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 59.108.66.243
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=112, length=34

Reply-Message = "Hello, steve"
3.4 查看radiusd服务端log
rad_recv: Access-Request packet from host 127.0.0.1 port 59314, id=112, length=75
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 59.108.66.243
NAS-Port = 0
Message-Authenticator = 0x27bd9086984884334866a5ed48e592fa
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "steve", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry steve at line 80
[files] expand: Hello, %{User-Name} -> Hello, steve
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 112 to 127.0.0.1 port 59314
Reply-Message = "Hello, steve"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 112 with timestamp +4
Ready to process requests.


4.FortiADC的radius配置
4.1 配置user radius,指定认证服务器ip,认证类型,端口号,认证密码
ZGC-FangZheng-12~ # config user radius
ZGC-FangZheng-12~ (radius) # show
config user radius
edit "radius1"
set server 172.22.4.7
set secret ENC toz0gWWAzy8ZOqapKuOcOWpSPlxsaOu4kBluQ5wiLVbmfVIJWq7cqHdIwGiABU2RERTYgLJR6QwCG2z+C2DJvNP/a0FDl0W0t6BNiy0Eqbda/uci
set vdom root
next
end
ZGC-FangZheng-12~ (radius) # edit radius1
ZGC-FangZheng-12~ (radius1) # set secret adcforever #这个值要和radius server上的clients.conf配置相同
ZGC-FangZheng-12~ (radius1) # get
server : 172.22.4.7
port : 1812
secret : *
auth-type : chap #adc 支持 chap/pap/mschap/mschapv2 四种认证类型
vdom : root
4.2 用户绑定radius server
ZGC-FangZheng-12~ # get sys admin
== [ admin ]
vdom: root
trusted-hosts: 0.0.0.0/0 ::/0
auth-strategy: radius
access-profile: super_admin_prof

== [ ypliu ]
vdom: root

trusted-hosts: 0.0.0.0/0 ::/0
auth-strategy: local
access-profile: super_admin_prof

== [ chap ]
vdom: root
trusted-hosts: 0.0.0.0/0 ::/0
auth-strategy: radius
access-profile: super_admin_prof

