Setting up FreeRADIUS on CentOS


freeRadius + daloRadius Installation Manual


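Contents

I. Concepts
II. Environment preparation
III. Installation steps
    1. Install the LAMP platform: yum install httpd mysql* php*
    2. Install freeradius: yum install -y freeradius*
    3. Enable the services at boot
    4. Change the MySQL password
    5. Reboot the server
    6. Test with radtest steve testing localhost 0 testing123
    7. Log in to MySQL, create the radius database and grant privileges
    8. Create a backup directory: mkdir /root/freeradius-conf-backup
    9. Configure FreeRadius to support SQL
    10. Install daloradius
    11. Import the MySQL metadata
    12. Configure daloRadius
    13. Access http://10.xx.0.7/radius in a browser
    14. Log in at http://10.xx.0.7/radius with user name administrator and password radius
IV. FreeRadius management
    1. NAS management
    2. Add the RADIUS authentication information on the firewall
    3. Limit concurrent sessions so that a user can only be logged in once

I. Concepts

freeRadius is an open-source AAA RADIUS solution for Linux, and daloRadius is a graphical web management tool.

II. Environment preparation

OS: CentOS 6.5. LAMP, FreeRADIUS and daloRadius are required.

III. Installation steps

1. Install the LAMP platform
    yum install httpd mysql* php*
2. Install freeradius
    yum install -y freeradius*
3. Enable the services at boot
    chkconfig radiusd on
    chkconfig httpd on
    chkconfig mysqld on
4. Change the MySQL password
    mysqladmin -u root password 'xxx-xx123'
5. Reboot the server.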

FreeRadius Configuration and Verification Testing_v3.0


[Abstract] This document covers FreeRadius installation and basic testing.

It adds a description of configuring FreeRadius to support authentication over IPv6 addresses.

A FreeRadius server is installed and configured on CentOS 5.5, and a simple authentication test is run.

Before installing the FreeRadius server, the gcc compiler and openssl must already be installed on the server.

1 Environment check

1. Check the openssl version

    # openssl version -a
    OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

2. Check the gcc version

    # gcc -v
    gcc 版本4.1.2 20080704 (Red Hat 4.1.2-52)

3. Update the system once

    # yum -y update

2 FreeRadius installation

Download the FreeRadius installation package from the official website. The one downloaded here is the Version 2.2.0 tar.gz (PGP Signature) release, freeradius-server-2.2.0.tar.gz.

1. Upload it to the CentOS server. Be sure to use binary transfer mode; placing it in the root directory is recommended.

2. Change the file permissions

    # chmod 777 freeradius-server-2.2.0.tar.gz

3. Extract the archive

    # tar xvf freeradius-server-2.2.0.tar.gz

4. Enter the extracted directory

    # cd freeradius-server-2.2.0

5. Build the server

    # ./configure
    checking for gcc... gcc
    checking for C compiler default output file name... a.out
    checking whether the C compiler works... yes
    checking whether we are cross compiling... no
    checking for suffix of executables...
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether gcc accepts -g... yes
    checking for gcc option to accept ISO C89... none needed
    checking for g++... g++
    checking whether we are using the GNU C++ compiler... yes
    checking whether g++ accepts -g... yes
    checking how to run the C preprocessor... gcc -E
    checking for grep that handles long lines and -e... /usr/bin/grep
    checking for egrep... /usr/bin/grep -E
    checking for AIX... no
    checking whether gcc needs -traditional... no
    checking whether we are using SUNPro C... no
    checking for ranlib... ranlib
    checking for special C compiler options needed for large files... no
    checking for _FILE_OFFSET_BITS value needed for large files... no
    checking for ANSI C header files... yes
    checking for sys/types.h... yes
    checking for sys/stat.h... yes
    checking for stdlib.h... yes
    checking for string.h... yes
    checking for memory.h... yes
    checking for strings.h... yes
    checking for inttypes.h... yes
    checking for stdint.h... yes
    checking for unistd.h... yes
    checking whether byte ordering is bigendian... no
    checking for gmake... no
    checking for make... /usr/bin/make
    configure: error: GNU Make is not installed. Please download and install it from ftp:///pub/gnu/make/ before continuing.

    # make && make install

This step compiles and installs the server and may take several minutes.

centos_radius_setting up freeradius

    # coa_server = coa
    # Lower the response_window for packets from the client to the server. Note that response_window cannot be increased.
    # response_window = 10.0
}
# Un-comment this section, and edit a "listen" section to add: "clients = per_socket_clients".
# That IP address/port combination will then accept ONLY the clients listed in this section.
client 172.22.4.0/24 {
    secret = adcforever
    shortname = any
}
client 127.0.0.1/24 {
    secret = localtest    # shared secret
}
client localhost {
    ipaddr = 127.0.0.1
    secret = localtest
    # In 1.x, clients did not include Message-Authenticator when sending an Access-Request.
    # From 2.x on, RFC 5080 recommends that all clients send Message-Authenticator.
    # If this is set to yes and the client does not include Message-Authenticator,
    # the packet is silently discarded and the client is not notified.
    require_message_authenticator = no
}
Note: the Cleartext-Password attribute has now replaced User-Password; %{User-Name} expands to the user name.
2. CHAP authentication

FreeRADIUS deployment summary


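FreeRADIUS + MySQL + Huawei AP wireless authentication

1 FreeRADIUS installation and testing

1.1 Install FreeRADIUS and MySQL.

Environment: CentOS 6.6, software version freeradius-server-2.2.9.

    # mkdir /usr/local/radius                               # create a directory for the installation package
    # mv freeradius-server-2.2.9.tar.gz /usr/local/radius   # move the package into that directory
    # cd /usr/local/radius                                  # enter the directory
    # tar -zxvf freeradius-server-2.2.9.tar.gz              # extract into the current directory
    # cd freeradius-server-2.2.9                            # enter the extracted folder

Before installing, install the required libraries first, because installed system versions differ and the corresponding libraries may be missing.

    # yum install -y gcc vim         # build tools and an editor
    # yum install -y openssl-devel   # install the OpenSSL library
    # ./configure                    # pre-installation checks
    # make                           # compile
    # make install                   # install

1.2 Test whether the RADIUS service was installed successfully.

The configuration files are located under /usr/local/etc/raddb/.

    # vim /usr/local/etc/raddb/users

Remove the leading # comment from the following line:

    steve Cleartext-Password := "testing"

This gives a test account steve with the password testing. Alternatively, add a new entry of your own.

1.3 Start the RADIUS service for testing.

    # radiusd -X

Running in debug mode shows errors and authentication information. If the program runs normally, the last three lines are:

    Listening on authentication *:1812
    Listening on accounting *:1813
    Ready to process requests.

1.4 Run a simple connection test

    # radtest steve testing localhost 1812 testing123

If Access-Accept appears, the test succeeded.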


Deploying FreeRadius 3.0 and the DaloRadius web management interface on CentOS 7


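RADIUS (Remote Authentication and Dial-In User Service) is a network protocol and software used for access authentication of dial-in users and for authenticating service requests.

RADIUS provides centralized authentication, authorization and accounting (AAA) services for managing how connecting users use network resources.

RADIUS allows a centralized database to hold the configuration information of all users, so that it can be shared by all users.

RADIUS is often used by ISPs (Internet service providers) to manage Internet user access.

FreeRADIUS is a free, open-source RADIUS server.

FreeRADIUS has no native web interface, which makes it relatively cumbersome to use, but many third-party web interfaces can be used to manage and operate it.

DaloRADIUS is one such RADIUS web interface, powerful and easy to use. It is mainly aimed at carrier-grade hotspot and access management, is written in PHP, and supports several database systems.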

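I. System description

    IP address:           12.172.1.12/24
    Operating system:     CentOS 7.7 1909
    FreeRadius version:   v 3.0
    DaloRadius version:   v 1.0

II. CentOS component installation, update and settings

2.1 Firewall settings

    systemctl stop firewalld       # stop the firewall
    systemctl disable firewalld    # disable firewall autostart

2.2 SELinux settings

    sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config   # disable SELinux
    sestatus                                                      # query SELinux status (query after a reboot)

2.3 Component installation

    yum install -y net-tools          # install the ifconfig tool
    yum install bash-completion -y    # install command completion
    yum -y install lrzsz              # install the file transfer tool
    yum install -y wget unzip         # install unzip
    yum install -y epel-release       # install the EPEL repository
    yum makecache fast                # rebuild the repository cache

2.4 Update the system and repositories

    yum -y update && yum -y upgrade

III. Install and configure the database

3.1 Install MariaDB

    yum install -y mariadb-server mariadb   # install MariaDB
    systemctl start mariadb                 # start MariaDB
    systemctl enable mariadb                # start at boot
    mysql_secure_installation               # automatic SQL configuration (apart from setting the password, press Enter for everything)

3.2 Configure MariaDB

    mysql -u root -p                        # log in to the database
    MariaDB [(none)]> create database radius;                                               -- create the radius database
    MariaDB [(none)]> grant all on radius.* to radius@localhost identified by '123abc';    -- set the radius user name, password and privileges
    MariaDB [(none)]> flush privileges;                                                     -- reload privileges
    MariaDB [(none)]> exit                                                                  -- quit

IV. Install the Apache web server and PHP

DaloRadius is a web application written in PHP, so the Apache web server and PHP must be installed.

4.1 Install the Apache web server

    yum install -y httpd       # install the httpd service
    systemctl enable httpd     # start at boot
    systemctl start httpd      # start the httpd service

4.2 Install PHP and related packages

    yum install -y php php-mysql php-pear php-devel php-common php-gd php-mbstring php-mcrypt php-xml php-pear-DB   # install PHP and packages
    systemctl restart httpd    # restart the Apache web service after installation so that PHP takes effect

V. Install and configure FreeRadius

5.1 Install FreeRadius

    yum install -y freeradius freeradius-utils freeradius-mysql   # install FreeRadius and components
    systemctl start radiusd.service                               # start the radius service
    systemctl enable radiusd.service                              # start the radius service at boot
    firewall-cmd --permanent --add-service=radius                 # allow the radius service through the firewall (firewall autostart was disabled earlier in this article, so this command can be skipped)
    firewall-cmd --reload                                         # reload the firewall

5.2 Configure FreeRadius to connect to MariaDB

    mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql   # create the FreeRadius tables in the database

5.3 Modify the FreeRadius configuration file

    vi /etc/raddb/mods-available/sql                  # edit the configuration file with vi
    chgrp -h radiusd /etc/raddb/mods-available/sql    # configuration file group ownership
    systemctl restart radiusd.service                 # restart the radius service

The changes are as follows:

VI. Install DaloRadius

6.1 Download the DaloRadius source, extract it and move the folder into the Apache web server's working directory

    wget https:///lirantal/daloradius/archive/master.zip    # fetch the source code from GitHub
    unzip master.zip                                        # extract
    rm -f master.zip
    mv daloradius-master/ /var/www/html/daloradius          # move the folder

6.2 Set the DaloRadius directory permissions and ownership

    chown -R apache:apache /var/www/html/daloradius
    chmod -R 664 /var/www/html/daloradius/library/daloradius.conf.php

6.3 Open the HTTP service on the firewall

    firewall-cmd --permanent --add-service=http   # open the http service on the firewall (the firewall is already stopped in this article, so this command is not needed)
    firewall-cmd --reload                         # reload the firewall

6.4 Create the DaloRadius data objects in MariaDB

    mysql -u root -p radius < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql   # import the SQL script
    mysql -u root -p radius < /var/www/html/daloradius/contrib/db/mysql-daloradius.sql                       # import the SQL script

6.5 Modify the DaloRadius configuration file

    vi /var/www/html/daloradius/library/daloradius.conf.php   # edit the DaloRadius configuration file with vi

VII. Test the connection

7.1 Open in a browser: http://12.172.1.12/daloradius

7.2 Log in (default user name: administrator, password: radius)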

Complete FreeRadius setup procedure on CentOS 7

yum -y install gcc-c++
yum install openssl
yum install openssl-devel
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
insert into radusergroup (username,groupname) values ('test','user');
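18. Modify the MySQL authentication configuration in FreeRADIUS
(1) Change to the following path: cd /usr/local/etc/raddb/mods-enabled/
(2) Run the command: ln -s ../mods-available/sql
Note:
If the server needs to assign VLANs dynamically, configure it as follows.
vim /usr/local/etc/raddb/users
Add the following content:
test Cleartext-Password := "testpwd"
    Tunnel-Type = "VLAN",
    Tunnel-Medium-Type = "IEEE-802",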

Installing freeradius on CentOS 6.5


Building and installing freeradius 3.0.10 on CentOS 6.5

Platform: CentOS 6.5 x86_64

1. Install the repositories and update

    rpm -Uvh /pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    rpm -Uvh /enterprise/remi-release-6.rpm
    yum update -y

2. Install the required libraries

    yum -y install wget expat-devel gcc make gmp-devel gmp pkgconfig perl libpcap gcc-c++ logrotate tar cpio gawk flex bison bison-devel lsof libpcap-devel patch openssl openssl-devel libgcrypt* crypt* autoconf automake libtasn1-devel zlib zlib-devel trousers trousers-devel texinfo libnl-devel libnl dbus dbus-devel ncurses-devel readline-devel libtool-ltdl libtalloc* hiredis* redhat-lsb python mysql-devel

3. Install MySQL and Apache

    yum --enablerepo=remi -y install mysql mysql-server mysql-devel httpd httpd-devel
    chkconfig httpd on
    chkconfig mysqld on
    service mysqld start
    mysql_secure_installation
    mysql -u root -p

Enter the password and create the databases you need.

4. Install PHP

    yum --enablerepo=remi install -y php php-mysql php-common php-devel php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-mcrypt php-bcmath php-mhash php-snmp php-process libmcrypt libmcrypt-devel
    wget /cont/download/ioncube_loaders_lin_x86-64.tar.gz
    tar zxvf ioncube_loaders_lin_x86-64.tar.gz
    cp -rf ioncube /usr/local/
    sed -i 's/post_max_size = 8M/post_max_size = 50M/g' /etc/php.ini
    sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 50M/g' /etc/php.ini
    sed -i 's/;date.timezone =/date.timezone = PRC/g' /etc/php.ini
    sed -i 's/; cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php.ini
    sed -i 's/max_execution_time = 30/max_execution_time = 300/g' /etc/php.ini
    sed -i 's/disable_functions =.*/disable_functions = passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server/g' /etc/php.ini
    echo "zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.4.so" >> /etc/php.ini
    wget /pub/Releases/3.2.0/xcache-3.2.0.tar.gz
    tar -zxvf xcache-3.2.0.tar.gz
    cd xcache-3.2.0
    phpize --clean
    phpize
    ./configure --enable-xcache
    make && make install
    cat xcache.ini >> /etc/php.ini
    service httpd restart

5. Build and install freeradius

    wget ftp:///pub/freeradius/freeradius-server-3.0.10.tar.gz
    tar zxvf freeradius-server-3.0.10.tar.gz
    cd freeradius-server-3.0.10
    ./configure --with-modules=rlm_sql_mysql    (various WARNINGs, no ERROR)
    make && make install

6. Test

Debug mode command:

    radiusd -X

It reports: Refusing to start with libssl version OpenSSL 1.0.1e

    vi /usr/local/etc/raddb/radiusd.conf

Find allow_vulnerable_openssl = no and change it to allow_vulnerable_openssl = yes, then start again:

    radiusd -X

Open a new terminal:

    vi /usr/local/etc/raddb/users

Find this line:

    #steve Cleartext-Password:="testing"

and remove the leading #.

    radtest steve testing localhost 0 testing123
    radtest 17000001111 111111 localhost 0 testing123

Result:

    Sent Access-Request Id 41 from 0.0.0.0:35117 to 127.0.0.1:1812 length 75
        User-Name = "steve"
        User-Password = "testing"
        NAS-IP-Address = 106.185.45.18
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "testing"
    Received Access-Accept Id 41 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

Accept! Looks like it works, go have fun ^_^

There is also a simpler installation with yum.

Add the repository:

    cd /etc/yum.repos.d/
    wget /repositories/home:freeradius:3.0.x:centos/CentOS_CentOS-6/home:freeradius:3.0.x:centos.repo
    yum install -y freeradius freeradius-utils freeradius-mysql

The version installed is freeradius 3.0.3.

FreeRADIUS MySQL configuration

Reference: /cluniquecui/article/details/42490423

5.3 Create the database

The command is:

    mysql -u root -p

When asked for the password, just press Enter.


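1. Install openssl, mysql, freeradius and freeradius-utils (which provides radtest)

    yum install openssl
    yum install mysql
    yum install freeradius
    yum install freeradius-utils

Start the RADIUS service:

    radiusd -X

Note: this mode is very practical, especially during debugging and testing. It shows the user authentication flow in detail, including the authentication method, user name/password and error messages, which makes problems quick to locate.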

1. The two most important and most basic FreeRADIUS files: users and clients.conf

1.1 /etc/raddb/clients.conf in detail

    client 127.0.0.1/24 {
        secret = localtest    # shared secret, used for pap/chap/mschap authentication
        shortname = any       # FQDN or IP address alias. I tested any/localhost/127.0.0.1 and could not see any difference.
                              # This value is also not mandatory in 2.x.
    }
    client localhost {
        ipaddr = 127.0.0.1
        secret = localtest
        # In 1.x, clients did not include Message-Authenticator when sending an Access-Request.
        # From 2.x on, RFC 5080 recommends that all clients send Message-Authenticator.
        # If this is set to yes and the client does not include Message-Authenticator,
        # the packet is silently discarded and the client is not notified.
        require_message_authenticator = no
        # shortname = localhost    # optional in 2.x
        # nastype tells 'checkrad.pl' which NAS-specific method to use when querying the NAS
        # for simultaneous use. localhost does not need a NAS.
        nastype = other
        # The following two settings are reserved for the future. Currently the 'naspasswd' file
        # stores the NAS user name and password, which checkrad.pl uses when querying the NAS
        # for simultaneous use.
        # login = !root
        # password = someadminpas
        # Since 2.0, clients can specify a virtual server, for example:
        # virtual_server = home1
        # A pointer to the 'home_server_pool' or 'home_server' that contains the CoA configuration
        # for this client. For an example of a CoA home server or home pool, see
        # raddb/sites-available/originate-coa.
        # coa_server = coa
        # Lower the response_window for packets from the client to the server.
        # Note that response_window cannot be increased.
        # response_window = 10.0
    }
    # IPv6 Client
    #client ::1 {
    #    secret = testing123
    #    shortname = localhost
    #}
    #
    # All IPv6 Site-local clients
    #client fe80::/16 {
    #    secret = testing123
    #    shortname = localhost
    #}
    #client {
    #    secret = testing123
    #    shortname = localhost
    #}
    #client 10.10.10.10 {
    #    # secret and password are mapped through the "secrets" file.
    #    secret = testing123
    #    shortname = liv1
    #    # the following three fields are optional, but may be used by
    #    # checkrad.pl for simultaneous usage checks
    #    nastype = livingston
    #    login = !root
    #    password = someadminpas
    #}
    ########################################################################
    # Per-socket client lists. The configuration entries are exactly the same as above, but they are nested inside of a section.
    #
    # You can have as many per-socket client lists as you have "listen" sections, or you can re-use a list among multiple "listen" sections.
    #
    # Un-comment this section, and edit a "listen" section to add: "clients = per_socket_clients".
    # That IP address/port combination will then accept ONLY the clients listed in this section.
    #
    #clients per_socket_clients {
    #    client 192.168.3.4 {
    #        secret = testing123
    #    }
    #}

1.2 /etc/raddb/users in detail

    test    Auth-Type := CHAP, Cleartext-Password := "123456"
            Reply-Message = "Hello, %{User-Name}"

Note: the Cleartext-Password attribute has now replaced User-Password; %{User-Name} expands to the user name.

2. CHAP authentication

2.1 Add the following configuration to /etc/raddb/users:

    test    Auth-Type := CHAP, Cleartext-Password := "123456"
            Reply-Message = "Hello, %{User-Name}"

2.2 Add the following clients to /etc/raddb/clients.conf. There are two formats for adding a client, depending on the version:

1. In the 1.x format, client is followed by an IP address, and shortname inside the block distinguishes it from other clients; this field is mandatory.

2. In the 2.x format, client is followed by a name, and ipaddr or ipv6addr sets the client IP address. shortname then becomes an optional parameter.

    client 172.22.4.0/24 {
        secret = adcforever
        shortname = any
    }
    client 127.0.0.1/24 {
        secret = localtest    # shared secret
        shortname = any       # FQDN or IP address alias. I tested any/localhost/127.0.0.1 and could not see any difference.
                              # This value is also not mandatory in 2.x.
    }
    client localhost {
        ipaddr = 127.0.0.1
        secret = localtest
        require_message_authenticator = no
        nastype = other
    }

2.3 Verify with radtest

    Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]

    [root@ADCTEST ~]# radtest -t chap test 123456 localhost 0 testing123
    Sending Access-Request of id 1 to 127.0.0.1 port 1812
        User-Name = "test"
        CHAP-Password = 0x015fe7280a953af2331ba99066be43f30f
        NAS-IP-Address = 59.108.66.243
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=46
        CHAP-Password = 0x74657374696e67313233
        Reply-Message = "Hello, test"

2.4 Check the radiusd server log

    rad_recv: Access-Request packet from host 127.0.0.1 port 35882, id=173, length=75
        User-Name = "test"
        CHAP-Password = 0xad5524e1db4033bc5854e9a97bd8353ed9
        NAS-IP-Address = 59.108.66.243
        NAS-Port = 0
        Message-Authenticator = 0x418d9e36f01f344e79887dda7fb8da5f
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "test", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry test at line 73
    [files] expand: Hello, %{User-Name} -> Hello, test
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set. Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = CHAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group CHAP {...}
    [chap] login attempt by "test" with CHAP password
    [chap] Using clear text password "123456" for user test authentication.
    [chap] chap user test authenticated succesfully
    ++[chap] returns ok
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 173 to 127.0.0.1 port 35882
        CHAP-Password := 0x74657374696e67313233
        Reply-Message = "Hello, test"
    Finished request 1.
    Going to the next request
    Waking up in 3.0 seconds.
    Cleaning up request 0 ID 254 with timestamp +3
    Waking up in 1.9 seconds.
    Cleaning up request 1 ID 173 with timestamp +5
    Ready to process requests.

3. PAP authentication (PAP is used by default when Auth-Type is not specified)

3.1 Add the following configuration to /etc/raddb/users:

    steve   Cleartext-Password := "testing"    # so Auth-Type=PAP is in effect omitted here
            Reply-Message = "Hello, %{User-Name}"

3.2 Add the following client to /etc/raddb/clients.conf

    client 172.22.4.0/24 {
        secret = adcforever    # this secret must match the secret configured under "user radius" on the ADC
        shortname = any
    }

3.3 Verify with radtest

    [root@ADCTEST ~]# radtest steve testing localhost 0 testing123
    Sending Access-Request of id 112 to 127.0.0.1 port 1812
        User-Name = "steve"
        User-Password = "testing"
        NAS-IP-Address = 59.108.66.243
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=112, length=34
        Reply-Message = "Hello, steve"

3.4 Check the radiusd server log

    rad_recv: Access-Request packet from host 127.0.0.1 port 59314, id=112, length=75
        User-Name = "steve"
        User-Password = "testing"
        NAS-IP-Address = 59.108.66.243
        NAS-Port = 0
        Message-Authenticator = 0x27bd9086984884334866a5ed48e592fa
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "steve", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry steve at line 80
    [files] expand: Hello, %{User-Name} -> Hello, steve
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set. Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = PAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group PAP {...}
    [pap] login attempt with password "testing"
    [pap] Using clear text password "testing"
    [pap] User authenticated successfully
    ++[pap] returns ok
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 112 to 127.0.0.1 port 59314
        Reply-Message = "Hello, steve"
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 112 with timestamp +4
    Ready to process requests.

4. FortiADC RADIUS configuration

4.1 Configure user radius: specify the authentication server IP, authentication type, port and authentication secret

    ZGC-FangZheng-12~ # config user radius
    ZGC-FangZheng-12~ (radius) # show
    config user radius
        edit "radius1"
            set server 172.22.4.7
            set secret ENC toz0gWWAzy8ZOqapKuOcOWpSPlxsaOu4kBluQ5wiLVbmfVIJWq7cqHdIwGiABU2RERTYgLJR6QwC G2z+C2DJvNP/a0FDl0W0t6BNiy0Eqbda/uci
            set vdom root
        next
    end
    ZGC-FangZheng-12~ (radius) # edit radius1
    ZGC-FangZheng-12~ (radius1) # set secret adcforever    # this value must match the clients.conf configuration on the RADIUS server
    ZGC-FangZheng-12~ (radius1) # get
    server : 172.22.4.7
    port : 1812
    secret : *
    auth-type : chap    # the ADC supports four authentication types: chap/pap/mschap/mschapv2
    vdom : root

4.2 Bind users to the RADIUS server

    ZGC-FangZheng-12~ # get sys admin
    == [ admin ]
    vdom: root
    trusted-hosts: 0.0.0.0/0 ::/0
    auth-strategy: radius
    access-profile: super_admin_prof
    == [ ypliu ]
    vdom: root
    trusted-hosts: 0.0.0.0/0 ::/0
    auth-strategy: local
    access-profile: super_admin_prof
    == [ chap ]
    vdom: root
    trusted-hosts: 0.0.0.0/0 ::/0
    auth-strategy: radius
    access-profile: super_admin_prof
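A review check for the clients.conf entries walked through in section 1.1, as an added example that is not part of the original document or of FreeRADIUS: it lists active client blocks that use the sample secret, a short secret, no Message-Authenticator requirement, or one secret for a whole address range. The sample text is constructed from the entries shown above; audit_clients, MIN_SECRET_LENGTH and the finding names are hypothetical.

```python
import ipaddress
import re

# Constructed sample modelled on the client entries discussed on this page.
SAMPLE_CLIENTS_CONF = """
client 172.22.4.0/24 {
    secret = adcforever
    shortname = any
}
client 127.0.0.1/24 {
    secret = localtest   # shared secret
}
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
}
#client 10.10.10.10 {
#    secret = testing123
#}
"""

KNOWN_DEFAULT_SECRETS = {"testing123"}  # secret used by the sample entries and radtest runs
MIN_SECRET_LENGTH = 16                  # assumption: local policy, not a FreeRADIUS limit

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
ITEM_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(\S+)", re.M)


def strip_comments(text):
    """Drop '#' comments so commented-out client blocks are ignored.
    Simplification: a secret that itself contains '#' would be truncated."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def audit_clients(text):
    """Return (client, finding) pairs for every active client block."""
    findings = []
    for name, body in CLIENT_RE.findall(strip_comments(text)):
        items = dict(ITEM_RE.findall(body))
        secret = items.get("secret", "").strip('"')
        if secret in KNOWN_DEFAULT_SECRETS:
            findings.append((name, "default-secret"))
        elif len(secret) < MIN_SECRET_LENGTH:
            findings.append((name, "short-secret"))
        # Assumption: an absent setting is treated as "no".
        if items.get("require_message_authenticator", "no") != "yes":
            findings.append((name, "message-authenticator-not-required"))
        try:
            net = ipaddress.ip_network(items.get("ipaddr", name), strict=False)
        except ValueError:
            continue  # hostname such as "localhost": no range to measure
        if net.num_addresses > 1:
            findings.append((name, "secret-shared-by-%d-addresses" % net.num_addresses))
    return findings


if __name__ == "__main__":
    for client, finding in audit_clients(SAMPLE_CLIENTS_CONF):
        print("%-16s %s" % (client, finding))
```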
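The two server-side checks described in sections 1.1 and 2, as an added example that is not FreeRADIUS code or part of the original document: Message-Authenticator validation under require_message_authenticator, followed by the CHAP comparison against Cleartext-Password. The function names and the packet are constructed for illustration; the user test, password 123456 and secret localtest are reused from the configuration above.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, CHAP_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 3, 80  # attribute types


def attr(code, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_chap_request(user, password, secret, chap_id=1, sign=True):
    """Client side: a CHAP Access-Request, optionally carrying Message-Authenticator."""
    authenticator = os.urandom(16)  # Request Authenticator, doubles as CHAP challenge
    response = hashlib.md5(bytes([chap_id]) + password + authenticator).digest()
    attrs = attr(USER_NAME, user) + attr(CHAP_PASSWORD, bytes([chap_id]) + response)
    if sign:
        attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero-filled placeholder
    # Header: code 1 (Access-Request), identifier, total length, authenticator.
    packet = bytearray(struct.pack("!BBH", 1, 1, 20 + len(attrs)) + authenticator + attrs)
    if sign:  # HMAC-MD5 over the whole packet, keyed with the shared secret
        packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def parse_attrs(packet):
    """Return {type: (value_offset, value)} for the attributes after the 20-byte header."""
    found, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        found[packet[pos]] = (pos + 2, packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return found


def handle_request(packet, secret, cleartext_password, require_message_authenticator):
    """Server side: return 'discard', 'reject' or 'accept' for a CHAP Access-Request."""
    attrs = parse_attrs(packet)
    if MESSAGE_AUTHENTICATOR in attrs:
        offset, received = attrs[MESSAGE_AUTHENTICATOR]
        zeroed = bytearray(packet)
        zeroed[offset:offset + len(received)] = bytes(len(received))
        expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
        if not hmac.compare_digest(received, expected):
            return "discard"  # wrong shared secret or modified packet
    elif require_message_authenticator:
        return "discard"  # dropped silently; the client gets no reply
    chap = attrs.get(CHAP_PASSWORD, (0, b""))[1]
    if len(chap) != 17:
        return "reject"
    # No CHAP-Challenge attribute here, so the Request Authenticator is the challenge.
    expected = hashlib.md5(chap[:1] + cleartext_password + packet[4:20]).digest()
    return "accept" if hmac.compare_digest(chap[1:], expected) else "reject"


if __name__ == "__main__":
    request = build_chap_request(b"test", b"123456", b"localtest")
    print(handle_request(request, b"localtest", b"123456", True))
```

The CHAP hash itself never involves the shared secret, so with require_message_authenticator = no an unsigned request is judged on the password alone; only the Message-Authenticator check ties the request to a client that knows the secret.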
