About Ubuntu: Installing and configuring a RADIUS authentication service on Ubuntu


Install the service

Install the freeradius package, which the service depends on

$ sudo apt install freeradius

Check the version

$ freeradius -v

radiusd: FreeRADIUS Version 3.0.16, for host x86_64-pc-linux-gnu, built on Apr 17 2019 at 12:59:55
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

The configuration file location depends on the version.
If the version shown is 3.0.*, the configuration directory is /etc/freeradius/3.0.
If the version shown is 3.2.*, the configuration directory is /etc/freeradius/3.2.

Every configuration path used below must be adjusted to the installed version; do not copy this document verbatim.

The IP address of the machine running the RADIUS server is 192.168.100.150.

Start the server in debug mode; under normal conditions the last few lines of output look like this:

$ sudo freeradius -X

.....
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 56061
Listening on proxy address :: port 59459
Ready to process requests

# Output like the following instead indicates an error
xxxxxxxxxx Failed binding to auth address * port 1812 bound to server default: Address already in use /etc/freeradius/3.0/sites-enabled/default[59]: Error binding to port for 0.0.0.0 port 1812

# It means another radius service is already running and has taken the port.
# Stop that service with the following command:
# $ sudo systemctl stop freeradius.service
# Or a freeradius command was started in another terminal and never shut down;
# in that case run pkill freeradius

Add RADIUS user data

Edit the users file and add a user named operator with the password testpass

$ sudo vim /etc/freeradius/3.0/users
operator  Cleartext-Password := "testpass"
           Reply-Message := "Hello, %{User-Name}"

Restart the freeradius service

$ sudo freeradius -X

Test the RADIUS service

From another machine, open a terminal and check whether port 1812 is open on the machine running RADIUS

$ sudo nmap -sU 192.168.100.150 -p 1812

# Output like the following indicates the port is open (nmap reports a UDP port as open|filtered when it gets no reply to its probe)
Starting Nmap 7.80 (https://nmap.org) at 2021-08-27 11:12 CST
Nmap scan report for 192.168.100.150
Host is up (0.00017s latency).

PORT     STATE         SERVICE
1812/udp open|filtered radius
MAC Address: CC:D3:9D:9F:D5:1D (Ieee Registration Authority)

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

Open a new terminal and run the following command

$ radtest operator testpass 192.168.100.150 0 testing123
# Output like the following indicates authentication succeeded
Sent Access-Request Id 202 from 0.0.0.0:35778 to 127.0.0.1:1812 length 79
        User-Name = "operator"
        User-Password = "testpass"
        NAS-IP-Address = 192.168.100.150
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "testpass"
Received Access-Accept Id 202 from 127.0.0.1:1812 to 0.0.0.0:0 length 38
        Reply-Message = "Hello, operator"

Allow remote clients to authenticate

$ sudo vim /etc/freeradius/3.0/clients.conf

# Enter the following. It defines a new client; ipaddr controls which source addresses may authenticate: setting it to 192.168.100.150 allows only that IP, while 0.0.0.0 imposes no IP restriction. The shared secret is testing123.
client private-network-1 {
        ipaddr          = 0.0.0.0
        secret          = testing123
}
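The client block above accepts requests from any source address with the example secret testing123. The following added script (written for this page; it is not part of the original post or of FreeRADIUS) parses a clients.conf fragment and reports the settings a reviewer would flag: an unrestricted ipaddr, a well-known or short secret, and a client that does not require Message-Authenticator. The sample file is constructed; it contains the post's block plus a tightened variant with an assumed secret value and the real per-client option require_message_authenticator. It assumes flat client blocks (no nested sub-sections) and literal IP or prefix values for ipaddr.

```python
import ipaddress
import re

# Constructed sample: the block from the post followed by a tightened variant.
# The secret in the second block is an arbitrary placeholder, not a real credential.
SAMPLE_CLIENTS_CONF = """
client private-network-1 {
        ipaddr          = 0.0.0.0
        secret          = testing123
}

client lab-switches {
        ipaddr          = 192.168.100.0/24
        secret          = "x7Qm2pL9vR4tZ8wBn3Kd"
        require_message_authenticator = yes
}
"""

# Secrets that appear in documentation and examples; testing123 is the FreeRADIUS example value
WELL_KNOWN_SECRETS = {"testing123", "secret", "radius", "password"}
# Values the post (and FreeRADIUS) treat as "any source address"
ANY_SOURCE = {"*", "0.0.0.0", "::", "0.0.0.0/0", "::/0"}

# Assumes flat client blocks, i.e. no nested { } sections inside a client block
CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}")
KEY_VALUE = re.compile(r"^\s*([\w-]+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return {client name: {key: value}}, with surrounding quotes stripped from values."""
    clients = {}
    for match in CLIENT_BLOCK.finditer(text):
        name, body = match.group(1), match.group(2)
        clients[name] = {k: v.strip('"') for k, v in KEY_VALUE.findall(body)}
    return clients


def audit_client(settings):
    """Findings for one client block; an empty list means nothing to report."""
    findings = []
    ip = settings.get("ipaddr", "")
    if ip in ANY_SOURCE or ip.endswith("/0"):
        findings.append("ipaddr accepts any source address; limit it to the NAS addresses or subnet")
    else:
        try:
            ipaddress.ip_network(ip, strict=False)
        except ValueError:
            findings.append(f"ipaddr {ip!r} is not an IP address or prefix")
    secret = settings.get("secret", "")
    if not secret:
        findings.append("no secret configured")
    elif secret in WELL_KNOWN_SECRETS:
        findings.append("secret is a well-known example value")
    elif len(secret) < 16:
        findings.append("secret is shorter than 16 characters")
    if settings.get("require_message_authenticator", "no").lower() != "yes":
        findings.append("require_message_authenticator is not yes")
    return findings


def audit_clients_conf(text):
    """Audit every client block in a clients.conf fragment: {name: [findings]}."""
    return {name: audit_client(cfg) for name, cfg in parse_clients(text).items()}


if __name__ == "__main__":
    for name, findings in audit_clients_conf(SAMPLE_CLIENTS_CONF).items():
        print(name, "->", findings or ["ok"])
```

Run against the sample, the post's block gets three findings and the tightened block none. The secret is the only thing protecting User-Password on the wire and the only thing that authenticates replies, so a per-client secret that is long and random, an ipaddr narrowed to the devices that actually send requests, and require_message_authenticator = yes are the settings to carry into a real deployment.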

Change the RADIUS listening port

Use one of the following two methods

Method 1

Edit the configuration directly; this example changes the port to 8888

$ sudo vim /etc/freeradius/3.0/sites-enabled/default

# Find the auth listener (port = 0 means the port is taken from /etc/services)
listen {
    ...
    type = auth
    ipaddr = *
    port = 0
}
# Change port to the new value
listen {
    ...
    type = auth
    ipaddr = *
    port = 8888
}

Method 2

Edit /etc/services

$ sudo vim /etc/services
# Find
radius          1812/tcp
radius          1812/udp
# Change to the custom port
radius          8888/tcp
radius          8888/udp

Request authentication

radclient is recommended

$ radclient -h

Usage: radclient [options] server[:port] <command> [<secret>]
  <command>              One of auth, acct, status, coa, disconnect or auto.
  -4                     Use IPv4 address of server
  -6                     Use IPv6 address of server.
  -c <count>             Send each packet 'count' times.
  -d <raddb>             Set user dictionary directory (defaults to /etc/freeradius/3.0).
  -D <dictdir>           Set main dictionary directory (defaults to /usr/share/freeradius).
  -f <file>[:<file>]     Read packets from file, not stdin.
                         If a second file is provided, it will be used to verify responses
  -F                     Print the file name, packet number and reply code.
  -h                     Print usage help information.
  -n <num>               Send N requests/s
  -p <num>               Send 'num' packets from a file in parallel.
  -q                     Do not print anything out.
  -r <retries>           If timeout, retry sending the packet 'retries' times.
  -s                     Print out summary information of auth results.
  -S <file>              read secret from file, not command line.
  -t <timeout>           Wait 'timeout' seconds before retrying (may be a floating point number).
  -v                     Show program version information.
  -x                     Debugging mode.
  -P <proto>             Use proto (tcp or udp) for transport.

Example

Authenticate the user operator with password testpass against IPv4 address 192.168.100.150, port 1812, shared secret testing1234, with a 1 s timeout and 4 retries

$ echo "User-Name=operator,User-Password=testpass" | radclient -4 192.168.100.150:1812 auth testing1234 -t 1 -r 4

# On success the output looks like this
Sent Access-Request Id 61 from 0.0.0.0:54293 to 192.168.100.150:1812 length 49
Received Access-Accept Id 61 from 192.168.100.150:1812 to 192.168.0.121:54293 length 38
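Both the radtest run in the test section and the radclient call above send one Access-Request and expect one Access-Accept. The following added example, written for this page and not taken from FreeRADIUS or the original post, reproduces that exchange in-process with only the Python standard library: it builds the request as RFC 2865 and RFC 3579 specify (User-Password hidden with an MD5 keystream derived from the shared secret and the Request Authenticator, Message-Authenticator as HMAC-MD5 over the packet), checks it the way a server would against a constructed USERS table standing in for the users file entry operator/testpass, and verifies the Response Authenticator on the reply. The toy server and USERS table are stand-ins for FreeRADIUS, not a description of how it is implemented; the packet lengths it produces need not match the ones printed by radtest.

```python
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types from RFC 2865; Message-Authenticator (80) is from RFC 3579
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 80
USERS = {"operator": "testpass"}  # constructed stand-in for the users file entry in the post

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    # Server-side inverse: same secret, same Request Authenticator, padding stripped
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")

def avp(attr_type, value):
    # One attribute: type, length (including this 2-byte header), value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(payload):
    # Decode the attribute list, rejecting lengths that would run past the packet
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, nas_port=0, authenticator=None):
    """Client side: what radtest/radclient send, with Message-Authenticator (RFC 3579 3.2)."""
    req_auth = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(NAS_PORT, struct.pack("!I", nas_port)))
    zeroed = avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + len(zeroed)) + req_auth
    # HMAC-MD5 keyed with the secret over the whole packet, Message-Authenticator value zeroed
    mac = hmac.new(secret, header + attrs + zeroed, hashlib.md5).digest()
    return header + attrs + avp(MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(packet, secret):
    header, received, rebuilt = packet[:20], None, b""
    for t, v in parse_attrs(packet[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            received, v = v, b"\x00" * 16
        rebuilt += avp(t, v)
    if received is None:
        return False
    expected = hmac.new(secret, header + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

def build_response(code, request, secret, reply_message=None):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = avp(REPLY_MESSAGE, reply_message.encode()) if reply_message else b""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(reply, request, secret):
    # Client side: only a holder of the secret can produce a valid reply to this request
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def simulate_exchange(username, password, secret=b"testing123"):
    """The radtest exchange in-process against a toy server; returns (reply code, Reply-Message)."""
    req = build_access_request(202, secret, username, password, "192.168.100.150")
    if not verify_message_authenticator(req, secret):
        return None, None  # RFC 3579: a request with a bad Message-Authenticator is silently discarded
    attrs = dict(parse_attrs(req[20:]))
    name = attrs[USER_NAME].decode()
    given = reveal_password(attrs[USER_PASSWORD], secret, req[4:20]).decode()
    if USERS.get(name) == given:
        reply = build_response(ACCESS_ACCEPT, req, secret, f"Hello, {name}")
    else:
        reply = build_response(ACCESS_REJECT, req, secret)
    assert verify_response(reply, req, secret)
    msg = dict(parse_attrs(reply[20:])).get(REPLY_MESSAGE)
    return reply[0], (msg.decode() if msg else None)
```

simulate_exchange("operator", "testpass") returns (2, "Hello, operator"), i.e. an Access-Accept carrying the Reply-Message from the users entry, while a wrong password returns (3, None). What the code makes visible is that the shared secret is the only input to both the password hiding and the Response Authenticator: the client has nothing else with which to tell a genuine Access-Accept from a forged one, and the server has nothing else with which to recover the password. That is why the secret should be long and random and unique per client, why clients.conf should restrict ipaddr rather than accept any source, and why RADIUS traffic belongs on a network segment or tunnel that is already trusted.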

