Installing the service
The service depends on freeradius:
$ sudo apt install freeradius
Check the version:
$ freeradius -v
radiusd: FreeRADIUS Version 3.0.16, for host x86_64-pc-linux-gnu, built on Apr 17 2019 at 12:59:55
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
The location of the configuration files depends on the version:
if the version shows 3.0.*, the configuration directory is /etc/freeradius/3.0;
if the version shows 3.2.*, the configuration directory is /etc/freeradius/3.2.
Every file path mentioned below must be adjusted to your installed version; do not copy the paths from this document verbatim.
The IP address of the machine running the radius service is 192.168.100.150.
Start the server in test mode; normally the last few lines of output look like this:
$ sudo freeradius -X
.....
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 56061
Listening on proxy address :: port 59459
Ready to process requests
# Sometimes the following output appears instead, which indicates an error:
xxxxxxxxxx Failed binding to auth address * port 1812 bound to server default: Address already in use /etc/freeradius/3.0/sites-enabled/default[59]: Error binding to port for 0.0.0.0 port 1812
# This means another radius service is already running and has already taken the port.
# Stop it with the following command:
# $ sudo systemctl stop freeradius.service
# Or freeradius was started in another terminal and never shut down;
# in that case run pkill freeradius
Adding radius user data
Edit the users file and add a user named operator with the password testpass:
$ sudo vim /etc/freeradius/3.0/users
operator Cleartext-Password := "testpass"
        Reply-Message := "Hello, %{User-Name}"
Restart the freeradius service:
$ sudo freeradius -X
Testing the radius service
From another machine, open a terminal and check whether the machine running the radius service has port 1812 open:
$ sudo nmap -sU 192.168.100.150 -p 1812
# Output like the following indicates the port is reachable (open|filtered means nmap received no ICMP port-unreachable reply; the radtest below is the real check)
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-27 11:12 CST
Nmap scan report for 192.168.100.150
Host is up (0.00017s latency).
PORT STATE SERVICE
1812/udp open|filtered radius
MAC Address: CC:D3:9D:9F:D5:1D (Ieee Registration Authority)
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
Open a new terminal and run the following command:
$ radtest operator testpass 192.168.100.150 0 testing123
# The following output indicates that authentication succeeded
Sent Access-Request Id 202 from 0.0.0.0:35778 to 127.0.0.1:1812 length 79
User-Name = "operator"
User-Password = "testpass"
NAS-IP-Address = 192.168.100.150
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testpass"
Received Access-Accept Id 202 from 127.0.0.1:1812 to 0.0.0.0:0 length 38
Reply-Message = "Hello, operator"
Allowing remote clients to authenticate users
$ vim /etc/freeradius/3.0/clients.conf
# Add the following to create a client. ipaddr controls which addresses may send authentication requests: 192.168.100.150 allows only that IP, while 0.0.0.0 places no restriction on the source IP. The shared secret is testing123; replace it with a strong secret outside of testing.
client private-network-1 {
ipaddr = 0.0.0.0
secret = testing123
}
Changing the radius listening port
Choose one of the following two methods.
Method 1
Edit the configuration directly; this example changes the port to 8888:
$ sudo vim /etc/freeradius/3.0/sites-enabled/default
# Change the following block
listen {
...
type = auth
ipaddr = *
port = 0
}
# so that port is set to the new value
listen {
...
type = auth
ipaddr = *
port = 8888
}
Method 2
Edit /etc/services (this works because port = 0 makes freeradius look up the radius service entry):
$ sudo vim /etc/services
# Find
radius 1812/tcp
radius 1812/udp
# and change it to the custom port
radius 8888/tcp
radius 8888/udp
Requesting authentication
radclient is the recommended tool:
$ radclient -h
Usage: radclient [options] server[:port] <command> [<secret>]
<command> One of auth, acct, status, coa, disconnect or auto.
-4 Use IPv4 address of server
-6 Use IPv6 address of server.
-c <count> Send each packet 'count' times.
-d <raddb> Set user dictionary directory (defaults to /etc/freeradius/3.0).
-D <dictdir> Set main dictionary directory (defaults to /usr/share/freeradius).
-f <file>[:<file>] Read packets from file, not stdin.
If a second file is provided, it will be used to verify responses
-F Print the file name, packet number and reply code.
-h Print usage help information.
-n <num> Send N requests/s
-p <num> Send 'num' packets from a file in parallel.
-q Do not print anything out.
-r <retries> If timeout, retry sending the packet 'retries' times.
-s Print out summary information of auth results.
-S <file> read secret from file, not command line.
-t <timeout> Wait 'timeout' seconds before retrying (may be a floating point number).
-v Show program version information.
-x Debugging mode.
-P <proto> Use proto (tcp or udp) for transport.
Example
Authenticate the user account operator with password testpass over IPv4 to address 192.168.100.150, port 1812, with shared secret testing1234, a timeout of 1 s and 4 retries:
$ echo "User-Name=operator,User-Password=testpass" | radclient -4 192.168.100.150:1812 auth testing1234 -t 1 -r 4
# On success the output is as follows
Sent Access-Request Id 61 from 0.0.0.0:54293 to 192.168.100.150:1812 length 49
Received Access-Accept Id 61 from 192.168.100.150:1812 to 192.168.0.121:54293 length 38
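What radtest and radclient do on the wire, as an added example that is not from this page or from FreeRADIUS: it builds an Access-Request with the RFC 2865 PAP password hiding and checks the Response Authenticator of the reply against the shared secret. The user, password and secret are the values used above; the fixed Request Authenticator used for checking is a constructed sample value.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                              # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_PORT, REPLY_MESSAGE = 1, 2, 5, 18   # attribute types used here

def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode (server side); a wrong shared secret yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value   # type, length, value

def build_access_request(ident, user, password, secret, authenticator=None):
    """Build the packet radtest sends: 4-byte header, 16-byte Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable for every request
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, pap_encode(password, secret, authenticator))
             + attr(NAS_PORT, struct.pack("!I", 0)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def sign_response(code, ident, attrs, request_authenticator, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response, request_authenticator, secret):
    """Client side: accept a reply only if its authenticator was produced with our shared secret."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return resp_auth == hashlib.md5(head + request_authenticator + attrs + secret).digest()
```

The Response Authenticator is the only thing binding an Access-Accept to the shared secret, which is why a client that skips this check will trust a reply forged by anyone who can reach it on UDP 1812.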