学习笔记：上网认证1 FreeRadius安装及与openldap的连接

Freeradius是开源免费并完全兼容RADIUS协议的RADIUS服务器和客户端软件，可以用它对用户的接入和访问特定的网络进行有效的控制，授权，计费等等，它支持多种验证，包括文件，LDAP，数据库等等。

本次测试安装环境centos7  

计算机名 freeradius  ip:172.16.48.72

1.  先关闭SELinux和firewalld

2. 安装freeradius及与ldap连接工具

yum -y install freeradius freeradius-utils freeradiu-ldap

3.启动测试

# systemctl start radiusd 

# systemctl enable radiusd

#systemctl status radiusd

4. 修改配置文件，允许测试账号

vim   /etc/raddb/users

把以下一段前面的#注释去掉

steve    Cleartext-Password := "testing"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 172.16.3.33,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-Routing = Broadcast-Listen,
    Framed-Filter-Id = "std.ppp",
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobsen-TCP-IP
5. 重启服务 systemctl restart radiusd

测试连接： 

[root@freeradius ~]# radtest steve testing localhost 1812 testing123

出现 Received Access-Accept Id 9 from 127.0.0.1:1812 to 0.0.0.0:0 length 71说明认证测试成功

6. 设置与openldap的连接

首先修改 新建或编辑/etc/raddb/mods-available/ldap 文件，下面是去除#注释行的全文

[code][root@freeradius ~]# cat  /etc/raddb/mods-available/ldap  |grep -v "#" |grep -v "^;"|grep -v "^$"

ldap {
server = '172.16.0.123'
port = 389
identity = 'cn=admin,dc=linbsoft,dc=com'
password = 123456
base_dn = 'dc=linbsoft,dc=com'
sasl {
}
update {
control:Password-With-Header	+= 'userPassword'
control:			+= 'radiusControlAttribute'
request:			+= 'radiusRequestAttribute'
reply:				+= 'radiusReplyAttribute'
}
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
}
group {
base_dn = "${..base_dn}"
filter = '(objectClass=posixGroup)'
membership_attribute = 'memberOf'
}
profile {
}
client {
base_dn = "${..base_dn}"
filter = '(objectClass=radiusClient)'
template {
}
attribute {
ipaddr				= 'radiusClientIdentifier'
secret				= 'radiusClientSecret'
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
description := "Authenticated at %S"
}
}
options {
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
ldap_debug = 0x0028
}
tls {
}
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}

7.  /etc/raddb/sites-available/site_ldap文件内容如下

cat  /etc/raddb/sites-available/site_ldap
server site_ldap {
    listen {
         ipaddr = 0.0.0.0
         port = 1833
         type = auth
     }
     authorize {
         update {
             control:Auth-Type := ldap
             }
         }
     authenticate {
         Auth-Type ldap {
             ldap
             }
         }
     post-auth {
         Post-Auth-Type Reject {
             }
         }
 }
 

8. 建立软连接

ln -s /etc/raddb/sites-available/site_ldap  /etc/raddb/sites-enabled/

9. 重启systemctl restart radiusd

测试使用openldap 账号连接

[code][root@freeradius ~]# radtest 20180515 123456  localhost 0 testing123
Sent Access-Request Id 160 from 0.0.0.0:48710 to 127.0.0.1:1812 length 78
User-Name = "20180515"
User-Password = "123456"
NAS-IP-Address = 172.16.48.72
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "123456"
Received Access-Accept Id 160 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

其中 20180515及123456是在openldap的一个账号密码

参考文章：

https://blog.csdn.net/broada2015/article/details/50886298  用802.1X+FreeRadius+LDAP实现网络准入方案
https://blog.csdn.net/cikenerd/article/details/54728652  Centos7 freeradius3 整合 openldap  ---》测试成功！！
https://blog.csdn.net/zy517863543/article/details/78914150  安装FreeRadius+Daloradius web管理+Daloradius 中文汉化
https://www.cnblogs.com/Kevin-1967/p/8931413.html  Freeradius+Cisco2500AC+OpenLdap认证
http://blog.51cto.com/waydee/1103942  FreeRADIUS 测试环境搭建