FreeRadius Server and Client Note

About FreeRADIUS

The FreeRADIUS Server Project is a high performance and highly configurable multi-protocol policy server, supporting RADIUS, DHCPv4 and VMPS. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the number of changes that have to be done when adding or deleting new users to a network.

FreeRADIUS can authenticate users on systems such as 802.1x (WiFi), dialup, PPPoE, VPNs, VoIP, and many others. It supports back-end databases such as MySQL, PostgreSQL, Oracle, Microsoft Active Directory, Redis, OpenLDAP. It is used daily to authenticate the Internet access for hundreds of millions of people, in sites ranging from 10 to 10 million+ users.


FreeRadius-Server

Use Docker to quickly build a server for testing

$docker run -it --rm --name radius-server -p 1812-1813:1812-1813/udp -v ~/Desktop/radius_shared:/shared freeradius/freeradius-server bash -l

Enter the Docker container

# Update packages
$apt update && apt install vim

# Edit authentication (users file)
$vim /etc/raddb/users
bob    Cleartext-Password := "test"
          Reply-Message := "Hello, %{User-Name}"

# Edit client accounts (clients.conf)
$vim /etc/raddb/clients.conf
client dockernet {
        ipaddr = 172.18.0.0/24
        secret = testing123
}

# Start the server
$ ./docker-entrypoint.sh -X
(-X: debug mode; it can be omitted)

Testing the configuration

1. radtest

$ radtest bob test 127.0.0.1 0 testing123
Sent Access-Request Id 50 from 0.0.0.0:55240 to 127.0.0.1:1812 length 73
        User-Name = "bob"
        User-Password = "test"
        NAS-IP-Address = 172.18.0.2
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "test"
Received Access-Accept Id 50 from 127.0.0.1:1812 to 127.0.0.1:55240 length 32
        Reply-Message = "Hello, bob"

2. radclient

$ echo "User-Name=bob,User-Password=test" | radclient 172.18.0.2 auth testing123 -x
Sent Access-Request Id 190 from 0.0.0.0:40644 to 172.18.0.2:1812 length 43
       User-Name = "bob"
       User-Password = "test"
       Cleartext-Password = "test"
Received Access-Accept Id 190 from 172.18.0.2:1812 to 172.18.0.2:40644 length 32
       Reply-Message = "Hello, bob"
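The two exchanges above can be rebuilt byte for byte. The following is an added example, not code from this note or from FreeRADIUS: a pure-Python encoder for RFC 2865/2869 Access-Request and Access-Accept packets using the note's own values (secret testing123 from clients.conf, user bob/test, NAS 172.18.0.2, Ids 50 and 190). The packet lengths radtest and radclient reported (73, 43 and 32) fall out of the attribute encoding, which also shows that the Cleartext-Password line radtest prints is a local control attribute and never goes on the wire (it would add 6 bytes). The two verify functions are where the shared secret actually matters: the server rejects a client whose secret does not match clients.conf at the Message-Authenticator check, and the client must validate the Response Authenticator before trusting an Access-Accept.

```python
# Added example (not from the note or FreeRADIUS): RFC 2865/2869 packets in pure
# Python, rebuilding the radtest/radclient exchanges above. The shared secret
# testing123, user bob/test, NAS 172.18.0.2 and Ids 50/190 come from the note.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 80
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)

def xor_user_password(data, secret, req_auth, decrypt=False):
    """RFC 2865 s5.2 password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    It hides the password from casual sniffing; it is not strong encryption."""
    if not decrypt:
        data += b"\x00" * ((16 - len(data) % 16) % 16)  # pad plaintext to 16n
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = data[i:i + 16] if decrypt else block  # chain on the ciphertext
    return out.rstrip(b"\x00") if decrypt else out

def encode_attrs(attrs):
    """[(type, value bytes)] -> RADIUS TLVs: type(1) length(1) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse TLVs, rejecting a length that runs past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(secret, identifier, username, password, nas_ip=None,
                         nas_port=None, with_msg_auth=False, req_auth=None):
    """Return (packet, request_authenticator). Message-Authenticator (RFC 2869
    s5.14) is HMAC-MD5 over the packet with its own 16 value bytes zeroed."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, xor_user_password(password.encode(), secret, req_auth))]
    if nas_ip is not None:
        attrs.append((NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    if nas_port is not None:
        attrs.append((NAS_PORT, struct.pack("!I", nas_port)))
    if with_msg_auth:
        attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # filled in below
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + req_auth + body
    if with_msg_auth:  # it is the last attribute, so its value is the packet tail
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt, req_auth

def build_access_accept(secret, identifier, req_auth, attrs):
    """Response Authenticator = MD5(code + id + length + RequestAuth + attrs + secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def verify_response(pkt, secret, req_auth):
    """Client-side check; without it a spoofed server address could deliver a forged Accept."""
    if len(pkt) < HEADER_LEN or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:HEADER_LEN])

def verify_message_authenticator(pkt, secret):
    """Server-side check (RFC 2869): a client whose secret does not match
    clients.conf fails here before any password is examined."""
    pos = HEADER_LEN
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[pos + 2:pos + 18])
        pos += max(length, 2)
    return False  # attribute absent: the request is not authenticated

def demo(secret=b"testing123"):
    """Re-create the radtest exchange above: Request Id 50 (73 bytes), Accept Id 50 (32 bytes)."""
    req, ra = build_access_request(secret, 50, "bob", "test", nas_ip="172.18.0.2",
                                   nas_port=0, with_msg_auth=True)
    accept = build_access_accept(secret, 50, ra, [(REPLY_MESSAGE, b"Hello, bob")])
    return {"request_len": len(req), "request_authentic": verify_message_authenticator(req, secret),
            "accept_len": len(accept), "accept_ok": verify_response(accept, secret, ra),
            "reply": dict(decode_attrs(accept[HEADER_LEN:]))[REPLY_MESSAGE].decode()}
```

Calling `demo()` returns the 73/32-byte lengths from the radtest run with both checks passing; building the radclient request (User-Name and User-Password only, no Message-Authenticator) gives the 43 bytes shown, and `verify_message_authenticator` returns False for it, which is why modern servers can be configured to require that attribute.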

FreeRADIUS-client

Download website: https://freeradius.org/ftp/pub/freeradius/

$ tree
.
|-- etc
|   `-- radiusclient
|       |-- dictionary
|       |-- dictionary.ascend
|       |-- dictionary.compat
|       |-- dictionary.merit
|       |-- dictionary.sip
|       |-- issue
|       |-- port-id-map
|       |-- radiusclient.conf
|       `-- servers
|-- include
|   `-- freeradius-client.h
|-- lib
|   |-- libfreeradius-client.la
|   |-- libfreeradius-client.so -> libfreeradius-client.so.2.0.0
|   |-- libfreeradius-client.so.2 -> libfreeradius-client.so.2.0.0
|   `-- libfreeradius-client.so.2.0.0
`-- sbin
    |-- login.radius
    |-- radacct
    |-- radembedded
    |-- radexample
    |-- radiusclient
    |-- radlogin
    `-- radstatus

Executables

  • radacct (not used)
  • radexample (not used)
  • radlogin (not used)
  • radembedded (not used)
  • radiusclient
  • radstatus (not used)

1. radiusclient

$radiusclient -h
radiusclient: invalid option -- 'h'
usage: radiusclient [-f config_file] [-p nas_port] [-s | [-a] a1=v1 [a2=v2[...[aN=vN]...]]]

$radiusclient -f /usr/etc/radiusclient/radiusclient.conf -p 1812 User-Name=bob Password=test
Reply-Message                    = 'Hello, bob'

$ echo $?   # 0 = success; any other value = failure
0

/usr/etc/radiusclient-tls.conf

# RADIUS settings

# The name to be used to identify this NAS (server). If set it will
# be used in NAS-Identifier.
#nas-identifier my-server-name

# Override the IP (or IPv6) address of the NAS.
#nas-ip         10.100.5.3
#nas-ip         ::1

# RADIUS server to use for authentication requests.
# Optionally you can specify the port number on which the remote
# RADIUS server listens, separated from the hostname by a colon. If
# no port is specified, /etc/services is consulted for the radius
# service. If this also fails, a compiled-in default is used.
# For IPv6 addresses use the '[IPv6]:port' format, or
# simply '[IPv6]'. You may specify more than a single server
# in a comma-separated list.
#
authserver      localhost:2083
#authserver     127.1.1.1:9999,172.17.0.1

# For DTLS with PSK authentication, the following format is valid:
#authserver     localhost:2083:psk@username@hexkey

# In TLS/DTLS the acct server directive is ignored.
#
acctserver      localhost:2083

# file holding PSKs used for the communication
# between the RADIUS client and server. They should
# be stored in "psk:username:hexkey" format.
#servers        /usr/local/etc/radcli/servers-tls

# Dictionary of allowed attributes and values. That depends
# heavily on the features of your server. A default dictionary
# is installed in /usr/local/share/radcli/dictionary
dictionary      /usr/local/etc/radcli/dictionary

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout  10

# resend request this many times before trying the next server
radius_retries  3

# local address from which radius packets have to be sent
bindaddr        *

# Namespace in which all sockets of Radcli are to be opened. This is effectively same as the
# Radcli existing on that namespace.
# If commented out, the default existing Namespace will be used.
#namespace   namespace-name

# Support for IPv6 non-temporary address support. This is an IPv6-only option
# and is valid only when IPv6 Privacy Extensions are enabled in system.
# If this option is set to "true", the radius packets will be sent with the
# IPv6 Global address and will not use the temporary addresses. If commented
# out, temporary IPv6 addresses will be used as source address for the packets
# sent.
#use-public-addr        true

# TLS/DTLS settings

# Transport Protocol Support
# Available options - 'tcp', 'udp', 'tls' and 'dtls'.
# If commented out, udp will be used.
# TLS and DTLS authentication can be used with PSK keys or X.509 certificate
# authentication (see below).
serv-type       tls

# The CA certificate to be used to verify the server's certificate.
# Does not need to be set if we are using PSK (pre-shared keys).
tls-ca-file     /usr/local/etc/radcli/ca.pem

# Our certificate and key files. These identify this NAS to the
# radius servers. They don't need to be set if using PSK.
tls-cert-file   /usr/local/etc/radcli/cert.pem
tls-key-file    /usr/local/etc/radcli/key.pem

# Used for debugging purposes. It will disable hostname verification
# on the connected host. Not recommended to be enabled.
#tls-verify-hostname    false
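The file's own comments name the settings that decide how much the transport protects: serv-type defaults to udp, tls-ca-file is what verifies the server's certificate when PSK is not used, and tls-verify-hostname false is for debugging only. The following added example (not from this note or from radcli) parses the `key  value` / `#`-comment format shown above and reports those conditions; SAMPLE_CONF is a constructed, shortened copy of the file, and the finding texts are this example's own wording.

```python
# Added example (not from the note or radcli): parse a radiusclient(-tls).conf in
# the 'key  value' / '#'-comment format shown above and flag the settings whose
# own comments mark them as weak. SAMPLE_CONF is a constructed, shortened copy.
SAMPLE_CONF = """
# RADIUS settings
authserver      localhost:2083
acctserver      localhost:2083
dictionary      /usr/local/etc/radcli/dictionary
default_realm
radius_timeout  10
radius_retries  3
bindaddr        *
# TLS/DTLS settings
serv-type       tls
tls-ca-file     /usr/local/etc/radcli/ca.pem
tls-cert-file   /usr/local/etc/radcli/cert.pem
tls-key-file    /usr/local/etc/radcli/key.pem
#tls-verify-hostname    false
"""


def parse_conf(text):
    """Return {key: value}; a bare key such as default_realm maps to ''."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_conf(conf):
    """Findings follow the file's own comments: udp is the default transport,
    tls-ca-file verifies the server unless PSK is used, and
    tls-verify-hostname false is for debugging only."""
    findings = []
    if not conf.get("authserver"):
        findings.append("no authserver configured")
    transport = conf.get("serv-type", "udp").lower()
    if transport in ("udp", "tcp"):
        findings.append("serv-type %s: no TLS, User-Password is protected only by "
                        "the RFC 2865 MD5-based hiding" % transport)
    elif transport in ("tls", "dtls"):
        # PSK either inline (host:port:psk@user@hexkey) or via the 'servers' file
        uses_psk = "psk@" in conf.get("authserver", "") or bool(conf.get("servers"))
        if not uses_psk and not conf.get("tls-ca-file"):
            findings.append("%s without tls-ca-file or PSK: the server certificate "
                            "cannot be verified" % transport)
        if conf.get("tls-verify-hostname", "true").lower() == "false":
            findings.append("tls-verify-hostname false: hostname check disabled "
                            "(debugging only)")
    else:
        findings.append("unknown serv-type %r" % transport)
    return findings
```

The file as shown above lints clean; commenting out tls-ca-file or uncommenting tls-verify-hostname false each produces one finding, and a file with no serv-type line falls back to udp and is reported for that.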

Appendix: Command line flags

radlogin
-f
        Path to an alternative configuration file
-i
        File name of the terminal used to determine what to send in the NAS-Port attribute. Normally the tty of stdin is used.
-n
        Disable display of the radlogin issue file. This option is set by default if radlogin is called with an argument.
-V
        Display version information
-h
        Display usage information

radacct
-i
        File name of the terminal used to determine what to send in the NAS-Port attribute. Normally the tty of stdout is used.
-V
        Display version information
-h
        Display usage information

radstatus
-V
        Display version information
-h
        Display usage information
