How to authenticate the enable password with a RADIUS authentication server

RADIUS authentication: principles and configuration

RADIUS packet format

Code (1 octet) identifies the packet type:
1   Access-Request
2   Access-Accept
3   Access-Reject
4   Accounting-Request
5   Accounting-Response
11  Access-Challenge
12  Status-Server (experimental)
13  Status-Client (experimental)
255 Reserved
Identifier (1 octet): used to match a reply with the request it answers.
Length (2 octets): the length of the whole packet, attributes included.
Authenticator (16 octets): used between the RADIUS client and server to authenticate replies and to hide the password. There are four cases:
1. Request Authenticator: in an Access-Request the value is a 16-octet random number; it should be unpredictable and unique over the lifetime of the shared secret.
2. Response Authenticator: in Access-Accept, Access-Reject and Access-Challenge packets the value is MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
3. Accounting-Request Authenticator: the value in an Accounting-Request is MD5(Code + Identifier + Length + 16 zero octets + request attributes + shared secret).
4. Accounting-Response Authenticator: the value in an Accounting-Response is MD5(Accounting-Response Code + Identifier + Length + the Request Authenticator field from the Accounting-Request packet being replied to + the response attributes + shared secret).

Basic authentication flow

The RADIUS server verifies the user's credentials on behalf of the NAS, which acts as the RADIUS client. The steps are:
(1) The user enters a user name and password.
(2) The RADIUS client sends an authentication request (access-request) carrying the user name and password to the RADIUS server.
(3) The RADIUS server looks the user up in its users file; if the user is valid it returns an authentication response (access-accept) to the RADIUS client, otherwise it returns an access-reject.
(4) Depending on the result, the RADIUS client allows or denies the user. If the user is allowed, the client sends an accounting start request (accounting-request with status-type = start) to the RADIUS server.
(5) The RADIUS server returns an accounting response (accounting-response).
(6) When the session ends, the RADIUS client sends an accounting stop request (accounting-request with status-type = stop).
(7) The RADIUS server returns an accounting-response.

Installing FreeRADIUS

The environment used here is Red Hat Enterprise Linux Advanced Server 3.0 with FreeRADIUS 1.0.2.

Listing 1: installing FreeRADIUS
tar -zxvf freeradius-1.0.2.tar.gz         # extract it with gunzip and tar
./configure
make
make install                              # run this command as root
radiusd                                   # start RADIUS server, or
radiusd -X                                # start RADIUS server in debug mode
radtest test test localhost 0 testing123  # test RADIUS server

If radtest receives an Access-Accept, the FreeRADIUS server is working. NTRadPing, a RADIUS test client for Windows, can also be used to send test requests to the server and inspect its reply.

Configuring FreeRADIUS

FreeRADIUS configuration covers the server, the clients (NAS devices) and the users. The files live in /etc/raddb; the main file is radiusd.conf.

Listing 2: radiusd.conf
1) Global settings:
log_auth = yes               # log authentication requests to the log file
log_auth_badpass = no        # don't log passwords if request rejected
log_auth_goodpass = no       # don't log passwords if request accepted
2) LDAP settings:
modules {
    ldap {
        server = "<LDAP server hostname or IP address>"
        port = 636                                 # encrypted communications
        basedn = "ou=bluepages,o=<organization>"   # base Distinguished Name (DN): the Organization Unit (OU) "bluepages" under the Organization (O)
        filter = "(mail=%u)"                       # specify search criteria
        base_filter = "(objectclass=person)"       # specify base search criteria
    }
}
authenticate {                 # enable authentication against LDAP
    Auth-Type LDAP {
        ldap
    }
}
The listing assumes the IBM BluePages LDAP service; replace the server, base DN and filter with those of your own LDAP server.

* Clients: the RADIUS clients (NAS devices) are defined in /etc/raddb/clients.conf, either as an IP subnet (Listing 3) or as a single host name or IP address (Listing 4). Each entry carries the shared secret, a short name and an optional NAS type.

Listing 3: an IP subnet as a group of NAS clients
client 192.168.0.0/24 {
    secret    = mysecret1   # the secret must be the same as configured on the NAS
    shortname = mylan       # the shortname can be used for logging
    nastype   = cisco       # the nastype is used for checkrad and is optional
}

Listing 4: a single host name or IP address as a NAS client
client 192.168.0.1 {
    secret    = mysecret1
    shortname = myserver
    nastype   = other
}

* Users: /etc/raddb/users holds each user's authentication settings.

Listing 5: /etc/raddb/users
1) Authentication type:
Auth-Type := LDAP                                  # authenticate against LDAP
Auth-Type := Local, User-Password == "mypasswd"    # authenticate against the password set in /etc/raddb/users
Auth-Type := System                                # authenticate against the system password file, /etc/passwd or /etc/shadow
2) Service type:
Service-Type = Login,                              # for administrative login

* Authorization: the RADIUS server returns attribute-value pairs (AVPs) in the Access-Accept, and the NAS uses them to decide what the user may do. Cisco routers use privilege levels: level 1 (non-privileged) shows the prompt router>, level 15 (privileged) shows router#; the enable command raises the level, and levels 2 to 14 lie in between. To drop an administrator straight into a level-15 EXEC shell, return
cisco-avpair = "shell:priv-lvl=15"
Cisco Aironet access points use their own vendor attributes to describe an administrator's capabilities:
Cisco:Avpair = "aironet:admin-capability=write+snmp+ident+firmware+admin"
Groups that need fewer rights are given a subset, for example:
Cisco:Avpair = "aironet:admin-capability=ident+admin"
Cisco:Avpair = "aironet:admin-capability=admin"
The Cisco documentation lists the remaining attribute values.

Configuring the NAS (Cisco router)

Listing 6: enabling AAA
aaa new-model
radius-server host 192.168.0.100
radius-server key mysecret1
aaa new-model switches the router to the AAA model; the radius-server lines name the RADIUS server the NAS uses for AAA and the shared secret, which must match the secret configured for this NAS on the RADIUS server.

Listing 7: authentication
aaa authentication login default group radius local
line vty 0 4
login authentication default
This makes administrator logins on the vty lines authenticate against RADIUS first; if the RADIUS server is unreachable, the NAS falls back to its local user database.

Listing 8: authorization
aaa authorization exec default group radius if-authenticated
This lets an authenticated user start an EXEC shell on the NAS with the privilege level granted by the RADIUS server.

Listing 9: accounting
aaa accounting system default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting exec default stop-only group radius
aaa accounting commands 1 default stop-only group radius
aaa accounting commands 15 default wait-start group radius
This makes the router send accounting records to the RADIUS server: system events, network and connection sessions, EXEC sessions, and the commands run at privilege levels 1 and 15.

On a Cisco 1200 Series access point with firmware 12.01T1 the same is done through the web interface (Figure 2, not reproduced here):
* enter the RADIUS server's name or IP address;
* select "Radius" as the server type and tick "User Authentication" as the task the server is used for.

Monitoring the logs

FreeRADIUS records the authentication results for its NAS clients in /var/log/radius/radius.log.

Listing 10: /var/log/radius/radius.log
Thu Mar  3 21:37:32 2005 : Auth: Login OK: [David] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:39:53 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94)

Accounting records are written under /var/log/radius/radacct. Listing 11 shows that David logged in from 192.168.0.94 to the router 192.168.0.1 from 19:40 to 19:51 on 4 March 2005. These records support auditing and let you trace an administrator's activity after an incident.

Listing 11: RADIUS accounting records
Fri Mar  4 19:40:12 2005
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "David"
        Calling-Station-Id = "192.168.0.94"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = NAS-Prompt-User
        Acct-Session-Id = ""
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.0.1
        Acct-Unique-Session-Id = "dacb116"
        Timestamp =

Fri Mar  4 19:51:17 2005
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "David"
        Calling-Station-Id = "192.168.0.94"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = NAS-Prompt-User
        Acct-Session-Id = ""
        Acct-Terminate-Cause = Idle-Timeout
        Acct-Session-Time = 665
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.0.1
        Acct-Unique-Session-Id = "dacb116"
        Timestamp =

Summary

This section showed how to build a Remote Authentication Dial-In User Service server with FreeRADIUS that authenticates against an existing LDAP server, how to configure Cisco devices as NAS clients for authentication, authorization and accounting, and how to use the resulting logs for auditing.
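The radius.log lines and radacct records above are what a defender actually gets to work with. The following script is an added example, not code from the article or from FreeRADIUS: it parses both formats (the line layouts follow Listings 10 and 11, but every sample line is constructed for this example), flags a burst of "Login incorrect" results for one user from one calling station, and cross-checks the Acct-Session-Time a NAS reports against the wall-clock gap between its Start and Stop records. The threshold and window are this example's own choices.

```python
"""Parse FreeRADIUS radius.log / radacct records and flag failed-login bursts (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout of a radius.log 'Auth:' line as in Listing 10, on a single line.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>\S+)\)\s*$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Thu Mar  3 21:37:32 2005"

# Constructed sample data, not real log output.
SAMPLE_RADIUS_LOG = """\
Thu Mar  3 21:37:32 2005 : Auth: Login OK: [David] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:39:53 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:40:10 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:40:41 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94)
Mon Mar  7 23:41:02 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94)
Tue Mar  8 08:02:17 2005 : Auth: Login incorrect: [David] (from client mylan port 1 cli 192.168.0.94)
Tue Mar  8 08:02:40 2005 : Auth: Login OK: [David] (from client mylan port 1 cli 192.168.0.94)
"""
SAMPLE_RADACCT = """\
Fri Mar  4 19:40:12 2005
    NAS-IP-Address = 192.168.0.1
    User-Name = "David"
    Calling-Station-Id = "192.168.0.94"
    Acct-Status-Type = Start
    Acct-Unique-Session-Id = "dacb116"

Fri Mar  4 19:51:17 2005
    NAS-IP-Address = 192.168.0.1
    User-Name = "David"
    Calling-Station-Id = "192.168.0.94"
    Acct-Status-Type = Stop
    Acct-Terminate-Cause = Idle-Timeout
    Acct-Session-Time = 665
    Acct-Unique-Session-Id = "dacb116"
"""


def parse_auth_log(text):
    """One dict per recognised 'Auth:' line; anything else in the file is skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], TS_FORMAT)
            events.append(event)
    return events


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Report (user, calling station) pairs with >= threshold failures inside any sliding window."""
    stamps_by_key = defaultdict(list)
    for e in events:
        if e["result"] == "incorrect":
            stamps_by_key[(e["user"], e["cli"])].append(e["ts"])
    alerts = []
    for (user, cli), stamps in stamps_by_key.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "cli": cli, "failures": best,
                           "first": stamps[0], "last": stamps[-1]})
    return sorted(alerts, key=lambda a: (-a["failures"], a["user"]))


def parse_radacct(text):
    """radacct detail: a timestamp line, indented 'Attr = value' lines, blank line between records."""
    records, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = {"_timestamp": datetime.strptime(raw.strip(), TS_FORMAT)}
            records.append(current)
        elif current is not None:
            key, _, value = raw.strip().partition(" = ")
            current[key] = value.strip('"')
    return records


def sessions(records):
    """Pair Start/Stop by Acct-Unique-Session-Id and check the NAS-reported duration."""
    out = {}
    for r in records:
        s = out.setdefault(r.get("Acct-Unique-Session-Id"),
                           {"user": r.get("User-Name"), "nas": r.get("NAS-IP-Address")})
        if r.get("Acct-Status-Type") == "Start":
            s["start"] = r["_timestamp"]
        elif r.get("Acct-Status-Type") == "Stop":
            s["stop"] = r["_timestamp"]
            s["reported_seconds"] = int(r.get("Acct-Session-Time", 0))
            s["cause"] = r.get("Acct-Terminate-Cause")
    for s in out.values():
        if "start" in s and "stop" in s:
            s["wall_seconds"] = int((s["stop"] - s["start"]).total_seconds())
            # A large mismatch points at clock drift or a forged/duplicated accounting record.
            s["consistent"] = abs(s["wall_seconds"] - s["reported_seconds"]) <= 5
    return out


def run():
    events = parse_auth_log(SAMPLE_RADIUS_LOG)
    return {"events": len(events), "alerts": failed_login_bursts(events),
            "sessions": sessions(parse_radacct(SAMPLE_RADACCT))}
```

With the sample data the burst detector reports John (four failures in under two minutes from 192.168.0.94) and stays quiet about David's single typo, and the 665-second Acct-Session-Time in the Stop record agrees with the timestamps of the two records.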
RADIUS and LDAP authentication
RADIUS: Remote Authentication Dial In User Service, the remote dial-in user authentication system.
  It is defined by RFC2865 and RFC2866 and is currently the most widely used AAA protocol.
  The RADIUS protocol was first proposed by Livingston; its original purpose was to authenticate and account for dial-up users. After many revisions it became a general-purpose authentication and accounting protocol.
  Merit Network, Inc., founded in 1966, is a non-profit company of the University of Michigan whose business is running and maintaining the university's interconnection network, MichNet. In 1987 Merit won a tender of the US NSF (National Science Foundation) and obtained the contract to operate NSFnet (the predecessor of the Internet). Because NSFnet was an IP-based network while MichNet was built on proprietary network protocols, Merit faced the task of evolving MichNet's proprietary protocols to IP and, at the same time, migrating MichNet's large volume of dial-up business and its related proprietary protocols onto the IP network.
  In 1991 Merit decided to put its dial-up servers out to tender. A few months later a company called Livingston submitted a proposal, named RADIUS, and won the contract.
  In the autumn of 1992 the IETF NASREQ working group was formed and RADIUS was submitted to it as a draft. RADIUS quickly became the de facto network access standard, implemented by almost every network access server vendor.
  In 1997 RADIUS RFC2039 was published, followed by RFC2138; the latest RADIUS RFC, RFC2865, was published in June 2000.
  RADIUS is a client/server protocol. Its client was originally the NAS (Net Access Server); today any computer running RADIUS client software can be a RADIUS client. The RADIUS authentication mechanism is flexible and can use PAP, CHAP, Unix login authentication and other methods. RADIUS is an extensible protocol: all of its work is carried out on Attribute-Length-Value vectors, and vendors can add their own vendor-specific attributes.
  Basic operation of RADIUS: the user connects to the NAS, and the NAS submits the user's information to the RADIUS server in an Access-Request packet, including the user name, password and related details. The user password is hidden with MD5 using a shared secret known to both sides; the secret itself never crosses the network. The RADIUS server checks that the user name and password are valid; when necessary it can issue a Challenge to authenticate the user further, and it can authenticate the NAS in a similar way. If the credentials are valid it returns an Access-Accept packet to the NAS, allowing the user to proceed; otherwise it returns Access-Reject and the user is denied. If access is allowed, the NAS sends an Accounting-Request to the RADIUS server, the server answers with an Accounting-Response, accounting for the user begins and the user can carry out their own operations.
  RADIUS also supports proxying and roaming. Put simply, a proxy is a server that acts on behalf of other RADIUS servers and forwards RADIUS authentication and accounting packets. Roaming is a concrete application of proxying: it lets a user be authenticated through a RADIUS server that is otherwise unrelated to them, so the user still gets service outside their home operator's area, and it also makes virtual operators possible.
  The RADIUS server and the NAS communicate over UDP; port 1812 of the RADIUS server handles authentication and port 1813 handles accounting. UDP was chosen mainly because the NAS and the RADIUS server are usually on the same LAN, where UDP is faster and simpler.
  The RADIUS protocol also specifies a retransmission mechanism. If the NAS submits a request to a RADIUS server and receives no reply, it can retransmit the request to a backup RADIUS server. Since there may be several backup servers, the NAS can retransmit in round-robin fashion. If a backup server's secret differs from the previous server's secret, authentication must be redone.
  Because RADIUS is simple, clear and extensible it has been widely adopted: ordinary dial-up Internet access, ADSL, community broadband, IP telephony, VPDN (Virtual Private Dialup Networks, a virtual private dial-up service for dial-up users), prepaid mobile services and more. Recently the IEEE proposed the 802.1x standard, a port-based standard for access authentication on wireless networks, which also uses RADIUS during authentication.
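The MD5-based password hiding and the Response/Accounting Authenticator formulas described above (and in the packet-format section earlier on this page) can be carried through end to end in a few dozen lines. The following is an added example written for this page, not code from the article or from FreeRADIUS: it builds an Access-Request, hides the User-Password with the shared secret and Request Authenticator as RFC 2865 section 5.2 prescribes, recovers it on the server side, answers with a Response Authenticator, and checks an Accounting-Request authenticator. The secret "testing123" and the user/password "test"/"test" are the values radtest uses in Listing 1; the NAS address 127.0.0.1, the identifiers and the attribute set are constructed here.

```python
"""RADIUS authenticator arithmetic (RFC 2865 / RFC 2866), added example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 2, 4, 40
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-octet Authenticator follows


def avp(attr_type, value):
    """One Attribute-Length-Value triple; Length counts the two header octets."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data):
    """Walk an attribute list back into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side: regenerate the same keystream, then strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build(code, identifier, authenticator, attrs):
    return HEADER.pack(code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_auth(code, identifier, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) for Accept/Reject/Challenge."""
    head = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def accounting_request_auth(identifier, attrs, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    head = HEADER.pack(ACCT_REQUEST, identifier, 20 + len(attrs))
    return hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()


def verify_reply(reply, request_auth, secret):
    """Client side: a reply is genuine only if its authenticator binds it to OUR request."""
    if len(reply) < 20 or HEADER.unpack(reply[:4])[2] != len(reply):
        return False
    expected = response_auth(reply[0], reply[1], request_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


def verify_accounting_request(req, secret):
    """Server side: recompute the Accounting-Request authenticator over a zeroed field."""
    if len(req) < 20 or HEADER.unpack(req[:4])[2] != len(req):
        return False
    return hmac.compare_digest(accounting_request_auth(req[1], req[20:], secret), req[4:20])


def exchange(secret=b"testing123", user=b"test", password=b"test", stored=b"test",
             request_auth=None):
    """One Access-Request/Accept round trip plus an Accounting-Request 'Start'.
    `stored` stands in for the password the server holds for the user."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable in a real client
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, hide_password(password, secret, request_auth))
             + avp(NAS_IP_ADDRESS, bytes([127, 0, 0, 1])))  # constructed NAS address
    request = build(ACCESS_REQUEST, 7, request_auth, attrs)
    # Server: unhide the password using the Request Authenticator carried in the packet.
    hidden = dict(parse_avps(request[20:]))[USER_PASSWORD]
    ok = unhide_password(hidden, secret, request[4:20]) == stored
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = build(code, 7, response_auth(code, 7, request_auth, b"", secret), b"")
    # Client: only a holder of the secret can produce a valid Response Authenticator.
    acct_attrs = avp(USER_NAME, user) + avp(ACCT_STATUS_TYPE, struct.pack("!I", 1))  # 1 = Start
    acct = build(ACCT_REQUEST, 8, accounting_request_auth(8, acct_attrs, secret), acct_attrs)
    return {"accepted": code == ACCESS_ACCEPT,
            "reply_verified": verify_reply(reply, request_auth, secret),
            "acct_verified": verify_accounting_request(acct, secret)}
```

Two things worth noticing when running it: a wrong password yields an Access-Reject whose authenticator still verifies, because the Response Authenticator proves origin, not success; and a reply computed with a different secret, or a reply whose length field and body disagree, is rejected by verify_reply, which is exactly what a NAS must do before acting on an Access-Accept.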
Wireless authentication model
Brief overview of 802.1x
This is a port-based access protocol that protects the network through authentication. This kind of authentication is especially useful in wireless environments because of the nature of the medium. If a wireless user passes 802.1x network access authentication, the access point opens a virtual port for communication; if authentication fails, no virtual port is provided and communication is blocked.
802.1x authentication has three basic parts:
a software client running on the wireless station
the wireless access point
the authentication server: an authentication database, usually a RADIUS server (for example Cisco ACS*, Funk Steel-Belted RADIUS* or Microsoft* IAS*)
Table 1: authentication architecture (figure; not reproduced in this copy)
Table 2: wireless authentication types supported by RADIUS
802.1x EAP types compared: MD5 (Message Digest 5), TLS (Transport Layer Security), TTLS (Tunneled TLS), PEAP (Protected TLS), FAST (Flexible Authentication via Secure Tunneling), LEAP (Lightweight Extensible Authentication Protocol)
Criteria compared for each type: client certificate required, server certificate required, WEP key management, rogue AP detection, ease of deployment
Only two cells of the table survive in this copy: an ease-of-deployment value of "hard (because of client certificate configuration)" and a value of "high, when strong passwords are used".
Installation and configuration
I am using OpenLDAP-2.4.9; after unpacking:
[root@localhost ubuntu] ./configure
Normally the system will complain that BerkeleyDB is not installed, and even if you have installed it you will still find it cannot be found (configure: error: BDB/HDB: BerkeleyDB not available). Solve it as follows:
CPPFLAGS="-I/usr/local/BerkeleyDB.4.3/include"
export CPPFLAGS
LDFLAGS="-L/usr/local/BerkeleyDB.4.3/lib"
export LDFLAGS
LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.3/lib"
export LD_LIBRARY_PATH
[root@localhost ubuntu] make
[root@localhost ubuntu] make install
[root@localhost ubuntu] make test (best to do this; it tests whether the ldap service can start. If it reports that it cannot start, port 389 is occupied; rebooting the machine fixes it)
Start the service:
[root@localhost ubuntu] ./slapd -d 1
Here I recommend using log level 1; at log level 256 a lot of the output is no longer visible.
I am using freeradius-server-2.0.4.
Install openssl first:
#tar zxvf openssl-f-0.9.7-stable-SNAP-.tar.gz
#cd openssl-0.9.7-stable-SNAP-
#./config shared --prefix=/usr/local/openssl
#make install
Install FreeRADIUS:
#cd radiusd
#./configure --prefix=/usr/local/newradius \
   --with-openssl-includes=/usr/local/openssl/include \
   --with-openssl-libraries=/usr/local/openssl/lib
#make install
The reason for installing openssl here is to generate certificates: under raddb/certs, use commands such as make client.pem; if you need to change the certificate settings, edit the .cnf files.
der and cer are the same thing, a certificate; cer is the form used on Windows.
pem is a certificate request, stored as a text file.
p12 is a personal certificate that contains the private key.
Edit slapd.conf as follows:
# See slapd.conf(5) for details on configuration
# This file should NOT be world readable.
# Add the schemas; it is best not to change their order
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/radius.schema
# Define global ACLs to disable default read
# Do not enable referrals until AFTER you have a working
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
# modulepath %MODULEDIR%
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
# if no access controls are present, the default
# allows anyone and everyone to read anything but
# updates to rootdn. (e.g., "access to * by *
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
# The root node of your LDAP tree; used whenever you add or search
suffix "dc=teddy,dc=net"
rootdn "cn=master,dc=teddy,dc=net"
# Cleartext passwords, especially for the rootdn,
# be avoid. See slappasswd(8) and slapd.conf(5) for
# Use of strong authentication encouraged.
# bind password
rootpw secret
# The database directory MUST exist prior to running slapd
# should only be accessible by the slapd and slap
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
Now we start adding entries to LDAP.
Create test1.ldif (the base entry dc=teddy,dc=net must exist before anything can be added beneath it, so it is created in the same file, followed by a blank line and the cn=master entry):
dn: dc=teddy,dc=net
objectClass: dcObject
objectClass: organization
dc: teddy
o: teddy

dn: cn=master,dc=teddy,dc=net
objectClass: organizationalRole
cn: master
Create test2.ldif:
dn: uid=radiususer,cn=master,dc=teddy,dc=net
uid: radiususer
cn: radiususer
objectClass: top
#objectClass: dcObject
objectClass: account
objectClass: posixAccount
userPassword: test
uidNumber: 10072
gidNumber: 10002
homeDirectory: /home/radiususer
loginShell: /bin/shell
Run the commands:
ldapadd -x -D "cn=master,dc=teddy,dc=net" -W -f test1.ldif
ldapadd -x -D "cn=master,dc=teddy,dc=net" -W -f test2.ldif
At this point make sure the ldap service is running.
You will be prompted for a password; enter the rootdn password and the entries are added.
Verify with:
ldapsearch -x -b 'dc=teddy,dc=net'
# The certificate settings depend on your actual situation; for testing you can use the certificates generated above
# These are used to simplify later configurations.
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.pem
# If Private key & Certificate are located
# the same file, then private_key_file
# certificate_file must contain the same file
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/ca.pem
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
# openssl dhparam -out certs/dh 1024
dh_file = ${certdir}/dh
random_file = ${certdir}/random
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
# include_length = yes
# Check the Certificate Revocation List
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
# CA_path = /path/to/directory/with/ca_certs/and/crls/
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the cerficate verification will fail,
# rejecting the user.
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
# check_cert_cn = %{User-Name}
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
# This configuration entry should be deleted
# once the server is running in a normal
# configuration. It is here ONLY to make
# initial deployments easier.
make_cert_command = "${certdir}/bootstrap"
default_eap_type = md5
copy_request_to_tunnel = no
# allowed values: {no, yes}
use_tunneled_reply = no
virtual_server = "inner-tunnel"
##################################################
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
# proxy_tunneled_request_as_eap = yes
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
virtual_server = "inner-tunnel"
mschapv2 {
Here I only cover the ldap configuration.
# Note that this needs to match the name in the
# server certificate, if you're using ldaps.
# LDAP server address
server = "127.0.0.1"
# account used to log in to LDAP
identity = "cn=master,dc=teddy,dc=net"
password = "secret"
basedn = "dc=teddy,dc=net"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
access_attr = "uid"
password_attribute = userPassword
# How many connections to keep open to the LDAP
# This saves time over opening a new LDAP socket
# every authentication request.
ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default:
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
# seconds to wait for response of the server.
# failures) default: 10
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
# This subsection configures the tls related
# that control how FreeRADIUS connects to an
# server. It contains all of the "tls_*"
configuration
# entries used in older versions of FreeRADIUS.
# configuration entries can still be used, but we
# using these.
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS
# operation.
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't
# The default is "allow"
# require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has
# built with the --with-edir configure option.
# See also the following links:
/coolsolutions/appnote/16745.html
https://secure-/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
# Novell may require TLS encrypted sessions before
# the user's password.
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS
# configured to build with --with-edir option.
edir_account_policy_check = no
# Group membership checking. Disabled by
# groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
# By default, if the packet contains a User-Password,
# and no other module is configured to handle
# authentication, the LDAP module sets itself to
# LDAP bind for authentication.
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x
# You can disable this behavior by setting the
# configuration entry to "no".
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
ldap_debug = 0x0028
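The ldap block above binds to the directory as the same cn=master account that slapd.conf names as rootdn, keeps the bind password in clear, leaves start_tls off and turns LDAP SDK debugging on. Those are reasonable choices for a test box on 127.0.0.1 and poor ones once the directory moves to another host. The following script is an added example, not part of the article or of FreeRADIUS: it parses the key = value lines of an rlm_ldap block (the sample is the block shown above, with the rootdn taken from the slapd.conf above) and reports the settings a reviewer would raise. The severities and checks are this example's own, not FreeRADIUS documentation.

```python
"""Review an rlm_ldap configuration block for weak settings (added example)."""
import re

# The ldap block from this page, as parsed by this example; commented-out keys stay inactive.
SAMPLE_LDAP_BLOCK = """\
server = "127.0.0.1"
identity = "cn=master,dc=teddy,dc=net"
password = "secret"
basedn = "dc=teddy,dc=net"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
access_attr = "uid"
password_attribute = userPassword
start_tls = no
# require_cert = "demand"
ldap_debug = 0x0028
"""
SLAPD_ROOTDN = "cn=master,dc=teddy,dc=net"  # rootdn from the slapd.conf on this page
LOOPBACK = ("127.0.0.1", "localhost", "::1")
SETTING = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_settings(text):
    """'key = value' lines into a dict; '#' lines are skipped and surrounding quotes stripped."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def review(settings, rootdn=None):
    """Return (severity, key, message) triples, most serious first."""
    findings = []
    server = settings.get("server", "")
    encrypted = settings.get("start_tls", "no").lower() == "yes" or server.startswith("ldaps://")
    if not encrypted and server not in LOOPBACK:
        findings.append(("high", "start_tls",
                         "bind password and every user's password cross the network unencrypted"))
    if encrypted and settings.get("require_cert", "allow") != "demand":
        findings.append(("high", "require_cert",
                         "the LDAP server certificate is not verified, so the TLS session can be intercepted"))
    if rootdn and settings.get("identity", "").lower() == rootdn.lower():
        findings.append(("medium", "identity",
                         "radiusd binds as the directory rootdn; use a read-only service account"))
    if "password" in settings:
        findings.append(("info", "password",
                         "bind password is stored in clear here; keep the file readable by the radiusd user only"))
    if int(settings.get("ldap_debug", "0"), 0) != 0:
        findings.append(("low", "ldap_debug",
                         "LDAP SDK debugging is on and prints directory traffic to the console"))
    return findings


if __name__ == "__main__":
    for severity, key, message in review(parse_settings(SAMPLE_LDAP_BLOCK), SLAPD_ROOTDN):
        print("%-6s %-13s %s" % (severity, key, message))
```

Run against the page's own block the reviewer reports the rootdn bind, the cleartext bind password and the debug flag but not the missing TLS, because the server is loopback; change server to a remote address and the missing start_tls becomes the first finding, and with start_tls = yes the absent require_cert = "demand" takes its place.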
client <IP address> {
    secret = test
    shortname = test802.1
}
OK, restart radius:
#radiusd -X -f
[root@ubuntu:~]# radtest radiususer test 10.190.41.78 0 test
(radiususer is the LDAP user, the first "test" is that user's LDAP password, and the last "test" is the RADIUS shared secret)
User-Name = "radiususer"
User-Password = "test"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
On success you will see