Installing and Configuring a RADIUS Authentication Service on Ubuntu

Install the service
Install the freeradius package:

$ sudo apt install freeradius

Check the version
$ freeradius -v
radiusd: FreeRADIUS Version 3.0.16, for host x86_64-pc-linux-gnu, built on Apr 17 2019 at 12:59:55
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

Configuration file location by version
If the version shows 3.0.*, the configuration directory is /etc/freeradius/3.0
If the version shows 3.2.*, the configuration directory is /etc/freeradius/3.2
Every configuration path used below must be adjusted to the installed version; do not copy the paths from this document verbatim.
The IP address of the machine running the RADIUS service is 192.168.100.150
Start the server in debug mode for testing; normally the last few lines of output look like this:
$ sudo freeradius -X
.....
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 56061
Listening on proxy address :: port 59459
Ready to process requests
# If instead the output ends like the following, startup failed
Failed binding to auth address * port 1812 bound to server default: Address already in use
/etc/freeradius/3.0/sites-enabled/default[59]: Error binding to port for 0.0.0.0 port 1812
# This means another radius service is already running and holds the port.
# Stop it with
# $ sudo systemctl stop freeradius.service
# Or, if freeradius was started in another terminal and left running,
# run: pkill freeradius

Add RADIUS user data
Edit the users file and add a user named operator with the password testpass
$ sudo vim /etc/freeradius/3.0/users

operator Cleartext-Password := "testpass"
        Reply-Message := "Hello, %{User-Name}"

Restart the freeradius service (stop the running instance, then start it again in debug mode)
$ sudo freeradius -X

Test the RADIUS service
From another machine, open a terminal and check whether port 1812 is open on the machine running the RADIUS service
$ sudo nmap -sU 192.168.100.150 -p 1812
# Output like the following indicates the port is reachable. For UDP, nmap reports
# open|filtered because an unsolicited probe gets no reply either way, so the
# radtest step below is the real check.
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-27 11:12 CST
Nmap scan report for 192.168.100.150
Host is up (0.00017s latency).

PORT     STATE         SERVICE
1812/udp open|filtered radius
MAC Address: CC:D3:9D:9F:D5:1D (Ieee Registration Authority)

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

Open a new terminal and run the following command
$ radtest operator testpass 192.168.100.150 0 testing123
# Output like the following means authentication succeeded
Sent Access-Request Id 202 from 0.0.0.0:35778 to 127.0.0.1:1812 length 79
        User-Name = "operator"
        User-Password = "testpass"
        NAS-IP-Address = 192.168.100.150
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "testpass"
Received Access-Accept Id 202 from 127.0.0.1:1812 to 0.0.0.0:0 length 38
        Reply-Message = "Hello, operator"

Allow remote users to authenticate
$ vim /etc/freeradius/3.0/clients.conf
# Add the following block. It defines a new client; ipaddr controls which source
# addresses may send requests: 0.0.0.0 here means no IP restriction, whereas
# 192.168.100.150 would allow only that address. The shared secret is testing123.
# Any host that can reach the port and knows the secret can then send requests,
# so restrict ipaddr to the actual NAS addresses and use a strong secret outside a lab.
client private-network-1 {
        ipaddr = 0.0.0.0
        secret = testing123
}

Change the RADIUS listening port
Choose one of the two methods below.
Method one: edit the configuration directly; this example changes the port to 8888
$ sudo vim /etc/freeradius/3.0/sites-enabled/default
# Find the listen section (port = 0 means "use the port from /etc/services")
listen {
        ...
        type = auth
        ipaddr = *
        port = 0
}
# Change the port
listen {
        ...
        type = auth
        ipaddr = *
        port = 8888
}

Method two: edit /etc/services
$ sudo vim /etc/services
# Find
radius          1812/tcp
radius          1812/udp
# Change to the custom port
radius          8888/tcp
radius          8888/udp

Sending authentication requests
radclient is the recommended tool
$ radclient -h
Usage: radclient [options] server[:port] <command> [<secret>]
  <command>              One of auth, acct, status, coa, disconnect or auto.
  -4                     Use IPv4 address of server
  -6                     Use IPv6 address of server.
  -c <count>             Send each packet 'count' times.
  -d <raddb>             Set user dictionary directory (defaults to /etc/freeradius/3.0).
  -D <dictdir>           Set main dictionary directory (defaults to /usr/share/freeradius).
  -f <file>[:<file>]     Read packets from file, not stdin.
                         If a second file is provided, it will be used to verify responses
  -F                     Print the file name, packet number and reply code.
  -h                     Print usage help information.
  -n <num>               Send N requests/s
  -p <num>               Send 'num' packets from a file in parallel.
  -q                     Do not print anything out.
  -r <retries>           If timeout, retry sending the packet 'retries' times.
  -s                     Print out summary information of auth results.
  -S <file>              read secret from file, not command line.
  -t <timeout>           Wait 'timeout' seconds before retrying (may be a floating point number).
  -v                     Show program version information.
  -x                     Debugging mode.
  -P <proto>             Use proto (tcp or udp) for transport.

Example
Authenticate the user operator with password testpass against IPv4 address 192.168.100.150, port 1812, shared secret testing123 (the one configured in clients.conf), a timeout of 1 s and 4 retries
$ echo "User-Name=operator,User-Password=testpass" | radclient -4 192.168.100.150:1812 auth testing123 -t 1 -r 4
# On success the output looks like this
Sent Access-Request Id 61 from 0.0.0.0:54293 to 192.168.100.150:1812 length 49
Received Access-Accept Id 61 from 192.168.100.150:1812 to 192.168.0.121:54293 length 38
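The Access-Request / Access-Accept exchange that radtest and radclient perform above, as an added Python example that is not part of the original post: it builds the request with the RFC 2865 User-Password hiding, parses it as the server would, and checks the Response Authenticator, which is why a wrong shared secret (or a client missing from clients.conf) makes the exchange fail. The fixed Request Authenticator and the reply are constructed for illustration; a real client uses 16 random bytes.

```python
import hashlib
import struct
# RFC 2865 codes and attribute types seen in the radtest/radclient output above
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18

def hide_password(password, secret, authenticator, reverse=False):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher
    block), chained from the Request Authenticator; reverse=True recovers the cleartext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = padded[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = chunk if reverse else mixed  # chain on the ciphertext in both directions
    return out.rstrip(b"\x00") if reverse else out

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse(pkt):
    """Return (code, id, authenticator, {type: value}); rejects malformed lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs

def build_access_request(ident, user, password, secret, req_auth, nas_ip):
    """Client side: what radtest/radclient send (req_auth should be 16 random bytes)."""
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(NAS_PORT, struct.pack("!I", 0))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, attrs, req_auth, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, req_auth, secret):
    """Client side: a reply only verifies if both ends hold the same shared secret."""
    code, ident, resp_auth, _ = parse(reply)
    return resp_auth == build_reply(code, ident, reply[20:], req_auth, secret)[4:20]
```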
