

Strongswan + freeradius + daloradius + AD authentication: building an IKEv2 access service



Part 2    Install and configure freeradius-4.0.0 and samba, using winbind to integrate Windows Active Directory domain account authentication and implement user-group authentication


Lab dates: 7 August 2018 to 8 August 2018



Topology diagram:


[Topology diagram (image not included in this extract)]


Environment:

    Firewall 1: FW1    USG2200

    External IP: 10.99.101.170    Domain name: strongswan.test.com

    Internal IP: 192.168.20.3


    Firewall 2: FW2    USG2200

    External IP: 10.99.101.129    Domain name: mystrongswan.test.com

    Internal IP: 192.168.20.2


    Firewall 5: FW5    USG2200

    External IP: 10.99.101.167

    Internal IP: 131.107.0.1


    Servers:

        Domain controller:

        Windows Server 2016

        IP address: 192.168.20.10    Domain name: dc.test.com


        strongswan server:

        CentOS 7

        IP address: 192.168.20.29

        Strongswan-5.6.3


        freeradius server:

        CentOS 7

        IP address: 192.168.20.27

        freeradius-4.0.0


    Client: Windows 7

        Built-in VPN client, EAP-MSCHAPv2 mode and computer certificate mode




Part 2    Install and configure freeradius-4.0.0 and samba, using winbind to integrate Windows Active Directory domain account authentication and implement user-group authentication


Lab dates: 7 August 2018 to 7 August 2018



1. CentOS 7 minimal install (your choice; other install types also work)

 

    Set the IP address

 

cd /etc/sysconfig/network-scripts

vi ifcfg-ens32


    BOOTPROTO=static

    ONBOOT=yes

    IPADDR=192.168.20.27

    NETMASK=255.255.255.0

    GATEWAY=192.168.20.2

    DNS1=192.168.20.10

 

reboot


 

2. Install vim (optional step; you can skip it)

 

yum install -y vim

 

3. Upgrade the system after installation (optional step; you can skip it)

 

yum upgrade -y

 

    Upgrades all packages without changing software or system settings; the system version is upgraded, the kernel is not

 

yum update -y

         

    Upgrades all packages and changes software and system settings; both the system version and the kernel are upgraded


4. Disable SELinux

 

vim /etc/sysconfig/selinux


    SELINUX=disabled


reboot
sestatus


   SELinux status:   disabled


5. Install and configure samba

yum install samba -y

yum install samba-winbind -y

vim /etc/samba/smb.conf

    

[global]

   netbios name = freeradius

   workgroup = TEST

   server string = RADIUS server

   security = ads

   invalid users = root

   socket options = TCP_NODELAY

   idmap uid = 16777216-33554431

   idmap gid = 16777216-33554431

   winbind use default domain = no

   winbind max domain connections = 5

   winbind max clients = 1000

   password server = DC.TEST.COM

   realm = TEST.COM


systemctl restart smb nmb

net ads join -U administrator

    

    Output:


    Joined 'FREERADIUS' to dns domain 'test.com'

    NO DNS domain configured for freeradius.Unable to perform DNS Update.

    DNS update failed:NT_STATUS_INVALID_PARAMETER


systemctl restart winbind

net ads testjoin

    

    Output:


    Joins is OK.


systemctl enable smb nmb winbind



On the domain controller dc.test.com you can now see a computer account named freeradius.



6. Download the freeradius source

yum install -y git

cd /usr/src

git clone git://github.com/freeradius/freeradius-server.git

cd /usr/src/freeradius-server

commit d0b4760e41db01f09c49cea90065ae5cc4b27256
Merge: b342d5f 3fa2f22
Author: Alan DeKok <aland@freeradius.org>
Date:   Wed Nov 16 11:16:35 2016 -0500


7. The build requires C11 support, so install gcc 4.9


yum install centos-release-scl -y
 
yum install devtoolset-3-toolchain -y
 
scl enable devtoolset-3 bash

gcc --version

     

    Output:

    gcc (GCC) 4.9.2 20150212 (Red Hat 4.9.2-6)

    Copyright (C) 2014 Free Software Foundation, Inc.

    This is free software; see the source for copying conditions.  There is NO

    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPO


8-1. Build and install freeradius. This step records the error messages met during configure / make / make install and which package resolves each one; if you do not want to read it, skip straight to 8-2.


scl enable devtoolset-3 bash

./configure


    Error:


    configure: WARNING: talloc library not found. Use --with-talloc-lib-dir=<path>.

    configure: error: FreeRADIUS requires libtalloc.  Please read doc/developer/dependencies.rst for further instructions.

    

    Install libtalloc-devel

yum -y install libtalloc-devel

./configure


    Error:


    configure: WARNING: kqueue library not found. Use --with-kqueue-lib-dir=<path>.

    configure: error: FreeRADIUS requires libkqueue (or system kqueue).  Please read doc/developer/dependencies.rst for further instructions.


    Install libkqueue

cd /usr/src

yum install -y wget
 
wget https://jaist.dl.sourceforge.net/project/libkqueue/libkqueue-2.0/libkqueue-2.0.1.tar.gz
 
tar -xzvf libkqueue-2.0.1.tar.gz
 
cd libkqueue-2.0.1/
 
./configure
 
make
 
make install
 
ln -s /usr/local/include/kqueue/sys /usr/local/include/

cd /usr/src/freeradius-server

./configure


    Error:

   

    configure: error: failed linking to libcrypto. Use --with-openssl-lib-dir=<path>, or --with-openssl=no (builds without OpenSSL)

    See `config.log' for more details

    

    Install openssl-devel


yum install -y openssl-devel

./configure

    Output:


    config.status: creating all.mk


    configure passes, but winbind and MySQL support are still missing, as the following warnings show:


     configure: WARNING: wbclient.h not found. Use --with-winbind-include-dir=<path>.

    configure: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient


yum install -y libwbclient-devel

    

    configure: WARNING: core/ntstatus.h not found. Use --with-winbind-include-dir=<path>.


yum install -y samba-devel

    

    configure: WARNING: MySQL headers not found. Use --with-mysql-include-dir=<path>.

    configure: WARNING: silently not building rlm_sql_mysql.

    configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient || libmysqlclient_r mysql.h.


yum install -y mariadb-devel


    Install readline-devel, otherwise make reports:

     

    src/bin/radmin.c:79:15:warning:passing argument 1 of 'fgets' from incompatible pointer type line = fgets(readline_buffer, sizeof(readline_buffer),stdin);


yum install -y readline-devel

    

    Install libpcap-devel, otherwise make reports:


    src/lib/util/dict.c:48:8: error: unknown type name ‘fr_hash_table_t’

    static fr_hash_table_t *protocol_by_name = NULL; //!< Hash containing names of all the registered protocols.

    

yum install -y libpcap-devel


    Install pam-devel, otherwise radiusd -X after make install reports:

    

    /usr/local/etc/raddb/mods-enabled/pam[15]: Failed to link to module "rlm_pam": rlm_pam.so: cannot open shared object file: No such file or directory

    Not built with support for LSAN interface

    /usr/local/etc/raddb/mods-enabled/pam[15]: Make sure it (and all its dependent libraries!) are in the search path of your system's ld


yum install pam-devel

./configure



configure completes.




make

    

    Output:


    

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_sql/drivers/rlm_sql_db2/

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_lua/

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_krb5/

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_sql/drivers/rlm_sql_db2/

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_lua/

    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_krb5/


make reconfig


    Output:


    Makefile:192: *** You need to install autoconf to re-build the "configure" scripts。 停止。


yum install autoconf -y

make reconfig

make

   

    make succeeds


make install

    

    freeradius is installed; the configuration files are in /usr/local/etc/raddb/


radiusd -X

    

    Error:


    

    Unable to open file "/usr/local/etc/raddb/certs/rsa/ca.pem": Effective user/group - root:root: ENOENT: No such file or directory

    rlm_eap_tls - Failed initializing SSL context

    /usr/local/etc/raddb/mods-enabled/eap[15]: Instantiation failed for module "eap"


cd /usr/local/etc/raddb/certs

make

radiusd -X


    Output:

  

    Ready to process requests


    Started successfully in debug mode


8-2. Build and install freeradius (all steps together)


scl enable devtoolset-3 bash

yum -y install libtalloc-devel openssl-devel libwbclient-devel samba-devel mariadb-devel readline-devel pam-devel autoconf libpcap-devel net-snmp-devel net-snmp-utils gdbm-devel libtool libtool-ltdl-devel zlib-devel openldap-devel krb5-devel python-devel mysql-devel postgresql-devel unixODBC-devel memcached-devel
 
cd /usr/src

yum install -y wget

wget https://jaist.dl.sourceforge.net/project/libkqueue/libkqueue-2.0/libkqueue-2.0.1.tar.gz

tar -xzvf libkqueue-2.0.1.tar.gz

cd libkqueue-2.0.1/

./configure

make

make install

ln -s /usr/local/include/kqueue/sys /usr/local/include/

cd /usr/src/freeradius-server

./configure

make

make install

cd /usr/local/etc/raddb/certs

make

radiusd -X

 

Ready to process requests

 

Started successfully in debug mode



9. Open the firewall ports


firewall-cmd --zone=public --add-port=1812/udp --permanent
 
firewall-cmd --zone=public --add-port=1813/udp --permanent
 
firewall-cmd --reload



10. Configure freeradius


    Enable winbind


ln -s /usr/local/etc/raddb/mods-available/winbind /usr/local/etc/raddb/mods-enabled/

    


vim /usr/local/etc/raddb/mods-enabled/mschap

    

    Uncomment


    winbind_username = "%{mschap:User-Name}"

    winbind_domain = "%{mschap:NT-Domain}"


vim /usr/local/etc/raddb/sites-enabled/default

    


    In the send Access-Accept section add a group check, so that only users in the strongswan group pass authentication



    send Access-Accept {
        ...
        if (!Winbind-Group == "strongswan") {
            reject
        }
        ...
    }


radiusd -X


    Test from a second terminal on the same machine


    Domain user: sswanuser1       password asdf123.    member of the strongswan group

    Domain user: feisswanuser1    password asdf123.    not a member of the strongswan group


radtest -t mschap sswanuser1 asdf123. 127.0.0.1 0 testing123


    Output:

    

Sent Access-Request Id 157 from 0.0.0.0:51595 to 127.0.0.1:1812 length 136

Cleartext-Password = "asdf123."

User-Name = "sswanuser1"

MS-CHAP-Password = "asdf123."

NAS-IP-Address = 127.0.0.1

NAS-Port = 0

Message-Authenticator = 0x00

MS-CHAP-Challenge = 0x9aff829427d02e33

MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000004599a4f2c634a7a8d3df706e509d3d9086007dbb590f6c78

Received Access-Accept Id 157 from 127.0.0.1:1812 to 0.0.0.0:51595 via lo length 84

MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

MS-MPPE-Encryption-Policy = Encryption-Allowed

MS-CHAP-MPPE-Keys = 0x00000000000000007b73fe4ee9d5c787afd20f901a960783


    Authentication passed

    

radtest -t mschap feisswanuser1 asdf123. 127.0.0.1 0 testing123



    Output:


Sent Access-Request Id 127 from 0.0.0.0:44856 to 127.0.0.1:1812 length 139

Cleartext-Password = "asdf123."

User-Name = "feisswanuser1"

MS-CHAP-Password = "asdf123."

NAS-IP-Address = 127.0.0.1

NAS-Port = 0

Message-Authenticator = 0x00

MS-CHAP-Challenge = 0xa8d0c5a792406d82

MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000eedb7a880b0bd9677cf1f25bd3cab570ca106dc6107b32a5

Received Access-Reject Id 127 from 127.0.0.1:1812 to 0.0.0.0:44856 via lo length 20

(0) -: Expected Access-Accept got Access-Reject


    Authentication failed
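A regression test for the Winbind-Group gate configured in step 10, added here as an example (not from the original post). It runs radtest for the allowed user and the denied user and fails unless the server answers Access-Accept and Access-Reject respectively; the host, shared secret and the two test accounts are the values used in the post and are assumptions to adjust for your own environment.

```shell
#!/bin/sh
# Added example: regression test for the "strongswan" group gate in sites-enabled/default.
# Assumed values (taken from the post): server 127.0.0.1, shared secret testing123,
# sswanuser1 (in the group) and feisswanuser1 (not in the group), password asdf123.
RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"

# Classify radtest output: "accept", "reject", or "none" (no reply / timeout).
radius_outcome() {
    if printf '%s\n' "$1" | grep -q 'Received Access-Accept'; then
        echo accept
    elif printf '%s\n' "$1" | grep -q 'Received Access-Reject'; then
        echo reject
    else
        echo none
    fi
}

# Run one MS-CHAP radtest and compare the result with what the policy must produce.
# Returns 0 when the outcome matches, 1 otherwise.
check_user() {
    user="$1"; password="$2"; expected="$3"
    out=$(radtest -t mschap "$user" "$password" "$RADIUS_HOST" 0 "$RADIUS_SECRET" 2>&1)
    got=$(radius_outcome "$out")
    if [ "$got" = "$expected" ]; then
        echo "OK   $user -> $got"
        return 0
    fi
    echo "FAIL $user -> $got (expected $expected)"
    return 1
}

# The denied case is the important one: a server that accepts feisswanuser1 has
# lost the group check (for example after a config change that dropped the edit).
if [ "${1:-}" = "run" ]; then
    rc=0
    check_user sswanuser1    asdf123. accept || rc=1
    check_user feisswanuser1 asdf123. reject || rc=1
    exit "$rc"
fi
```

Save it as a script on the freeradius host and invoke it with the argument run while radiusd is listening; the live checks only execute with that argument.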


11. Add a freeradius systemd service

 

 

cd /lib/systemd/system/
 
vim radiusd.service

 

 

[Unit]

Description=FreeRADIUS high performance RADIUS server.

After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service

After=mariadb.service

 

[Service]

Type=forking

PIDFile=/usr/local/var/run/radiusd/radiusd.pid

# ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd

ExecStartPre=/usr/local/sbin/radiusd -C

ExecStart=/usr/local/sbin/radiusd -d /usr/local/etc/raddb

ExecReload=/usr/local/sbin/radiusd -C

ExecReload=/bin/kill -HUP $MAINPID

 

[Install]

WantedBy=multi-user.target






End of the Part 2 configuration


Part 1    CentOS 7 strongswan install and configuration supporting Windows 7 IKEv2 in EAP-MSCHAPv2 mode and computer certificate mode

Part 2    Install and configure freeradius-4.0.0 and samba, using winbind to integrate Windows Active Directory domain account authentication and implement user-group authentication

Part 3    Integrate Strongswan + freeradius to authenticate IKEv2 access with domain user groups

Part 4    Install mysql and daloradius for web management of freeradius

Part 5    Configure assignment of a fixed IP address based on the dial-in username (domain account) to enable tracking of users