| 知乎专栏 | 多维度架构 |
过程 92.1. 安装NIS服务器
ypserv
# yum install ypserv -y
/etc/hosts
[root@nis ~]# hostname nis.example.com [root@nis ~]# echo "192.168.3.5 nis.example.com" >> /etc/hosts [root@nis ~]# cat /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 datacenter.example.com datacenter localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 127.0.0.1 kerberos.example.com 192.168.3.5 nis.example.com
设置NIS域名
# nisdomainname example.com # nisdomainname example.com
加入 /etc/rc.local 开机脚本
# echo '/bin/nisdomainname example.com' >> /etc/rc.local # echo 'NISDOMAIN=example.com' >> /etc/sysconfig/network
设置/etc/ypserv.conf主配置文件
# vim /etc/ypserv.conf 127.0.0.0/255.255.255.0 : * : * : none 192.168.3.0/255.255.255.0 : * : * : none * : * : * : deny
创建 /var/yp/securenets 文件
securenets 安全配置文件
# vim /var/yp/securenets host 127.0.0.1 255.255.255.0 192.168.3.0
启动NIS服务器
NIS服务器需要portmap服务的支持,并且需要启动ypserv和yppasswdd两个服务
[root@nis ~]# service portmap status portmap (pid 2336) is running... [root@nis ~]# service ypserv start Starting YP server services: [ OK ] [root@nis ~]# service yppasswdd start Starting YP passwd service: [ OK ]
构建NIS数据库
32bit: /usr/lib/yp/ypinit -m
64bit: /usr/lib64/yp/ypinit -m
[root@nis ~]# /usr/lib64/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. nis.example.com is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: nis.example.com
next host to add:
next host to add:
The current list of NIS servers looks like this:
nis.example.com
Is this correct? [y/n: y]
We need a few minutes to build the databases...
Building /var/yp/example.com/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/example.com'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/example.com'
nis.example.com has been set up as a NIS master server.
Now you can run ypinit -s nis.example.com on all slave server.
检查
# ls /var/yp/ binding example.com Makefile nicknames securenets ypservers
Service
[root@datacenter ~]# chkconfig --list | grep yp ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off yppasswdd 0:off 1:off 2:off 3:off 4:off 5:off 6:off ypserv 0:off 1:off 2:off 3:off 4:off 5:off 6:off ypxfrd 0:off 1:off 2:off 3:off 4:off 5:off 6:off [root@nis ~]# chkconfig ypserv on [root@nis ~]# chkconfig yppasswdd on
Now you can run ypinit -s nis.example.com on all slave server.
# ypinit -s nis.example.com
过程 92.2. 安装NIS客户端软件
NIS客户机需要安装ypbind和yp-tools两个软件包
# yum install ypbind yp-tools -y
NIS域名
# nisdomainname example.com
/etc/hosts
192.168.3.5 nis.example.com
/etc/yp.conf
# vim /etc/yp.conf domain example.com server nis.example.com
/etc/nsswitch.conf
# vim /etc/nsswitch.conf passwd: files nis shadow: files nis group: files nis hosts: files nis dns
启动ypbind服务程序
[root@test ~]# service portmap status portmap is stopped [root@test ~]# service portmap start Starting portmap: [ OK ] [root@test ~]# service ypbind start Turning on allow_ypbind SELinux boolean Binding to the NIS domain: [ OK ] Listening for an NIS domain server..
yp-tools 测试工具
yptest 命令可对NIS服务器进行自动测试
# yptest
ypwhich 命令可显示NIS客户机所使用的NIS服务器的主机名称和数据库文件列表
# ypwhich # ypwhich -x
ypcat命令显示数据库文件列表和指定数据库的内容
# ypcat -x # ypcat passwd
NIS Client Service
# chkconfig ypbind on
# authconfig-tui
Use NIS
┌────────────────┤ Authentication Configuration ├─────────────────┐
│ │
│ User Information Authentication │
│ [ ] Cache Information [*] Use MD5 Passwords │
│ [ ] Use Hesiod [*] Use Shadow Passwords │
│ [ ] Use LDAP [ ] Use LDAP Authentication │
│ [*] Use NIS [ ] Use Kerberos │
│ [ ] Use Winbind [ ] Use SMB Authentication │
│ [ ] Use Winbind Authentication │
│ [ ] Local authorization is sufficient │
│ │
│ ┌────────┐ ┌──────┐ │
│ │ Cancel │ │ Next │ │
│ └────────┘ └──────┘ │
│ │
│ │
└─────────────────────────────────────────────────────────────────┘
NIS Settings
┌─────────────────┤ NIS Settings ├─────────────────┐
│ │
│ Domain: example.com_____________________________ │
│ Server: nis.example.com_________________________ │
│ │
│ ┌──────┐ ┌────┐ │
│ │ Back │ │ Ok │ │
│ └──────┘ └────┘ │
│ │
│ │
└──────────────────────────────────────────────────┘
nis server:
在NIS服务器上创建一个test用户
# adduser test # passwd test # /usr/lib64/yp/ypinit -m
nis client
使用test用户登录到客户机
ssh test@client.example.com
测试
[root@test ~]# yptest Test 1: domainname Configured domainname is "example.com" Test 2: ypbind Used NIS server: nis.example.com Test 3: yp_match WARNING: No such key in map (Map passwd.byname, key nobody) Test 4: yp_first neo neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash Test 5: yp_next test test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash Test 6: yp_master nis.example.com Test 7: yp_order 1271936660 Test 8: yp_maplist rpc.byname protocols.bynumber ypservers passwd.byname hosts.byname rpc.bynumber group.bygid services.byservicename mail.aliases passwd.byuid services.byname netid.byname protocols.byname group.byname hosts.byaddr Test 9: yp_all neo neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash test test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash 1 tests failed
更改密码
$ yppasswd Changing NIS account information for test on nis.example.com. Please enter old password: Changing NIS password for test on nis.example.com. Please enter new password: Please retype new password: The NIS password has been changed on nis.example.com.
-bash-3.2$ ypcat hosts 127.0.0.1 localhost.localdomain localhost 127.0.0.1 kerberos.example.com 192.168.3.5 nis.example.com -bash-3.2$ ypcat passwd neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash svnroot:!!:501:501::/home/svnroot:/bin/bash
-bash-3.2$ ypwhich nis.example.com ypwhich -x Use "ethers" for map "ethers.byname" Use "aliases" for map "mail.aliases" Use "services" for map "services.byname" Use "protocols" for map "protocols.bynumber" Use "hosts" for map "hosts.byname" Use "networks" for map "networks.byaddr" Use "group" for map "group.byname" Use "passwd" for map "passwd.byname"
First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:
sudo apt-get install slapd ldap-utils
By default the directory suffix will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com. If you require a different suffix, the directory can be reconfigured using dpkg-reconfigure. Enter the following in a terminal prompt:
sudo dpkg-reconfigure slapd
example.com.ldif
dn: ou=people,dc=example,dc=com objectClass: organizationalUnit ou: people dn: ou=groups,dc=example,dc=com objectClass: organizationalUnit ou: groups dn: uid=john,ou=people,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: john sn: Doe givenName: John cn: John Doe displayName: John Doe uidNumber: 1000 gidNumber: 10000 userPassword: password gecos: John Doe loginShell: /bin/bash homeDirectory: /home/john shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: john.doe@example.com postalCode: 31000 l: Toulouse o: Example mobile: +33 (0)6 xx xx xx xx homePhone: +33 (0)5 xx xx xx xx title: System Administrator postalAddress: initials: JD dn: cn=example,ou=groups,dc=example,dc=com objectClass: posixGroup cn: example gidNumber: 10000
To add the entries to the LDAP directory use the ldapadd utility:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif
We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search of the LDAP directory:
ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn dn: uid=john,ou=people,dc=example,dc=com cn: John Doe sn: Doe givenName: John
Just a quick explanation:
-x: will not use SASL authentication method, which is the default.
-LLL: disable printing LDIF schema information.
libnss-ldap
sudo apt-get install libnss-ldap
reconfigure ldap-auth-config
sudo dpkg-reconfigure ldap-auth-config
auth-client-config
sudo auth-client-config -t nss -p lac_ldap
pam-auth-update.
sudo pam-auth-update
sudo apt-get install ldapscripts
/etc/ldapscripts/ldapscripts.conf
SERVER=localhost BINDDN='cn=admin,dc=example,dc=com' BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd" SUFFIX='dc=example,dc=com' GSUFFIX='ou=Groups' USUFFIX='ou=People' MSUFFIX='ou=Computers' GIDSTART=10000 UIDSTART=10000 MIDSTART=10000
Now, create the ldapscripts.passwd file to allow authenticated access to the directory:
sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd" sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd
http://web.mit.edu/Kerberos/
kerberos是由MIT开发的提供网络认证服务的系统,很早就听说过它的大名,但一直没有使用过它。 它可用来为网络上的各种server提供认证服务,使得口令不再是以明文方式在网络上传输,并且联接之间通讯是加密的; 它和PKI认证的原理不一样,PKI使用公钥体制(不对称密码体制),kerberos基于私钥体制(对称密码体制)。
获得krb5的安装包
yum search krb5[root@centos ~]# yum search krb5 ========================================== Matched: krb5 =========================================== krb5-auth-dialog.x86_64 : Kerberos 5 authentication dialog krb5-devel.i386 : Development files needed to compile Kerberos 5 programs. krb5-devel.x86_64 : Development files needed to compile Kerberos 5 programs. krb5-libs.i386 : The shared libraries used by Kerberos 5. krb5-libs.x86_64 : The shared libraries used by Kerberos 5. krb5-server.x86_64 : The KDC and related programs for Kerberos 5. krb5-workstation.x86_64 : Kerberos 5 programs for use on workstations. pam_krb5.i386 : A Pluggable Authentication Module for Kerberos 5. pam_krb5.x86_64 : A Pluggable Authentication Module for Kerberos 5.
安装
yum install krb5-server.i386[root@centos ~]# yum install krb5-server Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated --> Finished Dependency Resolution Dependencies Resolved ==================================================================================================== Package Arch Version Repository Size ==================================================================================================== Installing: krb5-server x86_64 1.6.1-36.el5_4.1 updates 914 k Transaction Summary ==================================================================================================== Install 1 Package(s) Update 0 Package(s) Remove 0 Package(s) Total download size: 914 k Is this ok [y/N]: y Downloading Packages: krb5-server-1.6.1-36.el5_4.1.x86_64.rpm | 914 kB 00:01 Running rpm_check_debug Running Transaction Test Finished Transaction Test Transaction Test Succeeded Running Transaction Installing : krb5-server 1/1 Installed: krb5-server.x86_64 0:1.6.1-36.el5_4.1 Complete! [root@datacenter ~]#Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated --> Finished Dependency Resolution Dependencies Resolved ==================================================================================================== Package Arch Version Repository Size ==================================================================================================== Installing: krb5-server x86_64 1.6.1-36.el5_4.1 updates 914 k Transaction Summary ==================================================================================================== Install 1 Package(s) Update 0 Package(s) Remove 0 Package(s) Total download size: 914 k Is this ok [y/N]: y Downloading Packages: krb5-server-1.6.1-36.el5_4.1.x86_64.rpm | 914 kB 00:01 Running rpm_check_debug Running Transaction Test Finished Transaction Test Transaction Test Succeeded Running Transaction Installing : krb5-server 1/1 Installed: krb5-server.x86_64 0:1.6.1-36.el5_4.1 Complete!yum install krb5-workstation
[root@centos ~]# yum install krb5-workstationyum install krb5-libs
过程 92.3. installation
$ sudo apt-get install krb5-admin-server
Configuring
┌──────────────────────────────┤ Configuring krb5-admin-server ├───────────────────────────────┐ │ │ │ Setting up a Kerberos Realm │ │ │ │ This package contains the administrative tools required to run the Kerberos master server. │ │ │ │ However, installing this package does not automatically set up a Kerberos realm. This can │ │ be done later by running the "krb5_newrealm" command. │ │ │ │ Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide │ │ found in the krb5-doc package. │ │ │ │ <Ok> │ │ │ └──────────────────────────────────────────────────────────────────────────────────────────────┘
OK
┌───────────────────────────────┤ Configuring krb5-admin-server ├───────────────────────────────┐ │ │ │ Kadmind serves requests to add/modify/remove principals in the Kerberos database. │ │ │ │ It is required by the kpasswd program, used to change passwords. With standard setups, this │ │ daemon should run on the master KDC. │ │ │ │ Run the Kerberos V5 administration daemon (kadmind)? │ │ │ │ <Yes> <No> │ │ │ └───────────────────────────────────────────────────────────────────────────────────────────────┘
Yes
过程 92.4. Kerberos Server 配置步骤
Create the Database
创建Kerberos的本地数据库
kdb5_util create -r EXAMPLE.COM -s[root@datacenter ~]# kdb5_util create -r EXAMPLE.COM -s Loading random data Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM', master key name 'K/M@EXAMPLE.COM' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify:
/etc/krb5.conf
# cp /etc/krb5.conf /etc/krb5.conf.old
# vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
检查下面配置文件 /var/kerberos/krb5kdc/kadm5.acl
[root@datacenter ~]# cat /var/kerberos/krb5kdc/kadm5.acl */admin@EXAMPLE.COM *
格式
The format of the file is:
Kerberos_principal permissions [target_principal] [restrictions]
Add Administrators to the Kerberos Database
创建账号
[root@datacenter ~]# kadmin.local Authenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: addprinc admin/admin@EXAMPLE.COM WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy Enter password for principal "admin/admin@EXAMPLE.COM": Re-enter password for principal "admin/admin@EXAMPLE.COM": Principal "admin/admin@EXAMPLE.COM" created. kadmin.local:
也同样可以使用下面命令
kadmin.local -q "addprinc username/admin"[root@datacenter ~]# kadmin.local -q "addprinc krbuser" Authenticating as principal admin/admin@EXAMPLE.COM with password. WARNING: no policy specified for krbuser@EXAMPLE.COM; defaulting to no policy Enter password for principal "krbuser@EXAMPLE.COM": Re-enter password for principal "krbuser@EXAMPLE.COM": Principal "krbuser@EXAMPLE.COM" created.
Create a kadmind Keytab
[root@datacenter ~]# kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab => kadmin/admin kadmin/changepw" Authenticating as principal admin/admin@EXAMPLE.COM with password. kadmin.local: Principal => does not exist. Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Start the Kerberos Daemons on the Master KDC
启动 Kerberos进程
[root@datacenter ~]# sudo /etc/init.d/krb524 start Starting Kerberos 5-to-4 Server: [ OK ] [root@datacenter ~]# sudo /etc/init.d/krb5kdc restart Stopping Kerberos 5 KDC: [ OK ] Starting Kerberos 5 KDC: [ OK ] [root@datacenter ~]# sudo /etc/init.d/kadmin start Starting Kerberos 5 Admin Server: [ OK ]
Log 文件
[root@datacenter ~]# cat /var/log/krb5kdc.log [root@datacenter ~]# cat /var/log/krb5libs.log [root@datacenter ~]# cat /var/log/kadmind.log
过程 92.5. Kerberos Client 配置步骤
Ticket Management
Obtaining Tickets with kinit
[root@datacenter ~]# kinit admin/admin Password for admin/admin@EXAMPLE.COM:
Viewing Your Tickets with klist
[root@datacenter ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin/admin@EXAMPLE.COM Valid starting Expires Service principal 03/25/10 16:15:18 03/26/10 16:15:18 krbtgt/EXAMPLE.COM@ZEXAMPLECOM Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached
Destroying Your Tickets with kdestroy
[root@datacenter ~]# kdestroy [root@datacenter ~]# klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached
Password Management
Changing Your Password
[root@datacenter ~]# kpasswd Password for admin/admin@EXAMPLE.COM: Enter new password: Enter it again: Password changed.
[root@datacenter ~]# ktutil ktutil: rkt /var/kerberos/krb5kdc/kadm5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 3 kadmin/admin@EXAMPLE.COM 2 3 kadmin/admin@EXAMPLE.COM 3 3 kadmin/changepw@EXAMPLE.COM 4 3 kadmin/changepw@EXAMPLE.COM ktutil: q
[root@datacenter ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin/admin@EXAMPLE.COM Valid starting Expires Service principal 03/25/10 16:53:02 03/26/10 16:53:02 krbtgt/EXAMPLE.COM@EXAMPLE.COM 03/25/10 17:02:10 03/26/10 16:53:02 host/172.16.0.8@ Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached
[root@datacenter ~]# kinit admin/admin Password for admin/admin@EXAMPLE.COM: [root@datacenter ~]# kadmin.local -q "addprinc -randkey host/172.16.0.8" Authenticating as principal admin/admin@EXAMPLE.COM with password. WARNING: no policy specified for host/172.16.0.8@EXAMPLE.COM; defaulting to no policy Principal "host/172.16.0.8@EXAMPLE.COM" created. [root@datacenter ~]# kadmin.local -q " ktadd -k /var/kerberos/krb5kdc/kadm5.keytab host/172.16.0.8" Authenticating as principal admin/admin@EXAMPLE.COM with password. Entry for principal host/172.16.0.8 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. Entry for principal host/172.16.0.8 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. [root@datacenter ~]# ktutil ktutil: rkt /var/kerberos/krb5kdc/kadm5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 3 kadmin/admin@EXAMPLE.COM 2 3 kadmin/admin@EXAMPLE.COM 3 3 kadmin/changepw@EXAMPLE.COM 4 3 kadmin/changepw@EXAMPLE.COM 5 3 host/172.16.0.8@EXAMPLE.COM 6 3 host/172.16.0.8@EXAMPLE.COM ktutil: q [root@datacenter ~]#
I want to authorize Wi-Fi Protected Access with freeradius for Wi-Fi Route.
http://freeradius.org/
debian/ubuntu
FreeRADIUS
D-Link DI-624+A
some package of freeradius.
netkiller@shenzhen:~$ apt-cache search freeradius freeradius - a high-performance and highly configurable RADIUS server freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server freeradius-iodbc - iODBC module for FreeRADIUS server freeradius-krb5 - kerberos module for FreeRADIUS server freeradius-ldap - LDAP module for FreeRADIUS server freeradius-mysql - MySQL module for FreeRADIUS server
install
netkiller@shenzhen:~$ sudo apt-get install freeradius
OK, we have installed let's quickly test it. the '******' is your password.
netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123
Sending Access-Request of id 237 to 127.0.0.1 port 1812
User-Name = "netkiller"
User-Password = "******"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=237, length=20
if you can see 'Access-Accept', you have succeed
let me to input an incorrect password.
netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123
Sending Access-Request of id 241 to 127.0.0.1 port 1812
User-Name = "netkiller"
User-Password = "******"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 241 to 127.0.0.1 port 1812
User-Name = "netkiller"
User-Password = "******"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=241, length=20
you will see 'Access-Reject'.
默认你只能通过localhost访问radius, 如需其他网络访问需要在配置文件中添加类似下面配置,配置文件在 /etc/freeradius/clients.conf
# vim /etc/freeradius/clients.conf
client 172.16.0.0/24 {
secret = testing123
shortname = freeradius.example.com
}
CentOS与Ubuntu安装包有所不同,配置文件在 /etc/raddb下面
过程 92.6. 安装步骤
yum 安装
yum install -y freeradius
# yum install freeradius freeradius-utils
设置启动文件
chkconfig radiusd on service radiusd start
配置 radiusd
cp /etc/raddb/clients.conf{,.original}
cp /etc/raddb/users{,.original}
cp /etc/raddb/sites-enabled/default{,.original}
cat >> /etc/raddb/clients.conf <<EOF
client 192.168.0.0/16 {
secret = testing123
shortname = freeradius.example.com
}
EOF
/etc/raddb/users
guest Cleartext-Password := "test"
/etc/raddb/sites-enabled/default
测试 radiusd
$ radtest guest test 192.168.2.1 1812 testing123 Sending Access-Request of id 223 to 192.168.2.1 port 1812 User-Name = "guest" User-Password = "test" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 192.168.2.1 port 1812, id=223, length=20