FreeRadius+Mysql+EAP认证身份认证系统安装及配置

David — Sat, 04 Jul 2009 07:12:28 +0000

使用FreeRadius,Mysql及EAP认证可以搭建用于无线、有线、VPN链路等的统一身份认证系统。

环境:Ubuntu 8.04.2-Server

各软件版本:

Mysql:5.0.51a-3ubuntu5.4
OpenSSL:0.9.8g-4ubuntu3.7
FreeRadius:2.1.6

安装

1.Mysql

执行命令:

sudo apt-get install mysql-server mysql-common mysql-client

2.OpenSSL

执行命令:

sudo apt-get install openssl libssl0.9.8 libssl-dev ca-certificates

3.FreeRadius

执行命令:

sudo apt-get install debhelper libltdl3-dev libpam0g-dev libmysqlclient15-dev build-essential libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev snmp autotools-dev dpatch libperl-dev libtool dpkg-dev libpq-dev libsnmp-dev

cd /usr/local/src/

sudo wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.6.tar.gz

sudo tar -xzvf freeradius-server-2.1.6.tar.gz

cd freeradius-server-2.1.6

sudo ./configure –prefix=/usr/local/freeradius

sudo make

sudo make install

配置

1.Mysql

执行命令：

mysqladmin -u root -p create radius

mysql –u root –p radius < /usr/local/freeradius/etc/raddb/sql/mysql/schema.sql

配置权限:

mysql –u root –p

grant all on radius.* to radius@localhost identified by "it580.pass";

exit

2.FreeRadius

执行命令:

sudo nano /etc/ld.so.conf

加入如下内容:

include /usr/local/freeradius/lib

执行命令:

sudo ldconfig

adduser radiususer

sudo chown -R radiususer:radiususer /usr/local/freeradius/

执行如下命令,看FreeRadius是否能够启动起来

sudo /usr/local/freeradius/sbin/radiusd –X

如果看到如下内容，说明FreeRadius启动正常。

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/freeradius/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.

执行测试一(1.User文件方式认证)，确认radius user方式认证正常。

通过后开始加入数据库支持。

执行命令:

nano /usr/local/freeradius/etc/raddb/sql.conf

修改里面的用户名和密码:

login = "radius"
password = "it580.pass"

执行命令,编辑radiusd.conf:

nano /usr/local/freeradius/etc/raddb/radiusd.conf

首先，将执行Freeradius的用户修改为:

user = radiususer
group = radiususer

开启sql支持,将以下的内容前的#去除:

$INCLUDE sql.conf

执行命令,编辑default:

nano /usr/local/freeradius/etc/raddb/sites-available/default

将以下的内容前的#去除:

sql

执行测试二(2.SQL方式认证)，确认radius SQL认证正常。

通过后开始启动EAP支持。

检查/usr/local/freeradius/etc/raddb/sites-available/default,eap前的#是否去除。可以使用如下命令:

cat /usr/local/freeradius/etc/raddb/sites-available/default |grep -v ‘#’

执行测试三(3.EAP-MD5方式认证)，确认radius EAP-MD5认证正常。

通过后开始启动EAP-PEAP。

执行命令:

nano /usr/local/freeradius/etc/raddb/eap.conf

修改md5为peap，显示如下，并保存：

default_eap_type = peap

检查证书是否存在，使用命令:

ls /usr/local/freeradius/etc/raddb/certs/*.pem

如果没有ca.pem文件，就执行命令,如果有的话，请不必执行该命令:

/usr/local/freeradius/etc/raddb/certs/bootstrap

执行测试四(4.EAP-PEAP方式认证)，确认radius EAP-PEAP认证正常。

通过后开始启动EAP-TTLS-MD5。

执行命令:

nano /usr/local/freeradius/etc/raddb/eap.conf

修改peap为ttls-md5，显示如下并保存：

default_eap_type = ttls

执行测试五(5.TTLS-MD5方式认证)，确认radius TTLS-MD5认证正常。

通过后开始启动TTLS-MSCHAPV2。

执行命令:

nano /usr/local/freeradius/etc/raddb/eap.conf

修改md5为mschapv2，显示如下并保存:

default_eap_type = mschapv2

执行测试六(6.TTLS-MSCHAPV2方式认证)，确认radius TTLS-MSCHAPV2认证正常。

全文完。

测试

1.User文件方式认证

执行命令:

nano /usr/local/freeradius/etc/raddb/users

在该文件底部加入如下内容,增加一个用户radiususer,密码为it580.com:

radiususer Cleartext-Password := "it580.com"

执行命令,启动Freeradius的调试模式:

/usr/local/freeradius/sbin/radiusd –X

执行命令，测试新增的用户:

/usr/local/freeradius/bin/radtest radiususer it580.com localhost 0 testing123

如果输出如下内容，说明该用户验证成功:

Sending Access-Request of id 180 to 127.0.0.1 port 1812
User-Name = "radiususer"
User-Password = "it580.com"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=180, length=20

2.SQL 方式认证

执行命令:

mysql –u radius –p radius

insert into radcheck(username,attribute,value,op) values(’sqluser’,'Cleartext-Password’,'it580.com’,':=’);

执行命令,启动Freeradius的调试模式:

/usr/local/freeradius/sbin/radiusd –X

执行命令，测试新增的用户:

/usr/local/freeradius/bin/radtest sqluser it580.com localhost 0 testing123

如果输出如下内容，说明该用户验证成功:

Sending Access-Request of id 113 to 127.0.0.1 port 1812
User-Name = "sqluser"
User-Password = "it580.com"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=113, length=20

3.EAP-MD5方式认证

执行命令,启动Freeradius的调试模式:

/usr/local/freeradius/sbin/radiusd –X

执行命令，测试user方式的EAP-MD5:

( echo "User-Name = \"radiususer\""; echo "Cleartext-Password = \"it580.com\""; echo "EAP-Code = Response"; echo "EAP-Id = 210"; echo "EAP-Type-Identity = \"dial\""; echo "Message-Authenticator = 0×00"; ) | /usr/local/freeradius/bin/radeapclient -x 127.0.0.1 auth testing123

执行命令，测试SQL方式的EAP-MD5:

( echo "User-Name = \"sqluser\""; echo "Cleartext-Password = \"it580.com\""; echo "EAP-Code = Response"; echo "EAP-Id = 210"; echo "EAP-Type-Identity = \"sqluser\""; echo "Message-Authenticator = 0×00"; ) | /usr/local/freeradius/bin/radeapclient -x 127.0.0.1 auth testing123

如果输出如下内容，说明验证成功:

EAP-Id = 211
EAP-Code = Success

4.EAP-PEAP方式认证

先安装测试工具,eapol_test:

cd /usr/local/src/

sudo wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.9.tar.gz

sudo tar –xzvf wpa_supplicant-0.6.9.tar.gz

cd wpa_supplicant-0.6.9/wpa_supplicant/

cp defconfig .config

make eapol_test

cp eapol_test /usr/local/freeradius/bin/

建立测试配置文件peap.test：

nano ~/peap.test

将以下内容贴入,并保存:

network={
            eap=PEAP
            eapol_flags=0
            key_mgmt=IEEE8021X
            identity="sqluser"
            password="it580.com"
            ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.pem"
            phase2="auth=MSCHAPV2"
            anonymous_identity="anonymous"
}

执行以下命令测试:

cd ~

/usr/local/freeradius/bin/eapol_test -c peap.test -s testing123

如果输出如下内容，说明验证成功:

eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): d9 2f f7 04 41 7c 74 66 5b b3 e7 7c ea 77 21 72 04 94 cd 7f e1 c9 a0 6b 08 34 b1 b2 25 55 6f 53
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS

5.TTLS-MD5方式认证

执行命令:

nano ~/ttlsmd5.test

加入如下内容，并保存:

network={
ssid="test"
eap=TTLS
key_mgmt=WPA-EAP
identity="sqluser"
password="it580.com"
anonymous_identity="anonymous"
ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.pem"
phase2="auth=MD5"
}

执行测试命令:

/usr/local/freeradius/bin/eapol_test -c ttlsmd5.test -s testing123

如果输出如下内容，说明验证成功:

eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): 91 b2 66 fb da ff bd 7d 95 91 2a c5 82 a8 86 bb 18 14 ac 9f 30 e4 7e 21 9f 28 b8 00 35 62 ff f2
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS

6.TTLS-MSCHAPV2方式认证

执行命令:

nano ~/ttlsmschapv2.test

加入如下内容，并保存:

network={
ssid="test"
eap=TTLS
key_mgmt=WPA-EAP
identity="sqluser"
password="it580.com"
anonymous_identity="anonymous"
ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.pem"
phase2="auth=MSCHAPV2"
}

执行测试命令:

/usr/local/freeradius/bin/eapol_test -c ~/ttlsmschapv2.test -s testing123

如果输出如下内容，说明验证成功:

eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): 16 6d 2a 43 84 f9 9c cd 56 91 ee e5 d4 78 28 b1 c1 8b 09 e0 f9 4b 29 0f 0c c4 00 a8 f2 96 3b 80
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS

Tags: eap, freeradius, linux, mysql, ubuntu

空想枫 » mysql

FreeRadius+Mysql+EAP认证身份认证系统安装及配置

安装

配置

测试

Related posts