Zhihu column | Multi-dimensional Architecture | WeChat: netkiller-ebook | QQ group: 128659835 (please mention "reader") |
Procedure 140.1. Installing the NIS server
ypserv
# yum install ypserv -y
/etc/hosts
[root@nis ~]# hostname nis.example.com
[root@nis ~]# echo "192.168.3.5 nis.example.com" >> /etc/hosts
[root@nis ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 datacenter.example.com datacenter localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
127.0.0.1 kerberos.example.com
192.168.3.5 nis.example.com
Set the NIS domain name
# nisdomainname example.com
# nisdomainname
example.com
Add it to the /etc/rc.local startup script
# echo '/bin/nisdomainname example.com' >> /etc/rc.local
# echo 'NISDOMAIN=example.com' >> /etc/sysconfig/network
Configure the main configuration file /etc/ypserv.conf
# vim /etc/ypserv.conf
127.0.0.0/255.255.255.0 : * : * : none
192.168.3.0/255.255.255.0 : * : * : none
* : * : * : deny
Create the /var/yp/securenets file
securenets is the security (access-control) configuration file
# vim /var/yp/securenets
host 127.0.0.1
255.255.255.0 192.168.3.0
Start the NIS server
The NIS server requires the portmap service, and both the ypserv and yppasswdd services must be started.
[root@nis ~]# service portmap status
portmap (pid 2336) is running...
[root@nis ~]# service ypserv start
Starting YP server services: [ OK ]
[root@nis ~]# service yppasswdd start
Starting YP passwd service: [ OK ]
Build the NIS database
32bit: /usr/lib/yp/ypinit -m
64bit: /usr/lib64/yp/ypinit -m
[root@nis ~]# /usr/lib64/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers. nis.example.com is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
        next host to add: nis.example.com
        next host to add:
        next host to add:
The current list of NIS servers looks like this:

nis.example.com

Is this correct? [y/n: y]
We need a few minutes to build the databases...
Building /var/yp/example.com/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/example.com'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/example.com'

nis.example.com has been set up as a NIS master server.

Now you can run ypinit -s nis.example.com on all slave server.
Check
# ls /var/yp/
binding  example.com  Makefile  nicknames  securenets  ypservers
Service
[root@datacenter ~]# chkconfig --list | grep yp
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
yppasswdd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypxfrd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@nis ~]# chkconfig ypserv on
[root@nis ~]# chkconfig yppasswdd on
Now you can run ypinit -s nis.example.com on all slave server.
# ypinit -s nis.example.com
Procedure 140.2. Installing the NIS client software
The NIS client requires the ypbind and yp-tools packages.
# yum install ypbind yp-tools -y
NIS domain name
# nisdomainname example.com
/etc/hosts
192.168.3.5 nis.example.com
/etc/yp.conf
# vim /etc/yp.conf
domain example.com server nis.example.com
/etc/nsswitch.conf
# vim /etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files nis dns
Start the ypbind service
[root@test ~]# service portmap status
portmap is stopped
[root@test ~]# service portmap start
Starting portmap: [ OK ]
[root@test ~]# service ypbind start
Turning on allow_ypbind SELinux boolean
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server..
yp-tools test utilities
The yptest command runs an automatic test against the NIS server.
# yptest
The ypwhich command shows the hostname of the NIS server the client is bound to and the list of map files.
# ypwhich
# ypwhich -x
The ypcat command lists the map files and shows the contents of a given map.
# ypcat -x
# ypcat passwd
NIS Client Service
# chkconfig ypbind on
# authconfig-tui
Use NIS
Authentication Configuration (authconfig-tui dialog)
  User Information          Authentication
  [ ] Cache Information     [*] Use MD5 Passwords
  [ ] Use Hesiod            [*] Use Shadow Passwords
  [ ] Use LDAP              [ ] Use LDAP Authentication
  [*] Use NIS               [ ] Use Kerberos
  [ ] Use Winbind           [ ] Use SMB Authentication
                            [ ] Use Winbind Authentication
                            [ ] Local authorization is sufficient
  [Cancel]  [Next]
NIS Settings
NIS Settings (authconfig-tui dialog)
  Domain: example.com
  Server: nis.example.com
  [Back]  [Ok]
NIS server:
Create a test user on the NIS server
# adduser test
# passwd test
# /usr/lib64/yp/ypinit -m
NIS client
Log in to the client as the test user
ssh test@client.example.com
Test
[root@test ~]# yptest
Test 1: domainname
Configured domainname is "example.com"
Test 2: ypbind
Used NIS server: nis.example.com
Test 3: yp_match
WARNING: No such key in map (Map passwd.byname, key nobody)
Test 4: yp_first
neo neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
Test 5: yp_next
test test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash
Test 6: yp_master
nis.example.com
Test 7: yp_order
1271936660
Test 8: yp_maplist
rpc.byname
protocols.bynumber
ypservers
passwd.byname
hosts.byname
rpc.bynumber
group.bygid
services.byservicename
mail.aliases
passwd.byuid
services.byname
netid.byname
protocols.byname
group.byname
hosts.byaddr
Test 9: yp_all
neo neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot svnroot:!!:501:501::/home/svnroot:/bin/bash
1 tests failed
Change the password
$ yppasswd
Changing NIS account information for test on nis.example.com.
Please enter old password:
Changing NIS password for test on nis.example.com.
Please enter new password:
Please retype new password:

The NIS password has been changed on nis.example.com.
-bash-3.2$ ypcat hosts
127.0.0.1 localhost.localdomain localhost
127.0.0.1 kerberos.example.com
192.168.3.5 nis.example.com
-bash-3.2$ ypcat passwd
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot:!!:501:501::/home/svnroot:/bin/bash
-bash-3.2$ ypwhich
nis.example.com
-bash-3.2$ ypwhich -x
Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"
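The securenets file above decides which hosts may query the server, and the yptest and ypcat output shows what such a host gets back: every password hash in the passwd map. The following audit of both is an added example, not part of the original text; both functions read stdin so they can be pointed at the real /var/yp/securenets or a ypcat passwd dump, the sample data at the bottom is constructed, and the /24 width threshold is an assumed local policy.

```sh
#!/bin/sh
# Added example (not from the original text): audit /var/yp/securenets and a
# "ypcat passwd" dump for two exposures this page's output makes visible.
# Both functions read stdin so they can be fed a real file or the samples below.

# Print "WIDE: ..." for every securenets entry whose netmask leaves more host
# bits open than $1 (default 8, i.e. anything wider than a /24, an assumed
# policy), then a final "wide=N" summary. "host <ip>" lines are always narrow.
audit_securenets() {
    max=${1:-8}
    awk -v max="$max" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "host"         { next }
        {
            bits = 0
            n = split($1, octet, ".")
            for (i = 1; i <= n; i++) {
                v = octet[i] + 0
                for (b = 0; b < 8; b++) { if (v % 2 == 1) bits++; v = int(v / 2) }
            }
            hb = 32 - bits
            if (hb > max) { wide++; print "WIDE: " $1 " " $2 " leaves " hb " host bits open" }
        }
        END { print "wide=" wide + 0 }'
}

# Print "exposed=N": passwd-map entries whose second field is a real hash rather
# than a placeholder (x, *, or a locked "!..." value). Every host accepted by
# securenets can dump these with "ypcat passwd" for offline guessing.
audit_passwd_map() {
    awk -F: '
        NF >= 7 && $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { exposed++ }
        END { print "exposed=" exposed + 0 }'
}

# Constructed sample input (not captured from a real server).
SECURENETS='host 127.0.0.1
255.255.255.0 192.168.3.0
0.0.0.0 0.0.0.0'

PASSWD_MAP='neo:$1$ab$CONSTRUCTED.not.a.real.hash:500:500::/home/neo:/bin/bash
svnroot:!!:501:501::/home/svnroot:/bin/bash
test:x:502:502::/home/test:/bin/bash'

printf '%s\n' "$SECURENETS" | audit_securenets     # WIDE: 0.0.0.0 ... then wide=1
printf '%s\n' "$PASSWD_MAP" | audit_passwd_map     # exposed=1
```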
First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:
sudo apt-get install slapd ldap-utils
By default the directory suffix will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com. If you require a different suffix, the directory can be reconfigured using dpkg-reconfigure. Enter the following in a terminal prompt:
sudo dpkg-reconfigure slapd
example.com.ldif
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000
To add the entries to the LDAP directory use the ldapadd utility:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif
We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search of the LDAP directory:
ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn
dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
sn: Doe
givenName: John
Just a quick explanation:
-x: will not use SASL authentication method, which is the default.
-LLL: disable printing LDIF schema information.
libnss-ldap
sudo apt-get install libnss-ldap
Reconfigure ldap-auth-config
sudo dpkg-reconfigure ldap-auth-config
auth-client-config
sudo auth-client-config -t nss -p lac_ldap
pam-auth-update
sudo pam-auth-update
sudo apt-get install ldapscripts
/etc/ldapscripts/ldapscripts.conf
SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000
Now, create the ldapscripts.passwd file to allow authenticated access to the directory:
sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd
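The LDIF above stores the user's password as the cleartext value "userPassword: password". As an added example (not from the original page or the Ubuntu guide), the check below scans an LDIF on stdin and reports, per entry, whether each userPassword value is a cleartext string or a {scheme}-prefixed hash; the {SSHA} value in the sample is invented, and base64 ("::") values are reported but not decoded.

```sh
#!/bin/sh
# Added example (not from the original page or the Ubuntu guide): scan an LDIF
# on stdin and report, per entry, whether each userPassword value is stored as
# a cleartext string or as a {scheme}-prefixed hash. Values written with "::"
# are base64 and are only reported, not decoded.
audit_ldif_passwords() {
    awk '
        # LDIF folds long values onto continuation lines starting with a space.
        /^ / { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush(); print "cleartext=" clear + 0 " hashed=" hashed + 0 " encoded=" enc + 0 }

        # Classify the attribute line collected in buf; dn lines set the context.
        function flush(    v) {
            if (buf ~ /^dn:/) {
                dn = buf; sub(/^dn:[[:space:]]*/, "", dn)
            } else if (tolower(buf) ~ /^userpassword::/) {
                enc++; print "ENCODED: " dn " (base64 value, not checked)"
            } else if (tolower(buf) ~ /^userpassword:/) {
                v = buf; sub(/^[^:]*:[[:space:]]*/, "", v)
                if (substr(v, 1, 1) == "{") { hashed++; print "HASHED: " dn " " substr(v, 1, index(v, "}")) }
                else                        { clear++;  print "CLEARTEXT: " dn }
            }
            buf = ""
        }'
}

# Constructed sample: the john entry from the LDIF above plus a second entry
# with an invented (not real) {SSHA} value.
LDIF='dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: john
userPassword: password

dn: uid=jane,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jane
userPassword: {SSHA}CONSTRUCTEDnotARealDigestValue=='

printf '%s\n' "$LDIF" | audit_ldif_passwords
# CLEARTEXT: uid=john,...  HASHED: uid=jane,... {SSHA}  cleartext=1 hashed=1 encoded=0
```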
http://web.mit.edu/Kerberos/
Kerberos is a network authentication system developed by MIT. I had long heard of its name but had never used it. It provides authentication services to the various servers on a network, so that passwords are no longer transmitted in cleartext and the traffic within a connection is encrypted. Its principle differs from PKI-based authentication: PKI uses a public-key (asymmetric) cryptosystem, whereas Kerberos is based on a private-key (symmetric) cryptosystem.
Obtain the krb5 packages
[root@centos ~]# yum search krb5
========================================== Matched: krb5 ===========================================
krb5-auth-dialog.x86_64 : Kerberos 5 authentication dialog
krb5-devel.i386 : Development files needed to compile Kerberos 5 programs.
krb5-devel.x86_64 : Development files needed to compile Kerberos 5 programs.
krb5-libs.i386 : The shared libraries used by Kerberos 5.
krb5-libs.x86_64 : The shared libraries used by Kerberos 5.
krb5-server.x86_64 : The KDC and related programs for Kerberos 5.
krb5-workstation.x86_64 : Kerberos 5 programs for use on workstations.
pam_krb5.i386 : A Pluggable Authentication Module for Kerberos 5.
pam_krb5.x86_64 : A Pluggable Authentication Module for Kerberos 5.
Install
[root@centos ~]# yum install krb5-server
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.6.1-36.el5_4.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package               Arch          Version                      Repository           Size
====================================================================================================
Installing:
 krb5-server           x86_64        1.6.1-36.el5_4.1             updates              914 k

Transaction Summary
====================================================================================================
Install       1 Package(s)
Update        0 Package(s)
Remove        0 Package(s)

Total download size: 914 k
Is this ok [y/N]: y
Downloading Packages:
krb5-server-1.6.1-36.el5_4.1.x86_64.rpm                                      | 914 kB     00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : krb5-server                                                                 1/1

Installed:
  krb5-server.x86_64 0:1.6.1-36.el5_4.1

Complete!
[root@centos ~]# yum install krb5-workstation
[root@centos ~]# yum install krb5-libs
Procedure 140.3. Installation
$ sudo apt-get install krb5-admin-server
Configuring
Configuring krb5-admin-server

Setting up a Kerberos Realm

This package contains the administrative tools required to run the Kerberos master server.

However, installing this package does not automatically set up a Kerberos realm. This can
be done later by running the "krb5_newrealm" command.

Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide
found in the krb5-doc package.

<Ok>
OK
Configuring krb5-admin-server

Kadmind serves requests to add/modify/remove principals in the Kerberos database.

It is required by the kpasswd program, used to change passwords. With standard setups, this
daemon should run on the master KDC.

Run the Kerberos V5 administration daemon (kadmind)?

<Yes>    <No>
Yes
Procedure 140.4. Kerberos server configuration steps
Create the Database
Create the local Kerberos database
[root@datacenter ~]# kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
/etc/krb5.conf
# cp /etc/krb5.conf /etc/krb5.conf.old
# vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Check the following configuration file: /var/kerberos/krb5kdc/kadm5.acl
[root@datacenter ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM     *
Format
The format of the file is:
Kerberos_principal permissions [target_principal] [restrictions]
Add Administrators to the Kerberos Database
Create the account
[root@datacenter ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc admin/admin@EXAMPLE.COM
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM":
Re-enter password for principal "admin/admin@EXAMPLE.COM":
Principal "admin/admin@EXAMPLE.COM" created.
kadmin.local:
The following command can be used as well
kadmin.local -q "addprinc username/admin"

[root@datacenter ~]# kadmin.local -q "addprinc krbuser"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
WARNING: no policy specified for krbuser@EXAMPLE.COM; defaulting to no policy
Enter password for principal "krbuser@EXAMPLE.COM":
Re-enter password for principal "krbuser@EXAMPLE.COM":
Principal "krbuser@EXAMPLE.COM" created.
Create a kadmind Keytab
[root@datacenter ~]# kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab => kadmin/admin kadmin/changepw"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: Principal => does not exist.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Start the Kerberos Daemons on the Master KDC
Start the Kerberos daemons
[root@datacenter ~]# sudo /etc/init.d/krb524 start
Starting Kerberos 5-to-4 Server: [ OK ]
[root@datacenter ~]# sudo /etc/init.d/krb5kdc restart
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
[root@datacenter ~]# sudo /etc/init.d/kadmin start
Starting Kerberos 5 Admin Server: [ OK ]
Log files
[root@datacenter ~]# cat /var/log/krb5kdc.log
[root@datacenter ~]# cat /var/log/krb5libs.log
[root@datacenter ~]# cat /var/log/kadmind.log
Procedure 140.5. Kerberos client configuration steps
Ticket Management
Obtaining Tickets with kinit
[root@datacenter ~]# kinit admin/admin
Password for admin/admin@EXAMPLE.COM:
Viewing Your Tickets with klist
[root@datacenter ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
03/25/10 16:15:18  03/26/10 16:15:18  krbtgt/EXAMPLE.COM@ZEXAMPLECOM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Destroying Your Tickets with kdestroy
[root@datacenter ~]# kdestroy
[root@datacenter ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Password Management
Changing Your Password
[root@datacenter ~]# kpasswd
Password for admin/admin@EXAMPLE.COM:
Enter new password:
Enter it again:
Password changed.
[root@datacenter ~]# ktutil
ktutil:  rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3                            kadmin/admin@EXAMPLE.COM
   2    3                            kadmin/admin@EXAMPLE.COM
   3    3                         kadmin/changepw@EXAMPLE.COM
   4    3                         kadmin/changepw@EXAMPLE.COM
ktutil:  q
[root@datacenter ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
03/25/10 16:53:02  03/26/10 16:53:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/25/10 17:02:10  03/26/10 16:53:02  host/172.16.0.8@

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@datacenter ~]# kinit admin/admin
Password for admin/admin@EXAMPLE.COM:
[root@datacenter ~]# kadmin.local -q "addprinc -randkey host/172.16.0.8"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
WARNING: no policy specified for host/172.16.0.8@EXAMPLE.COM; defaulting to no policy
Principal "host/172.16.0.8@EXAMPLE.COM" created.
[root@datacenter ~]# kadmin.local -q " ktadd -k /var/kerberos/krb5kdc/kadm5.keytab host/172.16.0.8"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
Entry for principal host/172.16.0.8 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal host/172.16.0.8 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
[root@datacenter ~]# ktutil
ktutil:  rkt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3                            kadmin/admin@EXAMPLE.COM
   2    3                            kadmin/admin@EXAMPLE.COM
   3    3                         kadmin/changepw@EXAMPLE.COM
   4    3                         kadmin/changepw@EXAMPLE.COM
   5    3                         host/172.16.0.8@EXAMPLE.COM
   6    3                         host/172.16.0.8@EXAMPLE.COM
ktutil:  q
[root@datacenter ~]#
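Two points in the server setup above deserve a second look: the kadm5.acl entry grants "*" permissions to every */admin principal, and the ktadd output shows keys being added with DES and Triple DES. The following checks are an added example, not from the original text or the MIT Kerberos project; they read the ACL file or the ktadd/kadmin output from stdin, and the sample data at the bottom is constructed from the lines shown on this page.

```sh
#!/bin/sh
# Added example (not from the original text or MIT Kerberos): review the
# kadm5.acl entries and the ktadd output from the server setup above.
# Both functions read stdin so they can be fed the real file/output or the
# constructed samples below.

# kadm5.acl lines: Kerberos_principal permissions [target_principal] [restrictions]
# Print "FULL: <principal>" for entries granting every permission ("*" or "x"),
# "WILDCARD: <principal>" for principal patterns containing "*", then a summary.
audit_kadm5_acl() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            if ($2 == "*" || $2 == "x") { full++; print "FULL: " $1 }
            if (index($1, "*") > 0)     { wild++; print "WILDCARD: " $1 }
        }
        END { print "full=" full + 0 " wildcard=" wild + 0 }'
}

# ktadd prints one "Entry for principal ... encryption type <enctype> added ..."
# line per key. Single DES is weak (deprecated by RFC 6649); Triple DES is
# deprecated by RFC 8429. Print one line per such key and a summary.
audit_keytab_enctypes() {
    awk '
        /encryption type DES cbc/        { weak++;   print "WEAK: "   $0 }
        /encryption type Triple DES cbc/ { legacy++; print "LEGACY: " $0 }
        END { print "weak=" weak + 0 " legacy=" legacy + 0 }'
}

# Constructed samples, modelled on the lines shown on this page.
ACL='*/admin@EXAMPLE.COM *
krbuser@EXAMPLE.COM il'

KTADD_OUTPUT='Authenticating as principal admin/admin@EXAMPLE.COM with password.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.'

printf '%s\n' "$ACL" | audit_kadm5_acl                 # FULL + WILDCARD, then full=1 wildcard=1
printf '%s\n' "$KTADD_OUTPUT" | audit_keytab_enctypes  # weak=2 legacy=2
```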
I want to use FreeRADIUS to authorize Wi-Fi Protected Access for a Wi-Fi router.
http://freeradius.org/
debian/ubuntu
FreeRADIUS
D-Link DI-624+A
Some FreeRADIUS packages:
netkiller@shenzhen:~$ apt-cache search freeradius
freeradius - a high-performance and highly configurable RADIUS server
freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
freeradius-iodbc - iODBC module for FreeRADIUS server
freeradius-krb5 - kerberos module for FreeRADIUS server
freeradius-ldap - LDAP module for FreeRADIUS server
freeradius-mysql - MySQL module for FreeRADIUS server
Install
netkiller@shenzhen:~$ sudo apt-get install freeradius
OK, now that it is installed, let's quickly test it. The '******' is your password.
netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123
Sending Access-Request of id 237 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=237, length=20
If you can see 'Access-Accept', you have succeeded.
Let me input an incorrect password.
netkiller@shenzhen:~$ radtest netkiller ****** localhost 0 testing123
Sending Access-Request of id 241 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Re-sending Access-Request of id 241 to 127.0.0.1 port 1812
        User-Name = "netkiller"
        User-Password = "******"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=241, length=20
You will see 'Access-Reject'.
By default the RADIUS server can only be reached from localhost. To allow access from other networks, add a configuration similar to the following to the configuration file /etc/freeradius/clients.conf
# vim /etc/freeradius/clients.conf
client 172.16.0.0/24 {
    secret = testing123
    shortname = freeradius.example.com
}
The CentOS package differs somewhat from the Ubuntu one; its configuration files are under /etc/raddb
Procedure 140.6. Installation steps
Installing with yum
yum install -y freeradius
# yum install freeradius freeradius-utils
Enable the service at boot and start it
chkconfig radiusd on
service radiusd start
Configure radiusd
cp /etc/raddb/clients.conf{,.original}
cp /etc/raddb/users{,.original}
cp /etc/raddb/sites-enabled/default{,.original}
cat >> /etc/raddb/clients.conf <<EOF
client 192.168.0.0/16 {
    secret = testing123
    shortname = freeradius.example.com
}
EOF
/etc/raddb/users
guest Cleartext-Password := "test"
/etc/raddb/sites-enabled/default
Test radiusd
$ radtest guest test 192.168.2.1 1812 testing123
Sending Access-Request of id 223 to 192.168.2.1 port 1812
        User-Name = "guest"
        User-Password = "test"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.2.1 port 1812, id=223, length=20
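Both clients.conf fragments on this page keep the shared secret testing123, and the second one admits a whole /16. As an added example (not from the original page or the FreeRADIUS project), the check below reads a clients.conf on stdin and reports clients that use that sample secret, a secret shorter than an assumed 16-character minimum, or a network wider than /24 (also an assumed threshold); the second client block in the sample is constructed.

```sh
#!/bin/sh
# Added example (not from the original page or the FreeRADIUS project): read a
# clients.conf on stdin and report, per client block, a network wider than /24,
# the sample shared secret "testing123", or a secret shorter than $1 characters
# (default 16). Both thresholds are assumed local policy, not FreeRADIUS rules.
audit_clients_conf() {
    minlen=${1:-16}
    awk -v minlen="$minlen" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*client[[:space:]]/ { name = $2; net = $2; secret = ""; inblk = 1; next }
        inblk && /^[[:space:]]*(ipaddr|ipv4addr)[[:space:]]*=/ { net = value($0); next }
        inblk && /^[[:space:]]*secret[[:space:]]*=/            { secret = value($0); next }
        inblk && /^[[:space:]]*}/ {
            plen = 32                                   # a bare address is a single host
            if (index(net, "/") > 0) plen = substr(net, index(net, "/") + 1) + 0
            if (plen < 24)              { n++; print "WIDE: " name " allows " net " (/" plen ")" }
            if (secret == "testing123") { n++; print "DEFAULT-SECRET: " name " uses the sample secret testing123" }
            else if (length(secret) < minlen) { n++; print "SHORT-SECRET: " name " secret is " length(secret) " chars" }
            inblk = 0
        }
        END { print "issues=" n + 0 }

        # Strip "key =", surrounding whitespace and quotes from a config line.
        function value(line) {
            sub(/^[^=]*=[[:space:]]*/, "", line)
            sub(/[[:space:]]+$/, "", line)
            gsub(/"/, "", line)
            return line
        }'
}

# Constructed sample: the /16 block from this page plus one single-host client
# with an invented (not real) secret.
CLIENTS='client 192.168.0.0/16 {
    secret = testing123
    shortname = freeradius.example.com
}
client 172.16.5.10 {
    secret = "CONSTRUCTED-long-random-secret-value"
    shortname = ap-floor1
}'

printf '%s\n' "$CLIENTS" | audit_clients_conf
# WIDE: 192.168.0.0/16 ..., DEFAULT-SECRET: 192.168.0.0/16 ..., issues=2
```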