| |
| Freeradius+mysql+D-link无线路由配置MS-chapv2认证 |
|
| 来源:
ChinaUnix博客 日期:
2008.05.14 15:32 (共有条评论) 我要评论 |
| |
近来有一个需求要做无线认证的东东。参考了网上很多文档,有用Freeradius+cisco的无线AP的,有用TP-link的,有用华为3Com的,可就是没有D-link的无线路由器的,倒是找到一个用D-link无线网卡的。认证方式有用MD5认证的,有用tls的证书认证的,有用eap的。不过关于用ms-chap认证的写的都不是很详细,致使我在配置过程中走了不少弯路。下面把我的配置简单的写一下,以便下次配置时能更顺利一些。也希望能帮助到一些有同样困惑的朋友。
软件环境:
RHEL AS4 update 6,Freeadius 1.1.7,mysql-4.1.20-2.RHEL4.1.0.1
硬件环境:
D-link的DI-624+A无线路由器
系统自带的有freeradius 1.0.1,但测试时发现不支持MD5认证。因为我配置时参考了一篇网上的使用MD5认证的文章,但系统自带的不支持MD5认证方式,然后就自己安装了freeradius1.1.7。安装很简单,从官方网站上下载源码包,解压,进入解压后的目录,./configure --prefix=/usr/local/freeradius然后make;make install就行了。还要说明一点儿的是,我使用的系统是x86_64的,make时出错,说什么/usr/lib/libgdbm.so不能创建符号链接之类的错误,查了一下,好象是编译环境的问题,没有那么多时间研究怎么解决,就在一台AS3U8,i686的机器上先编译安装了一份儿,然后直接拷到AS4U6上用了,没有发现有什么问题。
mysql用的系统自带的。下面附一下我的几个配置文件,个人感觉只有一个地方是关键点。是它让我走了不少弯路。
1.radius.conf
cat radiusd.conf |grep -v "#"
prefix = /usr/local/freeradius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
instantiate {
exec
expr
}
authorize {
preprocess
chap
mschap
suffix
eap
files
sql
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}
这里需要去掉几个sql前面的#号,authorize部分的sql一定要打开注释。其它的改动不大。
2.sql.conf,主要更改下面几个地方:
server = "localhost"
login = "mysqlusername"
password = "somepassword"
3.users这个文件,注释掉下面两行
#DEFAULT Auth-Type = System
# Fall-Through = 1
4.clients.conf在结尾处增加:
client yourAPIpaddress {
secret = somepassword
shortname = dlink
}
5.eap.conf这个文件是关键
cat eap.conf |grep -v "#"
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
check_crl = yes
check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
}
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
注意第一行更改为peap,然后打开下面的peap的注释。
mysql的没有什么特殊的,参考网上其它文章添加用户就行了。原来我想用md5+secureW2的pap认证,可不清楚是不是我的无线路由不支持,在服务器上用radtest测试md5认证的用户和明码认证的用户都可以通过认证,但一经过无线路由器,在无线客户端上认证就死活通不过。最后参用了ms-chap的认证方式。
6.无线路由器上的配置
安全方式选择WPA,在它下面选择AES(用TKIP的认证方式也是死活不能通过)
然后在下面的802.1x设定中填上radius服务器的IP,端口用默认的1812,密码用clients.conf中设置的secret
7.无线客户端的设置
现在以windows自带的为例,简单说一下:
图一,网络验证的设置,然后点验证,进行图二的设置。
然后点属性,进入下一个页面的设置:见下图。
去掉验证服务器证书前面的勾。然后勾上“启用快速重新边接”。验证方法选“安全密码(EAP-MSCHAP v2)".再点配置,去掉里面的勾。重新连接无线网,会弹出一个认证窗口,在里面输入在服务器上分配的用户名和密码就可以了。
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u1/34054/showart_688005.html
|
| 发表评论
查看评论(共有条评论)
|
| |
|
|
|
