Freeradius ldap: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
(Die Seite wurde neu angelegt: „=clients.conf= *cat /etc/freeradius/clients.conf <pre> client localhost { ipaddr = 127.0.0.1 secret = sysadm nastype = other } client 192.168.0.0/16 { se…“)
 
 
(8 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
 +
=groupofNames=
 +
<pre>
 +
# switch, groups, xinux.net
 +
dn: cn=switch,ou=groups,dc=xinux,dc=net
 +
objectClass: groupOfNames
 +
cn: switch
 +
description: Switch Admins
 +
member: cn=thomas will,ou=users,dc=xinux,dc=net
 +
</pre>
 +
 
=clients.conf=
 
=clients.conf=
 
*cat /etc/freeradius/clients.conf  
 
*cat /etc/freeradius/clients.conf  
Zeile 22: Zeile 32:
  
 
=radiusd.conf=
 
=radiusd.conf=
 +
*cat  /etc/freeradius/radiusd.conf
 
<pre>
 
<pre>
cat  /etc/freeradius/radiusd.conf
 
 
prefix = /usr
 
prefix = /usr
 
exec_prefix = /usr
 
exec_prefix = /usr
Zeile 94: Zeile 104:
 
$INCLUDE sites-enabled/
 
$INCLUDE sites-enabled/
 
</pre>
 
</pre>
 +
 
=ldap=
 
=ldap=
 +
*cat /etc/freeradius/modules/ldap
 
<pre>
 
<pre>
cat /etc/freeradius/modules/ldap
 
 
ldap {
 
ldap {
server = "hoor.xmen.de"
+
        server = "localhost"
port = "636"
+
        identity = "cn=admin,dc=xinux,dc=net"
basedn = "dc=linuggs,dc=de"
+
        password = sysadm
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
+
        basedn = "dc=xinux,dc=net"
ldap_connections_number = 5
+
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
timeout = 4
+
        ldap_connections_number = 5
timelimit = 3
+
        max_uses = 0
net_timeout = 1
+
        timeout = 4
dictionary_mapping = ${confdir}/ldap.attrmap
+
        timelimit = 3
edir_account_policy_check = no
+
        net_timeout = 1
set_auth_type = yes
+
        dictionary_mapping = ${confdir}/ldap.attrmap
 +
        edir_account_policy_check = no
 +
        groupname_attribute = cn
 +
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
 +
        groupmembership_attribute = radiusGroupName
 +
        keepalive {
 +
                idle = 60
 +
                probes = 3
 +
                interval = 3
 +
        }
 
}
 
}
 
</pre>
 
</pre>
  
 
=default=
 
=default=
 +
*cat /etc/freeradius/sites-enabled/default
 
<pre>
 
<pre>
cat /etc/freeradius/sites-enabled/default
 
 
authorize {
 
authorize {
ldap
+
        preprocess
 +
        chap
 +
        mschap
 +
        digest
 +
        suffix
 +
        eap {
 +
                ok = return
 +
        }
 +
        files
 +
        ldap
 +
        expiration
 +
        logintime
 +
        pap
 +
 
 
}
 
}
 
authenticate {
 
authenticate {
Auth-Type LDAP {
+
        Auth-Type PAP {
ldap
+
                pap
}
+
        }
 +
        Auth-Type CHAP {
 +
                chap
 +
        }
 +
        Auth-Type MS-CHAP {
 +
                mschap
 +
        }
 +
        digest
 +
        unix
 +
        eap
 
}
 
}
 
preacct {
 
preacct {
 +
        preprocess
 +
        acct_unique
 +
        suffix
 +
        files
 
}
 
}
 
accounting {
 
accounting {
 +
        detail
 +
        exec
 +
        attr_filter.accounting_response
 
}
 
}
 
session {
 
session {
radutmp
+
        radutmp
 
}
 
}
 
post-auth {
 
post-auth {
exec
+
        exec
Post-Auth-Type REJECT {
+
        Post-Auth-Type REJECT {
attr_filter.access_reject
+
                eap
}
+
                attr_filter.access_reject
 +
        }
 
}
 
}
 
pre-proxy {
 
pre-proxy {
 
}
 
}
 
post-proxy {
 
post-proxy {
 +
        eap
 
}
 
}
 
</pre>
 
</pre>
  
 
=inner-tunnel=
 
=inner-tunnel=
 +
cat /etc/freeradius/sites-enabled
 
<pre>
 
<pre>
 
server inner-tunnel {
 
server inner-tunnel {
 +
listen {
 +
      ipaddr = 127.0.0.1
 +
      port = 18120
 +
      type = auth
 +
}
 
authorize {
 
authorize {
ldap
+
chap
 +
mschap
 +
suffix
 +
update control {
 +
      Proxy-To-Realm := LOCAL
 +
}
 +
eap {
 +
ok = return
 +
}
 +
files
 +
ldap
 +
expiration
 +
logintime
 +
pap
 
}
 
}
 
authenticate {
 
authenticate {
Auth-Type LDAP {
+
Auth-Type PAP {
ldap
+
pap
}
+
}
 +
Auth-Type CHAP {
 +
chap
 +
}
 +
Auth-Type MS-CHAP {
 +
mschap
 +
}
 +
unix
 +
eap
 
}
 
}
 
session {
 
session {
radutmp
+
radutmp
 
}
 
}
 +
 +
 
post-auth {
 
post-auth {
Post-Auth-Type REJECT {
+
Post-Auth-Type REJECT {
attr_filter.access_reject
+
attr_filter.access_reject
}
+
}
 
}
 
}
 
pre-proxy {
 
pre-proxy {
 
}
 
}
 +
 
post-proxy {
 
post-proxy {
 +
eap
 
}
 
}
 
}
 
}
 +
</pre>
 +
=users=
 +
*cat /etc/freeradius/users
 +
<pre>
 +
DEFAULT Ldap-Group == "cn=switch,ou=groups,dc=xinux,dc=net"
 +
        Tunnel-Type = VLAN,
 +
        Tunnel-Medium-Type = IEEE-802,
 +
        Tunnel-Private-Group-Id = "17"
 +
DEFAULT Auth-Type := Reject
 
</pre>
 
</pre>
  
Zeile 196: Zeile 287:
 
==console 2==
 
==console 2==
 
===postiv===
 
===postiv===
*radtest badura.vonodinsraben  suxer localhost 1812 secretkey
+
*radtest thomas.will suxer localhost 1812 sysadm
 
<pre>
 
<pre>
Sending Access-Request of id 52 to 127.0.0.1 port 1812
+
Sending Access-Accept of id 128 to 127.0.0.1 port 41246
User-Name = "badura.vonodinsraben"
+
Tunnel-Type:0 = VLAN
User-Password = "suxer"
+
Tunnel-Medium-Type:0 = IEEE-802
NAS-IP-Address = 192.168.244.153
+
Tunnel-Private-Group-Id:0 = "17"
NAS-Port = 1812
+
Finished request 2.
Message-Authenticator = 0x00000000000000000000000000000000
+
Going to the next request
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=20
+
Waking up in 4.9 seconds.
 +
Cleaning up request 2 ID 128 with timestamp +52
 +
Ready to process requests.
 
</pre>
 
</pre>
===negativ===
 
*radtest badura.vonodinsraben  falsch localhost  1812 secretkey
 
<pre>
 
Sending Access-Request of id 218 to 127.0.0.1 port 1812
 
User-Name = "badura.vonodinsraben"
 
User-Password = "falsch"
 
NAS-IP-Address = 192.168.244.153
 
NAS-Port = 1812
 
Message-Authenticator = 0x00000000000000000000000000000000
 
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=218, length=20
 
</pre>
 
 
*https://medium.com/@georgijsr/freeradius-2-1-12-ubuntu-14-04-server-with-ldap-authentication-and-ldap-fail-over-6611624ff2c9
 

Aktuelle Version vom 23. Januar 2018, 15:03 Uhr

groupofNames

# switch, groups, xinux.net
dn: cn=switch,ou=groups,dc=xinux,dc=net
objectClass: groupOfNames
cn: switch
description: Switch Admins
member: cn=thomas will,ou=users,dc=xinux,dc=net

clients.conf

  • cat /etc/freeradius/clients.conf
client localhost {
ipaddr = 127.0.0.1
secret = sysadm
nastype     = other
}
client 192.168.0.0/16 {
 secret = sysadm
nastype = other
}
client 172.16.0.0/12 {
secret = sysadm
nastype = other
}
client 10.0.0.0/8 {
secret = sysadm
nastype = other
}

radiusd.conf

  • cat /etc/freeradius/radiusd.conf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

ldap

  • cat /etc/freeradius/modules/ldap
ldap {
        server = "localhost"
        identity = "cn=admin,dc=xinux,dc=net"
        password = sysadm
        basedn = "dc=xinux,dc=net"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        max_uses = 0
        timeout = 4
        timelimit = 3
        net_timeout = 1
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName
        keepalive {
                idle = 60
                probes = 3
                interval = 3
        }
}

default

  • cat /etc/freeradius/sites-enabled/default
authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        ldap
        expiration
        logintime
        pap

}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        exec
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        exec
        Post-Auth-Type REJECT {
                eap
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}

inner-tunnel

cat /etc/freeradius/sites-enabled 

server inner-tunnel {
listen {
       ipaddr = 127.0.0.1
       port = 18120
       type = auth
}
authorize {
	chap
	mschap
	suffix
	update control {
	       Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	files
	ldap
	expiration
	logintime
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	eap
}
session {
	radutmp
}


post-auth {
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
pre-proxy {
}

post-proxy {
	eap
}
}

users

  • cat /etc/freeradius/users
DEFAULT Ldap-Group == "cn=switch,ou=groups,dc=xinux,dc=net"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "17"
DEFAULT Auth-Type := Reject

test

console 1

  • freeradius -X
...
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
 ... adding new socket proxy address * port 40079
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

console 2

postiv

  • radtest thomas.will suxer localhost 1812 sysadm
Sending Access-Accept of id 128 to 127.0.0.1 port 41246
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "17"
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 128 with timestamp +52
Ready to process requests.
Abgerufen von „http://wiki.ixheim.de/index.php?title=Freeradius_ldap&oldid=16307