strongswan / openswan / freeradius discussion QQ group: 892427461

Strongswan + freeradius + daloradius + AD authentication: building an IKEv2 access service

Part 2    Installing and configuring freeradius-4.0.0 and samba, using winbind to integrate Windows Active Directory domain-account authentication and to implement user-group authentication

Experiment dates: 7 August 2018 to 8 August 2018

Topology diagram: 拓扑.PNG

Environment:

    Firewall 1: FW1    USG2200
        External IP address: 10.99.101.170    Domain name: strongswan.test.com
        Internal IP address: 192.168.20.3

    Firewall 2: FW2    USG2200
        External IP address: 10.99.101.129    Domain name: mystrongswan.test.com
        Internal IP address: 192.168.20.2

    Firewall 5: FW5    USG2200
        External IP address: 10.99.101.167
        Internal IP address: 131.107.0.1

    Servers:
        Domain controller:
            Windows Server 2016
            IP address: 192.168.20.10    Domain name: dc.test.com

        strongswan server:
            CentOS 7
            IP address: 192.168.20.29
            Strongswan-5.6.3

        freeradius server:
            CentOS 7
            IP address: 192.168.20.27
            freeradius-4.0.0

    Client: Windows 7
        Built-in VPN client, EAP-MSCHAPv2 mode and computer-certificate mode

Part 2    Installing and configuring freeradius-4.0.0 and samba, using winbind to integrate Windows Active Directory domain-account authentication and to implement user-group authentication

Experiment date: 7 August 2018

1. CentOS 7 minimal install (any other install type works as well)

    Set the IP address:

cd /etc/sysconfig/network-scripts
vi ifcfg-ens32

    BOOTPROTO=static
    ONBOOT=yes
    IPADDR=192.168.20.27
    NETMASK=255.255.255.0
    GATEWAY=192.168.20.2
    DNS1=192.168.20.10

reboot

 

2. Install vim (optional; the rest works without it)

yum install -y vim

3. Upgrade the system after installation (optional; the rest works without it)

yum upgrade -y

    Upgrades all packages without changing software or system settings; the system version is upgraded, the kernel is not.

yum update -y

    Upgrades all packages, changes software and system settings, and upgrades both the system version and the kernel.

4. Disable SELinux

vim /etc/sysconfig/selinux

    SELINUX=disabled

reboot
sestatus

    SELinux status:   disabled

5. Install and configure samba

yum install samba -y
yum install samba-winbind -y
vim /etc/samba/smb.conf

[global]
   netbios name = freeradius
   workgroup = TEST
   server string = RADIUS server
   security = ads
   invalid users = root
   socket options = TCP_NODELAY
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind use default domain = no
   winbind max domain connections = 5
   winbind max clients = 1000
   password server = DC.TEST.COM
   realm = TEST.COM

systemctl restart smb nmb
net ads join -U administrator

    Output:
    Joined 'FREERADIUS' to dns domain 'test.com'
    NO DNS domain configured for freeradius.Unable to perform DNS Update.
    DNS update failed:NT_STATUS_INVALID_PARAMETER

systemctl restart winbind
net ads testjoin

    Output:
    Joins is OK.

systemctl enable smb nmb winbind

A computer account named freeradius is now visible on the domain controller dc.test.com.

6. Download the freeradius source

yum install -y git
cd /usr/src
git clone git://github.com/freeradius/freeradius-server.git
cd /usr/src/freeradius-server

    Checked-out commit (git log output):
    commit d0b4760e41db01f09c49cea90065ae5cc4b27256
    Merge: b342d5f 3fa2f22
    Author: Alan DeKok 
    Date:   Wed Nov 16 11:16:35 2016 -0500

7. The build requires C11 support, so install gcc 4.9

yum install centos-release-scl -y
yum install devtoolset-3-toolchain -y
scl enable devtoolset-3 bash
gcc --version

    Output:
    gcc (GCC) 4.9.2 20150212 (Red Hat 4.9.2-6)
    Copyright (C) 2014 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPO

8-1. Compile and install freeradius. This step records which error messages appeared during configure / make / make install and which package fixes each of them; if you do not need that, skip straight to 8-2.

scl enable devtoolset-3 bash
./configure

    Error:
    configure: WARNING: talloc library not found. Use --with-talloc-lib-dir=<path>.
    configure: error: FreeRADIUS requires libtalloc.  Please read doc/developer/dependencies.rst for further instructions.

    Install libtalloc-devel:

yum -y install libtalloc-devel
./configure

    Error:
    configure: WARNING: kqueue library not found. Use --with-kqueue-lib-dir=<path>.
    configure: error: FreeRADIUS requires libkqueue (or system kqueue).  Please read doc/developer/dependencies.rst for further instructions.

    Install libkqueue from source:

cd /usr/src
yum install -y wget
wget https://jaist.dl.sourceforge.net/project/libkqueue/libkqueue-2.0/libkqueue-2.0.1.tar.gz
tar -xzvf libkqueue-2.0.1.tar.gz
cd libkqueue-2.0.1/
./configure
make
make install
ln -s /usr/local/include/kqueue/sys /usr/local/include/
cd /usr/src/freeradius-server
./configure

    Error:
    configure: error: failed linking to libcrypto. Use --with-openssl-lib-dir=<path>, or --with-openssl=no (builds without OpenSSL)
    See `config.log' for more details

    Install openssl-devel:

yum install -y openssl-devel
./configure

    Output:
    config.status: creating all.mk

    configure now passes, but winbind and MySQL support are still missing:

    configure: WARNING: wbclient.h not found. Use --with-winbind-include-dir=<path>.
    configure: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient

yum install -y libwbclient-devel

    configure: WARNING: core/ntstatus.h not found. Use --with-winbind-include-dir=<path>.

yum install -y samba-devel

    configure: WARNING: MySQL headers not found. Use --with-mysql-include-dir=<path>.
    configure: WARNING: silently not building rlm_sql_mysql.
    configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient || libmysqlclient_r mysql.h.

yum install -y mariadb-devel

    Install readline-devel, otherwise make reports:

    src/bin/radmin.c:79:15:warning:passing argument 1 of 'fgets' from incompatible pointer type line = fgets(readline_buffer, sizeof(readline_buffer),stdin);

yum install -y readline-devel

    Install libpcap-devel, otherwise make reports:

    src/lib/util/dict.c:48:8: error: unknown type name ‘fr_hash_table_t’
    static fr_hash_table_t *protocol_by_name = NULL; //!< Hash containing names of all the registered protocols.

yum install -y libpcap-devel

    Install pam-devel, otherwise radiusd -X after make install reports:

    /usr/local/etc/raddb/mods-enabled/pam[15]: Failed to link to module "rlm_pam": rlm_pam.so: cannot open shared object file: No such file or directory
    Not built with support for LSAN interface
    /usr/local/etc/raddb/mods-enabled/pam[15]: Make sure it (and all its dependent libraries!) are in the search path of your system's ld

yum install pam-devel
./configure

configure completed.

make

    Output:
    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_sql/drivers/rlm_sql_db2/
    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_lua/
    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_krb5/
    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_sql/drivers/rlm_sql_db2/
    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_lua/
    WARNING - may need 'make reconfig' for AUTOCONF src/modules/rlm_krb5/

make reconfig

    Output:
    Makefile:192: *** You need to install autoconf to re-build the "configure" scripts。 停止。

yum install autoconf -y
make reconfig
make

    make succeeded.

make install

    freeradius is installed; the configuration files are under /usr/local/etc/raddb/.

radiusd -X

    Error:
    Unable to open file "/usr/local/etc/raddb/certs/rsa/ca.pem": Effective user/group - root:root: ENOENT: No such file or directory
    rlm_eap_tls - Failed initializing SSL context
    /usr/local/etc/raddb/mods-enabled/eap[15]: Instantiation failed for module "eap"

    Build the certificates in raddb/certs, then start again:

cd /usr/local/etc/raddb/certs
make
radiusd -X

    Output:
    Ready to process requests

    Debug-mode start succeeded.

8-2. Compile and install freeradius (condensed sequence)

scl enable devtoolset-3 bash
yum -y install libtalloc-devel openssl-devel libwbclient-devel samba-devel mariadb-devel readline-devel pam-devel autoconf libpcap-devel net-snmp-devel net-snmp-utils gdbm-devel libtool libtool-ltdl-devel zlib-devel openldap-devel krb5-devel python-devel mysql-devel postgresql-devel unixODBC-devel memcached-devel
cd /usr/src
yum install -y wget
wget https://jaist.dl.sourceforge.net/project/libkqueue/libkqueue-2.0/libkqueue-2.0.1.tar.gz
tar -xzvf libkqueue-2.0.1.tar.gz
cd libkqueue-2.0.1/
./configure
make
make install
ln -s /usr/local/include/kqueue/sys /usr/local/include/
cd /usr/src/freeradius-server
./configure
make
make install
cd /usr/local/etc/raddb/certs
make
radiusd -X

    Ready to process requests

    Debug-mode start succeeded.

9. Open the firewall ports

firewall-cmd --zone=public --add-port=1812/udp --permanent
firewall-cmd --zone=public --add-port=1813/udp --permanent
firewall-cmd --reload

10. Configure freeradius

    Enable winbind:

ln -s /usr/local/etc/raddb/mods-available/winbind /usr/local/etc/raddb/mods-enabled/

vim /usr/local/etc/raddb/mods-enabled/mschap

    Uncomment:
    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "%{mschap:NT-Domain}"

vim /usr/local/etc/raddb/sites-enabled/default

    Add a group check to the send Access-Accept section, so that only users in the strongswan group pass authentication:

    send Access-Accept {
        ...
        if (!Winbind-Group == "strongswan") {
            reject
        }
        ...
    }

radiusd -X

    Switch to a second terminal on the same host to test.
    Domain user sswanuser1, password asdf123., member of the strongswan group
    Domain user feisswanuser1, password asdf123., not a member of the strongswan group

radtest -t mschap sswanuser1 asdf123. 127.0.0.1 0 testing123

    Output:

Sent Access-Request Id 157 from 0.0.0.0:51595 to 127.0.0.1:1812 length 136
Cleartext-Password = "asdf123."
User-Name = "sswanuser1"
MS-CHAP-Password = "asdf123."
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0x9aff829427d02e33
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000004599a4f2c634a7a8d3df706e509d3d9086007dbb590f6c78
Received Access-Accept Id 157 from 127.0.0.1:1812 to 0.0.0.0:51595 via lo length 84
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-CHAP-MPPE-Keys = 0x00000000000000007b73fe4ee9d5c787afd20f901a960783

    Authentication passed.

radtest -t mschap feisswanuser1 asdf123. 127.0.0.1 0 testing123

    Output:

Sent Access-Request Id 127 from 0.0.0.0:44856 to 127.0.0.1:1812 length 139
Cleartext-Password = "asdf123."
User-Name = "feisswanuser1"
MS-CHAP-Password = "asdf123."
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0xa8d0c5a792406d82
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000eedb7a880b0bd9677cf1f25bd3cab570ca106dc6107b32a5
Received Access-Reject Id 127 from 127.0.0.1:1812 to 0.0.0.0:44856 via lo length 20
(0) -: Expected Access-Accept got Access-Reject

    Authentication rejected, as intended for a user outside the strongswan group.
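As an added example that is not part of the original post, the two manual radtest runs above can be turned into a repeatable check of the Winbind-Group gate: it classifies each radtest transcript and verifies that group members are accepted and everyone else rejected. It assumes radtest on the same host and the shared secret testing123 from the page; the embedded sample transcripts are constructed from the outputs above.

```shell
#!/bin/sh
# Added example, not from the original post: regression check for the
# Winbind-Group gate in sites-enabled/default. Members of "strongswan" must
# get Access-Accept, everyone else Access-Reject. Assumptions: radtest is in
# PATH, server on 127.0.0.1:1812 with secret "testing123" (as on the page);
# the user list and sample transcripts below are constructed.

# classify_reply: read one radtest transcript on stdin, print accept|reject|none
# (none = no reply at all, e.g. wrong shared secret or timeout)
classify_reply() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^Received Access-Accept'; then
        echo accept
    elif printf '%s\n' "$out" | grep -q '^Received Access-Reject'; then
        echo reject
    else
        echo none
    fi
}
# gate_ok REPLY KIND: succeed only if REPLY is what the gate should give a
# user of KIND (member|nonmember)
gate_ok() {
    case "$1:$2" in
        accept:member|reject:nonmember) return 0 ;;
        *) return 1 ;;
    esac
}
# run_radtest USER PASSWORD: the same MS-CHAP probe the page uses
run_radtest() {
    radtest -t mschap "$1" "$2" 127.0.0.1 0 testing123 2>&1
}
# Constructed samples, trimmed from the two radtest runs on the page
SAMPLE_ACCEPT='Sent Access-Request Id 157 from 0.0.0.0:51595 to 127.0.0.1:1812 length 136
Received Access-Accept Id 157 from 127.0.0.1:1812 to 0.0.0.0:51595 via lo length 84'
SAMPLE_REJECT='Sent Access-Request Id 127 from 0.0.0.0:44856 to 127.0.0.1:1812 length 139
Received Access-Reject Id 127 from 127.0.0.1:1812 to 0.0.0.0:44856 via lo length 20
(0) -: Expected Access-Accept got Access-Reject'
# Live run against the real server: sh check_gate.sh live
if [ "${1:-}" = "live" ]; then
    fail=0
    for entry in "sswanuser1:member" "feisswanuser1:nonmember"; do
        user=${entry%%:*}; kind=${entry#*:}
        reply=$(run_radtest "$user" "asdf123." | classify_reply)
        if gate_ok "$reply" "$kind"; then echo "OK   $user -> $reply"
        else echo "FAIL $user -> $reply"; fail=1; fi
    done
    exit "$fail"
fi
```

Without the "live" argument the script only defines the functions and samples, so it can be sourced and checked offline; a "none" result on a live run points at the shared secret or the firewall rather than at the group gate.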

11. Add freeradius as a system service

cd /lib/systemd/system/
vim radiusd.service

[Unit]
Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service
After=mariadb.service

[Service]
Type=forking
PIDFile=/usr/local/var/run/radiusd/radiusd.pid
# ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/usr/local/sbin/radiusd -C
ExecStart=/usr/local/sbin/radiusd -d /usr/local/etc/raddb
ExecReload=/usr/local/sbin/radiusd -C
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target


Configuration complete.