Freeradius ldap: Unterschied zwischen den Versionen
Thomas (Diskussion | Beiträge) |
Thomas (Diskussion | Beiträge) (→postiv) |
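--- a/Freeradius ldap
+++ b/Freeradius ldap
@@ -287 +287 @@
 ==console 2==
 ===postiv===
-*radtest
+*radtest thomas.will suxer localhost 1812 sysadm
 <pre>
-Sending Access-
+Sending Access-Accept of id 128 to 127.0.0.1 port 41246
+Tunnel-Type:0 = VLAN
+Tunnel-Medium-Type:0 = IEEE-802
+Tunnel-Private-Group-Id:0 = "17"
+Finished request 2.
+Going to the next request
+Waking up in 4.9 seconds.
+Cleaning up request 2 ID 128 with timestamp +52
+Ready to process requests.
 </pre>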
Version vom 23. Januar 2018, 15:02 Uhr
groupofNames
# switch, groups, xinux.net
# Group object that the RADIUS "users" file matches on (Ldap-Group == this DN).
# Membership is expressed via the "member" attribute, which is what the ldap
# module's groupmembership_filter looks up for groupOfNames entries.
dn: cn=switch,ou=groups,dc=xinux,dc=net
objectClass: groupOfNames
cn: switch
description: Switch Admins
# Full user DN; only users listed here receive the VLAN reply attributes.
member: cn=thomas will,ou=users,dc=xinux,dc=net
clients.conf
- cat /etc/freeradius/clients.conf
# clients.conf – the NAS devices allowed to send requests to this server.
# NOTE(review): all four client blocks share the same short secret "sysadm",
# and the three private ranges together cover every RFC 1918 address, so any
# host on those networks that knows that one secret is a valid client.  A
# long, per-client secret limits the blast radius of a single leaked secret.
client localhost {
	ipaddr = 127.0.0.1
	secret = sysadm
	nastype = other
}
client 192.168.0.0/16 {
	secret = sysadm
	nastype = other
}
client 172.16.0.0/12 {
	secret = sysadm
	nastype = other
}
client 10.0.0.0/8 {
	secret = sysadm
	nastype = other
}
radiusd.conf
- cat /etc/freeradius/radiusd.conf
# radiusd.conf – main server configuration (FreeRADIUS 2.x style layout).
# Installation paths; later entries are built from the earlier ones.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# The daemon drops to an unprivileged account after start-up.
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# ipaddr = * binds every interface; port = 0 means the default ports
# (1812 auth / 1813 acct, as seen in the "freeradius -X" output below).
listen {
	type = auth
	ipaddr = *
	port = 0
}
listen {
	ipaddr = *
	port = 0
	type = acct
}
hostname_lookups = no
# Core dumps disabled, so in-memory secrets are not written to disk on a crash.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	# NOTE(review): auth = no means Access-Accept/Reject results are NOT
	# recorded in radius.log; the rejected login shown in "console 2" leaves no
	# trace here.  auth = yes is needed for any failed-login monitoring.
	# Keep auth_badpass/auth_goodpass at "no" – they would log passwords.
	auth = no
	auth_badpass = no
	auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	# One-second delay before sending Access-Reject slows down password guessing.
	reject_delay = 1
	status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
# Loads every file in modules/, including the "ldap" module shown below.
modules {
	$INCLUDE ${confdir}/modules/
}
instantiate {
	exec
	expr
	expiration
	logintime
}
$INCLUDE policy.conf
# Loads the "default" and "inner-tunnel" virtual servers shown below.
$INCLUDE sites-enabled/
ldap
- cat /etc/freeradius/modules/ldap
# modules/ldap – LDAP backend used for user lookup and group checks.
ldap {
	# No tls section is configured here, so the bind is plaintext; this is
	# only tolerable because the directory is reached over the loopback.
	server = "localhost"
	# NOTE(review): the bind account is the directory administrator and its
	# password is stored in clear text in this file (it is also the same string
	# as the RADIUS shared secret).  A read-only service account restricted to
	# the user and group subtrees is enough for these lookups.
	identity = "cn=admin,dc=xinux,dc=net"
	password = sysadm
	basedn = "dc=xinux,dc=net"
	# User search: Stripped-User-Name (realm removed by "suffix") if present,
	# otherwise the raw User-Name.
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	ldap_connections_number = 5
	max_uses = 0
	timeout = 4
	timelimit = 3
	net_timeout = 1
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
	# Group lookup: the group's cn is the name, membership is resolved through
	# groupOfNames/member or groupOfUniqueNames/uniquemember using the DN found
	# by the user search above.
	groupname_attribute = cn
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
	groupmembership_attribute = radiusGroupName
	keepalive {
		idle = 60
		probes = 3
		interval = 3
	}
}
default
- cat /etc/freeradius/sites-enabled/default
# sites-enabled/default – the outer virtual server (ports 1812/1813).
# Modules in each section run in the order listed.
authorize {
	preprocess
	chap
	mschap
	digest
	# "suffix" splits user@realm so Stripped-User-Name is available to ldap.
	suffix
	eap {
		ok = return
	}
	# "files" evaluates the users file (Ldap-Group check, VLAN reply
	# attributes, the final Auth-Type := Reject); "ldap" does the user lookup.
	files
	ldap
	expiration
	logintime
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	digest
	unix
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	detail
	exec
	attr_filter.accounting_response
}
session {
	radutmp
}
post-auth {
	exec
	# Rejects are filtered so only allowed attributes leave with Access-Reject.
	Post-Auth-Type REJECT {
		eap
		attr_filter.access_reject
	}
}
pre-proxy {
}
post-proxy {
	eap
}
inner-tunnel
- cat /etc/freeradius/sites-enabled/inner-tunnel
# sites-enabled/inner-tunnel – virtual server for the inner EAP
# (e.g. PEAP/TTLS) authentication; reachable only on the loopback.
server inner-tunnel {
	listen {
		ipaddr = 127.0.0.1
		port = 18120
		type = auth
	}
	authorize {
		chap
		mschap
		suffix
		# Inner requests are never proxied, whatever realm the name carries.
		update control {
			Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		# Same users-file + ldap policy as the outer server.
		files
		ldap
		expiration
		logintime
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		unix
		eap
	}
	session {
		radutmp
	}
	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
	pre-proxy {
	}
	post-proxy {
		eap
	}
}
users
- cat /etc/freeradius/users
# users – authorization policy.  Entries are tried top to bottom and, without
# Fall-Through, processing stops at the first match.
# Members of the "switch" group (DN from the LDIF above) get the VLAN reply
# attributes that appear in the Access-Accept of "console 2".
DEFAULT Ldap-Group == "cn=switch,ou=groups,dc=xinux,dc=net"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "17"

# Everyone else is rejected, regardless of whether the LDAP password is right.
DEFAULT Auth-Type := Reject
test
console 1
- freeradius -X
... Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ... adding new socket proxy address * port 40079 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests.
console 2
positiv
- radtest thomas.will suxer localhost 1812 sysadm
Sending Access-Accept of id 128 to 127.0.0.1 port 41246 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 128 with timestamp +52 Ready to process requests.
negativ
- radtest badura.vonodinsraben falsch localhost 1812 secretkey
Sending Access-Request of id 218 to 127.0.0.1 port 1812 User-Name = "badura.vonodinsraben" User-Password = "falsch" NAS-IP-Address = 192.168.244.153 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=218, length=20