Wednesday, December 1, 2010

FreeRADIUS + AD account authentication

I finally got RADIUS + AD account authentication working today, so I'm writing it down right away.


OS: CentOS 5.5


Environment:
Domain: TEST.COM
DC: dc.test.com (192.168.173.104)
RADIUS: rads.test.com (192.168.173.103)


Requirements:
samba (with winbindd, wbinfo and ntlm_auth)
krb5-workstation (kinit and klist; krb5-server is only needed to run your own KDC, which this setup does not, since the domain controller is the KDC)
freeradius2  freeradius2-utils


1. Map host names to IP addresses
        vi  /etc/sysconfig/network
        HOSTNAME=rads.test.com
        vi  /etc/hosts
        192.168.173.104         dc.test.com
        192.168.173.103         rads.test.com
        Kerberos and the domain join need the DC's FQDN to resolve; without working DNS for the domain, these hosts entries are the minimum.


2. Configure Samba as the bridge to AD
        yum  install  samba
        vi  /etc/samba/smb.conf
        [global]
        workgroup = test
        realm = TEST.COM
        netbios name = rads
        security = ads
        password server = dc.test.com  [FQDN of the DC]
        winbind separator = +
        idmap uid = 10000-20000  [UID range for domain accounts]
        idmap gid = 10000-20000  [GID range for domain groups]
        winbind enum users = yes
        winbind enum groups = yes
        nt acl support = yes
        winbind cache time = 0
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = yes
        workgroup is the NetBIOS domain name (TEST) and realm is the Kerberos realm (TEST.COM, upper case). winbind use default domain = yes lets users authenticate as "user" instead of "TEST+user". winbind cache time = 0 sends every lookup to the DC, which is handy while testing and can be raised afterwards. template shell = /bin/bash gives every domain account a login shell on this host, which a RADIUS server does not need; /sbin/nologin is the safer choice unless domain users are meant to ssh into it.


3. Configure Kerberos (AD authenticates with Kerberos)
        vi  /etc/krb5.conf
        ...
        [libdefaults]
        default_realm = TEST.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        forwardable = yes


        [realms]
        TEST.COM = {
        kdc = dc.test.com:88
        admin_server = dc.test.com:749
        default_domain = test.com
        }


        [domain_realm]
        .test.com = TEST.COM
        test.com = TEST.COM
        ...
        The [domain_realm] section must map this environment's DNS domain (test.com) to the realm TEST.COM; the example.com entries from the stock file map nothing useful here. Realm names are case-sensitive and must be written in upper case.
        yum  install  krb5-server            (optional: not needed here, since the DC is the KDC; kinit and klist come from krb5-workstation)
        vi  /var/kerberos/krb5kdc/kdc.conf    (optional for the same reason; do not start krb5kdc on this host)
        ...
        [realms]
        TEST.COM = {
        ...


4. Test that the host can obtain a Kerberos ticket from the DC
        kinit  administrator@TEST.COM
        A successful kinit only asks for the password and prints nothing; klist then shows the TGT (krbtgt/TEST.COM@TEST.COM). Failures here (clock skew over five minutes, an unresolvable KDC, a lower-case realm) must be fixed before the domain join, which uses the same Kerberos settings. This checks Kerberos only; Samba itself is checked in steps 5 and 7.


5. Join the RADIUS server to the domain
        /etc/init.d/smb  start; chkconfig smb on
        net  ads  join  -U  administrator
        With security = ads use net ads join: it joins over Kerberos/LDAP and creates the machine account the way winbind in ADS mode expects. net rpc join is the older NT4-style RPC join. Verify the result with net ads testjoin.


6. Make the system resolve accounts through winbind
        vi  /etc/nsswitch.conf
        passwd:     files winbind
        shadow:     files winbind
        group:      files winbind


7. Verify that AD accounts are visible
        /etc/init.d/winbind  start; chkconfig winbind on
        wbinfo  -u  (or getent  passwd)
        ntlm_auth  --request-nt-key  --domain=TEST  --username=administrator  --password=<AD administrator password>
        wbinfo -u lists domain users straight from winbind; getent passwd shows them through nsswitch and so also proves step 6. The ntlm_auth call is exactly what FreeRADIUS will run later, so it must print NT_STATUS_OK: Success (0x0) here first. A password passed with --password is visible to every local user in the process list and ends up in the shell history; use a throwaway test account rather than the domain administrator, and clear the history afterwards.
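The checks in steps 1 through 7 are easier to repeat as one script that stops at the first broken layer (name resolution, Kerberos, join, winbind, ntlm_auth). The script below is an added example and not part of the original post; it assumes the names used above (realm TEST.COM, NetBIOS domain TEST, DC dc.test.com), the Samba and Kerberos client tools in PATH, and root on rads.test.com. Only the two parsing helpers run without a domain; the live checks run with `--run`. The sample ntlm_auth outputs in the comments are constructed.

```shell
#!/bin/sh
# radius-ad-check.sh: verify steps 1-7 layer by layer.
# Added example, not part of the original post. Assumes the names used
# above (realm TEST.COM, NetBIOS domain TEST, DC dc.test.com) and the
# Samba and Kerberos client tools in PATH; run as root on rads.test.com.

REALM=${REALM:-TEST.COM}
DOMAIN=${DOMAIN:-TEST}
DC=${DC:-dc.test.com}

# Extract the status code from ntlm_auth output, e.g. the (constructed)
# line "NT_STATUS_OK: Success (0x0)" -> "NT_STATUS_OK"; empty if absent.
ntlm_status() {
    printf '%s\n' "$1" | sed -n 's/^\(NT_STATUS_[A-Za-z0-9_]*\).*/\1/p' | head -n 1
}

# One-line diagnosis for the operator, keyed on the status code.
diagnose() {
    status=$(ntlm_status "$1")
    case "$status" in
        NT_STATUS_OK)
            echo "ok: winbind authenticated the account against the DC" ;;
        NT_STATUS_LOGON_FAILURE)
            echo "rejected: wrong user name, password or --domain" ;;
        NT_STATUS_NO_LOGON_SERVERS)
            echo "no DC reachable: check winbindd, DNS and the join" ;;
        NT_STATUS_ACCESS_DENIED)
            echo "access denied: --request-nt-key needs winbindd's privileged pipe (run as root or a member of its group)" ;;
        "")
            echo "no NT_STATUS line: is ntlm_auth installed and winbindd running?" ;;
        *)
            echo "failed: $status" ;;
    esac
}

# Live checks in dependency order; the first failure stops the run.
run_checks() {
    echo "== 1. name resolution (steps 1 and 2)"
    hostname -f
    getent hosts "$DC" || { echo "cannot resolve $DC"; return 1; }

    echo "== 2. Kerberos: get a TGT from the DC (steps 3 and 4)"
    kinit "administrator@$REALM" || return 1
    klist

    echo "== 3. domain membership (step 5)"
    net ads testjoin || return 1

    echo "== 4. winbind: machine trust secret and user enumeration (steps 6 and 7)"
    wbinfo -t || return 1
    wbinfo -u | head -n 3

    echo "== 5. ntlm_auth, the exact call FreeRADIUS will make (step 7)"
    printf 'AD password for administrator: '
    stty -echo; read -r pw; stty echo; echo      # prompt, so the password stays out of ps and history
    out=$(ntlm_auth --request-nt-key --domain="$DOMAIN" \
                    --username=administrator --password="$pw" 2>&1)
    unset pw
    echo "$out"
    diagnose "$out"
}

# The live checks run only with --run, so the helpers can be tested offline.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `sh radius-ad-check.sh --run` after step 7. The password is read from a prompt rather than taken on the command line, but ntlm_auth itself still receives it as an argument, so the process list exposes it for the duration of that one call; use a test account, not the domain administrator.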


8. Install FreeRADIUS
        yum  install  freeradius2  freeradius2-utils


9. Add the ntlm_auth module to FreeRADIUS
        vi  /etc/raddb/modules/ntlm_auth
        exec ntlm_auth {
           wait = yes
           program = "/path/to/ntlm_auth --request-nt-key --domain=TEST --username=%{mschap:User-Name} --password=%{User-Password}"
        }
        Replace /path/to/ntlm_auth with the real path (which ntlm_auth). %{mschap:User-Name} strips a DOMAIN\ prefix from the login name. Because this module passes %{User-Password}, it only serves requests that carry the cleartext password, i.e. PAP, which is what radtest sends; EAP-MSCHAPv2 inside PEAP, the method 802.1X wireless clients use, never carries the password and has to go through the mschap module instead. ntlm_auth --request-nt-key also needs winbindd's privileged pipe: the freeradius2 package runs radiusd as the user radiusd, so add that user to the group owning /var/lib/samba/winbindd_privileged (ls -ld shows it) or the calls made by the daemon will be denied even though they work for root on the command line.

10. Enable the module in the authenticate sections
        vi  /etc/raddb/sites-enabled/default
        authenticate {
        ...
        ntlm_auth
        ...
        }
        vi  /etc/raddb/sites-enabled/inner-tunnel
        authenticate {
        ...
        ntlm_auth
        ...
        }
        Listing ntlm_auth under authenticate only makes it callable; a request is routed to it when its Auth-Type is ntlm_auth (set in step 11). The inner-tunnel entry covers PAP carried inside a PEAP or TTLS tunnel, not EAP-MSCHAPv2, which the eap and mschap modules handle.

11. Edit /etc/raddb/users
        DEFAULT     Auth-Type = ntlm_auth
        This sends every request that has no Auth-Type yet to ntlm_auth. Requests carrying an EAP-Message are not affected, because the eap module sets Auth-Type = EAP for them in authorize, so in practice this line governs PAP requests only.
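The exec ntlm_auth module from steps 9 through 11 covers PAP only. 802.1X wireless clients do PEAP with EAP-MSCHAPv2 inside the TLS tunnel, where the server sees a challenge and an NT-Response rather than a password, so FreeRADIUS's mschap module has to be pointed at ntlm_auth for those. The script below is an added example, not part of the original post or of FreeRADIUS; it assumes FreeRADIUS 2.x under /etc/raddb, winbind joined to NetBIOS domain TEST, ntlm_auth in PATH, and root. The ntlm_auth line it writes is the one shipped commented out in the stock modules/mschap, plus --domain; the backup name mschap.orig and the RADDB/DOMAIN variables are this script's own. The clients.conf fragments in the test are constructed.

```shell
#!/bin/sh
# radius-mschap-setup.sh: add the MS-CHAPv2 path (PEAP/EAP-MSCHAPv2, what
# 802.1X wireless clients use) next to the PAP path from steps 9-11.
# Added example, not part of the original post. Assumes FreeRADIUS 2.x
# under /etc/raddb, winbind joined to NetBIOS domain TEST, ntlm_auth in
# PATH, and that it is run as root.

RADDB=${RADDB:-/etc/raddb}
DOMAIN=${DOMAIN:-TEST}

# Module config that makes rlm_mschap verify an MS-CHAPv2 exchange through
# winbind. Unlike the exec module it never needs a cleartext password:
# ntlm_auth gets the challenge and the client's NT-Response and, because of
# --request-nt-key, returns the NT key FreeRADIUS uses to derive MPPE keys.
mschap_module_config() {
    bin=$1
    dom=$2
    cat <<EOF
mschap {
    use_mppe = yes
    with_ntdomain_hack = yes
    ntlm_auth = "$bin --request-nt-key --domain=$dom --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
EOF
}

# True when the stock shared secret is still configured for some client.
# RADIUS hides PAP passwords and authenticates replies with nothing stronger
# than MD5 keyed by this secret, so a guessable one exposes every password
# that radtest or a PAP-only NAS sends.
default_secret_in_use() {
    grep -Eq '^[[:space:]]*secret[[:space:]]*=[[:space:]]*testing123[[:space:]]*$' "$1"
}

# Write the module, warn about the default secret, and let radiusd parse
# the whole configuration without starting.
apply() {
    bin=$(command -v ntlm_auth) || { echo "ntlm_auth not found"; return 1; }
    cp "$RADDB/modules/mschap" "$RADDB/modules/mschap.orig"
    mschap_module_config "$bin" "$DOMAIN" > "$RADDB/modules/mschap"
    if default_secret_in_use "$RADDB/clients.conf"; then
        echo "WARNING: clients.conf still uses the default secret testing123"
    fi
    radiusd -XC
}

# Changes are written only with --apply, so the helpers can be tested offline.
if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

The stock default and inner-tunnel sites already list mschap in authorize and authenticate, and eap.conf already selects mschapv2 as the PEAP inner method, so nothing else needs enabling. Two things still decide whether a wireless client gets in: the radiusd user must be allowed to use winbindd's privileged pipe (step 9), and the client must trust the server certificate configured in eap.conf's tls section, since a supplicant that rejects the certificate aborts the TLS handshake before any credential is sent. eapol_test from wpa_supplicant exercises the full PEAP exchange from the command line, which radtest cannot.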

12. Test the authentication path
        radiusd  -X
        radtest user password localhost 0 testing123
        radiusd -X runs in the foreground with full debug output; stop it with Ctrl-C and start the service normally (/etc/init.d/radiusd start) once the test passes. radtest sends a PAP Access-Request, so an Access-Accept proves the ntlm_auth exec path, not PEAP. testing123 is the shared secret shipped in /etc/raddb/clients.conf for localhost: change it, and give each real NAS (the access point or switch) its own client entry with a long random secret, because RADIUS protects PAP passwords and packet integrity with nothing stronger than MD5 keyed by that secret.

1 comment:

  1. I have verified with radtest that it works, but authenticating through wireless 802.1X fails to log in. Below is my RADIUS log.
    Could you tell me where my configuration is wrong?
    rad_recv: Access-Request packet from host 192.168.10.114 port 1036, id=141, length=169
    User-Name = "fred.wei"
    NAS-Port = 0
    Called-Station-Id = "06-27-22-AB-D8-02:unifi"
    Calling-Station-Id = "00-1E-64-0F-A3-B2"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x021a001119800000000715030100020230
    State = 0xb3e44e03b7fe5769cbef6f850cf54389
    Message-Authenticator = 0x4c6e492680f05ded5484739acfbce228
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "fred.wei", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] EAP packet type response id 26 length 17
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    TLS Length 7
    [peap] Length Included
    [peap] eaptls_verify returned 11
    [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
    TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
    rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    SSL: SSL_read failed inside of TLS (-1), TLS session fails.
    TLS receive handshake failed during operation
    [peap] eaptls_process returned 4
    [peap] EAPTLS_OTHERS
    [eap] Handler failed in EAP/peap
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> fred.wei
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 6 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 6
    Sending Access-Reject of id 141 to 192.168.10.114 port 1036
    EAP-Message = 0x041a0004
    Message-Authenticator = 0x00000000000000000000000000000000
