RADIUS and LDAP authentication
RADIUS (Remote Authentication Dial In User Service), a remote dial-in user authentication system, is defined by RFC 2865 and RFC 2866 and is currently the most widely used AAA protocol.
The RADIUS protocol was originally proposed by Livingston; its original purpose was to authenticate and account for dial-up users. After repeated revisions it became a general-purpose authentication and accounting protocol.
Merit Network, Inc., founded in 1966, is a non-profit company of the University of Michigan whose business is operating and maintaining the university's interconnection network, MichNet. In 1987 Merit won a tender of the US NSF (National Science Foundation) and with it the contract to operate NSFnet, the predecessor of the Internet. Because NSFnet was an IP network while MichNet ran on a proprietary network protocol, Merit faced the task of converting MichNet's proprietary protocol to IP while also migrating MichNet's large volume of dial-up business, together with its related proprietary protocols, onto the IP network.
In 1991 Merit invited bids from dial-up server vendors. A few months later a company called Livingston submitted a proposal, named RADIUS, and won the contract.
In the autumn of 1992 the IETF NASREQ working group was formed and RADIUS was submitted to it as a draft. RADIUS quickly became the de facto network access standard, implemented by almost every network access server vendor.
In 1997 the RADIUS RFC 2039 was published, followed by RFC 2138; the latest RADIUS RFC, RFC 2865, was published in June 2000.
RADIUS is a client/server protocol. Its clients were originally NAS (Network Access Server) devices; today any computer running RADIUS client software can act as a RADIUS client. The protocol's authentication mechanism is flexible: PAP, CHAP, Unix login authentication and other methods can be used. RADIUS is extensible, since everything it does is carried in Attribute-Length-Value vectors, and vendors can add their own vendor-specific attributes.
The basic operation of RADIUS is as follows. A user connects to the NAS. The NAS submits the user's information, including the user name and password, to the RADIUS server in an Access-Request packet; the password is hidden with MD5 using a shared secret known to both sides, and that secret is never transmitted over the network. The RADIUS server checks whether the user name and password are valid; when necessary it can issue a Challenge to authenticate the user further, and it can authenticate the NAS in a similar way. If the credentials are valid it returns an Access-Accept packet to the NAS, allowing the user to proceed; otherwise it returns an Access-Reject packet and the user is denied. If access is allowed, the NAS sends the RADIUS server an Accounting-Request; the server answers with an Accounting-Response, accounting for the user begins, and the user can carry on with their own activity.
RADIUS also supports proxying and roaming. Put simply, a proxy is a server that acts on behalf of other RADIUS servers and forwards RADIUS authentication and accounting packets to them. Roaming is a particular application of proxying: it lets a user authenticate through a RADIUS server that is otherwise unrelated to them, so that users can be served outside their home operator's territory, and it also makes virtual operators possible.
The RADIUS server and the NAS communicate over UDP; port 1812 on the RADIUS server handles authentication and port 1813 handles accounting. UDP was chosen mainly because the NAS and the RADIUS server are usually on the same local network, where UDP is faster and simpler.
The RADIUS protocol also specifies a retransmission mechanism. If the NAS submits a request to a RADIUS server and gets no reply, it can retransmit the request to a backup RADIUS server. Because there can be several backup RADIUS servers, the NAS can retransmit to them in round-robin fashion. If the backup server's shared secret differs from that of the previous server, authentication has to be performed again. Because RADIUS is simple, clear and extensible it has found wide use: ordinary dial-up Internet access, ADSL, residential broadband, IP telephony, VPDN (Virtual Private Dialup Networks, virtual private dial-up services for dial-up users), mobile prepaid services and so on. Recently the IEEE proposed the 802.1x standard, a port-based standard for wireless network access authentication, which also uses RADIUS during authentication.
Wireless authentication model
A brief overview of 802.1x
802.1x is a port-based access protocol that protects the network through authentication. This kind of authentication is especially useful in wireless environments because of the nature of the medium. If a wireless user passes 802.1x network access authentication, the access point opens a virtual port for the user's traffic; if authentication fails, no virtual port is provided and traffic is blocked.
802.1x authentication has three basic parts:
a software client running on the wireless station;
the wireless access point;
an authentication server, that is, an authentication database, usually a RADIUS server (for example Cisco ACS, Funk Steel-Belted RADIUS or Microsoft IAS).
Table 1: authentication architecture (a diagram in the original; not reproduced in this text).
Table 2: wireless authentication types supported by RADIUS (only the headings and two cells survive extraction).
Columns, the 802.1x EAP types:
--- EAP-MD5 (Message Digest 5)
--- EAP-TLS (Transport Layer Security)
--- EAP-TTLS (Tunneled Transport Layer Security)
--- PEAP (Protected Transport Layer Security)
--- EAP-FAST (Flexible Authentication via Secure Tunneling)
--- LEAP (Lightweight Extensible Authentication Protocol)
Rows: requires client certificate; requires server certificate; WEP key management; rogue AP detection; ease of deployment.
Surviving cells: "hard (because of the client certificate configuration)" and "high when strong passwords are used".
Installing and configuring OpenLDAP
I used OpenLDAP-2.4.9. After unpacking:
[root@localhost ubuntu] ./configure
Normally the system will tell you that Berkeley DB is not installed, but even after you install it you will find it still cannot be found (configure: error: BDB/HDB: BerkeleyDB not available). Solve it as follows, adjusting the paths to your Berkeley DB version, and run configure again so the flags take effect:
CPPFLAGS="-I/usr/local/BerkeleyDB.4.3/include"
export CPPFLAGS
LDFLAGS="-L/usr/local/BerkeleyDB.4.3/lib"
export LDFLAGS
LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.3/lib"
export LD_LIBRARY_PATH
[root@localhost ubuntu] ./configure
[root@localhost ubuntu] make
[root@localhost ubuntu] make install
[root@localhost ubuntu] make test (best to do this; it tests whether the ldap service can start. If it reports that the service cannot start, port 389 is already in use; rebooting the machine fixes it.)
Start the service:
[root@localhost ubuntu] ./slapd -d 1
Here I recommend running with debug level 1; at log level 256 much of the output is no longer visible.
I used freeradius-server-2.0.4.
Install openssl first:
# tar zxvf openssl-0.9.7-stable-SNAP-.tar.gz
# cd openssl-0.9.7-stable-SNAP-
# ./config shared --prefix=/usr/local/openssl
# make install
Install FreeRADIUS:
# cd radiusd
# ./configure --prefix=/usr/local/newradius \
    --with-openssl-includes=/usr/local/openssl/include \
    --with-openssl-libraries=/usr/local/openssl/lib
# make install
The reason for installing openssl is to generate certificates: under raddb/certs, use commands such as make client.pem. If you need to change the certificate settings, edit the .cnf files.
der and cer are the same thing, both a certificate; cer is the form used on Windows.
pem is a certificate request, a text file.
p12 is a personal certificate that contains the private key.
Edit slapd.conf as follows:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
# Add the schemas; it is best not to change this order.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/radius.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
# modulepath %MODULEDIR%
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
# The root of your directory tree; it is used whenever you add or search.
suffix "dc=teddy,dc=net"
rootdn "cn=master,dc=teddy,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# Bind password
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
Now we start adding entries to the LDAP directory.
Create test1.ldif (the base entry for the suffix is added here because cn=master cannot be added until its parent exists, and the naming attribute cn must be present in the entry):
dn: dc=teddy,dc=net
objectClass: dcObject
objectClass: organization
dc: teddy
o: teddy

dn: cn=master,dc=teddy,dc=net
objectClass: organizationalRole
cn: master
Create test2.ldif:
dn: uid=radiususer,cn=master,dc=teddy,dc=net
uid: radiususer
cn: radiususer
objectClass: top
#objectClass: dcObject
objectClass: account
objectClass: posixAccount
userPassword: test
uidNumber: 10072
gidNumber: 10002
homeDirectory: /home/radiususer
loginShell: /bin/shell
Run the following commands (make sure the ldap service is running at this point):
ldapadd -x -D "cn=master,dc=teddy,dc=net" -W -f test1.ldif
ldapadd -x -D "cn=master,dc=teddy,dc=net" -W -f test2.ldif
You will be prompted for a password; enter the rootdn password and the entries are added. Verify with:
ldapsearch -x -b 'dc=teddy,dc=net'
The relevant subsections of the eap module configuration are shown below; indentation and the subsection braces are added for readability.
# The certificate part depends on your actual situation; for testing you can use the certificates generated above.
tls {
    # These are used to simplify later configurations.
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_password = whatever
    private_key_file = ${certdir}/server.pem
    # If Private key & Certificate are located in
    # the same file, then private_key_file &
    # certificate_file must contain the same file name.
    # If CA_file (below) is not used, then the
    # certificate_file below MUST include not
    # only the server certificate, but ALSO all
    # of the CA certificates used to sign the
    # server certificate.
    certificate_file = ${certdir}/server.pem
    # Trusted Root CA list
    # ALL of the CA's in this list will be trusted
    # to issue client certificates for authentication.
    # In general, you should use self-signed
    # certificates for 802.1x (EAP) authentication.
    # In that case, this CA file should contain
    # *one* CA certificate.
    # This parameter is used only for EAP-TLS,
    # when you issue client certificates. If you do
    # not use client certificates, and you do not want
    # to permit EAP-TLS authentication, then delete
    # this configuration item.
    CA_file = ${cadir}/ca.pem
    # For DH cipher suites to work, you have to
    # run OpenSSL to create the DH file first:
    # openssl dhparam -out certs/dh 1024
    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    # This can never exceed the size of a RADIUS
    # packet (4096 bytes), and is preferably half
    # that, to accommodate other attributes in the
    # RADIUS packet. On most APs the MAX packet
    # length is configured between 1500 - 1600.
    # In these cases, fragment size should be
    # 1024 or less.
    # fragment_size = 1024
    # include_length is a flag which is
    # by default set to yes. If set to
    # yes, Total Length of the message is
    # included in EVERY packet we send.
    # If set to no, Total Length of the
    # message is included ONLY in the
    # First packet of a fragment series.
    # include_length = yes
    # Check the Certificate Revocation List
    # 1) Copy CA certificates and CRLs to the same directory.
    # 2) Execute 'c_rehash <CA certs & CRLs directory>'.
    #    'c_rehash' is OpenSSL's command.
    # 3) Uncomment the line below.
    # 4) Restart radiusd
    # check_crl = yes
    # CA_path = /path/to/directory/with/ca_certs/and/crls/
    # If check_cert_issuer is set, the value will
    # be checked against the DN of the issuer in
    # the client certificate. If the values do not
    # match, the certificate verification will fail,
    # rejecting the user.
    # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
    # If check_cert_cn is set, the value will
    # be xlat'ed and checked against the CN
    # in the client certificate. If the values
    # do not match, the certificate verification
    # will fail, rejecting the user.
    # This check is done only if the previous
    # "check_cert_issuer" is not set, or if
    # the check succeeds.
    # check_cert_cn = %{User-Name}
    # Set this option to specify the allowed
    # TLS cipher suites. The format is listed
    # in "man 1 ciphers".
    cipher_list = "DEFAULT"
    # This configuration entry should be deleted
    # once the server is running in a normal
    # configuration. It is here ONLY to make
    # initial deployments easier.
    make_cert_command = "${certdir}/bootstrap"
}
ttls {
    default_eap_type = md5
    copy_request_to_tunnel = no
    # allowed values: {no, yes}
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
}
##################################################
peap {
    # The tunneled EAP session needs a default
    # EAP type which is separate from the one for
    # the non-tunneled EAP module. Inside of the
    # PEAP tunnel, we recommend using MS-CHAPv2,
    # as that is the default type supported by
    # Windows clients.
    default_eap_type = mschapv2
    # The PEAP module also has these configuration
    # items, which are the same as for TTLS.
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    # When the tunneled session is proxied, the
    # home server may not understand EAP-MSCHAP-V2.
    # Set this entry to "no" to proxy the tunneled
    # EAP-MSCHAP-V2 as normal MSCHAPv2.
    # proxy_tunneled_request_as_eap = yes
    # The inner tunneled request can be sent
    # through a virtual server constructed
    # specifically for this purpose.
    # If this entry is commented out, the inner
    # tunneled request will be sent through
    # the virtual server that processed the
    # outer requests.
    virtual_server = "inner-tunnel"
}
mschapv2 {
}
Here I only describe the ldap module configuration:
ldap {
    # Note that this needs to match the name in the
    # server certificate, if you're using ldaps.
    # Address of the LDAP server
    server = "127.0.0.1"
    # Account used to bind to LDAP
    identity = "cn=master,dc=teddy,dc=net"
    password = "secret"
    basedn = "dc=teddy,dc=net"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    access_attr = "uid"
    password_attribute = userPassword
    # How many connections to keep open to the LDAP server.
    # This saves time over opening a new LDAP socket for
    # every authentication request.
    ldap_connections_number = 5
    # seconds to wait for LDAP query to finish. default: 20
    timeout = 4
    # seconds LDAP server has to process the query (server-side
    # time limit). default: 20
    # LDAP_OPT_TIMELIMIT is set to this value.
    timelimit = 3
    # seconds to wait for response of the server. (network
    # failures) default: 10
    # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
    net_timeout = 1
    # This subsection configures the tls related items
    # that control how FreeRADIUS connects to an LDAP
    # server. It contains all of the "tls_*" configuration
    # entries used in older versions of FreeRADIUS. Those
    # configuration entries can still be used, but we recommend
    # using these.
    tls {
        # Set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS
        # extended operation.
        # The StartTLS operation is supposed to be
        # used with normal ldap connections instead of
        # using ldaps (port 636) connections
        start_tls = no
        # cacertfile = /path/to/cacert.pem
        # cacertdir = /path/to/ca/dir/
        # certfile = /path/to/radius.crt
        # keyfile = /path/to/radius.key
        # randfile = /path/to/rnd
        # Certificate Verification requirements. Can be:
        # "never" (don't even bother trying)
        # "allow" (try, but don't fail if the certificate
        # can't be verified)
        # "demand" (fail if the certificate doesn't verify)
        # The default is "allow"
        # require_cert = "demand"
    }
    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    # access_attr = "dialupAccess"
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${confdir}/ldap.attrmap
    # Set password_attribute = nspmPassword to get the
    # user's password from a Novell eDirectory
    # backend. This will work ONLY IF FreeRADIUS has been
    # built with the --with-edir configure option.
    # See also the following links (as given, incomplete, on the page):
    # /coolsolutions/appnote/16745.html
    # https://secure-/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
    # Novell may require TLS encrypted sessions before returning
    # the user's password.
    # password_attribute = userPassword
    # Un-comment the following to disable Novell
    # eDirectory account policy check and intruder
    # detection. This will work *only if* FreeRADIUS is
    # configured to build with --with-edir option.
    edir_account_policy_check = no
    # Group membership checking. Disabled by default.
    # groupname_attribute = cn
    # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    # groupmembership_attribute = radiusGroupName
    # compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes
    # By default, if the packet contains a User-Password,
    # and no other module is configured to handle the
    # authentication, the LDAP module sets itself to do
    # LDAP bind for authentication.
    # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
    # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
    # You can disable this behavior by setting the following
    # configuration entry to "no".
    # allowed values: {no, yes}
    # set_auth_type = yes
    # ldap_debug: debug flag for LDAP SDK
    # (see OpenLDAP documentation). Set this to enable
    # huge amounts of LDAP debugging on the screen.
    # You should only use this if you are an LDAP expert.
    # default: 0x0000 (no debugging messages)
    # Example: (LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
    ldap_debug = 0x0028
}
Then define the NAS in clients.conf (replace the placeholder with the NAS's IP address):
client <IP address> {
    secret = test
    shortname = test802.1
}
OK, restart radius in debugging mode:
# radiusd -X -f
Then test with radtest. The syntax is radtest <user> <password> <radius-server> <nas-port> <secret>, so the first "test" is the LDAP user's password and the last "test" is the RADIUS shared secret:
[root@ubuntu:~]# radtest radiususer test 10.190.41.78 0 test
User-Name = "radiususer"
User-Password = "test"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
If it succeeds you will see the server's reply (an Access-Accept).
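What radtest sends on the wire, together with the MD5 password hiding and shared-secret check described in the RADIUS overview above, as an added example that is not part of the original post: it builds the same Access-Request (User-Name, hidden User-Password, NAS-IP-Address, NAS-Port) per RFC 2865 and verifies the Response Authenticator of the server's reply, which is how a NAS distinguishes a genuine Access-Accept from a forged one or from a server configured with a different secret. The user, password, secret and NAS values are the ones used on this page; the fixed Request Authenticator in the test is a constructed value (a real NAS must use a fresh random one).

```python
import hashlib, hmac, os, socket, struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # RFC 2865 attribute types

def _xor_chain(data, secret, authenticator, encrypt):
    # RFC 2865 5.2: each 16-octet block is XORed with MD5(secret + previous block);
    # the first block uses MD5(secret + Request Authenticator).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if encrypt else block  # the chain always runs over ciphertext
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-octet multiple
    return _xor_chain(padded, secret, authenticator, True)

def reveal_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, secret, user, password, nas_ip, nas_port, authenticator=None):
    # Access-Request (Code 1) with the four attributes radtest prints above.
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet, request_auth, secret):
    # A NAS checks this before trusting an Access-Accept; a spoofed reply or a
    # reply from a server with a different shared secret fails here.
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```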