freeradius docker 安装记录
docker安装freeradius
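# Pull the image. "latest" is a moving tag; pin a version tag (or digest)
# for a reproducible deployment.
docker pull freeradius/freeradius-server:latest

# Start a throwaway container whose only job is to hand us the default
# configuration. Bind the published ports to loopback: nothing outside this
# host needs to reach a container that still carries the stock secrets
# (e.g. "testing123").
docker run -d --name freeradius-server -p 127.0.0.1:1812-1813:1812-1813/udp freeradius/freeradius-server

# Check the container came up
docker ps -f name=freeradius-server

# (optional) shell into the container -- the name must match --name above
#docker exec -it freeradius-server sh

# Copy the complete default configuration out of the container.
# docker cp requires the parent directory to exist.
mkdir -p ~/freeradius
docker cp freeradius-server:/etc/freeradius ~/freeradius/config-bak

# Stop the temporary container. It can be removed once the config is saved;
# the compose service below uses a different container name, so leaving it
# around only wastes space.
docker stop freeradius-server
#docker rm freeradius-server

# Keep only the files we will edit; everything else stays in config-bak
# for reference.
cd ~/freeradius/
mkdir -p config
cp ~/freeradius/config-bak/clients.conf config/clients.conf
cp ~/freeradius/config-bak/radiusd.conf config/radiusd.conf
cp ~/freeradius/config-bak/mods-available/eap config/eap
cp ~/freeradius/config-bak/mods-config/files/authorize config/authorize

# Certificates: put your own CA / server cert / key / DH file in config/certs
# (the compose file mounts this directory at /etc/freeradius/certs).
# Keep private keys mode 0600 and out of version control.
mkdir -p config/certs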
进行配置修改
对config中的authorize、clients.conf、radiusd.conf、eap进行修改。注意：这几个文件包含用户口令、RADIUS共享密钥以及证书/私钥路径，修改后请限制文件权限（如 0600），不要提交到代码仓库。
-
authorize 对应 /etc/freeradius/mods-config/files/authorize
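# mods-config/files/authorize (the "users" file).
# Add one line per account: the first string is the identity the supplicant
# sends, the second is its password.
#
# SECURITY: Cleartext-Password stores the password in plaintext. EAP-MD5 and
# MSCHAPv2 (the PEAP/TTLS inner methods configured in "eap") need either the
# cleartext password or an NT hash, so this cannot simply be swapped for a
# salted hash. Keep this file 0600, owned by the user FreeRADIUS runs as,
# never commit real credentials, and replace this demo account before the
# server is reachable from a real network.
"hzlarm" Cleartext-Password := "hzlarm123"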
-
clients.conf 对应 /etc/freeradius/clients.conf
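# clients.conf: every NAS (router / AP / switch) allowed to talk to this
# server, keyed by source IP, together with the shared secret it must present.

# Default loopback client; the eapol_test commands below use it
# (-s testing123). "testing123" is the well-known FreeRADIUS default:
# acceptable for loopback-only testing, never for a client reachable from
# the network.
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}

# Entry for the router. When adding this RADIUS server on the router you need
# the server IP, the port (1812) and this secret.
#
# SECURITY: the original used ipaddr = 0.0.0.0/0 ("any IP"). Combined with a
# static secret that lets any host able to reach UDP/1812 act as a NAS and
# brute-force the accounts in "authorize". Restrict ipaddr to the router's
# address or subnet, and use a long random secret -- the secret also keys the
# RADIUS packet authenticator, so a weak one weakens every exchange.
client private-network-1 {
    ipaddr = 0.0.0.0/0      # TODO: replace with the router's IP or subnet (e.g. a /32)
    secret = hzlarm123      # TODO: replace with a long random secret
    # NOTE(review): on FreeRADIUS 3.2.5 and later consider adding
    #   require_message_authenticator = yes
    # to mitigate RADIUS/UDP response forgery (CVE-2024-3596); confirm the
    # image version you run supports the option.
}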
-
radiusd.conf 对应 /etc/freeradius/radiusd.conf
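# radiusd.conf, log { } section: record every authentication result
# (Access-Accept and Access-Reject) in the log file. Useful both for
# debugging the eapol_test runs below and for spotting brute-force attempts.
log {
    # ...
    auth = yes
    # Leave these at their default "no": with "yes" FreeRADIUS writes the
    # submitted passwords into the log file.
    auth_badpass = no
    auth_goodpass = no
}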
-
eap 对应 /etc/freeradius/mods-available/eap
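# mods-available/eap (active through the mods-enabled/eap symlink).
# TLS, TTLS and PEAP are all enabled by default; comment out the sections you
# do not need -- every enabled method is attack surface.
eap {
    # Type offered when the supplicant does not request one.
    default_eap_type = tls
    #default_eap_type = ttls
    #default_eap_type = peap

    # Seconds an in-progress EAP conversation is tracked before it is dropped.
    timer_expire = 60

    # Reject (rather than silently ignore) EAP types this server does not implement.
    ignore_unknown_eap_types = no

    # Work-around for a Cisco accounting User-Name bug; leave off unless needed.
    cisco_accounting_username_bug = no

    # Cap on tracked EAP sessions (DoS protection); follows the
    # "max_requests" directive in radiusd.conf.
    max_sessions = ${max_requests}

    tls-config tls-common {
        # Only needed if the server key is encrypted. The commented value
        # "whatever" is the passphrase of FreeRADIUS's bootstrap *test*
        # certificates -- do not reuse it for a real key.
        #private_key_password = whatever
        private_key_file = ${certdir}/srv.key
        certificate_file = ${certdir}/srv.crt
        ca_file = ${cadir}/ca.crt
        ca_path = ${cadir}

        # SECURITY: TLS 1.0 plus "DEFAULT@SECLEVEL=0" is a deliberate downgrade,
        # kept only because the gateway used here fails unless TLS 1.0 is
        # offered. It re-enables legacy protocol versions and weak ciphers /
        # key sizes for every client, not just that gateway. On a server that
        # only serves modern supplicants use
        #   tls_min_version = "1.2"
        #   cipher_list = "DEFAULT"
        # (i.e. drop the SECLEVEL override).
        tls_min_version = "1.0"
        tls_max_version = "1.2"
        cipher_list = "DEFAULT@SECLEVEL=0"

        verify {
            # Skip the extra client-certificate check when OCSP already passed.
            # OCSP is disabled below, so this setting is currently inert.
            skip_if_ocsp_ok = yes
            #client = "/path/to/openssl verify -capath ${..ca_path} %{TLS-Client-Cert-Filename}"
        }
    }

    # Supported EAP-types

    ## EAP-TLS (client certificates)
    tls {
        tls = tls-common
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        #fragment_size = 1024
        #include_length = yes

        # SECURITY: with check_crl / check_all_crl commented out and ocsp
        # disabled below, a revoked client certificate is still accepted as
        # long as it chains to ca.crt. Enable one of them (and publish a CRL
        # or run an OCSP responder) before relying on EAP-TLS for access
        # control.
        #check_crl = yes
        #check_all_crl = yes
        #check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
        #check_cert_cn = %{User-Name}
        #virtual_server = check-eap-tls

        # Runs when the server is started with `freeradius -X` and generates
        # *test* certificates with well-known passphrases. Fine for a lab;
        # production certificates must not come from here.
        make_cert_command = "${certdir}/bootstrap"
        ecdh_curve = "prime256v1"

        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }

        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }

    ## PEAP (TLS tunnel, MSCHAPv2 inside)
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        #proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        #soh = yes
        #soh_virtual_server = "soh-server"
        #require_client_cert = yes
    }

    ## EAP-TTLS (TLS tunnel; inner method defaults to EAP-MD5)
    ttls {
        tls = tls-common
        # EAP-MD5 is a bare challenge/response. It is tolerable here only
        # because it runs inside the TTLS tunnel, which means the supplicant's
        # server-certificate validation (ca_cert in the eapol_test configs
        # below) is the only thing protecting the password.
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        #include_length = yes
        #require_client_cert = yes
    }

    mschapv2 {
        # send_error = no
    }

    md5 {
    }

    gtc {
    }
}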
编辑 docker-compose 文件
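# vi ~/freeradius/docker-compose.yml
version: '3'
services:
  freeradius:
    image: freeradius/freeradius-server   # consider pinning a version tag
    container_name: freeradius
    ports:
      # Published on every host interface. RADIUS has no transport
      # encryption beyond the shared secret, so either bind to the interface
      # the router reaches (HOST_IP:1812-1813:1812-1813/udp) or firewall
      # UDP/1812-1813 to the NAS addresses listed in clients.conf.
      - 1812-1813:1812-1813/udp
    volumes:
      # Only the log directory needs to be writable.
      - ./logs:/var/log/freeradius
      # Config and certificates are mounted read-only so a compromised
      # container cannot alter them. Drop ":ro" on the certs mount only if
      # you rely on the bootstrap script (freeradius -X) writing test certs.
      - ./config/certs:/etc/freeradius/certs:ro
      - ./config/clients.conf:/etc/freeradius/clients.conf:ro
      - ./config/radiusd.conf:/etc/freeradius/radiusd.conf:ro
      # mods-enabled/eap in the image is a symlink into mods-available,
      # so mounting the file here is enough to enable it.
      - ./config/eap:/etc/freeradius/mods-available/eap:ro
      - ./config/authorize:/etc/freeradius/mods-config/files/authorize:ro
    restart: always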
启动
# Start the service in the background. Run this from ~/freeradius so
# compose picks up the docker-compose.yml written above.
docker-compose up -d
docker-compose 命令
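# Common docker-compose operations. Each command is on its own line: in the
# original the comments were glued onto the commands ("up -d# 停止"), which
# the shell passes to docker-compose as a bogus argument instead of a comment.

# start
docker-compose up -d

# stop
docker-compose stop

# restart -- needed after editing any of the mounted config files, since
# FreeRADIUS reads its configuration at startup
docker-compose restart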
测试方法
安装测试工具eapol_test
Command line testing for EAP with FreeRADIUS
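# Download wpa_supplicant (eapol_test is part of that source tree).
# 2.9 is the version the original used and dates from 2019; prefer the
# current release from w1.fi, and verify the tarball against the
# signature/checksum published there before building and running it.
wget https://w1.fi/releases/wpa_supplicant-2.9.tar.gz
tar -xzvf wpa_supplicant-2.9.tar.gz

# Build eapol_test
cd wpa_supplicant-2.9/wpa_supplicant/
cp defconfig .config

# Enable CONFIG_EAPOL_TEST -- the same edit as opening .config in vi and
# uncommenting the "#CONFIG_EAPOL_TEST=y" line, done non-interactively.
sed -i 's/^#CONFIG_EAPOL_TEST=y/CONFIG_EAPOL_TEST=y/' .config
make eapol_test

# If the build fails on missing headers, install the dependencies and retry:
#sudo apt-get install libdbus-1-dev libnl-3-dev libnl-genl-3-200 libnl-genl-3-dev libnl-idiag-3-dev

# Install system-wide. /usr/local/bin is root-owned, so this needs sudo;
# install(1) also sets sane permissions in one step.
sudo install -m 0755 eapol_test /usr/local/bin/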
eap-tls:
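# sudo eapol_test -c eap-tls.conf -a 127.0.0.1 -p 1812 -s testing123 -r 1
#
# eap-tls.conf -- eapol_test / wpa_supplicant network block for EAP-TLS.
# "-s testing123" is the shared secret of "client localhost" in clients.conf.
network={
    eap=TLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="hzlarm"
    password="hzlarm123"
    # Client certificate, its key, and the CA that signed the server cert.
    # wpa_supplicant does not expand "~" (and under sudo "~" would be root's
    # home anyway), so the original "~/freeradius/..." paths cannot be
    # opened: use absolute paths.
    ca_cert="/home/<user>/freeradius/config/certs/ca.crt"
    client_cert="/home/<user>/freeradius/config/certs/client.crt"
    private_key="/home/<user>/freeradius/config/certs/client.key"
    # "whatever" is the passphrase used by FreeRADIUS's bootstrap test
    # certificates. Test material only -- never deploy those certs or reuse
    # this passphrase for a real key.
    private_key_passwd="whatever"
    anonymous_identity="anonymous"
}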
ttls-chap:
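# sudo eapol_test -c ttls-chap.conf -a 127.0.0.1 -p 1812 -s testing123 -r 1
#
# ttls-chap.conf -- EAP-TTLS with CHAP as the inner (phase 2) method.
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="hzlarm"
    anonymous_identity="anonymous"
    password="hzlarm123"
    phase2="auth=CHAP"
    # Server certificate validation. The original left ca_cert commented out,
    # which makes the supplicant accept any server certificate: a rogue RADIUS
    # server or evil-twin AP then terminates the TLS tunnel itself and
    # receives the inner CHAP exchange, which can be cracked offline. Keep
    # ca_cert set for anything beyond loopback testing (absolute path -- "~"
    # is not expanded by wpa_supplicant), and consider pinning the server
    # name with domain_suffix_match / subject_match as well.
    ca_cert="/home/<user>/freeradius/config/certs/ca.crt"
}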
ttls-eapmd5:
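# sudo eapol_test -c ttls-eapmd5.conf -a 127.0.0.1 -p 1812 -s testing123 -r 1
#
# ttls-eapmd5.conf -- EAP-TTLS with EAP-MD5 as the inner (phase 2) method.
# This matches "default_eap_type = md5" in the server's ttls { } section.
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="hzlarm"
    anonymous_identity="anonymous"
    password="hzlarm123"
    phase2="autheap=MD5"
    # Server certificate validation. The original left ca_cert commented out,
    # so the supplicant would accept any server certificate. EAP-MD5 is a bare
    # challenge/response with no key derivation: a rogue server that
    # terminates the tunnel gets a challenge/response pair it can crack
    # offline. Keep ca_cert set for anything beyond loopback testing
    # (absolute path -- "~" is not expanded by wpa_supplicant).
    ca_cert="/home/<user>/freeradius/config/certs/ca.crt"
}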
ttls-mschapv2:
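# sudo eapol_test -c ttls-mschapv2.conf -a 127.0.0.1 -p 1812 -s testing123 -r 1
#
# ttls-mschapv2.conf -- EAP-TTLS with EAP-MSCHAPv2 as the inner (phase 2) method.
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="hzlarm"
    anonymous_identity="anonymous"
    password="hzlarm123"
    phase2="autheap=MSCHAPV2"
    # Server certificate validation. The original left ca_cert commented out,
    # so the supplicant would accept any server certificate. MS-CHAPv2's
    # security rests on the tunnel: a rogue server that terminates the TLS
    # tunnel captures a challenge/response that is known to be crackable
    # offline. Keep ca_cert set for anything beyond loopback testing
    # (absolute path -- "~" is not expanded by wpa_supplicant), and consider
    # domain_suffix_match / subject_match to pin the server identity.
    ca_cert="/home/<user>/freeradius/config/certs/ca.crt"
}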
ttls-pap:
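# sudo eapol_test -c ttls-pap.conf -a 127.0.0.1 -p 1812 -s testing123 -r 1
#
# ttls-pap.conf -- EAP-TTLS with PAP as the inner (phase 2) method.
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="hzlarm"
    anonymous_identity="anonymous"
    password="hzlarm123"
    phase2="auth=PAP"
    # Server certificate validation. PAP sends the password in cleartext
    # inside the TLS tunnel, so the tunnel endpoint sees it directly. With
    # ca_cert commented out (as in the original) the supplicant accepts any
    # server certificate, and a rogue RADIUS server or evil-twin AP receives
    # the cleartext password -- no cracking needed. Keep ca_cert set for
    # anything beyond loopback testing (absolute path -- "~" is not expanded
    # by wpa_supplicant), and consider domain_suffix_match / subject_match.
    ca_cert="/home/<user>/freeradius/config/certs/ca.crt"
}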