Setting up an authentication server with FreeRADIUS 2.
CentOS 6.3 is used as the OS. The FreeRADIUS version at the time of writing is 2.1.12.
[root@radius]# radiusd -v
radiusd: FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
[root@radius]#
RADIUS stands for Remote Authentication Dial In User Service: a mechanism for authentication and accounting.
Both the Japanese and English Wikipedia articles call it a "protocol", whereas sources on the web describe it
sometimes as a server and sometimes as a mechanism, so the usage is rather fuzzy.
# Installation is just this one command!
[root@radius]# yum install freeradius
The configuration files are installed under /etc/raddb/.
[root@radius]# vi /etc/raddb/radiusd.conf
----------8<------------
#user = radiusd
#group = radiusd
user = root
group = root

#auth = no
auth = yes

#stripped_names = no
stripped_names = yes

#auth_badpass = no
auth_badpass = yes

#auth_goodpass = no
auth_goodpass = yes
----------8<------------
With auth_badpass and auth_goodpass set to yes, the password submitted in each attempt is written to the log as well (see the Login OK: [hoge/huga] lines in the debug output below).
[root@radius]# vi /etc/raddb/clients.conf
client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
        nastype = other
}
client ClientNetwork {
        ipaddr = 192.168.100.0
        netmask = 24
        secret = clientdevice
        shortname = clientdevice
}
[root@radius]# vi /etc/raddb/sites-available/default
authorize {
        unix
        files
        pap
}
authenticate {
        pap
        files
        unix
}
post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
[root@radius]# vi /etc/raddb/users
hoge    Auth-Type := Local, Cleartext-Password := "huga"
foo     Auth-Type := PAP, Cleartext-Password := "bar"
ore     Auth-Type := System
[root@radius]# vi /etc/raddb/users
DEFAULT Auth-Type := System
        Fall-Through = Yes

hoge    Auth-Type := Local, Cleartext-Password := "huga"
foo     Auth-Type := PAP, Cleartext-Password := "bar"
A DEFAULT entry can carry other items besides Auth-Type.
FreeRADIUS can run as a daemon, but first start it in debug mode to check that it works.
In the test environment, FreeRADIUS is running at the IP address 192.168.10.193.
[root@radius]# radiusd -X
~ omitted ~
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
Open a second terminal, or use one of the hosts listed in clients.conf above, and test against the server.
[root@radius]# radtest hoge huga localhost 1 testing123
Sending Access-Request of id 231 to 127.0.0.1 port 1812
        User-Name = "hoge"
        User-Password = "huga"
        NAS-IP-Address = 192.168.10.193
        NAS-Port = 1
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=231, length=20

Debug log:
rad_recv: Access-Request packet from host 127.0.0.1 port 44523, id=231, length=74
        User-Name = "hoge"
        User-Password = "huga"
        NAS-IP-Address = 192.168.10.193
        NAS-Port = 1
        Message-Authenticator = 0x16e583b0735358605d58b12417ac3bfa
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[files] users: Matched entry DEFAULT at line 4
[files] users: Matched entry hoge at line 9
++[files] returns ok
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
++[unix] returns notfound
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
Login OK: [hoge/huga] (from client localhost port 1)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 231 to 127.0.0.1 port 44523
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
So does this mean that PAP is what ends up being used after all?
[root@radius]# radtest foo bar localhost 1 testing123
Sending Access-Request of id 61 to 127.0.0.1 port 1812
        User-Name = "foo"
        User-Password = "bar"
        NAS-IP-Address = 192.168.10.193
        NAS-Port = 1
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=61, length=20

Debug log:
rad_recv: Access-Request packet from host 127.0.0.1 port 42481, id=61, length=73
        User-Name = "foo"
        User-Password = "bar"
        NAS-IP-Address = 192.168.10.193
        NAS-Port = 1
        Message-Authenticator = 0x02159747cd5bb04ec27df177737177c8
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[files] users: Matched entry DEFAULT at line 4
[files] users: Matched entry foo at line 10
++[files] returns ok
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
++[unix] returns notfound
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[pap] login attempt with password "bar"
[pap] Using clear text password "bar"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [foo/bar] (from client localhost port 1)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 61 to 127.0.0.1 port 42481
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
[root@radius]# radtest ore dayo localhost 1 testing123
Sending Access-Request of id 153 to 127.0.0.1 port 1812
        User-Name = "ore"
        User-Password = "dayo"
        NAS-IP-Address = 192.168.10.193
        NAS-Port = 1
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=153, length=20

Debug log:
rad_recv: Access-Request packet from host 127.0.0.1 port 54151, id=153, length=77
        User-Name = "ore"
        User-Password = "dayo"
        NAS-IP-Address = 192.168.10.193
        NAS-Port = 1
        Message-Authenticator = 0xc459bbaaa0a043ffa4f0901b24760107
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[files] users: Matched entry DEFAULT at line 4
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++[unix] returns updated
Found Auth-Type = System
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
++[unix] returns ok
Login OK: [ore/dayo] (from client localhost port 1)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 153 to 127.0.0.1 port 54151
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
The pap module warns that it found no "known good" password for this user and that PAP authentication may therefore fail, but since PAP is not what is used for this user in the first place, the warning can safely be ignored.
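As an added example (not code from the original post or from the FreeRADIUS project), the following Python reproduces with the standard library alone what radtest sends above and what the server answers: the RFC 2865 User-Password hiding, the RFC 2869 Message-Authenticator, and the Response Authenticator that a client must check on the Access-Accept. It assumes the shared secret testing123 and the NAS address 192.168.10.193 from the page; the request authenticator used in the checks is a constructed value.

```python
import hashlib, hmac, ipaddress, os, struct

# RADIUS packet codes and attribute types (RFC 2865, RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to a multiple of 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(ciphertext, secret, authenticator):
    """Server side of the same scheme: chain on the ciphertext blocks, then strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def avp(attr_type, value):  # Type-Length-Value; the length counts the two header bytes
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, nas_ip, nas_port, pkt_id, authenticator=None):
    """The packet radtest sends: User-Name, User-Password, NAS-IP-Address, NAS-Port, Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes; also keys the password hiding
    attrs = (avp(USER_NAME, user.encode())
             + avp(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + avp(NAS_PORT, struct.pack("!I", nas_port))
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while the HMAC-MD5 is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, authenticator

def build_access_accept(pkt_id, request_authenticator, secret):
    """The 20-byte Access-Accept with no attributes seen in the radtest output; needs the shared secret to produce."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, pkt_id, 20)
    return head + hashlib.md5(head + request_authenticator + secret).digest()

def verify_response(reply, request_authenticator, secret):
    """RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

The request lengths it produces for hoge and foo (74 and 73 bytes) match the debug log above, and verify_response shows why a NAS must check the Access-Accept against the shared secret rather than accept any 20-byte reply arriving from port 1812.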
The authentication method can be changed per authenticating device (authenticator).
In the example below, the authenticator at 192.168.1.1 is assigned a virtual server named TARGET_DEVICE with its own dedicated configuration.
Client configuration
[root@radius]# vi /etc/raddb/clients.conf
client DEVICE {
        ipaddr = 192.168.1.1
        netmask = 32
        secret = RADIUS_SECRET
        virtual_server = TARGET_DEVICE
}
Virtual server configuration
[root@radius]# vi /etc/raddb/sites-available/TARGET_DEVICE
server TARGET_DEVICE {
        authorize {
                unix
        }
        authenticate {
                unix
        }
        post-auth {
                exec
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
}
Enabling the virtual server
[root@radius]# ln -s /etc/raddb/sites-available/TARGET_DEVICE /etc/raddb/sites-enabled/