FreeRADIUS 是一个高性能和高可配置的多协议策略服务器,支持RADIUS,DHCPv4 DHCPv6、TACACS+ 和 VMPS。它是根据 GNU GPLv2 的条款提供的。 使用 RADIUS 允许对网络进行身份验证和授权 集中化,并最大限度地减少必须 在向网络添加或删除新用户时完成。
CHAP:Challenge Handshake Authentication Protocol,挑战握手认证协议。
搭建步骤
一、环境要求
OS:CentOS7 机器
FreeRadius:FreeRADIUS Version 3.0.13
二、安装配置及其环境搭建
1.参考FreeRadius 服务器环境搭建(PAP 版) 进行简单环境搭建
2.修改 /etc/raddb/sites-enabled/default 开启 challenge 。freeradius 源码中有关于 challenge 配置的 example,路径为: /etc/raddb/sites-available/challenge
server default {
listen {
type = auth
ipaddr = *
port = 0
virtual_server = challenge
}
#server challenge {
authorize {
#
# If ther's no State attribute, then this is the request from
# the user.
#
if (!State) {
update control {
Auth-Type := Step1
Cleartext-Password := "password"
}
}
else {
#
# Do authentication for step 2.
# Set the "known good" password to the number
# saved in the session-state list.
#
update control {
Auth-Type := Step2
Cleartext-Password := &session-state:Tmp-Integer-0
}
}
}
authenticate {
Auth-Type Step1 {
# If the password doesn't match, the user is rejected
# immediately.
pap
#
# Set the random number to save.
#
update session-state {
Tmp-Integer-0 := "%{randstr:n}"
}
update reply {
Reply-Message := &session-state:Tmp-Integer-0
}
#
# Send an Access-Challenge.
# See raddb/policy.d/control for the definition
# of "challenge"
#
challenge
}
Auth-Type Step2 {
#
# Do PAP authentication with the password.
#
pap
}
}
post-auth {
-sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
remove_reply_message_if_eap
attr_filter.access_challenge.post-auth
}
}
}
三、测试
使用 guacamole 来做 challenge 测试。
具体参考:Guacamole 配置开启 Radius 身份认证方式 配置来开启 guacamole 的 Radius 身份认证方式。