Configuring Guacamole to enable RADIUS authentication

Background

The system will soon integrate RADIUS authentication and support the RADIUS identity authentication method.
I found that Apache Guacamole supports RADIUS authentication, so I built a Guacamole environment and learned how Guacamole implements it.

Guacamole environment setup

This setup uses Guacamole 1.4.0, deployed with Docker.
To build it, refer to the article Deploying Guacamole with Docker.

Notes:

docker pull guacamole/guacamole
docker pull guacamole/guacd

guacamole/guacamole is Guacamole's front-end project; it is generally the only one we need to pay attention to.
guacamole/guacd is Guacamole's back-end project, written mostly in C, so we do not need to pay attention to it here.

Enabling RADIUS authentication in Guacamole

See Guacamole's official documentation on the RADIUS identity authentication method.
From the official documentation:
The RADIUS support is under the LGPL, which is incompatible with the Apache 2.0 license, so Guacamole cannot release a binary version of the RADIUS extension and we need to build it manually.

Steps to build the Guacamole RADIUS jar package:

  1. Run wget -O guacamole-client-1.4.0.tar.gz "https://apache.org/dyn/closer.lua/guacamole/1.4.0/source/guacamole-client-1.4.0.tar.gz?action=download" to download the 1.4.0 Guacamole source package;
  2. Run tar -zxvf guacamole-client-1.4.0.tar.gz to decompress it;
  3. Enter the decompressed directory and run mvn clean package -Plgpl-extensions to build (if it fails, first run mvn clean, then mvn install, and finally run the build command again);
  4. After the build succeeds, guacamole-auth-radius-1.4.0.jar is under extensions/guacamole-auth-radius/target/;
  5. Run docker cp data/guacamole/extensions/guacamole-auth-radius-1.4.0.jar guacamole:/home/guacamole/.guacamole/extensions/guacamole-auth-radius-1.4.0.jar to copy the RADIUS jar package into Guacamole's extensions directory;
  6. Add the RADIUS authentication settings to the guacamole.properties configuration file;
  7. Run docker cp data/guacamole/guacamole.properties guacamole:/home/guacamole/.guacamole/guacamole.properties to overwrite Guacamole's guacamole.properties configuration file (note: the original file content must be retained).

The guacamole.properties configuration file is as follows:

# The upper part is guacamole's original configuration and must be retained
# guacamole.properties - generated Thu Nov 17 03:25:00 AM UTC 2022
guacd-hostname: 172.17.0.3
guacd-port: 4822
mysql-username: root
mysql-password: sim
mysql-database: guac
mysql-hostname: 172.17.0.2
mysql-port: 3306

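# Below is the configuration that enables RADIUS in guacamole
# RADIUS server host address
radius-hostname: 192.168.0.143
# RADIUS server authentication port
radius-auth-port: 1812
# Shared secret
radius-shared-secret: testing123
# Protocol; PAP is password authentication
radius-auth-protocol: pap
# Number of retries on failure
radius-retries: 3
# Timeout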
radius-timeout: 10

useSSL: false

I wrote a script to do the above series of steps:


#!/bin/bash

# docker stop $1 && docker rm $1
# Print the ID of the running guacamole/guacamole container, if any.
docker ps | grep "guacamole/guacamole" | awk '{print $1}'

# Start the web application, linked to the guacd and mysql containers.
docker run --name guacamole --link guacd:guacd --link mysql:mysql \
    -e MYSQL_DATABASE=guac -e MYSQL_USER=root -e MYSQL_PASSWORD=sim \
    -v /root/liuwx/guacamole/data/guacamole:/etc/guacamole/ \
    -d -p 9090:8080 guacamole/guacamole

# Copy the RADIUS extension and the configuration file into the container.
docker cp guacamole-auth-radius-1.4.0.jar guacamole:/home/guacamole/.guacamole/extensions/guacamole-auth-radius-1.4.0.jar
docker cp guacamole.properties guacamole:/home/guacamole/.guacamole/guacamole.properties
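
The requirement in step 7 (the original file content must be retained) and the RADIUS settings can be checked before the docker cp. The script below is an added example, not part of the original post; the function names and the list of RADIUS keys it requires are assumptions of this example, and the sample files it builds are constructed.

```sh
#!/bin/sh
# Added example: pre-flight check for a merged guacamole.properties.

# Print the property keys in a file (comments and blank lines are skipped).
prop_keys() {
    sed -n -E 's/^[[:space:]]*([A-Za-z0-9_.-]+)[[:space:]]*[:=].*$/\1/p' "$1" | sort -u
}

# Print the value of key $2 in file $1 (the last definition wins).
prop_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*(.*)$/\1/p" "$1" | tail -n 1
}

# check_props ORIGINAL MERGED: print findings, return 1 if any is an ERROR.
check_props() {
    rc=0
    # Step 7: every key from the container's original file must be retained.
    for key in $(prop_keys "$1"); do
        prop_keys "$2" | grep -qxF -- "$key" ||
            { echo "ERROR: original key dropped: $key"; rc=1; }
    done
    # RADIUS keys this post's configuration sets (the list is this example's choice).
    for key in radius-hostname radius-shared-secret radius-auth-protocol; do
        [ -n "$(prop_value "$2" "$key")" ] || { echo "ERROR: missing $key"; rc=1; }
    done
    # testing123 is the sample client secret that FreeRADIUS ships with.
    [ "$(prop_value "$2" radius-shared-secret)" = "testing123" ] &&
        echo "WARN: radius-shared-secret is the FreeRADIUS sample value"
    # With PAP, the password's protection in transit rests on the shared secret.
    [ "$(prop_value "$2" radius-auth-protocol)" = "pap" ] &&
        echo "WARN: pap in use; the shared secret must be long and random"
    return "$rc"
}

# Constructed sample input: a two-key original and a merged file.
demo() {
    dir=$(mktemp -d)
    printf 'guacd-hostname: 172.17.0.3\nguacd-port: 4822\n' > "$dir/orig"
    { cat "$dir/orig"
      printf '# RADIUS\nradius-hostname: 192.168.0.143\n'
      printf 'radius-shared-secret: testing123\nradius-auth-protocol: pap\n'
    } > "$dir/merged"
    check_props "$dir/orig" "$dir/merged"
    rm -rf "$dir"
}

if [ "$#" -eq 2 ]; then check_props "$1" "$2"; else demo; fi
```

Run it with two arguments, the properties file copied out of the container and the merged file you are about to copy in; with no arguments it runs on the constructed sample.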

Test

Log in with a username and password that exist on the RADIUS server.


For setting up and configuring the RADIUS server, please see the article: FreeRadius server environment construction (PAP version)

Origin blog.csdn.net/weixin_39651041/article/details/127926803