



FreeRADIUS

Alterar o hash padrão do FreeIPA

Observação: trocar PBKDF2_SHA256 por SSHA512 enfraquece o armazenamento das senhas (SSHA512 é um único SHA-512 com salt, sem iterações), presumivelmente para que o rlm_pap do FreeRADIUS consiga comparar o hash (ver o teste mais abaixo). A mudança só vale para senhas definidas a partir daqui; as já existentes permanecem no esquema antigo até serem redefinidas.

# echo "dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SSHA512" > passwordHashAlgorithm.ldif
# ldapsearch -h sp-spo-ipa.juntotelecom.com.br -p 389 -x -D "cn=Directory Manager" -W -b "cn=config" | grep passwordStorageScheme
Enter LDAP Password:
passwordStorageScheme: PBKDF2_SHA256
# ldapmodify -h localhost -p 389 -x -D "cn=Directory Manager" -W -f passwordHashAlgorithm.ldif
Enter LDAP Password:
modifying entry "cn=config"
# ldapsearch -h sp-spo-ipa.juntotelecom.com.br -p 389 -x -D "cn=Directory Manager" -W -b "cn=config" | grep passwordStorageScheme
Enter LDAP Password:
passwordStorageScheme: SSHA512

Adicionado o host

# ipa dnsrecord-add juntotelecom.com.br sp-spo-radius --a-rec 172.28.129.6
  Record name: sp-spo-radius
  A record: 172.28.129.6
# ipa dnsrecord-add juntotelecom.com.br sp-spo-radius --aaaa-rec 2804:694:4c00:4004::6
  Record name: sp-spo-radius
  A record: 172.28.129.6
  AAAA record: 2804:694:4c00:4004::6
# ipa host-add sp-spo-radius.juntotelecom.com.br --desc="FreeRADIUS" --password="@btjt(())22"
----------------------------------------------
Added host "sp-spo-radius.juntotelecom.com.br"
----------------------------------------------
  Host name: sp-spo-radius.juntotelecom.com.br
  Description: FreeRADIUS
  Password: True
  Keytab: False
  Managed by: sp-spo-radius.juntotelecom.com.br

Permissão do usuário radiusadm

Atenção: a permissão 'userPassword service read' dá ao radiusadm leitura do hash de senha de todos os usuários em cn=users. A conta e a senha dela (que fica em texto claro no módulo ldap do FreeRADIUS, mais abaixo) devem ser tratadas como credencial altamente sensível; evite reutilizar a mesma senha como OTP de inscrição do host, como feito nesta página.

# ipa permission-add 'userPassword service read' --attrs=userPassword --type=user --right=read
--------------------------------------------
Added permission "userPassword service read"
--------------------------------------------
  Permission name: userPassword service read
  Granted rights: read
  Effective attributes: userPassword
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br
  Type: user
  Permission flags: SYSTEM, V2
# ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
---------------------------------
Added privilege "Radius services"
---------------------------------
  Privilege name: Radius services
  Description: Privileges needed to allow radiusd servers to operate
# ipa privilege-add-permission 'Radius services' --permissions='userPassword service read'
  Privilege name: Radius services
  Description: Privileges needed to allow radiusd servers to operate
  Permissions: userPassword service read
-----------------------------
Number of permissions added 1
-----------------------------
# ipa role-add 'Radius server' --desc="Radius server role"
--------------------------
Added role "Radius server"
--------------------------
  Role name: Radius server
  Description: Radius server role
# ipa role-add-privilege --privileges="Radius services" 'Radius server'
  Role name: Radius server
  Description: Radius server role
  Privileges: Radius services
----------------------------
Number of privileges added 1
----------------------------
# yes "@btjt(())22" | ipa user-add "radiusadm" --first=Radius --last=User --shell=/bin/bash --password
----------------------
Added user "radiusadm"
----------------------
  User login: radiusadm
  First name: Radius
  Last name: User
  Full name: Radius User
  Display name: Radius User
  Initials: RU
  Home directory: /home/radiusadm
  GECOS: Radius User
  Login shell: /bin/bash
  Principal name: radiusadm@JUNTOTELECOM.COM.BR
  Principal alias: radiusadm@JUNTOTELECOM.COM.BR
  User password expiration: 20220412204350Z
  Email address: radiusadm@juntotelecom.com.br
  UID: 187600003
  GID: 187600003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# ipa user-mod "radiusadm" --user-auth-type=password --user-auth-type=radius
-------------------------
Modified user "radiusadm"
-------------------------
  User login: radiusadm
  First name: Radius
  Last name: User
  Home directory: /home/radiusadm
  Login shell: /bin/bash
  Principal name: radiusadm@JUNTOTELECOM.COM.BR
  Principal alias: radiusadm@JUNTOTELECOM.COM.BR
  Email address: radiusadm@juntotelecom.com.br
  UID: 187600003
  GID: 187600003
  User authentication types: password, radius
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# yes "@btjt(())22" | ipa user-mod "radiusadm" --password-expiration="2050-01-01Z" --password
-------------------------
Modified user "radiusadm"
-------------------------
  User login: radiusadm
  First name: Radius
  Last name: User
  Home directory: /home/radiusadm
  Login shell: /bin/bash
  Principal name: radiusadm@JUNTOTELECOM.COM.BR
  Principal alias: radiusadm@JUNTOTELECOM.COM.BR
  User password expiration: 20220412204516Z
  Email address: radiusadm@juntotelecom.com.br
  UID: 187600003
  GID: 187600003
  User authentication types: password, radius
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# ipa role-add-member 'Radius server' --users='radiusadm'
  Role name: Radius server
  Description: Radius server role
  Member users: radiusadm
  Privileges: Radius services
-------------------------
Number of members added 1
-------------------------
# ipa user-show radiusadm --all --raw
  dn: uid=radiusadm,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br
  uid: radiusadm
  givenname: Radius
  sn: User
  cn: Radius User
  initials: RU
  homedirectory: /home/radiusadm
  gecos: Radius User
  loginshell: /bin/bash
  krbcanonicalname: radiusadm@JUNTOTELECOM.COM.BR
  krbprincipalname: radiusadm@JUNTOTELECOM.COM.BR
  mail: radiusadm@juntotelecom.com.br
  uidnumber: 187600003
  gidnumber: 187600003
  ipauserauthtype: password
  ipauserauthtype: radius
  nsaccountlock: FALSE
  has_password: TRUE
  has_keytab: TRUE
  displayName: Radius User
  ipaNTSecurityIdentifier: S-1-5-21-2731924211-1883941829-2112701219-1003
  ipaUniqueID: 42e05e52-baa1-11ec-a438-000c29ad9330
  krbExtraData: AALc5FVicm9vdC9hZG1pbkBKVU5UT1RFTEVDT00uQ09NLkJSAA==
  krbLastPwdChange: 20220412204516Z
  krbPasswordExpiration: 20220412204516Z
  memberof: cn=Radius server,cn=roles,cn=accounts,dc=juntotelecom,dc=com,dc=br
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br
  memberofindirect: cn=userPassword service read,cn=permissions,cn=pbac,dc=juntotelecom,dc=com,dc=br
  memberofindirect: cn=Radius services,cn=privileges,cn=pbac,dc=juntotelecom,dc=com,dc=br
  mepManagedEntry: cn=radiusadm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs
  objectClass: ipauserauthtypeclass

Instalação FreeRADIUS

Observações: (1) o `yes yes` também responde sim à pergunta de baixar o certificado da CA por HTTP, marcada como INSECURE na saída abaixo — o mais seguro é obter o ca.crt por um canal confiável e passá-lo com --ca-cert-file; (2) a saída mostra o ipa-client-install não encontrando os registros A/AAAA criados na seção anterior, o que sugere que o resolver do host não apontava para o DNS do IPA — vale conferir antes de seguir; (3) o módulo ldap fica aparentemente configurado para ldap:// na porta 389 sem TLS (veja a conexão no teste), então a senha de bind do radiusadm e os hashes dos usuários trafegam em claro entre o RADIUS e o IPA — habilite TLS (ldaps:// ou start_tls = yes na seção tls do módulo).

# cat <<EOF | tee -a /etc/hosts
172.28.129.6	sp-spo-radius.juntotelecom.com.br	sp-spo-radius
177.75.187.213  sp-spo-ipa.juntotelecom.com.br	sp-spo-ipa
2804:694:4c00:4004::6   sp-spo-radius.juntotelecom.com.br       sp-spo-radius
2804:694:4c00:4001::13  sp-spo-ipa.juntotelecom.com.br  sp-spo-ipa
EOF
# hostnamectl set-hostname sp-spo-radius.juntotelecom.com.br
# echo "krb5-config krb5-config/kerberos_servers string
krb5-config krb5-config/add_servers_realm string JUNTOTELECOM.COM.BR
krb5-config krb5-config/default_realm string JUNTOTELECOM.COM.BR
krb5-config krb5-config/add_servers boolean false
krb5-config krb5-config/admin_server string
krb5-config krb5-config/read_conf boolean true
libpam-runtime libpam-runtime/override boolean false
libpam-runtime libpam-runtime/profiles multiselect pwquality, unix, sss, systemd, gnome-keyring, capability" | debconf-set-selections
# apt-get install freeradius freeradius-ldap freeradius-utils sudo patch
# echo "deb http://deb.debian.org/debian bullseye-backports main" > /etc/apt/sources.list.d/bullseye-backports.list
# apt-get update
# DEBIAN_FRONTEND=noninteractive apt-get install -t bullseye-backports freeipa-client
# yes yes | ipa-client-install --ntp-server=sp-spo-ipa.juntotelecom.com.br --domain=juntotelecom.com.br --enable-dns-updates --password="@btjt(())22" --realm=JUNTOTELECOM.COM.BR --server=sp-spo-ipa.juntotelecom.com.br
This program will set up IPA client.
Version 4.9.8
 
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
 
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: Client hostname: sp-spo-radius.juntotelecom.com.br
Realm: JUNTOTELECOM.COM.BR
DNS Domain: juntotelecom.com.br
IPA Server: sp-spo-ipa.juntotelecom.com.br
BaseDN: dc=juntotelecom,dc=com,dc=br
NTP server: sp-spo-ipa.juntotelecom.com.br
 
Continue to configure the system with these values? [no]: Synchronizing time
Augeas failed to configure file /etc/chrony/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Do you want to download the CA cert from http://sp-spo-ipa.juntotelecom.com.br/ipa/config/ca.crt ?
(this is INSECURE) [no]: Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=JUNTOTELECOM.COM.BR
    Issuer:      CN=Certificate Authority,O=JUNTOTELECOM.COM.BR
    Valid From:  2022-04-12 19:45:00
    Valid Until: 2042-04-12 19:45:00
 
Enrolled in IPA realm JUNTOTELECOM.COM.BR
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm JUNTOTELECOM.COM.BR
Systemwide CA database updated.
Hostname (sp-spo-radius.juntotelecom.com.br) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host sp-spo-radius.juntotelecom.com.br: 172.28.129.6, 2804:694:4c00:4004::6.
Missing reverse record(s) for address(es): 172.28.129.6, 2804:694:4c00:4004::6.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Principal is not set when enrolling with OTP; using principal 'admin@juntotelecom.com.br' for 'getent passwd'
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring juntotelecom.com.br as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
# cp -p /etc/sssd/sssd.conf{,.dist}
# sed -i '/^\[domain\/.*]$/a enumerate = true' /etc/sssd/sssd.conf
# systemctl restart sssd
# cp -p /etc/freeradius/3.0/mods-available/ldap{,.dist}
# pushd /etc/freeradius/3.0/mods-enabled
# ln -s ../mods-available/ldap .
# sed -i -e "s#'localhost'#'sp-spo-ipa.juntotelecom.com.br'#g" -e "s#'dc=example,dc=org'#'cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br'#g" ldap
# sed -i "s/#[[:blank:]]*identity = .*/\tidentity = 'uid=radiusadm,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br'/" ldap
# sed -i "s/#[[:blank:]]*password = .*/\tpassword = '@btjt(())22'/" ldap
# cp -p /etc/freeradius/3.0/sites-available/default{,.dist}
# pushd /etc/freeradius/3.0/sites-enabled
/etc/freeradius/3.0/sites-enabled ~
# sed -i 's/-ldap/ldap/' default
# echo '526,528c526,528
< #	Auth-Type LDAP {
< #		ldap
< #	}
---
> 	Auth-Type LDAP {
> 		ldap
> 	}' | patch default
# popd
~
root@sp-spo-radius:~#
# rm /etc/freeradius/3.0/sites-enabled/default.orig
# systemctl restart freeradius.service

Testando a autenticação

Note que neste teste o Auth-Type resolvido é PAP: o rlm_ldap lê o hash {SSHA512} do atributo userPassword (graças à permissão criada acima) e o rlm_pap compara localmente; a seção Auth-Type LDAP habilitada pelo patch não chega a ser usada. Além disso, o teste foi feito antes das entradas do arquivo users ([files] = noop na saída), portanto não valida a restrição por grupo nem o DEFAULT Auth-Type := Reject — repita o radtest depois do restart final e remova o usuário radiustest ao terminar.

# ldapsearch -h sp-spo-ipa.juntotelecom.com.br -p 389 -v -b 'dc=juntotelecom,dc=com,dc=br' -D "uid=radiusadm,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br" -W -LLL
# yes test | ipa user-add "radiustest" --first=Radius --last=Test --shell=/usr/bin/false --password
-----------------------
Added user "radiustest"
-----------------------
  User login: radiustest
  First name: Radius
  Last name: Test
  Full name: Radius Test
  Display name: Radius Test
  Initials: RT
  Home directory: /home/radiustest
  GECOS: Radius Test
  Login shell: /usr/bin/false
  Principal name: radiustest@JUNTOTELECOM.COM.BR
  Principal alias: radiustest@JUNTOTELECOM.COM.BR
  User password expiration: 20220412213118Z
  Email address: radiustest@juntotelecom.com.br
  UID: 187600004
  GID: 187600004
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# ipa user-mod radiustest --password-expiration="2050-01-01Z" --user-auth-type=password --user-auth-type=radius
--------------------------
Modified user "radiustest"
--------------------------
  User login: radiustest
  First name: Radius
  Last name: Test
  Home directory: /home/radiustest
  Login shell: /usr/bin/false
  Principal name: radiustest@JUNTOTELECOM.COM.BR
  Principal alias: radiustest@JUNTOTELECOM.COM.BR
  User password expiration: 20500101000000Z
  Email address: radiustest@juntotelecom.com.br
  UID: 187600004
  GID: 187600004
  User authentication types: password, radius
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# systemctl stop freeradius.service
# sudo -u freerad freeradius -fxX
~$ radtest radiustest test 127.0.0.1 0 testing123
Sent Access-Request Id 30 from 0.0.0.0:59482 to 127.0.0.1:1812 length 80
        User-Name = "radiustest"
        User-Password = "test"
        NAS-IP-Address = 172.28.129.6
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "test"
Received Access-Accept Id 30 from 127.0.0.1:1812 to 127.0.0.1:59482 length 20
Tue Apr 12 18:36:06 2022 : Debug: (0) Received Access-Request Id 30 from 127.0.0.1:59482 to 127.0.0.1:1812 length 80
Tue Apr 12 18:36:06 2022 : Debug: (0)   User-Name = "radiustest"
Tue Apr 12 18:36:06 2022 : Debug: (0)   User-Password = "test"
Tue Apr 12 18:36:06 2022 : Debug: (0)   NAS-IP-Address = 172.28.129.6
Tue Apr 12 18:36:06 2022 : Debug: (0)   NAS-Port = 0
Tue Apr 12 18:36:06 2022 : Debug: (0)   Message-Authenticator = 0xb14fe3c0f0e4be30e99922378beefed4
Tue Apr 12 18:36:06 2022 : Debug: (0) session-state: No State attribute
Tue Apr 12 18:36:06 2022 : Debug: (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 12 18:36:06 2022 : Debug: (0)   authorize {
Tue Apr 12 18:36:06 2022 : Debug: (0)     policy filter_username {
Tue Apr 12 18:36:06 2022 : Debug: (0)       if (&User-Name) {
Tue Apr 12 18:36:06 2022 : Debug: (0)       if (&User-Name)  -> TRUE
Tue Apr 12 18:36:06 2022 : Debug: (0)       if (&User-Name)  {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ / /) {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ / /)  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /@[^@]*@/ ) {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /\.\./ ) {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /\.\./ )  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /\.$/)  {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /\.$/)   -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /@\./)  {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /@\./)   -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)       } # if (&User-Name)  = notfound
Tue Apr 12 18:36:06 2022 : Debug: (0)     } # policy filter_username = notfound
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling preprocess (rlm_preprocess)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from preprocess (rlm_preprocess)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [preprocess] = ok
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling chap (rlm_chap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from chap (rlm_chap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [chap] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling mschap (rlm_mschap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from mschap (rlm_mschap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [mschap] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling digest (rlm_digest)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from digest (rlm_digest)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [digest] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling suffix (rlm_realm)
Tue Apr 12 18:36:06 2022 : Debug: (0) suffix: Checking for suffix after "@"
Tue Apr 12 18:36:06 2022 : Debug: (0) suffix: No '@' in User-Name = "radiustest", looking up realm NULL
Tue Apr 12 18:36:06 2022 : Debug: (0) suffix: No such realm "NULL"
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from suffix (rlm_realm)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [suffix] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling eap (rlm_eap)
Tue Apr 12 18:36:06 2022 : Debug: (0) eap: No EAP-Message, not doing EAP
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from eap (rlm_eap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [eap] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling files (rlm_files)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from files (rlm_files)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [files] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling ldap (rlm_ldap)
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba41f70
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba38e60
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): You probably need to lower "min"
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba50eb0
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): You probably need to lower "min"
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba508b0
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): You probably need to lower "min"
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba5c010
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots used
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Connecting to ldap://sp-spo-ipa.juntotelecom.com.br:389
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): New libldap handle 0x56106ba5c010
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Waiting for bind result...
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Bind successful
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Reserved connection (5)
Tue Apr 12 18:36:06 2022 : Debug: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Tue Apr 12 18:36:06 2022 : Debug: Parsed xlat tree:
Tue Apr 12 18:36:06 2022 : Debug: literal --> (uid=
Tue Apr 12 18:36:06 2022 : Debug: XLAT-IF {
Tue Apr 12 18:36:06 2022 : Debug:       attribute --> Stripped-User-Name
Tue Apr 12 18:36:06 2022 : Debug: }
Tue Apr 12 18:36:06 2022 : Debug: XLAT-ELSE {
Tue Apr 12 18:36:06 2022 : Debug:       attribute --> User-Name
Tue Apr 12 18:36:06 2022 : Debug: }
Tue Apr 12 18:36:06 2022 : Debug: literal --> )
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap:    --> (uid=radiustest)
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Performing search in "cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br" with filter "(uid=radiustest)", scope "sub"
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Waiting for search result...
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: User object found at DN "uid=radiustest,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br"
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Processing user attributes
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: control:Password-With-Header += '{SSHA512}669DM1uaEIJS1SimK9lMk9wD1KC+kp47tQ1B0w5IZxzkqtH/Vp1aJUvVtJFSQpTDMObp+ZS0jsMqy/C9pCsPq/sXJhMk2Joq'
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Attribute "radiusControlAttribute" not found in LDAP object
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Attribute "radiusRequestAttribute" not found in LDAP object
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Attribute "radiusReplyAttribute" not found in LDAP object
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Released connection (5)
Tue Apr 12 18:36:06 2022 : Info: Need 2 more connections to reach min connections (3)
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots used
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Connecting to ldap://sp-spo-ipa.juntotelecom.com.br:389
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): New libldap handle 0x56106ba39000
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Waiting for bind result...
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Bind successful
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from ldap (rlm_ldap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [ldap] = updated
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling expiration (rlm_expiration)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from expiration (rlm_expiration)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [expiration] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling logintime (rlm_logintime)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from logintime (rlm_logintime)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [logintime] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Converted: &control:Password-With-Header = '{SSHA512}669DM1uaEIJS1SimK9lMk9wD1KC+kp47tQ1B0w5IZxzkqtH/Vp1aJUvVtJFSQpTDMObp+ZS0jsMqy/C9pCsPq/sXJhMk2Joq' -> &control:SSHA2-512-Password = '0x363639444d31756145494a533153696d4b396c4d6b397744314b432b6b70343774513142307735495a787a6b7174482f567031614a557656744a4653517054444d4f62702b5a53306a734d71792f433970437350712f73584a684d6b324a6f71'
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Removing &control:Password-With-Header
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes -> 72 bytes
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [pap] = updated
Tue Apr 12 18:36:06 2022 : Debug: (0)   } # authorize = updated
Tue Apr 12 18:36:06 2022 : Debug: (0) Found Auth-Type = PAP
Tue Apr 12 18:36:06 2022 : Debug: (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 12 18:36:06 2022 : Debug: (0)   Auth-Type PAP {
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authenticate]: calling pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Login attempt with password "test" (4)
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Comparing with "known-good" SSHA2-512-Password
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: User authenticated successfully
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authenticate]: returned from pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [pap] = ok
Tue Apr 12 18:36:06 2022 : Debug: (0)   } # Auth-Type PAP = ok
Tue Apr 12 18:36:06 2022 : Debug: (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 12 18:36:06 2022 : Debug: (0)   post-auth {
Tue Apr 12 18:36:06 2022 : Debug: (0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
Tue Apr 12 18:36:06 2022 : Debug: (0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)     update {
Tue Apr 12 18:36:06 2022 : Debug: (0)       No attributes updated for RHS &session-state:
Tue Apr 12 18:36:06 2022 : Debug: (0)     } # update = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[post-auth]: calling exec (rlm_exec)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[post-auth]: returned from exec (rlm_exec)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [exec] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     policy remove_reply_message_if_eap {
Tue Apr 12 18:36:06 2022 : Debug: (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
Tue Apr 12 18:36:06 2022 : Debug: (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)       else {
Tue Apr 12 18:36:06 2022 : Debug: (0)         modsingle[post-auth]: calling noop (rlm_always)
Tue Apr 12 18:36:06 2022 : Debug: (0)         modsingle[post-auth]: returned from noop (rlm_always)
Tue Apr 12 18:36:06 2022 : Debug: (0)         [noop] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)       } # else = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     } # policy remove_reply_message_if_eap = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)   } # post-auth = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) Sent Access-Accept Id 30 from 127.0.0.1:1812 to 127.0.0.1:59482 length 0
Tue Apr 12 18:36:06 2022 : Debug: (0) Finished request
Tue Apr 12 18:36:06 2022 : Debug: Waking up in 4.9 seconds.
Tue Apr 12 18:36:11 2022 : Debug: (0) Cleaning up request packet ID 30 with timestamp +126
Tue Apr 12 18:36:11 2022 : Info: Ready to process requests

Configuração do arquivo clients

# cp -p /etc/freeradius/3.0/clients.conf{,.dist}
# cat /etc/freeradius/3.0/clients.conf
# Loopback client used by the radtest run in the previous section.
# NOTE(review): 'testing123' is the example secret that ships with FreeRADIUS;
# replace it even for loopback, since any local process that knows it can
# submit requests.
client localhost {
        ipaddr = 127.0.0.1
        proto = *
        secret = testing123
        # 'no' means requests from this client are accepted without a
        # Message-Authenticator; tolerable only because it is loopback.
        require_message_authenticator = no
 
        #  Permitted NAS types are:
        #
        #       cisco
        #       computone
        #       livingston
        #       juniper
        #       max40xx
        #       multitech
        #       netserver
        #       pathras
        #       patton
        #       portslave
        #       tc
        #       usrhiper
        #       other           # for all other types
 
        #
        nas_type         = other        # localhost isn't usually a NAS...
        #
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
 
# IPv6 Client
# Same default secret as the IPv4 loopback client above; change it too.
client localhost_ipv6 {
        ipv6addr        = ::1
        secret          = testing123
}
 
# JuntoTelecom
# NOTE(review): a /32 covers the entire IPv6 allocation, so any host in it
# that knows the secret is accepted as a NAS. The secret is also shared with
# private-network-2 and private-network-3 below, so a compromised NAS in one
# block can impersonate NASes in the others; prefer per-NAS entries and long
# random secrets (with PAP, the secret is what protects User-Password in
# transit).
client bloco_ipv6 {
        ipv6addr        = 2804:694::/32
        secret          = R4d10S
}
 
# NOTE(review): the three private-network entries accept every host in 10/8,
# 172.16/12 and 192.168/16 as a NAS; narrow them to the actual NAS addresses
# where possible. private-network-1 shares its secret with bloco_public and
# rondonopolis_internet.
client private-network-1 {
        ipaddr          = 10.0.0.0/8
        secret          = Yosh1@nintend0
}
 
client private-network-2 {
        ipaddr          = 172.16.0.0/12
        secret          = R4d10S
}
 
client private-network-3 {
        ipaddr          = 192.168.0.0/16
        secret          = R4d10S
}
 
# NOTE(review): a public /20 as a RADIUS client; it also contains the IPA
# server address listed in /etc/hosts above (177.75.187.213). Any host in the
# block that knows the secret is accepted as a NAS.
client bloco_public {
        ipaddr          = 177.75.176.0/20
        secret          = Yosh1@nintend0
}
 
# Single public host reached over the Internet. Plain RADIUS/UDP obfuscates
# only User-Password; other attributes are visible to anyone on the path, so
# consider a VPN/IPsec tunnel or RadSec for this client.
client rondonopolis_internet {
        ipaddr          = 179.220.65.181/32
        secret          = Yosh1@nintend0
}

Configuração do arquivo users

# cp -p /etc/freeradius/3.0/mods-config/files/authorize{,.dist}
# cat /etc/freeradius/3.0/users
# examples.
#
#bob    Cleartext-Password := "hello"
#       Reply-Message := "Hello, %{User-Name}"
#
# Start JuntoTelecom - FreeIPA
# Example of use without authentication
# NOTE(review): the commented-out entry below still carries a cleartext
# credential; delete it instead of leaving it in the file.
#awx_user Cleartext-Password := "$4l03_V3r@"
#        Service-Type = NAS-Prompt-User,
#        Juniper-Local-User-Name := "remote",
#        Huawei-Exec-Privilege = "15",
#        Cisco-AVPair = "shell:priv-lvl=15"
 
# Group with write permission
# Members of radiusgpadm (matched through rlm_ldap's Ldap-Group check) get
# full shell privilege on Cisco (priv-lvl=15) and Huawei (15) and the Juniper
# local template "remote". The first matching entry wins and there is no
# Fall-Through, so nothing below applies to these users.
DEFAULT Ldap-Group == "cn=radiusgpadm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br"
        Service-Type = NAS-Prompt-User,
        Juniper-Local-User-Name := "remote",
        Huawei-Exec-Privilege = "15",
        Cisco-AVPair = "shell:priv-lvl=15"
 
# Group with read permission
# NOTE(review): despite the "read" intent, Huawei-Exec-Privilege is still
# "15" (same as the write group) and the Juniper template is the same
# "remote"; only the Cisco priv-lvl (3) is actually lower. Confirm this is
# intended.
DEFAULT Ldap-Group == "cn=radiusgpmgm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br"
        Service-Type = NAS-Prompt-User,
        Juniper-Local-User-Name := "remote",
        Huawei-Exec-Privilege = "15",
        Cisco-AVPair = "shell:priv-lvl=3"
 
# Catch-all: anyone not matched by the two group entries above is rejected.
# Because this entry always matches, the PPP/SLIP defaults below should be
# unreachable. Note the radtest output earlier shows "[files] = noop", which
# suggests these entries were not yet in place when that test ran; re-test
# after the restart.
DEFAULT Auth-Type := Reject
# End JuntoTelecom - FreeIPA
#
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
 
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
 
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
#
# systemctl restart freeradius

Referência
