The highest good is like water: neither floating nor sinking!
Category: LINUX
2013-05-16 18:39:26
Configuring a RADIUS server with IPv6 support
1. System environment preparation
1) Software used: freeradius-server-2.1.7; the operating system is CentOS 5.1.
2) FreeRADIUS needs OpenSSL (the openssl-devel headers are required to build the TLS-based EAP modules). Check whether the packages are installed with:
# rpm -qa | grep openssl
openssl-0.9.8b-8.3.el5_0.2
openssl-devel-0.9.8b-8.3.el5_0.2
openssl097a-0.9.7a-9.el5_2.1
If any are missing, install the corresponding packages from the installation media.
2. FreeRADIUS installation
Download freeradius-server-2.1.7.tar.bz2, change into the directory holding the package, and run the following commands in order (the default prefix is /usr/local, so the configuration ends up in /usr/local/etc/raddb, the path used throughout this guide):
# tar xjvf freeradius-server-2.1.7.tar.bz2
# cd freeradius-server-2.1.7
# ./configure
# make
# make install
3. FreeRADIUS configuration
The main configuration task is enabling IPv6 support. A single listen section in FreeRADIUS binds either an IPv4 address (ipaddr) or an IPv6 address (ipv6addr), never both, so the approach taken here is to disable the IPv4 binding in each listen section and enable the IPv6 one. (Serving IPv4 alongside IPv6 is possible by adding a separate listen section per address family; this guide switches to IPv6 only.)
Edit /usr/local/etc/raddb/radiusd.conf, comment out the IPv4 setting in each listen section, and enable the IPv6 setting:
# vi /usr/local/etc/raddb/radiusd.conf
listen {
    #  Type of packets to listen for.
    #  Allowed values are:
    #    auth    listen for authentication packets
    #    acct    listen for accounting packets
    #    proxy   IP to use for sending proxied packets
    #    detail  Read from the detail file.  For examples, see
    #            raddb/sites-available/copy-acct-to-home-server
    #    status  listen for Status-Server packets.  For examples,
    #            see raddb/sites-available/status
    #    coa     listen for CoA-Request and Disconnect-Request
    #            packets.  For examples, see the file
    #            raddb/sites-available/coa-server
    #
    type = auth

    #  Note: "type = proxy" lets you control the source IP used for
    #        proxying packets, with some limitations:
    #
    #    * A proxy listener CANNOT be used in a virtual server section.
    #    * You should probably set "port = 0".
    #    * Any "clients" configuration will be ignored.
    #
    #  See also proxy.conf, and the "src_ipaddr" configuration entry
    #  in the sample "home_server" section.  When you specify the
    #  source IP address for packets sent to a home server, the
    #  proxy listeners are automatically created.

    #  IP address on which to listen.
    #  Allowed values are:
    #    dotted quad (1.2.3.4)
    #    hostname    (radius.example.com)
    #    wildcard    (*)
#   ipaddr = *                        # commented out here

    #  OR, you can use an IPv6 address, but not both
    #  at the same time.
    ipv6addr = ::    # any.  ::1 == localhost   (enabled here)

    #  Port on which to listen.
    #  Allowed values are:
    #    integer port number (1812)
    #    0 means "use /etc/services for the proper port"
    port = 0

    #  Some systems support binding to an interface, in addition
    #  to the IP address.  This feature isn't strictly necessary,
    #  but for sites with many IP addresses on one interface,
    #  it's useful to say "listen on all addresses for eth0".
    #
    #  If your system does not support this feature, you will
    #  get an error if you try to use it.
    #
#   interface = eth0

    #  Per-socket lists of clients.  This is a very useful feature.
    #
    #  The name here is a reference to a section elsewhere in
    #  radiusd.conf, or clients.conf.  Having the name as
    #  a reference allows multiple sockets to use the same
    #  set of clients.
    #
    #  If this configuration is used, then the global list of clients
    #  is IGNORED for this "listen" section.  Take care configuring
    #  this feature, to ensure you don't accidentally disable a
    #  client you need.
    #
    #  See clients.conf for the configuration of "per_socket_clients".
    #
#   clients = per_socket_clients
}

#  This second "listen" section is for listening on the accounting
#  port, too.
#
listen {
#   ipaddr = *                        # commented out here
    ipv6addr = ::                     # enabled here
    port = 0
    type = acct
#   interface = eth0
#   clients = per_socket_clients
}
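The comment in radiusd.conf above only says that one listen section takes either ipaddr or ipv6addr, not both; it does not rule out dual-stack service, because the server accepts any number of listen sections. The fragment below is an added example, not configuration from this page: it keeps the page's port = 0 (look the port up in /etc/services) and adds one section per address family for both auth and acct. It assumes the IPv6 wildcard socket is bound IPv6-only so that the IPv4 wildcard can be bound beside it; if radiusd -X reports the address as already in use, bind each section to an explicit address instead of a wildcard.

```text
# radiusd.conf: dual-stack listeners (added example, not the page's file).
# Each listen section binds ONE family; IPv4 and IPv6 coexist as separate sections.
listen {
    type = auth
    ipaddr = *          # all IPv4 addresses
    port = 0
}
listen {
    type = auth
    ipv6addr = ::       # all IPv6 addresses
    port = 0
}
listen {
    type = acct
    ipaddr = *
    port = 0
}
listen {
    type = acct
    ipv6addr = ::
    port = 0
}
```

With this layout netstat should show both 0.0.0.0:1812/1813 and :::1812/1813, and radtest can be pointed at 127.0.0.1 or ::1 with the same clients.conf entries for each.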
Edit /usr/local/etc/raddb/clients.conf: comment out the IPv4 setting in the localhost client, enable the IPv6 one, and enable the IPv6 client entries, as shown below:
# vi /usr/local/etc/raddb/clients.conf
client localhost {
    #  Allowed values are:
    #    dotted quad (1.2.3.4)
    #    hostname    (radius.example.com)
#   ipaddr = 127.0.0.1                # commented out here

    #  OR, you can use an IPv6 address, but not both
    #  at the same time.
    ipv6addr = ::    # any.  ::1 == localhost   (enabled here)

    #
    #  A note on DNS:  We STRONGLY recommend using IP addresses
    #  rather than host names.  Using host names means that the
    #  server will do DNS lookups when it starts, making it
    #  dependent on DNS.  i.e. If anything goes wrong with DNS,
    #  the server won't start!
    #
    #  The server also looks up the IP address from DNS once, and
    #  only once, when it starts.  If the DNS record is later
    #  updated, the server WILL NOT see that update.
    #

    #  One client definition can be applied to an entire network.
    #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
    #  "netmask = 8"
    #
    #  If not specified, the default netmask is 32 (i.e. /32)
    #
    #  We do NOT recommend using anything other than 32.  There
    #  are usually other, better ways to achieve the same goal.
    #  Using netmasks of other than 32 can cause security issues.
    #
    #  You can specify overlapping networks (127/8 and 127.0/16)
    #  In that case, the smallest possible network will be used
    #  as the "best match" for the client.
    #
    #  Clients can also be defined dynamically at run time, based
    #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
    #  etc.
    #  See raddb/sites-available/dynamic-clients for details.
    #

#   netmask = 32

    #
    #  The shared secret used to "encrypt" and "sign" packets between
    #  the NAS and FreeRADIUS.  You MUST change this secret from the
    #  default, otherwise it's not a secret any more!
    #
    #  The secret can be any string, up to 8k characters in length.
    #
    #  Control codes can be entered via octal encoding,
    #    e.g. "\101\102" == "AB"
    #  Quotation marks can be entered by escaping them,
    #    e.g. "foo\"bar"
    #
    #  A note on security:  The security of the RADIUS protocol
    #  depends COMPLETELY on this secret!  We recommend using a
    #  shared secret that is composed of:
    #
    #    upper case letters
    #    lower case letters
    #    numbers
    #
    #  And is at LEAST 8 characters long, preferably 16 characters in
    #  length.  The secret MUST be random, and should not be words,
    #  phrases, or anything else that is recognizable.
    #
    #  The default secret below is only for testing, and should
    #  not be used in any real environment.
    #
    secret = testing123

    #
    #  Old-style clients do not send a Message-Authenticator
    #  in an Access-Request.  RFC 5080 suggests that all clients
    #  SHOULD include it in an Access-Request.  The configuration
    #  item below allows the server to require it.  If a client
    #  is required to include a Message-Authenticator and it does
    #  not, then the packet will be silently discarded.
    #
    #  allowed values: yes, no
    require_message_authenticator = no

    #
    #  The short name is used as an alias for the fully qualified
    #  domain name, or the IP address.
    #
    #  It is accepted for compatibility with 1.x, but it is no
    #  longer necessary in 2.0
    #
#   shortname = localhost

    #
    #  The following three fields are optional, but may be used by
    #  checkrad.pl for simultaneous use checks
    #

    #
    #  The nastype tells 'checkrad.pl' which NAS-specific method to
    #  use to query the NAS for simultaneous use.
    #
    #  Permitted NAS types are:
    #
    #    cisco
    #    computone
    #    livingston
    #    max40xx
    #    multitech
    #    netserver
    #    pathras
    #    patton
    #    portslave
    #    tc
    #    usrhiper
    #    other        # for all other types
    #
    nastype = other    # localhost isn't usually a NAS...

    #
    #  The following two configurations are for future use.
    #  The 'naspasswd' file is currently used to store the NAS
    #  login name and password, which is used by checkrad.pl
    #  when querying the NAS for simultaneous use.
    #
#   login = !root
#   password = someadminpas

    #
    #  As of 2.0, clients can also be tied to a virtual server.
    #  This is done by setting the "virtual_server" configuration
    #  item, as in the example below.
    #
#   virtual_server = home1

    #
    #  A pointer to the "home_server_pool" OR a "home_server"
    #  section that contains the CoA configuration for this
    #  client.  For an example of a coa home server or pool,
    #  see raddb/sites-available/originate-coa
#   coa_server = coa
}

# IPv6 Client                         (enable the following two default IPv6 clients)
client ::1 {
    secret    = testing123
    shortname = localhost
}
#
# All IPv6 Site-local clients
client fe80::/16 {
    secret    = testing123
    shortname = localhost
}
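As left above, clients.conf still carries the test secret testing123, and the fe80::/16 entry accepts any link-local IPv6 peer that knows it; the file's own comments explain why neither belongs in a real deployment. The fragment below is an added example, not the page's file: one entry per NAS using the naming form the page already uses (client <address> { ... }), a distinct random secret per client, and require_message_authenticator = yes on the NAS entry. The NAS address 2001:db8:1::10 is a documentation prefix standing in for a real NAS, and both secrets are placeholders to replace with your own (for instance from openssl rand -base64 16).

```text
# clients.conf: tightened client list (added example, not the page's file).
client localhost {
    ipv6addr = ::1                       # only the loopback address, not ::
    secret   = 7kPq2ZmX9vRt4nLs          # placeholder: generate a random secret
    nastype  = other                     # localhost isn't a NAS
}

# One entry per NAS with its exact address; no fe80::/16 catch-all.
client 2001:db8:1::10 {
    secret    = Wq3n8ZbV5rTy6kMp         # placeholder, different for every NAS
    shortname = ap-lab1
    # Only for a NAS that sends Message-Authenticator (RFC 5080); a request
    # without one is then silently discarded, so leave "no" for older gear.
    require_message_authenticator = yes
}
```

After changing the localhost secret, the radtest command later in this guide must be given the new secret in place of testing123, or the server will reject the request.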
Edit /usr/local/etc/raddb/users and add a user name and password at the very top, as follows (Cleartext-Password stores the password in the clear, which is acceptable for this test user):
# vi /usr/local/etc/raddb/users
"yzm"    Cleartext-Password := "yzm"
Now start RADIUS in debug mode with the command below. On the first start the server generates its certificates automatically:
# radiusd -X
The server should now be listening on the IPv6 wildcard address on ports 1812 and 1813, as shown:
# netstat -an | grep 1812
udp        0      0 :::1812                     :::*
# netstat -an | grep 1813
udp        0      0 :::1813                     :::*
Verify that the server works with the following command. Open a new shell window and run it; if the result is Access-Accept, the server has been set up successfully. In this radtest invocation ::1 is the server address, 1812 is the nas-port-number argument (which is why the request carries NAS-Port = 1812; the destination port is the default 1812), and testing123 is the shared secret from clients.conf:
# radtest yzm yzm ::1 1812 testing123
Sending Access-Request of id 130 to ::1 port 1812
        User-Name = "yzm"
        User-Password = "yzm"
        NAS-IP-Address = 127.0.0.1        (presumably filled in by radtest by default; it can be ignored)
        NAS-Port = 1812
rad_recv: Access-Accept packet from host ::1 port 1812, id=130, length=20
Receiving this reply means the server has been set up successfully.
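The radtest output above shows only attribute names and the reply code. The following added example (not FreeRADIUS or radtest code) carries out the same Access-Request / Access-Accept round trip in pure Python, so the role of the clients.conf shared secret is visible end to end: User-Password hiding (RFC 2865 section 5.2), the Message-Authenticator HMAC-MD5 (RFC 2869) that require_message_authenticator asks for, and the Response Authenticator that lets the client tell a genuine reply from a forged one. The users entry and the testing123 secret are constructed to mirror the page's values; the server side is a simplified stand-in for radiusd, not its code. It also exercises the two cases the clients.conf comments describe: a request from a client holding the wrong secret, and a request without a Message-Authenticator when one is required, both of which are dropped without a reply.

```python
"""A RADIUS PAP exchange (RFC 2865/2869) in miniature: what radtest sends, what the
server checks, and why everything rests on the shared secret.  Added example, not
FreeRADIUS code; USERS and SECRET are constructed to mirror the page's test values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80
USERS = {"yzm": "yzm"}   # constructed: users file line  "yzm" Cleartext-Password := "yzm"
SECRET = b"testing123"   # constructed: the clients.conf test secret; never use it for real

def encode_attrs(attrs):
    """Serialise [(type, value)] as RADIUS TLVs: type, length (incl. header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse TLVs, rejecting a length that is too short or runs past the packet."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def pap_xor(data, secret, authenticator, hiding):
    """RFC 2865 5.2 User-Password: block i is XORed with MD5(secret + previous hidden
    block), the first block with MD5(secret + Request Authenticator).  Same code both ways."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def add_message_authenticator(packet, secret):
    """RFC 2869 5.14: HMAC-MD5(secret) over the whole packet with the value zeroed."""
    length = struct.unpack("!H", packet[2:4])[0] + 18
    packet = packet[:2] + struct.pack("!H", length) + packet[4:]
    packet += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def check_message_authenticator(packet, attrs, secret, request_authenticator):
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, packet[:4] + request_authenticator + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])

def client_request(username, password, secret, ident):
    """What radtest sends: an Access-Request with a fresh random Request Authenticator."""
    ra, pw = os.urandom(16), password.encode()
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_xor(pw + b"\x00" * (-len(pw) % 16), secret, ra, True)),
             (NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),   # radtest's default NAS-IP-Address
             (NAS_PORT, struct.pack("!I", 1812))]
    body = encode_attrs(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body
    return add_message_authenticator(packet, secret), ra

def server_handle(packet, secret, users, require_message_authenticator=True):
    """Simplified server side; returns the reply, or None when the request is silently discarded."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST or packet[2:4] != struct.pack("!H", len(packet)):
        return None
    ident, ra = packet[1], packet[4:20]
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError:
        return None
    if require_message_authenticator and not check_message_authenticator(packet, attrs, secret, ra):
        return None
    found = dict(attrs)
    user = found.get(USER_NAME, b"").decode("utf-8", "replace")
    password = pap_xor(found.get(USER_PASSWORD, b""), secret, ra, False).rstrip(b"\x00")
    ok = user in users and hmac.compare_digest(password, users[user].encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + secret).digest()

def client_verify(reply, secret, request_authenticator, ident):
    """Check the Response Authenticator: without the same secret it cannot be forged."""
    if len(reply) < 20 or reply[1] != ident or reply[2:4] != struct.pack("!H", len(reply)):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def run_exchange(username, password, client_secret=SECRET, server_secret=SECRET,
                 ident=130, require_ma=True):
    """Return (reply code or None, whether the client accepted the reply as genuine)."""
    request, ra = client_request(username, password, client_secret, ident)
    reply = server_handle(request, server_secret, USERS, require_ma)
    if reply is None:
        return None, False
    return reply[0], client_verify(reply, client_secret, ra, ident)
```

run_exchange("yzm", "yzm") returns (2, True), the Access-Accept of the page's radtest run; a wrong password gives (3, True), an Access-Reject whose authenticator still checks out; a client with a different secret gets (None, False) because its Message-Authenticator fails and the request is dropped, and with require_ma=False it gets (3, False), a reject the client cannot even verify. Everything here is MD5-based because that is what the protocol specifies, which is exactly why the clients.conf comment says RADIUS security depends completely on the secret.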
4. On wireless 802.1X authentication
For wireless 802.1X authentication, see eap.conf in the FreeRADIUS configuration: the eap module is enabled by default, so the server should support wireless 802.1X out of the box. There was no CPE supporting RADIUS over IPv6 available here to test with, so this part has not been verified; it will be updated once it has been.