freeradius安装与测试_eapol-test

freeradius官网

freeradius的github

安装办法

非源码安装

例如ubuntu：

For Bionic Beaver (18.04), add to your apt source list (/etc/apt/sources.list):

deb http://packages.networkradius.com/releases/ubuntu-bionic bionic main
1

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x41382202
sudo apt-get update
sudo apt-get install freeradius
1
2
3

例如 FreeRADIUS 3.2 on Ubuntu Focal 22.04

• Add the NetworkRADIUS PGP public key:

install -d -o root -g root -m 0755 /etc/apt/keyrings
curl -s 'https://packages.networkradius.com/pgp/packages%40networkradius.com' | \
    sudo tee /etc/apt/keyrings/packages.networkradius.com.asc > /dev/null
1
2
3

• Add the APT sources list:

echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/packages.networkradius.com.asc] http://packages.networkradius.com/freeradius-3.2/ubuntu/jammy jammy main" | \
    sudo tee /etc/apt/sources.list.d/networkradius.list > /dev/null
1
2

• Finally, update the APT database and install the packages:

sudo apt-get update
sudo apt-get install freeradius
1
2

启动服务：/etc/init.d/freeradius start

调试启动：freeradius -X

源码安装：

git clone https://github.com/FreeRADIUS/freeradius-server.git

进入目录

切换到3.0版本

git checkout -b git checkout -b release_3_0_20

git pull

执行

./configure

发现少了两个依赖，一次安装。

sudo apt-get install libtalloc-dev

sudo apt-get install libkqueue-dev

make

sudo make install

使用ubtuntu的apt-get方式来安装freeradius的位置会和源码不同、源码安装的默认位置是

/usr/local/etc/raddb/

而使用ubuntu的apt-get方式的配置文件则安置在

/etc/freeradius/

官方给的简单测试方式：

然后修改/etc/freeradius/下的users文件把这段注释去掉

steve   Cleartext-Password := "testing"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 172.16.3.33,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-Routing = Broadcast-Listen,
    Framed-Filter-Id = "std.ppp",
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobsen-TCP-IP
1
2
3
4
5
6
7
8
9

执行freeradius -X

在另一个终端：radtest testing localhost 1812 testing123

## vi users 用户配置
#两个字符串分别是验证时输入的身份和密码
"hzlarm" Cleartext-Password := "hzlarm123"

 
## clients.conf 配置客户端的密码以下是默认的,本机测试，配置这个点即可：client localhost 
 secret      = testing123
##如果是联网测试，往下找类似字段进行修改，指定的外网ip以及设定一个密码。
##这个密码是配置fitap时的密码，同样要输入的是radius服务器的ip与端口。这ip不清楚地话可以随意设置，
##等开启freeradius -X以及配置好fitap指向radius，服务器端会报错忽略某某ip，然后填入这个ip即可。
##设置为0.0.0.0/0任何ip都可以
client private-network-1 {
       ipaddr          = xxx.87.xx.12/24
       secret          = testing123

  
## etc/raddb/sites-enabled/default or etc/freeradius/sites-enabled/default
## 配置验证和授权的方式，计费可不考虑，这次不测是到这个点；确认开启了以下几个方式
pap
eap
chap
mschap
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

其他配置方案测试：

pap：

radtest hzlarm hzlarm123 127.0.0.1 1812 testing123

eap-md5：

#   radeapclient -x 127.0.0.1 auth testing123 < eap-md5.txt
#	以下内容写在eap-md5.txtf文件

User-Name = "hzlarm "
Cleartext-Password = "hzlarm123"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "ufiletest"
Message-Authenticator = 0x00
1
2
3
4
5
6
7
8
9

peap-mschapv2：

#   eapol_test -c peap-mschapv2.conf -s testing123
#	以下内容写在peap-mschapv2.conf文件

network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="hzlarm"
        anonymous_identity="anonymous"
        password="hzlarm123"
        phase2="autheap=MSCHAPV2"

#  Uncomment the following to perform server certificate validation.
#  ca_cert="/etc/freeradius/certs/ca.der"
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

安装测试工具eapol_test

cd /usr/local/src/
wget https://w1.fi/releases/wpa_supplicant-2.9.tar.gz
tar –xzvf wpa_supplicant-2.9.tar.gz
cd wpa_supplicant-2.9/wpa_supplicant/
cp defconfig .config
make eapol_test
#报错执行
#sudo apt-get install libdbus-1-dev
#sudo apt-get install libnl-3-dev libnl-genl-3-200 libnl-genl-3-dev libnl-idiag-3-dev
cp eapol_test /usr/local/bin/
1
2
3
4
5
6
7
8
9
10

eap-tls:

# 	sudo eapol_test -c eap-tls.conf -a 127.0.0.1 -p 1812 -s testing123 -r 1
# 	以下内容写在eap-tls.conf文件

network={
    eap=TLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="hzlarm"
    password="hzlarm123"

    # client 
    ca_cert="/etc/freeradius/certs/ca.pem"
    client_cert="/etc/freeradius/certs/client.pem"
    private_key="/etc/freeradius/certs/client.key"
    private_key_passwd="whatever"

    # server
    #ca_cert="/etc/freeradius/certs/ca.pem"
    #client_cert="/etc/freeradius/certs/server.pem"
    #private_key="/etc/freeradius/certs/server.key"
    #private_key_passwd="whatever"
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

ttls-chap:

#   eapol_test -c ttls-chap.conf -s testing123
#	以下内容写在ttls-chap.conf文件
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="hzlarm"
        anonymous_identity="anonymous"
        password="hzlarm123"
        phase2="auth=CHAP"

#  Uncomment the following to perform server certificate validation.
#		ca_cert="/etc/freeradius/certs/ca.der"
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14

ttls-eapmd5:

#
#   eapol_test -c ttls-eapmd5.conf -s testing123
#
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="hzlarm"
        anonymous_identity="anonymous"
        password="hzlarm123"
        phase2="autheap=MD5"

#  Uncomment the following to perform server certificate validation.
#		ca_cert="/etc/freeradius/certs/ca.der"
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

ttls-mschapv2:

#
#   eapol_test -c ttls-mschapv2.conf -s testing123
#
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="hzlarm"
    anonymous_identity="anonymous"
    password="hzlarm123"
    phase2="autheap=MSCHAPV2"

    #  Uncomment the following to perform server certificate validation.
    #ca_cert="/etc/freeradius/certs/ca.pem"
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

ttls-pap:

#
#   eapol_test -c ttls-pap.conf -s testing123
#
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="hzlarm"
        anonymous_identity="anonymous"
        password="hzlarm123"
        phase2="auth=PAP"
 
#  Uncomment the following to perform server certificate validation.
#		ca_cert="/etc/freeradius/certs/ca.der"
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

#eap的配置文件，默认tls，ttls,peap都包含，不需要的可以把相应的字段注释掉即可。
## /etc/raddb/eap.conf or/etc/freeradius/mods-available/eap

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##      $Id$


eap {
    #eap未指定时，默认的类型。
    default_eap_type = peap
    #default_eap_type = ttls
    #default_eap_type = tls

    #关联EAP请求数据包的列表，超时会被删除。
    timer_expire     = 60

    #是否忽略不支持的eap请求。
    ignore_unknown_eap_types = no

    # Cisco 用户名bug
    cisco_accounting_username_bug = no

    #限制服务器正在跟踪的会话数，有助于防止DoS攻击。此命令取自radiusdus.conf中的“max_requests”指令。
    max_sessions = ${max_requests}

    # Supported EAP-types
    ## EAP-TLS
    tls {
        #
        #  These is used to simplify later configurations.
        #
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs

        #private_key_password = whatever
        private_key_file = ${certdir}/srv.key

        certificate_file = ${certdir}/srv.crt

        CA_file = ${cadir}/ca.crt

        #
        #  For DH cipher suites to work, you have to
        #  run OpenSSL to create the DH file first:
        #
        #       openssl dhparam -out certs/dh 1024
        #
        dh_file = ${certdir}/dh
        random_file = /dev/urandom

        #       fragment_size = 1024
        #       include_length = yes
        #       check_crl = yes

        #       check_all_crl = yes

        CA_path = ${cadir}

        #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
        #       check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
        # 如果客户端是TLS1.0要加这个否则失败
        #(6) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
		#(6) eap_tls: (TLS) send TLS 1.0 Alert, fatal protocol_version
		#(6) eap_tls: ERROR: (TLS) Alert write:fatal:protocol version
        #tls_min_version = "1.0"
        #tls_max_version = "1.2"
        #cipher_list = "DEFAULT@SECLEVEL=0"
        #       virtual_server = check-eap-tls

        #使用freeradius -X调试时,默认使用该命令生成证书。
        make_cert_command = "${certdir}/bootstrap"
        ecdh_curve = "prime256v1"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
        verify {
            #tmpdir = /tmp/radiusd
            #client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }

    #PEAP模块需要安装TLS模块并进行配置，以便使用TLS隧道在EAP数据包内。TTLS不需要客户端证书
    #  You can make PEAP require a client cert by setting
    #       EAP-TLS-Require-Client-Cert = Yes
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        #       proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        #      soh = yes
        #      soh_virtual_server = "soh-server"
    }
    
    #TTLS模块需要安装TLS模块并进行配置，以便使用TLS隧道在EAP数据包内。TTLS不需要客户端证书
    #  You can make TTLS require a client cert by setting
    #       EAP-TLS-Require-Client-Cert = Yes
    ttls {
        default_eap_type = md5 
        # allowed values: {no, yes}
        copy_request_to_tunnel = no
        # allowed values: {no, yes}
        use_tunneled_reply = no

        virtual_server = "inner-tunnel"
        #       include_length = yes
    }   

    #
    #  This takes no configuration.
    #
    mschapv2 {
    # send_error = no
    }
    md5 {
    }
    gtc{
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130