Különbségek

A kiválasztott változat és az aktuális verzió közötti különbségek a következők.

--- linux:freeradius [2025/09/08 20:13] – riba.zoltan
+++ linux:freeradius [2025/09/10 11:05] (aktuális) – [Kerberos hitelesítés] riba.zoltan
@@ Sor 285: / Sor 285: @@
 	EAP-Id = 245
 	EAP-Code = Success
+</code>
+==== LDAP hitelesítés ====
+Szükséges csomagok telepítése
+<code>
+# dnf install freeradius freeradius-utils freeradius-ldap
+</code>
+Létre kell hozni az ldap szimbolikus linket
+<code>
+# ln -s ../mods-available/ldap /etc/raddb/mods-enabled/ldap
+</code>
+Menteni kell a /etc/raddb/mods-available/ldap állományt majd módosítani a tartalmát
+<code>
+# [ ! -e /etc/raddb/mods-available/ldap.orig ] && cp -a /etc/raddb/mods-available/ldap /etc/raddb/mods-available/ldap.orig
+cat > /etc/raddb/mods-available/ldap <<'EOF'
+ldap {
+	server = 'ldaps://dc1.adomain.lan'
+	identity = 'cn=radiusbind,cn=users,dc=adomain,dc=lan'
+	password = 12345678
+	base_dn = 'dc=adomain,dc=lan'
+	update {
+		control:Password-With-Header += 'userPassword'
+		control: += 'radiusControlAttribute'
+		request: += 'radiusRequestAttribute'
+		reply: += 'radiusReplyAttribute'
+	}
+	user {
+		base_dn = "${..base_dn}"
+		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
+	}
+	group {
+		base_dn = "${..base_dn}"
+		filter = '(objectClass=posixGroup)'
+		membership_attribute = 'memberOf'
+	}
+	client {
+		base_dn = "${..base_dn}"
+		filter = '(objectClass=radiusClient)'
+		attribute {
+			ipaddr = 'radiusClientIdentifier'
+			secret = 'radiusClientSecret'
+		}
+	}
+	accounting {
+		reference = "%{tolower:type.%{Acct-Status-Type}}"
+		type {
+			start {
+				update {
+					description := "Online at %S"
+				}
+			}
+			interim-update {
+				update {
+					description := "Last seen at %S"
+				}
+			}
+			stop {
+				update {
+					description := "Offline at %S"
+				}
+			}
+		}
+	}
+	post-auth {
+		update {
+			description := "Authenticated at %S"
+		}
+	}
+	options {
+		chase_referrals = yes
+		rebind = yes
+		res_timeout = 10
+		srv_timelimit = 3
+		net_timeout = 1
+		idle = 60
+		probes = 3
+		interval = 3
+		ldap_debug = 0x0028
+	}
+	tls {
+		start_tls = no
+		require_cert = 'allow'
+	}
+	pool {
+		start = ${thread[pool].start_servers}
+		min = ${thread[pool].min_spare_servers}
+		max = ${thread[pool].max_servers}
+		spare = ${thread[pool].max_spare_servers}
+		uses = 0
+		retry_delay = 30
+		lifetime = 0
+		idle_timeout = 60
+	}
+}
+EOF
+</core>
+Menteni kell a /etc/raddb/sites-available/default állományt majd módosítani a tartalmát
+<code>
+# [ ! -e /etc/raddb/sites-available/default.orig ] && cp -a /etc/raddb/sites-available/default /etc/raddb/sites-available/default.orig
+cat > /etc/raddb/sites-available/default <<'EOF'
+server default {
+	listen {
+		type = auth
+		ipaddr = *
+		port = 0
+		limit {
+			max_connections = 16
+			lifetime = 0
+			idle_timeout = 30
+		}
+	}
+	listen {
+		ipaddr = *
+		port = 0
+		type = acct
+		limit {
+		}
+	}
+	listen {
+		type = auth
+		ipv6addr = ::	# any.  ::1 == localhost
+		port = 0
+		limit {
+			max_connections = 16
+			lifetime = 0
+			idle_timeout = 30
+		}
+	}
+	listen {
+		ipv6addr = ::
+		port = 0
+		type = acct
+		limit {
+		}
+	}
+	authorize {
+		filter_username
+		preprocess
+		chap
+		mschap
+		digest
+		suffix
+		eap {
+			ok = return
+		}
+		files
+		-sql
+		ldap
+		if ((ok || updated) && User-Password && !control:Auth-Type) {
+			update {
+				control:Auth-Type := ldap
+			}
+		}
+		expiration
+		logintime
+		pap
+	}
+	authenticate {
+		Auth-Type PAP {
+			pap
+		}
+		Auth-Type CHAP {
+			chap
+		}
+		Auth-Type MS-CHAP {
+			mschap
+		}
+		mschap
+		digest
+		Auth-Type LDAP {
+			ldap
+		}
+		eap
+	}
+	preacct {
+		preprocess
+		acct_unique
+		suffix
+		files
+	}
+	accounting {
+		detail
+		unix
+		-sql
+		exec
+		attr_filter.accounting_response
+	}
+	session {
+	}
+post-auth {
+		if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
+			update reply {
+				&User-Name !* ANY
+			}
+		}
+		update {
+			&reply: += &session-state:
+		}
+		-sql
+		exec
+		remove_reply_message_if_eap
+		Post-Auth-Type REJECT {
+			-sql
+			attr_filter.access_reject
+			eap
+			remove_reply_message_if_eap
+		}
+		Post-Auth-Type Challenge {
+		}
+	}
+	pre-proxy {
+	}
+	post-proxy {
+		eap
+	}
+}
+EOF
+</code>
+Menteni kell a /etc/raddb/sites-available/inner-tunnel állományt majd módosítani a tartalmát
+<code>
+# [ ! -e /etc/raddb/sites-available/inner-tunnel.orig ] && cp -a /etc/raddb/sites-available/inner-tunnel /etc/raddb/sites-available/inner-tunnel.orig
+cat > /etc/raddb/sites-available/inner-tunnel <<'EOF'
+server inner-tunnel {
+	listen {
+		ipaddr = 127.0.0.1
+		port = 18120
+		type = auth
+	}
+	authorize {
+		filter_username
+		chap
+		mschap
+		suffix
+		update control {
+			&Proxy-To-Realm := LOCAL
+		}
+		eap {
+			ok = return
+		}
+		files
+		-sql
+		ldap
+		if ((ok || updated) && User-Password && !control:Auth-Type) {
+			update {
+				control:Auth-Type := ldap
+			}
+		}
+		expiration
+		logintime
+		pap
+	}
+	authenticate {
+		Auth-Type PAP {
+			pap
+		}
+		Auth-Type CHAP {
+			chap
+		}
+		Auth-Type MS-CHAP {
+			mschap
+		}
+		mschap
+		Auth-Type LDAP {
+			ldap
+		}
+		eap
+	}
+	session {
+		radutmp
+	}
+	post-auth {
+		-sql
+		if (0) {
+			update reply {
+				User-Name !* ANY
+				Message-Authenticator !* ANY
+				EAP-Message !* ANY
+				Proxy-State !* ANY
+				MS-MPPE-Encryption-Types !* ANY
+				MS-MPPE-Encryption-Policy !* ANY
+				MS-MPPE-Send-Key !* ANY
+				MS-MPPE-Recv-Key !* ANY
+			}
+			update {
+				&outer.session-state: += &reply:
+			}
+		}
+		Post-Auth-Type REJECT {
+			-sql
+			attr_filter.access_reject
+			update outer.session-state {
+				&Module-Failure-Message := &request:Module-Failure-Message
+			}
+		}
+	}
+	pre-proxy {
+	}
+	post-proxy {
+		eap
+	}
+}
+EOF
+</code>
+Újra kell indítani a radiusd szolgáltatást
+<code>
+# systemctl restart radiusd
+</code>
+Létre kell hozni a DC-n a radiusbind felhasználót akinek a jelszava nem jár le
+<code>
+# samba-tool user create radiusbind 12345678
+# samba-tool user setexpiry radiusbind --noexpiry
+</code>
+Tesztelhető a szolgáltatás
+<code>
+# radtest teszt.elek 12345678 127.0.0.1 0 testing123
+Sent Access-Request Id 158 from 0.0.0.0:39864 to 127.0.0.1:1812 length 80
+	User-Name = "teszt.elek"
+	User-Password = "12345678"
+	NAS-IP-Address = 192.168.110.11
+	NAS-Port = 0
+	Cleartext-Password = "12345678"
+Received Access-Accept Id 158 from 127.0.0.1:1812 to 127.0.0.1:39864 length 38
+	Message-Authenticator = 0xf111666b349fe1dcc5ea191026805f2d
 </code>
@@ Sor 293: / Sor 694: @@
 <code>
 # dnf install freeradius freeradius-utils freeradius-krb5 krb5-workstation
+</code>
+Hozzunk létre egy felhasználót a DC.n
+<code>
+# samba-tool user add radius-svc --random-password
+User 'radius-svc' added successfully
+</code>
+Hozzunk létre SPN-t a radius szervernek
+<code>
+# samba-tool spn add radius/dc1.adomain.lan radius-svc
+</code>
+Ellenőrizzük az SPN-t
+<code>
+# ldbsearch -H ldap://localhost -U administrator '(servicePrincipalName=radius/dc1.adomain.lan)' sAMAccountName servicePrincipalName
+Password for [ADOMAIN\administrator]:
+# record 1
+dn: CN=radius-svc,CN=Users,DC=adomain,DC=lan
+sAMAccountName: radius-svc
+servicePrincipalName: radius/dc1.adomain.lan
+# Referral
+ref: ldap://adomain.lan/CN=Configuration,DC=adomain,DC=lan
+# Referral
+ref: ldap://adomain.lan/DC=DomainDnsZones,DC=adomain,DC=lan
+# Referral
+ref: ldap://adomain.lan/DC=ForestDnsZones,DC=adomain,DC=lan
+# returned 4 records
+# 1 entries
+# 3 referrals
+</code>
+Ez a lépés nem kötelező . Beállíthatjuk a titkosítást a felhasználói fiók esetében.
+<code>
+# cat > ~/encryption-mod.ldif <<'EOF'
+dn: CN=radius-svc,CN=Users,DC=adomain,DC=lan
+changetype: modify
+replace: msDS-SupportedEncryptionTypes
+msDS-SupportedEncryptionTypes: 24
+EOF
+# ldbmodify -H ldap://localhost -U administrator ~/encryption-mod.ldif
+Password for [ADOMAIN\administrator]:
+Modified 1 records successfully
+</code>
+Exportáljuk a keytab-ot
+<code>
+# samba-tool domain exportkeytab /root/radius.keytab --principal=radius/dc1.adomain.lan
+Export one principal to /root/radius.keytab
+</code>
+Ellenőrizzük a keytab tartalmát
+<code>
+# klist -k -e /root/radius.keytab
+Keytab name: FILE:/root/radius.keytab
+KVNO Principal
+---- --------------------------------------------------------------------------
+radius/dc1.adomain.lan@ADOMAIN.LAN (aes256-cts-hmac-sha1-96)
+radius/dc1.adomain.lan@ADOMAIN.LAN (aes128-cts-hmac-sha1-96)
+</code>
+Másoljuk be a keytabot a megfelelő helyre és állítsuk be a jogosultságot
+<code>
+# cp -a /root/radius.keytab /var/lib/radiusd/keytab
+# chown radiusd:radiusd /var/lib/radiusd/keytab
+# chmod 0600 /var/lib/radiusd/keytab
+</code>
+Mentsük le az eredeti kerberos konfigurációt
+<code>
+# [ ! -f /etc/raddb/mods-available/krb5.orig ] && cp -a /etc/raddb/mods-available/krb5 /etc/raddb/mods-available/krb5.orig
+</code>
+Módosítsuk a konfigurációt
+<code>
+# cat > /etc/raddb/mods-available/krb5 <<'EOF'
+krb5 {
+	keytab = ${localstatedir}/lib/radiusd/keytab
+	service_principal = radius/dc1.adomain.lan
+	pool {
+		start = ${thread[pool].start_servers}
+		min = ${thread[pool].min_spare_servers}
+		max = ${thread[pool].max_servers}
+		spare = ${thread[pool].max_spare_servers}
+		uses = 0
+		lifetime = 0
+		idle_timeout = 0
+	}
+}
+EOF
+</code>
+Engedélyezzük a konfigurációt
+<code>
+# ln -s ../mods-available/krb5 /etc/raddb/mods-enabled/krb5
+</code>
+Indítsuk újra a szolgáltatást
+<code>
+# systemctl restart radiusd
+</code>
+Teszteljük a kapcsolatot
+<code>
+# radtest -t pap teszt.elek '12345678' localhost 0 testing123
+Sent Access-Request Id 176 from 0.0.0.0:36009 to 127.0.0.1:1812 length 80
+	User-Name = "teszt.elek"
+	User-Password = "12345678"
+	NAS-IP-Address = 192.168.110.11
+	NAS-Port = 0
+	Cleartext-Password = "12345678"
+Received Access-Accept Id 176 from 127.0.0.1:1812 to 127.0.0.1:36009 length 38
+	Message-Authenticator = 0x662c8de328ec1703342d74ece4225877
 </code>