如何設置代理半徑伺服器 (FreeRadius 3)
我正在嘗試設置一個代理 Freeradius 伺服器,將所有請求轉發到另一個 Freeradius 伺服器。
參考如下圖:
此設置的原因是我希望使用者通過 VPN 連接到本地 LAN,但由於 ISP 的 NAT 實施,本地站點無法訪問。
但是,我能夠建立從本地 LAN 到 VPN 伺服器的 site2site VPN 連接,因此我希望使用者能夠通過公共 VPN 伺服器與本地網路建立 VPN 連接,前提是他們是本地網路上的有效使用者.
我有一個在本地 LAN 上執行的 Freeradius 伺服器,它根據數據庫驗證使用者 - 這部分工作正常。
配置VPN伺服器端
據我了解,我唯一需要在伺服器上修改的是文件
proxy.conf。假設登錄 VPN 的使用者名在表單上,
users@example.com那麼我只需將以下條目添加到proxy.conf:realm example.com { type = radius secret = VeryS3cretPassw0rd authhost = local-radius.example.com:1812 accthost = local-radius.example.com:1813 nostrip }該
nostrip條目確保代理請求不會@從使用者名中刪除 -postfix。我還需要將以下內容添加到
/etc/hosts:# VPN Address of local-radius.example.com 192.168.100.2 local-radius.example.com配置本地radius伺服器端
在本地半徑伺服器上,我需要更新
client.conf,以便對本地半徑伺服器和源自 VPN ip 地址的任何查詢都是允許的。比如這個條目:client vpn-net { # Allow requests originating from VPN subnet. ipaddr = 192.168.100.0/24 secret = VeryS3cretPassw0rd }在 VPN 伺服器上執行以下命令按預期工作:
radtest -t mschap user@example.com SecretPassword local-radius.example.com:1812 0 VeryS3cretPassw0rd我收到以下回复:
Sent Access-Request Id 108 from 0.0.0.0:47466 to 192.168.100.2:1812 length 148 User-Name = "user@example.com" MS-CHAP-Password = "SecretPassword " NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "SecretPassword" MS-CHAP-Challenge = .... MS-CHAP-Response = ... Received Access-Accept Id 108 from 192.168.100.2:1812 to 192.168.100.1:47466 length 84 MS-CHAP-MPPE-Keys = ... MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4但是在 VPN 伺服器上執行以下命令失敗:
radtest -t mschap user@example.com SecretPassword localhost:18120 0 testing123該命令的輸出是:
Sent Access-Request Id 104 from 0.0.0.0:39558 to 127.0.0.1:18120 length 148 User-Name = "user@example.com" MS-CHAP-Password = "SecretPassword" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "SecretPassword" MS-CHAP-Challenge = ... MS-CHAP-Response = ... Received Access-Reject Id 104 from 127.0.0.1:18120 to 127.0.0.1:39558 length 20 (0) -: Expected Access-Accept got Access-Reject在 VPN 伺服器上執行命令
freeradius -X會給出以下輸出:(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "example.com" for User-Name = "user@example.com" (0) suffix: Found realm "example.com" (0) suffix: Adding Realm = "example.com" (0) suffix: Proxying request from user user@example.com to realm example.com (0) suffix: Preparing to proxy authentication request to realm "example.com" (0) [suffix] = updated (0) ntdomain: Request already has destination realm set. Ignoring (0) [ntdomain] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) } # authorize = updated (0) There was no response configured: rejecting request在本地網路上監視 freeradius 表明從未從 vpn 伺服器呼叫該伺服器,所以我錯過了什麼?
我不太確定發生了什麼,但是在伺服器上完全重新安裝 Freeradius 後,代理請求沒有問題。
為簡單起見,您可以將代理伺服器指向本地半徑伺服器的 VPN ip 地址,基本上就是這樣。
假設您有一個全新安裝的 Freeradius,那麼您只需要
proxy.conf使用以下設置進行修改:realm example.com { type = radius secret = VeryS3cretPassw0rd # Connect to the VPN IP adress of local radius server. authhost = 192.168.100.2:1812 accthost = 192.168.100.2:1813 nostrip }此外,在使用以下方式測試使用者登錄時
radtest:不要測試,localhost:18120因為您僅針對VPN 上的本地使用者進行測試,因為它映射到inner-tunnel虛擬伺服器。您應該測試它,
localhost:1812因為它映射到default虛擬伺服器。針對代理伺服器的測試給了我以下輸出
freeradius -x(0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "example.com" for User-Name = "user@example.com" (0) suffix: Found realm "example.com" (0) suffix: Adding Stripped-User-Name = "user" (0) suffix: Adding Realm = "example.com" (0) suffix: Proxying request from user user to realm example.com (0) suffix: Preparing to proxy authentication request to realm "example.com" (0) [suffix] = updated (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) } # authorize = updated (0) Starting proxy to home server 192.168.100.2 port 1812 (0) server default { (0) } (0) Proxying request to home server 192.168.100.2 port 1812 timeout 14.000000 (0) Sent Access-Request Id 191 from 127.0.0.1:45143 to 192.168.100.2:1812 length 142 (0) User-Name = "user" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 0 (0) Message-Authenticator = ... (0) MS-CHAP-Challenge = ... (0) MS-CHAP-Response = ... (0) Event-Timestamp = "May 24 2021 17:18:40 CEST" (0) Proxy-State = 0x313133 Waking up in 0.3 seconds. (0) Marking home server 192.168.100.2 port 1812 alive (0) Clearing existing &reply: attributes (0) Received Access-Accept Id 191 from 192.168.100.2:1812 to 192.168.100.1:45143 length 89 (0) MS-CHAP-MPPE-Keys = ... (0) MS-MPPE-Encryption-Policy = Encryption-Required (0) MS-MPPE-Encryption-Types = 4 (0) Proxy-State = 0x313133重要的閉幕詞
似乎代理的工作方式隨著 Freeradius 的每個主要版本而改變。
我使用的語法與 Freeradius 的第 2 版兼容,但在第 3 版中被認為已過時。這裡推薦的方法是將領域
home_server_pools指向一個或多個home_servers.雖然已經過時 - 它仍然適用於版本 3。:-)
但是:在 Freeradius 版本 4 中,設置代理伺服器時一切都再次發生了變化,因此我們需要學習一種配置伺服器的新方法。
了解更多資訊。請訪問此連結: