Calling FreeRADIUS from a Python client to implement authentication and authorization

1. Installing FreeRADIUS on Ubuntu as the RADIUS server

apt install freeradius

2. RADIUS server configuration

1) RADIUS clients that are allowed to connect
cat /etc/freeradius/3.0/clients.conf
2) Format of the configuration file that stores user login information
cat /etc/freeradius/3.0/mods-config/files/authorize
3. Client example

The pyrad module must be installed in order to use the RADIUS client Python interface.
# pip install pyrad
from pyrad.client import Client
from pyrad.dictionary import Dictionary
import pyrad.packet

'''
dictionary is a file; cat dictionary shows:
# Following are the proper new names. Use these.
#
ATTRIBUTE User-Name 1 string
ATTRIBUTE User-Password 2 string
ATTRIBUTE CHAP-Password 3 octets
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Framed-IP-Netmask 9 ipaddr
ATTRIBUTE Framed-Routing 10 integer
ATTRIBUTE Filter-Id 11 string
ATTRIBUTE Framed-MTU 12 integer
ATTRIBUTE Framed-Compression 13 integer
ATTRIBUTE Login-IP-Host 14 ipaddr
ATTRIBUTE Login-Service 15 integer
ATTRIBUTE Login-TCP-Port 16 integer
ATTRIBUTE Reply-Message 18 string
ATTRIBUTE Callback-Number 19 string
ATTRIBUTE Callback-Id 20 string
ATTRIBUTE Framed-Route 22 string
ATTRIBUTE Framed-IPX-Network 23 ipaddr
ATTRIBUTE State 24 octets
ATTRIBUTE Class 25 octets
ATTRIBUTE Vendor-Specific 26 octets
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Idle-Timeout 28 integer
ATTRIBUTE Termination-Action 29 integer
ATTRIBUTE Called-Station-Id 30 string
ATTRIBUTE Calling-Station-Id 31 string
ATTRIBUTE NAS-Identifier 32 string
'''

def radius_auth(UserName, passwd):
    try:
        srv = Client(server="172.18.4.211", authport=1812, secret=b"testing12",
                     dict=Dictionary("/opt/mr/sshmgr/dictionary"), timeout=7)
        req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest, User_Name=UserName)
        # Hide the password with the shared secret and the request authenticator (RFC 2865)
        req["User-Password"] = req.PwCrypt(passwd)
        reply = srv.SendPacket(req)
    except Exception as e:
        print('radius request failed:', e)
        return None
    if reply.code == pyrad.packet.AccessAccept:
        print("radius auth success.")
    else:
        return None
    # Authorization: the role is carried in a Reply-Message of the form WY-MimicMr-<role>
    if 'Reply-Message' not in reply.keys():
        return None
    if 'WY-MimicMr' not in reply['Reply-Message'][0]:
        return None
    return reply['Reply-Message'][0].split('-')[-1]

print(radius_auth('radius_user1', '123456'))
print(radius_auth('radius_user2', '123456'))
print(radius_auth('user-admin1', '123456'))
print(radius_auth('user-viewer1', '123456'))

'''
root@MR-HEU:/opt/mr/sshmgr# python3 rad_test.py
None
None
radius auth success.
admin
radius auth success.
viewer
root@MR-HEU:/opt/mr/sshmgr#
'''

Reading the server list from a configuration file, with support for authenticating against multiple servers
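What req.PwCrypt(passwd) puts on the wire, as an added example that is not part of the original post or of pyrad: the RFC 2865 User-Password hiding written with only the standard library, so the round trip and the effect of a mismatched shared secret can be checked offline. The secret and the sample password are assumed values.

```python
import hashlib
import os

# Constructed value for the demonstration: the shared secret that the client and
# the server's clients.conf entry are both assumed to hold.
SHARED_SECRET = b"testing123"


def hide_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (what pyrad's req.PwCrypt() does).

    The password is NUL-padded to a multiple of 16 bytes; each 16-byte chunk is
    XORed with MD5(secret + previous chunk), the first chunk using the 16-byte
    Request Authenticator that pyrad generates per Access-Request. This is not a
    cipher in the modern sense: everything rests on the shared secret, which is
    why the two sides must hold exactly the same value.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    buf = password.encode("utf-8")
    if len(buf) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    buf += b"\x00" * (-len(buf) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(buf), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(buf[i:i + 16], mask))
        hidden += chunk
        prev = chunk
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server-side reversal; trailing NUL padding is stripped."""
    clear = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return clear.rstrip(b"\x00")


if __name__ == "__main__":
    ra = os.urandom(16)
    hidden = hide_password("123456", SHARED_SECRET, ra)
    print(unhide_password(hidden, SHARED_SECRET, ra))   # b'123456'
    print(unhide_password(hidden, b"testing12", ra))    # unreadable: secret mismatch
```

The second print is the failure mode behind the "secret must match exactly" note later on: with a different secret the server recovers garbage and rejects the request.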
# radius auth by wsq 20220401
import logging

from pyrad.client import Client
from pyrad.dictionary import Dictionary
import pyrad.packet

'''
cat /etc/sysctl.d/pam_radius_auth.conf
# radius config file template by wsq 20220401
# server[:port] shared_secret timeout (s)
172.18.4.211:1812 testing123 7
172.18.4.212:1812 testing 7
'''

def radius_auth(UserName, passwd):
    conf_list = []
    try:
        with open('/etc/sysctl.d/pam_radius_auth.conf') as f:
            for config in f.readlines():
                # Skip comments and blank lines (a blank line would otherwise raise IndexError below)
                if not config.strip() or config[0] == '#':
                    continue
                conf = config.split()  # splits on any run of spaces or tabs
                ip = conf[0].split(':')[0]
                port = int(conf[0].split(':')[1])
                secret = bytes(conf[1], encoding="utf8")
                timeout = int(conf[2])
                temp = [ip, port, secret, timeout]
                conf_list.append(temp)
    except Exception as e:
        logging.warning("open pam_radius_auth.conf fail. %s" % e)
        return None
    # Try each server in order; move to the next one only on a transport error / timeout
    for conf in conf_list:
        try:
            srv = Client(server=conf[0], authport=conf[1], secret=conf[2],
                         dict=Dictionary("/opt/mr/sshmgr/dictionary"), timeout=conf[3])
            req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest, User_Name=UserName)
            req["User-Password"] = req.PwCrypt(passwd)
            reply = srv.SendPacket(req)
        except Exception as e:
            logging.warning("radius server %s auth user %s fail." % (conf[0], UserName))
            continue
        else:
            # An explicit Access-Reject ends the attempt; it is not retried on the next server
            if reply.code == pyrad.packet.AccessAccept:
                logging.info("radius auth user %s success." % UserName)
            else:
                return None
            if 'Reply-Message' not in reply.keys():
                return None
            if 'WY-MimicMr' not in reply['Reply-Message'][0]:
                return None
            return reply['Reply-Message'][0].split('-')[-1]

print(radius_auth('user-admin1', '123456'))

4. Configuring pam_radius_auth on Ubuntu 14.04 for SSH and telnet login authentication
First, install libpam-radius-auth:

apt-get install libpam-dev
apt-get install libpam-radius-auth

# Installing from source:
# wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
# tar -xzvf pam_radius-1.4.0.tar.gz
# cd pam_radius-release_1_4_0/
# ./configure
# make

After installation, the compiled pam_radius_auth.so and pam_radius_auth.conf are placed at
/lib/security/pam_radius_auth.so and /etc/pam_radius_auth.conf respectively.
On 64-bit Ubuntu 14.04 and later:
copy pam_radius_auth.so to the PAM module library path /lib/x86_64-linux-gnu/security/
copy pam_radius_auth.conf to the system configuration path /etc/sysctl.d/

cp pam_radius_auth.conf /etc/sysctl.d/

Set the permissions of pam_radius_auth.conf to 0600 (it contains the shared secret):

cd /etc/sysctl.d/; chmod 0600 pam_radius_auth.conf

In pam_radius_auth.conf, configure the initialisation information that the RADIUS client (pam_radius) uses to talk to the RADIUS server, which includes:
① RADIUS server IP (required)
② RADIUS server port (may be omitted; the default is 1812 for authentication/authorization or 1813 for accounting)
③ shared_secret (required)
④ timeout (required)
Note: the shared_secret field here must match exactly the secret field in the client configuration file /etc/raddb/clients.conf on the RADIUS server.
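A parser and permission check for this pam_radius_auth.conf format, added here as an example (it is not the page's code and not part of pam_radius_auth). It reads the same file as the multi-server Python function above and goes slightly beyond it: tabs and blank lines are accepted, an omitted port falls back to 1812 as stated in the list, and a malformed server line is reported instead of silently dropped. The sample lines are constructed.

```python
import os
import stat

# Constructed sample in the page's "server[:port] shared_secret timeout" format.
SAMPLE_CONF = """\
# radius config file template
# server[:port] shared_secret timeout (s)
172.18.4.211:1812 testing123 7
172.18.4.212\ttesting\t7

10.0.0.5:1813 acct_secret 3
"""


def parse_pam_radius_conf(text: str, default_port: int = 1812) -> list:
    """Parse server lines into (host, port, secret, timeout) tuples.

    Comment and blank lines are skipped, fields may be separated by spaces or
    tabs, and a missing port falls back to 1812 (the authentication port).
    A line missing a required field raises ValueError rather than being skipped,
    because a silently ignored server entry would quietly defeat fail-over.
    """
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("line %d: expected 'server[:port] secret timeout'" % lineno)
        host, _, port = fields[0].partition(":")
        if not host:
            raise ValueError("line %d: server address is required" % lineno)
        port_num = int(port) if port else default_port
        timeout = int(fields[2])
        if not (0 < port_num < 65536) or timeout <= 0:
            raise ValueError("line %d: bad port or timeout" % lineno)
        servers.append((host, port_num, fields[1].encode("utf-8"), timeout))
    return servers


def conf_mode_is_private(path: str) -> bool:
    """True when the file mode is exactly 0600, as the setup above requires."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600
```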
vim pam_radius_auth.conf

(1) Configure telnet remote login to authenticate with RADIUS

Note: Ubuntu 14.04 has no PAM configuration file for telnet at /etc/pam.d/remote, so the configuration can only go in /etc/pam.d/login, as shown in the figure below.
Add the part in the yellow box; keep its position as shown and do not move it.
(2) Configure SSH remote login to authenticate with RADIUS

vim /etc/pam.d/sshd

Add the two parts in the yellow boxes; keep their positions as shown and do not move them.