主页 / server / 问题 / 1064433
Accepted
Lasse Michael Mølgaard
Asked: 2021-05-23 15:27:48 +0800 CST

如何设置代理半径服务器 (FreeRadius 3)

  • 772

我正在尝试设置一个代理 Freeradius 服务器,将所有请求转发到另一个 Freeradius 服务器。

参考如下图:

通过 VPN 的代理半径服务器

此设置的原因是我希望用户通过 VPN 连接到本地 LAN,但由于 ISP 的 NAT 实施,本地站点无法访问。

但是,我能够建立从本地 LAN 到 VPN 服务器的 site2site VPN 连接,因此我希望用户能够通过公共 VPN 服务器与本地网络建立 VPN 连接,前提是他们是本地网络上的有效用户.

我有一个在本地 LAN 上运行的 Freeradius 服务器,可以根据数据库验证用户 - 这部分工作正常。

配置VPN服务器端

据我了解,我唯一需要在服务器上修改的是文件proxy.conf

假设登录 VPN 的用户名在表单上,[email protected]​​那么我只需将以下条目添加到proxy.conf

realm example.com {
    type = radius
    secret = VeryS3cretPassw0rd

    authhost = local-radius.example.com:1812
    accthost = local-radius.example.com:1813

    nostrip
}

nostrip条目确保代理请求不会@从用户名中删除 -postfix。

我还需要将以下内容添加到/etc/hosts

   # VPN Address of local-radius.example.com
 
   192.168.100.2   local-radius.example.com

配置本地radius服务器端

在本地半径服务器上,我需要更新client.conf,以便对本地半径服务器和源自 VPN ip 地址的任何查询都是允许的。比如这个条目:

client vpn-net {

        # Allow requests originating from VPN subnet.

        ipaddr          = 192.168.100.0/24
        secret          = VeryS3cretPassw0rd
}

在 VPN 服务器上运行以下命令按预期工作:

radtest -t mschap [email protected] SecretPassword local-radius.example.com:1812 0 VeryS3cretPassw0rd

我收到以下回复:

Sent Access-Request Id 108 from 0.0.0.0:47466 to 192.168.100.2:1812 length 148
        User-Name = "[email protected]"
        MS-CHAP-Password = "SecretPassword "
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "SecretPassword"
        MS-CHAP-Challenge = ....
        MS-CHAP-Response = ...
Received Access-Accept Id 108 from 192.168.100.2:1812 to 192.168.100.1:47466 length 84
        MS-CHAP-MPPE-Keys = ...
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4

但是在 VPN 服务器上运行以下命令失败:

radtest -t mschap [email protected] SecretPassword localhost:18120 0 testing123

该命令的输出是:

Sent Access-Request Id 104 from 0.0.0.0:39558 to 127.0.0.1:18120 length 148
        User-Name = "[email protected]"
        MS-CHAP-Password = "SecretPassword"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "SecretPassword"
        MS-CHAP-Challenge = ...
        MS-CHAP-Response = ...
Received Access-Reject Id 104 from 127.0.0.1:18120 to 127.0.0.1:39558 length 20
(0) -: Expected Access-Accept got Access-Reject

在 VPN 服务器上运行命令freeradius -X会给出以下输出:

(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.com" for User-Name = "[email protected]"
(0) suffix: Found realm "example.com"
(0) suffix: Adding Realm = "example.com"
(0) suffix: Proxying request from user [email protected] to realm example.com
(0) suffix: Preparing to proxy authentication request to realm "example.com"
(0)     [suffix] = updated
(0) ntdomain: Request already has destination realm set.  Ignoring
(0)     [ntdomain] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = updated
(0) There was no response configured: rejecting request

在本地网络上监视 freeradius 表明从未从 vpn 服务器调用该服务器,所以我错过了什么?

proxy freeradius freeradius2

1 个回答

  1. Best Answer

    我不太确定发生了什么,但是在服务器上完全重新安装 Freeradius 后,代理请求没有问题。

    为简单起见,您可以将代理服务器指向本地半径服务器的 VPN ip 地址,基本上就是这样。

    假设您有一个全新安装的 Freeradius,那么您只需要proxy.conf使用以下设置进行修改:

    realm example.com {
    type = radius
    secret = VeryS3cretPassw0rd

    # Connect to the VPN IP adress of local radius server.
    authhost = 192.168.100.2:1812
    accthost = 192.168.100.2:1813

    nostrip
}

    此外,在使用以下方式测试用户登录时radtest:不要测试localhost:18120因为您仅针对VPN 上的本地用户进行测试,因为它映射到inner-tunnel虚拟服务器。

    您应该测试它,localhost:1812因为它映射到default虚拟服务器。

    针对代理服务器的测试给了我以下输出freeradius -x

    (0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.com" for User-Name = "[email protected]"
(0) suffix: Found realm "example.com"
(0) suffix: Adding Stripped-User-Name = "user"
(0) suffix: Adding Realm = "example.com"
(0) suffix: Proxying request from user user to realm example.com
(0) suffix: Preparing to proxy authentication request to realm "example.com"
(0)     [suffix] = updated
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = updated
(0) Starting proxy to home server 192.168.100.2 port 1812
(0) server default {
(0) }
(0) Proxying request to home server 192.168.100.2 port 1812 timeout 14.000000
(0) Sent Access-Request Id 191 from 127.0.0.1:45143 to 192.168.100.2:1812 length 142
(0)   User-Name = "user"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0)   Message-Authenticator = ...
(0)   MS-CHAP-Challenge = ...
(0)   MS-CHAP-Response = ...
(0)   Event-Timestamp = "May 24 2021 17:18:40 CEST"
(0)   Proxy-State = 0x313133
Waking up in 0.3 seconds.
(0) Marking home server 192.168.100.2 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 191 from 192.168.100.2:1812 to 192.168.100.1:45143 length 89
(0)   MS-CHAP-MPPE-Keys = ...
(0)   MS-MPPE-Encryption-Policy = Encryption-Required
(0)   MS-MPPE-Encryption-Types = 4
(0)   Proxy-State = 0x313133

    重要的闭幕词

    似乎代理的工作方式随着 Freeradius 的每个主要版本而改变。

    我使用的语法与 Freeradius 的第 2 版兼容,但在第 3 版中被认为已过时。这里推荐的方法是将领域home_server_pools指向一个或多个home_servers.

    虽然已经过时 - 它仍然适用于版本 3。:-)

    但是:在 Freeradius 版本 4 中,设置代理服务器时一切都再次发生了变化,因此我们需要学习一种配置服务器的新方法。

    了解更多信息。请访问此链接:

    https://wiki.freeradius.org/upgrading/version4/proxy

    • 0

相关问题