L2TP – RADIUS Authentication

In an earlier write-up I summarized the two L2TP deployment modes, one with a LAC and one without; see 《L2TP两种部署方法简述》 (a brief overview of the two L2TP deployment methods) for details. Here I go through L2TP authentication in detail, but only authentication on the LNS (LAC authentication is similar), and only via an AAA server.

AAA Server

Common AAA protocols fall into two families: Cisco's TACACS+ and RADIUS. Cisco supports both through its ACS server; RADIUS implementations vary by vendor, with FreeRADIUS and daloRADIUS (a web front end on top of FreeRADIUS) being common choices. RADIUS uses two pairs of UDP ports:
http://en.wikipedia.org/wiki/RADIUS
1. 1812 for authentication and 1813 for accounting, the ports assigned by IANA
2. 1645 and 1646 (authentication and accounting), used unofficially in the past
The legacy 1645/1646 pair is still used by some clients, so for backwards compatibility most RADIUS servers listen on both pairs. Whichever pair is used, an Access-Request and its reply are protected only by an MD5 over the packet and the shared secret, so the strength of that secret and the list of NAS addresses the server accepts (the clients configuration further down) matter far more than the port numbers.

daloRADIUS

This is a web client that bundles MySQL and PHP, and it is very convenient. There are two ways to install it: one is an OVA file that you import straight into VMware and use, with everything bundled inside; the other is installing daloRADIUS, PHP and MySQL separately on Linux. The second method is too much hassle and I have not used it; I tried the first, but ran into some problems: for some reason the admin account could not be used. I even posted about it online, but nobody has responded yet:
https://sourceforge.net/p/daloradius/discussion/684102/thread/487fe3b8/

Along the way, though, I discovered a few useful VMware tricks:

1. Assign a static IP address to a NAT'd VMware guest
With NAT enabled the guest's address is handed out dynamically; to keep the guest easy to reach later, you can pin the NAT-side address. See the following thread:
Assign static IP to guest with NAT Virt Network Adaptor?

The steps (first read the guest's MAC address, then add a reservation for it in the vmnet8 dhcpd.conf on the Mac host):

root@lamp ~# ifconfig |grep HWaddr
eth0 Link encap:Ethernet HWaddr 00:0c:29:3d:d9:f5
mac:~ test$ find  /Library -name dhcpd.conf
find: /Library/Application Support/Apple/ParentalControls/Users: Permission denied
find: /Library/Caches/com.apple.coresymbolicationd: Permission denied
find: /Library/Caches/com.apple.Spotlight/schema.501.plist: Permission denied
find: /Library/Caches/com.apple.Spotlight/schema.89.plist: Permission denied
find: /Library/Caches/com.apple.Spotlight: Permission denied
find: /Library/McAfee/cma/scratch: Permission denied
/Library/Preferences/VMware Fusion/vmnet1/dhcpd.conf
/Library/Preferences/VMware Fusion/vmnet8/dhcpd.conf

mac:~ test$ su
Password:
sh-3.2#
sh-3.2# more /Library/Preferences/VMware Fusion/vmnet8/dhcpd.conf
/Library/Preferences/VMware: No such file or directory
Fusion/vmnet8/dhcpd.conf: No such file or directory
sh-3.2#
sh-3.2# cd /Library/Preferences/VMware\ Fusion/vmnet8/
sh-3.2# ls |grep dhcpd.conf
dhcpd.conf
dhcpd.conf.bak
sh-3.2#
sh-3.2# more dhcpd.conf

####### VMNET DHCP Configuration. End of "DO NOT MODIFY SECTION" #######
host radius-vm {
    hardware ethernet 00:0c:29:3d:d9:f5;
    fixed-address 192.168.255.100;
}
host windows {
    hardware ethernet 0:0c:29:06:96:1f;
    fixed-address 192.168.255.120;
}

2. Port forwarding for NAT'd VMware guests
Plain VMware NAT only lets the guest reach the outside; outside hosts cannot initiate connections inward through the NAT, so an external device (here, the LNS) cannot reach the guest directly. Fortunately VMware supports port forwarding, though only for TCP and UDP, not ICMP (see VMware Server NAT Configuration). The nat.conf file sits in the same directory as dhcpd.conf; edit it as shown below, where the four uncommented lines under [incomingudp] are the forwarding rules for the RADIUS ports. Keep in mind that this exposes the RADIUS server on every network the Mac itself is attached to, so the server's client list and shared secret become the only things limiting who can query it.

sh-3.2#  ls
dhcpd.conf	dhcpd.conf.bak	nat.conf	nat.conf.bak	nat.mac
sh-3.2# vi nat.conf
[incomingudp]
# UDP port forwarding example
#6000 = 172.16.3.0:6001
1812 = 192.168.255.100:1812
1813 = 192.168.255.100:1813
1645 = 192.168.255.100:1645
1646 = 192.168.255.100:1646
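The two steps above only work together: a forward in nat.conf is only reliable if its target address is pinned by a host reservation in dhcpd.conf, otherwise the guest may pick up a different lease and the forwarded RADIUS ports quietly point at nothing. The checker below is an added example, not code from the post or from VMware; it parses both files in the formats shown above and reports forwards whose target is not reserved. The two configuration texts are constructed samples (the fifth forward, to 192.168.255.130, is deliberately unpinned), and the file paths named in the docstring are the Fusion defaults from the transcript.

```python
"""Cross-check VMware Fusion NAT port forwards against DHCP reservations.

Added example. Reads the `host { ... }` blocks of
/Library/Preferences/VMware Fusion/vmnet8/dhcpd.conf and the
[incomingtcp]/[incomingudp] sections of nat.conf in the same directory,
then lists forwards whose guest address has no MAC reservation.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the vmnet8 dhcpd.conf shown in the post.
DHCPD_CONF = """
####### VMNET DHCP Configuration. End of "DO NOT MODIFY SECTION" #######
host radius-vm { hardware ethernet 00:0c:29:3d:d9:f5; fixed-address 192.168.255.100; }
host windows { hardware ethernet 00:0c:29:06:96:1f; fixed-address 192.168.255.120; }
"""

# Constructed sample in the format of nat.conf; 5000/udp targets an unpinned guest.
NAT_CONF = """
[incomingtcp]
# TCP port forwarding example
#8080 = 172.16.3.128:80

[incomingudp]
# UDP port forwarding example
#6000 = 172.16.3.0:6001
1812 = 192.168.255.100:1812
1813 = 192.168.255.100:1813
1645 = 192.168.255.100:1645
1646 = 192.168.255.100:1646
5000 = 192.168.255.130:5000
"""

HOST_RE = re.compile(
    r"host\s+(\S+)\s*\{[^}]*?hardware\s+ethernet\s+([0-9a-f:]+)\s*;[^}]*?"
    r"fixed-address\s+([0-9.]+)\s*;[^}]*\}",
    re.IGNORECASE | re.DOTALL,
)
FORWARD_RE = re.compile(r"^\s*(\d+)\s*=\s*([0-9.]+):(\d+)\s*$")

Forward = Tuple[str, int, str, int]  # (proto, host_port, guest_ip, guest_port)


def parse_reservations(text: str) -> Dict[str, Tuple[str, str]]:
    """Map fixed-address -> (host label, MAC) for every host {} block."""
    return {ip: (name, mac.lower()) for name, mac, ip in HOST_RE.findall(text)}


def parse_forwards(text: str) -> List[Forward]:
    """Active forwards only: lines inside [incomingtcp]/[incomingudp], '#' lines are comments."""
    forwards: List[Forward] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = FORWARD_RE.match(line)
        if m and section in ("incomingtcp", "incomingudp"):
            proto = section[len("incoming"):]  # "tcp" or "udp"
            forwards.append((proto, int(m.group(1)), m.group(2), int(m.group(3))))
    return forwards


def unpinned_forwards(dhcpd_text: str, nat_text: str) -> List[Forward]:
    """Forwards whose guest address has no MAC reservation in dhcpd.conf."""
    pinned = parse_reservations(dhcpd_text)
    return [f for f in parse_forwards(nat_text) if f[2] not in pinned]


if __name__ == "__main__":
    for proto, hport, gip, gport in parse_forwards(NAT_CONF):
        print(f"{proto}/{hport} -> {gip}:{gport}")
    for fwd in unpinned_forwards(DHCPD_CONF, NAT_CONF):
        print("WARNING: forward to unpinned guest address:", fwd)
```

To run it against the real files, read the two paths into `DHCPD_CONF` and `NAT_CONF`; the parser deliberately ignores the "DO NOT MODIFY" header because Fusion regenerates that part.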

FreeRADIUS

The core of daloRADIUS is in fact FreeRADIUS with a web client added on top. FreeRADIUS also has a Windows build; it is small and easy to use, and everything is configured through text files. Download it from http://freeradius.net. The tests in this post were done with that build.

Update 2013-5-27:
When switching the VMware network adapter mode (between NAT and Bridged), I found that FreeRADIUS stopped working and the three server control options were greyed out; restarting the FreeRADIUS process did not help, but reinstalling fixed it. I do not know whether the network configuration simply cannot be changed once FreeRADIUS is installed... Also, if the Wi-Fi environment is encrypted and requires a username and password, the VM guest cannot connect via either Bridged or NAT.

Update 2014-9-4:
While doing experiments I found that the FreeRADIUS from freeradius.net (1.1.7) has some bugs and is updated extremely slowly; if you run into them, you can download from http://freeradius.org (3.0.3) instead. Note that one is .net and the other is .org, and the version numbers differ. The 3.0.3 release is open source, for Linux... Finally there is also a 2.2.5 version; just google "FreeRADIUS for Windows".

LNS RADIUS authentication

LNS configuration

aaa group server radius AAA
 server name test123
 authorization reply reject TEST
!--- The two lines above drop RADIUS reply attributes the LNS does not support (attribute list TEST is defined further down)
!
aaa authentication ppp default group AAA local
aaa authorization network default group AAA local
!
aaa policy interface-config allow-subinterface
!
ip vrf ccna
 description BRUCE TEST  20130222
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname 3845-2
 local name ASR1002-1
 lcp renegotiation on-mismatch
 l2tp tunnel password 0 cisco
!
username cisco password 0 cisco
!--- The local user database is only a fallback (the "local" method), used for testing
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/2/0
 ip address 10.75.49.71 255.255.255.0
 negotiation auto
!
interface Virtual-Template1
 no ip address
 no peer default ip address
 ppp authentication chap
!--- Neither ip unnumbered nor a peer address pool is configured here; even if they were, the values returned by RADIUS take precedence
!
ip radius source-interface FastEthernet0/2/0
!
radius-server attribute list TEST
 attribute 13
!
!
radius server test123
 address ipv4 10.75.73.195 auth-port 1812 acct-port 1813
 key testing123

The secrets in this configuration (`l2tp tunnel password 0 cisco`, `username cisco password 0 cisco`, `key testing123`) are lab values. In production use a long random RADIUS key, define the local fallback user with `secret` rather than `password 0`, and make sure the address of `ip radius source-interface` is exactly the address listed for this NAS in the server's client configuration, because the server ignores requests from unknown clients.

RADIUS configuration
User config (FreeRADIUS users file):

test@cisco.com  Auth-Type := Local, User-Password == "test"
        Cisco-AVPair += "ip:ip-unnumbered=loopback0",
        Cisco-AVPair += "ip:vrf-id=ccna",
        Framed-IP-Address += 33.33.33.250,
        Framed-Route += "172.16.0.0 255.255.0.0 33.33.33.250 100",
        Framed-Compression = None

Note: in the users file it is advisable to remove the default entries, otherwise you may get an Access-Reject. Because the PPP session uses CHAP (`ppp authentication chap` on the virtual template), the server must hold the password in cleartext to recompute the CHAP response; a hashed Crypt-Password entry cannot serve CHAP users. With FreeRADIUS 2.x/3.x write `Cleartext-Password := "test"` in place of the legacy `Auth-Type := Local, User-Password == "test"`, and give Framed-Compression the named value `None` (the Access-Accept below shows it as None [0]) rather than an empty string, which newer versions refuse to parse.
RADIUS clients (clients.conf):

client 10.75.49.71 {
        secret      = testing123
        shortname   = asr1k
}

Note: in the clients configuration, do not remove the default entries; otherwise the server may report port 1812 unreachable.
Below is the output of "debug radius" on the LNS:

RADIUS: Removing all radius source-int. pointing to Virtual-Access2.1
RADIUS/ENCODE(00000050):Orig. component type = VPDN
RADIUS:  AAA Unsupported Attr: interface         [223] 14
RADIUS:   55 6E 69 71 2D 53 65 73 73 2D 49 44      [ Uniq-Sess-ID]
RADIUS(00000050): Config NAS IP: 10.75.49.71
RADIUS(00000050): Config NAS IPv6: ::
RADIUS/ENCODE(00000050): acct_session_id: 69
RADIUS(00000050): sending
RADIUS(00000050): Send Access-Request to 72.163.226.56:1812 id 1645/34, len 112
RADIUS(00000050): Sending a IPv4 Radius Packet
RADIUS(00000050): Send Access-Request to 72.163.226.56:1812 id 1645/34, len 112
RADIUS:  authenticator 96 45 10 29 44 15 EE 90 - 12 77 E6 94 A2 62 5B 7B
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  User-Name           [1]   16  "test@cisco.com"
RADIUS:  CHAP-Password       [3]   19  *
RADIUS:  Connect-Info        [77]  11  "100000000"
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-Port            [5]   6   35
RADIUS:  NAS-Port-Id         [87]  16  "Uniq-Sess-ID35"
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   10.75.49.71
RADIUS(00000050): Started 5 sec timeout
RADIUS: Received from id 1645/34 72.163.226.56:1812, Access-Accept, len 129
RADIUS:  authenticator 06 95 4C 5D 4D 0B 48 37 - 95 25 D8 6B 9C 1B 5B 3F
RADIUS:  Vendor, Cisco       [26]  34
RADIUS:   Cisco AVpair       [1]   28  "ip:ip-unnumbered=loopback0"
RADIUS:  Vendor, Cisco       [26]  22
RADIUS:   Cisco AVpair       [1]   16  "ip:vrf-id=ccna"
RADIUS:  Framed-IP-Address   [8]   6   33.33.33.250
RADIUS:  Framed-Route        [22]  41  "172.16.0.0 255.255.0.0 33.33.33.250 100"
RADIUS:  Framed-Compression  [13]  6   None                      [0]
RADIUS(00000050): Received from id 1645/34
RADIUS: attribute 13 rejected
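The exchange in the debug output, and the users-file entry it authenticates against, reduced to working code. This is an added example, not code from the post, from FreeRADIUS or from IOS: it builds the Access-Request the way the NAS does (CHAP-Password = identifier plus MD5 of identifier, password and challenge, with the random Request Authenticator serving as the challenge because no CHAP-Challenge attribute is sent), verifies it on the server side against the cleartext password, answers with the same five reply attributes, and on the NAS side checks the Response Authenticator with the shared secret before discarding attribute 13 the way `authorization reply reject TEST` does. The secret, user, password, NAS address and reply values come from the configuration above; the packet identifier 34 is borrowed from the debug output, the challenge is generated here, and the omitted NAS-Port attributes are left out, so only the Access-Accept length (129) matches the capture exactly. Two practitioner points it makes concrete: CHAP forces the server to store a recoverable password, and the Response Authenticator is a plain MD5 over public packet bytes plus the secret, so a weak secret like testing123 can be recovered offline from one captured exchange.

```python
"""Added example: RADIUS/CHAP exchange between an LNS and a FreeRADIUS-style server."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 3, 4, 6, 7
FRAMED_IP, FRAMED_COMPRESSION, FRAMED_ROUTE, VSA, CHAP_CHALLENGE = 8, 13, 22, 26, 60
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

SECRET = b"testing123"                    # `key testing123` on the LNS / secret in clients.conf
USERS: Dict[str, bytes] = {"test@cisco.com": b"test"}  # users file; CHAP needs cleartext
REJECTED_ON_NAS = {FRAMED_COMPRESSION}    # radius-server attribute list TEST -> attribute 13

Attr = Tuple[int, bytes]


def tlv(kind: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([kind, len(value) + 2]) + value


def cisco_avpair(text: str) -> Attr:
    """Vendor-Specific (26) carrying Cisco (vendor 9) sub-attribute 1, Cisco-AVPair."""
    return (VSA, struct.pack("!I", CISCO_VENDOR_ID) + tlv(CISCO_AVPAIR, text.encode()))


def parse_attrs(body: bytes) -> List[Attr]:
    """Walk the attribute list, rejecting truncated or zero-length attributes."""
    out: List[Attr] = []
    i = 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        out.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return out


def pack(code: int, ident: int, authenticator: bytes, attrs: List[Attr]) -> bytes:
    body = b"".join(tlv(k, v) for k, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: identifier byte + MD5(identifier || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_access_request(ident: int, user: str, password: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """NAS side; the random Request Authenticator doubles as the CHAP challenge."""
    request_auth = request_auth or os.urandom(16)
    attrs: List[Attr] = [
        (FRAMED_PROTOCOL, struct.pack("!I", 1)),                       # PPP
        (USER_NAME, user.encode()),
        (CHAP_PASSWORD, chap_response(ident, password, request_auth)),
        (SERVICE_TYPE, struct.pack("!I", 2)),                          # Framed
        (NAS_IP, bytes([10, 75, 49, 71])),                             # ip radius source-interface
    ]
    return pack(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request: bytes) -> bytes:
    """Server side: verify CHAP, then sign the reply with
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, request_auth)
    password = USERS.get(user)
    if (password is not None and len(chap) == 17
            and hmac.compare_digest(chap, chap_response(chap[0], password, challenge))):
        code, reply = ACCESS_ACCEPT, [
            cisco_avpair("ip:ip-unnumbered=loopback0"),
            cisco_avpair("ip:vrf-id=ccna"),
            (FRAMED_IP, bytes([33, 33, 33, 250])),
            (FRAMED_ROUTE, b"172.16.0.0 255.255.0.0 33.33.33.250 100"),
            (FRAMED_COMPRESSION, struct.pack("!I", 0)),                # None
        ]
    else:
        code, reply = ACCESS_REJECT, []
    body = b"".join(tlv(k, v) for k, v in reply)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + SECRET).digest() + body


def nas_verify(request: bytes, response: bytes) -> Tuple[int, List[Attr], List[Attr]]:
    """NAS side: check identifier and Response Authenticator, then split the reply into
    attributes applied to the session and attributes dropped by the TEST list."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("identifier or length mismatch")
    body = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + body + SECRET).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    attrs = parse_attrs(body)
    return (code, [a for a in attrs if a[0] not in REJECTED_ON_NAS],
            [a for a in attrs if a[0] in REJECTED_ON_NAS])


def run_exchange(user: str = "test@cisco.com", password: bytes = b"test", ident: int = 34):
    """One full round trip; returns (code, applied attributes, rejected attributes)."""
    request = build_access_request(ident, user, password)
    return nas_verify(request, server_handle(request))


if __name__ == "__main__":
    code, kept, dropped = run_exchange()
    print("Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject")
    for kind, value in kept:
        print(f"  applied  [{kind}] {value!r}")
    for kind, _ in dropped:
        print(f"  rejected [{kind}] (attribute list TEST)")
```

`nas_verify` raises rather than returning a partial result when the authenticator does not match, which is the behaviour you want from a NAS: a reply with a bad Response Authenticator must be treated as if it never arrived, not as an Access-Reject.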

The Access-Accept carries all five reply attributes. The LNS drops attribute 13 (Framed-Compression) because of the TEST list, applies the two Cisco-AVPairs to place the virtual-access interface in VRF ccna with ip unnumbered loopback0, assigns 33.33.33.250 to the peer, and installs Framed-Route as a per-user static route (code U):

ASR1002-1#sh ip vrf ccna
  Name                             Default RD          Interfaces
  ccna                             1:1                 Vi2.1
ASR1002-1#sh ip route vrf ccna

Routing Table: ccna
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      33.0.0.0/32 is subnetted, 1 subnets
C        33.33.33.250 is directly connected, Virtual-Access2.1
U     172.16.0.0/16 [100/0] via 33.33.33.250
This article is from Frank's Blog.

Copyright notice: this is an original article that represents only the author's personal views; copyright belongs to Frank Zhao. When reposting, please credit the source and link to the original article.

Comments on "L2TP – RADIUS Authentication"

  1. jason says:

    Hello, I would like to ask how FreeRADIUS and Cisco AAA can be managed through the daloRADIUS web UI. I searched a lot online but could not find any material on this; could you point me to some? Much appreciated. Thank you.

  2. frank says:

    I am not sure I understand what you mean. daloRADIUS is itself an integrated package built on FreeRADIUS; daloRADIUS has its own web management, and Cisco's ACS likewise has its own web management.
