基于freeradius+mysql,今天验证下freeradius的EAP认证:1.EAP-MD5;2.EAP-PEAP
一、EAP-MD5方式认证
1.修改配置文件
(1)/usr/local/etc/raddb/sites-available/default 去掉eap前面的# (2)/usr/local/etc/raddb/eap.conf 确认default_eap_type=md5
2.在数据库中加入Auth-Type为EAP的测试账号
#mysql -u root -p
Enter password:456456
mysql> use freeradius;
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Auth-Type',':=','EAP');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Service-Type',':=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Framed-IP-Address',':=','255.255.255.255');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('eap','Framed-IP-Netmask',':=','255.255.255.0');
mysql> insert into radcheck (username,attribute,op,value) values ('eap','User-Password',':=','eap');
mysql> insert into radusergroup (username,groupname) values ('eap','eap');
mysql> insert into radreply (username,attribute,op,value) values ('eap','Reply-Message',':=','eap OK!');
3.开始测试
#radiusd -X
#(echo "User-Name = \"eap\""; echo "Cleartext-Password = \"eap\""; echo "EAP-Code = \"Response\""; echo "EAP-Id = 210"; echo "EAP-Type-Identity = \"eap\""; echo "Message-Authenticator = 0x00";) | radeapclient -x localhost auth testing123
Sending Access-Request packet to host 127.0.0.1 port 1812, id=16, length=0
User-Name = "eap"
Cleartext-Password = "eap"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = 0x656170
Message-Authenticator = 0x00
EAP-Message = 0x02d2000801656170
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=16, length=107
Reply-Message = "eap OK!"
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.255
Framed-IP-Netmask = 255.255.255.0
EAP-Message = 0x01d30016041008dabb8375e60ff9a515084acdce2e49
Message-Authenticator = 0x323977ef5d8f99e19c0f915225dc91fe
State = 0x622ff79862fcf31bc6a72392057197f7
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5-Challenge = 0x1008dabb8375e60ff9a515084acdce2e49
Sending Access-Request packet to host 127.0.0.1 port 1812, id=17, length=53
User-Name = "eap"
Cleartext-Password = "eap"
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x00000000000000000000000000000000
EAP-Type-MD5-Challenge = 0x10e968e2d801bc965f23c6e515ef2f8861
State = 0x622ff79862fcf31bc6a72392057197f7
EAP-Message = 0x02d300160410e968e2d801bc965f23c6e515ef2f8861
Received Access-Accept packet from host 127.0.0.1 port 1812, id=17, length=76
Reply-Message = "eap OK!"
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.255
Framed-IP-Netmask = 255.255.255.0
EAP-Message = 0x03d30004
Message-Authenticator = 0x190af2672a849e7ddee425f18c01dd2c
User-Name = "eap"
EAP-Id = 211
EAP-Code = Success
二、PEAPv0/EAP-MSCHAPv2方式认证
1.安装测试工具eapol_test
#cd /usr/local/src/
#wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.9.tar.gz
#tar –xzvf wpa_supplicant-0.6.9.tar.gz
#cd wpa_supplicant-0.6.9/wpa_supplicant/
#cp defconfig .config
#make eapol_test
#cp eapol_test /usr/local/bin/
2.修改配置文件
(1)/usr/local/etc/raddb/sites-available/default 去掉eap前面的# (2)/usr/local/etc/raddb/eap.conf 确认default_eap_type=peap
3.查看证书是否存在
#ls /usr/local/etc/raddb/certs/*.pem
正常 列表中含有ca.pem 若没有ca.pem文件,则执行以下命令:
#/usr/local/etc/raddb/certs/bootstrap
4.创建测试配置文件 ~/peap.test
#~/peap.test network={ //注意:"="前后无空格
eap=PEAP
eapol_flags=0
key_mgmt=IEEE8021X
identity="eap" //注意:该测试账号是之前用sql建立在数据库中的,所以可以直接使用
password="eap"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous"
}
5.开始测试
#radiusd -X
#eapol_test -c peap.test -s testing123 //peap.test在~/目录下,所以该命令也要在~/目录下进行。需保持一致。
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): d9 2f f7 04 41 7c 74 66 5b b3 e7 7c ea 77 21 72 04 94 cd 7f e1 c9 a0 6b 08 34 b1 b2 25 55 6f 53
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
三、EAP-TTLS/MD5方式认证
1.修改配置文件
(1)/usr/local/etc/raddb/sites-available/default 去掉eap前面的# (2)/usr/local/etc/raddb/eap.conf 确认default_eap_type=ttls
2.创建测试配置文件 ~/ttlsmd5.test
~/ttlsmd5.test network={
eap=TTLS
ssid="test" //可更改
key_mgmt=WPA-EAP
identity="eap"
password="eap"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
phase2="auth=MD5"
anonymous_identity="anonymous" //可更改
}
3.开始测试
#radiusd -X
#eapol_test -c ttlsmd5.test -s testing123
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): 91 b2 66 fb da ff bd 7d 95 91 2a c5 82 a8 86 bb 18 14 ac 9f 30 e4 7e 21 9f 28 b8 00 35 62 ff f2
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
四、EAP-TTLS/MSCHAPv2方式认证
1.修改配置文件
(1)/usr/local/etc/raddb/sites-available/default 去掉eap前面的# (2)/usr/local/etc/raddb/eap.conf 确认default_eap_type=ttls
2.创建测试配置文件 ~/ttlsmschapv2.test
~/ttlsmschapv2.test network={
eap=TTLS
ssid="test" //可更改
key_mgmt=WPA-EAP
identity="eap"
password="eap"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous" //可更改
}
3.开始测试
#radiusd -X
#eapol_test -c ttlsmschapv2.test -s testing123
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL – hexdump(len=32): 91 b2 66 fb da ff bd 7d 95 91 2a c5 82 a8 86 bb 18 14 ac 9f 30 e4 7e 21 9f 28 b8 00 35 62 ff f2
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
$$$至此,参照http://blog.sina.com.cn/s/blog_5d2184eb0100hibt.html《FreeRadius+Mysql+EAP认证身份认证系统安装及配置》;
$$$其他认证方式,请参照http://blog.csdn.net/madding/article/details/17277197/《radius系列:freeradius测试》;