-1

这可能看起来很简单,但是在对文档进行大量搜索之后,不幸的是,它并不清楚,因此将不胜感激任何帮助。

简而言之,我想返回一个 VSA 以响应身份验证请求。VSA 是用于虚拟路由器的瞻博网络 VSA,对于供应商 ID 4874 显示为 26-1。在 LDAP 配置中,我有以下适用于标准 RADIUS 属性的内容。

update {
        control:Password-With-Header    += 'userPassword'
        reply:Reply-Message             := 'radiusReplyMessage'
        reply:Framed-IP-Address         := 'radiusFramedIPAddress'
        reply:Framed-IP-Netmask         := 'radiusFramedIPNetmask'
        reply:Framed-MTU                := 'radiusFramedMTU'
        #reply:Vendor_Specific[1]       := 'radiusJuniperVirtualRouter'

        #  Where only a list is specified as the RADIUS attribute,
        #  the value of the LDAP attribute is parsed as a valuepair
        #  in the same format as the 'valuepair_attribute' (above).
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:              += 'radiusReplyAttribute'
    }

这返回

[root@ldapm01 sites-available]# radtest -x -4 -P udp testaccount2 password 127.0.0.1 1 testing123
Sent Access-Request Id 193 from 0.0.0.0:46100 to 127.0.0.1:1812 length 82
        User-Name = "testaccount2"
        User-Password = "password"
        NAS-IP-Address = 10.0.0.17
        NAS-Port = 1
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Received Access-Accept Id 193 from 127.0.0.1:1812 to 0.0.0.0:0 length 38
        Framed-IP-Address = 10.0.0.2
        Framed-IP-Netmask = 255.255.255.255
        Framed-MTU = 1500

所以 FreeRADIUS 和 LDAP 正在工作。我需要解决的是

#reply:<Juniper VSA 1> := 'radiusJuniperVirtualRouter'

注意:瞻博网络的可用字典仅支持供应商 ID 2636,因此我必须创建一个新的字典文件。

4

1 回答 1

0

好的,所以我找到了答案,实际上它相当简单。这是在适当的字典中找到属性名称并将其用作参考的问题。字典名称是唯一的,通常是字典名称后跟的属性名称。在我的情况下,我必须在字典目录(Centos 7,/usr/share/freeradius)中找到我需要的企业 ID,在我的情况下是 dictinary.erx 4874(感谢供应商整合)。

这是ldap配置

update {
    control:Password-With-Header    += 'userPassword'
    reply:Reply-Message             := 'radiusReplyMessage'
    reply:Framed-IP-Address     := 'radiusFramedIPAddress'
    reply:Framed-IP-Netmask     := 'radiusFramedIPNetmask'
    reply:Framed-MTU                    := 'radiusFramedMTU'
    reply:ERX-Virtual-Router-Name   := 'radiusVRF'

    #  Where only a list is specified as the RADIUS attribute,
    #  the value of the LDAP attribute is parsed as a valuepair
    #  in the same format as the 'valuepair_attribute' (above).
}

然后我还必须创建一个匹配的 LDAP 模式条目来支持附加值,在我的例子中,我只是通过添加以下内容来扩展 FreeRADIUS 模式

olcAttributeTypes: {65}( 1.3.6.1.4.1.11344.4.1.2.1.67 NAME 'radiusVRF' DESC 'requestItem: $GENERIC$' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

然后将其添加到 olcObjectClasses 列表的末尾

olcObjectClasses: {0}( 1.3.6.1.4.1.11344.4.3.2.1 NAME 'radiusprofile' DESC '' SUP top AUXILIARY MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $
 radiusCallbackId $ radiusCallbackNumber $radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFramedAppleTalkNetwork $
 radiusFramedAppleTalkZone $ radiusFramedCompression $ radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $radiusFramedProtocol $ radiusAttribute $
 radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $ radiusLoginLATPort $
 radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $
 radiusServiceType $ radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDN $ radiusSimultaneousUse $ radiusTunnelAssignmentId $
 radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $
 dialupAccess $ radiusNASIpAddress $ radiusReplyMessage $ radiusControlAttribute $ radiusReplyAttribute $ radiusRequestAttribute $ radiusNasId $ radiusVRF ) )

现在它给了我以下

radtest -x -4 -P udp testaccount1 password 127.0.0.1 1 testing123

Sent Access-Request Id 24 from 0.0.0.0:49135 to 127.0.0.1:1812 length 82
        User-Name = "testaccount1"
        User-Password = "password"
        NAS-IP-Address = 10.0.0.17
        NAS-Port = 1
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Received Access-Accept Id 24 from 127.0.0.1:1812 to 0.0.0.0:0 length 48
        Framed-IP-Address = 10.0.0.1
        Framed-IP-Netmask = 255.255.255.255
        Framed-MTU = 1500
        juniper-unisphere-Virtual-Router = "12"
于 2021-07-15T01:25:29.880 回答