Huawei Switch 10.255.255.1
FreeRadius 192.168.1.10
First, install FreeRADIUS:
apt install freeradius freeradius-utils freeradius-ldap ldap-utils
systemctl enable freeradius
systemctl start freeradius
systemctl status freeradius
vi /etc/freeradius/3.0/users
# first line: check items; the indented line(s) that follow are reply items
networkadmin Cleartext-Password := "Password123"
        Huawei-Exec-Privilege = 15
vi /etc/freeradius/3.0/clients.conf
client huaweiswitch1 {
        ipaddr = 10.255.255.1
        secret = Secret123
        nastype = other
}
systemctl restart freeradius
The FreeRADIUS side is now done and can be tested locally. clients.conf ships with a localhost client for 127.0.0.1 whose secret is testing123, so the test below uses testing123 rather than Secret123:
echo "User-Name = networkadmin, User-Password = Password123" | radclient -x 127.0.0.1 auth testing123
Sent Access-Request Id 62 from 0.0.0.0:57576 to 127.0.0.1:1812 length 68
User-Name = "networkadmin"
User-Password = "Password123"
Cleartext-Password = "Password123"
Received Access-Accept Id 62 from 127.0.0.1:1812 to 127.0.0.1:57576 length 50
Message-Authenticator = 0x4589cc50a0f16f8e1b945dedd5f02862
Huawei-Exec-Privilege = 15
Getting an Access-Accept with Huawei-Exec-Privilege = 15 back means the server side works. Now configure the Huawei switch:
[HUAWEI]radius-server template MYtemplate
[HUAWEI-radius-MYtemplate]radius-server authentication 192.168.1.10 1812 weight 80
[HUAWEI-radius-MYtemplate]radius-server shared-key cipher Secret123
[HUAWEI-radius-MYtemplate]aaa
[HUAWEI-aaa]authentication-scheme MYscheme
[HUAWEI-aaa-authen-MYscheme]authentication-mode radius local
[HUAWEI-aaa-authen-MYscheme]domain MYdomain
[HUAWEI-aaa-domain-MYdomain]authentication-scheme MYscheme
[HUAWEI-aaa-domain-MYdomain]radius-server MYtemplate
[HUAWEI]domain MYdomain admin
login as: networkadmin
Keyboard-interactive authentication prompts from server:
| User Authentication
| Password:
End of keyboard-interactive prompts from server
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2023-12-15 21:02:14+00:00.
Info: Lastest accessed IP: - Time: - Password will expire in: -
Info: Smart-upgrade is currently disabled. Enable Smart-upgrade to get recommended version information.
sys
Enter system view, return user view with Ctrl+Z.
[HUAWEI]dis curr
[HUAWEI]dis current-configuration
!Software Version V200R022C00SPC500
#
sysname HUAWEI
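To make the exchange radclient performed above concrete, here is an added example (not code from the original write-up): a self-contained Python model of the RADIUS PAP round trip. The client hides User-Password as RFC 2865 prescribes and adds a Message-Authenticator; a stand-in server verifies the Message-Authenticator, looks the user up in a dict standing in for the users file, and answers with an Access-Accept carrying Huawei-Exec-Privilege as a Vendor-Specific attribute (Vendor-Id 2011, vendor-type 29, the values FreeRADIUS's dictionary.huawei assigns to it) plus a Response Authenticator, which the client checks before trusting the privilege level. The reply comes out at 50 bytes, the same length radclient printed above. The user, password and secrets are the constructed values from this page; the server's "drop on bad Message-Authenticator" behaviour mirrors what FreeRADIUS does when the shared secret in clients.conf does not match the client's.

```python
"""RADIUS PAP exchange with a Huawei-Exec-Privilege reply, framed per RFC 2865/2869.

Constructed, offline example: server_handle() stands in for FreeRADIUS reading the
users file, build_access_request()/client_verify_reply() for radclient. No sockets.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VSA, ATTR_MSG_AUTH = 1, 2, 26, 80
HUAWEI_VENDOR_ID, HUAWEI_EXEC_PRIVILEGE = 2011, 29   # from FreeRADIUS dictionary.huawei

# Stand-in for the /etc/freeradius/3.0/users entry: name -> (Cleartext-Password, Huawei-Exec-Privilege)
USERS = {b"networkadmin": (b"Password123", 15)}


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def _header(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the keystream for block n depends on ciphertext block n-1."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _add_msg_auth(code, ident, hdr_auth, attrs, secret):
    """Append Message-Authenticator (RFC 2869 s5.14): HMAC-MD5 over the packet with its own value zeroed."""
    pkt = _header(code, ident, hdr_auth, attrs + _attr(ATTR_MSG_AUTH, b"\x00" * 16))
    return attrs + _attr(ATTR_MSG_AUTH, hmac.new(secret, pkt, hashlib.md5).digest())


def verify_msg_auth(pkt, secret, req_auth=None):
    """Recompute the HMAC. Replies are authenticated with the *request* authenticator in the header."""
    hdr_auth = pkt[4:20] if req_auth is None else req_auth
    rebuilt, given = b"", None
    for t, v in parse_attrs(pkt[20:]):
        given = v if t == ATTR_MSG_AUTH else given
        rebuilt += _attr(t, b"\x00" * 16 if t == ATTR_MSG_AUTH else v)
    if given is None:
        return False
    return hmac.compare_digest(hmac.new(secret, pkt[:4] + hdr_auth + rebuilt, hashlib.md5).digest(), given)


def build_access_request(user, password, secret, ident=62, req_auth=None):
    """Client side: random Request Authenticator, hidden User-Password, Message-Authenticator."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    attrs = _add_msg_auth(ACCESS_REQUEST, ident, req_auth, attrs, secret)
    return _header(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(pkt, secret, users=USERS):
    """Server side. Returns the reply packet, or None when the request is silently dropped."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or not verify_msg_auth(pkt, secret):
        return None  # like FreeRADIUS: a Message-Authenticator that fails (wrong secret) means no reply
    req_auth, attrs = pkt[4:20], dict(parse_attrs(pkt[20:]))
    entry, hidden = users.get(attrs.get(ATTR_USER_NAME)), attrs.get(ATTR_USER_PASSWORD)
    if entry and hidden and hmac.compare_digest(entry[0], reveal_password(hidden, secret, req_auth)):
        # Vendor-Specific: Vendor-Id(4) | vendor-type(1) | vendor-length(1) | integer(4)
        code, reply = ACCESS_ACCEPT, _attr(ATTR_VSA, struct.pack("!IBBI", HUAWEI_VENDOR_ID, HUAWEI_EXEC_PRIVILEGE, 6, entry[1]))
    else:
        code, reply = ACCESS_REJECT, b""
    reply = _add_msg_auth(code, ident, req_auth, reply, secret)
    resp_auth = hashlib.md5(_header(code, ident, req_auth, reply) + secret).digest()  # Response Authenticator
    return _header(code, ident, resp_auth, reply)


def client_verify_reply(reply, req_auth, secret):
    """Client side: check Response Authenticator and Message-Authenticator, then read the Huawei VSA."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("bad length")
    if not hmac.compare_digest(hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest(), reply[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if not verify_msg_auth(reply, secret, req_auth):
        raise ValueError("Message-Authenticator mismatch")
    privilege = None
    for t, v in parse_attrs(reply[20:]):
        if t == ATTR_VSA and len(v) == 10 and v[:6] == struct.pack("!IBB", HUAWEI_VENDOR_ID, HUAWEI_EXEC_PRIVILEGE, 6):
            privilege = struct.unpack("!I", v[6:])[0]
    return code, privilege


def demo(secret=b"testing123", user=b"networkadmin", password=b"Password123", client_secret=None):
    """One exchange; pass client_secret to simulate a clients.conf / switch shared-key mismatch."""
    client_secret = client_secret or secret
    req, req_auth = build_access_request(user, password, client_secret)
    reply = server_handle(req, secret)
    if reply is None:
        return "dropped", None
    code, privilege = client_verify_reply(reply, req_auth, client_secret)
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[code], privilege


if __name__ == "__main__":
    print(demo())                            # ('Access-Accept', 15), as in the radclient run
    print(demo(password=b"wrong"))           # ('Access-Reject', None)
    print(demo(client_secret=b"Secret123"))  # ('dropped', None)
```

demo(client_secret=b"Secret123") shows what a mismatched secret looks like from the client's side when the request carries a Message-Authenticator: no reply at all rather than a reject, so a switch with the wrong shared key will time out against the server. Also note that the password hiding is only an MD5-keyed XOR with the shared secret, so the RADIUS path between switch and server should be treated as a sensitive management path, not as encrypted transport.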
Once the FreeRADIUS local account works end to end, connect FreeRADIUS to AD.
First create a dedicated AD account for FreeRADIUS that is used only to read AD records; it needs no special privileges. The ldapsearch below checks that FreeRADIUS can reach AD by looking up one account, defadmin, and confirming it is a member of the NetworkAdmin group. Note that ldap:// with a simple bind (and -w on the command line) sends the bind password in the clear; outside a lab, use ldaps:// or -ZZ (StartTLS).
ldapsearch -x -H ldap://def.com \
-D "freeradius@def.com" -w "12345678" \
-b "OU=IT,OU=defusers,DC=def,DC=com" \
"(&(objectClass=user)(sAMAccountName=defadmin)(memberOf=CN=NetworkAdmin,OU=IT,OU=defusers,DC=def,DC=com))"
If the entry comes back, edit the FreeRADIUS default site:
vi /etc/freeradius/3.0/sites-enabled/default
authorize {
        # the stock ldap hook stays commented out; Auth-Type is decided below instead
        # if ((ok || updated) && User-Password && !control:Auth-Type) {
        #         update control {
        #                 &Auth-Type := ldap
        #         }
        # }
        files
        # "files" returns ok only when the user exists in /etc/freeradius/3.0/users;
        # everyone else must be in the AD NetworkAdmin group or is rejected
        if (!ok) {
                if (LDAP-Group == "CN=NetworkAdmin,OU=IT,OU=defusers,DC=def,DC=com") {
                        if (&User-Password && !control:Auth-Type) {
                                update reply {
                                        Huawei-Exec-Privilege := 15
                                }
                                update {
                                        control:Auth-Type := LDAP
                                }
                        }
                }
                else {
                        reject
                }
        }
        # (other entries of the default authorize section not shown)
}
authenticate {
        # Auth-Type LDAP binds to AD as the user with the password from the request,
        # so the request must carry a cleartext (PAP) User-Password
        Auth-Type LDAP {
                ldap
        }
}
sudo ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap
vi /etc/freeradius/3.0/mods-available/ldap
ldap {
        # plain ldap:// to port 389 sends the bind password and every user's password
        # unencrypted; use server = "ldaps://def.com" or start_tls = yes in the tls {}
        # subsection on anything other than a lab network
        server = "def.com"
        identity = "freeradius@def.com"
        password = "12345678"
        base_dn = "OU=IT,OU=defusers,DC=def,DC=com"
        user {
                # the stock filter is for posixAccount directories; AD keys users by sAMAccountName
                # filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        # (remaining settings left at their defaults; the group {} subsection's default
        # membership_attribute = 'memberOf' is what lets the LDAP-Group comparison in
        # sites-enabled/default match AD's memberOf values)
}
Pick an account that is a member of the NetworkAdmin group and test it against FreeRADIUS first, then from the switch with test-aaa (the template name must match the one created above, MYtemplate):
echo "User-Name = timng, User-Password = 12345678" | radclient -x 127.0.0.1 auth testing123
[HUAWEI]test-aaa timng 12345678 radius-template MYtemplate pap
If both pass, try a real login to the Huawei switch with that account.