Implementing RADIUS authentication with OpenVPN 2.0.9

火星人 @ 2014-03-04 , reply:0


After some hands-on work I got OpenVPN 2.0.9 configured to authenticate against RADIUS. A short write-up follows, to share with everyone.
My environment: the server runs Linux 9.0, the client runs Windows XP.
I won't repeat the basic setup; there are plenty of articles on certificate-based authentication, and forum user elm in particular has written several good configuration guides.
There are also plenty of articles online about username/password authentication, but they all require either a MySQL database or a FreeRADIUS back end. I just wanted a simple, quick way to hand the username and password to a third-party RADIUS server for authentication. There are many third-party RADIUS servers, such as Windows Active Directory or WinRadius 2.01; here I use WinRadius 2.01 as the RADIUS server.
1. radiusplugin_v2.0.tar.gz: builds to radiusplugin.so
        Download from http://www.nongnu.org/radiusplugin/
2. libgcrypt support library: builds to /usr/lib/libgcrypt.so.11
        Download from ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz
3. libgpg-error support library: builds to /usr/local/lib/libgpg-error.so.0
        Download from ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.5.tar.gz
Building these three is simple: configure; make; make install.
What we need is radiusplugin.so; the other two are its supporting libraries.
Once you have radiusplugin.so you are 80% of the way there; the rest is configuration.
Copy radiusplugin.so to /etc/openvpn and create its configuration file, radiusplugin.conf, with the following contents:
# The NAS identifier which is sent to the RADIUS server
NAS-Identifier=OpenVpn

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# This is the IP of the host running the OpenVPN server; it acts as the RADIUS client (NAS)
NAS-IP-Address=192.168.2.8

# Location of the OpenVPN configuration file
OpenVPNConfig=/etc/openvpn/cert_conf/server.conf


# RADIUS server definition; more than one server block can be given, the extra ones act as backups
server
{
        # The UDP port for radius accounting.
        acctport=1813
        # The UDP port for radius authentication.
        authport=1812
        # This is the IP of my RADIUS server, i.e. the machine running WinRadius, where the users were added.
        name=192.168.2.2
        # How many times should the plugin resend the request if there is no response?
        retry=1
        # How long should the plugin wait for a response?
        wait=1
        # The shared secret. Configured in WinRadius under Settings - System - NAS secret
        sharedsecret=winradius
}

Next, the OpenVPN server configuration, server.conf.
It differs from the certificate-based configuration only in the following three added lines (the plugin's config file is the radiusplugin.conf created above):
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.conf
client-cert-not-required
username-as-common-name
Client configuration (on Windows XP):
Remove the client certificate lines and add the option that prompts for a username and password:
ca ca.crt
#cert client.crt
#key client.key
auth-user-pass

Start the server:
openvpn --config server.conf
If something goes wrong, checking the log file (e.g. openvpn.log) usually resolves it.
Start the client; it prompts:
Sat Aug 25 17:52:38 2007 OpenVPN 2.0.9 Win32-MinGW built on Oct  1 2006
Enter Auth Username:test
Enter Auth Password:
...
Sat Aug 25 17:55:22 2007 Route addition via IPAPI succeeded
Sat Aug 25 17:55:22 2007 Initialization Sequence Completed
Authentication passed and the VPN tunnel was established.
On the WinRadius side:
用戶(test)認證通過
用戶(test)呼叫()開始
Server-side log on the Linux box:
RADIUS-PLUGIN: Configfile name: /etc/openvpn/radiusplugin.conf .
Sun Apr  1 13:31:09 2007 PLUGIN_INIT: POST /etc/openvpn/radiusplugin.so '/etc/openvpn/radiusplugin.conf' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
...
Sun Apr  1 13:31:56 2007 192.168.2.2:3214 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sun Apr  1 13:31:56 2007 192.168.2.2:3214 TLS: Username/Password authentication succeeded for username 'test'
At this point, RADIUS authentication is working.
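To show what the plugin's "Build password packet" step and the sharedsecret setting actually do on the wire, here is an added Python example; it is not code from the original post or from the radiusplugin project. It builds a RADIUS Access-Request carrying the attributes set in the radiusplugin.conf above (User-Name, a User-Password hidden per RFC 2865 with the shared secret and the Request Authenticator, NAS-IP-Address, Service-Type, Framed-Protocol, NAS-Port-Type, NAS-Identifier), answers it with a minimal server that checks the password against a constructed user table, and verifies the Response Authenticator on the NAS side. The user table, the secret and the password are constructed sample values. A shared secret that differs between NAS and server shows up as an Access-Reject whose Response Authenticator does not verify, which is the symptom to look for when the NAS secret in WinRadius and sharedsecret in radiusplugin.conf do not match.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_FRAMED_PROTOCOL = 6, 7
ATTR_NAS_IDENTIFIER, ATTR_NAS_PORT_TYPE = 32, 61


def encode_attr(atype, value):
    """Type-Length-Value encoding; the length byte counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    pad = -len(password) % 16
    if not password:
        pad = 16                      # an empty password still occupies one block
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block                  # chaining uses the hidden block, not the plaintext
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, nas_ip, identifier=0, authenticator=None):
    """What the NAS (the OpenVPN RADIUS plugin) sends; returns the packet and its authenticator."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = [
        encode_attr(ATTR_USER_NAME, username.encode()),
        encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra)),
        encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", 5)),     # Service-Type=5
        encode_attr(ATTR_FRAMED_PROTOCOL, struct.pack("!I", 1)),  # Framed-Protocol=1
        encode_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", 5)),    # NAS-Port-Type=5
        encode_attr(ATTR_NAS_IDENTIFIER, b"OpenVpn"),             # NAS-Identifier=OpenVpn
    ]
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + ra + body, ra


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(packet, secret, user_db):
    """Minimal RADIUS server: PAP check against a constructed user table; the reply is
    signed with Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    ra = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    ok = user in user_db and hmac.compare_digest(user_db[user], pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + ra + secret).digest()   # no reply attributes


def client_verify_response(response, request_authenticator, secret):
    """NAS side: refuse replies whose Response Authenticator does not check out
    (wrong shared secret, or a reply not produced by the real server)."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code


def demo():
    secret, user_db = b"winradius", {b"test": b"s3cret"}    # constructed sample values
    req, ra = build_access_request("test", "s3cret", secret, "192.168.2.8", identifier=7)
    return client_verify_response(server_handle(req, secret, user_db), ra, secret)


if __name__ == "__main__":
    print("Access-Accept" if demo() == ACCESS_ACCEPT else "Access-Reject")
```

The password is only XOR-masked with an MD5 stream keyed by the shared secret, so the strength of the secret and the confidentiality of the path between the OpenVPN host (192.168.2.8) and the RADIUS host (192.168.2.2) are what protect user passwords in transit; that is why sharedsecret in radiusplugin.conf should be a long random string rather than a guessable word.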

[Reply]

Supporting original content.
[Reply]

Supporting original content. Wow, so many experts in here! It would be great to have an HTUN tutorial too, though!
[Reply]

Impressive, truly a crowd of experts here; I'll have to drop by often. Strong support for original content! :em02:
[Reply]

Great! Could you also post how WinRadius is configured?
[Reply]

Reply to #5, daul75's post

WinRadius is very simple and basically needs no configuration; there isn't much in it to configure anyway.
[Reply]

I finally got radiusplugin.so built and OpenVPN runs now, but I am hitting this error: the password prompt keeps popping up. The client log is:
Tue Oct 23 16:26:09 2007 OpenVPN 2.0.9 Win32-MinGW built on Oct  1 2006
Tue Oct 23 16:26:13 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Oct 23 16:26:13 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Oct 23 16:26:13 2007 Control Channel Authentication: using 'keytest\ta.key' as a OpenVPN static key file
Tue Oct 23 16:26:13 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 LZO compression initialized
Tue Oct 23 16:26:13 2007 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Oct 23 16:26:13 2007 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Oct 23 16:26:13 2007 Local Options hash (VER=V4): '272f1b58'
Tue Oct 23 16:26:13 2007 Expected Remote Options hash (VER=V4): 'a2e63101'
Tue Oct 23 16:26:13 2007 UDPv4 link local:
Tue Oct 23 16:26:13 2007 UDPv4 link remote: 192.168.0.40:1944
Tue Oct 23 16:26:13 2007 TLS: Initial packet from 192.168.0.40:1944, sid=d76a2c13 65b9615d
Tue Oct 23 16:26:13 2007 VERIFY OK: depth=1, /C=aa/ST=aa/L=aa/O=aa/OU=aa/CN=aa/emailAddress=test@aa.com
Tue Oct 23 16:26:13 2007 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Oct 23 16:26:13 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Oct 23 16:26:13 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Oct 23 16:26:13 2007 Peer Connection Initiated with 192.168.0.40:1944
Tue Oct 23 16:26:15 2007 SENT CONTROL : 'PUSH_REQUEST' (status=1)
Tue Oct 23 16:26:15 2007 AUTH: Received AUTH_FAILED control message
Tue Oct 23 16:26:15 2007 TCP/UDP: Closing socket
Tue Oct 23 16:26:15 2007 SIGTERM received, process exiting
Tue Oct 23 16:26:15 2007 OpenVPN 2.0.9 Win32-MinGW built on Oct  1 2006
××××××××××××××××××××××××××××××××××××
The OpenVPN log on the server side is:
Authentication was attempted twice in total:
Wed Oct 24 14:11:08 2007 MULTI: multi_create_instance called
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Re-using SSL/TLS context
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 LZO compression initialized
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Local Options hash (VER=V4): 'a2e63101'
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Expected Remote Options hash (VER=V4): '272f1b58'
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 TLS: Initial packet from 192.168.0.100:3526, sid=1d471dea a3479a82
RADIUS-PLUGIN: No attributes Acct Interim Interval or bad length.
Error: Receiving data from internal socket failed!
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/radiusplugin.so
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 [] Peer Connection Initiated with 192.168.0.100:3526
Wed Oct 24 14:11:09 2007 192.168.0.100:3526 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 24 14:11:09 2007 192.168.0.100:3526 SENT CONTROL : 'AUTH_FAILED' (status=1)
Wed Oct 24 14:11:09 2007 192.168.0.100:3526 Delayed exit in 5 seconds
Wed Oct 24 14:11:14 2007 192.168.0.100:3526 SIGTERM received, client-instance exiting
Wed Oct 24 14:11:15 2007 MULTI: multi_create_instance called
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Re-using SSL/TLS context
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 LZO compression initialized
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Local Options hash (VER=V4): 'a2e63101'
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Expected Remote Options hash (VER=V4): '272f1b58'
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 TLS: Initial packet from 192.168.0.100:3527, sid=c7cba271 dbb979e3
Error: The User is already authenticated. He could not insert in user map. The client connect will fail. In case of rekeying this note is ok.
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/radiusplugin.so
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 [] Peer Connection Initiated with 192.168.0.100:3527
Wed Oct 24 14:11:16 2007 192.168.0.100:3527 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 24 14:11:16 2007 192.168.0.100:3527 SENT CONTROL : 'AUTH_FAILED' (status=1)
Wed Oct 24 14:11:16 2007 192.168.0.100:3527 Delayed exit in 5 seconds
Wed Oct 24 14:11:21 2007 192.168.0.100:3527 SIGTERM received, client-instance exiting

***************
Looking at the WinRadius log: on the first authentication attempt it shows OpenVPN and WinRadius exchanging data, yet the OpenVPN client still reports an error;
on the second attempt WinRadius shows no activity at all, which means OpenVPN exchanged no data with WinRadius the second time.

What is going on here?

[This post was last edited by onsale on 2007-10-24 14:20]
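The server log above mixes two kinds of lines: OpenVPN's own lines, which carry a timestamp and the peer address, and the RADIUS-PLUGIN / Error lines, which carry neither and belong to the PLUGIN_CALL result logged just after them. The following Python script is an added example, not from this thread or from the radiusplugin project, showing one way to triage such a log: it attaches each unprefixed plugin message to the next PLUGIN_AUTH_USER_PASS_VERIFY result, records whether AUTH_FAILED was sent to that peer, and lists the peers whose plugin call returned non-zero together with the plugin messages that preceded it. SAMPLE_LOG is an abbreviated excerpt of the lines posted in this thread (the two failing sessions from this reply and the successful one from the first post).

```python
import re

# Abbreviated excerpt of the OpenVPN server log lines posted in this thread.
SAMPLE_LOG = """\
Wed Oct 24 14:11:08 2007 MULTI: multi_create_instance called
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 TLS: Initial packet from 192.168.0.100:3526, sid=1d471dea a3479a82
RADIUS-PLUGIN: No attributes Acct Interim Interval or bad length.
Error: Receiving data from internal socket failed!
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Oct 24 14:11:09 2007 192.168.0.100:3526 SENT CONTROL : 'AUTH_FAILED' (status=1)
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 TLS: Initial packet from 192.168.0.100:3527, sid=c7cba271 dbb979e3
Error: The User is already authenticated. He could not insert in user map. The client connect will fail. In case of rekeying this note is ok.
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 24 14:11:16 2007 192.168.0.100:3527 SENT CONTROL : 'AUTH_FAILED' (status=1)
Sun Apr  1 13:31:56 2007 192.168.2.2:3214 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sun Apr  1 13:31:56 2007 192.168.2.2:3214 TLS: Username/Password authentication succeeded for username 'test'
"""

# OpenVPN lines: "<weekday> <month> <day> <hh:mm:ss> <year> <ip>:<port> <message>"
PEER_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$")
PLUGIN_CALL = re.compile(r"PLUGIN_CALL: POST \S+/PLUGIN_AUTH_USER_PASS_VERIFY status=(\d+)")
SUCCESS_MSG = re.compile(r"authentication succeeded for username '([^']*)'")
# Plugin output has no timestamp or peer prefix and precedes the PLUGIN_CALL result it belongs to.
PLUGIN_PREFIXES = ("RADIUS-PLUGIN:", "Error:")


def triage_auth(log_text):
    """Return {peer: {plugin_status, plugin_messages, auth_failed_sent, username}}."""
    peers = {}
    pending = []                      # plugin lines not yet attached to a peer
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(PLUGIN_PREFIXES):
            pending.append(line)
            continue
        m = PEER_LINE.match(line)
        if not m:
            continue                  # MULTI:, PLUGIN_INIT etc. carry no peer address
        peer, msg = m.group("peer"), m.group("msg")
        rec = peers.setdefault(peer, {"plugin_status": None, "plugin_messages": [],
                                      "auth_failed_sent": False, "username": None})
        call = PLUGIN_CALL.search(msg)
        if call:
            rec["plugin_status"] = int(call.group(1))
            rec["plugin_messages"].extend(pending)
            pending = []
        elif "'AUTH_FAILED'" in msg:
            rec["auth_failed_sent"] = True
        else:
            ok = SUCCESS_MSG.search(msg)
            if ok:
                rec["username"] = ok.group(1)
    return peers


def failed_auths(peers):
    """Peers whose verify call returned non-zero, with the plugin messages logged before it."""
    return [(peer, rec["plugin_messages"])
            for peer, rec in peers.items() if rec["plugin_status"] not in (None, 0)]


if __name__ == "__main__":
    for peer, msgs in failed_auths(triage_auth(SAMPLE_LOG)):
        print(peer, "failed; plugin said:", msgs or "(nothing)")
```

Run on the excerpt, it pairs the first failure with both the "No attributes Acct Interim Interval" and "Receiving data from internal socket failed" messages and the second with "The User is already authenticated", which makes the difference between the two attempts visible without reading the log by hand.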
[Reply]

Using FreeRADIUS would be better. It runs on Linux and supports databases. Stable and secure.
[Reply]

I use a third-party RADIUS so that other plugins can conveniently be used on the RADIUS server, for things like SMS notification. Besides, I know nothing about databases and am afraid of getting wrecked by MySQL.
  I turned on OpenVPN's debug output and saw the following log:
RADIUS-PLUGIN: FOREGROUND: OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.
RADIUS-PLUGIN: FOREGROUND: New user: username: test, password: *****, newuser ip: 192.168.0.100, new user port: 2784 .
RADIUS-PLUGIN: BACKGROUND  AUTH: New user auth: username: test, password: *****, calling station: 192.168.0.100, commonname: test.
RADIUS-PLUGIN: radius_server().
RADIUS-PLUGIN: Build password packet:  password: *****, sharedSecret: *****.
RADIUS-PLUGIN: Send packet to 192.168.0.100.
RADIUS-PLUGIN: Get ACCESS_ACCEPT-Packet.
RADIUS-PLUGIN: parse_response_packet().
RADIUS-PLUGIN: BACKGROUND AUTH: routes: .
RADIUS-PLUGIN: BACKGROUND AUTH: framed ip: .
RADIUS-PLUGIN: No attributes Acct Interim Interval or bad length.
RADIUS-PLUGIN: BACKGROUND AUTH: Acct Interim Interval: 0.
RADIUS-PLUGIN: BACKGROUND AUTH: Try to open ccd file.
RADIUS-PLUGIN: BACKGROUND AUTH: Opened ccd file.
RADIUS-PLUGIN: FOREGROUND: Authentication succeeded!
RADIUS-PLUGIN: FOREGROUND: Received routes for user: .
RADIUS-PLUGIN: BACKGROUND  AUTH: Auth succeeded in radius_server().
Error: Receiving data from internal socket failed!

The RADIUS server authenticated the user fine, so in the end it still seems to be a problem in the radiusplugin itself; I don't know how to deal with this socket.
[Reply]

OpenBSD + OpenVPN + FreeRADIUS + FreeTDS + ODBC + MSSQL, exhausting to set up! Still haven't got it working :em20:





http://www.coctec.com/docs/service/show-post-17647.html