質問編集履歴
4
コピペミスを訂正しました
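--- a/test
+++ b/test
@@ -226,7 +226,7 @@
 
 221 # ipv6addr = ::1
 
-222 # secret = testing123
+222 # secret = testing1234
 
 223 #}
 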
3
/var/log/radius/radius.log 実施した作業を記載致しました
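--- a/test
+++ b/test
@@ -2,6 +2,8 @@
 
 radiusサーバーを構築作業を前任から引き継ぎ作業しております。
 
+openldapとradiusサーバーの連携を目指しています。
+
 systemctlでサービスが起動できない状態でしたので、最初から作業を行いたいと考え、rpm -qa | grep radius で表示されたパッケージ一覧をremoveコマンドで削除。yum install freeradius.x86_64
 
 yum install freeradius-ldap.x86_64
@@ -108,7 +110,43 @@
 
 ```
 
+vi /var/log/radius/radius.log
+
+Sun Oct 15 08:48:23 2017 : Error: tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
+
+Sun Oct 15 08:48:23 2017 : Error: tls: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
+
+Sun Oct 15 08:48:23 2017 : Error: tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
+
+Sun Oct 15 08:48:23 2017 : Error: rlm_eap_tls: Failed initializing SSL context
+
+Sun Oct 15 08:48:23 2017 : Error: rlm_eap (EAP): Failed to initialise rlm_eap_tls
+
+Sun Oct 15 08:48:23 2017 : Error: /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"
+
+Sun Oct 15 08:50:58 2017 : Info: Debugger not attached
+
+Sun Oct 15 08:50:58 2017 : Warning: [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list
+
+for realm "DEFAULT".
+
+Sun Oct 15 08:50:58 2017 : Warning: [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list
+
+for realm "DEFAULT".
+
+Sun Oct 15 08:50:58 2017 : Error: tls: Failed reading private key file "/etc/raddb/certs/server.pem"
+
+Sun Oct 15 08:50:58 2017 : Error: tls: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
+
+Sun Oct 15 08:50:58 2017 : Error: tls: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
+
+Sun Oct 15 08:50:58 2017 : Error: tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
+
+```
+
-実施した作業
+###radiusサーバーで実施した作業
+
+```
 
 yum update
 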
2
実施した作業を記載しました
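--- a/test
+++ b/test
@@ -106,7 +106,219 @@
 
 ```
 
-
+```
+
+実施した作業
+
+yum update
+
+yum install freeradius* -y
+
+cd /etc/raddb/mods-enabled
+
+ln -s ../mods-available/ldap ldap
+
+chown root.radiusd ldap
+
+
+
+vi /etc/raddb/mods‐available/ldap
+
+12 server = "192.168.xxx.xxx"(LdapサーバーのIP)
+
+16 port = 389
+
+19 identity = "cn=Manager,dc=exampe,dc=com"
+
+20 password = hoge
+
+24 base_dn = "ou=People,dc=exampe,dc=com"
+
+120 scope = 'one'
+
+163 scope = 'one'
+
+398 start_tls = no
+
+400 ca_file = ${certdir}/ca.pem
+
+403 ca_path = ${certdir}
+
+
+
+
+
+/etc/raddb/radius.conf
+
+321 auth = yes
+
+329 auth_badpass = yes
+
+
+
+/etc/raddb/proxy.conf ( this change probably can be obmitted)
+
+134 ipaddr = 192.168.xxx.xxx(radiusサーバーのIP)
+
+
+
+/etc/raddb/mods‐available/eap
+
+176 private_key_password = 1234
+
+
+
+
+
+Add to the file
+
+/etc/raddb/mods-config/files/authorize
+
+1 DEFAULT Auth-Type == EAP
+
+2 Tunnel-Type = VLAN,
+
+3 Tunnel-Medium-Type = IEEE-802
+
+
+
+/etc/raddb/clients.conf
+
+220 #client localhost_ipv6 {
+
+221 # ipv6addr = ::1
+
+222 # secret = testing123
+
+223 #}
+
+268 client network {
+
+269 ipv4addr = 192.168.124.0/24
+
+270 proto = *
+
+271 secret = cisco
+
+272 require_message_authenticator = no
+
+273 nas_type = other
+
+274 limit {
+
+275 max_connections = 16
+
+276 lifetime = 0
+
+277 idle_timeout = 30
+
+278 }
+
+279 }
+
+
+
+/etc/raddb/certs/ca.cnf
+
+45 input_password = 1234
+
+46 output_password = 1234
+
+50 countryName = JP
+
+51 stateOrProvinceName = TOKYO
+
+52 localityName = TOKYO
+
+53 organizationName = example.inc
+
+54 #emailAddress = admin@example.com
+
+
+
+/etc/raddb/certs/server.cnf
+
+44 input_password = 1234
+
+45 output_password = 1234
+
+48 countryName = JP
+
+49 stateOrProvinceName = TOKYO
+
+50 localityName = TOKYO
+
+51 organizationName = example.inc
+
+52 #emailAddress = admin@example.com
+
+
+
+11.) Make the verification keys and so on
+
+証明書ファイルを作成
+
+# ディレクトリを移動
+
+cd /etc/raddb/certs/
+
+
+
+# CAの秘密鍵と証明書を作成
+
+openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
+
+
+
+# サーバーの秘密鍵と証明書を作成
+
+openssl req -new -out server.csr -keyout server.key -config ./server.cnf
+
+
+
+# index.txtファイルを初期化
+
+: > index.txt
+
+
+
+# サーバー証明書にCAの署名をする
+
+openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
+
+
+
+# サーバー秘密鍵と証明書のファイルをまとめる
+
+openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
+
+
+
+# サーバー秘密鍵と証明書のフォーマットを変換
+
+openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
+
+
+
+# 証明書の正当性を検証
+
+openssl verify -CAfile ca.pem server.pem
+
+
+
+# ディレクトリを移動
+
+cd
+
+
+
+12.)
+
+START the radius server
+
+systemctl start radius
+
+```
 
 
 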
1
試したこと に rm -rf /var/lib/radiusdで設定ファイルを削除後に再インストールを追記しました
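--- a/test
+++ b/test
@@ -122,7 +122,17 @@
 
 再起動
 
+
+
+
+
+mysqlの完全アンインストールを参考にしてrm -rf /var/lib/radiusdで設定ファイルを削除後に再インストール
+
+
+
 するも不変でした。ご協力をお願い致します。
+
+
 
 ###補足情報(言語/FW/ツール等のバージョンなど)
 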