前置作業
0.關閉selinux（只建議在實驗環境這麼做。正式環境請保持 enforcing：排錯時先用 setenforce 0 切到 permissive，看 /var/log/audit/audit.log 裡被擋的存取再補 policy，不要把設定檔永久改成 disabled）
setenforce 0
sed -i 's/=enforcing/=disabled/g' /etc/selinux/config
1.先關閉防火牆（同樣只適合實驗環境。正式環境請保留 firewalld，只放行 RADIUS 用的 1812/1813 UDP：`firewall-cmd --permanent --add-service=radius && firewall-cmd --reload`，並把來源限制為 VPN 設備的 IP）
systemctl stop firewalld
systemctl disable firewalld
2.修改hostname
hostnamectl set-hostname radius999.fm.local
2.安裝freeradius跟google-authenticator
yum -y install freeradius freeradius-utils
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y google-authenticator
3.安裝AD相關工具
yum install -y sssd realmd samba-common-tools oddjob oddjob-mkhomedir adcli
#---------------- samba-commontools (這個可以不用安裝)
--------------------------------------------------------------------------------------------
4.修改radiusd.conf，把 radiusd 的執行身分改成 root。原因：pam_google_authenticator 預設讀取各使用者家目錄下的 ~/.google_authenticator，預設的 radius 使用者讀不到這些檔案。代價是 radiusd 以 root 權限解析來自網路的封包，FreeRADIUS 任何漏洞都會直接變成 root；比較安全的做法是保留 user = radius / group = radius，改用 pam_google_authenticator 的 secret= 與 user= 選項把 secret 檔集中放在 radius 使用者可讀的目錄（詳見該模組的說明文件）。
vim /etc/raddb/radiusd.conf
修改
user = root
group = root
5.修改/etc/raddb/sites-enabled/default
vim /etc/raddb/sites-enabled/default
找到
# pam
取消註解如下
pam
6.freeradius啟用pam模組
ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
7.修改/etc/raddb/users,使用者預設使用PAM驗證（注意：PAM 必須拿到明文密碼才能驗證，所以 VPN 設備端的 RADIUS 認證方式要選 PAP；MS-CHAPv2 之類的挑戰式方法無法配合 PAM + OTP，密碼在線上只靠 clients.conf 的 secret 混淆，因此 secret 一定要夠長夠隨機）
vim /etc/raddb/users
DEFAULT Auth-Type := PAM
8.修改/etc/raddb/clients.conf,設定允許送驗證請求的來源主機（只列真正會送 RADIUS 的設備，不要整個網段都放行；secret 請用隨機長字串，不要用範例值）
vim /etc/raddb/clients.conf
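client fortivpn {
    # Only the VPN appliance that actually sends RADIUS requests should be listed.
    # A whole /24 lets every host on that subnet submit AD credentials for checking;
    # narrow this to the appliance's own address once it is known.
    ipaddr = 192.168.1.0/24
    # Shared secret: use a long random value, e.g. from `openssl rand -base64 24`.
    # Auth goes through PAM, so the client must use PAP and this secret is the
    # only thing obfuscating the AD password + OTP on the wire.
    secret = CHANGE_ME_long_random_string
    # Requiring Message-Authenticator rejects forged/modified Access-Requests
    # (CVE-2024-3596, "Blast-RADIUS"). Set to yes if the VPN appliance sends the
    # attribute; keep no only while confirming that it does not.
    require_message_authenticator = no
}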
--------------------------------------------------------------------------------------------
9.加入AD（下面的 `realm permit --all` 會讓所有 AD 帳號都能通過這台主機的 PAM 驗證，也就是都能登 VPN；建議改成只允許特定群組，例如 `realm permit -g 'VPN-Users'`，群組名稱依你的 AD 為準）
realm join -v ad.local -U bhchen
realm permit --all
10.編輯sssd檔案(讓user登入的時候,可以不用帶入@ad.name 或者 ad/)
vim /etc/sssd/sssd.conf
use_fully_qualified_names = False
systemctl restart sssd
11.列出目前設定
realm list
12.列出AD帳號的資訊(如果看到user資料 代表成功連上AD)
id bhchen
--------------------------------------------------------------------------------------------
13.修改PAM設定(修改成如下)。順序是先驗 OTP 再驗 AD 密碼；因為沒有加 nullok，還沒執行過 google-authenticator 的使用者會直接被拒絕，而不是只憑密碼就放行，請維持這個行為。
vim /etc/pam.d/radiusd
# Authentication order: Google Authenticator first, then the AD password via SSSD.
# requisite: if the OTP check fails the stack stops here; the AD password is never tried.
# forward_pass: the user submits "<AD password><OTP>" as one string (see the note at the
# end of this page); the module takes the trailing code and passes the remainder on.
# No "nullok", so a user without ~/.google_authenticator is rejected rather than let
# through with only a password -- keep it that way.
auth requisite pam_google_authenticator.so forward_pass
# Validate the remaining password against AD through sssd (joined with realm in step 9).
# use_first_pass: reuse the password handed down by the previous module, never re-prompt.
auth required pam_sss.so use_first_pass
# Deny everyone but root while /etc/nologin exists.
account required pam_nologin.so
# Reuse the system-wide account/session stacks.
account include password-auth
session include password-auth
14.重新啟動freeradius
systemctl enable radiusd
systemctl restart radiusd
15.登入一個AD使用者來進行測試,並且幫使用者套上google驗證。登入帳號要對應第 9 步加入的 realm（ad.local）；主機名稱用的 fm.local 不是 AD 網域。由於第 10 步關掉了 use_fully_qualified_names，直接用 bhchen 或 bhchen@ad.local 都可以：
ssh -l bhchen@ad.local localhost
google-authenticator
預設回答都是y（互動式，會依序詢問：是否用 TOTP、是否寫入 ~/.google_authenticator、是否禁止同一組驗證碼重複使用、是否放寬時間視窗、是否限制嘗試次數）
或者用下面其中一條非互動式指令一次設定好（-t 用 TOTP、-f 不詢問直接覆寫、-d 同一組驗證碼不可重複使用、-r 3 -R 30 每 30 秒最多 3 次嘗試、-W 不放寬時間視窗；-l / -i 只影響 App 裡顯示的帳號與發行者名稱）：
google-authenticator -t -f -d -l bhchen@ad.local -i SHENYU.ME -r 3 -R 30 -W
google-authenticator -t -f -d -r 3 -R 30 -W
注意：指令印出的 secret key、QR code 與 emergency scratch codes 就等於第二因素本身，不要貼到工單、聊天室或截圖留存；產生的 ~/.google_authenticator 應維持 0400 且由該使用者擁有（radiusd 以 root 執行才讀得到，見第 4 步）。
----------
PS.如果log沒有顯示完整（看不到每筆認證成功/失敗的紀錄）
可以修改
vim /etc/raddb/radiusd.conf
log {
auth = no 改成 yes
}
注意：同一個 log 區塊裡的 auth_badpass / auth_goodpass 請保持 no，否則使用者輸入的密碼（包含 OTP）會以明文寫進 log。
之後用這個來進行驗證的時候,密碼欄位就必須輸入「AD密碼」後面直接接上 OTP 驗證碼，中間不加任何分隔符號（例如 AD 密碼是 P@ss、驗證碼是 123456，就輸入 P@ss123456）；forward_pass 會先切掉結尾的驗證碼，再把剩下的 AD 密碼交給 pam_sss。