Saturday, September 20, 2025

PrivacyIDEA RADIUS plugin Installation Notes

Reference links for the required software and the installation instructions

GitHub URL

https://github.com/privacyidea/FreeRADIUS

https://github.com/privacyidea/FreeRADIUS/tree/master

https://github.com/privacyidea/FreeRADIUS/tree/master/config/freeradius3


Install URL

https://privacyidea.readthedocs.io/en/latest/application_plugins/rlm_perl.html


OS: Oracle Linux 9.6 + freeradius 3.0.21-44.el9_6


dnf install freeradius freeradius-utils freeradius-perl* -y

dnf install perl-LWP* perl-Config* perl-Data* perl-Try* perl-URI* perl-Encode* perl-JSON* -y


rm /etc/raddb/sites-enabled/* 


rm: remove symbolic link '/etc/raddb/sites-enabled/default'? y

rm: remove symbolic link '/etc/raddb/sites-enabled/inner-tunnel'? y


rm /etc/raddb/mods-enabled/eap 


rm: remove symbolic link '/etc/raddb/mods-enabled/eap'? y


git clone https://github.com/privacyidea/FreeRADIUS.git

cp ./FreeRADIUS/config/freeradius3/privacyidea /etc/raddb/sites-enabled/

cp ./FreeRADIUS/config/freeradius3/mods-perl-privacyidea /etc/raddb/mods-enabled/

cp ./FreeRADIUS/privacyidea_radius.pm /etc/privacyidea/

cp ./FreeRADIUS/rlm_perl.ini /etc/privacyidea/

chmod 755 /etc/privacyidea/privacyidea_radius.pm

chown root.radiusd /etc/raddb/mods-enabled/mods-perl-privacyidea

chown root.radiusd /etc/raddb/sites-enabled/privacyidea 

chmod 755 /etc/raddb/mods-enabled/mods-perl-privacyidea

chmod 755 /etc/raddb/sites-enabled/privacyidea


vi /etc/raddb/mods-enabled/mods-perl-privacyidea 


==================================

perl perl-privacyidea {

    filename = /etc/privacyidea/privacyidea_radius.pm

}

================================


vi  /etc/privacyidea/rlm_perl.ini 


=========================


[Default]

URL = https://localhost/validate/check

REALM = localhost

RESCONF = Linux

SSL_CHECK = false

#SSL_CA_PATH =

#DEBUG = true


[Mapping]

serial = privacyIDEA-Serial


[Mapping user]

# The Mapping is used to add attributes to the RADIUS response.

# The value is read from the privacyIDEA response.

# In this case the content of the privacyIDEA response

#   detail->user->group

# will be written to the RADIUS response attribute "Class".

#

group = Class


===============================
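As an added example (not code from this page or from the privacyIDEA plugin itself), the Python below parses an rlm_perl.ini in the shape of the file above, assembles the validate/check request the plugin sends (the POST field names user, pass, realm and client are an assumption here), and applies the [Mapping] and [Mapping user] sections to a constructed privacyIDEA reply to produce the RADIUS reply attributes. It also makes explicit that SSL_CHECK = false leaves the certificate of the server behind URL unverified.

```python
import configparser
import json
# Constructed rlm_perl.ini in the shape of the file on this page (sample only).
RLM_PERL_INI = """
[Default]
URL = https://localhost/validate/check
REALM = localhost
SSL_CHECK = false
[Mapping]
serial = privacyIDEA-Serial
[Mapping user]
group = Class
"""
# Constructed /validate/check reply for an accepted OTP (sample only).
SAMPLE_RESPONSE = json.loads("""{"result": {"status": true, "value": true}, "detail":
 {"serial": "TOTP00001234", "user": {"username": "radius.user", "group": "vpn-users"}}}""")


def load_ini(text):
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep URL / SSL_CHECK exactly as written in the file
    cfg.read_string(text)
    return cfg


def build_validate_request(cfg, user, otp, client_ip):
    """Assemble the POST the plugin sends to /validate/check (assumed field names)."""
    d = cfg["Default"]
    return {
        "url": d["URL"],
        "data": {"user": user, "pass": otp, "realm": d["REALM"], "client": client_ip},
        # SSL_CHECK = false: the certificate of the server behind URL is NOT verified.
        "verify_tls": d.get("SSL_CHECK", "true").lower() != "false",
    }


def is_accepted(resp):
    """Access-Accept only when result.status and result.value are both true."""
    r = resp.get("result", {})
    return bool(r.get("status")) and bool(r.get("value"))


def map_reply_attributes(cfg, resp):
    """[Mapping] reads detail->key, [Mapping user] reads detail->user->key."""
    detail = resp.get("detail", {})
    attrs = {}
    for key, radius_attr in cfg["Mapping"].items():
        if key in detail:
            attrs[radius_attr] = detail[key]
    for key, radius_attr in cfg["Mapping user"].items():
        if key in detail.get("user", {}):
            attrs[radius_attr] = detail["user"][key]
    return attrs
```

With the sample above the reply carries privacyIDEA-Serial = TOTP00001234 and Class = vpn-users, which is what the "group = Class" mapping is for.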


vi  /etc/raddb/clients.conf 


===============================

client hostip {

        ipaddr = 192.168.100.200

        proto = udp

        secret = Passw0rd

        shortname  = radius

        nas_type = other

        require_message_authenticator = no

}

=================================

systemctl start     radiusd.service 

systemctl enable      radiusd.service



Confirm that the radiusd service starts and runs normally.



Web UI operations

Testing and verification

Linux shell

radtest radius.user 226064 192.168.100.200 0 Passw0rd









Other reference information:


(A) Setting the OTP tokens to be identical (you can edit the DB directly if needed; remember to back up before modifying)
Here I made the RADIUS token the same token as the LDAP one.
==> That is because I deleted the LDAP token on my phone and was too lazy to rebuild the token.

UPDATE token SET key_enc='c86242196fcccad535696820805cc1ba195380e84ed555b412841c24b0b8b85845eb05281dd4d99dcfdbde0ce64eeaa9',key_iv='06083ff0dea2c118c45d58d89e76edda' WHERE id = 1001;






(B) Windows debug log

[20-09-2025 22:02:57] [Translator.cpp:32] Translation language zh, region TW
[20-09-2025 22:02:57] [Translator.cpp:109] Can not load translation file: C:\ProgramData\Netknights GmbH\PrivacyIDEA Credential Provider\locales\zh_TW.json
[20-09-2025 22:02:57] [Translator.cpp:109] Can not load translation file: C:\ProgramData\Netknights GmbH\PrivacyIDEA Credential Provider\locales\zh.json
[20-09-2025 22:02:57] [Translator.cpp:126] Loading translation from C:\ProgramData\Netknights GmbH\PrivacyIDEA Credential Provider\locales\en.json






(C) Localizing Windows messages into Chinese, and the registry keys that may be needed


C:\ProgramData\Netknights GmbH\PrivacyIDEA Credential Provider\locales

==> zh_TW.json

Demo

Log in and authenticate with the token of radius.user.




Of course, the RADIUS login authentication flow can also be integrated with other network devices,
such as a Cisco switch or a FortiGate firewall VPN ......
