我在CentOS 7.3上安装了FreeRadius 3.0.13,它也有SSSD 1.14.0,用于与我们的Windows 2012域控制器进行通信。 我们能够通过半径使用AD进行身份validation。 我们也在这个Radius服务器上安装了google authenticator。 我们可以连接到我们的openvpn服务器,使用AD和Google进行身份validation是很好的,这里没有问题。
然而,我有问题试图只允许某个AD组中的用户进行身份validation。 我正在使用“pam_sss”模块对AD进行身份validation。
这是我的'pam.d / radius'configuration
#%PAM-1.0 auth requisite pam_google_authenticator.so forward_pass auth required pam_sss.so use_first_pass account required pam_nologin.so account include password-auth session include password-auth 这是我的'raddb /用户'configuration
DEFAULT Auth-Type := PAM #DEFAULT Group == "remoteaccess", Auth-Type := Reject # Reply-Message = "You are a member of the Correct remoteaccess Group" DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP
这是我的'raddb /默认'configuration
server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 300 } } listen { ipaddr = * port = 0 type = acct limit { idle_timeout = 300 } } listen { type = auth ipv6addr = :: # any. ::1 == localhost port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 300 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { filter_username preprocess chap mschap digest suffix eap { ok = return } files -sql -ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest pam eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { update { &reply: += &session-state: } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap } }
这里是raddb / radiusconfiguration
prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs run_dir = ${localstatedir}/run/${name} db_dir = ${localstatedir}/lib/radiusd debug_level = 9 libdir = /usr/lib64/freeradius pidfile = ${run_dir}/${name}.pid correct_escapes = true max_request_time = 30 cleanup_delay = 5 max_requests = 16384 hostname_lookups = no log { destination = files colourise = yes file = ${logdir}/radius.log syslog_facility = daemon stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = yes msg_denied = "You are already logged in - access denied" } checkrad = ${sbindir}/checkrad security { user = root group = root allow_core_dumps = no max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 auto_limit_acct = no } modules { $INCLUDE mods-enabled/ } instantiate { } policy { $INCLUDE policy.d/ } $INCLUDE sites-enabled/
任何人有任何想法如何检查AD组和拒绝取决于用户是什么组或不在?