<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>elasticsearch-head installation and configuration</title>
<url>/elasticsearch-head-%E5%AE%89%E8%A3%85%E9%85%8D%E7%BD%AE.html</url>
<content><![CDATA[<blockquote>
<p>Elasticsearch does not ship with a GUI management tool; it only provides the backend service. elasticsearch-head is a web client developed for Elasticsearch.</p>
</blockquote>
<h2 id="elasticsearch-head-安装"><a href="#elasticsearch-head-安装" class="headerlink" title="elasticsearch-head installation"></a>elasticsearch-head installation</h2><ul>
<li><p>Elasticsearch does not ship with a GUI management tool; it only provides the backend service. elasticsearch-head is a web client developed for Elasticsearch, with its source hosted on <a href="https://github.com/mobz/elasticsearch-head" target="_blank" rel="noopener">GitHub</a>. Installing it as a Chrome extension is the recommended route.</p>
</li>
<li><p>If it is not installed as a Chrome extension, the UI and Elasticsearch are served from different origins, so the browser blocks the cross-origin requests. CORS has to be enabled on the Elasticsearch side:</p>
<figure class="highlight autoit"><table><tr><td class="code"><pre><span class="line">[root<span class="symbol">@centos8</span> ~]<span class="meta"># vim /etc/elasticsearch/elasticsearch.yml</span></span><br><span class="line"></span><br><span class="line">http.cors.enabled: <span class="literal">true</span></span><br><span class="line">http.cors.allow-origin: <span class="string">"*"</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># Add the two lines above (the setting name is http.cors.allow-origin). "*" accepts cross-origin requests from any website, so outside a throwaway lab restrict it to the origin that serves the head UI. The Chrome extension does not need this.</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>Connect to Elasticsearch from elasticsearch-head.</p>
</li>
</ul>
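An added configuration example, not from the original post, that puts the permissive setting used above beside a restricted one. It assumes elasticsearch-head is served from http://localhost:9100 (the port the head server listens on when started with <code>npm run start</code>); change the origin to wherever the UI actually runs. The two variants are shown as two YAML documents; elasticsearch.yml takes only one of them.

```yaml
# Permissive: what the post uses. Any web page the operator opens can make
# the browser send requests to this cluster, and a cluster with no
# authentication in front of it will answer them.
http.cors.enabled: true
http.cors.allow-origin: "*"
---
# Restricted: only the origin that serves elasticsearch-head is allowed.
# Assumed origin: http://localhost:9100. A /regex/ is also accepted, e.g.
# "/https?:\/\/localhost(:[0-9]+)?/" to allow any port on localhost.
http.cors.enabled: true
http.cors.allow-origin: "http://localhost:9100"
```

CORS only controls what a browser lets a page read from the cluster; it is not authentication and has no effect on non-browser clients such as curl. The Elasticsearch reference documents <code>"*"</code> as a security risk for exactly this reason.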
<p><img src="../images/blog/elk/es-head.png" alt="es-head"></p>
<h3 id="创建索引,删除索引"><a href="#创建索引,删除索引" class="headerlink" title="Create and delete an index"></a>Create and delete an index</h3><ul>
<li>Create an index from the GUI</li>
</ul>
<p><img src="../images/blog/elk/ELK-GUI-create-index-1.png" alt="ELK-GUI create index-1"></p>
<p><img src="../images/blog/elk/ELK-GUI-create-index-2.png" alt="ELK-GUI create index-2"></p>
<p><img src="../images/blog/elk/ELK-GUI-create-index-3.png" alt="ELK-GUI create index-3"></p>
<ul>
<li>Create an index through the API: install the Talend API Tester extension in Chrome and send a PUT request.</li>
</ul>
<p><img src="../images/blog/elk/ELK-API-crate-index.png" alt="ELK-API crate index"></p>
<ul>
<li>Delete an index through the API, for example to delete the index <code>test</code>.</li>
</ul>
<p><img src="../images/blog/elk/ELK-API-delete-index.png" alt="ELK-API delete index"></p>
<h3 id="插入数据"><a href="#插入数据" class="headerlink" title="Insert data"></a>Insert data</h3><ul>
<li>URL pattern: <code>POST /{index}/{type}/{id}</code></li>
</ul>
<p><img src="../images/blog/elk/ELK-insert-data-id.png" alt="ELK-插入数据"></p>
<figure class="highlight json"><table><tr><td class="code"><pre><span class="line"># Request body</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"id"</span>:<span class="number">1001</span>,</span><br><span class="line"> <span class="attr">"name"</span>:<span class="string">"张三"</span>,</span><br><span class="line"> <span class="attr">"age"</span>:<span class="string">"20"</span>,</span><br><span class="line"> <span class="attr">"sex"</span>:<span class="string">"男"</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"># Response</span><br><span class="line">{</span><br><span class="line"><span class="attr">"_index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"><span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"><span class="attr">"_id"</span>: <span class="string">"1001"</span>,</span><br><span class="line"><span class="attr">"_version"</span>: <span class="number">1</span>,</span><br><span class="line"><span class="attr">"result"</span>: <span class="string">"created"</span>,</span><br><span class="line"><span class="attr">"_shards"</span>:{</span><br><span class="line"><span class="attr">"total"</span>: <span class="number">1</span>,</span><br><span class="line"><span class="attr">"successful"</span>: <span class="number">1</span>,</span><br><span class="line"><span class="attr">"failed"</span>: <span class="number">0</span></span><br><span class="line">},</span><br><span class="line"><span class="attr">"_seq_no"</span>: <span class="number">0</span>,</span><br><span class="line"><span class="attr">"_primary_term"</span>: <span class="number">1</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<ul>
<li>Look up the document. <code>_id</code> is the document's unique identifier. Note: an index without a predefined mapping does not have to be created in advance; indexing the first document creates it, with the field types inferred by dynamic mapping from that first document.</li>
</ul>
<p><img src="../images/blog/elk/ELK-show-data.png" alt="ELK-查看数据"></p>
<ul>
<li>Send a <code>POST</code> request to <code>http://172.20.29.75:9200/estest/user</code>. This request does not specify a document id; the <code>id</code> in the body is just an ordinary field of the document.</li>
</ul>
<figure class="highlight json"><table><tr><td class="code"><pre><span class="line"># Request body</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"id"</span>:<span class="number">1002</span>,</span><br><span class="line"> <span class="attr">"name"</span>:<span class="string">"李四"</span>,</span><br><span class="line"> <span class="attr">"age"</span>:<span class="string">"21"</span>,</span><br><span class="line"> <span class="attr">"sex"</span>:<span class="string">"女"</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<ul>
<li>Elasticsearch generated the unique id itself.</li>
</ul>
<p><img src="../images/blog/elk/ELK-insert-data.png" alt="ELK-插入数据 ID"></p>
<h3 id="更新数据"><a href="#更新数据" class="headerlink" title="Update data"></a>Update data</h3><ul>
<li>Documents in Elasticsearch cannot be modified in place, but they can be updated by overwriting them. Here a <code>PUT</code> request is sent to the document's unique id:<figure class="highlight json"><table><tr><td class="code"><pre><span class="line">PUT http://172.20.29.75:9200/estest/user/1001</span><br><span class="line"></span><br><span class="line"># Request body</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"id"</span>:<span class="number">1001</span>,</span><br><span class="line"> <span class="attr">"name"</span>:<span class="string">"张三"</span>,</span><br><span class="line"> <span class="attr">"age"</span>:<span class="string">"21"</span>,</span><br><span class="line"> <span class="attr">"sex"</span>:<span class="string">"女"</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"># Response; note that _version has increased</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"_index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"> <span class="attr">"_id"</span>: <span class="string">"1001"</span>,</span><br><span class="line"> <span class="attr">"_version"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"result"</span>: <span class="string">"updated"</span>,</span><br><span class="line"> <span class="attr">"_shards"</span>: {</span><br><span class="line"> <span class="attr">"total"</span>: <span class="number">1</span>,</span><br><span class="line"> <span class="attr">"successful"</span>: <span class="number">1</span>,</span><br><span class="line"> <span class="attr">"failed"</span>: <span class="number">0</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"_seq_no"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"_primary_term"</span>: <span class="number">1</span></span><br><span 
class="line">}</span><br></pre></td></tr></table></figure>
</li>
</ul>
<figure class="highlight json"><table><tr><td class="code"><pre><span class="line"># If the new body omits a field, the old value of that field is not kept, because this is a full replacement of the document.</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"id"</span>:<span class="number">1001</span>,</span><br><span class="line"> <span class="attr">"name"</span>:<span class="string">"张三"</span>,</span><br><span class="line"> <span class="attr">"age"</span>:<span class="string">"22"</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<ul>
<li>What a partial update does internally<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line"><span class="number">1.</span>Retrieve the JSON of the old document</span><br><span class="line"><span class="number">2.</span>Modify the JSON</span><br><span class="line"><span class="number">3.</span>Delete the old document</span><br><span class="line"><span class="number">4.</span>Index the new document</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Note that this uses <code>POST</code>, with <code>_update</code> appended after the document id, and the request body wrapped in <code>doc</code>.<figure class="highlight json"><table><tr><td class="code"><pre><span class="line">POST http://172.20.29.75:9200/estest/user/1001/_update</span><br><span class="line"></span><br><span class="line">{</span><br><span class="line"> <span class="attr">"doc"</span>:{</span><br><span class="line"> <span class="attr">"age"</span>:<span class="number">23</span></span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h4 id="删除数据"><a href="#删除数据" class="headerlink" title="Delete data"></a>Delete data</h4><ul>
<li><p>Deleting a document in Elasticsearch only takes a DELETE request. Note the <code>result</code> field, and that the version has increased. Deleting a document that does not exist returns a 404 with the result <code>not_found</code>.</p>
<figure class="highlight json"><table><tr><td class="code"><pre><span class="line">DELETE http://172.20.29.75:9200/estest/user/1001</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"># Response</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"_index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"> <span class="attr">"_id"</span>: <span class="string">"1001_update"</span>,</span><br><span class="line"> <span class="attr">"_version"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"result"</span>: <span class="string">"deleted"</span>,</span><br><span class="line"> <span class="attr">"_shards"</span>: {</span><br><span class="line"> <span class="attr">"total"</span>: <span class="number">1</span>,</span><br><span class="line"> <span class="attr">"successful"</span>: <span class="number">1</span>,</span><br><span class="line"> <span class="attr">"failed"</span>: <span class="number">0</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"_seq_no"</span>: <span class="number">6</span>,</span><br><span class="line"> <span class="attr">"_primary_term"</span>: <span class="number">1</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure>
</li>
<li><p>Note: a deleted document is not removed from disk immediately; it is only marked as deleted. Elasticsearch cleans up deleted content in the background as more data is indexed.</p>
</li>
</ul>
<h4 id="搜索数据"><a href="#搜索数据" class="headerlink" title="Search data"></a>Search data</h4><ul>
<li><p>Search by id</p>
<figure class="highlight json"><table><tr><td class="code"><pre><span class="line">GET http://172.20.29.75:9200/estest/user/VGGN3nABTHZ9F_yB_hk_</span><br><span class="line"></span><br><span class="line"># Response</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"_index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"> <span class="attr">"_id"</span>: <span class="string">"VGGN3nABTHZ9F_yB_hk_"</span>,</span><br><span class="line"> <span class="attr">"_version"</span>: <span class="number">1</span>,</span><br><span class="line"> <span class="attr">"_seq_no"</span>: <span class="number">1</span>,</span><br><span class="line"> <span class="attr">"_primary_term"</span>: <span class="number">1</span>,</span><br><span class="line"> <span class="attr">"found"</span>: <span class="literal">true</span>,</span><br><span class="line"> <span class="attr">"_source"</span>: {</span><br><span class="line"> <span class="attr">"id"</span>: <span class="number">1002</span>,</span><br><span class="line"> <span class="attr">"name"</span>: <span class="string">"李四"</span>,</span><br><span class="line"> <span class="attr">"age"</span>: <span class="string">"21"</span>,</span><br><span class="line"> <span class="attr">"sex"</span>: <span class="string">"女"</span></span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
</li>
<li><p>Search all data; by default 10 hits are returned.</p>
</li>
</ul>
<figure class="highlight"><table><tr><td class="code"><pre><span class="line">GET http://172.20.29.75:9200/estest/user/_search</span><br></pre></td></tr></table></figure>
<ul>
<li>Keyword search<figure class="highlight json"><table><tr><td class="code"><pre><span class="line"># Query users whose age is 21</span><br><span class="line"></span><br><span class="line">GET http://172.20.29.75:9200/estest/user/_search?q=age:21</span><br><span class="line"></span><br><span class="line"># Response</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"took"</span>: <span class="number">30</span>,</span><br><span class="line"> <span class="attr">"timed_out"</span>: <span class="literal">false</span>,</span><br><span class="line"> <span class="attr">"_shards"</span>: {</span><br><span class="line"> <span class="attr">"total"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"successful"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"skipped"</span>: <span class="number">0</span>,</span><br><span class="line"> <span class="attr">"failed"</span>: <span class="number">0</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"hits"</span>: {</span><br><span class="line"> <span class="attr">"total"</span>: {</span><br><span class="line"> <span class="attr">"value"</span>: <span class="number">1</span>,</span><br><span class="line"> <span class="attr">"relation"</span>: <span class="string">"eq"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"max_score"</span>: <span class="number">0.6931471</span>,</span><br><span class="line"> <span class="attr">"hits"</span>: [{</span><br><span class="line"> <span class="attr">"_index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"> <span class="attr">"_id"</span>: <span class="string">"VGGN3nABTHZ9F_yB_hk_"</span>,</span><br><span class="line"> <span class="attr">"_score"</span>: <span class="number">0.6931471</span>,</span><br><span 
class="line"> <span class="attr">"_source"</span>: {</span><br><span class="line"> <span class="attr">"id"</span>: <span class="number">1002</span>,</span><br><span class="line"> <span class="attr">"name"</span>: <span class="string">"李四"</span>,</span><br><span class="line"> <span class="attr">"age"</span>: <span class="string">"21"</span>,</span><br><span class="line"> <span class="attr">"sex"</span>: <span class="string">"女"</span></span><br><span class="line"> }</span><br><span class="line"> }]</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h4 id="DSL-搜索"><a href="#DSL-搜索" class="headerlink" title="DSL search"></a>DSL search</h4><ul>
<li><p>Elasticsearch provides its own query language, the Query DSL (Domain Specific Language), which is sent as a JSON request body.</p>
</li>
<li><p>The RESTful examples above queried with GET requests; the DSL queries here use POST because a JSON body is submitted.</p>
</li>
</ul>
<figure class="highlight elixir"><table><tr><td class="code"><pre><span class="line">POST <span class="symbol">http:</span>/<span class="regexp">/172.20.29.75:9200/estest</span><span class="regexp">/user/</span>_search</span><br><span class="line"></span><br><span class="line">{</span><br><span class="line"> <span class="string">"query"</span><span class="symbol">:</span>{</span><br><span class="line"> <span class="string">"match"</span><span class="symbol">:</span>{</span><br><span class="line"> <span class="string">"age"</span><span class="symbol">:</span><span class="number">21</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<ul>
<li>Postman can be used to send the JSON request.</li>
</ul>
<figure class="highlight json"><table><tr><td class="code"><pre><span class="line"># Note: this sends a bulk request to "_bulk?pretty". The body is newline-delimited JSON, and it must end with a newline.</span><br><span class="line"></span><br><span class="line">POST http://172.20.29.75:9200/_bulk?pretty</span><br><span class="line"></span><br><span class="line">{<span class="attr">"index"</span>: {<span class="attr">"_index"</span>: <span class="string">"estest"</span>}</span><br><span class="line">{<span class="attr">"id"</span>:<span class="number">1001</span>,<span class="attr">"name"</span>:<span class="string">"张三"</span>,<span class="attr">"age"</span>:<span class="number">20</span>,<span class="attr">"sex"</span>:<span class="string">"男"</span>}</span><br><span class="line"></span><br><span class="line">{<span class="attr">"index"</span>: {<span class="attr">"_index"</span>: <span class="string">"estest"</span>}</span><br><span class="line">{<span class="attr">"id"</span>:<span class="number">1002</span>,<span class="attr">"name"</span>:<span class="string">"李四"</span>,<span class="attr">"age"</span>:<span class="number">21</span>,<span class="attr">"sex"</span>:<span class="string">"女"</span>}</span><br><span class="line"></span><br><span class="line">{<span class="attr">"index"</span>: {<span class="attr">"_index"</span>: <span class="string">"estest"</span>}</span><br><span class="line">{<span class="attr">"id"</span>:<span class="number">1003</span>,<span class="attr">"name"</span>:<span class="string">"王五"</span>,<span class="attr">"age"</span>:<span class="number">31</span>,<span class="attr">"sex"</span>:<span class="string">"男"</span>}</span><br><span class="line"></span><br><span class="line">{<span class="attr">"index"</span>: {<span class="attr">"_index"</span>: <span class="string">"estest"</span>}</span><br><span class="line">{<span class="attr">"id"</span>:<span class="number">1004</span>,<span class="attr">"name"</span>:<span class="string">"赵六"</span>,<span class="attr">"age"</span>:<span 
class="number">32</span>,<span class="attr">"sex"</span>:<span class="string">"女"</span>}</span><br><span class="line"></span><br><span class="line">{<span class="attr">"index"</span>: {<span class="attr">"_index"</span>: <span class="string">"estest"</span>}</span><br><span class="line">{<span class="attr">"id"</span>:<span class="number">1005</span>,<span class="attr">"name"</span>:<span class="string">"孙七"</span>,<span class="attr">"age"</span>:<span class="number">33</span>,<span class="attr">"sex"</span>:<span class="string">"男"</span>}</span><br></pre></td></tr></table></figure>
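An added Python example, not code from the original post, that builds and checks a <code>_bulk</code> body offline the way the tutorial describes (action line, source line, trailing newline) and inspects a bulk response for per-item failures, which a bulk request reports with HTTP 200. The index name, field names and sample documents are taken from the tutorial; the mapping in <code>user_mapping()</code> and the bulk response in <code>SAMPLE_RESPONSE</code> are constructed here and were not captured from a cluster.

```python
"""Build, validate and post-process Elasticsearch _bulk requests offline.

Added example, not from the original post. The index name "estest" and the
id/name/age/sex fields come from the tutorial; the mapping and the sample
bulk response are assumptions made for this example.
"""
import json

INDEX = "estest"

# Constructed sample documents in the tutorial's shape. `age` is an int on
# purpose: the tutorial's first documents stored it as the string "20",
# which makes dynamic mapping pick `text` and breaks later aggregations.
DOCS = [
    {"id": 1001, "name": "张三", "age": 20, "sex": "男"},
    {"id": 1002, "name": "李四", "age": 21, "sex": "女"},
    {"id": 1003, "name": "王五", "age": 31, "sex": "男"},
]


def build_bulk_body(index, docs, id_field="id"):
    """Return the NDJSON body for POST /_bulk.

    Each document becomes an action line plus a source line. Using the
    document's own id as _id makes a re-sent request overwrite instead of
    duplicating. The body must end with a newline or the last action is
    rejected.
    """
    lines = []
    for doc in docs:
        action = {"index": {"_index": index, "_id": str(doc[id_field])}}
        # ensure_ascii=False keeps the Chinese names as UTF-8; the custom
        # separators drop spaces so each line stays a compact JSON object.
        lines.append(json.dumps(action, ensure_ascii=False, separators=(",", ":")))
        lines.append(json.dumps(doc, ensure_ascii=False, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def check_bulk_body(body):
    """Sanity-check a bulk body before sending it.

    Verifies the trailing newline, that every line parses as JSON, and that
    lines come in index/create action + source pairs. Returns the number of
    documents in the body.
    """
    if not body.endswith("\n"):
        raise ValueError("bulk body must end with a newline")
    lines = body.rstrip("\n").split("\n")
    if len(lines) % 2:
        raise ValueError("bulk body must contain action/source pairs")
    for i in range(0, len(lines), 2):
        action = json.loads(lines[i])
        json.loads(lines[i + 1])
        if not set(action) & {"index", "create"}:
            raise ValueError(f"line {i + 1}: expected an index or create action")
    return len(lines) // 2


def bulk_errors(response):
    """Return (_id, status, error type) for every item that failed.

    The bulk endpoint answers HTTP 200 even when individual items fail, so
    the caller must look at `errors` and `items`, not at the status code.
    """
    if not response.get("errors"):
        return []
    failed = []
    for item in response["items"]:
        # each item is {"<action>": {...}}; the action name is its only key
        (action, result), = item.items()
        if result.get("status", 200) >= 300:
            failed.append((result.get("_id"), result["status"], result["error"]["type"]))
    return failed


def user_mapping():
    """Assumed explicit mapping for the tutorial's user documents: numeric
    age so range filters and terms aggregations work, keyword sex, and a
    text name with a keyword sub-field for exact matches."""
    return {"mappings": {"properties": {
        "id": {"type": "integer"},
        "name": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
        "age": {"type": "integer"},
        "sex": {"type": "keyword"},
    }}}


# Constructed bulk response: two items succeeded, the third was rejected
# because its age did not fit the integer mapping.
SAMPLE_RESPONSE = {
    "took": 7,
    "errors": True,
    "items": [
        {"index": {"_index": INDEX, "_id": "1001", "status": 201}},
        {"index": {"_index": INDEX, "_id": "1002", "status": 201}},
        {"index": {"_index": INDEX, "_id": "1003", "status": 400,
                   "error": {"type": "mapper_parsing_exception",
                             "reason": "failed to parse field [age] of type [integer]"}}},
    ],
}

if __name__ == "__main__":
    body = build_bulk_body(INDEX, DOCS)
    print(body, end="")
    print("documents in body:", check_bulk_body(body))
    print("failed items:", bulk_errors(SAMPLE_RESPONSE))
```

The body returned by <code>build_bulk_body()</code> is what goes in the POST to <code>/_bulk</code> with <code>Content-Type: application/x-ndjson</code>; <code>bulk_errors()</code> is the check to run on the reply, since a 200 status says nothing about individual documents.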
<ul>
<li>This query uses a bool query with two clauses, filter and must: the filter keeps documents with age greater than 30, and sex must match 男. Only documents satisfying both conditions are returned.</li>
</ul>
<figure class="highlight json"><table><tr><td class="code"><pre><span class="line">POST http://172.20.29.75:9200/estest/user/_search</span><br><span class="line"></span><br><span class="line">{</span><br><span class="line"> <span class="attr">"query"</span>:{</span><br><span class="line"> <span class="attr">"bool"</span>:{</span><br><span class="line"> <span class="attr">"filter"</span>:{</span><br><span class="line"> <span class="attr">"range"</span>:{</span><br><span class="line"> <span class="attr">"age"</span>:{</span><br><span class="line"> <span class="attr">"gt"</span>:<span class="number">30</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"must"</span>:{</span><br><span class="line"> <span class="attr">"match"</span>:{</span><br><span class="line"> <span class="attr">"sex"</span>:<span class="string">"男"</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"># Response</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"took"</span>: <span class="number">11</span>,</span><br><span class="line"> <span class="attr">"timed_out"</span>: <span class="literal">false</span>,</span><br><span class="line"> <span class="attr">"_shards"</span>: {</span><br><span class="line"> <span class="attr">"total"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"successful"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"skipped"</span>: <span class="number">0</span>,</span><br><span class="line"> <span class="attr">"failed"</span>: <span class="number">0</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"hits"</span>: {</span><br><span class="line"> <span 
class="attr">"total"</span>: {</span><br><span class="line"> <span class="attr">"value"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"relation"</span>: <span class="string">"eq"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"max_score"</span>: <span class="number">0.9808291</span>,</span><br><span class="line"> <span class="attr">"hits"</span>: [</span><br><span class="line"> {</span><br><span class="line"> <span class="attr">"_index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"> <span class="attr">"_id"</span>: <span class="string">"WmFe4XABTHZ9F_yBuRmM"</span>,</span><br><span class="line"> <span class="attr">"_score"</span>: <span class="number">0.9808291</span>,</span><br><span class="line"> <span class="attr">"_source"</span>: {</span><br><span class="line"> <span class="attr">"id"</span>: <span class="number">1003</span>,</span><br><span class="line"> <span class="attr">"name"</span>: <span class="string">"王五"</span>,</span><br><span class="line"> <span class="attr">"age"</span>: <span class="number">31</span>,</span><br><span class="line"> <span class="attr">"sex"</span>: <span class="string">"男"</span></span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> {</span><br><span class="line"> <span class="attr">"_index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"> <span class="attr">"_id"</span>: <span class="string">"XGFe4XABTHZ9F_yBuRmM"</span>,</span><br><span class="line"> <span class="attr">"_score"</span>: <span class="number">0.18232156</span>,</span><br><span class="line"> <span class="attr">"_source"</span>: {</span><br><span class="line"> <span class="attr">"id"</span>: 
<span class="number">1005</span>,</span><br><span class="line"> <span class="attr">"name"</span>: <span class="string">"孙七"</span>,</span><br><span class="line"> <span class="attr">"age"</span>: <span class="number">33</span>,</span><br><span class="line"> <span class="attr">"sex"</span>: <span class="string">"男"</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> ]</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<ul>
<li>Full-text search: find documents whose name is 张三 or 李四.</li>
</ul>
<figure class="highlight json"><table><tr><td class="code"><pre><span class="line">POST http://172.20.29.75:9200/estest/user/_search</span><br><span class="line"></span><br><span class="line"># Request body</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"query"</span>:{</span><br><span class="line"> <span class="attr">"match"</span>:{</span><br><span class="line"> <span class="attr">"name"</span>:<span class="string">"张三 李四"</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"># Response</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"took"</span>: <span class="number">4</span>,</span><br><span class="line"> <span class="attr">"timed_out"</span>: <span class="literal">false</span>,</span><br><span class="line"> <span class="attr">"_shards"</span>: {</span><br><span class="line"> <span class="attr">"total"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"successful"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"skipped"</span>: <span class="number">0</span>,</span><br><span class="line"> <span class="attr">"failed"</span>: <span class="number">0</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"hits"</span>: {</span><br><span class="line"> <span class="attr">"total"</span>: {</span><br><span class="line"> <span class="attr">"value"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"relation"</span>: <span class="string">"eq"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"max_score"</span>: <span class="number">1.9616582</span>,</span><br><span class="line"> <span class="attr">"hits"</span>: [</span><br><span class="line"> {</span><br><span class="line"> <span class="attr">"_index"</span>: <span 
class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"> <span class="attr">"_id"</span>: <span class="string">"WWFe4XABTHZ9F_yBuRmM"</span>,</span><br><span class="line"> <span class="attr">"_score"</span>: <span class="number">1.9616582</span>,</span><br><span class="line"> <span class="attr">"_source"</span>: {</span><br><span class="line"> <span class="attr">"id"</span>: <span class="number">1002</span>,</span><br><span class="line"> <span class="attr">"name"</span>: <span class="string">"李四"</span>,</span><br><span class="line"> <span class="attr">"age"</span>: <span class="number">21</span>,</span><br><span class="line"> <span class="attr">"sex"</span>: <span class="string">"女"</span></span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> {</span><br><span class="line"> <span class="attr">"_index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"> <span class="attr">"_id"</span>: <span class="string">"WGFe4XABTHZ9F_yBuRmL"</span>,</span><br><span class="line"> <span class="attr">"_score"</span>: <span class="number">1.3862942</span>,</span><br><span class="line"> <span class="attr">"_source"</span>: {</span><br><span class="line"> <span class="attr">"id"</span>: <span class="number">1001</span>,</span><br><span class="line"> <span class="attr">"name"</span>: <span class="string">"张三"</span>,</span><br><span class="line"> <span class="attr">"age"</span>: <span class="number">20</span>,</span><br><span class="line"> <span class="attr">"sex"</span>: <span class="string">"男"</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> ]</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<ul>
<li>Highlighting</li>
</ul>
<figure class="highlight json"><table><tr><td class="code"><pre><span class="line">POST http://172.20.29.75:9200/estest/user/_search</span><br><span class="line"></span><br><span class="line">{</span><br><span class="line"> <span class="attr">"query"</span>:{</span><br><span class="line"> <span class="attr">"match"</span>:{</span><br><span class="line"> <span class="attr">"name"</span>:<span class="string">"张三 李四"</span></span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"highlight"</span>:{</span><br><span class="line"> <span class="attr">"fields"</span>:{</span><br><span class="line"> <span class="attr">"name"</span>:{}</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"># Response. Highlighting Chinese text depends on the analyzer: the default analyzer splits each name into single characters, so every character is highlighted separately.</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"took"</span>: <span class="number">56</span>,</span><br><span class="line"> <span class="attr">"timed_out"</span>: <span class="literal">false</span>,</span><br><span class="line"> <span class="attr">"_shards"</span>: {</span><br><span class="line"> <span class="attr">"total"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"successful"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"skipped"</span>: <span class="number">0</span>,</span><br><span class="line"> <span class="attr">"failed"</span>: <span class="number">0</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"hits"</span>: {</span><br><span class="line"> <span class="attr">"total"</span>: {</span><br><span class="line"> <span class="attr">"value"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="attr">"relation"</span>: <span class="string">"eq"</span></span><br><span class="line"> },</span><br><span class="line"> <span 
class="attr">"max_score"</span>: <span class="number">1.9616582</span>,</span><br><span class="line"> <span class="attr">"hits"</span>: [</span><br><span class="line"> {</span><br><span class="line"> <span class="attr">"_index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"> <span class="attr">"_id"</span>: <span class="string">"WWFe4XABTHZ9F_yBuRmM"</span>,</span><br><span class="line"> <span class="attr">"_score"</span>: <span class="number">1.9616582</span>,</span><br><span class="line"> <span class="attr">"_source"</span>: {</span><br><span class="line"> <span class="attr">"id"</span>: <span class="number">1002</span>,</span><br><span class="line"> <span class="attr">"name"</span>: <span class="string">"李四"</span>,</span><br><span class="line"> <span class="attr">"age"</span>: <span class="number">21</span>,</span><br><span class="line"> <span class="attr">"sex"</span>: <span class="string">"女"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"highlight"</span>: {</span><br><span class="line"> <span class="attr">"name"</span>: [</span><br><span class="line"> <span class="string">"<em>李</em><em>四</em>"</span></span><br><span class="line"> ]</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> {</span><br><span class="line"> <span class="attr">"_index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"_type"</span>: <span class="string">"user"</span>,</span><br><span class="line"> <span class="attr">"_id"</span>: <span class="string">"WGFe4XABTHZ9F_yBuRmL"</span>,</span><br><span class="line"> <span class="attr">"_score"</span>: <span class="number">1.3862942</span>,</span><br><span class="line"> <span class="attr">"_source"</span>: {</span><br><span class="line"> <span class="attr">"id"</span>: <span 
class="number">1001</span>,</span><br><span class="line"> <span class="attr">"name"</span>: <span class="string">"张三"</span>,</span><br><span class="line"> <span class="attr">"age"</span>: <span class="number">20</span>,</span><br><span class="line"> <span class="attr">"sex"</span>: <span class="string">"男"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"highlight"</span>: {</span><br><span class="line"> <span class="attr">"name"</span>: [</span><br><span class="line"> <span class="string">"<em>张</em><em>三</em>"</span></span><br><span class="line"> ]</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> ]</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<ul>
<li>Aggregation: first update 张三's age so that it matches 李四's.</li>
</ul>
<figure class="highlight json"><table><tr><td class="code"><pre><span class="line">POST http://172.20.29.75:9200/estest/user/WGFe4XABTHZ9F_yBuRmL/_update</span><br><span class="line"></span><br><span class="line">{</span><br><span class="line"> <span class="attr">"doc"</span>:{</span><br><span class="line"> <span class="attr">"age"</span>:<span class="number">21</span></span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<ul>
<li>The aggregation errors out here; I don't know yet what the problem is.<figure class="highlight json"><table><tr><td class="code"><pre><span class="line">POST http://172.20.29.75:9200/estest/user/_search</span><br><span class="line"></span><br><span class="line">{</span><br><span class="line"> <span class="attr">"aggs"</span>:{</span><br><span class="line"> <span class="attr">"all_interests"</span>:{</span><br><span class="line"> <span class="attr">"terms"</span>:{</span><br><span class="line"> <span class="attr">"field"</span>:<span class="string">"age"</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"># Error response</span><br><span class="line">{</span><br><span class="line"> <span class="attr">"error"</span>: {</span><br><span class="line"> <span class="attr">"root_cause"</span>: [</span><br><span class="line"> {</span><br><span class="line"> <span class="attr">"type"</span>: <span class="string">"illegal_argument_exception"</span>,</span><br><span class="line"> <span class="attr">"reason"</span>: <span class="string">"Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [age] in order to load field data by uninverting the inverted index. 
Note that this can use significant memory."</span></span><br><span class="line"> }</span><br><span class="line"> ],</span><br><span class="line"> <span class="attr">"type"</span>: <span class="string">"search_phase_execution_exception"</span>,</span><br><span class="line"> <span class="attr">"reason"</span>: <span class="string">"all shards failed"</span>,</span><br><span class="line"> <span class="attr">"phase"</span>: <span class="string">"query"</span>,</span><br><span class="line"> <span class="attr">"grouped"</span>: <span class="literal">true</span>,</span><br><span class="line"> <span class="attr">"failed_shards"</span>: [</span><br><span class="line"> {</span><br><span class="line"> <span class="attr">"shard"</span>: <span class="number">0</span>,</span><br><span class="line"> <span class="attr">"index"</span>: <span class="string">"estest"</span>,</span><br><span class="line"> <span class="attr">"node"</span>: <span class="string">"Qcxv7GXOSt6PgiXR11Ea6A"</span>,</span><br><span class="line"> <span class="attr">"reason"</span>: {</span><br><span class="line"> <span class="attr">"type"</span>: <span class="string">"illegal_argument_exception"</span>,</span><br><span class="line"> <span class="attr">"reason"</span>: <span class="string">"Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [age] in order to load field data by uninverting the inverted index. 
Note that this can use significant memory."</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> ],</span><br><span class="line"> <span class="attr">"caused_by"</span>: {</span><br><span class="line"> <span class="attr">"type"</span>: <span class="string">"illegal_argument_exception"</span>,</span><br><span class="line"> <span class="attr">"reason"</span>: <span class="string">"Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [age] in order to load field data by uninverting the inverted index. Note that this can use significant memory."</span>,</span><br><span class="line"> <span class="attr">"caused_by"</span>: {</span><br><span class="line"> <span class="attr">"type"</span>: <span class="string">"illegal_argument_exception"</span>,</span><br><span class="line"> <span class="attr">"reason"</span>: <span class="string">"Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [age] in order to load field data by uninverting the inverted index. Note that this can use significant memory."</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> <span class="attr">"status"</span>: <span class="number">400</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure>
</li>
</ul>
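The error above comes from the mapping, not the query: a <code>text</code> field has no doc values, so a terms aggregation needs a <code>keyword</code> or numeric field, and <code>fielddata=true</code> only works by loading the whole field into JVM heap. As an added example (my code, not the tutorial's), a pre-flight check that reads an index mapping and picks the field a terms aggregation can safely use; the mapping is constructed in the shape ES 7 returns for <code>GET /estest/_mapping</code> and is an assumption, not the author's actual mapping.

```python
"""Pre-flight check: which field (if any) can back a terms aggregation.

SAMPLE_MAPPING is constructed in the ES 7 GET /estest/_mapping shape;
it is an assumption, not the tutorial's real index mapping.
"""

# Field types that carry doc values and can be aggregated on directly.
DOC_VALUE_TYPES = {
    "keyword", "long", "integer", "short", "byte", "double", "float",
    "half_float", "scaled_float", "date", "boolean", "ip",
}

# Constructed sample: "age" was indexed as text (what the
# illegal_argument_exception complains about), "name" has the usual
# dynamic-mapping keyword sub-field, "id" is numeric, "sex" has fielddata.
SAMPLE_MAPPING = {
    "estest": {
        "mappings": {
            "properties": {
                "id": {"type": "long"},
                "name": {
                    "type": "text",
                    "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
                },
                "age": {"type": "text"},
                "sex": {"type": "text", "fielddata": True},
            }
        }
    }
}


def aggregatable_field(mapping, index, field):
    """Return (usable_field_name, note), or (None, reason) if no field works."""
    props = mapping.get(index, {}).get("mappings", {}).get("properties", {})
    spec = props.get(field)
    if spec is None:
        return None, f"field {field!r} is not in the mapping"
    ftype = spec.get("type")
    if ftype in DOC_VALUE_TYPES:
        return field, f"{ftype} field has doc values"
    if ftype == "text":
        # Prefer a keyword sub-field: exact values, doc values, no heap cost.
        for sub_name, sub in spec.get("fields", {}).items():
            if sub.get("type") == "keyword":
                return f"{field}.{sub_name}", "using keyword sub-field"
        if spec.get("fielddata") is True:
            # Works, but uninverts the whole field into JVM heap on first use.
            return field, "fielddata=true: aggregating costs heap memory"
        return None, (f"text field {field!r} has no keyword sub-field; "
                      "re-map it as keyword/numeric or add a sub-field")
    return None, f"type {ftype!r} is not aggregatable"


def build_terms_agg(mapping, index, field, agg_name="all_interests"):
    """Search body for a terms aggregation, or ValueError with the reason."""
    usable, note = aggregatable_field(mapping, index, field)
    if usable is None:
        raise ValueError(note)
    return {"size": 0, "aggs": {agg_name: {"terms": {"field": usable}}}}


if __name__ == "__main__":
    for name in ("id", "name", "age", "sex", "missing"):
        print(name, aggregatable_field(SAMPLE_MAPPING, "estest", name))
```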
]]></content>
<categories>
<category>ELK</category>
</categories>
<tags>
<tag>ELK</tag>
<tag>elasticsearch</tag>
</tags>
</entry>
<entry>
<title>Hello World</title>
<url>/hello-world.html</url>
<content><![CDATA[<blockquote>
<p>Notes on common Hexo commands</p>
</blockquote>
<p>Welcome to <a href="https://hexo.io/" target="_blank" rel="noopener">Hexo</a>! This is your very first post. Check <a href="https://hexo.io/docs/" target="_blank" rel="noopener">documentation</a> for more info. If you get any problems when using Hexo, you can find the answer in <a href="https://hexo.io/docs/troubleshooting.html" target="_blank" rel="noopener">troubleshooting</a> or you can ask me on <a href="https://github.com/hexojs/hexo/issues" target="_blank" rel="noopener">GitHub</a>.</p>
<h2 id="Quick-Start"><a href="#Quick-Start" class="headerlink" title="Quick Start"></a>Quick Start</h2><h3 id="Create-a-new-post"><a href="#Create-a-new-post" class="headerlink" title="Create a new post"></a>Create a new post</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ hexo new <span class="string">"My New Post"</span></span><br></pre></td></tr></table></figure>
<p>More info: <a href="https://hexo.io/docs/writing.html" target="_blank" rel="noopener">Writing</a></p>
<h3 id="Run-server"><a href="#Run-server" class="headerlink" title="Run server"></a>Run server</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ hexo server</span><br></pre></td></tr></table></figure>
<p>More info: <a href="https://hexo.io/docs/server.html" target="_blank" rel="noopener">Server</a></p>
<h3 id="Generate-static-files"><a href="#Generate-static-files" class="headerlink" title="Generate static files"></a>Generate static files</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ hexo generate</span><br></pre></td></tr></table></figure>
<p>More info: <a href="https://hexo.io/docs/generating.html" target="_blank" rel="noopener">Generating</a></p>
<h3 id="Deploy-to-remote-sites"><a href="#Deploy-to-remote-sites" class="headerlink" title="Deploy to remote sites"></a>Deploy to remote sites</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ hexo deploy</span><br></pre></td></tr></table></figure>
<p>More info: <a href="https://hexo.io/docs/one-command-deployment.html" target="_blank" rel="noopener">Deployment</a></p>
]]></content>
<categories>
<category>Hexo</category>
</categories>
<tags>
<tag>Hexo</tag>
</tags>
</entry>
<entry>
<title>Cisco AnyConnect: integrating domain accounts and Google two-factor authentication via FreeRADIUS</title>
<url>/Cisco-AnyConnect-%E9%80%9A%E8%BF%87FreeRADIUS%E9%9B%86%E6%88%90%E5%9F%9F%E8%B4%A6%E5%8F%B7-%E8%B0%B7%E6%AD%8C%E5%8F%8C%E5%9B%A0%E7%B4%A0%E8%AE%A4%E8%AF%81.html</url>
<content><![CDATA[<blockquote>
<p>Goal of the lab: when a user dials in with Cisco AnyConnect and enters the AD account password followed by the Google one-time code, authentication succeeds and the user is authorized. The Cisco ASA points to FreeRADIUS for authentication, and FreeRADIUS ties together AD and google_authenticator.</p>
</blockquote>
<h2 id="一、环境介绍"><a href="#一、环境介绍" class="headerlink" title="一、环境介绍"></a>1. Environment</h2><ul>
<li>Topology</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-topo.png" alt="[AnyConnect-freeradius-ad-mfa]topo"></p>
<ul>
<li>The lab CentOS8 host has two NICs: one for Internet access and one in the firewall's inside zone.</li>
<li>CentOS8 (CentOS7 also works) hosts FreeRADIUS and Google Authenticator. Windows Server 2016 runs the AD service; AD installation is not covered here. Users need the Google Authenticator app on their phone.</li>
<li>Users dial in with AnyConnect and enter a username and password; in the password field they type <strong>password + one-time code</strong>, which gives <strong>AD account + one-time code</strong> two-factor authentication.</li>
</ul>
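The combined credential from the last bullet, worked through as an added example (my code, not the tutorial's): the last six digits typed into the password field are taken as the TOTP code and the rest as the AD password, the same convention pam_google_authenticator uses with its forward_pass option, which I assume the PAM setup later in the post relies on. The base32 secret is the RFC 6238 test key and the expected password is a constructed value; in the real deployment the password part is checked by AD through SSSD, not compared locally.

```python
"""Split "password + one-time code" and verify the TOTP part (RFC 6238).

Added example. SAMPLE_SECRET_B32 is the RFC 4226/6238 test key and
SAMPLE_PASSWORD is constructed; AD (via SSSD) checks the password in reality.
"""
import base64
import hashlib
import hmac
import struct
import time

TOTP_DIGITS = 6   # Google Authenticator default
TOTP_STEP = 30    # seconds per time step

# Constructed: base32 of the RFC test secret "12345678901234567890".
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_PASSWORD = "Cisc0123"


def hotp(secret_b32, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP-SHA1 with dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time, step=TOTP_STEP):
    """TOTP code for a given Unix time."""
    return hotp(secret_b32, int(at_time) // step)


def split_credential(typed, digits=TOTP_DIGITS):
    """'<password><code>' -> (password, code); None if no code is present."""
    if len(typed) <= digits or not typed[-digits:].isdigit():
        return None
    return typed[:-digits], typed[-digits:]


def verify_totp(secret_b32, code, at_time, used_counters, window=1):
    """Accept the code if it matches the current step or one step either side
    and that step has not been used before (replay protection)."""
    now = int(at_time) // TOTP_STEP
    for counter in range(now - window, now + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            if counter in used_counters:
                return False, "code already used"
            used_counters.add(counter)
            return True, "code ok"
    return False, "code mismatch"


def check_login(typed, expected_password, secret_b32, at_time=None,
                used_counters=None):
    """Two-factor check of one AnyConnect password-field value."""
    if at_time is None:
        at_time = time.time()
    if used_counters is None:
        used_counters = set()
    parts = split_credential(typed)
    if parts is None:
        return False, "no one-time code at end of password"
    password, code = parts
    # Stand-in for the AD bind that SSSD performs in the real deployment.
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return False, "password mismatch"
    return verify_totp(secret_b32, code, at_time, used_counters)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: step 1 -> code 287082
    print(totp(SAMPLE_SECRET_B32, t))
    print(check_login(SAMPLE_PASSWORD + totp(SAMPLE_SECRET_B32, t),
                      SAMPLE_PASSWORD, SAMPLE_SECRET_B32, at_time=t))
```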
<h2 id="二、CentOS8-环境设置"><a href="#二、CentOS8-环境设置" class="headerlink" title="二、CentOS8 环境设置"></a>2. CentOS8 environment setup</h2><ul>
<li>Update the system<br><code>[root@centos8 ~]# yum update</code></li>
</ul>
<ul>
<li>Set the time zone<br><code>[root@centos8 /]# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime</code></li>
</ul>
<ul>
<li>Check that the time zone link is correct<br><code>[root@centos8 /]# ll /etc/localtime</code></li>
</ul>
<ul>
<li>Disable SELinux, both temporarily and permanently.<br><code>[root@centos8 ~]# setenforce 0</code><br><code>[root@centos8 ~]# sed -i 's/=enforcing/=permissive/g' /etc/selinux/config</code></li>
</ul>
<ul>
<li>Check the SELinux status.<br><code>[root@centos8 ~]# getenforce</code><br><code>Permissive</code></li>
</ul>
<ul>
<li>Disable the firewall (optional); it was left running in this lab.<br><code>[root@centos8 ~]# systemctl stop firewalld.service</code><br><code>[root@centos8 ~]# systemctl disable firewalld.service</code></li>
</ul>
<hr>
<h2 id="三、FreeRADIUS-安装及配置"><a href="#三、FreeRADIUS-安装及配置" class="headerlink" title="三、FreeRADIUS 安装及配置"></a>3. FreeRADIUS installation and configuration</h2><h3 id="3-1-FreeRADIUS安装"><a href="#3-1-FreeRADIUS安装" class="headerlink" title="3.1 FreeRADIUS安装"></a>3.1 Install FreeRADIUS</h3><ul>
<li>Install FreeRADIUS<br><code>[root@centos8 ~]# yum install freeradius freeradius-utils</code></li>
</ul>
<ul>
<li>Enable and start the radius service<br><code>[root@centos8 ~]# systemctl enable --now radiusd.service</code></li>
</ul>
<ul>
<li>Allow radius through the firewall<br><code>[root@centos8 ~]# firewall-cmd --add-service=radius --permanent</code><br><code>[root@centos8 ~]# firewall-cmd --reload</code></li>
</ul>
<h3 id="3-2-FreeRADIUS修改配置文件"><a href="#3-2-FreeRADIUS修改配置文件" class="headerlink" title="3.2 FreeRADIUS修改配置文件"></a>3.2 Edit the FreeRADIUS configuration files</h3><ul>
<li>FreeRADIUS must be able to read the .google_authenticator token in every user's home directory, so it has to run with root privileges.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]# vi /etc/raddb/radiusd.conf</span><br><span class="line"></span><br><span class="line"> #user = radiusd</span><br><span class="line"> #group = radiusd</span><br><span class="line"> <span class="built_in"> user </span>= root</span><br><span class="line"> <span class="built_in"> group </span>= root</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Uncomment <code>pam</code>; with PAM (Pluggable Authentication Modules) enabled, radius can load authentication modules dynamically.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]# vi /etc/raddb/sites-enabled/default</span><br><span class="line"></span><br><span class="line"> pam</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Enable the pam module; the radius pam module is not enabled by default.<br><code>[root@centos8 ~]# ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam</code></li>
</ul>
<ul>
<li>Edit <code>/etc/raddb/clients.conf</code> so that radius accepts authentication requests from the Cisco ASAv: append the firewall's IP address and shared secret at the end of the file.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]# vi /etc/raddb/clients.conf</span><br><span class="line"></span><br><span class="line">client 192.168.1.254 {</span><br><span class="line"><span class="built_in"> secret </span>= cisco</span><br><span class="line"> shortname = CiscoASA</span><br><span class="line"> nastype = cisco</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="3-3-FreeRADIUS-服务测试"><a href="#3-3-FreeRADIUS-服务测试" class="headerlink" title="3.3 FreeRADIUS 服务测试"></a>3.3 Test the FreeRADIUS service</h3><ul>
<li>Create a user group; to deny a user access, add the user to this group.<br><code>[root@centos8 ~]# groupadd radius-disabled</code></li>
</ul>
<ul>
<li>Edit <code>/etc/raddb/users</code> and add the newly created "radius-disabled" group to the "deny user group" section.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]# vi /etc/raddb/users</span><br><span class="line"></span><br><span class="line"><span class="comment">#DEFAULT Group == "disabled", Auth-Type := Reject</span></span><br><span class="line"><span class="comment"># Reply-Message = "Your account has been disabled."</span></span><br><span class="line"></span><br><span class="line">DEFAULT <span class="built_in"> Group </span>== <span class="string">"radius-disabled"</span>, Auth-Type := Reject</span><br><span class="line"> Reply-Message = <span class="string">"Your account has been disabled."</span></span><br><span class="line">DEFAULT Auth-Type := PAM</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Create a local account on CentOS to test the radius service.<figure class="highlight autoit"><table><tr><td class="code"><pre><span class="line">[root<span class="symbol">@centos8</span> ~]<span class="meta"># useradd radlocal</span></span><br><span class="line">[root<span class="symbol">@centos8</span> ~]<span class="meta"># passwd radlocal</span></span><br><span class="line">更改用户 radlocal 的密码 。</span><br><span class="line">新的 密码:radpassword</span><br><span class="line">重新输入新的 密码:radpassword</span><br><span class="line">passwd:所有的身份验证令牌已经成功更新。</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Start radius in debug mode. This command is very useful: if authentication fails, the error output lets you locate the cause.<br><code>[root@centos8 ~]# radiusd -X</code></li>
</ul>
<ul>
<li>Open a new terminal and test whether the local account passes radius authentication; <code>Received Access-Accept</code> means authentication succeeded.<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]# radtest radlocal radpassword localhost 18120 testing123</span><br><span class="line">Sent Access-Request Id 9 from 0.0.0.0:41546 to 127.0.0.1:1812 length 78</span><br><span class="line"> User-Name = "radlocal"</span><br><span class="line"> User-Password = "radpassword"</span><br><span class="line"> NAS-IP-Address = 172.20.29.110</span><br><span class="line"> NAS-Port = 18120</span><br><span class="line"> Message-Authenticator = 0x00</span><br><span class="line"> Cleartext-Password = "radpassword"</span><br><span class="line">Received Access-Accept Id 9 from 127.0.0.1:1812 to 127.0.0.1:41546 length 20</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Output shown in the <code>radiusd -X</code> window, for reference.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">Listening on auth<span class="built_in"> address </span>127.0.0.1<span class="built_in"> port </span>18120 bound <span class="keyword">to</span><span class="built_in"> server </span>inner-tunnel</span><br><span class="line">Listening on<span class="built_in"> proxy address </span>*<span class="built_in"> port </span>43164</span><br><span class="line">Listening on<span class="built_in"> proxy address </span>::<span class="built_in"> port </span>40551</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br><span class="line">(0) Received Access-Request Id 9 <span class="keyword">from</span> 127.0.0.1:41546 <span class="keyword">to</span> 127.0.0.1:1812 length 78</span><br><span class="line">(0) User-Name = <span class="string">"radlocal"</span></span><br><span class="line">(0) User-Password = <span class="string">"radpassword"</span></span><br><span class="line">(0) NAS-IP-Address = 172.20.29.110</span><br><span class="line">(0) NAS-Port = 18120</span><br><span class="line">(0) Message-Authenticator = 0xeba37c10c860860bd3dcc7bff2c5edf0</span><br><span class="line">(0) # Executing section authorize <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) authorize {</span><br><span class="line">(0) <span class="built_in"> policy </span>filter_username {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) -> <span class="literal">TRUE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ / /) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ / /) -> <span class="literal">FALSE</span></span><br><span 
class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {</span><br><span class="line">(0) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.$/) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.$/) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@\./) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@\./) -> <span class="literal">FALSE</span></span><br><span class="line">(0) } # <span class="keyword">if</span> (&User-Name) = notfound</span><br><span class="line">(0) } #<span class="built_in"> policy </span>filter_username = notfound</span><br><span class="line">(0) [preprocess] = ok</span><br><span class="line">(0) [chap] = noop</span><br><span class="line">(0) [mschap] = noop</span><br><span class="line">(0) [digest] = noop</span><br><span class="line">(0) suffix: Checking <span class="keyword">for</span> suffix after <span class="string">"@"</span></span><br><span class="line">(0) suffix: <span class="literal">No</span> <span class="string">'@'</span> <span class="keyword">in</span> User-Name = <span class="string">"radlocal"</span>, looking up realm <span class="literal">NULL</span></span><br><span class="line">(0) suffix: <span class="literal">No</span> such realm <span 
class="string">"NULL"</span></span><br><span class="line">(0) [suffix] = noop</span><br><span class="line">(0) eap: <span class="literal">No</span> EAP-Message, <span class="keyword">not</span> doing EAP</span><br><span class="line">(0) [eap] = noop</span><br><span class="line">(0) files: users: Matched entry<span class="built_in"> DEFAULT </span>at line 69</span><br><span class="line">(0) [files] = ok</span><br><span class="line">(0) [expiration] = noop</span><br><span class="line">(0) [logintime] = noop</span><br><span class="line">(0) pap: WARNING: <span class="literal">No</span> <span class="string">"known good"</span> password found <span class="keyword">for</span> the user. <span class="keyword">Not</span> setting Auth-Type</span><br><span class="line">(0) pap: WARNING: Authentication will fail unless a <span class="string">"known good"</span> password is available</span><br><span class="line">(0) [pap] = noop</span><br><span class="line">(0) } # authorize = ok</span><br><span class="line">(0) Found Auth-Type = pam</span><br><span class="line">(0) # Executing<span class="built_in"> group </span><span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) authenticate {</span><br><span class="line">(0) pam: Using pamauth string <span class="string">"radiusd"</span> <span class="keyword">for</span> pam.conf lookup</span><br><span class="line">(0) pam: Authentication succeeded</span><br><span class="line">(0) [pam] = ok</span><br><span class="line">(0) } # authenticate = ok</span><br><span class="line">(0) # Executing section post-auth <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) post-auth {</span><br><span class="line">(0) update {</span><br><span class="line">(0) <span class="literal">No</span> attributes updated</span><br><span class="line">(0) } # update = noop</span><br><span class="line">(0) [exec] = noop</span><br><span class="line">(0) <span 
class="built_in"> policy </span>remove_reply_message_if_eap {</span><br><span class="line">(0) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) {</span><br><span class="line">(0) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">else</span> {</span><br><span class="line">(0) [noop] = noop</span><br><span class="line">(0) } # <span class="keyword">else</span> = noop</span><br><span class="line">(0) } #<span class="built_in"> policy </span>remove_reply_message_if_eap = noop</span><br><span class="line">(0) } # post-auth = noop</span><br><span class="line">(0) Sent Access-Accept Id 9 <span class="keyword">from</span> 127.0.0.1:1812 <span class="keyword">to</span> 127.0.0.1:41546 length 0</span><br><span class="line">(0) Finished request</span><br><span class="line">Waking up <span class="keyword">in</span> 4.9 seconds.</span><br><span class="line">(0) Cleaning up request packet ID 9 with +50</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br></pre></td></tr></table></figure>
</li>
</ul>
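The debug output above is long even for one request, so as an added example (my script, not FreeRADIUS's) here is a parser that folds the per-request <code>(N)</code> lines of <code>radiusd -X</code> into one summary per request: user, the <code>users</code> entry that matched, the Auth-Type found, each module's result and whether an Access-Accept or Access-Reject was sent. The sample log is constructed: request 0 is trimmed from the lines above, while requests 1 and 2 (a users-file Reject and a PAM failure, with made-up addresses) are invented to show the failure paths.

```python
"""Fold radiusd -X debug output into one summary per request.

Added example, not FreeRADIUS code. SAMPLE_LOG is constructed: request 0 is
trimmed from the real debug output, requests 1 and 2 are invented (users-file
Reject, PAM failure) with made-up NAS and server addresses.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
Ready to process requests
(0) Received Access-Request Id 9 from 127.0.0.1:41546 to 127.0.0.1:1812 length 78
(0)   User-Name = "radlocal"
(0)   NAS-IP-Address = 172.20.29.110
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     files: users: Matched entry DEFAULT at line 69
(0)     [files] = ok
(0)     pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0)     [pap] = noop
(0) Found Auth-Type = pam
(0)     pam: Authentication succeeded
(0)     [pam] = ok
(0) Sent Access-Accept Id 9 from 127.0.0.1:1812 to 127.0.0.1:41546 length 0
(0) Finished request
(1) Received Access-Request Id 10 from 192.168.1.254:1645 to 192.168.1.10:1812 length 80
(1)   User-Name = "disabled1"
(1)   NAS-IP-Address = 192.168.1.254
(1)     files: users: Matched entry DEFAULT at line 66
(1)     [files] = ok
(1) Found Auth-Type = Reject
(1) Sent Access-Reject Id 10 from 192.168.1.10:1812 to 192.168.1.254:1645 length 44
(1) Finished request
(2) Received Access-Request Id 11 from 192.168.1.254:1645 to 192.168.1.10:1812 length 80
(2)   User-Name = "radlocal"
(2)   NAS-IP-Address = 192.168.1.254
(2)     files: users: Matched entry DEFAULT at line 69
(2)     [files] = ok
(2) Found Auth-Type = pam
(2)     [pam] = reject
(2) Sent Access-Reject Id 11 from 192.168.1.10:1812 to 192.168.1.254:1645 length 20
(2) Finished request
"""


@dataclass
class RequestSummary:
    req: str                      # the (N) request number in the debug log
    radius_id: str = ""           # RADIUS packet Id
    user: str = ""
    nas: str = ""
    users_line: str = ""          # line of /etc/raddb/users that matched
    auth_type: str = ""
    modules: dict = field(default_factory=dict)   # module -> rcode
    outcome: str = "no reply seen"


_PREFIX = re.compile(r"^\((\d+)\)\s*(.*)$")
_MODULE = re.compile(r"^\[(\w+)\] = (\w+)$")
_SENT = re.compile(r"^Sent Access-(Accept|Reject|Challenge)")
_RULES = [
    ("radius_id", re.compile(r"^Received Access-Request Id (\d+)")),
    ("user", re.compile(r'^User-Name = "([^"]*)"')),
    ("nas", re.compile(r"^NAS-IP-Address = (\S+)")),
    ("users_line", re.compile(r"^files: users: Matched entry \S+ at line (\d+)")),
    ("auth_type", re.compile(r"^Found Auth-Type = (\S+)")),
]


def summarize_debug(text):
    """Map request number -> RequestSummary, ignoring non-request lines."""
    out = {}
    for raw in text.splitlines():
        m = _PREFIX.match(raw)
        if not m:
            continue
        req, body = m.group(1), m.group(2).strip()
        summary = out.setdefault(req, RequestSummary(req))
        mod = _MODULE.match(body)
        if mod:
            summary.modules[mod.group(1)] = mod.group(2)
            continue
        sent = _SENT.match(body)
        if sent:
            summary.outcome = sent.group(1).lower()
            continue
        for attr, rx in _RULES:
            hit = rx.match(body)
            if hit:
                setattr(summary, attr, hit.group(1))
                break
    return out


def failures(summaries):
    """(req, user, auth_type, outcome, reason) for every non-accepted request."""
    rows = []
    for s in summaries.values():
        if s.outcome == "accept":
            continue
        bad = [f"{m}={r}" for m, r in s.modules.items()
               if r in ("reject", "fail", "invalid", "userlock")]
        if s.auth_type.lower() == "reject":
            reason = f"users file line {s.users_line} set Auth-Type := Reject"
        elif bad:
            reason = "module failure: " + ", ".join(bad)
        else:
            reason = "no module failure recorded"
        rows.append((s.req, s.user, s.auth_type, s.outcome, reason))
    return rows


if __name__ == "__main__":
    for row in failures(summarize_debug(SAMPLE_LOG)):
        print(row)
```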
<hr>
<h2 id="四、SSSD安装配置"><a href="#四、SSSD安装配置" class="headerlink" title="四、SSSD安装配置"></a>4. SSSD installation and configuration</h2><ul>
<li>AD is already installed and configured; some of its configuration is shown below. The python.com domain was created, and its DNS resolves public addresses, so that yum still works once the CentOS DNS points at AD.</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-01.png" alt="[AnyConnect-freeradius-ad-mfa]ad-01.png"></p>
<ul>
<li>Create an A record for mfatest; CentOS uses it to test name resolution.</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-02.png" alt="[AnyConnect-freeradius-ad-mfa]ad-02.png"></p>
<ul>
<li>Install SSSD (CentOS8 ships it).<br><code>[root@centos8 ~]# yum install sssd realmd adcli</code><br><code>[root@centos8 ~]# yum install oddjob oddjob-mkhomedir sssd samba-common-tools</code></li>
</ul>
<ul>
<li>Point DNS at the AD IP address.<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">[<span class="symbol">root@</span>centos8 ~]# vi /etc/resolv.conf</span><br><span class="line">nameserver <span class="number">192.168</span><span class="number">.1</span><span class="number">.20</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>DNS connectivity test<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]#<span class="built_in"> ping </span>python.com</span><br><span class="line">PING python.com (192.168.1.20) 56(84) bytes of data.</span><br><span class="line">64 bytes <span class="keyword">from</span> 192.168.1.20 (192.168.1.20): <span class="attribute">icmp_seq</span>=1 <span class="attribute">ttl</span>=128 <span class="attribute">time</span>=0.205 ms</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>DNS resolution test<figure class="highlight css"><table><tr><td class="code"><pre><span class="line"><span class="selector-attr">[root@centos8 ~]</span># <span class="selector-tag">nslookup</span></span><br><span class="line">> <span class="selector-tag">mfatest</span><span class="selector-class">.python</span><span class="selector-class">.com</span></span><br><span class="line"><span class="selector-tag">Server</span>: 192<span class="selector-class">.168</span><span class="selector-class">.1</span><span class="selector-class">.20</span></span><br><span class="line"><span class="selector-tag">Address</span>: 192<span class="selector-class">.168</span><span class="selector-class">.1</span><span class="selector-class">.20</span><span class="selector-id">#53</span></span><br><span class="line"></span><br><span class="line"><span class="selector-tag">Name</span>: <span class="selector-tag">mfatest</span><span class="selector-class">.python</span><span class="selector-class">.com</span></span><br><span class="line"><span class="selector-tag">Address</span>: 1<span class="selector-class">.1</span><span class="selector-class">.1</span><span class="selector-class">.1</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Join CentOS to the python.com domain, entering the administrator password when prompted.<figure class="highlight vim"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]# realm <span class="keyword">join</span> <span class="keyword">python</span>.<span class="keyword">com</span></span><br><span class="line">Administrator 的密码:</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>The domain information is now visible.<figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="string">[root@centos8</span> <span class="string">~]#</span> <span class="string">realm</span> <span class="string">list</span></span><br><span class="line"><span class="string">python.com</span></span><br><span class="line"> <span class="attr">type:</span> <span class="string">kerberos</span></span><br><span class="line"> <span class="attr">realm-name:</span> <span class="string">PYTHON.COM</span></span><br><span class="line"> <span class="attr">domain-name:</span> <span class="string">python.com</span></span><br><span class="line"> <span class="attr">configured:</span> <span class="string">kerberos-member</span></span><br><span class="line"> <span class="attr">server-software:</span> <span class="string">active-directory</span></span><br><span class="line"> <span class="attr">client-software:</span> <span class="string">sssd</span></span><br><span class="line"> <span class="attr">required-package:</span> <span class="string">oddjob</span></span><br><span class="line"> <span class="attr">required-package:</span> <span class="string">oddjob-mkhomedir</span></span><br><span class="line"> <span class="attr">required-package:</span> <span class="string">sssd</span></span><br><span class="line"> <span class="attr">required-package:</span> <span class="string">adcli</span></span><br><span class="line"> <span class="attr">required-package:</span> <span class="string">samba-common-tools</span></span><br><span class="line"> <span class="attr">login-formats:</span> <span class="string">%[email protected]</span></span><br><span class="line"> <span class="attr">login-policy:</span> <span class="string">allow-permitted-logins</span></span><br><span class="line"> <span class="attr">permitted-logins:</span></span><br><span class="line"> <span class="attr">permitted-groups:</span> <span class="string">vpnusers</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Confirm in AD that CentOS8 joined successfully.</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-03.png" alt="[AnyConnect-freeradius-ad-mfa]ad-03.png"></p>
<ul>
<li>Create a test user wintest in AD</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-04.png" alt="[AnyConnect-freeradius-ad-mfa]ad-04.png"></p>
<ul>
<li>Test logging in on CentOS with the AD username and password.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]# ssh -l [email protected] localhost</span><br><span class="line">The authenticity of host <span class="string">'localhost (::1)'</span> can<span class="string">'t be established.</span></span><br><span class="line"><span class="string">ECDSA key fingerprint is SHA256:JNzSM2I5llmwVPjZAmZa0n1TS9dAZJYTgB2Odpq5IWA.</span></span><br><span class="line"><span class="string">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes</span></span><br><span class="line"><span class="string">Warning: Permanently added '</span>localhost<span class="string">' (ECDSA) to the list of known hosts.</span></span><br><span class="line"><span class="string">[email protected]@localhost'</span>s password:</span><br><span class="line">Activate the web<span class="built_in"> console </span>with: systemctl <span class="builtin-name">enable</span> --now cockpit.socket</span><br><span class="line"></span><br><span class="line">[[email protected]@centos8 ~]$ exit</span><br><span class="line">注销</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Create the vpnusers group and the vpnuser user in AD</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-05.png" alt="[AnyConnect-freeradius-ad-mfa]ad-05.png"></p>
<ul>
<li>Permit users in the <code>vpnusers</code> group to authenticate on this CentOS host (<code>realm permit --all</code> would permit every domain account). This permits more than radius: it also permits ssh logins, so in production users in this group should be blocked from logging in over ssh.<br><code>[root@centos8 ~]# realm permit -g vpnusers</code></li>
</ul>
<ul>
<li>Start radius in debug mode<br><code>[root@centos8 ~]# radiusd -X</code></li>
</ul>
<ul>
<li><p>In a new terminal, test radius authentication with an AD account; authentication passes.</p>
<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">[<span class="symbol">root@</span>centos8 ~]# radtest <span class="symbol">vpnuser@</span>python.com Cisc0123 localhost <span class="number">18120</span> testing123</span><br><span class="line">Sent Access-Request Id <span class="number">16</span> <span class="keyword">from</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">38424</span> to <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">1812</span> length <span class="number">88</span></span><br><span class="line"> User-Name = <span class="string">"[email protected]"</span></span><br><span class="line"> User-Password = <span class="string">"Cisc0123"</span></span><br><span class="line"> NAS-IP-Address = <span class="number">172.20</span><span class="number">.29</span><span class="number">.110</span></span><br><span class="line"> NAS-Port = <span class="number">18120</span></span><br><span class="line"> Message-Authenticator = <span class="number">0x00</span></span><br><span class="line"> Cleartext-Password = <span class="string">"Cisc0123"</span></span><br><span class="line">Received Access-Accept Id <span class="number">16</span> <span class="keyword">from</span> <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">1812</span> to <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">38424</span> length <span class="number">20</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>Log seen in radius debug mode.</p>
<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">(2) Received Access-Request Id 16 <span class="keyword">from</span> 127.0.0.1:38424 <span class="keyword">to</span> 127.0.0.1:1812 length 88</span><br><span class="line">(2) User-Name = <span class="string">"vpnuser@python.com"</span></span><br><span class="line">(2) User-Password = <span class="string">"Cisc0123"</span></span><br><span class="line">(2) NAS-IP-Address = 172.20.29.110</span><br><span class="line">(2) NAS-Port = 18120</span><br><span class="line">(2) Message-Authenticator = 0xd2adbf7920450d47617cc1c7128e437e</span><br><span class="line">(2) # Executing section authorize <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(2) authorize {</span><br><span class="line">(2) <span class="built_in"> policy </span>filter_username {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name) -> <span class="literal">TRUE</span></span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ / /) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ / /) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {</span><br><span class="line">(2) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /\.$/) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /\.$/) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /@\./) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /@\./) -> <span class="literal">FALSE</span></span><br><span class="line">(2) } # <span class="keyword">if</span> (&User-Name) = notfound</span><br><span class="line">(2) } #<span class="built_in"> policy </span>filter_username = notfound</span><br><span class="line">(2) [preprocess] = ok</span><br><span class="line">(2) [chap] = noop</span><br><span class="line">(2) [mschap] = noop</span><br><span class="line">(2) [digest] = noop</span><br><span class="line">(2) suffix: Checking <span class="keyword">for</span> suffix after <span class="string">"@"</span></span><br><span class="line">(2) suffix: Looking up realm <span class="string">"python.com"</span> <span class="keyword">for</span> User-Name = <span class="string">"vpnuser@python.com"</span></span><br><span class="line">(2) suffix: <span class="literal">No</span> such realm <span class="string">"python.com"</span></span><br><span class="line">(2) [suffix] = noop</span><br><span class="line">(2) eap: <span class="literal">No</span> EAP-Message, <span class="keyword">not</span> doing EAP</span><br><span class="line">(2) [eap] = noop</span><br><span class="line">(2) files: users: Matched entry<span class="built_in"> DEFAULT </span>at line 69</span><br><span class="line">(2) [files] = ok</span><br><span class="line">(2) [expiration] = noop</span><br><span class="line">(2) [logintime] = noop</span><br><span class="line">(2) pap: WARNING: <span class="literal">No</span> <span class="string">"known good"</span> password found <span class="keyword">for</span> the user. <span class="keyword">Not</span> setting Auth-Type</span><br><span class="line">(2) pap: WARNING: Authentication will fail unless a <span class="string">"known good"</span> password is available</span><br><span class="line">(2) [pap] = noop</span><br><span class="line">(2) } # authorize = ok</span><br><span class="line">(2) Found Auth-Type = pam</span><br><span class="line">(2) # Executing<span class="built_in"> group </span><span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(2) authenticate {</span><br><span class="line">(2) pam: Using pamauth string <span class="string">"radiusd"</span> <span class="keyword">for</span> pam.conf lookup</span><br><span class="line">(2) pam: Authentication succeeded</span><br><span class="line">(2) [pam] = ok</span><br><span class="line">(2) } # authenticate = ok</span><br><span class="line">(2) # Executing section post-auth <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(2) post-auth {</span><br><span class="line">(2) update {</span><br><span class="line">(2) <span class="literal">No</span> attributes updated</span><br><span class="line">(2) } # update = noop</span><br><span class="line">(2) [exec] = noop</span><br><span class="line">(2) <span class="built_in"> policy </span>remove_reply_message_if_eap {</span><br><span class="line">(2) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) {</span><br><span class="line">(2) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">else</span> {</span><br><span class="line">(2) [noop] = noop</span><br><span class="line">(2) } # <span class="keyword">else</span> = noop</span><br><span class="line">(2) } #<span class="built_in"> policy </span>remove_reply_message_if_eap = noop</span><br><span class="line">(2) } # post-auth = noop</span><br><span class="line">(2) Sent Access-Accept Id 16 <span class="keyword">from</span> 127.0.0.1:1812 <span class="keyword">to</span> 127.0.0.1:38424 length 0</span><br><span class="line">(2) Finished request</span><br><span class="line">Waking up <span class="keyword">in</span> 4.9 seconds.</span><br><span class="line">(2) Cleaning up request packet ID 16 with timestamp +6169</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>To let users be recognised without the domain suffix, edit /etc/sssd/sssd.conf and change the use_fully_qualified_names line from True to False.<figure class="highlight ini"><table><tr><td class="code"><pre><span class="line"><span class="section">[root@centos8 ~]</span><span class="comment"># vi /etc/sssd/sssd.conf</span></span><br><span class="line"></span><br><span class="line"><span class="attr">use_fully_qualified_names</span> = <span class="literal">False</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Restart the sssd service and list the domain information again; compare the login format (login-formats) with the earlier output.<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]# systemctl restart sssd</span><br><span class="line"></span><br><span class="line">[root@centos8 ~]# realm list</span><br><span class="line">python.com</span><br><span class="line"> type: kerberos</span><br><span class="line"> realm-name: PYTHON.COM</span><br><span class="line"> domain-name: python.com</span><br><span class="line"> configured: kerberos-member</span><br><span class="line"> server-software: active-directory</span><br><span class="line"> client-software: sssd</span><br><span class="line"> required-package: oddjob</span><br><span class="line"> required-package: oddjob-mkhomedir</span><br><span class="line"> required-package: sssd</span><br><span class="line"> required-package: adcli</span><br><span class="line"> required-package: samba-common-tools</span><br><span class="line"> login-formats: %U</span><br><span class="line"> login-policy: allow-permitted-logins</span><br><span class="line"> permitted-logins:</span><br><span class="line"> permitted-groups: vpnusers</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>The user is now recognised without the domain suffix.<figure class="highlight gcode"><table><tr><td class="code"><pre><span class="line">[root@ce<span class="symbol">ntos8</span> ~]<span class="attr"># id vpnuser</span></span><br><span class="line"><span class="attr">uid=363201109</span><span class="comment">(vpnuser)</span> gid=<span class="number">363200513</span><span class="comment">(domain users)</span> 组=<span class="number">363200513</span><span class="comment">(domain users)</span>,<span class="number">363201108</span><span class="comment">(vpnusers)</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<hr>
<h2 id="五、安装和配置Google-Authenticator-PAM"><a href="#五、安装和配置Google-Authenticator-PAM" class="headerlink" title="五、安装和配置Google Authenticator PAM"></a>5. Installing and configuring the Google Authenticator PAM module</h2><h3 id="5-1-安装Google-Authenticator"><a href="#5-1-安装Google-Authenticator" class="headerlink" title="5.1 安装Google Authenticator"></a>5.1 Install Google Authenticator</h3><ul>
<li>Prepare the PAM build environment<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">[<span class="symbol">root@</span>centos8 ~]# yum install pam-devel make gcc-c++ git</span><br><span class="line">[<span class="symbol">root@</span>centos8 ~]# yum install <span class="built_in">auto</span>make <span class="built_in">auto</span>conf libtool</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Download the source; note that the working directory here is <code>~</code><br><code>[root@centos8 ~]# git clone https://github.com/google/google-authenticator-libpam</code></li>
</ul>
<ul>
<li>Build and install google-authenticator<figure class="highlight autoit"><table><tr><td class="code"><pre><span class="line">[root<span class="symbol">@centos8</span> ~]<span class="meta"># cd google-authenticator-libpam/</span></span><br><span class="line">[root<span class="symbol">@centos8</span> google-authenticator-libpam]<span class="meta"># ./bootstrap.sh</span></span><br><span class="line">[root<span class="symbol">@centos8</span> google-authenticator-libpam]<span class="meta"># ./configure</span></span><br><span class="line">[root<span class="symbol">@centos8</span> google-authenticator-libpam]<span class="meta"># make</span></span><br><span class="line">[root<span class="symbol">@centos8</span> google-authenticator-libpam]<span class="meta"># make install</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="5-2-账号开启双因素认证"><a href="#5-2-账号开启双因素认证" class="headerlink" title="5.2 账号开启双因素认证"></a>5.2 Enable two-factor authentication for the account</h3><ul>
<li>Switch to the AD account<br><code>[root@centos8 ~]# su - vpnuser@python.com</code></li>
</ul>
<ul>
<li>Enable two-factor authentication for the account.<figure class="highlight sql"><table><tr><td class="code"><pre><span class="line">[vpnuser@python.com@centos8 ~]$ google-authenticator</span><br><span class="line"></span><br><span class="line"><span class="keyword">Do</span> you want <span class="keyword">authentication</span> tokens <span class="keyword">to</span> be <span class="built_in">time</span>-based (y/n) y</span><br><span class="line"><span class="keyword">Warning</span>: pasting the <span class="keyword">following</span> <span class="keyword">URL</span> <span class="keyword">into</span> your browser exposes the OTP secret <span class="keyword">to</span> Google:</span><br><span class="line"> https://www.google.com/chart?chs=<span class="number">200</span>x200&chld=M|<span class="number">0</span>&cht=qr&chl=otpauth://totp/vpnuser@python.com@centos8%<span class="number">3</span>Fsecret%<span class="number">3</span>DOF2GUT37EUSG7Y2TYX57HKYRUY%<span class="number">26</span>issuer%<span class="number">3</span>Dcentos8</span><br><span class="line"><span class="keyword">Failed</span> <span class="keyword">to</span> <span class="keyword">use</span> libqrencode <span class="keyword">to</span> <span class="keyword">show</span> QR code visually <span class="keyword">for</span> scanning.</span><br><span class="line"></span><br><span class="line">If <span class="string">`libqrencode`</span> is installed, a QR code appears on screen. If your terminal cannot display it, open the link above manually (blocked in China) to view the QR code, or type the secret <span class="keyword">key</span> into the app instead of scanning. Below are <span class="number">5</span> emergency scratch codes.</span><br><span class="line">Emergency scratch codes can be used in place of a verification code when you cannot obtain one (for example, your phone is lost); each is consumed after use, though more can actually be added by hand. If the root account uses Google Authenticator, be sure to keep a separate copy of the scratch codes.</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">Consider</span> typing the OTP secret <span class="keyword">into</span> your app manually.</span><br><span class="line">Your <span class="keyword">new</span> secret <span class="keyword">key</span> <span class="keyword">is</span>: OF2GUT37EUSG7Y2TYX57HKYRUY</span><br><span class="line">Enter code <span class="keyword">from</span> app (<span class="number">-1</span> <span class="keyword">to</span> <span class="keyword">skip</span>): <span class="number">198586</span></span><br><span class="line">Code confirmed</span><br><span class="line">Your emergency scratch codes <span class="keyword">are</span>:</span><br><span class="line"> <span class="number">82763900</span></span><br><span class="line"> <span class="number">77203549</span></span><br><span class="line"> <span class="number">34651872</span></span><br><span class="line"> <span class="number">82841984</span></span><br><span class="line"> <span class="number">93446389</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">Do</span> you want me <span class="keyword">to</span> <span class="keyword">update</span> your <span class="string">"/home/vpnuser@python.com/.google_authenticator"</span> <span class="keyword">file</span>? (y/n) y</span><br><span class="line">Update the user's Google Authenticator configuration file? Choose y, otherwise the choices above do not take effect for this user; all it does is write a .google_authenticator file in the user's home directory.</span><br><span class="line">To disable Google Authenticator verification for this user, simply delete the .google_authenticator file in that user's home directory.</span><br><span class="line"></span><br><span class="line"><span class="keyword">Do</span> you want <span class="keyword">to</span> <span class="keyword">disallow</span> multiple uses <span class="keyword">of</span> the same <span class="keyword">authentication</span></span><br><span class="line">token? This restricts you <span class="keyword">to</span> one login about every <span class="number">30</span>s, but it increases</span><br><span class="line">your chances <span class="keyword">to</span> <span class="keyword">notice</span> <span class="keyword">or</span> even prevent man-<span class="keyword">in</span>-the-middle attacks (y/n) y</span><br><span class="line">Should each generated code be usable by only one login at a time? Choose y here.</span><br><span class="line"></span><br><span class="line"><span class="keyword">By</span> <span class="keyword">default</span>, a <span class="keyword">new</span> token <span class="keyword">is</span> <span class="keyword">generated</span> every <span class="number">30</span> <span class="keyword">seconds</span> <span class="keyword">by</span> the mobile app.</span><br><span class="line"><span class="keyword">In</span> <span class="keyword">order</span> <span class="keyword">to</span> compensate <span class="keyword">for</span> possible <span class="built_in">time</span>-skew <span class="keyword">between</span> the <span class="keyword">client</span> <span class="keyword">and</span> the <span class="keyword">server</span>,</span><br><span class="line">we <span class="keyword">allow</span> an extra token <span class="keyword">before</span> <span class="keyword">and</span> <span class="keyword">after</span> the <span class="keyword">current</span> time. This allows <span class="keyword">for</span> a</span><br><span class="line"><span class="built_in">time</span> skew <span class="keyword">of</span> up <span class="keyword">to</span> <span class="number">30</span> <span class="keyword">seconds</span> <span class="keyword">between</span> <span class="keyword">authentication</span> <span class="keyword">server</span> <span class="keyword">and</span> client. <span class="keyword">If</span> you</span><br><span class="line">experience problems <span class="keyword">with</span> poor <span class="built_in">time</span> synchronization, you can increase the <span class="keyword">window</span></span><br><span class="line"><span class="keyword">from</span> its <span class="keyword">default</span> <span class="keyword">size</span> <span class="keyword">of</span> <span class="number">3</span> permitted codes (one previous code, the <span class="keyword">current</span></span><br><span class="line">code, the <span class="keyword">next</span> code) <span class="keyword">to</span> <span class="number">17</span> permitted codes (the <span class="number">8</span> previous codes, the <span class="keyword">current</span></span><br><span class="line">code, <span class="keyword">and</span> the <span class="number">8</span> <span class="keyword">next</span> codes). This will permit <span class="keyword">for</span> a <span class="built_in">time</span> skew <span class="keyword">of</span> up <span class="keyword">to</span> <span class="number">4</span> <span class="keyword">minutes</span></span><br><span class="line"><span class="keyword">between</span> <span class="keyword">client</span> <span class="keyword">and</span> server.</span><br><span class="line"><span class="keyword">Do</span> you want <span class="keyword">to</span> <span class="keyword">do</span> so? (y/n) y</span><br><span class="line">Widen the tolerated time skew? Either n or y works here.</span><br><span class="line"></span><br><span class="line"><span class="keyword">If</span> the computer that you <span class="keyword">are</span> <span class="keyword">logging</span> <span class="keyword">into</span> isn<span class="string">'t hardened against brute-force</span></span><br><span class="line"><span class="string">login attempts, you can enable rate-limiting for the authentication module.</span></span><br><span class="line"><span class="string">By default, this limits attackers to no more than 3 login attempts every 30s.</span></span><br><span class="line"><span class="string">Do you want to enable rate-limiting? (y/n) y</span></span><br><span class="line"><span class="string">Enable rate limiting?</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>The interactive setup above can also be done in one go with command-line options (recommended); first check what the options mean.<figure class="highlight stata"><table><tr><td class="code"><pre><span class="line">[vpnuser@python.com@centos8 ~]<span class="variable">$</span> google-authenticator -<span class="keyword">h</span></span><br><span class="line">google-authenticator [<options>]</span><br><span class="line"> -<span class="keyword">h</span>, --<span class="keyword">help</span> <span class="keyword">Print</span> this message</span><br><span class="line"> -c, --counter-based <span class="keyword">Set</span> up counter-based (HOTP) verification</span><br><span class="line"> -C, --<span class="keyword">no</span>-<span class="keyword">confirm</span> Don't <span class="keyword">confirm</span> code. <span class="keyword">For</span> non-interactive setups</span><br><span class="line"> -t, --time-based <span class="keyword">Set</span> up time-based (TOTP) verification</span><br><span class="line"> -<span class="keyword">d</span>, --disallow-reuse Disallow reuse of previously used TOTP tokens</span><br><span class="line"> -<span class="keyword">D</span>, --allow-reuse Allow reuse of previously used TOTP tokens</span><br><span class="line"> -f, --force Write <span class="keyword">file</span> without first confirming with user</span><br><span class="line"> -<span class="keyword">l</span>, --<span class="keyword">label</span>=<<span class="keyword">label</span>> Override the default <span class="keyword">label</span> <span class="keyword">in</span> <span class="string">"otpauth://"</span> URL</span><br><span class="line"> -i, --issuer=<issuer> Override the default issuer <span class="keyword">in</span> <span class="string">"otpauth://"</span> URL</span><br><span class="line"> -q, --quiet Quiet mode</span><br><span class="line"> -Q, --qr-mode={NONE,ANSI,UTF8} QRCode output mode</span><br><span class="line"> -r, --rate-limit=<span class="keyword">N</span> Limit logins to <span class="keyword">N</span> per every <span class="keyword">M</span> seconds</span><br><span class="line"> -R, --rate-time=<span class="keyword">M</span> Limit logins to <span class="keyword">N</span> per every <span class="keyword">M</span> seconds</span><br><span class="line"> -<span class="keyword">u</span>, --<span class="keyword">no</span>-rate-limit Disable rate-limiting</span><br><span class="line"> -s, --secret=<<span class="keyword">file</span>> Specify a non-standard <span class="keyword">file</span> location</span><br><span class="line"> -S, --step-size=S <span class="keyword">Set</span> interval between <span class="keyword">token</span> refreshes</span><br><span class="line"> -w, --<span class="keyword">window</span>-size=W <span class="keyword">Set</span> <span class="keyword">window</span> of concurrently valid codes</span><br><span class="line"> -W, --minimal-<span class="keyword">window</span> Disable <span class="keyword">window</span> of concurrently valid codes</span><br><span class="line"> -<span class="keyword">e</span>, --emergency-codes=<span class="keyword">N</span> Number of emergency codes to <span class="keyword">generate</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Here Cisco_VPN is the token name label shown in the app, and vpnuser@centos8 is the host name label shown in the app.<figure class="highlight llvm"><table><tr><td class="code"><pre><span class="line">[vpnuser<span class="title">@python.com</span><span class="title">@centos8</span> ~]$ google-authenticator -t -f -d -l vpnuser<span class="title">@centos8</span> -i Cisco_VPN -r <span class="number">3</span> -R <span class="number">30</span> -W</span><br><span class="line">Warning: pasting the following URL into your browser exposes the OTP secret <span class="keyword">to</span> Google:</span><br><span class="line"> https://www.google.com/chart?chs=<span class="number">200</span><span class="keyword">x</span><span class="number">200</span>&chld=M|<span class="number">0</span>&cht=qr&chl=otpauth://totp/lql<span class="title">@centos8</span><span class="symbol">%3</span>Fsecret<span class="symbol">%3</span>DJQ<span class="number">355</span>PSUBG<span class="number">52</span>KJBUMDJVBSMDLU<span class="symbol">%26</span>issuer<span class="symbol">%3</span>DLQL.ME</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="5-3-修改pam配置文件,并测试AD账号加动态码登录radius。"><a href="#5-3-修改pam配置文件,并测试AD账号加动态码登录radius。" class="headerlink" title="5.3 修改pam配置文件,并测试AD账号加动态码登录radius。"></a>5.3 Edit the PAM configuration and test RADIUS login with an AD account plus a one-time code</h3><ul>
<li>Find the directory containing <code>pam_google_authenticator.so</code><figure class="highlight awk"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]<span class="comment"># find / -name pam_google_authenticator.so</span></span><br><span class="line"><span class="regexp">/usr/</span>local<span class="regexp">/lib/</span>security<span class="regexp">/pam_google_authenticator.so</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Edit <code>/etc/pam.d/radiusd</code> so that FreeRADIUS authenticates users with the local Unix password plus the Google Authenticator code.<figure class="highlight crystal"><table><tr><td class="code"><pre><span class="line">[root@centos8 ~]<span class="comment"># vi /etc/pam.d/radiusd</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#%PAM-1.0</span></span><br><span class="line"><span class="comment">#auth include password-auth</span></span><br><span class="line"><span class="comment">#account required pam_nologin.so</span></span><br><span class="line"><span class="comment">#account include password-auth</span></span><br><span class="line"><span class="comment">#password include password-auth</span></span><br><span class="line"><span class="comment">#session include password-auth</span></span><br><span class="line"></span><br><span class="line">auth requisite /usr/local/<span class="class"><span class="keyword">lib</span>/<span class="title">security</span>/<span class="title">pam_google_authenticator</span>.<span class="title">so</span> <span class="title">forward_pass</span></span></span><br><span class="line">auth required pam_sss.so use_first_pass</span><br><span class="line">account required pam_nologin.so</span><br><span class="line">account <span class="keyword">include</span> password-auth</span><br><span class="line">session <span class="keyword">include</span> password-auth</span><br></pre></td></tr></table></figure>
</li>
</ul>
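<p>An added example, not code from this post or from google-authenticator-libpam: a Python model of the checks the setup above configures (RFC 6238 time-based codes, the 3-code window, disallow-reuse, 3 attempts per 30 s) and of the <code>forward_pass</code> split that <code>pam_google_authenticator</code> performs before <code>pam_sss</code> receives the remaining password via <code>use_first_pass</code>. The base32 secret used is the RFC 6238 test key, not the one printed above, and the verifier state is held in memory rather than in <code>~/.google_authenticator</code>.</p>

```python
"""Model of pam_google_authenticator's verification for the options chosen
above: TOTP (-t), window of 3 codes (default; -W shrinks it to 1),
disallow-reuse (-d), rate limit 3 per 30 s (-r 3 -R 30), and forward_pass.
Added example; simplified relative to the real module."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # token refresh interval (-S default)
CODE_DIGITS = 6     # TOTP code length; emergency scratch codes are 8 digits


def totp_at(secret_b32: str, counter: int, digits: int = CODE_DIGITS) -> str:
    """TOTP for one time step: HMAC-SHA1 over the big-endian step counter,
    dynamic truncation, then the low `digits` decimal digits (RFC 4226/6238).
    The secret is base32 as printed by google-authenticator."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side state corresponding to what the module keeps in the user's
    .google_authenticator file: accepted time steps and recent attempts."""

    def __init__(self, secret_b32: str, window_size: int = 3,
                 disallow_reuse: bool = True, rate_limit: int = 3,
                 rate_time: int = 30):
        self.secret = secret_b32
        self.window_size = window_size      # 3 -> steps -1..+1, 17 -> -8..+8
        self.disallow_reuse = disallow_reuse
        self.rate_limit = rate_limit
        self.rate_time = rate_time
        self.used_steps: set[int] = set()   # DISALLOW_REUSE list
        self.attempts: list[int] = []       # RATE_LIMIT attempt timestamps

    def verify(self, code: str, now: int) -> tuple[bool, str]:
        """Return (accepted, reason). The rate limit is applied before the
        code is checked, so a locked-out client cannot probe for valid codes."""
        self.attempts = [t for t in self.attempts if now - t < self.rate_time]
        if len(self.attempts) >= self.rate_limit:
            return False, "rate-limited"
        self.attempts.append(now)

        if len(code) != CODE_DIGITS or not code.isdigit():
            return False, "bad-code"
        center = now // STEP_SECONDS
        half = self.window_size // 2
        for step in range(center - half, center + half + 1):
            # constant-time compare: the expected code is secret-derived
            if hmac.compare_digest(totp_at(self.secret, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False, "reused"
                self.used_steps.add(step)
                return True, "ok"
        return False, "bad-code"


def split_forward_pass(authtok: str):
    """forward_pass: the trailing CODE_DIGITS characters of the User-Password
    the RADIUS client sent are the OTP; the rest is forwarded as the password
    that pam_sss consumes with use_first_pass. Returns None when the token
    cannot be split (nothing left for a password, or no digits at the end)."""
    if len(authtok) <= CODE_DIGITS or not authtok[-CODE_DIGITS:].isdigit():
        return None
    return authtok[:-CODE_DIGITS], authtok[-CODE_DIGITS:]


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890"
    # in base32, not a secret from the post.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    verifier = TotpVerifier(secret)
    now = int(time.time())
    authtok = "Cisc0123" + totp_at(secret, now // STEP_SECONDS)
    password, otp = split_forward_pass(authtok)
    print("password handed to pam_sss:", password)
    print("first use:", verifier.verify(otp, now))    # (True, 'ok')
    print("replayed:", verifier.verify(otp, now))     # (False, 'reused')
```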
<ul>
<li>Start radiusd in debug mode<br><code>[root@centos8 ~]# radiusd -X</code></li>
</ul>
<ul>
<li>In a new window, test RADIUS authentication with the domain account; the password here is made up of <strong>password + one-time code</strong>.<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">[<span class="symbol">root@</span>centos8 ~]# radtest <span class="symbol">vpnuser@</span>python.com Cisc0123072009 localhost <span class="number">18120</span> testing123</span><br><span class="line">Sent Access-Request Id <span class="number">119</span> <span class="keyword">from</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">49063</span> to <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">1812</span> length <span class="number">88</span></span><br><span class="line"> User-Name = <span class="string">"vpnuser@python.com"</span></span><br><span class="line"> User-Password = <span class="string">"Cisc0123072009"</span></span><br><span class="line"> NAS-IP-Address = <span class="number">172.20</span><span class="number">.29</span><span class="number">.110</span></span><br><span class="line"> NAS-Port = <span class="number">18120</span></span><br><span class="line"> Message-Authenticator = <span class="number">0x00</span></span><br><span class="line"> Cleartext-Password = <span class="string">"Cisc0123072009"</span></span><br><span class="line">Received Access-Accept Id <span class="number">119</span> <span class="keyword">from</span> <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">1812</span> to <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">49063</span> length <span class="number">20</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Debug log of the AD + one-time code test<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">(3) Received Access-Request Id 119 <span class="keyword">from</span> 127.0.0.1:49063 <span class="keyword">to</span> 127.0.0.1:1812 length 88</span><br><span class="line">(3) User-Name = <span class="string">"vpnuser@python.com"</span></span><br><span class="line">(3) User-Password = <span class="string">"Cisc0123072009"</span></span><br><span class="line">(3) NAS-IP-Address = 172.20.29.110</span><br><span class="line">(3) NAS-Port = 18120</span><br><span class="line">(3) Message-Authenticator = 0x457cc852a7cb00f054b1cc168f75998e</span><br><span class="line">(3) # Executing section authorize <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(3) authorize {</span><br><span class="line">(3) <span class="built_in"> policy </span>filter_username {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name) -> <span class="literal">TRUE</span></span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ / /) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ / /) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {</span><br><span class="line">(3) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /\.$/) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /\.$/) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /@\./) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /@\./) -> <span class="literal">FALSE</span></span><br><span class="line">(3) } # <span class="keyword">if</span> (&User-Name) = notfound</span><br><span class="line">(3) } #<span class="built_in"> policy </span>filter_username = notfound</span><br><span class="line">(3) [preprocess] = ok</span><br><span class="line">(3) [chap] = noop</span><br><span class="line">(3) [mschap] = noop</span><br><span class="line">(3) [digest] = noop</span><br><span class="line">(3) suffix: Checking <span class="keyword">for</span> suffix after <span class="string">"@"</span></span><br><span class="line">(3) suffix: Looking up realm <span class="string">"python.com"</span> <span class="keyword">for</span> User-Name = <span class="string">"vpnuser@python.com"</span></span><br><span class="line">(3) suffix: <span class="literal">No</span> such realm <span class="string">"python.com"</span></span><br><span class="line">(3) [suffix] = noop</span><br><span class="line">(3) eap: <span class="literal">No</span> EAP-Message, <span class="keyword">not</span> doing EAP</span><br><span class="line">(3) [eap] = noop</span><br><span class="line">(3) files: users: Matched entry<span class="built_in"> DEFAULT </span>at line 69</span><br><span class="line">(3) [files] = ok</span><br><span class="line">(3) [expiration] = noop</span><br><span class="line">(3) [logintime] = noop</span><br><span class="line">(3) pap: WARNING: <span class="literal">No</span> <span class="string">"known good"</span> password found <span class="keyword">for</span> the user. <span class="keyword">Not</span> setting Auth-Type</span><br><span class="line">(3) pap: WARNING: Authentication will fail unless a <span class="string">"known good"</span> password is available</span><br><span class="line">(3) [pap] = noop</span><br><span class="line">(3) } # authorize = ok</span><br><span class="line">(3) Found Auth-Type = pam</span><br><span class="line">(3) # Executing<span class="built_in"> group </span><span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(3) authenticate {</span><br><span class="line">(3) pam: Using pamauth string <span class="string">"radiusd"</span> <span class="keyword">for</span> pam.conf lookup</span><br><span class="line">(3) pam: Authentication succeeded</span><br><span class="line">(3) [pam] = ok</span><br><span class="line">(3) } # authenticate = ok</span><br><span class="line">(3) # Executing section post-auth <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(3) post-auth {</span><br><span class="line">(3) update {</span><br><span class="line">(3) <span class="literal">No</span> attributes updated</span><br><span class="line">(3) } # update = noop</span><br><span class="line">(3) [exec] = noop</span><br><span class="line">(3) <span class="built_in"> policy </span>remove_reply_message_if_eap {</span><br><span class="line">(3) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) {</span><br><span class="line">(3) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">else</span> {</span><br><span class="line">(3) [noop] = noop</span><br><span class="line">(3) } # <span class="keyword">else</span> = noop</span><br><span class="line">(3) } #<span class="built_in"> policy </span>remove_reply_message_if_eap = noop</span><br><span class="line">(3) } # post-auth = noop</span><br><span class="line">(3) Sent Access-Accept Id 119 <span class="keyword">from</span> 127.0.0.1:1812 <span class="keyword">to</span> 127.0.0.1:49063 length 0</span><br><span class="line">(3) Finished request</span><br><span class="line">Waking up <span class="keyword">in</span> 4.9 seconds.</span><br><span class="line">(3) Cleaning up request packet ID 119 with timestamp +6972</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br></pre></td></tr></table></figure>
</li>
</ul>
<hr>
<h2 id="六、ASAv-AnyConnect-配置"><a href="#六、ASAv-AnyConnect-配置" class="headerlink" title="六、ASAv AnyConnect 配置"></a>6. ASAv AnyConnect configuration</h2><h3 id="6-1-ASAv初始化配置"><a href="#6-1-ASAv初始化配置" class="headerlink" title="6.1 ASAv初始化配置"></a>6.1 ASAv initial configuration</h3><ul>
<li>ASAv interface initialisation; here I manage the firewall over SSH through the mgmt interface.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">interface Management0/0</span><br><span class="line"> nameif mgmt</span><br><span class="line"> security-level 0</span><br><span class="line"><span class="built_in"> ip address </span>192.168.100.100 255.255.255.0</span><br><span class="line"></span><br><span class="line">ssh 0.0.0.0 0.0.0.0 mgmt</span><br><span class="line"></span><br><span class="line">interface GigabitEthernet0/0</span><br><span class="line"> nameif outside</span><br><span class="line"> security-level 0</span><br><span class="line"><span class="built_in"> ip address </span>202.100.1.254 255.255.255.0</span><br><span class="line">!</span><br><span class="line">interface GigabitEthernet0/1</span><br><span class="line"> nameif inside</span><br><span class="line"> security-level 100</span><br><span class="line"><span class="built_in"> ip address </span>192.168.1.254 255.255.255.0</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="6-2-ASAv上传AnyConnect镜像"><a href="#6-2-ASAv上传AnyConnect镜像" class="headerlink" title="6.2 Uploading the AnyConnect image to the ASAv"></a>6.2 Uploading the AnyConnect image to the ASAv</h3><ul>
<li>Enable the HTTP server and create a local admin account so that ASDM can connect.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">http<span class="built_in"> server </span><span class="builtin-name">enable</span> 8000</span><br><span class="line">http 0 0 mgmt</span><br><span class="line">aaa authentication http<span class="built_in"> console </span>LOCAL</span><br><span class="line">username admin password cisco privilege 15</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Upload the AnyConnect image to the ASAv's local flash through ASDM.</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-01.png" alt="[AnyConnect-freeradius-ad-mfa]asdm-01"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-02.png" alt="[AnyConnect-freeradius-ad-mfa]asdm-02"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-03.png" alt="[AnyConnect-freeradius-ad-mfa]asdm-03"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-04.png" alt="[AnyConnect-freeradius-ad-mfa]asdm-04"></p>
<ul>
<li>Confirm that the AnyConnect package was uploaded successfully<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">MFA-ASAv# dir</span><br><span class="line">Directory of disk0:/</span><br><span class="line"><span class="number">94</span> -rwx <span class="number">41077110</span> <span class="number">08</span>:<span class="number">07</span>:<span class="number">22</span> Mar <span class="number">05</span> <span class="number">2020</span> anyconnect-win<span class="number">-4.6</span><span class="number">.00362</span>-webdeploy-k9.pkg</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="6-3-Cisco-ASAv-AnyConnect本地认证配置。"><a href="#6-3-Cisco-ASAv-AnyConnect本地认证配置。" class="headerlink" title="6.3 Cisco ASAv AnyConnect local authentication configuration"></a>6.3 Cisco ASAv AnyConnect local authentication configuration</h3><ul>
<li><p>First configure local authentication for AnyConnect; once the local login test passes, the authentication traffic is redirected to FreeRADIUS for two-factor authentication.</p>
<figure class="highlight properties"><table><tr><td class="code"><pre><span class="line"><span class="attr">username</span> <span class="string">ssluser password cisco</span></span><br><span class="line"></span><br><span class="line"><span class="attr">webvpn</span></span><br><span class="line"> <span class="attr">enable</span> <span class="string">outside</span></span><br><span class="line"> <span class="attr">anyconnect</span> <span class="string">image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 1</span></span><br><span class="line"> <span class="attr">anyconnect</span> <span class="string">enable</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>Split tunnelling is enabled here.</p>
<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">access-list anyconnect_split standard permit 192.168.1.0 255.255.255.0</span><br><span class="line">access-list anyconnect_filter_acl extended permit<span class="built_in"> ip </span>any 192.168.1.0 255.255.255.0</span><br><span class="line"></span><br><span class="line">ip local<span class="built_in"> pool </span>sslvpn_pool 192.168.50.100-192.168.50.200</span><br><span class="line"></span><br><span class="line">group-policy anyconnect_group_policy internal</span><br><span class="line">group-policy anyconnect_group_policy attributes</span><br><span class="line"> vpn-filter value anyconnect_filter_acl</span><br><span class="line"> vpn-tunnel-protocol ssl-client ssl-clientless</span><br><span class="line"> split-tunnel-policy tunnelspecified</span><br><span class="line"> split-tunnel-network-list value anyconnect_split</span><br><span class="line"> address-pools value sslvpn_pool</span><br><span class="line"> webvpn</span><br><span class="line"> anyconnect profiles value anyconnect_profile<span class="built_in"> type </span>user</span><br><span class="line"></span><br><span class="line">username ssluser attributes</span><br><span class="line"> vpn-group-policy anyconnect_group_policy</span><br></pre></td></tr></table></figure>
</li>
<li><p>By default AnyConnect does not allow logging in from an RDP session, and my management machine is accessed over RDP. The AnyConnect profile therefore has to be modified so that RDP users can log in normally.</p>
</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-rdp-01.png" alt="[AnyConnect-freeradius-ad-mfa]rdp-01"></p>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-rdp-02.png" alt="[AnyConnect-freeradius-ad-mfa]rdp-02"></p>
<ul>
<li>After configuring the profile in ASDM, confirm from the CLI that the profile is referenced.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">group-policy anyconnect_group_policy attributes</span><br><span class="line"> webvpn</span><br><span class="line"> anyconnect profiles value anyconnect_profile<span class="built_in"> type </span>user</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="6-4-AnyConnect本地账号登录测试"><a href="#6-4-AnyConnect本地账号登录测试" class="headerlink" title="6.4 AnyConnect login test with a local account"></a>6.4 AnyConnect login test with a local account</h3><p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-01.png" alt="[AnyConnect-freeradius-ad-mfa]login-01"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-02.png" alt="[AnyConnect-freeradius-ad-mfa]login-02"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-03.png" alt="[AnyConnect-freeradius-ad-mfa]login-03"></p>
<h3 id="6-5-freeradius配置和测试"><a href="#6-5-freeradius配置和测试" class="headerlink" title="6.5 FreeRADIUS configuration and testing"></a>6.5 FreeRADIUS configuration and testing</h3><ul>
<li>Configure the AAA server to point at FreeRADIUS.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">aaa-server freeradius protocol radius</span><br><span class="line">aaa-server freeradius (inside) host 192.168.1.10</span><br><span class="line"> key cisco</span><br><span class="line"> authentication-port 1812</span><br><span class="line"></span><br><span class="line">tunnel-group DefaultWEBVPNGroup general-attributes</span><br><span class="line"> authentication-server-group freeradius</span><br><span class="line"> default-group-policy anyconnect_group_policy</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Test the RADIUS server from the ASAv with an AD account. Because the SSSD configuration file was modified earlier, it makes no difference whether the <code>python.com</code> domain is appended to the username here.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">MFA-ASAv# test aaa-server authentication freeradius host 192.168.1.10 username vpnuser password Cisc0123187977</span><br><span class="line">INFO: Attempting Authentication test <span class="keyword">to</span><span class="built_in"> IP address </span><192.168.1.10> (timeout: 12 seconds)</span><br><span class="line">INFO: Authentication Successful</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>Log seen with RADIUS running in debug mode<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">Listening on acct<span class="built_in"> address </span>::<span class="built_in"> port </span>1813 bound <span class="keyword">to</span><span class="built_in"> server </span>default</span><br><span class="line">Listening on auth<span class="built_in"> address </span>127.0.0.1<span class="built_in"> port </span>18120 bound <span class="keyword">to</span><span class="built_in"> server </span>inner-tunnel</span><br><span class="line">Listening on<span class="built_in"> proxy address </span>*<span class="built_in"> port </span>54915</span><br><span class="line">Listening on<span class="built_in"> proxy address </span>::<span class="built_in"> port </span>45190</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br><span class="line">(0) Received Access-Request Id 4 <span class="keyword">from</span> 192.168.1.254:30861 <span class="keyword">to</span> 192.168.1.10:1812 length 86</span><br><span class="line">(0) User-Name = <span class="string">"vpnuser"</span></span><br><span class="line">(0) User-Password = <span class="string">"Cisc0123187977"</span></span><br><span class="line">(0) NAS-IP-Address = 192.168.1.254</span><br><span class="line">(0) NAS-Port = 4</span><br><span class="line">(0) NAS-Port-Type = Virtual</span><br><span class="line">(0) Cisco-AVPair = <span class="string">"coa-push=true"</span></span><br><span class="line">(0) # Executing section authorize <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) authorize {</span><br><span class="line">(0) <span class="built_in"> policy </span>filter_username {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) -> <span class="literal">TRUE</span></span><br><span class="line">(0) <span class="keyword">if</span> 
(&User-Name) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ / /) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ / /) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {</span><br><span class="line">(0) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.$/) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.$/) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@\./) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@\./) -> <span class="literal">FALSE</span></span><br><span class="line">(0) } # <span class="keyword">if</span> (&User-Name) = notfound</span><br><span class="line">(0) } #<span class="built_in"> policy </span>filter_username = notfound</span><br><span class="line">(0) [preprocess] = ok</span><br><span class="line">(0) [chap] = noop</span><br><span class="line">(0) [mschap] = noop</span><br><span class="line">(0) [digest] = noop</span><br><span class="line">(0) suffix: Checking <span class="keyword">for</span> suffix after <span class="string">"@"</span></span><br><span class="line">(0) suffix: <span class="literal">No</span> <span class="string">'@'</span> 
<span class="keyword">in</span> User-Name = <span class="string">"vpnuser"</span>, looking up realm <span class="literal">NULL</span></span><br><span class="line">(0) suffix: <span class="literal">No</span> such realm <span class="string">"NULL"</span></span><br><span class="line">(0) [suffix] = noop</span><br><span class="line">(0) eap: <span class="literal">No</span> EAP-Message, <span class="keyword">not</span> doing EAP</span><br><span class="line">(0) [eap] = noop</span><br><span class="line">(0) files: users: Matched entry<span class="built_in"> DEFAULT </span>at line 69</span><br><span class="line">(0) [files] = ok</span><br><span class="line">(0) [expiration] = noop</span><br><span class="line">(0) [logintime] = noop</span><br><span class="line">(0) pap: WARNING: <span class="literal">No</span> <span class="string">"known good"</span> password found <span class="keyword">for</span> the user. <span class="keyword">Not</span> setting Auth-Type</span><br><span class="line">(0) pap: WARNING: Authentication will fail unless a <span class="string">"known good"</span> password is available</span><br><span class="line">(0) [pap] = noop</span><br><span class="line">(0) } # authorize = ok</span><br><span class="line">(0) Found Auth-Type = pam</span><br><span class="line">(0) # Executing<span class="built_in"> group </span><span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) authenticate {</span><br><span class="line">(0) pam: Using pamauth string <span class="string">"radiusd"</span> <span class="keyword">for</span> pam.conf lookup</span><br><span class="line">(0) pam: Authentication succeeded</span><br><span class="line">(0) [pam] = ok</span><br><span class="line">(0) } # authenticate = ok</span><br><span class="line">(0) # Executing section post-auth <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) post-auth {</span><br><span class="line">(0) update 
{</span><br><span class="line">(0) <span class="literal">No</span> attributes updated</span><br><span class="line">(0) } # update = noop</span><br><span class="line">(0) [exec] = noop</span><br><span class="line">(0) <span class="built_in"> policy </span>remove_reply_message_if_eap {</span><br><span class="line">(0) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) {</span><br><span class="line">(0) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">else</span> {</span><br><span class="line">(0) [noop] = noop</span><br><span class="line">(0) } # <span class="keyword">else</span> = noop</span><br><span class="line">(0) } #<span class="built_in"> policy </span>remove_reply_message_if_eap = noop</span><br><span class="line">(0) } # post-auth = noop</span><br><span class="line">(0) Sent Access-Accept Id 4 <span class="keyword">from</span> 192.168.1.10:1812 <span class="keyword">to</span> 192.168.1.254:30861 length 0</span><br><span class="line">(0) Finished request</span><br><span class="line">Waking up <span class="keyword">in</span> 4.9 seconds.</span><br><span class="line">(0) Cleaning up request packet ID 4 with timestamp +11</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br></pre></td></tr></table></figure>
</li>
</ul>
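<p>The debug output above can print <code>User-Password</code> in the clear because a PAP password is only hidden on the wire with MD5 of the shared secret and the Request Authenticator (RFC 2865 section 5.2), so the <code>key cisco</code> in the aaa-server configuration is all that protects it between the ASAv and FreeRADIUS. The following is an added example, not code from the post or from FreeRADIUS; it uses the page's shared secret and test password, and the Request Authenticator is a constructed value (a real NAS picks 16 random bytes per request).</p>

```python
"""RFC 2865 User-Password hiding between a NAS (the ASAv) and a RADIUS server.

Added example; not code from the post or from FreeRADIUS. The shared secret
"cisco" and the password "Cisc0123187977" come from the page; the Request
Authenticator is constructed for the demo.
"""
import hashlib

BLOCK = 16  # MD5 digest size; the password is processed in 16-byte blocks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a PAP password the way the NAS puts it into User-Password.

    The password is null-padded to a multiple of 16 bytes, then each block is
    XORed with MD5(secret + previous ciphertext block); for the first block the
    Request Authenticator stands in for the "previous" block.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does before it can hand the
    password to PAM or print it in -X debug output."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block  # chaining uses the ciphertext block, not the plaintext
    return bytes(out).rstrip(b"\x00")


def demo() -> dict:
    """Round-trip the page's test password with the page's shared secret."""
    secret = b"cisco"                 # from 'aaa-server freeradius ... key cisco'
    authenticator = bytes(range(16))  # constructed; real ones are random per request
    password = b"Cisc0123187977"      # password used in the page's test aaa-server run
    hidden = hide_password(password, secret, authenticator)
    return {
        "hidden_len": len(hidden),
        "recovered": reveal_password(hidden, secret, authenticator),
        # a wrong secret does not error out, it just yields garbage
        "wrong_secret": reveal_password(hidden, b"wrong", authenticator),
    }


if __name__ == "__main__":
    print(demo())
```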
<ul>
<li><p>If <code>radiusd -X</code> fails to start with the error below, it is usually because the radiusd service is already running and has taken port 1812.</p>
<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">Failed binding <span class="keyword">to</span> auth<span class="built_in"> address </span>*<span class="built_in"> port </span>1812 bound <span class="keyword">to</span><span class="built_in"> server </span>default:<span class="built_in"> Address </span>already <span class="keyword">in</span> use</span><br><span class="line">/etc/raddb/sites-enabled/default[59]: <span class="builtin-name">Error</span> binding <span class="keyword">to</span><span class="built_in"> port </span><span class="keyword">for</span> 0.0.0.0<span class="built_in"> port </span>1812</span><br></pre></td></tr></table></figure>
</li>
<li><p>Check which processes hold UDP ports.</p>
<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">[<span class="symbol">root@</span>centos8 ~]# ss -ulnp</span><br><span class="line">State Recv-Q Send-Q Local Address:Port Peer Address:Port</span><br><span class="line">UNCONN <span class="number">0</span> <span class="number">0</span> <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">18120</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:* users:((<span class="string">"radiusd"</span>,pid=<span class="number">15068</span>,fd=<span class="number">14</span>))</span><br><span class="line">UNCONN <span class="number">0</span> <span class="number">0</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">1812</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:* users:((<span class="string">"radiusd"</span>,pid=<span class="number">15068</span>,fd=<span class="number">10</span>))</span><br><span class="line">UNCONN <span class="number">0</span> <span class="number">0</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">1813</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:* users:((<span class="string">"radiusd"</span>,pid=<span class="number">15068</span>,fd=<span class="number">11</span>))</span><br></pre></td></tr></table></figure>
</li>
<li><p>All radiusd processes can be terminated with the <code>pkill</code> command.<br><code>[root@centos8 ~]# pkill radiusd</code></p>
</li>
</ul>
<h3 id="6-6-使用-AD账号-动态码-登录AnyConnect"><a href="#6-6-使用-AD账号-动态码-登录AnyConnect" class="headerlink" title="6.6 Logging in to AnyConnect with AD account + one-time code"></a>6.6 Logging in to AnyConnect with AD account + one-time code</h3><ul>
<li>When entering the password in AnyConnect, type the AD password first, followed immediately by the 6-digit one-time code. For example, if the password is <code>Cisc0123</code> and the code is <code>914714</code>, the password field should contain <code>Cisc0123914714</code>.</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-01.png" alt="[AnyConnect-freeradius-ad-mfa]login-01"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-ad.png" alt="[AnyConnect-freeradius-ad-mfa]login-ad"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-03.png" alt="[AnyConnect-freeradius-ad-mfa]login-03"></p>
<ul>
<li>One-time code</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-code.png" alt="[AnyConnect-freeradius-ad-mfa]code"></p>
<ul>
<li>RADIUS debug log for the AnyConnect login.<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">(4) Received Access-Request Id 8 <span class="keyword">from</span> 192.168.1.254:30861 <span class="keyword">to</span> 192.168.1.10:1812 length 666</span><br><span class="line">(4) User-Name = <span class="string">"vpnuser"</span></span><br><span class="line">(4) User-Password = <span class="string">"Cisc0123914714"</span></span><br><span class="line">(4) NAS-Port = 32768</span><br><span class="line">(4) Called-Station-Id = <span class="string">"202.100.1.254"</span></span><br><span class="line">(4) Calling-Station-Id = <span class="string">"202.100.1.10"</span></span><br><span class="line">(4) NAS-Port-Type = Virtual</span><br><span class="line">(4) Tunnel-Client-Endpoint:0 = <span class="string">"202.100.1.10"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-platform=win"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-mac=00-50-56-8e-14-a9"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-mac=00-50-56-8e-8a-ac"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-mac=00-50-56-8e-93-54"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-type=VMware, Inc. 
VMware7,1"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-platform-version=10.0.18362 "</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.00362"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-uid=D7237D73128E45F4F2706858D0F4AC09129E5131839298ACB03D3999125B5FC1"</span></span><br><span class="line">(4) NAS-IP-Address = 192.168.1.254</span><br><span class="line">(4) Cisco-AVPair = <span class="string">"audit-session-id=c0a801fe000080005e60c235"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"ip:source-ip=202.100.1.10"</span></span><br><span class="line">(4) ASA-TunnelGroupName = <span class="string">"DefaultWEBVPNGroup"</span></span><br><span class="line">(4) ASA-ClientType = AnyConnect-Client-SSL-VPN</span><br><span class="line">(4) Cisco-AVPair = <span class="string">"coa-push=true"</span></span><br><span class="line">(4) # Executing section authorize <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(4) authorize {</span><br><span class="line">(4) <span class="built_in"> policy </span>filter_username {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name) -> <span class="literal">TRUE</span></span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ / /) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ / /) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) -> <span class="literal">FALSE</span></span><br><span 
class="line">(4) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {</span><br><span class="line">(4) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /\.$/) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /\.$/) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /@\./) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /@\./) -> <span class="literal">FALSE</span></span><br><span class="line">(4) } # <span class="keyword">if</span> (&User-Name) = notfound</span><br><span class="line">(4) } #<span class="built_in"> policy </span>filter_username = notfound</span><br><span class="line">(4) [preprocess] = ok</span><br><span class="line">(4) [chap] = noop</span><br><span class="line">(4) [mschap] = noop</span><br><span class="line">(4) [digest] = noop</span><br><span class="line">(4) suffix: Checking <span class="keyword">for</span> suffix after <span class="string">"@"</span></span><br><span class="line">(4) suffix: <span class="literal">No</span> <span class="string">'@'</span> <span class="keyword">in</span> User-Name = <span class="string">"vpnuser"</span>, looking up realm <span class="literal">NULL</span></span><br><span class="line">(4) suffix: <span class="literal">No</span> such realm <span class="string">"NULL"</span></span><br><span class="line">(4) [suffix] = noop</span><br><span class="line">(4) eap: <span class="literal">No</span> EAP-Message, <span class="keyword">not</span> doing EAP</span><br><span class="line">(4) 
[eap] = noop</span><br><span class="line">(4) files: users: Matched entry<span class="built_in"> DEFAULT </span>at line 69</span><br><span class="line">(4) [files] = ok</span><br><span class="line">(4) [expiration] = noop</span><br><span class="line">(4) [logintime] = noop</span><br><span class="line">(4) pap: WARNING: <span class="literal">No</span> <span class="string">"known good"</span> password found <span class="keyword">for</span> the user. <span class="keyword">Not</span> setting Auth-Type</span><br><span class="line">(4) pap: WARNING: Authentication will fail unless a <span class="string">"known good"</span> password is available</span><br><span class="line">(4) [pap] = noop</span><br><span class="line">(4) } # authorize = ok</span><br><span class="line">(4) Found Auth-Type = pam</span><br><span class="line">(4) # Executing<span class="built_in"> group </span><span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(4) authenticate {</span><br><span class="line">(4) pam: Using pamauth string <span class="string">"radiusd"</span> <span class="keyword">for</span> pam.conf lookup</span><br><span class="line">(4) pam: Authentication succeeded</span><br><span class="line">(4) [pam] = ok</span><br><span class="line">(4) } # authenticate = ok</span><br><span class="line">(4) # Executing section post-auth <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(4) post-auth {</span><br><span class="line">(4) update {</span><br><span class="line">(4) <span class="literal">No</span> attributes updated</span><br><span class="line">(4) } # update = noop</span><br><span class="line">(4) [exec] = noop</span><br><span class="line">(4) <span class="built_in"> policy </span>remove_reply_message_if_eap {</span><br><span class="line">(4) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) {</span><br><span class="line">(4) <span class="keyword">if</span> 
(&reply:EAP-Message && &reply:Reply-Message) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">else</span> {</span><br><span class="line">(4) [noop] = noop</span><br><span class="line">(4) } # <span class="keyword">else</span> = noop</span><br><span class="line">(4) } #<span class="built_in"> policy </span>remove_reply_message_if_eap = noop</span><br><span class="line">(4) } # post-auth = noop</span><br><span class="line">(4) Sent Access-Accept Id 8 <span class="keyword">from</span> 192.168.1.10:1812 <span class="keyword">to</span> 192.168.1.254:30861 length 0</span><br><span class="line">(4) Finished request</span><br><span class="line">Waking up <span class="keyword">in</span> 4.9 seconds.</span><br><span class="line">(4) Cleaning up request packet ID 8 with timestamp +608</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br></pre></td></tr></table></figure>
</li>
</ul>
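<p>The password the ASAv forwards is the concatenation shown in the log (<code>Cisc0123914714</code>): the server side has to peel off the last six digits as the TOTP and pass the remainder on as the AD password, which is what pam_google_authenticator's <code>forward_pass</code> handling does. The block below is an added example, not code from the post or from pam_google_authenticator; it implements RFC 4226/6238 HOTP/TOTP directly (HMAC-SHA1, 30-second step, as Google Authenticator uses), uses the RFC 6238 test key as the Base32 secret, and takes an <code>ad_check</code> callable as a stand-in for the SSSD/AD lookup.</p>

```python
"""Verify an "AD password + 6-digit code" string as entered in AnyConnect.

Added example, not code from the post or from pam_google_authenticator.
The Base32 secret is the RFC 6238 test key; ad_check is a stand-in for the
real SSSD/AD password check.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional, Tuple

OTP_DIGITS = 6   # Google Authenticator codes are 6 digits
TOTP_STEP = 30   # seconds per TOTP step (RFC 6238 default)

# RFC 6238 reference secret, i.e. Base32 of the ASCII bytes "12345678901234567890"
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    secret = secret_b32.strip().upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret_b32, at // step)


def split_password(combined: str, digits: int = OTP_DIGITS) -> Optional[Tuple[str, str]]:
    """'Cisc0123914714' -> ('Cisc0123', '914714'); None when no code is attached
    (too short, or the tail is not all digits)."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify(combined: str, secret_b32: str, ad_check: Callable[[str], bool],
           now: Optional[int] = None, window: int = 1) -> bool:
    """Accept only if the static part passes ad_check AND the code matches the
    current TOTP step or one step either side (tolerates small clock skew).
    Both factors are evaluated; a failure of either rejects the login."""
    parts = split_password(combined)
    if parts is None:
        return False
    static, code = parts
    if not ad_check(static):
        return False
    counter = (int(time.time()) if now is None else now) // TOTP_STEP
    # compare_digest keeps the code comparison constant-time
    return any(hmac.compare_digest(code, hotp(secret_b32, counter + d))
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # constructed demo: the page's static password with a freshly computed code
    ad = lambda pw: pw == "Cisc0123"
    entered = "Cisc0123" + totp(RFC_SECRET, int(time.time()))
    print(entered, verify(entered, RFC_SECRET, ad))
```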
]]></content>
<categories>
<category>Cisco VPN</category>
</categories>
<tags>
<tag>Cisco ASAv</tag>
<tag>AnyConnect</tag>
<tag>FreeRADIUS</tag>
<tag>Google Authenticator</tag>
</tags>
</entry>
<entry>
<title>WLC HA upgrade steps</title>
<url>/WLC-HA-%E5%8D%87%E7%BA%A7%E6%AD%A5%E9%AA%A4.html</url>
<content><![CDATA[<blockquote>
<p>This post walks through upgrading the system image and the AP images on a Cisco WLC 5520 running in HA mode.</p>
</blockquote>
<h2 id="上传升级镜像"><a href="#上传升级镜像" class="headerlink" title="Uploading the upgrade image"></a>Uploading the upgrade image</h2><p>Upload the image to the WLC over FTP</p>
<p><img src="../images/blog/wlc-upgrade/wlc-upload-ios.png" alt="Uploading the image to the WLC over FTP"></p>
<h2 id="查看镜像上传成功"><a href="#查看镜像上传成功" class="headerlink" title="Verifying the image upload"></a>Verifying the image upload</h2><figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">(Cisco Controller) >show boot</span><br><span class="line">Primary Boot Image<span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span>. 8.5.151.0 (default)</span><br><span class="line">Backup Boot Image<span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span> 8.5.140.0 (active)</span><br></pre></td></tr></table></figure>
<h2 id="查看AP当前运行版本"><a href="#查看AP当前运行版本" class="headerlink" title="Checking the current AP image version"></a>Checking the current AP image version</h2><figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">(Cisco Controller) >show ap image all</span><br><span class="line"></span><br><span class="line">Total number of APs<span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span> 69</span><br><span class="line">Number of APs</span><br><span class="line"> Initiated<span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span>. 
0</span><br><span class="line"> Downloading<span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span>. 0</span><br><span class="line"> Predownloading<span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span> 0</span><br><span class="line"> Completed predownloading<span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span> 0</span><br><span class="line"> <span class="keyword">Not</span> Supported<span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span 
class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span>. 0</span><br><span class="line"> Failed <span class="keyword">to</span> Predownload<span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span><span class="built_in">..</span>. 0</span><br><span class="line"></span><br><span class="line"> Predownload Predownload Flexconnect</span><br><span class="line">AP Name Primary Image Backup Image Status Version Next Retry Time Retry Count Predownload</span><br><span class="line">------------------ -------------- -------------- --------------- -------------- ---------------- ------------ --------------</span><br><span class="line">pekidg-ap31-301 8.5.140.0 8.2.166.0 None None NA NA</span><br><span class="line">pekidg-ap22-608 8.5.140.0 8.2.166.0 None None NA NA</span><br><span class="line">pekidg-ap29-302 8.5.140.0 8.2.166.0 None None NA NA</span><br><span class="line">pekidg-ap04-N135 8.5.140.0 8.2.166.0 None None NA NA</span><br><span class="line">pekidg-ap10-302 8.5.140.0 8.2.166.0 None None NA NA</span><br><span class="line">pekidg-ap18-S062 8.5.140.0 8.2.166.0 None None NA NA</span><br><span class="line">pekidg-ap12-301 8.5.140.0 8.2.166.0 None None NA NA</span><br><span class="line">pekidg-ap02-707 8.5.140.0 8.2.166.0 None None NA NA</span><br><span class="line">pekidg-ap30-301 8.5.140.0 8.2.166.0 None None NA NA</span><br></pre></td></tr></table></figure>
<h2 id="推送新镜像到AP"><a href="#推送新镜像到AP" class="headerlink" title="Push the new image to the APs"></a>Push the new image to the APs</h2><figure class="highlight arduino"><table><tr><td class="code"><pre><span class="line">(Cisco Controller) >config ap image predownload primary all</span><br></pre></td></tr></table></figure>
<h2 id="查看推送过程"><a href="#查看推送过程" class="headerlink" title="Check the push progress"></a>Check the push progress</h2><figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">(Cisco Controller) >show ap image all</span><br><span class="line"></span><br><span class="line">Total number of APs.............................. 69</span><br><span class="line">Number of APs</span><br><span class="line">  Initiated....................................... 0</span><br><span class="line">  Downloading..................................... 0</span><br><span class="line">  Predownloading.................................. 69</span><br><span class="line">  Completed predownloading........................ 0</span><br><span class="line">  Not Supported................................... 0</span><br><span class="line">  Failed to Predownload........................... 0</span><br><span class="line"></span><br><span class="line">                                                 Predownload     Predownload                                  Flexconnect</span><br><span class="line">AP Name            Primary Image  Backup Image   Status          Version        Next Retry Time  Retry Count  Predownload</span><br><span class="line">------------------ -------------- -------------- --------------- -------------- ---------------- ------------ --------------</span><br><span class="line">pekidg-ap31-301    8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0</span><br><span class="line">pekidg-ap22-608    8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0</span><br><span class="line">pekidg-ap29-302    8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0</span><br><span class="line">pekidg-ap04-N135   8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0</span><br><span class="line">pekidg-ap10-302    8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0</span><br><span class="line">pekidg-ap18-S062   8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0</span><br><span class="line">pekidg-ap12-301    8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0</span><br><span class="line">pekidg-ap02-707    8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0</span><br><span class="line">pekidg-ap30-301    8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0</span><br><span class="line">pekidg-ap20-S038   8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0</span><br></pre></td></tr></table></figure>
<h2 id="推送成功"><a href="#推送成功" class="headerlink" title="Push completed"></a>Push completed</h2><figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">(Cisco Controller) >show ap image all</span><br><span class="line"></span><br><span class="line">Total number of APs.............................. 69</span><br><span class="line">Number of APs</span><br><span class="line">  Initiated....................................... 0</span><br><span class="line">  Downloading..................................... 0</span><br><span class="line">  Predownloading.................................. 1</span><br><span class="line">  Completed predownloading........................ 68</span><br><span class="line">  Not Supported................................... 0</span><br><span class="line">  Failed to Predownload........................... 0</span><br><span class="line"></span><br><span class="line">                                                 Predownload     Predownload                                  Flexconnect</span><br><span class="line">AP Name            Primary Image  Backup Image   Status          Version        Next Retry Time  Retry Count  Predownload</span><br><span class="line">------------------ -------------- -------------- --------------- -------------- ---------------- ------------ --------------</span><br><span class="line">pekidg-ap31-301    8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA</span><br><span class="line">pekidg-ap22-608    8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA</span><br><span class="line">pekidg-ap29-302    8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA</span><br><span class="line">pekidg-ap04-N135   8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA</span><br><span class="line">pekidg-ap10-302    8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA</span><br><span class="line">pekidg-ap18-S062   8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA</span><br><span class="line">pekidg-ap12-301    8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA</span><br><span class="line">pekidg-ap02-707    8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA</span><br><span class="line">pekidg-ap30-301    8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA</span><br><span class="line">pekidg-ap20-S038   8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA</span><br></pre></td></tr></table></figure>
<h2 id="确认WLC-HA-状态正常"><a href="#确认WLC-HA-状态正常" class="headerlink" title="Confirm the WLC HA state is healthy"></a>Confirm the WLC HA state is healthy</h2><figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">(Cisco Controller) >show redundancy summary</span><br><span class="line">  Redundancy Mode = SSO ENABLED</span><br><span class="line">  Local State = ACTIVE</span><br><span class="line">  Peer State = STANDBY HOT</span><br><span class="line">  Unit = Primary</span><br><span class="line">  Unit ID = 28:AC:9E:DF:93:D1</span><br><span class="line">  Redundancy State = SSO</span><br><span class="line">  Mobility MAC = 28:AC:9E:DF:93:D1</span><br><span class="line">  Redundancy Port = UP</span><br><span class="line">  BulkSync Status = Complete</span><br><span class="line">Average Redundancy Peer Reachability Latency = 102 Micro Seconds</span><br><span class="line">Average Management Gateway Reachability Latency = 863 Micro Seconds</span><br></pre></td></tr></table></figure>
<h2 id="重启WLC"><a href="#重启WLC" class="headerlink" title="Reboot the WLC"></a>Reboot the WLC</h2><p>Scheduling the reset for 00:01:10 later fails: the controller rejects the period as too short. Before scheduling any reset, confirm that <code>Completed predownloading</code> equals the total AP count (the capture above still shows 68 of 69 APs complete and 1 AP in Predownloading) and that the HA pair reports ACTIVE / STANDBY HOT with BulkSync Complete.</p>
<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">(Cisco Controller) >reset system both in 00:01:10 image swap reset-aps save-config</span><br><span class="line">Time period is too short.</span><br></pre></td></tr></table></figure>
<p>The recommended delay is 00:02:01. <code>both</code> reboots both WLCs of the HA pair, <code>image swap</code> makes the transferred image the active boot image before the reset, <code>reset-aps</code> reboots the APs so they come up on the predownloaded image, and <code>save-config</code> writes the running configuration first. (It can happen that after the reboot the APs are already running the new image while the WLC is still on the old one; in that case simply run the command below once more to reboot the WLC.)</p>
<figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">(Cisco Controller) >reset system both in 00:02:01 image swap reset-aps save-config</span><br><span class="line"></span><br><span class="line">System reset is scheduled for Nov 07 00:00:14 2019.</span><br><span class="line">Current local time and date is Nov 06 23:58:13 2019.</span><br><span class="line">Trap will not be generated as total delay is less than the trap time.</span><br><span class="line">Active boot image will be changed before the reset.</span><br><span class="line">Use 'reset system cancel' to cancel the reset.</span><br><span class="line">The system has unsaved changes.</span><br><span class="line">Configuration will be saved before the system reset.</span><br></pre></td></tr></table></figure>
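<p>Added example, not code from the original post: a Python preflight check that parses pasted <code>show ap image all</code> and <code>show redundancy summary</code> output and lists every reason not to schedule <code>reset system both ... image swap reset-aps</code> yet: predownload not complete on every AP, failed or unsupported APs, a backup partition that does not hold the target version, or an HA pair that is not ACTIVE / STANDBY HOT with BulkSync Complete. The function names and the trimmed sample captures are mine, modelled on the post's own output; the AP names are the post's.</p>

```python
"""Go/no-go check before `reset system both in HH:MM:SS image swap reset-aps save-config`.
Added example, not from the original post. Parses pasted `show ap image all` and
`show redundancy summary` text; function names and the sample captures are constructed."""
import re
from dataclasses import dataclass

# "  Completed predownloading........................ 68"  ->  ("Completed predownloading", 68)
COUNTER_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\.{2,}\s*(?P<value>\d+)\s*$")
# "pekidg-ap31-301  8.5.140.0  8.5.151.0  Complete  8.5.151.0  NA  NA"; the header and the
# dashed separator never match because column 2 must look like x.y.z.w
AP_ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<primary>\d+(?:\.\d+){3})\s+(?P<backup>\d+(?:\.\d+){3})"
    r"\s+(?P<status>\S+)\s+(?P<version>\S+)")


@dataclass
class ApImage:
    name: str
    primary: str   # image the AP is running
    backup: str    # image in the AP's backup partition (the target once predownload is Complete)
    status: str    # Predownload Status column: None / Predownloading / Complete
    version: str   # Predownload Version column


def parse_show_ap_image(text: str):
    """Return (counters, aps) from `show ap image all` output."""
    counters, aps = {}, []
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("key").strip()] = int(m.group("value"))
            continue
        m = AP_ROW_RE.match(line)
        if m:
            aps.append(ApImage(*m.group("name", "primary", "backup", "status", "version")))
    return counters, aps


def parse_redundancy_summary(text: str) -> dict:
    """Return the 'key = value' fields of `show redundancy summary`."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def reboot_preflight(ap_image_text: str, redundancy_text: str, target: str) -> list:
    """Reasons not to schedule the reset yet; an empty list means go."""
    counters, aps = parse_show_ap_image(ap_image_text)
    ha = parse_redundancy_summary(redundancy_text)
    problems = []
    total = counters.get("Total number of APs", 0)
    done = counters.get("Completed predownloading", 0)
    if total == 0 or done != total:
        problems.append(f"predownload incomplete: {done}/{total} APs complete")
    for key in ("Failed to Predownload", "Not Supported"):
        if counters.get(key, 0):
            problems.append(f"{counters[key]} AP(s) {key.lower()}")
    # `image swap` only helps if every AP's backup partition already holds the target.
    stale = [ap.name for ap in aps if ap.status != "Complete" or ap.backup != target]
    if stale:
        problems.append(f"APs without {target} as backup image: {', '.join(stale)}")
    # `reset system both` reboots both units; only do that from a healthy SSO pair.
    expected = {"Redundancy Mode": "SSO ENABLED", "Local State": "ACTIVE",
                "Peer State": "STANDBY HOT", "BulkSync Status": "Complete"}
    for key, want in expected.items():
        if ha.get(key) != want:
            problems.append(f"HA: {key} is {ha.get(key)!r}, expected {want!r}")
    return problems


# Constructed sample: three APs from the post's table, counters adjusted to match.
AP_IMAGE_READY = """\
Total number of APs.............................. 3
Number of APs
  Initiated....................................... 0
  Downloading..................................... 0
  Predownloading.................................. 0
  Completed predownloading........................ 3
  Not Supported................................... 0
  Failed to Predownload........................... 0

                                                 Predownload     Predownload                                  Flexconnect
AP Name            Primary Image  Backup Image   Status          Version        Next Retry Time  Retry Count  Predownload
------------------ -------------- -------------- --------------- -------------- ---------------- ------------ --------------
pekidg-ap31-301    8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA
pekidg-ap22-608    8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA
pekidg-ap29-302    8.5.140.0      8.5.151.0      Complete        8.5.151.0      NA               NA
"""
# Same fleet a little earlier: one AP still pulling the image (the post's own "completed"
# capture likewise shows 68 of 69 complete with one AP still Predownloading).
AP_IMAGE_NOT_READY = re.sub(
    r"pekidg-ap29-302 .*",
    "pekidg-ap29-302    8.5.140.0      8.2.166.0      Predownloading  8.5.151.0      NA               0",
    re.sub(r"(Completed predownloading\.+) 3", r"\1 2",
           re.sub(r"(  Predownloading\.+) 0", r"\1 1", AP_IMAGE_READY)))
REDUNDANCY_OK = """\
  Redundancy Mode = SSO ENABLED
  Local State = ACTIVE
  Peer State = STANDBY HOT
  Unit = Primary
  Redundancy State = SSO
  Redundancy Port = UP
  BulkSync Status = Complete
"""

if __name__ == "__main__":
    print(reboot_preflight(AP_IMAGE_READY, REDUNDANCY_OK, "8.5.151.0"))      # []
    print(reboot_preflight(AP_IMAGE_NOT_READY, REDUNDANCY_OK, "8.5.151.0"))  # two problems
```

<p>Paste the two show outputs into the strings (or read them from files) and run; an empty list means it is safe to schedule the reset. The check is deliberately strict about the per-AP backup image: a counter total can hide an AP whose backup partition still holds the old release, and <code>reset-aps</code> would then boot it on the wrong image.</p>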
]]></content>
<categories>
<category>Cisco</category>
</categories>
<tags>
<tag>Cisco WLC</tag>
</tags>
</entry>
<entry>
<title>markdown</title>
<url>/markdown.html</url>
<content><![CDATA[<blockquote>
<p>markdown syntax test</p>
</blockquote>
<h1 id="一级标题"><a href="#一级标题" class="headerlink" title="Level 1 heading"></a>Level 1 heading</h1><h2 id="二级标题"><a href="#二级标题" class="headerlink" title="Level 2 heading"></a>Level 2 heading</h2><h3 id="三级标题"><a href="#三级标题" class="headerlink" title="Level 3 heading"></a>Level 3 heading</h3><h4 id="四级标题"><a href="#四级标题" class="headerlink" title="Level 4 heading"></a>Level 4 heading</h4><h5 id="五级标题"><a href="#五级标题" class="headerlink" title="Level 5 heading"></a>Level 5 heading</h5><h6 id="六级标题"><a href="#六级标题" class="headerlink" title="Level 6 heading"></a>Level 6 heading</h6><p><strong>Yinxiang Biji (印象笔记)</strong></p>
<blockquote>
<p>Recently, Yinxiang Biji announced that it has completed its restructuring. As the brand under which Evernote has operated independently in China for nearly six years, Yinxiang Biji will become an independently operated Sino-US joint venture controlled by the Chinese side, and has received a first-round investment of several hundred million RMB from the Sequoia Broadband Cross-Border Digital Industry Fund (红杉宽带跨境数字产业基金).</p>
</blockquote>
<p><a href="https://www.yinxiang.com/" target="_blank" rel="noopener">Yinxiang Biji official website</a></p>
<p>How do you quickly save content with the iOS version of Yinxiang Biji?</p>
<ol>
<li>Enable the Yinxiang Biji widget: Yinxiang Biji · Clipboard</li>
<li>Copy and paste any content<ul>
<li>WeChat</li>
</ul>
</li>
<li>Swipe to the widget area and the save is done<br>What are the features of Yinxiang Biji · Clipboard?</li>
</ol>
<ul>
<li>Fast: in automatic mode, anything placed on the clipboard is saved automatically</li>
<li>Everything: anything that can be copied and pasted can be saved</li>
<li>Organized: everything goes into the "My Clipboard" notebook, with notes named by time</li>
</ul>
<p>Three frogs</p>
<ul>
<li><input checked="" disabled="" type="checkbox"> First frog</li>
<li><input disabled="" type="checkbox"> Second frog</li>
<li><input disabled="" type="checkbox"> Third frog</li>
</ul>
<table>
<thead>
<tr>
<th>Account type</th>
<th>Free account</th>
<th>Standard account</th>
<th>Premium account</th>
</tr>
</thead>
<tbody><tr>
<td>Monthly upload quota</td>
<td>60M</td>
<td>1GB</td>
<td>10GB</td>
</tr>
<tr>
<td>Number of devices</td>
<td>2</td>
<td>Unlimited</td>
<td>Unlimited</td>
</tr>
<tr>
<td>Current price</td>
<td>Free</td>
<td>¥8.17/month</td>
<td>¥12.33/month</td>
</tr>
</tbody></table>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">,Budget,Income,Expense,Debt</span><br><span class="line">June,5000,8000,4000,6000</span><br><span class="line">July,3000,1000,4000,3000</span><br><span class="line">Aug,5000,7000,6000,3000</span><br><span class="line">Sep,7000,2000,3000,1000</span><br><span class="line">Oct,6000,5000,4000,2000</span><br><span class="line">Nov,4000,3000,5000,</span><br><span class="line"></span><br><span class="line">type: pie</span><br><span class="line">title: Monthly earnings</span><br><span class="line">x.title: Amount</span><br><span class="line">y.title: Month</span><br><span class="line">y.suffix: $</span><br></pre></td></tr></table></figure>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">#!/usr/bin/env python3</span><br><span class="line">import re</span><br><span class="line"></span><br><span class="line">line = "Cats are smarter than dogs"</span><br><span class="line"></span><br><span class="line"># group(1) is everything before " are ", group(2) the first word after it</span><br><span class="line">matchObj = re.match(r'(.*) are (.*?) .*', line, re.M | re.I)</span><br><span class="line"></span><br><span class="line">if matchObj:</span><br><span class="line">    print("matchObj.group() : ", matchObj.group())    # whole match</span><br><span class="line">    print("matchObj.group(1) : ", matchObj.group(1))  # 'Cats'</span><br><span class="line">    print("matchObj.group(2) : ", matchObj.group(2))  # 'smarter'</span><br><span class="line">else:</span><br><span class="line">    print("No match!!")</span><br><span class="line"></span><br><span class="line">list1 = ['aaa', 111, (4, 5), 2.01]</span><br><span class="line">list2 = ['bbb', 333, 111, 3.14, (4, 5)]</span><br><span class="line"></span><br><span class="line"># membership test across lists: 111 and (4, 5) appear in both</span><br><span class="line">for x in list1:</span><br><span class="line">    if x in list2:</span><br><span class="line">        print(x, 'in list1 and list2')</span><br><span class="line">    else:</span><br><span class="line">        print(x, 'only in list1')</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">e^{i\pi} + 1 = 0</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">graph TD</span><br><span class="line">A[Module A] -->|A1| B(Module B)</span><br><span class="line">B --> C{Condition C}</span><br><span class="line">C -->|case C1| D[Module D]</span><br><span class="line">C -->|case C2| E[Module E]</span><br><span class="line">C -->|case C3| F[Module F]</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">sequenceDiagram</span><br><span class="line">A->>B: Did you receive the message?</span><br><span class="line">B-->>A: Message received</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">gantt</span><br><span class="line">title Gantt chart</span><br><span class="line">dateFormat YYYY-MM-DD</span><br><span class="line">section Project A</span><br><span class="line">Task 1 :a1, 2018-06-06, 30d</span><br><span class="line">Task 2 :after a1 , 20d</span><br><span class="line">section Project B</span><br><span class="line">Task 3 :2018-06-12 , 12d</span><br><span class="line">Task 4 : 24d</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>markdown</category>
</categories>
<tags>
<tag>markdown</tag>
</tags>
</entry>
</search>