tests: added check for radius accounting with certificates

Nikos Mavrogiannopoulos
2015-05-04 10:31:25 +02:00
parent 71bb8f2866
commit 9df499e376
6 changed files with 76 additions and 4 deletions


@@ -28,6 +28,7 @@ RUN mkdir /etc/ocserv
ADD key.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
ADD radiusclient.conf /etc/radiusclient/
ADD radius-clients.conf /etc/freeradius/clients.conf
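Review bot: The second `ADD cert.pem /etc/ocserv/` in this section looks like it was meant to be `ADD ca.pem /etc/ocserv/`, which is what the other Dockerfile section in this commit adds at the same position. As shown, this image never receives `/etc/ocserv/ca.pem`, while ocserv-radius.conf now sets `ca-cert = /etc/ocserv/ca.pem`, so the server in this image would have no CA file for verifying client certificates and the certificate test would likely fail. The rendered page has lost the +/- markers, so confirm against the raw diff that the duplicate is the added line.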


@@ -26,6 +26,7 @@ RUN mkdir /etc/ocserv
ADD key.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD ca.pem /etc/ocserv/
ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
ADD radiusclient.conf /etc/radiusclient/
ADD radius-clients.conf /etc/raddb/clients.conf


@@ -2,7 +2,7 @@ EXTRA_DIST = passwd ocserv.conf Dockerfile-debian-tcp dev-tun.tgz myscript key.p
Dockerfile-debian-unix ocserv-unix.conf haproxy.cfg combo.pem Dockerfile-fedora-unix \
Dockerfile-fedora-tcp freeradius-users Dockerfile-debian-radius Dockerfile-fedora-radius \
freeradius-users ocserv-radius.conf radiusclient.conf radius-clients.conf \
radiusclient-servers pam-ocserv ocserv-pam.conf
radiusclient-servers pam-ocserv ocserv-pam.conf ca.pem
TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
top_builddir="$(top_builddir)"


@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -5,6 +5,7 @@
#auth = "plain[/etc/ocserv/passwd]"
#auth = "pam"
auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas=ocserv1]"
enable-auth = "certificate"
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
@@ -97,19 +98,19 @@ server-key = /etc/ocserv/key.pem
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
ca-cert = /etc/ocserv/ca.pem
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
#crl = /path/to/crl.pem
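Review bot: The new `enable-auth = "certificate"` line has no comment saying that it accepts a certificate as an alternative to the RADIUS `auth` line rather than as a second factor, so any client holding a certificate issued under `ca.pem` connects without RADIUS credentials. I would add above it `# test only: a client certificate is accepted instead of radius credentials; accounting is still expected to go to radius`. `crl` stays commented out, so nothing in this file rejects a revoked client certificate; that is fine for a throwaway test CA but deserves a one-line comment in case the file is reused as a template.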


@@ -202,7 +202,56 @@ if test -z "$DISC";then
stop
fi
# do the same with a certificate - test radius accounting with certificate auth
echo "Trying with certificate"
$DOCKER exec test_ocserv_radius truncate --size=0 /var/log/radius/radacct/127.0.0.1/$FILE
$OPENCONNECT $IP:$PORT_OCSERV --sslkey ./user-key.pem -c ./user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 &
PID=$!
ping -w 5 192.168.55.1
if test $? != 0;then
kill $PID
echo "Cannot ping ocserv"
stop
fi
sleep 4
echo "Waiting for accounting report"
sleep 60
FILE=`$DOCKER exec test_ocserv_radius ls /var/log/radius/radacct/127.0.0.1/`
kill -INT $PID
sleep 10
$DOCKER exec test_ocserv_radius cat "/var/log/radius/radacct/127.0.0.1/$FILE" >out$TMP
cat out$TMP
OCTETS=`cat out$TMP|grep Acct-Input-Octets|tail -1|sed 's/Acct-Input-Octets = //g'`
if test -z "$OCTETS" || test "$OCTETS" = 0;then
echo "Interim update showed no data!"
stop
fi
DISC=`cat out$TMP|grep "Acct-Status-Type = Start"|tail -1`
if test -z "$DISC";then
cat out$TMP
echo "No connect status was detected!"
stop
fi
DISC=`cat out$TMP|grep "Acct-Terminate-Cause = User-Request"|tail -1`
if test -z "$DISC";then
cat out$TMP
echo "No disconnect was detected!"
stop
fi
$DOCKER stop test_ocserv_radius
$DOCKER rm test_ocserv_radius
rm -f out$TMP
exit $ret
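Review bot: The `truncate` that opens the certificate run is unchecked, and if it fails the accounting file presumably still holds the records from the preceding password run, so the `Acct-Input-Octets`, `Acct-Status-Type = Start` and `Acct-Terminate-Cause = User-Request` greps below would pass on stale data. Fail the test at that point instead, e.g. `$DOCKER exec test_ocserv_radius truncate --size=0 "/var/log/radius/radacct/127.0.0.1/$FILE" || stop`. The run would also prove more if one check asserted that the record's `User-Name` is the identity read from the client certificate through `cert-user-oid`, since nothing currently ties the accounting record to the certificate session. `$FILE`, `$TMP` and `stop` are defined outside this hunk, so their behaviour is assumed from how the hunk uses them.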