Инструменты пользователя

Инструменты сайта


сервис_freeradius

Сервис FreeRADIUS

Инсталляция сервера

!!! Ставится 2-3 минуты !!!

Debian 9

root@server:~# apt install freeradius

root@server:~# cd /etc/freeradius/3.0/

Debian/Ubuntu

root@server:~# apt install freeradius

root@server:~# cd /etc/freeradius/

CentOS/SL

[root@server ~]# yum install freeradius2

[root@server ~]# yum install freeradius-utils

[root@server ~]# cd /etc/raddb/

FreeBSD

[server:~] # pkg install freeradius3

[server:~] # sysrc radiusd_enable=YES

[server:~] # cd /usr/local/etc/raddb/

Windows

Настройка сервера

Настройка c использованием текстовых файлов

server# cat sites-available/default
authorize {
...
#	unix
	files
accounting {
...
	radutmp
...
session {
...
	radutmp
...
server# cat clients.conf
...
client gate.corpX.un {
        secret          = testing123
        shortname       = gate
}

client switch {
       secret          = testing123
       shortname       = switch
}
server# cat mods-available/radutmp
...
check_with_nas = no
...
server# :> users

server# cat users
user1 Cleartext-Password := "rpassword1"
#     Framed-IP-Address = 192.168.100+X.101

user2 Cleartext-Password := "rpassword2", Simultaneous-Use := 1
#     Framed-IP-Address = 192.168.100+X.102,
#     Service-Type = NAS-Prompt-User,
#     cisco-avpair = "shell:priv-lvl=15"

401 Cleartext-Password := "401", Simultaneous-Use := 1

402 Cleartext-Password := "402", Simultaneous-Use := 1

403 Cleartext-Password := "403", Simultaneous-Use := 2

Настройка с использованием mysql

# apt install freeradius-mysql

mysql> CREATE DATABASE radius;
mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";

# mysql radius < /etc/freeradius/sql/mysql/schema.sql

# cat radiusd.conf
...
        $INCLUDE sql.conf
...
# cat sql.conf
...
        database = "mysql"
...
# cat sites-available/default
...
authorize {
...
	sql
...
accounting {
...
	sql
...
mysql> insert into radcheck (username, attribute, value, op) values ("401", "Cleartext-Password", "401", ":=");

mysql> select acctsessionid, username, acctstarttime, acctstoptime, callingstationid, calledstationid from radacct;

Запуск сервера

Debian/Ubuntu

root@server:~# service freeradius restart

FreeBSD

[server:~] # service radiusd start

Windows

C:\FreeRADIUS.net>start_radiusd_debug.bat

Тестирование сервера

  • !!! Не привилегированному пользователю может понадобиться находиться в группе freeradius
# apt install freeradius-utils

$ radtest user1 rpassword1 127.0.0.1 0 testing123

$ echo "User-Name=401,User-Password=401,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123

$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Start,NAS-IP-Address=127.0.0.1,NAS-Port=401402"| radclient localhost acct testing123

# radwho -R

$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Stop,NAS-IP-Address=127.0.0.1,NAS-Port=401402"| radclient localhost acct testing123

Учет ресурсов потребляемых пользователями

server# tail -f /var/log/radacct/192.168.X.1/detail-XXXXX

server# fetch http://www.pgregg.com/projects/radiusreport/radiusreport-0.3b6.tar
  или
server# wget http://www.pgregg.com/projects/radiusreport/radiusreport-0.3b6.tar

server# cd /usr/local
server# tar -xvf /root/radiusreport-0.3b6.tar

server# /usr/local/radiusreport-0.3b6/radiusreport -tba -l user1 -f /var/log/radacct/192.168.X.1/detail-XXXXX

Использование proxy

root@proxy:~# cat /etc/freeradius/proxy.conf
...
realm NULL {
       authhost        = radius1.corpX.un:1812
       authhost        = radius1.corpX.un:1812
       secret          = testing123
}

realm isp.un {
       authhost        = radius.isp.un:1812
       authhost        = radius.isp.un:1812
       secret          = testing123
}

realm DEFAULT {
       authhost        = radius2.corpX.un:1812
       authhost        = radius2.corpX.un:1812
       secret          = testing123
}

EAP

freeradius2# cat eap.conf

freeradius3# cat mods-available/eap
...
               default_eap_type = peap
...
freeradius2# cat modules/mschap

freeradius3# cat mods-available/mschap
freeradius3# cat mods-available/preprocess
...
       use_mppe = yes
...
       require_encryption = yes
...
       require_strong = yes
...
       with_ntdomain_hack = yes
...

Дополнительные материалы

root@valtest:~ # rcsdiff /usr/local/etc/raddb/eap.conf
diff -r1.1 /usr/local/etc/raddb/eap.conf
5c5
< ##    $Id: eap.conf,v 1.1 2014/07/29 14:09:57 root Exp $
---
> ##    $Id: eap.conf,v 1.2 2014/07/30 14:26:59 root Exp root $
30c30,31
<               default_eap_type = md5
---
>               #default_eap_type = md5
>               default_eap_type = peap
158,159c159,161
<                       private_key_password = whatever
<                       private_key_file = ${certdir}/server.pem
---
>               #       private_key_password = whatever
>               #       private_key_file = ${certdir}/server.pem
>                       private_key_file = ${certdir}/bmstu.ru.clkey
171c173,174
<                       certificate_file = ${certdir}/server.pem
---
>       #               certificate_file = ${certdir}/server.pem
>                       certificate_file = ${certdir}/bmstu.ru.crt
188c191,192
<                       CA_file = ${cadir}/ca.pem
---
> #                     CA_file = ${cadir}/ca.pem
>                       CA_file = ${cadir}/int.geotrust.crt
сервис_freeradius.txt · Последние изменения: 2018/05/03 11:42 — val