Differences

This shows you the differences between two versions of the page.

--- сервис_freeradius [2020/04/23 16:51]
val [Настройка c использованием текстовых файлов]
+++ сервис_freeradius [2026/02/28 10:00] (current)
val [EAP]
@@ Line 5: / Line 5: @@
 !!! Ставится 2-3 минуты !!!
-==== Debian 9, 10 ====
-<code>
-root@server:~# apt install freeradius
-root@server:~# cd /etc/freeradius/3.0/
-</code>
 ==== Debian/Ubuntu ====
 <code>
 root@server:~# apt install freeradius
-root@server:~# cd /etc/freeradius/
 </code>
@@ Line 25: / Line 16: @@
 [root@server ~]# yum install freeradius-utils
-[root@server ~]# cd /etc/raddb/
+[root@server ~]# ls /etc/raddb/
 </code>
-==== FreeBSD ====
-<code>
-[server:~] # pkg install freeradius3
-[server:~] # sysrc radiusd_enable=YES
-[server:~] # cd /usr/local/etc/raddb/
-</code>
-==== Windows ====
-  * [[http://freeradius.net/]]
-  * [[http://val.bmstu.ru/unix/billing/FreeRADIUS.net-1.1.7-r0.0.2.exe]]
 ===== Настройка сервера =====
@@ Line 47: / Line 27: @@
 <code>
-server# cat clients.conf
+server# cat /etc/freeradius/3.0/clients.conf
 </code><code>
 ...
@@ Line 59: / Line 39: @@
        shortname       = switch
 }
+#client switch1 { secret = testing123 }
+#client switch2 { secret = testing123 }
+#client switch3 { secret = testing123 }
 </code><code>
-server# :> users
+server# :> /etc/freeradius/3.0/users
-server# cat users
+server# cat /etc/freeradius/3.0/users
 </code><code>
 user1 Cleartext-Password := "rpassword1"
@@ Line 74: / Line 58: @@
 student Cleartext-Password := "password"
- Cleartext-Password := "401", Simultaneous-Use := 1
+## for ansible
+#root Cleartext-Password := "cisco"
-Cleartext-Password := "402", Simultaneous-Use := 1
+#     Service-Type = NAS-Prompt-User,
+#     cisco-avpair = "shell:priv-lvl=15"
-Cleartext-Password := "403", Simultaneous-Use := 2
 </code><code>
-server# cat radiusd.conf
+server# cat /etc/freeradius/3.0/radiusd.conf
 </code><code>
 ...
@@ Line 89: / Line 71: @@
 ...
 </code><code>
-server# cat sites-available/default
+server# cat /etc/freeradius/3.0/sites-available/default
 </code><code>
 authorize {
@@ Line 104: / Line 86: @@
 ...
 </code><code>
-server# cat mods-available/radutmp
+server# cat /etc/freeradius/3.0/mods-available/radutmp
 </code><code>
 ...
@@ Line 111: / Line 93: @@
 </code>
-==== Настройка с использованием mysql ====
-  * [[https://wiki.freeradius.org/guide/SQL-HOWTO|guide/SQL HOWTO]]
-  * [[https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu|guide/SQL HOWTO for freeradius 3.x on Debian Ubuntu]]
-<code>
-# apt install freeradius-mysql
-mysql> CREATE DATABASE radius;
-mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
-# mysql radius < /etc/freeradius/sql/mysql/schema.sql
-# cat radiusd.conf
-</code><code>
-...
-        $INCLUDE sql.conf
-...
-</code><code>
-# cat sql.conf
-</code><code>
-...
-        database = "mysql"
-...
-</code><code>
-# cat sites-available/default
-</code><code>
-...
-authorize {
-...
-	sql
-...
-accounting {
-...
-	sql
-...
-</code><code>
-mysql> insert into radcheck (username, attribute, value, op) values ("401", "Cleartext-Password", "401", ":=");
-mysql> select acctsessionid, username, acctstarttime, acctstoptime, callingstationid, calledstationid from radacct;
-</code>
 ===== Запуск сервера =====
 ==== Debian/Ubuntu ====
 <code>
+root@server:~# ###systemctl enable freeradius
 root@server:~# service freeradius restart
-</code>
-==== FreeBSD ====
-<code>
-[server:~] # service radiusd start
-</code>
-==== Windows ====
-<code>
-C:\FreeRADIUS.net>start_radiusd_debug.bat
 </code>
@@ Line 180: / Line 111: @@
 $ radtest user1 rpassword1 127.0.0.1 0 testing123
+$ radtest root cisco 127.0.0.1 0 testing123
-$ echo "User-Name=401,User-Password=401,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123
+$ echo "User-Name=student,User-Password=password,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123
-$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Start,NAS-IP-Address=127.0.0.1,NAS-Port=401402"| radclient localhost acct testing123
+# tail -f /var/log/freeradius/radius.log
-# radwho -R
-$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Stop,NAS-IP-Address=127.0.0.1,NAS-Port=401402"| radclient localhost acct testing123
 </code>
@@ Line 207: / Line 135: @@
 </code>
-===== Использование proxy =====
+===== EAP =====
-<code>
-root@proxy:~# cat /etc/freeradius/proxy.conf
-</code><code>
-...
-realm NULL {
-       authhost        = radius1.corpX.un:1812
-       authhost        = radius1.corpX.un:1812
-       secret          = testing123
-}
-realm isp.un {
+  * [[https://www.depthsecurity.com/blog/when-802-1x-peap-eap-ttls-is-worse-than-no-wireless-security/|When 802.1x/PEAP/EAP-TTLS Is Worse Than No Wireless Security]]
-       authhost        = radius.isp.un:1812
-       authhost        = radius.isp.un:1812
-       secret          = testing123
-}
-realm DEFAULT {
-       authhost        = radius2.corpX.un:1812
-       authhost        = radius2.corpX.un:1812
-       secret          = testing123
-}
-</code>
-===== EAP =====
-  * [[http://blog.depthsecurity.com/2010/11/when-8021xpeapeap-ttls-is-worse-than-no.html|When 802.1x/PEAP/EAP-TTLS is Worse Than No Wireless Security]]
   * [[http://technet.microsoft.com/ru-ru/library/dd759219.aspx|Настройка проверки подлинности PEAP-TLS для беспроводных клиентов под управлением Windows 7 и Windows Vista]]
   * [[http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7|Enable 802.1X authentication Windows7]]
@@ Line 239: / Line 144: @@
 <code>
-freeradius2# cat eap.conf
+freeradius3# cat /etc/freeradius/3.0/mods-available/eap
-freeradius3# cat mods-available/eap
 </code><code>
 ...
@@ Line 247: / Line 150: @@
 ...
 </code><code>
-freeradius2# cat modules/mschap
+freeradius3# cat /etc/freeradius/3.0/mods-available/mschap
-freeradius3# cat mods-available/mschap
-freeradius3# cat mods-available/preprocess
 </code><code>
 ...
@@ Line 258: / Line 158: @@
 ...
        require_strong = yes
+...
+</code><code>
+freeradius3# cat /etc/freeradius/3.0/mods-available/preprocess
+</code><code>
 ...
        with_ntdomain_hack = yes
@@ Line 264: / Line 168: @@
 ===== Дополнительные материалы =====
+==== Настройка с использованием mysql ====
+  * [[https://wiki.freeradius.org/guide/SQL-HOWTO|guide/SQL HOWTO]]
+  * [[https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu|guide/SQL HOWTO for freeradius 3.x on Debian Ubuntu]]
+<code>
+# apt install freeradius-mysql
+mysql> CREATE DATABASE radius;
+mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
+# mysql radius < /etc/freeradius/sql/mysql/schema.sql
+# cat radiusd.conf
+</code><code>
+...
+        $INCLUDE sql.conf
+...
+</code><code>
+# cat sql.conf
+</code><code>
+...
+        database = "mysql"
+...
+</code><code>
+# cat sites-available/default
+</code><code>
+...
+authorize {
+...
+	sql
+...
+accounting {
+...
+	sql
+...
+</code><code>
+mysql> insert into radcheck (username, attribute, value, op) values ("ussr1", "Cleartext-Password", "password1", ":=");
+mysql> select acctsessionid, username, acctstarttime, acctstoptime, callingstationid, calledstationid from radacct;
+</code>
+==== EAP сертификаты ====
 <code>
@@ Line 295: / Line 243: @@
 > #                     CA_file = ${cadir}/ca.pem
 >                       CA_file = ${cadir}/int.geotrust.crt
+</code>
+==== Использование proxy ====
+<code>
+root@proxy:~# cat /etc/freeradius/proxy.conf
+</code><code>
+...
+realm NULL {
+       authhost        = radius1.corpX.un:1812
+       authhost        = radius1.corpX.un:1812
+       secret          = testing123
+}
+realm isp.un {
+       authhost        = radius.isp.un:1812
+       authhost        = radius.isp.un:1812
+       secret          = testing123
+}
+realm DEFAULT {
+       authhost        = radius2.corpX.un:1812
+       authhost        = radius2.corpX.un:1812
+       secret          = testing123
+}
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools