Differences

This shows you the differences between two versions of the page.

--- сервис_freeradius [2022/03/04 12:14]
val
+++ сервис_freeradius [2026/05/03 09:37] (current)
val [Тестирование сервера]
@@ Line 5: / Line 5: @@
 !!! Ставится 2-3 минуты !!!
-==== Debian ====
+==== Debian/Ubuntu ====
 <code>
 root@server:~# apt install freeradius
@@ Line 33: / Line 33: @@
         secret          = testing123
         shortname       = gate
+        #require_message_authenticator = no
+        #limit_proxy_state = yes
 }
 client switch {
        secret          = testing123
-       shortname       = switch
+       #require_message_authenticator = no
+       #limit_proxy_state = yes
 }
+#client switch1 { secret = testing123 }
+#client switch2 { secret = testing123 }
+#client switch3 { secret = testing123 }
 </code><code>
 server# :> /etc/freeradius/3.0/users
@@ Line 45: / Line 52: @@
 </code><code>
 user1 Cleartext-Password := "rpassword1"
-#     Framed-IP-Address = 192.168.100+X.101
+#     Framed-IP-Address = 192.168.100+X.1
 user2 Cleartext-Password := "rpassword2", Simultaneous-Use := 1
-#     Framed-IP-Address = 192.168.100+X.102,
 #     Service-Type = NAS-Prompt-User,
 #     cisco-avpair = "shell:priv-lvl=15"
@@ Line 54: / Line 60: @@
 student Cleartext-Password := "password"
- Cleartext-Password := "401", Simultaneous-Use := 1
+## for ansible
+#root Cleartext-Password := "cisco"
-Cleartext-Password := "402", Simultaneous-Use := 1
+#     Service-Type = NAS-Prompt-User,
+#     cisco-avpair = "shell:priv-lvl=15"
-Cleartext-Password := "403", Simultaneous-Use := 2
 </code><code>
 server# cat /etc/freeradius/3.0/radiusd.conf
@@ Line 91: / Line 95: @@
 </code>
-==== Настройка с использованием mysql ====
-  * [[https://wiki.freeradius.org/guide/SQL-HOWTO|guide/SQL HOWTO]]
-  * [[https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu|guide/SQL HOWTO for freeradius 3.x on Debian Ubuntu]]
-<code>
-# apt install freeradius-mysql
-mysql> CREATE DATABASE radius;
-mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
-# mysql radius < /etc/freeradius/sql/mysql/schema.sql
-# cat radiusd.conf
-</code><code>
-...
-        $INCLUDE sql.conf
-...
-</code><code>
-# cat sql.conf
-</code><code>
-...
-        database = "mysql"
-...
-</code><code>
-# cat sites-available/default
-</code><code>
-...
-authorize {
-...
-	sql
-...
-accounting {
-...
-	sql
-...
-</code><code>
-mysql> insert into radcheck (username, attribute, value, op) values ("401", "Cleartext-Password", "401", ":=");
-mysql> select acctsessionid, username, acctstarttime, acctstoptime, callingstationid, calledstationid from radacct;
-</code>
 ===== Запуск сервера =====
 ==== Debian/Ubuntu ====
 <code>
+root@server:~# ###systemctl enable freeradius
 root@server:~# service freeradius restart
 </code>
@@ Line 148: / Line 112: @@
 # apt install freeradius-utils
-$ radtest user1 rpassword1 127.0.0.1 0 testing123
+$  radtest user1 rpassword1 127.0.0.1 0 testing123
+$  radtest root cisco 127.0.0.1 0 testing123
+$  echo "User-Name=student,User-Password=password,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123
 # tail -f /var/log/freeradius/radius.log
-$ echo "User-Name=401,User-Password=401,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123
-$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Start,NAS-IP-Address=127.0.0.1,NAS-Port=401402"| radclient localhost acct testing123
-# radwho -R
-$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Stop,NAS-IP-Address=127.0.0.1,NAS-Port=401402"| radclient localhost acct testing123
 </code>
@@ Line 178: / Line 137: @@
 </code>
-===== Использование proxy =====
+===== EAP =====
-<code>
-root@proxy:~# cat /etc/freeradius/proxy.conf
-</code><code>
-...
-realm NULL {
-       authhost        = radius1.corpX.un:1812
-       authhost        = radius1.corpX.un:1812
-       secret          = testing123
-}
-realm isp.un {
+  * [[https://www.depthsecurity.com/blog/when-802-1x-peap-eap-ttls-is-worse-than-no-wireless-security/|When 802.1x/PEAP/EAP-TTLS Is Worse Than No Wireless Security]]
-       authhost        = radius.isp.un:1812
+  * [[https://www.reddit.com/r/sysadmin/comments/d3cagk/8021x_certificate_changed_now_clients_are_always/?tl=ru|Сертификат 802.1x изменился, теперь клиенты постоянно спрашивают, доверять ли соединению]]
-       authhost        = radius.isp.un:1812
-       secret          = testing123
-}
-realm DEFAULT {
-       authhost        = radius2.corpX.un:1812
-       authhost        = radius2.corpX.un:1812
-       secret          = testing123
-}
-</code>
-===== EAP =====
-  * [[http://blog.depthsecurity.com/2010/11/when-8021xpeapeap-ttls-is-worse-than-no.html|When 802.1x/PEAP/EAP-TTLS is Worse Than No Wireless Security]]
   * [[http://technet.microsoft.com/ru-ru/library/dd759219.aspx|Настройка проверки подлинности PEAP-TLS для беспроводных клиентов под управлением Windows 7 и Windows Vista]]
   * [[http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7|Enable 802.1X authentication Windows7]]
   * [[http://habrahabr.ru/post/170949/|Wi-Fi с логином и паролем для каждого пользователя или делаем WPA2-EAP/TLS подручными средствами]]
+  * [[Пакет OpenSSL#Создание самоподписанного сертификата]] wild сертификата
+<code>
+cp wild.key /etc/ssl/private/
+chmod 640 /etc/ssl/private/wild.key
+chown root:ssl-cert /etc/ssl/private/wild.key
+cp wild.crt /etc/ssl/certs/
+</code>
 <code>
 freeradius3# cat /etc/freeradius/3.0/mods-available/eap
@@ Line 214: / Line 159: @@
 ...
                default_eap_type = peap
+...
+               #private_key_file = /etc/ssl/private/wild.key
+...
+               #certificate_file = /etc/ssl/certs/wild.crt
 ...
 </code><code>
@@ Line 234: / Line 183: @@
 ===== Дополнительные материалы =====
+==== Настройка с использованием mysql ====
+  * [[https://wiki.freeradius.org/guide/SQL-HOWTO|guide/SQL HOWTO]]
+  * [[https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu|guide/SQL HOWTO for freeradius 3.x on Debian Ubuntu]]
 <code>
-root@valtest:~ # rcsdiff /usr/local/etc/raddb/eap.conf
+# apt install freeradius-mysql
+mysql> CREATE DATABASE radius;
+mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
+# mysql radius < /etc/freeradius/sql/mysql/schema.sql
+# cat radiusd.conf
 </code><code>
-diff -r1.1 /usr/local/etc/raddb/eap.conf
+...
-c5
+        $INCLUDE sql.conf
-< ##    $Id: eap.conf,v 1.1 2014/07/29 14:09:57 root Exp $
+...
----
+</code><code>
-> ##    $Id: eap.conf,v 1.2 2014/07/30 14:26:59 root Exp root $
+# cat sql.conf
-c30,31
+</code><code>
-<               default_eap_type = md5
+...
----
+        database = "mysql"
->               #default_eap_type = md5
+...
->               default_eap_type = peap
+</code><code>
-,159c159,161
+# cat sites-available/default
-<                       private_key_password = whatever
+</code><code>
-<                       private_key_file = ${certdir}/server.pem
+...
----
+authorize {
->               #       private_key_password = whatever
+...
->               #       private_key_file = ${certdir}/server.pem
+	sql
->                       private_key_file = ${certdir}/bmstu.ru.clkey
+...
-c173,174
+accounting {
-<                       certificate_file = ${certdir}/server.pem
+...
----
+	sql
->       #               certificate_file = ${certdir}/server.pem
+...
->                       certificate_file = ${certdir}/bmstu.ru.crt
+</code><code>
-c191,192
+mysql> insert into radcheck (username, attribute, value, op) values ("ussr1", "Cleartext-Password", "password1", ":=");
-<                       CA_file = ${cadir}/ca.pem
----
+mysql> select acctsessionid, username, acctstarttime, acctstoptime, callingstationid, calledstationid from radacct;
-> #                     CA_file = ${cadir}/ca.pem
+</code>
->                       CA_file = ${cadir}/int.geotrust.crt
+==== Использование proxy ====
+<code>
+root@proxy:~# cat /etc/freeradius/proxy.conf
+</code><code>
+...
+realm NULL {
+       authhost        = radius1.corpX.un:1812
+       authhost        = radius1.corpX.un:1812
+       secret          = testing123
+}
+realm isp.un {
+       authhost        = radius.isp.un:1812
+       authhost        = radius.isp.un:1812
+       secret          = testing123
+}
+realm DEFAULT {
+       authhost        = radius2.corpX.un:1812
+       authhost        = radius2.corpX.un:1812
+       secret          = testing123
+}
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools