Differences

This shows you the differences between two versions of the page.

--- сервис_freeradius [2023/06/28 12:00]
val [Debian/Ubuntu]
+++ сервис_freeradius [2026/05/03 09:37] (current)
val [Тестирование сервера]
@@ Line 33: / Line 33: @@
         secret          = testing123
         shortname       = gate
+        #require_message_authenticator = no
+        #limit_proxy_state = yes
 }
 client switch {
        secret          = testing123
-       shortname       = switch
+       #require_message_authenticator = no
+       #limit_proxy_state = yes
 }
@@ Line 49: / Line 52: @@
 </code><code>
 user1 Cleartext-Password := "rpassword1"
-#     Framed-IP-Address = 192.168.100+X.101
+#     Framed-IP-Address = 192.168.100+X.1
 user2 Cleartext-Password := "rpassword2", Simultaneous-Use := 1
-#     Framed-IP-Address = 192.168.100+X.102,
 #     Service-Type = NAS-Prompt-User,
 #     cisco-avpair = "shell:priv-lvl=15"
@@ Line 97: / Line 99: @@
 ==== Debian/Ubuntu ====
 <code>
-root@server:~# systemctl enable freeradius
+root@server:~# ###systemctl enable freeradius
 root@server:~# service freeradius restart
@@ Line 110: / Line 112: @@
 # apt install freeradius-utils
-$ radtest user1 rpassword1 127.0.0.1 0 testing123
+$  radtest user1 rpassword1 127.0.0.1 0 testing123
+$  radtest root cisco 127.0.0.1 0 testing123
-$ echo "User-Name=student,User-Password=password,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123
+$  echo "User-Name=student,User-Password=password,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123
 # tail -f /var/log/freeradius/radius.log
-$ echo "User-Name=401,User-Password=401,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123
-$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Start,NAS-IP-Address=127.0.0.1,NAS-Port=401402"| radclient localhost acct testing123
-# radwho -R
-$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Stop,NAS-IP-Address=127.0.0.1,NAS-Port=401402"| radclient localhost acct testing123
 </code>
@@ Line 146: / Line 139: @@
 ===== EAP =====
-  * [[http://blog.depthsecurity.com/2010/11/when-8021xpeapeap-ttls-is-worse-than-no.html|When 802.1x/PEAP/EAP-TTLS is Worse Than No Wireless Security]]
+  * [[https://www.depthsecurity.com/blog/when-802-1x-peap-eap-ttls-is-worse-than-no-wireless-security/|When 802.1x/PEAP/EAP-TTLS Is Worse Than No Wireless Security]]
+  * [[https://www.reddit.com/r/sysadmin/comments/d3cagk/8021x_certificate_changed_now_clients_are_always/?tl=ru|Сертификат 802.1x изменился, теперь клиенты постоянно спрашивают, доверять ли соединению]]
   * [[http://technet.microsoft.com/ru-ru/library/dd759219.aspx|Настройка проверки подлинности PEAP-TLS для беспроводных клиентов под управлением Windows 7 и Windows Vista]]
   * [[http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7|Enable 802.1X authentication Windows7]]
   * [[http://habrahabr.ru/post/170949/|Wi-Fi с логином и паролем для каждого пользователя или делаем WPA2-EAP/TLS подручными средствами]]
+  * [[Пакет OpenSSL#Создание самоподписанного сертификата]] wild сертификата
+<code>
+cp wild.key /etc/ssl/private/
+chmod 640 /etc/ssl/private/wild.key
+chown root:ssl-cert /etc/ssl/private/wild.key
+cp wild.crt /etc/ssl/certs/
+</code>
 <code>
 freeradius3# cat /etc/freeradius/3.0/mods-available/eap
@@ Line 156: / Line 159: @@
 ...
                default_eap_type = peap
+...
+               #private_key_file = /etc/ssl/private/wild.key
+...
+               #certificate_file = /etc/ssl/certs/wild.crt
 ...
 </code><code>
@@ Line 214: / Line 221: @@
 ...
 </code><code>
-mysql> insert into radcheck (username, attribute, value, op) values ("401", "Cleartext-Password", "401", ":=");
+mysql> insert into radcheck (username, attribute, value, op) values ("ussr1", "Cleartext-Password", "password1", ":=");
 mysql> select acctsessionid, username, acctstarttime, acctstoptime, callingstationid, calledstationid from radacct;
 </code>
-==== EAP сертификаты ====
-<code>
-root@valtest:~ # rcsdiff /usr/local/etc/raddb/eap.conf
-</code><code>
-diff -r1.1 /usr/local/etc/raddb/eap.conf
-c5
-< ##    $Id: eap.conf,v 1.1 2014/07/29 14:09:57 root Exp $
----
-> ##    $Id: eap.conf,v 1.2 2014/07/30 14:26:59 root Exp root $
-c30,31
-<               default_eap_type = md5
----
->               #default_eap_type = md5
->               default_eap_type = peap
-,159c159,161
-<                       private_key_password = whatever
-<                       private_key_file = ${certdir}/server.pem
----
->               #       private_key_password = whatever
->               #       private_key_file = ${certdir}/server.pem
->                       private_key_file = ${certdir}/bmstu.ru.clkey
-c173,174
-<                       certificate_file = ${certdir}/server.pem
----
->       #               certificate_file = ${certdir}/server.pem
->                       certificate_file = ${certdir}/bmstu.ru.crt
-c191,192
-<                       CA_file = ${cadir}/ca.pem
----
-> #                     CA_file = ${cadir}/ca.pem
->                       CA_file = ${cadir}/int.geotrust.crt
-</code>
 ==== Использование proxy ====

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools