====== FreeRADIUS service ======

  * [[http://freeradius.org/|The FreeRADIUS Project]]

===== Server installation =====

!!! Installs in 2-3 minutes !!!

==== Debian/Ubuntu ====
<code>
root@server:~# apt install freeradius
</code>

==== CentOS/SL ====
<code>
[root@server ~]# yum install freeradius2
[root@server ~]# yum install freeradius-utils

[root@server ~]# ls /etc/raddb/
</code>

===== Server configuration =====

==== Configuration using text files ====
<code>
server# cat /etc/freeradius/3.0/clients.conf
...
client gate.corpX.un {
        secret = testing123
        shortname = gate
}
client switch {
        secret = testing123
        shortname = switch
}
#client switch1 { secret = testing123 }
#client switch2 { secret = testing123 }
#client switch3 { secret = testing123 }
</code>
<code>
server# :> /etc/freeradius/3.0/users

server# cat /etc/freeradius/3.0/users
user1 Cleartext-Password := "rpassword1"
#       Framed-IP-Address = 192.168.100+X.101

user2 Cleartext-Password := "rpassword2", Simultaneous-Use := 1
#       Framed-IP-Address = 192.168.100+X.102,
#       Service-Type = NAS-Prompt-User,
#       cisco-avpair = "shell:priv-lvl=15"

student Cleartext-Password := "password"

## for ansible
#root Cleartext-Password := "cisco"
#       Service-Type = NAS-Prompt-User,
#       cisco-avpair = "shell:priv-lvl=15"
</code>
<code>
server# cat /etc/freeradius/3.0/radiusd.conf
...
log {
...
        auth = yes
...
</code>
<code>
server# cat /etc/freeradius/3.0/sites-available/default
authorize {
...
#       unix
        files
...
accounting {
...
        radutmp
...
session {
...
        radutmp
...
</code>
<code>
server# cat /etc/freeradius/3.0/mods-available/radutmp
...
        check_with_nas = no
...
</code>

===== Starting the server =====

==== Debian/Ubuntu ====
<code>
root@server:~# systemctl enable freeradius

root@server:~# service freeradius restart
</code>

===== Testing the server =====

  * !!! An unprivileged user may need to be a member of the freeradius group

<code>
# apt install freeradius-utils

$ radtest user1 rpassword1 127.0.0.1 0 testing123

$ echo "User-Name=student,User-Password=password,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123

# tail -f /var/log/freeradius/radius.log

$ echo "User-Name=401,User-Password=401,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123

$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Start,NAS-IP-Address=127.0.0.1,NAS-Port=401402" | radclient localhost acct testing123

# radwho -R

$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Stop,NAS-IP-Address=127.0.0.1,NAS-Port=401402" | radclient localhost acct testing123
</code>

===== Accounting for resources consumed by users =====

  * [[http://portmasters.com/tech/docs/radius/accounting.html|Implementing RADIUS Accounting]]

<code>
server# tail -f /var/log/radacct/192.168.X.1/detail-XXXXX
</code>
<code>
server# fetch http://www.pgregg.com/projects/radiusreport/radiusreport-0.3b6.tar
</code>
or
<code>
server# wget http://www.pgregg.com/projects/radiusreport/radiusreport-0.3b6.tar
</code>
<code>
server# cd /usr/local
server# tar -xvf /root/radiusreport-0.3b6.tar

server# /usr/local/radiusreport-0.3b6/radiusreport -tba -l user1 -f /var/log/radacct/192.168.X.1/detail-XXXXX
</code>

===== EAP =====

  * [[http://blog.depthsecurity.com/2010/11/when-8021xpeapeap-ttls-is-worse-than-no.html|When 802.1x/PEAP/EAP-TTLS is Worse Than No Wireless Security]]
  * [[http://technet.microsoft.com/ru-ru/library/dd759219.aspx|Configuring PEAP-TLS authentication for wireless clients running Windows 7 and Windows Vista]]
  * [[http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7|Enable 802.1X authentication Windows7]]
  * [[http://habrahabr.ru/post/170949/|Wi-Fi with a login and password for every user, or building WPA2-EAP/TLS with what is at hand]]

<code>
freeradius3# cat /etc/freeradius/3.0/mods-available/eap
...
        default_eap_type = peap
...
</code>
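For the accounting section above: an added Python example (not from this page, FreeRADIUS or radiusreport) that parses the record layout FreeRADIUS writes to the detail-* files, totals session time and traffic per user from Stop records, and lists sessions with a Start but no Stop, which is what radwho shows and what Simultaneous-Use counts against. The detail text is a constructed sample.

```python
import re
from collections import defaultdict

# Constructed sample in the layout FreeRADIUS writes to /var/log/radacct/<NAS>/detail-*:
# a timestamp line, tab-indented "Attribute = value" lines, blank line between records.
SAMPLE_DETAIL = """\
Tue Jul 30 14:26:59 2014
\tAcct-Session-Id = "6000006B"
\tUser-Name = "user1"
\tAcct-Status-Type = Start

Tue Jul 30 14:36:59 2014
\tAcct-Session-Id = "6000006B"
\tUser-Name = "user1"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 600
\tAcct-Input-Octets = 123456
\tAcct-Output-Octets = 654321

Tue Jul 30 14:40:00 2014
\tAcct-Session-Id = "6000006C"
\tUser-Name = "user2"
\tAcct-Status-Type = Start
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_detail(text):
    """Yield one dict of attributes per accounting record; the timestamp line is skipped."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        matches = (ATTR_RE.match(line) for line in chunk.splitlines()[1:])
        yield {m.group(1): m.group(2) for m in matches if m}


def summarize(text):
    """Per-user totals from Stop records, plus sessions that have a Start but no Stop."""
    totals = defaultdict(lambda: {"sessions": 0, "seconds": 0, "octets": 0})
    started, stopped = {}, set()
    for rec in parse_detail(text):
        sid, user, status = rec.get("Acct-Session-Id"), rec.get("User-Name"), rec.get("Acct-Status-Type")
        if status == "Start":
            started[sid] = user
        elif status == "Stop":
            stopped.add(sid)
            t = totals[user]
            t["sessions"] += 1
            t["seconds"] += int(rec.get("Acct-Session-Time", 0))
            t["octets"] += int(rec.get("Acct-Input-Octets", 0)) + int(rec.get("Acct-Output-Octets", 0))
    # Sessions with a Start but no Stop are what radwho lists and Simultaneous-Use counts against
    return dict(totals), {sid: user for sid, user in started.items() if sid not in stopped}
```

Run summarize() over the text of a real detail file to get the same per-user view radiusreport -tba produces, plus the still-open sessions.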
<code>
freeradius3# cat /etc/freeradius/3.0/mods-available/mschap
...
        use_mppe = yes
...
        require_encryption = yes
...
        require_strong = yes
...
</code>
<code>
freeradius3# cat /etc/freeradius/3.0/mods-available/preprocess
...
        with_ntdomain_hack = yes
...
</code>

===== Additional materials =====

==== Configuration using mysql ====

  * [[https://wiki.freeradius.org/guide/SQL-HOWTO|guide/SQL HOWTO]]
  * [[https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu|guide/SQL HOWTO for freeradius 3.x on Debian Ubuntu]]

<code>
# apt install freeradius-mysql
</code>
<code>
mysql> CREATE DATABASE radius;
mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
</code>
<code>
# mysql radius < /etc/freeradius/sql/mysql/schema.sql
</code>
<code>
# cat radiusd.conf
...
$INCLUDE sql.conf
...
</code>
<code>
# cat sql.conf
...
        database = "mysql"
...
</code>
<code>
# cat sites-available/default
...
authorize {
...
        sql
...
accounting {
...
        sql
...
</code>
<code>
mysql> insert into radcheck (username, attribute, value, op) values ("401", "Cleartext-Password", "401", ":=");

mysql> select acctsessionid, username, acctstarttime, acctstoptime, callingstationid, calledstationid from radacct;
</code>

==== EAP certificates ====
<code>
root@valtest:~ # rcsdiff /usr/local/etc/raddb/eap.conf
diff -r1.1 /usr/local/etc/raddb/eap.conf
5c5
< ## $Id: eap.conf,v 1.1 2014/07/29 14:09:57 root Exp $
---
> ## $Id: eap.conf,v 1.2 2014/07/30 14:26:59 root Exp root $
30c30,31
< default_eap_type = md5
---
> #default_eap_type = md5
> default_eap_type = peap
158,159c159,161
< private_key_password = whatever
< private_key_file = ${certdir}/server.pem
---
> # private_key_password = whatever
> # private_key_file = ${certdir}/server.pem
> private_key_file = ${certdir}/bmstu.ru.clkey
171c173,174
< certificate_file = ${certdir}/server.pem
---
> # certificate_file = ${certdir}/server.pem
> certificate_file = ${certdir}/bmstu.ru.crt
188c191,192
< CA_file = ${cadir}/ca.pem
---
> # CA_file = ${cadir}/ca.pem
> CA_file = ${cadir}/int.geotrust.crt
</code>

==== Using proxy ====
<code>
root@proxy:~# cat /etc/freeradius/proxy.conf
...
realm NULL {
        authhost = radius1.corpX.un:1812
        accthost = radius1.corpX.un:1813
        secret = testing123
}
realm isp.un {
        authhost = radius.isp.un:1812
        accthost = radius.isp.un:1813
        secret = testing123
}
realm DEFAULT {
        authhost = radius2.corpX.un:1812
        accthost = radius2.corpX.un:1813
        secret = testing123
}
</code>
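Review bot: in the 158,159c159,161 hunk of the eap.conf rcsdiff in the EAP certificates section, `private_key_password` is commented out while the key becomes `${certdir}/bmstu.ru.clkey`; that only works if the new key file is stored unencrypted, so either state that in the change or keep `private_key_password` set to the real passphrase. In the 188c191,192 hunk `CA_file` now points at an intermediate only (`${cadir}/int.geotrust.crt`); confirm that `${certdir}/bmstu.ru.crt` together with that intermediate forms a chain supplicants can validate before relying on the switch to `default_eap_type = peap` in the 30c30,31 hunk.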
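The shared secret set in clients.conf and in the proxy realms above is what hides User-Password and authenticates every reply. The following is an added Python example (not from this page or from FreeRADIUS) that builds a radtest-style Access-Request and checks a reply the way a client must, following RFC 2865; user1/rpassword1, testing123 and 127.0.0.1 are taken from the page and the fixed authenticator bytes are constructed for the test.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """What the server does with User-Password: same keystream, previous hidden block chains the key."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(code, value):
    """One attribute in TLV form: type, total length (including the 2-byte header), value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """Access-Request with User-Name(1), hidden User-Password(2) and NAS-IP-Address(4), as radtest sends."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user.encode())
             + attr(2, hide_password(password.encode(), secret, authenticator))
             + attr(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, attrs, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(response, request_authenticator, secret):
    """Client side: a reply whose authenticator does not verify was not produced with our shared secret."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return response[4:20] == expected
```

Because both the password hiding and the reply check rest on MD5 of the secret, a short or reused secret like testing123 from the examples is only acceptable in the lab; anyone on the path between NAS and server who learns it can read every password and forge every Access-Accept.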