• The FreeRADIUS Project

!!! Ставится 2-3 минуты !!!

root@server:~# apt install freeradius

[root@server ~]# yum install freeradius2

[root@server ~]# yum install freeradius-utils

[root@server ~]# ls /etc/raddb/

server# cat /etc/freeradius/3.0/clients.conf

...
client gate.corpX.un {
        secret          = testing123
        shortname       = gate
}

client switch {
       secret          = testing123
       shortname       = switch
}

#client switch1 { secret = testing123 }
#client switch2 { secret = testing123 }
#client switch3 { secret = testing123 }

server# :> /etc/freeradius/3.0/users

server# cat /etc/freeradius/3.0/users

user1 Cleartext-Password := "rpassword1"
#     Framed-IP-Address = 192.168.100+X.101

user2 Cleartext-Password := "rpassword2", Simultaneous-Use := 1
#     Framed-IP-Address = 192.168.100+X.102,
#     Service-Type = NAS-Prompt-User,
#     cisco-avpair = "shell:priv-lvl=15"

student Cleartext-Password := "password"

## for ansible
#root Cleartext-Password := "cisco"
#     Service-Type = NAS-Prompt-User,
#     cisco-avpair = "shell:priv-lvl=15"

server# cat /etc/freeradius/3.0/radiusd.conf

...
log {
  ...
  auth = yes
...

server# cat /etc/freeradius/3.0/sites-available/default

authorize {
...
#	unix
	files
accounting {
...
	radutmp
...
session {
...
	radutmp
...

server# cat /etc/freeradius/3.0/mods-available/radutmp

...
check_with_nas = no
...

root@server:~# ###systemctl enable freeradius

root@server:~# service freeradius restart

• !!! Не привилегированному пользователю может понадобиться находиться в группе freeradius

# apt install freeradius-utils

$ radtest user1 rpassword1 127.0.0.1 0 testing123
$ radtest root cisco 127.0.0.1 0 testing123

$ echo "User-Name=student,User-Password=password,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123

# tail -f /var/log/freeradius/radius.log

• Implementing RADIUS Accounting

server# tail -f /var/log/radacct/192.168.X.1/detail-XXXXX

server# fetch http://www.pgregg.com/projects/radiusreport/radiusreport-0.3b6.tar
  или
server# wget http://www.pgregg.com/projects/radiusreport/radiusreport-0.3b6.tar

server# cd /usr/local
server# tar -xvf /root/radiusreport-0.3b6.tar

server# /usr/local/radiusreport-0.3b6/radiusreport -tba -l user1 -f /var/log/radacct/192.168.X.1/detail-XXXXX

• When 802.1x/PEAP/EAP-TTLS is Worse Than No Wireless Security
• Настройка проверки подлинности PEAP-TLS для беспроводных клиентов под управлением Windows 7 и Windows Vista
• Enable 802.1X authentication Windows7
• Wi-Fi с логином и паролем для каждого пользователя или делаем WPA2-EAP/TLS подручными средствами

freeradius3# cat /etc/freeradius/3.0/mods-available/eap

...
               default_eap_type = peap
...

freeradius3# cat /etc/freeradius/3.0/mods-available/mschap

...
       use_mppe = yes
...
       require_encryption = yes
...
       require_strong = yes
...

freeradius3# cat /etc/freeradius/3.0/mods-available/preprocess

...
       with_ntdomain_hack = yes
...

• guide/SQL HOWTO
• guide/SQL HOWTO for freeradius 3.x on Debian Ubuntu

# apt install freeradius-mysql

mysql> CREATE DATABASE radius;
mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";

# mysql radius < /etc/freeradius/sql/mysql/schema.sql

# cat radiusd.conf

...
        $INCLUDE sql.conf
...

# cat sql.conf

...
        database = "mysql"
...

# cat sites-available/default

...
authorize {
...
	sql
...
accounting {
...
	sql
...

mysql> insert into radcheck (username, attribute, value, op) values ("ussr1", "Cleartext-Password", "password1", ":=");

mysql> select acctsessionid, username, acctstarttime, acctstoptime, callingstationid, calledstationid from radacct;

root@valtest:~ # rcsdiff /usr/local/etc/raddb/eap.conf

diff -r1.1 /usr/local/etc/raddb/eap.conf
5c5
< ##    $Id: eap.conf,v 1.1 2014/07/29 14:09:57 root Exp $
---
> ##    $Id: eap.conf,v 1.2 2014/07/30 14:26:59 root Exp root $
30c30,31
<               default_eap_type = md5
---
>               #default_eap_type = md5
>               default_eap_type = peap
158,159c159,161
<                       private_key_password = whatever
<                       private_key_file = ${certdir}/server.pem
---
>               #       private_key_password = whatever
>               #       private_key_file = ${certdir}/server.pem
>                       private_key_file = ${certdir}/bmstu.ru.clkey
171c173,174
<                       certificate_file = ${certdir}/server.pem
---
>       #               certificate_file = ${certdir}/server.pem
>                       certificate_file = ${certdir}/bmstu.ru.crt
188c191,192
<                       CA_file = ${cadir}/ca.pem
---
> #                     CA_file = ${cadir}/ca.pem
>                       CA_file = ${cadir}/int.geotrust.crt

root@proxy:~# cat /etc/freeradius/proxy.conf

...
realm NULL {
       authhost        = radius1.corpX.un:1812
       authhost        = radius1.corpX.un:1812
       secret          = testing123
}

realm isp.un {
       authhost        = radius.isp.un:1812
       authhost        = radius.isp.un:1812
       secret          = testing123
}

realm DEFAULT {
       authhost        = radius2.corpX.un:1812
       authhost        = radius2.corpX.un:1812
       secret          = testing123
}