

Сервис FreeRADIUS

Инсталляция сервера

!!! Ставится 2-3 минуты !!!

Debian/Ubuntu

root@server:~# apt install freeradius

CentOS/SL

[root@server ~]# yum install freeradius2

[root@server ~]# yum install freeradius-utils

[root@server ~]# ls /etc/raddb/

Настройка сервера

Настройка с использованием текстовых файлов

server# cat /etc/freeradius/3.0/clients.conf
...
client gate.corpX.un {
        secret          = testing123
        shortname       = gate
}

client switch {
       secret          = testing123
       shortname       = switch
}

#client switch1 { secret = testing123 }
#client switch2 { secret = testing123 }
#client switch3 { secret = testing123 }
server# :> /etc/freeradius/3.0/users

server# cat /etc/freeradius/3.0/users
user1 Cleartext-Password := "rpassword1"
#     Framed-IP-Address = 192.168.100+X.101

user2 Cleartext-Password := "rpassword2", Simultaneous-Use := 1
#     Framed-IP-Address = 192.168.100+X.102,
#     Service-Type = NAS-Prompt-User,
#     cisco-avpair = "shell:priv-lvl=15"

student Cleartext-Password := "password"

## for ansible
#root Cleartext-Password := "cisco"
#     Service-Type = NAS-Prompt-User,
#     cisco-avpair = "shell:priv-lvl=15"
server# cat /etc/freeradius/3.0/radiusd.conf
...
log {
  ...
  auth = yes
...
server# cat /etc/freeradius/3.0/sites-available/default
authorize {
...
#	unix
	files
accounting {
...
	radutmp
...
session {
...
	radutmp
...
server# cat /etc/freeradius/3.0/mods-available/radutmp
...
check_with_nas = no
...

Запуск сервера

Debian/Ubuntu

root@server:~# systemctl enable freeradius

root@server:~# service freeradius restart

Тестирование сервера

  • !!! Непривилегированному пользователю может понадобиться состоять в группе freeradius
# apt install freeradius-utils

$ radtest user1 rpassword1 127.0.0.1 0 testing123

$ echo "User-Name=student,User-Password=password,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123

# tail -f /var/log/freeradius/radius.log



$ echo "User-Name=401,User-Password=401,NAS-IP-Address=127.0.0.1" | radclient localhost auth testing123

$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Start,NAS-IP-Address=127.0.0.1,NAS-Port=401402"| radclient localhost acct testing123

# radwho -R

$ echo "User-Name=401,Acct-Session-Id=6000006B,Acct-Status-Type=Stop,NAS-IP-Address=127.0.0.1,NAS-Port=401402"| radclient localhost acct testing123

Учет ресурсов потребляемых пользователями

server# tail -f /var/log/radacct/192.168.X.1/detail-XXXXX

server# fetch http://www.pgregg.com/projects/radiusreport/radiusreport-0.3b6.tar
  или
server# wget http://www.pgregg.com/projects/radiusreport/radiusreport-0.3b6.tar

server# cd /usr/local
server# tar -xvf /root/radiusreport-0.3b6.tar

server# /usr/local/radiusreport-0.3b6/radiusreport -tba -l user1 -f /var/log/radacct/192.168.X.1/detail-XXXXX

EAP

freeradius3# cat /etc/freeradius/3.0/mods-available/eap
...
               default_eap_type = peap
...
freeradius3# cat /etc/freeradius/3.0/mods-available/mschap
...
       use_mppe = yes
...
       require_encryption = yes
...
       require_strong = yes
...
freeradius3# cat /etc/freeradius/3.0/mods-available/preprocess
...
       with_ntdomain_hack = yes
...

Дополнительные материалы

Настройка с использованием mysql

# apt install freeradius-mysql

mysql> CREATE DATABASE radius;
mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";

# mysql radius < /etc/freeradius/sql/mysql/schema.sql

# cat radiusd.conf
...
        $INCLUDE sql.conf
...
# cat sql.conf
...
        database = "mysql"
...
# cat sites-available/default
...
authorize {
...
	sql
...
accounting {
...
	sql
...
mysql> insert into radcheck (username, attribute, value, op) values ("401", "Cleartext-Password", "401", ":=");

mysql> select acctsessionid, username, acctstarttime, acctstoptime, callingstationid, calledstationid from radacct;

EAP сертификаты

root@valtest:~ # rcsdiff /usr/local/etc/raddb/eap.conf
diff -r1.1 /usr/local/etc/raddb/eap.conf
5c5
< ##    $Id: eap.conf,v 1.1 2014/07/29 14:09:57 root Exp $
---
> ##    $Id: eap.conf,v 1.2 2014/07/30 14:26:59 root Exp root $
30c30,31
<               default_eap_type = md5
---
>               #default_eap_type = md5
>               default_eap_type = peap
158,159c159,161
<                       private_key_password = whatever
<                       private_key_file = ${certdir}/server.pem
---
>               #       private_key_password = whatever
>               #       private_key_file = ${certdir}/server.pem
>                       private_key_file = ${certdir}/bmstu.ru.clkey
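Review bot: The new side points `private_key_file` at `${certdir}/bmstu.ru.clkey` while leaving `private_key_password` commented out, so the replacement key is presumably stored without a passphrase and its confidentiality now rests entirely on filesystem permissions. A comment beside the new line would make that explicit for the next maintainer, e.g. `# key has no passphrase: keep it owned by the radiusd user, mode 0600`. The enclosing tls section of eap.conf starts and ends outside the hunk, so the certificate_file and CA_file hunks below should be checked against the same key/cert pairing.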
171c173,174
<                       certificate_file = ${certdir}/server.pem
---
>       #               certificate_file = ${certdir}/server.pem
>                       certificate_file = ${certdir}/bmstu.ru.crt
188c191,192
<                       CA_file = ${cadir}/ca.pem
---
> #                     CA_file = ${cadir}/ca.pem
>                       CA_file = ${cadir}/int.geotrust.crt

Использование proxy

root@proxy:~# cat /etc/freeradius/proxy.conf
...
realm NULL {
       authhost        = radius1.corpX.un:1812
       authhost        = radius1.corpX.un:1812
       secret          = testing123
}

realm isp.un {
       authhost        = radius.isp.un:1812
       authhost        = radius.isp.un:1812
       secret          = testing123
}

realm DEFAULT {
       authhost        = radius2.corpX.un:1812
       authhost        = radius2.corpX.un:1812
       secret          = testing123
}