Akagi201
7/18/2014 - 6:02 AM
freeradius.md
FreeRADIUS包括: RADIUS server(radiusd), client library(radiusclient-ng), PAM library, Apache module
FreeRADIUS server包含一个php管理页面dialupadmin: http://freeradius.org/dialupadmin.html
FreeRADIUS 3 包含了RADIUS over TLS,RADSEC, 完全重写的 rlm_ldap module.
gentoo
net-dialup/freeradius
官网
Repo
- free-radius: https://github.com/Akagi201/akfreeradius-server
Refs
install
sudo add-apt-repository ppa:freeradius/stable-3.0sudo apt-get updatesudo apt-get install freeradiussudo chown -R :freerad /etc/freeradius/ /var/log/freeradius/sudo usermod -a -G freerad akagi201- https://docs.google.com/document/d/14LnsBznOw0w2fR7xgBJhzyWp1OztlKO6D5fws0XpjBI/edit
sudo aptitude install freeradius-mysqlsudo aptitude install mysql-clientsudo aptitude install radiusclient1cd mods-enabled/ln -s ../mods-available/sql ./- http://lalitvc.wordpress.com/2014/07/03/freeradius-3-0-x-installation-and-configuration-with-mysql/
- 下面这里没有改.
- http://wiki.weithenn.org/cgi-bin/wiki.pl?AAA_Authentication_with_FreeRADIUS
policy {
$INCLUDE sites-enabled/
}
install on gentoo
add '=net-dialup/freeradius-3.0.3 **' to package.accept_keywordssudo emerge freeradius- 切换成root进行操作
cd /etc/raddb/certsmake- 下载
wpa_supplicant源码, 安装libnl, 编译eapol_test - http://en.it-usenet.org/thread/18494/14356/
akgentoo raddb # cd /etc/raddb/certs/
akgentoo certs #
akgentoo certs # make
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................+.........+.....................+.................+....................................+.............................................................................+......................................................................................................+........+..................................+..................................................+......................................................+................................................................................+.....++*++*++*
openssl req -new -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
........................+++
.............+++
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
......................................................+++
..............................................................+++
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 3 13:40:42 2014 GMT
Not After : Oct 2 13:40:42 2014 GMT
Subject:
countryName = FR
stateOrProvinceName = Radius
organizationName = Example Inc.
commonName = Example Server Certificate
emailAddress = admin@example.com
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.example.com/example_ca.crl
Certificate is to be certified until Oct 2 13:40:42 2014 GMT (60 days)
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
server.pem: OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
........................+++
..................................+++
writing new private key to 'client.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 3 13:40:42 2014 GMT
Not After : Oct 2 13:40:42 2014 GMT
Subject:
countryName = FR
stateOrProvinceName = Radius
organizationName = Example Inc.
commonName = user@example.com
emailAddress = user@example.com
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.example.com/example_ca.crl
Certificate is to be certified until Oct 2 13:40:42 2014 GMT (60 days)
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
cp client.pem `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`.pem
mysql
mysql -uroot -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO akagi201@localhost IDENTIFIED BY "radpass";
exit
/usr/share/doc/freeradius/examples/users2mysql.pl
install postgresql
sudo aptitude install -y postgresql-9.1 postgresql-client-9.1 postgresql-contrib-9.1 postgresql-server-dev-9.1- http://blog.sina.com.cn/s/blog_6af33caa0100ypck.html
radius client
- http://wiki.freeradius.org/glossary/RADIUS-Clients
- http://www.serverwatch.com/sreviews/article.php/3935211/5-Free-RADIUS-Testing-and-Monitoring-Tools.htm
openwrt
OpenSSL Heartbleed Fix
sudo add-apt-repository ppa:george-edison55/openssl-heartbleed-fixsudo apt-get updatesudo apt-get install openssl- 修改
/etc/freeradius/radiusd.conf,security字段下allow_vulnerable_openssl = 'CVE-2014-0160' - http://lalitvc.wordpress.com/2014/06/26/freeradius-refusing-to-start-with-libssl-version-openssl-security-advisory-cve-2014-0160/
- 不要升级openssl, 否则libssl版本会不匹配
- http://askubuntu.com/questions/307/how-can-ppas-be-removed
- http://ericrochow.wordpress.com/2012/10/06/how-to-use-freeradius-for-wireless-authentication-with-a-zonedirector/
- http://ckc620.blog.51cto.com/631254/366950
- http://andrewpakpahan.blogspot.com/2012/08/installing-and-configuring-freeradius.html
- http://www.fengzhinan.com/freeradius.html
- http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,26/func,view/id,28581/
freeradius2.1.3 防止用户帐号重复登录, freeradius 2.13以上的版本,我使用的版本是2.25
- 修改
etc/raddb/sites-enabled目录中的default 及inner-tunnel 这两个文件中的
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
#radutmp
#原来使用的是radutmp文档
# See "Simultaneous Use Checking Querie" in sql.conf
sql
#现在采用sql数据库验证
}
- 修改etc/raddb/sql/mysql 目录下的 dialup.conf
# Uncomment simul_count_query to enable simultaneous use checking
把 simul_count_query 这一组前的#号去掉 如下
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
- 进入MYSQL在radgroupcheck添加Simultaneous-Use:=1 命令如下
INSERT INTO `radgroupcheck` ( `id` , `GroupName` , `Attribute` , `op` , `Value` )
VALUES (
NULL , ’user’, ’Simultaneous-Use’, ’:=’, ’1’
);
注意user 为组名,这个改成你自己用的组名