FreeRADIUS包括: RADIUS server(radiusd), client library(radiusclient-ng), PAM library, Apache module
FreeRADIUS server包含一个php管理页面dialupadmin: http://freeradius.org/dialupadmin.html
FreeRADIUS 3 包含了 RADIUS over TLS (RadSec) 以及完全重写的 rlm_ldap module.
net-dialup/freeradius
# Ubuntu: install FreeRADIUS 3.0 from the project's own PPA.
sudo add-apt-repository ppa:freeradius/stable-3.0
sudo apt-get update
sudo apt-get install freeradius
# Hand the config and log trees to the freerad group, then add the admin user
# to that group.
# NOTE(review): group membership can expose everything under /etc/freeradius/,
# which typically holds shared secrets and TLS keys -- keep membership minimal.
sudo chown -R :freerad /etc/freeradius/ /var/log/freeradius/
sudo usermod -a -G freerad akagi201
# SQL backend module, MySQL client tools and a RADIUS test client.
sudo aptitude install freeradius-mysql
sudo aptitude install mysql-client
sudo aptitude install radiusclient1
# Enable the sql module by symlinking it into mods-enabled/
# (paths are relative to the FreeRADIUS config directory).
cd mods-enabled/
ln -s ../mods-available/sql ./
# NOTE(review): in the stock FreeRADIUS 3 radiusd.conf the policy { } block
# $INCLUDEs policy.d/ and sites-enabled/ is $INCLUDEd at top level -- confirm
# this placement is intended before relying on it.
policy {
$INCLUDE sites-enabled/
}
add '=net-dialup/freeradius-3.0.3 **' to package.accept_keywords
# Gentoo: build FreeRADIUS, then generate the bootstrap test certificates.
sudo emerge freeradius
cd /etc/raddb/certs
make
# NOTE(review): the transcript below shows this Makefile producing a 1024-bit
# DH group and 60-day "Example Inc." certificates from the shipped
# ca.cnf/server.cnf/client.cnf; those files are meant to be edited before
# generating anything used outside a test setup.
wpa_supplicant 源码: 安装 libnl, 编译 eapol_test
akgentoo raddb # cd /etc/raddb/certs/
akgentoo certs #
akgentoo certs # make
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................+.........+.....................+.................+....................................+.............................................................................+......................................................................................................+........+..................................+..................................................+......................................................+................................................................................+.....++*++*++*
openssl req -new -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
........................+++
.............+++
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
......................................................+++
..............................................................+++
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 3 13:40:42 2014 GMT
Not After : Oct 2 13:40:42 2014 GMT
Subject:
countryName = FR
stateOrProvinceName = Radius
organizationName = Example Inc.
commonName = Example Server Certificate
emailAddress = admin@example.com
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.example.com/example_ca.crl
Certificate is to be certified until Oct 2 13:40:42 2014 GMT (60 days)
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
server.pem: OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
........................+++
..................................+++
writing new private key to 'client.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 3 13:40:42 2014 GMT
Not After : Oct 2 13:40:42 2014 GMT
Subject:
countryName = FR
stateOrProvinceName = Radius
organizationName = Example Inc.
commonName = user@example.com
emailAddress = user@example.com
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.example.com/example_ca.crl
Certificate is to be certified until Oct 2 13:40:42 2014 GMT (60 days)
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
cp client.pem `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`.pem
mysql -uroot -p
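-- Database and account used by rlm_sql (MySQL/MariaDB).
CREATE DATABASE radius;
-- CREATE USER + GRANT instead of GRANT ... IDENTIFIED BY: that form is
-- deprecated in MySQL 5.7 and removed in 8.0. Single quotes for the string
-- literal so the statement also parses under ANSI_QUOTES.
-- 'radpass' is the value from these notes; replace it with a real secret
-- (the same one configured for the sql module) before use.
CREATE USER 'akagi201'@'localhost' IDENTIFIED BY 'radpass';
-- ALL is convenient for loading the schema; consider narrowing the running
-- server's account to SELECT, INSERT, UPDATE, DELETE afterwards.
GRANT ALL ON radius.* TO 'akagi201'@'localhost';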
exit
# Helper script shipped with the package; presumably imports a flat users file
# into the SQL tables -- check its header before running.
/usr/share/doc/freeradius/examples/users2mysql.pl
# Optional PostgreSQL backend (9.1 packages).
sudo aptitude install -y postgresql-9.1 postgresql-client-9.1 postgresql-contrib-9.1 postgresql-server-dev-9.1
# Patched OpenSSL for CVE-2014-0160 (Heartbleed) from a personal PPA.
# NOTE(review): a personal PPA sits outside the distribution's update channel;
# the distribution's own security update for this CVE is the safer source when
# it is available.
sudo add-apt-repository ppa:george-edison55/openssl-heartbleed-fix
sudo apt-get update
sudo apt-get install openssl
在 /etc/freeradius/radiusd.conf 的 security 段下设置 allow_vulnerable_openssl = 'CVE-2014-0160'
(radiusd 启动时按 OpenSSL 版本号判断是否受该 CVE 影响, 发行版打补丁后版本号通常不变, 因此需要此设置声明已修复; 应在上面的 openssl 更新完成后再开启.)
/etc/raddb/sites-enabled 目录中的 default 及 inner-tunnel 这两个文件中:
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
# radutmp was the original session store; it is replaced by the sql module below.
#radutmp
# See "Simultaneous Use Checking Queries" in sql.conf
sql
# Simultaneous-Use is now checked against the SQL accounting data.
}
# Uncomment simul_count_query to enable simultaneous use checking
把 simul_count_query 这一组前的 # 号去掉, 如下:
# Counts the user's accounting sessions that have not been closed; a non-zero
# result means the user is already online. %{SQL-User-Name} is the sql
# module's escaped copy of User-Name -- keep it rather than %{User-Name} so a
# crafted username cannot alter the query.
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
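-- Limit members of the group to one concurrent session (Simultaneous-Use := 1).
-- Fixes: the typographic quotes (’…’) in the original are not valid SQL string
-- delimiters, and id is left to the table's presumed auto-increment (as in the
-- shipped schema) instead of being inserted as NULL. Column names follow the
-- FreeRADIUS schema.
-- 'user' is the group name from these notes; replace it with your own group.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('user', 'Simultaneous-Use', ':=', '1');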
注意 'user' 为组名, 请改成你自己使用的组名.