Akagi201
7/18/2014 - 6:02 AM

freeradius.md

FreeRADIUS includes: the RADIUS server (radiusd), a client library (radiusclient-ng), a PAM library and an Apache module.

The FreeRADIUS server ships with a PHP administration page, dialupadmin: http://freeradius.org/dialupadmin.html

FreeRADIUS 3 adds RADIUS over TLS (RadSec) and a completely rewritten rlm_ldap module.

gentoo

  • net-dialup/freeradius

Official site

Repo

Refs

install

```
policy {
$INCLUDE sites-enabled/
}
```

install on gentoo

  • add '=net-dialup/freeradius-3.0.3 **' to package.accept_keywords
  • sudo emerge freeradius
  • switch to root for the following steps
  • cd /etc/raddb/certs
  • make
  • download the wpa_supplicant source, install libnl, and build eapol_test
  • http://en.it-usenet.org/thread/18494/14356/
akgentoo raddb # cd /etc/raddb/certs/
akgentoo certs #
akgentoo certs # make
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................+.........+.....................+.................+....................................+.............................................................................+......................................................................................................+........+..................................+..................................................+......................................................+................................................................................+.....++*++*++*
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
........................+++
.............+++
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
    -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
......................................................+++
..............................................................+++
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  3 13:40:42 2014 GMT
            Not After : Oct  2 13:40:42 2014 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = Example Server Certificate
            emailAddress              = admin@example.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://www.example.com/example_ca.crl

Certificate is to be certified until Oct  2 13:40:42 2014 GMT (60 days)

Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
server.pem: OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
........................+++
..................................+++
writing new private key to 'client.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Aug  3 13:40:42 2014 GMT
            Not After : Oct  2 13:40:42 2014 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = user@example.com
            emailAddress              = user@example.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://www.example.com/example_ca.crl

Certificate is to be certified until Oct  2 13:40:42 2014 GMT (60 days)

Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
cp client.pem `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`.pem

mysql

```
mysql -uroot -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO akagi201@localhost IDENTIFIED BY "radpass";
exit
```

/usr/share/doc/freeradius/examples/users2mysql.pl

install postgresql

radius client

openwrt

OpenSSL Heartbleed Fix

FreeRADIUS 2.1.3: preventing a user account from logging in more than once at the same time. This applies to FreeRADIUS versions 2.13 and above; the version I am using is 2.25.

  1. Edit the default and inner-tunnel files in the etc/raddb/sites-enabled directory; in both, change the session section as follows:
```
#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
        #radutmp
        # previously the radutmp file was used
        #  See "Simultaneous Use Checking Querie" in sql.conf
        sql
        # now the SQL database is used for the check
}
```
  2. Edit dialup.conf in the etc/raddb/sql/mysql directory: remove the leading # from the simul_count_query group so that it reads as follows:
```
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
                            FROM ${acct_table1} \
                            WHERE username = '%{SQL-User-Name}' \
                             AND acctstoptime IS NULL"
```
  3. In MySQL, add Simultaneous-Use := 1 to radgroupcheck; the command is as follows:
```
INSERT INTO `radgroupcheck` ( `id` , `GroupName` , `Attribute` , `op` , `Value` )
VALUES (
NULL , 'user', 'Simultaneous-Use', ':=', '1'
);
```

Note: user here is the group name; change it to the group name you actually use.
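The three steps above wire rlm_sql's Simultaneous-Use check to the accounting table: the server runs simul_count_query to count rows whose acctstoptime is still NULL, and rejects the Access-Request when that count has already reached the user's Simultaneous-Use value. The example below is added here and is not part of these notes or of FreeRADIUS; it replays that logic against an in-memory SQLite copy of the radacct, radusergroup and radgroupcheck tables (the column subset the check touches, with constructed sample rows). Two points it makes visible: %{SQL-User-Name} in the real query is the escaped form of User-Name, which is why the example uses a bound parameter rather than string formatting, and a session whose Accounting-Stop was lost stays "open" forever and is counted like a live one, so a stale-row check belongs next to this feature.

```python
"""Simultaneous-Use check as rlm_sql performs it, replayed on SQLite.

Added example: tables and sample rows are constructed here and mirror only
the columns of the FreeRADIUS MySQL schema that the check reads.
"""
import sqlite3
from typing import List, Optional

# The page's simul_count_query with ${acct_table1} = radacct and the
# %{SQL-User-Name} expansion replaced by a bound parameter.
SIMUL_COUNT_QUERY = """SELECT COUNT(*)
    FROM radacct
    WHERE username = ?
     AND acctstoptime IS NULL"""


def build_sample_db() -> sqlite3.Connection:
    """Create the three tables and load constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY,
        acctsessionid TEXT, username TEXT, nasipaddress TEXT,
        acctstarttime TEXT, acctstoptime TEXT);
    CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
    CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
        attribute TEXT, op TEXT, value TEXT);
    """)
    # Constructed accounting rows: alice has one live session; bob has one
    # closed session plus one row whose Accounting-Stop never arrived
    # (stale, but indistinguishable from a live session in SQL).
    conn.executemany("INSERT INTO radacct VALUES (NULL,?,?,?,?,?)", [
        ("s1", "alice", "192.0.2.10", "2014-08-03 13:40:42", None),
        ("s2", "bob", "192.0.2.10", "2014-08-03 10:00:00", "2014-08-03 11:00:00"),
        ("s3", "bob", "192.0.2.11", "2014-08-01 09:00:00", None),
    ])
    conn.executemany("INSERT INTO radusergroup VALUES (?,?,?)",
                     [("alice", "user", 1), ("bob", "user", 1)])
    # The page's INSERT: Simultaneous-Use := 1 for the group named 'user'.
    conn.execute("INSERT INTO radgroupcheck VALUES "
                 "(NULL, 'user', 'Simultaneous-Use', ':=', '1')")
    conn.commit()
    return conn


def open_session_count(conn: sqlite3.Connection, username: str) -> int:
    """Number of accounting rows still open for the user (simul_count_query)."""
    return conn.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def simultaneous_use_limit(conn: sqlite3.Connection, username: str) -> Optional[int]:
    """Simultaneous-Use value from radgroupcheck via the user's groups, or None."""
    row = conn.execute("""
        SELECT c.value FROM radusergroup u
        JOIN radgroupcheck c ON c.groupname = u.groupname
        WHERE u.username = ? AND c.attribute = 'Simultaneous-Use'
        ORDER BY u.priority LIMIT 1""", (username,)).fetchone()
    return int(row[0]) if row else None


def would_reject(conn: sqlite3.Connection, username: str) -> bool:
    """True when a new login would exceed the user's Simultaneous-Use limit."""
    limit = simultaneous_use_limit(conn, username)
    if limit is None or limit <= 0:
        return False  # no limit configured for this user
    return open_session_count(conn, username) >= limit


def stale_open_sessions(conn: sqlite3.Connection, started_before: str) -> List[str]:
    """Session ids still open but started before the cutoff: candidates for
    a lost Accounting-Stop, which would block the user under Simultaneous-Use."""
    rows = conn.execute("""
        SELECT acctsessionid FROM radacct
        WHERE acctstoptime IS NULL AND acctstarttime < ?
        ORDER BY acctstarttime""", (started_before,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for user in ("alice", "bob", "carol"):
        print(user, "open:", open_session_count(db, user),
              "limit:", simultaneous_use_limit(db, user),
              "reject:", would_reject(db, user))
    print("stale:", stale_open_sessions(db, "2014-08-03 00:00:00"))
```

With the sample data both alice and bob are rejected although bob's only open row is stale; FreeRADIUS can follow the count with a NAS query (simul_verify_query together with checkrad) before deciding, and without that step a periodic stale-row sweep is what keeps the limit from locking users out.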