FreeRADIUS 安裝與管理 (FreeRADIUS Installation and Management)
Email: kevin@nchc.org.tw
DATE:2/6/06
Outline: RADIUS; FreeRADIUS installation, configuration and management.
Trust no one: services such as WWW and e-mail, whether they sit on a public or a private network, have to authenticate the users who reach them.
RADIUS #1
RADIUS: Remote Authentication Dial In User Service (the expansion used in RFC 2865).
RADIUS is an AAA protocol:
- Authentication (AuthN): who is the user?
- Authorization (AuthZ): what is the user allowed to do?
- Accounting (Acct): what did the user do, and for how long?
RADIUS runs over UDP. Authentication uses port 1812 and accounting uses port 1813; older RADIUS implementations used ports 1645 and 1646 instead, so check which pair a given NAS expects.
RADIUS #2
RADIUS RFCs:
- RFC 2865: Remote Authentication Dial In User Service (RADIUS)
- RFC 2866: RADIUS Accounting
- RFC 2867: RADIUS Accounting Modifications for Tunnel Protocol Support
- RFC 2868: RADIUS Attributes for Tunnel Protocol Support
- RFC 2869: RADIUS Extensions
RADIUS #3
(Diagram: a RADIUS client, the NAS, sends requests to the RADIUS server; only the box labels survived extraction.)
FreeRADIUS
FreeRADIUS is a free, open-source AAA (RADIUS) server: http://www.freeradius.org
FreeRADIUS supports many authentication methods, including PAP and EAP.
Installing FreeRADIUS from a package
Most Linux distributions ship FreeRADIUS as a binary package: Red Hat Linux and Fedora Linux provide an rpm, and FreeBSD has it in the ports collection.
Where the configuration directory ends up depends on the packaging: a FreeBSD port (like a source build) uses /usr/local/etc/raddb, while the rpm uses /etc/raddb. Keep this in mind when following the paths used in the rest of these notes.
Installing FreeRADIUS from source
Download, unpack and configure FreeRADIUS:
    wget ftp://ftp.freeradius.org/pub/radius/freeradius1.1.0.tar.gz
    tar zxvf freeradius1.1.0.tar.gz
    cd freeradius-1.1.0/; ./configure
(./configure --help lists the build options; the defaults install under /usr/local.)
    make; make install
FreeRADIUS files after a source install
Configuration directory: /usr/local/etc/raddb/
Server log: /usr/local/var/log/radius/radius.log
Accounting records: /usr/local/var/log/radius/radacct/<NAS IP>/detail-<date>
    Example: /usr/local/var/log/radius/radacct/192.168.0.253/detail-20060130
Server daemon: /usr/local/sbin/radiusd
FreeRADIUS configuration files
- radiusd.conf: the main FreeRADIUS configuration (listening address and port, the user the daemon runs as, the modules that are loaded)
- eap.conf: EAP settings
- clients.conf: the NAS/AP devices allowed to talk to this server, and their secrets
- proxy.conf: realms, and which requests are forwarded to other RADIUS servers
- users: local user entries and DEFAULT rules
- snmp.conf: SNMP settings
FreeRADIUS concepts #1: Realm (domain name)
A User-Name such as kevin@nchc.org.tw has two parts: the user name kevin and the realm nchc.org.tw. A realm usually looks like a DNS domain name, but it is just a label that tells the server where the user's account lives.
A User-Name with no realm at all (a plain kevin) belongs to what FreeRADIUS calls the NULL realm.
FreeRADIUS concepts #2: Proxy and secret key
Proxy: a RADIUS server that does not hold the user's account can forward the request to another RADIUS server (it acts as a RADIUS proxy). proxy.conf decides, by realm, where each request goes.
Secret key: every RADIUS client/server pair shares a secret key. The secret itself is never sent on the wire; it is used to hide the User-Password attribute in the request and to authenticate the server's reply, so both sides must be configured with exactly the same value.
#3
Attributes /
RADIUS
User-Name
User-Password
RADIUS
(
)
15
FreeRADIUS request flow #1
1. An Access-Request arrives from a NAS.
2. clients.conf: is the sender a known client with the right secret? Requests from unknown addresses are silently dropped.
3. The realm is taken from the User-Name and looked up in proxy.conf.
4. A realm that proxy.conf points at another server is forwarded to that RADIUS server.
5. A realm that is LOCAL is authenticated here, starting with the users file.
FreeRADIUS request flow #2
radiusd.conf ties the pieces together: Access-Request -> clients.conf (known client?) -> proxy.conf (forward to a RADIUS proxy, or handle locally) -> authenticate against the configured back end: UNIX shadow/passwd, an SQL server, or LDAP.
On success the server sends Access-Accept, optionally carrying reply attributes from the users file such as Session-Timeout and Idle-Timeout; on failure it sends Access-Reject.
FreeRADIUS radiusd.conf
radiusd.conf is the main FreeRADIUS configuration file. The settings that matter most on a first install:
    user = nobody
    group = nobody
    bind_address = *
    port = 0
user/group: the account the daemon runs as after start-up. Run it as the unprivileged nobody; only when radiusd itself must read the UNIX passwd/shadow files (System authentication) does it need root.
bind_address = * listens on every local IP address; use a specific address to restrict where the server is reachable.
port = 0 means the standard ports, 1812 for authentication and 1813 for accounting.
The listen section of radiusd.conf can define additional listening sockets.
FreeRADIUS clients.conf #1
clients.conf lists, by IP address, every device allowed to send requests to this RADIUS server (an access point, a NAS, or another RADIUS server that proxies to us) together with its secret key. Requests from addresses that are not listed are ignored.
FreeRADIUS clients.conf #2
Allow the access point 192.168.0.5 as a RADIUS client with the secret key qqsec:
    client 192.168.0.5 {
        secret    = qqsec
        shortname = my_radius_client_pc
        nastype   = other
    }
A whole IP range can be allowed as a client by giving a prefix, here 192.168.0.0/24 (every host in the range then shares the same secret):
    client 192.168.0.0/24 {
        secret    = qqsec
        shortname = my_radius_clients
        nastype   = other
    }
FreeRADIUS users #1
The users file holds the local user entries. An entry can carry the password itself (Local), or tell FreeRADIUS to check the user against the UNIX password files (System) or against LDAP.
FreeRADIUS users #2
Operators used in the users file (standard users(5) meanings):
- =   add the attribute if it is not already present
- :=  set the attribute, overriding any existing value
- ==  match only if the request attribute equals the value
- !=  match only if the request attribute differs from the value
- =~  match if the request attribute matches the regular expression
- !~  match if the request attribute does not match the regular expression
FreeRADIUS users #3
DEFAULT entries apply to any user that reaches them; the users file shipped with FreeRADIUS ends with DEFAULT entries such as Auth-Type := System.
FreeRADIUS processes the users file from top to bottom and stops at the first matching entry, unless that entry's reply items contain Fall-Through = Yes, in which case it keeps going and later entries (including the DEFAULT ones) can add to or override what was set. Be careful with Fall-Through: an entry that falls through into DEFAULT Auth-Type := System is authenticated against UNIX, not by the entry's own password.
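A small evaluator for the users file, showing how the operators, DEFAULT entries and Fall-Through combine. This is an added example, not code from the slides or from FreeRADIUS; the users file text and the requests are constructed for it, and the operator semantics follow the users(5) conventions listed above. It deliberately reproduces the Fall-Through trap: kevin's entry falls through into DEFAULT Auth-Type := System.

```python
"""Added example (not part of the original slides): a small evaluator for the
users file to show how the operators, DEFAULT entries and Fall-Through
combine. The users file text below is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# One item: Attribute <op> Value, value either "quoted" or bare; a trailing comma is tolerated.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=~|!~|=)\s*("[^"]*"|[^,\s]+)\s*,?')

USERS = """\
kevin   Cleartext-Password := "pwd123", NAS-IP-Address == 192.168.0.5
        Session-Timeout = 3600,
        Fall-Through = Yes

DEFAULT User-Name =~ "^guest", Auth-Type := Reject
        Reply-Message = "guest accounts are disabled"

DEFAULT Auth-Type := System
        Idle-Timeout = 600,
        Session-Timeout = 1800
"""

Item = Tuple[str, str, str]


def parse_items(text: str) -> List[Item]:
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text: str) -> List[dict]:
    """An entry starts in column 1 (name + check items); indented lines are its reply items."""
    entries: List[dict] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1]["reply"] += parse_items(line)
        else:
            name, rest = re.match(r"(\S+)\s*(.*)", line).groups()
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries


def check_passes(attr: str, op: str, value: str, request: Dict[str, str]) -> bool:
    """==, !=, =~, !~ compare against the request; = and := are assignments and never fail."""
    actual = request.get(attr)
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return actual is not None and re.search(value, actual) is not None
    if op == "!~":
        return actual is None or re.search(value, actual) is None
    return True


def lookup(entries: List[dict], request: Dict[str, str]):
    """Walk the entries in file order; stop at the first match unless it says Fall-Through = Yes."""
    control: Dict[str, str] = {}   # items such as Auth-Type / Cleartext-Password that steer authentication
    reply: Dict[str, str] = {}     # attributes sent back in the Access-Accept
    matched: List[str] = []
    for e in entries:
        if e["name"] != "DEFAULT" and e["name"] != request.get("User-Name"):
            continue
        if not all(check_passes(a, op, v, request) for a, op, v in e["check"]):
            continue
        matched.append(e["name"])
        for a, op, v in e["check"]:
            if op == ":=" or (op == "=" and a not in control):   # := overrides, = only fills a gap
                control[a] = v
        fall_through = False
        for a, op, v in e["reply"]:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            elif op == ":=" or (op == "=" and a not in reply):
                reply[a] = v
        if not fall_through:
            break
    return control, reply, matched


if __name__ == "__main__":
    entries = parse_users(USERS)
    print(lookup(entries, {"User-Name": "kevin", "NAS-IP-Address": "192.168.0.5"}))
```

For kevin coming from 192.168.0.5 the result is Cleartext-Password from his own entry plus Auth-Type := System from the last DEFAULT, and his Session-Timeout = 3600 survives because the DEFAULT's Session-Timeout uses = rather than :=. The same user from another NAS fails the == check and gets only the DEFAULT treatment; a guest account is stopped by the middle entry and never reaches the System DEFAULT.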
FreeRADIUS proxy.conf #4
proxy.conf defines the realms. Each realm stanza says whether requests for that realm are authenticated on this server (LOCAL) or forwarded to another RADIUS server, and with which secret; when several servers serve one realm, a load-distribution flag (ldflag) selects how they are used.
proxy.conf #5
Realm
domain name
kevin@nchc.org.tw realm nchc.org.tw
UNIX
wifi.nchc.org.tw
kevin@wifi.nchc.org.tw
CAMPUS_WLAN
kevin@CAMPUS_WLAN
SQL users
FreeRADIUS proxy.conf #6
How a realm is matched: FreeRADIUS splits the User-Name at the "@", so kevin@nchc.org.tw gives user kevin and realm nchc.org.tw, and looks the realm up in proxy.conf. A realm with a LOCAL stanza is handled on this server; a realm whose stanza names another RADIUS server is forwarded there; a User-Name without a realm goes to the NULL realm. If proxy.conf has no stanza for the realm (and no DEFAULT realm), FreeRADIUS has nowhere to send the request.
FreeRADIUS proxy.conf #7: nostrip
By default FreeRADIUS strips the realm from the User-Name before authenticating or forwarding: kevin@nchc.org.tw becomes kevin. With nostrip in the realm stanza the full User-Name is kept, which is what a remote RADIUS server needs when it has to do its own realm lookup on the forwarded request. Choose strip or nostrip per realm according to what the server on the other end expects.
FreeRADIUS proxy.conf #8
The NULL realm (User-Names without a realm), handled locally:
    realm NULL {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
    }
A LOCAL realm needs no secret. The same realm forwarded to a RADIUS server at 192.168.0.10 that still uses the old ports 1645/1646:
    realm NULL {
        type     = radius
        authhost = 192.168.0.10:1645
        accthost = 192.168.0.10:1646
        secret   = dontshowit
    }
FreeRADIUS proxy.conf #9
Realm wifi.nchc.org.tw handled locally:
    realm wifi.nchc.org.tw {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
    }
Realm wifi.nchc.org.tw forwarded to the RADIUS server 192.168.0.7:1812:
    realm wifi.nchc.org.tw {
        type     = radius
        authhost = 192.168.0.7:1812
        accthost = 192.168.0.7:1813
        secret   = donttellanyone
    }
FreeRADIUS proxy.conf #10
(A stanza fragment whose realm name did not survive extraction: type = radius, authhost = 192.168.0.7:1812, accthost = 192.168.0.7:1813, secret = reallysecret.)
The DEFAULT realm catches every realm that has no stanza of its own. Here all such requests are forwarded, with the full User-Name (nostrip), to 192.168.0.99:1812:
    realm DEFAULT {
        type     = radius
        authhost = 192.168.0.99:1812
        accthost = 192.168.0.99:1813
        secret   = aloha3#5
        nostrip
    }
FreeRADIUS proxy.conf #11: fail_over
A realm can be served by two servers. With fail_over, requests for wifi.home go to isp1.com; only when isp1.com stops answering (the server is marked dead) are they sent to isp2.com. The realm is defined once per server, and the flags once more for the realm as a whole:
    realm wifi.home {
        type     = radius
        authhost = isp1.com:1812
        accthost = isp1.com:1813
        secret   = sweetheart
    }
    realm wifi.home {
        type     = radius
        authhost = isp2.com:1812
        accthost = isp2.com:1813
        secret   = heartsweet
        nostrip
    }
    realm wifi.home {
        nostrip
        fail_over
    }
FreeRADIUS proxy.conf #12: round_robin
The same two servers, but with round_robin the requests are spread alternately over isp1.com and isp2.com:
    realm wifi.home {
        type     = radius
        authhost = isp1.com:1812
        accthost = isp1.com:1813
        secret   = sweetheart
    }
    realm wifi.home {
        type     = radius
        authhost = isp2.com:1812
        accthost = isp2.com:1813
        secret   = heartsweet
        nostrip
    }
    realm wifi.home {
        nostrip
        round_robin
    }
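The realm lookup described in proxy.conf #6 through #12, as an added example that is not code from the slides or from FreeRADIUS. The realm table holds the stanzas from the preceding slides (NULL, wifi.nchc.org.tw, wifi.home with isp1.com/isp2.com, DEFAULT) in a Python dict; the Router class, the dead-server set and the dict layout are constructed for the example, and the "split at the last @" rule is an assumption about suffix-format realms.

```python
"""Added example (not from the original slides): how the proxy.conf realm
lookup decides where a request goes. The realm table mirrors the stanzas on
the preceding slides; the Router class, the set of dead servers and the dict
layout are constructed for this example.
"""
import copy
from typing import Dict, Iterable, Optional, Tuple

REALMS = {
    "NULL": {"servers": [{"authhost": "LOCAL", "accthost": "LOCAL"}]},
    "wifi.nchc.org.tw": {"servers": [
        {"authhost": "192.168.0.7:1812", "accthost": "192.168.0.7:1813", "secret": "donttellanyone"}]},
    "wifi.home": {"nostrip": True, "ldflag": "fail_over", "servers": [
        {"authhost": "isp1.com:1812", "accthost": "isp1.com:1813", "secret": "sweetheart"},
        {"authhost": "isp2.com:1812", "accthost": "isp2.com:1813", "secret": "heartsweet"}]},
    "DEFAULT": {"nostrip": True, "servers": [
        {"authhost": "192.168.0.99:1812", "accthost": "192.168.0.99:1813", "secret": "aloha3#5"}]},
}


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split at the last '@' (assumed suffix format). No '@' at all means the NULL realm."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, None)


class Router:
    def __init__(self, realms: Dict[str, dict], dead: Iterable[str] = ()):
        self.realms = realms
        self.dead = set(dead)          # authhosts the proxy has marked dead (not answering)
        self.rr: Dict[str, int] = {}   # round_robin position per realm

    def route(self, user_name: str) -> dict:
        user, realm = split_realm(user_name)
        wanted = "NULL" if realm is None else realm
        name = wanted if wanted in self.realms else "DEFAULT"
        stanza = self.realms.get(name)
        if stanza is None:
            return {"action": "reject", "reason": f"no stanza for realm {wanted!r} and no DEFAULT"}
        sent = user_name if stanza.get("nostrip") else user     # stripping the realm is the default
        servers = stanza["servers"]
        if servers[0]["authhost"] == "LOCAL":
            return {"action": "local", "realm": name, "user_name": sent}
        alive = [s for s in servers if s["authhost"] not in self.dead]
        if not alive:
            return {"action": "reject", "reason": f"all servers for realm {name} are dead"}
        if stanza.get("ldflag") == "round_robin":
            i = self.rr.get(name, 0)
            server, self.rr[name] = alive[i % len(alive)], i + 1
        else:                                   # fail_over: first live server in the order written
            server = alive[0]
        return {"action": "proxy", "realm": name, "user_name": sent,
                "authhost": server["authhost"], "accthost": server["accthost"], "secret": server["secret"]}


def with_round_robin(realms: Dict[str, dict], realm: str) -> Dict[str, dict]:
    """Copy of the table with one realm switched from fail_over to round_robin."""
    table = copy.deepcopy(realms)
    table[realm]["ldflag"] = "round_robin"
    return table


if __name__ == "__main__":
    router = Router(REALMS, dead={"isp1.com:1812"})
    for name in ("kevin", "kevin@nchc.org.tw", "kevin@wifi.nchc.org.tw", "kevin@wifi.home"):
        print(name, "->", router.route(name))
```

Two things worth seeing in the output: a realm with no stanza (nchc.org.tw) lands in DEFAULT and is forwarded with the realm still attached because DEFAULT has nostrip, while wifi.nchc.org.tw is forwarded as plain kevin; and when every server of a realm is dead the request cannot be proxied at all, so a realm you depend on needs either a second server or a LOCAL fallback.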
FreeRADIUS snmp #1
FreeRADIUS can publish RADIUS server statistics over SNMP. The 1.x SNMP code was written against UCD-SNMP; NET-SNMP is the successor of UCD-SNMP and works only through its UCD compatibility layer, hence the defines below.
1) Install UCD-SNMP (or NET-SNMP) from the operating system: FreeBSD ports, Debian Linux packages, Red Hat / Fedora rpms.
2) Run ./configure, then edit Make.inc before building:
    add to CFLAGS:  -DWITH_SNMP -DUCD_COMPATIBLE -DHAVE_UCD_SNMP_ASN1_SNMP_SNMPIMPL_H
    SNMP_LIB = -lsnmp -lssl
    make; make install
FreeRADIUS snmp #2
1) Edit /usr/local/etc/raddb/snmp.conf. The shipped file contains the commented line
    #smux_password = verysecret
Uncomment it and replace verysecret with the password the SNMP daemon will be given for this SMUX peer:
    smux_password = my_snmp_secret
2) Edit /etc/snmp/snmpd.conf:
    rocommunity public
    smuxpeer .1.3.6.1.4.1.3317.1.3.1 my_snmp_secret
The smuxpeer password must match smux_password in snmp.conf. Note that rocommunity public lets anyone who can reach the snmpd port read the statistics; restrict it to the monitoring host if snmpd is reachable from outside the management network.
FreeRADIUS snmp #3
Check the result with snmpwalk or snmpget. The RADIUS MIB files are in the mibs/ directory of the FreeRADIUS source tree. Combining an ICMP ping with an snmpget of a RADIUS counter gives a simple liveness check for FreeRADIUS itself, not just for the host.
FreeRADIUS start and test #1
Start the server as a daemon (normal operation):
    /usr/local/sbin/radiusd
Start it in the foreground with debugging output (use this while configuring):
    /usr/local/sbin/radiusd -X
Test FreeRADIUS with radtest, which sends an Access-Request (the 0 is the NAS-Port value):
    radtest <username> <password> <server IP>:<port> 0 <secret>
If authentication is done against the UNIX password files, radiusd must be running as root to read them.
FreeRADIUS start and test #2
If the test gets no answer, first check that the IP address the test is sent from is listed in clients.conf with the same secret.
FreeRADIUS accounting reports
The Accounting attributes in the radacct detail files (session start/stop, session time, octets) can be turned into usage reports with third-party tools, for example:
http://www.shenton.org/~chris/nasa-hq/dialup/radius/
http://www.pgregg.com/projects/radiusreport/index.php
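What such a report tool does with the radacct detail files, as an added example rather than code from the slides or from either of the tools linked above. The detail text is constructed for the example in the format radiusd writes (a timestamp line, tab-indented Attribute = Value lines, a blank line between records); the NAS address 192.168.0.253 is the one used in the slides, the user names and counters are made up.

```python
"""Added example (not from the original slides): parse radacct detail files
and produce a per-user usage report, pairing Start and Stop records and
flagging sessions that never got a Stop. The DETAIL text is constructed.
"""
from typing import Dict, List, Tuple

DETAIL = """\
Mon Jan 30 10:15:02 2006
\tAcct-Status-Type = Start
\tUser-Name = "kevin"
\tNAS-IP-Address = 192.168.0.253
\tAcct-Session-Id = "0001"
\tCalling-Station-Id = "00-11-22-33-44-55"

Mon Jan 30 10:45:02 2006
\tAcct-Status-Type = Stop
\tUser-Name = "kevin"
\tNAS-IP-Address = 192.168.0.253
\tAcct-Session-Id = "0001"
\tAcct-Session-Time = 1800
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 5242880
\tAcct-Terminate-Cause = User-Request

Mon Jan 30 11:00:00 2006
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tNAS-IP-Address = 192.168.0.253
\tAcct-Session-Id = "0002"

Mon Jan 30 12:00:00 2006
\tAcct-Status-Type = Start
\tUser-Name = "kevin"
\tNAS-IP-Address = 192.168.0.253
\tAcct-Session-Id = "0003"

Mon Jan 30 12:10:00 2006
\tAcct-Status-Type = Stop
\tUser-Name = "kevin"
\tNAS-IP-Address = 192.168.0.253
\tAcct-Session-Id = "0003"
\tAcct-Session-Time = 600
\tAcct-Input-Octets = 4096
\tAcct-Output-Octets = 8192
\tAcct-Terminate-Cause = Idle-Timeout
"""

Record = Dict[str, str]
SessionKey = Tuple[str, str]


def parse_detail(text: str) -> List[Record]:
    """One record per timestamp header; attribute lines are indented 'Name = Value'."""
    records: List[Record] = []
    current: Record = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line[0].isspace():          # unindented line: the time radiusd wrote the record
            if current:
                records.append(current)
            current = {"_written": line.strip()}
        else:
            name, sep, value = line.strip().partition(" = ")
            if not sep or not current:
                raise ValueError(f"malformed detail line: {line!r}")
            current[name] = value.strip('"')
    if current:
        records.append(current)
    return records


def session_report(records: List[Record]):
    """Pair Start/Stop by (NAS-IP-Address, Acct-Session-Id); sum the Stop counters per user."""
    sessions: Dict[SessionKey, dict] = {}
    for r in records:
        key = (r.get("NAS-IP-Address", ""), r.get("Acct-Session-Id", ""))
        s = sessions.setdefault(key, {"user": r.get("User-Name", ""), "start": None, "stop": None})
        status = r.get("Acct-Status-Type")
        if status == "Start":
            s["start"] = r
        elif status == "Stop":
            s["stop"] = r                    # Interim-Update and other types are ignored here
    per_user: Dict[str, dict] = {}
    open_sessions: List[SessionKey] = []    # Start seen, no Stop: still on line, or the Stop was lost
    for key, s in sessions.items():
        if s["stop"] is None:
            open_sessions.append(key)
            continue
        u = per_user.setdefault(s["user"], {"sessions": 0, "seconds": 0, "in_octets": 0, "out_octets": 0})
        u["sessions"] += 1
        u["seconds"] += int(s["stop"].get("Acct-Session-Time", 0))
        u["in_octets"] += int(s["stop"].get("Acct-Input-Octets", 0))
        u["out_octets"] += int(s["stop"].get("Acct-Output-Octets", 0))
    return per_user, open_sessions


if __name__ == "__main__":
    print(session_report(parse_detail(DETAIL)))
```

Sessions are keyed on the NAS address plus Acct-Session-Id rather than on the user name, because one user can have several sessions and session IDs are only unique per NAS. A Start with no matching Stop is reported separately instead of being silently dropped: it is either a live session or a lost accounting packet (UDP), and both are worth knowing about before billing on these numbers.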
FreeRADIUS radrelay
radrelay replays the accounting records in a detail file to another FreeRADIUS server (for example to copy accounting from a proxy to a central server after an outage). To send detail-20060202 to the server 192.168.0.20 using the secret ip312:
    radrelay -s ip312 -r 192.168.0.20 detail-20060202
See man 1 radrelay for the other options.
FreeRADIUS setup summary
1. Install FreeRADIUS (package or source).
2. Edit radiusd.conf (enable the LDAP or SQL modules if those back ends are used).
3. Edit proxy.conf: define the realms, each either LOCAL or forwarded to another server.
4. Edit users.
5. Start radiusd.
6. Test: radtest acc_test pwd123 127.0.0.1 0 testing123
FreeRADIUS case #1
A school (domain mo.edu.tw) keeps its UNIX accounts on mail.mo.edu.tw.
Install FreeRADIUS on mail.mo.edu.tw.
proxy.conf: define the NULL realm and the mail.mo.edu.tw realm, both LOCAL.
clients.conf: add the IP addresses (and secrets) of the access points.
users: DEFAULT Auth-Type := System
FreeRADIUS case #2
The access points are managed from c.mo.edu.tw, but the user accounts (LDAP or UNIX) live on a.mo.edu.tw and b.mo.edu.tw.
Install FreeRADIUS on all three hosts a, b and c.
a and b, clients.conf: add the IP address and secret key of c.mo.edu.tw.
a and b, proxy.conf: define their own realm as LOCAL.
c, clients.conf: add the IP addresses and secret keys of the access points.
c, proxy.conf: realm a.mo.edu.tw is proxied to a.mo.edu.tw, realm b.mo.edu.tw is proxied to b.mo.edu.tw.
References
- http://www.freeradius.org/
- http://wlanrc.nchc.org.tw
- http://www-128.ibm.com/developerworks/tw/library/l-radius/
- http://wiki.freeradius.org/index.php/RADIUS
- http://www.linuxjournal.com/article/8017
- http://www.linuxjournal.com/article/8095
- http://www.linuxjournal.com/article/8151