
FreeRADIUS

Email: kevin@nchc.org.tw

DATE:2/6/06


RADIUS
FreeRADIUS
FreeRADIUS
FreeRADIUS


Trust no one.

WWW
E-mail

(public) (private)

RADIUS #1
RADIUS / Remote Access Dial-in User Service

RADIUS AAA

Authentication/ (AuthN)

Authorization/ (AuthZ)

Accounting/ (Acct)

RADIUS
UDP port 1812 port 1813
RADIUS port 1645 1646

RADIUS #2
RADIUS RFCs
RFC2865
Remote Authentication Dial In User Service (RADIUS)

RFC2866
RADIUS Accounting

RFC2867
RADIUS Accounting Modifications for Tunnel Protocol
Support

RFC2868
RADIUS Attributes for Tunnel Protocol Support

RFC2869
RADIUS Extensions

RADIUS #3
RADIUS

RADIUS
Server

RADIUS

FreeRADIUS

Open Source RADIUS

Linux FreeBSD NetBSD Solaris


UNIX LDAP SQL Server
PAP EAP CHAP MS-CHAP

AAA

http://www.freeradius.org

FreeRADIUS

PAP (Password Authentication Protocol)

CHAP (Challenge Handshake Authentication Protocol)

PAP

EAP (Extensible Authentication Protocol)

EAP

FreeRADIUS

package
Linux FreeRADIUS
binary
Red-Hat Linux Fedora Linux rpm
FreeBSD ports

FreeRADIUS

package FreeRADIUS

FreeRADIUS
/usr/local/etc/raddb
/etc/raddb

FreeRADIUS

wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.1.0.tar.gz

tar xzvf freeradius-1.1.0.tar.gz

FreeRADIUS
cd freeradius-1.1.0/;./configure
configure

make;make install
/usr/local

FreeRADIUS

/usr/local/etc/raddb/

/usr/local/var/log/radius/radius.log

Accounting
/usr/local/var/log/radius/radacct/<NAS IP >/detail-

/usr/local/var/log/radius/radacct/192.168.0.253/detail-20060130

/usr/local/sbin/radiusd

FreeRADIUS

radiusd.conf
FreeRADIUS

eap.conf
EAP

clients.conf

proxy.conf

users

snmp.conf
SNMP

FreeRADIUS
#1
Realm/
Domain Name
kevin@nchc.org.tw
(username): kevin
(realm name): nchc.org.tw

kevin
: kevin
: ( FreeRADIUS NULL )

Realm
Domain Name


FreeRADIUS
#2
Proxy/
RADIUS
RADIUS Proxy
RADIUS

proxy realm

Secret Key/
secret key RADIUS

secret key

FreeRADIUS secret key



FreeRADIUS
#3
Attributes /
RADIUS

User-Name
User-Password

RADIUS


FreeRADIUS
#1

UDP port 1812/1813


radiusd.conf

(Access-Request)
clients.conf

(Realm)
proxy.conf
realm

proxy.conf

realm

users
users


FreeRADIUS
#2

radiusd.conf

Access-Request

clients.conf

(RADIUS Proxy)

proxy.conf

UNIX shadow/passwd
SQL Server
LDAP

Access-Accept

Session-Timeout
users
Idle-Timeout

Access-Reject


FreeRADIUS
radiusd.conf
radiusd.conf FreeRADIUS

user = nobody

nobody

group = nobody

nobody

( ) root UNIX
root

bind_address = *

* IP

port = 0

0 1812/1813

listen

radiusd.conf

FreeRADIUS
clients.conf #1
clients.conf IP

client <IP Address> {
    secret    = <Secret Key>
    shortname = < >
    nastype   = <NAS >
}

IP clients.conf
RADIUS Server RADIUS
RADIUS Access Point
RADIUS


FreeRADIUS
clients.conf #2

192.168.0.5 RADIUS AP
RADIUS client qqsec
(secret key)
client 192.168.0.5 {
    secret    = qqsec
    shortname = my_radius_client_pc
    nastype   = other
}

IP client 192.168.0.0/24

client 192.168.0.0/24 {
    secret    = qqsec
    shortname = my_radius_clients
    nastype   = other
}

FreeRADIUS
users #1
users

UNIX

DEFAULT Auth-Type = System

users

DEFAULT Auth-Type = Local

LDAP

DEFAULT Auth-Type = LDAP

Local

< > Auth-Type := Local, < >

kevin Auth-Type := Local, User-Password == "pwd123"


kevin pwd123

kevin Auth-Type := Local, Client-IP-Address == "127.0.0.1", User-Password == "pwd123"


kevin 127.0.0.1 pwd123


FreeRADIUS
users #2
users
=

:=

==

!=

=~

!~


FreeRADIUS
users #3
DEFAULT
DEFAULT

DEFAULT Auth-Type := System

users System

DEFAULT User-Name =~ "_test$", Client-IP-Address == "127.0.0.1"
        Session-Timeout := 3

_test 127.0.0.1 Session-Timeout 3

Fall-Through
FreeRADIUS users

Fall-Through = Yes users

DEFAULT Fall-Through = Yes
DEFAULT
Fall-Through = Yes
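As an added example (not part of the original slides and not FreeRADIUS code), the following Python models how the users file described on the slides above is walked: the check-item operators, named and DEFAULT entries, and Fall-Through = Yes. The entry table is constructed from the deck's own examples; the Idle-Timeout value on the last entry is an assumption made for the demo.

```python
import re

# Constructed users-file entries modelled on the slides. Each entry is
# (name, check items, reply items) with (attribute, operator, value) triples.
# Idle-Timeout = 600 on the last entry is an assumed value for the demo.
USERS = [
    ("kevin", [("Auth-Type", ":=", "Local"), ("User-Password", "==", "pwd123")], []),
    ("DEFAULT", [("User-Name", "=~", "_test$"), ("Client-IP-Address", "==", "127.0.0.1")],
     [("Session-Timeout", ":=", "3"), ("Fall-Through", "=", "Yes")]),
    ("DEFAULT", [("Auth-Type", ":=", "System")], [("Idle-Timeout", "=", "600")]),
]


def check_matches(op, want, have):
    """Comparison operators for check items; ':=' and '=' are assignments, not tests."""
    if op in (":=", "="):
        return True
    if op == "==":
        return have == want
    if op == "!=":
        return have != want
    if op == "=~":
        return have is not None and re.search(want, have) is not None
    if op == "!~":
        return have is None or re.search(want, have) is None
    raise ValueError("unknown operator " + op)


def lookup(request):
    """Walk USERS in order; the first matching entry ends the search unless it
    carries Fall-Through = Yes. Returns (control items, reply items)."""
    control, reply = {}, {}
    for name, checks, replies in USERS:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(check_matches(op, val, request.get(attr)) for attr, op, val in checks):
            continue
        for attr, op, val in checks:            # assignment operators set control items
            if op == ":=" or (op == "=" and attr not in control):
                control[attr] = val
        fall_through = False
        for attr, op, val in replies:
            if attr == "Fall-Through":
                fall_through = val.lower() == "yes"
            elif op == ":=" or attr not in reply:  # ':=' overrides, '=' sets if unset
                reply[attr] = val
        if not fall_through:
            break
    return control, reply
```

Because the kevin entry stores the password in cleartext as a check item, the users file needs the same file permissions as any other credential store.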

FreeRADIUS
proxy.conf #4
proxy.conf
realm ( )
RADIUS
RADIUS proxy.conf
( ldflag )

realm <REALM> {
    type     = radius
    authhost = <IP>:<port>
    accthost = <IP>:<port>
    secret   = <secret key>
    ldflag   = <round_robin | fail_over>
    <nostrip>
}

FreeRADIUS
proxy.conf #5
Realm
domain name
kevin@nchc.org.tw realm nchc.org.tw
UNIX

UNIX domain name

wifi.nchc.org.tw

kevin@wifi.nchc.org.tw

CAMPUS_WLAN

kevin@CAMPUS_WLAN

SQL users

realm domain name


realm
FreeRADIUS realm

FreeRADIUS
proxy.conf #6
Realm
realm
kevin realm

proxy.conf

realm
kevin@nchc.org.tw nchc.org.tw
realm
RADIUS realm
proxy.conf

realm
RADIUS RADIUS
realm
proxy.conf

FreeRADIUS


FreeRADIUS
proxy.conf #7
nostrip
strip FreeRADIUS
realm
: kevin@nchc.org.tw kevin

realm
realm

realm
nostrip
RADIUS realm
realm RADIUS realm

strip

FreeRADIUS
proxy.conf #8

realm
realm NULL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

LOCAL secret

realm 192.168.0.10:1645
realm NULL {
    type     = radius
    authhost = 192.168.0.10:1645
    accthost = 192.168.0.10:1646
    secret   = dontshowit
}

FreeRADIUS
proxy.conf #9

realm wifi.nchc.org.tw

realm wifi.nchc.org.tw {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm wifi.nchc.org.tw
192.168.0.7:1812 realm
realm wifi.nchc.org.tw {
    type     = radius
    authhost = 192.168.0.7:1812
    accthost = 192.168.0.7:1813
    secret   = donttellanyone
}

FreeRADIUS
proxy.conf #10

realm wifi.nchc.org.tw 192.168.0.7:1812

realm
realm wifi.nchc.org.tw {
    type     = radius
    authhost = 192.168.0.7:1812
    accthost = 192.168.0.7:1813
    secret   = reallysecret
    nostrip
}

realm 192.168.0.99:1812
realm
realm DEFAULT {
    type     = radius
    authhost = 192.168.0.99:1812
    accthost = 192.168.0.99:1813
    secret   = aloha3#5
    nostrip
}

FreeRADIUS
proxy.conf #11

realm fail_over

2 server
wifi.home isp1.com isp1.com (server dead) isp2.com realm
realm wifi.home {
    type     = radius
    authhost = isp1.com:1812
    accthost = isp1.com:1813
    secret   = sweetheart
    nostrip
    ldflag   = fail_over
}
realm wifi.home {
    type     = radius
    authhost = isp2.com:1812
    accthost = isp2.com:1813
    secret   = heartsweet
    nostrip
    ldflag   = fail_over
}

FreeRADIUS
proxy.conf #12

FreeRADIUS RADIUS (round_robin)

RADIUS

2 server
realm wifi.home {
    type     = radius
    authhost = isp1.com:1812
    accthost = isp1.com:1813
    secret   = sweetheart
    nostrip
    ldflag   = round_robin
}
realm wifi.home {
    type     = radius
    authhost = isp2.com:1812
    accthost = isp2.com:1813
    secret   = heartsweet
    nostrip
    ldflag   = round_robin
}
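As an added example (not code from the slides or from FreeRADIUS), the following Python models the realm decisions the proxy.conf slides above describe, from the NULL realm through fail_over and round_robin: splitting user@realm, the NULL and DEFAULT realms, strip versus nostrip, and home-server selection. The realm table is constructed from the deck's examples; the rr.example realm name, the dead-server set and the unknown-realm fallback are assumptions.

```python
import itertools

# Constructed realm table mirroring the deck's proxy.conf slides. Each entry lists
# (authhost, secret) pairs; ldflag picks how several home servers are used.
# rr.example is an assumed realm name used only to demonstrate round_robin.
REALMS = {
    "NULL": {"servers": [("LOCAL", None)]},                    # bare user names
    "wifi.nchc.org.tw": {"servers": [("LOCAL", None)]},        # local, realm stripped
    "wifi.home": {"servers": [("isp1.com:1812", "sweetheart"),
                              ("isp2.com:1812", "heartsweet")],
                  "nostrip": True, "ldflag": "fail_over"},
    "rr.example": {"servers": [("isp1.com:1812", "sweetheart"),
                               ("isp2.com:1812", "heartsweet")],
                   "nostrip": True, "ldflag": "round_robin"},
    "DEFAULT": {"servers": [("192.168.0.99:1812", "aloha3#5")], "nostrip": True},
}
_rr = itertools.count()  # round-robin cursor shared by all requests


def split_realm(user_name):
    """'kevin@nchc.org.tw' -> ('kevin', 'nchc.org.tw'); no '@' means the NULL realm."""
    if "@" not in user_name:
        return user_name, "NULL"
    user, realm = user_name.rsplit("@", 1)
    return user, realm


def pick_server(entry, dead):
    """fail_over: first live server in listed order; round_robin: rotate over live ones."""
    alive = [s for s in entry["servers"] if s[0] not in dead]
    if not alive:
        return None
    if entry.get("ldflag") == "round_robin":
        return alive[next(_rr) % len(alive)]
    return alive[0]


def route(user_name, dead=frozenset()):
    """Decide local handling vs proxying and the User-Name the home server sees."""
    user, realm = split_realm(user_name)
    entry = REALMS.get(realm) or REALMS.get("DEFAULT")
    if entry is None:  # assumption: unknown realm and no DEFAULT -> handled locally as-is
        return {"realm": realm, "action": "local", "host": "LOCAL", "user_name": user_name}
    server = pick_server(entry, dead)
    if server is None:  # every home server is marked dead: nothing to forward to
        return {"realm": realm, "action": "reject", "host": None, "user_name": user_name}
    host, _secret = server
    # nostrip forwards user@realm unchanged; without it only the bare user is sent
    forwarded = user_name if entry.get("nostrip") else user
    action = "local" if host == "LOCAL" else "proxy"
    return {"realm": realm, "action": action, "host": host, "user_name": forwarded}
```

A DEFAULT realm that proxies means any unknown suffix leaves the server, so keep it deliberate and watch the proxy log for realms you did not expect.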

FreeRADIUS
snmp #1
FreeRADIUS SNMP RADIUS
snmp

FreeRADIUS UCD-SNMP
NET-SNMP
NET-SNMP UCD-SNMP

1) UCD-SNMP
FreeBSD Debian Linux
Red-Hat Fedora

2) ./configure Make.inc
CFLAGS -DWITH_SNMP -DUCD_COMPATIBLE -DHAVE_UCD_SNMP_ASN1_SNMP_SNMPIMPL_H
SNMP_LIB -lsnmp -lssl
make;make install

FreeRADIUS
snmp #2

snmp
1) /usr/local/etc/raddb/snmp.conf
:

#smux_password = verysecret

# verysecret
snmp daemon

smux_password = my_snmp_secret

2) /etc/snmp/snmpd.conf
:

rocommunity public
smuxpeer .1.3.6.1.4.1.3317.1.3.1 my_snmp_secret

FreeRADIUS
snmp #3
snmp
snmpwalk snmpget

snmpget -v2c -c public 192.168.0.3 .1.3.6.1.2.1.67.1.1.1.1.1.0

SNMPv2-SMI::mib-2.67.1.1.1.1.1.0 = STRING: "FreeRADIUS Version 0.9.3, for host i686-pc-linux-gnu, built on Jan 8 2004 at 10:33:53

mibs/
RADIUS MIB
ICMP ping snmpget
FreeRADIUS

FreeRADIUS
#1
FreeRADIUS
( )
/usr/local/sbin/radiusd

( + debug )
/usr/local/sbin/radiusd -X

FreeRADIUS - radtest
radtest
radtest < > < > < IP>:<PORT> 0 < >

radtest kevin pwd123 127.0.0.1 0 testing123


radtest kevin@wifi.nchc.org.tw pwd123 127.0.0.1 0 testing123

UNIX root

radtest root 12345 127.0.0.1 0 testing123


radtest root@wifi.nchc.org.tw 12345 127.0.0.1 0 testing123

rad_recv: Access-Accept packet from host 127.0.0.1:1812



FreeRADIUS
#2

NTRadPing for Win32


http://www.novell.com/coolsolutions/tools/downloads/ntradping.zip

IP
clients.conf

FreeRADIUS

FreeRADIUS accounting accounting


RADIUS

RADIUS
Accounting Attributes

( )

http://www.shenton.org/~chris/nasa-hq/dialup/radius/
http://www.pgregg.com/projects/radiusreport/index.php


FreeRADIUS

radrelay
FreeRADIUS
FreeRADIUS

FreeRADIUS

radrelay

detail-20060202 192.168.0.20
ip312
radrelay -s ip312 -r 192.168.0.20 detail-20060202

man 1 radrelay

FreeRADIUS

1. / FreeRADIUS
2. radiusd.conf
LDAP SQL

3. proxy.conf
realm
realm ( )

4. users

acc_test Auth-Type := Local, User-Password == "pwd123"
         Session-Timeout = 3

: DEFAULT Auth-Type := System

5. radiusd
6. radtest acc_test pwd123 127.0.0.1 0 testing123

FreeRADIUS
#1
(mo) UNIX
mail.mo.edu.tw

mail.mo.edu.tw FreeRADIUS
proxy.conf
NULL mail.mo.edu.tw realm

clients.conf
IP

users
DEFAULT Auth-Type := System

FreeRADIUS
#2
c.mo.edu.tw
a.mo.edu.tw b.mo.edu.tw
LDAP UNIX
FreeRADIUS

a b c FreeRADIUS
a b : clients.conf
c.mo.edu.tw IP secret key

a b : proxy.conf
realm

c : clients.conf
IP secret key

c : proxy.conf
realm a.mo.edu.tw proxy a.mo.edu.tw
realm b.mo.edu.tw proxy b.mo.edu.tw


http://www.freeradius.org/
http://wlanrc.nchc.org.tw
http://www-128.ibm.com/developerworks/tw/library/l-radius/
http://wiki.freeradius.org/index.php/RADIUS
http://www.linuxjournal.com/article/8017
http://www.linuxjournal.com/article/8095
http://www.linuxjournal.com/article/8151

