Freeradius peap
clients.conf
cat /etc/freeradius/clients.conf
# RADIUS clients (NAS devices / test hosts) allowed to send requests to this
# server. Each entry binds a peer address or range to the shared secret that
# protects the RADIUS exchange with that peer.
client localhost {
    ipaddr = 127.0.0.1
    secret = secretkey
    nastype = other
}
# NOTE(review): the two private ranges below share one short, static secret
# with localhost. Every host inside 192.168.0.0/16 or 10.0.0.0/8 that knows
# the secret can submit requests. A long random secret per client (or at
# least per network) keeps one leaked secret from covering the whole site.
client 192.168.0.0/16 {
    secret = secretkey
    nastype = other
}
client 10.0.0.0/8 {
    secret = secretkey
    nastype = other
}
radiusd.conf
cat /etc/freeradius/radiusd.conf
# Main server configuration. The layout (modules/, sites-enabled/, a separate
# eap.conf) looks like the FreeRADIUS 2.x tree — confirm against the installed
# version.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# The daemon switches to this unprivileged account after startup.
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# port = 0 means "use the port from /etc/services"; the debug output further
# down shows auth on 1812 and acct on 1813. ipaddr = * binds all interfaces,
# so clients.conf is the only thing restricting who may talk to the server.
listen {
    type = auth
    ipaddr = *
    port = 0
}
listen {
    ipaddr = *
    port = 0
    type = acct
}
hostname_lookups = no
# A core file would contain shared secrets and private key material; keep off.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    # auth = no suppresses the per-request "Login OK" / "Login incorrect"
    # lines. Setting auth = yes gives the audit trail needed to notice
    # password-guessing against accounts; auth_badpass / auth_goodpass would
    # write the submitted passwords into the log and should stay off.
    auth = no
    auth_badpass = no
    auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    # Access-Reject is delayed by one second, which slows down online guessing.
    reject_delay = 1
    status_server = yes
}
# Proxying to other realms is enabled; proxy.conf decides where requests go.
# If this server only authenticates local users, proxy_requests = no removes
# that code path entirely.
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    $INCLUDE ${confdir}/modules/
}
instantiate {
    exec
    expr
    expiration
    logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
eap
cat /etc/freeradius/eap.conf
# EAP module configuration. PEAP is the default outer method; inside the PEAP
# TLS tunnel MSCHAPv2 is used (see the peap { } block below).
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    # TLS settings used for the PEAP/TTLS tunnel: the server identity presented
    # to supplicants and the CA used to verify client certificates.
    tls {
        private_key_file = /etc/freeradius/certs/waka.xinux.org.key
        certificate_file = /etc/freeradius/certs/waka.xinux.org.crt
        # NOTE(review): the server cert is presumably issued by this CA as
        # well. Supplicants must be configured to validate the server
        # certificate against it; without that check a spoofed access point
        # can present its own certificate and receive the inner MSCHAPv2
        # exchange. Confirm the client-side profile enforces this.
        CA_file = /etc/freeradius/certs/xin-ca.crt
        dh_file = /etc/freeradius/certs/dh.pem
        random_file = /dev/urandom
        # "DEFAULT" leaves cipher selection to the linked OpenSSL build; a
        # tighter list that excludes legacy ciphers is worth considering —
        # check supplicant compatibility first.
        cipher_list = "DEFAULT"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
        verify {
        }
        # OCSP checking of client certificates is disabled.
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }
    # TTLS defaults to EAP-MD5 inside the tunnel; MD5 is only tolerable because
    # the TLS tunnel protects it. NOTE(review): confirm TTLS is needed at all,
    # otherwise leaving it enabled only widens what a client may negotiate.
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
mschap
cat /etc/freeradius/modules/mschap
# MS-CHAP / MS-CHAPv2 module; used as the inner method of PEAP (see eap.conf)
# and for Auth-Type MS-CHAP in sites-enabled/default.
mschap {
    # Derive MPPE keys for the NAS and require encryption with strong
    # (128-bit) keys rather than the weaker variants.
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
}
ldap
cat /etc/freeradius/modules/ldap
# LDAP module: looks up users under basedn and, with set_auth_type = yes,
# lets the server authenticate them with an LDAP bind (Auth-Type LDAP).
ldap {
    # NOTE(review): 636 is the LDAPS port, but nothing shown here configures
    # the module's TLS settings (CA certificate, verification). Confirm that
    # the connection is actually encrypted and that the directory's
    # certificate is verified, otherwise user passwords used for the bind
    # cross the network unprotected.
    server = "hoor.xmen.de"
    port = "636"
    basedn = "dc=linuggs,dc=de"
    # User-Name (or the realm-stripped form) is expanded into the search
    # filter. The module escapes expanded values for LDAP filter syntax;
    # worth confirming for the installed version.
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # Maps LDAP attributes to RADIUS attributes; required for the inner
    # MSCHAPv2 step to obtain password material from the directory.
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = yes
}
default und inner tunnel
cat /etc/freeradius/sites-enabled/default
# Default virtual server. NOTE(review): the heading mentions the inner-tunnel
# site as well, but only sites-enabled/default is shown here; the PEAP inner
# MSCHAPv2 request is processed by the inner-tunnel virtual server.
authorize {
    #digest
    mschap
    # When eap handles the packet (returns ok) the remaining modules in this
    # section are skipped; ldap and files only run for non-EAP requests.
    eap {
        ok = return
    }
    ldap
    files
}
authenticate {
    # Set by the ldap module (set_auth_type = yes): authenticate by binding
    # to the directory as the user.
    Auth-Type LDAP {
        ldap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
    # NOTE(review): files is normally an authorize-section module; confirm it
    # is intended here.
    files
}
preacct {
}
accounting {
}
session {
    radutmp
}
post-auth {
    exec
    # Strip attributes that are not allowed in an Access-Reject.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
}
test
console 1
- freeradius -X
... Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ... adding new socket proxy address * port 40079 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests.
console 2
positiv
- radtest badura.vonodinsraben suxer localhost 1812 secretkey
Sending Access-Request of id 52 to 127.0.0.1 port 1812 User-Name = "badura.vonodinsraben" User-Password = "suxer" NAS-IP-Address = 192.168.244.153 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=20
negativ
- radtest badura.vonodinsraben falsch localhost 1812 secretkey
Sending Access-Request of id 218 to 127.0.0.1 port 1812 User-Name = "badura.vonodinsraben" User-Password = "falsch" NAS-IP-Address = 192.168.244.153 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=218, length=20