Freeradius

Aus xinux.net
Zur Navigation springen Zur Suche springen

installation

  • apt-get install freeradius
  • apt-get install freeradius-ldap


clients.conf

cat /etc/freeradius/clients.conf 
client localhost {
ipaddr = 127.0.0.1
secret = secretkey
nastype     = other
}
client 192.168.0.0/16 {
 secret = secretkey
nastype = other
}
client 10.0.0.0/8 {
secret = secretkey
nastype = other
}

radiusd.conf

cat   /etc/freeradius/radiusd.conf 
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

ldap

cat /etc/freeradius/modules/ldap 
ldap {
server = "hoor.xmen.de"
port = "636"
basedn = "dc=linuggs,dc=de"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
set_auth_type = yes
}

default

cat /etc/freeradius/sites-enabled/default
authorize {
ldap
}
authenticate {
Auth-Type LDAP {
ldap
}
}
preacct {
}
accounting {
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
}

inner-tunnel

server inner-tunnel {
authorize {
ldap
}
authenticate {
Auth-Type LDAP {
ldap
}
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
}
}

test

console 1

  • freeradius -X
...
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
 ... adding new socket proxy address * port 40079
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

console 2

postiv

  • radtest badura.vonodinsraben suxer localhost 1812 secretkey
Sending Access-Request of id 52 to 127.0.0.1 port 1812
	User-Name = "badura.vonodinsraben"
	User-Password = "suxer"
	NAS-IP-Address = 192.168.244.153
	NAS-Port = 1812
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=20

negativ

  • radtest badura.vonodinsraben falsch localhost 1812 secretkey
Sending Access-Request of id 218 to 127.0.0.1 port 1812
	User-Name = "badura.vonodinsraben"
	User-Password = "falsch"
	NAS-IP-Address = 192.168.244.153
	NAS-Port = 1812
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=218, length=20

links

Abgerufen von „https://xinux.net/index.php?title=Freeradius&oldid=6263