[root@nm freeradius-server-2.1.1]# rpm -qa | grep openssl
openssl-0.9.7a-43.10
openssl-devel-0.9.7a-43.10
xmlsec1-openssl-1.2.6-3

[root@vmmac fprobe-1.1]# rpm -qa | grep ldap
openldap-2.2.13-6.4E
openldap-devel-2.2.13-6.4E
openldap-clients-2.2.13-6.4E
nss_ldap-226-13
openldap-servers-2.2.13-6.4E

freeradius-server-2.1.1.tar.gz
[root@nm freeradius-server-2.1.1]# ./configure
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
Installing takes a long time, close to an hour.

[root@nm freeradius-server-2.1.1]# make
Making all in rfc...
gmake[4]: Entering directory `/usr/local/src/freeradius-server-2.1.1/doc/rfc'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc/rfc'
gmake[3]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[2]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[1]: Leaving directory `/usr/local/src/freeradius-server-2.1.1'

[root@nm freeradius-server-2.1.1]# make install
done
gmake[4]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc/rfc'
gmake[3]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[2]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[1]: Leaving directory `/usr/local/src/freeradius-server-2.1.1'
Installing dictionary files in /usr/local/share/freeradius
/usr/local/src/freeradius-server-2.1.1/libtool --finish /usr/local/lib
PATH="$PATH:/sbin" ldconfig -n /usr/local/lib
The first time after installation, you should run the server as "root". This will cause the server to create the certificates it needs for EAP. In other words, on the first start run, as root:
$ radiusd -X
Note that the X is uppercase.
Once that is done, the server can be run from an unprivileged user account.
[root@nm local]# radiusd -X
FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Oct 29 2008 at 10:27:47
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
...
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Look at the log from another window:
[root@nm ~]# cat /usr/local/var/log/radius/radius.log
Wed Oct 29 11:23:25 2008 : Error: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
Wed Oct 29 11:23:25 2008 : Error: rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server.pem
Wed Oct 29 11:23:25 2008 : Error: rlm_eap: Failed to initialize type tls
Wed Oct 29 11:23:25 2008 : Error: /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
Wed Oct 29 11:23:25 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
Wed Oct 29 11:23:25 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
Wed Oct 29 11:23:25 2008 : Error: Errors initializing modules
The first start produces these EAP errors (the certificate file /usr/local/etc/raddb/certs/server.pem does not exist yet).

Then start radiusd once more, this time without -X:
[root@nm local]# radiusd &
[1] 2419

Check the log from another window again. The second start adds only one new log line, with no errors:
[root@nm ~]# cat /usr/local/var/log/radius/radius.log
Wed Oct 29 13:09:48 2008 : Info: Ready to process requests.

[root@nm ~]# ps -ef | grep radiusd
root      2420     1  0 13:10 ?        00:00:00 radiusd

[root@nm ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 10.4.3.117:23           10.4.3.119:1058         ESTABLISHED
tcp        0    146 10.4.3.117:23           10.4.3.119:4471         ESTABLISHED
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
tcp        0      0 ::ffff:10.4.3.117:22    ::ffff:10.4.3.119:4488  ESTABLISHED
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 0.0.0.0:1813            0.0.0.0:*
udp        0      0 0.0.0.0:1814            0.0.0.0:*
radtest [-d raddb_directory] user password radius-server nas-port-number secret

nas-port-number: not used here; just give 0.
secret: the shared secret of the matching client entry in clients.conf (after installation, the local client 127.0.0.1 has the default secret testing123).

[root@nm ~]# radtest test test localhost 0 testing123
Sending Access-Request of id 48 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=48, length=20
Even though the user and password are made up, receiving an Access-Reject is enough to prove that the FreeRADIUS server is up and answering requests.
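The two manual checks above (netstat for the UDP listeners, radtest for any reply at all) can be wrapped into a small health-check script. The following is an added example written for these notes, not code from the FreeRADIUS project: it reads captured netstat and radtest text on stdin, so it can be run against the constructed samples embedded below or piped from the live commands. The port list, the three result labels and the sample text are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes or the FreeRADIUS project):
# post-install health check built on the two manual checks in the notes.

# Read `netstat -an` output on stdin and verify that the auth (1812) and
# acct (1813) UDP listeners are present. Prints what is missing; returns 0
# only when both are found. The port list is this example's assumption.
radius_ports_listening() {
    netstat_text=$(cat)
    missing=""
    for port in 1812 1813; do
        # a matching line looks like: udp  0  0 0.0.0.0:1812  0.0.0.0:*
        if ! printf '%s\n' "$netstat_text" | awk -v p="$port" \
            '$1 == "udp" && $4 ~ (":" p "$") { found = 1 } END { exit (found ? 0 : 1) }'; then
            missing="$missing $port"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing UDP listeners:$missing"
        return 1
    fi
    echo "auth (1812) and acct (1813) listeners present"
}

# Classify a captured radtest transcript read on stdin. Prints one word:
#   accept  - server is up and the credentials were accepted
#   reject  - server is up; credentials are wrong (as with the notes' bogus
#             test user), or a wrong shared secret garbled the User-Password
#   noreply - nothing came back: daemon not running, port blocked, or the
#             sending host is not listed in clients.conf (requests from
#             unknown clients are dropped, so no reject is sent to them)
classify_radtest() {
    reply=$(cat)
    case "$reply" in
        *Access-Accept*) echo accept ;;
        *Access-Reject*) echo reject ;;
        *)               echo noreply ;;
    esac
}

# Constructed sample input, shaped like the netstat and radtest output above.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:1812 0.0.0.0:*
udp 0 0 0.0.0.0:1813 0.0.0.0:*
udp 0 0 0.0.0.0:1814 0.0.0.0:*'

SAMPLE_RADTEST='Sending Access-Request of id 48 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=48, length=20'

# Demonstration on the constructed samples. On a live host use instead:
#   netstat -an | radius_ports_listening
#   radtest test test localhost 0 testing123 2>&1 | classify_radtest
printf '%s\n' "$SAMPLE_NETSTAT" | radius_ports_listening
printf 'radtest result: %s\n' "$(printf '%s\n' "$SAMPLE_RADTEST" | classify_radtest)"
```

The point of the third label is the one the notes make implicitly: a reject is good news during bring-up, whereas silence usually means the client host is not in clients.conf or the daemon never started, which is exactly what the first-start EAP errors above produce.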
[root@vm ~]# cp /usr/local/sbin/rc.radiusd /etc/init.d/radius

[root@vm ~]# /etc/init.d/radius
Usage: /etc/init.d/ {start|stop|reload|restart|check}
[root@vm ~]# /etc/init.d/radius start
Starting FreeRADIUS: radiusd

[root@vm rc3.d]# ln -s ../init.d/radius S96radius
[root@vm rc3.d]# ls -l
lrwxrwxrwx  1 root root 14 Feb 23 13:32 S39ldap -> ../init.d/ldap*
lrwxrwxrwx  1 root root 16 Feb 27 09:06 S96radius -> ../init.d/radius*
1. radiusd.conf
Nothing much needs to be changed here; it is all system-level settings (directories, PID file, log, and so on).
[root@vmmac ~]# vi /usr/local/etc/raddb/radiusd.conf
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
#user = radius
#group = radius
(note) These two lines are commented out by default, so the daemon runs as root. Unless RADIUS authentication relies on local accounts (/etc/passwd), it is strongly recommended to run the daemon as the radius user.
max_requests = 1024
(note) Default 1024. Too small causes "busy" under heavy authentication load; too large consumes memory.
listen {
        type = auth         (note) listen for authentication
        ipaddr = *
        port = 0            (note) port 0 means listen on the port defined in /etc/services (1812)
}
listen {
        type = acct         (note) listen for accounting
        ipaddr = *
        port = 0
}
log {
        # Destination for log messages:
        #   files  - log to "file", as defined below.
        #   syslog - to syslog (see also the "syslog_facility", below).
        #   stdout - standard output
        #   stderr - standard error.
        destination = files
        file = ${logdir}/radius.log
        # Which syslog facility to use, if ${destination} == "syslog"
        syslog_facility = daemon
        # Log authentication requests to the log file.
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
        (note) auth_badpass and auth_goodpass = yes write the submitted password itself (wrong or correct) into radius.log; keep both at no outside of debugging.
}
$INCLUDE clients.conf
(note) clients.conf is really part of radiusd.conf, just split out into its own file.
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
        $INCLUDE sql.conf
        $INCLUDE sql/mysql/counter.conf
}
2. clients.conf
Defines the NAS clients; the main thing to set is the key (secret). clients.conf is the file that actually needs changing.
[root@vmmac ~]# vi /usr/local/etc/raddb/clients.conf
client 10.4.193.26 {
        secret = admin123
}
(note) What the secret is for: it is the key shared between the RADIUS server and the NAS. What travels on the wire is ciphertext, and not the password itself but the result of an MD5 computation keyed with this secret.
client 10.4.3.150 {
        secret = admin123
}
client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
}
#client 192.168.0.0/24 {
#       secret = testing123-1
#       shortname = private-network-1
#}
(note) Defining a whole network range is convenient when there are many NAS devices: adding a NAS then does not require editing clients.conf again.
#
#client 192.168.0.0/16 {
#       secret = testing123-2
#       shortname = private-network-2
#}