Alma9 RADIUSインストール – Mad Grandfather Company

2023年6月10日

[root@radius1 ~]# dnf install freeradius freeradius-utils

メタデータの期限切れの最終確認: 3:57:08 前の 2023年06月06日 05時58分34秒に実施しました。

依存関係が解決しました。

========================================================================================================================

パッケージアーキテクチャーバージョンリポジトリーサイズ

========================================================================================================================

インストール:

freeradius x86_64 3.0.21-37.el9 appstream 1.1 M

freeradius-utils x86_64 3.0.21-37.el9 appstream 182 k

依存関係のインストール:

openssl-perl x86_64 1:3.0.7-6.el9_2 appstream 39 k

perl-DBI x86_64 1.643-9.el9 appstream 700 k

perl-GDBM_File x86_64 1.18-480.el9 appstream 22 k

perl-Math-BigInt noarch 1:1.9998.18-460.el9 appstream 188 k

perl-Math-Complex noarch 1.59-480.el9 appstream 47 k

perl-Time-HiRes x86_64 4:1.9764-462.el9 appstream 57 k

トランザクションの概要

========================================================================================================================

インストール 8 パッケージ

ダウンロードサイズの合計: 2.3 M

インストール後のサイズ: 7.2 M

これでよろしいですか? [y/N]: y

パッケージのダウンロード:

(1/8): openssl-perl-3.0.7-6.el9_2.x86_64.rpm 586 kB/s | 39 kB 00:00

(2/8): freeradius-utils-3.0.21-37.el9.x86_64.rpm 1.8 MB/s | 182 kB 00:00

(3/8): perl-GDBM_File-1.18-480.el9.x86_64.rpm 201 kB/s | 22 kB 00:00

(4/8): perl-DBI-1.643-9.el9.x86_64.rpm 4.4 MB/s | 700 kB 00:00

(5/8): perl-Math-Complex-1.59-480.el9.noarch.rpm 1.3 MB/s | 47 kB 00:00

(6/8): freeradius-3.0.21-37.el9.x86_64.rpm 3.9 MB/s | 1.1 MB 00:00

(7/8): perl-Math-BigInt-1.9998.18-460.el9.noarch.rpm 2.8 MB/s | 188 kB 00:00

(8/8): perl-Time-HiRes-1.9764-462.el9.x86_64.rpm 1.6 MB/s | 57 kB 00:00

————————————————————————————————————————

合計 1.9 MB/s | 2.3 MB 00:01

AlmaLinux 9 – AppStream 3.0 MB/s | 3.1 kB 00:00

GPG 鍵 0xB86B3716 をインポート中:

Userid : “AlmaLinux OS 9 <packager@almalinux.org>”

Fingerprint: BF18 AC28 7617 8908 D6E7 1267 D36C B86C B86B 3716

From : /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9

これでよろしいですか? [y/N]: y

鍵のインポートに成功しました

トランザクションの確認を実行中

トランザクションの確認に成功しました。

トランザクションのテストを実行中

トランザクションのテストに成功しました。

トランザクションを実行中

準備 : 1/1

インストール中 : perl-Time-HiRes-4:1.9764-462.el9.x86_64 1/8

インストール中 : perl-Math-Complex-1.59-480.el9.noarch 2/8

インストール中 : perl-Math-BigInt-1:1.9998.18-460.el9.noarch 3/8

インストール中 : perl-DBI-1.643-9.el9.x86_64 4/8

インストール中 : perl-GDBM_File-1.18-480.el9.x86_64 5/8

インストール中 : openssl-perl-1:3.0.7-6.el9_2.x86_64 6/8

scriptletの実行中: freeradius-3.0.21-37.el9.x86_64 7/8

インストール中 : freeradius-3.0.21-37.el9.x86_64 7/8

インストール中 : freeradius-utils-3.0.21-37.el9.x86_64 8/8

scriptletの実行中: freeradius-utils-3.0.21-37.el9.x86_64 8/8

検証 : freeradius-3.0.21-37.el9.x86_64 1/8

検証 : freeradius-utils-3.0.21-37.el9.x86_64 2/8

検証 : openssl-perl-1:3.0.7-6.el9_2.x86_64 3/8

検証 : perl-DBI-1.643-9.el9.x86_64 4/8

検証 : perl-GDBM_File-1.18-480.el9.x86_64 5/8

検証 : perl-Math-BigInt-1:1.9998.18-460.el9.noarch 6/8

検証 : perl-Math-Complex-1.59-480.el9.noarch 7/8

検証 : perl-Time-HiRes-4:1.9764-462.el9.x86_64 8/8

インストール済み:

freeradius-3.0.21-37.el9.x86_64 freeradius-utils-3.0.21-37.el9.x86_64

openssl-perl-1:3.0.7-6.el9_2.x86_64 perl-DBI-1.643-9.el9.x86_64

perl-GDBM_File-1.18-480.el9.x86_64 perl-Math-BigInt-1:1.9998.18-460.el9.noarch

perl-Math-Complex-1.59-480.el9.noarch perl-Time-HiRes-4:1.9764-462.el9.x86_64

完了しました!

[root@radius1 ~]#

[root@radius1 ~]# systemctl status radiusd.service

○ radiusd.service – FreeRADIUS high performance RADIUS server.

Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; preset: disabled)

Active: inactive (dead)

[root@radius1 ~]#

[root@radius1 ~]# systemctl start radiusd

Job for radiusd.service failed because the control process exited with error code.

See “systemctl status radiusd.service” and “journalctl -xeu radiusd.service” for details.

[root@radius1 ~]#

[root@radius1 ~]# radiusd -X

FreeRADIUS Version 3.0.21

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License

For more information about these matters, see the file named COPYRIGHT

Starting – reading configuration files …

including dictionary file /usr/share/freeradius/dictionary

including dictionary file /usr/share/freeradius/dictionary.dhcp

including dictionary file /usr/share/freeradius/dictionary.vqp

including dictionary file /etc/raddb/dictionary

including configuration file /etc/raddb/radiusd.conf

including configuration file /etc/raddb/proxy.conf

including configuration file /etc/raddb/clients.conf

including files in directory /etc/raddb/mods-enabled/

including configuration file /etc/raddb/mods-enabled/always

including configuration file /etc/raddb/mods-enabled/attr_filter

including configuration file /etc/raddb/mods-enabled/cache_eap

including configuration file /etc/raddb/mods-enabled/chap

including configuration file /etc/raddb/mods-enabled/date

including configuration file /etc/raddb/mods-enabled/detail

including configuration file /etc/raddb/mods-enabled/detail.log

including configuration file /etc/raddb/mods-enabled/digest

including configuration file /etc/raddb/mods-enabled/dynamic_clients

including configuration file /etc/raddb/mods-enabled/eap

including configuration file /etc/raddb/mods-enabled/echo

including configuration file /etc/raddb/mods-enabled/exec

including configuration file /etc/raddb/mods-enabled/expiration

including configuration file /etc/raddb/mods-enabled/expr

including configuration file /etc/raddb/mods-enabled/files

including configuration file /etc/raddb/mods-enabled/linelog

including configuration file /etc/raddb/mods-enabled/logintime

including configuration file /etc/raddb/mods-enabled/mschap

including configuration file /etc/raddb/mods-enabled/ntlm_auth

including configuration file /etc/raddb/mods-enabled/pap

including configuration file /etc/raddb/mods-enabled/passwd

including configuration file /etc/raddb/mods-enabled/preprocess

including configuration file /etc/raddb/mods-enabled/radutmp

including configuration file /etc/raddb/mods-enabled/realm

including configuration file /etc/raddb/mods-enabled/replicate

including configuration file /etc/raddb/mods-enabled/soh

including configuration file /etc/raddb/mods-enabled/sradutmp

including configuration file /etc/raddb/mods-enabled/unix

including configuration file /etc/raddb/mods-enabled/unpack

including configuration file /etc/raddb/mods-enabled/utf8

including files in directory /etc/raddb/policy.d/

including configuration file /etc/raddb/policy.d/accounting

including configuration file /etc/raddb/policy.d/canonicalization

including configuration file /etc/raddb/policy.d/control

including configuration file /etc/raddb/policy.d/cui

including configuration file /etc/raddb/policy.d/debug

including configuration file /etc/raddb/policy.d/dhcp

including configuration file /etc/raddb/policy.d/eap

including configuration file /etc/raddb/policy.d/filter

including configuration file /etc/raddb/policy.d/operator-name

including configuration file /etc/raddb/policy.d/rfc7542

including files in directory /etc/raddb/sites-enabled/

including configuration file /etc/raddb/sites-enabled/default

including configuration file /etc/raddb/sites-enabled/inner-tunnel

main {

security {

user = “radiusd”

group = “radiusd”

allow_core_dumps = no

}

name = “radiusd”

prefix = “/usr”

localstatedir = “/var”

logdir = “/var/log/radius”

run_dir = “/var/run/radiusd”

}

main {

name = “radiusd”

prefix = “/usr”

localstatedir = “/var”

sbindir = “/usr/sbin”

logdir = “/var/log/radius”

run_dir = “/var/run/radiusd”

libdir = “/usr/lib64/freeradius”

radacctdir = “/var/log/radius/radacct”

hostname_lookups = no

max_request_time = 30

cleanup_delay = 5

max_requests = 16384

pidfile = “/var/run/radiusd/radiusd.pid”

checkrad = “/usr/sbin/checkrad”

debug_level = 0

proxy_requests = yes

log {

stripped_names = no

auth = no

auth_badpass = no

auth_goodpass = no

colourise = yes

msg_denied = “You are already logged in – access denied”

}

resources {

}

security {

max_attributes = 200

reject_delay = 1.000000

status_server = yes

}

radiusd: #### Loading Realms and Home Servers ####

proxy server {

retry_delay = 5

retry_count = 3

default_fallback = no

dead_time = 120

wake_all_if_all_dead = no

}

home_server localhost {

ipaddr = 127.0.0.1

port = 1812

type = “auth”

secret = <<< secret >>>

response_window = 20.000000

response_timeouts = 1

max_outstanding = 65536

zombie_period = 40

status_check = “status-server”

ping_interval = 30

check_interval = 30

check_timeout = 4

num_answers_to_alive = 3

revive_interval = 120

limit {

max_connections = 16

max_requests = 0

lifetime = 0

idle_timeout = 0

}

coa {

irt = 2

mrt = 16

mrc = 5

mrd = 30

}

home_server_pool my_auth_failover {

type = fail-over

home_server = localhost

}

realm example.com {

auth_pool = my_auth_failover

}

realm LOCAL {

}

radiusd: #### Loading Clients ####

client localhost {

ipaddr = 127.0.0.1

require_message_authenticator = no

secret = <<< secret >>>

nas_type = “other”

proto = “*”

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

client localhost_ipv6 {

ipv6addr = ::1

require_message_authenticator = no

secret = <<< secret >>>

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

Debugger not attached

# Creating Auth-Type = mschap

# Creating Auth-Type = digest

# Creating Auth-Type = eap

# Creating Auth-Type = PAP

# Creating Auth-Type = CHAP

# Creating Auth-Type = MS-CHAP

radiusd: #### Instantiating modules ####

modules {

# Loaded module rlm_always

# Loading module “reject” from file /etc/raddb/mods-enabled/always

always reject {

rcode = “reject”

simulcount = 0

mpp = no

}

# Loading module “fail” from file /etc/raddb/mods-enabled/always

always fail {

rcode = “fail”

simulcount = 0

mpp = no

}

# Loading module “ok” from file /etc/raddb/mods-enabled/always

always ok {

rcode = “ok”

simulcount = 0

mpp = no

}

# Loading module “handled” from file /etc/raddb/mods-enabled/always

always handled {

rcode = “handled”

simulcount = 0

mpp = no

}

# Loading module “invalid” from file /etc/raddb/mods-enabled/always

always invalid {

rcode = “invalid”

simulcount = 0

mpp = no

}

# Loading module “userlock” from file /etc/raddb/mods-enabled/always

always userlock {

rcode = “userlock”

simulcount = 0

mpp = no

}

# Loading module “notfound” from file /etc/raddb/mods-enabled/always

always notfound {

rcode = “notfound”

simulcount = 0

mpp = no

}

# Loading module “noop” from file /etc/raddb/mods-enabled/always

always noop {

rcode = “noop”

simulcount = 0

mpp = no

}

# Loading module “updated” from file /etc/raddb/mods-enabled/always

always updated {

rcode = “updated”

simulcount = 0

mpp = no

}

# Loaded module rlm_attr_filter

# Loading module “attr_filter.post-proxy” from file /etc/raddb/mods-enabled/attr_filter

attr_filter attr_filter.post-proxy {

filename = “/etc/raddb/mods-config/attr_filter/post-proxy”

key = “%{Realm}”

relaxed = no

}

# Loading module “attr_filter.pre-proxy” from file /etc/raddb/mods-enabled/attr_filter

attr_filter attr_filter.pre-proxy {

filename = “/etc/raddb/mods-config/attr_filter/pre-proxy”

key = “%{Realm}”

relaxed = no

}

# Loading module “attr_filter.access_reject” from file /etc/raddb/mods-enabled/attr_filter

attr_filter attr_filter.access_reject {

filename = “/etc/raddb/mods-config/attr_filter/access_reject”

key = “%{User-Name}”

relaxed = no

}

# Loading module “attr_filter.access_challenge” from file /etc/raddb/mods-enabled/attr_filter

attr_filter attr_filter.access_challenge {

filename = “/etc/raddb/mods-config/attr_filter/access_challenge”

key = “%{User-Name}”

relaxed = no

}

# Loading module “attr_filter.accounting_response” from file /etc/raddb/mods-enabled/attr_filter

attr_filter attr_filter.accounting_response {

filename = “/etc/raddb/mods-config/attr_filter/accounting_response”

key = “%{User-Name}”

relaxed = no

}

# Loaded module rlm_cache

# Loading module “cache_eap” from file /etc/raddb/mods-enabled/cache_eap

cache cache_eap {

driver = “rlm_cache_rbtree”

key = “%{%{control:State}:-%{%{reply:State}:-%{State}}}”

ttl = 15

max_entries = 0

epoch = 0

add_stats = no

}

# Loaded module rlm_chap

# Loading module “chap” from file /etc/raddb/mods-enabled/chap

# Loaded module rlm_date

# Loading module “date” from file /etc/raddb/mods-enabled/date

date {

format = “%b %e %Y %H:%M:%S %Z”

utc = no

}

# Loading module “wispr2date” from file /etc/raddb/mods-enabled/date

date wispr2date {

format = “%Y-%m-%dT%H:%M:%S”

utc = no

}

# Loaded module rlm_detail

# Loading module “detail” from file /etc/raddb/mods-enabled/detail

detail {

filename = “/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d”

header = “%t”

permissions = 384

locking = no

escape_filenames = no

log_packet_header = no

}

# Loading module “auth_log” from file /etc/raddb/mods-enabled/detail.log

detail auth_log {

filename = “/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d”

header = “%t”

permissions = 384

locking = no

escape_filenames = no

log_packet_header = no

}

# Loading module “reply_log” from file /etc/raddb/mods-enabled/detail.log

detail reply_log {

filename = “/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d”

header = “%t”

permissions = 384

locking = no

escape_filenames = no

log_packet_header = no

}

# Loading module “pre_proxy_log” from file /etc/raddb/mods-enabled/detail.log

detail pre_proxy_log {

filename = “/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d”

header = “%t”

permissions = 384

locking = no

escape_filenames = no

log_packet_header = no

}

# Loading module “post_proxy_log” from file /etc/raddb/mods-enabled/detail.log

detail post_proxy_log {

filename = “/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d”

header = “%t”

permissions = 384

locking = no

escape_filenames = no

log_packet_header = no

}

# Loaded module rlm_digest

# Loading module “digest” from file /etc/raddb/mods-enabled/digest

# Loaded module rlm_dynamic_clients

# Loading module “dynamic_clients” from file /etc/raddb/mods-enabled/dynamic_clients

# Loaded module rlm_eap

# Loading module “eap” from file /etc/raddb/mods-enabled/eap

eap {

default_eap_type = “md5”

timer_expire = 60

ignore_unknown_eap_types = no

cisco_accounting_username_bug = no

max_sessions = 16384

}

# Loaded module rlm_exec

# Loading module “echo” from file /etc/raddb/mods-enabled/echo

exec echo {

wait = yes

program = “/bin/echo %{User-Name}”

input_pairs = “request”

output_pairs = “reply”

shell_escape = yes

}

# Loading module “exec” from file /etc/raddb/mods-enabled/exec

exec {

wait = no

input_pairs = “request”

shell_escape = yes

timeout = 10

}

# Loaded module rlm_expiration

# Loading module “expiration” from file /etc/raddb/mods-enabled/expiration

# Loaded module rlm_expr

# Loading module “expr” from file /etc/raddb/mods-enabled/expr

expr {

safe_characters = “@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /aeouaaaceeeeiio?uuuayAEOUsAAACEEEEIIO?UUU?”

}

# Loaded module rlm_files

# Loading module “files” from file /etc/raddb/mods-enabled/files

files {

filename = “/etc/raddb/mods-config/files/authorize”

acctusersfile = “/etc/raddb/mods-config/files/accounting”

preproxy_usersfile = “/etc/raddb/mods-config/files/pre-proxy”

}

# Loaded module rlm_linelog

# Loading module “linelog” from file /etc/raddb/mods-enabled/linelog

linelog {

filename = “/var/log/radius/linelog”

escape_filenames = no

syslog_severity = “info”

permissions = 384

format = “This is a log message for %{User-Name}”

reference = “messages.%{%{reply:Packet-Type}:-default}”

}

# Loading module “log_accounting” from file /etc/raddb/mods-enabled/linelog

linelog log_accounting {

filename = “/var/log/radius/linelog-accounting”

escape_filenames = no

syslog_severity = “info”

permissions = 384

format = “”

reference = “Accounting-Request.%{%{Acct-Status-Type}:-unknown}”

}

# Loaded module rlm_logintime

# Loading module “logintime” from file /etc/raddb/mods-enabled/logintime

logintime {

minimum_timeout = 60

}

# Loaded module rlm_mschap

# Loading module “mschap” from file /etc/raddb/mods-enabled/mschap

mschap {

use_mppe = yes

require_encryption = no

require_strong = no

with_ntdomain_hack = yes

passchange {

}

allow_retry = yes

winbind_retry_with_normalised_username = no

}

# Loading module “ntlm_auth” from file /etc/raddb/mods-enabled/ntlm_auth

exec ntlm_auth {

wait = yes

program = “/path/to/ntlm_auth –request-nt-key –domain=MYDOMAIN –username=%{mschap:User-Name} –password=%{User-Password}”

shell_escape = yes

}

# Loaded module rlm_pap

# Loading module “pap” from file /etc/raddb/mods-enabled/pap

pap {

normalise = yes

}

# Loaded module rlm_passwd

# Loading module “etc_passwd” from file /etc/raddb/mods-enabled/passwd

passwd etc_passwd {

filename = “/etc/passwd”

format = “*User-Name:Crypt-Password:”

delimiter = “:”

ignore_nislike = no

ignore_empty = yes

allow_multiple_keys = no

hash_size = 100

}

# Loaded module rlm_preprocess

# Loading module “preprocess” from file /etc/raddb/mods-enabled/preprocess

preprocess {

huntgroups = “/etc/raddb/mods-config/preprocess/huntgroups”

hints = “/etc/raddb/mods-config/preprocess/hints”

with_ascend_hack = no

ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no

with_alvarion_vsa_hack = no

}

# Loaded module rlm_radutmp

# Loading module “radutmp” from file /etc/raddb/mods-enabled/radutmp

radutmp {

filename = “/var/log/radius/radutmp”

username = “%{User-Name}”

case_sensitive = yes

check_with_nas = yes

permissions = 384

caller_id = yes

}

# Loaded module rlm_realm

# Loading module “IPASS” from file /etc/raddb/mods-enabled/realm

realm IPASS {

format = “prefix”

delimiter = “/”

ignore_default = no

ignore_null = no

}

# Loading module “suffix” from file /etc/raddb/mods-enabled/realm

realm suffix {

format = “suffix”

delimiter = “@”

ignore_default = no

ignore_null = no

}

# Loading module “bangpath” from file /etc/raddb/mods-enabled/realm

realm bangpath {

format = “prefix”

delimiter = “!”

ignore_default = no

ignore_null = no

}

# Loading module “realmpercent” from file /etc/raddb/mods-enabled/realm

realm realmpercent {

format = “suffix”

delimiter = “%”

ignore_default = no

ignore_null = no

}

# Loading module “ntdomain” from file /etc/raddb/mods-enabled/realm

realm ntdomain {

format = “prefix”

delimiter = “\\”

ignore_default = no

ignore_null = no

}

# Loaded module rlm_replicate

# Loading module “replicate” from file /etc/raddb/mods-enabled/replicate

# Loaded module rlm_soh

# Loading module “soh” from file /etc/raddb/mods-enabled/soh

soh {

dhcp = yes

}

# Loading module “sradutmp” from file /etc/raddb/mods-enabled/sradutmp

radutmp sradutmp {

filename = “/var/log/radius/sradutmp”

username = “%{User-Name}”

case_sensitive = yes

check_with_nas = yes

permissions = 420

caller_id = no

}

# Loaded module rlm_unix

# Loading module “unix” from file /etc/raddb/mods-enabled/unix

unix {

radwtmp = “/var/log/radius/radwtmp”

}

Creating attribute Unix-Group

# Loaded module rlm_unpack

# Loading module “unpack” from file /etc/raddb/mods-enabled/unpack

# Loaded module rlm_utf8

# Loading module “utf8” from file /etc/raddb/mods-enabled/utf8

instantiate {

}

# Instantiating module “reject” from file /etc/raddb/mods-enabled/always

# Instantiating module “fail” from file /etc/raddb/mods-enabled/always

# Instantiating module “ok” from file /etc/raddb/mods-enabled/always

# Instantiating module “handled” from file /etc/raddb/mods-enabled/always

# Instantiating module “invalid” from file /etc/raddb/mods-enabled/always

# Instantiating module “userlock” from file /etc/raddb/mods-enabled/always

# Instantiating module “notfound” from file /etc/raddb/mods-enabled/always

# Instantiating module “noop” from file /etc/raddb/mods-enabled/always

# Instantiating module “updated” from file /etc/raddb/mods-enabled/always

# Instantiating module “attr_filter.post-proxy” from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy

# Instantiating module “attr_filter.pre-proxy” from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy

# Instantiating module “attr_filter.access_reject” from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject

# Instantiating module “attr_filter.access_challenge” from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge

# Instantiating module “attr_filter.accounting_response” from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response

# Instantiating module “cache_eap” from file /etc/raddb/mods-enabled/cache_eap

rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked

# Instantiating module “detail” from file /etc/raddb/mods-enabled/detail

# Instantiating module “auth_log” from file /etc/raddb/mods-enabled/detail.log

rlm_detail (auth_log): ‘User-Password’ suppressed, will not appear in detail output

# Instantiating module “reply_log” from file /etc/raddb/mods-enabled/detail.log

# Instantiating module “pre_proxy_log” from file /etc/raddb/mods-enabled/detail.log

# Instantiating module “post_proxy_log” from file /etc/raddb/mods-enabled/detail.log

# Instantiating module “eap” from file /etc/raddb/mods-enabled/eap

# Linked to sub-module rlm_eap_md5

# Linked to sub-module rlm_eap_leap

# Linked to sub-module rlm_eap_gtc

gtc {

challenge = “Password: ”

auth_type = “PAP”

}

# Linked to sub-module rlm_eap_tls

tls {

tls = “tls-common”

}

tls-config tls-common {

verify_depth = 0

ca_path = “/etc/raddb/certs”

pem_file_type = yes

private_key_file = “/etc/raddb/certs/server.pem”

Unable to check file “/etc/raddb/certs/server.pem”: No such file or directory

/etc/raddb/mods-enabled/eap[183]: Failed parsing configuration item “private_key_file”

rlm_eap_tls: Failed initializing SSL context

rlm_eap (EAP): Failed to initialise rlm_eap_tls

/etc/raddb/mods-enabled/eap[14]: Instantiation failed for module “eap”

[root@radius1 ~]#

[root@radius1 ~]# cd /etc/raddb/certs

[root@radius1 certs]#

[root@radius1 certs]# ./bootstrap

openssl dhparam -out dh -2 2048

Generating DH parameters, 2048 bit long safe prime

……………………………………………………………………………………………+…………..+…………………………………………………………………………………………………+…………………………………………………………………………………………….+..+…………………………………………………………………………..+……………………….+……+…………………………………………………………………………………………………………..+…..+………………………………………………………………………………………………………………….+……………………………………………………………..+……………………………………………………..+…………………………………………………………………………………………………………+…………………………………………………………………………………………………………………………….+………………..+.+………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..+……………………………………………………………………………………………………………………………………………………………….+………………..+……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..+……………………………………………………………………………….+………………………………………………………………………………………………………………………………………………………………..+………………………………………………………..+……………………………………………………………………..+…………………………………………………………..+………………………………………………..+…………………………………….+……………………………+……………..+…………………………………………………………………………………………………………………………+……………………………….+………………………….+……………………………………………………………….++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*

chown root:radiusd dh

chmod 640 dh

openssl req -new -out server.csr -keyout server.key -config ./server.cnf -noenc

…+…..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+……+.+..+…….+……+…………..+……………+….+..+….+……+..+…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…………..+…+.+..+…….+……+..+…+.+…………..+……+……+………+………….+…+……..+……….+..+………….+…..+…….+..+…+……….+..+………….+..+……+………+…………+……+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

.+…..+.+…+…+…..+…+……+….+..+………+.+………+……..+.+……+……..+.+………+…+……..+………+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…………..+..+…+………+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*….+..+……….+…..+…….+…..+……….+…+…..+…+…+.+…..+…………………….+…..+………+…….+…+………..+.+…+…………+…………………………+…..+…….+…………+…..+….+..+…+.+…+…..+.+…………..+…….+……..+…+…+.+…..+……….+…+..+………+….+……+..+…….+……+…………..+.+……+…..+……….+……+…..+……………+…+……….+……………..+….+…+…..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

—–

chmod g+r server.key

openssl req -new -x509 -keyout ca.key -out ca.pem \

-days ’60’ -config ./ca.cnf \

-passin pass:’whatever’ -passout pass:’whatever’ -noenc

……..+..+.+…………+…..+…+…+.+……+..+…+….+…..+……………………+….+..+……….+…+..+.+…+..+………….+..+….+…..+…+…+…….+…..+……+……….+…..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…..+….+…+..+…+….+…………..+.+…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…….+………+……+………..+….+…+..+….+………..+.+…+…..+……………….+..+….+…..+…….+..+.+……+…..+………+….+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

……..+.+………+…..+….+..+…+…………+………+.+………+…..+……….+……+……..+…….+…+..+…+…….+………+……..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…+…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…+…+……+……+…..+……….+..+……….+……+…………+…+………..+………+.+…+…………+…+…..+……+……+……+…+….+…………+……+…..+…+…………+…………+…+………….+…..+….+..+…+…….+……+………+…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

—–

chmod g+r ca.key

chown root:radiusd ca.*

chmod 640 ca.*

openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key ‘whatever’ -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf

Using configuration from ./server.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Jun 6 03:31:09 2023 GMT

Not After : Aug 5 03:31:09 2023 GMT

Subject:

countryName = FR

stateOrProvinceName = Radius

organizationName = Example Inc.

commonName = Example Server Certificate

emailAddress = admin@example.org

X509v3 extensions:

X509v3 Extended Key Usage:

TLS Web Server Authentication

X509v3 CRL Distribution Points:

Full Name:

URI:http://www.example.com/example_ca.crl

X509v3 Certificate Policies:

Policy: 1.3.6.1.4.1.40808.1.3.2

Certificate is to be certified until Aug 5 03:31:09 2023 GMT (60 days)

Write out database with 1 new entries

Data Base Updated

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:’whatever’ -passout pass:’whatever’

chmod g+r server.p12

openssl pkcs12 -in server.p12 -out server.pem -passin pass:’whatever’ -passout pass:’whatever’

chmod g+r server.pem

chown root:radiusd server.*

chmod 640 server.*

server.pem: OK

openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

openssl ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key ‘whatever’

Using configuration from ./ca.cnf

openssl crl -in ca-crl.pem -outform der -out ca.crl

rm ca-crl.pem

chown root:radiusd ca.*

chmod 640 ca.*

openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc

.+..+………+.+…..+………+……+…+….+..+………………+.+……+………+………+……+…..+.+……..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…….+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*……+…………+…+….+………+…..+…….+…+..+….+…+..+………+……+…+……………+…….+…+…+………………+..+………………….+……..+…+.+…+..+…+.+…..+…….+……..+.+……..+…………+….+..+…+……+.+…..+………+….+…..+….+……+…..+………+……………………………+……………………+.+………+……..+…+………….+..+………….+…..+.+…..+………….+..+……+…….+……………+…+………+…..+….+……+…+…+……..+….+…..+…….+……+…..+…+.+……+………+………..+…….+…..+…………………….+…+…..+…….+..+……….+………+..+….+……+..+…………+.+…+…..+….+..+…+.+…………..+…+…+.+……..+……+….+…+…+…………..+……+.+……+…..+….+…+……..+…….+..+…+.+………+……..+….+………+…………..+.+…..+.+…..+….+………+..+…………….+……..+….+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

…+………+……+.+……..+.+……+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*………+…+.+……+……..+………….+…………+..+…+.+……+…..+.+..+……+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

—–

chmod g+r client.key

openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key ‘whatever’ -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

Using configuration from ./client.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 2 (0x2)

Validity

Not Before: Jun 6 03:31:09 2023 GMT

Not After : Aug 5 03:31:09 2023 GMT

Subject:

countryName = FR

stateOrProvinceName = Radius

organizationName = Example Inc.

commonName = user@example.org

emailAddress = user@example.org

X509v3 extensions:

X509v3 Extended Key Usage:

TLS Web Client Authentication

X509v3 CRL Distribution Points:

Full Name:

URI:http://www.example.com/example_ca.crl

Certificate is to be certified until Aug 5 03:31:09 2023 GMT (60 days)

Write out database with 1 new entries

Data Base Updated

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:’whatever’ -passout pass:’whatever’

chmod g+r client.p12

openssl pkcs12 -in client.p12 -out client.pem -passin pass:’whatever’ -passout pass:’whatever’

chmod g+r client.pem

cp client.pem ‘user@example.org’.pem

chown root:radiusd client.*

chmod 640 client.*

[root@radius1 certs]#

[root@radius1 ~]# systemctl start radiusd

[root@radius1 ~]# systemctl status radiusd

radiusd.service – FreeRADIUS high performance RADIUS server.

Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; preset: disabled)

Active: active (running) since Tue 2023-06-06 12:34:57 JST; 18s ago

Process: 37253 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)

Process: 37254 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)

Process: 37256 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)

Main PID: 37258 (radiusd)

Tasks: 6 (limit: 48937)

Memory: 77.3M

CPU: 112ms

CGroup: /system.slice/radiusd.service

mq37258 /usr/sbin/radiusd -d /etc/raddb

6月 06 12:34:57 radius1 systemd[1]: Starting FreeRADIUS high performance RADIUS server….

6月 06 12:34:57 radius1 systemd[1]: Started FreeRADIUS high performance RADIUS server..

[root@radius1 ~]#

[root@radius1 ~]# systemctl enable radiusd

Created symlink /etc/systemd/system/multi-user.target.wants/radiusd.service → /usr/lib/systemd/system/radiusd.service.

[root@radius1 ~]#

[root@radius1 ~]# cd /etc/raddb

[root@radius1 raddb]# vi radiusd.conf

[root@radius1 raddb]# cat radiusd.conf

# -*- text -*-

## radiusd.conf — FreeRADIUS server configuration file – 3.0.21

## http://www.freeradius.org/

## $Id: e8aee3c00193127177cd65e31156c1d0f4b124d3 $

######################################################################

# The format of this (and other) configuration file is

# documented in “man unlang”. There are also READMEs in many

# subdirectories:

# raddb/README.rst

# How to upgrade from v2.

# raddb/mods-available/README.rst

# How to use mods-available / mods-enabled.

# All of the modules are in individual files,

# along with configuration items and full documentation.

# raddb/sites-available/README

# virtual servers, “listen” sections, clients, etc.

# The “sites-available” directory contains many

# worked examples of common configurations.

# raddb/certs/README

# How to create certificates for EAP or RadSec.

# Every configuration item in the server is documented

# extensively in the comments in the example configuration

# files.

# Before editing this (or any other) configuration file, PLEASE

# read “man radiusd”. See the section titled DEBUGGING. It

# outlines a method where you can quickly create the

# configuration you want, with minimal effort.

# Run the server in debugging mode, and READ the output.

# $ radiusd -X

# We cannot emphasize this point strongly enough. The vast

# majority of problems can be solved by carefully reading the

# debugging output, which includes warnings about common issues,

# and suggestions for how they may be fixed.

# There may be a lot of output, but look carefully for words like:

# “warning”, “error”, “reject”, or “failure”. The messages there

# will usually be enough to guide you to a solution.

# More documentation on “radiusd -X” is available on the wiki:

# https://wiki.freeradius.org/radiusd-X

# If you are going to ask a question on the mailing list, then

# explain what you are trying to do, and include the output from

# debugging mode (radiusd -X). Failure to do so means that all

# of the responses to your question will be people telling you

# to “post the output of radiusd -X”.

# Guidelines for posting to the mailing list are on the wiki:

# https://wiki.freeradius.org/list-help

# Please read those guidelines before posting to the list.

# Further documentation is available in the “doc” directory

# of the server distribution, or on the wiki at:

# https://wiki.freeradius.org/

# New users to RADIUS should read the Technical Guide. That guide

# explains how RADIUS works, how FreeRADIUS works, and what each

# part of a RADIUS system does. It is not just “configure FreeRADIUS”!

# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf

# More documentation on dictionaries, modules, unlang, etc. is also

# available on the Network RADIUS web site:

# https://networkradius.com/freeradius-documentation/

######################################################################

prefix = /usr

exec_prefix = /usr

sysconfdir = /etc

localstatedir = /var

sbindir = /usr/sbin

logdir = ${localstatedir}/log/radius

raddbdir = ${sysconfdir}/raddb

radacctdir = ${logdir}/radacct

# name of the running server. See also the “-n” command-line option.

name = radiusd

# Location of config and logfiles.

confdir = ${raddbdir}

modconfdir = ${confdir}/mods-config

certdir = ${confdir}/certs

cadir = ${confdir}/certs

run_dir = ${localstatedir}/run/${name}

db_dir = ${localstatedir}/lib/radiusd

# libdir: Where to find the rlm_* modules.

# This should be automatically set at configuration time.

# If the server builds and installs, but fails at execution time

# with an ‘undefined symbol’ error, then you can use the libdir

# directive to work around the problem.

# The cause is usually that a library has been installed on your

# system in a place where the dynamic linker CANNOT find it. When

# executing as root (or another user), your personal environment MAY

# be set up to allow the dynamic linker to find the library. When

# executing as a daemon, FreeRADIUS MAY NOT have the same

# personalized configuration.

# To work around the problem, find out which library contains that symbol,

# and add the directory containing that library to the end of ‘libdir’,

# with a colon separating the directory names. NO spaces are allowed.

# e.g. libdir = /usr/local/lib:/opt/package/lib

# You can also try setting the LD_LIBRARY_PATH environment variable

# in a script which starts the server.

# If that does not work, then you can re-configure and re-build the

# server to NOT use shared libraries, via:

# ./configure –disable-shared

# make

# make install

libdir = /usr/lib64/freeradius

# pidfile: Where to place the PID of the RADIUS server.

# The server may be signalled while it’s running by using this

# file.

# This file is written when ONLY running in daemon mode.

# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`

pidfile = ${run_dir}/${name}.pid

# correct_escapes: use correct backslash escaping

# Prior to version 3.0.5, the handling of backslashes was a little

# awkward, i.e. “wrong”. In some cases, to get one backslash into

# a regex, you had to put 4 in the config files.

# Version 3.0.5 fixes that. However, for backwards compatibility,

# the new method of escaping is DISABLED BY DEFAULT. This means

# that upgrading to 3.0.5 won’t break your configuration.

# If you don’t have double backslashes (i.e. \\) in your configuration,

# this won’t matter to you. If you do have them, fix that to use only

# one backslash, and then set “correct_escapes = true”.

# You can check for this by doing:

# $ grep ‘\\\\’ $(find raddb -type f -print)

correct_escapes = true

# panic_action: Command to execute if the server dies unexpectedly.

# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.

# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.

# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.

# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE

# PATTACH CAN BE USED AS AN ATTACK VECTOR.

# The panic action is a command which will be executed if the server

# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,

# SIGABRT or SIGFPE.

# This can be used to start an interactive debugging session so

# that information regarding the current state of the server can

# be acquired.

# The following string substitutions are available:

# – %e The currently executing program e.g. /sbin/radiusd

# – %p The PID of the currently executing program e.g. 12345

# Standard ${} substitutions are also allowed.

# An example panic action for opening an interactive session in GDB would be:

#panic_action = “gdb %e %p”

# Again, don’t use that on a production system.

# An example panic action for opening an automated session in GDB would be:

#panic_action = “gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log”

# That command can be used on a production system.

# max_request_time: The maximum time (in seconds) to handle a request.

# Requests which take more time than this to process may be killed, and

# a REJECT message is returned.

# WARNING: If you notice that requests take a long time to be handled,

# then this MAY INDICATE a bug in the server, in one of the modules

# used to handle a request, OR in your local configuration.

# This problem is most often seen when using an SQL database. If it takes

# more than a second or two to receive an answer from the SQL database,

# then it probably means that you haven’t indexed the database. See your

# SQL server documentation for more information.

# Useful range of values: 5 to 120

max_request_time = 30

# cleanup_delay: The time to wait (in seconds) before cleaning up

# a reply which was sent to the NAS.

# The RADIUS request is normally cached internally for a short period

# of time, after the reply is sent to the NAS. The reply packet may be

# lost in the network, and the NAS will not see it. The NAS will then

# re-send the request, and the server will respond quickly with the

# cached reply.

# If this value is set too low, then duplicate requests from the NAS

# MAY NOT be detected, and will instead be handled as separate requests.

# If this value is set too high, then the server will cache too many

# requests, and some new requests may get blocked. (See ‘max_requests’.)

# Useful range of values: 2 to 30

cleanup_delay = 5

# max_requests: The maximum number of requests which the server keeps

# track of. This should be 256 multiplied by the number of clients.

# e.g. With 4 clients, this number should be 1024.

# If this number is too low, then when the server becomes busy,

# it will not respond to any new requests, until the ‘cleanup_delay’

# time has passed, and it has removed the old requests.

# If this number is set too high, then the server will use a bit more

# memory for no real benefit.

# If you aren’t sure what it should be set to, it’s better to set it

# too high than too low. Setting it to 1000 per client is probably

# the highest it should be.

# Useful range of values: 256 to infinity

max_requests = 16384

# hostname_lookups: Log the names of clients or just their IP addresses

# e.g., www.freeradius.org (on) or 206.47.27.232 (off).

# The default is ‘off’ because it would be overall better for the net

# if people had to knowingly turn this feature on, since enabling it

# means that each client request will result in AT LEAST one lookup

# request to the nameserver. Enabling hostname_lookups will also

# mean that your server may stop randomly for 30 seconds from time

# to time, if the DNS requests take too long.

# Turning hostname lookups off also means that the server won’t block

# for 30 seconds, if it sees an IP address which has no name associated

# with it.

# allowed values: {no, yes}

hostname_lookups = no

# Logging section. The various “log_*” configuration items

# will eventually be moved here.

log {

# Destination for log messages. This can be one of:

# files – log to “file”, as defined below.

# syslog – to syslog (see also the “syslog_facility”, below.

# stdout – standard output

# stderr – standard error.

# The command-line option “-X” over-rides this option, and forces

# logging to go to stdout.

destination = files

# Highlight important messages sent to stderr and stdout.

# Option will be ignored (disabled) if output if TERM is not

# an xterm or output is not to a TTY.

colourise = yes

# The logging messages for the server are appended to the

# tail of this file if destination == “files”

# If the server is running in debugging mode, this file is

# NOT used.

file = ${logdir}/radius.log

# Which syslog facility to use, if ${destination} == “syslog”

# The exact values permitted here are OS-dependent. You probably

# don’t want to change this.

syslog_facility = daemon

# Log the full User-Name attribute, as it was found in the request.

# allowed values: {no, yes}

stripped_names = no

# Log all (accept and reject) authentication results to the log file.

# This is the same as setting “auth_accept = yes” and

# “auth_reject = yes”

# allowed values: {no, yes}

auth = yes

# Log Access-Accept results to the log file.

# This is only used if “auth = no”

# allowed values: {no, yes}

# auth_accept = no

# Log Access-Reject results to the log file.

# This is only used if “auth = no”

# allowed values: {no, yes}

# auth_reject = no

# Log passwords with the authentication requests.

# auth_badpass – logs password if it’s rejected

# auth_goodpass – logs password if it’s correct

# allowed values: {no, yes}

auth_badpass = yes

auth_goodpass = yes

# Log additional text at the end of the “Login OK” messages.

# for these to work, the “auth” and “auth_goodpass” or “auth_badpass”

# configurations above have to be set to “yes”.

# The strings below are dynamically expanded, which means that

# you can put anything you want in them. However, note that

# this expansion can be slow, and can negatively impact server

# performance.

# msg_goodpass = “”

# msg_badpass = “”

# The message when the user exceeds the Simultaneous-Use limit.

msg_denied = “You are already logged in – access denied”

}

# The program to execute to do concurrency checks.

checkrad = ${sbindir}/checkrad

# ENVIRONMENT VARIABLES

# You can reference environment variables using an expansion like

# `$ENV{PATH}`. However it is sometimes useful to be able to also set

# environment variables. This section lets you do that.

# The main purpose of this section is to allow administrators to keep

# RADIUS-specific configuration in the RADIUS configuration files.

# For example, if you need to set an environment variable which is

# used by a module. You could put that variable into a shell script,

# but that’s awkward. Instead, just list it here.

# Note that these environment variables are set AFTER the

# configuration file is loaded. So you cannot set FOO here, and

# expect to reference it via `$ENV{FOO}` in another configuration file.

# You should instead just use a normal configuration variable for

# that.

ENV {

# Set environment varable `FOO` to value ‘/bar/baz’.

# NOTE: Note that you MUST use ‘=’. You CANNOT use ‘+=’ to append

# values.

# FOO = ‘/bar/baz’

# Delete environment variable `BAR`.

# BAR

# `LD_PRELOAD` is special. It is normally set before the

# application runs, and is interpreted by the dynamic linker.

# Which means you cannot set it inside of an application, and

# expect it to load libraries.

# Since this functionality is useful, we extend it here.

# You can set

# LD_PRELOAD = /path/to/library.so

# and the server will load the named libraries. Multiple

# libraries can be loaded by specificing multiple individual

# `LD_PRELOAD` entries.

# LD_PRELOAD = /path/to/library1.so

# LD_PRELOAD = /path/to/library2.so

}

# SECURITY CONFIGURATION

# There may be multiple methods of attacking on the server. This

# section holds the configuration items which minimize the impact

# of those attacks

security {

# chroot: directory where the server does “chroot”.

# The chroot is done very early in the process of starting

# the server. After the chroot has been performed it

# switches to the “user” listed below (which MUST be

# specified). If “group” is specified, it switches to that

# group, too. Any other groups listed for the specified

# “user” in “/etc/group” are also added as part of this

# process.

# The current working directory (chdir / cd) is left

# *outside* of the chroot until all of the modules have been

# initialized. This allows the “raddb” directory to be left

# outside of the chroot. Once the modules have been

# initialized, it does a “chdir” to ${logdir}. This means

# that it should be impossible to break out of the chroot.

# If you are worried about security issues related to this

# use of chdir, then simply ensure that the “raddb” directory

# is inside of the chroot, end be sure to do “cd raddb”

# BEFORE starting the server.

# If the server is statically linked, then the only files

# that have to exist in the chroot are ${run_dir} and

# ${logdir}. If you do the “cd raddb” as discussed above,

# then the “raddb” directory has to be inside of the chroot

# directory, too.

# chroot = /path/to/chroot/directory

# user/group: The name (or #number) of the user/group to run radiusd as.

# If these are commented out, the server will run as the

# user/group that started it. In order to change to a

# different user/group, you MUST be root ( or have root

# privileges ) to start the server.

# We STRONGLY recommend that you run the server with as few

# permissions as possible. That is, if you’re not using

# shadow passwords, the user and group items below should be

# set to radius’.

# NOTE that some kernels refuse to setgid(group) when the

# value of (unsigned)group is above 60000; don’t use group

# “nobody” on these systems!

# On systems with shadow passwords, you might have to set

# ‘group = shadow’ for the server to be able to read the

# shadow password file. If you can authenticate users while

# in debug mode, but not in daemon mode, it may be that the

# debugging mode server is running as a user that can read

# the shadow info, and the user listed below can not.

# The server will also try to use “initgroups” to read

# /etc/groups. It will join all groups where “user” is a

# member. This can allow for some finer-grained access

# controls.

user = radiusd

group = radiusd

# Core dumps are a bad thing. This should only be set to

# ‘yes’ if you’re debugging a problem with the server.

# allowed values: {no, yes}

allow_core_dumps = no

# max_attributes: The maximum number of attributes

# permitted in a RADIUS packet. Packets which have MORE

# than this number of attributes in them will be dropped.

# If this number is set too low, then no RADIUS packets

# will be accepted.

# If this number is set too high, then an attacker may be

# able to send a small number of packets which will cause

# the server to use all available memory on the machine.

# Setting this number to 0 means “allow any number of attributes”

max_attributes = 200

# reject_delay: When sending an Access-Reject, it can be

# delayed for a few seconds. This may help slow down a DoS

# attack. It also helps to slow down people trying to brute-force

# crack a users password.

# Setting this number to 0 means “send rejects immediately”

# If this number is set higher than ‘cleanup_delay’, then the

# rejects will be sent at ‘cleanup_delay’ time, when the request

# is deleted from the internal cache of requests.

# As of Version 3.0.5, “reject_delay” has sub-second resolution.

# e.g. “reject_delay = 1.4” seconds is possible.

# Useful ranges: 1 to 5

reject_delay = 1

# status_server: Whether or not the server will respond

# to Status-Server requests.

# When sent a Status-Server message, the server responds with

# an Access-Accept or Accounting-Response packet.

# This is mainly useful for administrators who want to “ping”

# the server, without adding test users, or creating fake

# accounting packets.

# It’s also useful when a NAS marks a RADIUS server “dead”.

# The NAS can periodically “ping” the server with a Status-Server

# packet. If the server responds, it must be alive, and the

# NAS can start using it for real requests.

# See also raddb/sites-available/status

status_server = yes

}

# PROXY CONFIGURATION

# proxy_requests: Turns proxying of RADIUS requests on or off.

# The server has proxying turned on by default. If your system is NOT

# set up to proxy requests to another server, then you can turn proxying

# off here. This will save a small amount of resources on the server.

# If you have proxying turned off, and your configuration files say

# to proxy a request, then an error message will be logged.

# To disable proxying, change the “yes” to “no”, and comment the

# $INCLUDE line.

# allowed values: {no, yes}

proxy_requests = yes

$INCLUDE proxy.conf

# CLIENTS CONFIGURATION

# Client configuration is defined in “clients.conf”.

# The ‘clients.conf’ file contains all of the information from the old

# ‘clients’ and ‘naslist’ configuration files. We recommend that you

# do NOT use ‘client’s or ‘naslist’, although they are still

# supported.

# Anything listed in ‘clients.conf’ will take precedence over the

# information from the old-style configuration files.

$INCLUDE clients.conf

# THREAD POOL CONFIGURATION

# The thread pool is a long-lived group of threads which

# take turns (round-robin) handling any incoming requests.

# You probably want to have a few spare threads around,

# so that high-load situations can be handled immediately. If you

# don’t have any spare threads, then the request handling will

# be delayed while a new thread is created, and added to the pool.

# You probably don’t want too many spare threads around,

# otherwise they’ll be sitting there taking up resources, and

# not doing anything productive.

# The numbers given below should be adequate for most situations.

thread pool {

# Number of servers to start initially — should be a reasonable

# ballpark figure.

start_servers = 5

# Limit on the total number of servers running.

# If this limit is ever reached, clients will be LOCKED OUT, so it

# should NOT BE SET TOO LOW. It is intended mainly as a brake to

# keep a runaway server from taking the system with it as it spirals

# down…

# You may find that the server is regularly reaching the

# ‘max_servers’ number of threads, and that increasing

# ‘max_servers’ doesn’t seem to make much difference.

# If this is the case, then the problem is MOST LIKELY that

# your back-end databases are taking too long to respond, and

# are preventing the server from responding in a timely manner.

# The solution is NOT do keep increasing the ‘max_servers’

# value, but instead to fix the underlying cause of the

# problem: slow database, or ‘hostname_lookups=yes’.

# For more information, see ‘max_request_time’, above.

max_servers = 32

# Server-pool size regulation. Rather than making you guess

# how many servers you need, FreeRADIUS dynamically adapts to

# the load it sees, that is, it tries to maintain enough

# servers to handle the current load, plus a few spare

# servers to handle transient load spikes.

# It does this by periodically checking how many servers are

# waiting for a request. If there are fewer than

# min_spare_servers, it creates a new spare. If there are

# more than max_spare_servers, some of the spares die off.

# The default values are probably OK for most sites.

min_spare_servers = 3

max_spare_servers = 10

# When the server receives a packet, it places it onto an

# internal queue, where the worker threads (configured above)

# pick it up for processing. The maximum size of that queue

# is given here.

# When the queue is full, any new packets will be silently

# discarded.

# The most common cause of the queue being full is that the

# server is dependent on a slow database, and it has received

# a large “spike” of traffic. When that happens, there is

# very little you can do other than make sure the server

# receives less traffic, or make sure that the database can

# handle the load.

# max_queue_size = 65536

# Clean up old threads periodically. For no reason other than

# it might be useful.

# ‘0’ is a special value meaning ‘infinity’, or ‘the servers never

# exit’

max_requests_per_server = 0

# Automatically limit the number of accounting requests.

# This configuration item tracks how many requests per second

# the server can handle. It does this by tracking the

# packets/s received by the server for processing, and

# comparing that to the packets/s handled by the child

# threads.

# If the received PPS is larger than the processed PPS, *and*

# the queue is more than half full, then new accounting

# requests are probabilistically discarded. This lowers the

# number of packets that the server needs to process. Over

# time, the server will “catch up” with the traffic.

# Throwing away accounting packets is usually safe and low

# impact. The NAS will retransmit them in a few seconds, or

# even a few minutes. Vendors should read RFC 5080 Section 2.2.1

# to see how accounting packets should be retransmitted. Using

# any other method is likely to cause network meltdowns.

auto_limit_acct = no

}

######################################################################

# SNMP notifications. Uncomment the following line to enable

# snmptraps. Note that you MUST also configure the full path

# to the “snmptrap” command in the “trigger.conf” file.

#$INCLUDE trigger.conf

# MODULE CONFIGURATION

# The names and configuration of each module is located in this section.

# After the modules are defined here, they may be referred to by name,

# in other sections of this configuration file.

modules {

# Each module has a configuration as follows:

# name [ instance ] {

# config_item = value

# …

# }

# The ‘name’ is used to load the ‘rlm_name’ library

# which implements the functionality of the module.

# The ‘instance’ is optional. To have two different instances

# of a module, it first must be referred to by ‘name’.

# The different copies of the module are then created by

# inventing two ‘instance’ names, e.g. ‘instance1’ and ‘instance2’

# The instance names can then be used in later configuration

# INSTEAD of the original ‘name’. See the ‘radutmp’ configuration

# for an example.

# Some modules have ordering issues. e.g. “sqlippool” uses

# the configuration from “sql”. In that case, the “sql”

# module must be read off of disk before the “sqlippool”.

# However, the directory inclusion below just reads the

# directory from start to finish. Which means that the

# modules are read off of disk randomly.

# As of 3.0.18, you can list individual modules *before* the

# directory inclusion. Those modules will be loaded first.

# Then, when the directory is read, those modules will be

# skipped and not read twice.

# $INCLUDE mods-enabled/sql

# As of 3.0, modules are in mods-enabled/. Files matching

# the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are

# initialized ONLY if they are referenced in a processing

# section, such as authorize, authenticate, accounting,

# pre/post-proxy, etc.

$INCLUDE mods-enabled/

}

# Instantiation

# This section sets the instantiation order of the modules. listed

# here will get started up BEFORE the sections like authorize,

# authenticate, etc. get examined.

# This section is not strictly needed. When a section like authorize

# refers to a module, the module is automatically loaded and

# initialized. However, some modules may not be listed in any of the

# processing sections, so they should be listed here.

# Also, listing modules here ensures that you have control over

# the order in which they are initialized. If one module needs

# something defined by another module, you can list them in order

# here, and ensure that the configuration will be OK.

# After the modules listed here have been loaded, all of the modules

# in the “mods-enabled” directory will be loaded. Loading the

# “mods-enabled” directory means that unlike Version 2, you usually

# don’t need to list modules here.

instantiate {

# We list the counter module here so that it registers

# the check_name attribute before any module which sets

# it

# daily

# subsections here can be thought of as “virtual” modules.

# e.g. If you have two redundant SQL servers, and you want to

# use them in the authorize and accounting sections, you could

# place a “redundant” block in each section, containing the

# exact same text. Or, you could uncomment the following

# lines, and list “redundant_sql” in the authorize and

# accounting sections.

# The “virtual” module defined here can also be used with

# dynamic expansions, under a few conditions:

# * The section is “redundant”, or “load-balance”, or

# “redundant-load-balance”

# * The section contains modules ONLY, and no sub-sections

# * all modules in the section are using the same rlm_

# driver, e.g. They are all sql, or all ldap, etc.

# When those conditions are satisfied, the server will

# automatically register a dynamic expansion, using the

# name of the “virtual” module. In the example below,

# it will be “redundant_sql”. You can then use this expansion

# just like any other:

# update reply {

# Filter-Id := “%{redundant_sql: … }”

# }

# In this example, the expansion is done via module “sql1”,

# and if that expansion fails, using module “sql2”.

# For best results, configure the “pool” subsection of the

# module so that “retry_delay” is non-zero. That will allow

# the redundant block to quickly ignore all “down” SQL

# databases. If instead we have “retry_delay = 0”, then

# every time the redundant block is used, the server will try

# to open a connection to every “down” database, causing

# problems.

#redundant redundant_sql {

# sql1

# sql2

}

######################################################################

# Policies are virtual modules, similar to those defined in the

# “instantiate” section above.

# Defining a policy in one of the policy.d files means that it can be

# referenced in multiple places as a *name*, rather than as a series of

# conditions to match, and actions to take.

# Policies are something like subroutines in a normal language, but

# they cannot be called recursively. They MUST be defined in order.

# If policy A calls policy B, then B MUST be defined before A.

######################################################################

policy {

$INCLUDE policy.d/

}

######################################################################

# Load virtual servers.

# This next $INCLUDE line loads files in the directory that

# match the regular expression: /[a-zA-Z0-9_.]+/

# It allows you to define new virtual servers simply by placing

# a file into the raddb/sites-enabled/ directory.

$INCLUDE sites-enabled/

######################################################################

# All of the other configuration sections like “authorize {}”,

# “authenticate {}”, “accounting {}”, have been moved to the

# the file:

# raddb/sites-available/default

# This is the “default” virtual server that has the same

# configuration as in version 1.0.x and 1.1.x. The default

# installation enables this virtual server. You should

# edit it to create policies for your local site.

# For more documentation on virtual servers, see:

# raddb/sites-available/README

######################################################################

[root@radius1 raddb]#

[root@radius1 raddb]# vi users

[root@radius1 raddb]# cat users

# Configuration file for the rlm_files module.

# Please see rlm_files(5) manpage for more information.

# This file contains authentication security and configuration

# information for each user. Accounting requests are NOT processed

# through this file. Instead, see ‘accounting’, in this directory.

# The first field is the user’s name and can be up to

# 253 characters in length. This is followed (on the same line) with

# the list of authentication requirements for that user. This can

# include password, comm server name, comm server port number, protocol

# type (perhaps set by the “hints” file), and huntgroup name (set by

# the “huntgroups” file).

# If you are not sure why a particular reply is being sent by the

# server, then run the server in debugging mode (radiusd -X), and

# you will see which entries in this file are matched.

# When an authentication request is received from the comm server,

# these values are tested. Only the first match is used unless the

# “Fall-Through” variable is set to “Yes”.

# A special user named “DEFAULT” matches on all usernames.

# You can have several DEFAULT entries. All entries are processed

# in the order they appear in this file. The first entry that

# matches the login-request will stop processing unless you use

# the Fall-Through variable.

# Indented (with the tab character) lines following the first

# line indicate the configuration values to be passed back to

# the comm server to allow the initiation of a user session.

# This can include things like the PPP configuration values

# or the host to log the user onto.

# You can include another `users’ file with `$INCLUDE users.other’

# For a list of RADIUS attributes, and links to their definitions,

# see: http://www.freeradius.org/rfc/attributes.html

# Entries below this point are examples included in the server for

# educational purposes. They may be deleted from the deployed

# configuration without impacting the operation of the server.

# Deny access for a specific user. Note that this entry MUST

# be before any other ‘Auth-Type’ attribute which results in the user

# being authenticated.

# Note that there is NO ‘Fall-Through’ attribute, so the user will not

# be given any additional resources.

#lameuser Auth-Type := Reject

# Reply-Message = “Your account has been disabled.”

# Deny access for a group of users.

# Note that there is NO ‘Fall-Through’ attribute, so the user will not

# be given any additional resources.

#DEFAULT Group == “disabled”, Auth-Type := Reject

# Reply-Message = “Your account has been disabled.”

# This is a complete entry for “steve”. Note that there is no Fall-Through

# entry so that no DEFAULT entry will be used, and the user will NOT

# get any attributes in addition to the ones listed here.

#steve Cleartext-Password := “testing”

# Service-Type = Framed-User,

# Framed-Protocol = PPP,

# Framed-IP-Address = 172.16.3.33,

# Framed-IP-Netmask = 255.255.255.0,

# Framed-Routing = Broadcast-Listen,

# Framed-Filter-Id = “std.ppp”,

# Framed-MTU = 1500,

# Framed-Compression = Van-Jacobsen-TCP-IP

# The canonical testing user which is in most of the

# examples.

#bob Cleartext-Password := “hello”

# Reply-Message := “Hello, %{User-Name}”

# This is an entry for a user with a space in their name.

# Note the double quotes surrounding the name. If you have

# users with spaces in their names, you must also change

# the “filter_username” policy to allow spaces.

# See raddb/policy.d/filter, filter_username {} section.

#”John Doe” Cleartext-Password := “hello”

# Reply-Message = “Hello, %{User-Name}”

testing Cleartext-Password := “password”

# Dial user back and telnet to the default host for that port

#Deg Cleartext-Password := “ge55ged”

# Service-Type = Callback-Login-User,

# Login-IP-Host = 0.0.0.0,

# Callback-Number = “9,5551212”,

# Login-Service = Telnet,

# Login-TCP-Port = Telnet

# Another complete entry. After the user “dialbk” has logged in, the

# connection will be broken and the user will be dialed back after which

# he will get a connection to the host “timeshare1”.

#dialbk Cleartext-Password := “callme”

# Service-Type = Callback-Login-User,

# Login-IP-Host = timeshare1,

# Login-Service = PortMaster,

# Callback-Number = “9,1-800-555-1212”

# user “swilson” will only get a static IP number if he logs in with

# a framed protocol on a terminal server in Alphen (see the huntgroups file).

# Note that by setting “Fall-Through”, other attributes will be added from

# the following DEFAULT entries

#swilson Service-Type == Framed-User, Huntgroup-Name == “alphen”

# Framed-IP-Address = 192.0.2.65,

# Fall-Through = Yes

# If the user logs in as ‘username.shell’, then authenticate them

# using the default method, give them shell access, and stop processing

# the rest of the file.

#DEFAULT Suffix == “.shell”

# Service-Type = Login-User,

# Login-Service = Telnet,

# Login-IP-Host = your.shell.machine

# The rest of this file contains the several DEFAULT entries.

# DEFAULT entries match with all login names.

# Note that DEFAULT entries can also Fall-Through (see first entry).

# A name-value pair from a DEFAULT entry will _NEVER_ override

# an already existing name-value pair.

# Sample defaults for all framed connections.

#DEFAULT Service-Type == Framed-User

# Framed-IP-Address = 255.255.255.254,

# Framed-MTU = 576,

# Service-Type = Framed-User,

# Fall-Through = Yes

# Default for PPP: dynamic IP address, PPP mode, VJ-compression.

# NOTE: we do not use Hint = “PPP”, since PPP might also be auto-detected

# by the terminal server in which case there may not be a “P” suffix.

# The terminal server sends “Framed-Protocol = PPP” for auto PPP.

DEFAULT Framed-Protocol == PPP

Framed-Protocol = PPP,

Framed-Compression = Van-Jacobson-TCP-IP

# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.

DEFAULT Hint == “CSLIP”

Framed-Protocol = SLIP,

Framed-Compression = Van-Jacobson-TCP-IP

# Default for SLIP: dynamic IP address, SLIP mode.

DEFAULT Hint == “SLIP”

Framed-Protocol = SLIP

# Last default: rlogin to our main server.

#DEFAULT

# Service-Type = Login-User,

# Login-Service = Rlogin,

# Login-IP-Host = shellbox.ispdomain.com

# #

# # Last default: shell on the local terminal server.

# #

# DEFAULT

# Service-Type = Administrative-User

# On no match, the user is denied access.

#########################################################

# You should add test accounts to the TOP of this file! #

# See the example user “bob” above. #

#########################################################

[root@radius1 raddb]#

[root@radius1 raddb]# radtest testing password 127.0.0.1 0 testing123

Sent Access-Request Id 247 from 0.0.0.0:39323 to 127.0.0.1:1812 length 77

User-Name = “testing”

User-Password = “password”

NAS-IP-Address = 192.168.122.51

NAS-Port = 0

Message-Authenticator = 0x00

Cleartext-Password = “password”

Received Access-Reject Id 247 from 127.0.0.1:1812 to 127.0.0.1:39323 length 20

(0) -: Expected Access-Accept got Access-Reject

[root@radius1 raddb]#

Mad Grandfather Company

コメントを残す コメントをキャンセル

コメントを残すコメントをキャンセル