[root@radius1 ~]# dnf install freeradius freeradius-utils
メタデータの期限切れの最終確認: 3:57:08 前の 2023年06月06日 05時58分34秒 に実施しました。
依存関係が解決しました。
========================================================================================================================
パッケージ アーキテクチャー バージョン リポジトリー サイズ
========================================================================================================================
インストール:
freeradius x86_64 3.0.21-37.el9 appstream 1.1 M
freeradius-utils x86_64 3.0.21-37.el9 appstream 182 k
依存関係のインストール:
openssl-perl x86_64 1:3.0.7-6.el9_2 appstream 39 k
perl-DBI x86_64 1.643-9.el9 appstream 700 k
perl-GDBM_File x86_64 1.18-480.el9 appstream 22 k
perl-Math-BigInt noarch 1:1.9998.18-460.el9 appstream 188 k
perl-Math-Complex noarch 1.59-480.el9 appstream 47 k
perl-Time-HiRes x86_64 4:1.9764-462.el9 appstream 57 k
トランザクションの概要
========================================================================================================================
インストール 8 パッケージ
ダウンロードサイズの合計: 2.3 M
インストール後のサイズ: 7.2 M
これでよろしいですか? [y/N]: y
パッケージのダウンロード:
(1/8): openssl-perl-3.0.7-6.el9_2.x86_64.rpm 586 kB/s | 39 kB 00:00
(2/8): freeradius-utils-3.0.21-37.el9.x86_64.rpm 1.8 MB/s | 182 kB 00:00
(3/8): perl-GDBM_File-1.18-480.el9.x86_64.rpm 201 kB/s | 22 kB 00:00
(4/8): perl-DBI-1.643-9.el9.x86_64.rpm 4.4 MB/s | 700 kB 00:00
(5/8): perl-Math-Complex-1.59-480.el9.noarch.rpm 1.3 MB/s | 47 kB 00:00
(6/8): freeradius-3.0.21-37.el9.x86_64.rpm 3.9 MB/s | 1.1 MB 00:00
(7/8): perl-Math-BigInt-1.9998.18-460.el9.noarch.rpm 2.8 MB/s | 188 kB 00:00
(8/8): perl-Time-HiRes-1.9764-462.el9.x86_64.rpm 1.6 MB/s | 57 kB 00:00
————————————————————————————————————————
合計 1.9 MB/s | 2.3 MB 00:01
AlmaLinux 9 – AppStream 3.0 MB/s | 3.1 kB 00:00
GPG 鍵 0xB86B3716 をインポート中:
Userid : "AlmaLinux OS 9 <packager@almalinux.org>"
Fingerprint: BF18 AC28 7617 8908 D6E7 1267 D36C B86C B86B 3716
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
これでよろしいですか? [y/N]: y
鍵のインポートに成功しました
トランザクションの確認を実行中
トランザクションの確認に成功しました。
トランザクションのテストを実行中
トランザクションのテストに成功しました。
トランザクションを実行中
準備 : 1/1
インストール中 : perl-Time-HiRes-4:1.9764-462.el9.x86_64 1/8
インストール中 : perl-Math-Complex-1.59-480.el9.noarch 2/8
インストール中 : perl-Math-BigInt-1:1.9998.18-460.el9.noarch 3/8
インストール中 : perl-DBI-1.643-9.el9.x86_64 4/8
インストール中 : perl-GDBM_File-1.18-480.el9.x86_64 5/8
インストール中 : openssl-perl-1:3.0.7-6.el9_2.x86_64 6/8
scriptletの実行中: freeradius-3.0.21-37.el9.x86_64 7/8
インストール中 : freeradius-3.0.21-37.el9.x86_64 7/8
インストール中 : freeradius-utils-3.0.21-37.el9.x86_64 8/8
scriptletの実行中: freeradius-utils-3.0.21-37.el9.x86_64 8/8
検証 : freeradius-3.0.21-37.el9.x86_64 1/8
検証 : freeradius-utils-3.0.21-37.el9.x86_64 2/8
検証 : openssl-perl-1:3.0.7-6.el9_2.x86_64 3/8
検証 : perl-DBI-1.643-9.el9.x86_64 4/8
検証 : perl-GDBM_File-1.18-480.el9.x86_64 5/8
検証 : perl-Math-BigInt-1:1.9998.18-460.el9.noarch 6/8
検証 : perl-Math-Complex-1.59-480.el9.noarch 7/8
検証 : perl-Time-HiRes-4:1.9764-462.el9.x86_64 8/8
インストール済み:
freeradius-3.0.21-37.el9.x86_64 freeradius-utils-3.0.21-37.el9.x86_64
openssl-perl-1:3.0.7-6.el9_2.x86_64 perl-DBI-1.643-9.el9.x86_64
perl-GDBM_File-1.18-480.el9.x86_64 perl-Math-BigInt-1:1.9998.18-460.el9.noarch
perl-Math-Complex-1.59-480.el9.noarch perl-Time-HiRes-4:1.9764-462.el9.x86_64
完了しました!
[root@radius1 ~]#
[root@radius1 ~]# systemctl status radiusd.service
○ radiusd.service - FreeRADIUS high performance RADIUS server.
Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; preset: disabled)
Active: inactive (dead)
[root@radius1 ~]#
[root@radius1 ~]# systemctl start radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xeu radiusd.service" for details.
[root@radius1 ~]#
[root@radius1 ~]# radiusd -X
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/rfc7542
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = “radiusd”
group = “radiusd”
allow_core_dumps = no
}
name = “radiusd”
prefix = “/usr”
localstatedir = “/var”
logdir = “/var/log/radius”
run_dir = “/var/run/radiusd”
}
main {
name = “radiusd”
prefix = “/usr”
localstatedir = “/var”
sbindir = “/usr/sbin”
logdir = “/var/log/radius”
run_dir = “/var/run/radiusd”
libdir = “/usr/lib64/freeradius”
radacctdir = “/var/log/radius/radacct”
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = “/var/run/radiusd/radiusd.pid”
checkrad = “/usr/sbin/checkrad”
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = “auth”
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = “status-server”
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = “other”
proto = “*”
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module “reject” from file /etc/raddb/mods-enabled/always
always reject {
rcode = “reject”
simulcount = 0
mpp = no
}
# Loading module “fail” from file /etc/raddb/mods-enabled/always
always fail {
rcode = “fail”
simulcount = 0
mpp = no
}
# Loading module “ok” from file /etc/raddb/mods-enabled/always
always ok {
rcode = “ok”
simulcount = 0
mpp = no
}
# Loading module “handled” from file /etc/raddb/mods-enabled/always
always handled {
rcode = “handled”
simulcount = 0
mpp = no
}
# Loading module “invalid” from file /etc/raddb/mods-enabled/always
always invalid {
rcode = “invalid”
simulcount = 0
mpp = no
}
# Loading module “userlock” from file /etc/raddb/mods-enabled/always
always userlock {
rcode = “userlock”
simulcount = 0
mpp = no
}
# Loading module “notfound” from file /etc/raddb/mods-enabled/always
always notfound {
rcode = “notfound”
simulcount = 0
mpp = no
}
# Loading module “noop” from file /etc/raddb/mods-enabled/always
always noop {
rcode = “noop”
simulcount = 0
mpp = no
}
# Loading module “updated” from file /etc/raddb/mods-enabled/always
always updated {
rcode = “updated”
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module “attr_filter.post-proxy” from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = “/etc/raddb/mods-config/attr_filter/post-proxy”
key = “%{Realm}”
relaxed = no
}
# Loading module “attr_filter.pre-proxy” from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = “/etc/raddb/mods-config/attr_filter/pre-proxy”
key = “%{Realm}”
relaxed = no
}
# Loading module “attr_filter.access_reject” from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = “/etc/raddb/mods-config/attr_filter/access_reject”
key = “%{User-Name}”
relaxed = no
}
# Loading module “attr_filter.access_challenge” from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = “/etc/raddb/mods-config/attr_filter/access_challenge”
key = “%{User-Name}”
relaxed = no
}
# Loading module “attr_filter.accounting_response” from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = “/etc/raddb/mods-config/attr_filter/accounting_response”
key = “%{User-Name}”
relaxed = no
}
# Loaded module rlm_cache
# Loading module “cache_eap” from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = “rlm_cache_rbtree”
key = “%{%{control:State}:-%{%{reply:State}:-%{State}}}”
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module “chap” from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module “date” from file /etc/raddb/mods-enabled/date
date {
format = “%b %e %Y %H:%M:%S %Z”
utc = no
}
# Loading module “wispr2date” from file /etc/raddb/mods-enabled/date
date wispr2date {
format = “%Y-%m-%dT%H:%M:%S”
utc = no
}
# Loaded module rlm_detail
# Loading module “detail” from file /etc/raddb/mods-enabled/detail
detail {
filename = “/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d”
header = “%t”
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module “auth_log” from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = “/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d”
header = “%t”
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module “reply_log” from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = “/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d”
header = “%t”
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module “pre_proxy_log” from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = “/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d”
header = “%t”
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module “post_proxy_log” from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = “/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d”
header = “%t”
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module “digest” from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module “dynamic_clients” from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module “eap” from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = “md5”
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module “echo” from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = “/bin/echo %{User-Name}”
input_pairs = “request”
output_pairs = “reply”
shell_escape = yes
}
# Loading module “exec” from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = “request”
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module “expiration” from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module “expr” from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = “@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /aeouaaaceeeeiio?uuuayAEOUsAAACEEEEIIO?UUU?”
}
# Loaded module rlm_files
# Loading module “files” from file /etc/raddb/mods-enabled/files
files {
filename = “/etc/raddb/mods-config/files/authorize”
acctusersfile = “/etc/raddb/mods-config/files/accounting”
preproxy_usersfile = “/etc/raddb/mods-config/files/pre-proxy”
}
# Loaded module rlm_linelog
# Loading module “linelog” from file /etc/raddb/mods-enabled/linelog
linelog {
filename = “/var/log/radius/linelog”
escape_filenames = no
syslog_severity = “info”
permissions = 384
format = “This is a log message for %{User-Name}”
reference = “messages.%{%{reply:Packet-Type}:-default}”
}
# Loading module “log_accounting” from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = “/var/log/radius/linelog-accounting”
escape_filenames = no
syslog_severity = “info”
permissions = 384
format = “”
reference = “Accounting-Request.%{%{Acct-Status-Type}:-unknown}”
}
# Loaded module rlm_logintime
# Loading module “logintime” from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module “mschap” from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module “ntlm_auth” from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module “pap” from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module “etc_passwd” from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = “/etc/passwd”
format = “*User-Name:Crypt-Password:”
delimiter = “:”
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module “preprocess” from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = “/etc/raddb/mods-config/preprocess/huntgroups”
hints = “/etc/raddb/mods-config/preprocess/hints”
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module “radutmp” from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = “/var/log/radius/radutmp”
username = “%{User-Name}”
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module “IPASS” from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = “prefix”
delimiter = “/”
ignore_default = no
ignore_null = no
}
# Loading module “suffix” from file /etc/raddb/mods-enabled/realm
realm suffix {
format = “suffix”
delimiter = “@”
ignore_default = no
ignore_null = no
}
# Loading module “bangpath” from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = “prefix”
delimiter = “!”
ignore_default = no
ignore_null = no
}
# Loading module “realmpercent” from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = “suffix”
delimiter = “%”
ignore_default = no
ignore_null = no
}
# Loading module “ntdomain” from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = “prefix”
delimiter = “\\”
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module “replicate” from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module “soh” from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module “sradutmp” from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = “/var/log/radius/sradutmp”
username = “%{User-Name}”
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module “unix” from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = “/var/log/radius/radwtmp”
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module “unpack” from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module “utf8” from file /etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module “reject” from file /etc/raddb/mods-enabled/always
# Instantiating module “fail” from file /etc/raddb/mods-enabled/always
# Instantiating module “ok” from file /etc/raddb/mods-enabled/always
# Instantiating module “handled” from file /etc/raddb/mods-enabled/always
# Instantiating module “invalid” from file /etc/raddb/mods-enabled/always
# Instantiating module “userlock” from file /etc/raddb/mods-enabled/always
# Instantiating module “notfound” from file /etc/raddb/mods-enabled/always
# Instantiating module “noop” from file /etc/raddb/mods-enabled/always
# Instantiating module “updated” from file /etc/raddb/mods-enabled/always
# Instantiating module “attr_filter.post-proxy” from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module “attr_filter.pre-proxy” from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module “attr_filter.access_reject” from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module “attr_filter.access_challenge” from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module “attr_filter.accounting_response” from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module “cache_eap” from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module “detail” from file /etc/raddb/mods-enabled/detail
# Instantiating module “auth_log” from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module “reply_log” from file /etc/raddb/mods-enabled/detail.log
# Instantiating module “pre_proxy_log” from file /etc/raddb/mods-enabled/detail.log
# Instantiating module “post_proxy_log” from file /etc/raddb/mods-enabled/detail.log
# Instantiating module “eap” from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = “Password: ”
auth_type = “PAP”
}
# Linked to sub-module rlm_eap_tls
tls {
tls = “tls-common”
}
tls-config tls-common {
verify_depth = 0
ca_path = “/etc/raddb/certs”
pem_file_type = yes
private_key_file = “/etc/raddb/certs/server.pem”
Unable to check file "/etc/raddb/certs/server.pem": No such file or directory
/etc/raddb/mods-enabled/eap[183]: Failed parsing configuration item "private_key_file"
rlm_eap_tls: Failed initializing SSL context
rlm_eap (EAP): Failed to initialise rlm_eap_tls
/etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"
[root@radius1 ~]#
[root@radius1 ~]# cd /etc/raddb/certs
[root@radius1 certs]#
[root@radius1 certs]# ./bootstrap   # generates example CA/server/client certificates from ./ca.cnf, ./server.cnf and ./client.cnf (subject "Example Inc.", passphrase 'whatever', 60-day validity) so that the eap module can start; replace them with certificates from your own CA before the server is put into service
openssl dhparam -out dh -2 2048
Generating DH parameters, 2048 bit long safe prime
……………………………………………………………………………………………+…………..+…………………………………………………………………………………………………+…………………………………………………………………………………………….+..+…………………………………………………………………………..+……………………….+……+…………………………………………………………………………………………………………..+…..+………………………………………………………………………………………………………………….+……………………………………………………………..+……………………………………………………..+…………………………………………………………………………………………………………+…………………………………………………………………………………………………………………………….+………………..+.+………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..+……………………………………………………………………………………………………………………………………………………………….+………………..+……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..+……………………………………………………………………………….+………………………………………………………………………………………………………………………………………………………………..+………………………………………………………..+……………………………………………………………………..+…………………………………………………………..+………………………………………………..+…………………………………….+……………………………+……………..+…………………………………………………………………………………………………………………………+……………………………….+………………………….+……………………………………………………………….++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*
chown root:radiusd dh
chmod 640 dh
openssl req -new -out server.csr -keyout server.key -config ./server.cnf -noenc
…+…..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+……+.+..+…….+……+…………..+……………+….+..+….+……+..+…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…………..+…+.+..+…….+……+..+…+.+…………..+……+……+………+………….+…+……..+……….+..+………….+…..+…….+..+…+……….+..+………….+..+……+………+…………+……+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+…..+.+…+…+…..+…+……+….+..+………+.+………+……..+.+……+……..+.+………+…+……..+………+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…………..+..+…+………+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*….+..+……….+…..+…….+…..+……….+…+…..+…+…+.+…..+…………………….+…..+………+…….+…+………..+.+…+…………+…………………………+…..+…….+…………+…..+….+..+…+.+…+…..+.+…………..+…….+……..+…+…+.+…..+……….+…+..+………+….+……+..+…….+……+…………..+.+……+…..+……….+……+…..+……………+…+……….+……………..+….+…+…..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
chmod g+r server.key
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days '60' -config ./ca.cnf \
-passin pass:'whatever' -passout pass:'whatever' -noenc
……..+..+.+…………+…..+…+…+.+……+..+…+….+…..+……………………+….+..+……….+…+..+.+…+..+………….+..+….+…..+…+…+…….+…..+……+……….+…..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…..+….+…+..+…+….+…………..+.+…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…….+………+……+………..+….+…+..+….+………..+.+…+…..+……………….+..+….+…..+…….+..+.+……+…..+………+….+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
……..+.+………+…..+….+..+…+…………+………+.+………+…..+……….+……+……..+…….+…+..+…+…….+………+……..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…+…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…+…+……+……+…..+……….+..+……….+……+…………+…+………..+………+.+…+…………+…+…..+……+……+……+…+….+…………+……+…..+…+…………+…………+…+………….+…..+….+..+…+…….+……+………+…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
chmod g+r ca.key
chown root:radiusd ca.*
chmod 640 ca.*
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key 'whatever' -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 6 03:31:09 2023 GMT
Not After : Aug 5 03:31:09 2023 GMT
Subject:
countryName = FR
stateOrProvinceName = Radius
organizationName = Example Inc.
commonName = Example Server Certificate
emailAddress = admin@example.org
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.example.com/example_ca.crl
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.40808.1.3.2
Certificate is to be certified until Aug 5 03:31:09 2023 GMT (60 days)
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:'whatever' -passout pass:'whatever'
chmod g+r server.p12
openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever'
chmod g+r server.pem
chown root:radiusd server.*
chmod 640 server.*
server.pem: OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
openssl ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key 'whatever'
Using configuration from ./ca.cnf
openssl crl -in ca-crl.pem -outform der -out ca.crl
rm ca-crl.pem
chown root:radiusd ca.*
chmod 640 ca.*
openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
.+..+………+.+…..+………+……+…+….+..+………………+.+……+………+………+……+…..+.+……..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…….+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*……+…………+…+….+………+…..+…….+…+..+….+…+..+………+……+…+……………+…….+…+…+………………+..+………………….+……..+…+.+…+..+…+.+…..+…….+……..+.+……..+…………+….+..+…+……+.+…..+………+….+…..+….+……+…..+………+……………………………+……………………+.+………+……..+…+………….+..+………….+…..+.+…..+………….+..+……+…….+……………+…+………+…..+….+……+…+…+……..+….+…..+…….+……+…..+…+.+……+………+………..+…….+…..+…………………….+…+…..+…….+..+……….+………+..+….+……+..+…………+.+…+…..+….+..+…+.+…………..+…+…+.+……..+……+….+…+…+…………..+……+.+……+…..+….+…+……..+…….+..+…+.+………+……..+….+………+…………..+.+…..+.+…..+….+………+..+…………….+……..+….+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
…+………+……+.+……..+.+……+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*………+…+.+……+……..+………….+…………+..+…+.+……+…..+.+..+……+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
chmod g+r client.key
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jun 6 03:31:09 2023 GMT
Not After : Aug 5 03:31:09 2023 GMT
Subject:
countryName = FR
stateOrProvinceName = Radius
organizationName = Example Inc.
commonName = user@example.org
emailAddress = user@example.org
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.example.com/example_ca.crl
Certificate is to be certified until Aug 5 03:31:09 2023 GMT (60 days)
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:'whatever' -passout pass:'whatever'
chmod g+r client.p12
openssl pkcs12 -in client.p12 -out client.pem -passin pass:'whatever' -passout pass:'whatever'
chmod g+r client.pem
cp client.pem 'user@example.org'.pem
chown root:radiusd client.*
chmod 640 client.*
[root@radius1 certs]#
[root@radius1 ~]# systemctl start radiusd
[root@radius1 ~]# systemctl status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; preset: disabled)
Active: active (running) since Tue 2023-06-06 12:34:57 JST; 18s ago
Process: 37253 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
Process: 37254 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
Process: 37256 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
Main PID: 37258 (radiusd)
Tasks: 6 (limit: 48937)
Memory: 77.3M
CPU: 112ms
CGroup: /system.slice/radiusd.service
└─37258 /usr/sbin/radiusd -d /etc/raddb
6月 06 12:34:57 radius1 systemd[1]: Starting FreeRADIUS high performance RADIUS server….
6月 06 12:34:57 radius1 systemd[1]: Started FreeRADIUS high performance RADIUS server..
[root@radius1 ~]#
[root@radius1 ~]# systemctl enable radiusd
Created symlink /etc/systemd/system/multi-user.target.wants/radiusd.service → /usr/lib/systemd/system/radiusd.service.
[root@radius1 ~]#
[root@radius1 ~]# cd /etc/raddb
[root@radius1 raddb]# vi radiusd.conf
[root@radius1 raddb]# cat radiusd.conf
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file - 3.0.21
##
## http://www.freeradius.org/
## $Id: e8aee3c00193127177cd65e31156c1d0f4b124d3 $
##
######################################################################
#
# The format of this (and other) configuration file is
# documented in "man unlang". There are also READMEs in many
# subdirectories:
#
# raddb/README.rst
# How to upgrade from v2.
#
# raddb/mods-available/README.rst
# How to use mods-available / mods-enabled.
# All of the modules are in individual files,
# along with configuration items and full documentation.
#
# raddb/sites-available/README
# virtual servers, "listen" sections, clients, etc.
# The “sites-available” directory contains many
# worked examples of common configurations.
#
# raddb/certs/README
# How to create certificates for EAP or RadSec.
#
# Every configuration item in the server is documented
# extensively in the comments in the example configuration
# files.
#
# Before editing this (or any other) configuration file, PLEASE
# read "man radiusd". See the section titled DEBUGGING. It
# outlines a method where you can quickly create the
# configuration you want, with minimal effort.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# “warning”, “error”, “reject”, or “failure”. The messages there
# will usually be enough to guide you to a solution.
#
# More documentation on “radiusd -X” is available on the wiki:
# https://wiki.freeradius.org/radiusd-X
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to “post the output of radiusd -X”.
#
# Guidelines for posting to the mailing list are on the wiki:
# https://wiki.freeradius.org/list-help
#
# Please read those guidelines before posting to the list.
#
# Further documentation is available in the “doc” directory
# of the server distribution, or on the wiki at:
# https://wiki.freeradius.org/
#
# New users to RADIUS should read the Technical Guide. That guide
# explains how RADIUS works, how FreeRADIUS works, and what each
# part of a RADIUS system does. It is not just “configure FreeRADIUS”!
# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
#
# More documentation on dictionaries, modules, unlang, etc. is also
# available on the Network RADIUS web site:
# https://networkradius.com/freeradius-documentation/
#
######################################################################
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
#
# name of the running server. See also the “-n” command-line option.
name = radiusd
# Location of config and logfiles.
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${localstatedir}/lib/radiusd
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an ‘undefined symbol’ error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of ‘libdir’,
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure –disable-shared
# make
# make install
#
libdir = /usr/lib64/freeradius
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it’s running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid
#
# correct_escapes: use correct backslash escaping
#
# Prior to version 3.0.5, the handling of backslashes was a little
# awkward, i.e. “wrong”. In some cases, to get one backslash into
# a regex, you had to put 4 in the config files.
#
# Version 3.0.5 fixes that. However, for backwards compatibility,
# the new method of escaping is DISABLED BY DEFAULT. This means
# that upgrading to 3.0.5 won’t break your configuration.
#
# If you don’t have double backslashes (i.e. \\) in your configuration,
# this won’t matter to you. If you do have them, fix that to use only
# one backslash, and then set “correct_escapes = true”.
#
# You can check for this by doing:
#
# $ grep ‘\\\\’ $(find raddb -type f -print)
#
correct_escapes = true
# panic_action: Command to execute if the server dies unexpectedly.
#
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
# AN INTERACTIVE ACTION MEANS THE SERVER WILL NOT RESTART.
#
# THE SERVER MUST NOT BE ALLOWED TO EXECUTE UNTRUSTED PANIC ACTION CODE.
# A PANIC ACTION THAT ATTACHES A DEBUGGER TO THE RUNNING SERVER CAN BE
# USED AS AN ATTACK VECTOR (IT RUNS WITH THE SERVER'S PRIVILEGES).
#
# The panic action is a command which will be executed if the server
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
# SIGABRT or SIGFPE.
#
# This can be used to start an interactive debugging session so
# that information regarding the current state of the server can
# be acquired.
#
# The following string substitutions are available:
# – %e The currently executing program e.g. /sbin/radiusd
# – %p The PID of the currently executing program e.g. 12345
#
# Standard ${} substitutions are also allowed.
#
# An example panic action for opening an interactive session in GDB would be:
#
#panic_action = “gdb %e %p”
#
# Again, don’t use that on a production system.
#
# An example panic action for opening an automated session in GDB would be:
#
#panic_action = “gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log”
#
# That command can be used on a production system.
#
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven’t indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See ‘max_requests’.)
#
# Useful range of values: 2 to 30
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the ‘cleanup_delay’
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren’t sure what it should be set to, it’s better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 16384
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is ‘off’ because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won’t block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
#
# Logging section. The various “log_*” configuration items
# will eventually be moved here.
#
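log {
#
# Destination for log messages. This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also "syslog_facility", below).
# stdout - standard output
# stderr - standard error.
#
# The command-line option "-X" over-rides this option, and forces
# logging to go to stdout.
#
destination = files
#
# Highlight important messages sent to stderr and stdout.
#
# Ignored (disabled) if TERM is not an xterm or if output is not
# to a TTY.
#
colourise = yes
#
# The logging messages for the server are appended to the
# tail of this file if destination == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log
#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You probably
# don't want to change this.
#
syslog_facility = daemon
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no
# Log all (accept and reject) authentication results to the log file.
#
# This is the same as setting "auth_accept = yes" and
# "auth_reject = yes"
#
# allowed values: {no, yes}
#
auth = yes
# Log Access-Accept results to the log file.
#
# This is only used if "auth = no"
#
# allowed values: {no, yes}
#
# auth_accept = no
# Log Access-Reject results to the log file.
#
# This is only used if "auth = no"
#
# allowed values: {no, yes}
#
# auth_reject = no
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# SECURITY: with either of these set to "yes", the user's password is
# written in cleartext to ${logdir}/radius.log (or to syslog) on every
# "Login OK" / "Login incorrect" line. The log file then becomes a
# credential store for anyone who can read it, for log shipping and
# aggregation, and for backups. Mis-typed passwords captured by
# auth_badpass are frequently a user's real password for some other
# system. Keep both at "no" in production. To debug a failing login,
# run "radiusd -X" instead: it shows the request attributes on stdout
# without persisting them.
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
# Log additional text at the end of the "Login OK" messages.
# For these to work, the "auth" and "auth_goodpass" or "auth_badpass"
# configurations above have to be set to "yes".
#
# The strings below are dynamically expanded, which means that
# you can put anything you want in them. However, note that
# this expansion can be slow, and can negatively impact server
# performance.
#
# msg_goodpass = ""
# msg_badpass = ""
# The message when the user exceeds the Simultaneous-Use limit.
#
msg_denied = "You are already logged in - access denied"
}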
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
#
# ENVIRONMENT VARIABLES
#
# You can reference environment variables using an expansion like
# `$ENV{PATH}`. However it is sometimes useful to be able to also set
# environment variables. This section lets you do that.
#
# The main purpose of this section is to allow administrators to keep
# RADIUS-specific configuration in the RADIUS configuration files.
# For example, if you need to set an environment variable which is
# used by a module. You could put that variable into a shell script,
# but that’s awkward. Instead, just list it here.
#
# Note that these environment variables are set AFTER the
# configuration file is loaded. So you cannot set FOO here, and
# expect to reference it via `$ENV{FOO}` in another configuration file.
# You should instead just use a normal configuration variable for
# that.
#
ENV {
#
# Set environment variable `FOO` to value '/bar/baz'.
#
# NOTE: Note that you MUST use ‘=’. You CANNOT use ‘+=’ to append
# values.
#
# FOO = ‘/bar/baz’
#
# Delete environment variable `BAR`.
#
# BAR
#
# `LD_PRELOAD` is special. It is normally set before the
# application runs, and is interpreted by the dynamic linker.
# Which means you cannot set it inside of an application, and
# expect it to load libraries.
#
# Since this functionality is useful, we extend it here.
#
# You can set
#
# LD_PRELOAD = /path/to/library.so
#
# and the server will load the named libraries. Multiple
# libraries can be loaded by specifying multiple individual
# `LD_PRELOAD` entries.
#
#
# LD_PRELOAD = /path/to/library1.so
# LD_PRELOAD = /path/to/library2.so
}
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
# chroot: directory where the server does “chroot”.
#
# The chroot is done very early in the process of starting
# the server. After the chroot has been performed it
# switches to the “user” listed below (which MUST be
# specified). If “group” is specified, it switches to that
# group, too. Any other groups listed for the specified
# “user” in “/etc/group” are also added as part of this
# process.
#
# The current working directory (chdir / cd) is left
# *outside* of the chroot until all of the modules have been
# initialized. This allows the “raddb” directory to be left
# outside of the chroot. Once the modules have been
# initialized, it does a “chdir” to ${logdir}. This means
# that it should be impossible to break out of the chroot.
#
# If you are worried about security issues related to this
# use of chdir, then simply ensure that the “raddb” directory
# is inside of the chroot, and be sure to do “cd raddb”
# BEFORE starting the server.
#
# If the server is statically linked, then the only files
# that have to exist in the chroot are ${run_dir} and
# ${logdir}. If you do the “cd raddb” as discussed above,
# then the “raddb” directory has to be inside of the chroot
# directory, too.
#
# chroot = /path/to/chroot/directory
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the
# user/group that started it. In order to change to a
# different user/group, you MUST be root ( or have root
# privileges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few
# permissions as possible. That is, if you’re not using
# shadow passwords, the user and group items below should be
# set to radius’.
#
# NOTE that some kernels refuse to setgid(group) when the
# value of (unsigned)group is above 60000; don’t use group
# “nobody” on these systems!
#
# On systems with shadow passwords, you might have to set
# ‘group = shadow’ for the server to be able to read the
# shadow password file. If you can authenticate users while
# in debug mode, but not in daemon mode, it may be that the
# debugging mode server is running as a user that can read
# the shadow info, and the user listed below can not.
#
# The server will also try to use “initgroups” to read
# /etc/groups. It will join all groups where “user” is a
# member. This can allow for some finer-grained access
# controls.
#
# NOTE(review): the packaged systemd unit starts radiusd with
# “-d /etc/raddb”; presumably as root, in which case these two
# lines are what drop it to the unprivileged radiusd account
# after start-up. Confirm the effective user of the daemon with
# “ps -o user= -p $(cat ${run_dir}/${name}.pid)” — the pidfile
# location is set by “pidfile” above.
#
user = radiusd
group = radiusd
# Core dumps are a bad thing. This should only be set to
# ‘yes’ if you’re debugging a problem with the server.
# (A core file would contain shared secrets and in-flight
# passwords from memory.)
#
# allowed values: {no, yes}
#
allow_core_dumps = no
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means “allow any number of attributes”
max_attributes = 200
#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means “send rejects immediately”
#
# If this number is set higher than ‘cleanup_delay’, then the
# rejects will be sent at ‘cleanup_delay’ time, when the request
# is deleted from the internal cache of requests.
#
# As of Version 3.0.5, “reject_delay” has sub-second resolution.
# e.g. “reject_delay = 1.4” seconds is possible.
#
# Useful ranges: 1 to 5
#
# The value below (1) is under the cleanup_delay of 5 configured
# earlier in this file, so the full delay actually applies rather
# than being clamped to cleanup_delay.
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept or Accounting-Response packet.
#
# This is mainly useful for administrators who want to “ping”
# the server, without adding test users, or creating fake
# accounting packets.
#
# It’s also useful when a NAS marks a RADIUS server “dead”.
# The NAS can periodically “ping” the server with a Status-Server
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
# See also raddb/sites-available/status
#
# NOTE(review): this is a liveness oracle for whoever can send
# packets to the RADIUS ports; presumably only senders matching an
# entry in clients.conf get an answer — verify with a Status-Server
# probe from an address that is NOT a configured client.
#
status_server = yes
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the “yes” to “no”, and comment the
# $INCLUDE line.
#
# NOTE(review): nothing shown in this walkthrough so far forwards
# requests to another RADIUS server, so proxying appears unused here.
# If that stays true, setting “proxy_requests = no” and commenting out
# the $INCLUDE below removes the realm/home-server machinery from the
# running server and shrinks its attack surface. Left unchanged in this
# documentation edit; confirm against proxy.conf before flipping it.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in “clients.conf”.
#
# The ‘clients.conf’ file contains all of the information from the old
# ‘clients’ and ‘naslist’ configuration files. We recommend that you
# do NOT use ‘client’s or ‘naslist’, although they are still
# supported.
#
# Anything listed in ‘clients.conf’ will take precedence over the
# information from the old-style configuration files.
#
# NOTE(review): clients.conf is the trust boundary of this server —
# each entry names a NAS address and the shared secret that
# authenticates its packets. Review it with the same care as the
# users file: a guessable secret or an over-broad address range lets
# an attacker submit authentication requests as that NAS.
#
$INCLUDE clients.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don’t have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don’t want too many spare threads around,
# otherwise they’ll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially — should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down…
#
# You may find that the server is regularly reaching the
# ‘max_servers’ number of threads, and that increasing
# ‘max_servers’ doesn’t seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT to keep increasing the ‘max_servers’
# value, but instead to fix the underlying cause of the
# problem: a slow database, or ‘hostname_lookups = yes’.
#
# For more information, see ‘max_request_time’, above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# When the server receives a packet, it places it onto an
# internal queue, where the worker threads (configured above)
# pick it up for processing. The maximum size of that queue
# is given here.
#
# When the queue is full, any new packets will be silently
# discarded.
#
# The most common cause of the queue being full is that the
# server is dependent on a slow database, and it has received
# a large “spike” of traffic. When that happens, there is
# very little you can do other than make sure the server
# receives less traffic, or make sure that the database can
# handle the load.
#
# max_queue_size = 65536
# Clean up old threads periodically. For no reason other than
# it might be useful.
#
# ‘0’ is a special value meaning ‘infinity’, or ‘the servers never
# exit’
max_requests_per_server = 0
# Automatically limit the number of accounting requests.
# This configuration item tracks how many requests per second
# the server can handle. It does this by tracking the
# packets/s received by the server for processing, and
# comparing that to the packets/s handled by the child
# threads.
#
# If the received PPS is larger than the processed PPS, *and*
# the queue is more than half full, then new accounting
# requests are probabilistically discarded. This lowers the
# number of packets that the server needs to process. Over
# time, the server will “catch up” with the traffic.
#
# Throwing away accounting packets is usually safe and low
# impact. The NAS will retransmit them in a few seconds, or
# even a few minutes. Vendors should read RFC 5080 Section 2.2.1
# to see how accounting packets should be retransmitted. Using
# any other method is likely to cause network meltdowns.
#
auto_limit_acct = no
}
######################################################################
#
# SNMP notifications. Uncomment the following line to enable
# snmptraps. Note that you MUST also configure the full path
# to the “snmptrap” command in the “trigger.conf” file.
#
#$INCLUDE trigger.conf
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# …
# }
#
# The ‘name’ is used to load the ‘rlm_name’ library
# which implements the functionality of the module.
#
# The ‘instance’ is optional. To have two different instances
# of a module, it first must be referred to by ‘name’.
# The different copies of the module are then created by
# inventing two ‘instance’ names, e.g. ‘instance1’ and ‘instance2’
#
# The instance names can then be used in later configuration
# INSTEAD of the original ‘name’. See the ‘radutmp’ configuration
# for an example.
#
#
# Some modules have ordering issues. e.g. “sqlippool” uses
# the configuration from “sql”. In that case, the “sql”
# module must be read off of disk before the “sqlippool”.
# However, the directory inclusion below just reads the
# directory from start to finish. Which means that the
# modules are read off of disk randomly.
#
# As of 3.0.18, you can list individual modules *before* the
# directory inclusion. Those modules will be loaded first.
# Then, when the directory is read, those modules will be
# skipped and not read twice.
#
# $INCLUDE mods-enabled/sql
#
# As of 3.0, modules are in mods-enabled/. Files matching
# the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
# initialized ONLY if they are referenced in a processing
# section, such as authorize, authenticate, accounting,
# pre/post-proxy, etc.
#
$INCLUDE mods-enabled/
}
# Instantiation
#
# This section sets the instantiation order of the modules. Modules
# listed here will get started up BEFORE the sections like authorize,
# authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like authorize
# refers to a module, the module is automatically loaded and
# initialized. However, some modules may not be listed in any of the
# processing sections, so they should be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
# After the modules listed here have been loaded, all of the modules
# in the “mods-enabled” directory will be loaded. Loading the
# “mods-enabled” directory means that unlike Version 2, you usually
# don’t need to list modules here.
#
instantiate {
#
# We list the counter module here so that it registers
# the check_name attribute before any module which sets
# it
# daily
# subsections here can be thought of as “virtual” modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a “redundant” block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list “redundant_sql” in the authorize and
# accounting sections.
#
# The “virtual” module defined here can also be used with
# dynamic expansions, under a few conditions:
#
# * The section is “redundant”, or “load-balance”, or
# “redundant-load-balance”
# * The section contains modules ONLY, and no sub-sections
# * all modules in the section are using the same rlm_
# driver, e.g. They are all sql, or all ldap, etc.
#
# When those conditions are satisfied, the server will
# automatically register a dynamic expansion, using the
# name of the “virtual” module. In the example below,
# it will be “redundant_sql”. You can then use this expansion
# just like any other:
#
# update reply {
# Filter-Id := “%{redundant_sql: … }”
# }
#
# In this example, the expansion is done via module “sql1”,
# and if that expansion fails, using module “sql2”.
#
# For best results, configure the “pool” subsection of the
# module so that “retry_delay” is non-zero. That will allow
# the redundant block to quickly ignore all “down” SQL
# databases. If instead we have “retry_delay = 0”, then
# every time the redundant block is used, the server will try
# to open a connection to every “down” database, causing
# problems.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}
######################################################################
#
# Policies are virtual modules, similar to those defined in the
# “instantiate” section above.
#
# Defining a policy in one of the policy.d files means that it can be
# referenced in multiple places as a *name*, rather than as a series of
# conditions to match, and actions to take.
#
# Policies are something like subroutines in a normal language, but
# they cannot be called recursively. They MUST be defined in order.
# If policy A calls policy B, then B MUST be defined before A.
#
######################################################################
policy {
$INCLUDE policy.d/
}
######################################################################
#
# Load virtual servers.
#
# This next $INCLUDE line loads files in the directory that
# match the regular expression: /[a-zA-Z0-9_.]+/
#
# It allows you to define new virtual servers simply by placing
# a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/
######################################################################
#
# All of the other configuration sections like “authorize {}”,
# “authenticate {}”, “accounting {}”, have been moved to the
# the file:
#
# raddb/sites-available/default
#
# This is the “default” virtual server that has the same
# configuration as in version 1.0.x and 1.1.x. The default
# installation enables this virtual server. You should
# edit it to create policies for your local site.
#
# For more documentation on virtual servers, see:
#
# raddb/sites-available/README
#
######################################################################
[root@radius1 raddb]#
[root@radius1 raddb]# vi users
[root@radius1 raddb]# cat users
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see ‘accounting’, in this directory.
#
# The first field is the user’s name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the “hints” file), and huntgroup name (set by
# the “huntgroups” file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# “Fall-Through” variable is set to “Yes”.
#
# A special user named “DEFAULT” matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users’ file with `$INCLUDE users.other’
#
# For a list of RADIUS attributes, and links to their definitions,
# see: http://www.freeradius.org/rfc/attributes.html
#
# Entries below this point are examples included in the server for
# educational purposes. They may be deleted from the deployed
# configuration without impacting the operation of the server.
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other ‘Auth-Type’ attribute which results in the user
# being authenticated.
#
# Note that there is NO ‘Fall-Through’ attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
# Reply-Message = “Your account has been disabled.”
#
# Deny access for a group of users.
#
# Note that there is NO ‘Fall-Through’ attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == “disabled”, Auth-Type := Reject
# Reply-Message = “Your account has been disabled.”
#
#
# This is a complete entry for “steve”. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve Cleartext-Password := “testing”
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = “std.ppp”,
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#
# The canonical testing user which is in most of the
# examples.
#
#bob Cleartext-Password := “hello”
# Reply-Message := “Hello, %{User-Name}”
#
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name. If you have
# users with spaces in their names, you must also change
# the “filter_username” policy to allow spaces.
#
# See raddb/policy.d/filter, filter_username {} section.
#
#”John Doe” Cleartext-Password := “hello”
# Reply-Message = “Hello, %{User-Name}”
# NOTE(review): test account added for this walkthrough (presumably for
# a radtest/radclient smoke test). The password is trivial and stored in
# cleartext, and this entry is consulted for requests from any NAS that
# clients.conf admits. Delete it — or restrict it to a test-only virtual
# server — before this host serves real clients, and prefer a
# non-dictionary value even for temporary test accounts.
testing Cleartext-Password := “password”
#
# Dial user back and telnet to the default host for that port
#
#Deg Cleartext-Password := "ge55ged"
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = "9,5551212",
# Login-Service = Telnet,
# Login-TCP-Port = Telnet
#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back, after which
# he will get a connection to the host "timeshare1".
#
#dialbk Cleartext-Password := "callme"
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
# Callback-Number = "9,1-800-555-1212"
#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.0.2.65,
# Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT Suffix == ".shell"
# Service-Type = Login-User,
# Login-Service = Telnet,
# Login-IP-Host = your.shell.machine
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
# Sample defaults for all framed connections.
#
#DEFAULT Service-Type == Framed-User
# Framed-IP-Address = 255.255.255.254,
# Framed-MTU = 576,
# Service-Type = Framed-User,
# Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
# by the terminal server, in which case there may not be a "P" suffix.
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
# Service-Type = Login-User,
# Login-Service = Rlogin,
# Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# Service-Type = Administrative-User
# On no match, the user is denied access.
#########################################################
# You should add test accounts to the TOP of this file! #
# See the example user "bob" above. #
#########################################################
[root@radius1 raddb]#
[root@radius1 raddb]# radtest testing password 127.0.0.1 0 testing123
Sent Access-Request Id 247 from 0.0.0.0:39323 to 127.0.0.1:1812 length 77
User-Name = “testing”
User-Password = “password”
NAS-IP-Address = 192.168.122.51
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = “password”
Received Access-Reject Id 247 from 127.0.0.1:1812 to 127.0.0.1:39323 length 20
(0) -: Expected Access-Accept got Access-Reject
[root@radius1 raddb]#