FreeRADIUS installation and configuration

Source: Internet   Published in: 对大数据的再认识   Editor: 程序博客网   Time: 2024/05/05 02:45
Note: FreeRADIUS is very large once installed, several hundred MB.

    Software preparation
[root@nm freeradius-server-2.1.1]# rpm -qa | grep openssl
openssl-0.9.7a-43.10
openssl-devel-0.9.7a-43.10
xmlsec1-openssl-1.2.6-3
[root@vmmac fprobe-1.1]# rpm -qa | grep ldap
openldap-2.2.13-6.4E
openldap-devel-2.2.13-6.4E
openldap-clients-2.2.13-6.4E
nss_ldap-226-13
openldap-servers-2.2.13-6.4E
freeradius-server-2.1.1.tar.gz


    FreeRADIUS installation
[root@nm freeradius-server-2.1.1]# ./configure
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
The build takes a long time, close to 1 hour.
[root@nm freeradius-server-2.1.1]# make
Making all in rfc...
gmake[4]: Entering directory `/usr/local/src/freeradius-server-2.1.1/doc/rfc'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc/rfc'
gmake[3]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[2]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[1]: Leaving directory `/usr/local/src/freeradius-server-2.1.1'
[root@nm freeradius-server-2.1.1]# make install
done
gmake[4]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc/rfc'
gmake[3]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[2]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[1]: Leaving directory `/usr/local/src/freeradius-server-2.1.1'
Installing dictionary files in /usr/local/share/freeradius
/usr/local/src/freeradius-server-2.1.1/libtool --finish /usr/local/lib
PATH="$PATH:/sbin" ldconfig -n /usr/local/lib


    First run after installation: radiusd -X
After installation you can start the daemon without any configuration and go straight to a loopback test,
because the default RADIUS configuration already supports a local daemon and a local client (loopback client).
The first time after installation, you should run the server as
"root".  This will cause the server to create the certificates it
needs for EAP.
On the first start, run radiusd -X as root; this makes the server create the certificates EAP needs.
$ radiusd -X   (note the capital X)
Once that is done, the server can be run from an unprivileged user
account.
Once this step is done, the server can be started as a non-privileged user.
[root@nm local]# radiusd -X
FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Oct 29 2008 at 10:27:47
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
...
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Look at the log from another window:
[root@nm ~]# cat /usr/local/var/log/radius/radius.log
Wed Oct 29 11:23:25 2008 : Error: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
Wed Oct 29 11:23:25 2008 : Error: rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server.pem
Wed Oct 29 11:23:25 2008 : Error: rlm_eap: Failed to initialize type tls
Wed Oct 29 11:23:25 2008 : Error: /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
Wed Oct 29 11:23:25 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
Wed Oct 29 11:23:25 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
Wed Oct 29 11:23:25 2008 : Error: Errors initializing modules
The first start produces these EAP errors; then restart radiusd once more, this time without -X:
[root@nm local]# radiusd &
[1] 2419
Look at the log from another window:
[root@nm ~]# cat /usr/local/var/log/radius/radius.log

On the second start there is only one new log line and no error:
Wed Oct 29 13:09:48 2008 : Info: Ready to process requests.

    What a running radiusd looks like
[root@nm ~]# ps -ef | grep radiusd
root     2420     0 13:10 ?       00:00:00 radiusd
[root@nm ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:23                  0.0.0.0:*                   LISTEN
tcp        0      0 10.4.3.117:23               10.4.3.119:1058             ESTABLISHED
tcp        0    146 10.4.3.117:23               10.4.3.119:4471             ESTABLISHED
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 :::443                      :::*                        LISTEN
tcp        0      0 ::ffff:10.4.3.117:22        ::ffff:10.4.3.119:4488      ESTABLISHED
udp        0      0 0.0.0.0:1812                0.0.0.0:*
udp        0      0 0.0.0.0:1813                0.0.0.0:*
udp        0      0 0.0.0.0:1814                0.0.0.0:*

    Loopback test: radtest
radtest [-d raddb_directory] user password radius-server nas-port-number secret
nas-port-number: not needed here, 0 is fine
secret: the shared secret of the matching client in clients.conf (after installation the local client 127.0.0.1 has the default secret testing123)
[root@nm ~]# radtest test test localhost 0 testing123
Sending Access-Request of id 48 to 127.0.0.1 port 1812
       User-Name = "test"
       User-Password = "test"
       NAS-IP-Address = 127.0.0.1
       NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=48, length=20
Even though the user and password are bogus, receiving an Access-Reject is enough to prove that the FreeRADIUS server has started correctly.
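The Access-Request/Access-Reject exchange above, rebuilt in Python as an added example that is not part of the original post or of FreeRADIUS: it hides User-Password the RFC 2865 way (the "MD5 computation" the clients.conf notes below refer to) and verifies the reply's Response Authenticator under the shared secret, which is what lets a client tell a genuine Access-Reject from localhost apart from a spoofed or mis-keyed answer. Only the standard library is used; the constants are the RFC 2865 code and attribute numbers.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator          # the chain starts from the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev                         # next block is keyed by this ciphertext block
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server does it before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value   # Type, Length, Value

def build_access_request(ident, secret, user, password, nas_ip="127.0.0.1", nas_port=0, ra=None):
    """Same packet radtest sends: User-Name, User-Password, NAS-IP-Address, NAS-Port."""
    ra = ra or os.urandom(16)                                  # Request Authenticator
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(secret, ra, password.encode()))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def response_authenticator(header: bytes, attrs: bytes, ra: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + ra + attrs + secret).digest()

def parse_response(packet: bytes, secret: bytes, ra: bytes):
    """Return (code, id, length, authentic); a reply whose Response Authenticator does not
    verify under the shared secret is spoofed or came from a server with a different secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ok = response_authenticator(packet[:4], packet[20:length], ra, secret) == packet[4:20]
    return code, ident, length, ok
```

Sending the output of `build_access_request(48, b"testing123", "test", "test")` over UDP to 127.0.0.1:1812 reproduces the radtest exchange above; a code 3 reply that verifies is the Access-Reject.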

    System V init script shipped with FreeRADIUS
[root@vm ~]# cp /usr/local/sbin/rc.radiusd /etc/init.d/radius
[root@vm ~]# /etc/init.d/radius
Usage: /etc/init.d/ {start|stop|reload|restart|check}
[root@vm ~]# /etc/init.d/radius start
Starting FreeRADIUS: radiusd
[root@vm rc3.d]# ln -s ../init.d/radius S96radius
[root@vm rc3.d]# ls -l
lrwxrwxrwx  1 root root 14 Feb 23 13:32 S39ldap -> ../init.d/ldap*
lrwxrwxrwx  1 root root 16 Feb 27 09:06 S96radius -> ../init.d/radius*


    RADIUS server configuration consists of:
  •    radiusd.conf    server-side configuration
  •    clients.conf    stores the authentication information for RADIUS clients (NAS, routers), mainly the KEY (shared secret)
  •    ./modules/      configuration for LDAP, MySQL, digital certificates and the like
1. radiusd.conf: there is little to change here, it is all system properties (directories, PID, log and so on)
[root@vmmac ~]# vi /usr/local/etc/raddb/radiusd.conf
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#user = radius
#group = radius
By default these two lines are commented out, so the daemon runs as root.
If RADIUS authentication does not use local authentication (/etc/passwd), it is strongly recommended to run the daemon as the radius user.

max_requests = 1024
Default 1024; too small causes busy conditions under heavy authentication load, too large eats memory.

listen {
       type = auth        # listen for authentication
       ipaddr = *
       port = 0           # port 0 means listen on the port defined in /etc/services (1812)
}
listen {
       type = acct        # listen for accounting
       ipaddr = *
       port = 0
}

log {
       #  Destination for log messages:
       #      files - log to "file", as defined below.
       #      syslog - to syslog (see also the "syslog_facility", below.
       #      stdout - standard output
       #      stderr - standard error.
       #
       destination = files

       file = ${logdir}/radius.log

       #  Which syslog facility to use, if ${destination} == "syslog"
       syslog_facility = daemon

       #  Log authentication requests to the log file.
       #  With auth_badpass/auth_goodpass = yes the submitted passwords themselves are
       #  written to radius.log, so that file must stay readable by root only.
       auth = yes
       auth_badpass = yes
       auth_goodpass = yes
}

$INCLUDE clients.conf
clients.conf is in fact part of radiusd.conf; it has just been split out into its own file.

modules {
       $INCLUDE ${confdir}/modules/
       $INCLUDE eap.conf
       $INCLUDE sql.conf
       $INCLUDE sql/mysql/counter.conf
}
2. clients.conf defines the NAS entries; what you mainly set here is the KEY (shared secret), and this is the file you mainly edit.
[root@vmmac ~]# vi /usr/local/etc/raddb/clients.conf

client 10.4.193.26 {
       secret = admin123
       # What the secret is for: traffic between the RADIUS AAA server and the NAS is keyed with it,
       # and the password is not sent as-is but hidden with an MD5 computation over the secret
}

client 10.4.3.150 {
       secret = admin123
}

client localhost {
       ipaddr = 127.0.0.1
       secret         = testing123
}
# Defining a whole subnet is convenient with many NAS devices: clients.conf need not be edited every time a NAS is added
#client 192.168.0.0/24 {
#     secret         = testing123-1
#     shortname      = private-network-1
#}
#
#client 192.168.0.0/16 {
#     secret         = testing123-2
#     shortname      = private-network-2
#}
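As an added example that is not part of the original post or of FreeRADIUS, a small audit over a clients.conf in the format shown above: it parses the active client blocks, skipping the "#" commented subnet entries the way radiusd does, and reports stock example secrets, short secrets, and one secret reused across several NAS entries (a compromised NAS then impersonates the others). SAMPLE is constructed to mirror this page's file, and the 16-character minimum is an assumed policy value.

```python
import re

STOCK_SECRETS = {"testing123", "testing123-1", "testing123-2"}  # shipped in the example clients.conf

SAMPLE = """\
client 10.4.193.26 {
       secret = admin123
}
client 10.4.3.150 {
       secret = admin123
}
client localhost {
       ipaddr = 127.0.0.1
       secret = testing123
}
#client 192.168.0.0/24 {
#      secret = testing123-1
#}
"""  # constructed sample mirroring the clients.conf above, not a real deployment

def parse_clients(text: str) -> list:
    """One dict per active client block; '#' comments are dropped like radiusd drops them."""
    clients, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strips full-line and trailing comments
        m = re.match(r"client\s+(\S+)\s*\{", line)
        if m:
            current = {"name": m.group(1)}
        elif line == "}" and current is not None:
            clients.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return clients

def audit(clients: list, min_len: int = 16) -> list:
    """Flag stock secrets, secrets below min_len, and one secret reused across NAS entries."""
    findings, by_secret = [], {}
    for c in clients:
        name, secret = c.get("ipaddr", c["name"]), c.get("secret", "")
        by_secret.setdefault(secret, []).append(name)
        if secret in STOCK_SECRETS:
            findings.append(f"{name}: stock example secret {secret!r} still in use")
        if len(secret) < min_len:
            findings.append(f"{name}: secret shorter than {min_len} characters")
    for secret, names in by_secret.items():
        if len(names) > 1:
            findings.append(f"secret shared by {len(names)} clients: {', '.join(names)}")
    return findings
```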
 

    Note that radiusd.conf has no setting for the authentication method
The default is local:
a request to RADIUS automatically reads /etc/passwd or /etc/shadow,
then LDAP, MySQL and so on; those confs are already included, it just depends on whether you have configured them.

    If radiusd.conf is set up to work with LDAP and you are sure local (/etc/passwd) is never consulted, the daemon can be started directly as the radius user rather than root.