FreeRADIUS + MySQL installation and configuration notes

Source: Internet
Author: User
Tags freeradius

Remote Authentication Dial In User Service (Remote User dialing authentication System) is currently the most widely used AAA Protocol (AAA = Authentication, Authorization, Accounting, authentication, authorization, and billing ). As the demand for network security increases, small and medium-sized enterprises need to establish their own Authentication servers to manage dial-up users, especially when using VPDN private networks. However, these users do not need to use expensive professional systems. They can be reliably implemented by using PC servers and Linux Freeradius + MySQL.
First, make sure that you have set up pptpd and can use it properly.


1. FreeRADIUS Server Installation
1.1 download, compile, and install
Ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.11.tar.gz wget-c
Tar zxf freeradius-server-2.1.11.tar.gz
Cd freeradius-server-2.1.11
./Configure
Make & make install

1.2 Local test of basic files (selected)
Test whether the installation is successful. If you do not need to integrate with mysql, the installation is complete.


Vim/usr/local/etc/raddb/users
Search for steve Cleartext-Password: = "testing" (lines-84) and uncomment the content.

# Uppercase X indicates running in debug mode.
/Usr/local/sbin/radiusd-X
 
# Run in a new window. If you see "Access-Accept packet", the operation is successful. If you see "Access-Accept packet", the operation fails.
/Usr/local/bin/radtest steve testing localhost 0 testing123

Ii. FreeRadius MySQL module configuration
2.1 enable MySQL module support

# Find "SQL. conf" (row 683) and remove #
Vim/usr/local/etc/raddb/radiusd. conf

2.2 create a radius database and table

#123456 is your mysql root Password
Mysqladmin-uroot-p123456 create radius;

# Modifying the password of a radius account
Cd/usr/local/etc/raddb/SQL/mysql
Sed-I's/radpass/123456/G' admin. SQL
Sed-I's/radpass/123456/G'/usr/local/etc/raddb/SQL. conf

Mysql-uroot-p123456 <admin. SQL
Mysql-uroot-p123456 radius <ippool. SQL
Mysql-uroot-p123456 radius <schema. SQL
Mysql-uroot-p123456 radius <wimax. SQL
Mysql-uroot-p123456 radius <cui. SQL
Mysql-uroot-p123456 radius <nas. SQL

2.3 enable support for querying nas from a database
By default, it is read from the "/usr/local/etc/raddb/clients. conf" file. If it is enabled, it can be read from the database nas table.


Sed-I's/\ # readclients/G'/usr/local/etc/raddb/SQL. conf

2.4 enable online user query support

# Find simul_count_query and remove comments from line 279-282
Vim/usr/local/etc/raddb/SQL/mysql/dialup. conf

2.5 modify the sites-enabled directory configuration file.

Vim/usr/local/etc/raddb/sites-enabled/default

Find the authorize {} module, comment out files (row 159), and remove the # (row 166) before the SQL statement)
Find the accounting {} module, comment out radutmp (row 385), comment out # (row 395) before the SQL ).
Find the session {} module, comment out radutmp (row 439), and remove the # (row 443) before the SQL statement ).
Find the post-auth {} module, remove the # (row 464) before the SQL statement, and remove the # (row 552) before the SQL statement ).

Vim/usr/local/etc/raddb/sites-enabled/inner-tunnel

Find the authorize {} module, comment out files (row 124), and remove the # (row 131) before the SQL statement ).
Find the session {} module, comment out radutmp (row 251), and remove the # (row 255) before the SQL statement ).
Find the post-auth {} module, remove the # (row 277) before the SQL statement, and remove the # (row 301) before the SQL statement ).

3. install and configure FreeRADIUS Client
3.1. Compilation and Installation
Ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.gz wget-c
Tar-zxf freeradius-client-1.1.6.tar.gz
Cd freeradius-client-1.1.6
./Configure
Make & make install

3.2 set the communication Password
Cat>/usr/local/etc/radiusclient/servers <EOF
Localhost testing123
EOF

Localhost can be written as the server IP address, and testing123 is the connection password of the authentication server.
Note: If you are using an IP address, remember to modify the following settings at the same time.

1
Sed-I's/localhost/192.168.8.129/G'/usr/local/etc/radiusclient. conf

3.3 Add a dictionary
This step is important! Otherwise, the windows client cannot connect to the server.

1
2
Http://small-script.googlecode.com/files/dictionary.microsoft wget-c
Mv./dictionary. microsoft/usr/local/etc/radiusclient/
Cat>/usr/local/etc/radiusclient/dictionary <EOF
INCLUDE/usr/local/etc/radiusclient/dictionary. sip
INCLUDE/usr/local/etc/radiusclient/dictionary. ascend
INCLUDE/usr/local/etc/radiusclient/dictionary. merit
INCLUDE/usr/local/etc/radiusclient/dictionary. compat
INCLUDE/usr/local/etc/radiusclient/dictionary. microsoft
EOF

3.4. Enable freeradius plug-in PPTP
Some online tutorials are not mentioned in this step, but they are very important. Otherwise, an error will be reported!

Sed-I's/logwtmp/\ # logwtmp/G'/etc/pptpd. conf
Sed-I's/radius_deadtime/\ # radius_deadtime/G'/usr/local/etc/radiusclient. conf
Sed-I's/bindaddr/\ # bindaddr/G'/usr/local/etc/radiusclient. conf

Note: The 64-bit system plug-in path is "/usr/lib64/pppd/2.4.5/radius. so"

Cat>/etc/ppp/pptpd-options <EOF
Plugin/usr/lib/pppd/2.4.5/radius. so
Radius-config-file/usr/local/etc/radiusclient. conf
EOF

3.5 enable freeradius plug-in L2TP
The same applies to L2TP. First, install and configure L2TP/IPSec to ensure normal use.

Note: The 64-bit system plug-in path is "/usr/lib64/pppd/2.4.5/radius. so"


Cat>/etc/ppp/options. xl2tpd <EOF
Plugin/usr/lib/pppd/2.4.5/radius. so
Radius-config-file/usr/local/etc/radiusclient. conf
EOF

Iv. user permission management

# Connecting to the MySQL database
Mysql-uroot-p123456;
 
# Using the radius Database
USE radius;
 
# Add the user demo and password demo. Note that it is in the radchec table.
Insert into radcheck (username, attribute, op, VALUE) VALUES ('Demo', 'cleartext-password', ': =', 'Demo ');
 
# Add User demo to VIP1 User Group
Insert into radusergroup (username, groupname) VALUES ('Demo', 'vip1 ');
 
# Restrict the number of simultaneous logins. Note that the number of simultaneous logins is in the radgroupcheck table.
Insert into radgroupcheck (groupname, attribute, op, VALUE) VALUES ('normal', 'simultaneous-use', ': =', '1 ');
 
# Others
Insert into radgroupreply (groupname, attribute, op, VALUE) VALUES ('vip1', 'auth-type', ': =', 'local ');
Insert into radgroupreply (groupname, attribute, op, VALUE) VALUES ('vip1', 'service-type', ': =', 'framed-user ');
Insert into radgroupreply (groupname, attribute, op, VALUE) VALUES ('vip1', 'framed-Protocol', ': =', 'ppp ');
Insert into radgroupreply (groupname, attribute, op, VALUE) VALUES ('vip1', 'framed-mtu', ': =', '123 ');
Insert into radgroupreply (groupname, attribute, op, VALUE) VALUES ('vip1', 'framed-compression', ': =', 'Van-Jakobson-TCP-IP ');

5. Start
 
Cp/usr/local/sbin/rc. radiusd/etc/init. d/radiusd
/Etc/init. d/radiusd start

Address: https://wangyan.org/blog/freeradius-pptp-l2tp-html.html
Reference: wiki.freeradius.org/sql000020howto

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.