Remote Authentication Dial In User Service (RADIUS) is currently the most widely used AAA protocol (AAA = Authentication, Authorization, Accounting). As the demand for network security grows, small and medium-sized enterprises need their own authentication servers to manage dial-up users, especially when running a VPDN private network. They do not need an expensive commercial system for this: a PC server running Linux with FreeRADIUS + MySQL does the job reliably.
First, make sure that you have set up pptpd and can use it properly.
1. FreeRADIUS Server Installation
1.1 Download, compile, and install
wget -c ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.11.tar.gz
tar zxf freeradius-server-2.1.11.tar.gz
cd freeradius-server-2.1.11
./configure
make && make install
1.2 Local test with the basic files (optional)
This checks that the installation works. If you do not need MySQL integration, the installation is complete after this step.
vim /usr/local/etc/raddb/users
Search for the line steve Cleartext-Password := "testing" (around line 84) and uncomment it.
# Uppercase -X runs the server in the foreground in debug mode.
/usr/local/sbin/radiusd -X
# Run this in a second window. An "Access-Accept packet" in the output means the test succeeded; an "Access-Reject packet" means it failed.
/usr/local/bin/radtest steve testing localhost 0 testing123
2. FreeRADIUS MySQL module configuration
2.1 Enable MySQL module support
# Find the "$INCLUDE sql.conf" line (around line 683) and remove the leading #
vim /usr/local/etc/raddb/radiusd.conf
2.2 Create the radius database and tables
# 123456 is your MySQL root password
mysqladmin -uroot -p123456 create radius
# Change the password of the radius database account (radpass by default) to match
cd /usr/local/etc/raddb/sql/mysql
sed -i 's/radpass/123456/g' admin.sql
sed -i 's/radpass/123456/g' /usr/local/etc/raddb/sql.conf
mysql -uroot -p123456 < admin.sql
mysql -uroot -p123456 radius < ippool.sql
mysql -uroot -p123456 radius < schema.sql
mysql -uroot -p123456 radius < wimax.sql
mysql -uroot -p123456 radius < cui.sql
mysql -uroot -p123456 radius < nas.sql
2.3 Enable reading NAS clients from the database
By default, clients are read from /usr/local/etc/raddb/clients.conf. With readclients enabled they are also read from the nas table in the database (at startup only).
sed -i 's/#readclients/readclients/g' /usr/local/etc/raddb/sql.conf
2.4 Enable online-user (simultaneous-use) query support
# Find simul_count_query and uncomment lines 279-282
vim /usr/local/etc/raddb/sql/mysql/dialup.conf
2.5 Modify the configuration files in the sites-enabled directory
vim /usr/local/etc/raddb/sites-enabled/default
In the authorize {} section, comment out files (line 159) and remove the # before sql (line 166).
In the accounting {} section, comment out radutmp (line 385) and remove the # before sql (line 395).
In the session {} section, comment out radutmp (line 439) and remove the # before sql (line 443).
In the post-auth {} section, remove the # before sql (line 464) and the # before sql in Post-Auth-Type REJECT (line 552).
vim /usr/local/etc/raddb/sites-enabled/inner-tunnel
In the authorize {} section, comment out files (line 124) and remove the # before sql (line 131).
In the session {} section, comment out radutmp (line 251) and remove the # before sql (line 255).
In the post-auth {} section, remove the # before sql (line 277) and the # before sql (line 301).
3. Install and configure the FreeRADIUS client
3.1 Compilation and installation
wget -c ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.gz
tar -zxf freeradius-client-1.1.6.tar.gz
cd freeradius-client-1.1.6
./configure
make && make install
3.2 Set the shared secret
cat > /usr/local/etc/radiusclient/servers <<EOF
localhost testing123
EOF
localhost can be replaced by the server's IP address; testing123 is the shared secret used to talk to the authentication server.
Note: if you use an IP address, remember to change the following setting at the same time.
sed -i 's/localhost/192.168.8.129/g' /usr/local/etc/radiusclient.conf
3.3 Add the dictionary
This step is important! Without the Microsoft dictionary (MS-CHAP attributes), Windows clients cannot connect to the server.
wget -c http://small-script.googlecode.com/files/dictionary.microsoft
mv ./dictionary.microsoft /usr/local/etc/radiusclient/
cat > /usr/local/etc/radiusclient/dictionary <<EOF
INCLUDE /usr/local/etc/radiusclient/dictionary.sip
INCLUDE /usr/local/etc/radiusclient/dictionary.ascend
INCLUDE /usr/local/etc/radiusclient/dictionary.merit
INCLUDE /usr/local/etc/radiusclient/dictionary.compat
INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft
EOF
3.4 Enable the FreeRADIUS plug-in for PPTP
Some online tutorials skip this step, but it is essential; otherwise an error is reported.
sed -i 's/logwtmp/#logwtmp/g' /etc/pptpd.conf
sed -i 's/radius_deadtime/#radius_deadtime/g' /usr/local/etc/radiusclient.conf
sed -i 's/bindaddr/#bindaddr/g' /usr/local/etc/radiusclient.conf
Note: on a 64-bit system the plug-in path is "/usr/lib64/pppd/2.4.5/radius.so"
# Append to the existing pptpd options file (>> rather than >) so the working pptpd settings are kept
cat >> /etc/ppp/pptpd-options <<EOF
plugin /usr/lib/pppd/2.4.5/radius.so
radius-config-file /usr/local/etc/radiusclient.conf
EOF
3.5 Enable the FreeRADIUS plug-in for L2TP
The same applies to L2TP. First install and configure L2TP/IPSec and make sure it works on its own.
Note: on a 64-bit system the plug-in path is "/usr/lib64/pppd/2.4.5/radius.so"
# Append to the existing xl2tpd PPP options file
cat >> /etc/ppp/options.xl2tpd <<EOF
plugin /usr/lib/pppd/2.4.5/radius.so
radius-config-file /usr/local/etc/radiusclient.conf
EOF
4. User and permission management
# Connect to MySQL
mysql -uroot -p123456
# Switch to the radius database
USE radius;
# Add the user demo with password demo. Note that passwords go in the radcheck table.
INSERT INTO radcheck (username, attribute, op, value) VALUES ('demo', 'Cleartext-Password', ':=', 'demo');
# Add user demo to the group vip1
INSERT INTO radusergroup (username, groupname) VALUES ('demo', 'vip1');
# Limit the number of simultaneous logins. Note that this check item goes in the radgroupcheck table.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES ('normal', 'Simultaneous-Use', ':=', '1');
# Other reply items for the group
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('vip1', 'Auth-Type', ':=', 'Local');
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('vip1', 'Service-Type', ':=', 'Framed-User');
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('vip1', 'Framed-Protocol', ':=', 'PPP');
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('vip1', 'Framed-MTU', ':=', '123');
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('vip1', 'Framed-Compression', ':=', 'Van-Jacobson-TCP-IP');
5. Start the server
cp /usr/local/sbin/rc.radiusd /etc/init.d/radiusd
/etc/init.d/radiusd start
Source: https://wangyan.org/blog/freeradius-pptp-l2tp-html.html
Reference: wiki.freeradius.org/sql000020howto