Install and configure freeradius using apt-get on Ubuntu

Source: Internet
Author: User
Tags freeradius

First, confirm that no RADIUS package is already installed on the local machine, so that you start from a clean installation. Use dpkg to check:

dpkg -l | grep radius

If nothing is returned, proceed to the next step. If a package is listed, purge it together with its configuration files with dpkg -P (for example dpkg -P freeradius), and then start the clean installation of freeradius.

Before installing freeradius, make sure the MySQL server is installed: it is needed later, and apt-get will not pull it in as a dependency of freeradius-mysql (that package only needs the client library).

apt-get install mysql-server

Then install freeradius together with its LDAP and MySQL modules:

sudo apt-get install freeradius freeradius-ldap freeradius-mysql

After installation, freeradius is started automatically. Because we are going to run it in debug mode in the foreground, stop the service first:

service freeradius stop

 

Note:

freeradius installed through apt-get on Ubuntu lives in a different place from a source build. A source build defaults to

/usr/local/etc/raddb/

while the Ubuntu package keeps its configuration files in

/etc/freeradius/

 

Then edit the users file under /etc/freeradius. It already contains the following sample entry, commented out:

steve   Cleartext-Password := "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

Uncomment these lines. They define a user named steve with password testing, which we use to check that the general rules let a user log in to the freeradius server (the reply items must stay indented: a line that starts in column one begins a new entry). Save the file, exit, and start freeradius in debug mode:

freeradius -X

Then open another terminal and use radtest to check that the user is accepted:

radtest steve testing localhost 1812 testing123

In this command, steve and testing are the user name and password; localhost is the RADIUS server (append :port if the server does not listen on the default UDP port 1812); the fourth argument, 1812, is not the server port but the value sent in the NAS-Port attribute; and testing123 is the shared secret between the RADIUS server and the client. It has to match the secret that clients.conf in /etc/freeradius defines for the localhost client:

client localhost {
...
...
secret = testing123
...
...
}

The comments in clients.conf ask for a secret of at least 8 characters, recommend 16 or more, and say to change it from the shipped default: testing123 is in every copy of the package, and anyone who knows a client's secret can recover the PAP passwords in its requests and forge Access-Accept replies to it. Keep testing123 only for this local test. For more details, read the comments above the secret parameter in clients.conf.

 

When radtest succeeds, the server answers with an Access-Accept.

One caveat: if a Linux account named steve happens to exist on the server, the outcome changes. In the default site configuration the unix module runs before files in the authorize section, so the system password is checked rather than the one in the users file, and a user who is not allowed to log in to Linux gets an Access-Reject.

 

 

In addition, if the RADIUS client runs on a different machine from the server, the client's IP address must be added to clients.conf on the server; requests from unknown source addresses are ignored.

vim /etc/freeradius/clients.conf

For example, if the client's IP address is 10.0.0.124, add the following block to clients.conf on the server:

client 10.0.0.124 {
        ipaddr = 10.0.0.124
        secret = testing123
        require_message_authenticator = no
        nastype = other
}

require_message_authenticator = no means the server will accept Access-Requests from this client that carry no Message-Authenticator attribute (an HMAC-MD5 over the packet, keyed with the shared secret). Set it to yes for any client that sends one; with no, the only thing tying a PAP request to the secret is the hidden User-Password. nastype is only used by checkrad for simultaneous-use checks and can stay at other.

Save clients.conf and restart the server. Then run radtest on the client with IP address 10.0.0.124, replacing localhost with the server's IP address.

P.S. The server matches clients by the source address it sees, so a client behind NAT must be listed under the address the server actually receives, and a firewall in between must allow UDP 1812 (and 1813 for accounting) to the server; otherwise the request goes unanswered.
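As an added example, not part of the original page, the following Python script rebuilds offline what radtest sends for `radtest steve testing localhost 1812 testing123` and what the server does with it: the PAP User-Password hidden with the shared secret (RFC 2865), the Message-Authenticator HMAC that require_message_authenticator = yes would demand (RFC 2869), and the Response Authenticator a client checks before trusting an Access-Accept. It sends nothing on the network; the packets, the secret testing123 and the Framed-IP-Address in the reply are constructed here, and the function names are this example's own.

```python
"""Added example (not from the original page): what radtest puts on the wire for
`radtest steve testing localhost 1812 testing123`, rebuilt offline from RFC 2865/2869.

Shown: hiding the PAP User-Password with the shared secret, the Message-Authenticator
HMAC that require_message_authenticator controls, and the Response Authenticator a
client checks before trusting an Access-Accept. No sockets; everything is constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type numbers from RFC 2865 (1, 2, 5, 8) and RFC 2869 (80).
USER_NAME, USER_PASSWORD, NAS_PORT, FRAMED_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 5, 8, 80

def encode_attr(atype, value):
    """Type (1 byte), length (1 byte, counts the 2 header bytes), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block).
    The first block is keyed with the Request Authenticator, so the same password
    hides to different bytes on every request."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out

def pap_reveal(hidden, secret, authenticator):
    """Server-side inverse of pap_hide; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, nas_port, identifier, authenticator=None):
    """Access-Request carrying User-Name, hidden User-Password, NAS-Port and Message-Authenticator.
    radtest's fourth argument is the NAS-Port value, which is why it shows up as an attribute."""
    authenticator = authenticator or os.urandom(16)
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
             + encode_attr(NAS_PORT, struct.pack("!I", nas_port))
             + encode_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 5.14: HMAC-MD5 keyed with the secret over the packet with the
    # Message-Authenticator value zeroed; the digest then replaces those 16 bytes.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def parse_attributes(packet):
    """Return [(type, value), ...] from the attribute area after the 20-byte header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def verify_message_authenticator(packet, secret):
    """What require_message_authenticator = yes makes the server do: recompute the HMAC
    with the attribute zeroed and compare. A packet without the attribute fails."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False

def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request_authenticator, secret):
    """Client side: trust a reply only if its authenticator was computed with the secret."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    secret, auth = b"testing123", os.urandom(16)
    req = build_access_request("steve", "testing", secret, 1812, 1, auth)
    print("hidden User-Password:", dict(parse_attributes(req))[USER_PASSWORD].hex())
    accept = build_response(ACCESS_ACCEPT, req, secret, encode_attr(FRAMED_IP_ADDRESS, bytes([172, 16, 3, 33])))
    print("reply verifies:", verify_response(accept, auth, secret), "with wrong secret:", verify_response(accept, auth, b"x"))
```

Run it as a script to see the hidden password bytes change with every request authenticator while the same secret still verifies the reply; with a wrong secret both checks fail, which is exactly why the secret in clients.conf must stay private and must not be the shipped default.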

================================================================================

Next, we will connect freeradius to the MySQL database.

The first thing to do is to create the radius database. Log in to MySQL:

mysql -uroot -p

Then create the database:

CREATE DATABASE radius;

Exit MySQL with exit and create the tables. freeradius ships the SQL scripts for this; run them yourself. First locate them:

cd /etc/freeradius/sql/mysql

The directory holds a number of SQL and configuration files:

-rw-r--r-- 1 root root      661 2010-01-04 21:56 admin.sql
-rw-r----- 1 root freerad 4543 2010-01-04 21:56 counter.conf
-rw-r--r-- 1 root root 1242 2010-01-04 21:56 cui.conf
-rw-r--r-- 1 root root 452 2010-01-04 21:56 cui.sql
-rw-r----- 1 root freerad 14375 2012-01-31 23:26 dialup.conf
-rw-r----- 1 root freerad 14379 2012-01-31 23:25 dialup.conf.bak
-rw-r----- 1 root freerad 4058 2010-01-04 21:56 ippool.conf
-rw-r----- 1 root freerad 579 2010-01-04 21:56 ippool.sql
-rw-r----- 1 root freerad 400 2010-01-04 21:56 nas.sql
-rw-r----- 1 root freerad 4318 2010-01-04 21:56 schema.sql
-rw-r--r-- 1 root root 1844 2010-01-04 21:56 wimax.conf
-rw-r--r-- 1 root root 407 2010-01-04 21:56 wimax.sql

admin.sql creates the MySQL account that freeradius will use to reach the radius database, named radius with the password radpass, and grants it the rights it needs on that database.

schema.sql creates the basic tables of the radius database.

The other .sql files belong to optional modules (ippool, cui, nas, wimax) and do not need to be imported until those modules are enabled.

First import admin.sql:

mysql -uUSERNAME -pPASSWD radius < admin.sql

USERNAME and PASSWD are the credentials of a MySQL administrator, usually root. Read admin.sql before running it and change radpass to a password of your own: the default is public knowledge, and this account can read every user's Cleartext-Password.

Import schema.sql in the same way. If both succeed, you can log in to MySQL as the radius account:

mysql -uradius -p

The password is radpass unless you changed it in admin.sql. After logging in, have a look at the database:

use radius;
show tables;

The tables have been created. The MySQL side is now deployed; next, configure freeradius to use it.

Edit /etc/freeradius/radiusd.conf and find the line

$INCLUDE sql.conf

Uncomment it so that sql.conf is loaded.

Then edit /etc/freeradius/sql.conf:

sql {
        #
        # Set the database to one of:
        #
        # mysql, mssql, oracle, postgresql
        #
        database = "mysql"

        #
        # Which FreeRADIUS driver to use.
        #
        driver = "rlm_sql_${database}"

        # Connection info:
        server = "localhost"
        #port = 3306
        login = "radius"
        password = "radpass"

        # Database table configuration for everything except Oracle
        radius_db = "radius"
        ...
}

In the Ubuntu package, sql.conf already has database set to mysql; if yours says something else, change it to mysql. Then check the password parameter: if you changed the radius user's password in admin.sql, put the new password here. The remaining parameters can stay at their defaults. This file now holds a database credential, so keep it readable only by root and the freerad group, as the package does for the files under /etc/freeradius/sql/mysql.

With sql.conf done, tell the default virtual server to use MySQL as its data store:

vim /etc/freeradius/sites-available/default

In the authorize {} section, comment out files and uncomment sql. files is the module that reads the users file; from now on user information is stored in MySQL instead of users. (Leaving files enabled as well does no harm; it is simply consulted before sql.)

In the accounting {} section, uncomment sql so that accounting records are written to the database.

In the session {} section, uncomment sql to enable the simultaneous-use limit; one more change is needed for this, covered below.

In the post-auth {} section, uncomment sql to log the result of every authentication.

The entire file is as follows:

authorize {
...
...
# files
sql
...
}

...
...

accounting {
...
sql
...
}

...
...


session {
radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}


post-auth {
...
sql
...
...
}

 

If you enabled the simultaneous-use check in session {} above, one more step is needed.

Edit dialup.conf:

vim /etc/freeradius/sql/mysql/dialup.conf

Find these lines and uncomment the query:

    # Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"

With that, the MySQL side of the radius configuration is complete.

Now insert a few users into the radius database to test MySQL + freeradius authentication. After the inserts, the tables look like this:

mysql> select * from radusergroup;
+------------+-----------+----------+
| UserName   | GroupName | priority |
+------------+-----------+----------+
| fredf      | dynamic   |        1 |
| barney     | static    |        1 |
| dialrouter | netdial   |        1 |
+------------+-----------+----------+
3 rows in set (0.01 sec)

mysql> select * from radcheck;
+----+------------+--------------------+--------+------+
| id | UserName   | Attribute          | Value  | Op   |
+----+------------+--------------------+--------+------+
|  1 | fredf      | Cleartext-Password | wilma  | :=   |
|  2 | barney     | Cleartext-Password | betty  | :=   |
|  3 | dialrouter | Cleartext-Password | dialup | :=   |
+----+------------+--------------------+--------+------+
3 rows in set (0.01 sec)

mysql> select * from radreply;
+----+------------+-------------------+-------------------------+------+
| id | UserName   | Attribute         | Value                   | Op   |
+----+------------+-------------------+-------------------------+------+
|  1 | barney     | Framed-IP-Address | 1.2.3.4                 | :=   |
|  2 | dialrouter | Framed-IP-Address | 2.3.4.1                 | :=   |
|  3 | dialrouter | Framed-IP-Netmask | 255.255.255.255         | :=   |
|  4 | dialrouter | Framed-Routing    | Broadcast-Listen        | :=   |
|  5 | dialrouter | Framed-Route      | 2.3.4.0 255.255.255.248 | :=   |
|  6 | dialrouter | Idle-Timeout      | 900                     | :=   |
+----+------------+-------------------+-------------------------+------+
6 rows in set (0.01 sec)

mysql> select * from radgroupreply;
+----+-----------+--------------------+---------------------+------+
| id | GroupName | Attribute          | Value               | Op   |
+----+-----------+--------------------+---------------------+------+
| 34 | dynamic   | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
| 33 | dynamic   | Framed-Protocol    | PPP                 | :=   |
| 32 | dynamic   | Service-Type       | Framed-User         | :=   |
| 35 | dynamic   | Framed-MTU         | 1500                | :=   |
| 37 | static    | Framed-Protocol    | PPP                 | :=   |
| 38 | static    | Service-Type       | Framed-User         | :=   |
| 39 | static    | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
| 41 | netdial   | Service-Type       | Framed-User         | :=   |
| 42 | netdial   | Framed-Protocol    | PPP                 | :=   |
+----+-----------+--------------------+---------------------+------+
9 rows in set (0.01 sec)
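As an added example that is not part of the original page, the following Python script rebuilds these tables in an in-memory SQLite database, inserts the rows shown above with plain INSERT statements that can be pasted into the MySQL client as they are, and walks the lookups rlm_sql performs for a request: radcheck and radreply for the user, then radgroupcheck and radgroupreply for each group listed in radusergroup. It also includes the simul_count_query from dialup.conf. The CREATE statements are simplified stand-ins for schema.sql, the radgroupcheck row (Simultaneous-Use := 1 for the static group) and the two radacct rows are constructed for this example, and operator handling is reduced to "first Cleartext-Password wins".

```python
"""Added example (not from the original page): the authorization tables above, rebuilt
in an in-memory SQLite database so the rlm_sql lookups can be run without MySQL.

The CREATE statements are simplified stand-ins for schema.sql; the INSERTs are the rows
shown on the page plus a constructed radgroupcheck row and two constructed radacct rows."""
import hmac
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radacct       (radacctid INTEGER PRIMARY KEY, username TEXT, acctstarttime TEXT, acctstoptime TEXT);
"""

# Plain SQL: these INSERTs can be pasted into the MySQL client unchanged.
SAMPLE_DATA = """
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('fredf', 'dynamic', 1), ('barney', 'static', 1), ('dialrouter', 'netdial', 1);
INSERT INTO radcheck (id, username, attribute, op, value) VALUES
  (1, 'fredf', 'Cleartext-Password', ':=', 'wilma'),
  (2, 'barney', 'Cleartext-Password', ':=', 'betty'),
  (3, 'dialrouter', 'Cleartext-Password', ':=', 'dialup');
INSERT INTO radreply (id, username, attribute, op, value) VALUES
  (1, 'barney', 'Framed-IP-Address', ':=', '1.2.3.4'),
  (2, 'dialrouter', 'Framed-IP-Address', ':=', '2.3.4.1'),
  (3, 'dialrouter', 'Framed-IP-Netmask', ':=', '255.255.255.255'),
  (4, 'dialrouter', 'Framed-Routing', ':=', 'Broadcast-Listen'),
  (5, 'dialrouter', 'Framed-Route', ':=', '2.3.4.0 255.255.255.248'),
  (6, 'dialrouter', 'Idle-Timeout', ':=', '900');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES
  (34, 'dynamic', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP'),
  (33, 'dynamic', 'Framed-Protocol', ':=', 'PPP'),
  (32, 'dynamic', 'Service-Type', ':=', 'Framed-User'),
  (35, 'dynamic', 'Framed-MTU', ':=', '1500'),
  (37, 'static', 'Framed-Protocol', ':=', 'PPP'),
  (38, 'static', 'Service-Type', ':=', 'Framed-User'),
  (39, 'static', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP'),
  (41, 'netdial', 'Service-Type', ':=', 'Framed-User'),
  (42, 'netdial', 'Framed-Protocol', ':=', 'PPP');
-- constructed: the 'static' group may hold one session at a time (enforced by session { sql })
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES ('static', 'Simultaneous-Use', ':=', '1');
-- constructed accounting rows: barney has one session still open (no stop time) and one closed
INSERT INTO radacct (username, acctstarttime, acctstoptime) VALUES
  ('barney', '2012-02-01 10:00:00', NULL), ('barney', '2012-01-31 09:00:00', '2012-01-31 09:30:00');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE_DATA)
    return db

def authorize(db, username):
    """Collect (attribute, op, value) check and reply items the way rlm_sql does:
    the user's own rows first, then each group's rows in priority order."""
    q = lambda sql, arg: db.execute(sql, (arg,)).fetchall()
    check = q("SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id", username)
    reply = q("SELECT attribute, op, value FROM radreply WHERE username = ? ORDER BY id", username)
    for (group,) in q("SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority", username):
        check += q("SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY id", group)
        reply += q("SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id", group)
    return check, reply

def pap_check(db, username, password):
    """PAP decision: Access-Accept only when a Cleartext-Password check item matches."""
    check, reply = authorize(db, username)
    stored = [v for a, _op, v in check if a == "Cleartext-Password"]
    if not stored or not hmac.compare_digest(stored[0].encode(), password.encode()):
        return "Access-Reject", []
    return "Access-Accept", reply

def simul_count(db, username):
    """simul_count_query from dialup.conf: open sessions are radacct rows with no stop time."""
    return db.execute("SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
                      (username,)).fetchone()[0]

def session_allowed(db, username):
    """The session { sql } check: refuse once open sessions reach the Simultaneous-Use limit."""
    check, _reply = authorize(db, username)
    limits = [int(v) for a, _op, v in check if a == "Simultaneous-Use"]
    return not limits or simul_count(db, username) < limits[0]

if __name__ == "__main__":
    db = open_db()
    for user, pw in (("fredf", "wilma"), ("fredf", "nope"), ("barney", "betty")):
        status, reply = pap_check(db, user, pw)
        print(user, status, reply, "session allowed:", session_allowed(db, user))
```

Note what the radcheck table implies: with Cleartext-Password the database holds every password in the clear, readable by anyone with the radius MySQL credentials from sql.conf. If PAP is the only method you need, rlm_pap also accepts hashed check items such as Crypt-Password or SSHA-Password in the same column.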

Note that the attribute names and values in these rows are fixed strings defined in the dictionary, not free text. The dictionary of the current configuration is /etc/freeradius/dictionary, which contains little beyond an include of the system-wide dictionary:

$INCLUDE /usr/share/freeradius/dictionary

That file is again a list of includes, so the real definitions live in the files under /usr/share/freeradius/: Framed-IP-Address, for example, is defined in dictionary.rfc2865, and Cleartext-Password in dictionary.freeradius.internal.

 

Then start freeradius in debug mode:

freeradius -X

The freeradius service must be stopped first, otherwise the two instances conflict. Now test with the users inserted above.

For example, with user fredf and password wilma:

radtest fredf wilma localhost 1812 testing123

When Access-Accept is returned, the reply attributes follow: the user's own radreply rows first, then the radgroupreply rows for the user's group. If that is what comes back, the configuration is correct.
