FreeRadius安装配置整理
利用Amazon的EC2实例,整理了一下FreeRadius的安装配置。
1. yum install freeradius freeradius-mysql freeradius-utils
2. local test
2a. vi /etc/raddb/users and uncomment the test-user section below (re-comment it once local testing is done — it is a cleartext test account):
steve Cleartext-Password := “testing”
2b. vi /etc/raddb/clients.conf, change the the ipaddr of client localhost to the local eth0 interface
ipaddr = 10.150.186.120
2c. run radius in debug mode
/usr/local/sbin/radiusd -X
2d. run radtest; an "Access-Accept" packet means success, "Access-Reject" means failure. (testing123 is the shared secret used here for the localhost client; change it in clients.conf before the server is reachable by anything other than this host.)
/usr/local/bin/radtest steve testing localhost 0 testing123
3. Enable mysql module
3a. 启用MySQL模块支持
vim /etc/raddb/radiusd.conf
# 查找"sql.conf"(约683行,行号因版本而异),去掉前面的#号
#找到$INCLUDE sql/mysql/counter.conf,去掉前面的#。
3b. 创建 radius 数据库及表
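# 123456 stands for your MySQL root password throughout this section.
# NOTE(review): a password given on the command line (-p123456) is visible to
# every local user in the process list and is kept in the shell history; on a
# real host use `-p` alone and type it at the prompt, or a root-only ~/.my.cnf.
mysqladmin -uroot -p123456 create radius;
# Set the password of the 'radius' MySQL account: admin.sql creates it with the
# placeholder 'radpass', and sql.conf is the FreeRADIUS side of the same
# credential, so both must receive the same value.  Use a password that differs
# from the root one; the example reuses 123456 only for brevity.
# (The original used curly quotes around the sed expression, which the shell
# passes through literally and sed rejects; plain single quotes are required.)
cd /etc/raddb/sql/mysql
sed -i 's/radpass/123456/g' admin.sql
sed -i 's/radpass/123456/g' /etc/raddb/sql.conf
# Create the radius MySQL account (admin.sql), then load the tables into the
# radius database.
mysql -uroot -p123456 < admin.sql
mysql -uroot -p123456 radius < ippool.sql
mysql -uroot -p123456 radius < schema.sql
mysql -uroot -p123456 radius < wimax.sql
mysql -uroot -p123456 radius < cui.sql
mysql -uroot -p123456 radius < nas.sql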
3.c 打开从数据库查询nas支持。默认从"/etc/raddb/clients.conf"文件读取,开启后可从数据库nas表读取(nas表中保存的是各客户端的共享密钥,sql.conf里配置的数据库帐号应只授予radius库的最小权限)。
sed -i 's/\#readclients/readclients/g' /etc/raddb/sql.conf
(you can then comment out the clients.conf inclusion in radiusd.conf, as long as every client — including localhost if you still use radtest — has a row in the nas table)
3.d 开在线人数查询支持
# 查找simul_count_query将279-282行注释去掉
vim /etc/raddb/sql/mysql/dialup.conf
3.e 修改sites-enabled目录配置文件
vim /usr/local/etc/raddb/sites-enabled/default
找到authorize {}模块,注释掉files(159行),去掉sql前的#号(166行)
找到accounting {}模块,注释掉radutmp(385行),去掉sql前面的#号(395行)。
找到session {}模块,注释掉radutmp(439行),去掉sql前面的#号(443行)。
找到post-auth {}模块,去掉sql前的#号(464行),去掉sql前的#号(552行)。
4. radiusclient configuration
4a. get radiusclient configuration from ppp source package
mkdir -p /usr/local/etc/radiusclient
From ppp source code :
wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gz
tar zxvf ppp-2.4.5.tar.gz
cp -R /root/ppp-2.4.5/pppd/plugins/radius/etc/ /usr/local/etc/radiusclient
From ppp src.rpm
Amazon: get the ppp src package with the get_reference_code command
RedHat/CentOS: download the src.rpm with yumdownloader
Debian apt-get source
rpm2cpio xxx.rpm | cpio -div
cp -R /root/ppp-2.4.5/pppd/plugins/radius/etc/ /usr/local/etc/radiusclient
4b. 编辑/usr/local/etc/radiusclient/servers,加上一组服务器和密钥,本例中为“MyVPN”:
localhost MyVPN
4c. Confirm the secret is the same as the one in /etc/raddb/clients.conf or in the nas table in SQL (the servers file holds it in cleartext, so keep it readable only by root)
4d. 编辑/usr/local/etc/radiusclient/dictionary,将最后一行改为:
INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft
可以再添加一行:
INCLUDE /usr/local/etc/radiusclient/dictionary.merit
# add your own attributes (they must match the server-side dictionary in step 9b; note that attribute numbers above 255 do not fit the one-byte Type field of a standard RADIUS attribute, so confirm whether Monthly-Traffic-Limit actually reaches the client or define it as a vendor-specific attribute)
ATTRIBUTE Max-Monthly-Traffic 3003 integer
ATTRIBUTE Monthly-Traffic-Limit 3004 integer
ATTRIBUTE Monthly-Traffic 3005 integer
5. PPTP启用freeradius插件
5a. /etc/ppp/options.pptpd, add the following
plugin radius.so
plugin radattr.so
radius-config-file /usr/local/etc/radiusclient/radiusclient.conf
5b. if needed
# Presumably stops pptpd writing wtmp records (comments out 'logwtmp' in pptpd.conf).
sed -i 's/logwtmp/\#logwtmp/g' /etc/pptpd.conf
# Comment out radius_deadtime and bindaddr in radiusclient.conf.  These seds
# have no anchor, so re-running them stacks another '#' (harmless) and any
# other line containing the word is affected as well.
sed -i 's/radius_deadtime/\#radius_deadtime/g' /usr/local/etc/radiusclient/radiusclient.conf
sed -i 's/bindaddr/\#bindaddr/g' /usr/local/etc/radiusclient/radiusclient.conf
5c. /etc/ppp/options.xl2tpd, add the following
plugin radius.so
plugin radattr.so
radius-config-file /usr/local/etc/radiusclient/radiusclient.conf
6. 用户权限管理
# 连接 MySQL 数据库
mysql -uroot -p123456;
# 使用 radius 数据库
# Select the radius database created in step 3b.
USE radius;
# Create user 'demo' with password 'demo' -- note this goes in the radcheck table.
# NOTE(review): Cleartext-Password stores the password unencrypted in the
# database.  MS-CHAP (PPTP) needs a cleartext or NT-hash password, so the table
# cannot simply hold a salted hash -- restrict who can read the radius database.
INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('demo','Cleartext-Password',':=','demo');
# Put user 'demo' into the VIP1 group.
INSERT INTO radusergroup (username,groupname) VALUES ('demo','VIP1');
# Limit concurrent logins -- note this goes in the radgroupcheck table.
# NOTE(review): this row targets group 'normal', while demo was added to 'VIP1'
# above, so it does not apply to demo unless 'normal' is meant as a separate group.
INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES ('normal','Simultaneous-Use',':=','1');
# Other reply attributes for the VIP1 group.
# NOTE(review): Auth-Type is normally a check (control) item, so placing it in
# radgroupreply presumably has no effect -- confirm against your debug output.
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Auth-Type',':=','Local');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Service-Type',':=','Framed-User');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Framed-Protocol',':=','PPP');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Framed-MTU',':=','1500');
# The last statement is truncated in the source; the attribute name begins with
# 'Framed-Co' (presumably Framed-Compression -- verify in the original file).
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Framed-Co
7. /etc/init.d/radiusd start
8. freeradius-dialupadmin ( http://wiki.freeradius.org/Dialup-admin )
8.a Add your defined attribute in the /etc/freeradius-dialupadmin
checkItem Max-Monthly-Traffic Max-Monthly-Traffic
8.b /etc/freeradius-dialupadmin/admin.conf
mysql database config & test client info
# table mapping e.g.
sql_usergroup_table: radusergroup
#counter default
counter_default_daily: none
counter_default_weekly: none
counter_default_monthly: none
counter_default_monthly_traffic: none
8.c /usr/share/freeradius-dialupadmin/bin scripts: perl tempfile fix
#use File::Temp;
use File::Temp qw/ tempfile /;
9. Others
9a. /etc/raddb/sql.conf
radius mysql database information: server, db, user and password etc. (this file holds the database password in cleartext, so keep it readable only by the radiusd user)
9b. /etc/raddb/dictionary (add your own attributes if needed; they must match the radiusclient dictionary from step 4d)
ATTRIBUTE Max-Monthly-Traffic 3003 integer
ATTRIBUTE Monthly-Traffic-Limit 3004 integer
ATTRIBUTE Monthly-Traffic 3005 integer
9c. /etc/radiusd.conf, initialize your attributes in the instantiate section
# daily
dailycounter
monthlycounter
monthlytrafficcounter
9d. /etc/raddb/sites-enabled/default
# in authorize:
# Clear stale accounting rows after the sql module has run, so that
# Simultaneous-Use checks are not blocked by sessions whose Stop packet
# never arrived.
sql
if(User-Name) {
# The UPDATE closes every open radacct row of this user whose wall-clock age
# exceeds the recorded AcctSessionTime by more than 1000 seconds: it sets
# AcctStopTime = AcctStartTime + AcctSessionTime and records the cause
# 'Clear-Stale Session'.  The empty if-body is intentional; the xlat is run
# only for its side effect.
# NOTE(review): %{User-Name} is interpolated into SQL here.  rlm_sql's
# %{sql:...} xlat escapes expanded attributes with the module's escape
# function (safe_characters in sql.conf) -- confirm for your version, and do
# not copy this pattern into xlats that do not escape.
# NOTE(review): the closing ” on the next line is a rendering artifact; the
# real file uses an ASCII double quote.
if("%{sql:UPDATE radacct set AcctStopTime=ADDDATE(AcctStartTime,INTERVAL AcctSessionTime SECOND),AcctTerminateCause='Clear-Stale Session' WHERE UserName='%{User-Name}' and AcctStopTime is null and (TIME_TO_SEC(TIMEDIFF(NOW(),AcctStartTime))-1000)>AcctSessionTime}”){
}
}
# Enforce daily limits on time spent logged in.
# The sqlcounter instances (defined in counter.conf, section 9e) are listed
# after sql, presumably so that the Max-* check items loaded from
# radcheck/radgroupcheck are already available to them -- confirm.
# daily
monthlytrafficcounter
dailycounter
monthlycounter
# in session
# See “Simultaneous Use Checking Queries” in sql.conf
# radutmp is replaced by sql so that Simultaneous-Use is enforced from the
# radacct table instead of the local radutmp file.
# radutmp
sql
9e. /etc/raddb/sql/mysql/counter.conf
# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# Daily session-time counter.  Sums this user's acctsessiontime since the
# start of the current daily period (%b) and compares it with the
# Max-Daily-Session check item; the reply attribute set is Session-Timeout.
# NOTE(review): the “ ” and – characters in this listing are rendering
# artifacts; the real counter.conf uses ASCII double quotes and a minus sign.
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = daily
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below.  The GREATEST(...) term subtracts the part of a
# session that lies before %b so only time inside the
# current period is counted.
query = “SELECT SUM(acctsessiontime – \
GREATEST((%b – UNIX_TIMESTAMP(acctstarttime)), 0)) \
FROM radacct WHERE username = ‘%{%k}’ AND \
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > ‘%b’”
# This query ignores calls that started in a previous
# reset period and continue into this one. But it
# is a little easier on the SQL server
# query = “SELECT SUM(acctsessiontime) FROM radacct WHERE \
# username = ‘%{%k}’ AND acctstarttime > FROM_UNIXTIME(‘%b’)”
# This query is the same as above, but demonstrates an
# additional counter parameter ‘%e’ which is the
# timestamp for the end of the period
# query = “SELECT SUM(acctsessiontime) FROM radacct \
# WHERE username = ‘%{%k}’ AND acctstarttime BETWEEN \
# FROM_UNIXTIME(‘%b’) AND FROM_UNIXTIME(‘%e’)”
}
# Monthly session-time counter.  Same query as dailycounter but with a
# monthly reset; compared with the Max-Monthly-Session check item and the
# reply attribute set is Session-Timeout.
# NOTE(review): the “ ” and – characters in this listing are rendering
# artifacts; the real counter.conf uses ASCII double quotes and a minus sign.
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = monthly
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below.  The GREATEST(...) term subtracts the part of a
# session that lies before %b so only time inside the
# current period is counted.
query = “SELECT SUM(acctsessiontime – \
GREATEST((%b – UNIX_TIMESTAMP(acctstarttime)), 0)) \
FROM radacct WHERE username=’%{%k}’ AND \
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > ‘%b’”
# This query ignores calls that started in a previous
# reset period and continue into this one. But it
# is a little easier on the SQL server
# query = “SELECT SUM(acctsessiontime) FROM radacct WHERE \
# username=’%{%k}’ AND acctstarttime > FROM_UNIXTIME(‘%b’)”
# This query is the same as above, but demonstrates an
# additional counter parameter ‘%e’ which is the
# timestamp for the end of the period
# query = “SELECT SUM(acctsessiontime) FROM radacct \
# WHERE username=’%{%k}’ AND acctstarttime BETWEEN \
# FROM_UNIXTIME(‘%b’) AND FROM_UNIXTIME(‘%e’)”
}
# Monthly traffic counter.  Sums input + output octets of this user's
# sessions that were still open at the start of the monthly period (%b)
# and divides by 1024, so Max-Monthly-Traffic is expressed in KB (section
# 9f uses 5242880 for 5 GB).  The reply attribute set is the locally defined
# Monthly-Traffic-Limit (dictionary, step 9b).
# Unlike the session-time counters above, this query does not prorate a
# session that spans the reset boundary: all of its octets are counted.
# NOTE(review): radacct octet columns are only updated by interim and Stop
# accounting packets, so an in-progress session's traffic presumably appears
# here only if the NAS sends interim updates (Acct-Interim-Interval) -- confirm.
# NOTE(review): the “ ” characters are rendering artifacts; the real file uses
# ASCII quotes.
sqlcounter monthlytrafficcounter {
counter-name = Monthly-Traffic
check-name = Max-Monthly-Traffic
reply-name = Monthly-Traffic-Limit
sqlmod-inst = sql
key = User-Name
reset = monthly
query = “SELECT SUM(acctinputoctets + acctoutputoctets)/1024 FROM radacct WHERE UserName=’%{%k}’ AND UNIX_TIMESTAMP(AcctStartTime) + acctsessiontime > ‘%b’”
}
9f. radius database
# nas
insert your radius client
# radcheck
Cleartext-Password := password
# radgroupcheck
Simultaneous-Use := 2
Max-Daily-Session := 21600
Max-Monthly-Session := 345600
Max-Monthly-Traffic := 5242880 (5 GB, in KB — matching the /1024 in the monthlytrafficcounter query)
#radgroupreply (Acct-Interim-Interval makes the NAS send periodic accounting updates; without them the traffic counter sees a session's octets only after it ends — confirm your NAS honours it)
VIP Acct-Interim-Interval := 300
VIP Idle-Timeout := 600
#radusergroup
username groupname
新年好啊,经常在hostloc看到你,我最近也在研究freeradius,小弟有个问题,不知可否实现,就是ssh通过freeradius验证并计费流量,我目前实现了验证的问题,但是关于流量计费,原先的pam插件貌似不支持,不知有何高见
我的qq 就是我qq邮箱前面,希望能加我一起研究,谢谢
@Alex
新年好。也没有看到有现成的SSH与freeradius的流量统计集成,也许可以自己实现一个。SSH的流量统计不知是否可以利用sshband项目的代码(http://code.google.com/p/sshband/ )。回头QQ加你,我们可以一起研究一下。
已经加过qq,最近在看pam_radius的代码,发现radius验证的时候,必须检测本机是是否有存在的用户/etc/passwd, 用nis暂时可以解决,不过正在找办法绕过这种本机用户搜索验证,有眉目了,有空qq聊