
note from :

https://wiki.freeradius.org/guide/Getting%20Started

What is FreeRADIUS Server?

FreeRADIUS is a modular, high performance and highly customizable open source RADIUS server.

We will now install freeRADIUS on a CentOS 7 Linux server from the YUM repository, so before starting the installation you should have CentOS 7 ready with access to the CentOS YUM repository.

Installation on Ubuntu

We assume that you can install the server via something like yum install freeradius, or apt-get install freeradius.

Installation on Mac OS X

First search for radius with brew search:

brew search radius

result :

==> Formulae
freeradius-server ✔

Then install it with:

brew install freeradius-server

Installation on CentOS

Before starting the freeRADIUS installation, we will first check the freeRADIUS packages available in the CentOS YUM repository. For this, issue the following command from your CentOS 7 command prompt with root privileges.

[root@freeradius ~]#  yum search freeradius
...
freeradius-devel.i686 : FreeRADIUS development files
freeradius-devel.x86_64 : FreeRADIUS development files
...
freeradius.x86_64 : High-performance and highly configurable free RADIUS server

The search command shows the available packages, as in the output above. Among the listed packages, we will only install the freeradius, freeradius-utils, freeradius-mysql and freeradius-perl packages.

So, issue the following command from your CentOS command prompt to install these packages.

[root@freeradius ~]# yum install freeradius freeradius-utils freeradius-mysql freeradius-perl -y

Within a few moments your freeRADIUS packages will be installed and you will get an installation complete message. To verify the installation, issue the following command, which lists the installed freeRADIUS packages.

[root@freeradius ~]# rpm -qa | grep freeradius
freeradius-utils-3.0.13-9.el7_5.x86_64
freeradius-perl-3.0.13-9.el7_5.x86_64
freeradius-3.0.13-9.el7_5.x86_64
freeradius-mysql-3.0.13-9.el7_5.x86_64

If you get the above output, the freeRADIUS suite and its required packages have been installed successfully.

Now we will check whether our freeRADIUS server is working or not with the following command.

[root@freeradius ~]# radiusd -X
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 47697
Listening on proxy address :: port 60842
Ready to process requests

If you see the above output, your freeRADIUS server is ready to accept RADIUS client requests and reply to them.

Before starting the configuration, we will check whether our RADIUS server is running with the following command, where radiusd is the freeRADIUS daemon in the CentOS Linux distribution.

[root@freeradius ~]# systemctl status radiusd

Issue the following command to start the radius daemon.

[root@freeradius ~]# systemctl start radiusd

Also issue the following command so that the radius daemon starts automatically when the system restarts.

[root@freeradius ~]# systemctl enable radiusd

To restart or reload your configuration, issue the following command from your CentOS 7 command prompt.

[root@freeradius ~]# systemctl restart radiusd

The RADIUS server listens for authentication requests on UDP port 1812 and accounting requests on UDP port 1813, so you have to allow these ports through the CentOS 7 firewall. To allow them, issue the following commands from your CentOS 7 command prompt.

[root@freeradius ~]# firewall-cmd --zone=public --add-port=1812/udp
[root@freeradius ~]# firewall-cmd --zone=public --add-port=1813/udp

To make this configuration permanent, issue the following command.

[root@freeradius ~]# firewall-cmd --zone=public --permanent --add-port=1812/udp
[root@freeradius ~]# firewall-cmd --zone=public --permanent --add-port=1813/udp

Starting the server

When the server has been installed on a new machine, the first step is to start it in debugging mode, as user root:

# radiusd -X

This step demonstrates that the server is installed and configured properly. If the output says Ready to process requests, then all is well.

Install location (Homebrew):

/usr/local/Cellar/freeradius-server/3.0.19_1

Stop the service:

Open Activity Monitor and kill the radiusd process.

Initial Tests

Testing authentication is simple. Edit the users file

etc/raddb/mods-config/files/authorize

and add the following line of text at the top of the file, before anything else:

testing Cleartext-Password := "password"

Start the server in debugging mode (radiusd -X), and run radtest from another terminal window:

$ radtest testing password 127.0.0.1 0 testing123

The format is:

$ radtest
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret 

You should see the server respond with an

Access-Accept

then congratulations, the following authentication methods now work for the testing user:

PAP, CHAP, MS-CHAPv1, MS-CHAPv2, PEAP, EAP-TTLS, EAP-GTC, EAP-MD5.

and testing123 on the command line is the shared secret defined in

etc/raddb/clients.conf

as:

secret = testing123
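As an added example (not part of these notes or of FreeRADIUS itself), the following Python models what radtest and the server do with that shared secret in the exchange above: the User-Password attribute is hidden with MD5 keyed by the secret and the Request Authenticator, the request carries a Message-Authenticator, and the reply is only trusted if its Response Authenticator verifies. The user table and the packet identifier 118 are constructed; the packet handling follows RFC 2865 and RFC 2869.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 5, 18, 80


def encode_avps(avps):
    """Serialise (type, value) pairs as RADIUS Type-Length-Value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)


def decode_avps(pkt):
    """Yield (type, value, offset) for each attribute after the 20-byte header."""
    i = 20
    while i < len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute")
        yield t, pkt[i + 2:i + length], i
        i += length


def xor_password(data, secret, req_auth, decrypt):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the Request Authenticator seeds the first block."""
    if not decrypt:
        data += b"\0" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, mask))
        out += result
        prev = block if decrypt else result  # chaining always uses the hidden (wire) form
    return out.rstrip(b"\0") if decrypt else out


def build_access_request(ident, username, password, secret, nas_port):
    """Client side: what radtest sends for 'radtest user passwd server nas-port secret'."""
    req_auth = secrets.token_bytes(16)
    body = encode_avps([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, xor_password(password.encode(), secret, req_auth, decrypt=False)),
        (NAS_PORT, struct.pack("!I", nas_port)),
        (MESSAGE_AUTHENTICATOR, b"\0" * 16),  # placeholder, computed below
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    # RFC 2869 5.14: HMAC-MD5 over the packet with the attribute zeroed (it is the last 16 bytes)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def server_handle(pkt, secret, users):
    """Server side: check Message-Authenticator, reveal the password, decide, sign the reply.
    Returns None where the server must silently discard the packet (RFC 2869 5.14)."""
    _, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], {}
    for t, value, off in decode_avps(pkt[:length]):
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + b"\0" * 16 + pkt[off + 18:length]
            if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
                return None
        attrs[t] = value
    user = attrs[USER_NAME].decode(errors="replace")
    password = xor_password(attrs[USER_PASSWORD], secret, req_auth, decrypt=True)
    ok = user in users and hmac.compare_digest(users[user].encode(), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_avps([(REPLY_MESSAGE, f"Hello, {user}".encode())]) if ok else b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + response_authenticator(code, ident, req_auth, body, secret) + body


def client_check_reply(req, reply, secret):
    """Client side: only trust a reply whose Response Authenticator verifies under the secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, req[4:20], reply[20:length], secret)
    if ident != req[1] or not hmac.compare_digest(expected, reply[4:20]):
        return "invalid reply (bad Response Authenticator)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[code]


def exchange(username, password, client_secret, server_secret, users):
    """One radtest-like round trip; 'users' models the authorize entry from the page."""
    req = build_access_request(118, username, password, client_secret.encode(), 0)
    reply = server_handle(req, server_secret.encode(), users)
    if reply is None:
        return "discarded (Message-Authenticator mismatch)"
    return client_check_reply(req, reply, client_secret.encode())
```

A mismatched secret on either side never produces an Access-Reject the client can act on: the server discards the request, and a forged reply fails the Response Authenticator check.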

Adding a client

When we discuss clients, we mean clients of the RADIUS server, e.g.

  1. wireless access point,
  2. network switch or
  3. other form of NAS.

NOT the network clients - such as laptops, tablets etc - they do not talk directly to the RADIUS server.

It is useful to add a new client, which can be done by editing the

etc/raddb/clients.conf 

file. Add the following content:

client new {
    ipaddr = 192.0.2.1
    secret = testing123
}

You should change the IP address 192.0.2.1 to be the address of the client which will be sending Access-Request packets.

The client should also be configured to talk to the RADIUS server, by using the IP address of the machine running the RADIUS server. The client must use the same secret as configured above in the client section.

Then restart the server in debugging mode, and run a simple test using the testing user. You should see an

Access-Accept 

in the server output.

WinBox on MAC OS X

note from :

https://splynx.com/3596/mikrotik-winbox-for-mac-os/

Winbox is a very nice tool, probably one of the best for network management and configuration. The safest way is to run WineHQ and run the native Windows Winbox on it. Here are the steps to install Mikrotik Winbox on MAC OS, running on High Sierra 10.13.2.

Install WineHQ, a compatibility layer capable of running Windows applications on several POSIX-compliant operating systems, such as Linux, macOS and BSD. Instead of simulating internal Windows logic like a virtual machine or emulator, Wine translates Windows API calls into POSIX calls on the fly, eliminating the performance and memory penalties of other methods and allowing you to cleanly integrate Windows applications into your desktop.

https://dl.winehq.org/wine-builds/macosx/download.html

Install XQuartz, a version of the X.Org X Window System that runs on OS X:

https://www.xquartz.org/releases/XQuartz-2.7.9.html

Download and run Winbox:

https://mikrotik.com/download


note from : https://systemzone.net/freeradius-installation-and-basic-configuration-on-centos-7/

Best Practice for Configuring the Server

Changing the server configuration should be done via the following steps:

  1. Start with a "known working" configuration, such as supplied by the default installation.
  2. Make one small change to the configuration files.
  3. Start the server in debugging mode (radiusd -X). Verify that the results are what you expect.

The debug output shows

  1. any configuration changes you have made.
  2. Databases (if used) are connected and operating.
  3. Test packets are accepted by the server.

The debug output shows that the packets are being processed as you expect.

If anything goes wrong, double-check the configuration; read the entire debug output, looking for words like error or warning. These messages usually contain descriptions of what went wrong, and suggestions for how it can be fixed. Also see the explanation of the debug output and the debug form.

Basic Configuration

After successful freeRADIUS installation, we will now do a basic configuration where localhost will be defined as a NAS device (RADIUS client) and bob will be defined a test user. After we have defined the client and the test user, we will use the radtest program to fill the role of a RADIUS client and test the authentication of bob.

FreeRADIUS is set up by modifying configuration files. The default location of freeRADIUS configuration file in CentOS 7 is /etc/raddb. So:

cd /etc/raddb
ls 

to view available configuration files and directories.

Open the clients.conf file with the vim editor

vim clients.conf

and confirm that the following entry exists in clients.conf:

client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

Define bob as a FreeRADIUS test user. Open users file with vim editor

vim users

and add the following lines at the top of the users file. Make sure that the second and third lines are indented by a single tab character.

"bob" Cleartext-Password := "password"
	Framed-IP-Address = 192.168.10.10,
	Reply-Message = "Hello, %{User-Name}"

In v3, this users file is located in:

    #  raddb/mods-config/files/authorize

Reload the freeRADIUS server with the restart command.

[root@freeradius ~]# systemctl restart radiusd

Authenticate the bob user using the following radtest command, where

  1. bob is the test user,
  2. password is the password of bob defined in the users file,
  3. 127.0.0.1 (localhost) is the IP address of the NAS device,
  4. 100 is the NAS port and
  5. testing123 is the NAS shared secret defined in the clients.conf file.

[root@freeradius raddb]# radtest bob password 127.0.0.1 100 testing123

Sent Access-Request Id 118 from 0.0.0.0:52494 to 127.0.0.1:1812 length 75
 User-Name = "bob"
 User-Password = "password"
 NAS-IP-Address = 192.168.40.10
 NAS-Port = 100
 Message-Authenticator = 0x00
 Cleartext-Password = "password"

Received Access-Accept Id 118 from 127.0.0.1:1812 to 0.0.0.0:0 length 40

 Framed-IP-Address = 192.168.10.10
 Reply-Message = "Hello, bob"

Radtest shows the response of the FreeRADIUS server as in the output above. That means your freeRADIUS server is ready to accept RADIUS client and user requests.


note from : https://www.vpsserver.com/community/tutorials/10/setup-and-configuration-of-freeradius-mysql-on-ubuntu-14-04-64bit/

In this tutorial we will install a freeradius server with mysql support on the Ubuntu 14.04 64bit distro.

PREREQUISITES

This tutorial requires the following ingredients to set up freeradius+mysql:

  • an Ubuntu 14 64bit server
  • Root Access to the server
  • An SSH client (You can download putty or bitvise depends on your operating system and liking)

We shall be making a basic freeradius setup with a mysql database for storing user credentials and other information.

INSTALLING FREERADIUS

Let us first update our distro so we can be sure we will be able to install the required applications:

sudo apt-get update

Then we will install freeradius:

sudo apt-get install freeradius freeradius-mysql

'freeradius-mysql' is a required freeradius module so we can communicate with the mysql server.

Next, we will need to edit the default site file to switch the AAA mechanism of freeradius from the files module to the sql module.

nano /etc/freeradius/sites-enabled/default

Then we will have to comment out every line that says 'files' and un-comment the lines that say 'sql'.

authorize {
#   files
    sql
}
authenticate {
}
preacct {
#   files
}
accounting {
    sql
}
session {
    sql
}
post-auth {
    sql
    Post-Auth-Type REJECT {
    # log failed authentications in SQL, too.
    sql
    attr_filter.access_reject
    }
}

Next, we will go to the main radius configuration file. We will enable the mysql module so we can use it later on.

nano /etc/freeradius/radiusd.conf

We will un-comment the line (in v3):

$INCLUDE mods-enabled/sql

Next we will enter our mysql server access credentials into radius.

nano /etc/freeradius/sql.conf

Edit the file and supply your mysql credentials.

sql {
    database = "mysql"
    server = "localhost"
    login = "sampleuser"
    password = "samplepassword"
    radius_db = "radius"
    #uncomment read_groups
    read_groups = yes
    #uncomment readclients
    read_clients = yes
}

Log in to MySQL as root and create the radius database and user.

CREATE DATABASE radius;
CREATE USER 'sampleuser'@'localhost' IDENTIFIED BY 'samplepassword';
GRANT ALL PRIVILEGES ON *.* TO 'sampleuser'@'localhost';
FLUSH PRIVILEGES;

Next, we will have to import the sql files for freeradius into the 'radius' database. The schema.sql and nas.sql files are located in the '/etc/freeradius/sql/mysql' folder.

mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql;
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql;

Both files can also be found on GitHub via a Google search.

POPULATING RADIUS DATABASE

It is important that we enter the correct freeradius values into the radius database for Freeradius to read it correctly; otherwise, Freeradius will throw an error during operation. The information we want to enter is the following:

Freeradius client ip and secret
User names and passwords
Freeradius check values for groups and individual users.
Freeradius reply values for groups and individual users.

First, we will enter the freeradius client information into the nas table.

INSERT INTO nas VALUES (NULL , '0.0.0.0/0', 'myNAS', 'other', NULL , 'mysecret', NULL , NULL , 'RADIUS Client');

Then we will enter user information into the radcheck table.

INSERT INTO radcheck (username, attribute, op, value) VALUES ('thisuser', 'User-Password', ':=', 'thispassword');

Then we need to assign the user a group.

INSERT INTO radusergroup (username, groupname, priority) VALUES ('thisuser', 'thisgroup', '1');

After that we assign the reply properties for the group in the radgroupreply table.

INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('thisgroup', 'Service-Type', ':=', 'Framed-User'), ('thisgroup', 'Framed-Protocol', ':=', 'PPP'), ('thisgroup', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');

All is done for now.

TESTING FREERADIUS+MYSQL INSTALLATION

To test the setup we will have to run freeradius in debug mode. We will execute the below command.

service freeradius stop
freeradius -X

To check that freeradius is running, you should see the following lines on your screen.

...
Ready to process requests.

Download NTRAdPing (Windows only) and enter the following information.

Your FreeRADIUS server address
Your user name and password; here reco and password123
Your secret; here sharedkey
Port number 1812; do not change it.

Click Send, and you should see the message:

Access-Accept

SIMULTANEOUS-USE ON FREERADIUS

Simultaneous-Use is used to limit the number of concurrent logins of users of a particular service to the number entered in the database. To enable the simultaneous-use limit we un-comment the following line in '/etc/freeradius/sql/mysql/dialup.conf'.

simul_count_query = "SELECT COUNT(*) \
                     FROM ${acct_table1} \
                     WHERE username = '%{SQL-User-Name}' \
                     AND acctstoptime IS NULL"

Then enter the required value in the radgroupcheck table.

INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES ('thisgroup', 'Simultaneous-Use', ':=', '3');

This means that the users in the group 'thisgroup' are allowed up to three simultaneous logins before being rejected.

Automation script

https://gist.github.com/xjdrew/04d839479d8a6a490153

MySQL sample data

from : https://wiki.freeradius.org/guide/SQL-HOWTO

You should now create some dummy data in the database to test against. It goes something like this:

  1. In usergroup, put entries matching a user account name to a group name.
  2. In radcheck, put an entry for each user account name with a 'Cleartext-Password' attribute with a value of their password.
  3. In radreply, create entries for each user-specific radius reply attribute against their username.
  4. In radgroupreply, create attributes to be returned to all group members

Here's a dump of some example 'radius' tables from a MySQL database. This example includes three users, one with a dynamically assigned IP by the NAS (fredf), one assigned a static IP (barney), and one representing a dial-up routed connection (dialrouter):

  mysql> select * from radcheck;
  +----+----------------+--------------------+------------------+------+
  | id | UserName       | Attribute          | Value            | Op   | 
  +----+----------------+--------------------+------------------+------+
  |  1 | fredf          | Cleartext-Password | wilma            | :=   |
  |  2 | barney         | Cleartext-Password | betty            | :=   |
  |  2 | dialrouter     | Cleartext-Password | dialup           | :=   |
  +----+----------------+--------------------+------------------+------+
  3 rows in set (0.01 sec)
  mysql> select * from radreply;
  +----+------------+-------------------+---------------------------------+------+
  | id | UserName   | Attribute         | Value                           | Op   |
  +----+------------+-------------------+---------------------------------+------+
  |  1 | barney     | Framed-IP-Address | 1.2.3.4                         | :=   |
  |  2 | dialrouter | Framed-IP-Address | 2.3.4.1                         | :=   |
  |  3 | dialrouter | Framed-IP-Netmask | 255.255.255.255                 | :=   |
  |  4 | dialrouter | Framed-Routing    | Broadcast-Listen                | :=   |
  |  5 | dialrouter | Framed-Route      | 2.3.4.0 255.255.255.248         | :=   |
  |  6 | dialrouter | Idle-Timeout      | 900                             | :=   |
  +----+------------+-------------------+---------------------------------+------+
  6 rows in set (0.01 sec)
  mysql> select * from radgroupreply;
  +----+-----------+--------------------+---------------------+------+
  | id | GroupName | Attribute          | Value               | Op   |
  +----+-----------+--------------------+---------------------+------+
  | 34 | dynamic   | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
  | 33 | dynamic   | Framed-Protocol    | PPP                 | :=   |
  | 32 | dynamic   | Service-Type       | Framed-User         | :=   |
  | 35 | dynamic   | Framed-MTU         | 1500                | :=   |
  | 37 | static    | Framed-Protocol    | PPP                 | :=   |
  | 38 | static    | Service-Type       | Framed-User         | :=   |
  | 39 | static    | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
  | 41 | netdial   | Service-Type       | Framed-User         | :=   |
  | 42 | netdial   | Framed-Protocol    | PPP                 | :=   |
  +----+-----------+--------------------+---------------------+------+
  12 rows in set (0.01 sec)

In this example, 'barney' (who is a single user dialup) only needs an attribute for IP address in radreply so he gets his static IP - he does not need any other attributes here as all the others get picked up from the 'static' group entries in radgroupreply.

'fredf' needs no entries in radreply as he is dynamically assigned an IP via the NAS - so he'll just get the 'dynamic' group entries from radgroupreply ONLY.

'dialrouter' is a dial-up router, so as well as needing a static IP it needs route and mask attributes (etc) to be returned. Hence the additional entries.

'dialrouter' also has an idle-timeout attribute so the router gets kicked if it's not doing anything - you could add this for other users too if you wanted to. Of course, if you feel like or need to add any other attributes, that's kind of up to you!

Note the operator ('op') values used in the various tables. The password check attribute MUST use :=. Most return attributes should have a := operator, although if you're returning multiple attributes of the same type (e.g. multiple Cisco-AVPair attributes) you should use the += operator instead, otherwise only the first one will be returned. Read the docs for more details on operators.
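As an added example (not the wiki's or FreeRADIUS's own code), here is a Python model using sqlite3 of how the sql module combines these tables for one login: radcheck and radgroupcheck supply check items, radreply and radgroupreply supply reply items with the := and += semantics described above, and the Simultaneous-Use limit from the earlier section is enforced with the page's simul_count_query against radacct. The Cisco-AVPair values and the radacct rows are constructed; the table columns follow the page's dump.

```python
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radacct       (radacctid INTEGER PRIMARY KEY, username TEXT, acctstoptime TEXT);
"""

# Constructed sample rows modelled on the page: barney has a static IP in radreply and gets
# everything else from the 'static' group; the group carries a Simultaneous-Use limit of 3 and
# two Cisco-AVPair rows (constructed values) that must both be returned, hence '+='.
SAMPLE_DATA = """
INSERT INTO radcheck (username, attribute, op, value) VALUES ('barney', 'Cleartext-Password', ':=', 'betty');
INSERT INTO radreply (username, attribute, op, value) VALUES ('barney', 'Framed-IP-Address', ':=', '1.2.3.4');
INSERT INTO radusergroup VALUES ('barney', 'static', 1);
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES ('static', 'Simultaneous-Use', ':=', '3');
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('static', 'Framed-Protocol', ':=', 'PPP'),
  ('static', 'Service-Type', ':=', 'Framed-User'),
  ('static', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP'),
  ('static', 'Cisco-AVPair', '+=', 'example-avpair-one'),
  ('static', 'Cisco-AVPair', '+=', 'example-avpair-two');
-- two sessions still open (no acctstoptime) and one closed session
INSERT INTO radacct (username, acctstoptime) VALUES ('barney', NULL), ('barney', NULL), ('barney', '2019-11-06 09:00:00');
"""


def open_db():
    """In-memory database loaded with the schema subset and sample rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE_DATA)
    return db


def apply_reply_op(reply, attribute, op, value):
    """Operator semantics for reply items, as described in the note on 'op' above."""
    if op == ":=":          # set: replace any existing value of this attribute
        reply[attribute] = [value]
    elif op == "+=":        # add: append, so several Cisco-AVPair rows all come back
        reply.setdefault(attribute, []).append(value)
    elif op == "=":         # add only if the attribute is not already present
        reply.setdefault(attribute, [value])
    else:
        raise ValueError(f"unsupported reply operator {op!r}")


def authorize(db, username, password):
    """Simplified model of the authorize, pap and session steps for one PAP login.
    Returns (code, reply_attributes, reason)."""
    groups = [g for (g,) in db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority", (username,))]
    checks = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id", (username,)).fetchall()
    if not checks:
        return "Access-Reject", {}, "no radcheck entry for user"
    for g in groups:
        checks += db.execute(
            "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY id", (g,)).fetchall()
    check = {attribute: value for attribute, _, value in checks}
    if check.get("Cleartext-Password") != password:
        return "Access-Reject", {}, "password mismatch"
    if "Simultaneous-Use" in check:
        # the page's simul_count_query: rows with no acctstoptime are sessions still active
        (active,) = db.execute(
            "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL", (username,)).fetchone()
        if active >= int(check["Simultaneous-Use"]):
            return "Access-Reject", {}, f"Simultaneous-Use limit {check['Simultaneous-Use']} reached"
    reply = {}
    rows = db.execute(
        "SELECT attribute, op, value FROM radreply WHERE username = ? ORDER BY id", (username,)).fetchall()
    for g in groups:  # user items first, then each group by priority; a later ':=' wins
        rows += db.execute(
            "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id", (g,)).fetchall()
    for attribute, op, value in rows:
        apply_reply_op(reply, attribute, op, value)
    return "Access-Accept", reply, "ok"
```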

Workshop

The business scenario we want to verify is as follows:

  1. The test environment consists of a user PC, a router and a RADIUS server, connected together on one LAN.
  2. The router delegates login authentication and authorization to the RADIUS server via the AAA protocol.
  3. When the user PC initiates a login to the router, the router should submit this login request to the RADIUS server.

We preset the user name as reco and the password as password123.

Hardware preparation

The router is a MikroTik, acting as the FreeRADIUS client, with the address:

192.168.1.56

A Windows 10 machine acts as the client, with WinBox installed on it as the MikroTik management tool and for login verification. Its address is

192.168.1.188

A FreeRADIUS server, whose operating system is planned to be Ubuntu 19. Its address is:

192.168.1.144

The topology is:

User(Windows 10+WinBox) -- MikroTik Router -- FreeRadius Server

Install WinBox on the user PC

The download address is https://mikrotik.com/download ; choose Winbox 64bit to get the software. Click to download it and run it, which brings you to the software's login screen.

Configure the MikroTik via WinBox

Run WinBox and click refresh in the Neighbors panel at the bottom of the window. You can see the router with IP address 192.168.1.56 in the list, and its model in the Board column. My MikroTik model is CCR1009.

Click this entry and the Connect To field at the top of the window is automatically filled with 192.168.1.56 and Login with admin. The password of my CCR is empty, so leave the Password field empty, then click the Connect button. This brings you to the normal working interface of the software.

We need to delegate user login to the FreeRADIUS server. Before that, you should know that the whole delegation process is encrypted: the two sides share a Secret string to perform encryption and decryption, and this string only needs to be configured identically on both sides. Here we agree on sharedkey. Now do the following.

  1. Click the Radius item in the left menu bar to open the Radius window
  2. Click the add button (plus sign); the New Radius Server dialog pops up
  3. Tick the login checkbox and fill in the address field with 192.168.1.144
  4. Then fill in Secret with sharedkey
  5. Click OK to close the dialog

Enable RADIUS.

  1. Click the menu System > Users; the User List window appears
  2. Click the AAA button; the Login Authentication and Accounting dialog pops up
  3. Tick the Use RADIUS checkbox.
  4. Click OK to exit

Configure the RADIUS server

FreeRADIUS is configured by modifying configuration files. The location of the configuration files differs between Linux distributions and MAC; on CentOS it is /etc/raddb. So:

cd /etc/raddb
ls 

to see the configuration files. We care about two configuration files. One is clients.conf, which configures the clients, that is, the NAS devices allowed to access the FreeRADIUS server, including their IP addresses and shared secrets. The other is users, which configures login users; following the earlier agreement, the user name is reco and the password is password123.

vim clients.conf

Add the following to the end of the file:

client localhost {
    ipaddr = 127.0.0.1
    secret = sharedkey
    require_message_authenticator = no
    nas_type = other
}

Then modify the users file:

vim users

Add the following to the end of the file, making sure the last two lines have a single tab before the text:

reco Cleartext-Password := "password123"
     Framed-IP-Address = 192.168.10.10,
	Reply-Message = "Hello, %{User-Name}"

Restart the server:

[root@freeradius ~]# systemctl restart radiusd

Or kill the process and start it in debug mode:

radiusd -X 

Then use radtest to verify the functionality:

[root@freeradius raddb]# radtest reco password123 127.0.0.1 0 sharedkey

The output is:

Sent Access-Request Id 118 from 0.0.0.0:52494 to 127.0.0.1:1812 length 75
 User-Name = "reco"
 User-Password = "password123"
 NAS-IP-Address = 192.168.1.56
 NAS-Port = 100
 Message-Authenticator = 0x00
 Cleartext-Password = "password123"

The reply part of the output is

Received Access-Accept Id 118 from 127.0.0.1:1812 to 0.0.0.0:0 length 40
 Framed-IP-Address = 192.168.10.10
 Reply-Message = "Hello, reco"

This shows that the FreeRADIUS server is up. Now we add the following to the end of clients.conf:

client new {
    ipaddr = 192.168.1.56
    secret = sharedkey
    require_message_authenticator = no
    nas_type = other
}
client new1 {
    ipaddr = 192.168.1.188
    secret = sharedkey
    require_message_authenticator = no
    nas_type = other
}

This allows the MikroTik router (IP address ...56) to access this RADIUS server. And since we earlier configured the MikroTik router's RADIUS shared secret as sharedkey, the two can communicate over an encrypted channel.

The other address, .188, is there to allow the user PC to log in to FreeRADIUS directly via WinBox, which makes testing FreeRADIUS more convenient.

Verifying the path

Go back to the user machine (Windows 10+WinBox), run WinBox and fill in the fields:

Connect To :192.168.1.56
Login : reco
Password : password123

If the login succeeds, the FreeRADIUS path has been verified end to end.

Currently our clients and users are all configured in files. In real work, for efficiency and ease of management, a relational database is used to store client and user information, so next we configure FreeRADIUS to work with a MySQL server.

Configuring for MySQL

On Ubuntu, you need to install the freeradius-mysql module:

sudo apt-get install freeradius freeradius-mysql

Only then can a connection to mysql be established. On Mac OS X the sql module is installed together with freeradius-server and does not need to be installed separately.

Now move the authentication mechanism, which defaults to files, to MySQL. Edit the following file:

vim sites-enabled/default

Comment out files in all of the following sections, and add or uncomment sql:

authorize {
#   files
    sql
}
authenticate {
}
preacct {
#   files
}
accounting {
    sql
}
session {
    sql
}
post-auth {
    sql
    Post-Auth-Type REJECT {
    # log failed authentications in SQL, too.
    sql
    attr_filter.access_reject
    }
}

Activate the mysql module:

vi radiusd.conf

Uncomment

$INCLUDE mods-enabled/sql

On Mac OS X the sql module is installed together with freeradius-server, located at:

mods-available/sql 

Fill in the mysql connection information:

nano /etc/freeradius/sql.conf

Supply the mysql connection details:

sql {
    database = "mysql"
    server = "localhost"
    login = "sampleuser"
    password = "samplepassword"
    radius_db = "radius"
    #uncomment read_groups
    read_groups = yes
    #uncomment readclients
    read_clients = yes
}

Configure mysql

Enter the mysql command line and create the database and user

CREATE DATABASE radius;
CREATE USER 'sampleuser'@'localhost' IDENTIFIED BY 'samplepassword';
GRANT ALL PRIVILEGES ON *.* TO 'sampleuser'@'localhost';
FLUSH PRIVILEGES;

Import the schema SQL files into mysql:

mysql -u root -p radius < schema.sql;
mysql -u root -p radius < nas.sql;

Both files can be found on GitHub by googling freeradius schema.sql nas.sql.

It is critical that we add the following information to the mysql database:

Freeradius client ip and secret 
Users name and password
Freeradius check values for groups and individual users.
Freeradius reply values for groups and individual users.

Execute the following statements at the mysql command line, where nas corresponds to clients.conf and radcheck corresponds to users:

INSERT INTO nas VALUES (NULL , '0.0.0.0/0', 'myNAS', 'other', NULL , 'mysecret', NULL , NULL , 'RADIUS Client');
INSERT INTO radcheck (username, attribute, op, value) VALUES ('thisuser', 'User-Password', ':=', 'thispassword');

We also set up a group:

INSERT INTO radusergroup (username, groupname, priority) VALUES ('thisuser', 'thisgroup', '1');

and specify the reply for the group:

INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('thisgroup', 'Service-Type', ':=', 'Framed-User'), ('thisgroup', 'Framed-Protocol', ':=', 'PPP'), ('thisgroup', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');

Done.


Tools List

  1. WinBox, for debugging the MikroTik

  2. NTRadPing, for debugging FreeRADIUS. It shows at a glance the types of request that can be sent (Request type) and the additional attributes (Additional RADIUS Attributes), with the attribute list and the selectable values for each attribute. For example, Service-Type := Framed indicates 802.1X auth:

    Service-type = Call-Check (MAC auth)
    Service-type = Framed (802.1X auth)
    Service-type = Login (Captive portal auth)

NTRadPing is a useful tool for testing installations of your RADIUS servers. Through NTRadPing you can simulate authentication and accounting requests and send them to the RADIUS server making NTRadPing act as a NAS client.

Before you send the request to the server, you need to configure the server IP address, the RADIUS secret key stored in the server clients file, and a username.

All the other parameters are optional.

On accounting requests, the "Acct-Session-Id" attribute is also added automatically if you do not explicitly enter it in the request attribute list.

If you issue an accounting request, then the RADIUS attribute "Acct-Status-Type" is added automatically by NTRadPing depending on the type of accounting request you have chosen (start, stop or update).

In the lower left list box you can add as many RADIUS attributes as you like to your request. The list of available attributes and the relevant values in the two drop down boxes depend on the dictionary file RADDICT.DAT.

By checking the "CHAP" checkbox, you may force NTRadPing to issue authentication requests with a CHAP password instead of a default (PAP) password.

In the right list box you will get results about the RADIUS request, along with a complete dump of all the returned RADIUS attributes.

The parameters entered in the main window are preserved even after closing the application (they are stored in the registry).

  3. radtest, for simple debugging of FreeRADIUS, verifying whether a user can log in

The format is:

$ radtest
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret 