[root@nm freeradius-server-2.1.1]# rpm -qa | grep openssl
openssl-0.9.7a-43.10
openssl-devel-0.9.7a-43.10
xmlsec1-openssl-1.2.6-3

[root@vmmac fprobe-1.1]# rpm -qa | grep ldap
openldap-2.2.13-6.4E
openldap-devel-2.2.13-6.4E
openldap-clients-2.2.13-6.4E
nss_ldap-226-13
openldap-servers-2.2.13-6.4E

freeradius-server-2.1.1.tar.gz
[root@nm freeradius-server-2.1.1]# ./configure
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
This step takes a long time, close to an hour.

[root@nm freeradius-server-2.1.1]# make
Making all in rfc...
gmake[4]: Entering directory `/usr/local/src/freeradius-server-2.1.1/doc/rfc'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc/rfc'
gmake[3]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[2]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[1]: Leaving directory `/usr/local/src/freeradius-server-2.1.1'

[root@nm freeradius-server-2.1.1]# make install
done
gmake[4]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc/rfc'
gmake[3]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[2]: Leaving directory `/usr/local/src/freeradius-server-2.1.1/doc'
gmake[1]: Leaving directory `/usr/local/src/freeradius-server-2.1.1'
Installing dictionary files in /usr/local/share/freeradius
/usr/local/src/freeradius-server-2.1.1/libtool --finish /usr/local/lib
PATH="$PATH:/sbin" ldconfig -n /usr/local/lib
The first time after installation, you should run the server as "root". needs for EAP.
$ radiusd -X
Once that is done, the server can be run from an unprivileged user account.

[root@nm local]# radiusd -X
FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Oct 29 2008 at 10:27:47
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
...
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
From another window, look at the log:
[root@nm ~]# cat /usr/local/var/log/radius/radius.log
Wed Oct 29 11:23:25 2008 : Error: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
Wed Oct 29 11:23:25 2008 : Error: rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server.pem
Wed Oct 29 11:23:25 2008 : Error: rlm_eap: Failed to initialize type tls
Wed Oct 29 11:23:25 2008 : Error: /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
Wed Oct 29 11:23:25 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
Wed Oct 29 11:23:25 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
Wed Oct 29 11:23:25 2008 : Error: Errors initializing modules
The first start produces EAP errors.

Then restart radiusd once more, this time without -X:
[root@nm local]# radiusd &
[1] 2419

From another window, look at the log again. The second start adds only one new log line, with no error:
[root@nm ~]# cat /usr/local/var/log/radius/radius.log
Wed Oct 29 13:09:48 2008 : Info: Ready to process requests.
[root@nm ~]# ps -ef | grep radiusd

[root@nm ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address
radtest [-d raddb_directory] user password radius-server nas-port-number secret

nas-port-number: not used here; 0 is fine.
secret: the shared secret of the matching client entry in clients.conf (after installation, the default secret for the local client 127.0.0.1 is testing123).

[root@nm ~]# radtest test test localhost 0 testing123
Sending Access-Request of id 48 to 127.0.0.1 port 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=48, length=20
Although both the user and the password are fake, receiving an Access-Reject is enough to prove that the FreeRADIUS server has started correctly.
[root@vm ~]# cp /usr/local/sbin/rc.radiusd /etc/init.d/radius

[root@vm ~]# /etc/init.d/radius
Usage: /etc/init.d/ {start|stop|reload|restart|check}
[root@vm ~]# /etc/init.d/radius start
Starting FreeRADIUS: radiusd

[root@vm rc3.d]# ln -s ../init.d/radius S96radius
[root@vm rc3.d]# ls -l
1. radiusd.conf: there is not much to change here; it holds system-level settings (directories, PID file, log, and so on).
[root@vmmac ~]# vi /usr/local/etc/raddb/radiusd.conf
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
#user = radius
#group = radius
By default these two lines are commented out, so the daemon is started as root. Unless RADIUS authenticates against local accounts (/etc/passwd), it is strongly recommended to start the daemon as the radius user.
max_requests = 1024
The default is 1024. Too small a value causes "busy" responses under heavy authentication load; too large a value consumes memory.
listen { }
listen { }
log { }
$INCLUDE clients.conf
clients.conf is really part of radiusd.conf; it has simply been split out into its own file.
modules { }
2. clients.conf defines the NAS entries. The main thing to set is the key, so clients.conf is the file that mostly needs editing.
[root@vmmac ~]# vi /usr/local/etc/raddb/clients.conf
client 10.4.193.26 {
}
What "secret" means: the exchange between the RADIUS AAA server and the NAS is protected with this key; what crosses the wire is not the password itself but an MD5 computation result.
client 10.4.3.150 {
}
client localhost {
}
#client 192.168.0.0/24 {
#}
Defining a whole subnet is convenient when there are many NASes: clients.conf does not have to be edited again every time a NAS is added.
#client 192.168.0.0/16 {
#}
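The MD5 computation that the "secret" note refers to, and the 20-byte Access-Reject that radtest printed earlier, as an added Python example (not code from the page or from FreeRADIUS): it implements the RFC 2865 User-Password hiding and the Response Authenticator check using the default testing123 secret, and shows that a reply built with a different secret fails verification. The Request Authenticator is a constructed constant; a real client draws it from os.urandom(16).

```python
import hashlib
import hmac
import struct

# Constructed demo inputs: the default localhost secret that clients.conf ships
# with, and a fixed Request Authenticator (real clients use os.urandom(16)).
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))

def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: NUL-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); block 0 chains off the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    """Server side: undo the hiding; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, secret, req_auth, nas_port=0):
    """The Access-Request (code 1) that `radtest user password host nas-port secret` sends."""
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, req_auth))
             + attr(5, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, attrs, req_auth, secret):
    """Server reply; Response Authenticator = MD5(header + req_auth + attrs + secret). attrs=b"" with code 3 is the 20-byte Access-Reject seen in the radtest output."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_reply(reply, req_auth, secret):
    """Client side: accept only replies whose authenticator matches our shared secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = build_reply(reply[0], reply[1], reply[20:], req_auth, secret)[4:20]
    return hmac.compare_digest(expected, reply[4:20])
```

A NAS whose secret does not match the server's clients.conf entry produces replies that fail verify_reply, which is the client-side symptom of a misconfigured or guessed shared secret.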
[root@vmmac ~]# vi /usr/local/etc/raddb/radiusd.conf
user = radius
group = radius
First open /usr/local/etc/raddb/radiusd.conf and check whether the comment mark in front of $INCLUDE sql.conf has been removed. If it has been removed and things still do not work, follow the method below.
1. If you installed MySQL by compiling the source, this problem should not occur. If you installed MySQL in rpm style, rlm_sql_mysql.so is not installed by default; if you need this file you must additionally install mysql-devel-****.rpm.
2. Download that package from http://dev.mysql.com/doc/refman/5.1/en/linux-rpm.html.
3. Go to the source tree freeradius-server****/src/modules/rlm_sql/drivers/rlm_sql_mysql and compile again. Afterwards rlm_sql_mysql.so is generated in freeradius-server-2.1.1/src/modules/rlm_sql/drivers/lib; copy it to /usr/lib.