FreeRADIUS
Installation
    apt-get install freeradius freeradius-ldap
Configuration
- /etc/freeradius/radiusd.conf
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
    }
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    proxy_requests = yes
    $INCLUDE proxy.conf
    $INCLUDE clients.conf
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
    }
    instantiate {
        exec
        expr
        expiration
        logintime
    }
    $INCLUDE policy.conf
    $INCLUDE sites-enabled/
- /etc/freeradius/clients.conf
    client localhost {
        ipaddr = 127.0.0.1
        secret = "azaz"
        require_message_authenticator = no
        shortname = localhost
        nastype = other     # localhost isn't usually a NAS...
        login = !root
        password = ""       # azaz
    }
    client 192.168.0.0/16 {
        secret = "azaz"
        password = "azaz"
        shortname = private-network-1
        require_message_authenticator = no
    }
- /etc/freeradius/users
    "tom"    Cleartext-Password := "azaz"
             Reply-Message = "Hello, %{User-Name}"
    "pouce"  Cleartext-Password := "azaz"
             Reply-Message = "Hello, %{User-Name}"
LDAP support
- /etc/freeradius/modules/ldap
The admin bind DN and its password are required so that FreeRADIUS can fetch the user's password from LDAP and then use it for authentication.
    ldap {
        server = "localhost"
        identity = "cn=admin,dc=abuledu"
        password = "CHANGEME"    # the admin bind password, see /etc/ldap.secret
        basedn = "ou=utilisateurs,dc=abuledu"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=posixAccount)"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
    }
Note: not needed at Albi and not used at Cestas.
For the record: add the attached file to /etc/ldap/slapd.d/cn=config/cn=schema so that you end up with /etc/ldap/slapd.d/cn=config/cn=schema/cn={6}freeradius.ldif
- /etc/freeradius/modules/pap
    auto_header = yes
- enable the ldap blocks in sites-available/default
    authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        unix
        files
        ldap
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        Auth-Type LDAP {
            ldap
        }
        eap
    }
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        ldap
        exec
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
This makes it possible to test with radtest:
    radtest "toto" "azaz" 127.0.0.1 1812 MOTDEPASSESRVRADIUS
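The Access-Request that radtest sends, rebuilt with the Python standard library as an added example (not code from this page or from FreeRADIUS), so that the User-Password obfuscation and the Message-Authenticator checked when require_message_authenticator = yes can be inspected. The secret "azaz" and the user "tom" come from the configuration above; NAS-IP-Address 127.0.0.1 and the packet identifier are assumptions.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + request authenticator(16)

def _xor_blocks(secret, authenticator, data, chain_on_output):
    # RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out
def encode_user_password(secret, authenticator, password):
    # Client side (radtest): NUL-pad to a multiple of 16 bytes, chain on the ciphertext.
    return _xor_blocks(secret, authenticator, password + b"\x00" * (-len(password) % 16), True)
def decode_user_password(secret, authenticator, blob):
    # Server side: same keystream, chained on the received ciphertext; strip the padding.
    return _xor_blocks(secret, authenticator, blob, False).rstrip(b"\x00")
def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, username, password, identifier=1, authenticator=None):
    # Same attribute set radtest sends; NAS-IP-Address 127.0.0.1 is an assumption.
    request_auth = authenticator or os.urandom(16)  # must be fresh and random per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_user_password(secret, request_auth, password.encode()))
             + attribute(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))
             + attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zeroed while the HMAC is computed
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute, so its value is the tail

def find_attribute(packet, attr_type):
    # Return (value offset, value length) of the first attribute of that type, else None.
    pos = HEADER_LEN
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:  # length < 2 is malformed: stop
        if packet[pos] == attr_type:
            return pos + 2, packet[pos + 1] - 2
        pos += packet[pos + 1]
    return None

def verify_message_authenticator(packet, secret):
    # The check that require_message_authenticator = yes enables: HMAC-MD5 over the
    # whole packet with the attribute value zeroed (RFC 2869 s5.14).
    found = find_attribute(packet, MESSAGE_AUTHENTICATOR)
    if found is None:
        return False
    off, _ = found
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[off:off + 16])
```

With require_message_authenticator = no, as in clients.conf above, the server does not demand this HMAC on Access-Requests, so the request's only integrity protection is the secret-derived keystream on User-Password; turning it on for clients that send the attribute is the safer setting.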
And to disconnect a user's session:
    echo "User-Name = guy.larrieu" | radclient 127.0.0.1 disconnect MOTDEPASSESRVRADIUS
For authentication through chilli, you must set HS_RAD_PROTO=mschapv2.
Sources: