https://wiki.freeradius.org/guide/Getting%20Started
We assume that you can install the server via something like yum install freeradius, or apt-get install freeradius.
Note that in Debian-based systems, the server daemon is called freeradius instead of radiusd.
The configuration files are also located in /etc/freeradius/ instead of /etc/raddb/.
When the server has been installed on a new machine, the first step is to start it in debugging mode, as user root:
# radiusd -X
This step demonstrates that the server is installed and configured properly. If the output says Ready to process requests, then all is well.
Testing authentication is simple. Edit the users file
/etc/raddb/mods-config/files/authorize
and add the following line of text at the top of the file, before anything else:
testing Cleartext-Password := "password"
Start the server in debugging mode (radiusd -X), and run radtest from another terminal window:
$ radtest testing password 127.0.0.1 0 testing123
The argument format is:
$ radtest
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret
You should see the server respond with an Access-Accept. If you do, then congratulations, the following authentication methods now work for the testing user:
PAP, CHAP, MS-CHAPv1, MS-CHAPv2, PEAP, EAP-TTLS, EAP-GTC, EAP-MD5.
The testing123 on the command line is the secret defined in
/etc/raddb/clients.conf
like this:
secret = testing123
When we discuss clients, we mean clients of the RADIUS server, NOT the network clients such as laptops, tablets etc.; those do not talk directly to the RADIUS server.
The above test runs radtest from localhost. It is useful to add a new client, which can be done by editing the
/etc/raddb/clients.conf
file. Add the following content:
client new {
    ipaddr = 192.0.2.1
    secret = testing123
}
You should change the IP address 192.0.2.1 to be the address of the client which will be sending Access-Request packets.
The client should also be configured to talk to the RADIUS server, by using the IP address of the machine running the RADIUS server. The client must use the same secret as configured above in the client section.
Then restart the server in debugging mode, and run a simple test using the testing user. You should see an Access-Accept in the server output.
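Why the client and server must share the same secret, as an added example (not code from the original page or from the FreeRADIUS project): a minimal PAP Access-Request built per RFC 2865, whose User-Password is masked with MD5 of the secret and the Request Authenticator, so a server holding a different secret recovers garbage instead of the password. The function names are illustrative, and the packet carries only User-Name and User-Password.

```python
import hashlib
import os
import struct

def _xor_chain(data, secret, authenticator, hiding):
    # RFC 2865 section 5.2: mask 1 is MD5(secret + Request Authenticator),
    # each later mask is MD5(secret + previous ciphertext block).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def hide_password(password, secret, authenticator):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hiding=True)

def reveal_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(user, password, secret, ident=1, authenticator=None):
    # Code 1 = Access-Request; attribute 1 = User-Name, 2 = User-Password.
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(1, user) + _attr(2, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def server_view(packet, secret):
    # What a server configured with `secret` recovers from the packet.
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, found = packet[4:20], 20, {}
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        found[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return found[1], reveal_password(found[2], secret, authenticator)

if __name__ == "__main__":
    # Constructed values: the test user and secret used on this page.
    pkt = access_request(b"testing", b"password", b"testing123")
    print(server_view(pkt, b"testing123"))    # secret matches clients.conf
    print(server_view(pkt, b"other-secret"))  # mismatch: password is garbage
```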
The following steps outline the best known method for configuring the server. Following them lets you create complex configurations with a minimum of effort. Failure to follow them leads to days of frustration and wasted effort.
Changing the server configuration should be done via the following steps:
The debug output shows that the packets are being processed as you expect.
If anything goes wrong, double-check the configuration; read the entire debug output, looking for words like error or warning. These messages usually contain descriptions of what went wrong, and suggestions for how it can be fixed. Also see an explanation of the debug output and the debug form.
To install with Homebrew, first search for radius with brew search:
brew search radius
Result:
==> Formulae
freeradius-server ✔
Then install with:
brew install freeradius-server
Installation location:
/usr/local/Cellar/freeradius-server/3.0.19_1
To stop the service, open Activity Monitor and kill radiusd.