HOW TO: FreeRADIUS + MySQL

This tutorial shows how to install FreeRADIUS authenticating remotely against a MySQL database. The how-to is quite rough, because FreeRADIUS has countless features and to this day I am still struggling with it a bit, so criticism is welcome.

To help make up for the shortcomings of this how-to, other documentation in Portuguese can be found at:

http://www.linuxbsd.com.br/phpLinuxBSD/modules/artigos_tecnicos/freeradius_com_mysql.htm
http://lists.cistron.nl/archives/freeradius-devel/2005/02/
http://www.google.com.br :)

Software used:

- Slackware 10.0.1   www.slackware.org
- FreeRADIUS         www.freeradius.org
- MySQL              www.mysql.org

Downloading FreeRADIUS:

cd /usr/local/src
wget ftp://ftp.freeradius.org/pub/radius/old/freeradius-1.0.1.tar.gz

Checking the md5:

md5sum freeradius-1.0.1.tar.gz
abc30cb71367f859ceed4de6477cd59f  freeradius-1.0.1.tar.gz

Unpacking and compiling (tcsh shell, Pentium III machine):

tar xvfz freeradius-1.0.1.tar.gz
cd freeradius-1.0.1
( setenv CFLAGS '-O6 -march=i686' ; ./configure --sysconfdir=/etc --with-logdir=/var/log/radius --with-radacctdir=/var/log/radacct )
make
make install
rehash

Creating the database to be queried.
Below is the dump of the database I am using; note that the original schema can be found in the FreeRADIUS package.

# Database : `radius`
#
# --------------------------------------------------------
#
# Table structure for table `radacct`
#

create database radius;
use radius;

DROP TABLE IF EXISTS `radacct`;
CREATE TABLE `radacct` (
  `RadAcctId` bigint(21) NOT NULL auto_increment,
  `AcctSessionId` varchar(32) NOT NULL default '',
  `AcctUniqueId` varchar(32) NOT NULL default '',
  `UserName` varchar(64) NOT NULL default '',
  `Realm` varchar(64) default '',
  `NASIPAddress` varchar(15) NOT NULL default '',
  `NASPortId` int(12) default NULL,
  `NASPortType` varchar(32) default NULL,
  `AcctStartTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `AcctStopTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `AcctSessionTime` int(12) default NULL,
  `AcctAuthentic` varchar(32) default NULL,
  `ConnectInfo_start` varchar(32) default NULL,
  `ConnectInfo_stop` varchar(32) default NULL,
  `AcctInputOctets` bigint(12) default NULL,
  `AcctOutputOctets` bigint(12) default NULL,
  `CalledStationId` varchar(50) NOT NULL default '',
  `CallingStationId` varchar(50) NOT NULL default '',
  `AcctTerminateCause` varchar(32) NOT NULL default '',
  `ServiceType` varchar(32) default NULL,
  `FramedProtocol` varchar(32) default NULL,
  `FramedIPAddress` varchar(15) NOT NULL default '',
  `AcctStartDelay` int(12) default NULL,
  `AcctStopDelay` int(12) default NULL,
  `ClientIPAddressStart` varchar(15) NOT NULL default '',
  `ClientIPAddressStop` varchar(15) default NULL,
  `AscendDataRate` int(12) default NULL,
  `AscendXmitRate` int(12) default NULL,
  PRIMARY KEY (`RadAcctId`),
  KEY `UserName` (`UserName`),
  KEY `FramedIPAddress` (`FramedIPAddress`),
  KEY `AcctSessionId` (`AcctSessionId`),
  KEY `AcctUniqueId` (`AcctUniqueId`),
  KEY `AcctStartTime` (`AcctStartTime`),
  KEY `AcctStopTime` (`AcctStopTime`),
  KEY `NASIPAddress` (`NASIPAddress`)
) TYPE=MyISAM AUTO_INCREMENT=31214 ;

# --------------------------------------------------------
#
# Table structure for table `radcheck`
#

DROP TABLE IF EXISTS `radcheck`;
CREATE TABLE `radcheck` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `UserName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '==',
  `Value` varchar(253) NOT NULL default '',
  PRIMARY KEY (`id`),
  KEY `UserName` (`UserName`(32))
) TYPE=MyISAM AUTO_INCREMENT=27754 ;

# --------------------------------------------------------
#
# Table structure for table `radgroupcheck`
#

CREATE TABLE `radgroupcheck` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `GroupName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '==',
  `Value` varchar(253) NOT NULL default '',
  PRIMARY KEY (`id`),
  KEY `GroupName` (`GroupName`(32))
) TYPE=MyISAM AUTO_INCREMENT=3 ;

#
# Dumping data for table `radgroupcheck`
#

INSERT INTO `radgroupcheck` VALUES (1, 'dialup', 'Auth-Type', '==', 'PAP');

# --------------------------------------------------------
#
# Table structure for table `radgroupreply`
#

CREATE TABLE `radgroupreply` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `GroupName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '=',
  `Value` varchar(253) NOT NULL default '',
  `prio` int(10) unsigned NOT NULL default '0',
  PRIMARY KEY (`id`),
  KEY `GroupName` (`GroupName`(32))
) TYPE=MyISAM AUTO_INCREMENT=3 ;

#
# Dumping data for table `radgroupreply`
#

INSERT INTO `radgroupreply` VALUES (1, 'dialup', 'Service-Type', '=', 'Framed-User', 0);
INSERT INTO `radgroupreply` VALUES (2, 'dialup', 'Framed-Protocol', '=', 'PPP', 0);

# --------------------------------------------------------
#
# Table structure for table `radreply`
#

DROP TABLE IF EXISTS `radreply`;
CREATE TABLE `radreply` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `UserName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '=',
  `Value` varchar(253) NOT NULL default '',
  PRIMARY KEY (`id`),
  KEY `UserName` (`UserName`(32))
) TYPE=MyISAM AUTO_INCREMENT=1 ;

# --------------------------------------------------------
#
# Table structure for table `usergroup`
#

DROP TABLE IF EXISTS `usergroup`;
CREATE TABLE `usergroup` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `UserName` varchar(64) NOT NULL default '',
  `GroupName` varchar(64) NOT NULL default '',
  PRIMARY KEY (`id`),
  KEY `UserName` (`UserName`(32))
) TYPE=MyISAM AUTO_INCREMENT=27166 ;

Editing the RADIUS configuration files in /etc/raddb:

- clients.conf - In this file you put the authentication parameters, that is, the machines that will connect to the RADIUS port, each with its shared secret:

client 127.0.0.1 {
    secret    = testing123
    shortname = localhost
}

client xxx.xxx.xxx.xxx {
    secret    = senha
    shortname = portmaster
    nastype   = livingston
}

- proxy.conf - This file defines the RADIUS proxy settings:

proxy server {
    synchronous = no
    retry_delay = 5
    retry_count = 3
    dead_time = 120
    default_fallback = yes
    post_proxy_authorize = yes
}

realm LOCAL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm dominio1.com.br {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm dominio2.com {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm dominio3.com.br {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

- users - The users configuration file; FreeRADIUS gives this file high priority.
DEFAULT Auth-Type := PAP
        Fall-Through = No

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

- sql.conf - In this file, set the MySQL database connection parameters.

- radiusd.conf - The main FreeRADIUS configuration file:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = /var/log/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf

snmp = no
$INCLUDE ${confdir}/snmp.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = "ldap.your.domain"
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = yes
        ignore_null = yes
    }
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = yes
        ignore_null = yes
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = yes
        ignore_null = yes
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m
        detailperm = 0600
    }
    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0600
    }
    detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
        detailperm = 0600
    }
    detail pre_proxy_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
        detailperm = 0600
    }
    detail post_proxy_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}

instantiate {
    exec
    expr
}

authorize {
    preprocess
    auth_log
    suffix
    files
    sql
}

authenticate {
    Auth-Type PAP {
        pap
    }
}

preacct {
    preprocess
    acct_unique
    suffix
    files
}

accounting {
    detail
    unix
    radutmp
    sql
}

session {
    radutmp
    sql
}

post-auth {
    reply_log
}

pre-proxy {
}

post-proxy {
}

- Run radiusd in debug mode to check that everything starts correctly:

/usr/local/sbin/radiusd -y -X

- Also use tools to test your RADIUS server, for example radtest:

radtest user password xxx.xxx.xxx.xxx:1645 0 senha_radius

- Read the logs:

tail -f /var/log/radius.log

- Use tcpdump:

tcpdump -p -n -s 1500 -i ethx port 1645

That's all for now; I hope this has helped somehow.
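To see what radtest actually puts on the wire when it talks to the server configured above, here is an added example (my own code, not part of the original how-to or of FreeRADIUS) that builds a PAP Access-Request as RFC 2865 describes, with the User-Password hidden using MD5 over the shared secret and the Request Authenticator, and that checks the Response Authenticator of the reply so a spoofed or wrong-secret answer is not mistaken for a real Access-Accept. Function names are my own; the shared secret testing123 and port 1645 are the values from clients.conf and the radtest line above.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def _pap_blocks(data, secret, authenticator, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block on the wire)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]  # chaining always uses the hidden block
    return out

def hide_pap_password(password, secret, authenticator):
    return _pap_blocks(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)

def reveal_pap_password(hidden, secret, authenticator):
    return _pap_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(ident, user, password, secret, nas_ip, nas_port, authenticator=None):
    """Same attributes radtest sends; the 16-byte Request Authenticator must be fresh random."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_pap_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """What the server does: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response, request_authenticator, secret):
    """Recompute the Response Authenticator with our secret; a spoofed or wrong-secret reply fails."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = build_response(response[0], response[1], request_authenticator, secret, response[20:])
    return hmac.compare_digest(expected[4:20], response[4:20])
```

To use it against the server above, send the packet with a UDP socket to 127.0.0.1:1645, keep the authenticator you passed in, and hand the reply plus that authenticator to response_is_authentic() before trusting reply[0] == ACCESS_ACCEPT.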
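Because radiusd.conf above sets log_auth_badpass = yes and log_auth_goodpass = yes, the "Auth:" lines in radius.log carry the password next to the user name, so tail -f shows more than you may want to keep or share. Here is an added example (my own, not the author's or FreeRADIUS's code) that parses constructed radius.log lines in the shape FreeRADIUS 1.x writes (the regular expression assumes that shape), counts rejected logins per client, user or calling number, and redacts the password from a line. The sample lines are constructed, not taken from a real log.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of FreeRADIUS 1.x "Auth:" log entries (assumed format).
SAMPLE_LOG = """\
Wed Feb  9 10:12:33 2005 : Auth: Login OK: [maria/segredo] (from client portmaster port 3 cli 1133334444)
Wed Feb  9 10:12:40 2005 : Auth: Login incorrect: [joao/abc123] (from client portmaster port 4 cli 1155556666)
Wed Feb  9 10:12:41 2005 : Auth: Login incorrect: [joao/abc124] (from client portmaster port 4 cli 1155556666)
Wed Feb  9 10:12:45 2005 : Auth: Login incorrect: [ana/x] (from client localhost port 0)
Wed Feb  9 10:13:02 2005 : Auth: Login OK: [joao/abc125] (from client portmaster port 4 cli 1155556666)
""".splitlines()

# The "/password" part is present only when log_auth_badpass/goodpass are enabled.
AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^\]/]*)(?:/(?P<password>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)

def parse_auth_line(line):
    """One Auth: line as a dict (password dropped; only whether it was logged is kept), or None."""
    m = AUTH_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["password_logged"] = rec.pop("password") is not None
    rec["ok"] = rec.pop("result") == "OK"
    rec["port"] = int(rec["port"])
    return rec

def failed_logins(lines, key="client", threshold=1):
    """Rejected logins grouped by key ("client", "user" or "cli"), keeping groups >= threshold."""
    counts = Counter()
    for rec in map(parse_auth_line, lines):
        if rec is not None and not rec["ok"] and rec[key] is not None:
            counts[rec[key]] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

def redact(line):
    """Strip the logged password from the bracketed field before the line is shared or archived."""
    return re.sub(r"\[([^\]/]*)/[^\]]*\]", r"[\1]", line)
```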