After endless hardship,
reinstall after reinstall...
reinstall after reinstall...
reinstall after reinstall...
heaven finally rewarded the effort... QQ
I finally managed to get FreeRADIUS + files + MySQL + PEAP/TLS working.
I think a lot of people are in the same boat as me:
the information online is fragmented,
looking for the right documents feels like being a headless fly,
trying this and that,
hitting walls all the time,
almost going crazy in the process ~= =
But,
today I finally have a complete write-up to put in front of everyone~
I hope it helps^^
First,
let me explain why people get stuck.
The cause is actually the licensing problem between Ubuntu and the FreeRADIUS EAP modules:
because of it, the EAP modules are not included as default modules in Ubuntu's apt-get packages,
so the modules cannot be started.
The fix is actually simple,
namely... compile it yourself.
Next I'll show everyone how to do it~^^
First we prepare the environment.
(Everything below must be run as root; see this article)
#apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y //brings the system up to date with security updates
#apt-get install vim -y //install the newer vim (optional)
#vim /etc/vim/vimrc //remove the " in front of "syntax on" to get syntax colouring in vim (optional)
#apt-get install build-essential -y //install the libraries and tools needed to compile
(The following is the firewall setup; optional)
#mkdir -p /usr/local/virus/iptables //create the directory
#cd /usr/local/virus/iptables //change into it
#vim iptables.rule //create iptables.rule and put the shell script below into it (the script comes from 鳥哥的私房菜, VBird's Linux site)
--------------------------------------------------------------------------------------------------------------------
#!/bin/bash
# Fill in your own parameters first, and do not get them wrong!
EXTIF="eth0" # the interface that can reach the public IP
INIF=""      # the internal LAN interface; leave as "" if there is none
INNET=""     # the internal LAN network; set to "" if there is no internal LAN
export EXTIF INIF INNET
# Part one: firewall settings for this host itself ###########################
# 1. Set the kernel network parameters first (each value is written into /proc):
echo "1" > /proc/sys/net/ipv4/tcp_syncookies             # SYN cookies against SYN floods
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # ignore broadcast pings
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo "1" > $i   # reverse-path filtering, drops packets with spoofed sources
done
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo "1" > $i   # log packets with impossible addresses
done
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo "0" > $i   # refuse source-routed packets
done
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo "0" > $i   # ignore ICMP redirects
done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo "0" > $i   # and do not send any
done
# 2. Flush the rules, set the default policies, and open lo and related settings
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
# 3. Run the extra firewall script modules, if present
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
    sh /usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
    sh /usr/local/virus/iptables/iptables.allow
fi
if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
    sh /usr/local/virus/httpd-err/iptables.http
fi
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# 4. Allow certain ICMP types in
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
    iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done
# 5. Allow certain services in; open these according to your own environment
iptables -A INPUT -p TCP -i $EXTIF --dport 22 -j ACCEPT # SSH
# iptables -A INPUT -p TCP -i $EXTIF --dport 25 -j ACCEPT # SMTP
# iptables -A INPUT -p UDP -i $EXTIF --sport 53 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --sport 53 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT # WWW
# iptables -A INPUT -p TCP -i $EXTIF --dport 110 -j ACCEPT # POP3
# iptables -A INPUT -p TCP -i $EXTIF --dport 443 -j ACCEPT # HTTPS
iptables -A INPUT -p UDP -i $EXTIF --dport 1812 -j ACCEPT # freeradius authentication (RADIUS runs over UDP, not TCP)
--------------------------------------------------------------------------------------------------------------------
#vim /etc/rc.local //so the firewall script runs automatically at boot, add the following lines to it
--------------------------------------------------------------------------------------------------------------------
# 1. Firewall
sh /usr/local/virus/iptables/iptables.rule
--------------------------------------------------------------------------------------------------------------------
#apt-get -y install mysql-server mysql-client //install the MySQL server and client
#apt-get install libssl-dev libpq-dev -y //install the libraries FreeRADIUS needs
#apt-get install apt-src -y //install the apt-src command
#apt-get install dpkg-dev -y //install the dpkg tools
#apt-get install fakeroot -y //install the fakeroot command
#mkdir ~/freeradius_tls //create a temporary build directory under root's home
#cd ~/freeradius_tls
#wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.1.7.tar.gz //download the FreeRADIUS source tarball
#tar -zxvf freeradius-1.1.7.tar.gz //unpack it
#cd freeradius-1.1.7
#vim debian/control //edit control and append the EAP module packages at the end
--------------------------------------------------------------------------------------------------------------------
Package: freeradius-eaptls
Architecture: any
Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}
Description: eap-tls module for FreeRADIUS server
 Debian will not provide a binary version of the rlm_eap_tls.so library. This
 module is required if you want to use EAP/TLS authentication, commonly used
 for WiFi access points.

Package: freeradius-eappeap
Architecture: any
Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}
Description: eap-peap module for FreeRADIUS server
 Debian will not provide a binary version of the rlm_eap_peap.so library. This
 module is required if you want to use EAP/PEAP authentication, commonly used
 for WiFi access points.
--------------------------------------------------------------------------------------------------------------------
#dpkg-buildpackage -rfakeroot -uc -us //build the packages
Usually when you run this, dependency problems appear! Like this:
dpkg-checkbuilddeps: Unmet build dependencies: debhelper (>= 4.2.32) dpatch (>= 2) autotools-dev libtool (>= 1.5) libltdl3-dev libpam0g-dev libmysqlclient15-dev | libmysqlclient14-dev | libmysqlclient-dev libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libperl-dev snmp libsnmp9-dev | libsnmp5-dev | libsnmp4.2-dev
dpkg-buildpackage: warning: Build dependencies/conflicts unsatisfied; aborting.
dpkg-buildpackage: warning: (Use -d flag to override.)
Notice that it lists the components with dependency problems: debhelper, dpatch, autotools-dev, libtool, and so on. So we just use apt-get install [component name] to resolve them one by one^.^
#apt-get install debhelper dpatch autotools-dev libtool libltdl3-dev libpam0g-dev libmysqlclient15-dev libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libperl-dev snmp libsnmp9-dev -y //install the missing build dependencies
#dpkg-buildpackage -rfakeroot -uc -us //try the build again
#cd ..
#dpkg -i freeradius_1.1.7-0_i386.deb freeradius-eaptls_1.1.7-0_i386.deb freeradius-mysql_1.1.7-0_i386.deb freeradius-eappeap_1.1.7-0_i386.deb //install the packages built above
At this point you have successfully installed FreeRADIUS with the EAP-TLS module!
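Picking the package names out of that error line by hand is error-prone, so here is a small parser for it, added as an example (it is not from the original post and not a dpkg tool; unmet_build_deps and demo_unmet_build_deps are hypothetical helper names). It drops version constraints such as "(>= 4.2.32)" and, for "a | b | c" alternatives, keeps the first package, which is exactly the choice the manual install line above makes. The sample input is the error output quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: turn the
# "dpkg-checkbuilddeps: Unmet build dependencies:" line into the package
# list for apt-get. Hypothetical helper, not part of dpkg.
unmet_build_deps() {
  sed -n 's/^dpkg-checkbuilddeps: Unmet build dependencies: //p' \
  | sed -e 's/([^)]*)//g' -e 's/ *| *[^ ]*//g' \
  | tr -s ' ' '\n' \
  | sed '/^$/d'
}

# The exact error output quoted in the post, kept here as the sample input.
SAMPLE_BUILD_OUTPUT='dpkg-checkbuilddeps: Unmet build dependencies: debhelper (>= 4.2.32) dpatch (>= 2) autotools-dev libtool (>= 1.5) libltdl3-dev libpam0g-dev libmysqlclient15-dev | libmysqlclient14-dev | libmysqlclient-dev libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libperl-dev snmp libsnmp9-dev | libsnmp5-dev | libsnmp4.2-dev
dpkg-buildpackage: warning: Build dependencies/conflicts unsatisfied; aborting.
dpkg-buildpackage: warning: (Use -d flag to override.)'

# Runs the parser over the sample; prints one package name per line.
demo_unmet_build_deps() {
  printf '%s\n' "$SAMPLE_BUILD_OUTPUT" | unmet_build_deps
}

# Real use: dpkg-checkbuilddeps writes to stderr, so merge it into the pipe.
#   dpkg-buildpackage -rfakeroot -uc -us 2>&1 | unmet_build_deps | xargs -r apt-get install -y
```

The second sed expression deletes " | alternative" groups, so only the first alternative survives; if you would rather have a different one (say libmysqlclient-dev), edit the output before passing it to apt-get.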
Next comes the main event:
the detailed configuration!
First we set up the database FreeRADIUS needs.
#mysql -uroot -ppassword //using the MySQL client
mysql>Create Database radius; //create the radius database
Press Ctrl+C to exit.
#cd /root/freeradius_tls/freeradius-1.1.7/doc/examples/ //the radius table schema usually ships in the source tarball; if you cannot find it, search with locate *.sql (see this article)
#mysql -uaccount -ppassword radius < mysql.sql //import the radius tables
#mysql -uaccount -ppassword radius //log in to the MySQL server and switch to the radius database
mysql>insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.254');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0'); //add the group data
mysql>insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test'); //add a test account
mysql>insert into usergroup (username,groupname) values ('test','user'); //put the test account in the group
To add accounts later, just these two commands are needed:
insert into radcheck (username,attribute,op,value) values ('account','User-Password',':=','password');
insert into usergroup (username,groupname) values ('account','user');
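Since those two statements are typed for every new account, here is a helper that generates them, added as an example (not from the original post; radius_user_sql is a hypothetical name and the "user" default group is the one created above). It restricts the username and group to a plain character set and escapes the password for a MySQL single-quoted literal, so a stray quote or backslash in a password neither breaks the statement nor changes its meaning.

```shell
#!/bin/sh
# Added example, not from the original post: print the two INSERT statements
# for a new account with the password safely escaped. Hypothetical helper.
radius_user_sql() {
  user=$1
  pass=$2
  group=${3:-user}      # the group defined above in radgroupreply

  # Only allow plain account names; anything else is rejected outright.
  case $user in
    ''|*[!A-Za-z0-9._@-]*) echo "radius_user_sql: invalid username '$user'" >&2; return 1 ;;
  esac
  case $group in
    ''|*[!A-Za-z0-9._-]*) echo "radius_user_sql: invalid group '$group'" >&2; return 1 ;;
  esac

  # MySQL treats \ as an escape inside '...', so double backslashes first, then
  # double single quotes (the SQL way to embed ' in a literal).
  esc=$(printf '%s\n' "$pass" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")

  printf "INSERT INTO radcheck (username,attribute,op,value) VALUES ('%s','User-Password',':=','%s');\n" "$user" "$esc"
  printf "INSERT INTO usergroup (username,groupname) VALUES ('%s','%s');\n" "$user" "$group"
}

# Typical use: pipe the statements into the mysql client, reading the database
# credentials from a file instead of passing -p<password> on the command line,
# where it is visible in the process list and kept in the shell history.
#   radius_user_sql alice 'S3cret!' | mysql --defaults-extra-file=/root/.my.cnf radius
```

The credentials file named in the comment is an ordinary my.cnf fragment with a [client] section holding user and password, readable only by root.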
#cd /etc/freeradius
Before changing anything, make a backup first, to be safe.
#mkdir backup
#cp eap.conf clients.conf radiusd.conf sql.conf users backup/
#vim radiusd.conf //change the following settings in radiusd.conf
--------------------------------------------------------------------------------------------------------------------
//line 109
user = root
group = root
//line 266
hostname_lookups = yes
//line 290
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
//line 340
lower_user = yes
//line 1136: remove the # so it reads
detail auth_log {
    detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
    detailperm = 0600
}
//line 1153: remove the # so it reads
detail reply_log {
    detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
    detailperm = 0600
}
//line 1789: in authorize, remove the # in front of auth_log, attr_filter and sql so it reads
authorize {
    preprocess
    auth_log
    attr_filter
    chap
    mschap
    suffix
    eap
    files
    sql
}
//line 1994: in accounting, remove the # in front of sql so it reads
accounting {
    detail
    radutmp
    sql
}
//line 2040: in session, remove the # in front of sql so it reads
session {
    radutmp
    sql
}
//line 2052: in post-auth, remove the # in front of reply_log and sql so it reads
post-auth {
    reply_log
    sql
}
--------------------------------------------------------------------------------------------------------------------
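With log_auth, log_auth_badpass and log_auth_goodpass switched on as above, radius.log gets one "Auth:" line per attempt, and with the two *pass options the password is written right next to the user name as [user/password]. The following is an added example (not from the original post; summarize_auth_log is a hypothetical name) that counts failed logins per client and user from that log and reports whether passwords are being written into it, which is worth knowing before the log is shipped anywhere. The sample lines are constructed in the FreeRADIUS 1.x log format; they are not from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: summarize radius.log.
# Hypothetical helper; expects the 1.x "<date> : Auth: Login OK|incorrect:
# [user] or [user/password] (from client NAME port N)" lines.
summarize_auth_log() {
  awk '
    / : Auth: Login (OK|incorrect)/ {
      match($0, /\[[^]]*\]/)
      cred = substr($0, RSTART + 1, RLENGTH - 2)   # "user" or "user/password"
      user = cred; sub(/\/.*/, "", user)
      if (index(cred, "/")) leaked = 1             # a password made it into the log
      match($0, /from client [^ ]+/)
      client = substr($0, RSTART + 12, RLENGTH - 12)
      if ($0 ~ /Login OK/) ok++; else bad[client " " user]++
    }
    END {
      printf "ok %d\n", ok + 0
      printf "passwords_logged %s\n", leaked ? "yes" : "no"
      for (k in bad) printf "incorrect %s %d\n", k, bad[k]
    }' | sort
}

# Constructed sample, in the format the settings above produce.
SAMPLE_RADIUS_LOG='Mon Jan 14 10:00:01 2008 : Auth: Login OK: [testf/testf] (from client test port 0)
Mon Jan 14 10:00:05 2008 : Auth: Login incorrect: [test/wrong] (from client test port 0)
Mon Jan 14 10:00:09 2008 : Auth: Login incorrect: [test/guess] (from client test port 0)
Mon Jan 14 10:00:12 2008 : Auth: Login incorrect: [admin/admin] (from client localhost port 0)
Mon Jan 14 10:00:13 2008 : Info: Ready to process requests.'

# Runs the summary over the sample.
demo_summarize_auth_log() {
  printf '%s\n' "$SAMPLE_RADIUS_LOG" | summarize_auth_log
}

# Real use (Debian keeps the log under /var/log/freeradius/):
#   summarize_auth_log < /var/log/freeradius/radius.log
```

If passwords_logged comes back yes, the log has to be protected like the database itself; setting log_auth_badpass and log_auth_goodpass back to no once the setup is debugged avoids that.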
#vim clients.conf //add the following to clients.conf
--------------------------------------------------------------------------------------------------------------------
client 192.168.1.1 {
    secret = testing123
    shortname = test
}
--------------------------------------------------------------------------------------------------------------------
#vim sql.conf //change the settings in sql.conf as follows
--------------------------------------------------------------------------------------------------------------------
//line 22
login = "root" //MySQL account
password = "password" //MySQL password
//line 53
sqltrace = yes
--------------------------------------------------------------------------------------------------------------------
#vim eap.conf //change the settings in eap.conf as follows
--------------------------------------------------------------------------------------------------------------------
//line 23
default_eap_type = peap
//line 123: remove the # in front of tls so it reads
tls {
    private_key_password = whatever
    private_key_file = ${raddbdir}/certs/cert-srv.pem
    certificate_file = ${raddbdir}/certs/cert-srv.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random
}
//line 304: remove the # in front of peap so it reads
peap {
    default_eap_type = mschapv2
}
--------------------------------------------------------------------------------------------------------------------
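The cert-srv.pem and demoCA/cacert.pem referenced in that tls block are the demo certificates shipped in the source tarball, with the publicly known key password "whatever"; they are fine for the radtest below, but every PEAP client has to trust the CA in CA_file, so before real clients use the server you want your own. The following is an added example (not from the original post or the FreeRADIUS project; make_radius_certs is a hypothetical name, the CN and lifetimes are assumptions to adjust) that produces a private CA and a server certificate in the same file layout the tls block expects.

```shell
#!/bin/sh
# Added example, not from the original post: build demoCA/cacert.pem (CA_file),
# cert-srv.pem holding key + certificate (private_key_file / certificate_file)
# and random (random_file) for the tls block above. Hypothetical helper.
make_radius_certs() (
  dir=$1
  cn=${2:-radius.example.test}     # assumed name; what the supplicants will see
  days=${3:-825}
  set -e
  mkdir -p "$dir/demoCA"
  cd "$dir"

  # 1. Self-signed CA; only cacert.pem is handed out to clients.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=Example RADIUS CA" \
    -keyout demoCA/cakey.pem -out demoCA/cacert.pem 2>/dev/null

  # 2. Server key and CSR (unencrypted key, so private_key_password can be dropped).
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout srv.key -out srv.csr 2>/dev/null

  # 3. Sign it with the CA. The serverAuth EKU is what Windows PEAP supplicants
  #    look for; without it they reject the server certificate.
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$cn" > srv.ext
  openssl x509 -req -sha256 -days "$days" -in srv.csr \
    -CA demoCA/cacert.pem -CAkey demoCA/cakey.pem -CAcreateserial \
    -extfile srv.ext -out srv.crt 2>/dev/null

  # 4. FreeRADIUS reads key and certificate from the same file in this setup.
  cat srv.key srv.crt > cert-srv.pem
  dd if=/dev/urandom of=random bs=1024 count=1 2>/dev/null
  chmod 600 srv.key cert-srv.pem demoCA/cakey.pem

  # 5. Prove the chain validates before pointing eap.conf at it.
  openssl verify -CAfile demoCA/cacert.pem srv.crt >/dev/null
)

# Usage: make_radius_certs /etc/freeradius/certs radius.example.test
```

The function runs in a subshell so the cd does not leak into your session. dh_file is not produced here; generate it once with `openssl dhparam -out dh 2048` in the same directory (it can take a while). Because the server key is not encrypted, the private_key_password line in eap.conf can be removed, and demoCA/cakey.pem should be moved off the RADIUS server once cacert.pem and cert-srv.pem are in place.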
#vim users //change the settings in users as follows
--------------------------------------------------------------------------------------------------------------------
//line 95: add the following here
"testf" Auth-Type := Local, User-Password == "testf"
    Reply-Message = "Hello, %u"
//line 155: comment out lines 155 and 156 with # so they read
#DEFAULT Auth-Type = System
#    Fall-Through = 1
--------------------------------------------------------------------------------------------------------------------
#freeradius -X //check whether there are any configuration errors~~ if not, get ready to restart XD
#/etc/init.d/freeradius restart //restart freeradius, and it's done!
#radtest testf testf localhost 0 testing123 //test files authentication
#radtest test test localhost 0 testing123 //test MySQL authentication
If it works you will see messages like the following:
Sending Access-Request of id 138 to 127.0.0.1 port 1812
User-Name = "testf"
User-Password = "testf"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=138, length=34
Reply-Message = "Hello, testf"
Sending Access-Request of id 142 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=142, length=38
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.0
If it worked,
congratulations!
You have taken another big step into the Linux world.