June 6, 2012

FreeRADIUS Installation on Ubuntu

1. Install Radius Server

sudo apt-get install freeradius

2. configure Radius Server

- configuration file path /etc/freeradius/

radiusd.conf (FreeRADIUS system configuration file)

clients.conf (NAS client definitions: which source IP addresses may send requests, and the shared secret each one must use)

client
{
secret =
shortname =
}

client 192.168.1.100 {
secret = testing123
shortname = private-network-1
}

Note that "testing123" is the secret the FreeRADIUS package ships for localhost in its default clients.conf. Use a long random secret of your own for every real client: the shared secret is the only thing protecting the User-Password attribute and the Response Authenticator (RFC 2865), and a request from an IP that is not listed here is silently dropped.

users (the user database, one entry per account)
testing Cleartext-Password := "password"



3. start Radius Server

sudo /usr/sbin/freeradius -X

-X runs the server in the foreground in debug mode and prints every request together with the clients/users entries it matched. The Ubuntu package starts the daemon at install time, so stop it first (sudo service freeradius stop), otherwise the debug instance cannot bind UDP 1812/1813. Since the package's default clients.conf already defines localhost with secret testing123, the users entry can be checked from the same machine with:

radtest testing password 127.0.0.1 0 testing123



1. Before generating certificates, make sure openssl is already installed on your Linux box

#cd /usr/lib/ssl/misc/

#./CA.pl -newca

Enter PEM pass phrase: 12345 (type a pass phrase of your own; it protects the CA private key)

Country Name (2 letter code) [AU]:TW

State or Province Name (full name) [Some-State]:Taipei

Locality Name (eg, city) []:Taipei

Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC

Organizational Unit Name (eg, section) []:DEF

Common Name (eg, YOUR name) []:HIJ

Email Address []:e@e.e

2. Server-side certificate files

#openssl req -new -nodes -keyout srv_key.pem -out srv_req.pem -config ../openssl.cnf

#openssl ca -config ../openssl.cnf -policy policy_anything -out srv_cert.pem -infiles ./srv_req.pem

#cat srv_key.pem srv_cert.pem > srv_keycert.pem

3. Client-side certificate files

#openssl req -new -keyout cli_key.pem -out cli_req.pem -config ../openssl.cnf

#openssl ca -config ../openssl.cnf -policy policy_anything -out cli_cert.pem -infiles ./cli_req.pem

#openssl pkcs12 -export -in cli_cert.pem -inkey cli_key.pem -out cli_cert.p12 -clcerts (PKCS#12 bundle, the format Windows XP imports)

With -clcerts only the client certificate and key go into the bundle; the client still needs the CA certificate (demoCA/cacert.pem) to trust the server, so either import that separately or add it with -certfile cacert.pem.

4. Generate the two extra files that the TLS configuration refers to

#openssl dhparam -check -text -5 512 -out dh

#dd if=/dev/urandom of=random count=2

512-bit Diffie-Hellman parameters were already weak in 2012 and are rejected outright by current OpenSSL (512-bit "export" groups are what the Logjam attack broke); generate at least 2048 bits (openssl dhparam -out dh 2048). The random file is only used to seed OpenSSL's RNG and newer FreeRADIUS releases ignore random_file entirely.

5. Copy the server-side files above into /usr/local/etc/raddb/certs

That path is where a source build keeps raddb. For the Ubuntu package installed in step 1 the configuration lives under /etc/freeradius/, and ${certdir} in eap.conf resolves to /etc/freeradius/certs, so copy the files there instead.

6.

radiusd.conf: (comment out these three lines; the leading # is the comment marker)

#$INCLUDE sql.conf

#$INCLUDE sql/mysql/counter.conf

#$INCLUDE sqlippool.conf

clients.conf:

client 192.168.1.1 {
secret = sodisgood
shortname = sod-ap
}

eap.conf: (a few settings changed, and the tls certificate section filled in)

default_eap_type = tls (was md5)

private_key_password = 12345 (the pass phrase entered when the certificates were generated; since srv_key.pem was created with -nodes it is unencrypted and this value is not actually used unless you drop -nodes)

private_key_file = ${certdir}/srv_keycert.pem (the server key+certificate file produced above)

certificate_file = ${certdir}/srv_keycert.pem (same file)

CA_file = ${cadir}/cacert.pem (this file is inside demoCA)

dh_file = ${certdir}/dh (file TLS needs)

random_file = ${certdir}/random (same)

7. start server

#radiusd -X & (-X is debug mode, & runs it in the background)

On the Ubuntu package the binary is called freeradius rather than radiusd (see step 3 in the first part), and running -X in the background loses the debug output that -X is there for; run it in the foreground while testing and switch back to the service afterwards.
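The weakest link in the EAP-TLS setup above is the 512-bit dh file. As an added example (not part of the original post or of FreeRADIUS), the following standard-library Python parses the PEM "DH PARAMETERS" file that dh_file points at, decodes the DER SEQUENCE { prime INTEGER, base INTEGER } inside it, and reports the prime's bit length so a too-small group can be caught before the server loads it. The sample parameters are constructed in-process with a small DER encoder (their primes are not real primes; only the size matters for this check), and the 2048-bit minimum is the assumed policy.

```python
"""Check the size of the DH group in a PEM 'DH PARAMETERS' file (PKCS#3 DHParameter).
Added example with constructed sample data; only the prime's bit length is examined."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, otherwise 0x80|count followed by big-endian count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER (non-negative): leading 0x00 added when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def make_dh_pem(p: int, g: int) -> bytes:
    """Constructed sample file: SEQUENCE { p, g } wrapped in PEM, like 'openssl dhparam' output."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    return b"-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der) + b"-----END DH PARAMETERS-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        pos += 2 + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem: bytes) -> int:
    """Bit length of the prime p. X9.42 files (dhparam -dsaparam) carry a third INTEGER
    q after g; it is ignored here because only p determines the group size."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no DH PARAMETERS block in file")
    der = base64.b64decode(b"".join(match.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER prime")
    return int.from_bytes(p_bytes, "big").bit_length()


def dh_ok(pem: bytes, minimum_bits: int = 2048) -> bool:
    """Assumed policy: reject any group smaller than minimum_bits (2048 by default)."""
    return dh_prime_bits(pem) >= minimum_bits


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_dh_pem((1 << 511) | 1, 5)
    bits = dh_prime_bits(data)
    print(f"{bits}-bit DH group: {'ok' if dh_ok(data) else 'TOO SMALL, regenerate with at least 2048 bits'}")
```

Run it against the real file (python3 dhcheck.py /etc/freeradius/certs/dh) after generating the parameters; the 512-bit file produced by the command in step 4 fails the check, a file from openssl dhparam -out dh 2048 passes.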


Ref: http://tec1021.pixnet.net/blog/post/28639573-%E8%BC%95%E9%AC%86%E6%9E%B6%E5%A5%BDradius%E4%BC%BA%E6%9C%8D%E5%99%A8~
