FreeRADIUS configuration notes

FreeRADIUS (http://www.freeradius.org/) is an open-source, high-performance RADIUS server. According to statistics, more than 50,000 deployed systems involving billing have chosen FreeRADIUS. FreeRADIUS is known for its flexibility, its extensive configurability and for being open source. Supported features include SQL, LDAP, RADIUS proxying, load balancing and nearly 100 dictionary files. Supported authentication methods include PAP, CHAP, MS-CHAP, EAP-MD5, EAP-GTC, EAP-TLS, EAP-TTLS, PEAPv0, LEAP and EAP-SIM. The latest stable release at the time of writing is 1.1.7.

FreeRADIUS has a large number of configuration options, but only a few files really matter: clients.conf, radiusd.conf and sql.conf are the main configuration files.

1. clients.conf

FreeRADIUS stores the credentials of each RADIUS client (NAS) in clients.conf. Verification is based on the client's IP address and the shared secret: both sides compute an MD5 and the results are compared. The secret itself is never transmitted on the wire, only the MD5 result.

client 192.168.0.1 {
       secret    = test
       shortname = nas01
       nastype   = other
}
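As an added illustration of the check described above (example code written for these notes, not taken from the page or from FreeRADIUS itself): a minimal verifier for the RADIUS Response Authenticator of RFC 2865, the MD5 over the reply plus the shared secret that a client recomputes to check the server's answer. The client table mirrors the clients.conf entry above; the packet values, the IP-to-secret lookup and the helper names are constructed assumptions for this example.

```python
import hashlib
import hmac
import struct

# Constructed client table: the same IP -> secret mapping a clients.conf
# entry like the one above provides (values are assumptions for this example).
CLIENTS = {"192.168.0.1": b"test"}

ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def reply_message(text):
    """Encode a Reply-Message (type 18) attribute as Type, Length, Value."""
    value = text.encode()
    return bytes([18, 2 + len(value)]) + value


def build_response(code, ident, attrs, request_auth, secret):
    """Build a RADIUS reply whose Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865, section 3).
    The secret is an input to the hash but is never placed in the packet."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, peer_ip, clients=CLIENTS):
    """Recompute the Response Authenticator with the secret configured for the
    peer's IP and compare it in constant time with the one carried in the packet.
    Unknown peer, bad length, tampered attributes or a wrong secret all give
    False, which corresponds to the 'silently discard' rule of RFC 2865."""
    secret = clients.get(peer_ip)
    if secret is None or len(packet) < HEADER_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[HEADER_LEN:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator
    pkt = build_response(ACCESS_ACCEPT, 7, reply_message("ok"), req_auth, b"test")
    print("genuine reply verifies:", verify_response(pkt, req_auth, "192.168.0.1"))
    print("tampered reply verifies:", verify_response(pkt[:-2] + b"no", req_auth, "192.168.0.1"))
```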

2. radiusd.conf

This is the main FreeRADIUS configuration file.

The following settings define the program and configuration paths:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

Maximum processing time for a single request; if it is exceeded, the request is dropped and a REJECT message is returned:

max_request_time = 30

How long a reply is kept cached after it has been sent (so it can be retransmitted if it is lost):

cleanup_delay = 5

Maximum number of requests handled concurrently:

max_requests = 1024

Worker thread pool configuration:

thread pool {
       # initial number of worker threads
       start_servers = 10
}

Module configuration

Every module to be loaded has a configuration block of the following form:

name [ instance ] {
       config_item = value
       ...
}

name is the module name, for example mschap; FreeRADIUS loads the rlm_mschap.so shared library when the module is needed.

instance is the instance name assigned when the module is loaded. Usually there is one instance per module, but several instances of the same module may exist.

The items inside the braces are the module's specific settings.

#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
       preprocess

       #
       #  Ensure that we have a semi-unique identifier for every
       #  request, and many NAS boxes are broken.
       acct_unique

       #
       #  Look for IPASS-style 'realm/', and if not found, look for
       #  '@realm', and decide whether or not to proxy, based on
       #  that.
       #
       #  Accounting requests are generally proxied to the same
       #  home server as authentication requests.
#     IPASS
       suffix
#     ntdomain

       #
       #  Read the 'acct_users' file
       ##files
}

#
#  Accounting.  Log the accounting data.
#
accounting {
       #
       #  Create a 'detail'ed log of the packets.
       #  Note that accounting requests which are proxied
       #  are also logged in the detail file.
       detail
#     daily

       #  Update the wtmp file
       #
       #  If you don't use "radlast", you can delete this line.
       #unix

       #
       #  For Simultaneous-Use tracking.
       #
       #  Due to packet losses in the network, the data here
       #  may be incorrect.  There is little we can do about it.
       radutmp
#     sradutmp

       #  Return an address to the IP Pool when we see a stop record.
#     main_pool
#     sqlippool

       #
       #  Log traffic to an SQL database.
       #
       #  See "Accounting queries" in sql.conf
       sql

       #
       #  Instead of sending the query to the SQL server,
       #  write it into a log file.
       #
#     sql_log

       #  Cisco VoIP specific bulk accounting
#     pgsql-voip

}

3. sql.conf

This file holds the database-related configuration.

sql {
        # Database type
        # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
        # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
        #
        # Select the database driver here. FreeRADIUS already implements
        # driver interfaces for the most common databases, including MySQL,
        # Oracle, MS SQL Server and DB2.
        #driver = "rlm_sql_mysql"
        driver = "rlm_sql_oracle"

        # Connect info: database login name, password, database and so on
        server = "radiushost"
        login = "loginname"
        password = "loginpassword"

        # Database table configuration
        radius_db = "radiusdb"
