15 12
发新话题
打印

【MPD5.5 + FreeRadius + POSTgreSQL 】实现 PPPoE服务

【MPD5.5 + FreeRadius + POSTgreSQL 】实现 PPPoE服务

一直想写点东西  又不知道些什么好 就写一个 最新的mpd5.5的配置吧

暂时放到手册板块     欢迎转载 转帖请注明【bbs.m0n0china.org 王国梁】

原创内容 请珍惜作者劳动成果  话不多说 直接进入主题

环境:  FreeBSD8.0 、 PostgreSQL8.4 、 FreeRadius2、 MPD5.5

满足以下条件:
1、宽带接入 (PPPoE)
2、用户带宽管理

一、安装系统:
FreeBSD 8.0-RELEASE i386
系统采用kernel-develop方式安装
过程就不再说了  不知道的就多看看 手册吧。

二、同步系统至最新:
复制内容到剪贴板
代码:
Radius#pkg_add -r cvsup-without-gui
Radius#rehash
Radius#cp /usr/share/examples/cvsup/stable-supfile /etc/supfile
Radius#vi /etc/supfile

将需要改动的地方改好  比如CVS服务器域名 版本等
再加一行
复制内容到剪贴板
代码:
ports-all tag=.

接下来开始更新:
复制内容到剪贴板
代码:
Radius#cvsup -g -L 2 /etc/supfile

等候若干秒。。。。。。个人比较偏重于这种更新方式  别的没有尝试过
完成后最好重新启动下系统  然后再开始编译kernel
复制内容到剪贴板
代码:
Radius#cd /usr/src/sys/i386/conf
Radius#cp GENERIC Radius_smp
Radius#vi Radius_smp

此处定制内核  根据个人硬件不同适当做修改。
另外添加:
复制内容到剪贴板
代码:
options         DEVICE_POLLING
options         HZ=2000
options         IPSTEALTH
# PF support
device          pf
device          pflog
device          pfsync
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build
options         NETGRAPH  #netgraph(4) system
options         NETGRAPH_ASYNC
options         NETGRAPH_BPF
options         NETGRAPH_CAR
options         NETGRAPH_ETHER
options         NETGRAPH_IFACE
options         NETGRAPH_NAT
options         NETGRAPH_NETFLOW
options         NETGRAPH_KSOCKET
options         NETGRAPH_L2TP
options         NETGRAPH_MPPC_ENCRYPTION
options         NETGRAPH_PPP
options         NETGRAPH_PPPOE
options         NETGRAPH_PPTPGRE
options         NETGRAPH_SOCKET
options         NETGRAPH_TCPMSS
options         NETGRAPH_TEE
options         NETGRAPH_UI
options         NETGRAPH_VJC

复制内容到剪贴板
代码:
Radius#config Radius_smp
Radius#cd ../compile/Radius_smp
Radius#make cleardepend && make depend
Radius#make
Radius#make install
Radius#reboot


三、postgresql
复制内容到剪贴板
代码:
Radius#vi /etc/make.conf


加入以下内容:
复制内容到剪贴板
代码:
BATCH=yes
MASTER_SITE_BACKUP?= \
ftp://ftp.tw.freebsd.org/pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}/\
MASTER_SITE_OVERRIDE?= ${MASTER_SITE_BACKUP}


复制内容到剪贴板
代码:
Radius#cd /usr/ports/databases/postgresql84-server
Radius#make install clean
Radius#echo 'postgresql_enable="YES"' >> /etc/rc.conf
Radius#/usr/local/etc/rc.d/postgresql initdb
Radius#/usr/local/etc/rc.d/postgresql start
Radius#su - pgsql -c 'createuser sysadm'
Radius#su - pgsql -c 'createdb -O sysadm radt'
Radius#psql radt sysadm
radt=> ALTER USER sysadm ENCRYPTED PASSWORD 'xxxxxx';  


四、freeradius

复制内容到剪贴板
代码:
Radius#cd /usr/ports/net/freeradius2
Radius#make config

复制内容到剪贴板
代码:
[X] USER          Run as user freeradius, group freeradius
[X] PGSQL         With PostgreSQL database support

复制内容到剪贴板
代码:
Radius#make install clean


配置FreeRadius:
1、/usr/local/etc/raddb/clients.conf
复制内容到剪贴板
代码:
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id$
#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).
#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#
#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client localhost {
#  Allowed values are:
# dotted quad (1.2.3.4)
#       hostname    (radius.example.com)
ipaddr = 127.0.0.1
#  OR, you can use an IPv6 address, but not both
#  at the same time.
# ipv6addr = :: # any.  ::1 == localhost
#
#  A note on DNS:  We STRONGLY recommend using IP addresses
#  rather than host names.  Using host names means that the
#  server will do DNS lookups when it starts, making it
#  dependent on DNS.  i.e. If anything goes wrong with DNS,
#  the server won't start!
#
#  The server also looks up the IP address from DNS once, and
#  only once, when it starts.  If the DNS record is later
#  updated, the server WILL NOT see that update.
#
#  One client definition can be applied to an entire network.
#  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
#  "netmask = 8"
#
#  If not specified, the default netmask is 32 (i.e. /32)
#
#  We do NOT recommend using anything other than 32.  There
#  are usually other, better ways to acheive the same goal.
#  Using netmasks of other than 32 can cause security issues.
#
#  You can specify overlapping networks (127/8 and 127.0/16)
#  In that case, the smallest possible network will be used
#  as the "best match" for the client.
#
#  Clients can also be defined dynamically at run time, based
#  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
#  etc.
#  See raddb/sites-available/dynamic-clients for details.
#
# netmask = 32
#
#  The shared secret use to "encrypt" and "sign" packets between
#  the NAS and FreeRADIUS.  You MUST change this secret from the
#  default, otherwise it's not a secret any more!
#
#  The secret can be any string, up to 8k characters in length.
#
#  Control codes can be entered vi octal encoding,
# e.g. "\101\102" == "AB"
#  Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
#  A note on security:  The security of the RADIUS protocol
#  depends COMPLETELY on this secret!  We recommend using a
#  shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
#  And is at LEAST 8 characters long, preferably 16 characters in
#  length.  The secret MUST be random, and should not be words,
#  phrase, or anything else that is recognizable.
#
#  The default secret below is only for testing, and should
#  not be used in any real environment.
#
secret  = testing123
#
#  Old-style clients do not send a Message-Authenticator
#  in an Access-Request.  RFC 5080 suggests that all clients
#  SHOULD include it in an Access-Request.  The configuration
#  item below allows the server to require it.  If a client
#  is required to include a Message-Authenticator and it does
#  not, then the packet will be silently discarded.
#
#  allowed values: yes, no
require_message_authenticator = no
#
#  The short name is used as an alias for the fully qualified
#  domain name, or the IP address.
#
#  It is accepted for compatibility with 1.x, but it is no
#  longer necessary in 2.0
#
# shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nastype tells 'checkrad.pl' which NAS-specific method to
#  use to query the NAS for simultaneous use.
#
#  Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other  # for all other types
#
nastype     = other # localhost isn't usually a NAS...
#
#  The following two configurations are for future use.
#  The 'naspasswd' file is currently used to store the NAS
#  login name and password, which is used by checkrad.pl
#  when querying the NAS for simultaneous use.
#
# login       = !root
# password    = someadminpas
#
#  As of 2.0, clients can also be tied to a virtual server.
#  This is done by setting the "virtual_server" configuration
#  item, as in the example below.
#
# virtual_server = home1
#
#  A pointer to the "home_server_pool" OR a "home_server"
#  section that contains the CoA configuration for this
#  client.  For an example of a coa home server or pool,
#  see raddb/sites-available/originate-coa
# coa_server = coa
}
# IPv6 Client
#client ::1 {
# secret  = testing123
# shortname = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
# secret  = testing123
# shortname = localhost
#}
#client some.host.org {
# secret  = testing123
# shortname = localhost
#}
#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
# secret  = testing123-1
# shortname = private-network-1
#}
#
#client 192.168.0.0/16 {
# secret  = testing123-2
# shortname = private-network-2
#}

#client 10.10.10.10 {
# # secret and password are mapped through the "secrets" file.
# secret      = testing123
# shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
# nastype     = livingston
# login       = !root
# password    = someadminpas
#}
#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
# client 192.168.3.4 {
#  secret = testing123
#        }
#}


2、/usr/local/etc/raddb/dictionary
复制内容到剪贴板
代码:
#
# This is the master dictionary file, which references the
# pre-defined dictionary files included with the server.
#
# Any new/changed attributes MUST be placed in this file, as
# the pre-defined dictionaries SHOULD NOT be edited.
#
# $Id$
#
#
# The filename given here should be an absolute path.
#
$INCLUDE /usr/local/share/freeradius/dictionary
$INCLUDE /usr/local/share/freeradius/dictionary.mpd
#
# Place additional attributes or $INCLUDEs here.  They will
# over-ride the definitions in the pre-defined dictionaries.
#
# See the 'man' page for 'dictionary' for information on
# the format of the dictionary files.
#
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them here.  The numbers you pick should be between
# 3000 and 4000.
#
#ATTRIBUTE My-Local-String  3000 string
#ATTRIBUTE My-Local-IPAddr  3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer

dictionary.mpd 在mpd的源码包里,可以先把mpd解开拿过来用:
复制内容到剪贴板
代码:
Radius#cd /usr/ports/net/mpd5
Radius#make extract
Radius#cp work/mpd-5.5/conf/dictionary.mpd /usr/local/share/freeradius/


3、/usr/local/etc/raddb/radiusd.conf

复制内容到剪贴板
代码:
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id$
##
######################################################################
#
# Read "man radiusd" before editing this file.  See the section
# titled DEBUGGING.  It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
#  $ radiusd -X
#
# We cannot emphasize this point strongly enough.  The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure".  The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X).  Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".
######################################################################
#
#   The location of other config files and logfiles are declared
#   in this file.
#
#   Also general configuration for modules can be done in this
#   file, it is exported through the API to modules that ask for
#   it.
#
# See "man radiusd.conf" for documentation on the format of this
# file.  Note that the individual configuration items are NOT
# documented in that "man" page.  They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the "authorize", "authenticate", "accounting", etc. sections.
# See "man unlang" for details.
#
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
#
#  name of the running server.  See also the "-n" command-line option.
name = radiusd
#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/local/lib/freeradius-2.1.8
#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid
#  chroot: directory where the server does "chroot".
#
#  The chroot is done very early in the process of starting the server.
#  After the chroot has been performed it switches to the "user" listed
#  below (which MUST be specified).  If "group" is specified, it switchs
#  to that group, too.  Any other groups listed for the specified "user"
#  in "/etc/group" are also added as part of this process.
#
#  The current working directory (chdir / cd) is left *outside* of the
#  chroot until all of the modules have been initialized.  This allows
#  the "raddb" directory to be left outside of the chroot.  Once the
#  modules have been initialized, it does a "chdir" to ${logdir}.  This
#  means that it should be impossible to break out of the chroot.
#
#  If you are worried about security issues related to this use of chdir,
#  then simply ensure that the "raddb" directory is inside of the chroot,
#  end be sure to do "cd raddb" BEFORE starting the server.
#
#  If the server is statically linked, then the only files that have
#  to exist in the chroot are ${run_dir} and ${logdir}.  If you do the
#  "cd raddb" as discussed above, then the "raddb" directory has to be
#  inside of the chroot directory, too.
#
#chroot = /path/to/chroot/directory
# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privleges ) to start the server.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to radius'.
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
#  The server will also try to use "initgroups" to read /etc/groups.
#  It will join all groups where "user" is a member.  This can allow
#  for some finer-grained access controls.
#
user = freeradius
group = freeradius
#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30
#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as seperate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5
#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 1024
#  listen: Make the server listen on a particular IP address, and send
#  replies out from that address. This directive is most useful for
#  hosts with multiple IP addresses on one interface.
#
#  If you want the server to listen on additional addresses, or on
#  additionnal ports, you can use multiple "listen" sections.
#
#  Each section make the server listen for only one type of packet,
#  therefore authentication and accounting have to be configured in
#  different sections.
#
#  The server ignore all "listen" section if you are using '-i' and '-p'
#  on the command line.
#
listen {
#  Type of packets to listen for.
#  Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy   IP to use for sending proxied packets
# detail  Read from the detail file.  For examples, see
#               raddb/sites-available/copy-acct-to-home-server
# status  listen for Status-Server packets.  For examples,
#  see raddb/sites-available/status
# coa     listen for CoA-Request and Disconnect-Request
#  packets.  For examples, see the file
#  raddb/sites-available/coa-server
#
type = auth
#  Note: "type = proxy" lets you control the source IP used for
#        proxying packets, with some limitations:
#
#    * A proxy listener CANNOT be used in a virtual server section.
#    * You should probably set "port = 0".
#    * Any "clients" configuration will be ignored.
#
#  See also proxy.conf, and the "src_ipaddr" configuration entry
#  in the sample "home_server" section.  When you specify the
#  source IP address for packets sent to a home server, the
#  proxy listeners are automatically created.
#  IP address on which to listen.
#  Allowed values are:
# dotted quad (1.2.3.4)
#       hostname    (radius.example.com)
#       wildcard    (*)
ipaddr = *
#  OR, you can use an IPv6 address, but not both
#  at the same time.
# ipv6addr = :: # any.  ::1 == localhost
#  Port on which to listen.
#  Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0
#  Some systems support binding to an interface, in addition
#  to the IP address.  This feature isn't strictly necessary,
#  but for sites with many IP addresses on one interface,
#  it's useful to say "listen on all addresses for eth0".
#
#  If your system does not support this feature, you will
#  get an error if you try to use it.
#
# interface = eth0
#  Per-socket lists of clients.  This is a very useful feature.
#
#  The name here is a reference to a section elsewhere in
#  radiusd.conf, or clients.conf.  Having the name as
#  a reference allows multiple sockets to use the same
#  set of clients.
#
#  If this configuration is used, then the global list of clients
#  is IGNORED for this "listen" section.  Take care configuring
#  this feature, to ensure you don't accidentally disable a
#  client you need.
#
#  See clients.conf for the configuration of "per_socket_clients".
#
# clients = per_socket_clients
}
#  This second "listen" section is for listening on the accounting
#  port, too.
#
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
}
#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no
#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  allowed values: {no, yes}
#
allow_core_dumps = no
#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.
#
#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.
#
regular_expressions = yes
extended_expressions = yes
#
#  Logging section.  The various "log_*" configuration items
#  will eventually be moved here.
#
log {
#
#  Destination for log messages.  This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also the "syslog_facility", below.
# stdout - standard output
# stderr - standard error.
#
#  The command-line option "-X" over-rides this option, and forces
#  logging to go to stdout.
#
destination = files
#
#  The logging messages for the server are appended to the
#  tail of this file if destination == "files"
#
#  If the server is running in debugging mode, this file is
#  NOT used.
#
file = ${logdir}/radius.log
#
#  If this configuration parameter is set, then log messages for
#  a *request* go to this file, rather than to radius.log.
#
#  i.e. This is a log file per request, once the server has accepted
#  the request as being from a valid client.  Messages that are
#  not associated with a request still go to radius.log.
#
#  Not all log messages in the server core have been updated to use
#  this new internal API.  As a result, some messages will still
#  go to radius.log.  Please submit patches to fix this behavior.
#
#  The file name is expanded dynamically.  You should ONLY user
#  server-side attributes for the filename (e.g. things you control).
#  Using this feature MAY also slow down the server substantially,
#  especially if you do thinks like SQL calls as part of the
#  expansion of the filename.
#
#  The name of the log file should use attributes that don't change
#  over the lifetime of a request, such as User-Name,
#  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log
#  messages will be distributed over multiple files.
#
#  Logging can be enabled for an individual request by a special
#  dynamic expansion macro:  %{debug: 1}, where the debug level
#  for this request is set to '1' (or 2, 3, etc.).  e.g.
#
# ...
# update control {
#        Tmp-String-0 = "%{debug:1}"
# }
# ...
#
#  The attribute that the value is assigned to is unimportant,
#  and should be a "throw-away" attribute with no side effects.
#
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
#
#  Which syslog facility to use, if ${destination} == "syslog"
#
#  The exact values permitted here are OS-dependent.  You probably
#  don't want to change this.
#
syslog_facility = daemon
#  Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no
#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
auth = no
#  Log passwords with the authentication requests.
#  auth_badpass  - logs password if it's rejected
#  auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
#  Log additional text at the end of the "Login OK" messages.
#  for these to work, the "auth" and "auth_goopass" or "auth_badpass"
#  configurations above have to be set to "yes".
#
#  The strings below are dynamically expanded, which means that
#  you can put anything you want in them.  However, note that
#  this expansion can be slow, and can negatively impact server
#  performance.
#
# msg_goodpass = ""
# msg_badpass = ""
}
#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks
#
security {
#
#  max_attributes: The maximum number of attributes
#  permitted in a RADIUS packet.  Packets which have MORE
#  than this number of attributes in them will be dropped.
#
#  If this number is set too low, then no RADIUS packets
#  will be accepted.
#
#  If this number is set too high, then an attacker may be
#  able to send a small number of packets which will cause
#  the server to use all available memory on the machine.
#
#  Setting this number to 0 means "allow any number of attributes"
max_attributes = 200
#
#  reject_delay: When sending an Access-Reject, it can be
#  delayed for a few seconds.  This may help slow down a DoS
#  attack.  It also helps to slow down people trying to brute-force
#  crack a users password.
#
#  Setting this number to 0 means "send rejects immediately"
#
#  If this number is set higher than 'cleanup_delay', then the
#  rejects will be sent at 'cleanup_delay' time, when the request
#  is deleted from the internal cache of requests.
#
#  Useful ranges: 1 to 5
reject_delay = 1
#
#  status_server: Whether or not the server will respond
#  to Status-Server requests.
#
#  When sent a Status-Server message, the server responds with
#  an Access-Accept or Accounting-Response packet.
#
#  This is mainly useful for administrators who want to "ping"
#  the server, without adding test users, or creating fake
#  accounting packets.
#
#  It's also useful when a NAS marks a RADIUS server "dead".
#  The NAS can periodically "ping" the server with a Status-Server
#  packet.  If the server responds, it must be alive, and the
#  NAS can start using it for real requests.
#
#  See also raddb/sites-available/status
#
status_server = yes
}
# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE proxy.conf

# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".  
#
#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'client's or 'naslist', although they are still
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.
#
$INCLUDE clients.conf

# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
#  Number of servers to start initially --- should be a reasonable
#  ballpark figure.
start_servers = 5
#  Limit on the total number of servers running.
#
#  If this limit is ever reached, clients will be LOCKED OUT, so it
#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
#  keep a runaway server from taking the system with it as it spirals
#  down...
#
#  You may find that the server is regularly reaching the
#  'max_servers' number of threads, and that increasing
#  'max_servers' doesn't seem to make much difference.
#
#  If this is the case, then the problem is MOST LIKELY that
#  your back-end databases are taking too long to respond, and
#  are preventing the server from responding in a timely manner.
#
#  The solution is NOT do keep increasing the 'max_servers'
#  value, but instead to fix the underlying cause of the
#  problem: slow database, or 'hostname_lookups=yes'.
#
#  For more information, see 'max_request_time', above.
#
max_servers = 32
#  Server-pool size regulation.  Rather than making you guess
#  how many servers you need, FreeRADIUS dynamically adapts to
#  the load it sees, that is, it tries to maintain enough
#  servers to handle the current load, plus a few spare
#  servers to handle transient load spikes.
#
#  It does this by periodically checking how many servers are
#  waiting for a request.  If there are fewer than
#  min_spare_servers, it creates a new spare.  If there are
#  more than max_spare_servers, some of the spares die off.
#  The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
#  There may be memory leaks or resource allocation problems with
#  the server.  If so, set this value to 300 or so, so that the
#  resources will be cleaned up periodically.
#
#  This should only be necessary if there are serious bugs in the
#  server which have not yet been fixed.
#
#  '0' is a special value meaning 'infinity', or 'the servers never
#  exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
#
#  Each module has a configuration as follows:
#
# name [ instance ] {
#  config_item = value
#  ...
# }
#
#  The 'name' is used to load the 'rlm_name' library
#  which implements the functionality of the module.
#
#  The 'instance' is optional.  To have two different instances
#  of a module, it first must be referred to by 'name'.
#  The different copies of the module are then created by
#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
#  The instance names can then be used in later configuration
#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
#  for an example.
#
#
#  As of 2.0.5, most of the module configurations are in a
#  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/
#  are loaded.  The modules are initialized ONLY if they are
#  referenced in a processing section, such as authorize,
#  authenticate, accounting, pre/post-proxy, etc.
#
$INCLUDE ${confdir}/modules/
#  Extensible Authentication Protocol
#
#  For all EAP related authentications.
#  Now in another file, because it is very large.
#
$INCLUDE eap.conf
#  Include another file that has the SQL-related configuration.
#  This is another file only because it tends to be big.
#
$INCLUDE sql.conf
#
#  This module is an SQL enabled version of the counter module.
#
#  Rather than maintaining seperate (GDBM) databases of
#  accounting info for each counter, this module uses the data
#  stored in the raddacct table by the sql modules. This
#  module NEVER does any database INSERTs or UPDATEs.  It is
#  totally dependent on the SQL module to process Accounting
#  packets.
#
$INCLUDE sql/postgresql/counter.conf
#
#  IP addresses managed in an SQL table.
#
# $INCLUDE sqlippool.conf
}
# Instantiation
#
#  This section orders the loading of the modules.  Modules
#  listed here will get loaded BEFORE the later sections like
#  authorize, authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like
#  authorize refers to a module, it's automatically loaded and
#  initialized.  However, some modules may not be listed in any
#  of the following sections, so they can be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initalized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
instantiate {
#
#  Allows the execution of external scripts.
#  The entire command line (and output) must fit into 253 bytes.
#
#  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
#  The expression module doesn't do authorization,
#  authentication, or accounting.  It only does dynamic
#  translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
#  So the module needs to be instantiated, but CANNOT be
#  listed in any other section.  See 'doc/rlm_expr' for
#  more information.
#
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
expiration
logintime
# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text.  Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}
######################################################################
#
# Policies that can be applied in multiple places are listed
# globally.  That way, they can be defined once, and referred
# to multiple times.
#
######################################################################
$INCLUDE policy.conf
######################################################################
#
# Load virtual servers.
#
# This next $INCLUDE line loads files in the directory that
# match the regular expression: /[a-zA-Z0-9_.]+/
#
# It allows you to define new virtual servers simply by placing
# a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/
######################################################################
#
# All of the other configuration sections like "authorize {}",
# "authenticate {}", "accounting {}", have been moved to the
# the file:
#
#  raddb/sites-available/default
#
# This is the "default" virtual server that has the same
# configuration as in version 1.0.x and 1.1.x.  The default
# installation enables this virtual server.  You should
# edit it to create policies for your local site.
#
# For more documentation on virtual servers, see:
#
#  raddb/sites-available/README
#
######################################################################


4、/usr/local/etc/raddb/sql.conf
复制内容到剪贴板
代码:
# -*- text -*-
##
## sql.conf -- SQL modules
##
## $Id$
######################################################################
#
#  Configuration for the SQL module
#
#  The database schemas and queries are located in subdirectories:
#
# sql/DB/schema.sql Schema
# sql/DB/dialup.conf Basic dialup (including policy) queries
# sql/DB/counter.conf counter
# sql/DB/ippool.conf IP Pools in SQL
# sql/DB/ippool.sql schema for IP pools.
#
#  Where "DB" is mysql, mssql, oracle, or postgresql.
#
sql {
#
#  Set the database to one of:
#
# mysql, mssql, oracle, postgresql
#
database = "postgresql"
#
#  Which FreeRADIUS driver to use.
#
driver = "rlm_sql_${database}"
# Connection info:
server = "localhost"
#port = 3306
login = "sysadm"
password = "xxxxxx"
# Database table configuration for everything except Oracle
radius_db = "radt"
# If you are using Oracle then use this instead
        # radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
# If you want both stop and start records logged to the
# same SQL table, leave this as is.  If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
# Allow for storing data after authentication
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
# Table to keep group info
usergroup_table = "radusergroup"
# If set to 'yes' (default) we read the group tables
# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
# read_groups = yes
# Remove stale session if checkrad does not see a double login
deletestalesessions = yes
# Print all SQL statements when in debug mode (-x)
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
# number of sql connections to make to server
num_sql_socks = 5
# number of seconds to dely retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60
# lifetime of an SQL socket.  If you are having network issues
# such as TCP sessions expiring, you may need to set the socket
# lifetime.  If set to non-zero, any open connections will be
# closed "lifetime" seconds after they were first opened.
lifetime = 0
# Maximum number of queries used by an SQL socket.  If you are
# having issues with SQL sockets lasting "too long", you can
# limit the number of queries performed over one socket.  After
# "max_qeuries", the socket will be closed.  Use 0 for "no limit".
max_queries = 0
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.  For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done "live" while the server is running.
#
#readclients = yes
# Table to keep radius client info
nas_table = "nas"
# Read driver-specific configuration
$INCLUDE sql/${database}/dialup.conf
}


5、/usr/local/etc/raddb/sites-available/default

复制内容到剪贴板
代码:
######################################################################
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory.  Soft links should be created in the "sites-enabled"
# directory to these files.  This is done in a normal installation.
#
# $Id$
#
######################################################################
#
# Read "man radiusd" before editing this file.  See the section
# titled DEBUGGING.  It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.  See also "man unlang", which documents the format
# of this file.
#
# This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of
# authentication methods.  This means that in general, you should
# need to make very few changes to this file.
#
# The best way to configure the server for your local system
# is to CAREFULLY edit this file.  Most attempts to make large
# edits to this file will BREAK THE SERVER.  Any edits should
# be small, and tested by running the server with "radiusd -X".
# Once the edits have been verified to work, save a copy of these
# configuration files somewhere.  (e.g. as a "tar" file).  Then,
# make more edits, and test, as above.
#
# There are many "commented out" references to modules such
# as ldap, sql, etc.  These references serve as place-holders.
# If you need the functionality of that module, then configure
# it in radiusd.conf, and un-comment the references to it in
# this file.  In most cases, those small changes will result
# in the server being able to connect to the DB, and to
# authenticate users.
#
######################################################################
#
# In 1.x, the "authorize", etc. sections were global in
# radiusd.conf.  As of 2.0, they SHOULD be in a server section.
#
# The server section with no virtual server name is the "default"
# section.  It is used when no server name is specified.
#
# We don't indent the rest of this file, because doing so
# would make it harder to read.
#
#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {
#
#  The preprocess module takes care of sanitizing some bizarre
#  attributes in the request, and turning them into attributes
#  which are more standard.
#
#  It takes care of processing the 'raddb/hints' and the
#  'raddb/huntgroups' files.
preprocess
#
#  If you want to have a log of authentication requests,
#  un-comment the following line, and the 'detail auth_log'
#  section, above.
# auth_log
#
#  The chap module will set 'Auth-Type := CHAP' if we are
#  handling a CHAP request and Auth-Type has not already been set
chap
#
#  If the users are logging in with an MS-CHAP-Challenge
#  attribute for authentication, the mschap module will find
#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
#  to the request, which will cause the server to then use
#  the mschap module for authentication.
mschap
#
#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authenticate' section.
# digest
#
#  The WiMAX specification says that the Calling-Station-Id
#  is 6 octets of the MAC.  This definition conflicts with
#  RFC 3580, and all common RADIUS practices.  Un-commenting
#  the "wimax" module here means that it will fix the
#  Calling-Station-Id attribute to the normal format as
#  specified in RFC 3580 Section 3.21
# wimax
#
#  Look for IPASS style 'realm/', and if not found, look for
#  '@realm', and decide whether or not to proxy, based on
#  that.
# IPASS
#
#  If you are using multiple kinds of realms, you probably
#  want to set "ignore_null = yes" for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#
suffix
# ntdomain
#
#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
#  authentication.
#
#  It also sets the EAP-Type attribute in the request
#  attribute list to the EAP type from the packet.
#
#  As of 2.0, the EAP module returns "ok" in the authorize stage
#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
#  this change is compatible with older configurations.
#
#  The example below uses module failover to avoid querying all
#  of the following modules if the EAP module returns "ok".
#  Therefore, your LDAP and/or SQL servers will not be queried
#  for the many packets that go back and forth to set up TTLS
#  or PEAP.  The load on those servers will therefore be reduced.
#
eap {
  ok = return
}
#
#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
#  using the system API's to get the password.  If you want
#  to read /etc/passwd or /etc/shadow directly, see the
#  passwd module in radiusd.conf.
#
#unix
#
#  Read the 'users' file
#files
#
#  Look in an SQL database.  The schema of the database
#  is meant to mirror the "users" file.
#
#  See "Authorization Queries" in sql.conf
sql
#
#  If you are using /etc/smbpasswd, and are also doing
#  mschap authentication, the un-comment this line, and
#  configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd
#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
# ldap
#
#  Enforce daily limits on time spent logged in.
# daily
#
# Use the checkval module
# checkval
expiration
logintime
#
#  If no other module has claimed responsibility for
#  authentication, then try to use PAP.  This allows the
#  other modules listed above to add a "known good" password
#  to the request, and to do nothing else.  The PAP module
#  will then see that password, and use it to do PAP
#  authentication.
#
#  This module should be listed last, so that the other modules
#  get a chance to set Auth-Type for themselves.
#
pap
#
#  If "status_server = yes", then Status-Server messages are passed
#  through the following section, and ONLY the following section.
#  This permits you to do DB queries, for example.  If the modules
#  listed here return "fail", then NO response is sent.
#
# Autz-Type Status-Server {
#
# }
}

#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the apropriate module from the list below.
#
#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user (Auth-Type := Reject),
#  or to or forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
  pap
}
#
#  Most people want CHAP authentication
#  A back-end database listed in the 'authorize' section
#  MUST supply a CLEAR TEXT password.  Encrypted passwords
#  won't work.
Auth-Type CHAP {
  chap
}
#
#  MSCHAP authentication.
Auth-Type MS-CHAP {
  mschap
}
#
#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authorize' section.
# digest
#
#  Pluggable Authentication Modules.
# pam
#
#  See 'man getpwent' for information on how the 'unix'
#  module checks the users password.  Note that packets
#  containing CHAP-Password attributes CANNOT be authenticated
#  against /etc/passwd!  See the FAQ for details.
#  
#unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
#  ldap
# }
#
#  Allow EAP authentication.
#eap
#
#  The older configurations sent a number of attributes in
#  Access-Challenge packets, which wasn't strictly correct.
#  If you want to filter out these attributes, uncomment
#  the following lines.
#
# Auth-Type eap {
#  eap {
#   handled = 1  
#  }
#  if (handled && (Response-Packet-Type == Access-Challenge)) {
#   attr_filter.access_challenge.post-auth
#   handled  # override the "updated" code from attr_filter
#  }
# }
}

#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
preprocess
#
#  Session start times are *implied* in RADIUS.
#  The NAS never sends a "start time".  Instead, it sends
#  a start packet, *possibly* with an Acct-Delay-Time.
#  The server is supposed to conclude that the start time
#  was "Acct-Delay-Time" seconds in the past.
#
#  The code below creates an explicit start time, which can
#  then be used in other modules.
#
#  The start time is: NOW - delay - session_length
#
#   update request {
#    FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
# }

#
#  Ensure that we have a semi-unique identifier for every
#  request, and many NAS boxes are broken.
acct_unique
#
#  Look for IPASS-style 'realm/', and if not found, look for
#  '@realm', and decide whether or not to proxy, based on
#  that.
#
#  Accounting requests are generally proxied to the same
#  home server as authentication requests.
# IPASS
# suffix
# ntdomain
#
#  Read the 'acct_users' file
#files
}
#
#  Accounting.  Log the accounting data.
#
accounting {
#
#  Create a 'detail'ed log of the packets.
#  Note that accounting requests which are proxied
#  are also logged in the detail file.
#detail
# daily
#  Update the wtmp file
#
#  If you don't use "radlast", you can delete this line.
#unix
#
#  For Simultaneous-Use tracking.
#
#  Due to packet losses in the network, the data here
#  may be incorrect.  There is little we can do about it.
#radutmp
# sradutmp
#  Return an address to the IP Pool when we see a stop record.
# main_pool
#
#  Log traffic to an SQL database.
#
#  See "Accounting queries" in sql.conf
sql
#
#  If you receive stop packets with zero session length,
#  they will NOT be logged in the database.  The SQL module
#  will print a message (only in debugging mode), and will
#  return "noop".
#
#  You can ignore these packets by uncommenting the following
#  three lines.  Otherwise, the server will not respond to the
#  accounting request, and the NAS will retransmit.
#
# if (noop) {
#  ok
# }
#
#  Instead of sending the query to the SQL server,
#  write it into a log file.
#
# sql_log
#  Cisco VoIP specific bulk accounting
# pgsql-voip
#  Filter attributes from the accounting response.
attr_filter.accounting_response
#
#  See "Autz-Type Status-Server" for how this works.
#
# Acct-Type Status-Server {
#
# }
}

#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
# radutmp
#
#  See "Simultaneous Use Checking Queries" in sql.conf
sql
}

#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
#  Get an address from the IP Pool.
# main_pool
#
#  If you want to have a log of authentication replies,
#  un-comment the following line, and the 'detail reply_log'
#  section, above.
# reply_log
#
#  After authenticating the user, do another SQL query.
#
#  See "Authentication Logging Queries" in sql.conf
sql
#
#  Instead of sending the query to the SQL server,
#  write it into a log file.
#
# sql_log
#
#  Un-comment the following if you have set
#  'edir_account_policy_check = yes' in the ldap module sub-section of
#  the 'modules' section.
#
# ldap
# exec
#
#  Calculate the various WiMAX keys.  In order for this to work,
#  you will need to define the WiMAX NAI, usually via
#
# update request {
#        WiMAX-MN-NAI = "%{User-Name}"
# }
#
#  If you want various keys to be calculated, you will need to
#  update the reply with "template" values.  The module will see
#  this, and replace the template values with the correct ones
#  taken from the cryptographic calculations.  e.g.
#
#  update reply {
#  WiMAX-FA-RK-Key = 0x00
#  WiMAX-MSK = "%{EAP-MSK}"
# }
#
#  You may want to delete the MS-MPPE-*-Keys from the reply,
#  as some WiMAX clients behave badly when those attributes
#  are included.  See "raddb/modules/wimax", configuration
#  entry "delete_mppe_keys" for more information.
#
# wimax
#  If the WiMAX module did it's work, you may want to do more
#  things here, like delete the MS-MPPE-*-Key attributes.
#
# if (updated) {
#  update reply {
#   MS-MPPE-Recv-Key !* 0x00
#   MS-MPPE-Send-Key !* 0x00
#  }
# }
#
#  Access-Reject packets are sent through the REJECT sub-section of the
#  post-auth section.
#
#  Add the ldap module name (or instance) if you have set
#  'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
  attr_filter.access_reject
}
}
#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite
#  Uncomment the following line if you want to change attributes
#  as defined in the preproxy_users file.
# files
#  Uncomment the following line if you want to filter requests
#  sent to remote servers based on the rules defined in the
#  'attrs.pre-proxy' file.
# attr_filter.pre-proxy
#  If you want to have a log of packets proxied to a home
#  server, un-comment the following line, and the
#  'detail pre_proxy_log' section, above.
# pre_proxy_log
}
#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {
#  If you want to have a log of replies from a home server,
#  un-comment the following line, and the 'detail post_proxy_log'
#  section, above.
# post_proxy_log
# attr_rewrite
#  Uncomment the following line if you want to filter replies from
#  remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy
#
#  If you are proxying LEAP, you MUST configure the EAP
#  module, and you MUST list it here, in the post-proxy
#  stage.
#
#  You MUST also use the 'nostrip' option in the 'realm'
#  configuration.  Otherwise, the User-Name attribute
#  in the proxied request will not match the user name
#  hidden inside of the EAP packet, and the end server will
#  reject the EAP request.
#
# eap
#
#  If the server tries to proxy a request and fails, then the
#  request is processed through the modules in this section.
#
#  The main use of this section is to permit robust proxying
#  of accounting packets.  The server can be configured to
#  proxy accounting packets as part of normal processing.
#  Then, if the home server goes down, accounting packets can
#  be logged to a local "detail" file, for processing with
#  radrelay.  When the home server comes back up, radrelay
#  will read the detail file, and send the packets to the
#  home server.
#
#  With this configuration, the server always responds to
#  Accounting-Requests from the NAS, but only writes
#  accounting packets to disk if the home server is down.
#
# Post-Proxy-Type Fail {
#   detail
# }
}


6、部署AAA表:
复制内容到剪贴板
代码:
Radius#cd /usr/local/etc/raddb/sql/postgresql
Radius#psql -U sysadm radt < schema.sql


看一下表:
复制内容到剪贴板
代码:
radt=> \dt
            List of relations
Schema |     Name      | Type  | Owner  
-------+---------------+-------+--------
public | radacct       | table | sysadm
public | radcheck      | table | sysadm
public | radgroupcheck | table | sysadm
public | radgroupreply | table | sysadm
public | radpostauth   | table | sysadm
public | radreply      | table | sysadm
public | radusergroup  | table | sysadm
(7 rows)


再说说这些表的用途:

radacct:这个是帐务表,就是用户使用情况的记录
radcheck:用户的帐号密码表
radgroupcheck:组的认证信息表,没有用到
radgroupreply:组的返回信息,所有用户通用的配置可以扔在这里
radpostauth:记录认证行为的日志表
radreply:针对每用户的返回信息,带宽数据就在这里设定
radusergroup:用户和组的对应关系表


建立组的返回信息以及用户:
复制内容到剪贴板
代码:
radt=# INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('PPPoE', 'Framed-Protocol', ':=', 'PPP');
INSERT 0 1
radt=# INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('PPPoE', 'Service-Type', ':=', 'Framed-User');
INSERT 0 1
radt=# INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('PPPoE','Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');
INSERT 0 1
radt=# INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('PPPoE','mpd-limit', '+=', 'in#1=all rate-limit 1280000 1500000 3000000');
INSERT 0 1
radt=# INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('PPPoE','mpd-limit', '+=', 'out#1=all rate-limit 2048000 2500000 4000000');      
INSERT 0 1
radt=# INSERT INTO radusergroup (username, groupname) VALUES ('test', 'PPPoE');
INSERT 0 1
radt=# INSERT INTO radcheck (username, attribute, op, value) VALUES ('test', 'Cleartext-Password', ':=', 'test');
INSERT 0 1
radt=#\q
Radius#radiusd -X //进入调试模式
Radius#radtest test test localhost 10 testing123
如果顺利通过 就可以正式启动了
复制内容到剪贴板
代码:
Radius#echo 'radiusd_enable="YES"' >> /etc/rc.conf
Radius#touch /var/log/radius.log
Radius#chown freeradius:freeradius /var/log/radius.log
Radius#/usr/local/etc/rc.d/radiusd start
五、MPD
复制内容到剪贴板
代码:
Radius#cd /usr/ports/net/mpd5
Radius#make install clean
Radius#cd /usr/local/etc/mpd5
Radius#cp mpd.conf.sample mpd.conf
Radius#vi mpd.conf

复制内容到剪贴板
代码:
startup:
        # configure mpd users
        #set user foo bar admin
        #set user foo1 bar1
        set user admin zhimalet5in.admin admin
        # configure the console
        set console self 172.16.88.18 5005
        set console open
        # configure the web server
        #set web self 0.0.0.0 5006
        #set web open


default:
        load pppoe_server
pppoe_server:
create bundle template B
        set iface disable proxy-arp        
        set iface enable tcpmssfix
        set ipcp dns 221.11.1.67
#set ipcp enable vjcomp
        set ippool add pool1 10.10.0.0 10.10.255.255
        set ipcp ranges 11.88.0.1/32 ippool pool1
        create link template common pppoe
#set link enable multilink
set link action bundle B
set link disable chap pap eap
set link mtu 1492
set link mru 1492
set link enable pap
load radius
create link template em1 common
set link max-children 5000
set pppoe iface em1
        set pppoe service ""
        #set pppoe acname "GXT"
set link enable incoming
        set auth max-logins 1

radius:
# You can use radius.conf(5), its useful, because you can share the
# same config with userland-ppp and other apps.
# set radius config /etc/radius.conf
# or specify the server directly here
set radius server 127.0.0.1 testing123 1812 1813
set radius retries 3
set radius timeout 3
# send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.
set radius me 127.0.0.1
# send accounting updates every 5 minutes
set auth acct-update 300
# enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
set auth enable radius-auth
# enable RADIUS accounting
set auth enable radius-acct
# protect our requests with the message-authenticator
set radius enable message-authentic
复制内容到剪贴板
代码:
Radius#echo 'mpd_enable="YES"' >> /etc/rc.conf
Radius#echo 'ng_ipacct_enable="YES"' >> /etc/rc.conf
Radius#/usr/local/etc/rc.d/mpd5 start

PPPoE 接入服务到此配置完成,用户可以通过以太网连接建立PPPoE拨号上网
若想通过服务上外网 则需要下一步 PF

六、PF

复制内容到剪贴板
代码:
Radius#echo 'gateway_enable="YES"' >> /etc/rc.conf
Radius#echo 'pf_enable="YES"' >> /etc/rc.conf
Radius#echo 'pf_rules="/etc/pf.conf"' >> /etc/rc.conf
Radius#echo 'pf_flags=""' >> /etc/rc.conf


然后创建了/etc/pf.conf,内容如下:

复制内容到剪贴板
代码:
ext_if="em0"
int_if="em1"
nat on $ext_if from x.x.x.x/16 to any -> $ext_if


到此全部结束  
正在考虑将 phppgadmin、apache、 php 放进来 以便于管理PostgreSQL。

rc.conf:
复制内容到剪贴板
代码:
# Created: Tue Mar  2 23:00:54 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
# -- sysinstall generated deltas -- # Tue Mar  2 23:04:59 2010
ifconfig_em0="inet 172.16.88.18  netmask 255.255.255.0"
defaultrouter="172.16.88.2"
hostname="Radius.FreeBSD"
sendmail_enable="NONE"
inetd_enable="YES"
# -- sysinstall generated deltas -- # Tue Mar  2 23:23:51 2010
#sshd_enable="YES"
inetd_enable="YES"
postgresql_enable="YES"
radiusd_enable="YES"
mpd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
gateway_enable="YES"


[ 本帖最后由 王国梁 于 2010-3-4 11:45 PM 编辑 ]

TOP

支持王版,我觉得名字要改一下,不然不能突出主题。

另外,cvsup,现在的确用的人少了,csup更好用。
http://analyst.3322.org
搜索是最好的老师,请善用搜索。
请注意提问的技巧,把问题说清楚。

TOP

引用:
原帖由 analyst 于 2010-3-4 11:18 PM 发表
支持王版,我觉得名字要改一下,不然不能突出主题。

另外,cvsup,现在的确用的人少了,csup更好用。
呵呵  我也觉得 我要学习新的知识了  cvsup 现在可能只有我一个人用呢吧。。。

csup 方法和cvsup 有什么不一样的吗?  我看貌似只是命令不一样  还有就是 cvsup 多了个 pkg_add

TOP

引用:
原帖由 王国梁 于 2010-3-4 11:41 PM 发表


呵呵  我也觉得 我要学习新的知识了  cvsup 现在可能只有我一个人用呢吧。。。

csup 方法和cvsup 有什么不一样的吗?  我看貌似只是命令不一样  还有就是 cvsup 多了个 pkg_add
csup 是用 C 语言对 CVSup 软件的重写。 它最大的好处是, 这个程序更快一些,并且也不需要依赖于 Modula-3 语言, 因此也就不需要安装后者。 另外, 如果您使用 FreeBSD 6.2 或更新版本, 就可以直接使用, 因为它成为了基本系统的一部分。 较早的 FreeBSD 版本的基本系统中并不包含 csup(1), 但可以通过 net/csup port 或预编译包来安装。 不过需要注意的是, csup 工具并不支持 CVS 模式。 如果您希望对代码库做完整的镜像,则还是需要使用 CVSup。


摘自:http://www.freebsd.org/doc/zh_CN/books/handbook/cvsup.html
http://analyst.3322.org
搜索是最好的老师,请善用搜索。
请注意提问的技巧,把问题说清楚。

TOP

这个要支持   一直想做就是不知道怎么做  建议王版加入radiusmanager  方便用户管理

TOP

楼上的有 radiusmanager 破解版的吗?  有的话 分享出来 我再加上。。

TOP

顶,我做过pppd+freeradius+mysql的,配置倒还容易,如果再用php做个管理界面就好了,哈哈哈

TOP

我有 radiusmanager

TOP

引用:
原帖由 王国梁 于 2010-3-10 07:52 PM 发表
楼上的有 radiusmanager 破解版的吗?  有的话 分享出来 我再加上。。
我也有
收费承接ROS路由远程可配置的各种设置
大猫猫和兔子的家
出售美国VPN,虚拟主机,要的PM。

TOP

引用:
原帖由 熊茂祥 于 2010-5-7 11:02 AM 发表


我也有

TOP

 15 12
发新话题