Monday, November 5, 2018

.::: Install OpenSSL 1.1.1 and FreeRADIUS 3.0.17 from source into a separate prefix (/opt) :::.

Init-script defaults for the stock yum installation (configuration directory /etc/raddb):
# Defaults used by the stock (yum) radiusd init script.  Each value only
# applies when the variable is unset or empty, so /etc/sysconfig/radiusd
# can override any of them before these lines run.
exec="${exec:-/usr/sbin/$prog}"
config_dir="${config_dir:-/etc/raddb}"
config="${config:-$config_dir/radiusd.conf}"
pidfile="${pidfile:-/var/run/$prog/$prog.pid}"
lockfile="${lockfile:-/var/lock/subsys/radiusd}"

The equivalent settings for the source build (prefix /opt/freeradius3.0.17):
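# Init-script values for the source build under /opt/freeradius3.0.17.
# exec must point at the radiusd produced by "make install" in step 02;
# leaving it at /usr/sbin/radiusd would start whatever lives there (e.g. a
# yum-installed radiusd linked against the distro OpenSSL) with this
# configuration directory.  ":=" only fills unset/empty values, so
# /etc/sysconfig/radiusd can still override each one.
exec=${exec:=/opt/freeradius3.0.17/sbin/$prog}
config_dir=${config_dir:=/opt/freeradius3.0.17/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/opt/freeradius3.0.17/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/opt/freeradius3.0.17/var/lock/subsys/radiusd}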


01. Install Openssl from source
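#!/usr/bin/env bash
# 01. Build OpenSSL 1.1.1 from source into /usr/local so the distro OpenSSL
#     package (which other RPMs depend on) stays untouched.  Run as root on
#     a yum-based host.
set -euo pipefail

OPENSSL_VERSION="1.1.1"   # use the newest 1.1.1x patch release when repeating this
OPENSSL_TARBALL="openssl-${OPENSSL_VERSION}.tar.gz"
OPENSSL_URL="https://www.openssl.org/source/${OPENSSL_TARBALL}"

echo "01. Steps to compile OpenSSL from sources"
yum -y groupinstall "Development Tools"
yum -y install wget perl gcc make zlib-devel

cd /usr/local/src
# Fetch over HTTPS and verify the published SHA-256 before unpacking: a
# tarball pulled over plain HTTP with no check can be swapped by anyone on
# the path, and this library will terminate every RADIUS TLS session.
wget -O "${OPENSSL_TARBALL}" "${OPENSSL_URL}"
wget -O "${OPENSSL_TARBALL}.sha256" "${OPENSSL_URL}.sha256"
printf '%s  %s\n' "$(cat "${OPENSSL_TARBALL}.sha256")" "${OPENSSL_TARBALL}" | sha256sum -c -
# Stronger still: check the detached PGP signature (${OPENSSL_URL}.asc)
# against the OpenSSL release key obtained out of band.

tar -xzf "${OPENSSL_TARBALL}"
cd "openssl-${OPENSSL_VERSION}"
./config --prefix=/usr/local --openssldir=/usr/local/openssl shared zlib-dynamic
make
# make test   # slow but cheap insurance for a crypto library
make install

# Make the new libssl/libcrypto visible to the dynamic linker.  Note that
# /usr/local/bin/openssl now shadows /usr/bin/openssl for any PATH that
# lists /usr/local/bin first (typically the case for root on CentOS).
echo "/usr/local/lib64" > /etc/ld.so.conf.d/openssl.conf
ldconfig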

02. Install Freeradius from source
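#!/usr/bin/env bash
# 02. Build FreeRADIUS 3.0.17 from source against the OpenSSL installed in
#     step 01, into its own prefix under /opt so it cannot collide with a
#     yum-installed freeradius package.  Run as root.
set -euo pipefail

FR_VERSION="3.0.17"
FR_PREFIX="/opt/freeradius${FR_VERSION}"
FR_TARBALL="freeradius-server-${FR_VERSION}.tar.gz"
FR_URL="https://ftp.freeradius.org/pub/freeradius/${FR_TARBALL}"

echo "02. Steps to compile Freeradius from sources"
yum -y groupinstall "Development Tools"
yum -y install wget libtalloc-devel openldap-devel

cd /usr/local/src
# Download over HTTPS from the project host by name rather than anonymous
# FTP to a bare IP: FTP is cleartext and an IP literal cannot be matched
# against a certificate.  Then verify the detached signature with the
# FreeRADIUS release key, imported beforehand from a trusted channel
# (gpg fails closed if the key is missing, which is what we want).
wget -O "${FR_TARBALL}" "${FR_URL}"
wget -O "${FR_TARBALL}.sig" "${FR_URL}.sig"
gpg --verify "${FR_TARBALL}.sig" "${FR_TARBALL}"

tar -xzf "${FR_TARBALL}"
cd "freeradius-server-${FR_VERSION}"
# Point configure at the step-01 OpenSSL explicitly, otherwise it picks up
# the distro's /usr/lib64 copy.  (--with-openssl=no would build without
# TLS at all, which drops the TLS-based EAP methods.)
./configure --prefix="${FR_PREFIX}" \
  --with-openssl-lib-dir=/usr/local/lib64 \
  --with-openssl-include-dir=/usr/local/include/openssl
make
make install

# Prove the binary really links the new library before going any further;
# grep's exit status fails the script if neither library is listed.
ldd "${FR_PREFIX}/sbin/radiusd" | grep -E 'libssl|libcrypto'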
https://youtu.be/jxeXKXfMtGo
03. create profile
[root@radius3 raddb]# cat /root/.bash_profile
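# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# User specific environment and startup programs

# Put the source-built FreeRADIUS first so that radiusd, radtest and friends
# resolve to /opt/freeradius3.0.17 even if a yum freeradius package has left
# copies in /usr/sbin and /usr/bin (appending would silently prefer those).
PATH=/opt/freeradius3.0.17/bin:/opt/freeradius3.0.17/sbin:$PATH:$HOME/bin

export PATH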

[root@radius3 raddb]#

04. allow_vulnerable_openssl — with this value radiusd will start even if the libssl it is linked against reports a version affected by CVE-2016-6304 (FreeRADIUS decides purely from the library's version string). After building OpenSSL 1.1.1 in step 01 the exemption is not needed; set `allow_vulnerable_openssl = no` so that a later downgrade, or an accidental link against the distro libssl, makes the server refuse to start instead of silently running on a vulnerable library. Confirm which library is actually loaded with `ldd /opt/freeradius3.0.17/sbin/radiusd | grep ssl`.
[root@radius3 raddb]# cat /opt/freeradius3.0.17/etc/raddb/radiusd.conf | grep allow_vu
    #  allow_vulnerable_openssl: Allow the server to start with
    allow_vulnerable_openssl = 'CVE-2016-6304'
[root@radius3 raddb]#

5. Create test users (both entries below carry cleartext, well-known passwords and `test` is given an administrative role — remove or change them before this server authenticates anything real)
cat /opt/freeradius3.0.17/etc/raddb/users
# On no match, the user is denied access.
#
# NOTE(review): both entries below are throw-away test accounts whose
# passwords are stored here in the clear and are also printed in this
# post.  "test" additionally gets Service-Type = Administrative-User and
# the vendor attribute PaloAlto-Admin-Role = superuser, presumably the
# full administrator role on any Palo Alto NAS that trusts this server.
# Delete these entries (or at least change the passwords) before the
# server authenticates anything real, and keep this file readable only
# by the account radiusd runs as.
test    Cleartext-Password := "testing123"
    Reply-Message = "Hello",
    Service-Type = Administrative-User,
    PaloAlto-Admin-Role = superuser

testing Cleartext-Password := "password"

6. Create clients (the NAS entries). Replace the sample secret `testing123` with a long random per-NAS secret before exposing UDP/1812; the shared secret is the only key protecting User-Password and request integrity on the wire.
cat /opt/freeradius3.0.17/etc/raddb/clients.conf
# NOTE(review): "testing123" is the example secret from the stock FreeRADIUS
# sample config and is repeated in this post's radtest commands.  The shared
# secret is the only key protecting User-Password (and the integrity of
# every Access-Request) between the NAS and this server, so give each NAS
# its own long random secret (e.g. from "openssl rand -base64 32") before
# exposing port 1812.  A bare address with no prefix length, as used here,
# limits the client to that single host, which is the right default.
client 10.10.10.10{
    secret                = testing123
    shortname             = 10.10.10.10
    nastype               = paloalto
    }


# Second NAS; same remarks as above — do not share one secret across
# clients, since a compromise of one NAS then exposes the other's traffic.
client 10.10.20.20 {
        secret                = testing123
        shortname             = 10.10.20.20
        nastype               = firewall
    }

7. Create /etc/init.d/radiusd from the stock script, changing the following defaults (make sure `exec` points at /opt/freeradius3.0.17/sbin/radiusd, the binary built in step 02, not at /usr/sbin/radiusd):
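# Values to change in the copied init script for the /opt build.  exec must
# name the radiusd produced by "make install" in step 02; /usr/sbin/radiusd
# would be whatever a distro package installed (linked against the distro
# OpenSSL, not the 1.1.1 built in step 01).  ":=" only fills unset/empty
# values, so /etc/sysconfig/radiusd can still override each of them.
exec=${exec:=/opt/freeradius3.0.17/sbin/$prog}
config_dir=${config_dir:=/opt/freeradius3.0.17/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/opt/freeradius3.0.17/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/opt/freeradius3.0.17/var/lock/subsys/radiusd}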


Full /etc/init.d/radiusd as used on this host (a file listing, not a log). The two commented lines shown before `#!/bin/sh` are leftover notes; if they really are in the file, move them below the shebang, which must be line 1 for the kernel to honour it. Also check the `exec=` line: it should point at /opt/freeradius3.0.17/sbin/radiusd (the binary built in step 02) rather than /usr/sbin/radiusd.
[root@radius3-teguhtriharto init.d]# cat /etc/init.d/radiusd
 

#PATH=$PATH:$HOME/bin:/opt/freeradius3.0.17/bin:/opt/freeradius3.0.17/sbin
#radiusd -X


#!/bin/sh
#
# radiusd Start/Stop the FreeRADIUS daemon
#
# chkconfig: - 88 10
# description: Extensible, configurable, high performance RADIUS server.

### BEGIN INIT INFO
# Provides: radiusd
# Required-Start: $network
# Required-Stop:
# Default-Start:
# Default-Stop:
# Should-Start: $time $syslog mysql ldap postgresql samba krb5-kdc
# Should-Stop:
# Short-Description: FreeRADIUS server
# Description: Extensible, configurable, high performance RADIUS server.
### END INIT INFO

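# Source function library.
. /etc/rc.d/init.d/functions
prog=radiusd

# Site overrides (exec, config_dir, pidfile, ...) may be placed here.
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog

# Defaults for the source build in /opt/freeradius3.0.17.  exec names the
# radiusd from "make install" there; /usr/sbin/$prog would be whatever a
# distro package installed, linked against the distro OpenSSL rather than
# the 1.1.1 built in step 01.  ":=" only fills unset/empty values, so the
# sysconfig file above wins when present.
exec=${exec:=/opt/freeradius3.0.17/sbin/$prog}
config_dir=${config_dir:=/opt/freeradius3.0.17/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/opt/freeradius3.0.17/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/opt/freeradius3.0.17/var/lock/subsys/radiusd}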


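# Start radiusd through the init-library "daemon" helper.
# Exit codes follow LSB: 5 = binary missing or not executable,
# 6 = configuration file missing.  Otherwise returns daemon's status and
# creates the subsys lock on success.
# Globals read: exec config config_dir pidfile lockfile prog.
start() {
    # Quoted so an unset $exec/$config fails the test instead of turning
    # "[ -x ]" into a one-argument test that is always true.
    [ -x "$exec" ] || exit 5
    [ -f "$config" ] || exit 6
    echo -n $"Starting $prog: "
    # -d selects the raddb directory radiusd loads.
    daemon --pidfile "$pidfile" "$exec" -d "$config_dir"
    retval=$?
    echo
    [ "$retval" -eq 0 ] && touch "$lockfile"
    return "$retval"
}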

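# Stop radiusd via the pid recorded in $pidfile.  On success the subsys
# lock is removed so status/condrestart see the service as stopped; the
# return value is killproc's status.
# Globals read: prog pidfile lockfile.
stop() {
    echo -n $"Stopping $prog: "
    killproc -p "$pidfile" "$prog"
    retval=$?
    echo
    [ "$retval" -eq 0 ] && rm -f "$lockfile"
    return "$retval"
}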

# Bounce the daemon.  stop's status is deliberately ignored (a server that
# was not running should still be started); the function's own status is
# whatever start returns.
restart() {
    stop || :
    start
}

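# Ask radiusd to re-read its configuration with SIGHUP.
# radiusd may not be capable of a 100% configuration reload depending on
# which loadable modules are in use; if a HUP turns out to be insufficient,
# call restart here instead.  Returns 7 (LSB "not running") when no pid can
# be found, rather than handing an empty argument to kill.
# Globals read: pidfile prog.
reload() {
    pid=$(pidofproc -p "$pidfile" "$prog") || return 7
    [ -n "$pid" ] || return 7
    kill -HUP "$pid"
}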

# force-reload is implemented as a full restart, since a HUP is not
# guaranteed to reload every module.
force_reload() { restart; }

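# Report whether radiusd is running, using the init library's generic
# pidfile-based status check; returns its exit status.
# Globals read: pidfile prog.
rh_status() {
    status -p "$pidfile" "$prog"
}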

# Quiet variant of rh_status for use in conditionals: same exit status,
# no output on either stream.
rh_status_q() { rh_status >/dev/null 2>/dev/null; }


# Entry point: dispatch on the requested action.  Exit status follows LSB:
# 0 success, 2 bad usage, 7 "reload" requested while not running; in every
# other case the status of the handler that ran is propagated by the final
# "exit $?".
case "$1" in
    start)
        # Already running: nothing to do, report success.
        rh_status_q && exit 0
        start
        ;;
    stop)
        # Not running: nothing to do, report success.
        rh_status_q || exit 0
        stop
        ;;
    restart) restart ;;
    reload)
        rh_status_q || exit 7
        reload
        ;;
    force-reload) force_reload ;;
    status) rh_status ;;
    condrestart|try-restart)
        # Only restart a server that is currently running.
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
        exit 2
        ;;
esac
exit $?




8. Restart radiusd. `radiusd -X` runs the server in the foreground in debug mode and prints every request — including User-Password values — to the terminal, so use it only for troubleshooting and stop it (Ctrl-C) before starting the service with the init script:
cd /root/
 radiusd -X
or
[root@radius3-teguhtriharto init.d]# cd /etc/init.d/
[root@radius3-teguhtriharto init.d]# pwd
/etc/init.d
[root@radius3-teguhtriharto init.d]# ./radiusd stop
Stopping radiusd:                                          [  OK  ]
[root@radius3-teguhtriharto init.d]# ./radiusd status
radiusd is stopped
[root@radius3-teguhtriharto init.d]# ./radiusd start
Starting radiusd:                                          [  OK  ]
[root@radius3-teguhtriharto init.d]# ./radiusd status
radiusd (pid  18778) is running...
[root@radius3-teguhtriharto init.d]#


9. Test RADIUS. radtest takes the shared secret as a command-line argument (visible in shell history and `ps`), and both radtest and the server print the password in the clear, so scrub these transcripts before sharing them. The 127.0.0.1 test presumably succeeds through the stock `client localhost` entry (secret testing123) in the default clients.conf rather than the two clients added in step 6.
radtest testing password 127.0.0.1 0 testing123

sample log

.::: Radius test from localhost :::.

[root@radius-teguht ~]# radtest testing password 127.0.0.1 0 testing123
Sent Access-Request Id 156 from 0.0.0.0:36915 to 127.0.0.1:1812 length 77
    User-Name = "testing"
    User-Password = "password"
    NAS-IP-Address = 10.10.10.100
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "password"
Received Access-Accept Id 156 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
[root@radius-teguht ~]#

.::: Radius test from Client :::.

[root@server ~]# radtest testing password radius-teguhtriharto 1812 testing123
Sent Access-Request Id 7 from 0.0.0.0:48027 to 10.10.10.100:1812 length 77
    User-Name = "testing"
    User-Password = "password"
    NAS-IP-Address = 10.10.10.100
    NAS-Port = 1812
    Message-Authenticator = 0x00
    Cleartext-Password = "password"
Received Access-Accept Id 7 from 10.10.10.100:1812 to 0.0.0.0:0 length 20
[root@server ~]#
[root@server ~]#
[root@server ~]# radtest testing password 10.10.10.100 1812 testing123
Sent Access-Request Id 82 from 0.0.0.0:56496 to 10.10.10.100:1812 length 77
    User-Name = "testing"
    User-Password = "password"
    NAS-IP-Address = 10.10.10.100
    NAS-Port = 1812
    Message-Authenticator = 0x00
    Cleartext-Password = "password"
Received Access-Accept Id 82 from 10.10.10.100:1812 to 0.0.0.0:0 length 20
[root@server ~]#
[root@server ~]#
