Configuring the freeradius server with a MySQL database to store the authentication parameters.
For an example of a freeradius installation, see here.
This tutorial covers the PEAP and TTLS protocols (so TLS will also be configured). The database and freeradius are installed on the same server.
The installation is done on a CentOS Linux distribution.
Installing MySQL for Freeradius
[root@localhost ~]# yum install mysql-server
[root@localhost ~]# yum install freeradius-mysql
Start mysql ( /etc/init.d/mysqld start ), then run the hardening script /usr/bin/mysql_secure_installation.
[root@localhost ~]# /usr/bin/mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!
[root@localhost ~]#
Enabling MySQL at boot
[root@localhost ~]# chkconfig mysqld on
Configuring MySQL
Installing the database
Connect to MySQL, create the database, then import the tables.
The tables are then listed.
[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.1.61 Source distribution
mysql>
mysql> CREATE DATABASE radius;
mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
Query OK, 0 rows affected (0.00 sec)
mysql>
mysql> use radius
Database changed
mysql> source /etc/raddb/sql/mysql/schema.sql
Query OK, 0 rows affected (0.06 sec)
Query OK, 0 rows affected (0.04 sec)
Query OK, 0 rows affected (0.05 sec)
Query OK, 0 rows affected (0.04 sec)
Query OK, 0 rows affected (0.04 sec)
Query OK, 0 rows affected (0.05 sec)
Query OK, 0 rows affected (0.04 sec)
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
7 rows in set (0.00 sec)
mysql>
Configuring Freeradius
File /etc/raddb/radiusd.conf
Uncomment the line $INCLUDE sql.conf
File /etc/raddb/sites-available/inner-tunnel
In the authorize section, uncomment the sql line
File /etc/raddb/sql.conf
If needed, change the IP address of the MySQL server and the user's password.
[root@centos ~]# more /etc/raddb/sql.conf
sql {
#
# Set the database to one of:
#
# mysql, mssql, oracle, postgresql
#
database = "mysql"
#
# Which FreeRADIUS driver to use.
#
driver = "rlm_sql_${database}"
# Connection info:
server = "localhost"
#port = 3306
login = "radius"
password = "radpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
....
Adding a user to the SQL database
For authentication, enter the user and the password in the radcheck table.
In the screen extracts below, we display the fields of the radcheck table, enter the user, and check the entry.
mysql> describe radcheck;
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(11) unsigned | NO   | PRI | NULL    | auto_increment |
| username  | varchar(64)      | NO   | MUL |         |                |
| attribute | varchar(64)      | NO   |     |         |                |
| op        | char(2)          | NO   |     | ==      |                |
| value     | varchar(253)     | NO   |     |         |                |
+-----------+------------------+------+-----+---------+----------------+
5 rows in set (0.00 sec)
mysql>
mysql> insert into radcheck (username,attribute,op,value) values ("clem","Cleartext-Password",":=","password");
Query OK, 1 row affected (0.00 sec)
mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  1 | clem     | Cleartext-Password | := | password |
+----+----------+--------------------+----+----------+
1 row in set (0.00 sec)
mysql>
To associate a VLAN number with a user, also fill in the radreply table.
mysql> insert into radreply (username,attribute,op,value) values ("clem","Tunnel-Type","=","VLAN");
Query OK, 1 row affected (0.00 sec)
mysql> insert into radreply (username,attribute,op,value) values ("clem","Tunnel-Medium-Type","=","IEEE-802");
Query OK, 1 row affected (0.00 sec)
mysql> insert into radreply (username,attribute,op,value) values ("clem","Tunnel-Private-Group-Id","=","4");
Query OK, 1 row affected (0.00 sec)
mysql> select * from radreply;
+----+----------+-------------------------+----+----------+
| id | username | attribute               | op | value    |
+----+----------+-------------------------+----+----------+
|  1 | clem     | Tunnel-Type             | =  | VLAN     |
|  2 | clem     | Tunnel-Medium-Type      | =  | IEEE-802 |
|  3 | clem     | Tunnel-Private-Group-Id | =  | 4        |
+----+----------+-------------------------+----+----------+
3 rows in set (0.00 sec)
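To give the same VLAN to many users without repeating the three radreply rows for each of them, the group tables created by schema.sql (radgroupreply and radusergroup) can carry the Tunnel-* attributes instead. The SQL below is an added example, not part of the original tutorial; the user clem2, the group vlan4 and its password are constructed sample values, and it assumes the schema imported above.

```sql
-- Added example: group-based VLAN assignment with the tables from schema.sql.
-- clem2, vlan4 and S3cretPass are constructed sample values.
USE radius;

-- 1. Check item for the user. PEAP/MSCHAPv2 and TTLS need the password itself
--    (Cleartext-Password); ":=" sets the attribute regardless of earlier values.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('clem2', 'Cleartext-Password', ':=', 'S3cretPass');

-- 2. Reply items attached to the group, sent to the switch/AP in the
--    Access-Accept. The same three attributes as the per-user radreply rows.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('vlan4', 'Tunnel-Type',             '=', 'VLAN'),
  ('vlan4', 'Tunnel-Medium-Type',      '=', 'IEEE-802'),
  ('vlan4', 'Tunnel-Private-Group-Id', '=', '4');

-- 3. Group membership. priority orders the groups when a user is in several.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('clem2', 'vlan4', 1);

-- 4. Verification: which reply attributes will this user receive?
SELECT u.username, u.groupname, g.attribute, g.op, g.value
FROM radusergroup u
JOIN radgroupreply g ON g.groupname = u.groupname
WHERE u.username = 'clem2'
ORDER BY u.priority, g.id;
```

Moving a user to another VLAN is then a single UPDATE of radusergroup, and the per-user radreply rows for clem shown above are no longer needed for users handled this way.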
And there you go: you can now test authentication with radtest, then with the real infrastructure.
Testing freeradius authentication
[root@localhost raddb]# radtest clem password 127.0.0.1 0 testing123
Sending Access-Request of id 230 to 127.0.0.1 port 1812
User-Name = "clem"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=230, length=30
Class = 0x6469
Framed-Compression = Van-Jacobson-TCP-IP
Configuring the client and the access point or switch
We have already covered this here and there.