配置模块详细说

1、Radiusd.conf文件配置Radiusd.conf文件是freeradius的核心配置文件，其中设置了服务器的基本信息，配 置文件与日志文件的环境变量，并详细配置freeradius模块所使用的信息，与认证和计费 所使用模块的配置.配置的变量定义的形式为$仃。，他们就在这个文件上，并且不随请 求到请求而改变.变量的格式参照variables.txt.此处定义其他配置文件以及目录的位置，也就是环境变量prefix = /usr/localexec_prefix = $prefixsysconfdir = $prefix/etclocalstatedir = $prefix/varsbind

2、ir = $exec_prefix/sbinlogdir = $localstatedir/log/radiusraddbdir = $sysconfdir/raddbradacctdir = $logdir/radacct配置文件和日志文件的位置confdir = $raddbdirrun_dir = $localstatedir/run/radiusd日志文件的信息，添加到如下配置文件的底部log_file = $logdir/radius.log模块的位置由libdir来配置。如果不能工作，那么你可以从新配置，从新Build源码，并且使用共享库。pidfile: Where to pla

3、ce the PID of the RADIUS server.pidfile = $run_dir/radiusd.piduser/group如果有评论，服务器会运行用户/组启动它.修改用户/组，必须具有root权限启动服务 器这里的含义是指定启动radius服务可以限定操作系统上的用户和组，但是不建议启动它.#user = nobody#group = nobody最长请求时间（秒），这样的问题经常需要存在在应用SQL数据库时候，建议设置为5秒到 120秒之间.max_request_time = 30当请求超过最长请求时间的时候，可以设置服务器删除请求.当你的服务在threaded（线程

4、 下）运行，或者线程池（thread pool）模式，建议这里设置为no.但用threaded服务设 置为yes时，有可能使服务器崩溃.delete_blocked_requests = no在reply发送给NAS后的等待清空时间.建议2秒 到10秒cleanup_delay = 5服务器的请求最大数，建议值256到无穷max_requests = 1024让服务器监听某个IP，并且从次IP发送 相应信息.主要是为了服务器同时具有多服务 器时候使用.bind_address = *可以指定raidus的使用端口号，使用0表示使用默认的radius端口，在配置文件 /etc/services

5、配置.port = 0如果需要服务器同时监听其他的IP,可以用listen块.下面是例子#listen IP address on which to listen.Allowed values are:dotted quad ()hostname ()wildcard (*)ipaddr = *Port on which to listen.Allowed values are:integer port number (1812)0 means use /etc/services for the proper portport = 0Type of packets to listen for.

6、Allowed values are:auth listen for authentication packetsacct listen for accounting packets#type = auth#hostname_lookups大概是表示为NAS查找它的域名信息？可以通过域名配置NAS?hostname_lookups = no是否允许core dumps.allow_core_dumps = noexpressions支持，规则和扩展.regular_expressions = yesextended_expressions = yes记录User-Name属性的全称.log_s

7、tripped_names = no是否记录认证请求信息到日志文件log_auth = no当请求被拒绝时记录密码，当请求正确时记录密码log_auth_badpass = nolog_auth_goodpass = no是否允许用户名冲突，即重复同用户同时登陆.强烈不建议启用重复用户.usercollide = no将用户名小写化，将密码小写化.lower_user = nolower_pass = no是否去除用户名和密码中的空格nospace_user = nonospace_pass = no程序执行并发检查（不理解含义）checkrad = $sbindir/checkrad安全配置

8、域security 指在Radius包中的最大属性数目.设置为0表示无穷大.max_attributes = 200发送Access-Reject包时候，可以设置一定的延迟，以缓慢DOS攻击，也可以缓慢穷举破解用户名和密码的攻击reject_delay = 1服务器是否对状态服务器的请求信息进行相应.status_server = noPROXY CONFIGURATION代理域.是否开启代理服务，具体配置参照$confdir/proxy.confproxy_requests = yes$INCLUDE $confdir/proxy.confClients 配置$INCLUDE $confdi

9、r/clients.conf是否启用snmp配置，具体配置文件在snmp.confsnmp = no$INCLUDE $confdir/snmp.conf线程池配置域thread pool 启动时服务的个数.（在启动Mysql模块后可以明显看到.）当同时进行的请求数超过5个时， 会增加线程服务.start_servers = 5最大的服务数max_servers = 32当少于最少空闲服务时，它会建立服务，大于最大空闲服务时会停止多余的服务.最少空闲 服务，与最大空闲服务.min_spare_servers = 3max_spare_servers = 10每个server最大的请求数.当有内

10、存漏洞时，可能需要配置.max_requests_per_server = 01.3模块配置PAP 模块# Supports multiple encryption schemes 支持多种加密方式# clear: Clear text 明文# crypt: Unix crypt Unix 加密md5: MD5 ecnryption MD5 加密shal: SHA1 encryption. SHA1 加密DEFAULT: crypt 默认是 UnX 加密pap encryption_scheme = cryptCHAP 模块chap authtype = CHAPPAM 模块PAM模块（PAM

11、）是行业标准验证框架，鉴于很多系统的PAM库都有内存漏洞，所以不建 议使用。pam pam_auth = radiusdUNIX系统用户的 认证模块unix cache = nocache_reload = 600passwd = /etc/passwdshadow = /etc/shadowgroup = /etc/groupradwtmp = $logdir/radwtmpEAP 模块详细见 $confdir/eap.conf$INCLUDE $confdir/eap.confMSCHAP 模块mschap #use_mppe = no#require_encryption = yes#r

12、equire_strong = yes#为了纠正window发送chap时有时包括域，有时又不包括域的信息.#with_ntdomain_hack = no#ntlm_auth = /path/to/ntlm_auth-request-nt-key-username=%Stripped-User-Name:-%User-Name:-None-challenge=%mschap:Challenge:-00-nt-response=%mschap:NT-Response:-00”LDAP配置模块LDAP模块只能在Access-Request packet中包含明文密码属性才可以被使用。LDAP 认

13、证不能在其他任何认证方法中使用。具体配置详见下属章节。（参看doc/rlm_ldap）。passwd 模块Passwd模块允许通过任何passwd样式的文件进行授权，并可以从这些模块中提取属性 信息。smbpasswd 例子#passwd etc_smbpasswd filename = /etc/smbpasswdformat =*User-Name:LM-Password:NT-Password:SMB-Account-CTRL-TEXT:authtype = MS-CHAPhashsize = 100ignorenislike = noallowmultiplekeys = no#pas

14、swd etc_group # filename = /etc/groupformat = =Group-Name:*, User-Namehashsize = 50ignorenislike = yesallowmultiplekeys = yesdelimiter =:#1.3.9 Realm 模块应用在代理上.You can have multiple instances of the realm module to support multiple realm syntaxs at the same time. The search order is defined by the or

15、der in the authorize and preacct sections.realm IPASS format = prefixdelimiter = /ignore_default = noignore_null = nousernamerealm#realm suffix format = suffixdelimiter = ignore_default = noignore_null = nousername%realm#realm realmpercent format = suffix delimiter = % ignore_default = no ignore_nul

16、l = nodomainuser#realm ntdomain format = prefix delimiter = ignore_default = no ignore_null = no1.3.10简单值检查模块(checkval)It can be used to check if an attribute value in the request matches a (possibly multi valued) attribute in the check items This can be used for example for caller-id authentication

17、. For the module to run both the request attribute and the check items attribute must exist.checkval The attribute to look for in the requestRequest包中查找的属性名称item-name = Calling-Station-IdThe attribute to look for in check items. Can be multi valuedCheck表中查找的属性名称check-name = Calling-Station-IdThe dat

18、a type. Can be#数据类型的种类string，integer，ipaddr，date，abinary，octetsdata-type = stringIf set to yes and we dont find the item-name attribute in therequest then we send back a reject#如果设置为yes，我们不在request包中查找属性名称直接发送reject.DEFAULT is no#notfound-reject = no1.3.11 从写属性模块(attr_rewrite)从写任何包，在认证和计费时都很有用.在拿到包后

19、，可以从写包里属性的内容.#attr_rewrite sanecallerid attribute = Called-Station-Idmay be packet， reply， proxy， proxy_reply or config# searchin = packetsearchfor = + replacewith =ignore_case = nonew_attribute = nomax_matches = 10# If set to yes then the replace string will be appended to the original stringappend

20、 = no#1.3.12 预处理 radius 请求模块(preprocess)预处理Radius请求，在交付其他模块处理前.包含这两个配置文件.可以从写那些由一些 NAS添加的很奇怪的属性.然后把这些属性转换到一个形态。参见第二章。配置实例：preprocess huntgroups = $confdir/huntgroupshints = $confdir/hintswith_ascend_hack = noascend_channels_per_line = 23with_ntdomain_hack = nowith_specialix_jetstream_hack = nowith_c

21、isco_vsa_hack = no1.3.13用户文件模块(files) files usersfile = $confdir/users acctusersfile = $confdir/acct_userspreproxy_usersfile = $confdir/preproxy_userscompat = no1.3.14日志信息记录模块(detail)将计费信息详细记录到文件上，按照设定时间，每隔一个时段生成一个新文件记录.detail detailfile = $radacctdir/%Client-IP-Address/detail-%Y%m%ddetailperm = 060

22、0#suppress # User-Password#将认证信息详细记录到文件上，按照设定时间，每隔一个时段生成一个新文件记录.detail auth_log detailfile = $radacctdir/%Client-IP-Address/auth-detail-%Y%m%dThis MUST be 0600， otherwise anyone can readthe users passwords!detailperm = 0600将相应(日。？日)信息详细记录到文件上，按照设定时间，每隔一个时段生成一个新文件记录detail reply_log detailfile = $rada

23、cctdir/%Client-IP-Address/reply-detail-%Y%m%dThis MUST be 0600,This MUST be 0600,the users passwords!detailperm = 0600 This module logs packets proxied to a home server.detail pre_proxy_log detailfile = $radacctdir/%Client-IP-Address/pre-proxy-detail-%Y%m%dThis MUST be 0600, otherwise anyone can rea

24、dthe users passwords!detailperm = 0600 This module logs response packets from a home server.detail post_proxy_log detailfile = $radacctdir/%Client-IP-Address/post-proxy-detail-%Y%m%dThis MUST be 0600, otherwise anyone can readthe users passwords!detailperm = 0600SQL日志记录模块(sql_log)The rlm_sql_log mod

25、ule appends the SQL queries in a log file which is read later by the radsqlrelay program.它只是将sql语句写到文件里，而后由radsqlrelay程序读取.参看计费唯一 sessionid 模块针对NAS不停重复Acct-Session-Id values造成混淆的问题，建立唯一的计费sessionid acct_unique key = User-Name， Acct-Session-Id，NAS-IP-Address， Client-IP-Address， NAS-PortSQL 模块通过$INCLU

26、DE来把数据库的模块的配置文件链接进来.The following configuration file is for use with MySQL.#For Postgresql， use: $confdir/postgresql.confFor MS-SQL， use: $confdir/mssql.confFor Oracle， use: $confdir/oraclesql.conf$INCLUDE $confdir/sql.confRadutmp 模块记录了那些在线用户的用户名，以及他们从哪里登陆的信息.实例 1 radutmpradutmp filename = $logdir/r

27、adutmpusername = %User-Namecase_sensitive = yescheck_with_nas = yes perm = 0600callerid = yes实例2 Safe radutmpradutmp sradutmp filename = $logdir/sradutmpperm = 0644callerid = no1.3.19属性过滤模块属性过滤模块，过滤从代理raidus服务器那里收到响应信息里的属性，来确保我们可以发 送回给我们的Radius客户端，详细见attrs配置文件.attr_filter attrsfile = $confdir/attrs1

28、.3.20计数模块从计费包信息中拿去一个属性及它的值，统计这个属性不同值的总数.counter daily filename = $raddbdir/db.dailykey = User-Namecount-attribute = Acct-Session-Timereset = dailycounter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 50001.3.21 SQL计数模块该模块所需要的信息都储存raddacct表中。它

29、并不进行在数据库中插入数据项和更新数据 项，它完全依赖SQL模块来处理计费信息包。(具体请参照SQL模块配置分析第七章)例1sqlcounter dailycounter counter-name = Daily-Session-Timecheck-name = Max-Daily-Sessionsqlmod-inst = sqlkey = User-Namereset = dailyquery = SELECT SUM(AcctSessionTime - GREATEST(%b - UNIX_TIMESTAMP(AcctStartTime), 0) FROM radacct WHERE Us

30、erName= %k AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime %b 例2sqlcounter monthlycounter counter-name = Monthly-Session-Timecheck-name = Max-Monthly-Sessionsqlmod-inst = sqlkey = User-Namereset = monthly query = SELECT SUM(AcctSessionTime - GREATEST(%b - UNIX_TIMESTAMP(AcctStartTime), 0) FROM r

31、adacct WHERE UserName= %k AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime %bAlways 模块为了测试用的Always模块，不做任何事情.always fail rcode = failalways reject rcode = rejectalways ok rcode = oksimulcount = 0mpp = noExpression 模块(expr)This module is useful only for xlat .expr Digest 模块 目前没有配置Digest authenticat

32、ion against a Cisco SIP server.1.3.25外部程序执行模块(exec)This module is useful only for xlat可以将外界程序运行的结果赋予给属性值.如:Attribute-Name = %exec:/path/to/program argsexec wait = yesinput_pairs = request例 This is a more general example of the execute module.exec echo wait = yesprogram = /bin/echo %User-Nameinput_pa

33、irs = requestoutput_pairs = replyIP地址池模块服务器端IP地址池管理，应该在post-auth和accounting域应该被添加.例:ippool main_pool range-start = range-stop = 54netmask = cache-size = 800session-db = $raddbdir/db.ippoolip-index = $raddbdir/db.ipindexoverride = nomaximum-timeout = 01.4关键域实例化域(Instantiation)这部分的目的是装载模块，那些被列在该域的模块讲在

34、authorize, authenticate，等域 之前装载.本部分并不是必须步骤.instantiate execexprauthorize 域The preprocess module takes care of sanitizing some bizarre attributes in the request， and turning them into attributes which are more standard. It takes care of processing the raddb/hints and the raddb/huntgroups files. It al

35、so adds the %Client-IP-Address attribute to the request.这个预处理模块解决对request包中的那些奇怪的属性的处理，并把这些奇怪的属性放到 标准的属性中.它同样处理hints与huntgroups文件.并在request包中添加%Client-IP-Address属性.authorize preprocessauth_logattr_filterChapMschapdigestIPASSsuffixntdomainEapFilesSqletc_smbpasswdldapdailycheckvalAuthentication 域这部分列出

36、验证所需要的模块.但各个模块并不是按照顺序进行尝试的.它的含义是在 authorize域添加一份配置属性Auth-Type := FOO.这个验证类型用来拿去域模块列表 中合适的模块.一般来说，不应该设置Auth-Type属性.Radius服务器会自己来判断， 然后做正确的事.Auth-Type 一般来说，不正确设置的最普通效果就是只有一种认证方法 运行，其他的全部失败.手动设置Auth-Type attribute的原因一般为要强制拒绝用户，或者强制通过认证用户.authenticate Auth-Type PAP papAuth-Type CHAP chapAuth-Type MS-CHA

37、P mschapdigestpamUnixAuth-Type LDAP ldapeapPre-accounting 域决定用何种计费方式preacct preprocessacct_uniqueIPASSsuffixntdomainfilesAccounting 域accounting 建立packets的详细日志记录那些代理的计费requests，并在detail文件中记录detaildailyUpdate the wtmp file#如果你不使用radlast，你就不能删掉下面这行unix#For Simultaneous-Use tracking.#Due to packet losse

38、s in the network，the data heremay be incorrect. There is little we can do about it.#由于网络上数据包的丢失，这里的数据有可能会不正确，对此我们无能为力radutmpsradutmpReturn an address to the IP Pool when we see a stop record.#当我们看到停止记录时向IP Pool中返回地址信息main_pool#Log traffic to an SQL database.#向SQL数据库中记录日志#See Accounting queries in sq

39、l.conf#在sql.conf中查看”计费queries”sql#Instead of sending the query to the SQL server，write it into a log file.#除了向SQL数据库中写入query信息，还可以将信息写入log file来代替.sql_logCisco VoIP specific bulk accountingpgsql-voipSession 域Session database， used for checking Simultaneous-Use. Either the radutmpor rlm_sql module ca

40、n handle this.The rlm_sql module is *much* fasterSession数据库用来检查用户的并发使用.不论是Radutmp还是rlm_sql模块都在这里 被处理，rlm_sql模块相比来说速度更快.session radutmp#See Simultaneous Use Checking Querie in sql.confsqlpost-auth 域Post-AuthenticationOnce we KNOW that the user has been authenticated, there areadditional steps we can

41、take.当用户已经通过前面的认证过程，我们还可以额外添加一些步骤.post-auth Get an address from the IP Pool.#从IP Pool中拿到地址main_pool#If you want to have a log of authentication replies，un-comment the following line， and the detail reply_log#如果你想获得一个认证replies信息的日志记录，解除掉这行与detail reply_log的 注释.section， above.reply_log#After authentic

42、ating the user， do another SQL query.#在认证用户后，进行另外的SQL querySee Authentication Logging Queries in sql.conf详细请看 sql.conf 文件中Authentication Logging Queries部分.sql#Instead of sending the query to the SQL server,write it into a log file.#除了向数据库中写入query信息，还可以写在文件中作为代替.#sql_log#Un-comment the following if y

43、ou have setedir_account_policy_check = yes in the ldap module sub-section ofthe modules section.如果你设置了edir_account_policy_check = yes在 ldap 模块的域中（见上）.#ldap#Access-Reject packets are sent through the REJECT sub-section of thepost-auth section.Uncomment the following and set the module name to the lda

44、p instancename if you have set edir_account_policy_check = yes in the ldapmodule sub-section of the modules section.#如果你设置了edir_account_policy_check = yes在ldap模块的域中，请解除下面 的注释信息Post-Auth-Type REJECT insert-module-name-herepre-proxy 域When the server decides to proxy a request to a home server,the prox

45、ied request is first passed through the pre-proxystage. This stage can re-write the request, or decide tocancel the proxy.#Only a few modules currently have this method.pre-proxy attr_rewriteUncomment the following line if you want to change attributesas defined in the preproxy_users file.filesIf yo

46、u want to have a log of packets proxied to a homeserver, un-comment the following line, and thedetail pre_proxy_log section, above.pre_proxy_logpost-proxy 域# When the server receives a reply to a request it proxiedto a home server, the request may be massaged here, in thepost-proxy stage.#post-proxy

47、 If you want to have a log of replies from a home server,un-comment the following line, and the detail post_proxy_logsection, above.post_proxy_logattr_rewriteUncomment the following line if you want to filter replies fromremote proxies based on the rules defined in the attrs file.attr_filter#If you

48、are proxying LEAP, you MUST configure the EAPmodule, and you MUST list it here, in the post-proxystage.#You MUST also use the nostrip option in the realmconfiguration. Otherwise, the User-Name attributein the proxied request will not match the user namehidden inside of the EAP packet, and the end se

49、rver willreject the EAP request.# eapSql.conf文件配置说明sql driver = rlm_sql_mysql /*使用的数据库类型，当前表示MySQLserver = /*数据库服务器地址login = root/*连接数据库使用的用户名password = /*连接数据库的密码radius_db = radius/* 数据库名称acct_table1 = radacct/*计费开始时写记录到此表acct_table2 = radacct/*计费结束时写记录到此表num_sql_socks = 5/*启动数据库连接数量#Authorization

50、Queries#These queries compare the check items for the userin $authcheck_table and setup the reply items in$authreply_table. You can use any query/tablesyou want, but the return data for each row MUSTbe in the following order:#0. Row ID (currently unused)1. UserName/GroupName2. Item Attr Name3. Item

51、Attr Value4. Item Attr Operation#authorize_check_query=call online_is(%SQL-User-Name,%Calling-Station-Id,a)authorize_reply_query = SELECT id, UserName, Attribute, Value, op FROM $authreply_table WHERE Username = BINARY%SQL-User-Name ORDER BYid#Accounting Queries#accounting_onoff_query - query for Ac

52、counting On/Off packetsaccounting_update_query - query for Accounting update packetsaccounting_update_query_alt - query for Accounting update packets(alternate in case first query fails)accounting_start_query - query for Accounting start packetsaccounting_start_query_alt - query for Accounting start

53、 packets(alternate in case first query fails)accounting_stop_query- query for Accounting stop packetsaccounting_stop_query_alt - query for Accounting start packets(alternate in case first query doesntaffect any existing rows in the table)#accounting_onoff_query = UPDATE $acct_table1 SET AcctStopTime

54、=%S, AcctSessionTime=unix_timestamp(%S)-unix_timestamp(AcctStartTime),accounting_update_query = accounting_update_query = UPDATE $acct_table1 SET FramedIPAddressAcctSessionTimeAcctInputOctets=%Framed-IP-Address, =%Acct-Session-Time, =%Acct-Input-Gigawords:-0 32 I %Acct-Input-Octets:-0, AcctOutputOct

55、ets=%Acct-Output-Gigawords:-0 32 I %Acct-Output-Octets:-0 WHERE AcctSessionId = %Acct-Session-Id AND UserName= %SQL-User-Name AcctOutputOctetsaccounting_update_query_alt = accounting_update_query_alt = INSERT INTO $acct_table1 (AcctSessionId,Realm, NASPortType, AcctAuthentic,AcctUniqueId,NASIPAddres

56、s, AcctStartTime,AcctUniqueId,NASIPAddress, AcctStartTime,NASPortId, AcctSessionTime, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey) VALUES (%Acct-Session-Id, %Acct-Unique-Se

57、ssion-Id, %SQL-User-Name, %Realm, %NAS-IP-Address, %NAS-Port, %NAS-Port-Type, DATE_SUB(%S, INTERVAL (%Acct-Session-Time:-0 + %Acct-Delay-Time:-0) SECOND), %Acct-Session-Time, %Acct-Authentic, , %Acct-Input-Gigawords:-0 32 I %Acct-Input-Octets:-0, %Acct-Output-Gigawords:-0 32 I %Acct-Output-Octets:-0

58、, %Called-Station-Id, %Calling-Station-Id, %Service-Type, %Framed-Protocol, %Framed-IP-Address, 0, %X-Ascend-Session-Svr-Key)accounting_start_query = AcctUniqueId,NASIPAddress,AcctUniqueId,NASIPAddress,AcctStartTime,AcctAuthentic,UserName, NASPortId, UserName, NASPortId, AcctStopTime, ConnectInfo_st

59、art, CallingStationId, AcctTerminateCause, FramedProtocol, FramedIPAddress, CallingStationId, AcctTerminateCause, FramedProtocol, FramedIPAddress, AcctStopDelay, XAscendSessionSvrKey) (%Acct-Session-Id, %Acct-Unique-Session-Id, %SQL-User-Name, %Realm, %NAS-IP-Address, %NAS-Port, %NAS-Port-Type, %S,

60、0, 0, %Acct-Authentic, %Connect-Info, ,0, 0, %Called-Station-Id, %Calling-Station-Id, , %Service-Type, %Framed-Protocol, %Framed-IP-Address, %Acct-Delay-Time:-0, 0, %X-Ascend-Session-Svr-Key)accounting_start_query_alt = UPDATE $acct_table1 SET AcctStartTime = %S, AcctStartDelay = %Acct-Delay-Time, C