1. Install RADIUS Packages
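# Online install with yum (repository packages are signature-checked when the repo has gpgcheck=1)
yum install -y freeradius freeradius-utils
# Manual download and local install. NOTE: these URLs are plain http, so verify the package
# signatures before installing anything. CentOS 7 is past end of life; if mirror.centos.org no
# longer serves these paths, the archived packages are kept under vault.centos.org.
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/freeradius-3.0.13-15.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/freeradius-utils-3.0.13-15.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/openssl-devel-1.0.2k-19.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/openssl-libs-1.0.2k-19.el7.x86_64.rpm
# Check the signature of every downloaded package (the CentOS signing key must be imported,
# see /etc/pki/rpm-gpg). Do not install a package that reports anything other than OK.
rpm --checksig ./*.rpm
# yum resolves the remaining dependencies from the configured repositories
yum install -y ./freeradius-*.rpm
# or install with rpm only. rpm does no dependency resolution, and this glob does not match the
# openssl packages downloaded above, so install those first if yum is not available.
rpm -ivh ./freeradius-*.rpm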
2. Configure the radiusd.conf
# If you want this information recorded in the logs. Default location: ${logdir}/radius.log
# (logdir = ${localstatedir}/log/radius, localstatedir = /var)
vim /etc/raddb/radiusd.conf
#----------------------------------------------#
log {
# log every authentication result (accept/reject) to the radius.log noted above
auth = yes
# Per the radiusd.conf template, auth_badpass / auth_goodpass add the submitted password to
# the log line for rejected / accepted attempts respectively, in cleartext. Useful while
# setting up, but it writes user passwords into a log file: turn both back to "no" once the
# setup is verified, and keep radius.log readable only by root and the radiusd user.
auth_badpass = yes
auth_goodpass = yes
}
#----------------------------------------------#
3. Configure the clients.conf
# Make sure the parameters below are present in the file
vi /etc/raddb/clients.conf
#----------------------------------------------#
# One client block per NAS (here: whole /24 ranges). Every host in the range that knows the
# shared secret can send Access-Requests, so keep the range as narrow as the BMC/PDU
# addresses allow, ideally one block per device address.
client testnetwork1 {
ipaddr = 192.168.0.0/24
# "radius" is a sample secret only. The shared secret is the only thing authenticating the NAS
# to this server: use a long random, per-client secret in production and set the same value
# on the NAS side.
secret = radius
# "no" accepts Access-Requests that carry no Message-Authenticator, i.e. packets whose
# integrity is never checked. Message-Authenticator is the protection against forged or
# modified RADIUS packets; set this to "yes" as soon as the NAS is confirmed (radiusd -X) to
# send the attribute. Newer FreeRADIUS releases default to requiring it.
require_message_authenticator = no
# NAS type hint, presumably only used by simultaneous-use checking; "other" means no probe
nas_type = other
}
client testnetwork2 {
ipaddr = 192.168.1.0/24
# same remarks as for testnetwork1: sample secret, and require_message_authenticator
# should be "yes" once the devices in this range are known to send it
secret = radius
require_message_authenticator = no
nas_type = other
}
3. Configure the users list.
# Set the basic user list for RADIUS. (FreeRADIUS also supports MySQL and LDAP as user backends.)
vim /etc/raddb/users
#---------(FreeRADIUS version: 3.0.13)----------#
###### The user list below is used for the AMI BMC WebUI ######
# Entry format: the first line is "<username> <check items>", and every following reply-item
# line must start with whitespace (the leading indent has been lost in this listing; see the
# note on the newer WebUI entries further down). All passwords here are sample values.
#
# NOTE: "Auth-Type := Accept" makes FreeRADIUS accept the user without running any
# authentication, so the Cleartext-Password on these lines is never checked and any password
# is accepted for these accounts. It is also what the "Auth-Type already set" message in the
# radiusd log refers to. Use "Auth-Type := PAP" (or omit Auth-Type) to have the password verified.
radius Auth-Type := Accept, Cleartext-Password := "abcdef"
radiusadmin Auth-Type := Accept, Cleartext-Password := "abcdef"
# Attr-26 is the raw Vendor-Specific attribute. 0x483d34 is the ASCII bytes of "H=4",
# i.e. ADMINISTRATOR level in the privilege table further down. "=" adds the attribute to
# the reply if it is not already there; ":=" would replace an existing one.
Attr-26 = 0x483d34
# 0x483D342C20493D34 is "H=4, I=4"; the author expects this to work for the "H=4, I=4"
# form of the WebUI settings, but it is untested here.
#Attr-26 = 0x483D342C20493D34
# The named-attribute forms below do not load on 3.0.13 (the service fails to start); kept
# for reference only.
#Vendor-Specific = "H=4"
#Vendor-Specific = "H=4, I=4"
#Vendor-Specific := "H=4, I=4"
# "H=3" -> OPERATOR level (password not checked, see the NOTE above)
radiusoperator Auth-Type := Accept, Cleartext-Password := "abcdef"
Attr-26 = 0x483D33
# Attr-26 = 0x483D332C20493D33
# "H=2" -> USER level (password not checked, see the NOTE above)
radiususer Auth-Type := Accept, Cleartext-Password := "abcdef"
Attr-26 = 0x483D32
# Attr-26 = 0x483D322C20493D32
# "H=1" -> CALLBACK level (password not checked, see the NOTE above)
radiuscallback Auth-Type := Accept, Cleartext-Password := "abcdef"
Attr-26 = 0x483D31
# Attr-26 = 0x483D312C20493D31
# PAP entries: the password IS verified here. The commented reply below is the form that
# fails to load, so as written these entries return no privilege attribute at all.
radiush4 Auth-Type := PAP, Cleartext-Password := "abcdef"
# Vendor-Specific="H=4"
radiush0 Auth-Type := PAP, Cleartext-Password := "abcdef"
# Vendor-Specific="H=0"
###### The user list below is used for APC PDUs ######
# APC-Service-Type / APC-Outlets are presumably defined by the APC vendor dictionary shipped
# with FreeRADIUS; confirm the names resolve with radiusd -X if the PDU ignores the reply.
## Simplest entry: no Auth-Type, so the pap module verifies the password.
testapc1 Cleartext-Password := "apc"
## Same, plus a reply item setting the login permission on the PDU.
testapc Cleartext-Password := "apc"
APC-Service-Type := Admin
## Works. Use this form to restrict the account to specific outlets.
apcport Cleartext-Password := "apc"
APC-Service-Type = Outlet, APC-Outlets = "1,2,3,4,5,6,7,8"
# Works, but logs an "Auth-Type already set" message - and, as with the AMI entries above,
# Auth-Type := Accept means the password "admin" is never checked.
testAdmin Auth-Type := Accept, Cleartext-Password := "admin"
APC-Service-Type := Admin
### Users for APC PDU ###
# Password-verified accounts, one per PDU privilege level (Admin / Device / ReadOnly).
apc Cleartext-Password := "apc"
APC-Service-Type := Admin
PDUadmin Cleartext-Password := "admin"
APC-Service-Type := Admin
PDUDevice Cleartext-Password := "device"
APC-Service-Type := Device
PDUReadOnly Cleartext-Password := "readonly"
APC-Service-Type := ReadOnly
apc-1 Cleartext-Password := "apc"
APC-Service-Type := Admin
apc-2 Cleartext-Password := "apc"
APC-Service-Type := Admin
#----------------------------------------------#
## About RADIUS user privilege levels for the AMI BMC WebUI ##
Channel Privilege Level Limit:
0h = reserved
1h = CALLBACK level
2h = USER level
3h = OPERATOR level
4h = ADMINISTRATOR level
5h = OEM Proprietary level
查某些廠商的說明書,標示RADIUS的權限設定仰賴RADIUS Users的設定
E.g.: Administrator是
a) Vendor-Specific Attributes: "H=4"
或
b) Vendor-Specific Attributes: "H=4, I=4"
(取決於RADIUS Advanced)
a) 如果使用AMI Codebase(Advanced RADIUS Settings)是"H=4"這樣的內容,對應的users則是
Callback "H=1" - Attr-26 = 0x483D31
User "H=2" - Attr-26 = 0x483D32
Operator "H=3," - Attr-26 = 0x483D33
Administrator "H=4" - Attr-26 = 0x483D34
b) 如果使用AMI Codebase(Advanced RADIUS Settings)是"H=4, I=4"這樣的內容,對應的users則是
Callback "H=1, I=1" - Attr-26 = 0x483D312C20493D31
User "H=2, I=2" - Attr-26 = 0x483D322C20493D32
Operator "H=3, I=3" - Attr-26 = 0x483D332C20493D33
Administrator "H=4, I=4" - Attr-26 = 0x483D342C20493D34
實際上從RADIUS debug mode看到(Advanced RADIUS Settings範例a)AMI BMC 請求RADIUS服務的訊息
Attr-26 = 0x00000000
所以FreeRADIUS users 檔案內的設定是
# The radiusadmin entry from the list above, with the author's note on each variant:
radiusadmin Auth-Type := Accept, Cleartext-Password := "abcdef"
Attr-26 = 0x483d34 #<-- works
#Attr-26 = 0x483D342C20493D34 #<-- if an Attr-26 value may be this long, I think this works too
#Vendor-Specific = "H=4" #<-- I assumed it could be written this way, but it cannot (the service fails to start)
#Vendor-Specific = "H=4, I=4" #<-- I assumed it could be written this way, but it cannot (the service fails to start)
#Vendor-Specific := "H=4, I=4" #<-- I assumed it could be written this way, but it cannot (the service fails to start)
#----------------------------------------------#
# (Old-version FreeRADIUS) Set the basic user list for RADIUS.
vim /etc/raddb/users
#---------(FreeRADIUS Version 2.1.12)----------#
# Stock-style 2.x entry: PAP check with a fixed Framed reply (reply lines need a leading
# indent, which this listing has lost).
radius Cleartext-Password := "abcdef"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Framed-IP-Netmask = 255.255.255.0
# A second "radius" entry. The users file is matched top-down and stops at the first matching
# entry unless that entry sets Fall-Through = Yes, so this one is shadowed by the entry above.
radius Auth-Type := PAP, Cleartext-Password := "abcdef"
# NOTE(review): the next line is the vendor manual's wording, not users-file syntax; it reads
# like a pasted note rather than configuration and would not parse as a reply item.
Vendor-Specific Attributes: "H=4, I=4"
# Reply form used on 2.1.12; the 3.0.13 notes above say this form no longer loads there.
Vendor-Specific="H=4"
radiush0 Auth-Type := PAP, Cleartext-Password := "abcdef"
Vendor-Specific="H=0"
### Users for APC PDU ###
# Legacy 2.x check items ("Auth-Type = Local, Password = ..."); the 3.x list above uses
# Cleartext-Password instead, which is the form current releases expect.
apc Auth-Type = Local, Password = "apc"
APC-Service-Type = Admin
PDUadmin Auth-Type = Local, Password = "admin"
APC-Service-Type = Admin
PDUDevice Auth-Type = Local, Password = "device"
APC-Service-Type = Device
PDUReadOnly Auth-Type = Local, Password = "readonly"
APC-Service-Type = ReadOnly
apc-1 Auth-Type = Local, Password = "apc"
APC-Service-Type = Admin
apc-2 Auth-Type = Local, Password = "apc"
APC-Service-Type = Admin
#----------------------------------------------#
4. Run RADIUS with debug Mode
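# Run in the foreground with full debug output (Ctrl-C to stop). Every request, the matched
# users entry and the reply attributes are printed, which is also the way to see which
# Vendor-Specific attribute the BMC/PDU actually sends.
radiusd -X
# From another terminal or a Linux client, check that the service answers. radtest arguments:
# <user> <password> <server IP or FQDN> <NAS-Port> <shared secret from clients.conf>.
# The password and the secret are given on the command line, so they land in the shell
# history and are visible in the process list: use the sample accounts only, on a trusted network.
radtest testapc1 apc {IP/FQDN} 0 radius
radtest testapc apc {IP/FQDN} 0 radius
# Both the radiusd -X output on the server and the radtest output on the client should show
# "Access-Accept". An "Access-Reject" points at the users entry, a timeout at the secret,
# the clients.conf range or something blocking the UDP traffic in between.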
5. Start the RADIUS service and enable it to start automatically at boot.
#Start RADIUS service.
# Stop the radiusd -X debug instance from step 4 first; while it runs it still owns the
# listening ports and the service cannot bind them.
systemctl start radiusd # old version OS: service radiusd start
# Enable start at boot ("systemctl enable --now radiusd" does both steps at once).
systemctl enable radiusd # old version OS: chkconfig radiusd on
# Confirm the unit is active and check the radius.log location noted in step 2 for errors.
systemctl status radiusd # old version OS: service radiusd status
6. Service is running, enjoy the service.
#--------------------------------------------------------------------------------------------#
Update at 2023/07/18
被AMI弄到= =TMD在某版Code之後,改了RADIUS請求的架構
要求新增一個dictionary,內容如下
# vim /etc/raddb/dictionary.adtest
#----------------------------------------------#
# dictionary.adtest
# FreeRADIUS dictionary for the vendor-specific attribute the newer AMI WebUI requires.
# The vendor id (58) has to be the Vendor-Id the BMC sends inside its Vendor-Specific (26)
# attribute; confirm it against the radiusd -X output if the reply is ignored by the BMC.
VENDOR ADTest 58
# Standard attribute
BEGIN-VENDOR ADTest
# vendor sub-attribute 1, a string carrying the privilege level as "H=<level>" (see the
# users entries below)
ATTRIBUTE ADTest-group 1 string
END-VENDOR ADTest
#----------------------------------------------#
並把它加到dictionary,內容如下
# vim /etc/raddb/dictionary
#----------------------------------------------#
# added to /etc/raddb/dictionary so that the ADTest-group name used in the users file resolves
$INCLUDE dictionary.adtest
#----------------------------------------------#
接著users的設定如下
備註:以下有兩種user帳號的設定都可以用,Cleartext-Password的下一行開頭一定要有空白,照AMI BMC WebUI Help的敘述設User,RADIUS服務沒辦法啟用
#vim /etc/raddb/users
#----------------------------------------------#
############### AMI new version WebUI ###############
# Entry layout: username plus check items on the first line; reply items on the following
# lines, which MUST begin with whitespace (the indent has been lost in this listing; see the
# author's note above). A trailing comma continues the reply list on the next line.
# Both entry styles below are reported to work; the first one, with Auth-Type on the check
# line, is the documented form. Passwords are sample values.
# ADTest-group "H=<n>" carries the Channel Privilege Level from the table in step 3:
# 4 = ADMINISTRATOR, 3 = OPERATOR, 2 = USER, 1 = CALLBACK, 0 = reserved.
RadiusAdmin Auth-Type := PAP,Cleartext-Password := "abcdef"
Service-Type = Administrative-User,
ADTest-group := "H=4"
# second style: Auth-Type := PAP placed among the reply lines instead of the check line
RadiusOper Cleartext-Password := "abcdef"
Service-Type = Administrative-User,
Auth-Type := PAP,
ADTest-group := "H=3"
RadiusUser Cleartext-Password := "abcdef"
Service-Type = Administrative-User,
Auth-Type := PAP,
ADTest-group := "H=2"
# NOTE(review): the account name says OEM, but H=1 is the CALLBACK level in the table above
# (OEM Proprietary is 5h) - confirm which level the WebUI expects for this account.
RadiusOEM Cleartext-Password := "abcdef"
Service-Type = Administrative-User,
Auth-Type := PAP,
ADTest-group := "H=1"
# H=0 is the reserved (no-privilege) level, matching the account name
RadiusNoAccess Cleartext-Password := "abcdef"
Service-Type = Administrative-User,
Auth-Type := PAP,
ADTest-group := "H=0"
####################