計算機関係/freeradius設定 の変更点

• 追加された行はこの色です。
• 削除された行はこの色です。
• 計算機関係/freeradius設定 へ行く。
• 計算機関係/freeradius設定 の差分を削除

#author("2024-08-24T14:40:24+09:00","hasegawa","hasegawa")
#author("2024-08-24T14:42:05+09:00","hasegawa","hasegawa")
[[研究室関係]]

&ref("計算機関係/freeradius設定/freeradius.txt");

# apt install freeradius freeradius-ldap
 
 /etc/freeradius/3.0/radiusd.conf
 変更前:
 log {
     ...
     auth = no
     ...
     auth_badpass = no
     auth_goodpass = no
     ...
 }
 変更後：
 log {
     ...
     auth = yes
     ...
     auth_badpass = yes
     auth_goodpass = yes
     ...
 }
 
 /etc/freeradius/3.0/mods-available/ldap
 変更前:
 ldap {
     ...
     server = 'localhost'
     ...
 #   identity = 'cn=admin,dc=example,dc=org'
 #   password = mypass
     ...
     base_dn = 'dc=example,dc=org'
     ...
     user_dn = "LDAP-UserDn"
     ...
 }
 変更後:
 ldap {
     ...
     server = 'ldap://localhost'
     ...
     identity = 'cn=admin,dc=phys,dc=shinshu-u,dc=ac,dc=jp'
     password = 'ewCG/O.Zhpk'
     ...
     base_dn = 'ou=People,dc=phys,dc=shinshu-u,dc=ac,dc=jp'
     ...
 #    user_dn = "LDAP-UserDn"
     ...
 }
 
 # cd /etc/freeradius/3.0/mods-enabled
 # sudo -u freerad ln -s ../mods-available/ldap .
 
 /etc/freeradius/3.0/mods-available/eap
 変更前:
 eap {
     ...
     default_eap_type = md5
     ...
     tls-config tls-common {
         ...
         private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
         ...
         certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
         ...
         disable_tlsv1_1 = yes
         disable_tlsv1 = yes
         ...
         tls_min_version = "1.2"
         ...
     }
     ...
 }
 変更後:
 # mkdir /etc/freeradius/3.0/certs/letsencrypt
 #以下は証明書が更新されるたびに行う必要あり->cronを使えばよい。
 # cp /etc/letsencrypt/live/azusa.shinshu-u.ac.jp/privkey.pem /etc/freeradius/3.0/certs/letsencrypt
 # cp /etc/letsencrypt/live/azusa.shinshu-u.ac.jp/fullchain.pem /etc/freeradius/3.0/certs/letsencrypt
 # chown freerad:freerad /etc/freeradius/3.0/certs/letsencrypt/*
 eap {
     ...
     default_eap_type = mschapv2
     ...
     tls-config tls-common {
         ...
         private_key_file = ${certdir}/letsencrypt/privkey.pem
         ...
         certificate_file = ${certdir}/letsencrypt/fullchain.pem
         ...
     #   disable_tlsv1_1 = no 変更しなくてよいかも
     #   disable_tlsv1 = no 変更しなくてよいかも
         ...
     #   tls_min_version = "1.2"
         ...
     }
     ...
 }
 
 /etc/freeradius/3.0/mods-available/mschap 変更しなくてよい
 変更前:
 mschap {
     ...
 #   use_mppe = no
     ...
 #   require_encryption = yes
     ...
 #   require_strong = yes
     ...
 }
 
 変更後:
 mschap {
     ...
     use_mppe = yes
     ...
     require_encryption = yes
     ...
     require_strong = yes
     ...
 }
 
 /etc/freeradius/3.0/mods-available/ntlm_auth: 変更しなくてよい
 変更前:
 exec ntlm_auth {
     wait = yes
     program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
 }
 
 変更後:
 ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-%{%{User-Name}:-None}}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
 
 /etc/freeradius/3.0/sites-available/tls
 変更前:
 listen {
     ...
     tls {
         ...
         private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
         ...
         certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
         ...
     }
     ...
 }
 変更後:
 listen {
     ...
     tls {
         ...
         private_key_file = ${certdir}/letsencrypt/privkey.pem
         ...
         certificate_file = ${certdir}/letsencrypt/fullchain.pem
         ...
     }
     ...
 }
 
 /etc/freeradius/3.0/sites-available/inner-tunnel
 変更前:
 server inner-tunnel {
     ...
 listen {
     ipaddr = 127.0.0.1
     ...
 }
 authorize {
     ...
     mschap
     ...
     -ldap
     ...
 }
 ...
 authenticate {
     ...
 #   Auth-Type LDAP {
 #       ldap
 #   }
     ...
 }
 ...
 post-auth {
     ...
 #    ldap
     ...
 }
 ...
 }
 
 変更後:
 server inner-tunnel {
     ...
 listen {
     ipaddr = *
     ...
 }
 authorize {
     ...
     if (!control:Auth-Type) {
         mschap
         if (ok && User-Password) {
             update {
                 control:Auth-Type := MS-CHAP
             }
         }
     }
     ...
     ldap
     ...
 }
 ...
 authenticate {
     ...
     Auth-Type LDAP {
         ldap
     }
     ...
 }
 ...
 post-auth {
     ...
     -ldap 変更しなくてよいかも
     ...
 }
 ...
 }
 
 /etc/freeradius/3.0/sites-available/default
 変更前:
 server default {
     ...
 authorize {
     ...
 #   auth_log
     ...
     -ldap
     ...
 }
     ...
 authenticate {
     ...
 #   Auth-Type LDAP {
 #       ldap
 #   }    
     ...
 }
     ...
 }
 
 変更後:
 server default {
     ...
 authorize {
     ...
     auth_log
     ...
     if (!control:Auth-Type) {
         ldap
         if (ok && User-Password) {
             update {
                 control:Auth-Type := LDAP
             }
         }
     }
     ...
 }
     ...
 authenticate {
     ...
     Auth-Type LDAP {
         ldap
     }    
     ...
 }
     ...
 }
 
 /etc/freeradius/3.0/mods-config/files/authorize
 変更前:
 # DEFAULT
 #       Service-Type = Administrative-User
 
 変更後:
 # DEFAULT
 #       Service-Type = Administrative-User
 DEFAULT Auth-Type = LDAP
 Fall-Through = Yes
 
 /etc/freeradius/3.0/clients.conf
 追加前:
 ...
 #client private-network-2 {
 #       ipaddr          = 198.51.100.0/24
 #       secret          = testing123-2
 #}
 ...
 
 追加後:
 ...
 #client private-network-2 {
 #       ipaddr          = 198.51.100.0/24
 #       secret          = testing123-2
 #}
 client HEPNet1 {
         ipaddr          = 192.168.1.0/24
         secret          = ff0510d903
         shortname       = yamaha-radius-1
 }
 client HEPNet2 {
         ipaddr          = 192.168.2.0/24
         secret          = ff0510d093
         shortname       = yamaha-radius-2
 }
 client HEPNet3 {
         ipaddr          = 192.168.3.0/24
         secret          = ff0510d903
         shortname       = yamaha-radius-3
 }
 client HEPNet4 {
         ipaddr          = 192.168.4.0/24
         secret          = ff0510d903
         shortname       = yamaha-radius-4
 }
 ...