計算機関係/freeradius設定
をテンプレートにして作成
開始行:
[[研究室関係]]
&ref("計算機関係/freeradius設定/freeradius.txt");
# apt install freeradius freeradius-ldap
/etc/freeradius/3.0/radiusd.conf
変更前:
log {
...
auth = no
...
auth_badpass = no
auth_goodpass = no
...
}
変更後:
log {
...
# Log each authentication request (user, client, result) to the server log.
auth = yes
...
# NOTE(review): per the radiusd.conf documentation of these two options, they add the
# password itself to the log line for rejected / accepted requests. The log file then
# holds clear-text user credentials — restrict its permissions and retention, or keep
# these at "no" if only the list of authenticating users is needed.
auth_badpass = yes
auth_goodpass = yes
...
}
/etc/freeradius/3.0/mods-available/ldap
変更前:
ldap {
...
server = 'localhost'
...
# identity = 'cn=admin,dc=example,dc=org'
# password = mypass
...
base_dn = 'dc=example,dc=org'
...
user_dn = "LDAP-UserDn"
...
}
変更後:
ldap {
...
# Plain ldap:// to the local directory; the bind credential below is sent in clear
# text on this connection, which is only acceptable because it stays on localhost.
server = 'ldap://localhost'
...
# Admin bind credentials used for the user lookups.
# NOTE(review): the live password is reproduced on this page; keep the module file
# readable by the freerad user only and treat this page as sensitive.
identity = 'cn=admin,dc=phys,dc=shinshu-u,dc=ac,dc=jp'
password = 'ewCG/O.Zhpk'
...
# Search base narrowed to the People subtree.
base_dn = 'ou=People,dc=phys,dc=shinshu-u,dc=ac,dc=jp'
...
# user_dn = "LDAP-UserDn"
...
}
# cd /etc/freeradius/3.0/mods-enabled
# sudo -u freerad ln -s ../mods-available/ldap .
/etc/freeradius/3.0/mods-available/eap
変更前:
eap {
...
default_eap_type = md5
...
tls-config tls-common {
...
private_key_file = /etc/ssl/private/ssl-cert-sna...
...
certificate_file = /etc/ssl/certs/ssl-cert-snake...
...
disable_tlsv1_1 = yes
disable_tlsv1 = yes
...
tls_min_version = "1.2"
...
}
...
}
変更後:
# mkdir /etc/freeradius/3.0/certs/letsencrypt
#以下は証明書が更新されるたびに行う必要あり->cronを使え...
# cp /etc/letsencrypt/live/azusa.shinshu-u.ac.jp/privkey...
# cp /etc/letsencrypt/live/azusa.shinshu-u.ac.jp/fullcha...
# chown freerad:freerad /etc/freeradius/3.0/certs/letsen...
eap {
...
# NOTE(review): this is the *outer* default type. A supplicant that accepts plain
# EAP-MSCHAPv2 here authenticates without a TLS tunnel; peap (or ttls) is the usual
# outer default, with mschapv2 as the inner method — confirm which was intended.
default_eap_type = mschapv2
...
tls-config tls-common {
...
# Let's Encrypt key/chain copied under ${certdir}/letsencrypt (see the cp/chown steps
# above); the copy must be refreshed on every certificate renewal.
private_key_file = ${certdir}/letsencrypt/privke...
...
certificate_file = ${certdir}/letsencrypt/fullch...
...
# disable_tlsv1_1 = no 変更しなくてよいかも
# disable_tlsv1 = no 変更しなくてよいかも
...
# NOTE(review): commenting this out falls back to the server's built-in default,
# which depends on the FreeRADIUS 3.0.x release — confirm the effective minimum is
# still 1.2 (e.g. from the debug output at startup).
# tls_min_version = "1.2"
...
}
...
}
/etc/freeradius/3.0/mods-available/mschap 変更しなくてよい
変更前:
mschap {
...
# use_mppe = no
...
# require_encryption = yes
...
# require_strong = yes
...
}
変更後:
mschap {
...
use_mppe = yes
...
require_encryption = yes
...
require_strong = yes
...
}
/etc/freeradius/3.0/mods-available/ntlm_auth: 変更しなく...
変更前:
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --dom...
}
変更後:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --usern...
/etc/freeradius/3.0/sites-available/tls
変更前:
listen {
...
tls {
...
private_key_file = /etc/ssl/private/ssl-cert-sna...
...
certificate_file = /etc/ssl/certs/ssl-cert-snake...
...
}
...
}
変更後:
listen {
...
tls {
...
private_key_file = ${certdir}/letsencrypt/privke...
...
certificate_file = ${certdir}/letsencrypt/fullch...
...
}
...
}
/etc/freeradius/3.0/sites-available/inner-tunnel
変更前:
server inner-tunnel {
...
listen {
ipaddr = 127.0.0.1
...
}
authorize {
...
mschap
...
-ldap
...
}
...
authenticate {
...
# Auth-Type LDAP {
# ldap
# }
...
}
...
post-auth {
...
# ldap
...
}
...
}
変更後:
server inner-tunnel {
...
listen {
# NOTE(review): was 127.0.0.1 (loopback only). '*' binds the inner-tunnel virtual
# server on every interface, so the inner method becomes reachable directly from the
# network rather than only through the outer TLS tunnel — confirm this is intended;
# the stock configuration keeps it on loopback.
ipaddr = *
...
}
authorize {
...
# Only claim the request for MS-CHAP if no earlier module has set Auth-Type.
if (!control:Auth-Type) {
mschap
# NOTE(review): mirrors the ldap stanza in sites-available/default. An MS-CHAP
# request carries MS-CHAP-Response rather than User-Password, so this inner
# condition may never be true — confirm the intended condition.
if (ok && User-Password) {
update {
control:Auth-Type := MS-CHAP
}
}
}
...
# "ldap" (no leading "-") makes a missing/unloaded ldap module a configuration error.
ldap
...
}
...
authenticate {
...
Auth-Type LDAP {
ldap
}
...
}
...
post-auth {
...
-ldap 変更しなくてよいかも
...
}
...
}
/etc/freeradius/3.0/sites-available/default
変更前:
server default {
...
authorize {
...
# auth_log
...
-ldap
...
}
...
authenticate {
...
# Auth-Type LDAP {
# ldap
# }
...
}
...
}
変更後:
server default {
...
authorize {
...
auth_log
...
if (!control:Auth-Type) {
ldap
if (ok && User-Password) {
update {
control:Auth-Type := LDAP
}
}
}
...
}
...
authenticate {
...
Auth-Type LDAP {
ldap
}
...
}
...
}
/etc/freeradius/3.0/mods-config/files/authorize
変更前:
# DEFAULT
# Service-Type = Administrative-User
変更後:
# DEFAULT
# Service-Type = Administrative-User
DEFAULT Auth-Type = LDAP
Fall-Through = Yes
/etc/freeradius/3.0/clients.conf
追加前:
...
#client private-network-2 {
# ipaddr = 198.51.100.0/24
# secret = testing123-2
#}
...
追加後:
...
#client private-network-2 {
# ipaddr = 198.51.100.0/24
# secret = testing123-2
#}
# One client entry per NAS (the shortname suggests a router on each /24).
# NOTE(review): ipaddr with a /24 mask accepts any host in that subnet as this client;
# if the router's address is static, a single host entry is the narrower choice.
# The shared secrets are live values — keep this file and this page restricted.
client HEPNet1 {
ipaddr = 192.168.1.0/24
secret = ff0510d903
shortname = yamaha-radius-1
}
client HEPNet2 {
ipaddr = 192.168.2.0/24
# NOTE(review): differs from the other three entries (d093 vs d903) — confirm it is
# not a transposition typo; otherwise this NAS fails with a shared-secret mismatch.
secret = ff0510d093
shortname = yamaha-radius-2
}
client HEPNet3 {
ipaddr = 192.168.3.0/24
secret = ff0510d903
shortname = yamaha-radius-3
}
client HEPNet4 {
ipaddr = 192.168.4.0/24
secret = ff0510d903
shortname = yamaha-radius-4
}
...
終了行:
[[研究室関係]]
&ref("計算機関係/freeradius設定/freeradius.txt");
# apt install freeradius freeradius-ldap
/etc/freeradius/3.0/radiusd.conf
変更前:
log {
...
auth = no
...
auth_badpass = no
auth_goodpass = no
...
}
変更後:
log {
...
# Log each authentication request (user, client, result) to the server log.
auth = yes
...
# NOTE(review): per the radiusd.conf documentation of these two options, they add the
# password itself to the log line for rejected / accepted requests. The log file then
# holds clear-text user credentials — restrict its permissions and retention, or keep
# these at "no" if only the list of authenticating users is needed.
auth_badpass = yes
auth_goodpass = yes
...
}
/etc/freeradius/3.0/mods-available/ldap
変更前:
ldap {
...
server = 'localhost'
...
# identity = 'cn=admin,dc=example,dc=org'
# password = mypass
...
base_dn = 'dc=example,dc=org'
...
user_dn = "LDAP-UserDn"
...
}
変更後:
ldap {
...
# Plain ldap:// to the local directory; the bind credential below is sent in clear
# text on this connection, which is only acceptable because it stays on localhost.
server = 'ldap://localhost'
...
# Admin bind credentials used for the user lookups.
# NOTE(review): the live password is reproduced on this page; keep the module file
# readable by the freerad user only and treat this page as sensitive.
identity = 'cn=admin,dc=phys,dc=shinshu-u,dc=ac,dc=jp'
password = 'ewCG/O.Zhpk'
...
# Search base narrowed to the People subtree.
base_dn = 'ou=People,dc=phys,dc=shinshu-u,dc=ac,dc=jp'
...
# user_dn = "LDAP-UserDn"
...
}
# cd /etc/freeradius/3.0/mods-enabled
# sudo -u freerad ln -s ../mods-available/ldap .
/etc/freeradius/3.0/mods-available/eap
変更前:
eap {
...
default_eap_type = md5
...
tls-config tls-common {
...
private_key_file = /etc/ssl/private/ssl-cert-sna...
...
certificate_file = /etc/ssl/certs/ssl-cert-snake...
...
disable_tlsv1_1 = yes
disable_tlsv1 = yes
...
tls_min_version = "1.2"
...
}
...
}
変更後:
# mkdir /etc/freeradius/3.0/certs/letsencrypt
#以下は証明書が更新されるたびに行う必要あり->cronを使え...
# cp /etc/letsencrypt/live/azusa.shinshu-u.ac.jp/privkey...
# cp /etc/letsencrypt/live/azusa.shinshu-u.ac.jp/fullcha...
# chown freerad:freerad /etc/freeradius/3.0/certs/letsen...
eap {
...
# NOTE(review): this is the *outer* default type. A supplicant that accepts plain
# EAP-MSCHAPv2 here authenticates without a TLS tunnel; peap (or ttls) is the usual
# outer default, with mschapv2 as the inner method — confirm which was intended.
default_eap_type = mschapv2
...
tls-config tls-common {
...
# Let's Encrypt key/chain copied under ${certdir}/letsencrypt (see the cp/chown steps
# above); the copy must be refreshed on every certificate renewal.
private_key_file = ${certdir}/letsencrypt/privke...
...
certificate_file = ${certdir}/letsencrypt/fullch...
...
# disable_tlsv1_1 = no 変更しなくてよいかも
# disable_tlsv1 = no 変更しなくてよいかも
...
# NOTE(review): commenting this out falls back to the server's built-in default,
# which depends on the FreeRADIUS 3.0.x release — confirm the effective minimum is
# still 1.2 (e.g. from the debug output at startup).
# tls_min_version = "1.2"
...
}
...
}
/etc/freeradius/3.0/mods-available/mschap 変更しなくてよい
変更前:
mschap {
...
# use_mppe = no
...
# require_encryption = yes
...
# require_strong = yes
...
}
変更後:
mschap {
...
use_mppe = yes
...
require_encryption = yes
...
require_strong = yes
...
}
/etc/freeradius/3.0/mods-available/ntlm_auth: 変更しなく...
変更前:
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --dom...
}
変更後:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --usern...
/etc/freeradius/3.0/sites-available/tls
変更前:
listen {
...
tls {
...
private_key_file = /etc/ssl/private/ssl-cert-sna...
...
certificate_file = /etc/ssl/certs/ssl-cert-snake...
...
}
...
}
変更後:
listen {
...
tls {
...
private_key_file = ${certdir}/letsencrypt/privke...
...
certificate_file = ${certdir}/letsencrypt/fullch...
...
}
...
}
/etc/freeradius/3.0/sites-available/inner-tunnel
変更前:
server inner-tunnel {
...
listen {
ipaddr = 127.0.0.1
...
}
authorize {
...
mschap
...
-ldap
...
}
...
authenticate {
...
# Auth-Type LDAP {
# ldap
# }
...
}
...
post-auth {
...
# ldap
...
}
...
}
変更後:
server inner-tunnel {
...
listen {
# NOTE(review): was 127.0.0.1 (loopback only). '*' binds the inner-tunnel virtual
# server on every interface, so the inner method becomes reachable directly from the
# network rather than only through the outer TLS tunnel — confirm this is intended;
# the stock configuration keeps it on loopback.
ipaddr = *
...
}
authorize {
...
# Only claim the request for MS-CHAP if no earlier module has set Auth-Type.
if (!control:Auth-Type) {
mschap
# NOTE(review): mirrors the ldap stanza in sites-available/default. An MS-CHAP
# request carries MS-CHAP-Response rather than User-Password, so this inner
# condition may never be true — confirm the intended condition.
if (ok && User-Password) {
update {
control:Auth-Type := MS-CHAP
}
}
}
...
# "ldap" (no leading "-") makes a missing/unloaded ldap module a configuration error.
ldap
...
}
...
authenticate {
...
Auth-Type LDAP {
ldap
}
...
}
...
post-auth {
...
-ldap 変更しなくてよいかも
...
}
...
}
/etc/freeradius/3.0/sites-available/default
変更前:
server default {
...
authorize {
...
# auth_log
...
-ldap
...
}
...
authenticate {
...
# Auth-Type LDAP {
# ldap
# }
...
}
...
}
変更後:
server default {
...
authorize {
...
auth_log
...
if (!control:Auth-Type) {
ldap
if (ok && User-Password) {
update {
control:Auth-Type := LDAP
}
}
}
...
}
...
authenticate {
...
Auth-Type LDAP {
ldap
}
...
}
...
}
/etc/freeradius/3.0/mods-config/files/authorize
変更前:
# DEFAULT
# Service-Type = Administrative-User
変更後:
# DEFAULT
# Service-Type = Administrative-User
DEFAULT Auth-Type = LDAP
Fall-Through = Yes
/etc/freeradius/3.0/clients.conf
追加前:
...
#client private-network-2 {
# ipaddr = 198.51.100.0/24
# secret = testing123-2
#}
...
追加後:
...
#client private-network-2 {
# ipaddr = 198.51.100.0/24
# secret = testing123-2
#}
# One client entry per NAS (the shortname suggests a router on each /24).
# NOTE(review): ipaddr with a /24 mask accepts any host in that subnet as this client;
# if the router's address is static, a single host entry is the narrower choice.
# The shared secrets are live values — keep this file and this page restricted.
client HEPNet1 {
ipaddr = 192.168.1.0/24
secret = ff0510d903
shortname = yamaha-radius-1
}
client HEPNet2 {
ipaddr = 192.168.2.0/24
# NOTE(review): differs from the other three entries (d093 vs d903) — confirm it is
# not a transposition typo; otherwise this NAS fails with a shared-secret mismatch.
secret = ff0510d093
shortname = yamaha-radius-2
}
client HEPNet3 {
ipaddr = 192.168.3.0/24
secret = ff0510d903
shortname = yamaha-radius-3
}
client HEPNet4 {
ipaddr = 192.168.4.0/24
secret = ff0510d903
shortname = yamaha-radius-4
}
...