Voici des extraits détaillés de la configuration RADIUS de FDN, et un exemple SQL:
users:
# FreeRADIUS "users" entry (the file is named on the line above).
# DEFAULT matches any login; the check items on the first line must all hold
# (here: the request comes in through huntgroup 'td'), and the entry then
# forces Auth-Type := td. The authenticate section of the radiusd.conf
# excerpt below shows Auth-Type blocks for PAP, CHAP, essai and eap only —
# confirm an "Auth-Type td" block exists in the full file.
# The ":1" suffix on the reply items is the tunnel-attribute tag, so these
# reply items describe one tagged L2TP-over-IP tunnel.
# The last line still ends with a comma: the reply list continues in the
# real file and the excerpt on this page is cut off here.
DEFAULT Huntgroup-Name == 'td', Auth-Type := td
	Service-Type:1 := "Framed",
	Framed-Protocol:1 := "PPP",
	Class:1 := 0,
	Tunnel-Type:1 := "L2TP",
	Tunnel-Medium-Type:1 := "IP",
radiusd.conf:
# radiusd.conf excerpt (old per-module authorize_*_query layout). The "..."
# inside sqlfdn is the author's cut, not a configuration token.
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    # Splits "user@realm" on '@'. RADUSER_LOGIN in the table further down is
    # stored realm-qualified ("...@fdn.nerim"), and the radtest exchange at the
    # bottom of the page is accepted, so the realm-qualified name is what
    # reaches the SQL queries below.
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    sql sqlfdn {
        driver = "rlm_sql_mysql"
        server = "localhost"
        # "toto" is the placeholder value used throughout this excerpt.
        login = "toto"
        passwd = "toto"
        radius_db = "adsl"
        # All four queries interpolate %{SQL-User-Name}, the sql module's
        # escaped copy of the user name, not the raw %{User-Name}; that
        # escaping is what keeps the quoted literal from being an injection
        # point — confirm the module's escaping matches the character set your
        # logins allow if that set is ever widened.
        # The REPLACE()/OR pair accepts a login stored under either the legacy
        # '@fdn.nerim' realm or the '@fdn.fr' one.
        # "from RADUSER,UATTR ... and UATTR.RADUSER_ID = RADUSER.RADUSER_ID" is
        # an implicit comma join, i.e. an INNER JOIN on RADUSER_ID.
        # Per-user check items (UATTR_TYPE = 'check'), e.g. the User-Password
        # row in the UATTR dump below.
        authorize_check_query = "\
        select UATTR_ID,RADUSER_LOGIN,UATTR_ATTR,UATTR_VALUE,UATTR_OP \
        from RADUSER,UATTR \
        where ((RADUSER_LOGIN = REPLACE('%{SQL-User-Name}','@fdn.nerim','@fdn.fr')) or (RADUSER_LOGIN = '%{SQL-User-Name}')) and \
        UATTR.RADUSER_ID = RADUSER.RADUSER_ID and \
        UATTR_TYPE = 'check' \
        order by UATTR_ID"
        # Per-user reply items (UATTR_TYPE = 'reply'): the Framed-IP-* and
        # Framed-IPv6-Route rows that show up in the Access-Accept.
        authorize_reply_query = "\
        select UATTR_ID,RADUSER_LOGIN,UATTR_ATTR,UATTR_VALUE,UATTR_OP \
        from RADUSER,UATTR \
        where ((RADUSER_LOGIN = REPLACE('%{SQL-User-Name}','@fdn.nerim','@fdn.fr')) or (RADUSER_LOGIN = '%{SQL-User-Name}')) and \
        UATTR.RADUSER_ID = RADUSER.RADUSER_ID and \
        UATTR_TYPE = 'reply' \
        order by UATTR_ID"
        # Group items, joined through RADUSER.RADGROUP_ID. Unlike the user
        # queries these carry no "order by", so the order in which group
        # items are applied is whatever the engine returns.
        authorize_group_check_query = "\
        select GATTR_ID,RADUSER_LOGIN,GATTR_ATTR,GATTR_VALUE,GATTR_OP \
        from RADUSER,GATTR \
        where ((RADUSER_LOGIN = REPLACE('%{SQL-User-Name}','@fdn.nerim','@fdn.fr')) or (RADUSER_LOGIN = '%{SQL-User-Name}')) and \
        GATTR.RADGROUP_ID = RADUSER.RADGROUP_ID and \
        GATTR_TYPE = 'check'"
        # NOTE(review): the Access-Accept in the radtest exchange at the bottom
        # of this page carries only the three UATTR reply items (length=52 is
        # consistent with exactly those); none of the four GATTR reply items
        # (Service-Type, Framed-Protocol, Framed-Routing, Idle-Timeout) appear.
        # Confirm the group reply query is actually being applied.
        authorize_group_reply_query = "\
        select GATTR_ID,RADUSER_LOGIN,GATTR_ATTR,GATTR_VALUE,GATTR_OP \
        from RADUSER,GATTR \
        where ((RADUSER_LOGIN = REPLACE('%{SQL-User-Name}','@fdn.nerim','@fdn.fr')) or (RADUSER_LOGIN = '%{SQL-User-Name}')) and \
        GATTR.RADGROUP_ID = RADUSER.RADGROUP_ID and \
        GATTR_TYPE = 'reply'"
        ...
    }
}
instantiate {
}
authorize {
    preprocess
    suffix
    files
    # Presumably selected by an Autz-Type := fdn item set elsewhere (the
    # users excerpt above is truncated) — confirm against the full users file.
    # chap flags requests carrying a CHAP-Password for CHAP authentication;
    # sqlfdn then loads the check/reply items with the queries above.
    Autz-Type fdn {
        chap
        sqlfdn
    }
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    # 'essai' (test) hands authentication to the always-succeed module: any
    # request routed to Auth-Type essai is accepted with no credential check.
    # Nothing in this excerpt assigns it; it should not survive into a
    # production configuration.
    Auth-Type essai {
        ok
    }
    eap
}
Voici un extrait des tables SQL:
mysql> select * from RADUSER where RADUSER_LOGIN='samuel.thibault@fdn.nerim';
+------------+---------------------------+-------------+----------+
| RADUSER_ID | RADUSER_LOGIN             | RADGROUP_ID | LIGNE_ID |
+------------+---------------------------+-------------+----------+
|        111 | samuel.thibault@fdn.nerim |           1 |      154 |
+------------+---------------------------+-------------+----------+
1 row in set (0.00 sec)

mysql> select * from UATTR where RADUSER_ID=111;
+----------+-------------------+----------+--------------------+------------+------------+
| UATTR_ID | UATTR_ATTR        | UATTR_OP | UATTR_VALUE        | UATTR_TYPE | RADUSER_ID |
+----------+-------------------+----------+--------------------+------------+------------+
|      362 | User-Password     | ==       | toto               | check      |        111 |
|      363 | Framed-IP-Address | =        | 80.67.176.89       | reply      |        111 |
|      364 | Framed-IP-Netmask | =        | 255.255.255.255    | reply      |        111 |
|      389 | Framed-IPv6-Route | =        | 2001:910:1059::/48 | reply      |        111 |
+----------+-------------------+----------+--------------------+------------+------------+
4 rows in set (0.00 sec)

mysql> select * from GATTR where RADGROUP_ID=1;
+----------+-----------------+----------+-------------+------------+-------------+
| GATTR_ID | GATTR_ATTR      | GATTR_OP | GATTR_VALUE | GATTR_TYPE | RADGROUP_ID |
+----------+-----------------+----------+-------------+------------+-------------+
|        1 | Service-Type    | :=       | Framed-User | reply      |           1 |
|        2 | Framed-Protocol | :=       | PPP         | reply      |           1 |
|        3 | Framed-Routing  | :=       | None        | reply      |           1 |
|        4 | Idle-Timeout    | :=       | 86400       | reply      |           1 |
+----------+-----------------+----------+-------------+------------+-------------+
4 rows in set (0.05 sec)
Et par exemple, ça donne donc:
$ radtest samuel.thibault@fdn.nerim toto 80.67.169.42 1 pweeet
Sending Access-Request of id 44 to 80.67.169.42 port 1812
	User-Name = "samuel.thibault@fdn.nerim"
	User-Password = "toto"
	NAS-IP-Address = 80.67.169.41
	NAS-Port = 1
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 80.67.169.42 port 1812, id=44, length=52
	Framed-IP-Address = 80.67.176.89
	Framed-IP-Netmask = 255.255.255.255
	Framed-IPv6-Route = "2001:910:1059::/48"