RHEL7 Install/Use Freeradius
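I had always used FreeRADIUS on Windows. The steps were simple and I never thought carefully about how it works, but the Windows version always has some small problems. Yesterday I installed it on RHEL7, and after a day of tinkering I finally understood its rough structure, as shown below:
Installation
To resolve dependency problems, it is best to install the prebuilt rpm packages. There are many freeradius packages; don't be confused by this, it is because freeradius can be combined with other components such as LDAP or MySQL. I directly installed a clean package, without other components: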
[root@frank Desktop]# yum localinstall freeradius-python-3.0.1-6.el7.x86_64.rpm
Loaded plugins: langpacks
Examining freeradius-python-3.0.1-6.el7.x86_64.rpm: freeradius-python-3.0.1-6.el7.x86_64
Marking freeradius-python-3.0.1-6.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package freeradius-python.x86_64 0:3.0.1-6.el7 will be installed
--> Processing Dependency: freeradius = 3.0.1-6.el7 for package: freeradius-python-3.0.1-6.el7.x86_64
--> Running transaction check
---> Package freeradius.x86_64 0:3.0.1-6.el7 will be installed
--> Processing Dependency: libnaaeap.so.0()(64bit) for package: freeradius-3.0.1-6.el7.x86_64
--> Running transaction check
---> Package tncfhh-libs.x86_64 0:0.8.3-16.el7 will be installed
--> Processing Dependency: tncfhh = 0.8.3 for package: tncfhh-libs-0.8.3-16.el7.x86_64
--> Processing Dependency: boost-system for package: tncfhh-libs-0.8.3-16.el7.x86_64
--> Processing Dependency: boost-thread for package: tncfhh-libs-0.8.3-16.el7.x86_64
--> Processing Dependency: libboost_system-mt.so.1.53.0()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
--> Processing Dependency: libboost_thread-mt.so.1.53.0()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
--> Processing Dependency: liblog4cxx.so.10()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
--> Processing Dependency: libtncutil.so.0()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
--> Processing Dependency: libxerces-c-3.1.so()(64bit) for package: tncfhh-libs-0.8.3-16.el7.x86_64
--> Running transaction check
---> Package boost-system.x86_64 0:1.53.0-18.el7 will be installed
---> Package boost-thread.x86_64 0:1.53.0-18.el7 will be installed
---> Package log4cxx.x86_64 0:0.10.0-16.el7 will be installed
---> Package tncfhh.x86_64 0:0.8.3-16.el7 will be installed
---> Package tncfhh-utils.x86_64 0:0.8.3-16.el7 will be installed
---> Package xerces-c.x86_64 0:3.1.1-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch    Version        Repository                              Size
================================================================================
Installing:
 freeradius-python  x86_64  3.0.1-6.el7    /freeradius-python-3.0.1-6.el7.x86_64   23 k
Installing for dependencies:
 boost-system       x86_64  1.53.0-18.el7  frank-repo                              38 k
 boost-thread       x86_64  1.53.0-18.el7  frank-repo                              56 k
 freeradius         x86_64  3.0.1-6.el7    frank-repo                             917 k
 log4cxx            x86_64  0.10.0-16.el7  frank-repo                             452 k
 tncfhh             x86_64  0.8.3-16.el7   frank-repo                             680 k
 tncfhh-libs        x86_64  0.8.3-16.el7   frank-repo                             160 k
 tncfhh-utils       x86_64  0.8.3-16.el7   frank-repo                              33 k
 xerces-c           x86_64  3.1.1-6.el7    frank-repo                             878 k

Transaction Summary
================================================================================
Install  1 Package (+8 Dependent packages)

Total size: 3.2 M
Total download size: 3.1 M
Installed size: 10 M
Is this ok [y/d/N]: y
Downloading packages:
--------------------------------------------------------------------------------
Total                                               16 MB/s | 3.1 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : log4cxx-0.10.0-16.el7.x86_64              1/9
  Installing : boost-system-1.53.0-18.el7.x86_64         2/9
  Installing : boost-thread-1.53.0-18.el7.x86_64         3/9
  Installing : xerces-c-3.1.1-6.el7.x86_64               4/9
  Installing : tncfhh-utils-0.8.3-16.el7.x86_64          5/9
  Installing : tncfhh-0.8.3-16.el7.x86_64                6/9
  Installing : tncfhh-libs-0.8.3-16.el7.x86_64           7/9
  Installing : freeradius-3.0.1-6.el7.x86_64             8/9
  Installing : freeradius-python-3.0.1-6.el7.x86_64      9/9
  Verifying  : tncfhh-utils-0.8.3-16.el7.x86_64          1/9
  Verifying  : tncfhh-0.8.3-16.el7.x86_64                2/9
  Verifying  : boost-thread-1.53.0-18.el7.x86_64         3/9
  Verifying  : freeradius-3.0.1-6.el7.x86_64             4/9
  Verifying  : boost-system-1.53.0-18.el7.x86_64         5/9
  Verifying  : tncfhh-libs-0.8.3-16.el7.x86_64           6/9
  Verifying  : freeradius-python-3.0.1-6.el7.x86_64      7/9
  Verifying  : xerces-c-3.1.1-6.el7.x86_64               8/9
  Verifying  : log4cxx-0.10.0-16.el7.x86_64              9/9

Installed:
  freeradius-python.x86_64 0:3.0.1-6.el7

Dependency Installed:
  boost-system.x86_64 0:1.53.0-18.el7
  boost-thread.x86_64 0:1.53.0-18.el7
  freeradius.x86_64 0:3.0.1-6.el7
  log4cxx.x86_64 0:0.10.0-16.el7
  tncfhh.x86_64 0:0.8.3-16.el7
  tncfhh-libs.x86_64 0:0.8.3-16.el7
  tncfhh-utils.x86_64 0:0.8.3-16.el7
  xerces-c.x86_64 0:3.1.1-6.el7

Complete!
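Debugging
After installation, how do you start the service on RHEL7 and set it to start at boot? In an earlier article I briefly introduced systemctl, which replaces chkconfig; at first it really takes some getting used to... I won't go into detail here; for the details, search Baidu or Google: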
[root@frank ~]# systemctl list-units --type=service |grep radiusd     <<< shows nothing while the service is not started
[root@frank ~]# systemctl start radiusd
[root@frank ~]# systemctl status radiusd
radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled)
   Active: active (running) since 四 2014-12-04 09:04:21 EST; 16s ago
  Process: 10831 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
  Process: 10828 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
  Process: 10826 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
 Main PID: 10833 (radiusd)
   CGroup: /system.slice/radiusd.service
           └─10833 /usr/sbin/radiusd -d /etc/raddb

12月 04 09:04:21 frank systemd[1]: Starting FreeRADIUS high performance RADIUS server....
12月 04 09:04:21 frank systemd[1]: Started FreeRADIUS high performance RADIUS server..
12月 04 09:04:31 frank systemd[1]: Started FreeRADIUS high performance RADIUS server..
[root@frank ~]# systemctl list-units |grep radiu     <<< the following is now shown
UNIT            LOAD   ACTIVE SUB     JOB DESCRIPTION
radiusd.service loaded active running     FreeRADIUS high performance RADIUS server.

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
JOB    = Pending job for the unit.

151 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[root@frank ~]# systemctl enable radiusd     <<< start at boot
ln -s '/usr/lib/systemd/system/radiusd.service' '/etc/systemd/system/multi-user.target.wants/radiusd.service'
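The initial setup is done. So what do its directory structure and functional modules actually look like? Below are several commonly used configuration files: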
[root@frank ~]# rpm -ql freeradius
/etc/raddb/clients.conf     <<< client configuration file
/etc/raddb/radiusd.conf     <<< main configuration file; some log-related features can be enabled here
/etc/raddb/users     <<< authentication information for clients
/usr/share/freeradius/dictionary.cisco
/usr/share/freeradius/dictionary.cisco.bbsm
/usr/share/freeradius/dictionary.cisco.vpn3000
/usr/share/freeradius/dictionary.cisco.vpn5000
/var/log/radius
/var/log/radius/radacct     <<< stores accounting information
/var/log/radius/radius.log     <<< nothing is written here when running radiusd -X, only when started with systemctl
/var/log/radius/radutmp
/var/run/radiusd
/var/run/radiusd/tmp
Below, radius.log is used to check whether a client passed authentication. It contains very little information and is basically of little use:
[root@frank raddb]# more /var/log/radius/radius.log
......
Thu Dec 4 23:04:56 2014 : Auth: (0) Invalid user: [cisco-5475.d04f.da81-Gi0/1.301dslforum.org/cisco] (from client ASR9k-BNG port 0)
Thu Dec 4 23:05:00 2014 : Auth: (1) Invalid user: [cisco-5475.d04f.da81-Gi0/1.301dslforum.org/cisco] (from client ASR9k-BNG port 0)
Thu Dec 4 23:05:04 2014 : Auth: (2) Invalid user: [cisco-5475.d04f.da81-Gi0/1.301dslforum.org/cisco] (from client ASR9k-BNG port 0)
Thu Dec 4 23:05:24 2014 : Auth: (3) Invalid user: [CPE1-CLASS_CPE/cisco] (from client ASR9k-BNG port 0)
Thu Dec 4 23:05:28 2014 : Auth: (4) Invalid user: [CPE1-CLASS_CPE/cisco] (from client ASR9k-BNG port 0)
Thu Dec 4 23:05:32 2014 : Auth: (5) Invalid user: [CPE1-CLASS_CPE/cisco] (from client ASR9k-BNG port 0)
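As an added example (not part of the original post), a tally of the "Invalid user" entries per client and user name makes the sparse radius.log easier to read. The sample lines are constructed in the format of the excerpt above, the helper names sample_log and summarize_invalid_users are hypothetical, and treating the text after the last "/" in the brackets as the logged password (and dropping it from the report) is an assumption about that format.

```bash
#!/usr/bin/env bash
# Added example: tally "Invalid user" entries in radius.log per client/user.

# Constructed sample lines in the format of the excerpt above.
sample_log() {
cat <<'EOF'
Thu Dec 4 23:04:50 2014 : Info: Ready to process requests.
Thu Dec 4 23:04:56 2014 : Auth: (0) Invalid user: [cpe-Gi0/1.301example.org/secretA] (from client ASR9k-BNG port 0)
Thu Dec 4 23:05:00 2014 : Auth: (1) Invalid user: [cpe-Gi0/1.301example.org/secretA] (from client ASR9k-BNG port 0)
Thu Dec 4 23:05:04 2014 : Auth: (2) Invalid user: [cpe-Gi0/1.301example.org/secretA] (from client ASR9k-BNG port 0)
Thu Dec 4 23:05:24 2014 : Auth: (3) Invalid user: [CPE1-CLASS_CPE/secretB] (from client ASR9k-BNG port 0)
Thu Dec 4 23:05:28 2014 : Auth: (4) Invalid user: [CPE1-CLASS_CPE/secretB] (from client ASR9k-BNG port 0)
Thu Dec 4 23:05:40 2014 : Auth: (5) Invalid user: [CPE1-CLASS_CPE/secretB] (from client LAB-NAS port 0)
Thu Dec 4 23:06:00 2014 : Auth: (6) Login OK: [CPE1-CLASS_CPE/secretB] (from client ASR9k-BNG port 0)
EOF
}

# Usage: summarize_invalid_users [logfile]   (reads stdin without an argument)
# Prints "count<TAB>client<TAB>user", highest count first.
summarize_invalid_users() {
  awk '
    / : Auth: / && match($0, /Invalid user: \[.*\] \(from client /) {
      # Bracket contents: the match is 15 chars + contents + 15 chars.
      cred = substr($0, RSTART + 15, RLENGTH - 30)
      # Remainder of the line is "<client> port <n>)".
      client = substr($0, RSTART + RLENGTH)
      sub(/ port .*$/, "", client)
      # Assumption: text after the LAST "/" is the logged password. The user
      # name may itself contain "/" (e.g. Gi0/1.301), so cut only the tail.
      user = cred
      sub("/[^/]*$", "", user)
      count[client "\t" user]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
  ' "${1:--}" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

sample_log | summarize_invalid_users
```

On the server itself the function would be pointed at /var/log/radius/radius.log, which is only populated when radiusd is started through systemctl.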
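To troubleshoot, you must enable debug mode with "radiusd -X". Its output is very detailed and is basically enough to solve the problems you run into; in addition, most problems are caused by incorrect syntax. Below is a capture of the debug output: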
[root@frank ~]# radiusd -X
radiusd: FreeRADIUS Version 3.0.1, for host x86_64-redhat-linux-gnu, built on Mar 5 2014 at 05:31:12
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
......
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
Update, 2017-5.17
I suddenly found that freeradius no longer worked; it reported an error on startup, and checking as root showed the same:
[cisco@frank ~]$ systemctl status radiusd.service
radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled)
   Active: failed (Result: exit-code) since Tue 2017-05-16 21:14:02 CST; 25s ago
  Process: 21083 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=1/FAILURE)
  Process: 21081 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
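First, radius must be installed and started as root; in addition, the configuration files must be free of errors before it will start. The problem I ran into here was a configuration template error that caused a permissions error to be reported. I have posted the specific solution on Stack Overflow: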
http://stackoverflow.com/questions/42542475/freeradius-startup-error-code-exited-status-1-failure/44013213#44013213