wpa howto.htm

802.1x认证的认证服务器freeradius的howto文档

# User handling
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no

#  RADIUS Checker
checkrad = ${sbindir}/checkrad

# Security options
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

# DON'T proxy requests
proxy_requests  = no

# CLIENTS CONFIGURATION
# Include the clients here.
$INCLUDE ${confdir}/clients.conf

# Don't use SNMP.
snmp = no

# Thread-pooling
thread pool {
    start_servers = 2
    max_servers = 10

    min_spare_servers = 3
    max_spare_servers = 10

    max_requests_per_server = 0
}

# MODULE CONFIGURATION
modules {
    # This is an EAP-based operation.
    eap {
        default_eap_type = tls
        timer_expire     = 60

        tls {
            private_key_password = (server's private key password, e.g. in pass/server-name.pass)
            private_key_file = /etc/wireless-auth/server-name.pem
            certificate_file = /etc/wireless-auth/server-name.pem
            
            CA_file = /etc/wireless-auth/root.pem

            dh_file = /etc/wireless-auth/DH
            random_file = /etc/wireless-auth/random
            
            fragment_size = 1024
            include_length = yes
        }
    }

    # Preprocess the incoming RADIUS request
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
    
        with_ascend_hack = no
        ascend_channels_per_line = 23

        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    
    # The users file
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

    # Write a detailed log of all accounting records received
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }

    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    }

    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes        
        perm = 0600
        callerid = "yes"
    }

    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }

    expr {
    }

    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }

    always fail {
        rcode = fail
    }
    
    always reject {
        rcode = reject
    }
    
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

    exec {
        wait = yes
        input_pairs = request
    }

    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    
    ippool main_pool {
        range-3 = (starting IP address)
        range-stop = (ending IP address)
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
    }
    
}

# MODULE INSTANTIATION
instantiate {
    expr
    daily
}

# AUTHORISATION PROCESS
authorize {
    preprocess
    eap
    files
}

# AUTHENTICATION PROCESS
authenticate {
    eap
}

# ACCOUNTING
preacct {
    preprocess
    files
}

accounting {
    acct_unique
    detail
    radutmp
}