FreeRADIUS 설정 파일


docker-compose.yml
```yaml
---
version: "3.8"

services:
  freeradius:
    # `latest` is a moving tag; pin a release tag or image digest so upgrades
    # are deliberate and reviewable.
    image: freeradius/freeradius-server:latest
    container_name: freeradius
    restart: always

    # Auth (1812) and accounting (1813) are published on every host interface.
    # Narrow with a host-IP prefix (HOST_IP:1812:1812/udp) or a host firewall
    # rule once the set of NAS clients is known.
    ports:
      - "1812:1812/udp"
      - "1813:1813/udp"

    volumes:
      # Compose does not expand globs in bind-mount paths; if the certs mount
      # is ever re-enabled, mount the directory itself.
      #- ./freeradius/certs/*:/etc/freeradius/certs/*
      - ./freeradius/mods-enabled/eap:/etc/freeradius/mods-enabled/eap
      - ./freeradius/mods-available/eap:/etc/freeradius/mods-available/eap
      - ./freeradius/mods-enabled/ldap:/etc/freeradius/mods-enabled/ldap
      - ./freeradius/mods-available/ldap:/etc/freeradius/mods-available/ldap
      - ./freeradius/clients.conf:/etc/freeradius/clients.conf
      #- ./freeradius/sites-available/default:/etc/freeradius/sites-available/default
      #- ./freeradius/sites-available/inner-tunnel:/etc/freeradius/sites-available/inner-tunnel
      #- ./freeradius/sites-enabled/default:/etc/freeradius/sites-enabled/default
      #- ./freeradius/sites-enabled/inner-tunnel:/etc/freeradius/sites-enabled/inner-tunnel
      - ./freeradius/proxy.conf:/etc/freeradius/proxy.conf

    # -X is full debug mode: each request, including the cleartext
    # User-Password carried by PAP/TTLS inner methods, is written to the
    # container log. Switch to "-f" (foreground, no debug) once the setup
    # is verified.
    command:
      - "freeradius"
      - "-X"
```
freeradius/mods-available/eap
```
# EAP module: the outer TLS tunnel settings shared by EAP-TLS, TTLS and PEAP.
eap {
	# TTLS is the default so the inner method can be plain PAP and the password
	# reaches the inner tunnel in cleartext. (Original note, translated: the other
	# methods do a hash-based handshake, so the password itself cannot be
	# recovered from them.)
	default_eap_type = ttls
	timer_expire = 60
	ignore_unknown_eap_types = yes
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}

	md5 {
	}

	gtc {
		auth_type = PAP
	}

	tls-config tls-common {
		# "whatever" is the passphrase of the bootstrap-generated sample
		# certificates. A production key needs its own passphrase, and this
		# file then holds a real secret -- keep it out of shared copies of
		# the config.
		private_key_password = whatever
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		# Every CA certificate under ${cadir} is trusted for client
		# certificates (relevant to EAP-TLS); keep the directory limited to
		# the issuing CA.
		ca_path = ${cadir}
		# OpenSSL's DEFAULT list, and the client's preference order wins
		# (cipher_server_preference = no).
		cipher_list = "DEFAULT"
		cipher_server_preference = no
		# TLS pinned to exactly 1.2 -- presumably for supplicant compatibility;
		# confirm before raising tls_max_version.
		tls_min_version = "1.2"
		tls_max_version = "1.2"
		# NOTE(review): empty ecdh_curve looks like it disables ECDHE key
		# exchange -- confirm against the module documentation.
		ecdh_curve = ""
		cache {
			# TLS session cache off: no resumption, every authentication does
			# a full handshake.
			enable = no
			lifetime = 24 # hours
			store {
				Tunnel-Private-Group-Id
			}
		}
		# No additional client-certificate checks configured.
		verify {
		}
		# OCSP revocation checking disabled; the URL is unused while
		# enable = no.
		ocsp {
			enable = no
			override_cert_url = yes
			url = "http://127.0.0.1/ocsp/"
		}
	}

	tls {
		tls = tls-common
	}

	ttls {
		tls = tls-common
		# Only applies when the inner method is itself EAP; a PAP inner method
		# goes straight to the inner-tunnel virtual server.
		default_eap_type = md5
		copy_request_to_tunnel = no
		# Reply attributes produced inside the tunnel are returned in the
		# outer reply.
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}

	peap {
		tls = tls-common
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
		# NOTE(review): auth_type is not a documented option of the peap
		# subsection (it is valid under gtc above) -- check the -X startup
		# output for an "unknown configuration item" warning; it is probably
		# ignored here.
		auth_type = PAP
	}

	mschapv2 {
	}
}
```
freeradius/mods-available/ldap
```
# LDAP module: user lookup, bind authentication and accounting writes
# against the directory.
ldap {
	# Plain host, no ldaps:// scheme and no start_tls in the tls {} block
	# below: as written the connection is unencrypted, so the admin bind
	# password and every user password sent in a bind cross the network in
	# cleartext. Enable tls { start_tls = yes } or an ldaps:// URL before
	# using this outside a lab.
	server = "192.168.2.59"
	# Directory administrator credentials. The same account performs the
	# accounting/post-auth writes further down; a dedicated service account
	# with only the rights it needs is the safer choice, and the password
	# should not live in a shared copy of this file.
	identity = 'cn=admin,dc=direa,dc=co,dc=kr'
	password = 'admin'
	base_dn = 'dc=direa,dc=co,dc=kr'
	# Sets Auth-Type = LDAP (bind as the user) when no password attribute
	# was mapped from the entry.
	set_auth_type = yes

	sasl {
	}

	# Directory attributes copied onto the RADIUS lists after the user lookup.
	update {
		# The bind DN needs read access to userPassword for this to work.
		control:Password-With-Header += 'userPassword'
		control: += 'radiusControlAttribute'
		request: += 'radiusRequestAttribute'
		reply: += 'radiusReplyAttribute'
	}

	# NOTE(review): this is an unlang stanza for the authenticate {} section
	# of a virtual server, not an rlm_ldap option -- inside the module
	# definition confirm with the -X startup output whether it is simply
	# ignored.
	Auth-Type LDAP {
		ldap
	}

	# Attribute that receives the DN of the matched user entry.
	user_dn = "LDAP-UserDn"

	user {
		base_dn = "cn=Users,dc=direa,dc=co,dc=kr"
		# NOTE(review): Stripped-User-Name is only set when a realm was
		# stripped; without one this expands to "(cn=)" and the lookup fails.
		# The stock filter falls back with %{%{Stripped-User-Name}:-%{User-Name}}
		# -- confirm the inner-tunnel config sets Stripped-User-Name
		# unconditionally.
		filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name}))"
		update {
			# NOTE(review): this copies the password the client sent into the
			# control cleartext password. If the pap module then runs, it
			# compares the password with itself and succeeds for any value, so
			# this must not coexist with Auth-Type PAP. The
			# &control.Password.Cleartext form is also v4-style syntax (3.x
			# writes control:Cleartext-Password) -- confirm it parses on the
			# image in use.
			&control.Password.Cleartext := &User-Password
		}
		sasl {
		}
	}

	group {
		base_dn = "ou=Groups,dc=direa,dc=co,dc=kr"
		filter = '(objectClass=groupOfUniqueNames)'
		name_attribute = 'cn'
		membership_attribute = 'memberOf'
	}

	profile {
	}

	# Only used for dynamic client lookups, if those are enabled in the
	# virtual server. Shared secrets would then be read from the directory,
	# so the radiusClientSecret attribute needs the same protection as
	# clients.conf.
	client {
		base_dn = "${..base_dn}"
		filter = '(objectClass=radiusClient)'
		template {
		}
		attribute {
			ipaddr = 'radiusClientIdentifier'
			secret = 'radiusClientSecret'
		}
	}

	# Writes a description attribute on the user entry per Acct-Status-Type;
	# this is a directory write, which is presumably why the admin bind is
	# used.
	accounting {
		reference = "%{tolower:type.%{Acct-Status-Type}}"
		type {
			start {
				update {
					description := "Online at %S"
				}
			}
			interim-update {
				update {
					description := "Last seen at %S"
				}
			}
			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}

	post-auth {
		update {
			description := "Authenticated at %S"
		}
	}

	options {
		chase_referrals = yes
		rebind = yes
		res_timeout = 10
		srv_timelimit = 3
		net_timeout = 1
		idle = 60
		probes = 3
		interval = 3
		# libldap debug flags -- verbose; directory traffic ends up in the
		# server log. Set to 0 outside of troubleshooting.
		ldap_debug = 0x00f8
	}

	tls {
		# 'never': the directory's certificate is not verified, so even with
		# start_tls/ldaps the session is not protected against a spoofed
		# server. Use 'demand' together with a ca_file for the directory's CA.
		require_cert = 'never'
		cipher_list = "DEFAULT"
	}

	# LDAP connection pool, sized from the server's thread pool.
	pool {
		start = ${thread[pool].start_servers}
		min = 2
		max = ${thread[pool].max_servers}
		spare = ${thread[pool].max_spare_servers}
		uses = 0
		retry_delay = 30
		lifetime = 0
		idle_timeout = 60
		max_retries = 5
	}
}
```