
Yukiharu YABUKI's tDiary




2005-06-25

_ Weather

Sunny

_ First pop3 of the day

410 messages

_ Work

Proofreading of the first draft. Mr. Iwai helped me, which was a great help.

_ [Debian] Free Radius #3

checkrad

desktop:/etc/freeradius# which checkrad
/usr/sbin/checkrad
desktop:/etc/freeradius# file `which checkrad `
/usr/sbin/checkrad: perl script text executable
desktop:/etc/freeradius# checkrad
Usage: checkrad nas_type nas_ip nas_port login session_id

The FreeRADIUS documentation normally says the files live under /etc/raddb/, but on Debian they are under /etc/freeradius/. I was able to read man clients and man radiusd.

_ [Debian] Free Radius #4

The reference documentation had the following:
You can add a whole subnetwork or just the machines you want to authenticate
 
client 10.44.1.32/28 {
       secret      = chut
       shortname   = dwl900
       nastype     = other
}
In my environment things are as described in (./20050624.html#p18), so in clients.conf, the FreeRADIUS configuration file on the machine named sarge-cube, I put
client 192.168.0.46/32 {
	secret		= chut
	shortname	= hrestol
	nastype		= other
}
so that, to begin with, only the single host (1 IP) 192.168.0.46 (aka hrestol.good-day.co.jp) can connect. Maybe later I'll change it to 192.168.0.46/24 or so. Also, it seems tabs are fine inside the configuration file.

_ [Debian] Free Radius #4 --- users

users: this file holds the password settings and the like.
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"     Auth-Type := Local, User-Password == "hello"
#               Reply-Message = "Hello, %u"
Below this, I placed the following:
"mobile" Auth-Type := EAP, User-Password =="test"
"test" Auth-Type := Local, User-Password =="test"
There are various DEFAULT settings.
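To make the users-file syntax above concrete, here is an added example (not from the diary and not FreeRADIUS code) that parses entries of this shape: a quoted or bare user name, comma-separated check items, and indented continuation lines carrying reply items. The sample entries are constructed; the "Jane Roe" and DEFAULT entries are assumptions added to exercise the quoted-name and continuation-line handling.

```python
import re

# Constructed sample in the style of the diary's users file; the "Jane Roe"
# and DEFAULT entries are assumptions added to exercise the parser.
SAMPLE_USERS = '''\
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#"John Doe"     Auth-Type := Local, User-Password == "hello"
#               Reply-Message = "Hello, %u"
"Jane Roe"     Auth-Type := Local, User-Password == "hello"
               Reply-Message = "Hello, %u"
"mobile" Auth-Type := EAP, User-Password =="test"
"test" Auth-Type := Local, User-Password =="test"
DEFAULT Auth-Type := System
        Fall-Through = 1
'''

# One 'Attribute op value' item; values are either double-quoted or bare.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|!=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s"]+)\s*')

def parse_items(text):
    """Turn 'A := x, B == "y"' into [('A', ':=', 'x'), ('B', '==', 'y')]."""
    text = text.strip()
    items, pos = [], 0
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError('cannot parse item near %r' % text[pos:])
        attr, op, val = m.groups()
        items.append((attr, op, val.strip('"')))
        pos = m.end()
        if pos < len(text) and text[pos] == ',':
            pos += 1
    return items

def parse_users(text):
    """Return a list of {'name', 'check', 'reply'} dicts, one per entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue                              # blank or comment line
        if line[0] in ' \t':                      # indented: reply items of the current entry
            if not entries:
                raise ValueError('reply items before any user entry')
            entries[-1]['reply'].extend(parse_items(line))
            continue
        if line.startswith('"'):                  # quoted name, may contain spaces
            end = line.index('"', 1)
            name, rest = line[1:end], line[end + 1:]
        else:
            name, _, rest = line.partition(' ')
        entries.append({'name': name, 'check': parse_items(rest), 'reply': []})
    return entries

def auth_summary(entries):
    """Map user name -> (Auth-Type, whether a cleartext User-Password check item exists)."""
    summary = {}
    for e in entries:
        auth = next((v for a, _, v in e['check'] if a == 'Auth-Type'), None)
        has_pw = any(a == 'User-Password' for a, _, _ in e['check'])
        summary[e['name']] = (auth, has_pw)
    return summary

if __name__ == '__main__':
    for name, (auth, has_pw) in auth_summary(parse_users(SAMPLE_USERS)).items():
        print('%-10s Auth-Type=%-7s cleartext password in file: %s' % (name, auth, has_pw))
```

The summary makes it easy to see which entries keep a cleartext password in the file (every non-DEFAULT entry here), which is the thing to review before such a file is copied around or checked into version control.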

_ [Debian] Free Radius #5 --- eap.conf

Whoa, this file is really useful. Each method has a short explanation in the comments. The default is md5. It seems a good idea to add my own comments while reading through the examples.
               ## EAP-TLS
                #
                #  To generate ctest certificates, run the script
                #
                #       ../scripts/certs.sh
# This is not in the Debian package. Template certificates already exist, so maybe it isn't needed?
                #
                #  The documents on http://www.freeradius.org/doc
                #  are old, but may be helpful.
                #
                #  See also:
                #
                #  http://www.dslreports.com/forum/remark,9286052~mode=flat
                #
                #tls {
(uncomment)     #       private_key_password = whatever
(uncomment)     #       private_key_file = ${raddbdir}/certs/cert-srv.pem
# If ${raddbdir} is /etc, this can stay as is
 
                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
# The private key and the certificate are to be in the same file, and the private key
# file and the certificate file must keep the same file name.
 
(uncomment)     #       certificate_file = ${raddbdir}/certs/cert-srv.pem
  
                        #  Trusted Root CA list
# List of trusted root certificates
(uncomment)     #       CA_file = ${raddbdir}/certs/demoCA/cacert.pem
 
(uncomment)     #       dh_file = ${raddbdir}/certs/dh
# See the 'Second step' at
# http://lists.debian.org/debian-devel-announce/2003/03/msg00002.html
(uncomment)     #       random_file = ${raddbdir}/certs/random
# See the 'Third step' at
# http://lists.debian.org/debian-devel-announce/2003/03/msg00002.html
# A random number generator? So it's a program rather than /dev/random.
 
                        #
                        #  This can never exceed the size of a RADIUS
                        #  packet (4096 bytes), and is preferably half
                        #  that, to accomodate other attributes in
                        #  RADIUS packet.  On most APs the MAX packet
                        #  length is configured between 1500 - 1600
                        #  In these cases, fragment size should be
                        #  1024 or less.
                        #
(uncomment)     #       fragment_size = 1024
 
                        #  include_length is a flag which is
                        #  by default set to yes If set to
                        #  yes, Total Length of the message is
                        #  included in EVERY packet we send.
                        #  If set to no, Total Length of the
                        #  message is included ONLY in the
                        #  First packet of a fragment series.
                        #
(uncomment)     #       include_length = yes
 
                        #  Check the Certificate Revocation List
                        #
                        #  1) Copy CA certificates and CRLs to same directory.
                        #  2) Execute 'c_rehash '.
                        #    'c_rehash' is OpenSSL's command.
                        #  3) Add 'CA_path='
                        #      to radiusd.conf's tls section.
                        #  4) uncomment the line below.
                        #  5) Restart radiusd
                #       check_crl = yes
# Not in the example, but without a CRL I'd be in trouble.
 
                       #
                       #  If check_cert_cn is set, the value will
                       #  be xlat'ed and checked against the CN
                       #  in the client certificate.  If the values
                       #  do not match, the certificate verification
                       #  will fail rejecting the user.
                       #
               #       check_cert_cn = %{User-Name}
                #}
 
                #  The TTLS module implements the EAP-TTLS protocol,
                #  which can be described as EAP inside of Diameter,
                #  inside of TLS, inside of EAP, inside of RADIUS...
                #
                #  Surprisingly, it works quite well.
                #
                #  The TTLS module needs the TLS module to be installed
                #  and configured, in order to use the TLS tunnel
                #  inside of the EAP packet.  You will still need to
                #  configure the TLS module, even if you do not want
                #  to deploy EAP-TLS in your network.  Users will not
                #  be able to request EAP-TLS, as it requires them to
                #  have a client certificate.  EAP-TTLS does not
                #  require a client certificate.
                #
(uncomment)     #ttls {
                       #  The tunneled EAP session needs a default
                        #  EAP type which is separate from the one for
                        #  the non-tunneled EAP module.  Inside of the
                        #  TTLS tunnel, we recommend using EAP-MD5.
                        #  If the request does not contain an EAP
                        #  conversation, then this configuration entry
                        #  is ignored.
(uncomment)     #       default_eap_type = md5
 
                        #  The tunneled authentication request does
                        #  not usually contain useful attributes
                        #  like 'Calling-Station-Id', etc.  These
                        #  attributes are outside of the tunnel,
                        #  and normally unavailable to the tunneled
                        #  authentication request.
                        #
                        #  By setting this configuration entry to
                        #  'yes', any attribute which NOT in the
                        #  tunneled authentication request, but
                        #  which IS available outside of the tunnel,
                        #  is copied to the tunneled request.
                        #
                        # allowed values: {no, yes}
(uncomment)     #       copy_request_to_tunnel = no
# Here the value differs from the example
                        #  The reply attributes sent to the NAS are
                        #  usually based on the name of the user
                        #  'outside' of the tunnel (usually
                        #  'anonymous').  If you want to send the
                        #  reply attributes based on the user name
                        #  inside of the tunnel, then set this
                        #  configuration entry to 'yes', and the reply
                        #  to the NAS will be taken from the reply to
                        #  the tunneled request.
                        #
                        # allowed values: {no, yes}
(uncomment)     #       use_tunneled_reply = no
# Here the value differs from the example
 
                #}
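The clients.conf entry from the earlier section and the tls {} block annotated above share the same block syntax, so one added example (not from the diary and not FreeRADIUS code) can check both. It parses `name [arg] { key = value ... }` blocks into nested dicts, then applies the constraints the eap.conf comments spell out (fragment_size against the 4096-byte packet limit and the 1024 recommendation, check_crl needing CA_path, the file entries the diary uncomments) plus two clients.conf hygiene checks. Both inputs are constructed in the style of the diary's files; the 16-character secret threshold and the "one host per client block" rule are assumptions of this example, not FreeRADIUS rules.

```python
import ipaddress

def parse_blocks(text):
    """Parse 'name [arg] { key = value ... }' blocks into nested dicts.

    Text after '#' is dropped as a comment; '${var}' references are kept as
    literal strings, so a value like ${raddbdir}/certs/dh survives intact.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith('{'):                  # block opener, e.g. 'client 10.0.0.1/32 {'
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == '}':
            stack.pop()
        else:
            key, _, val = line.partition('=')
            stack[-1][key.strip()] = val.strip().strip('"')
    if len(stack) != 1:
        raise ValueError('unbalanced braces in config')
    return root

def lint_clients(conf, min_secret_len=16):
    """Flag client blocks whose prefix admits more than one NAS or whose shared
    secret is shorter than min_secret_len (both thresholds are assumptions)."""
    findings = []
    for name, body in conf.items():
        if not name.startswith('client '):
            continue
        net = ipaddress.ip_network(name.split(None, 1)[1], strict=False)
        if net.num_addresses > 1:
            findings.append((name, 'prefix admits %d addresses' % net.num_addresses))
        secret = body.get('secret', '')
        if len(secret) < min_secret_len:
            findings.append((name, 'shared secret is only %d characters' % len(secret)))
    return findings

def lint_tls(tls):
    """Apply the constraints described in the eap.conf comments to a parsed tls {} block."""
    findings = []
    for key in ('private_key_file', 'certificate_file', 'CA_file', 'dh_file', 'random_file'):
        if key not in tls:
            findings.append('%s is not set' % key)
    if tls.get('private_key_password') == 'whatever':
        findings.append('private_key_password still holds the template value')
    frag = int(tls.get('fragment_size', 1024))
    if frag > 4096:
        findings.append('fragment_size exceeds the 4096-byte RADIUS packet limit')
    elif frag > 1024:
        findings.append('fragment_size over 1024 may not fit APs limited to 1500-1600 bytes')
    if tls.get('check_crl') == 'yes' and 'CA_path' not in tls:
        findings.append('check_crl = yes requires CA_path (step 3 of the CRL comments)')
    return findings

# Constructed inputs in the style of the diary's clients.conf and eap.conf.
CLIENTS_CONF = '''\
client 192.168.0.46/32 {
\tsecret\t\t= chut
\tshortname\t= hrestol
\tnastype\t\t= other
}
client 10.44.1.32/28 {
       secret      = chut
       shortname   = dwl900
       nastype     = other
}
'''

EAP_CONF = '''\
eap {
    default_eap_type = md5
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        check_crl = yes
    }
}
'''

if __name__ == '__main__':
    for name, msg in lint_clients(parse_blocks(CLIENTS_CONF)):
        print('clients.conf:', name, '-', msg)
    for msg in lint_tls(parse_blocks(EAP_CONF)['eap']['tls']):
        print('eap.conf tls:', msg)
```

Run against these inputs it reports the /28 block for admitting 16 addresses, both blocks for the four-character secret, the template private_key_password, and check_crl = yes without a CA_path; the /32 block and the 1024-byte fragment_size pass. Widening the diary's entry to a /24 later would show up as the first kind of finding.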

_ [Debian] free radius #5 radius.conf

In radius.conf, log_auth, log_auth_badpass and log_auth_goodpass are yes in the example, but the Debian default is no, so my preference is to set the first two to yes.

The eap.conf settings were already being read. I'm not configuring mschap.

detail auth_log: enabled.

_ [Debian] free radius #6 --- /etc/init.d/freeradius

To start it with debugging options, I edited /etc/init.d/freeradius. The reference material says the options "-X -A" are good.

_ [Debian] freeradius --- startup

Startup fails. To find the reason I captured the startup log and looked through it.

rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory

radiusd.conf[9]: eap: Module instantiation failed.

This part looks suspicious. I checked the libraries with locate *.so | lv.

/usr/lib/freeradius/libeap-1.0.2.so
/usr/lib/freeradius/libeap.so
/usr/lib/freeradius/libradius-1.0.2.so
/usr/lib/freeradius/libradius.so
/usr/lib/freeradius/rlm_acct_unique-1.0.2.so
/usr/lib/freeradius/rlm_acct_unique.so
/usr/lib/freeradius/rlm_always-1.0.2.so
/usr/lib/freeradius/rlm_always.so
/usr/lib/freeradius/rlm_attr_filter-1.0.2.so
/usr/lib/freeradius/rlm_attr_filter.so
/usr/lib/freeradius/rlm_attr_rewrite-1.0.2.so
/usr/lib/freeradius/rlm_attr_rewrite.so
/usr/lib/freeradius/rlm_chap-1.0.2.so
/usr/lib/freeradius/rlm_chap.so
/usr/lib/freeradius/rlm_checkval-1.0.2.so
/usr/lib/freeradius/rlm_checkval.so
/usr/lib/freeradius/rlm_counter-1.0.2.so
/usr/lib/freeradius/rlm_counter.so
/usr/lib/freeradius/rlm_dbm-1.0.2.so
/usr/lib/freeradius/rlm_dbm.so
/usr/lib/freeradius/rlm_detail-1.0.2.so
/usr/lib/freeradius/rlm_detail.so
/usr/lib/freeradius/rlm_digest-1.0.2.so
/usr/lib/freeradius/rlm_digest.so
/usr/lib/freeradius/rlm_eap-1.0.2.so
/usr/lib/freeradius/rlm_eap.so
/usr/lib/freeradius/rlm_eap_gtc-1.0.2.so
/usr/lib/freeradius/rlm_eap_gtc.so
/usr/lib/freeradius/rlm_eap_leap-1.0.2.so
/usr/lib/freeradius/rlm_eap_leap.so
/usr/lib/freeradius/rlm_eap_md5-1.0.2.so
/usr/lib/freeradius/rlm_eap_md5.so
/usr/lib/freeradius/rlm_eap_mschapv2-1.0.2.so
/usr/lib/freeradius/rlm_eap_mschapv2.so
/usr/lib/freeradius/rlm_eap_sim-1.0.2.so
/usr/lib/freeradius/rlm_eap_sim.so
/usr/lib/freeradius/rlm_exec-1.0.2.so
/usr/lib/freeradius/rlm_exec.so
/usr/lib/freeradius/rlm_expr-1.0.2.so
/usr/lib/freeradius/rlm_expr.so
/usr/lib/freeradius/rlm_fastusers-1.0.2.so
/usr/lib/freeradius/rlm_fastusers.so
/usr/lib/freeradius/rlm_files-1.0.2.so
/usr/lib/freeradius/rlm_files.so
/usr/lib/freeradius/rlm_ippool-1.0.2.so
/usr/lib/freeradius/rlm_ippool.so
/usr/lib/freeradius/rlm_mschap-1.0.2.so
/usr/lib/freeradius/rlm_mschap.so
/usr/lib/freeradius/rlm_ns_mta_md5-1.0.2.so
/usr/lib/freeradius/rlm_ns_mta_md5.so
/usr/lib/freeradius/rlm_pam-1.0.2.so
/usr/lib/freeradius/rlm_pam.so
/usr/lib/freeradius/rlm_pap-1.0.2.so
/usr/lib/freeradius/rlm_pap.so
/usr/lib/freeradius/rlm_passwd-1.0.2.so
/usr/lib/freeradius/rlm_passwd.so
/usr/lib/freeradius/rlm_preprocess-1.0.2.so
/usr/lib/freeradius/rlm_preprocess.so
/usr/lib/freeradius/rlm_radutmp-1.0.2.so
/usr/lib/freeradius/rlm_radutmp.so
/usr/lib/freeradius/rlm_realm-1.0.2.so
/usr/lib/freeradius/rlm_realm.so
/usr/lib/freeradius/rlm_sql-1.0.2.so
/usr/lib/freeradius/rlm_sql.so
/usr/lib/freeradius/rlm_unix-1.0.2.so
/usr/lib/freeradius/rlm_unix.so

Sure enough, it isn't there.
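The error message shows the naming rule at work here: EAP-Type/tls is loaded from rlm_eap_tls.so. As an added example (not from the diary and not FreeRADIUS code), the check below derives which EAP types an eap.conf enables and compares them with the rlm_eap_<type>.so files actually present, so that a missing module is caught before radiusd is restarted. The module listing is a constructed subset of the locate output above, the eap.conf is constructed with the sub-blocks the diary intends to uncomment, and the set of known EAP type names is an assumption built from the module names on this page.

```python
import re

# Constructed from the diary's locate output (unversioned EAP entries only).
MODULE_LISTING = '''\
/usr/lib/freeradius/rlm_eap-1.0.2.so
/usr/lib/freeradius/rlm_eap.so
/usr/lib/freeradius/rlm_eap_gtc.so
/usr/lib/freeradius/rlm_eap_leap.so
/usr/lib/freeradius/rlm_eap_md5.so
/usr/lib/freeradius/rlm_eap_mschapv2.so
/usr/lib/freeradius/rlm_eap_sim.so
'''

# Constructed eap.conf with the sub-blocks the diary plans to enable.
EAP_CONF = '''\
eap {
    default_eap_type = md5
    md5 {
    }
    tls {
        private_key_file = ${raddbdir}/certs/cert-srv.pem
    }
    ttls {
        default_eap_type = md5
    }
}
'''

# Assumed set of EAP type names (sub-block names that map to rlm_eap_<type>.so).
KNOWN_EAP_TYPES = {'md5', 'tls', 'ttls', 'peap', 'gtc', 'leap', 'mschapv2', 'sim'}

def configured_eap_types(eap_conf):
    """EAP types with an uncommented sub-block inside eap { }, plus any default_eap_type."""
    types = set()
    for raw in eap_conf.splitlines():
        line = raw.split('#', 1)[0].strip()     # a commented-out '#tls {' does not count
        m = re.match(r'(\w+)\s*\{$', line)
        if m and m.group(1) in KNOWN_EAP_TYPES:
            types.add(m.group(1))
        m = re.match(r'default_eap_type\s*=\s*(\w+)', line)
        if m:
            types.add(m.group(1))
    return types

def available_eap_modules(listing):
    """Map type name -> path for every unversioned rlm_eap_<type>.so in a listing."""
    modules = {}
    for path in listing.split():
        m = re.search(r'rlm_eap_([a-z0-9]+)\.so$', path)
        if m:
            modules[m.group(1)] = path
    return modules

def missing_eap_modules(eap_conf, listing):
    """Sorted EAP types that eap.conf enables but that have no loadable module."""
    return sorted(configured_eap_types(eap_conf) - set(available_eap_modules(listing)))

if __name__ == '__main__':
    for eap_type in missing_eap_modules(EAP_CONF, MODULE_LISTING):
        print('no rlm_eap_%s.so for EAP-Type/%s' % (eap_type, eap_type))
```

Against the listing on this page the result is both tls and ttls: the ttls {} block the diary intends to uncomment would fail to link for the same reason as tls, since rlm_eap_ttls.so is absent from the listing as well. On a live system the listing would come from `ls /usr/lib/freeradius/` instead of the constructed string.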