FreeRADIUSの設定ファイル
IEEE802.1X認証に必要な,以下の三つの設定ファイルを掲載しておきます。
このラボ・シナリオでは,このうちusersとclients.confの二つに設定を加えます。
・users…赤字の部分（このページでは日本語のコメント行の直後に示した行）を追加
・clients.conf…赤字の部分（同じく日本語のコメント行の直後に示した行）を追加
・eap.conf…デフォルトのままでOK
users
#
#    Please read the documentation file ../doc/processing_users_file,
#    or 'man 5 users' (after installing the server) for more information.
#
#    As of 1.1.4, you SHOULD NOT use Auth-Type. See "man rlm_pap"
#    for a much better way of dealing with differing passwords.
#    If you set Auth-Type, SOME AUTHENTICATION METHODS WILL NOT WORK.
#    If you don't set Auth-Type, the server will figure out what to do,
#    and will almost always do the right thing.
#
#    This file contains authentication security and configuration
#    information for each user. Accounting requests are NOT processed
#    through this file. Instead, see 'acct_users', in this directory.
#
#    The first field is the user's name and can be up to
#    253 characters in length. This is followed (on the same line) with
#    the list of authentication requirements for that user. This can
#    include password, comm server name, comm server port number, protocol
#    type (perhaps set by the "hints" file), and huntgroup name (set by
#    the "huntgroups" file).
#
#    Indented (with the tab character) lines following the first
#    line indicate the configuration values to be passed back to
#    the comm server to allow the initiation of a user session.
#    This can include things like the PPP configuration values
#    or the host to log the user onto.
#
#    If you are not sure why a particular reply is being sent by the
#    server, then run the server in debugging mode (radiusd -X), and
#    you will see which entries in this file are matched.
#
#    When an authentication request is received from the comm server,
#    these values are tested. Only the first match is used unless the
#    "Fall-Through" variable is set to "Yes".
#
#    A special user named "DEFAULT" matches on all usernames.
#    You can have several DEFAULT entries. All entries are processed
#    in the order they appear in this file. The first entry that
#    matches the login-request will stop processing unless you use
#    the Fall-Through variable.
#
#    You can include another `users' file with `$INCLUDE users.other'
#

#
#    For a list of RADIUS attributes, and links to their definitions,
#    see:
#
#    http://www.freeradius.org/rfc/attributes.html
#

#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser    Auth-Type := Reject
#        Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT    Group == "disabled", Auth-Type := Reject
#        Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve    Cleartext-Password := "testing"
#    Service-Type = Framed-User,
#    Framed-Protocol = PPP,
#    Framed-IP-Address = 172.16.3.33,
#    Framed-IP-Netmask = 255.255.255.0,
#    Framed-Routing = Broadcast-Listen,
#    Framed-Filter-Id = "std.ppp",
#    Framed-MTU = 1500,
#    Framed-Compression = Van-Jacobsen-TCP-IP

# auth only (defines two users, user-a and user-b)
#
# NOTE(review): the header of this file says Auth-Type SHOULD NOT be set,
# and eap.conf's header says the same for 'Auth-Type := EAP'; the commented
# examples above use `Cleartext-Password :=` instead. Confirm the lab really
# depends on the forced Auth-Type before changing these two lines.
# NOTE(review): the passwords are stored in cleartext and are identical to
# the user names. That is acceptable only for an isolated lab; in any case
# this file must not be readable by other local users.
user-a   Auth-Type := EAP,User-Password == "user-a"
user-b   Auth-Type := EAP,User-Password == "user-b"

# auth VLAN (defines two users: user10 in VLAN 10 and user20 in VLAN 20)
#
# The indented reply items below are the RFC 2868 / RFC 3580 tunnel
# attributes a switch uses for dynamic VLAN assignment:
#   Tunnel-Type = 13            -> VLAN
#   Tunnel-Medium-Type = 6      -> IEEE-802
#   Tunnel-Private-Group-Id     -> the VLAN ID the port is placed in
# NOTE(review): the header of this file says reply lines are indented with
# a tab; confirm the leading whitespace survived copy/paste from this page.
# NOTE(review): as with the entries above, the forced 'Auth-Type := EAP'
# contradicts the guidance in this file's header and in eap.conf, and the
# passwords are cleartext and equal to the user names (lab use only).
user10   Auth-Type := EAP,User-Password == "user10"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 10
user20   Auth-Type := EAP,User-Password == "user20"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 20

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe" Cleartext-Password := "hello"
#         Reply-Message = "Hello, %u"

#
# Dial user back and telnet to the default host for that port
#
#Deg    Cleartext-Password := "ge55ged"
#       Service-Type = Callback-Login-User,
#       Login-IP-Host = 0.0.0.0,
#       Callback-Number = "9,5551212",
#       Login-Service = Telnet,
#       Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk    Cleartext-Password := "callme"
#        Service-Type = Callback-Login-User,
#        Login-IP-Host = timeshare1,
#        Login-Service = PortMaster,
#        Callback-Number = "9,1-800-555-1212"

#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson   Service-Type == Framed-User, Huntgroup-Name == "alphen"
#        Framed-IP-Address = 192.168.1.65,
#        Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# against the system database, give them shell access, and stop processing
# the rest of the file.
#
# Note that authenticating against an /etc/passwd file works ONLY for PAP,
# and not for CHAP, MS-CHAP, or EAP.
#
#DEFAULT  Suffix == ".shell", Auth-Type := System
#        Service-Type = Login-User,
#        Login-Service = Telnet,
#        Login-IP-Host = your.shell.machine


#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
# NOTE(review): catch-all that asks for UNIX /etc/passwd authentication.
# The user-a/user-b/user10/user20 entries above carry no Fall-Through, so
# per the header ("only the first match is used") processing stops at them
# and this entry is never reached for the lab users; the header also notes
# that /etc/passwd authentication works only for PAP, not EAP.
# "Fall-Through = 1" appears to be the numeric spelling of the
# "Fall-Through = Yes" used by the later entries; one spelling would be
# clearer.
DEFAULT   Auth-Type = System
         Fall-Through = 1

#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT  Service-Type == Framed-User, Huntgroup-Name == "alphen"
#        Framed-IP-Address = 192.168.1.32+,
#        Fall-Through = Yes

#DEFAULT  Service-Type == Framed-User, Huntgroup-Name == "delft"
#        Framed-IP-Address = 192.168.2.32+,
#        Fall-Through = Yes

#
# Defaults for all framed connections.
#
# Matches any request with Service-Type == Framed-User.
# Framed-IP-Address 255.255.255.254 is the RFC 2865 value meaning
# "the NAS should choose the address itself". Fall-Through = Yes lets
# the following DEFAULT entries add further attributes.
DEFAULT   Service-Type == Framed-User
         Framed-IP-Address = 255.255.255.254,
         Framed-MTU = 576,
         Service-Type = Framed-User,
         Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#    by the terminal server in which case there may not be a "P" suffix.
#    The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
# Matches requests the terminal server has already marked as PPP
# (see the NOTE above on why Hint = "PPP" is not used). There is no
# Fall-Through, so processing stops here for matching requests.
DEFAULT   Framed-Protocol == PPP
         Framed-Protocol = PPP,
         Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
# Hint == "CSLIP": SLIP with Van Jacobson compression. No Fall-Through,
# so processing stops here for matching requests.
DEFAULT   Hint == "CSLIP"
         Framed-Protocol = SLIP,
         Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
# Hint == "SLIP": plain SLIP, no compression. No Fall-Through, so
# processing stops here for matching requests.
DEFAULT   Hint == "SLIP"
         Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#         Service-Type = Login-User,
#         Login-Service = Rlogin,
#         Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#          Service-Type = Shell-User

# On no match, the user is denied access.
clients.conf
#
# clients.conf - client configuration directives
#
#######################################################################

#######################################################################
#
# Definition of a RADIUS client (usually a NAS).
#
# The information given here overrides anything given in the
# 'clients' file, or in the 'naslist' file. The configuration here
# contains all of the information from those two files, and allows
# for more configuration items.
#
# The "shortname" is used for logging. The "nastype", "login" and
# "password" fields are mainly used for checkrad and are optional.
#

#
# Defines a RADIUS client. The format is 'client [hostname|ip-address]'
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
client 127.0.0.1 {
    #
    # The shared secret used to "encrypt" and "sign" packets between
    # the NAS and FreeRADIUS. You MUST change this secret from the
    # default, otherwise it's not a secret any more!
    #
    # The secret can be any string, up to 31 characters in length.
    #
    # NOTE(review): "testing123" is still the stock default. Because this
    # client is 127.0.0.1, only processes on the server host can use it
    # (the local testing mentioned above), but it should be replaced with a
    # long random value, or the entry removed as suggested above, before
    # anything else relies on this server.
    #
    secret        = testing123

    #
    # The short name is used as an alias for the fully qualified
    # domain name, or the IP address.
    #
    shortname    = localhost

    #
    # the following three fields are optional, but may be used by
    # checkrad.pl for simultaneous use checks
    #

    #
    # The nastype tells 'checkrad.pl' which NAS-specific method to
    # use to query the NAS for simultaneous use.
    #
    # Permitted NAS types are:
    #
    #    cisco
    #    computone
    #    livingston
    #    max40xx
    #    multitech
    #    netserver
    #    pathras
    #    patton
    #    portslave
    #    tc
    #    usrhiper
    #    other        # for all other types

    #
    nastype = other    # localhost isn't usually a NAS...

    #
    # The following two configurations are for future use.
    # The 'naspasswd' file is currently used to store the NAS
    # login name and password, which is used by checkrad.pl
    # when querying the NAS for simultaneous use.
    #
#    login = !root
#    password = someadminpas
}

#client some.host.org {
#    secret       = testing123
#    shortname    = localhost
#}

#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#    secret       = testing123-1
#    shortname    = private-network-1
#}
#
#client 192.168.0.0/16 {
#    secret       = testing123-2
#    shortname    = private-network-2
#}

# Set the switch address range to 192.168.100.0/24 and the RADIUS
# shared secret ('secret', not a user password) to "cisco".
#
# NOTE(review): every host in this /24 that knows the secret is trusted
# as a NAS, and a short dictionary word is exposed to offline guessing if
# RADIUS traffic is ever captured. Fine for an isolated lab; elsewhere use
# a long random secret (the comments above note a 31-character limit) and
# the narrowest range possible, or one entry per switch.
client 192.168.100.0/24 {
    secret       = cisco
    shortname    = CISCO

}

#client 10.10.10.10 {
#    # secret and password are mapped through the "secrets" file.
#    secret = testing123
#    shortname = liv1
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
#    nastype = livingston
#    login = !root
#    password = someadminpas
#}
eap.conf(デフォルトのままでOK)
# -*- text -*-
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# $Id: eap.conf,v 1.4.4.4 2006/10/18 19:15:14 aland Exp $
#
eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received.
        #
        # The incoming EAP messages DO NOT specify which EAP
        # type they will be using, so it MUST be set here.
        #
        # For now, only one default EAP type may be used at a time.
        #
        # If the EAP-Type attribute is set by another module,
        # then that EAP type takes precedence over the
        # default type configured here.
        #
        # NOTE(review): the tls, ttls and peap sections further down are
        # all commented out, so no TLS-protected EAP method is configured
        # here; the active sub-modules are md5, leap, gtc and mschapv2.
        # EAP-MD5 authenticates only the client and yields no keying
        # material (see the warning above the md5 section), which is why
        # this setup should stay confined to the wired lab scenario.
        default_eap_type = md5

        # A list is maintained to correlate EAP-Response
        # packets with EAP-Request packets. After a
        # configurable length of time, entries in the list
        # expire, and are deleted.
        #
        # Presumably seconds; confirm against the rlm_eap documentation.
        timer_expire = 60

        # There are many EAP types, but the server has support
        # for only a limited subset. If the server receives
        # a request for an EAP type it does not support, then
        # it normally rejects the request. By setting this
        # configuration to "yes", you can tell the server to
        # instead keep processing the request. Another module
        # MUST then be configured to proxy the request to
        # another RADIUS server which supports that EAP type.
        #
        # If another module is NOT configured to handle the
        # request, then the request will still end up being
        # rejected.
        ignore_unknown_eap_types = no

        # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
        # a User-Name attribute in an Access-Accept, it copies one
        # more byte than it should.
        #
        # We can work around it by configurably adding an extra
        # zero byte.
        cisco_accounting_username_bug = no

        # Supported EAP-types

        #
        # We do NOT recommend using EAP-MD5 authentication
        # for wireless connections. It is insecure, and does
        # not provide for dynamic WEP keys
        #
        # Use MD5 as the authentication method (this configuration file
        # can be left at its defaults). The md5 sub-module takes no
        # settings of its own.
        md5 {
        }

        # Cisco LEAP
        #
        # We do not recommend using LEAP in new deployments. See:
        # http://www.securiteam.com/tools/5TP012ACKE.html
        #
        # Cisco LEAP uses the MS-CHAP algorithm (but not
        # the MS-CHAP attributes) to perform its authentication.
        #
        # As a result, LEAP *requires* access to the plain-text
        # User-Password, or the NT-Password attributes.
        # 'System' authentication is impossible with LEAP.
        #
        leap {
        }

        # Generic Token Card.
        #
        # Currently, this is only permitted inside of EAP-TTLS,
        # or EAP-PEAP. The module "challenges" the user with
        # text, and the response from the user is taken to be
        # the User-Password.
        #
        # Proxying the tunneled EAP-GTC session is a bad idea,
        # the users password will go over the wire in plain-text,
        # for anyone to see.
        #
        gtc {
         # The default challenge, which many clients
         # ignore..
         #challenge = "Password: "

         # The plain-text response which comes back
         # is put into a User-Password attribute,
         # and passed to another module for
         # authentication. This allows the EAP-GTC
         # response to be checked against plain-text,
         # or crypt'd passwords.
         #
         # If you say "Local" instead of "PAP", then
         # the module will look for a User-Password
         # configured for the request, and do the
         # authentication itself.
         #
         auth_type = PAP
        }

        ## EAP-TLS
        #
        # To generate test certificates, run the script
        #
        # ../scripts/certs.sh
        #
        # The documents on http://www.freeradius.org/doc
        # are old, but may be helpful.
        #
        # See also:
        #
        # http://www.dslreports.com/forum/remark,9286052~mode=flat
        #
        #tls {
        # private_key_password = whatever
        # private_key_file = ${raddbdir}/certs/cert-srv.pem

         # If Private key & Certificate are located in
         # the same file, then private_key_file &
         # certificate_file must contain the same file
         # name.
        # certificate_file = ${raddbdir}/certs/cert-srv.pem

         # Trusted Root CA list
        # CA_file = ${raddbdir}/certs/demoCA/cacert.pem

        # dh_file = ${raddbdir}/certs/dh
        # random_file = ${raddbdir}/certs/random

         #
         # This can never exceed the size of a RADIUS
         # packet (4096 bytes), and is preferably half
         # that, to accommodate other attributes in
         # RADIUS packet. On most APs the MAX packet
         # length is configured between 1500 - 1600
         # In these cases, fragment size should be
         # 1024 or less.
         #
        # fragment_size = 1024

         # include_length is a flag which is
         # by default set to yes. If set to
         # yes, Total Length of the message is
         # included in EVERY packet we send.
         # If set to no, Total Length of the
         # message is included ONLY in the
         # First packet of a fragment series.
         #
        # include_length = yes

         # Check the Certificate Revocation List
         #
         # 1) Copy CA certificates and CRLs to same directory.
         # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
         # 'c_rehash' is OpenSSL's command.
         # 3) Add 'CA_path=<CA certs&CRLs directory>'
         # to radiusd.conf's tls section.
         # 4) uncomment the line below.
         # 5) Restart radiusd
        # check_crl = yes

         #
         # If check_cert_issuer is set, the value will
         # be checked against the DN of the issuer in
         # the client certificate. If the values do not
         # match, the certificate verification will fail,
         # rejecting the user.
         #
        # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

         #
         # If check_cert_cn is set, the value will
         # be xlat'ed and checked against the CN
         # in the client certificate. If the values
         # do not match, the certificate verification
         # will fail rejecting the user.
         #
         # This check is done only if the previous
         # "check_cert_issuer" is not set, or if
         # the check succeeds.
         #
        # check_cert_cn = %{User-Name}
        #
         # Set this option to specify the allowed
         # TLS cipher suites. The format is listed
         # in "man 1 ciphers".
        # cipher_list = "DEFAULT"
        #}

        # The TTLS module implements the EAP-TTLS protocol,
        # which can be described as EAP inside of Diameter,
        # inside of TLS, inside of EAP, inside of RADIUS...
        #
        # Surprisingly, it works quite well.
        #
        # The TTLS module needs the TLS module to be installed
        # and configured, in order to use the TLS tunnel
        # inside of the EAP packet. You will still need to
        # configure the TLS module, even if you do not want
        # to deploy EAP-TLS in your network. Users will not
        # be able to request EAP-TLS, as it requires them to
        # have a client certificate. EAP-TTLS does not
        # require a client certificate.
        #
        #ttls {
         # The tunneled EAP session needs a default
         # EAP type which is separate from the one for
         # the non-tunneled EAP module. Inside of the
         # TTLS tunnel, we recommend using EAP-MD5.
         # If the request does not contain an EAP
         # conversation, then this configuration entry
         # is ignored.
        # default_eap_type = md5

         # The tunneled authentication request does
         # not usually contain useful attributes
         # like 'Calling-Station-Id', etc. These
         # attributes are outside of the tunnel,
         # and normally unavailable to the tunneled
         # authentication request.
         #
         # By setting this configuration entry to
         # 'yes', any attribute which is NOT in the
         # tunneled authentication request, but
         # which IS available outside of the tunnel,
         # is copied to the tunneled request.
         #
         # allowed values: {no, yes}
        # copy_request_to_tunnel = no

         # The reply attributes sent to the NAS are
         # usually based on the name of the user
         # 'outside' of the tunnel (usually
         # 'anonymous'). If you want to send the
         # reply attributes based on the user name
         # inside of the tunnel, then set this
         # configuration entry to 'yes', and the reply
         # to the NAS will be taken from the reply to
         # the tunneled request.
         #
         # allowed values: {no, yes}
        # use_tunneled_reply = no
        #}

        ##################################################
        #
        # !!!!! WARNINGS for Windows compatibility !!!!!
        #
        ##################################################
        #
        # If you see the server send an Access-Challenge,
        # and the client never sends another Access-Request,
        # then
        #
        #        STOP!
        #
        # The server certificate has to have special OID's
        # in it, or else the Microsoft clients will silently
        # fail. See the "scripts/xpextensions" file for
        # details, and the following page:
        #
        # http://support.microsoft.com/kb/814394/en-us
        #
        # For additional Windows XP SP2 issues, see:
        #
        # http://support.microsoft.com/kb/885453/en-us
        #
        # Note that we do not necessarily agree with their
        # explanation... but the fix does appear to work.
        #
        ##################################################

        #
        # The tunneled EAP session needs a default EAP type
        # which is separate from the one for the non-tunneled
        # EAP module. Inside of the TLS/PEAP tunnel, we
        # recommend using EAP-MS-CHAPv2.
        #
        # The PEAP module needs the TLS module to be installed
        # and configured, in order to use the TLS tunnel
        # inside of the EAP packet. You will still need to
        # configure the TLS module, even if you do not want
        # to deploy EAP-TLS in your network. Users will not
        # be able to request EAP-TLS, as it requires them to
        # have a client certificate. EAP-PEAP does not
        # require a client certificate.
        #
        # peap {
         # The tunneled EAP session needs a default
         # EAP type which is separate from the one for
         # the non-tunneled EAP module. Inside of the
         # PEAP tunnel, we recommend using MS-CHAPv2,
         # as that is the default type supported by
         # Windows clients.
        # default_eap_type = mschapv2

         # the PEAP module also has these configuration
         # items, which are the same as for TTLS.
        # copy_request_to_tunnel = no
        # use_tunneled_reply = no

         # When the tunneled session is proxied, the
         # home server may not understand EAP-MSCHAP-V2.
         # Set this entry to "no" to proxy the tunneled
         # EAP-MSCHAP-V2 as normal MSCHAPv2.
        # proxy_tunneled_request_as_eap = yes
        #}

        #
        # This takes no configuration.
        #
        # Note that it is the EAP MS-CHAPv2 sub-module, not
        # the main 'mschap' module.
        #
        # Note also that in order for this sub-module to work,
        # the main 'mschap' module MUST ALSO be configured.
        #
        # This module is the *Microsoft* implementation of MS-CHAPv2
        # in EAP. There is another (incompatible) implementation
        # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
        # currently support.
        #
        mschapv2 {
        }
}