1
0
mirror of https://github.com/vimagick/dockerfiles.git synced 2025-01-22 05:09:09 +02:00
2017-05-08 07:05:07 +08:00
..
2016-07-28 13:35:00 +08:00
2016-07-28 13:35:00 +08:00
2017-05-08 07:05:07 +08:00
2016-07-29 00:45:09 +08:00

FreeRADIUS

FreeRADIUS includes a RADIUS server, a BSD licensed client library, a PAM library, and an Apache module. In most cases, the word FreeRADIUS refers to the RADIUS server.

docker-compose.yml

freeradius:
  image: vimagick/freeradius
  ports:
    - "1812:1812/udp"
    - "1813:1813/udp"
  links:
    - mysql
  restart: always

mysql:
  image: mysql
  volumes:
    - ./mysql:/docker-entrypoint-initdb.d
  environment:
    - MYSQL_ROOT_PASSWORD=root
  restart: always

Server Setup

$ docker-compose up -d mysql
$ docker-compose exec mysql mysql -uroot -proot radius
>>> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
8 rows in set (0.00 sec)

>>> SHOW GRANTS FOR radius;
+----------------------------------------------------------------+
| Grants for radius@%                                            |
+----------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'radius'@'%'                             |
| GRANT SELECT ON `radius`.* TO 'radius'@'%'                     |
| GRANT ALL PRIVILEGES ON `radius`.`radacct` TO 'radius'@'%'     |
| GRANT ALL PRIVILEGES ON `radius`.`radpostauth` TO 'radius'@'%' |
+----------------------------------------------------------------+
5 rows in set (0.00 sec)

>>> INSERT INTO radcheck VALUES
    (NULL, 'user', 'MD5-Password', ':=', MD5('pass')),
    (NULL, 'user', 'Expiration', ':=', 'Jul 31 2016 00:00:00');
Query OK, 2 row affected (0.04 sec)
Records: 2  Duplicates: 0  Warnings: 0

>>> SELECT * FROM radcheck;
+----+----------+--------------+----+----------------------------------+
| id | username | attribute    | op | value                            |
+----+----------+--------------+----+----------------------------------+
|  1 | user     | MD5-Password | := | 1a1dc91c907325c69271ddf0c944bc72 |
|  2 | user     | Expiration   | := | Jul 31 2016 00:00:00             |
+----+----------+--------------+----+----------------------------------+
2 rows in set (0.00 sec)

>>> INSERT INTO nas VALUES(NULL, '0.0.0.0/0', 'testing', NULL, NULL, 'testing321', NULL, NULL, NULL);
Query OK, 1 row affected (0.02 sec)

>>> SELECT * FROM nas;
+----+-----------+-----------+------+-------+------------+--------+-----------+-------------+
| id | nasname   | shortname | type | ports | secret     | server | community | description |
+----+-----------+-----------+------+-------+------------+--------+-----------+-------------+
|  1 | 0.0.0.0/0 | testing   | NULL |  NULL | testing321 | NULL   | NULL      | NULL        |
+----+-----------+-----------+------+-------+------------+--------+-----------+-------------+
1 row in set (0.00 sec)

>>> SELECT * FROM radpostauth;
+----+----------+------+---------------+---------------------+
| id | username | pass | reply         | authdate            |
+----+----------+------+---------------+---------------------+
|  1 | user     | pass | Access-Accept | 2016-07-28 06:28:28 |
|  2 | user     | pass | Access-Accept | 2016-07-28 06:30:04 |
|  3 | user     | xxxx | Access-Reject | 2016-07-28 06:30:22 |
+----+----------+------+---------------+---------------------+

>>> EXIT
Bye

$ docker-compose up -d freeradius
$ docker-compose exec freeradius sh
>>> vi /etc/raddb/clients.conf
>>> radtest user pass localhost 0 testing123
>>> cd /etc/raddb/certs
>>> make client.p12
>>> exit
$ docker cp freeradius_freeradius_1:/etc/raddb/certs/ca.pem /tmp
$ docker cp freeradius_freeradius_1:/etc/raddb/certs/client.p12 /tmp
$ docker-compose restart freeradius

The ca.pem and client.p12 (password: whatever) is for EAP-TLS.

# /etc/raddb/clients.conf

#client testing {
#        ipaddr = 0.0.0.0/0
#        secret = testing321
#}

Manage NAS (Network Access Server) via MySQL.

OpenWrt Setup

Network > Wireless > Wireless Security:
    Encryption: WPA2-EAP
    AuthServer: 192.168.31.138
    AuthSecret: testing321
    AcctServer: 192.168.31.138
    AcctSecret: testing321

Android Setup

# Import CA and P12(CRT+KEY)
Settings > Additional settings > Privacy > Install from SD card

# Connect WiFi
Settings > WLAN > TLS:
    CA: xxxxxx
    KEY: xxxxxx
    ID: android

Client Setup

# ssh root@192.168.31.231
$ pacman -S freeradius freeradius-client
$ radtest user pass 192.168.31.138 0 testing321
$ radtest user xxxx 192.168.31.138 0 testing321