Category: System operations

2013-09-13 12:58:32

Configuring NAS clients in clients.conf

client localhost {
    ipaddr = 127.0.0.1
    netmask = 32
    #  One client definition can be applied to an entire network.
    #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
    #  "netmask = 8"
    #
    #  If not specified, the default netmask is 32 (i.e. /32)
    #
    #  We do NOT recommend using anything other than 32.  There
    #  are usually other, better ways to achieve the same goal.
    #  Using netmasks of other than 32 can cause security issues.
    #
    #  You can specify overlapping networks (127/8 and 127.0/16)
    #  In that case, the smallest possible network will be used
    #  as the "best match" for the client.
    #
    #  Clients can also be defined dynamically at run time, based
    #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
    #  etc.
    #  See raddb/sites-available/dynamic-clients for details.
Keep the default netmask of 32, one client definition per NAS. A wider mask makes every host in the range a trusted client sharing the same secret, which is the security issue the comment warns about. If clients really do need to be defined per network or at run time (for example from SQL, keyed on NAS-Identifier), see sites-available/dynamic-clients instead.
    secret  = testing123
    #  The shared secret used to "encrypt" and "sign" packets between
    #  the NAS and FreeRADIUS.  You MUST change this secret from the
    #  default, otherwise it's not a secret any more!
    #
    #  The secret can be any string, up to 8k characters in length.
    #
    #  Control codes can be entered via octal encoding,
    #	e.g. "\101\102" == "AB"
    #  Quotation marks can be entered by escaping them,
    #	e.g. "foo\"bar"
    #
    #  A note on security:  The security of the RADIUS protocol
    #  depends COMPLETELY on this secret!  We recommend using a
    #  shared secret that is composed of:
    #
    #	upper case letters
    #	lower case letters
    #	numbers
    #
    #  And is at LEAST 8 characters long, preferably 16 characters in
    #  length.  The secret MUST be random, and should not be words,
    #  phrases, or anything else that is recognizable.
    #
    #  The default secret below is only for testing, and should
    #  not be used in any real environment.
The comment stresses a complex secret: it may be up to 8K characters long, and the security of the whole protocol rests on it. Control characters can be entered as octal escapes (\101\102 is AB) and a quotation mark as \". Because everything depends on this value, use at least 8 characters and preferably 16 or more, random rather than a word or phrase, and always replace the default testing123 before deployment.

    require_message_authenticator = no
    #  Old-style clients do not send a Message-Authenticator
    #  in an Access-Request.  RFC 5080 suggests that all clients
    #  SHOULD include it in an Access-Request.  This configuration
    #  item allows the server to require it.  If a client
    #  is required to include a Message-Authenticator and it does
    #  not, then the packet will be silently discarded.
    #
    #  allowed values: yes, no
Older clients do not include a Message-Authenticator in an Access-Request, and the author notes that radclient and radtest do not send it either, which is why this is set to no here. If it is set to yes and the client omits the attribute, the packet is silently discarded, with no reply at all. The caveat: an Access-Request without Message-Authenticator carries no integrity check (its Request Authenticator is just a random value), so with no the server cannot detect a request whose attributes were altered in transit. Set yes for every NAS that supports it, as RFC 5080 recommends.
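To make the effect of this setting concrete, here is an added example (written for this page, not code from FreeRADIUS) that builds an Access-Request with a User-Password obfuscated per RFC 2865 and an optional Message-Authenticator computed per RFC 2869, then models the server-side decision: verify the HMAC when the attribute is present, process the packet unverified when it is absent and not required, and discard it when it is absent but required. The shared secret testing123 and the alice/passme pair are the page's own sample values; the function names and the packet layout helpers are this example's assumptions.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80   # RADIUS attribute types
SECRET = b"testing123"   # the clients.conf default, used only to build the sample packet


def _password_xor(data, secret, authenticator, encrypting):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    where the 'previous block' for the first one is the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = res if encrypting else block       # chaining always uses the ciphertext block
    return out


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user, password, secret, with_message_authenticator, ident=1):
    """Client side: Access-Request with User-Name, User-Password and, optionally,
    a Message-Authenticator (RFC 2869 5.14: HMAC-MD5 keyed with the shared secret
    over the whole packet, computed with the attribute's own 16 bytes zeroed)."""
    authenticator = os.urandom(16)
    pwd = password.encode()
    padded = pwd + b"\x00" * (-len(pwd) % 16)
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, _password_xor(padded, secret, authenticator, True))
    mac_offset = None
    if with_message_authenticator:
        mac_offset = 20 + len(attrs) + 2          # position of the 16-byte MAC value
        attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    if mac_offset is not None:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:mac_offset] + mac + packet[mac_offset + 16:]
    return packet


def parse_attrs(packet):
    """Yield (type, value_offset, value) for each attribute; reject bad lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        length = packet[pos + 1]
        yield packet[pos], pos + 2, packet[pos + 2:pos + length]
        pos += length


def check_access_request(packet, secret, require_message_authenticator):
    """Server-side model of clients.conf require_message_authenticator.

    Returns 'verified' (HMAC present and correct), 'unverified' (no
    Message-Authenticator, client not required to send one) or 'discard'."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return "discard"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "discard"
    try:
        attrs = list(parse_attrs(packet))
    except ValueError:
        return "discard"
    macs = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        return "discard" if require_message_authenticator else "unverified"
    off, val = macs[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "verified" if hmac.compare_digest(expected, val) else "discard"


def recover_password(packet, secret):
    """What the server does with User-Password once it trusts the packet."""
    authenticator = packet[4:20]
    for attr_type, _, val in parse_attrs(packet):
        if attr_type == USER_PASSWORD:
            return _password_xor(val, secret, authenticator, False).rstrip(b"\x00").decode()
    return None
```

Flipping a single byte of User-Name in a packet that carries Message-Authenticator makes the server discard it; the same modification to a packet without the attribute goes unnoticed when require_message_authenticator = no, which is exactly the exposure the setting controls.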

    shortname  = localhost
    #  The short name is used as an alias for the fully qualified
    #  domain name, or the IP address.
    #
    #  It is accepted for compatibility with 1.x, but it is no
    #  longer necessary in 2.0
The short name is an alias for the FQDN or IP address; it is kept for compatibility with 1.x but is no longer required in 2.0 and may be omitted.

    nastype = other
    #  the following three fields are optional, but may be used by
    #  checkrad.pl for simultaneous use checks
    #
    #  The nastype tells 'checkrad.pl' which NAS-specific method to
    #  use to query the NAS for simultaneous use.
    #
    #  Permitted NAS types are:
    #
    #	cisco
    #	computone
    #	livingston
    #	max40xx
    #	netserver
    #	pathras
    #	patton
    #	portslave
    #	tc
    #	usrhiper
    #	other		# for all other types
The NAS type is optional, but checkrad.pl uses it when checking whether an account is logged in more than once (Simultaneous-Use): it tells checkrad.pl which NAS-specific method to use to query that NAS. The permitted types are listed above; in most cases the generic other is used, and in the author's experience that covers Chillispot, CoovaChilli and Mikrotik hotspots.
    
    #
    #  The following two configurations are for future use.
    #  The 'naspasswd' file is currently used to store the NAS
    #  login name and password, which is used by checkrad.pl
    #  when querying the NAS for simultaneous use.
    #
    #	login       = !root
    #	password    = someadminpas
    #
    #  As of 2.0, clients can also be tied to a virtual server.
    #  This is done by setting the "virtual_server" configuration
    #  item, as in the example below.
    #
    #	virtual_server = home1
    #
    #  A pointer to the "home_server_pool" OR a "home_server"
    #  section that contains the CoA configuration for this
    #  client.  For an example of a coa home server or pool,
    #  see raddb/sites-available/originate-coa
    #
    #	coa_server = coa
}
 
These are optional items reserved for future use: the NAS login and password that checkrad.pl uses when querying the NAS, binding the client to a particular virtual server with virtual_server (2.0 and later), and coa_server pointing at the home server or home server pool that holds the CoA configuration for this client.

Next is the best-match rule: when several client definitions overlap, the request is matched to the most specific one, that is, the entry for the smallest network that contains the source address.
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#	secret		= testing123-1
#	shortname	= private-network-1
#}
#
#client 192.168.0.0/16 {
#	secret		= testing123-2
#	shortname	= private-network-2
#}
#client 10.10.10.10 {
#	# secret and password are mapped through the "secrets" file.
#	secret      = testing123
#	shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#	nastype     = livingston
#	login       = !root
#	password    = someadminpas
#}
IPv6 clients are defined the same way, and a hostname (some.host.org) is also accepted. Note that fe80::/16 in the sample lies in the link-local range (fe80::/10) and is far wider than the "site-local" label suggests; as with IPv4, prefer one entry per NAS.
# IPv6 Client
#client ::1 {
#	secret		= testing123
#	shortname	= localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
#	secret		= testing123
#	shortname	= localhost
#}
#client some.host.org {
#	secret		= testing123
#	shortname	= localhost
#}
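As an added example (not part of the post or of FreeRADIUS), the following Python parses a constructed clients.conf fragment with the overlapping networks shown above, applies the best-match rule (the entry from the smallest network containing the source address wins) for both IPv4 and IPv6, and audits every secret against the guidance in the secret comment: random, at least 16 characters, mixed case plus digits, and never the testing123 default. The function names and the sample fragment are this example's own assumptions; the parser handles the flat 2.x client blocks used on this page, not nested sub-sections.

```python
import ipaddress
import re
import secrets
import string

# Constructed clients.conf fragment with overlapping networks (example input only).
CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
}
client 192.168.0.0/24 {
    secret = testing123-1
    shortname = private-network-1
}
client 192.168.0.0/16 {
    secret = testing123-2
    shortname = private-network-2
}
client 10.10.10.10 {
    secret = testing123
    shortname = liv1
    nastype = livingston
}
client ::1 {
    secret = testing123
    shortname = localhost6
}
"""


def parse_clients(text):
    """Return one dict per client block. Hostname clients (which the server
    resolves itself) and nested sub-blocks are not handled here."""
    clients = []
    for name, body in re.findall(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        kv = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                kv[key.strip()] = value.strip()
        addr = kv.get("ipaddr") or kv.get("ipv6addr") or name   # block name doubles as address
        try:
            if "/" not in addr:        # no prefix: use netmask, else /32 (or /128 for IPv6)
                bits = kv.get("netmask", ipaddress.ip_address(addr).max_prefixlen)
                addr = f"{addr}/{bits}"
            network = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue
        clients.append({"network": network, "secret": kv.get("secret", ""),
                        "shortname": kv.get("shortname", name)})
    return clients


def best_match(clients, source_ip):
    """The entry from the smallest network containing the source address wins.
    Returns None for an unknown client, whose packets the server silently ignores."""
    ip = ipaddress.ip_address(source_ip)
    candidates = [c for c in clients if ip in c["network"]]
    return max(candidates, key=lambda c: c["network"].prefixlen, default=None)


def secret_weaknesses(secret):
    """Checks taken from the clients.conf guidance: 16+ chars, mixed classes, not the default."""
    problems = []
    if secret.startswith("testing123"):
        problems.append("default/testing secret")
    if len(secret) < 16:
        problems.append("shorter than 16 characters")
    if not (any(c.islower() for c in secret) and any(c.isupper() for c in secret)
            and any(c.isdigit() for c in secret)):
        problems.append("does not mix upper case, lower case and digits")
    return problems


def new_secret(length=32):
    """Generate a random shared secret that passes secret_weaknesses()."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not secret_weaknesses(candidate):
            return candidate


def audit(clients):
    """shortname -> problems, for every client whose secret fails the checks."""
    return {c["shortname"]: secret_weaknesses(c["secret"])
            for c in clients if secret_weaknesses(c["secret"])}
```

Because the /24 and /16 entries both contain 192.168.0.7, a NAS at that address is matched to private-network-1 and must use testing123-1; a NAS at 192.168.5.7 falls back to the /16 entry. Every secret in the fragment fails the audit, which is the expected result for a file that still carries the shipped defaults.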

The users file

To force a user to be accepted or rejected regardless of whether the password is correct, set Auth-Type explicitly in the check items (note the comma between check items):
# "alice" Cleartext-Password := "passme", Auth-Type := Reject
# "alice" Cleartext-Password := "passme", Auth-Type := Accept
Auth-Type := Accept skips password verification entirely and should only ever appear in a test configuration; Auth-Type := Reject is the normal way to disable an account.
Note that %{} expands an attribute: %{User-Name} is replaced by the user name from the request.
#	This file contains authentication security and configuration
#	information for each user.  Accounting requests are NOT processed
#	through this file.  Instead, see 'acct_users', in this directory.
This file is self-contained and does not pull in other modules. However, if you change the virtual server in sites-enabled/default, for example by enabling unix in the authorize section, system accounts can also be used as user name and password; in the author's tests only the system password was then matched, and an entry for the same user in this file did not take precedence. The file holds the authentication and configuration information for each user. Accounting requests are not processed here; for those, see acct_users in the same directory.
#	The first field is the user's name and can be up to
#	253 characters in length.  This is followed (on the same line) with
#	the list of authentication requirements for that user.  This can
#	include password, comm server name, comm server port number, protocol
#	type (perhaps set by the "hints" file), and huntgroup name (set by
#	the "huntgroups" file).
The first field is the user name (up to 253 characters), followed on the same line by the list of authentication requirements (check items) for that user: password, comm server name, comm server port, protocol type (possibly set by the hints file), huntgroup name (set by the huntgroups file), and so on.
#	If you are not sure why a particular reply is being sent by the
#	server, then run the server in debugging mode (radiusd -X), and
#	you will see which entries in this file are matched.
#
#	When an authentication request is received from the comm server,
#	these values are tested. Only the first match is used unless the
#	"Fall-Through" variable is set to "Yes".
#
When an authentication request arrives, entries are tested in file order and only the first match is used, unless that entry sets Fall-Through = Yes, in which case processing continues with the following entries until the next match without Fall-Through. Note that if Fall-Through is not set, it is No. If you are unsure why a particular reply is being sent, run the server in debugging mode (radiusd -X) and the output shows which entries matched.
#	A special user named "DEFAULT" matches on all usernames.
#	You can have several DEFAULT entries. All entries are processed
#	in the order they appear in this file. The first entry that
#	matches the login-request will stop processing unless you use
#	the Fall-Through variable.
#
#	If you use the database support to turn this file into a .db or .dbm
#	file, the DEFAULT entries _have_ to be at the end of this file and
#	you can't have multiple entries for one username.
Note that if you convert this file into a .db or .dbm file, the DEFAULT entries must be at the end of the file, and each user name may have only one entry.
#	Indented (with the tab character) lines following the first
#	line indicate the configuration values to be passed back to
#	the comm server to allow the initiation of a user session.
#	This can include things like the PPP configuration values
#	or the host to log the user onto.
#
#	You can include another `users' file with `$INCLUDE users.other'

Lines indented with a tab after an entry's first line are the reply values passed back to the comm server (the NAS) so it can set up the user's session, such as PPP settings or the host to log the user onto. Another users file can be included with $INCLUDE users.other.

# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser	Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."

To deny a specific user, the entry must come before any other entry whose Auth-Type would result in the user being authenticated. Since it has no Fall-Through, the user is also given no additional reply attributes.

# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT	Group == "disabled", Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."
#
The entry above denies every user whose Group is "disabled".

# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve	Cleartext-Password := "testing"
#	Service-Type = Framed-User,
#	Framed-Protocol = PPP,
#	Framed-IP-Address = 172.16.3.33,
#	Framed-IP-Netmask = 255.255.255.0,
#	Framed-Routing = Broadcast-Listen,
#	Framed-Filter-Id = "std.ppp",
#	Framed-MTU = 1500,
#	Framed-Compression = Van-Jacobson-TCP-IP
This is the complete attribute set for user steve. Because there is no Fall-Through, no DEFAULT entry is applied afterwards, and the user receives no attributes beyond those listed here.

# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"	Cleartext-Password := "hello"
#		Reply-Message = "Hello, %{User-Name}"
This entry shows a user name containing a space, which must be enclosed in double quotes.

The following are some other cases:
# Dial user back and telnet to the default host for that port
#
#Deg	Cleartext-Password := "ge55ged"
#	Service-Type = Callback-Login-User,
#	Login-IP-Host = 0.0.0.0,
#	Callback-Number = "9,5551212",
#	Login-Service = Telnet,
#	Login-TCP-Port = Telnet
#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk	Cleartext-Password := "callme"
#	Service-Type = Callback-Login-User,
#	Login-IP-Host = timeshare1,
#	Login-Service = PortMaster,
#	Callback-Number = "9,1-800-555-1212"
#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#		Framed-IP-Address = 192.168.1.65,
#		Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT	Suffix == ".shell"
#		Service-Type = Login-User,
#		Login-Service = Telnet,
#		Login-IP-Host = your.shell.machine
 
The rest of the file contains DEFAULT entries, which match every user name. Note that a name-value pair from a DEFAULT entry never overrides a pair that an earlier entry has already set: the = operator only adds an attribute that is not yet present, whereas := would replace it.
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#		Framed-IP-Address = 192.168.1.32+,
#		Fall-Through = Yes
#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "delft"
#		Framed-IP-Address = 192.168.2.32+,
#		Fall-Through = Yes
#
# Sample defaults for all framed connections.
#
#DEFAULT	Service-Type == Framed-User
#	Framed-IP-Address = 255.255.255.254,
#	Framed-MTU = 576,
#	Service-Type = Framed-User,
#	Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#	by the terminal server in which case there may not be a "P" suffix.
#	The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
#	Service-Type = Login-User,
#	Login-Service = Rlogin,
#	Login-IP-Host = shellbox.ispdomain.com
#
#
#
# Last default: shell on the local terminal server.
#
#
# DEFAULT
# 	Service-Type = Administrative-User
# On no match, the user is denied access.
The last comment means that if no entry matches, the user is denied access.
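An added example (not from the page or from FreeRADIUS) that models how the files module walks this file, covering the matching rules explained above: a constructed users file built from the page's own entries (plus an illustrative alice entry with Auth-Type := Accept), a parser for the "name and check items, then indented reply items" layout, first match wins unless Fall-Through = Yes, DEFAULT matching every user, %{User-Name} expansion, the rule that a = reply pair never overrides one already set, and denial when nothing matches. The accept/reject decision is deliberately limited to Cleartext-Password, Auth-Type := Reject and Auth-Type := Accept; the user names, passwords and function names are this example's assumptions.

```python
import re

# Constructed users file for this example. The entries mirror the page's own
# samples; passwords and the "alice" Auth-Type := Accept entry are illustrative.
# Reply lines are indented with spaces here; the shipped file uses tabs.
USERS_FILE = """\
lameuser    Auth-Type := Reject
            Reply-Message = "Your account has been disabled."

DEFAULT     Group == "disabled", Auth-Type := Reject
            Reply-Message = "Your account has been disabled."

alice       Cleartext-Password := "passme", Auth-Type := Accept

"John Doe"  Cleartext-Password := "hello"
            Reply-Message = "Hello, %{User-Name}"

swilson     Cleartext-Password := "secret1", Huntgroup-Name == "alphen"
            Framed-IP-Address = 192.168.1.65,
            Fall-Through = Yes

DEFAULT     Service-Type == Framed-User
            Framed-IP-Address = 255.255.255.254,
            Framed-MTU = 576,
            Fall-Through = Yes

DEFAULT     Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP
"""

# attribute, operator, value (quoted values may contain commas and spaces)
ITEM = re.compile(r'\s*([A-Za-z][\w-]*)\s*(:=|==|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?')
HEAD = re.compile(r'^("(?:[^"\\]|\\.)*"|\S+)\s*(.*)$')   # entry name, then check items


def unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_users(text):
    """Return (name, check_items, reply_items) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                       # indented: reply items of the current entry
            entries[-1][2].extend(ITEM.findall(raw))
        else:                                     # new entry: name followed by check items
            name, rest = HEAD.match(raw).groups()
            entries.append((unquote(name), ITEM.findall(rest), []))
    return entries


def expand(value, request):
    """%{Attr} is replaced by the request attribute's value."""
    return re.sub(r"%\{([\w-]+)\}", lambda m: request.get(m.group(1), ""), value)


def process(entries, request):
    """Walk the entries: the first match wins unless it sets Fall-Through = Yes.

    control collects ':=' check items (Cleartext-Password, Auth-Type); reply
    collects attributes to send back. A reply item using '=' never overrides
    a pair that an earlier entry already set; ':=' does."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(request.get(a) == unquote(v) for a, op, v in checks if op == "=="):
            continue
        for a, op, v in checks:
            if op == ":=":
                control[a] = unquote(v)
        fall_through = False
        for a, op, v in replies:
            if a == "Fall-Through":
                fall_through = unquote(v).lower() == "yes"
            elif op == ":=" or a not in reply:
                reply[a] = expand(unquote(v), request)
        if not fall_through:
            break
    return control, reply


def authenticate(entries, request):
    """Accept/reject decision for the control items this example understands."""
    control, reply = process(entries, request)
    auth_type = control.get("Auth-Type")
    if auth_type == "Reject":
        return "reject", reply
    if auth_type == "Accept":                      # password is not compared at all
        return "accept", reply
    known = control.get("Cleartext-Password")
    if known is not None and known == request.get("User-Password"):
        return "accept", reply
    return "reject", reply                         # no match or wrong password: denied
```

With this file, swilson logging in from huntgroup alphen over PPP keeps the static 192.168.1.65 even though the Framed-User DEFAULT that follows also sets Framed-IP-Address, while still picking up Framed-MTU and the PPP compression from the later DEFAULT entries; John Doe, whose entry has no Fall-Through, gets only his Reply-Message. The alice entry shows why Auth-Type := Accept does not belong in production: a wrong password is accepted.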