freeRadius设置任意账号密码认证通过

阅读原文时间：2023年07月15日阅读：1

[root@wifi_radiusdproxy_16 raddb]# cat users

Please read the documentation file ../doc/processing_users_file,

or 'man 5 users' (after installing the server) for more information.

This file contains authentication security and configuration

information for each user. Accounting requests are NOT processed

through this file. Instead, see 'acct_users', in this directory.

The first field is the user's name and can be up to

characters in length. This is followed (on the same line) with

the list of authentication requirements for that user. This can

include password, comm server name, comm server port number, protocol

type (perhaps set by the "hints" file), and huntgroup name (set by

the "huntgroups" file).

If you are not sure why a particular reply is being sent by the

server, then run the server in debugging mode (radiusd -X), and

you will see which entries in this file are matched.

When an authentication request is received from the comm server,

these values are tested. Only the first match is used unless the

"Fall-Through" variable is set to "Yes".

A special user named "DEFAULT" matches on all usernames.

You can have several DEFAULT entries. All entries are processed

in the order they appear in this file. The first entry that

the Fall-Through variable.

If you use the database support to turn this file into a .db or .dbm

file, the DEFAULT entries _have_ to be at the end of this file and

you can't have multiple entries for one username.

Indented (with the tab character) lines following the first

line indicate the configuration values to be passed back to

the comm server to allow the initiation of a user session.

This can include things like the PPP configuration values

or the host to log the user onto.

You can include another `users' file with `$INCLUDE users.other'

For a list of RADIUS attributes, and links to their definitions,

see:

http://www.freeradius.org/rfc/attributes.html

Deny access for a specific user. Note that this entry MUST

be before any other 'Auth-Type' attribute which results in the user

being authenticated.

Note that there is NO 'Fall-Through' attribute, so the user will not

be given any additional resources.

#lameuser Auth-Type := Reject

Reply-Message = "Your account has been disabled."

Deny access for a group of users.

Note that there is NO 'Fall-Through' attribute, so the user will not

be given any additional resources.

#DEFAULT Group == "disabled", Auth-Type := Reject

Reply-Message = "Your account has been disabled."

This is a complete entry for "steve". Note that there is no Fall-Through

entry so that no DEFAULT entry will be used, and the user will NOT

get any attributes in addition to the ones listed here.

#steve Cleartext-Password := "testing"

Service-Type = Framed-User,

Framed-Protocol = PPP,

Framed-IP-Address = 172.16.3.33,

Framed-IP-Netmask = 255.255.255.0,

Framed-Routing = Broadcast-Listen,

Framed-Filter-Id = "std.ppp",

Framed-MTU = ,

Framed-Compression = Van-Jacobsen-TCP-IP

This is an entry for a user with a space in their name.

Note the double quotes surrounding the name.

#"John Doe" Cleartext-Password := "hello"

Reply-Message = "Hello, %{User-Name}"

Dial user back and telnet to the default host for that port

#Deg Cleartext-Password := "ge55ged"

Callback-Number = "9,5551212",

Another complete entry. After the user "dialbk" has logged in, the

connection will be broken and the user will be dialed back after which

he will get a connection to the host "timeshare1".

#dialbk Cleartext-Password := "callme"

Callback-Number = "9,1-800-555-1212"

user "swilson" will only get a static IP number if he logs in with

a framed protocol on a terminal server in Alphen (see the huntgroups file).

Note that by setting "Fall-Through", other attributes will be added from

the following DEFAULT entries

#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"

Framed-IP-Address = 192.168.1.65,

Fall-Through = Yes

If the user logs in as 'username.shell', then authenticate them

using the default method, give them shell access, and stop processing

the rest of the file.

#DEFAULT Suffix == ".shell"

The rest of this file contains the several DEFAULT entries.

Note that DEFAULT entries can also Fall-Through (see first entry).

A name-value pair from a DEFAULT entry will _NEVER_ override

an already existing name-value pair.

Set up different IP address pools for the terminal servers.

Note that the "+" behind the IP address means that this is the "base"

IP address. The Port-Id (S0, S1 etc) will be added to it.

#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"

Framed-IP-Address = 192.168.1.32+,

Fall-Through = Yes

#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"

Framed-IP-Address = 192.168.2.32+,

Fall-Through = Yes

Sample defaults for all framed connections.

#DEFAULT Service-Type == Framed-User

Framed-IP-Address = 255.255.255.254,

Framed-MTU = ,

Service-Type = Framed-User,

Fall-Through = Yes

Default for PPP: dynamic IP address, PPP mode, VJ-compression.

NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected

by the terminal server in which case there may not be a "P" suffix.

The terminal server sends "Framed-Protocol = PPP" for auto PPP.

DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.

#DEFAULT Hint == "CSLIP"

Framed-Protocol = SLIP,

Framed-Compression = Van-Jacobson-TCP-IP

Default for SLIP: dynamic IP address, SLIP mode.

#DEFAULT Hint == "SLIP"

Framed-Protocol = SLIP

Last default: rlogin to our main server.

#DEFAULT

#

# Last default: shell on the local terminal server.

#

DEFAULT

Service-Type = Administrative-User

On no match, the user is denied access.

DEFAULT Auth-Type := "Accept"
Reply-Message = "Bypass Success Auth User For Remote AAA Fail."

手机扫一扫

移动阅读更方便

你可能感兴趣的文章

探讨Service Mesh中一种更高效的代理模式

Linux系统运维之FastDFS集群部署

Cookies 完全指南

ModelBox实战开发：RK3568实现摄像头虚拟背景

Linux网络管理命令

NGINX 类漏洞整理记录

第十四章 Linux三剑客之老大—awk

freeRadius设置任意账号密码认证通过

Please read the documentation file ../doc/processing_users_file,

or 'man 5 users' (after installing the server) for more information.

This file contains authentication security and configuration

information for each user. Accounting requests are NOT processed

through this file. Instead, see 'acct_users', in this directory.

The first field is the user's name and can be up to

characters in length. This is followed (on the same line) with

the list of authentication requirements for that user. This can

include password, comm server name, comm server port number, protocol

type (perhaps set by the "hints" file), and huntgroup name (set by

the "huntgroups" file).

If you are not sure why a particular reply is being sent by the

server, then run the server in debugging mode (radiusd -X), and

you will see which entries in this file are matched.

When an authentication request is received from the comm server,

these values are tested. Only the first match is used unless the

"Fall-Through" variable is set to "Yes".

A special user named "DEFAULT" matches on all usernames.

You can have several DEFAULT entries. All entries are processed

in the order they appear in this file. The first entry that

matches the login-request will stop processing unless you use

the Fall-Through variable.

If you use the database support to turn this file into a .db or .dbm

file, the DEFAULT entries _have_ to be at the end of this file and

you can't have multiple entries for one username.

Indented (with the tab character) lines following the first

line indicate the configuration values to be passed back to

the comm server to allow the initiation of a user session.

This can include things like the PPP configuration values

or the host to log the user onto.

You can include another `users' file with `$INCLUDE users.other'

For a list of RADIUS attributes, and links to their definitions,

see:

http://www.freeradius.org/rfc/attributes.html

Deny access for a specific user. Note that this entry MUST

be before any other 'Auth-Type' attribute which results in the user

being authenticated.

Note that there is NO 'Fall-Through' attribute, so the user will not

be given any additional resources.

Reply-Message = "Your account has been disabled."

Deny access for a group of users.

Note that there is NO 'Fall-Through' attribute, so the user will not

be given any additional resources.

Reply-Message = "Your account has been disabled."

This is a complete entry for "steve". Note that there is no Fall-Through

entry so that no DEFAULT entry will be used, and the user will NOT

get any attributes in addition to the ones listed here.

Service-Type = Framed-User,

Framed-Protocol = PPP,

Framed-IP-Address = 172.16.3.33,

Framed-IP-Netmask = 255.255.255.0,

Framed-Routing = Broadcast-Listen,

Framed-Filter-Id = "std.ppp",

Framed-MTU = ,

Framed-Compression = Van-Jacobsen-TCP-IP

This is an entry for a user with a space in their name.

Note the double quotes surrounding the name.

Reply-Message = "Hello, %{User-Name}"

Dial user back and telnet to the default host for that port

Service-Type = Callback-Login-User,

Login-IP-Host = 0.0.0.0,

Callback-Number = "9,5551212",

Login-Service = Telnet,

Login-TCP-Port = Telnet

Another complete entry. After the user "dialbk" has logged in, the

connection will be broken and the user will be dialed back after which

he will get a connection to the host "timeshare1".

Service-Type = Callback-Login-User,

Login-IP-Host = timeshare1,

Login-Service = PortMaster,

Callback-Number = "9,1-800-555-1212"

user "swilson" will only get a static IP number if he logs in with

a framed protocol on a terminal server in Alphen (see the huntgroups file).

Note that by setting "Fall-Through", other attributes will be added from

the following DEFAULT entries

Framed-IP-Address = 192.168.1.65,

Fall-Through = Yes

If the user logs in as 'username.shell', then authenticate them

using the default method, give them shell access, and stop processing