freeRadius设置任意账号密码认证通过
阅读原文时间:2023年07月15日阅读:1

[root@wifi_radiusdproxy_16 raddb]# cat users

Please read the documentation file ../doc/processing_users_file,

or 'man 5 users' (after installing the server) for more information.

This file contains authentication security and configuration

information for each user. Accounting requests are NOT processed

through this file. Instead, see 'acct_users', in this directory.

The first field is the user's name and can be up to

characters in length. This is followed (on the same line) with

the list of authentication requirements for that user. This can

include password, comm server name, comm server port number, protocol

type (perhaps set by the "hints" file), and huntgroup name (set by

the "huntgroups" file).

If you are not sure why a particular reply is being sent by the

server, then run the server in debugging mode (radiusd -X), and

you will see which entries in this file are matched.

When an authentication request is received from the comm server,

these values are tested. Only the first match is used unless the

"Fall-Through" variable is set to "Yes".

A special user named "DEFAULT" matches on all usernames.

You can have several DEFAULT entries. All entries are processed

in the order they appear in this file. The first entry that

matches the login-request will stop processing unless you use

the Fall-Through variable.

If you use the database support to turn this file into a .db or .dbm

file, the DEFAULT entries _have_ to be at the end of this file and

you can't have multiple entries for one username.

Indented (with the tab character) lines following the first

line indicate the configuration values to be passed back to

the comm server to allow the initiation of a user session.

This can include things like the PPP configuration values

or the host to log the user onto.

You can include another `users' file with `$INCLUDE users.other'

#

For a list of RADIUS attributes, and links to their definitions,

see:

http://www.freeradius.org/rfc/attributes.html

#

Deny access for a specific user. Note that this entry MUST

be before any other 'Auth-Type' attribute which results in the user

being authenticated.

Note that there is NO 'Fall-Through' attribute, so the user will not

be given any additional resources.

#lameuser Auth-Type := Reject

Reply-Message = "Your account has been disabled."

Deny access for a group of users.

Note that there is NO 'Fall-Through' attribute, so the user will not

be given any additional resources.

#DEFAULT Group == "disabled", Auth-Type := Reject

Reply-Message = "Your account has been disabled."

#

This is a complete entry for "steve". Note that there is no Fall-Through

entry so that no DEFAULT entry will be used, and the user will NOT

get any attributes in addition to the ones listed here.

#steve Cleartext-Password := "testing"

Service-Type = Framed-User,

Framed-Protocol = PPP,

Framed-IP-Address = 172.16.3.33,

Framed-IP-Netmask = 255.255.255.0,

Framed-Routing = Broadcast-Listen,

Framed-Filter-Id = "std.ppp",

Framed-MTU = ,

Framed-Compression = Van-Jacobsen-TCP-IP

This is an entry for a user with a space in their name.

Note the double quotes surrounding the name.

#"John Doe" Cleartext-Password := "hello"

Reply-Message = "Hello, %{User-Name}"

Dial user back and telnet to the default host for that port

#Deg Cleartext-Password := "ge55ged"

Service-Type = Callback-Login-User,

Login-IP-Host = 0.0.0.0,

Callback-Number = "9,5551212",

Login-Service = Telnet,

Login-TCP-Port = Telnet

Another complete entry. After the user "dialbk" has logged in, the

connection will be broken and the user will be dialed back after which

he will get a connection to the host "timeshare1".

#dialbk Cleartext-Password := "callme"

Service-Type = Callback-Login-User,

Login-IP-Host = timeshare1,

Login-Service = PortMaster,

Callback-Number = "9,1-800-555-1212"

user "swilson" will only get a static IP number if he logs in with

a framed protocol on a terminal server in Alphen (see the huntgroups file).

Note that by setting "Fall-Through", other attributes will be added from

the following DEFAULT entries

#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"

Framed-IP-Address = 192.168.1.65,

Fall-Through = Yes

If the user logs in as 'username.shell', then authenticate them

using the default method, give them shell access, and stop processing

the rest of the file.

#DEFAULT Suffix == ".shell"

Service-Type = Login-User,

Login-Service = Telnet,

Login-IP-Host = your.shell.machine

The rest of this file contains the several DEFAULT entries.

DEFAULT entries match with all login names.

Note that DEFAULT entries can also Fall-Through (see first entry).

A name-value pair from a DEFAULT entry will _NEVER_ override

an already existing name-value pair.

#

Set up different IP address pools for the terminal servers.

Note that the "+" behind the IP address means that this is the "base"

IP address. The Port-Id (S0, S1 etc) will be added to it.

#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"

Framed-IP-Address = 192.168.1.32+,

Fall-Through = Yes

#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"

Framed-IP-Address = 192.168.2.32+,

Fall-Through = Yes

Sample defaults for all framed connections.

#DEFAULT Service-Type == Framed-User

Framed-IP-Address = 255.255.255.254,

Framed-MTU = ,

Service-Type = Framed-User,

Fall-Through = Yes

Default for PPP: dynamic IP address, PPP mode, VJ-compression.

NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected

by the terminal server in which case there may not be a "P" suffix.

The terminal server sends "Framed-Protocol = PPP" for auto PPP.

DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.

#DEFAULT Hint == "CSLIP"

Framed-Protocol = SLIP,

Framed-Compression = Van-Jacobson-TCP-IP

Default for SLIP: dynamic IP address, SLIP mode.

#DEFAULT Hint == "SLIP"

Framed-Protocol = SLIP

Last default: rlogin to our main server.

#DEFAULT

Service-Type = Login-User,

Login-Service = Rlogin,

Login-IP-Host = shellbox.ispdomain.com

#

# Last default: shell on the local terminal server.

#

DEFAULT

Service-Type = Administrative-User

On no match, the user is denied access.

DEFAULT Auth-Type := "Accept"
Reply-Message = "Bypass Success Auth User For Remote AAA Fail."