{"id":10577,"date":"2025-08-11T22:24:10","date_gmt":"2025-08-11T13:24:10","guid":{"rendered":"https:\/\/y2tech.net\/blog\/?p=10577"},"modified":"2026-01-19T15:59:07","modified_gmt":"2026-01-19T06:59:07","slug":"authenticated-vlan-with-aruba-instant-on-4","status":"publish","type":"post","link":"https:\/\/y2tech.net\/blog\/computer\/sysadmin\/authenticated-vlan-with-aruba-instant-on-4-10577\/","title":{"rendered":"Implementing Authenticated VLANs with Aruba APs #4 (Authentication with EAP-PEAP)"},"content":{"rendered":"<hr \/>\r\n<h4>Index: &#8220;Implementing Authenticated VLANs with Aruba APs&#8221;<\/h4>\r\n<br>\r\n<ul>\r\n<li>\u3000<a href=\"https:\/\/y2tech.net\/blog\/computer\/sysadmin\/authenticated-vlan-with-aruba-instant-on-1-10315\/\" target=\"_blank\">\u30fb#1 Overview of Instant On<\/a><\/li>\r\n<li>\u3000<a href=\"https:\/\/y2tech.net\/blog\/computer\/sysadmin\/authenticated-vlan-with-aruba-instant-on-2-10369\/\" target=\"_blank\">\u30fb#2 Integrating with the RADIUS server<\/a><\/li>\r\n<li>\u3000<a href=\"https:\/\/y2tech.net\/blog\/computer\/sysadmin\/authenticated-vlan-with-aruba-instant-on-3-10547\/\" target=\"_blank\">\u30fb#3 Setting up a self-signed certificate<\/a><\/li>\r\n<li>\u3000\u30fb#4 Authentication with EAP-PEAP<\/li>\r\n<li>\u3000<a href=\"https:\/\/y2tech.net\/blog\/computer\/sysadmin\/authenticated-vlan-with-aruba-instant-on-5-10604\/\" target=\"_blank\">\u30fb#5 Connecting the AP to the RADIUS server<\/a><\/li>\r\n<li>\u3000<a href=\"https:\/\/y2tech.net\/blog\/computer\/sysadmin\/authenticated-vlan-with-aruba-instant-on-6-10665\/\" target=\"_blank\">\u30fb#6 Implementing the authenticated VLAN<\/a><\/li>\r\n<li>\u3000<a href=\"https:\/\/y2tech.net\/blog\/computer\/sysadmin\/authenticated-vlan-with-aruba-instant-on-7-10685\/\" target=\"_blank\">\u30fb#7 Integrating with LDAP<\/a><\/li>\r\n<\/ul>\r\n<hr \/>\r\n\r\n<h3>FreeRADIUS configuration<\/h3>\r\n<br>\r\n<p>Now that our own private CA can issue a server certificate, we add the settings the RADIUS server needs for EAP-PEAP (MSCHAPv2) authentication. An earlier article already outlined the FreeRADIUS configuration, so parts of this overlap, but the explanation here centres on the EAP-PEAP settings.<\/p>\r\n<br>\r\n<p>Here again is a listing of the files under &#8220;\/etc\/raddb\/&#8221;, the directory where the FreeRADIUS configuration files live.<\/p>\r\n<br>\r\n<pre><code class=\"language-Markup\" style=\"height: 600px;\">\r\n[root@nsauth6 raddb]# pwd\r\n\/etc\/raddb\r\n[root@nsauth6 raddb]# tree\r\n.\r\n\u251c\u2500\u2500 README.rst\r\n\u251c\u2500\u2500 certs\r\n\u2502   \u251c\u2500\u2500 01.pem\r\n\u2502   \u251c\u2500\u2500 02.pem\r\n\u2502   \u251c\u2500\u2500 Makefile\r\n\u2502   \u251c\u2500\u2500 README\r\n\u2502   \u251c\u2500\u2500 bootstrap\r\n\u2502   \u251c\u2500\u2500 ca.cnf\r\n\u2502   \u251c\u2500\u2500 ca.key\r\n\u2502   \u251c\u2500\u2500 ca.pem\r\n\u2502   \u251c\u2500\u2500 client.cnf\r\n\u2502   \u251c\u2500\u2500 client.crt\r\n\u2502   \u251c\u2500\u2500 client.csr\r\n\u2502   \u251c\u2500\u2500 client.key\r\n\u2502   \u251c\u2500\u2500 client.p12\r\n\u2502   
\u251c\u2500\u2500 client.pem\r\n\u2502   \u251c\u2500\u2500 index.txt\r\n\u2502   \u251c\u2500\u2500 index.txt.attr\r\n\u2502   \u251c\u2500\u2500 inner-server.cnf\r\n\u2502   \u251c\u2500\u2500 passwords.mk\r\n\u2502   \u251c\u2500\u2500 serial\r\n\u2502   \u251c\u2500\u2500 serial.old\r\n\u2502   \u251c\u2500\u2500 server.cnf\r\n\u2502   \u251c\u2500\u2500 server.crt\r\n\u2502   \u251c\u2500\u2500 server.csr\r\n\u2502   \u251c\u2500\u2500 server.key\r\n\u2502   \u251c\u2500\u2500 server.p12\r\n\u2502   \u251c\u2500\u2500 server.pem\r\n\u2502   \u251c\u2500\u2500 xpextensions\r\n\u2502   \u2514\u2500\u2500 nanashi@y2tech.net.pem\r\n\u251c\u2500\u2500 clients.conf\r\n\u251c\u2500\u2500 dictionary\r\n\u251c\u2500\u2500 hints -> .\/mods-config\/preprocess\/hints\r\n\u251c\u2500\u2500 huntgroups -> .\/mods-config\/preprocess\/huntgroups\r\n\u251c\u2500\u2500 mods-available\r\n\u2502   \u251c\u2500\u2500 README.rst\r\n\u2502   \u251c\u2500\u2500 always\r\n\u2502   \u251c\u2500\u2500 attr_filter\r\n\u2502   \u251c\u2500\u2500 cache\r\n\u2502   \u251c\u2500\u2500 cache_eap\r\n\u2502   \u251c\u2500\u2500 chap\r\n\u2502   \u251c\u2500\u2500 counter\r\n\u2502   \u251c\u2500\u2500 cui\r\n\u2502   \u251c\u2500\u2500 date\r\n\u2502   \u251c\u2500\u2500 detail\r\n\u2502   \u251c\u2500\u2500 detail.example.com\r\n\u2502   \u251c\u2500\u2500 detail.log\r\n\u2502   \u251c\u2500\u2500 dhcp\r\n\u2502   \u251c\u2500\u2500 dhcp_sqlippool\r\n\u2502   \u251c\u2500\u2500 digest\r\n\u2502   \u251c\u2500\u2500 dynamic_clients\r\n\u2502   \u251c\u2500\u2500 eap\r\n\u2502   \u251c\u2500\u2500 echo\r\n\u2502   \u251c\u2500\u2500 etc_group\r\n\u2502   \u251c\u2500\u2500 exec\r\n\u2502   \u251c\u2500\u2500 expiration\r\n\u2502   \u251c\u2500\u2500 expr\r\n\u2502   \u251c\u2500\u2500 files\r\n\u2502   \u251c\u2500\u2500 idn\r\n\u2502   \u251c\u2500\u2500 inner-eap\r\n\u2502   \u251c\u2500\u2500 ippool\r\n\u2502   \u251c\u2500\u2500 krb5\r\n\u2502   \u251c\u2500\u2500 ldap\r\n\u2502   
\u251c\u2500\u2500 linelog\r\n\u2502   \u251c\u2500\u2500 logintime\r\n\u2502   \u251c\u2500\u2500 mac2ip\r\n\u2502   \u251c\u2500\u2500 mac2vlan\r\n\u2502   \u251c\u2500\u2500 mschap\r\n\u2502   \u251c\u2500\u2500 ntlm_auth\r\n\u2502   \u251c\u2500\u2500 opendirectory\r\n\u2502   \u251c\u2500\u2500 otp\r\n\u2502   \u251c\u2500\u2500 pam\r\n\u2502   \u251c\u2500\u2500 pap\r\n\u2502   \u251c\u2500\u2500 passwd\r\n\u2502   \u251c\u2500\u2500 preprocess\r\n\u2502   \u251c\u2500\u2500 python\r\n\u2502   \u251c\u2500\u2500 python3\r\n\u2502   \u251c\u2500\u2500 radutmp\r\n\u2502   \u251c\u2500\u2500 realm\r\n\u2502   \u251c\u2500\u2500 redis\r\n\u2502   \u251c\u2500\u2500 rediswho\r\n\u2502   \u251c\u2500\u2500 replicate\r\n\u2502   \u251c\u2500\u2500 smbpasswd\r\n\u2502   \u251c\u2500\u2500 smsotp\r\n\u2502   \u251c\u2500\u2500 soh\r\n\u2502   \u251c\u2500\u2500 sometimes\r\n\u2502   \u251c\u2500\u2500 sql\r\n\u2502   \u251c\u2500\u2500 sqlcounter\r\n\u2502   \u251c\u2500\u2500 sqlippool\r\n\u2502   \u251c\u2500\u2500 sradutmp\r\n\u2502   \u251c\u2500\u2500 unix\r\n\u2502   \u251c\u2500\u2500 unpack\r\n\u2502   \u251c\u2500\u2500 utf8\r\n\u2502   \u251c\u2500\u2500 wimax\r\n\u2502   \u2514\u2500\u2500 yubikey\r\n\u251c\u2500\u2500 mods-config\r\n\u2502   \u251c\u2500\u2500 README.rst\r\n\u2502   \u251c\u2500\u2500 attr_filter\r\n\u2502   \u2502   \u251c\u2500\u2500 access_challenge\r\n\u2502   \u2502   \u251c\u2500\u2500 access_reject\r\n\u2502   \u2502   \u251c\u2500\u2500 accounting_response\r\n\u2502   \u2502   \u251c\u2500\u2500 post-proxy\r\n\u2502   \u2502   \u2514\u2500\u2500 pre-proxy\r\n\u2502   \u251c\u2500\u2500 files\r\n\u2502   \u2502   \u251c\u2500\u2500 accounting\r\n\u2502   \u2502   \u251c\u2500\u2500 authorize\r\n\u2502   \u2502   \u2514\u2500\u2500 pre-proxy\r\n\u2502   \u251c\u2500\u2500 preprocess\r\n\u2502   \u2502   \u251c\u2500\u2500 hints\r\n\u2502   \u2502   \u2514\u2500\u2500 huntgroups\r\n\u2502   \u2514\u2500\u2500 sql\r\n\u2502       
\u251c\u2500\u2500 counter\r\n\u2502       \u251c\u2500\u2500 cui\r\n\u2502       \u251c\u2500\u2500 ippool\r\n\u2502       \u251c\u2500\u2500 ippool-dhcp\r\n\u2502       \u2514\u2500\u2500 main\r\n\u251c\u2500\u2500 mods-enabled\r\n\u2502   \u251c\u2500\u2500 always -> ..\/mods-available\/always\r\n\u2502   \u251c\u2500\u2500 attr_filter -> ..\/mods-available\/attr_filter\r\n\u2502   \u251c\u2500\u2500 cache_eap -> ..\/mods-available\/cache_eap\r\n\u2502   \u251c\u2500\u2500 chap -> ..\/mods-available\/chap\r\n\u2502   \u251c\u2500\u2500 date -> ..\/mods-available\/date\r\n\u2502   \u251c\u2500\u2500 detail -> ..\/mods-available\/detail\r\n\u2502   \u251c\u2500\u2500 detail.log -> ..\/mods-available\/detail.log\r\n\u2502   \u251c\u2500\u2500 digest -> ..\/mods-available\/digest\r\n\u2502   \u251c\u2500\u2500 dynamic_clients -> ..\/mods-available\/dynamic_clients\r\n\u2502   \u251c\u2500\u2500 eap -> ..\/mods-available\/eap\r\n\u2502   \u251c\u2500\u2500 echo -> ..\/mods-available\/echo\r\n\u2502   \u251c\u2500\u2500 exec -> ..\/mods-available\/exec\r\n\u2502   \u251c\u2500\u2500 expiration -> ..\/mods-available\/expiration\r\n\u2502   \u251c\u2500\u2500 expr -> ..\/mods-available\/expr\r\n\u2502   \u251c\u2500\u2500 files -> ..\/mods-available\/files\r\n\u2502   \u251c\u2500\u2500 linelog -> ..\/mods-available\/linelog\r\n\u2502   \u251c\u2500\u2500 logintime -> ..\/mods-available\/logintime\r\n\u2502   \u251c\u2500\u2500 mschap -> ..\/mods-available\/mschap\r\n\u2502   \u251c\u2500\u2500 ntlm_auth -> ..\/mods-available\/ntlm_auth\r\n\u2502   \u251c\u2500\u2500 pap -> ..\/mods-available\/pap\r\n\u2502   \u251c\u2500\u2500 passwd -> ..\/mods-available\/passwd\r\n\u2502   \u251c\u2500\u2500 preprocess -> ..\/mods-available\/preprocess\r\n\u2502   \u251c\u2500\u2500 radutmp -> ..\/mods-available\/radutmp\r\n\u2502   \u251c\u2500\u2500 realm -> ..\/mods-available\/realm\r\n\u2502   \u251c\u2500\u2500 replicate -> ..\/mods-available\/replicate\r\n\u2502   
\u251c\u2500\u2500 soh -> ..\/mods-available\/soh\r\n\u2502   \u251c\u2500\u2500 sradutmp -> ..\/mods-available\/sradutmp\r\n\u2502   \u251c\u2500\u2500 unix -> ..\/mods-available\/unix\r\n\u2502   \u251c\u2500\u2500 unpack -> ..\/mods-available\/unpack\r\n\u2502   \u2514\u2500\u2500 utf8 -> ..\/mods-available\/utf8\r\n\u251c\u2500\u2500 panic.gdb\r\n\u251c\u2500\u2500 policy.d\r\n\u2502   \u251c\u2500\u2500 accounting\r\n\u2502   \u251c\u2500\u2500 canonicalization\r\n\u2502   \u251c\u2500\u2500 control\r\n\u2502   \u251c\u2500\u2500 cui\r\n\u2502   \u251c\u2500\u2500 debug\r\n\u2502   \u251c\u2500\u2500 dhcp\r\n\u2502   \u251c\u2500\u2500 eap\r\n\u2502   \u251c\u2500\u2500 filter\r\n\u2502   \u251c\u2500\u2500 operator-name\r\n\u2502   \u2514\u2500\u2500 rfc7542\r\n\u251c\u2500\u2500 proxy.conf\r\n\u251c\u2500\u2500 radiusd.conf\r\n\u251c\u2500\u2500 sites-available\r\n\u2502   \u251c\u2500\u2500 README\r\n\u2502   \u251c\u2500\u2500 buffered-sql\r\n\u2502   \u251c\u2500\u2500 challenge\r\n\u2502   \u251c\u2500\u2500 channel_bindings\r\n\u2502   \u251c\u2500\u2500 check-eap-tls\r\n\u2502   \u251c\u2500\u2500 coa\r\n\u2502   \u251c\u2500\u2500 coa-relay\r\n\u2502   \u251c\u2500\u2500 control-socket\r\n\u2502   \u251c\u2500\u2500 copy-acct-to-home-server\r\n\u2502   \u251c\u2500\u2500 decoupled-accounting\r\n\u2502   \u251c\u2500\u2500 default\r\n\u2502   \u251c\u2500\u2500 default.org\r\n\u2502   \u251c\u2500\u2500 dhcp\r\n\u2502   \u251c\u2500\u2500 dhcp.relay\r\n\u2502   \u251c\u2500\u2500 dynamic-clients\r\n\u2502   \u251c\u2500\u2500 example\r\n\u2502   \u251c\u2500\u2500 inner-tunnel\r\n\u2502   \u251c\u2500\u2500 originate-coa\r\n\u2502   \u251c\u2500\u2500 proxy-inner-tunnel\r\n\u2502   \u251c\u2500\u2500 robust-proxy-accounting\r\n\u2502   \u251c\u2500\u2500 soh\r\n\u2502   \u251c\u2500\u2500 status\r\n\u2502   \u251c\u2500\u2500 tls\r\n\u2502   \u251c\u2500\u2500 virtual.example.com\r\n\u2502   \u2514\u2500\u2500 vmps\r\n\u251c\u2500\u2500 
sites-enabled\r\n\u2502   \u251c\u2500\u2500 default -> ..\/sites-available\/default\r\n\u2502   \u2514\u2500\u2500 inner-tunnel -> ..\/sites-available\/inner-tunnel\r\n\u251c\u2500\u2500 templates.conf\r\n\u251c\u2500\u2500 trigger.conf\r\n\u2514\u2500\u2500 users -> .\/mods-config\/files\/authorize\r\n\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n\r\n<p>The layout of the FreeRADIUS configuration files is complicated, so for now this article only outlines the settings needed for this use case. We start with the files in the base &#8220;\/etc\/raddb&#8221; directory.<\/p>\r\n<br>\r\n<br>\r\n<pre><code class=\"language-Markup\" style=\"height: 600px;\">\r\ndrwxr-xr-x.   9 root radiusd  4096 Aug 10 18:18 .\r\ndrwxr-xr-x. 113 root root     8192 Aug 10 08:26 ..\r\n-rw-r-----    1 root radiusd 20807 Aug  7 21:00 README.rst\r\ndrwxrwx---.   2 root radiusd  4096 Aug 10 08:23 certs\r\n-rw-r-----    1 root radiusd 10413 May  6 19:00 clients.conf\r\n-rw-r--r--.   1 root radiusd  1440 Aug  7 21:00 dictionary\r\nlrwxrwxrwx.   1 root radiusd    30 Aug  7 21:00 hints -> .\/mods-config\/preprocess\/hints\r\nlrwxrwxrwx.   1 root radiusd    35 Aug  7 21:00 huntgroups -> .\/mods-config\/preprocess\/huntgroups\r\ndrwxr-x---.   2 root radiusd  4096 Aug 10 08:23 mods-available\r\ndrwxr-x---.   6 root radiusd    85 Aug 10 08:23 mods-config\r\ndrwxr-x---.   2 root radiusd  4096 Aug  7 21:00 mods-enabled\r\n-rw-r-----.   1 root radiusd    52 Aug  7 21:00 panic.gdb\r\ndrwxr-x---.   2 root radiusd   160 Aug  7 21:00 policy.d\r\n-rw-r-----.   1 root radiusd 29869 Aug  7 21:00 proxy.conf\r\n-rw-r-----    1 root radiusd 40712 Aug  7 21:00 radiusd.conf\r\ndrwxr-x---.   2 root radiusd  4096 Aug 10 08:23 sites-available\r\ndrwxr-x---.   2 root radiusd    41 Aug  7 21:00 sites-enabled\r\n-rw-r-----.   1 root radiusd  3470 Aug  7 21:00 templates.conf\r\n-rw-r-----.   1 root radiusd  8536 Aug  7 21:00 trigger.conf\r\nlrwxrwxrwx.   1 root radiusd    29 Aug  7 21:00 users -> .\/mods-config\/files\/authorize\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<h4>The &#8220;clients.conf&#8221; file<\/h4>\r\n<br>\r\n<p>The &#8220;clients.conf&#8221; file defines the clients that are allowed to access the RADIUS server (the various network devices that use RADIUS authentication, and so on). The RADIUS client and the RADIUS server use the client name (IP address) and the shared secret defined in this file to confirm to each other that they are an authorized client and server.<\/p>\r\n<br>\r\n<p>The stock &#8220;clients.conf&#8221; file carries many comments explaining the settings, but what you actually write in it is the localhost entry (used only for the initial functional test, and safest disabled once testing is finished) and the entries for the RADIUS clients that will really connect.<\/p>\r\n<br>\r\n<p>The shared secret (secret) in the localhost definition defaults to &#8220;testing123&#8221;, which everyone knows, so change it to a value of your own. Do not leave it at the default!!!<\/p>\r\n<br>\r\n<p>Some RADIUS clients restrict which characters or how many characters can be used, so the safe choice is a secret of moderate length made of ordinary printable characters (alphanumerics, special symbols and so on). In an organization you can register RADIUS clients (WiFi access points, network devices and so on) one by one, but it is more common to register them per network segment in which these clients are managed. With that approach, however, there is only a single shared secret, which is weak from a security standpoint, so where possible it is preferable to set a separate shared secret for each client.<\/p>\r\n<br>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\nclient localhost {\r\n    ipaddr = 127.0.0.1\r\n    secret = Hi32N0AkkoChan\r\n    nas_type = other \r\n}\r\nclient localhost_ipv6 {\r\n\tipv6addr\t= ::1\r\n\tsecret\t\t= Hi32N0AkkoChan\r\n}\r\n\r\nclient myAdminNetwork {\r\n    ipaddr = 192.168.xxx.0\/24\r\n    secret = This#is@TopSecre10\r\n    shortname = AdminNW    \r\n}\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<br>\r\n<h4>Configuring the &#8220;radiusd.conf&#8221; file<\/h4>\r\n<br>\r\n<p>The &#8220;radiusd.conf&#8221; file holds the general settings of the RADIUS server: the locations of the server's configuration files, logging behaviour, performance-related parameters and so on. For this use case the defaults cause no particular problem. Here, only some of the logging settings are changed.<\/p>\r\n<br>\r\n<p>During testing, log in as much detail as possible; once the server is in normal operation, take care to record as little as possible beyond information such as authentication errors.<\/p>\r\n<br>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\n#\r\n#  Logging section.  The various \"log_*\" configuration items\r\n#  will eventually be moved here.\r\n#\r\nlog {\r\n        #\r\n        #  Destination for log messages.  This can be one of:\r\n        #\r\n\r\n ...\r\n\r\n#========================================================================\r\n#       auth = no\r\n        auth = yes \r\n#       auth_reject = no\r\n        auth_reject = yes\r\n#       auth_badpass = no \r\n        auth_badpass = yes \r\n#       note: auth_badpass = yes writes rejected passwords to the log; set it back to \"no\" after testing\r\n#========================================================================\r\n \r\n ...\r\n\r\n#       suppress_secrets = no\r\n}\r\n\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<h4>EAP-PEAP settings<\/h4>\r\n<br>\r\n<p>With the settings so far, basic user authentication over the RADIUS protocol already works, but the main purpose of building this RADIUS server is to perform 802.1x authentication for wireless LAN APs and so strengthen security. 802.1x authentication is not limited to wireless LAN APs: most ordinary network switches support it as well, so it is an essential feature for network security.<\/p>\r\n<br>\r\n<p>802.1x authentication uses a protocol called EAP (Extensible Authentication Protocol), which has several well-known methods. This article uses the method called EAP-PEAP (Protected EAP). The reason for choosing EAP-PEAP is that at present it is supported by a wide range of devices such as PCs and smartphones and by network equipment, which makes it arguably the easiest EAP method to deploy.<\/p>\r\n<br>\r\n<p>In 802.1x authentication, the connection software on the device that joins the network and is authenticated (a PC, smartphone and so on) is called the supplicant, and the network equipment such as a wireless LAN AP or network switch is called the authenticator.<\/p>\r\n<br>\r\n\u3000\u3000\u3000\u3000\u3000Supplicant\u3000<==>  Authenticator <==>  Authentication Server 
(RADIUS)<br>\r\n<br>\r\n<p>PEAP is a simplified authentication method: the server is authenticated with a server certificate, while the client, instead of being authenticated with a certificate or the like, is authenticated with a user ID and password. Because authentication works without also placing a client certificate on the client as EAP-TLS does, the operating cost is relatively low and it is easy to deploy.<\/p>\r\n<br>\r\n<p>EAP-PEAP comes in several variants, dialects (quirks) such as MS-PEAP (<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc2759\" target=\"_blank\">MSCHAPv2<\/a>) promoted by Microsoft and Cisco's Cisco-PEAP (EAP-GTC), and compatibility between them is not necessarily guaranteed. For now we implement it with MS-PEAP (MSCHAPv2).<\/p>\r\n<br>\r\n<p>EAP-PEAP can be called one of the more versatile EAP methods, but from Windows 11 (22H2) and Windows Server 2025 onward a new security protection feature called <a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows\/security\/identity-protection\/credential-guard\/\" target=\"_blank\">&#8220;Credential Guard&#8221;<\/a> is being introduced, and it is said that this may cause problems for EAP-PEAP authentication. (Reference: <a href=\"https:\/\/www.netone.co.jp\/media\/detail\/20250417-01\/\" target=\"_blank\">&#8220;A note on Windows Credential Guard: sites that use PEAP for network authentication may need to be careful from now on&#8221;<\/a>)<\/p>\r\n<br>\r\n<p>The configuration files related to EAP-PEAP sit under two directories, &#8220;mods-available&#8221; and &#8220;mods-enabled&#8221;, but the actual configuration lives in two files, &#8220;mods-available\/mschap&#8221; and &#8220;mods-available\/eap&#8221;. The &#8220;mods-enabled&#8221; directory contains only symbolic links to the files under &#8220;mods-available&#8221;.<\/p>\r\n<br>\r\n\r\n<h4>Configuring the &#8220;mods-available\/eap&#8221; file<\/h4>\r\n<br>\r\n<p>This file holds the EAP settings. It runs to nearly 1000 lines in total, so only the places where settings are changed (or added) are shown.<\/p>\r\n<br>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\n\r\neap {\r\n\t#  Invoke the default supported EAP type when\r\n\t#  EAP-Identity response is received.\r\n\r\n\u3000\u3000...\r\n\r\n\t#\r\n#=========================================================================\r\n#\tdefault_eap_type = md5   [ change default_eap_type to PEAP ]            #line 27\r\n\tdefault_eap_type = PEAP \r\n#=========================================================================\r\n\r\n\u3000\u3000...\r\n\r\n\t#\r\n\ttls-config tls-common {\r\n\t\tprivate_key_password = whatever\r\n#=====================================================================  \r\n\t\tprivate_key_file = ${certdir}\/server.pem                     #line 185 \r\n#=====================================================================\r\n    ...\r\n#=====================================================================\r\n\t\tcertificate_file = ${certdir}\/server.pem                     #line 221 \r\n#=====================================================================\r\n    ...\r\n#=====================================================================\r\n\t\tca_file = ${cadir}\/ca.pem                                     #line 234 \r\n#=====================================================================\r\n\r\n   ...\r\n\r\n\t#  The tunneled EAP session needs a default EAP type\r\n\t#  which is separate from the one for the non-tunneled\r\n\t#  EAP module.  
Inside of the TLS\/PEAP tunnel, we\r\n\t#  recommend using EAP-MS-CHAPv2.\r\n\t#\r\n\tpeap {\r\n\t\t#  Which tls-config section the TLS negotiation parameters\r\n\t\t#  are in - see EAP-TLS above for an explanation.\r\n\t\t#\r\n\r\n    ...\r\n\t\t#  This will cache attributes for the final Access-Accept.\r\n\t\t#\r\n#==============================================================================\t\t\r\n#\t\tuse_tunneled_reply = no                                             #line 844\r\n\t\tuse_tunneled_reply = yes      # <===  setting that enables authenticated VLAN support (authenticated VLANs are explained separately)\r\n#==============================================================================\t\t\r\n\r\n   ...\r\n\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<p>In the \"mods-available\/eap\" file, default_eap_type is changed to PEAP. The certificate and private key files are placed under the same names as the defaults, so the certificate-related file settings need no particular change.<\/p>\r\n<br>\r\n<p>\"use_tunneled_reply\" on line 844 is changed from the default \"no\" to \"yes\". Changing \"use_tunneled_reply\" to \"yes\" is what allows the setup to support authenticated VLANs.<\/p>\r\n<br>\r\n<p>The \"mods-available\/mschap\" file holds the MSCHAP settings. The following three places\r\n<br>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\n\r\n#\r\n#  Microsoft CHAP authentication\r\n#\r\n#  This module supports MS-CHAP and MS-CHAPv2 authentication.\r\n#  It also enforces the SMB-Account-Ctrl attribute.\r\n#\r\nmschap {\r\n        #\r\n        #  If you are using \/etc\/smbpasswd, see the 'passwd'\r\n        #  module for an example of how to use \/etc\/smbpasswd\r\n        #\r\n\r\n  ...\r\n\r\n#================================================================\r\n#       use_mppe = no        [ changed to use_mppe = yes ]             #line  22\r\n        use_mppe = yes\r\n#================================================================\r\n\r\n  ...\r\n        #\r\n        #  If MPPE is enabled, require_encryption makes\r\n        #  encryption moderate\r\n        #\r\n#================================================================\r\n#       require_encryption = yes   [ enable require_encryption ]    #line 28\r\n        require_encryption = yes\r\n#================================================================\r\n\r\n        #\r\n        #  require_strong always requires 128 bit key\r\n        #  encryption\r\n        #\r\n#================================================================\r\n#       require_strong = yes     [ enable require_strong ]        #line 34\r\n        require_strong = yes\r\n#================================================================\r\n\r\n  ...\r\n\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<br>\r\n<h4>Testing that the RADIUS server works<\/h4>\r\n<br>\r\n<p>With \"radiusd.conf\", \"clients.conf\" and the EAP-PEAP configuration files written, we run a basic functional test of the RADIUS server.<\/p>\r\n<br>\r\n<p>First, start the RADIUS server in debug mode from the command line in a terminal console. When the server starts successfully with the \"-X\" option, it prints nearly 800 lines of debug messages and then, with the message \"Ready to process requests\", waits for RADIUS requests.<\/p>\r\n<br>\r\n<p>With the debug option \"-XX\", even more detailed debug messages are printed, so when some trouble occurs this is a good way to debug the RADIUS server.<\/p>\r\n<br>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\n\r\n[root@nsauth6 raddb]# which radiusd\r\n\/usr\/sbin\/radiusd\r\n\r\n[root@nsauth6 raddb]# \/usr\/sbin\/radiusd -X\r\nFreeRADIUS Version 3.2.7\r\nCopyright (C) 1999-2023 The FreeRADIUS server project and contributors\r\nThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A\r\nPARTICULAR PURPOSE\r\nYou may redistribute copies of FreeRADIUS under the terms of 
the\r\nGNU General Public License\r\nFor more information about these matters, see the file named COPYRIGHT\r\nStarting - reading configuration files ...\r\nincluding dictionary file \/usr\/share\/freeradius\/dictionary\r\nincluding dictionary file \/usr\/share\/freeradius\/dictionary.dhcp\r\n\r\n ...\r\n\r\nlisten {\r\n  \ttype = \"auth\"\r\n  \tipaddr = *\r\n  \tport = 18120\r\n}\r\nListening on auth address * port 1812 bound to server default\r\nListening on acct address * port 1813 bound to server default\r\nListening on auth address :: port 1812 bound to server default\r\nListening on acct address :: port 1813 bound to server default\r\nListening on auth address * port 18120 bound to server inner-tunnel\r\nListening on proxy address * port 34296\r\nListening on proxy address :: port 59292\r\nReady to process requests\r\n\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<p>In this state, open another terminal console on the RADIUS server and use the radtest command to run a local connection test against the RADIUS server. If the radtest command is not found, the \"freeradius-utils\" package has to be installed additionally. [  #dnf -y install freeradius-utils ] <\/p>\r\n<br>\r\n<p> The RADIUS account and password used with radtest are defined as a local test account in the \"\/etc\/raddb\/users\" file. This time we test with \"radtest007\". <br>\r\n<br>\r\n<br>\r\n<pre><code 
class=\"language-Markup\">\r\n\r\n  ...\r\n\r\nradtest007  Cleartext-Password := \"Hi32da4\"\r\n\t    Reply-Message := \"Welcome, %{User-Name}\"  \r\n\r\n#=========================================================================#\r\n#   Test user account for authenticated VLAN  \r\nvl100user  Auth-Type:=EAP, Cleartext-Password := \"ImVL100\"\r\n\tTunnel-Type = 13,\r\n\tTunnel-Medium-Type = 6,\r\n\tTunnel-Private-Group-Id = 100\r\n\r\nvl200user Auth-Type:=EAP, Cleartext-Password := \"ImVL200\"\r\n        Tunnel-Type = 13,\r\n        Tunnel-Medium-Type =6,\r\n        Tunnel-Private-Group-Id = 200\r\n#=========================================================================#\r\n\r\n<\/code>\r\n<\/pre>\r\n\r\n<br>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\n\r\n[root@nsauth6 raddb]# radtest  radtest007 Hi32da4  localhost  0 testing123\r\nSent Access-Request Id 32 from 0.0.0.0:48955 to 127.0.0.1:1812 length 80\r\n\tUser-Name = \"radtest007\"\r\n\tUser-Password = \"Hi32da4\"\r\n\tNAS-IP-Address = 172.25.100.6\r\n\tNAS-Port = 0\r\n\tMessage-Authenticator = 0x00\r\n\tCleartext-Password = \"Hi32da4\"\r\nReceived Access-Accept Id 32 from 127.0.0.1:1812 to 127.0.0.1:48955 length 59\r\n\tMessage-Authenticator = 0x64a0a5758eb3db98f7e3cbd8b43bccad\r\n\tReply-Message = \"Welcome, radtest007\"\r\n[root@nsauth6 raddb]# \r\n\r\n[root@nsauth6 raddb]# radtest  radtest007 badpass  localhost  0 testing123\r\nSent Access-Request Id 117 from 0.0.0.0:38494 to 127.0.0.1:1812 length 80\r\n\tUser-Name = \"radtest007\"\r\n\tUser-Password = \"badpass\"\r\n\tNAS-IP-Address = 172.25.100.6\r\n\tNAS-Port = 0\r\n\tMessage-Authenticator = 0x00\r\n\tCleartext-Password = \"badpass\"\r\nReceived Access-Reject Id 117 from 127.0.0.1:1812 to 127.0.0.1:38494 length 59\r\n\tMessage-Authenticator = 0x437c3a4b16bf6eedb0505c037f3fb99e\r\n\tReply-Message = \"Welcome, radtest007\"\r\n(0) -: Expected Access-Accept got Access-Reject\r\n[root@nsauth6 raddb]# 
\r\n\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<p>The radtest command parameters are given in the order  radtest  <userid> <password>  <IP>  <NAS port ID> <secret> . The value given for <NAS port ID> has to be an arbitrary (random) integer between 0 and 2^31; for this connection test it is simply set to \"0\".<\/p>\r\n<br>\r\n<p>In the first radtest, authentication passes and the result is \"Received Access-Accept\". In the second radtest a wrong password is given, so the result is \"Received Access-Reject\" and authentication fails.<\/p>\r\n<br>\r\n<p>Meanwhile, the debug messages on the RADIUS server side contain quite detailed logs about the RADIUS authentication, so they can serve as a strong clue when looking for the reason RADIUS authentication does not work.<\/p>\r\n<br>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\n(0) Received Access-Request Id 238 from 127.0.0.1:58457 to 127.0.0.1:1812 length 80\r\n(0)   Message-Authenticator = 0xec87379046735b3e793cd74e9d68746f\r\n(0)   User-Name = \"radtest007\"\r\n(0)   User-Password = \"Hi32da4\"\r\n(0)   NAS-IP-Address = 172.25.100.6\r\n(0)   NAS-Port = 0\r\n(0) # Executing section authorize from file 
\/etc\/raddb\/sites-enabled\/default\r\n(0)   authorize {\r\n(0)     policy filter_username {\r\n(0)       if (&User-Name) {\r\n(0)       if (&User-Name)  -> TRUE\r\n(0)       if (&User-Name)  {\r\n\r\n\u3000...\r\n\r\n(0) Found Auth-Type = PAP\r\n(0) # Executing group from file \/etc\/raddb\/sites-enabled\/default\r\n(0)   Auth-Type PAP {\r\n(0) pap: Login attempt with password\r\n(0) pap: Comparing with \"known good\" Cleartext-Password\r\n(0) pap: User authenticated successfully\r\n(0)     [pap] = ok\r\n(0)   } # Auth-Type PAP = ok\r\n(0) # Executing section post-auth from file \/etc\/raddb\/sites-enabled\/default\r\n(0)   post-auth {\r\n(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {\r\n(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE\r\n(0)     update {\r\n(0)       No attributes updated for RHS &session-state:\r\n(0)     } # update = noop\r\n(0)     [exec] = noop\r\n(0)     policy remove_reply_message_if_eap {\r\n(0)       if (&reply:EAP-Message && &reply:Reply-Message) {\r\n(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE\r\n(0)       else {\r\n(0)         [noop] = noop\r\n(0)       } # else = noop\r\n(0)     } # policy remove_reply_message_if_eap = noop\r\n(0)     if (EAP-Key-Name && &reply:EAP-Session-Id) {\r\n(0)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE\r\n(0)   } # post-auth = noop\r\n(0) Login OK: [radtest007\/Hi32da4] (from client localhost port 0)\r\n(0) Sent Access-Accept Id 238 from 127.0.0.1:1812 to 127.0.0.1:58457 length 59\r\n(0)   Reply-Message = \"Welcome, radtest007\"\r\n(0) Finished request\r\nWaking up in 4.9 seconds.\r\n(0) Cleaning up request packet ID 238 with timestamp +5 due to cleanup_delay was reached\r\nReady to process requests\r\n\r\n\u3000\uff0e\uff0e\uff0e\r\n\r\n(1) Found Auth-Type = PAP\r\n(1) # Executing group from file 
\/etc\/raddb\/sites-enabled\/default\r\n(1)   Auth-Type PAP {\r\n(1) pap: Login attempt with password\r\n(1) pap: Comparing with \"known good\" Cleartext-Password\r\n(1) pap: ERROR: Cleartext password does not match \"known good\" password\r\n(1) pap: Passwords don't match\r\n(1)     [pap] = reject\r\n(1)   } # Auth-Type PAP = reject\r\n(1) Failed to authenticate the user\r\n(1) Using Post-Auth-Type Reject\r\n(1) # Executing group from file \/etc\/raddb\/sites-enabled\/default\r\n(1)   Post-Auth-Type REJECT {\r\n(1) attr_filter.access_reject: EXPAND %{User-Name}\r\n(1) attr_filter.access_reject:    --> radtest007\r\n(1) attr_filter.access_reject: Matched entry DEFAULT at line 11\r\n(1)     [attr_filter.access_reject] = updated\r\n(1)     [eap] = noop\r\n(1)     policy remove_reply_message_if_eap {\r\n(1)       if (&reply:EAP-Message && &reply:Reply-Message) {\r\n(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE\r\n(1)       else {\r\n(1)         [noop] = noop\r\n(1)       } # else = noop\r\n(1)     } # policy remove_reply_message_if_eap = noop\r\n(1)   } # Post-Auth-Type REJECT = updated\r\n(1) Login incorrect (pap: Cleartext password does not match \"known good\" password): [radtest007\/badpass] (from client localhost port 0)\r\n(1) Delaying response for 1.000000 seconds\r\nWaking up in 0.3 seconds.\r\nWaking up in 0.6 seconds.\r\n(1) Sending delayed response\r\n(1) Sent Access-Reject Id 117 from 127.0.0.1:1812 to 127.0.0.1:38494 length 59\r\n(1)   Reply-Message = \"Welcome, radtest007\"\r\nWaking up in 3.9 seconds.\r\n(1) Cleaning up request packet ID 117 with timestamp +873 due to cleanup_delay was reached\r\nReady to process 
requests\r\n\r\n\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<br>\r\n<h4>Testing EAP-PEAP operation<\/h4>\r\n<br>\r\n<p>The radtest command was enough for a simple connection test against the RADIUS server, but with EAP authentication the client cannot communicate with the RADIUS server without going through fairly complex steps such as encrypting the communication channel. The radtest command cannot handle EAP authentication, so the connection test for EAP authentication has to be done with a different tool.<\/p>\r\n<br>\r\n<p>This time the tool \"eapol_test\" is used as the connection test tool for EAP authentication. On RedHat Enterprise Linux,\r\ninstalling the \"hostapd\" package installs the \"eapol_test\" utility. (Reference: <a href=\"https:\/\/docs.redhat.com\/ja\/documentation\/red_hat_enterprise_linux\/8\/html\/configuring_and_managing_networking\/proc_testing-eap-ttls-authentication-against-a-freeradius-server-or-authenticator_assembly_setting-up-an-802-1x-network-authentication-service-for-lan-clients-using-hostapd-with-freeradius-backend\" target=\"_blank\">\"34.5. 
Testing EAP-TTLS authentication against a FreeRADIUS server or authenticator\"<\/a>)\r\n<\/p>\r\n<br>\r\n<p>On AlmaLinux 9.6, installing the \"hostapd\" package did not install the \"eapol_test\" utility, so the wpa_supplicant package was installed separately, and that installed the \"eapol_test\" utility.<\/p>\r\n<br>\r\n<p>The package layout seems to differ between distributions, so installing the wpa_supplicant package appears to be the better choice.<\/p>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\n\r\n[root@ns7 ~]# cat \/etc\/os-release\r\nNAME=\"AlmaLinux\"\r\nVERSION=\"9.6 (Sage Margay)\"\r\nID=\"almalinux\"\r\nID_LIKE=\"rhel centos fedora\"\r\nVERSION_ID=\"9.6\"\r\nPLATFORM_ID=\"platform:el9\"\r\nPRETTY_NAME=\"AlmaLinux 9.6 (Sage Margay)\"\r\nANSI_COLOR=\"0;34\"\r\nLOGO=\"fedora-logo-icon\"\r\nCPE_NAME=\"cpe:\/o:almalinux:almalinux:9::baseos\"\r\nHOME_URL=\"https:\/\/almalinux.org\/\"\r\nDOCUMENTATION_URL=\"https:\/\/wiki.almalinux.org\/\"\r\nBUG_REPORT_URL=\"https:\/\/bugs.almalinux.org\/\"\r\n\r\nALMALINUX_MANTISBT_PROJECT=\"AlmaLinux-9\"\r\nALMALINUX_MANTISBT_PROJECT_VERSION=\"9.6\"\r\nREDHAT_SUPPORT_PRODUCT=\"AlmaLinux\"\r\nREDHAT_SUPPORT_PRODUCT_VERSION=\"9.6\"\r\nSUPPORT_END=2032-06-01\r\n\r\n[root@ns7 ~]# dnf install hostapd\r\nWarning: failed loading 
'\/etc\/yum.repos.d\/networkradius.repo', skipping.\r\nLast metadata expiration check: 4:20:11 ago on Tue Aug 12 03:37:53 2025.\r\nPackage hostapd-2.11-2.el9.x86_64 is already installed.\r\nDependencies resolved.\r\nNothing to do.\r\nComplete!\r\n\r\n[root@ns7 ~]# which eapol_test\r\n\/usr\/bin\/which: no eapol_test in (\/root\/.local\/bin:\/root\/bin:\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin)\r\n\r\n[root@ns7 ~]# dnf install  wpa_supplicant\r\nWarning: failed loading '\/etc\/yum.repos.d\/networkradius.repo', skipping.\r\nLast metadata expiration check: 4:21:24 ago on Tue Aug 12 03:37:53 2025.\r\nDependencies resolved.\r\n========================================================================================================================\r\n Package                         Architecture            Version                          Repository               Size\r\n========================================================================================================================\r\nInstalling:\r\n wpa_supplicant                  x86_64                  1:2.11-2.el9                     baseos                  1.7 M\r\n\r\nTransaction Summary\r\n========================================================================================================================\r\nInstall  1 Package\r\n\r\nTotal download size: 1.7 M\r\nInstalled size: 6.4 M\r\nIs this ok [y\/N]: y\r\nDownloading Packages:\r\nwpa_supplicant-2.11-2.el9.x86_64.rpm                                                    3.9 MB\/s | 1.7 MB     00:00    \r\n------------------------------------------------------------------------------------------------------------------------\r\nTotal                                                                                   1.7 MB\/s | 1.7 MB     00:01     \r\nRunning transaction check\r\nTransaction check succeeded.\r\nRunning transaction test\r\nTransaction test succeeded.\r\nRunning transaction\r\n  Preparing        :                          
                                                                      1\/1 \r\n  Installing       : wpa_supplicant-1:2.11-2.el9.x86_64                                                             1\/1 \r\n  Running scriptlet: wpa_supplicant-1:2.11-2.el9.x86_64                                                             1\/1 \r\n  Verifying        : wpa_supplicant-1:2.11-2.el9.x86_64                                                             1\/1 \r\n\r\nInstalled:\r\n  wpa_supplicant-1:2.11-2.el9.x86_64                                                                                    \r\n\r\nComplete!\r\n[root@ns7 ~]# which eapol_test\r\n\/usr\/sbin\/eapol_test\r\n[root@ns7 ~]# \r\n\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<p> The \"eapol_test\" utility also appears to be installed as one of the wpa_supplicant tools when the wpa_supplicant utility is installed. Depending on the Linux distribution, it may have to be compiled from source. In that case, on the CentOS 9 family, installing the packages below beforehand appears to make the compile succeed. (Reference: <a href=\"https:\/\/zenn.dev\/omochi_mochi2\/articles\/eapol_test_knowledge\" target=\"_blank\">\"[Solved] Got stuck testing RADIUS (eapol_test)\"<\/a>)<\/p>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\n\r\n\r\n[root@nsauth6 raddb]# dnf install openssl-devel libnl3-devel 
dbus-devel\u3000\r\nLast metadata expiration check: 2:04:17 ago on Mon Aug 11 19:32:13 2025.\r\nPackage openssl-devel-1:3.2.2-6.el9_5.1.x86_64 is already installed.\r\nDependencies resolved.\r\n====================================================================================================================================\r\n Package                         Architecture              Version                               Repository                    Size\r\n====================================================================================================================================\r\nInstalling:\r\n dbus-devel                      x86_64                    1:1.12.20-8.el9                       appstream                     33 k\r\n libnl3-devel                    x86_64                    3.11.0-1.el9                          appstream                     77 k\r\n\r\nTransaction Summary\r\n====================================================================================================================================\r\nInstall  2 Packages\r\n\r\nTotal download size: 110 k\r\nInstalled size: 444 k\r\nIs this ok [y\/N]: y\r\nDownloading Packages:\r\n(1\/2): dbus-devel-1.12.20-8.el9.x86_64.rpm                                                          1.1 MB\/s |  33 kB     00:00    \r\n(2\/2): libnl3-devel-3.11.0-1.el9.x86_64.rpm                                                         2.0 MB\/s |  77 kB     00:00    \r\n------------------------------------------------------------------------------------------------------------------------------------\r\nTotal                                                                                               182 kB\/s | 110 kB     00:00     \r\nRunning transaction check\r\nTransaction check succeeded.\r\nRunning transaction test\r\nTransaction test succeeded.\r\nRunning transaction\r\n  Preparing        :                                                                                                            
1\/1 \r\n  Installing       : libnl3-devel-3.11.0-1.el9.x86_64                                                                           1\/2 \r\n  Installing       : dbus-devel-1:1.12.20-8.el9.x86_64                                                                          2\/2 \r\n  Running scriptlet: dbus-devel-1:1.12.20-8.el9.x86_64                                                                          2\/2 \r\n  Verifying        : dbus-devel-1:1.12.20-8.el9.x86_64                                                                          1\/2 \r\n  Verifying        : libnl3-devel-3.11.0-1.el9.x86_64                                                                           2\/2 \r\n\r\nInstalled:\r\n  dbus-devel-1:1.12.20-8.el9.x86_64                                 libnl3-devel-3.11.0-1.el9.x86_64                                \r\n\r\nComplete!\r\n[root@nsauth6 raddb]# \r\n\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<h4> Remote test with eapol_test<\/h4>\r\n<br>\r\n<p>First, prepare a suitable directory for running eapol_test and create a configuration file there with a name such as \"peaptest.conf\". The file contents follow the test account entered in \"\/etc\/raddb\/users\" and are written as follows:<\/br>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\nnetwork={\r\n    key_mgmt=WPA-EAP\r\n    eap=PEAP\r\n    identity=\"radtest007\"\r\n    password=\"Hi32da4\"\r\n    phase2=\"autheap=MSCHAPV2\"\r\n    ca_cert=\"\/etc\/raddb\/certs\/ca.pem\"\r\n}\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<\/p>\r\n<br>\r\n<p>The eapol_test command parameters are given as 
eapol_test -a <RADIUS IP> -c <config file> -s <secret> . Because of the access permissions on the root certificate \"\/etc\/raddb\/certs\/ca.pem\", eapol_test is run as the root account or with sudo privileges.<\/p>\r\n<br>\r\n<br>\r\n<pre><code class=\"language-Markup\">\r\n[yasuaki@nsauth6 ~]$ sudo eapol_test -a 127.0.0.1 -c peaptest.conf -s testing123\r\nReading configuration file 'peaptest.conf'\r\nLine: 1 - start of a new network block\r\nkey_mgmt: 0x1\r\neap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00\r\nidentity - hexdump_ascii(len=10):\r\n     72 61 64 74 65 73 74 30 30 37                     radtest007      \r\npassword - hexdump_ascii(len=7):\r\n     48 69 33 32 64 61 34                              Hi32da4         \r\nphase2 - hexdump_ascii(len=16):\r\n     61 75 74 68 65 61 70 3d 4d 53 43 48 41 50 56 32   autheap=MSCHAPV2\r\nca_cert - hexdump_ascii(len=23):\r\n     2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73   \/etc\/raddb\/certs\r\n     2f 63 61 2e 70 65 6d                              \/ca.pem         \r\nPriority group 0\r\n   id=0 ssid=''\r\nAuthentication server 127.0.0.1:1812\r\nRADIUS local address: 127.0.0.1:45888\r\nENGINE: Loading builtin engines\r\nENGINE: Loading builtin engines\r\nEAPOL: SUPP_PAE entering state DISCONNECTED\r\nEAPOL: KEY_RX entering state NO_KEY_RECEIVE\r\nEAPOL: SUPP_BE entering state INITIALIZE\r\nEAP: EAP entering state DISABLED\r\nEAPOL: External notification - portValid=0\r\nEAPOL: External notification - portEnabled=1\r\nEAPOL: SUPP_PAE entering state CONNECTING\r\n\r\n  ...\r\n\r\nReceived RADIUS message\r\nRADIUS message: code=2 (Access-Accept) identifier=9 length=178\r\n   Attribute 80 (Message-Authenticator) length=18\r\n      Value: 3b5750ebe0fdb06e402fc04d4bf4320f\r\n   Attribute 1 
(User-Name) length=12\r\n      Value: 'radtest007'\r\n   Attribute 26 (Vendor-Specific) length=58\r\n      Value: 000001371134a472588d80d1f601b1165afeea5e7a0e680edffbcdc5c1ecbddc33c97ac402e81d7b70931f4caf207bab0ff1f9621340c7ac\r\n   Attribute 26 (Vendor-Specific) length=58\r\n      Value: 000001371034adc012c5f7fc7289c83c6379c1233a2990c8f2140e0742c3bd522a31268f72bb2a7bbf9ddc0f5e45c76e745e40915e2d8c4f\r\n   Attribute 79 (EAP-Message) length=6\r\n      Value: 03c50004\r\n   Attribute 12 (Framed-MTU) length=6\r\n      Value: 994\r\nSTA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec\r\n\r\nRADIUS packet matching with station\r\nMS-MPPE-Send-Key (sign) - hexdump(len=32): ed cf 55 a5 3b 68 32 80 1b 5b 73 a9 e7 fd 78 eb 27 19 27 b2 c4 3b 5d a8 04 bb e6 43 87 82 4f cc\r\nMS-MPPE-Recv-Key (crypt) - hexdump(len=32): 95 e9 25 61 ea 24 33 de 62 87 4a d4 f3 a1 e0 d0 88 73 e5 a4 c5 91 c8 19 50 4d bb a3 9b ad bf 85\r\ndecapsulated EAP packet (code=3 id=197 len=4) from RADIUS server: EAP Success\r\nEAPOL: Received EAP-Packet frame\r\nEAPOL: SUPP_BE entering state REQUEST\r\nEAPOL: getSuppRsp\r\nEAP: EAP entering state RECEIVED\r\nEAP: Received EAP-Success\r\nEAP: Status notification: completion (param=success)\r\nEAP: EAP entering state SUCCESS\r\nCTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully\r\nEAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required\r\nWPA: EAPOL processing complete\r\nCancelling authentication timeout\r\nState: DISCONNECTED -> COMPLETED\r\nEAPOL: SUPP_PAE entering state AUTHENTICATED\r\nEAPOL: SUPP_BE entering state RECEIVE\r\nEAPOL: SUPP_BE entering state SUCCESS\r\nEAPOL: SUPP_BE entering state IDLE\r\neapol_sm_cb: result=1\r\nEAPOL: Successfully fetched key (len=32)\r\nPMK from EAPOL - hexdump(len=32): 95 e9 25 61 ea 24 33 de 62 87 4a d4 f3 a1 e0 d0 88 73 e5 a4 c5 91 c8 19 50 4d bb a3 9b ad bf 85\r\nNo EAP-Key-Name received from server\r\nWPA: Clear old PMK and PTK\r\nEAP: 
deinitialize previously used EAP method (25, PEAP) at EAP deinit\r\nENGINE: engine deinit\r\nMPPE keys OK: 1  mismatch: 0\r\nSUCCESS\r\n[yasuaki@nsauth6 ~]$ \r\n\r\n<\/code>\r\n<\/pre>\r\n<br>\r\n<p>Nearly 1000 lines of messages are output, but if the last line shows \"SUCCESS\", authentication with EAP-PEAP has succeeded. (When authentication fails, the last line shows \"FAILURE\".)<\/p>\r\n<br>\r\n<p>With the settings so far, authentication with EAP-PEAP (MSCHAPv2) is now possible on the RADIUS server side, so the next step is to combine it with an 802.1x-capable wireless LAN AP or network switch and try a network connection that uses 802.1x authentication.<\/p>\r\n<br>\r\n\r\n","protected":false},"excerpt":{"rendered":"Now that a server certificate has been issued by the self-signed certificate authority, we add the settings for EAP-PEAP (MSCHAPV2) authentication to the RADIUS server.","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[13],"tags":[989,990,986],"class_list":["post-10577","post","type-post","status-publish","format-standard","hentr
y","category-sysadmin","tag-aruba-ap","tag-eap-peap","tag-freeradius"],"_links":{"self":[{"href":"https:\/\/y2tech.net\/blog\/wp-json\/wp\/v2\/posts\/10577","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/y2tech.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/y2tech.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/y2tech.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/y2tech.net\/blog\/wp-json\/wp\/v2\/comments?post=10577"}],"version-history":[{"count":2,"href":"https:\/\/y2tech.net\/blog\/wp-json\/wp\/v2\/posts\/10577\/revisions"}],"predecessor-version":[{"id":11305,"href":"https:\/\/y2tech.net\/blog\/wp-json\/wp\/v2\/posts\/10577\/revisions\/11305"}],"wp:attachment":[{"href":"https:\/\/y2tech.net\/blog\/wp-json\/wp\/v2\/media?parent=10577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/y2tech.net\/blog\/wp-json\/wp\/v2\/categories?post=10577"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/y2tech.net\/blog\/wp-json\/wp\/v2\/tags?post=10577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}