Linux freeradius server
浏览数:199 /
时间:2015年06月20日
远程认证拨号用户服务(Remote Authentication Dial In User Service, RADIUS)是在网络访问服务器(Network Access Server, NAS)和集中存放认证信息的Radius服务器之间传输认证,授权和配置的协议,其client端多为通过拨号方式实现的NAS,主要用来将用户信息传递给服务器,RADIUS服务器则对用户进行认证,返回配置信息,在两端之间通信包括接入认证和计费请求
freeradius软件获取
freeradius软件获取
[root@Alicia ~]# cd /usr/local/src/
[root@Alicia src]# wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.6.tar.gz
--14:09:11-- ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.6.tar.gz
=> `freeradius-server-3.0.6.tar.gz‘
Resolving ftp.freeradius.org... 195.154.231.44
Connecting to ftp.freeradius.org|195.154.231.44|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD /pub/freeradius ... done.
==> SIZE freeradius-server-3.0.6.tar.gz ... 4555887
==> PASV ... done. ==> RETR freeradius-server-3.0.6.tar.gz ... done.
Length: 4555887 (4.3M)
100%[=======================================>] 4,555,887 9.25K/s in 7m 55s
14:17:13 (9.36 KB/s) - `freeradius-server-3.0.6.tar.gz‘ saved [4555887]
[root@Alicia src]./configure --prefix=/usr/local/radius/
[root@Alicia src] make
[root@Alicia src]make install
test by myself to verify free-radius installed successfully
[root@Alicia radius]# sbin/radiusd -X Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/radius/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests.基于mysql的radius开始进行关联
[root@Alicia ~] yum install mysql-server
[root@Alicia ~] yum install mysql-devel
[root@Alicia ~]# service mysqld restart
Stopping mysqld: [ OK ]
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password ‘new-password‘
/usr/bin/mysqladmin -u root -h Alicia password ‘new-password‘
Alternatively you can run:
/usr/bin/mysql_secure_installation
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
See the manual for more instructions.
You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &
You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl
Please report any problems with the /usr/bin/mysqlbug script!
The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
[ OK ]
Starting mysqld: [ OK ] 设置mysql账号root/password
[root@Alicia ~]# mysqladmin -u root password ‘password‘ [root@Alicia ~]# mysql -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 3 Server version: 5.0.95 Source distribution Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement. mysql >在mysql中增加相关表项和记录
mysql> create database radius; Query OK, 1 row affected (0.03 sec) [root@Alicia radius]# cd /usr/local/radius/etc/raddb/sql/mysql/ [root@Alicia mysql]# mysql -u root -p radius < ./schema.sql Enter password: [root@Alicia mysql]# mysql -u root -p radius < ./nas.sql Enter password: [root@Alicia mysql]# mysql -u root -p Enter password: mysql> use radius; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> showtables; ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘showtables‘ at line 1 mysql> show tables; +------------------+ | Tables_in_radius | +------------------+ | nas | | radacct | | radcheck | | radgroupcheck | | radgroupreply | | radpostauth | | radreply | | radusergroup | +------------------+ 8 rows in set (0.00 sec)配置freeradiusmysql> insert into radcheck(username,attribute,op,value) values(‘alicia‘,‘User-Password‘,‘:=‘,‘password‘); Query OK, 1 row affected (0.00 sec) mysql> insert into radcheck(username,attribute,op,value) values(‘Samsun‘,‘User-Password‘,‘:=‘,‘password‘); Query OK, 1 row affected (0.00 sec) mysql> insert into radcheck(username,attribute,op,value) values(‘Laffan‘,‘User-Password‘,‘:=‘,‘password‘); Query OK, 1 row affected (0.00 sec) mysql> insert into radcheck(username,attribute,op,value) values(‘Julia‘,‘User-Password‘,‘:=‘,‘password‘); Query OK, 1 row affected (0.00 sec) mysql> insert into radusergroup(username,groupname) values(‘Samsun‘,‘qa‘) -> ; Query OK, 1 row affected (0.00 sec) mysql> insert into radusergroup(username,groupname) values(‘alicia‘,‘qa‘) -> ; Query OK, 1 row affected (0.00 sec) mysql> insert into radusergroup(username,groupname) values(‘Laffan‘,‘rd‘); Query OK, 1 row affected (0.00 sec) mysql> insert into radusergroup(username,groupname) values(‘Julia‘,‘rd‘); Query OK, 1 row affected (0.00 sec)
177 line uncomment sql
170 line comment files
406 line uncomment sql
[root@Alicia mysql]# vi /usr/local/radius/etc/raddb/sites-enabled/default
authorize {
chap
mschap
suffix
eap
170 # files
177 sql
pap
}
accounting {
detail
unix
radutmp
406 sql
}
[root@Alicia mysql]# vi /usr/local/radius/etc/raddb/sql.conf
22 sql {
23 #
24 # Set the database to one of:
25 #
26 # mysql, mssql, oracle, postgresql
27 #
28 database = "mysql"
29
30 #
31 # Which FreeRADIUS driver to use.
32 #
33 driver = "rlm_sql_${database}"
34
35 # Connection info:
36 server = "localhost"
37 #port = 3306
38 login = "root"
39 password = "password"
40
41 # Database table configuration for everything except Oracle
42 radius_db = "radius"
[root@Alicia mysql]# vi /usr/local/radius/etc/raddb/clients.conf
236 client 127.0.0.1 {
237 secret = password
238 shortname = localhost
239 nastype = other
240 }
241
242 client 10.8.117.45 {
243 secret = password
244 shortname = localhost
245 nastype = other
246 }
247 client 10.219.128.19 {
248 secret = password
249 shortname = localhost
250 nastype = other
251 }
[root@Alicia mysql]# vi /usr/local/radius/etc/raddb/radiusd.conf
731 $INCLUDE ${confdir}/modules/
732
733 # Extensible Authentication Protocol
734 #
735 # For all EAP related authentications.
736 # Now in another file, because it is very large.
737 #
738 $INCLUDE eap.conf
739
740 # Include another file that has the SQL-related configuration.
741 # This is another file only because it tends to be big.
742 #
743 $INCLUDE sql.conf //uncomment 启动server端radius
[root@Alicia radius]# sbin/radiusd -X Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory Make sure it (and all its dependent libraries!) are in the search path of your system‘s ld. /usr/local/radius/etc/raddb/sql.conf[22]: Instantiation failed for module "sql" /usr/local/radius/etc/raddb/sites-enabled/default[177]: Failed to find "sql" in the "modules" section. /usr/local/radius/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section. 加载sql失败 [root@Alicia sbin]# cd /usr/local/src/freeradius-server-2.2.6/src/modules/rlm_sql/drivers/rlm_sql_mysql/ [root@Alicia rlm_sql_mysql]# ./configure --with-dir=/usr/share/mysql/ --with-mysql-lib=/usr/lib/mysql/ [root@Alicia rlm_sql_mysql]# make [root@Alicia src]# cd /usr/local/radius/ [root@Alicia radius]# cd sbin/ [root@Alicia sbin]# ./radiusd -X Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/radius/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests.client端测试
[root@ding ~]# echo "User-Name = Samsun, User-Password=password" | /usr/local/bin/radclient 10.8.118.100:1812 auth password Received response ID 58, code 2, length = 20
server log:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/radius/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.8.116.8 port 51222, id=58, length=46
User-Name = "Samsun"
User-Password = "password"
# Executing section authorize from file /usr/local/radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No ‘@‘ in User-Name = "Samsun", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[sql] expand: %{User-Name} -> Samsun
[sql] sql_set_user escaped user --> ‘Samsun‘
rlm_sql (sql): Reserving sql socket id: 31
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = ‘%{SQL-User-Name}‘ ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ‘Samsun‘ ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = ‘%{SQL-User-Name}‘ ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = ‘Samsun‘ ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = ‘%{SQL-User-Name}‘ ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = ‘Samsun‘ ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = ‘%{Sql-Group}‘ ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = ‘qa‘ ORDER BY id
[sql] User found in group qa
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = ‘%{Sql-Group}‘ ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = ‘qa‘ ORDER BY id
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /usr/local/radius/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 58 to 10.8.116.8 port 51222
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 58 with timestamp +789
Ready to process requests. client端alicia测试
[root@ding ~]# radtest alicia password 10.8.118.100:1812 0 password
Sending Access-Request of id 153 to 10.8.118.100 port 1812
User-Name = "alicia"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 10.8.118.100 port 1812, id=153, length=20
server log:
rad_recv: Access-Request packet from host 10.8.116.8 port 40531, id=153, length=76
User-Name = "alicia"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x65dc0b64af155a18136889edeaea43a5
# Executing section authorize from file /usr/local/radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No ‘@‘ in User-Name = "alicia", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[sql] expand: %{User-Name} -> alicia
[sql] sql_set_user escaped user --> ‘alicia‘
rlm_sql (sql): Reserving sql socket id: 29
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = ‘%{SQL-User-Name}‘ ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ‘alicia‘ ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = ‘%{SQL-User-Name}‘ ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = ‘alicia‘ ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = ‘%{SQL-User-Name}‘ ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = ‘alicia‘ ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = ‘%{Sql-Group}‘ ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = ‘qa‘ ORDER BY id
[sql] User found in group qa
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = ‘%{Sql-Group}‘ ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = ‘qa‘ ORDER BY id
rlm_sql (sql): Released sql socket id: 29
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /usr/local/radius/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 153 to 10.8.116.8 port 40531
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 153 with timestamp +998
Ready to process requests.
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。
