Linux freeradius server

Remote Authentication Dial In User Service (RADIUS) is a protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS) and a central RADIUS server that holds the authentication data. The client side is usually a NAS reached by dial-up; it passes the user's information to the server, and the RADIUS server authenticates the user and returns configuration information. Traffic between the two ends consists of access-authentication and accounting requests.
Obtaining the freeradius software
[root@Alicia ~]# cd /usr/local/src/
[root@Alicia src]# wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.6.tar.gz 
--14:09:11--  ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.6.tar.gz
           => `freeradius-server-3.0.6.tar.gz'
Resolving ftp.freeradius.org... 195.154.231.44
Connecting to ftp.freeradius.org|195.154.231.44|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/freeradius ... done.
==> SIZE freeradius-server-3.0.6.tar.gz ... 4555887
==> PASV ... done.    ==> RETR freeradius-server-3.0.6.tar.gz ... done.
Length: 4555887 (4.3M)

100%[=======================================>] 4,555,887   9.25K/s   in 7m 55s 

14:17:13 (9.36 KB/s) - `freeradius-server-3.0.6.tar.gz' saved [4555887]
[root@Alicia src]# ./configure --prefix=/usr/local/radius/
[root@Alicia src]# make
[root@Alicia src]# make install

Testing by myself to verify that freeradius installed successfully (radiusd -X runs the server in the foreground in debug mode)

[root@Alicia radius]# sbin/radiusd -X
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/radius/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
Connecting radius to MySQL

[root@Alicia ~] yum install mysql-server
[root@Alicia ~] yum install mysql-devel
[root@Alicia ~]# service mysqld restart
Stopping mysqld:                                           [  OK  ]
Initializing MySQL database:  Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h Alicia password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
                                                           [  OK  ]
Starting mysqld:                                           [  OK  ]
Set the mysql root account password (root/password)

[root@Alicia ~]# mysqladmin -u root password 'password'
[root@Alicia ~]# mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.95 Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql >
Add the tables and records in mysql

mysql> create database radius;
Query OK, 1 row affected (0.03 sec)
[root@Alicia radius]# cd /usr/local/radius/etc/raddb/sql/mysql/
[root@Alicia mysql]# mysql -u root -p radius < ./schema.sql
Enter password: 
[root@Alicia mysql]# mysql -u root -p radius < ./nas.sql
Enter password: 
[root@Alicia mysql]# mysql -u root -p 
Enter password: 
mysql> use radius;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> showtables;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘showtables‘ at line 1
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas              | 
| radacct          | 
| radcheck         | 
| radgroupcheck    | 
| radgroupreply    | 
| radpostauth      | 
| radreply         | 
| radusergroup     | 
+------------------+
8 rows in set (0.00 sec)

mysql> insert into radcheck(username,attribute,op,value) values('alicia','User-Password',':=','password');
Query OK, 1 row affected (0.00 sec)
mysql> insert into radcheck(username,attribute,op,value) values('Samsun','User-Password',':=','password');
Query OK, 1 row affected (0.00 sec)
mysql> insert into radcheck(username,attribute,op,value) values('Laffan','User-Password',':=','password');
Query OK, 1 row affected (0.00 sec)
mysql> insert into radcheck(username,attribute,op,value) values('Julia','User-Password',':=','password');
Query OK, 1 row affected (0.00 sec)
mysql> insert into radusergroup(username,groupname) values('Samsun','qa')
    -> ;
Query OK, 1 row affected (0.00 sec)
mysql> insert into radusergroup(username,groupname) values('alicia','qa')
    -> ;
Query OK, 1 row affected (0.00 sec)
mysql> insert into radusergroup(username,groupname) values('Laffan','rd');
Query OK, 1 row affected (0.00 sec)
mysql> insert into radusergroup(username,groupname) values('Julia','rd');
Query OK, 1 row affected (0.00 sec)
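The rows above are what rlm_sql reads in the authorize section. The following is an added example, not part of the original post or of FreeRADIUS: it rebuilds a cut-down copy of the radcheck, radusergroup and radgroupcheck tables in an in-memory SQLite database (assumption: only the columns the authorize queries in the debug log below actually read), loads the same users, and runs the same lookup order the server log shows, then decides the PAP check the way rlm_pap does. The rows store Cleartext-Password rather than User-Password, which is what the server's "Replacing User-Password ... with Cleartext-Password" warning asks for; one user keeps the page's User-Password form to show the rewrite, and one uses SHA-Password (assumption: hex-encoded SHA-1) to show the server never needs the clear text. All names and rows are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Cut-down version of the page's schema.sql (assumption: only the columns the
# authorize queries read; ids are kept because the real queries ORDER BY id).
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# Constructed rows mirroring the page's users (all use the := op as on the page).
ROWS = [
    ("alicia", "Cleartext-Password", ":=", "password"),
    ("Samsun", "User-Password", ":=", "password"),   # legacy form the page uses
    ("Laffan", "SHA-Password", ":=", hashlib.sha1(b"password").hexdigest()),
]
GROUPS = [("alicia", "qa"), ("Samsun", "qa"), ("Laffan", "rd"), ("Julia", "rd")]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radcheck(username, attribute, op, value) VALUES (?, ?, ?, ?)", ROWS)
    conn.executemany("INSERT INTO radusergroup(username, groupname) VALUES (?, ?)", GROUPS)
    return conn


def authorize(conn, username):
    """Same order as the [sql] lines in the debug log: radcheck, then
    radusergroup, then radgroupcheck for each group. Bound parameters do
    what rlm_sql's escaping of %{SQL-User-Name} does: the name is data."""
    rows = conn.execute(
        "SELECT attribute, value FROM radcheck WHERE username = ? ORDER BY id", (username,)
    ).fetchall()
    check = {attribute: value for attribute, value in rows}
    groups = [g for (g,) in conn.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority", (username,))]
    for g in groups:
        for attribute, value in conn.execute(
                "SELECT attribute, value FROM radgroupcheck WHERE groupname = ? ORDER BY id", (g,)):
            check.setdefault(attribute, value)   # per-user rows win over group rows
    return {"found": bool(rows), "groups": groups, "check": check}


def pap_authenticate(check, given):
    """What rlm_pap does with the check items: use Cleartext-Password, map the
    legacy User-Password item onto it (the page's log shows this rewrite), or
    compare a stored hash. Returns (accepted, warnings)."""
    warnings = []
    check = dict(check)
    if "User-Password" in check and "Cleartext-Password" not in check:
        warnings.append("User-Password found in check items; store Cleartext-Password instead")
        check["Cleartext-Password"] = check["User-Password"]
    if "Cleartext-Password" in check:
        return hmac.compare_digest(check["Cleartext-Password"].encode(), given.encode()), warnings
    if "SHA-Password" in check:   # assumption: hex-encoded SHA-1 digest
        digest = hashlib.sha1(given.encode()).hexdigest()
        return hmac.compare_digest(check["SHA-Password"], digest), warnings
    return False, warnings + ["no usable password item; PAP cannot authenticate this user"]


if __name__ == "__main__":
    db = open_db()
    for user in ("alicia", "Samsun", "Laffan", "Julia"):
        result = authorize(db, user)
        print(user, result["groups"], pap_authenticate(result["check"], "password"))
```

A username that is not in radcheck (Julia above) still resolves a group, which is exactly why the debug log prints "User found in radcheck table" separately from "User found in group qa": the two lookups are independent, and an account with group membership but no check items cannot pass PAP.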

Configure freeradius

In sites-enabled/default: line 177, uncomment sql; line 170, comment out files; line 406, uncomment sql.
[root@Alicia mysql]# vi /usr/local/radius/etc/raddb/sites-enabled/default
authorize {
	chap
	mschap
	suffix
	eap
170	#files
177	sql
	pap
}
accounting {
	detail
	unix
	radutmp
406	sql
}
[root@Alicia mysql]# vi /usr/local/radius/etc/raddb/sql.conf 
 22 sql {
 23     #
 24     #  Set the database to one of:
 25     #
 26     #   mysql, mssql, oracle, postgresql
 27     #
 28     database = "mysql"
 29 
 30     #
 31     #  Which FreeRADIUS driver to use.
 32     #
 33     driver = "rlm_sql_${database}"
 34 
 35     # Connection info:
 36     server = "localhost"
 37     #port = 3306
 38     login = "root"
 39     password = "password"
 40 
 41     # Database table configuration for everything except Oracle
 42     radius_db = "radius"
[root@Alicia mysql]# vi /usr/local/radius/etc/raddb/clients.conf 
236 client 127.0.0.1 {
237     secret = password
238     shortname = localhost
239     nastype = other
240 }
241 
242 client 10.8.117.45 {
243     secret = password
244     shortname = localhost
245     nastype = other
246 }
247 client 10.219.128.19 {
248     secret = password
249     shortname = localhost
250     nastype = other
251 }   
[root@Alicia mysql]# vi /usr/local/radius/etc/raddb/radiusd.conf 
731     $INCLUDE ${confdir}/modules/
732 
733     #  Extensible Authentication Protocol
734     #
735     #  For all EAP related authentications.
736     #  Now in another file, because it is very large.
737     #
738     $INCLUDE eap.conf
739 
740     #  Include another file that has the SQL-related configuration.
741     #  This is another file only because it tends to be big.
742     #
743     $INCLUDE sql.conf                                       //uncomment
Start the radius server

[root@Alicia radius]# sbin/radiusd -X
Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
/usr/local/radius/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
/usr/local/radius/etc/raddb/sites-enabled/default[177]: Failed to find "sql" in the "modules" section.
/usr/local/radius/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section. 
Loading the sql module failed: the rlm_sql_mysql driver was not built, so build it against the MySQL headers and libraries and start again
[root@Alicia sbin]# cd /usr/local/src/freeradius-server-2.2.6/src/modules/rlm_sql/drivers/rlm_sql_mysql/
[root@Alicia rlm_sql_mysql]# ./configure --with-dir=/usr/share/mysql/ --with-mysql-lib=/usr/lib/mysql/
[root@Alicia rlm_sql_mysql]# make
[root@Alicia src]# cd /usr/local/radius/
[root@Alicia radius]# cd sbin/
[root@Alicia sbin]# ./radiusd  -X
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/radius/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
Client-side test

[root@ding ~]# echo "User-Name = Samsun, User-Password=password" | /usr/local/bin/radclient 10.8.118.100:1812 auth password
Received response ID 58, code 2, length = 20
server log:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/radius/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.8.116.8 port 51222, id=58, length=46
        User-Name = "Samsun"
        User-Password = "password"
# Executing section authorize from file /usr/local/radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No ‘@‘ in User-Name = "Samsun", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[sql]   expand: %{User-Name} -> Samsun
[sql] sql_set_user escaped user --> ‘Samsun‘
rlm_sql (sql): Reserving sql socket id: 31
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = ‘%{SQL-User-Name}‘           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = ‘Samsun‘           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = ‘%{SQL-User-Name}‘           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = ‘Samsun‘           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = ‘%{SQL-User-Name}‘           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = ‘Samsun‘           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = ‘%{Sql-Group}‘           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = ‘qa‘           ORDER BY id
[sql] User found in group qa
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = ‘%{Sql-Group}‘           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = ‘qa‘           ORDER BY id
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /usr/local/radius/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 58 to 10.8.116.8 port 51222
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 58 with timestamp +789
Ready to process requests.
Client-side test with alicia (radtest sends a Message-Authenticator, which it prints zeroed before computing it)

[root@ding ~]# radtest alicia password 10.8.118.100:1812 0 password       
Sending Access-Request of id 153 to 10.8.118.100 port 1812
        User-Name = "alicia"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 10.8.118.100 port 1812, id=153, length=20
server log:
rad_recv: Access-Request packet from host 10.8.116.8 port 40531, id=153, length=76
        User-Name = "alicia"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x65dc0b64af155a18136889edeaea43a5
# Executing section authorize from file /usr/local/radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No ‘@‘ in User-Name = "alicia", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[sql]   expand: %{User-Name} -> alicia
[sql] sql_set_user escaped user --> ‘alicia‘
rlm_sql (sql): Reserving sql socket id: 29
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = ‘%{SQL-User-Name}‘           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = ‘alicia‘           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = ‘%{SQL-User-Name}‘           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = ‘alicia‘           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = ‘%{SQL-User-Name}‘           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = ‘alicia‘           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = ‘%{Sql-Group}‘           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = ‘qa‘           ORDER BY id
[sql] User found in group qa
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = ‘%{Sql-Group}‘           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = ‘qa‘           ORDER BY id
rlm_sql (sql): Released sql socket id: 29
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /usr/local/radius/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 153 to 10.8.116.8 port 40531
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 153 with timestamp +998
Ready to process requests.
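The exchange traced above, both the PAP request (RADIUS as described at the top of the post) and the Message-Authenticator that radtest prints as zeros and the server log shows filled in, as an added example that is not part of the original post or of FreeRADIUS. It runs client and server in one process: the client hides User-Password per RFC 2865 (MD5 of the shared secret and the Request Authenticator, XORed block by block), attaches an HMAC-MD5 Message-Authenticator per RFC 2869, and the server reverses the hiding with the same secret, checks the password against a stand-in for the radcheck rows, and answers with a Response Authenticator the client verifies. The shared secret is the one the page puts in clients.conf; the user table and the Request Authenticator are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80

SHARED_SECRET = b"password"                      # secret from the page's clients.conf
RADCHECK = {"Samsun": b"password", "alicia": b"password"}   # constructed stand-in for radcheck


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator. Only the secret protects it."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server needs the same secret to undo it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(type_, value):
    return struct.pack("!BB", type_, len(value) + 2) + value


def parse_attrs(pkt):
    found, pos = {}, 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        found[t] = pkt[pos + 2:pos + length]
        pos += length
    return found


def build_access_request(ident, username, password, secret, request_auth):
    body = attr(ATTR_USER_NAME, username)
    body += attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    body += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # zero placeholder, as radtest prints it
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the placeholder still zero.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def message_authenticator_ok(pkt, secret):
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += max(length, 2)
    return False


def build_response(code, ident, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes, length 20 as in the log
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def server_handle(pkt, secret, radcheck):
    code, ident, _ = struct.unpack("!BBH", pkt[:4])
    request_auth = pkt[4:20]
    try:
        if code != ACCESS_REQUEST or not message_authenticator_ok(pkt, secret):
            return None                  # silently discarded, as RFC 2869 requires
        attrs = parse_attrs(pkt)
    except ValueError:
        return None
    stored = radcheck.get(attrs.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = stored is not None and hmac.compare_digest(stored, given)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def response_ok(resp, request_auth, secret):
    header, resp_auth, body = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def run_exchange(username, password, client_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Returns the response code (2 = Access-Accept, 3 = Access-Reject), or None
    when either side discards the packet because the secrets do not match."""
    request_auth = os.urandom(16)
    req = build_access_request(58, username.encode(), password, client_secret, request_auth)
    resp = server_handle(req, server_secret, RADCHECK)
    if resp is None or not response_ok(resp, request_auth, client_secret):
        return None
    return resp[0]


if __name__ == "__main__":
    print("Samsun/password ->", run_exchange("Samsun", b"password"))   # 2, as "code 2" in the page
```

With matching secrets the result is code 2, the "Received response ID 58, code 2, length = 20" line from the radclient test; with a mismatched secret the server cannot validate the Message-Authenticator and drops the request, which on the real server shows up as a timeout on the client rather than a reject.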

At this point radius is set up and basic user authentication works.