分类: LINUX
2008-05-05 16:38:51
RADIUS( Remote Access Dial In User Service) Protocol主要用来提供认证(Authentication)机制,用来辨认使用者的身份与密码,确认通过之后,经由授权(Authorization)使用者登入网域使用相关资源,并可提供计费(Accounting)机制,保存使用者的网络使用记录。Radius协议详细介绍可参见RFC2865,RFC2866。 FreeRadius是一款OpenSource软件,基于Radius协议,实现Radius AAA(Authentication,Authorization,Accounting)功能。
本地文件 本地DB/DBM数据库 LDAP 数据库 本地可执行程序(比如一个CGI程序)
计费数据能被同步记录到不同的数据库。以下的计费记录方法都是FreeRADIUS支持的:
Turbolinux GTES10.5安装光盘中已包含freeradius-1.0.1-2.2.i386.rpm,下面将以freeradius和MySQL的应用方案为例进行安装说明:
# rpm –ivh freeradius-1.0.1-2.2.i386.rpm
进入MySQL数据库,创建名称为radius的数据库:
# mysql -uroot -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 18 Server version: 5.1.17-beta-log MySQL Community Server (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database radius
编辑/usr/share/doc/freeradius-1.0.1/db_mysql.sql,去掉nas建表脚本中的id 字段定义中,去掉 default ‘0’ 字符。
# mysql -uroot radius < /usr/share/doc/freeradius-1.0.1/db_mysql.sql
/etc/raddb/radiusd.conf
Radiusd.conf是freeradius的主要配置文件,包括了下面主要配置内容: 安全配置
security {
max_attributes = 200 /*允许一个Radius包中包含的属性数量
/*0表示允许任意数量的属性
reject_delay = 1 /*回复Access-Reject包延时时间(1-5)
/*0表示马上送Access-Reject包
status_server = no /*是否开启Status-Server请求应答功能
}
线程池配置
thread pool {
start_servers = 5 /*Radius Server启动时运行线程的数量
max_servers = 32 /*运行时最大允许启动线程的数量
min_spare_servers = 3 /*备用Server最低阀值
max_spare_servers = 10 /*备用Server最高阀值
max_requests_per_server = 0 /*每个线程处理的最大请求数,达到该请求
/*数后,该线程会退出,0表示不退出
}
初始化模块启动配置
authorize {
Preprocess /*预处理模块
Chap /*chap认证处理模块
Mschap /*mschap认证处理模块
Sql /*读取数据库中的用户进行认证
}/etc/raddb/clients.conf
下面配置是以本机作为NAS,进行配置。
client 127.0.0.1 {
secret = testing123 /*NAS与Freeradius之间通讯的密钥。
shortname = localhost /*NAS名称
nastype = other /*NAS类型
}
/etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql" /*使用的数据库类型,当前表示MySQL
server = "127.0.0.1" /*数据库服务器地址
login = "root" /*连接数据库使用的用户名
password = "" /*连接数据库的密码
radius_db = "radius" /*数据库名称 acct_table1 = "radacct" /*计费开始时写记录到此表
acct_table2 = "radacct" /*计费结束时写记录到此表num_sql_socks = 5 /*启动数据库连接数量 . . . }
在数据库中添加用户test,密码,123456,通过freeradius对该用户进行认证。
Insert into radcheck (username,attribute,op,value) values ('test','User-Password','==','123456');
使用下面指令启动freeradius server
# radiusd –xx (-xx表示启动debug模式)
使用freeradius自带客户端测试程序radtest作为客户端进行测试
# radtest test 123456 localhost 0 testing123
Sending Access-Request of id 48 to 127.0.0.1:1812
User-Name = "test"
User-Password = "123456"
NAS-IP-Address = turbo200
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=48, length=20
Freeradius Server端显示LOG信息如下:
Thread 1 got semaphore
Thread 1 handling request 10, (3 handled so far)
User-Name = "test"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
modcall[authorize]: module "chap" returns noop for request 10
modcall[authorize]: module "mschap" returns noop for request 10
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 10
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 10
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 10
modcall: group authorize returns ok for request 10
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 48 to 127.0.0.1:32769
Finished request 10
Going to the next request
Thread 1 waiting to be assigned a request