Category: System Operations
2013-04-01 13:59:44
1、Install FreeRADIUS via CVS
[root@centos5 ~]# yum install cvs
[root@centos5 ~]# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source login
Logging in to :pserver:anoncvs@cvs.freeradius.org:2401/source
CVS password: anoncvs
[root@centos5 ~]# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source checkout radiusd
./configure (if this fails, install the corresponding -devel RPMs)
make
make install

Generate the certificates the server needs:
/usr/local/etc/raddb/certs/bootstrap

ln -s /usr/local/sbin/rc.radiusd /etc/rc.d/init.d/radiusd
ln -s /usr/local/etc/raddb /etc/raddb
chkconfig radiusd on
/etc/rc.d/init.d/radiusd start

[root@centos5]# /usr/local/sbin/radiusd -v
radiusd: FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on May 17 2008 at 12:20:44
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

2、FreeRADIUS SQL Module
A generic SQL front end (rlm_sql) plus a database-specific back-end driver (rlm_sql_):
Front end: rlm_sql
Driver in between: rlm_sql_mysql
Back end: mysql_database
Comment: rlm_sql_mysql is not a complete MySQL client; it is only the layer between rlm_sql and the MySQL database.

3、MySQL Schema
3、1 The seven tables
radacct: stop and start records logging table
radcheck, radreply: per-user check and reply tables
radgroupcheck, radgroupreply: group check and reply tables
radusergroup: username-to-group relationships are stored in this table
radpostauth: stores post-authentication data

3、2 Create the radius database
mysql> create database radius;
mysql> \. /usr/local/etc/raddb/sql/mysql/schema.sql
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
7 rows in set (0.09 sec)

Create the NAS table:
mysql> use radius;
mysql> \. /usr/local/etc/raddb/sql/mysql/nas.sql
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
8 rows in set (0.03 sec)

3、3 Create the FreeRADIUS MySQL user and grant privileges
mysql> \. /usr/local/etc/raddb/sql/mysql/admin.sql

[root@centos5 mysql]# cat admin.sql
# -*- text -*-
##
## admin.sql -- MySQL commands for creating the RADIUS user.
##
## WARNING: You should change 'localhost' and 'radpass'
## to something else. Also update raddb/sql.conf
## with the new RADIUS password.
##
## $Id: admin.sql,v 1.1 2008/04/30 08:41:30 aland Exp $

#
# Create default administrator for RADIUS
#
CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');

# The server can read any table in SQL
GRANT SELECT ON radius.* TO 'radius'@'localhost';

# The server can write to the accounting and post-auth logging table.
#
# i.e.
GRANT ALL on radius.radacct TO 'radius'@'localhost';
GRANT ALL on radius.radpostauth TO 'radius'@'localhost';

4、Configure FreeRADIUS to use the MySQL schema
4、1 In sql.conf, set the database connection parameters and name the tables to use:
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "radius"
password = "radpass"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"

Verify that the credentials in sql.conf actually work:
[root@centos5 raddb]# mysql -u radius -pradpass radius
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.22-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

4、2 Configure FreeRADIUS to read RADIUS clients from the nas table
In sql.conf, enable readclients (it is commented out by default) and keep the default table name:
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup. For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done "live" while the server is running.
#
readclients = yes

# Table to keep radius client info
nas_table = "nas"

Comment out every line in clients.conf; clients are then looked up from the nas table.
clients.conf: RADIUS clients/NAS configurations. Note that NAS is the term used in RADIUS terminology. To simplify things, just think of it as the authenticator in our 3-party model.

5、Configure FreeRADIUS to authenticate against the MySQL database
5、1 users
Comment out the entire users file; user information lives in the radcheck table of the database instead.
users: per-user configurations. Think of users as supplicants in our 3-party model. Note that user configurations could reside in other places like a MySQL database instead of the users file.

vi /usr/local/etc/raddb/sites-available/inner-tunnel
and remove the comment marker in front of sql in the authorize section:

authorize {
    chap
    mschap
    unix
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    sql
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
}

5、2 Prepare test data
nas table:
INSERT INTO `nas` (`id`, `nasname`, `shortname`, `type`, `ports`, `secret`, `community`, `description`) VALUES (1, '127.0.0.1', 'localhost', 'other', 1812, 'testing123', NULL, 'RADIUS Client');

radcheck table:
INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (2, 'root', 'User-Password', '==', '888888');

radusergroup table:
INSERT INTO `radusergroup` (`username`, `groupname`, `priority`) VALUES ('root', 'user', 1);

5、3 Test
[root@centos5 ~]# radtest root 888888 localhost 1812 testing123
Sending Access-Request of id 32 to 127.0.0.1 port 1812
        User-Name = "root"
        User-Password = "888888"
        NAS-IP-Address = 10.180.22.10
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=32, length=20
[root@centos5 ~]#

Comment: root is a Linux user on this host.
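As an added illustration (not code from this post or from the FreeRADIUS project), the script below loads the test rows from section 5、2 plus a few constructed ones into an in-memory SQLite copy of the radcheck, radusergroup, radgroupcheck and nas tables, shows the order in which rlm_sql's default dialup.conf queries fetch a user's check items, and flags the two weak spots in the test data: the deprecated User-Password check item (Cleartext-Password := is the documented form) and the default testing123 shared secret. The user alice, the vpn group, the ap1 entry and its secret are constructed.

```python
import sqlite3

# Constructed sample data, not the page's live database: the radcheck,
# radusergroup, radgroupcheck and nas tables from schema.sql/nas.sql in SQLite syntax.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE nas (id INTEGER PRIMARY KEY, nasname TEXT, shortname TEXT, type TEXT,
                  ports INTEGER, secret TEXT, community TEXT, description TEXT);
INSERT INTO radcheck VALUES (2, 'root', 'User-Password', '==', '888888');
INSERT INTO radcheck VALUES (3, 'alice', 'Cleartext-Password', ':=', 'correct-horse-battery');
INSERT INTO radusergroup VALUES ('root', 'user', 1), ('alice', 'user', 1), ('alice', 'vpn', 2);
INSERT INTO radgroupcheck VALUES (1, 'user', 'Simultaneous-Use', ':=', '1');
INSERT INTO radgroupcheck VALUES (2, 'vpn', 'Login-Time', ':=', 'Wk0800-1800');
INSERT INTO nas VALUES (1, '127.0.0.1', 'localhost', 'other', 1812, 'testing123', NULL, 'RADIUS Client');
INSERT INTO nas VALUES (2, '10.0.0.2', 'ap1', 'other', 1812, 'Lq7vZ0p3Rk9wX2mTa8Hd', NULL, 'hypothetical AP');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def check_rows(db, user):
    """Rows rlm_sql consults for a user, in the order its default queries fetch them:
    radcheck ORDER BY id, then for each group from radusergroup ORDER BY priority,
    that group's radgroupcheck rows ORDER BY id. Only the lookup order is modelled;
    the attribute comparison itself is done by the server."""
    rows = db.execute("SELECT attribute, op, value FROM radcheck WHERE username=? ORDER BY id",
                      (user,)).fetchall()
    groups = db.execute("SELECT groupname FROM radusergroup WHERE username=? ORDER BY priority", (user,))
    for (group,) in groups.fetchall():
        rows += db.execute("SELECT attribute, op, value FROM radgroupcheck WHERE groupname=? ORDER BY id",
                           (group,)).fetchall()
    return rows

WEAK_SECRETS = {"testing123", "radpass"}  # example defaults this page reuses verbatim

def audit(db):
    """Flag the rows a reviewer would not accept in production."""
    findings = []
    for user, attr, op in db.execute("SELECT username, attribute, op FROM radcheck ORDER BY id"):
        if attr == "User-Password":  # deprecated check item in FreeRADIUS 2.x
            findings.append(f"radcheck:{user}: '{attr} {op}' is deprecated, use 'Cleartext-Password :='")
    for name, secret in db.execute("SELECT nasname, secret FROM nas ORDER BY id"):
        if secret in WEAK_SECRETS or len(secret) < 16:
            findings.append(f"nas:{name}: weak shared secret")
    return findings

if __name__ == "__main__":
    db = open_db()
    print(check_rows(db, "alice"))
    print("\n".join(audit(db)))
```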