Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1424779
  • 博文数量: 269
  • 博客积分: 3602
  • 博客等级: 中校
  • 技术积分: 4536
  • 用 户 组: 普通用户
  • 注册时间: 2012-04-17 21:13
文章分类

全部博文(269)

文章存档

2014年(8)

2013年(139)

2012年(122)

分类: 系统运维

2013-04-01 13:59:44

1、install FreeRADIUS via cvs

[root@centos5 ~]# yum install cvs
[root@centos5 ~]# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source login
Logging in to :pserver:anoncvs@cvs.freeradius.org:2401/source
CVS password: anoncvs
[root@centos5 ~]# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source checkout radiusd

./configure  (如果出现错误,需要安装相应的devel rpm) 
make  
make install


生成所需的证书
/usr/local/etc/raddb/certs/bootstrap

ln -s /usr/local/sbin/rc.radiusd  /etc/rc.d/init.d/radiusd
ln -s /usr/local/etc/raddb  /etc/raddb

chkconfig radiusd on
/etc/rc.d/init.d/radiusd  start

[root@centos5]# /usr/local/sbin/radiusd -v
radiusd: FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on May 17 2008 at 12:20:44
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT. 2、 FreeRADIUS SQL Module 通用的SQL前端(rlm_sql)+数据库后端驱动(rlm_sql_) 前端:    rlm_sql
中间驱动:rlm_sql_mysql  后端:    mysql_database  Comment: rlm_sql_mysql不是一个完整的mysql client, 仅仅是rlm_sql、mysql database间的一个中间层。  3、MySQL Schema  3、1 7个table的说明 stop and start records logging table radacct  a single user check and reply table radcheck
radreply Group check and reply table radgroupcheck
radgroupreply  username to group relationships are stored in this table radusergroup To store post-authentication data table radpostauth 3、2 create radius database mysql> create database radius; mysql> \. /usr/local/etc/raddb/sql/mysql/schema.sql
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| radacct          | 
| radcheck         | 
| radgroupcheck    | 
| radgroupreply    | 
| radpostauth      | 
| radreply         | 
| radusergroup     | 
+------------------+
7 rows in set (0.09 sec)
create NAS table
msyql> use radius;
mysql> \. /usr/local/etc/raddb/sql/mysql/nas.sql
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas              | 
| radacct          | 
| radcheck         | 
| radgroupcheck    | 
| radgroupreply    | 
| radpostauth      | 
| radreply         | 
| radusergroup     | 
+------------------+
8 rows in set (0.03 sec) 3、3 建立FreeRadius用户和授权 mysql> \. /usr/local/etc/raddb/sql/mysql/admin.sql

[root@centos5 mysql]# cat admin.sql 
# -*- text -*-
##
## admin.sql -- MySQL commands for creating the RADIUS user.
##
##      WARNING: You should change 'localhost' and 'radpass'
##               to something else.  Also update raddb/sql.conf
##               with the new RADIUS password.
##
##      $Id: admin.sql,v 1.1 2008/04/30 08:41:30 aland Exp $

#
#  Create default administrator for RADIUS
#
CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');

# The server can read any table in SQL
GRANT SELECT ON radius.* TO 'radius'@'localhost';

# The server can write to the accounting and post-auth logging table.
#
#  i.e. 
GRANT ALL on radius.radacct TO 'radius'@'localhost';
GRANT ALL on radius.radpostauth TO 'radius'@'localhost';  4、配置FreeRadius使用mysql schema 4、1 在 sql.conf 配置database的连接参数,指定所使用的table database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        login = "radius"
        password = "radpass"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"

[root@centos5 raddb]# mysql -u radius -pradpass radius
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.22-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> 4、2配置FreeRadius 查询 radius nas table # Set to 'yes' to read radius clients from the database ('nas' table)
 # Clients will ONLY be read on server startup.  For performance
 # and security reasons, finding clients via SQL queries CANNOT
 # be done "live" while the server is running.
 #
 #
 readclients = yes
 # Table to keep radius client info
 nas_table = "nas" 注释client.conf 所有行,Client从nas表中查询。 clients.conf: 
RADIUS clients/NAS configurations. Note that NAS is the term  used 
in RADIUS terminology. To simpilify things, just think of it as 
authenticator in our 3-party model.  5、配置freeradius使用MySQL Database 5、1 users 注释users所有内容, 用户信息驻留在数据库radcheck table per user configurations. Think of users as supplicants in our 3-party 
model. Note that user configurations could reside in other places like 
a MySQL database instead of the users file.  vi /usr/local/etc/raddb/sites-available/inner-tunnel
去掉SQL前的注释
authorize {
        chap
        mschap
        unix
        suffix
        update control {
                         Proxy-To-Realm := LOCAL
                       }
        eap {
                ok = return
            } sql expiration
        logintime
        pap
      }
authenticate {
        Auth-Type PAP {
                        pap
                      }
        Auth-Type CHAP {
                        chap
                       }
        Auth-Type MS-CHAP {
                            mschap
                          }
        unix
        eap
} 5、2测试数据准备 nas table
INSERT INTO `nas` (`id`, `nasname`, `shortname`, `type`, `ports`, `secret`, `community`, `description`) VALUES
(1, '127.0.0.1', 'localhost', 'other', 1812, 'testing123', NULL, 'RADIUS Client');

radcheck table
INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES
(2, 'root', 'User-Password', '==', '888888');

radusergroup table
INSERT INTO `radusergroup` (`username`, `groupname`, `priority`) VALUES
('root', 'user', 1) 5、3测试 [root@centos5 ~]# radtest root 888888 localhost 1812 testing123
Sending Access-Request of id 32 to 127.0.0.1 port 1812
        User-Name = "root"
        User-Password = "888888"
        NAS-IP-Address = 10.180.22.10
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=32, length=20
[root@centos5 ~]# 
commment: root 为linux的一个用户。
阅读(2360) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~