RADIUS (Remote Access Dial In User Service) is a protocol whose main job is authentication: it verifies a user's identity and password. Once that check passes, the user is authorized to log into the network domain and use the related resources, and the protocol can also provide accounting, keeping a record of the user's network usage. The RADIUS protocol is described in detail in RFC 2865 and RFC 2866. FreeRADIUS is an open-source package that implements RADIUS AAA (Authentication, Authorization, Accounting) on top of the RADIUS protocol.
FreeRADIUS features
Authentication methods supported by FreeRADIUS:
Local files
Local DB/DBM databases
LDAP databases
Local executable programs (for example a CGI program)
Perl programs
Python programs
SQL databases:
Oracle
MySQL
PostgreSQL
Sybase
IBM DB2
Any iODBC or unixODBC supported database
Authentication types supported by FreeRADIUS
Cleartext passwords in local configuration files (PAP)
Encrypted passwords in local configuration files
CHAP
MS-CHAP
MS-CHAPv2
Windows domain controller authentication
Proxying to other RADIUS servers
System authentication (usually via /etc/passwd)
PAM (Pluggable Authentication Modules)
LDAP (PAP only)
CRAM
Perl programs
Python programs
SIP Digest (Cisco VoIP, SER)
Netscape-MTA-MD5 encrypted passwords
Kerberos authentication
X9.9 authentication tokens
EAP embedded authentication methods for wireless:
EAP-MD5
CISCO LEAP
EAP-MSCHAP-V2
EAP-GTC
EAP-SIM
EAP-TLS
EAP-TTLS
EAP-PEAP
Accounting methods
Accounting data can be written simultaneously to different databases. FreeRADIUS supports the following accounting record methods:
Local 'detail' files
Local 'wtmp' and 'utmp' files
Proxying to other RADIUS servers
Replication to one or more RADIUS servers
SQL databases:
Oracle
MySQL
PostgreSQL
Sybase
DB2
Any iODBC or unixODBC supported database
FreeRADIUS installation and configuration notes
The Turbolinux GTES 10.5 installation CD already contains freeradius-1.0.1-2.2.i386.rpm. The installation is described below using a FreeRADIUS plus MySQL deployment as the example:
FreeRADIUS installation
# rpm -ivh freeradius-1.0.1-2.2.i386.rpm
MySQL installation
Enter the MySQL database and create a database named radius (the statement must end with a semicolon):
# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 18
Server version: 5.1.17-beta-log MySQL Community Server (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database radius;
Import the database table structure
Edit /usr/share/doc/freeradius-1.0.1/db_mysql.sql and remove the string default '0' from the id column definition in the CREATE TABLE statement for the nas table, then load the file:
# mysql -uroot radius < /usr/share/doc/freeradius-1.0.1/db_mysql.sql
FreeRADIUS configuration
/etc/raddb/radiusd.conf
radiusd.conf is the main FreeRADIUS configuration file. Its main sections are shown below; the explanations are written as radiusd.conf comments, which start with #.
Security settings
security {
    max_attributes = 200    # number of attributes allowed in one RADIUS packet; 0 allows any number
    reject_delay = 1        # delay in seconds before an Access-Reject is sent (1-5); 0 sends it immediately
    status_server = no      # whether to answer Status-Server requests
}
Thread pool settings
thread pool {
    start_servers = 5            # number of threads running when the server starts
    max_servers = 32             # maximum number of threads allowed at run time
    min_spare_servers = 3        # lower threshold of spare threads
    max_spare_servers = 10       # upper threshold of spare threads
    max_requests_per_server = 0  # requests a thread handles before it exits; 0 means it never exits
}
Module start-up settings
authorize {
    preprocess    # pre-processing module
    chap          # CHAP authentication module
    mschap        # MS-CHAP authentication module
    sql           # reads users from the database for authentication
}
/etc/raddb/clients.conf
The following configuration uses the local host itself as the NAS.
client 127.0.0.1 {
    secret = testing123       # shared secret between the NAS and FreeRADIUS
    shortname = localhost     # NAS name
    nastype = other           # NAS type
}
/etc/raddb/sql.conf
sql {
    driver = "rlm_sql_mysql"  # database type in use, here MySQL
    server = "127.0.0.1"      # database server address
    login = "root"            # username used to connect to the database
    password = ""             # password used to connect to the database
    radius_db = "radius"      # database name
    acct_table1 = "radacct"   # table written when accounting starts
    acct_table2 = "radacct"   # table written when accounting stops
    num_sql_socks = 5         # number of database connections to open
    ...
}
FreeRADIUS usage example
Add the user test with the password 123456 to the database, then authenticate that user through FreeRADIUS:
INSERT INTO radcheck (username,attribute,op,value) VALUES ('test','User-Password','==','123456');
Start the FreeRADIUS server with the following command:
# radiusd -xx    (-xx starts the server in debug mode)
Use radtest, the test client that ships with FreeRADIUS, as the client:
# radtest test 123456 localhost 0 testing123
Sending Access-Request of id 48 to 127.0.0.1:1812
        User-Name = "test"
        User-Password = "123456"
        NAS-IP-Address = turbo200
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=48, length=20
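What radtest and radiusd actually exchange in the run above, as an added example (this is not FreeRADIUS code): it builds the Access-Request as RFC 2865 specifies, hides the User-Password with the shared secret testing123 the way the client does, recovers it the way the server does, compares it with a dict standing in for the radcheck row, and finally verifies the Response Authenticator of the Access-Accept on the client side. The radcheck dict, the server_respond stand-in for radiusd, the NAS address 127.0.0.1 and the fixed identifier 48 are assumptions made for this example.

```python
"""Added example (not FreeRADIUS code): the RFC 2865 Access-Request /
Access-Accept exchange behind the radtest run on this page."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. This is obfuscation keyed on the shared secret, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same keystream, chained on the received blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value   # Type, Length, Value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(user: str, password: str, secret: bytes, ident: int,
                         request_auth: bytes = b"") -> bytes:
    ra = request_auth or os.urandom(16)        # fresh Request Authenticator per request
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))   # assumed NAS address
             + attr(NAS_PORT, struct.pack("!I", 0)))
    return packet(ACCESS_REQUEST, ident, ra, attrs)


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def server_respond(request: bytes, secret: bytes, radcheck: dict) -> bytes:
    """Constructed stand-in for radiusd: recover the password, compare it with the
    stored check item and answer with an Accept or Reject carrying no attributes."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    ra = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    supplied = reveal_password(attrs[USER_PASSWORD], secret, ra)
    accepted = user in radcheck and radcheck[user].encode() == supplied
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply built with a different secret fails this check."""
    header, given, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(given, expected)


def demo(user="test", password="123456", secret=b"testing123"):
    """Returns (reply code, authenticator valid with the right secret, valid with a wrong one)."""
    radcheck = {"test": "123456"}              # constructed stand-in for the radcheck row
    request = build_access_request(user, password, secret, ident=48)
    request_auth = request[4:20]
    response = server_respond(request, secret, radcheck)
    return (response[0],
            verify_response(response, request_auth, secret),
            verify_response(response, request_auth, b"wrong-secret"))


if __name__ == "__main__":
    print(demo())                              # (2, True, False): Access-Accept, verified
```

The point for an operator is visible in hide_password and verify_response: everything that protects the password on the wire and proves the reply came from the server is the shared secret in clients.conf, so a guessable value such as testing123 should only ever appear in a lab like this one.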
The FreeRADIUS server side logs the following:
Thread 1 got semaphore
Thread 1 handling request 10, (3 handled so far)
        User-Name = "test"
        User-Password = "123456"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
  modcall[authorize]: module "preprocess" returns ok for request 10
  modcall[authorize]: module "chap" returns noop for request 10
  modcall[authorize]: module "mschap" returns noop for request 10
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 10
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 10
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 10
modcall: group authorize returns ok for request 10
  auth: type Local
  auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 48 to 127.0.0.1:32769
Finished request 10
Going to the next request
Thread 1 waiting to be assigned a request
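The four rlm_sql queries in the log above, and the "auth: type Local" step that follows them, replayed against an in-memory SQLite copy of the radcheck, radreply, radgroupcheck, radgroupreply and usergroup tables from the dump later on this page (column types simplified for SQLite, rows copied from the dump's INSERT statements). This is an added example, not FreeRADIUS code: the query text is the one the log shows, but the user name is passed as a bound parameter instead of being substituted into the string, which is the job rlm_sql's "sql_set_user escaped user" step does; the check/reply operator handling is a deliberately small subset (only ==, := and =) of what the real server implements.

```python
"""Added example (not FreeRADIUS code): the authorize queries from the log,
run against a SQLite copy of the page's radius tables."""
import sqlite3

# Constructed from the dump on this page; types simplified for SQLite.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT,
                            prio INTEGER DEFAULT 0);
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
INSERT INTO radcheck VALUES (2,'pppoe','Password','==','pppoe'), (3,'test','Password','==','test');
INSERT INTO radgroupcheck VALUES (1,'dynamic','Auth-Type',':=','Local'), (2,'static','Auth-Type',':=','Local');
INSERT INTO radgroupreply VALUES
  (1,'dynamic','Service-Type','=','Framed-User',0), (2,'dynamic','Framed-Protocol','=','PPP',0),
  (3,'static','Framed-IP-Netmask','=','255.255.255.0',0), (4,'static','Framed-Protocol','=','PPP',0),
  (5,'static','Service-Type','=','Framed-User',0);
INSERT INTO radreply VALUES (1,'test','Framed-IP-Address','=','172.16.15.10');
INSERT INTO usergroup VALUES (2,'pppoe','dynamic'), (3,'test','static');
"""

# The queries from the server log, with ? where radius_xlat substituted the user name.
CHECK_SQL = "SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = ? ORDER BY id"
GROUPCHECK_SQL = ("SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,"
                  "radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup "
                  "WHERE usergroup.Username = ? AND usergroup.GroupName = radgroupcheck.GroupName "
                  "ORDER BY radgroupcheck.id")
REPLY_SQL = "SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = ? ORDER BY id"
GROUPREPLY_SQL = ("SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,"
                  "radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup "
                  "WHERE usergroup.Username = ? AND usergroup.GroupName = radgroupreply.GroupName "
                  "ORDER BY radgroupreply.id")


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def process(db: sqlite3.Connection, username: str, supplied_password: str):
    """Emulates the authorize section (four queries, check and reply items) and the
    Auth-Type Local comparison. Returns (reply code, reply attributes)."""
    request = {"User-Password": supplied_password}
    control, must_match, reply = {}, {}, {}
    user_checks = db.execute(CHECK_SQL, (username,)).fetchall()
    group_checks = db.execute(GROUPCHECK_SQL, (username,)).fetchall()
    if not user_checks and not group_checks:
        return "Access-Reject", {}          # no rows at all: rlm_sql returns notfound
    for _id, _owner, attribute, value, op in user_checks + group_checks:
        if attribute == "Password":         # the dump's old name for the User-Password check item
            attribute = "User-Password"
        if op == ":=":
            control[attribute] = value      # control item, here Auth-Type
        elif op == "==":
            must_match.setdefault(attribute, value)   # the request must carry exactly this value
    reply_rows = (db.execute(REPLY_SQL, (username,)).fetchall()
                  + db.execute(GROUPREPLY_SQL, (username,)).fetchall())
    for _id, _owner, attribute, value, op in reply_rows:
        if op == ":=":
            reply[attribute] = value
        else:                               # '=' only sets an attribute that is not already present
            reply.setdefault(attribute, value)
    if control.get("Auth-Type", "Local") != "Local":
        return "Access-Reject", {}          # only the Local type is emulated here
    if any(request.get(a) != v for a, v in must_match.items()):
        return "Access-Reject", {}          # user supplied User-Password does not match
    return "Access-Accept", reply


def lookup(username: str, password: str):
    return process(open_db(), username, password)


if __name__ == "__main__":
    print(lookup("test", "test"))           # Access-Accept with the four reply attributes
    print(lookup("test", "wrong"))          # Access-Reject
```

For the user test this returns exactly the four reply attributes that the radtest output further down the page shows in its Access-Accept (Framed-IP-Address from radreply, the other three from the static group), which is a convenient way to check a radius database offline before pointing a NAS at it.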
#
# Host: localhost
# Generation time: 23 December 2003, 01:54
# Server version: 3.23.58
# PHP version: 4.0.6
#
# Database: `radius`
#
# --------------------------------------------------------
#
# Table structure for table `radacct`
#
DROP TABLE IF EXISTS `radacct`;
CREATE TABLE `radacct` (
`RadAcctId` bigint(21) NOT NULL auto_increment,
`AcctSessionId` varchar(32) NOT NULL default '',
`AcctUniqueId` varchar(32) NOT NULL default '',
`UserName` varchar(64) NOT NULL default '',
`Realm` varchar(64) default '',
`NASIPAddress` varchar(15) NOT NULL default '',
`NASPortId` int(12) default NULL,
`NASPortType` varchar(32) default NULL,
`AcctStartTime` datetime NOT NULL default '0000-00-00 00:00:00',
`AcctStopTime` datetime NOT NULL default '0000-00-00 00:00:00',
`AcctSessionTime` int(12) default NULL,
`AcctAuthentic` varchar(32) default NULL,
`ConnectInfo_start` varchar(32) default NULL,
`ConnectInfo_stop` varchar(32) default NULL,
`AcctInputOctets` bigint(12) default NULL,
`AcctOutputOctets` bigint(12) default NULL,
`CalledStationId` varchar(50) NOT NULL default '',
`CallingStationId` varchar(50) NOT NULL default '',
`AcctTerminateCause` varchar(32) NOT NULL default '',
`ServiceType` varchar(32) default NULL,
`FramedProtocol` varchar(32) default NULL,
`FramedIPAddress` varchar(15) NOT NULL default '',
`AcctStartDelay` int(12) default NULL,
`AcctStopDelay` int(12) default NULL,
PRIMARY KEY (`RadAcctId`),
KEY `UserName` (`UserName`),
KEY `FramedIPAddress` (`FramedIPAddress`),
KEY `AcctSessionId` (`AcctSessionId`),
KEY `AcctUniqueId` (`AcctUniqueId`),
KEY `AcctStartTime` (`AcctStartTime`),
KEY `AcctStopTime` (`AcctStopTime`),
KEY `NASIPAddress` (`NASIPAddress`)
) TYPE=MyISAM AUTO_INCREMENT=1 ;
#
# Dumping data for table `radacct`
#
# --------------------------------------------------------
#
# Table structure for table `radcheck`
#
DROP TABLE IF EXISTS `radcheck`;
CREATE TABLE `radcheck` (
`id` int(11) unsigned NOT NULL auto_increment,
`UserName` varchar(64) NOT NULL default '',
`Attribute` varchar(32) NOT NULL default '',
`op` char(2) NOT NULL default '==',
`Value` varchar(253) NOT NULL default '',
PRIMARY KEY (`id`),
KEY `UserName` (`UserName`(32))
) TYPE=MyISAM AUTO_INCREMENT=4 ;
#
# Dumping data for table `radcheck`
#
INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES (2, 'pppoe', 'Password', '==', 'pppoe');
INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES (3, 'test', 'Password', '==', 'test');
# --------------------------------------------------------
#
# Table structure for table `radgroupcheck`
#
DROP TABLE IF EXISTS `radgroupcheck`;
CREATE TABLE `radgroupcheck` (
`id` int(11) unsigned NOT NULL auto_increment,
`GroupName` varchar(64) NOT NULL default '',
`Attribute` varchar(32) NOT NULL default '',
`op` char(2) NOT NULL default '==',
`Value` varchar(253) NOT NULL default '',
PRIMARY KEY (`id`),
KEY `GroupName` (`GroupName`(32))
) TYPE=MyISAM AUTO_INCREMENT=3 ;
#
# Dumping data for table `radgroupcheck`
#
INSERT INTO `radgroupcheck` (`id`, `GroupName`, `Attribute`, `op`, `Value`) VALUES (1, 'dynamic', 'Auth-Type', ':=', 'Local');
INSERT INTO `radgroupcheck` (`id`, `GroupName`, `Attribute`, `op`, `Value`) VALUES (2, 'static', 'Auth-Type', ':=', 'Local');
# --------------------------------------------------------
#
# Table structure for table `radgroupreply`
#
DROP TABLE IF EXISTS `radgroupreply`;
CREATE TABLE `radgroupreply` (
`id` int(11) unsigned NOT NULL auto_increment,
`GroupName` varchar(64) NOT NULL default '',
`Attribute` varchar(32) NOT NULL default '',
`op` char(2) NOT NULL default '=',
`Value` varchar(253) NOT NULL default '',
`prio` int(10) unsigned NOT NULL default '0',
PRIMARY KEY (`id`),
KEY `GroupName` (`GroupName`(32))
) TYPE=MyISAM AUTO_INCREMENT=6 ;
#
# Dumping data for table `radgroupreply`
#
INSERT INTO `radgroupreply` (`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES (1, 'dynamic', 'Service-Type', '=', 'Framed-User', 0);
INSERT INTO `radgroupreply` (`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES (2, 'dynamic', 'Framed-Protocol', '=', 'PPP', 0);
INSERT INTO `radgroupreply` (`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES (3, 'static', 'Framed-IP-Netmask', '=', '255.255.255.0', 0);
INSERT INTO `radgroupreply` (`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES (4, 'static', 'Framed-Protocol', '=', 'PPP', 0);
INSERT INTO `radgroupreply` (`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES (5, 'static', 'Service-Type', '=', 'Framed-User', 0);
# --------------------------------------------------------
#
# Table structure for table `radreply`
#
DROP TABLE IF EXISTS `radreply`;
CREATE TABLE `radreply` (
`id` int(11) unsigned NOT NULL auto_increment,
`UserName` varchar(64) NOT NULL default '',
`Attribute` varchar(32) NOT NULL default '',
`op` char(2) NOT NULL default '=',
`Value` varchar(253) NOT NULL default '',
PRIMARY KEY (`id`),
KEY `UserName` (`UserName`(32))
) TYPE=MyISAM AUTO_INCREMENT=2 ;
#
# Dumping data for table `radreply`
#
INSERT INTO `radreply` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES (1, 'test', 'Framed-IP-Address', '=', '172.16.15.10');
# --------------------------------------------------------
#
# Table structure for table `usergroup`
#
DROP TABLE IF EXISTS `usergroup`;
CREATE TABLE `usergroup` (
`id` int(11) unsigned NOT NULL auto_increment,
`UserName` varchar(64) NOT NULL default '',
`GroupName` varchar(64) NOT NULL default '',
PRIMARY KEY (`id`),
KEY `UserName` (`UserName`(32))
) TYPE=MyISAM AUTO_INCREMENT=4 ;
#
# Dumping data for table `usergroup`
#
INSERT INTO `usergroup` (`id`, `UserName`, `GroupName`) VALUES (2, 'pppoe', 'dynamic');
INSERT INTO `usergroup` (`id`, `UserName`, `GroupName`) VALUES (3, 'test', 'static');
---------------------------------------
5. Configure the FreeRADIUS service
cd /usr/local/etc/raddb/
vi sql.conf
Change the MySQL password in this file to your own password.
vi radiusd.conf
Modify your file to look like the following: it only involves putting a # in front of certain lines and adding a line containing sql in certain places.
---------------------------------------
authorize {
preprocess
chap
mschap
#counter
#attr_filter
#eap
suffix
sql
#files
#etc_smbpasswd
}
authenticate {
authtype PAP {
pap
}
authtype CHAP {
chap
}
authtype MS-CHAP {
mschap
}
#pam
#unix
#authtype LDAP {
# ldap
#}
}
preacct {
preprocess
suffix
#files
}
accounting {
acct_unique
detail
#counter
unix
sql
radutmp
#sradutmp
}
session {
radutmp
}
----------------------------------
6. Configure WebNasAdmin
cp -r /home/temp/freeradius-0.9.2/dialup_admin /usr/local/dialup_admin
cd /var/www/html
ln -s /usr/local/dialup_admin/htdocs dialup_admin
vi /usr/local/dialup_admin/conf/admin.conf
Change general_radiusd_base_dir: /usr/local/radiusd
to general_radiusd_base_dir: /usr/local/etc/raddb
Change general_test_account_password: testpass
to general_test_account_password: test
Change general_radius_server_auth_proto: pap
to general_radius_server_auth_proto: chap
Change general_radius_server_secret: XXXXXX
to general_radius_server_secret: testing123
Change general_encryption_method: crypt
to general_encryption_method: clear
Comment out the following lines by putting a # in front of each of them:
nas1_name: nas1.%{general_domain}
nas1_model: Cisco 2511 access server
nas1_ip: 147.122.122.121
nas1_port_num: 16
nas1_community: public
nas2_name: nas2.%{general_domain}
nas2_model: Cisco 2511 access server
nas2_ip: 147.122.122.123
nas2_port_num: 16
nas2_community: public
nas2_finger_type: database
nas3_name: nas3.%{general_domain}
nas3_model: Cisco 5300 access server
nas3_ip: 147.122.122.124
nas3_port_num: 210
nas3_community: public
Then add the following lines:
nas1_name: nas1.GetWall
nas1_model: PxSoft PPPoE Server
nas1_ip: 127.0.0.1
nas1_port_num: 64
nas1_community: public
Change the following two lines
sql_username: dialup_admin
sql_password: XXXXXX
to
sql_username: root
sql_password:
Restart the system and test:
1. Test FreeRADIUS
rc.radiusd start
radtest test test localhost 0 testing123
If the server returns the following, FreeRADIUS is working normally:
Sending Access-Request of id 137 to 127.0.0.1:1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = local6
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=137, length=44
        Framed-IP-Address = 172.16.15.10
        Framed-IP-Netmask = 255.255.255.0
        Framed-Protocol = PPP
        Service-Type = Framed-User
Otherwise, check your RADIUS configuration carefully.
2. Test pptpd
pptpd
Then set up a VPN connection from a Windows 2000 or similar machine, entering test as both the username and the password. If it connects, pptpd is working.
3. Test PPPoE
pppoe-server -L 172.16.20.254 -N 10 -I eth0
Then install RASPPPoE or EnterNet 300/500 on another machine, entering pppoe as both the username and the password. If it connects, PPPoE is working.
4. Test WebNasAdmin
Open a browser and enter the address of the dialup_admin pages.
Click through each of the options; if they all display, WebNasAdmin is working.
That is everything.
Finally, create a startup file:
cd /
vi pxsrv
-------------------------------
/usr/local/sbin/pptpd
/usr/local/sbin/radiusd
pppoe-server -L 172.16.10.254 -N 64 -I eth0
--------------------------------
chmod 700 pxsrv
After that, just run pxsrv.
If you want it to start automatically at boot, edit the following file:
vi /etc/rc.d/rc.local
add the line /pxsrv
and save.
---------------------------------
If you want to use kernel-mode PPPoE, proceed as follows:
cd /usr/src/linux-2.4
make menuconfig
Go to Network device support --->
and select the following entry:
[ ] PPP over Ethernet (EXPERIMENTAL)
so that it becomes
[M] PPP over Ethernet (EXPERIMENTAL)
Then exit and build:
make dep
make bzImage
make modules
make modules_install
cd arch/i386/boot
cp bzImage /boot/kernelnew
cd /boot
mkinitrd initrdnew.img 2.4.7-10
vi grub/grub.conf
Add the following at the end:
-----------------------------
title Red Hat new
root (hd0,0)
kernel /boot/kernelnew ro root=/dev/hda1
initrd /boot/initrd.img
-----------------------------
Save and exit.
Then reboot and choose "Red Hat new".
Then repeat step 6 of the installation procedure.
When starting pppoe-server, add the -k parameter.