If the configuration described in the two blog posts above does not pass verification, refer to the configuration below.
This article is fairly old and some file paths have since moved, but the configuration itself still works. I have tested it myself.
FreeRADIUS ships with eight tables:

- nas: NAS (RADIUS client) configuration
- radcheck: user check items
- radreply: user reply items
- radgroupcheck: group check items
- radgroupreply: group reply items
- radusergroup: user-to-group mapping
- radacct: accounting records
- radpostauth: post-authentication records, covering both accepted and rejected authentication requests
Example:

nas table

- nasname: IP address of the NAS
- shortname: any name
- type: other
- ports: port number, 1812
- secret: the shared secret used to access RADIUS (default: testing123)
- server: may be empty
- community: may be empty
- description: may be empty

radcheck table

User accounts are created here.

- username: the user name
- attribute: the password type (encryption method)
  - Cleartext-Password: plaintext-password keyword
  - Expiration: expiry-date keyword
  - Simultaneous-Use: keyword that limits the number of concurrent logins
- op: :=
- value: the password

For more attribute types, set up the daloradius management platform and use it as a reference.
daloradius configuration reference: http://blog.csdn.net/zy517863543/article/details/78914150
Official configuration guide: http://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu
radusergroup table

- username: the user account name
- groupname: the name of the reply group
- priority: default value 1

radacct table

After an authentication succeeds, RADIUS writes accounting data into this table automatically; it is used for billing.
radgroupreply table: rows to insert

```sql
insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
```
radpostauth table

Post-authentication information; RADIUS writes it automatically after each authentication.
FreeRADIUS can also be installed online with the apt command used above, but that does not guarantee the newest version, so installing from source is recommended.
- Download the source

```bash
wget ftp://ftp.freeradius.org/pub/freeradius/old/freeradius-server-3.0.13.tar.bz2
```
- Install the required libraries

```bash
apt-get install libssl-dev libtalloc-dev libkqueue-dev
```
- Build and install

```bash
tar xvf freeradius-server-3.0.13.tar.bz2
cd freeradius-server-3.0.13/
./configure
make
make install
```
- Test whether FreeRADIUS was installed successfully

A. First change into the configuration directory: cd /usr/local/etc/raddb
B. Run radiusd -X (-X starts the server in debug mode and prints debugging output). If the error shown in the screenshot below appears, the SSL library version does not match. Edit the configuration file (vim radiusd.conf) and change allow_vulnerable_openssl = no to allow_vulnerable_openssl = yes (this tells the server to start even though the linked OpenSSL is a version FreeRADIUS knows to be vulnerable; updating OpenSSL is the proper fix), then run radiusd -X again. Output like the screenshot below means the server started successfully.
C. Edit the users configuration and remove the leading # from the commented-out sample user entry (the steve user that step D tests).
D. FreeRADIUS ships with a test tool, radtest. Run radtest steve testing 127.0.0.1 1812 testing123; if the information framed in red in the screenshot below appears, the RADIUS server is set up correctly.
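What radtest and the server exchange in step D, as an added example that is not part of the original post: an Access-Request whose User-Password is hidden with the RFC 2865 MD5 scheme under the shared secret (testing123, with the users-file sample credentials steve/testing), the server-side comparison against a Cleartext-Password item, and the Response Authenticator a client must verify before trusting an Access-Accept. The Request Authenticator is passed in by the caller so a run is reproducible; a real client draws 16 random bytes for every request.

```python
import hashlib
import hmac
import struct

def hide_password(password, req_auth, secret):
    # RFC 2865 5.2: NUL-pad to 16-byte blocks and XOR each block with MD5(secret + previous
    # ciphertext block); the chain is seeded with the 16-byte Request Authenticator.
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, req_auth, secret):
    # Server side: same MD5 chain, XORed against the received ciphertext blocks.
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_attrs(data):
    attrs, pos = {}, 0
    while pos + 2 <= len(data) and data[pos + 1] >= 2:   # stop on a malformed TLV
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return attrs

def access_request(ident, user, password, secret, req_auth):
    # Code 1 = Access-Request carrying User-Name (type 1) and User-Password (type 2) TLVs.
    hidden = hide_password(password, req_auth, secret)
    attrs = struct.pack("!BB", 1, len(user) + 2) + user + struct.pack("!BB", 2, len(hidden) + 2) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def check_request(request, secret, users):
    attrs = parse_attrs(request[20:])   # server side: reveal User-Password, compare with the check item
    password = reveal_password(attrs.get(2, b""), request[4:20], secret)
    return hmac.compare_digest(password, users.get(attrs.get(1), b"\x00"))

def access_accept(ident, req_auth, secret, attrs=b""):
    # RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_reply(rep, req_auth, secret):
    # Client side: accept only if the length is sane and the authenticator verifies under our secret.
    good_len = len(rep) >= 20 and struct.unpack("!H", rep[2:4])[0] == len(rep)
    return good_len and hmac.compare_digest(rep[4:20], hashlib.md5(rep[:4] + req_auth + rep[20:] + secret).digest())
```

A reply that fails verify_reply is what a NAS sees when the secret in clients.conf (or the nas table) and the secret it was given do not agree.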
III. Integrating RADIUS with MySQL
- Run mysql -u root -p; you will be prompted for the password that was set when MySQL was installed.
- Create the database and import the RADIUS schema

```
mysql> create database radius;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on radius.* to 'radius'@'localhost' identified by 'radpass';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> use radius;
Database changed
mysql> source /usr/local/etc/raddb/mods-config/sql/main/mysql/schema.sql
Query OK, 0 rows affected (0.02 sec)

Query OK, 0 rows affected (0.00 sec)

Query OK, 0 rows affected (0.01 sec)

Query OK, 0 rows affected (0.01 sec)

Query OK, 0 rows affected (0.01 sec)

Query OK, 0 rows affected (0.01 sec)

Query OK, 0 rows affected (0.01 sec)

Query OK, 0 rows affected (0.02 sec)

mysql>
```
- Create the group (here the new group is named user)

```
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
Query OK, 1 row affected (0.01 sec)

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
Query OK, 1 row affected (0.02 sec)

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');
Query OK, 1 row affected (0.00 sec)

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
Query OK, 1 row affected (0.00 sec)

mysql>
```
- Create the users (here the new users are test1 and test2, with password testpwd)

```
mysql> insert into radcheck (username,attribute,op,value) values ('test1','Cleartext-Password',':=','testpwd');
Query OK, 1 row affected (0.00 sec)

mysql> insert into radcheck (username,attribute,op,value) values ('test2','Cleartext-Password',':=','testpwd');
Query OK, 1 row affected (0.00 sec)

mysql> insert into radcheck (username,attribute,op,value) values ('zz','Cleartext-Password',':=','547188');
Query OK, 1 row affected (0.00 sec)

mysql>
```
- Add the users to the group

```
mysql> insert into radusergroup (username,groupname) values ('test1','user');
Query OK, 1 row affected (0.00 sec)

mysql> insert into radusergroup (username,groupname) values ('test2','user');
Query OK, 1 row affected (0.00 sec)

mysql> insert into radusergroup (username,groupname) values ('zz','user');
Query OK, 1 row affected (0.00 sec)

mysql>
```
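How the rows created above fit together at authentication time, as an added example that is not part of the original post: the script loads the same radcheck, radgroupreply and radusergroup rows into an in-memory SQLite database and walks the SQL module's authorize order sketched in the table overview, evaluating the user's check items first and then merging the reply items of the user's groups by priority. SQLite stands in for MySQL, the schema keeps only the columns used, and the ':=' handling is a simplified reading of the operator semantics.

```python
import hmac
import sqlite3

# Constructed in-memory copy of the rows the INSERT statements above create.
# SQLite stands in for MySQL and the schema keeps only the columns used here.
SETUP = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('user', 'Auth-Type', ':=', 'Local'),
  ('user', 'Service-Type', ':=', 'Framed-User'),
  ('user', 'Framed-IP-Address', ':=', '255.255.255.255'),
  ('user', 'Framed-IP-Netmask', ':=', '255.255.255.0');
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('test1', 'Cleartext-Password', ':=', 'testpwd'),
  ('test2', 'Cleartext-Password', ':=', 'testpwd');
INSERT INTO radusergroup (username, groupname) VALUES ('test1', 'user'), ('test2', 'user');
"""

def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP)
    return db

def authorize(db, username, password):
    """Return (accepted, reply_attrs), following the order the SQL module uses:
    the user's radcheck items first, then radgroupreply items of the user's groups."""
    checks = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id",
        (username,)).fetchall()
    if not checks:
        return False, {}                 # unknown user: nothing to check against
    for attribute, op, value in checks:
        if attribute != "Cleartext-Password":
            return False, {}             # fail closed on check items this demo cannot evaluate
        if not hmac.compare_digest(value.encode(), password.encode()):
            return False, {}
    reply = {}
    rows = db.execute(
        "SELECT r.attribute, r.op, r.value FROM radusergroup u "
        "JOIN radgroupreply r ON r.groupname = u.groupname "
        "WHERE u.username = ? ORDER BY u.priority, r.id", (username,)).fetchall()
    for attribute, op, value in rows:
        if op == ":=" or attribute not in reply:   # ':=' overrides; '=' only sets a missing attribute
            reply[attribute] = value
    return True, reply
```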
- Create a symlink (this puts the sql module into the enabled list) to enable the sql module

```bash
ln -s /usr/local/etc/raddb/mods-available/sql /usr/local/etc/raddb/mods-enabled/
```
- Edit the sql module's database connection settings in /usr/local/etc/raddb/mods-available/sql as follows

Change line 31 to:

```
20  sql {
21      # The sub-module to use to execute queries. This should match
22      # the database you're attempting to connect to.
23      #
24      #    * rlm_sql_mysql
25      #    * rlm_sql_mssql
26      #    * rlm_sql_oracle
27      #    * rlm_sql_postgresql
28      #    * rlm_sql_sqlite
29      #    * rlm_sql_null (log queries to disk)
30      #
31      driver = "rlm_sql_mysql"
32
33      #
34      # Several drivers accept specific options, to set them, a
35      # config section with the name as the driver should be added
36      # to the sql instance.
37      #
38      # Driver specific options are:
39      #
40      # sqlite {
```
Change lines 87, 91, 92, 93 and 97 to:

```
82      # The dialect of SQL you want to use, this should usually match
83      # the driver you selected above.
84      #
85      # If you're using rlm_sql_null, then it should be the type of
86      # database the logged queries are going to be executed against.
87      dialect = "mysql"
88
89      # Connection info:
90      #
91      server = "localhost"
92      port = 3306
93      login = "radius"
94      password = "radpass"
95
96      # Database table configuration for everything except Oracle
97      radius_db = "radius"
98
99      # If you are using Oracle then use this instead
100     # radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
```
Change line 245 to:

```
237     # also log a WARNING message.
238     #
239     # The solution is to either lower the "min" connections,
240     # or increase lifetime/idle_timeout.
241     }
242
243     # Set to 'yes' to read radius clients from the database ('nas' table)
244     # Clients will ONLY be read on server startup.
245     read_clients = yes
246
247     # Table to keep radius client info
248     client_table = "nas"
249
250     #
251     # The group attribute specific to this instance of rlm_sql
252     #
253
254     # This entry should be used for additional instances (sql foo {})
255     # of the SQL module.
256     # group_attribute = "${.:instance}-SQL-Group"
```
- Check that the module directories are enabled: edit /usr/local/etc/raddb/radiusd.conf and make sure the following lines are not commented out

```
$INCLUDE mods-enabled/
$INCLUDE sites-enabled/
```

Enable authentication logging to the log file. This is optional and only makes debugging easier:

```
auth = yes
auth_badpass = yes
auth_goodpass = yes
```

Note that auth_badpass and auth_goodpass write the submitted passwords themselves into the log, so turn them back off once debugging is done.
- Enable sql module support: edit /usr/local/etc/raddb/sites-available/default

Uncomment the sql lines below; here the comment character is '-', so find it and remove it.

Change line 405 to:

```
396     #  Read the 'users' file.  In v3, this is located in
397     #  raddb/mods-config/files/authorize
398     files
399
400     #
401     #  Look in an SQL database.  The schema of the database
402     #  is meant to mirror the "users" file.
403     #
404     #  See "Authorization Queries" in mods-available/sql
405     sql
406
407     #
408     #  If you are using /etc/smbpasswd, and are also doing
409     #  mschap authentication, then un-comment this line, and
410     #  configure the 'smbpasswd' module.
411     # smbpasswd
```
Change line 640 to:

```
633     #  Return an address to the IP Pool when we see a stop record.
634     # main_pool
635
636     #
637     #  Log traffic to an SQL database.
638     #
639     #  See "Accounting queries" in mods-available/sql
640     sql
641
642     #
643     #  If you receive stop packets with zero session length,
644     #  they will NOT be logged in the database.  The SQL module
645     #  will print a message (only in debugging mode), and will
646     #  return "noop".
647     #
648     #  You can ignore these packets by uncommenting the following
649     #  three lines.  Otherwise, the server will not respond to the
650     #  accounting request, and the NAS will retransmit.
651     #
652     # if (noop) {
```
Change line 738 to:

```
732     # reply_log
733
734     #
735     #  After authenticating the user, do another SQL query.
736     #
737     #  See "Authentication Logging Queries" in mods-available/sql
738     sql
739
740     #
741     #  Instead of sending the query to the SQL server,
742     #  write it into a log file.
743     #
744     # sql_log
```
Change line 843 to:

```
839     #  The "session-state" attributes are not available here.
840     #
841     Post-Auth-Type REJECT {
842         # log failed authentications in SQL, too.
843         sql
844         attr_filter.access_reject
845
846         # Insert EAP-Failure message if the request was
847         # rejected by policy instead of because of an
848         # authentication failure
849         eap
```
- Configure the client information in /usr/local/etc/raddb/clients.conf by adding the following at the end of the file; supperadmin is the shared secret, and 0.0.0.0/0 specifies which client subnets may connect to the RADIUS server:

```
client alladdress {
    ipaddr = 0.0.0.0/0
    secret = supperadmin
}
```

Because 0.0.0.0/0 admits every address, any host that learns the secret can act as a NAS; restricting ipaddr to the subnets of the real NAS devices is the safer choice.
- Start the RADIUS server

```bash
radiusd
```