Installing and configuring freeradius3 and freeradius3-mysql on Ubuntu

GitHub - pan2za/freeradius3-mysql-conf

The detailed configuration is available there for comparison.

0. Install freeradius-mysql

#apt-get install freeradius freeradius-mysql

1. Create the freeradius database

#service mysql start

...

#mysql -u root -p

Enter password: 456456

...

mysql> create database radius;    // "radius" is the name of the database

...

mysql> quit

2. Import the tables

mysql -uroot -p radius < mods-config/sql/main/mysql/schema.sql


Enter password: 456456

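/usr/local/etc/raddb/sql/mysql/schema.sql is the main database definition. It contains 7 tables, including:

radacct: accounting records

radcheck: per-user check attributes

radgroupcheck: per-group check attributes

radgroupreply: per-group reply attributes

radpostauth: post-authentication records, which can include both accepted and rejected authentication requests

radreply: per-user reply attributes

radusergroup: user-to-group membership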

Create MySQL User and grant permissions

In the file mods-config/sql/main/mysql/setup.sql set a more secure password than 'radpass'. If your SQL server is running on a different machine you also have to replace the localhost with your radius server.

mysql -uroot -p radius < mods-config/sql/main/mysql/setup.sql

3. Modify the configuration files

3.1

Edit /etc/freeradius/3.0/sites-available/default so that it supports sql: in authorize{}, put a # in front of files and remove the # in front of sql.

3.2

Edit /usr/local/etc/raddb/sites-enabled/inner-tunnel. In the authorize{} section:

comment out files

uncomment sql

3.3

Edit /etc/freeradius/3.0/mods-available/sql so that it connects to MySQL.

Change the following:

driver = "rlm_sql_null"   to   driver = "rlm_sql_mysql"

dialect = "sqlite"        to   dialect = "mysql"

server = "localhost"

login = "abills"

password = "ixnfo.com"    (the MySQL password of the abills user)

radius_db = "radius"

Uncomment read_clients = yes

Then edit /usr/local/etc/raddb/radiusd.conf

and remove the # in front of $INCLUDE sql.conf

Edit /etc/freeradius/3.0/mods-available/sql module and enter the SQL dialect, driver, server, username and password details to connect to your SQL server and the RADIUS database.

The database and table names should be left at the defaults if you used the default schema. For testing/debug purposes, uncomment the logfile = ... line - FreeRADIUS will dump all SQL commands to the log file specified here.

3.4 Create the symlink (this step is required)

Next enable the sql module by executing

    cd mods-enabled
    ln -s ../mods-available/sql sql

3.5 Edit the default file (same as 3.1)

Edit /sites-available/default (or whatever site config you use) and uncomment the line containing sql in the authorize{} section.

 authorize {
        sql
 }
 accounting {
        sql
 }
 session {
        sql
 }
 post-auth {
        sql
 }
 Post-Auth-Type REJECT {
        sql
 }

Additionally, edit sites-available/inner-tunnel and uncomment the line containing 'sql' under "authorize {}".

Also uncomment the line saying 'sql' in the accounting{} section to tell FreeRADIUS to store accounting records in SQL as well.

Optionally add or uncomment 'sql' to the session{} section if you want to do Simultaneous-Use detection.

Optionally add or uncomment 'sql' to the post-auth{} section if you want to log all Authentication attempts to SQL.

Optionally, if you want to strip all realm names (i.e. you want user joe@domain.com to authenticate as just 'joe'), then in file mods-config/sql/main/*sql_dialect*/queries.conf , under the 'query config: username' section, you MAY need to adjust the line(s) referring to sql_user_name. For example, in uncomment the line:

sql_user_name = '%{Stripped-User-Name}'

...and comment out the following line referring to just User-Name. If you want to see what's happening here, switch on all the logging options in radiusd.conf and run radiusd in debug mode (-X) to see what's happening : you'll see " user@domain" being passed to SQL when using User-Name, but just "user" when using Stripped-User-Name. Of course, set all your other SQL options as needed (database login details, etc)

'''You should not change/delete any other lines in the config file without reading and understanding the comments!'''

The config you use (e.g. sites-enabled/default) should then look something like this:

 authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        # We leave "files" enabled to allow creation of test users in the "users" file
        files
        sql
        pap
 }
 accounting {
        # We leave "detail" enabled to additionally log accounting to /var/log/radius/radacct
        detail
        sql
 }
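
With sql enabled in post-auth{} and Post-Auth-Type REJECT, every authentication attempt is written to radpostauth, which makes that table usable for spotting password guessing. The queries below are an added example, not from the original post or the FreeRADIUS project; they assume the default radpostauth columns (username, pass, reply, authdate), the reply strings Access-Accept and Access-Reject, and the stock post-auth query, and the thresholds are arbitrary starting values.

```sql
-- Added example; assumes the default schema.sql table layout.
USE radius;

-- 1. Accounts with 5 or more rejected attempts in the last 15 minutes.
SELECT username,
       COUNT(*)      AS rejects,
       MIN(authdate) AS first_seen,
       MAX(authdate) AS last_seen
FROM radpostauth
WHERE reply = 'Access-Reject'
  AND authdate >= NOW() - INTERVAL 15 MINUTE
GROUP BY username
HAVING COUNT(*) >= 5
ORDER BY rejects DESC;

-- 2. Logins from the last day that succeeded right after a run of
--    rejects for the same account: the pattern worth a manual look.
SELECT a.username,
       a.authdate  AS accepted_at,
       COUNT(r.id) AS rejects_before
FROM radpostauth AS a
JOIN radpostauth AS r
  ON  r.username = a.username
  AND r.reply    = 'Access-Reject'
  AND r.authdate BETWEEN a.authdate - INTERVAL 15 MINUTE AND a.authdate
WHERE a.reply = 'Access-Accept'
  AND a.authdate >= NOW() - INTERVAL 1 DAY
GROUP BY a.id, a.username, a.authdate
HAVING COUNT(r.id) >= 5;

-- 3. With the stock post-auth query the pass column stores the password
--    each client submitted, including near-miss typos of real passwords.
--    Blank what has already been logged; to stop new values being stored,
--    edit the post-auth query in queries.conf.
UPDATE radpostauth SET pass = '' WHERE pass <> '';
```

Query 3 needs UPDATE on radpostauth, so run it from an administrative MySQL account rather than the login the RADIUS server uses.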

4. Add a test account to the database

  (1) Create the group information

#mysql -u root -p

Enter password:456456

...

mysql> use radius;

...

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');

  (2) Create the user

mysql> insert into radcheck (username,attribute,op,value) values ('test','Cleartext-Password',':=','testpwd');

  (3) Associate the user with the group

mysql> insert into radusergroup (username,groupname) values ('test','user');

  (4) Add the user's reply attributes

mysql> insert  into radreply(username,attribute,op,value) values('test','Reply-Message','=','Yes,Good!');

Check the table contents:

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test     | user      |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)

mysql> select * from radcheck;
+----+----------+--------------------+----+---------+
| id | username | attribute          | op | value   |
+----+----------+--------------------+----+---------+
|  5 | test     | Cleartext-Password | := | testpwd |
+----+----------+--------------------+----+---------+
1 row in set (0.00 sec)

mysql> select * from radreply;
+----+----------+---------------+----+-----------+
| id | username | attribute     | op | value     |
+----+----------+---------------+----+-----------+
|  1 | test     | Reply-Message | =  | Yes,Good! |
+----+----------+---------------+----+-----------+
1 row in set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+-------------------+----+-----------------+
| id | groupname | attribute         | op | value           |
+----+-----------+-------------------+----+-----------------+
|  1 | user      | Auth-Type         | := | Local           |
|  2 | user      | Service-Type      | := | Framed-User     |
|  3 | user      | Framed-IP-Address | := | 255.255.255.255 |
|  4 | user      | Framed-IP-Netmask | := | 255.255.255.0   |
+----+-----------+-------------------+----+-----------------+
4 rows in set (0.00 sec)

mysql>

5. Test whether the freeradius and MySQL integration works

#freeradius -X

# radtest test testpwd localhost 0 testing123

Sent Access-Request Id 232 from 0.0.0.0:45389 to 127.0.0.1:1812 length 74
         User-Name = "test"
         User-Password = "testpwd"
         NAS-IP-Address = 127.0.1.1
         NAS-Port = 0
         Message-Authenticator = 0x00
         Cleartext-Password = "testpwd"
Received Access-Accept Id 232 from 127.0.0.1:1812 to 0.0.0.0:0 length 49
         Reply-Message = "Yes,Good!"
         Service-Type = Framed-User
         Framed-IP-Address = 255.255.255.255
         Framed-IP-Netmask = 255.255.255.0

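Appendix: changing the default MySQL password

2. Log in as the MySQL root user with mysql -uroot -p. At the password prompt just press Enter; no password is needed.

3. Change the root password

  use mysql;

  ALTER user 'root'@'localhost' IDENTIFIED BY '123456';

  flush privileges;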

Appendix 2: freeradius3 changes

guide/SQL HOWTO for freeradius 3.x on Debian Ubuntu

Appendix 3: FAQ

1 ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

Answer: the SQL dialect must be set to mysql

2 FreeRadius. error solution rlm_sql_mysql: Couldn’t connect to MySQL server

Answer: the MySQL root user cannot be used to connect to MySQL; use the abills user instead

CREATE USER 'abills'@'127.0.0.1' IDENTIFIED BY 'ixnfo.com';

GRANT ALL PRIVILEGES ON *.* TO 'abills'@'127.0.0.1';

GRANT ALL PRIVILEGES ON *.* TO 'abills'@'localhost';
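
GRANT ALL PRIVILEGES ON *.* gives the RADIUS server's database login control over every database on the MySQL server, which is far more than the sql module needs. A narrower set of grants follows as an added example (not from the original post); it assumes the database name radius, the default table names, and that only the accounting{} and post-auth{} sections write to SQL.

```sql
-- Added example: least-privilege grants for the account FreeRADIUS logs in with.
-- Run as a MySQL administrator. Repeat for 'abills'@'localhost' if that
-- account exists on your server.

-- Drop the global privileges granted above.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'abills'@'127.0.0.1';

-- authorize{} and session{} only read: radcheck, radreply, radgroupcheck,
-- radgroupreply, radusergroup, and nas (when read_clients = yes).
GRANT SELECT ON radius.* TO 'abills'@'127.0.0.1';

-- accounting{} inserts new sessions and updates them on interim/stop.
GRANT INSERT, UPDATE ON radius.radacct TO 'abills'@'127.0.0.1';

-- post-auth{} only appends one row per authentication attempt.
GRANT INSERT ON radius.radpostauth TO 'abills'@'127.0.0.1';

-- Confirm that nothing is granted ON *.* except USAGE.
SHOW GRANTS FOR 'abills'@'127.0.0.1';
```

After changing the grants, rerun freeradius -X and the radtest command from step 5; a missing privilege shows up as an SQL error in the debug output.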

3 When creating a user, note that the attribute is Cleartext-Password

insert into radcheck (username,attribute,op,value) values ('test','Cleartext-Password',':=','testpwd');
