Official site: http://freeradius.org/
Documentation: http://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf
Wiki: http://wiki.freeradius.org
Before using it, it is best to read the FreeRADIUS Technical Guide.
Some of the content below is excerpted from that guide, with a rough translation. There are probably some places where the translation is not quite right; please bear with me.
What is AAA
AAA stands for “Authentication, Authorization, and Accounting”. RADIUS is one kind of AAA protocol.
Authentication
Authentication refers to the process of validating the identity of the user by matching the credentials supplied by the user (for example, name, password) to those configured on the AAA server (for example, name, password). If the credentials match, the user is authenticated and gains access to the network. If the credentials do not match, authentication fails, and network access is denied.
Authentication: verifying whether the user's credentials (such as user name and password) are correct.
Authorization
Authorization refers to the process of determining what permissions are granted to the user. For example, the user may or may not be permitted certain kinds of network access or allowed to issue certain commands.
Authorization: the process of determining which permissions are granted to the user, for example whether or not a user is permitted to access a certain network.
What is RADIUS
RADIUS, which stands for “Remote Authentication Dial In User Service”, is a network protocol - a system that defines rules and conventions for communication between network devices - for remote user authentication and accounting. Commonly used by Internet Service Providers (ISPs), cellular network providers, and corporate and educational networks, the RADIUS protocol serves three primary functions:
• Authenticates users or devices before allowing them access to a network
• Authorizes those users or devices for specific network services
• Accounts for and tracks the usage of those services
RADIUS is a network protocol that defines rules for communication between network devices. The RADIUS protocol serves three main functions:
- Authentication: authenticate users before allowing them to access the network
- Authorization: authorize users to use specific network services
- Accounting: record each user's usage of the various network services and pass it to the billing system.
Wikipedia: https://en.wikipedia.org/wiki/RADIUS
What is FreeRADIUS
FreeRADIUS is a high-performance and highly configurable RADIUS server. It supports many database back-ends such as flat-text files, SQL, LDAP, Perl, Python, etc. It also supports many authentication protocols such as PAP, CHAP, MS-CHAP(v2), HTTP Digest, and EAP (EAP-MD5, EAP-TLS, PEAP, EAP-TTLS, EAP-SIM, etc.).
It also has full support for Cisco’s VLAN Query Protocol (VMPS) and DHCP.
Please read the DEBUGGING section below. It contains instructions for quickly configuring the server for your local system.
FreeRADIUS is a high-performance, highly configurable RADIUS server. It supports many data back-ends, such as flat-text files, SQL and LDAP.
It also supports many authentication protocols, such as PAP, CHAP, MS-CHAP, HTTP Digest and EAP (EAP-MD5, EAP-TLS, PEAP, EAP-TTLS, EAP-SIM, etc.).
Roles involved
- User/Device: the user
- NAS: Network Access Server, such as a switch or a wireless AP
- Authentication Server: the authentication server, such as FreeRADIUS
The server cannot negotiate with an NAS to request more information: the server simply takes what the NAS sends and returns either an acknowledgment or a non-acknowledgment. This limitation is another key concept.
The authentication server only listens for requests sent by the NAS and then returns a response.
Responsibilities of each role:
- An NAS is responsible for requesting and enforcing network access, filtering traffic, and sending summaries of accounting data.
- The RADIUS server is responsible for receiving access requests, interpreting complex policies, and returning a response to the NAS.
- A data store (i.e., directory or database) is responsible for storing large amounts of data, most often keyed by user name. This data may include user passwords, credit amounts, session data, and more.
The NAS is the gateway (a router or similar device) between the user and the network the user wants to access. When the user tries to access the network, the NAS sends the authentication information, such as user name and password, to the RADIUS server; this process is called an Authentication Session. An Authentication Session is started when the user logs in.
At the end of the Authentication Session, the RADIUS server tells the NAS whether the user should be rejected or allowed to access network resources.
Building and installing FreeRADIUS 3.x from source
Install the libraries it depends on, such as libtalloc:
$ sudo apt-get install libtalloc-dev
Download the source from the official site, unpack it, enter the source directory and run (see the INSTALL file):
$ ./configure
$ make
$ make install
By default radiusd is installed as /usr/local/sbin/radiusd, with its run-time directory at /usr/local/var/run/radiusd.
A custom installation path can of course be given to configure with --prefix.
Configuration file path: /usr/local/etc/raddb/radiusd.conf
Starting
Start radiusd in debug mode:
# radiusd -X
If startup fails with a message about the libssl heartbleed problem, refer to here.
Adding a test user
Add a test user to the configuration file /usr/local/etc/raddb/users, with the name bob, the password hello, and the reply message Hello bob:
bob	Cleartext-Password := "hello"
	Reply-Message := "Hello, %{User-Name}"
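As an added example (not code from this page or from FreeRADIUS itself), a small Python model of how such an entry is read and matched: a parser for the users-file syntax shown above and a simplified version of the matching the users module and PAP perform. The sample file contents and the request dictionary are constructed for the example.

```python
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in raddb/users syntax (not the page's file). An entry starts with the
# user name and its check items on one line; indented continuation lines carry the reply
# items, comma-separated, with no comma after the last one.
USERS_FILE = """\
bob\tCleartext-Password := "hello"
\tReply-Message := "Hello, %{User-Name}"
alice\tCleartext-Password := "s3cret", Framed-Protocol == PPP
\tFramed-Protocol = PPP,
\tReply-Message := "Hi, %{User-Name}"
"""

ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')

def parse_items(text: str) -> List[Tuple[str, str, str]]:
    """'Attr op Value, Attr op Value' -> [(attr, op, value)] with quotes stripped."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM.findall(text)]

def parse_users(text: str) -> List[dict]:
    """Split the file into entries: {'name', 'check': [...], 'reply': [...]}."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":                     # unindented: a new entry
            parts = line.split(None, 1)
            check = parse_items(parts[1]) if len(parts) > 1 else []
            entries.append({"name": parts[0], "check": check, "reply": []})
        elif entries:                                # indented: reply items
            entries[-1]["reply"].extend(parse_items(line))
    return entries

def authorize(entries: List[dict], user: str, password: str, request: Dict[str, str]) -> Optional[List[Tuple[str, str]]]:
    """Simplified model of the users module plus PAP: the first entry whose name (or DEFAULT)
    and check items all match supplies the reply items; no match means Access-Reject (None)."""
    for e in entries:
        if e["name"] not in (user, "DEFAULT"):
            continue
        ok = True
        for attr, op, value in e["check"]:
            if attr == "Cleartext-Password":         # compared in constant time
                ok = ok and hmac.compare_digest(password.encode(), value.encode())
            elif op == "==":                         # must equal the request attribute
                ok = ok and request.get(attr) == value
        if ok:
            return [(a, v.replace("%{User-Name}", user)) for a, _, v in e["reply"]]
    return None
```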
Setting the shared secret
The NAS and the RADIUS server protect their communication with a shared secret, which is configured in clients.conf (default location: /usr/local/etc/raddb/clients.conf).
The shared secret in my configuration file is testing123.
Using radclient
FreeRADIUS ships with a RADIUS client program, radclient, which can be used to send requests to the server. Note the shared secret mentioned above: if it is wrong, the server will report a shared-secret error.
Authenticate as bob:
# echo "User-Name=bob,User-Password=hello,Framed-Protocol=PPP " | /usr/local/bin/radclient localhost:1812 auth testing123
Sent Access-Request Id 226 from 0.0.0.0:58356 to 127.0.0.1:1812 length 49
Received Access-Accept Id 226 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
The radiusd debug output shows that the server authenticated the request successfully.
radclient wiki: http://wiki.freeradius.org/config/Radclient
Source code analysis
Original article here; download: http://pan.baidu.com/s/1dFv3qwh
Examples of FreeRADIUS in use
Xi'an Jiaotong University library: http://www.cmee-online.com/disp_n.asp?id=138
FreeRADIUS 3.x & MySQL
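To show what the shared secret actually does in the exchange above, here is an added Python example (not code from the page, radclient or FreeRADIUS) that builds the same Access-Request radclient sends for bob, hides User-Password with the secret as RFC 2865 specifies, and checks the Response Authenticator of the Access-Accept, the step that makes a reply forged without the secret fail. The Request Authenticator and the reply text are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed values matching the page's walkthrough: the secret from clients.conf and user bob.
SECRET = b"testing123"

def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    password = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(password[i:i + 16], key))
        out += prev
    return out

def pap_decode(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream, chained on the received cipher blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def avp(code: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length includes the two header bytes."""
    return struct.pack("!BB", code, len(value) + 2) + value

def access_request(ident: int, user: str, password: str, secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request (code 1) with what radclient sends for the page's command: User-Name(1), User-Password(2), Framed-Protocol(7)=PPP(1)."""
    attrs = (avp(1, user.encode())
             + avp(2, pap_encode(password.encode(), secret, authenticator))
             + avp(7, struct.pack("!I", 1)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def access_accept(request: bytes, secret: bytes, reply_message: str) -> bytes:
    """Server reply (code 2) with Reply-Message(18); authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    attrs = avp(18, reply_message.encode())
    head = struct.pack("!BBH", 2, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """The check a client must make before trusting an Accept: a reply built or altered without the secret fails it."""
    head, got, attrs = reply[:4], reply[4:20], reply[20:]
    want = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(got, want)
```

The request comes out at 49 bytes and the accept at 32, the lengths radclient printed above.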
http://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu
Adding a module
Problems
windows eap_peap: ERROR: TLS Alert read:fatal:unknown CA
When logging in from Windows, the server reports “fatal:unknown CA”.
Solution: install freeradius/certs/ca.der on the Windows machine.
(Choose the certificate store manually and install it into the trusted certificate store. In addition, the Wired AutoConfig and WLAN AutoConfig services must be enabled; then, in the properties window of “Local Area Connection”, open the “Authentication” tab, enable 802.1X and validate the server certificate.)