OpenSER+Radius全攻略

6 篇文章 0 订阅

OpenSER+Radius全攻略

freeradius需要openssl库,在quicklinux中已经预装好openssl-0.9.7a-46.i686

如果mysql不是安装在/usr/local/目录下需要做个连接:
# ln -s /opt/lapmcp/apmc/ /usr/local/mysql

首先安装freeradius,并在不连接mysql的情况下测试:
# cd /home/zyq/tempfile/OpenSER_ins/AAA
# tar -xzvf freeradius-1.1.4.tar.gz
# cd freeradius-1.1.4
# ./configure --with-rlm-sql-lib-dir=/opt/lapmcp/apmc/lib/mysql/ --with-rlm-sql-include-dir=/opt/lapmcp/apmc/include/mysql/
# make
# make install WITH_MYSQL=yes

配置freeradius;
1) 修改 clients.conf
# vi /usr/local/etc/raddb/clients.conf
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
} //默认已有。这里secret = testing123 表示从127.0.0.1这个客户端连接radius服务所需要用的密码。

2) 修改 naslist ,加入:
# vi /usr/local/etc/raddb/naslist
localhost local portslave
//默认已有

3) 编辑 users ,加入用户: (这个用户是保存在文本文件里的,做测试用)
# vi /usr/local/etc/raddb/users
在例子中的steve这段下面加入
hefish     Auth-Type:=local, User-Password == "123456"
           Service-Type = Framed-User,
           Framed-Protocol = PPP,
           Framed-IP-Address = 192.168.137.2,
           Framed-IP-Netmask = 255.255.255.0
在例子Jone Doe这段下面加入
powerlift Auth-Type := Local, User-Password == "ilovelinux"
          Reply-Message = "Hello, powerlift!"
保存退出。

4)执行测试
# /usr/local/sbin/radiusd -X
然后另开一个终端,测试:
# radtest hefish 123456 localhost 0 testing123
返回:
Sending Access-Request of id 11 to 127.0.0.1 port 1812
        User-Name = "hefish"
        User-Password = "123456"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=11, length=44
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.137.2
        Framed-IP-Netmask = 255.255.255.0
测试通过,再测试:
# radtest powerlift ilovelinux localhost 0 testing123
返回:
Sending Access-Request of id 15 to 127.0.0.1 port 1812
        User-Name = "powerlift"
        User-Password = "ilovelinux"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=15, length=39
        Reply-Message = "Hello, powerlift!"
测试通过。

5)配置radiusd用mysql来认证。先在mysql里面创建数据库:
# /usr/local/mysql/bin/mysqladmin -u root -p create radius
# cd /home/zyq/tempfile/OpenSER_ins/AAA/freeradius-1.1.4/doc/examples
# /usr/local/mysql/bin/mysql -u root -p radius < mysql.sql

6) 编辑 radiusd.conf 使其支持mysql认证;
# vi /usr/local/etc/raddb/radiusd.conf
authorize {
preprocess
chap
mschap
suffix
sql
...
}
accounting {
...
sql
...
}

7) 编辑 sql.conf ,使radius可以访问mysql
# vi /usr/local/etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
login = "root"
password = "mysql的密码"
radius_db = "radius"
// 剩下的配置就默认吧 (如果您要做用户帐号/网卡MAC/电话号码绑定之类的东西,那就例外,可以改下面的配置)
}

8) 向数据库里增加一些数据;
# /usr/local/mysql/bin/mysql -u root -p radius
先加入一些组信息:
insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask','=','255.255.255.255');
insert into radgroupcheck (groupname, attribute, op, value) values ("user", "Auth-Type", ":=", "Local");
然后加入用户信息:
insert into radcheck (username,attribute,op,value) values ('zyq','User-Password','==','12345678');
然后把用户加到组里:
insert into usergroup(username,groupname) values('zyq','user');

9) 为了让radius能正确地调用mysql,还要指定一下库的位置:
# echo /usr/lib >> /etc/ld.so.conf
# echo /usr/local/lib >> /etc/ld.so.conf
# echo /opt/lapmcp/apmc/lib >> /etc/ld.so.conf
# ldconfig

10) 测试freeradius+mysql:
# radtest zyq 12345678 localhost 0 testing123
收到:
Sending Access-Request of id 146 to 127.0.0.1 port 1812
        User-Name = "zyq"
        User-Password = "12345678"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=146, length=32
        Service-Type = Framed-User
        Framed-IP-Netmask = 255.255.255.255
      
===================================
安装radius-client:
~# tar xvfz radiusclient-ng-X.Y.Z.tar.gz
~# cd radiusclient-ng-X.Y.Z
~# ./configure
~# make
~# make install

安装OpenSER with freeradius:
检查mysql.h及libmysqlclient.so等是否就位
将libmysqlclient.so、libmysqlclient.so.15、libmysqlclient_r.so及libmysqlclient_r.so.15从/usr/local/mysql/lib/mysql下cp到/usr/lib下
mysql.h在/usr/local/mysql/include/mysql下,如果mysql不是标准安装则把mysql目录cp到/usr/local/include下

编译安装OpenSER:
~> tar xzvf openser-1.1.0_src.tar.gz
~> cd openser-1.1.0
~> vi modules/acc/Makefile
将以下两行前的注释去掉:
DEFS+=-DRAD_ACC -I$(LOCALBASE)/include
LIBS=-L$(LOCALBASE)/lib -lradiusclient-ng
~> vi Makefile
exclude_modules?=               jabber cpl-c pa mysql postgres osp unixodbc \
                                              avp_radius auth_radius group_radius uri_radius
注释掉第二行,删除第一行的mysql
~> NICER=1 make all
~> make install

完了后在/usr/local/sbin下面会生成
openser,openserctl,openserunix,openser_mysql.sh这四个文件
用openser_mysql.sh create创建数据库:
~> openser_mysql.sh create
MySql password for root:                               //mysql的密码
Domain (realm) for the default user 'admin':           //直接回车
       creating database openser ...
Install SERWEB tables ?(y/n):y                         //按y然后回车
Domain (realm) for the default user 'admin':           //直接回车
       creating serweb tables into openser ...
     
修改openser的配置文件/usr/local/etc/openser/openser.cfg
接着修改相同目录下的openserctlrc

此时用openserctl start/stop已经可以启动/关闭openser了

===============================================

配置openser with freeradius:
1)生成OpenSER RADIUS Dictionary
~# cp /usr/local/etc/openser/dictionary.radius /usr/local/etc/radiusclient-ng/dictionary.openser
~# vi /usr/local/etc/radiusclient-ng/dictionary.openser
用以下内容替换原有的:
#### Attributes ###
#ATTRIBUTE User-Name                 1 string     # RFC2865
#ATTRIBUTE Service-Type                 6 integer    # RFC2865
#ATTRIBUTE Called-Station-Id             30 string     # RFC2865, acc
#ATTRIBUTE Calling-Station-Id            31 string     # RFC2865, acc
#ATTRIBUTE Acct-Status-Type              40 integer    # RFC2865, acc
#ATTRIBUTE Acct-Session-Id               44 string     # RFC2865, acc
ATTRIBUTE Sip-Method                   101 integer    # Schulzrinne, acc
ATTRIBUTE Sip-Response-Code            102 integer    # Schulzrinne, acc
ATTRIBUTE Sip-Cseq                     103 string     # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag                   104 string     # Schulzrinne, acc
ATTRIBUTE Sip-From-Tag                 105 string     # Schulzrinne, acc
ATTRIBUTE Sip-Translated-Request-URI   107 string     # Proprietary, acc
ATTRIBUTE Sip-Src-IP                   108 string     # Proprietary, acc
ATTRIBUTE Sip-Src-Port                 109 string     # Proprietary, acc
ATTRIBUTE Digest-Response      206 string     # Sterman, auth_radius
ATTRIBUTE Sip-Uri-User         208 string     # Proprietary, auth_radius
ATTRIBUTE Sip-Group            211 string     # Proprietary, group_radius
ATTRIBUTE Sip-Rpid             213 string     # Proprietary, auth_radius
ATTRIBUTE SIP-AVP              225 string     # Proprietary, avp_radius
ATTRIBUTE Digest-Realm                1063 string     # Sterman, auth_radius
ATTRIBUTE Digest-Nonce                1064 string     # Sterman, auth_radius
ATTRIBUTE Digest-Method               1065 string     # Sterman, auth_radius
ATTRIBUTE Digest-URI                  1066 string     # Sterman, auth_radius
ATTRIBUTE Digest-QOP                  1067 string     # Sterman, auth_radius
ATTRIBUTE Digest-Algorithm            1068 string     # Sterman, auth_radius
ATTRIBUTE Digest-Body-Digest          1069 string     # Sterman, auth_radius
ATTRIBUTE Digest-CNonce               1070 string     # Sterman, auth_radius
ATTRIBUTE Digest-Nonce-Count          1071 string     # Sterman, auth_radius
ATTRIBUTE Digest-User-Name            1072 string     # Sterman, auth_radius

~# cd /usr/local/etc/raddb
~# vi clients.conf
加入以下内容:
client 192.168.137.2 {
   secret       = testing123
   shortname   = openser
}
~# vi radiusd.conf
在modules {下面找到digest,去掉注释,默认已去掉
在authorize {和authenticate {下去掉digest的注释,保存退出
~# vi /usr/local/etc/raddb/dictionary
加入下面这行:
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser

~# vi /usr/local/etc/raddb/users
在最后加入以下内容:
### --- avps ---
101@192.168.137.2 Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
   Sip-Avp += "#3#1",
   Sip-Avp += "#4:08:00",
   Sip-Avp += "#5:16:00",
   Sip-Avp += "#6:Mon,Wed,Thu,Fri"

102@192.168.137.2 Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
   Sip-Avp += "#3#1",
   Sip-Avp += "#4:08:00",
   Sip-Avp += "#5:16:00",
   Sip-Avp += "#6:Mon,Wed,Thu,Free"

DEFAULT Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"

### --- group checking ---
### --- user 101 ---
101@192.168.137.2 Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
   Reply-Message = "Authorized"

101@192.168.137.2 Auth-Type := Accept, Sip-Group == "pstn", Service-Type == "Group-Check"
   Reply-Message = "Authorized"

### --- user 102 ---
102@192.168.137.2 Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
   Reply-Message = "Authorized"

DEFAULT Auth-Type := Reject, Service-Type == "Group-Check"

### --- user authentication ---
101@192.168.137.2 Auth-Type := Digest, User-Password == "101"
   Reply-Message = "Authenticated",
   Sip-Avp += "rpid:101",
   Sip-Avp += "#2:192.168.137.1",
   Sip-Avp += "#2:192.168.137.11"

102@192.168.137.2 Auth-Type := Digest, User-Password == "102"
   Reply-Message = "Authenticated",
   Sip-Avp += "rpid:102",
   Sip-Avp += "#2:192.168.137.1"

================================================

配置RadiusClient-ng :
~# vi /usr/local/etc/radiusclient-ng/radiusclient.conf
将以下localhost改成服务器地址:
...
authserver      localhost
...
acctserver      localhost
...

~# vi /usr/local/etc/radiusclient-ng/servers
加入服务器地址和secret的对应
192.168.137.2   testing123

~# vi /usr/local/etc/radiusclient-ng/dictionary
加入下面这行:
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser

~# vi /usr/local/etc/raddb/users
加入测试Digest的数据:
test Auth-Type := Digest, User-Password == "test"
   Reply-Message = "Hello, test with digest"
测试:
~# /usr/local/sbin/radiusd -X
新开一个终端,按下面来做:
Create a file named “digest” and put following in it, all in a single line:

...
User-Name = "test", Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7",
Digest-Realm = "testrealm", Digest-Nonce = "1234abcd" ,
Digest-Method = "INVITE", Digest-URI = "sip:5555551212@example.com",
Digest-Algorithm = "MD5", Digest-User-Name = "test"
...

Use “radclient” for testing the server. It is assumed that you run “radclient” on OpenSER system. You have to install it there, since this tool comes with FreeRADIUS server.

...
radclient -f digest 192.168.137.2 auth testing123
...

In case of correct response from the server, you should see something like:

...
Received response ID 224, code 2, length = 45
        Reply-Message = "Hello, test with digest"
...

=======================================================

配置OpenSER:
~# vi /usr/local/etc/openser/openser.cfg
见附件。

CDR位于"var/log/radius/radacct/"

--------------------------------
Debug:
1、不能load libradius-ng.so.2:
在环境变量中加入LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

2、1.0.0以上版本中已经没有modparam ( " auth_radius " , " rpid_old_compat " , 1 )

3、the syntax of avp parameters for avpops modules has changed. Please see:

http://openser.org/dokuwiki/doku.php?id=migrating_openser_v1.0.x_to_v1.1.x

For example, in your case:

avp_write("$ruri", "i:10"); => avp_write("$ruri", "$avp(i:10)");

4、ERROR: acc: can't get code for the Sip-Method attribute
Did you include dictionary.ser into your main libradiusclient dictionary?

5、ERROR: tcp_init: bind on 127.0.0.1
在ser.cfg中加入listen=udp:192.168.137.5

6、raddb下创建digest文件,里面加入各个用户的信息;
打开freeradius的mysql支持,在radiusd.conf中把sql注释去掉就支持了,users文件就不起作用了;
在acc的配置文件基础上加入radius-acc计费,再参照ser下台湾人配置的认证文档,加入radius认证;
关键在于radius_www_authorize,只要它在,就用radius来认证,否则就用本机来认证
在用radius认证的情况下acc中也会有cdr,证明cdr的产生跟subscriber无关。

mysql -uroot -p123456 radius

insert into radgroupreply (GroupName,Attribute,op,Value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Service-Type',':=','Framed-User');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.254');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');

insert into radcheck (UserName,Attribute,op,Value) values ('8001@192.168.137.2','User-Password','==','1111');
insert into radcheck (UserName,Attribute,op,Value) values ('8001@192.168.137.2','Auth-Type',':=','Digest');
insert into radcheck (UserName,Attribute,op,Value) values ('8002@192.168.137.2','User-Password','==','1111');
insert into radcheck (UserName,Attribute,op,Value) values ('8002@192.168.137.2','Auth-Type',':=','Digest');


评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值