FreeRADIUS configuration (1)

FreeRADIUS with rlm_sql_mysql

1. Install FreeRADIUS from CVS

[root@centos5 ~]# yum install cvs
[root@centos5 ~]# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source login
Logging in to :pserver:anoncvs@cvs.freeradius.org:2401/source
CVS password: anoncvs
[root@centos5 ~]# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source checkout radiusd
./configure    # if this fails, install the *-devel RPMs it complains about
make
make install


Generate the certificates the server needs (the bootstrap script produces a self-signed test CA plus server and client certificates; replace them before using EAP in production):
/usr/local/etc/raddb/certs/bootstrap

ln -s /usr/local/sbin/rc.radiusd /etc/rc.d/init.d/radiusd
ln -s /usr/local/etc/raddb /etc/raddb

chkconfig radiusd on
/etc/rc.d/init.d/radiusd start

[root@centos5]# /usr/local/sbin/radiusd -v
radiusd:  FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on May 17 2008 at 12:20:44
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

2. The FreeRADIUS SQL module

A generic SQL front end (rlm_sql) plus a database-specific driver (rlm_sql_mysql):

Front end: rlm_sql
Driver:    rlm_sql_mysql
Back end:  the MySQL database

Comment:
rlm_sql_mysql is not a complete MySQL client; it is only a thin layer that turns rlm_sql's generic calls into calls to the MySQL client library.

3. MySQL schema
3.1 The seven tables
radacct       accounting records (Start/Stop/Interim-Update)
radcheck      per-user check items (e.g. Cleartext-Password)
radreply      per-user reply items
radgroupcheck per-group check items
radgroupreply per-group reply items
radusergroup  username-to-group membership, with a priority column that orders a user's groups
radpostauth   post-authentication log written by the post-auth section

3.2 Create the radius database
mysql> create database radius;
mysql> use radius;
mysql> \. /usr/local/etc/raddb/sql/mysql/schema.sql
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| radacct | 
| radcheck | 
| radgroupcheck | 
| radgroupreply | 
| radpostauth | 
| radreply | 
| radusergroup | 
+------------------+
7 rows in set (0.09 sec)
Create the NAS table:
mysql> use radius;
mysql> \. /usr/local/etc/raddb/sql/mysql/nas.sql
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas | 
| radacct | 
| radcheck | 
| radgroupcheck | 
| radgroupreply | 
| radpostauth | 
| radreply | 
| radusergroup | 
+------------------+
8 rows in set (0.03 sec)

3.3 Create the FreeRADIUS database user and grant privileges
Change 'radpass' (and 'localhost', if the server connects from another host) in admin.sql before loading it; the same password goes into sql.conf. The grants are deliberately minimal: SELECT on every table, write access only on the two tables the server logs to (radacct, radpostauth).
mysql> \. /usr/local/etc/raddb/sql/mysql/admin.sql

[root@centos5 mysql]# cat admin.sql 
# -*- text -*-
##
## admin.sql -- MySQL commands for creating the RADIUS user.
##
## WARNING: You should change 'localhost' and 'radpass'
## to something else. Also update raddb/sql.conf
## with the new RADIUS password.
##
## $Id: admin.sql,v 1.1 2008/04/30 08:41:30 aland Exp $

#
# Create default administrator for RADIUS
#
CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');

# The server can read any table in SQL
GRANT SELECT ON radius.* TO 'radius'@'localhost';

# The server can write to the accounting and post-auth logging table.
#
# i.e. 
GRANT ALL on radius.radacct TO 'radius'@'localhost';
GRANT ALL on radius.radpostauth TO 'radius'@'localhost';

4. Configure FreeRADIUS to use the MySQL schema
4.1 In sql.conf, set the database connection parameters and the table names (login and password must match what admin.sql created):

database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "radius"
password = "radpass"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"

Verify the credentials from the shell (a password given after -p as here ends up in shell history and in ps output; in practice pass -p alone and type it at the prompt):
[root@centos5 raddb]# mysql -u radius -pradpass radius
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.22-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

4.2 Configure FreeRADIUS to read RADIUS clients from the nas table
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup. For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done "live" while the server is running.
#
#
readclients = yes
# Table to keep radius client info
nas_table = "nas"
Comment out the entries in clients.conf; clients are then loaded from the nas table. Because readclients only runs at startup, restart radiusd after adding or changing a NAS row.
clients.conf:
RADIUS clients/NAS configurations. Note that NAS is the term used
in RADIUS terminology. To simplify things, just think of it as the
authenticator in our 3-party model (supplicant, authenticator, authentication server).

5. Configure FreeRADIUS to use the MySQL database

5.1 users

Comment out everything in the users file; user entries now live in the radcheck table.
The users file holds per-user configurations. Think of users as supplicants in our 3-party
model. Note that user configurations can reside in other places, such as
a MySQL database, instead of the users file.

vi /usr/local/etc/raddb/sites-available/inner-tunnel
Uncomment sql in the authorize section. Note that inner-tunnel only serves the inner (tunnelled) half of EAP methods such as PEAP and TTLS; a plain PAP request such as the radtest in 5.3 is handled by sites-available/default, so uncomment sql in that file's authorize section as well.
authorize {
    chap
    mschap
    unix
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    sql
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
}
5.2 Test data
nas table (testing123 is the well-known default test secret; use a long random secret for any real NAS):
INSERT INTO `nas` (`id`, `nasname`, `shortname`, `type`, `ports`, `secret`, `community`, `description`) VALUES
(1, '127.0.0.1', 'localhost', 'other', 1812, 'testing123', NULL, 'RADIUS Client');

radcheck table (the original used `User-Password` with op `==`, a pre-2.0 form that FreeRADIUS 2.x treats as deprecated and warns about; store the known-good password as `Cleartext-Password` with `:=`):
INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES
(2, 'root', 'Cleartext-Password', ':=', '888888');

radusergroup table:
INSERT INTO `radusergroup` (`username`, `groupname`, `priority`) VALUES
('root', 'user', 1);
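
As an added example (not code from this page or from FreeRADIUS), the following Python script loads a trimmed copy of the five authorization tables into an in-memory SQLite database, inserts the section 5.2 test user plus a few constructed group rows, and runs lookups modelled on the default rlm_sql queries to show how the per-user rows in radcheck/radreply and the per-group rows reached through radusergroup combine into one list of check and reply items. Table and column names are the ones from schema.sql; the exact query text, the extra group rows and the Framed-IP-Address value are assumptions for illustration. The user name is passed as a bound parameter rather than spliced into the SQL text, which is the property rlm_sql has to provide with its safe_characters escaping.

```python
import sqlite3

# Trimmed copies of the FreeRADIUS tables that take part in authorization.
# Column names follow raddb/sql/mysql/schema.sql; radacct, radpostauth and
# nas are omitted because the authorize step never reads them.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                            attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                            attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
                            attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
                            attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT NOT NULL, groupname TEXT NOT NULL,
                            priority INTEGER NOT NULL DEFAULT 1);
"""

# Constructed test rows: the user from section 5.2 plus illustrative group
# items so the group join actually returns something (assumed values).
TEST_ROWS = {
    "radcheck":      [(2, "root", "Cleartext-Password", ":=", "888888")],
    "radreply":      [(1, "root", "Framed-IP-Address", "=", "10.0.0.5")],
    "radgroupcheck": [(1, "user", "Simultaneous-Use", ":=", "1")],
    "radgroupreply": [(1, "user", "Session-Timeout", "=", "3600"),
                      (2, "user", "Idle-Timeout", "=", "600")],
    "radusergroup":  [("root", "user", 1)],
}

# Lookup queries modelled on the defaults in raddb/sql/mysql/dialup.conf
# (assumed; check your copy). The real ones embed %{SQL-User-Name}, which
# rlm_sql escapes with the safe_characters list from sql.conf. Here the
# name is a bound parameter, so the database never sees it as SQL text.
Q_USER_CHECK  = ("SELECT attribute, op, value FROM radcheck "
                 "WHERE username = ? ORDER BY id")
Q_USER_REPLY  = ("SELECT attribute, op, value FROM radreply "
                 "WHERE username = ? ORDER BY id")
Q_GROUPS      = ("SELECT groupname FROM radusergroup "
                 "WHERE username = ? ORDER BY priority")
Q_GROUP_CHECK = ("SELECT attribute, op, value FROM radgroupcheck "
                 "WHERE groupname = ? ORDER BY id")
Q_GROUP_REPLY = ("SELECT attribute, op, value FROM radgroupreply "
                 "WHERE groupname = ? ORDER BY id")


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in TEST_ROWS.items():
        # table names come from our own dict above, not from user input
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


def groups_for(conn, username):
    """Group names for a user, lowest priority value first."""
    return [g for (g,) in conn.execute(Q_GROUPS, (username,))]


def authorize(conn, username):
    """Gather check and reply items the way rlm_sql's authorize step does:
    per-user items first, then each group's items in priority order.
    Evaluating the check items (op ==, :=, ...) against the request is the
    server's job; this only shows where each item comes from."""
    check = list(conn.execute(Q_USER_CHECK, (username,)))
    reply = list(conn.execute(Q_USER_REPLY, (username,)))
    for group in groups_for(conn, username):
        check += conn.execute(Q_GROUP_CHECK, (group,)).fetchall()
        reply += conn.execute(Q_GROUP_REPLY, (group,)).fetchall()
    return {"check": check, "reply": reply}


if __name__ == "__main__":
    db = build_db()
    # the third name is an injection attempt; with binding it matches nothing
    for name in ("root", "nobody", "root' OR '1'='1"):
        print(name, "->", authorize(db, name))
```

Running it shows root's own Cleartext-Password check item followed by the group's Simultaneous-Use, and the reply list built from radreply and then radgroupreply; the injection-shaped user name returns empty lists because the binding treats it as a literal.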

5.3 Test
[root@centos5 ~]# radtest root 888888 localhost 1812 testing123
Sending Access-Request of id 32 to 127.0.0.1 port 1812
User-Name = "root"
User-Password = "888888"
NAS-IP-Address = 10.180.22.10
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=32, length=20
[root@centos5 ~]# 
Comment: root is also a Linux user. Since the unix module is still in authorize, run this test against radiusd -X and confirm in the debug output that the sql module returned the radcheck row, so the Access-Accept is known to come from the database and not from the local account.
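
What radtest actually puts on the wire, as an added example that is not part of the original page and not FreeRADIUS code: a Python model of the PAP Access-Request above (User-Name, User-Password, NAS-IP-Address, NAS-Port) and the 20-byte Access-Accept that came back. It implements the RFC 2865 User-Password hiding (an MD5 keystream derived from the shared secret and the Request Authenticator) and the Response Authenticator the client must check, which shows why the nas.secret value matters: a wrong secret makes the reply fail verification, and anyone who holds the secret can recover the password from a capture. The handle_request server stub and its {username: password} dictionary are assumptions for illustration; the secret, user name, password and NAS address are the ones from the transcript.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. Reversible by anyone who holds the shared secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server does before checking PAP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # trailing NULs are padding


def attr(type_, value):
    """One Type-Length-Value attribute (length counts the 2-byte header)."""
    return bytes([type_, 2 + len(value)]) + value


def parse_attrs(packet):
    """Decode the attribute list into [(type, value), ...]."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2:
            raise ValueError("malformed attribute")
        t, length = packet[i], packet[i + 1]
        out.append((t, packet[i + 2:i + length]))
        i += length
    return out


def build_access_request(ident, username, password, secret, nas_ip, nas_port,
                         authenticator=None):
    """Encode the Access-Request radtest sends; returns (packet, authenticator).
    The Request Authenticator must be unpredictable: it seeds the keystream."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Client side: recompute and compare; a wrong secret or a spoofed reply fails."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def handle_request(packet, secret, users):
    """Assumed minimal PAP server: recover the password, compare it with the
    stored Cleartext-Password, answer Access-Accept or Access-Reject."""
    code, ident, ra = packet[0], packet[1], packet[4:20]
    fields = dict(parse_attrs(packet))
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in fields \
            or ATTR_USER_PASSWORD not in fields:
        return build_response(ACCESS_REJECT, ident, ra, secret)
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, ra)
    stored = users.get(fields[ATTR_USER_NAME])
    ok = stored is not None and hmac.compare_digest(password, stored)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, ra, secret)


if __name__ == "__main__":
    secret = b"testing123"
    req, ra = build_access_request(32, b"root", b"888888", secret, "10.180.22.10", 1812)
    resp = handle_request(req, secret, {b"root": b"888888"})
    print("request bytes:", len(req), "reply code:", resp[0], "reply length:", len(resp),
          "authenticator ok:", verify_response(resp, ra, secret))
```

The reply is 20 bytes, exactly as in the radtest transcript: header, Response Authenticator, no attributes. Note that the keystream construction gives no integrity protection to the request itself and only 16 bytes of MD5 output per block, which is why RADIUS over untrusted networks should be wrapped (RadSec/TLS or IPsec) rather than relying on the shared secret alone.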
Below are the basic steps for configuring 802.1X (dot1x) authentication with FreeRADIUS on Linux:

1. Install the FreeRADIUS package
```
sudo apt-get update
sudo apt-get install freeradius
```

2. Configure the FreeRADIUS server
Under `/etc/freeradius/`, edit `/etc/freeradius/users` and add user entries, for example:
```
bob Cleartext-Password := "password"
```
This creates a user named "bob" with password "password". The client (NAS) must also be added to `/etc/freeradius/clients.conf`, for example:
```
client 192.168.1.0/24 {
    secret = testing123
    shortname = localnet
}
```
This defines a client named "localnet" covering the 192.168.1.0/24 range with shared secret "testing123".

3. Configure 802.1X (EAP) authentication
In `/etc/freeradius/eap.conf`, configure the EAP methods, for example:
```
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
    tls {
        private_key_password = password
        private_key_file = /etc/freeradius/certs/server.pem
        certificate_file = /etc/freeradius/certs/server.pem
        ca_file = /etc/freeradius/certs/ca.pem
        dh_file = /etc/freeradius/certs/dh
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
    }
}
```
This enables PEAP and sets MSCHAPv2 as its default inner EAP type.

4. Configure the network access device
Configure 802.1X on the access device (a switch or wireless access point). The exact steps depend on the vendor and model.

5. Test authentication
```
radtest bob password localhost 0 testing123
```
This authenticates user "bob" with password "password" against the local FreeRADIUS server.

These are the basic steps for 802.1X authentication with FreeRADIUS; the details will vary with the environment and requirements.