Common applications on RedHat AS4: FreeRADIUS
I. Overview
RADIUS (Remote Access Dial In User Service) is a protocol that primarily provides authentication, checking a user's identity and password; once that check passes, authorization lets the user log in to the network and use its resources, and accounting keeps a record of the user's network usage. The protocol is described in detail in RFC 2865 and RFC 2866.
FreeRADIUS is open-source software that implements RADIUS AAA (Authentication, Authorization, Accounting) on top of the RADIUS protocol.
1. FreeRADIUS features
1) Authentication methods (user stores) supported by FreeRADIUS:
Local files
Local DB/DBM databases
LDAP databases
Local executable programs (for example a CGI program)
Perl programs
Python programs
SQL databases:
  Oracle
  MySQL
  PostgreSQL
  Sybase
  IBM DB2
  Any iODBC- or unixODBC-supported database
2) Authentication types supported by FreeRADIUS
Cleartext passwords in local configuration files (PAP)
Encrypted passwords in local configuration files
CHAP
MS-CHAP
MS-CHAPv2
Windows domain controller authentication
Proxying to another RADIUS server
System authentication (usually via /etc/passwd)
PAM (Pluggable Authentication Modules)
LDAP (PAP only)
CRAM
Perl programs
Python programs
SIP Digest (Cisco VoIP, SER)
Netscape-MTA-MD5 encrypted passwords
Kerberos authentication
X9.9 authentication tokens
3) EAP methods for wireless authentication
EAP-MD5
CISCO LEAP
EAP-MSCHAP-V2
EAP-GTC
EAP-SIM
EAP-TLS
EAP-TTLS
EAP-PEAP
4) Accounting methods
Accounting data can be written to several destinations at the same time. FreeRADIUS supports the following accounting targets:
Local 'detail' files
Local 'wtmp' and 'utmp' files
Proxying to another RADIUS server
Replication to one or more RADIUS servers
SQL databases:
  Oracle
  MySQL
  PostgreSQL
  Sybase
  IBM DB2
  Any iODBC- or unixODBC-supported database
II. Installing and configuring FreeRADIUS
1. The RedHat AS4 installation CD contains the package freeradius-1.0.1-3.RHEL4.3.i386.rpm:
#rpm -ivh freeradius-1.0.1-3.RHEL4.3.i386.rpm
2. Install the MySQL database
#rpm -ivh mysqlclient10-3.23.58-4.RHEL4.1.i386.rpm
#rpm -ivh mysql-server-4.1.20-1.RHEL4.1.i386.rpm
#rpm -ivh mysql-4.1.20-1.RHEL4.1.i386.rpm
#rpm -ivh mysql-devel-4.1.20-1.RHEL4.1.i386.rpm
3. Configure the database
Import the table schema:
/usr/share/doc/freeradius-1.0.1/ contains db_mysql.sql:
#cp db_mysql.sql /root
#vi /root/db_mysql.sql
In the CREATE TABLE statement for the nas table, remove default '0' from the id column definition.
Log in to MySQL and create a database named radius:
#mysql -u root -p
mysql>create database radius;
mysql>use radius;
mysql>source /root/db_mysql.sql;
At this point the radius database and its tables have been created.
FreeRADIUS configuration:
/etc/raddb/radiusd.conf
radiusd.conf is the main FreeRADIUS configuration file. Its key sections are shown below (the # comments are annotations; module names in authorize are lowercase):
security {
    max_attributes = 200    # maximum number of attributes allowed in one RADIUS packet; 0 means unlimited
    reject_delay = 1        # delay (1-5 seconds) before sending an Access-Reject; 0 sends it immediately
    status_server = no      # whether to answer Status-Server requests
}
thread pool {
    start_servers = 5       # number of threads started when the server starts
    max_servers = 32        # maximum number of threads at run time
    min_spare_servers = 3   # lower threshold for spare threads
    max_spare_servers = 10  # upper threshold for spare threads
    max_requests_per_server = 0   # requests a thread handles before it exits; 0 means it never exits
}
authorize {
    preprocess   # preprocessing module
    chap         # CHAP authentication module
    mschap       # MS-CHAP authentication module
    sql          # look the user up in the database for authentication
}
/etc/raddb/clients.conf
The following configuration uses the local machine as the NAS.
client 127.0.0.1 {
    secret = testing123     # shared secret between the NAS and FreeRADIUS
    shortname = localhost   # NAS name
    nastype = other         # NAS type
}
/etc/raddb/sql.conf
sql {
    driver = "rlm_sql_mysql"   # database type; rlm_sql_mysql means MySQL
    server = "127.0.0.1"       # database server address
    login = "root"             # user name for the database connection
    password = ""              # password for the database connection
    radius_db = "radius"       # database name
    acct_table1 = "radacct"    # table written when accounting starts
    acct_table2 = "radacct"    # table written when accounting stops
    num_sql_socks = 5          # number of database connections to open
}
III. FreeRADIUS usage example
Add a user test with password 123456 to the database and authenticate that user through FreeRADIUS.
#mysql -u root -p
mysql>Insert into radcheck (username,attribute,op,value) values ('test','User-Password','==','123456');
mysql>quit
Start the FreeRADIUS server with the following command:
# radiusd -xx    (-xx starts the server in debug mode; use it after service radiusd stop, i.e. when the daemon is not already running)
Server output:
[root@as4 raddb]# radiusd -xx
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
thread: start_servers = 5
thread: max_servers = 32
thread: min_spare_servers = 3
thread: max_spare_servers = 10
thread: max_requests_per_server = 0
thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Use radtest, the test client shipped with FreeRADIUS, to send a request:
# radtest test 123456 localhost 0 testing123
Client output:
[root@as4 ~]# radtest test 123456 localhost 0 testing123
Sending Access-Request of id 155 to 127.0.0.1:1812
User-Name = "test"
User-Password = "123456"
NAS-IP-Address = as4
NAS-Port = 0
Re-sending Access-Request of id 155 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\236\324\021\360\375\031>\260f\330\347/\206Y\304\260"
NAS-IP-Address = as4
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=155, length=20
Server-side output (the request is rejected because the files module matches the DEFAULT entry in /etc/raddb/users and sets Auth-Type System, so the unix module rather than sql is asked to authenticate and does not know the user; section IV shows the fix):
rad_recv: Access-Request packet from host 127.0.0.1:32771, id=155, length=56
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
User-Name = "test"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:32771, id=155, length=56
Sending Access-Reject of id 155 to 127.0.0.1:32771
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 155 with timestamp 4b0312b9
Nothing to do. Sleeping until we see a request.
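The exchange above, as an added example that is not part of the original article: a minimal Python implementation of the RFC 2865 Access-Request / Access-Reject handling, using the article's values (shared secret testing123, user test, password 123456, id 155, NAS-IP-Address 255.255.255.255 as printed by the server). It shows why the re-sent User-Password appears as bytes such as \236\324...: the password is hidden with MD5(secret + Request Authenticator), and it shows the Response Authenticator check that lets a client reject replies not computed with the same shared secret. The function and constant names are this example's own.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types used by the exchange in the article (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + c[i-1]),
    where c[-1] is the 16-byte Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; only a party holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value   # TLV: type, length, value

def build_access_request(secret, ident, user, password, nas_ip, nas_port, authenticator=None):
    """The same four attributes radtest sends; 56 bytes on the wire for the article's values."""
    auth = authenticator or os.urandom(16)        # Request Authenticator must be unpredictable
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(secret, auth, password.encode()))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def build_response(secret, request, code, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def response_is_authentic(secret, request, response):
    """Client-side check: accept only replies bound to our request and our shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

The 20-byte Access-Reject carries no attributes, which is exactly the length=20 radtest reported above.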
IV. RADIUS + MySQL + Cisco router login
1. Install radius and mysql as described above, configure the database and add a user.
2. Edit /etc/raddb/clients.conf and add the following:
client 192.168.0.190 {      # a network such as 192.168.0.0/24 can be given instead
    secret = cisco          # shared secret between the NAS and FreeRADIUS
    shortname = wangfb      # NAS name; it appears in the logs, any name will do
    nastype = cisco         # NAS type; the available types are described in clients.conf
}
3. Edit /etc/raddb/sql.conf and change the following:
sql {
    server = "localhost"      # database server address
    login = "root"            # user name for the database connection
    password = "rootpass"     # password for the database connection; change this
    radius_db = "radius"      # database name
}
4. Edit /etc/raddb/radiusd.conf:
authorize {
    preprocess   # preprocessing module
#   chap         # CHAP authentication module
#   mschap       # MS-CHAP authentication module
    sql          # look the user up in the database for authentication
}
When the # in front of sql is removed and radiusd -x is started, the following error is reported:
rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
radiusd.conf[14]: sql: Module instantiation failed.
This happens because the package freeradius-mysql-1.0.1-3.RHEL4.3.i386.rpm is not installed. Installing it resolves the error:
#rpm -ivh freeradius-mysql-1.0.1-3.RHEL4.3.i386.rpm
Even so, logging in to the Cisco router still fails:
[root@youjian root]# telnet 192.168.0.190
Trying 192.168.0.190...
Connected to 192.168.0.190.
Escape character is '^]'.
User Access Verification
Username: wfb
Password:
% Authentication failed.
The fix is to put a # in front of files in authorize { }. You can also comment out the other authorization modules with #, leaving only the preprocessing module and SQL database authentication.
5. Configure the Cisco router
The router is used as the NAS (the ! lines are IOS comments):
aaa new-model
aaa authentication login wangfb group radius local
! use RADIUS for login authentication, falling back to the local database
aaa authentication login conno none
! no authentication on the console line, so you cannot lock yourself out
radius-server host 192.168.0.8 auth-port 1812 acct-port 1813
! note that Cisco defaults to auth-port 1645 and acct-port 1646
radius-server key cisco
! must match the secret in the RADIUS server's clients.conf
interface FastEthernet0/0
 ip address 192.168.0.190 255.255.255.0
line con 0
 login authentication conno
line vty 0 15
 login authentication wangfb
6. Test
[root@youjian root]# telnet 192.168.0.190
Trying 192.168.0.190...
Connected to 192.168.0.190.
Escape character is '^]'.
User Access Verification
Username: wfb
Password:
Router>
The test succeeds.
V. Viewing the logs
1. Edit /etc/raddb/radiusd.conf:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius   # the default logdir is /var/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
log_auth = yes             # default is no; change to yes
log_auth_badpass = yes     # default is no; change to yes
log_auth_goodpass = yes    # default is no; change to yes
2. View the log /var/log/radius/radius.log
Fri Nov 20 10:16:55 2009 : Auth: Login OK: [test/123456] (from client wangfb port 2 cli 192.168.0.252)
The entry shows the login time, the authentication result, the user name, the password, the caller IP, the NAS name and so on. Because log_auth_badpass and log_auth_goodpass write the password in cleartext into radius.log, restrict access to that file and set both options back to no once troubleshooting is finished.
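As an added example (not from the original article), a small Python parser for the radius.log Auth lines produced with log_auth = yes. It uses the Login OK line above plus constructed Login incorrect lines in the same format, strips the cleartext password from the parsed record, and counts failed logins per NAS client and caller IP so the log can feed detection rather than only debugging.

```python
import re
from collections import Counter

# FreeRADIUS 1.x radius.log auth entries: the "Login OK" line is from the article,
# the "Login incorrect" lines are constructed samples in the same format.
SAMPLE_LOG = """\
Fri Nov 20 10:16:55 2009 : Auth: Login OK: [test/123456] (from client wangfb port 2 cli 192.168.0.252)
Fri Nov 20 10:17:03 2009 : Auth: Login incorrect: [test/badpass] (from client wangfb port 2 cli 192.168.0.252)
Fri Nov 20 10:17:09 2009 : Auth: Login incorrect: [admin/guess1] (from client wangfb port 3 cli 192.168.0.77)
Fri Nov 20 10:17:12 2009 : Auth: Login incorrect: [admin/guess2] (from client wangfb port 3 cli 192.168.0.77)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)

def parse_auth_line(line):
    """Return the fields of one Auth line with the password redacted, or None if it
    is not an Auth line. 'cli' (the caller address) is absent for radtest requests."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["password"] = "<redacted>"   # never carry the cleartext password into derived data
    rec["ok"] = rec.pop("result") == "OK"
    return rec

def failed_logins_by_client(log_text):
    """Count failed logins per (NAS shortname, caller IP), the usual grouping
    for spotting password guessing against one NAS from one source."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec and not rec["ok"]:
            counts[(rec["nas"], rec["cli"])] += 1
    return counts
```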