Hha mysql_RedHat as4常用应用之mysql+freeradius+cisco路由器

最新推荐文章于 2021-05-12 14:52:31 发布

TechTornado

最新推荐文章于 2021-05-12 14:52:31 发布

阅读量336

点赞数

文章标签： Hha mysql

本文链接：https://blog.csdn.net/weixin_29677553/article/details/113567312

版权

RedHat as4常用应用之freeradius

一、概述

RADIUS(

Remote Access Dial In User Service)

Protocol主要用来提供认证(Authentication)机制，用来辨认使用者的身份与密码，确认通过之后，经由授权(Authorization)使用者登入网域使用相关资源，并可提供计费(Accounting)机制，保存使用者的网络使用记录。Radius协议详细介绍可参见RFC2865,RFC2866。

FreeRadius是一款OpenSource软件，基于Radius协议，实现Radius

AAA(Authentication，Authorization，Accounting)功能。

1、FreeRADIUS的功能

1)FreeRADIUS支持的认证方法：

本地文件

本地DB/DBM数据库

LDAP 数据库

本地可执行程序(比如一个CGI程序)

Perl 程序

Python 程序

SQL 数据库

Oracle

MySQL

PostgreSQL

Sybase

IBM DB2

Any iODBC or unixODBC supported database

2)FreeRADIUS支持的认证类型

本地配置文件中的明文密码(PAP)

本地配置文件中的加密密码

CHAP

MS-CHAP

MS-CHAPv2

windows域控制器认证

代理到其他RADIUS服务器

系统认证(通常通过/etc/passwd)

PAM(可插拔认证模块)

LDAP(只支持PAP)

CRAM

Perl 程序

Python程序

SIP Digest(Cisco VoIP，SER)

Netscape-MTA-MD5加密的密码

Kerberos 认证

X9.9认证环

3)EAP无线的嵌入式认证方法

EAP-MD5

CISCO LEAP

EAP-MSCHAP-V2

EAP-GTC

EAP-SIM

EAP-TLS

EAP-TTLS

EAP-PEAP

4)计费方法

计费数据能被同步记录到不同的数据库。以下的计费记录方法都是FreeRADIUS支持的：

本地’detail’文件

本地’wtmp’和’utmp’文件

代理到其他RADIUS服务器

复制到一台或者多台RADIUS服务器

SQL数据库

Oracle

MySQL

PostgreSQL

Sybase

IBM DB2

任何iODBC或者unixODBC支持的数据库

二、Freeradius安装及配置说明

1、在RedHat as4系统光盘中有freeradius-1.0.1-3.RHEL4.3.i386.rpm软件包：

#rpm -ivh freeradius-1.0.1-3.RHEL4.3.i386.rpm

2、安装mysql数据库

#rpm -ivh mysqlclient10-3.23.58-4.RHEL4.1.i386.rpm

#rpm -ivh mysql-server-4.1.20-1.RHEL4.1.i386.rpm

#rpm -ivh mysql-4.1.20-1.RHEL4.1.i386.rpm

#rpm -ivh mysql-devel-4.1.20-1.RHEL4.1.i386.rpm

3、配置数据库

导入数据库表结构：

在/usr/share/doc/freeradius-1.0.1/中有db_mysql.sql，

#cp db_mysql.sql /root

#vi /root/db_mysql.sql

去掉nas建表脚本中的id 字段定义中，去掉 default '0' 字符。

进入MySQL数据库，创建名称为radius的数据库：

#mysql -u root -p

mysql>create database radius;

mysql>use radius;

mysql>source /root/db_mysql.sql;

至此radius数据库创建，表也创建了。

Freeradius配置：

/etc/raddb/radiusd.conf

Radiusd.conf是freeradius的主要配置文件，包括了下面主要配置内容：

security {

max_attributes = 200 /*允许一个Radius包中包含的属性数量，0表示允许任意数量的属性

reject_delay = 1

/*回复Access-Reject包延时时间(1-5)，0表示马上送Access-Reject包

status_server = no /*是否开启Status-Server请求应答功能

}

thread pool {

start_servers = 5 /*Radius Server启动时运行线程的数量

max_servers = 32 /*运行时最大允许启动线程的数量

min_spare_servers = 3 /*备用Server最低阀值

max_spare_servers = 10 /*备用Server最高阀值

max_requests_per_server = 0 /*每个线程处理的最大请求数，达到该请求数后，

/*该线程会退出，0表示不退出

}

authorize {

Preprocess /*预处理模块

Chap /*chap认证处理模块

Mschap /*mschap认证处理模块

Sql /*读取数据库中的用户进行认证

}

/etc/raddb/clients.conf

下面配置是以本机作为NAS，进行配置。

client 127.0.0.1 {

secret = testing123 /*NAS与Freeradius之间通讯的密钥。

shortname = localhost /*NAS名称

nastype =

other /*NAS类型

}

/etc/raddb/sql.conf

sql {

driver = "rlm_sql_mysql" /*使用的数据库类型，当前表示MySQL

server = "127.0.0.1" /*数据库服务器地址

password = "" /*连接数据库的密码

radius_db = "radius" /*数据库名称

acct_table1 = "radacct" /*计费开始时写记录到此表

acct_table2 = "radacct" /*计费结束时写记录到此表

num_sql_socks = 5 /*启动数据库连接数量

}

三、Freeradius使用举例

在数据库中添加用户test，密码,123456，通过freeradius对该用户进行认证。

#mysql -u root -p

mysql>Insert into radcheck

(username,attribute,op,value) values

('test','User-Password','==','123456');

mysql>quit

使用下面指令启动freeradius server

# radiusd –xx (-xx表示启动debug模式)(在service radiusd stop下，可以使用)

服务器显示：

[root@as4 raddb]# radiusd -xx

Starting - reading configuration files ...

reread_config: reading radiusd.conf

Config: including file:

/etc/raddb/proxy.conf

Config: including file:

/etc/raddb/clients.conf

Config: including file:

/etc/raddb/snmp.conf

Config: including file:

/etc/raddb/eap.conf

Config: including file:

/etc/raddb/sql.conf

main: prefix = "/usr"

main: localstatedir = "/var"

main: logdir = "/var/log/radius"

main: libdir = "/usr/lib"

main: radacctdir =

"/var/log/radius/radacct"

main: hostname_lookups = no

main: max_request_time = 30

main: cleanup_delay = 5

main: max_requests = 1024

main: delete_blocked_requests = 0

main: port = 0

main: allow_core_dumps = no

main: log_stripped_names = no

main: log_file =

"/var/log/radius/radius.log"

main: log_auth = no

main: log_auth_badpass = no

main: log_auth_goodpass = no

main: pidfile =

"/var/run/radiusd/radiusd.pid"

main: user = "radiusd"

main: group = "radiusd"

main: usercollide = no

main: lower_user = "no"

main: lower_pass = "no"

main: nospace_user = "no"

main: nospace_pass = "no"

main: checkrad = "/usr/sbin/checkrad"

main: proxy_requests = yes

proxy: retry_delay = 5

proxy: retry_count = 3

proxy: synchronous = no

proxy: default_fallback = yes

proxy: dead_time = 120

proxy: post_proxy_authorize = yes

proxy: wake_all_if_all_dead = no

security: max_attributes = 200

security: reject_delay = 1

security: status_server = no

main: debug_level = 0

read_config_files: reading dictionary

read_config_files: reading naslist

Using deprecated naslist file. Support for this

will go away soon.

read_config_files: reading clients

read_config_files: reading realms

radiusd: entering modules setup

Module: Library search path is /usr/lib

Module: Loaded exec

exec: wait = yes

exec: program = "(null)"

exec: input_pairs = "request"

exec: output_pairs = "(null)"

exec: packet_type = "(null)"

rlm_exec: Wait=yes but no output defined. Did you mean

output=none?

Module: Instantiated exec (exec)

Module: Loaded expr

Module: Instantiated expr (expr)

Module: Loaded PAP

pap: encryption_scheme = "crypt"

Module: Instantiated pap (pap)

Module: Loaded CHAP

Module: Instantiated chap (chap)

Module: Loaded MS-CHAP

mschap: use_mppe = yes

mschap: require_encryption = no

mschap: require_strong = no

mschap: with_ntdomain_hack = no

mschap: passwd = "(null)"

mschap: authtype = "MS-CHAP"

mschap: ntlm_auth = "(null)"

Module: Instantiated mschap (mschap)

Module: Loaded System

unix: cache = no

unix: passwd = "(null)"

unix: shadow = "/etc/shadow"

unix: group = "(null)"

unix: radwtmp = "/var/log/radius/radwtmp"

unix: usegroup = no

unix: cache_reload = 600

Module: Instantiated unix (unix)

Module: Loaded eap

eap: default_eap_type = "md5"

eap: timer_expire = 60

eap: ignore_unknown_eap_types = no

eap: cisco_accounting_username_bug = no

rlm_eap: Loaded and initialized type md5

rlm_eap: Loaded and initialized type leap

gtc: challenge = "Password: "

gtc: auth_type = "PAP"

rlm_eap: Loaded and initialized type gtc

mschapv2: with_ntdomain_hack = no

rlm_eap: Loaded and initialized type mschapv2

Module: Instantiated eap (eap)

Module: Loaded preprocess

preprocess: huntgroups =

"/etc/raddb/huntgroups"

preprocess: hints = "/etc/raddb/hints"

preprocess: with_ascend_hack = no

preprocess: ascend_channels_per_line = 23

preprocess: with_ntdomain_hack = no

preprocess: with_specialix_jetstream_hack =

preprocess: with_cisco_vsa_hack = no

Module: Instantiated preprocess (preprocess)

Module: Loaded realm

realm: format = "suffix"

realm: delimiter = "@"

realm: ignore_default = no

realm: ignore_null = no

Module: Instantiated realm (suffix)

Module: Loaded files

files: usersfile = "/etc/raddb/users"

files: acctusersfile =

"/etc/raddb/acct_users"

files: preproxy_usersfile =

"/etc/raddb/preproxy_users"

files: compat = "no"

Module: Instantiated files (files)

Module: Loaded Acct-Unique-Session-Id

acct_unique: key = "User-Name, Acct-Session-Id,

NAS-IP-Address, Client-IP-Address, NAS-Port"

Module: Instantiated acct_unique (acct_unique)

Module: Loaded detail

detail: detailfile =

"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"

detail: detailperm = 384

detail: dirperm = 493

detail: locking = no

Module: Instantiated detail (detail)

Module: Loaded radutmp

radutmp: filename =

"/var/log/radius/radutmp"

radutmp: username = "%{User-Name}"

radutmp: case_sensitive = yes

radutmp: check_with_nas = yes

radutmp: perm = 384

radutmp: callerid = yes

Module: Instantiated radutmp (radutmp)

Initializing the thread pool...

thread: start_servers = 5

thread: max_servers = 32

thread: min_spare_servers = 3

thread: max_spare_servers = 10

thread: max_requests_per_server = 0

thread: cleanup_delay = 5

Thread spawned new child 1. Total threads in pool: 1

Thread spawned new child 2. Total threads in pool: 2

Thread spawned new child 3. Total threads in pool: 3

Thread spawned new child 4. Total threads in pool: 4

Thread spawned new child 5. Total threads in pool: 5

Thread pool initialized

Listening on authentication *:1812

Listening on accounting *:1813

Listening on proxy *:1814

Ready to process requests.

Thread 1 waiting to be assigned a request

Thread 2 waiting to be assigned a request

Thread 3 waiting to be assigned a request

Thread 4 waiting to be assigned a request

Thread 5 waiting to be assigned a request

使用freeradius自带客户端测试程序radtest作为客户端进行测试

# radtest test 123456 localhost 0 testing123

客户端信息：

[root@as4 ~]# radtest test 123456 localhost 0 testing123

Sending Access-Request of id 155 to 127.0.0.1:1812

User-Name = "test"

User-Password = "123456"

NAS-IP-Address = as4

NAS-Port = 0

Re-sending Access-Request of id 155 to 127.0.0.1:1812

User-Name = "test"

User-Password =

"\236\324\021\360\375\031>\260f\330\347/\206Y\304\260"

NAS-IP-Address = as4

NAS-Port = 0

rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=155,

length=20

服务器端信息：

rad_recv: Access-Request packet from host 127.0.0.1:32771,

id=155, length=56

--- Walking the entire request list ---

Waking up in 31 seconds...

Threads: total/active/spare threads = 5/0/5

Thread 1 got semaphore

Thread 1 handling request 0, (1 handled so far)

User-Name = "test"

User-Password = "123456"

NAS-IP-Address = 255.255.255.255

NAS-Port = 0

Processing the authorize section of

radiusd.conf

modcall: entering group authorize for request 0

modcall[authorize]: module "preprocess" returns

ok for request 0

modcall[authorize]: module "chap" returns noop

for request 0

modcall[authorize]: module "mschap" returns noop

for request 0

rlm_realm:

No '@' in User-Name = "test", looking up

realm NULL

rlm_realm:

No such realm "NULL"

modcall[authorize]: module "suffix" returns noop

for request 0

rlm_eap: No EAP-Message, not doing EAP

modcall[authorize]: module "eap" returns noop

for request 0

users:

Matched DEFAULT at 152

modcall[authorize]: module "files" returns ok

for request 0

modcall: group authorize returns ok for request 0

rad_check_password: Found

Auth-Type System

auth: type "System"

Processing the authenticate section of

radiusd.conf

modcall: entering group authenticate for request 0

modcall[authenticate]: module "unix" returns

notfound for request 0

modcall: group authenticate returns notfound for request 0

auth: Failed to validate the user.

Delaying request 0 for 1 seconds

Finished request 0

Going to the next request

Thread 1 waiting to be assigned a request

rad_recv: Access-Request packet from host 127.0.0.1:32771, id=155,

length=56

Sending Access-Reject of id 155 to 127.0.0.1:32771

--- Walking the entire request list ---

Waking up in 3 seconds...

--- Walking the entire request list ---

Cleaning up request 0 ID 155 with timestamp 4b0312b9

Nothing to do. Sleeping until we see a

request.

四、radius+mysql+cisco路由器登陆

1、按照上文安装

radius

mysql

配置数据库，添加用户。

2、配置/etc/raddb/clients.conf，添加如下内容：

client 192.168.0.190

{ /*也可以是192.168.0.0/24配置一个网段

secret =

cisco /*NAS与Freeradius之间通讯的密钥。

shortname =

wangfb /*NAS名称，日志上能看到，可以随便取

nastype =

cisco /*NAS类型，各种类型，在clients.conf文件里有描述

}

3、配置/etc/raddb/sql.conf，修改以下内容：

sql {

server="localhost" /*数据库服务器地址

password="rootpass" /*连接数据库的密码，此处要修改

radius_db="radius" /*数据库名称

}

4、配置/etc/raddb/radius.conf，

authorize

{ Preprocess /*预处理模块

# Chap /*chap认证处理模块

# Mschap /*mschap认证处理模块

Sql /*读取数据库中的用户进行认证

}

当去掉sql前的#号，启动radiusd -x时，报以下错误：

rlm_sql (sql): Could not link driver rlm_sql_mysql:

rlm_sql_mysql.so: cannot open shared object file: No such file or