英文原文:
Populating MySQL
You should now created some dummy data in the database to test against. It goes something like this:
In usergroup, put entries matching a user account name to a group name.
In radcheck, put an entry for each user account name with a 'Password' attribute with a value of their password.
In radreply, create entries for each user-specific radius reply attribute against their username
In radgroupreply, create attributes to be returned to all group members
Here's a dump of tables from the 'radius' database from mysql on my test box (edited slightly for clarity). This example includes three users, one with a dynamically assigned IP by the NAS (fredf), one assigned a static IP (barney), and one representing a dial-up routed connection (dialrouter):
mysql> select * from usergroup;
+----+---------------+-----------+
| id | UserName | GroupName |
+----+---------------+-----------+
| 1 | fredf | dynamic |
| 2 | barney | static |
| 2 | dialrouter | netdial |
+----+---------------+-----------+
3 rows in set (0.00 sec)
mysql> select * from radcheck;
+----+----------------+----------------+------------------+------+
| id | UserName | Attribute | Value | Op |
+----+----------------+----------------+------------------+------+
| 1 | fredf | Password | wilma | == |
| 2 | barney | Password | betty | == |
| 2 | dialrouter | Password | dialup | == |
+----+----------------+----------------+------------------+------+
3 rows in set (0.02 sec)
mysql> select * from radgroupcheck;
+----+------------+-------------------+---------------------+------+
| id | GroupName | Attribute | Value | Op |
+----+------------+-------------------+---------------------+------+
| 1 | dynamic | Auth-Type | Local | := |
| 2 | static | Auth-Type | Local | := |
| 3 | netdial | Auth-Type | Local | := |
+----+------------+-------------------+---------------------+------+
3 rows in set (0.01 sec)
mysql> select * from radreply;
+----+------------+-------------------+---------------------------------+------+
| id | UserName | Attribute | Value | Op |
+----+------------+-------------------+---------------------------------+------+
| 1 | barney | Framed-IP-Address | 1.2.3.4 | := |
| 2 | dialrouter | Framed-IP-Address | 2.3.4.1 | := |
| 3 | dialrouter | Framed-IP-Netmask | 255.255.255.255 | := |
| 4 | dialrouter | Framed-Routing | Broadcast-Listen | := |
| 5 | dialrouter | Framed-Route | 2.3.4.0 255.255.255.248 | := |
| 6 | dialrouter | Idle-Timeout | 900 | := |
+----+------------+-------------------+---------------------------------+------+
6 rows in set (0.01 sec)
mysql> select * from radgroupreply;
+----+-----------+--------------------+---------------------+------+
| id | GroupName | Attribute | Value | Op |
+----+-----------+--------------------+---------------------+------+
| 34 | dynamic | Framed-Compression | Van-Jacobsen-TCP-IP | := |
| 33 | dynamic | Framed-Protocol | PPP | := |
| 32 | dynamic | Service-Type | Framed-User | := |
| 35 | dynamic | Framed-MTU | 1500 | := |
| 37 | static | Framed-Protocol | PPP | := |
| 38 | static | Service-Type | Framed-User | := |
| 39 | static | Framed-Compression | Van-Jacobsen-TCP-IP | := |
| 41 | netdial | Service-Type | Framed-User | := |
| 42 | netdial | Framed-Protocol | PPP | := |
+----+-----------+--------------------+---------------------+------+
12 rows in set (0.01 sec)
mysql>
In this example, 'barney' (who is a single user dialup) only needs an attribute for IP address in radreply so he gets his static IP - he does not need any other attributes here as all the others get picked up from the 'static' group entries in radgroupreply.
'fred' needs no entries in radreply as he is dynamically assigned an IP via the NAS - so he'll just get the 'dynamic' group entries from radgroupreply ONLY.
'dialrouter' is a dial-up router, so as well as needing a static IP it needs route and mask attributes (etc) to be returned. Hence the additional entries.
'dialrouter' also has an idle-timeout attribute so the router gets kicked if it's not doing anything - you could add this for other users too if you wanted to. Of course, if you feel like or need to add any other attributes, that's kind of up to you!
Note the operator ('op') values used in the various tables. The password check attribute should use ==. Most return attributes should have a := operator, although if you're returning multiple attributes of the same type (e.g. multiple Cisco- AVpair's) you should use the += operator instead otherwise only the first one will be returned. Read the docs for more details on operators.
If you're stripping all domain name elements from usernames via realms, remember NOT to include the domain name elements in the usernames you put in the MySQL tables - they should get stripped BEFORE the database is checked, so name@domain will NEVER match if you're realm stripping (assuming you follow point 2 above) – you should just have 'name' as a user in the database. Once it's working without, and if you want more complex realm handling, go back to work out not stripping (and keeping name@domain in the db) if you really want to.
Using FreeRadius and MySQL
Fire up radiusd again in debug mode. The debug output should show it connecting to the MySQL database. Use radtest (or NTradPing) to test again - the user should authenticate and the debug output should show FreeRadius talking to MySQL.
You're done!
译文:填充Mysql
你现在应该已经在数据库里创建了一些用于测试的数据了,它现在看起来应该是这样:
在uesrgroup中,有一个与用户帐号匹配的名字是group的名字的条目。
在radcheck中,有一个所有具有"password"属性的用户帐号名的密码的条目。
在radreply中,为每个具有密码属性的用户名以他们的密码创建一个条目。
在radgroupreply中,创建需要被所有组成员返回的属性。
这里有一个从我的测试工具箱(为了编辑的简便和清晰)里的"radius"数据库的存储表。这个例子包含了三个用户,一个是由NAS(fredf)动态分配IP,一个是被静态指定的IP(barney),还有一个是通过拨号路由连接的(dialrouter)。
mysql> select * from usergroup;
+----+---------------+-----------+
| id | UserName | GroupName |
+----+---------------+-----------+
| 1 | fredf | dynamic |
| 2 | barney | static |
| 2 | dialrouter | netdial |
+----+---------------+-----------+
3 rows in set (0.00 sec)
mysql> select * from radcheck;
+----+----------------+----------------+------------------+------+
| id | UserName | Attribute | Value | Op |
+----+----------------+----------------+------------------+------+
| 1 | fredf | Password | wilma | == |
| 2 | barney | Password | betty | == |
| 2 | dialrouter | Password | dialup | == |
+----+----------------+----------------+------------------+------+
3 rows in set (0.02 sec)
mysql> select * from radgroupcheck;
+----+------------+-------------------+---------------------+------+
| id | GroupName | Attribute | Value | Op |
+----+------------+-------------------+---------------------+------+
| 1 | dynamic | Auth-Type | Local | := |
| 2 | static | Auth-Type | Local | := |
| 3 | netdial | Auth-Type | Local | := |
+----+------------+-------------------+---------------------+------+
3 rows in set (0.01 sec)
mysql> select * from radreply;
+----+------------+-------------------+---------------------------------+------+
| id | UserName | Attribute | Value | Op |
+----+------------+-------------------+---------------------------------+------+
| 1 | barney | Framed-IP-Address | 1.2.3.4| := |
| 2 | dialrouter | Framed-IP-Address | 2.3.4.1| := |
| 3 | dialrouter | Framed-IP-Netmask | 255.255.255.255| := |
| 4 | dialrouter | Framed-Routing | Broadcast-Listen | := |
| 5 | dialrouter | Framed-Route | 2.3.4.0 255.255.255.248 | := |
| 6 | dialrouter | Idle-Timeout | 900 | := |
+----+------------+-------------------+---------------------------------+------+
6 rows in set (0.01 sec)
mysql> select * from radgroupreply;
+----+-----------+--------------------+---------------------+------+
| id | GroupName | Attribute | Value | Op |
+----+-----------+--------------------+---------------------+------+
| 34 | dynamic | Framed-Compression | Van-Jacobsen-TCP-IP | := |
| 33 | dynamic | Framed-Protocol | PPP | := |
| 32 | dynamic | Service-Type | Framed-User | := |
| 35 | dynamic | Framed-MTU | 1500 | := |
| 37 | static | Framed-Protocol | PPP | := |
| 38 | static | Service-Type | Framed-User | := |
| 39 | static | Framed-Compression | Van-Jacobsen-TCP-IP | := |
| 41 | netdial | Service-Type | Framed-User | := |
| 42 | netdial | Framed-Protocol | PPP | := |
+----+-----------+--------------------+---------------------+------+
12 rows in set (0.01 sec)
mysql>
在这个例子中,"barney"(单个拨号用户)在redreply中仅仅需要被分配一个IP地址,因此他获得了一个静态IP-在这儿他不需要获得其他任何的分配了,因为其他所有的都通过radgroupreply中的'static'组条目来获得。
'fred'不需要任何的radgroup条目因为他是有NAS动态分配IP的-因此他只需要通过radgroupreply的'dyanmic'组入口获得就行了。
'dialrouter'是一个拨号路由器,因此他也需要一个静态IP,他需要返回路由和掩码属性,因此他需要其他的条目。
'dialrouter'也有一个超时属性,因此如果该路由器无响应的话它会被剔除掉,如果你愿意的话你也可以为其他用户也加上这个属性。当然,如果你喜欢或需要添加其他的属性,这完全取决于你。
需要注意的是操作符('op')这个值也被用在了变量表里面。密码检查属性应该使用=.大多数的返回变量都应该具有:=这个操作符,如果你要返回同种类型的多个属性(比如说多个cisco-AVpair),你应该使用+=操作符而不是其他仅仅用于返回第一个属性的任何操作符。你可以阅读文档来获取更多关于操作符的细节知识。
如果你通过域去掉了所有的用户名的域名元素,记得当你在Mysql表中输入用户名的时候不要包含域名—他们应该在检查数据库之前被去掉,因此如果你去掉了域名的话(假设你按照上面两条做了),name@domain将永远不会被匹配。你应该用'name'作为数据库里的用户。如果你不想这样做,或者你想使用复杂的域,那么返回并且不要去掉域名(并且保持name@domain在数据库里),前提是真的想这么做。
使用FreeRadius和MySQL
再一次让radiusd运行在debug模式。debug的输出可以显示它连接到MySQL。使用radtest(或者NTradPing)来再测一次-这个用户应该通过认证并且debug会显示出FreeRadius和MySQL的会话。
你完成了!
185
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
