RADIUS is a client/server protocol. Its clients were originally NAS (Network Access Server) devices; today any computer running RADIUS client software can act as a RADIUS client. The protocol's authentication mechanism is flexible and can use PAP, CHAP, Unix login authentication and other methods.
RADIUS is an extensible protocol: all of its work is carried out on Attribute-Length-Value vectors, and vendors can add their own vendor-specific attributes. Because the protocol is simple, clear and extensible it has been widely adopted, including for ordinary dial-up Internet access, ADSL, residential broadband, IP telephony, VPDN (Virtual Private Dialup Networks, a virtual private dial-up network service for dial-up users) and mobile prepaid services. More recently the IEEE proposed the 802.1x standard, a port-based standard for access authentication on wireless networks, which also uses RADIUS for authentication.
1. System environment: CentOS 6
2. Software: freeradius-2.1.10-5.el6.i686, mysql-5.1.61-1.el6_2.1.i686, php-5.3.3-3.el6_2.8.i686, freeradius-dialupadmin-2.1.1-2.fc10.i386, httpd-2.2.15-15.el6.centos.1.i686
3. Install the software
[root@localhost ~]# yum -y install httpd mysql mysql-devel mysql-server php freeradius freeradius-mysql \
    httpd-devel php-devel php-gd php-mbstring php-mysql php-xml freeradius-dialupadmin \
    perl-DateManip php-pgsql php-ldap
4. Enable the services at boot (the FreeRADIUS service is named radiusd)
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# chkconfig radiusd on
5. Configure radiusd.conf as follows:
[root@localhost ~]# cd /etc/raddb/    # this is where the configuration files live
[root@localhost raddb]# ls
acct_users                 clients.conf.1  policy.conf      sql
attrs                      dictionary      policy.txt       sql.conf
attrs.access_challenge     eap.conf        preproxy_users   sql.conf.1
attrs.access_reject        example.pl      proxy.conf       sqlippool.conf
attrs.accounting_response  hints           radiusd.conf     templates.conf
attrs.pre-proxy            huntgroups      radiusd.conf.1   users
certs                      ldap.attrmap    sites-available  users.1
clients.conf               modules         sites-enabled
The entries that matter here:
radiusd.conf: the main configuration file
clients.conf: the client (NAS) configuration file
sql.conf: the SQL module configuration file
sql: directory containing the .sql database files, which need to be imported into the database
6. The main configuration file, radiusd.conf:
[root@localhost raddb]# cat radiusd.conf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
$INCLUDE sql.conf    # added by me
7. The SQL module configuration file, sql.conf:
[root@localhost raddb]# cat sql.conf
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "root"          # database user name changed to root
password = "123456"     # password 123456
radius_db = "radius"    # the database is named radius
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
lifetime = 0
max_queries = 0
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
}
8. The client configuration file, clients.conf:
[root@localhost raddb]# cat clients.conf
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
}
client 192.168.40.39 {
secret = testing123
shortname = test
nastype = other
}
Replace these with the values for your NAS:
192.168.40.39 is the NAS address
secret = testing123 is the shared secret
shortname = test can be anything
nastype = other is the type of your NAS device
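The shared secret above is the only key material between the NAS and FreeRADIUS, so it is worth seeing what it actually protects. The following Python is an added example, not code from this post or from FreeRADIUS: it builds an Access-Request for the test account with the User-Password hidden as RFC 2865 prescribes, adds and checks the Message-Authenticator that require_message_authenticator = yes would enforce, and verifies the Response Authenticator on a constructed Access-Accept. It assumes the secret testing123 from clients.conf; the request authenticator is a fixed constant so the run is repeatable, and both packets are constructed here rather than captured.

```python
import hashlib
import hmac
import struct
SECRET = b"testing123"       # NAS shared secret from the clients.conf above
REQ_AUTH = bytes(range(16))  # constructed constant; a real client draws 16 fresh random bytes per request

def pap_xform(data, secret, req_auth, hide):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hide else data[i:i + 16]
    return out

def hide_password(pw, secret, req_auth):  # client side: pad with NULs to a 16-byte multiple
    return pap_xform(pw + b"\x00" * (-len(pw) % 16), secret, req_auth, True)
def reveal_password(hidden, secret, req_auth):  # server side: undo the XOR, strip the padding
    return pap_xform(hidden, secret, req_auth, False).rstrip(b"\x00")

def attr(type_, value):  # one Type-Length-Value attribute; Length includes its 2-byte header
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(user, pw, secret, req_auth, ident=1):
    # Access-Request (code 1): User-Name(1), User-Password(2), NAS-Port(5), Message-Authenticator(80)
    attrs = attr(1, user) + attr(2, hide_password(pw, secret, req_auth)) + attr(5, struct.pack("!I", 0))
    attrs += attr(80, b"\x00" * 16)  # placeholder; the HMAC is computed over the whole packet last
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    # The check that require_message_authenticator = yes turns on: HMAC-MD5 with attribute 80 zeroed
    pos = 20
    while pos + 2 <= len(pkt):
        type_, length = pkt[pos], pkt[pos + 1]
        if type_ == 80 and length == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[pos + 2:pos + 18])
        pos += max(length, 2)
    return False  # attribute missing: the request cannot be authenticated

def build_access_accept(req_auth, ident, secret, attrs=b""):
    # Server reply (code 2); Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    hdr = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def verify_response(resp, req_auth, secret):
    # Client-side check: a reply forged without the secret, or answering another request, fails here
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```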
9. Configure httpd.conf (/etc/httpd/conf/httpd.conf)
Make two additions to the file. Add index.php to the DirectoryIndex line:
DirectoryIndex index.html index.php index.html.var
and add the PHP handler types:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php .html
Edit Apache's radius.conf:
# vi /etc/httpd/conf.d/radius.conf
<Directory /usr/share/dialup_admin/htdocs/>
Options None
order deny,allow
deny from all
allow from 127.0.0.1 192.168.40.39
</Directory>
On the allow from line, add the IP addresses that are allowed to reach freeradius-dialupadmin, separated by spaces.
Edit Apache's php.conf:
# vi /etc/httpd/conf.d/php.conf
Append at the end:
AddType application/x-httpd-php .php .php3
10. Configure the main dialup_admin configuration file, admin.conf
[root@localhost raddb]# cd /usr/share/dialup_admin/
[root@localhost dialup_admin]# ls
bin  Changelog  conf  doc  htdocs  html  lib  Makefile  README  sql
[root@localhost dialup_admin]# cd conf
[root@localhost conf]# ls
accounting.attrs  auth.request        naslist.conf    user_edit.attrs
admin.conf        captions.conf       naslist.conf.1  username.mappings
admin.conf.1      config.php3         naslist.conf.2
admin.conf.2      default.vals        sql.attrmap
admin.conf.3      extra.ldap-attrmap  sql.attrs
admin.conf is the main configuration file; admin.conf.1 is backup copy 1.
11. The main configuration file admin.conf reads as follows:
[root@localhost conf]# cat admin.conf
general_prefered_lang: en
general_prefered_lang_name: English
general_charset: iso-8859-1
general_base_dir: /usr/share/dialup_admin
general_radiusd_base_dir: /usr
general_domain: company.com
general_use_session: no
general_most_recent_fl: 30
general_realm_delimiter: @
general_realm_format: suffix
general_show_user_password: yes
general_raddb_dir: /etc/raddb
general_ldap_attrmap: /etc/raddb/ldap.attrmap
general_clients_conf: /etc/raddb/clients.conf
general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs
general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
general_username_mappings_file: %{general_base_dir}/conf/username.mappings
general_lib_type: mysql
general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
general_default_file: %{general_base_dir}/conf/default.vals
general_finger_type: snmp
general_nas_type: cisco
general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
general_sessionclear_bin: %{general_base_dir}/bin/clearsession
general_sessionclear_method: snmp
general_radclient_bin: /usr/bin/radclient
general_test_account_login: test
general_test_account_password: test
general_radius_server: localhost
general_radius_server_port: 1812
general_radius_server_auth_proto: chap
general_radius_server_secret: testing123
general_auth_request_file: %{general_base_dir}/conf/auth.request
general_encryption_method: clear
general_accounting_info_order: desc
general_stats_use_totacct: no
general_restrict_badusers_access: no
general_restrict_nasadmin_access: no
INCLUDE: %{general_base_dir}/conf/naslist.conf
INCLUDE: %{general_base_dir}/conf/captions.conf
ldap_server: ldap.%{general_domain}
ldap_base: dc=company,dc=com
ldap_binddn: cn=Directory Manager
ldap_bindpw: XXXXXXX
ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
ldap_default_dn: uid=default-dialup,%{ldap_base}
ldap_regular_profile_attr: dialupregularprofile
sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: root
sql_password: 123456
sql_database: radius
sql_accounting_table: radacct
#sql_badusers_table: badusers
sql_check_table: radcheck
sql_reply_table: radreply
#sql_user_info_table: userinfo
sql_groupcheck_table: radgroupcheck
sql_groupreply_table: radgroupreply
#sql_usergroup_table: radusergroup
sql_total_accounting_table: totacct
sql_nas_table: nas
sql_show_all_groups: true
sql_command: /usr/bin/mysql
general_snmp_type: net
general_snmpwalk_command: /usr/local/bin/snmpwalk
general_snmpget_command: /usr/local/bin/snmpget
#sql_debug: true
#sql_use_user_info_table: true
#sql_use_operators: true
sql_password_attribute: User-Password
sql_date_format: Y-m-d
sql_full_date_format: Y-m-d H:i:s
sql_row_limit: 40
sql_connect_timeout: 3
counter_default_daily: none
counter_default_weekly: none
counter_default_monthly: none
Configuration file two, naslist.conf:
[root@localhost conf]# cat naslist.conf
nas1_name: nas1.%{general_domain}
nas1_model: Computer
nas1_ip: 192.168.40.39
nas1_port_num: 16
nas1_community: public
nas1_model: Computer is the NAS type
nas1_ip: 192.168.40.39 is the NAS IP address
Several NASes can be added; just change the nas number in the key names.
Configuration file three, captions.conf:
[root@localhost conf]# cat captions.conf
general_caption_finger_free_lines: free lines
12. Configure MySQL and create the radius database
[root@localhost conf]# service mysqld start    # start the mysqld service
There are two ways to set the password root uses to connect to MySQL. The first is from the shell:
[root@localhost conf]# mysqladmin -u root password "your password"
The second is from within the mysql client, switching to the mysql database:
mysql> use mysql
and changing the root password:
mysql> update user set password=password("123456") where user="root";
mysql> flush privileges;
[root@localhost conf]# mysql -uroot -p123456 -e "create database radius;"    # create the radius database
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| radius             |
| test               |
+--------------------+
4 rows in set (0.00 sec)
[root@localhost mysql]# pwd
/etc/raddb/sql/mysql
[root@localhost mysql]# ls    # every .sql file here is imported into the radius database
admin.sql     cui.conf  dialup.conf  ippool.sql  schema.sql  wimax.sql
counter.conf  cui.sql   ippool.conf  nas.sql     wimax.conf
To import them into the database, switch to the radius database (the table list is still empty at this point):
mysql> use radius;
Database changed
mysql> show tables;
Empty set (0.00 sec)
Then load each file with source:
mysql> source /etc/raddb/sql/mysql/admin.sql
mysql> source /etc/raddb/sql/mysql/cui.sql
mysql> source /etc/raddb/sql/mysql/ippool.sql
mysql> source /etc/raddb/sql/mysql/nas.sql
mysql> source /etc/raddb/sql/mysql/schema.sql
mysql> source /etc/raddb/sql/mysql/wimax.sql
Alternatively, feed each file to the client from the shell, e.g. [root@localhost mysql]# mysql -uroot -p radius < /etc/raddb/sql/mysql/admin.sql (the remaining files are done the same way).
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radippool        |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
9 rows in set (0.00 sec)
mysql> desc radusergroup;
+-----------+-------------+------+-----+---------+-------+
| Field     | Type        | Null | Key | Default | Extra |
+-----------+-------------+------+-----+---------+-------+
| username  | varchar(64) | NO   | MUL |         |       |
| groupname | varchar(64) | NO   |     |         |       |
| priority  | int(11)     | NO   |     | 1       |       |
+-----------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)
Structure of the nas table:
mysql> desc nas;
+-------------+--------------+------+-----+---------------+----------------+
| Field       | Type         | Null | Key | Default       | Extra          |
+-------------+--------------+------+-----+---------------+----------------+
| id          | int(10)      | NO   | PRI | NULL          | auto_increment |
| nasname     | varchar(128) | NO   | MUL | NULL          |                |
| shortname   | varchar(32)  | YES  |     | NULL          |                |
| type        | varchar(30)  | YES  |     | other         |                |
| ports       | int(5)       | YES  |     | NULL          |                |
| secret      | varchar(60)  | NO   |     | secret        |                |
| server      | varchar(64)  | YES  |     | NULL          |                |
| community   | varchar(50)  | YES  |     | NULL          |                |
| description | varchar(200) | YES  |     | RADIUS Client |                |
+-------------+--------------+------+-----+---------------+----------------+
9 rows in set (0.00 sec)
Next, create the radius user:
[root@localhost conf]# useradd radius
Switch to the mysql database:
mysql> use mysql
Change the radius password:
mysql> update user set password=password("radius") where user="radius";
mysql> flush privileges;
Create the radius database user:
mysql> grant all privileges on radius.* to radius@localhost identified by "radius";
mysql> flush privileges;
mysql> exit
Note that if you set the password column to the plain text instead of password(...), you will not like the result: the server compares the hashed value, so the connection is bound to fail. The flush privileges; command reloads the grant tables; from the shell you can do the same with mysqladmin -u root reload or mysqladmin -u root flush-privileges. Within the MySQL client you can set a password with either of the following statements:
1. insert into user(host,user,password) values('%','user_name',password("your password"));
2. set password for user_name = password("your password");
Both methods require the grant tables to be reloaded afterwards.
3. You can also set the password when creating the user; the grant statement hashes the password for you, for example:
grant all on *.* to user_name@'%' identified by "your password";
You can also set a password from the shell with the mysqladmin program, for example:
mysqladmin -u root password "your password"
13. Start the Apache service
[root@localhost conf]# service httpd start
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Set up test.php:
[root@localhost mysql]# cat /var/www/html/test.php
<?php
phpinfo();
?>
14. Finally, open http://ip/test.php in the client's IE browser; if the PHP information page appears, everything is working. To enter freeradius-dialupadmin, go to http://ip/radius/.
This article is from the blog "有志者事竟成!"; please keep this attribution: http://zh888.blog.51cto.com/1684752/861742