RADIUS是一种C/S结构的协议,它的客户端最初就是NAS(Net Access Server)服务器,现在任何运行RADIUS客户端软件的计算机都可以成为RADIUS的客户端。RADIUS协议认证机制灵活,可以采用PAPCHAP或者Unix登录认证等多种方式.
RADIUS是一种可扩展的协议,它进行的全部工作都是基于Attribute-Length-Value的向量进行的。RADIUS也支持厂商扩充厂家专有属性.由于RADIUS协议简单明确,可扩充,因此得到了广泛应用,包括普通电话上网、ADSL上网、小区宽带上网、IP电话、VPDN(Virtual Private Dialup Networks,基于拨号用户的虚拟专用拨号网业务)、移动电话预付费等业务。最近IEEE提出了802.1x标准,这是一种基于端口的标准,用于对无线网络的接入认证,在认证时也采用RADIUS协议。
1.系统环境centos6
2.软件freeradius-2.1.10-5.el6.i686,mysql-5.1.61-1.el6_2.1.i686 php-5.3.3-3.el6_2.8.i686,freeradius-dialupadmin-2.1.1-2.fc10.i386,httpd-2.2.15-15.el6.centos.1.i686
3.安装软件
[root@localhost ~]# yum -y httpd mysql mysql-devel mysql-server php freeradius freeradius-mysql httpd-devel php-devel php-gd php-mbstring php-mysql php-xml freeradius-
dialupadmin perl-DateManip php-pgsql php-ldap
4.设置开机启动
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# chkconfig radius on
[root@localhost ~]# chkconfig radiusd on
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# chkconfig radius on
[root@localhost ~]# chkconfig radiusd on
5.配置radiusd.conf文件如下:
[root@localhost ~]# cd /etc/raddb/ //这个主要是配置文件所在地
[root@localhost raddb]# ls
acct_users clients.conf.1 policy.conf sql//数据库文件.sql文件所在目录这个需要导入数据库。
attrs dictionary policy.txt sql.conf//sql配置文件
attrs.access_challenge eap.conf preproxy_users sql.conf.1
attrs.access_reject example.pl proxy.conf sqlippool.conf
attrs.accounting_response hints radiusd.conf//主配置文件 templates.conf
attrs.pre-proxy huntgroups radiusd.conf.1 users
certs ldap.attrmap sites-available users.1
clients.conf//客户端配置文件 modules sites-enabled
[root@localhost ~]# cd /etc/raddb/ //这个主要是配置文件所在地
[root@localhost raddb]# ls
acct_users clients.conf.1 policy.conf sql//数据库文件.sql文件所在目录这个需要导入数据库。
attrs dictionary policy.txt sql.conf//sql配置文件
attrs.access_challenge eap.conf preproxy_users sql.conf.1
attrs.access_reject example.pl proxy.conf sqlippool.conf
attrs.accounting_response hints radiusd.conf//主配置文件 templates.conf
attrs.pre-proxy huntgroups radiusd.conf.1 users
certs ldap.attrmap sites-available users.1
clients.conf//客户端配置文件 modules sites-enabled
6.[root@localhost raddb]# cat radiusd.conf//主配置文件
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
extended_expressions = yes
log {
destination = files
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_spare_servers = 10
max_requests_per_server = 0
}
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
exec
expr
expiration
logintime
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
$INCLUDE sql.conf //这个是本人加入的
$INCLUDE sql.conf //这个是本人加入的
7.[root@localhost raddb]# cat sql.conf//查看sql配置文件
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "root"//修改数据用户名为root
password = "123456"//密码为123456
login = "root"//修改数据用户名为root
password = "123456"//密码为123456
radius_db = "radius"//数据库名字叫radius
acct_table1 = "radacct"
acct_table2 = "radacct"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
lifetime = 0
max_queries = 0
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
}
}
8.[root@localhost raddb]# cat clients.conf//客户端配置文件
client localhost {
ipaddr = 127.0.0.1
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
}
client 192.168.40.39 {
secret =testing123
shortname =test
nastype =other
}
secret =testing123
shortname =test
nastype =other
}
//为你NAS的相应值
192.168.40.39为NAS要地址
secret = testing123为密钥
shortname = test任意
nastype = other为你NAS设备的类型
192.168.40.39为NAS要地址
secret = testing123为密钥
shortname = test任意
nastype = other为你NAS设备的类型
9.配置httpd.conf /etc/httpd/conf/httpd.conf
文件添加两处如下:
DirectoryIndex index.html index.php index.html.var//添加index.php
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php .html
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php .html
修改apache的radius.conf配置文件
# vi /etc/httpd/conf.d/radius.conf
<Directory /usr/share/dialup_admin/htdocs/>
Options None
order deny,allow
deny from all
allow from 127.0.0.1 192.168.40.39
</Directory>
在allow from 处添加你允许访问freeradius-dialupadmin的ip 用空格分开
修改apache的php.conf配置文件
# vi /etc/httpd/conf.d/php.conf
在未尾添加
AddType application/x-httpd-php .php .php3
# vi /etc/httpd/conf.d/radius.conf
<Directory /usr/share/dialup_admin/htdocs/>
Options None
order deny,allow
deny from all
allow from 127.0.0.1 192.168.40.39
</Directory>
在allow from 处添加你允许访问freeradius-dialupadmin的ip 用空格分开
修改apache的php.conf配置文件
# vi /etc/httpd/conf.d/php.conf
在未尾添加
AddType application/x-httpd-php .php .php3
10.配置主配置文件admin.conf文件
[root@localhost raddb]# cd /usr/share/dialup_admin/
[root@localhost dialup_admin]# ls
bin Changelog conf doc htdocs html lib Makefile README sql
[root@localhost conf]# ls
accounting.attrs auth.request naslist.conf user_edit.attrs
admin.conf //主配置 captions.conf naslist.conf.1 username.mappings
admin.conf.1 //为备份1 config.php3 naslist.conf.2
admin.conf.2 default.vals sql.attrmap
admin.conf.3 extra.ldap-attrmap sql.attrs
accounting.attrs auth.request naslist.conf user_edit.attrs
admin.conf //主配置 captions.conf naslist.conf.1 username.mappings
admin.conf.1 //为备份1 config.php3 naslist.conf.2
admin.conf.2 default.vals sql.attrmap
admin.conf.3 extra.ldap-attrmap sql.attrs
11.[root@localhost conf]# cat admin.conf//查看主配置文件如下:
general_prefered_lang: en
general_prefered_lang_name: English
general_charset: iso-8859-1
general_base_dir: /usr/share/dialup_admin
general_radiusd_base_dir: /usr
general_domain: company.com
general_use_session: no
general_most_recent_fl: 30
general_prefered_lang: en
general_prefered_lang_name: English
general_charset: iso-8859-1
general_base_dir: /usr/share/dialup_admin
general_radiusd_base_dir: /usr
general_domain: company.com
general_use_session: no
general_most_recent_fl: 30
general_realm_delimiter: @
general_realm_format: suffix
general_realm_format: suffix
general_show_user_password: yes
general_raddb_dir: /etc/raddb
general_ldap_attrmap: /etc/raddb/ldap.attrmap
general_clients_conf: /etc/raddb/clients.conf
general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs
general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
general_username_mappings_file: %{general_base_dir}/conf/username.mappings
general_lib_type: mysql
general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
general_default_file: %{general_base_dir}/conf/default.vals
general_finger_type: snmp
general_nas_type: cisco
general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
general_sessionclear_bin: %{general_base_dir}/bin/clearsession
general_sessionclear_method: snmp
general_radclient_bin: /usr/bin/radclient
general_test_account_login: test
general_test_account_password: test
general_radius_server: localhost
general_radius_server_port: 1812
general_radius_server_auth_proto: chap
general_radius_server_secret: testing123
general_auth_request_file: %{general_base_dir}/conf/auth.request
general_encryption_method: clear
general_accounting_info_order: desc
general_stats_use_totacct: no
general_restrict_badusers_access: no
general_restrict_nasadmin_access: no
general_ldap_attrmap: /etc/raddb/ldap.attrmap
general_clients_conf: /etc/raddb/clients.conf
general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs
general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
general_username_mappings_file: %{general_base_dir}/conf/username.mappings
general_lib_type: mysql
general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
general_default_file: %{general_base_dir}/conf/default.vals
general_finger_type: snmp
general_nas_type: cisco
general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
general_sessionclear_bin: %{general_base_dir}/bin/clearsession
general_sessionclear_method: snmp
general_radclient_bin: /usr/bin/radclient
general_test_account_login: test
general_test_account_password: test
general_radius_server: localhost
general_radius_server_port: 1812
general_radius_server_auth_proto: chap
general_radius_server_secret: testing123
general_auth_request_file: %{general_base_dir}/conf/auth.request
general_encryption_method: clear
general_accounting_info_order: desc
general_stats_use_totacct: no
general_restrict_badusers_access: no
general_restrict_nasadmin_access: no
INCLUDE: %{general_base_dir}/conf/naslist.conf
INCLUDE: %{general_base_dir}/conf/captions.conf
ldap_server: ldap.%{general_domain}
ldap_base: dc=company,dc=com
ldap_binddn: cn=Directory Manager
ldap_bindpw: XXXXXXX
ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
ldap_default_dn: uid=default-dialup,%{ldap_base}
ldap_regular_profile_attr: dialupregularprofile
ldap_base: dc=company,dc=com
ldap_binddn: cn=Directory Manager
ldap_bindpw: XXXXXXX
ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
ldap_default_dn: uid=default-dialup,%{ldap_base}
ldap_regular_profile_attr: dialupregularprofile
sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: root
sql_password: 123456
sql_database: radius
sql_accounting_table: radacct
#sql_badusers_table: badusers
sql_check_table: radcheck
sql_reply_table: radreply
#sql_user_info_table: userinfo
sql_groupcheck_table: radgroupcheck
sql_groupreply_table: radgroupreply
#sql_usergroup_table: radusergroup
sql_total_accounting_table: totacct
sql_nas_table: nas
sql_show_all_groups: true
sql_command: /usr/bin/mysql
general_snmp_type: net
general_snmpwalk_command: /usr/local/bin/snmpwalk
general_snmpget_command: /usr/local/bin/snmpget
#sql_debug: true
sql_server: localhost
sql_port: 3306
sql_username: root
sql_password: 123456
sql_database: radius
sql_accounting_table: radacct
#sql_badusers_table: badusers
sql_check_table: radcheck
sql_reply_table: radreply
#sql_user_info_table: userinfo
sql_groupcheck_table: radgroupcheck
sql_groupreply_table: radgroupreply
#sql_usergroup_table: radusergroup
sql_total_accounting_table: totacct
sql_nas_table: nas
sql_show_all_groups: true
sql_command: /usr/bin/mysql
general_snmp_type: net
general_snmpwalk_command: /usr/local/bin/snmpwalk
general_snmpget_command: /usr/local/bin/snmpget
#sql_debug: true
#sql_use_user_info_table: true
#sql_use_operators: true
sql_password_attribute: User-Password
sql_date_format: Y-m-d
sql_full_date_format: Y-m-d H:i:s
sql_row_limit: 40
sql_connect_timeout: 3
counter_default_daily: none
counter_default_weekly: none
counter_default_monthly: none
counter_default_weekly: none
counter_default_monthly: none
[root@localhost conf]# cat naslist.conf//配置文件二
nas1_name: nas1.%{general_domain}
nas1_model: Computer
nas1_ip: 192.168.40.39
nas1_port_num: 16
nas1_community: public
//
as1_model: Computer 为nas类型
nas1_ip: 192.168.40.39 为nas ip
nas可添加多个修改nas号则可。
nas1_name: nas1.%{general_domain}
nas1_model: Computer
nas1_ip: 192.168.40.39
nas1_port_num: 16
nas1_community: public
//
as1_model: Computer 为nas类型
nas1_ip: 192.168.40.39 为nas ip
nas可添加多个修改nas号则可。
[root@localhost conf]# cat captions.conf//配置文件三
general_caption_finger_free_lines: free lines
12.配置mysql数据库和创建数据库radius
[root@localhost conf]# service mysqld start//启动mysqld服务
[root@localhost conf]mysqladmin -u root password "your password" //两种方法设置root连接mysql的密码。
使用mysql库
mysql> use mysql
修改root密码
mysql> update user set password=password("123456") where user="root";
mysql> flush privileges;
使用mysql库
mysql> use mysql
修改root密码
mysql> update user set password=password("123456") where user="root";
mysql> flush privileges;
[root@localhost conf]mysql -uroot -p123456 -e "create database radius;" //创建数据库radius
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| radius |
| test |
+--------------------+
4 rows in set (0.00 sec)
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| radius |
| test |
+--------------------+
4 rows in set (0.00 sec)
mysql> use radius;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas |
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radippool |
| radpostauth |
| radreply |
| radusergroup |
+------------------+
9 rows in set (0.01 sec)
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas |
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radippool |
| radpostauth |
| radreply |
| radusergroup |
+------------------+
9 rows in set (0.01 sec)
[root@localhost mysql]# pwd
/etc/raddb/sql/mysql
[root@localhost mysql]# ls//把带.sql的文件全部倒入radius数据中
admin.sql cui.conf dialup.conf ippool.sql schema.sql wimax.sql
counter.conf cui.sql ippool.conf nas.sql wimax.conf
/etc/raddb/sql/mysql
[root@localhost mysql]# ls//把带.sql的文件全部倒入radius数据中
admin.sql cui.conf dialup.conf ippool.sql schema.sql wimax.sql
counter.conf cui.sql ippool.conf nas.sql wimax.conf
倒入数据库的方法为:
mysql> show databases;//查看数据库
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| radius |
| test |
+--------------------+
4 rows in set (0.00 sec)
mysql> show databases;//查看数据库
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| radius |
| test |
+--------------------+
4 rows in set (0.00 sec)
mysql> use radius;//进入数据库radius
Database changed
Database changed
mysql> show tables;//show表为空
Empty set (0.00 sec)
Empty set (0.00 sec)
mysql>source /etc/raddb/sql/mysql/admin.sql //利用source导入数据库
mysql>source /etc/raddb/sql/mysql/cui.sql
mysql>source /etc/raddb/sql/mysql/ippool.sql
mysql>source /etc/raddb/sql/mysql/as.sql
mysql>source /etc/raddb/sql/mysql/schema.sql
mysql>source /etc/raddb/sql/mysql/wimax.sql
还有一种方法就是用[root@localhost mysql]#mysql -uroot -p radius </etc/raddb/sql/mysql/admin.sql//其它省略
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas |
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radippool |
| radpostauth |
| radreply |
| radusergroup |
+------------------+
9 rows in set (0.00 sec)
mysql> desc radusergroup;
+-----------+-------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------+-------------+------+-----+---------+-------+
| username | varchar(64) | NO | MUL | | |
| groupname | varchar(64) | NO | | | |
| priority | int(11) | NO | | 1 | |
+-----------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)
+-----------+-------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------+-------------+------+-----+---------+-------+
| username | varchar(64) | NO | MUL | | |
| groupname | varchar(64) | NO | | | |
| priority | int(11) | NO | | 1 | |
+-----------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)
mysql> desc nas;//显示NAS表的结构
+-------------+--------------+------+-----+---------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------------+----------------+
| id | int(10) | NO | PRI | NULL | auto_increment |
| nasname | varchar(128) | NO | MUL | NULL | |
| shortname | varchar(32) | YES | | NULL | |
| type | varchar(30) | YES | | other | |
| ports | int(5) | YES | | NULL | |
| secret | varchar(60) | NO | | secret | |
| server | varchar(64) | YES | | NULL | |
| community | varchar(50) | YES | | NULL | |
| description | varchar(200) | YES | | RADIUS Client | |
+-------------+--------------+------+-----+---------------+----------------+
9 rows in set (0.00 sec)
接着创建radius用户
[root@localhost conf]#useradd radius
+-------------+--------------+------+-----+---------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------------+----------------+
| id | int(10) | NO | PRI | NULL | auto_increment |
| nasname | varchar(128) | NO | MUL | NULL | |
| shortname | varchar(32) | YES | | NULL | |
| type | varchar(30) | YES | | other | |
| ports | int(5) | YES | | NULL | |
| secret | varchar(60) | NO | | secret | |
| server | varchar(64) | YES | | NULL | |
| community | varchar(50) | YES | | NULL | |
| description | varchar(200) | YES | | RADIUS Client | |
+-------------+--------------+------+-----+---------------+----------------+
9 rows in set (0.00 sec)
接着创建radius用户
[root@localhost conf]#useradd radius
使用mysql库
mysql> use mysql
修改radius密码
mysql> update user set password=password("radius") where user="radius";
mysql> flush privileges;
创建radius数据库用户
mysql> grant all privileges on radius.* to radius@localhost identified by "radius";
mysql> flush privileges;
mysql> exit
//
相信结果不会让你满意.因为服务器比较的是加密的值,所以服务器连接一定失败.这里需要说明的是flush privileges;这条命令起到了重新加载授权表.你也可以在shell下直接用mysqladmin -u root
mysql> use mysql
修改radius密码
mysql> update user set password=password("radius") where user="radius";
mysql> flush privileges;
创建radius数据库用户
mysql> grant all privileges on radius.* to radius@localhost identified by "radius";
mysql> flush privileges;
mysql> exit
//
相信结果不会让你满意.因为服务器比较的是加密的值,所以服务器连接一定失败.这里需要说明的是flush privileges;这条命令起到了重新加载授权表.你也可以在shell下直接用mysqladmin -u root
reload或者mysqladmin -u root flush-privileges来实现重载授权表.在Mysql环境下,你可以使用以下语句进行设置密码:
1.insert into user(host,user,password) values('%','user_name',password("your password");
2.set password for user_name = password("your password")
以上两种方法都必须进行重载授权表.
3.当然你也可以在创建一个用户时直接设置密码,grant语句将为你自动加密口令.
如 grant all on *.* to user_name@% identified by "your password";
另外你也可以在shell环境下用mysqladmin程序来设置密码
如 mysqladmin -u root password "your password"
1.insert into user(host,user,password) values('%','user_name',password("your password");
2.set password for user_name = password("your password")
以上两种方法都必须进行重载授权表.
3.当然你也可以在创建一个用户时直接设置密码,grant语句将为你自动加密口令.
如 grant all on *.* to user_name@% identified by "your password";
另外你也可以在shell环境下用mysqladmin程序来设置密码
如 mysqladmin -u root password "your password"
13.启动apache服务
[root@localhost conf]# service httpd start
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Starting httpd: [ OK ]
配置test.php
[root@localhost mysql]# cat /var/www/html/test.php
<?php
phpinfo();
?>
[root@localhost mysql]# cat /var/www/html/test.php
<?php
phpinfo();
?>
本文转自zh888 51CTO博客,原文链接:http://blog.51cto.com/zh888/861742,如需转载请自行联系原作者