OpenSER + RADIUS: The Complete Guide

FreeRADIUS needs the OpenSSL library; quicklinux already ships with openssl-0.9.7a-46.i686 preinstalled.

If MySQL is not installed under /usr/local/, create a symlink:
# ln -s /opt/lapmcp/apmc/ /usr/local/mysql

First install FreeRADIUS and test it without connecting to MySQL:
# cd /home/zyq/tempfile/OpenSER_ins/AAA
# tar -xzvf freeradius-1.1.4.tar.gz
# cd freeradius-1.1.4
# ./configure --with-rlm-sql-lib-dir=/opt/lapmcp/apmc/lib/mysql/ --with-rlm-sql-include-dir=/opt/lapmcp/apmc/include/mysql/
# make
# make install WITH_MYSQL=yes

Configure FreeRADIUS:
1) Edit clients.conf
# vi /usr/local/etc/raddb/clients.conf
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
} // Present by default. secret = testing123 is the shared secret that a client connecting from 127.0.0.1 must use to talk to the RADIUS server.

2) Edit naslist and add:
# vi /usr/local/etc/raddb/naslist
localhost local portslave
// present by default

3) Edit users and add users (these are stored in the flat text file, for testing):
# vi /usr/local/etc/raddb/users
Below the steve example entry, add:
hefish     Auth-Type := Local, User-Password == "123456"
           Service-Type = Framed-User,
           Framed-Protocol = PPP,
           Framed-IP-Address = 192.168.137.2,
           Framed-IP-Netmask = 255.255.255.0
Below the John Doe example entry, add:
powerlift Auth-Type := Local, User-Password == "ilovelinux"
          Reply-Message = "Hello, powerlift!"
Save and exit.

4) Run a test
# /usr/local/sbin/radiusd -X
Then open another terminal and test:
# radtest hefish 123456 localhost 0 testing123
Output:
Sending Access-Request of id 11 to 127.0.0.1 port 1812
        User-Name = "hefish"
        User-Password = "123456"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=11, length=44
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.137.2
        Framed-IP-Netmask = 255.255.255.0
Test passed. Next test:
# radtest powerlift ilovelinux localhost 0 testing123
Output:
Sending Access-Request of id 15 to 127.0.0.1 port 1812
        User-Name = "powerlift"
        User-Password = "ilovelinux"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=15, length=39
        Reply-Message = "Hello, powerlift!"
Test passed.

5) Configure radiusd to authenticate against MySQL. First create the database in MySQL:
# /usr/local/mysql/bin/mysqladmin -u root -p create radius
# cd /home/zyq/tempfile/OpenSER_ins/AAA/freeradius-1.1.4/doc/examples
# /usr/local/mysql/bin/mysql -u root -p radius < mysql.sql

6) Edit radiusd.conf to enable MySQL authentication:
# vi /usr/local/etc/raddb/radiusd.conf
authorize {
preprocess
chap
mschap
suffix
sql
...
}
accounting {
...
sql
...
}

7) Edit sql.conf so that RADIUS can reach MySQL:
# vi /usr/local/etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
login = "root"
password = "mysql的密码"
radius_db = "radius"
// Leave the rest at the defaults (the exception is when you want to bind accounts to a NIC MAC address, phone number or similar; then adjust the settings below)
}

8) Insert some data into the database:
# /usr/local/mysql/bin/mysql -u root -p radius
First add some group information:
insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask','=','255.255.255.255');
insert into radgroupcheck (groupname, attribute, op, value) values ("user", "Auth-Type", ":=", "Local");
Then add the user:
insert into radcheck (username,attribute,op,value) values ('zyq','User-Password','==','12345678');
Then put the user into the group:
insert into usergroup(username,groupname) values('zyq','user');

9) So that RADIUS can load the MySQL client library correctly, register the library paths:
# echo /usr/lib >> /etc/ld.so.conf
# echo /usr/local/lib >> /etc/ld.so.conf
# echo /opt/lapmcp/apmc/lib >> /etc/ld.so.conf
# ldconfig

10) Test FreeRADIUS + MySQL:
# radtest zyq 12345678 localhost 0 testing123
Output:
Sending Access-Request of id 146 to 127.0.0.1 port 1812
        User-Name = "zyq"
        User-Password = "12345678"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=146, length=32
        Service-Type = Framed-User
        Framed-IP-Netmask = 255.255.255.255
      
===================================
Install radiusclient-ng:
~# tar xvfz radiusclient-ng-X.Y.Z.tar.gz
~# cd radiusclient-ng-X.Y.Z
~# ./configure
~# make
~# make install

Install OpenSER with FreeRADIUS:
Check that mysql.h, libmysqlclient.so and the related files are in place.
Copy libmysqlclient.so, libmysqlclient.so.15, libmysqlclient_r.so and libmysqlclient_r.so.15 from /usr/local/mysql/lib/mysql to /usr/lib.
mysql.h lives in /usr/local/mysql/include/mysql; if MySQL is not a standard install, copy the mysql directory to /usr/local/include.

Build and install OpenSER:
~> tar xzvf openser-1.1.0_src.tar.gz
~> cd openser-1.1.0
~> vi modules/acc/Makefile
Uncomment the following two lines:
DEFS+=-DRAD_ACC -I$(LOCALBASE)/include
LIBS=-L$(LOCALBASE)/lib -lradiusclient-ng
~> vi Makefile
exclude_modules?=               jabber cpl-c pa mysql postgres osp unixodbc \
                                              avp_radius auth_radius group_radius uri_radius
Comment out the second line and remove mysql from the first line.
~> NICER=1 make all
~> make install

When this finishes, four files are generated under /usr/local/sbin:
openser, openserctl, openserunix and openser_mysql.sh
Create the database with openser_mysql.sh create:
~> openser_mysql.sh create
MySql password for root:                               // the MySQL password
Domain (realm) for the default user 'admin':           // just press Enter
       creating database openser ...
Install SERWEB tables ?(y/n):y                         // type y and press Enter
Domain (realm) for the default user 'admin':           // just press Enter
       creating serweb tables into openser ...
     
Edit the OpenSER configuration file /usr/local/etc/openser/openser.cfg,
then edit openserctlrc in the same directory.

At this point openserctl start/stop can already start and stop OpenSER.

===============================================

Configure OpenSER with FreeRADIUS:
1) Generate the OpenSER RADIUS dictionary
~# cp /usr/local/etc/openser/dictionary.radius /usr/local/etc/radiusclient-ng/dictionary.openser
~# vi /usr/local/etc/radiusclient-ng/dictionary.openser
Replace the existing contents with the following:
#### Attributes ###
#ATTRIBUTE User-Name                 1 string     # RFC2865
#ATTRIBUTE Service-Type                 6 integer    # RFC2865
#ATTRIBUTE Called-Station-Id             30 string     # RFC2865, acc
#ATTRIBUTE Calling-Station-Id            31 string     # RFC2865, acc
#ATTRIBUTE Acct-Status-Type              40 integer    # RFC2865, acc
#ATTRIBUTE Acct-Session-Id               44 string     # RFC2865, acc
ATTRIBUTE Sip-Method                   101 integer    # Schulzrinne, acc
ATTRIBUTE Sip-Response-Code            102 integer    # Schulzrinne, acc
ATTRIBUTE Sip-Cseq                     103 string     # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag                   104 string     # Schulzrinne, acc
ATTRIBUTE Sip-From-Tag                 105 string     # Schulzrinne, acc
ATTRIBUTE Sip-Translated-Request-URI   107 string     # Proprietary, acc
ATTRIBUTE Sip-Src-IP                   108 string     # Proprietary, acc
ATTRIBUTE Sip-Src-Port                 109 string     # Proprietary, acc
ATTRIBUTE Digest-Response      206 string     # Sterman, auth_radius
ATTRIBUTE Sip-Uri-User         208 string     # Proprietary, auth_radius
ATTRIBUTE Sip-Group            211 string     # Proprietary, group_radius
ATTRIBUTE Sip-Rpid             213 string     # Proprietary, auth_radius
ATTRIBUTE SIP-AVP              225 string     # Proprietary, avp_radius
ATTRIBUTE Digest-Realm                1063 string     # Sterman, auth_radius
ATTRIBUTE Digest-Nonce                1064 string     # Sterman, auth_radius
ATTRIBUTE Digest-Method               1065 string     # Sterman, auth_radius
ATTRIBUTE Digest-URI                  1066 string     # Sterman, auth_radius
ATTRIBUTE Digest-QOP                  1067 string     # Sterman, auth_radius
ATTRIBUTE Digest-Algorithm            1068 string     # Sterman, auth_radius
ATTRIBUTE Digest-Body-Digest          1069 string     # Sterman, auth_radius
ATTRIBUTE Digest-CNonce               1070 string     # Sterman, auth_radius
ATTRIBUTE Digest-Nonce-Count          1071 string     # Sterman, auth_radius
ATTRIBUTE Digest-User-Name            1072 string     # Sterman, auth_radius
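Note that the RFC 2865 attributes at the top of this file are commented out on purpose: they must already be defined in the main radiusclient-ng dictionary, which later pulls this file in with $INCLUDE. To make that dependency concrete, here is an added example (not part of the original page, OpenSER or radiusclient-ng): a small Python parser for this dictionary format that follows $INCLUDE and resolves attribute names to codes, which is the lookup that fails with the "can't get code for the Sip-Method attribute" error listed under Debug when the include is missing. The file contents are constructed in-memory stand-ins; the main-dictionary stand-in defines only two RFC 2865 attributes.

```python
import re

# Constructed stand-ins for the two files (not the real dictionaries).
MAIN = "/usr/local/etc/radiusclient-ng/dictionary"
OPENSER = "/usr/local/etc/radiusclient-ng/dictionary.openser"
FILES = {
    MAIN: """
ATTRIBUTE User-Name        1 string
ATTRIBUTE Service-Type     6 integer
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser
""",
    OPENSER: """
#ATTRIBUTE User-Name                 1 string     # RFC2865
ATTRIBUTE Sip-Method                   101 integer    # Schulzrinne, acc
ATTRIBUTE Digest-Response      206 string     # Sterman, auth_radius
ATTRIBUTE SIP-AVP              225 string     # Proprietary, avp_radius
""",
}

ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)$")


def load_dictionary(path, files=FILES, seen=None):
    """Return {name.lower(): (code, type)} for one dictionary file,
    recursing into $INCLUDE lines and ignoring '#' comments.
    Names are lower-cased because RADIUS attribute names are
    case-insensitive (Sip-Avp in users matches SIP-AVP here)."""
    seen = set() if seen is None else seen
    if path in seen:            # guard against include loops
        return {}
    seen.add(path)
    attrs = {}
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] == "$INCLUDE" and len(parts) == 2:
            attrs.update(load_dictionary(parts[1].strip(), files, seen))
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1).lower()] = (int(m.group(2)), m.group(3))
    return attrs


def attribute_code(name, path=MAIN, files=FILES):
    """Code the acc module would look up for an attribute; None is the
    situation behind 'can't get code for the Sip-Method attribute'."""
    entry = load_dictionary(path, files).get(name.lower())
    return entry[0] if entry else None
```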

~# cd /usr/local/etc/raddb
~# vi clients.conf
Add the following:
client 192.168.137.2 {
   secret       = testing123
   shortname   = openser
}
~# vi radiusd.conf
Under modules {, find digest and uncomment it (it is already uncommented by default).
Under authorize { and authenticate {, uncomment digest, then save and exit.
~# vi /usr/local/etc/raddb/dictionary
Add the following line:
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser

~# vi /usr/local/etc/raddb/users
Append the following at the end:
### --- avps ---
101@192.168.137.2 Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
   Sip-Avp += "#3#1",
   Sip-Avp += "#4:08:00",
   Sip-Avp += "#5:16:00",
   Sip-Avp += "#6:Mon,Wed,Thu,Fri"

102@192.168.137.2 Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
   Sip-Avp += "#3#1",
   Sip-Avp += "#4:08:00",
   Sip-Avp += "#5:16:00",
   Sip-Avp += "#6:Mon,Wed,Thu,Fri"

DEFAULT Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"

### --- group checking ---
### --- user 101 ---
101@192.168.137.2 Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
   Reply-Message = "Authorized"

101@192.168.137.2 Auth-Type := Accept, Sip-Group == "pstn", Service-Type == "Group-Check"
   Reply-Message = "Authorized"

### --- user 102 ---
102@192.168.137.2 Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
   Reply-Message = "Authorized"

DEFAULT Auth-Type := Reject, Service-Type == "Group-Check"

### --- user authentication ---
101@192.168.137.2 Auth-Type := Digest, User-Password == "101"
   Reply-Message = "Authenticated",
   Sip-Avp += "rpid:101",
   Sip-Avp += "#2:192.168.137.1",
   Sip-Avp += "#2:192.168.137.11"

102@192.168.137.2 Auth-Type := Digest, User-Password == "102"
   Reply-Message = "Authenticated",
   Sip-Avp += "rpid:102",
   Sip-Avp += "#2:192.168.137.1"

================================================

Configure radiusclient-ng:
~# vi /usr/local/etc/radiusclient-ng/radiusclient.conf
Change the following localhost entries to the server address:
...
authserver      localhost
...
acctserver      localhost
...

~# vi /usr/local/etc/radiusclient-ng/servers
Add the mapping from server address to secret:
192.168.137.2   testing123

~# vi /usr/local/etc/radiusclient-ng/dictionary
Add the following line:
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser

~# vi /usr/local/etc/raddb/users
Add a test entry for Digest authentication:
test Auth-Type := Digest, User-Password == "test"
   Reply-Message = "Hello, test with digest"
Test:
~# /usr/local/sbin/radiusd -X
Open a new terminal and proceed as follows:
Create a file named “digest” and put following in it, all in a single line:

...
User-Name = "test", Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7",
Digest-Realm = "testrealm", Digest-Nonce = "1234abcd" ,
Digest-Method = "INVITE", Digest-URI = "sip:5555551212@example.com",
Digest-Algorithm = "MD5", Digest-User-Name = "test"
...

Use “radclient” for testing the server. It is assumed that you run “radclient” on OpenSER system. You have to install it there, since this tool comes with FreeRADIUS server.

...
radclient -f digest 192.168.137.2 auth testing123
...

In case of correct response from the server, you should see something like:

...
Received response ID 224, code 2, length = 45
        Reply-Message = "Hello, test with digest"
...
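The digest file above carries a precomputed Digest-Response; the server recomputes it from the other Digest-* attributes plus the clear-text User-Password in users and accepts only on a match. As an added example (not from the page, OpenSER or FreeRADIUS), the following Python derives the Digest-Response for the test user's parameters, builds the single-line attribute list in the format radclient reads, and replays the server-side check; the password dict standing in for the users file is constructed here.

```python
import hashlib
import hmac
import re


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 MD5 digest as rlm_digest recomputes it:
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri);
    no qop (the page's test file): MD5(HA1:nonce:HA2);
    qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def radclient_digest_line(username, realm, password, method, uri, nonce):
    """The one-line attribute list that goes into the radclient 'digest' file."""
    attrs = [
        ("User-Name", username),
        ("Digest-Response", digest_response(username, realm, password, method, uri, nonce)),
        ("Digest-Realm", realm), ("Digest-Nonce", nonce),
        ("Digest-Method", method), ("Digest-URI", uri),
        ("Digest-Algorithm", "MD5"), ("Digest-User-Name", username),
    ]
    return ", ".join(f'{name} = "{value}"' for name, value in attrs)


ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def server_accepts(line, passwords):
    """Server side of Auth-Type := Digest: fetch the user's clear-text
    User-Password (dict stands in for the users file), recompute the
    digest from the request's Digest-* attributes, compare in constant time."""
    a = dict(ATTR_RE.findall(line))
    password = passwords.get(a.get("Digest-User-Name"))
    if password is None or a.get("Digest-Algorithm", "MD5") != "MD5":
        return False
    expected = digest_response(a["Digest-User-Name"], a["Digest-Realm"], password,
                               a["Digest-Method"], a["Digest-URI"], a["Digest-Nonce"])
    return hmac.compare_digest(expected, a.get("Digest-Response", ""))
```

Nothing sensitive crosses the wire in this exchange except the shared secret-protected RADIUS packet itself, but the server must hold the clear-text password (hence User-Password in users or radcheck), which is why the raddb files and the radius database deserve restrictive permissions.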

=======================================================

Configure OpenSER:
~# vi /usr/local/etc/openser/openser.cfg
See the attachment.

CDRs are stored under "var/log/radius/radacct/"

--------------------------------
Debug:
1. Cannot load libradius-ng.so.2:
Add LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib to the environment.

2. Versions above 1.0.0 no longer have modparam("auth_radius", "rpid_old_compat", 1).

3. The syntax of AVP parameters for the avpops module has changed. Please see:

http://openser.org/dokuwiki/doku.php?id=migrating_openser_v1.0.x_to_v1.1.x

For example, in your case:

avp_write("$ruri", "i:10"); => avp_write("$ruri", "$avp(i:10)");

4. ERROR: acc: can't get code for the Sip-Method attribute
Did you include dictionary.ser into your main libradiusclient dictionary?

5. ERROR: tcp_init: bind on 127.0.0.1
Add listen=udp:192.168.137.5 to ser.cfg.

6. Create a digest file under raddb and put each user's information in it.
Enable FreeRADIUS's MySQL support by uncommenting sql in radiusd.conf; once it is enabled, the users file no longer takes effect.
Starting from the acc configuration, add RADIUS accounting (radius-acc), then add RADIUS authentication by following the Taiwanese SER authentication configuration document.
The key is radius_www_authorize: as long as it is present, authentication goes through RADIUS; otherwise it is done locally.
With RADIUS authentication, acc still produces CDRs, which shows that CDR generation is independent of the subscriber table.

mysql -uroot -p123456 radius

insert into radgroupreply (GroupName,Attribute,op,Value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Service-Type',':=','Framed-User');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.254');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');

insert into radcheck (UserName,Attribute,op,Value) values ('8001@192.168.137.2','User-Password','==','1111');
insert into radcheck (UserName,Attribute,op,Value) values ('8001@192.168.137.2','Auth-Type',':=','Digest');
insert into radcheck (UserName,Attribute,op,Value) values ('8002@192.168.137.2','User-Password','==','1111');
insert into radcheck (UserName,Attribute,op,Value) values ('8002@192.168.137.2','Auth-Type',':=','Digest');
