Quickly set up your own RADIUS server

Duncan
Jul 21, 2017 · 9 min read

The environment used here is Ubuntu.

  • Install the freeradius packages
$ sudo apt-get install freeradius freeradius-ldap freeradius-mysql
  • We will start the server in debug mode shortly, so stop the service first
$ service freeradius stop

Note

The configuration path differs depending on whether you installed with apt-get or from source code:

apt-get path: /etc/freeradius/

source code path: /usr/local/etc/raddb/

  • Edit /etc/freeradius/users
$ vim /etc/freeradius/users
Uncomment lines 76-85 (the reply attributes below the first line must stay indented):
steve   Cleartext-Password := "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
  • Start debug mode (the server runs in the foreground and prints every request it handles)
$ freeradius -X
  • Open another terminal and send a test request
$ radtest steve testing localhost 1812 testing123
  • The last argument of the command above, testing123, is the shared secret used for communication between the FreeRADIUS server and the client; it is set and changed in client.conf
$ vim /etc/freeradius/client.conf
  • So if you have a client whose IP is 172.20.3.18, you can add the following entry
client 172.20.3.18 {
        ipaddr = 172.20.3.18
        secret = testing123
        require_message_authenticator = no
        nastype = other
}

  • If you want to store user data in MySQL instead, follow these steps
$ apt-get install mysql
$ mysql -uroot -p
mysql> CREATE DATABASE radius;
mysql> exit
  • Run the SQL scripts shipped with FreeRADIUS
$ cd /etc/freeradius/sql/mysql
$ mysql -uUSERNAME -pPASSWD radius < admin.sql
$ mysql -uUSERNAME -pPASSWD radius < schema.sql
  • Edit /etc/freeradius/radiusd.conf
$ vim /etc/freeradius/radiusd.conf
Search for $INCLUDE sql.conf and uncomment it
  • Edit /etc/freeradius/sql.conf (if you installed with apt-get, this step can be skipped)
sql {
        #
        # Set the database to one of:
        #
        # mysql, mssql, oracle, postgresql
        #
        database = "mysql"

        #
        # Which FreeRADIUS driver to use.
        #
        driver = "rlm_sql_${database}"

        # Connection info:
        server = "localhost"
        #port = 3306
        login = "radius"
        password = "radpass"

        # Database table configuration for everything except Oracle
        radius_db = "radius"
        ...
}
  • Edit /etc/freeradius/sites-available/default

authorize{}: comment out files and uncomment sql. This means user information is no longer read from the users file but from SQL.

accounting{}: uncomment sql. This enables SQL accounting records.

session{}: uncomment sql. This enables the simultaneous-login check.

post-auth{}: uncomment sql. This enables logging of post-authentication records.

$ vim /etc/freeradius/sites-available/default
After editing, the sections look roughly like this:
authorize {
        ...
        ...
        # files
        sql
        ...
}

accounting {
        ...
        sql
        ...
}

session {
        radutmp

        # See "Simultaneous Use Checking Queries" in sql.conf
        sql
}

post-auth {
        ...
        sql
        ...
}
  • If you enabled the simultaneous-login limit, also edit dialup.conf
$ vim /etc/freeradius/sql/mysql/dialup.conf
Uncomment the following lines (the query counts accounting sessions for the user that have no stop time, i.e. are still open):
simul_count_query = "SELECT COUNT(*) \
        FROM ${acct_table1} \
        WHERE username = '%{SQL-User-Name}' \
        AND acctstoptime IS NULL"
  • Switch to the radius DB and create a user
mysql> use radius;
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('test', 'Password', 'z');
mysql> INSERT INTO radusergroup (username, groupname) VALUES ('test', 'user');
  • Check the result
mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test     | user      |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)
mysql> select * from radcheck;
+----+----------+-----------+----+-------+
| id | username | attribute | op | value |
+----+----------+-----------+----+-------+
|  1 | test     | Password  | == | z     |
+----+----------+-----------+----+-------+
1 row in set (0.00 sec)

  • Verify with php5-radius
$ php -v
The version here is PHP 5.5.9-1ubuntu4.21
$ apt-get install php5-radius
$ vim /etc/php5/cli/php.ini
Add extension=radius.so

If you are using PHP 5.6 instead, install it as follows:

$ apt-get install  php5.6-dev php5.6-xml make
$ pear install radius Auth_RADIUS
  • Write a test script
$ vim test_radius.php
<?php
// Open a handle for authentication requests (returns false on failure)
$radius = radius_auth_open();
if ($radius === false) {
    die('Could not open RADIUS handle');
}
// Server, auth port 1812, the shared secret configured for this client, 5 s timeout, 3 retries
radius_add_server($radius, 'localhost', '1812', 'testing123', 5, 3);
radius_create_request($radius, RADIUS_ACCESS_REQUEST);
radius_put_attr($radius, RADIUS_USER_NAME, 'test');
radius_put_attr($radius, RADIUS_USER_PASSWORD, 'z');
$result = radius_send_request($radius);
switch ($result) {
    case RADIUS_ACCESS_ACCEPT:
        // An Access-Accept response to an Access-Request indicating that the RADIUS server authenticated the user successfully.
        echo 'Authentication successful';
        break;
    case RADIUS_ACCESS_REJECT:
        // An Access-Reject response to an Access-Request indicating that the RADIUS server could not authenticate the user.
        echo 'Authentication failed';
        break;
    case RADIUS_ACCESS_CHALLENGE:
        // An Access-Challenge response to an Access-Request indicating that the RADIUS server requires further information in another Access-Request before authenticating the user.
        echo 'Challenge required';
        break;
    default:
        die('A RADIUS error has occurred: ' . radius_strerror($radius));
}
radius_close($radius);

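To make concrete what the shared secret from the client entry above and the Message-Authenticator setting actually do, here is an added example (not code from the original post) that builds, in pure Python, the same Access-Request that the PHP script and radtest send for user test / password z with secret testing123: it hides the PAP User-Password with MD5 of the secret as RFC 2865 section 5.2 specifies, and signs the packet with the HMAC-MD5 Message-Authenticator that require_message_authenticator = yes would make the server demand. The username, password and secret values are the ones the post uses; the Request Authenticator is normally random and is only fixed here for testing.

```python
# Added example, not from the original post; shows the packet radtest/php-radius send.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev  # the next block is keyed on this ciphertext block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does before comparing with radcheck."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips the RFC padding (and any trailing NULs in the password)

def attr(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(username, password, secret, ident=0, authenticator=None):
    """Access-Request with User-Name, hidden User-Password and a Message-Authenticator placed last."""
    auth = authenticator or os.urandom(16)  # Request Authenticator: 16 random octets
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs
    # RFC 2869 5.14: HMAC-MD5 keyed with the shared secret over the packet with a zeroed MA
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """The check require_message_authenticator = yes makes the server insist on (MA assumed last)."""
    if len(pkt) < 38 or pkt[-18] != MESSAGE_AUTHENTICATOR or pkt[-17] != 18:
        return False
    expected = hmac.new(secret, pkt[:-16] + b"\x00" * 16, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[-16:])
```

Because the password hiding is only an MD5 stream keyed by the secret and the per-request authenticator, the secret is the whole protection of the PAP password on the wire, which is why a weak or shared-everywhere secret such as testing123 belongs only in a lab.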