Quickly self-hosting a RADIUS server
Jul 21, 2017
The environment is Ubuntu.
- Install the freeradius packages
$ sudo apt-get install freeradius freeradius-ldap freeradius-mysql
- We will need to run in debug mode shortly, so stop the service first
$ service freeradius stop
Note: the paths differ depending on whether you install via apt-get or from source code
apt-get path: /etc/freeradius/
source code path: /usr/local/etc/raddb/
- Edit /etc/freeradius/users
$ vim /etc/freeradius/users
Uncomment lines 76-85 (the reply items must stay indented under the user line):
steve	Cleartext-Password := "testing"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 172.16.3.33,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobson-TCP-IP
- Enable debug mode
$ freeradius -X
- Open another terminal window
$ radtest steve testing localhost 1812 testing123
- The last argument above, testing123, is the shared secret used between the FreeRADIUS server and the client; it is set and changed in clients.conf
$ vim /etc/freeradius/clients.conf
- So for a client whose IP is 172.20.3.18, add the following block
client 172.20.3.18 {
	ipaddr = 172.20.3.18
	secret = testing123
	require_message_authenticator = no
	nastype = other
}
- If you want to use MySQL to store user data, proceed as follows
$ apt-get install mysql-server
$ mysql -uroot -p
mysql> CREATE DATABASE radius;
mysql> exit
- Run the SQL scripts shipped with FreeRADIUS
$ cd /etc/freeradius/sql/mysql
$ mysql -uUSERNAME -pPASSWD radius < admin.sql
$ mysql -uUSERNAME -pPASSWD radius < schema.sql
- Edit /etc/freeradius/radiusd.conf
$ vim /etc/freeradius/radiusd.conf
Search for $INCLUDE sql.conf and uncomment it
- Edit /etc/freeradius/sql.conf; if you installed via apt-get, this step can be skipped
sql {
	#
	# Set the database to one of:
	#
	# mysql, mssql, oracle, postgresql
	#
	database = "mysql"
	#
	# Which FreeRADIUS driver to use.
	#
	driver = "rlm_sql_${database}"
	# Connection info:
	server = "localhost"
	#port = 3306
	login = "radius"
	password = "radpass"
	# Database table configuration for everything except Oracle
	radius_db = "radius"
	...
}
- Edit /etc/freeradius/sites-available/default
authorize{}: comment out files and uncomment sql - user information is no longer read from the users file but from SQL
accounting{}: uncomment sql - enables SQL accounting
session{}: uncomment sql - enables simultaneous-use checking for users
post-auth{}: uncomment sql - enables recording of post-authentication data
$ vim /etc/freeradius/sites-available/default
After editing it should look roughly like this
authorize {
	...
	...
	# files
	sql
	...
}
accounting {
	...
	sql
	...
}
session {
	radutmp
	# See "Simultaneous Use Checking Queries" in sql.conf
	sql
}
post-auth {
	...
	sql
	...
}
- If you enabled simultaneous-login limiting, edit dialup.conf
$ vim /etc/freeradius/sql/mysql/dialup.conf
Uncomment the following lines
simul_count_query = "SELECT COUNT(*) \
	FROM ${acct_table1} \
	WHERE username = '%{SQL-User-Name}' \
	AND acctstoptime IS NULL"
- Enter the radius DB and create a user
mysql> use radius;
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('test', 'Password', 'z');
mysql> insert into radusergroup(username,groupname) values('test','user');
- Query results
mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test     | user      |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)
mysql> select * from radcheck;
+----+----------+-----------+----+-------+
| id | username | attribute | op | value |
+----+----------+-----------+----+-------+
|  1 | test     | Password  | == | z     |
+----+----------+-----------+----+-------+
1 row in set (0.00 sec)
- Verify with php5-radius
$ php -v
The version is PHP 5.5.9-1ubuntu4.21
$ apt-get install php5-radius
$ vim /etc/php5/cli/php.ini
Add extension=radius.so
If you are on PHP 5.6 instead, install it as follows
$ apt-get install php5.6-dev php5.6-xml make
$ pear install radius Auth_RADIUS
- Write a test script
$ vim test_radius.php
<?php
// Open an authentication handle and register the local server with the shared secret,
// a 5 second timeout and 3 retries (must match the client block in clients.conf).
$radius = radius_auth_open();
radius_add_server($radius, 'localhost', 1812, 'testing123', 5, 3);
radius_create_request($radius, RADIUS_ACCESS_REQUEST);
radius_put_attr($radius, RADIUS_USER_NAME, 'test');
radius_put_attr($radius, RADIUS_USER_PASSWORD, 'z');
$result = radius_send_request($radius);
switch ($result) {
    case RADIUS_ACCESS_ACCEPT:
        // An Access-Accept response to an Access-Request indicating that the RADIUS server authenticated the user successfully.
        echo 'Authentication successful';
        break;
    case RADIUS_ACCESS_REJECT:
        // An Access-Reject response to an Access-Request indicating that the RADIUS server could not authenticate the user.
        echo 'Authentication failed';
        break;
    case RADIUS_ACCESS_CHALLENGE:
        // An Access-Challenge response to an Access-Request indicating that the RADIUS server requires further information in another Access-Request before authenticating the user.
        echo 'Challenge required';
        break;
    default:
        die('A RADIUS error has occurred: ' . radius_strerror($radius));
}
radius_close($radius);
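As an added example (not part of the original post), the following Python script builds the same Access-Request that radtest and the PHP test script above send for user test with password z and the shared secret testing123, using only the standard library. It shows the two places the shared secret is used: PAP password hiding (RFC 2865) and the Message-Authenticator attribute (RFC 2869) that FreeRADIUS verifies when a client block sets require_message_authenticator = yes (the clients.conf block above sets it to no, which skips that check). The attribute numbers are the RFC values; the Request Authenticator is random unless one is passed in.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80  # RFC 2865/2869 attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP hiding (RFC 2865 5.2): XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server's inverse; the chaining value is the hidden block, not the recovered one."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(username: bytes, password: bytes, secret: bytes,
                         ident: int = 1, authenticator: bytes = b"") -> bytes:
    auth = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, auth))
    # Message-Authenticator (RFC 2869 5.14): HMAC-MD5 keyed with the shared secret over the
    # whole packet with the attribute's 16 value bytes zeroed; placed last here.
    body = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + auth  # code 1 = Access-Request
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """What require_message_authenticator = yes enforces: recompute the HMAC and compare."""
    pos = 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2: return False  # malformed attribute length
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # attribute absent, so the request cannot be tied to the secret
```

Sending the returned bytes over UDP to port 1812 exercises the server; verify_message_authenticator mirrors the check the server performs before it looks at the password.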