First, the environment:
1. System: CentOS release 6.6 (Final)
2. Required packages:
1) freeradius-2.1.12-6.el6.x86_64
freeradius-mysql-2.1.12-6.el6.x86_64
2) ppp-2.4.5-5.el6.x86_64
3) rp-pppoe-3.10-11.el6.x86_64
4) mysql-5.1.73-3.el6_5.x86_64
mysql-devel-5.1.73-3.el6_5.x86_64
5) openssl-1.0.1e-30.el6_6.5.x86_64
Second, analysis of the actual server deployment environment and the basic principle:
RADIUS is short for Remote Access Dial In User Service. RADIUS mainly provides an authentication mechanism (Authentication), which verifies the user's identity and password; an authorization mechanism (Authorization), which decides which resources in your domain the user may access; and an accounting mechanism (Accounting), which records the user's network usage. FreeRADIUS is open-source software that implements the RADIUS protocol and its AAA (Authentication, Authorization, Accounting) functions.
The actual operating environment and function of the RADIUS server:
The RADIUS server works together with the access server to bill broadband user accounts and to grant dial-up users permission to connect to the Internet.
Third, building the RADIUS server:
1. Install the CentOS system and configure the network, then run #yum update to update the system.
2. Check whether each package is installed: #rpm -q ppp rp-pppoe freeradius mysql-* openssl
If any are missing, install them with: #yum install ppp rp-pppoe freeradius-* mysql-* openssl
Usually openssl has already been updated once the system update has run. After installing the individual packages, download the ppp source package with:
#wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gz
into the newly created /etc/ppp/radius directory (#mkdir /etc/ppp/radius // create the directory).
Now configure each service:
1. Configure the /etc/ppp/options file:
lock
crtscts
nobsdcomp
nodeflate
nopcomp
2. Configure the /etc/ppp/pppoe-server-options file with the following contents:
# PPP options for the PPPoE server
# LIC: GPL
auth
require-chap
default-mru
default-asyncmap
lcp-echo-interval 60
lcp-echo-failure 5
ms-dns 202.96.128.86
noipdefault
noipx
nodefaultroute
proxyarp
noktune
logfile /var/log/pppd.log
3. Make the pppoe service use the freeradius server for authentication.
1) First modify /etc/ppp/pppoe-server-options and add the two lines marked with ->:
#PPP Options for the PPPoE server
#LIC: GPL
auth
require-chap
default-mru
default-asyncmap
lcp-echo-interval 60
lcp-echo-failure 5
ms-dns 202.96.128.86
noipdefault
noipx
nodefaultroute
proxyarp
noktune
-> plugin /usr/lib/pppd/2.4.5/radius.so
-> radius-config-file /etc/ppp/radius/radiusclient.conf
logfile /var/log/pppd.log
These two lines tell pppoe-server to load the radius plugin into pppd at run time, so that the pppoe service authenticates and does accounting through freeradius. After adding them, create the /etc/ppp/radius/ directory; the configuration files that go into it come from the ppp source code. Unpack the ppp source and copy them:
#tar -xzf ppp-2.4.5.tar.gz
#cd ppp-2.4.5
#cd pppd/plugins/radius/etc/
#cp * /etc/ppp/radius/
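The require-chap line above means pppd challenges the dialing peer, and the radius plugin then forwards the peer's answer to FreeRADIUS as the CHAP-Challenge and CHAP-Password attributes rather than as a password. The following Python is an added example, not code from this page or from ppp/FreeRADIUS, showing both halves of that check: the response the peer computes (RFC 1994, MD5) and the comparison the server can only perform because it holds the user's cleartext password, which is why the users file and the radcheck rows later on this page store User-Password in clear. The user store, CHAP identifier and challenge bytes are constructed for the example; the attribute numbers are the standard RFC 2865 ones.

```python
import hashlib
import hmac
import os

# Attribute numbers from the standard RADIUS dictionary (RFC 2865)
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_client_attributes(chap_id: int, password: bytes, challenge: bytes) -> dict:
    """The two attribute values the pppd radius plugin forwards once the peer has
    answered the challenge: CHAP-Password is Identifier (1 byte) + 16-byte Response."""
    return {ATTR_CHAP_CHALLENGE: challenge,
            ATTR_CHAP_PASSWORD: bytes([chap_id]) + chap_response(chap_id, password, challenge)}


def chap_server_verify(attributes: dict, stored_password: bytes) -> bool:
    """Server side: recompute the response from the stored cleartext User-Password and
    compare in constant time. Anything other than the cleartext (e.g. a hash) cannot match."""
    chap_password = attributes[ATTR_CHAP_PASSWORD]
    if len(chap_password) != 17:  # malformed attribute: identifier + 16-byte MD5 expected
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored_password, attributes[ATTR_CHAP_CHALLENGE])
    return hmac.compare_digest(response, expected)


def simulate_dialin(username: bytes, typed_password: bytes, user_db: dict,
                    challenge: bytes = None, chap_id: int = 1) -> bool:
    """Whole exchange in one process: pppd challenges the peer, the plugin forwards
    the answer, the server checks it against its store. Returns True on success."""
    # pppd generates its own random challenge per session; constructed here
    challenge = challenge if challenge is not None else os.urandom(16)
    attributes = chap_client_attributes(chap_id, typed_password, challenge)
    stored = user_db.get(username)
    return stored is not None and chap_server_verify(attributes, stored)


# Constructed user store mirroring the users-file and radcheck entries on this page.
USER_DB = {b"aaa": b"aaa", b"test": b"110"}

if __name__ == "__main__":
    print("aaa/aaa accepted:", simulate_dialin(b"aaa", b"aaa", USER_DB))
    print("aaa/wrong accepted:", simulate_dialin(b"aaa", b"wrong", USER_DB))
```

Because the server must recompute MD5(Identifier || password || Challenge), a password kept only as a hash cannot satisfy a CHAP check, and the same password yields a different response for every challenge, which is what stops a captured answer from being reused. RFC 2865 also allows a 16-byte challenge to be carried in the Request Authenticator instead of a CHAP-Challenge attribute; this example always sends the attribute.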
2) This directory now contains all the required configuration files, of which the most important is /etc/ppp/radius/radiusclient.conf. Open it first; its contents (with comments removed) are:
auth_order radius
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/ppp/radius/issue
authserver localhost:1812
acctserver localhost:1813
servers /etc/ppp/radius/servers
dictionary /etc/ppp/radius/dictionary
login_radius /usr/local/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/ppp/radius/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login
3) In addition, the servers file in this directory must be edited; it specifies the host name of the RADIUS server to contact and the shared secret (the same secret must be configured on the freeradius side).
Edit /etc/ppp/radius/servers and set the RADIUS server location:
localhost testing123 // the shared secret here is testing123
4) Edit /etc/ppp/radius/dictionary and adjust the path settings, chiefly the dictionary.microsoft path on the last line:
INCLUDE /etc/ppp/radius/dictionary.microsoft
5) At this point the pppoe service is set up to authenticate through RADIUS. Next comes the freeradius configuration.
The freeradius-mysql package is what lets freeradius connect to the mysql database; it is not needed for this part.
First open /etc/raddb/clients.conf to configure client access control. The file reads as follows:
client localhost {
secret = testing123
shortname = localhost
nastype = other
}
6) Then configure the /etc/raddb/naslist file, which reads:
# NAS Name              Short Name      Type
#portmaster1.isp.com    pm1.NY          livingston
#portmaster2.isp.com    pm1.LA          livingston
localhost               local           portslave
This file records which NAS servers must use the specified RADIUS server for accounting. For now it specifies localhost.
7) The master configuration file is radiusd.conf; it mainly specifies the default authentication and accounting modes of the freeradius server. For now we use the local users file, /etc/raddb/users. Add the user information that the pppoe service needs for authentication, as follows (there must be no spaces in front of the user name):
aaa Auth-Type := Local, Simultaneous-Use := 1, User-Password := "aaa"
[Tab] Service-Type = Framed-User,
[Tab] Framed-Protocol = PPP,
[Tab] Framed-IP-Netmask = 255.255.255.255
The Simultaneous-Use := 1 field sets the number of simultaneous logins allowed for each user.
8) So that radius can call mysql correctly, the library location must also be specified:
echo /usr/lib >> /etc/ld.so.conf
ldconfig
9) Once everything is configured, start the server in debugging mode with radiusd -X, then restart pppoe-server and verify with a client dialing in whether the pppoe service authenticates users through freeradius successfully. If it does, this part is complete. Afterwards start the radius service normally with service radiusd restart.
radiusd -X
radtest aaa aaa localhost 0 testing123
If you see Access-Accept, it succeeded. Then you can start radiusd for real.
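The radtest line above sends a PAP Access-Request and waits for an Access-Accept. The following Python is an added example, not part of this page or of FreeRADIUS, that carries out the same exchange offline against a constructed one-user store (aaa/aaa with secret testing123, as on the page): the client hides User-Password with the shared secret and the Request Authenticator (RFC 2865 section 5.2), the server recovers and checks it against the cleartext it holds, and the client verifies the Response Authenticator before trusting the reply code. Attribute numbers and value codes are the standard RFC 2865 ones; the NAS-Port value 0 mirrors the radtest line.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

# Attribute numbers and values from the standard RADIUS dictionary (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5
ATTR_SERVICE_TYPE, ATTR_FRAMED_PROTOCOL, ATTR_FRAMED_IP_NETMASK = 6, 7, 9
SERVICE_TYPE_FRAMED_USER, FRAMED_PROTOCOL_PPP = 2, 1


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attributes: list) -> bytes:
    body = b"".join(attributes)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    code, ident, length = struct.unpack("!BBH", data[:4])
    authenticator, attributes, pos = data[4:20], [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        attributes.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, authenticator, attributes


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 and XOR each block with MD5(secret + previous
    block), the first 'previous block' being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ d for c, d in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes, nas_port: int, ident: int = 1) -> bytes:
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request, as radtest does
    attributes = [attr(ATTR_USER_NAME, username),
                  attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
                  attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attributes)


def response_authenticator(code: int, ident: int, request_auth: bytes, attributes: list, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Stand-in for the users-file check: recover User-Password and compare with the stored cleartext."""
    _, ident, request_auth, attributes = parse_packet(request)
    fields = dict(attributes)
    username = fields.get(ATTR_USER_NAME, b"")
    password = reveal_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    if username in users and hmac.compare_digest(password, users[username]):
        code = ACCESS_ACCEPT
        reply = [attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED_USER)),
                 attr(ATTR_FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)),
                 attr(ATTR_FRAMED_IP_NETMASK, bytes([255, 255, 255, 255]))]
    else:
        code, reply = ACCESS_REJECT, []
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, reply, secret), reply)


def client_check_response(response: bytes, request: bytes, secret: bytes):
    """What a client must do before trusting a reply: the identifier matches and the Response
    Authenticator verifies under the client's own copy of the secret. Returns the code or None."""
    _, req_ident, request_auth, _ = parse_packet(request)
    code, ident, _, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if ident != req_ident or not hmac.compare_digest(response[4:20], expected):
        return None
    return code


def radtest(username: bytes, password: bytes, client_secret: bytes, server_secret: bytes, users: dict, nas_port: int = 0):
    """One complete exchange; returns 2 (Access-Accept), 3 (Access-Reject) or None (reply not trusted)."""
    request = build_access_request(username, password, client_secret, nas_port)
    response = server_handle(request, server_secret, users)
    return client_check_response(response, request, client_secret)


# Constructed user store mirroring the users-file entry on this page.
USERS = {b"aaa": b"aaa"}
SECRET = b"testing123"

if __name__ == "__main__":
    print("code:", radtest(b"aaa", b"aaa", SECRET, SECRET, USERS))
```

Running it with different secrets on the two sides (the situation when the servers file and clients.conf disagree) makes the server recover a garbled password and answer Access-Reject, and the client then refuses even that reply because the Response Authenticator no longer verifies, so the caller gets None rather than a code.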
5. Configure freeradius to read user information from the mysql database
1. # mysql -u root -p123 // log in to mysql
2. > create database radius; // create the database
3. > exit // exit the database
4. # cd /etc/raddb/sql/mysql
5. # mysql -u root -p radius < schema.sql // import the tables into the database, then check that 7 tables were imported
6. Modify the /etc/raddb/sites-enabled/default file: in the authorize {} and accounting {} sections remove the # comment marker in front of sql, and in authorize {} put a # in front of files. As follows:
authorize {
    chap
    mschap
    suffix
    eap
    #files
    sql
    pap
}
accounting {
    detail
    unix
    radutmp
    sql
}
7. Modify the mysql database connection settings in /etc/raddb/sql.conf:
server = "localhost"
login = "root"
password = "123"
radius_db = "radius" // database name
8. Modify the /etc/raddb/radiusd.conf file:
Remove the # comment marker in front of $INCLUDE sql.conf.
9. Add a test account to the database:
#mysql -u root -p123
> use radius;
Create the group information:
> insert into radgroupreply (groupname, attribute, op, value) values ('user', 'Auth-Type', ':=', 'Local');
> insert into radgroupreply (groupname, attribute, op, value) values ('user', 'Service-Type', ':=', 'Framed-User');
> insert into radgroupreply (groupname, attribute, op, value) values ('user', 'Framed-IP-Address', ':=', '255.255.255.255');
> insert into radgroupreply (groupname, attribute, op, value) values ('user', 'Framed-IP-Netmask', ':=', '255.255.255.0');
Create the user information:
> insert into radcheck (username, attribute, op, value) values ('test', 'User-Password', ':=', '110');
Add the user to the group:
> insert into radusergroup (username, groupname) values ('test', 'user');
> exit; // exit the database
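The users-file entry in step 7 of the previous section and the radcheck/radgroupreply/radusergroup rows above express the same user in two stores. The following Python is an added example, not part of this page or of FreeRADIUS, that parses users-file entries (user name plus comma-separated check items on the first line, reply items on indented continuation lines) and emits parameterized INSERT rows for the SQL schema, either per user (radcheck/radreply) or, when a group name is given, in the group layout used above. The sample entry is the one from the page; the table and column names are those of schema.sql; the %s placeholder style is the one MySQL client libraries for Python commonly use.

```python
import re

# The users-file entry from step 7 of the previous section (tab-indented reply lines).
USERS_ENTRY = (
    'aaa\tAuth-Type := Local, Simultaneous-Use := 1, User-Password := "aaa"\n'
    '\tService-Type = Framed-User,\n'
    '\tFramed-Protocol = PPP,\n'
    '\tFramed-IP-Netmask = 255.255.255.255\n'
)

# attribute, operator, value; longer operators come first so ':=' is not read as '='
ITEM_RE = re.compile(r'^(?P<attr>[\w-]+)\s*(?P<op>:=|==|\+=|!=|>=|<=|=~|!~|=\*|!\*|=|<|>)\s*(?P<val>.*)$')

INSERT_CHECK = "INSERT INTO radcheck (username, attribute, op, value) VALUES (%s, %s, %s, %s)"
INSERT_REPLY = "INSERT INTO radreply (username, attribute, op, value) VALUES (%s, %s, %s, %s)"
INSERT_GROUP_REPLY = "INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES (%s, %s, %s, %s)"
INSERT_USERGROUP = "INSERT INTO radusergroup (username, groupname) VALUES (%s, %s)"


def split_items(text: str) -> list:
    """Split 'a := 1, b = "x, y"' on the commas that are outside double quotes."""
    items, current, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    items.append("".join(current).strip())
    return [item for item in items if item]  # drop the empty tail left by a trailing comma


def parse_item(item: str) -> tuple:
    match = ITEM_RE.match(item)
    if not match:
        raise ValueError(f"cannot parse item {item!r}")
    value = match.group("val").strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]  # quoted string value
    return match.group("attr"), match.group("op"), value


def parse_users(text: str) -> list:
    """Return [(username, check_items, reply_items)] for each entry in users-file text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # continuation line: reply items
            if not entries:
                raise ValueError("reply items before any user entry")
            entries[-1][2].extend(parse_item(i) for i in split_items(line))
        else:  # header line: user name, then comma-separated check items
            head = re.match(r"(\S+)\s*(.*)", line)
            entries.append((head.group(1), [parse_item(i) for i in split_items(head.group(2))], []))
    return entries


def to_sql(entries: list, group: str = None) -> list:
    """(statement, params) pairs. With group=None reply items go to radreply per user;
    with a group name they go to radgroupreply and the user is mapped via radusergroup."""
    rows = []
    for username, checks, replies in entries:
        for attribute, op, value in checks:
            rows.append((INSERT_CHECK, (username, attribute, op, value)))
        if group is None:
            for attribute, op, value in replies:
                rows.append((INSERT_REPLY, (username, attribute, op, value)))
        else:
            for attribute, op, value in replies:
                rows.append((INSERT_GROUP_REPLY, (group, attribute, op, value)))
            rows.append((INSERT_USERGROUP, (username, group)))
    return rows


if __name__ == "__main__":
    for statement, params in to_sql(parse_users(USERS_ENTRY), group="user"):
        print(statement, params)
```

Keeping the values as parameters rather than splicing them into the statement text is what lets a value containing quotes or commas reach the table unchanged. The radcheck row still carries User-Password in clear, exactly as the manual INSERT above does, because the CHAP check requires the cleartext.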
Fourth, testing radius:
1. # radiusd -X // start the radius service in debugging mode
2. Open another terminal and run:
#radtest test 110 localhost 10 testing123
If you see Access-Accept, the installation was successful.