RADIUS (Remote Authentication Dial In User Service) is currently the most widely used AAA protocol (AAA = Authentication, Authorization and Accounting). A typical AAA operation verifies that a user name and password are valid (authentication), assigns an IP address (authorization), and records the login and logout times (accounting). Large RADIUS authentication servers are used for narrowband and broadband dial-up in the telecom industry. With rising demands on network security, small and medium-sized enterprises also need their own authentication servers to manage dial-up users, especially when they use VPDN private networks. These users do not need an expensive commercial system: a PC server running Linux with FreeRADIUS and MySQL is reliable enough. This article focuses on using such a RADIUS system for the secondary authentication of VPDN dial-up users.
Install FreeRADIUS
I use freeradius-1.1.2 on Fedora Core 4 (FC4) for x86_64, running on a mid-range PC server; the system runs stably and reliably. FC4 ships with FreeRADIUS and MySQL packages, but they did not test well: the FC4 MySQL does not support Chinese characters, and the packaged FreeRADIUS only works with that MySQL. So I compile MySQL from source with the option "--with-charset=gb2312" to get Chinese character encoding. FreeRADIUS can be compiled with the default options, except that on a 64-bit Linux system "--with-snmp=no" must be added at configure time, because the SNMP-related library has problems with 64-bit support; the latest FC7 may no longer have these problems. FreeRADIUS ships a MySQL database creation script, db_mysql.sql, but its nas table definition has a syntax error: in the column definition "id int(10) DEFAULT '0' ...", remove the "DEFAULT '0'" clause, then run the script to create the radius database.
FreeRADIUS settings
A small number of users can be configured in the FreeRADIUS default users file, and the server authenticates them according to the rules in that file. After installation, start the RADIUS service in debug mode with /usr/local/sbin/radiusd -X. On the same machine, run radtest <user> <password> localhost 0 testing123 to send an authentication request (the arguments are user name, password, server, NAS port number and the shared secret; testing123 is the default secret for localhost in clients.conf, and radtest test test localhost 0 testing123 works if a user "test" with password "test" is defined in the users file). If a response is received, the RADIUS server is working properly.
By default the RADIUS server authenticates against the /usr/local/etc/raddb/users file, which is simple and easy to use but only practical for a few users. If you manage dozens of users or more, use a database; for fewer than 10 thousand users, MySQL is an appropriate choice.
MySQL authentication settings
In the configuration file radiusd.conf, uncomment the sql entries in the authorize {} and accounting {} sections. Set the MySQL connection information (server address, login user and password) in sql.conf; this tutorial uses localhost. You also need to set the DEFAULT entry in the users file as follows: Auth-Type = Local, Fall-Through = 1. With this, MySQL can be used for authentication.
User rules in MySQL correspond to the user settings in the users file. RADIUS carries both the authentication request and the response as Attribute = Value pairs. In the users file, the attributes on the user's first line, separated by commas, are check items: they must be present in the authentication request and are verified against it. The attributes on the lines that follow, such as the IP address, are reply items added to the response packet. If MySQL is used without groups, you only need to add the password to the radcheck table and the response information, such as the IP address, to the radreply table.
In practice, users are often authenticated as username@domain. When using the users file, you can configure the domain to be stripped and then define only the plain user name: add a realm entry for the domain to radiusd.conf, realm domain { format = suffix ... }, and use LOCAL authentication for realm DEFAULT in proxy.conf. When using MySQL, the default sql.conf authenticates with the full name including the domain. To authenticate with the stripped user name instead, comment out the default sql_user_name = "%{User-Name}" and uncomment the line that is commented out by default, sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"; the user name with the domain removed is then tried first. In the tables you only need to enter the user name, without the domain.
Finally, the firewall must be opened. By default, the RADIUS server uses UDP port 1812 for authentication and UDP port 1813 for accounting, and both inbound and outbound UDP packets on these ports must be allowed. For example, the outbound rule for authentication replies:
iptables -A OUTPUT -p udp -d 192.168.10.3 --sport 1812 -j ACCEPT
Here 192.168.10.3 is the address of the authentication client, usually the LNS router. The UDP 1813 accounting port is opened in the same way.
Cisco router settings
A Cisco router is the classic RADIUS client; in the VPDN dial-up system, the LNS acts as the client for secondary authentication. Define the client's IP address and shared key in clients.conf. For a low-end router with a single network port, the client IP address is that port's IP address. Medium and high-end routers by default use the IP address of the first network port as the client's source IP; if that is an internal address that cannot be routed, the client never receives the authentication response packet. To specify the source address explicitly, use the following statement:
ip radius source-interface FastEthernet0/1
This makes the FastEthernet0/1 IP address the source address of the authentication client. The common practice is to use the source-ip statement in the vpdn-group definition instead, but after the router is restarted the RADIUS server settings must be reapplied for it to take effect.
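As an added example (not code from the article or from FreeRADIUS), the following Python models the exchange between the RADIUS client (the LNS) and the server at the wire level, following the RFC 2865 packet layout. It shows why the client's source IP and the shared secret in clients.conf must agree: the server looks the secret up by the source address it sees, uses it to recover the hidden User-Password, and signs the reply with a Response Authenticator that the client verifies. A request from an unknown source address is silently discarded, which is the behaviour a misrouted source IP produces. The CLIENTS and USERS tables, the secrets, the NAS address 192.168.10.3 and the credentials are constructed sample values.

```python
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31

# clients.conf model: source IP -> shared secret (constructed sample values).
CLIENTS: Dict[str, bytes] = {"192.168.10.3": b"lns-shared-secret"}
# Credentials the server holds, e.g. in radcheck (constructed sample values).
USERS: Dict[bytes, bytes] = {b"alice": b"alice-secret"}


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    # Each attribute is Type(1) Length(1, header included) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block'
    is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the server does this with its own secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes,
                 attrs: List[Tuple[int, bytes]]) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code: int, ident: int, req_auth: bytes,
                           attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def make_access_request(secret: bytes, ident: int, user: bytes, password: bytes,
                        calling: bytes, nas_ip: bytes = b"\xc0\xa8\x0a\x03"):
    """Client side: build an Access-Request; nas_ip defaults to 192.168.10.3."""
    req_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, nas_ip),
             (CALLING_STATION_ID, calling)]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(src_ip: str, packet: bytes) -> Optional[bytes]:
    """Server side: return the reply packet, or None when the request is
    silently discarded (source not in clients.conf, or bad framing)."""
    secret = CLIENTS.get(src_ip)
    if secret is None or len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs.get(USER_NAME, b"")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    reply_code = ACCESS_ACCEPT if USERS.get(user) == pw else ACCESS_REJECT
    reply_attrs: List[Tuple[int, bytes]] = []  # radreply items would go here
    auth = response_authenticator(reply_code, ident, req_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def client_verify(reply: bytes, req_auth: bytes, secret: bytes) -> Optional[int]:
    """Client side: accept the reply code only if its Response Authenticator
    matches; a reply signed with a different secret is rejected."""
    code, ident, _length = struct.unpack("!BBH", reply[:4])
    attrs = decode_attrs(reply[20:])
    expected = response_authenticator(code, ident, req_auth, attrs, secret)
    return code if reply[4:20] == expected else None
```

With a matching secret the client sees ACCESS_ACCEPT for a correct password and ACCESS_REJECT for a wrong one; from an address not listed in CLIENTS the server answers nothing at all, and a client configured with a different secret from the server gets a reply whose authenticator it cannot verify.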
Another Cisco setting is the use of multiple authentication servers. High-end routers generally support several different dial-up access services, and each can use its own authentication server; in Cisco IOS this is done with different server groups.
aaa authorization network aaa-radius1 group radius1
aaa authorization network aaa-radius2 group radius2
The server group used for authentication and accounting can be defined in the same way as needed.
On each PPP Virtual-Template interface, a different server group can then be selected for AAA:
interface Virtual-Template1
 ppp authorization aaa-radius1
 ......
interface Virtual-Template2
 ppp authorization aaa-radius2
 ......
In this way, one router acts as several dial-in LNS routers that use different RADIUS servers.
Implementing physical binding of users
With physical binding, a given user can only authenticate successfully when the connection originates from a specific phone number or port; this greatly improves authentication security. In a narrowband system, the LAC provides the caller's number to the RADIUS server during the first authentication at the access server, and the same attribute is submitted to the RADIUS server during the second authentication. For example, when the user dials in from phone number 1234567, the request contains the attribute Calling-Station-Id = "1234567". To bind the caller's number, enable the check of the caller's number in radiusd.conf, that is, the checkval module configuration. When authenticating with the users file, add Calling-Station-Id = "1234567" to the line that defines the user name. When authenticating with MySQL, add the record ("Calling-Station-Id", "+=", "1234567") for that user to the radcheck table.
For ADSL broadband a phone number cannot be bound, and different broadband devices offer different binding methods. The essential point is that the authentication request must carry the physical port or other physical identification. Define this attribute in the RADIUS server's dictionary and add the constraint value to the users file or the MySQL tables.
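As an added example (not the article's or FreeRADIUS's own code), the following Python models the authorize step that the MySQL authentication section and the physical-binding section together describe: the sql_user_name fallback "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}" with suffix realm stripping, lookup of check items in a radcheck-style table and reply items in a radreply-style table, and the caller-number binding expressed as a Calling-Station-Id check item. The table rows, realm name example.com, user names and phone numbers are constructed sample data, and the password comparison is simplified to a plain equality check.

```python
from typing import Dict, List, Optional, Set, Tuple

# radcheck-style rows (username, attribute, op, value): constructed sample data.
RADCHECK: List[Tuple[str, str, str, str]] = [
    ("alice", "User-Password", "==", "alice-secret"),
    ("alice", "Calling-Station-Id", "==", "1234567"),  # physical binding
    ("bob", "User-Password", "==", "bob-secret"),       # bob has no binding
]

# radreply-style rows: attributes added to the Access-Accept.
RADREPLY: List[Tuple[str, str, str, str]] = [
    ("alice", "Framed-IP-Address", "=", "10.0.0.11"),
    ("bob", "Framed-IP-Address", "=", "10.0.0.12"),
]


def strip_realm(user_name: str, realms: Set[str]) -> Tuple[str, Optional[str]]:
    """Emulate 'realm <domain> { format = suffix }': split user@realm into
    (Stripped-User-Name, Realm) when the suffix is a configured realm.
    An unknown suffix is left in place, as FreeRADIUS does."""
    if "@" in user_name:
        stripped, realm = user_name.rsplit("@", 1)
        if realm.lower() in realms:
            return stripped, realm.lower()
    return user_name, None


def sql_user_name(request: Dict[str, str], realms: Set[str]) -> str:
    """The xlat %{Stripped-User-Name:-%{User-Name:-DEFAULT}}: prefer the
    stripped name, then the full User-Name, then the literal DEFAULT."""
    if "User-Name" not in request:
        return "DEFAULT"
    stripped, realm = strip_realm(request["User-Name"], realms)
    return stripped if realm is not None else request["User-Name"]


def authorize(request: Dict[str, str], realms: Set[str]) -> Tuple[str, Dict[str, str]]:
    """Return ("Access-Accept", reply attributes) or ("Access-Reject", reason).
    The request is a flat Attribute -> Value map of the Access-Request."""
    key = sql_user_name(request, realms)
    checks = [(a, op, v) for (u, a, op, v) in RADCHECK if u == key]
    if not checks:
        return "Access-Reject", {"reason": "unknown user"}
    for attr, op, value in checks:
        # Every "==" check item must be present in the request and match.
        # A request without Calling-Station-Id therefore fails for a bound
        # user, which is the property the physical binding relies on.
        if op == "==" and request.get(attr) != value:
            return "Access-Reject", {"reason": f"{attr} check failed"}
    reply = {a: v for (u, a, _op, v) in RADREPLY if u == key}
    return "Access-Accept", reply


if __name__ == "__main__":
    realms = {"example.com"}
    print(authorize({"User-Name": "alice@example.com", "User-Password": "alice-secret",
                     "Calling-Station-Id": "1234567"}, realms))
    print(authorize({"User-Name": "alice@example.com", "User-Password": "alice-secret",
                     "Calling-Station-Id": "7654321"}, realms))
```

The realm set plays the role of the realm entries in radiusd.conf: only a configured suffix is stripped, so "alice@other.org" is looked up under its full name and, absent from the table, is rejected rather than silently matched to "alice".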