Create a RADIUS server in Linux

By Li Chaojun
  
Remote Authentication Dial-In User Service (RADIUS) is a protocol between a Network Access Server (NAS) and a RADIUS server that stores authentication information centrally. The protocol is defined in IETF RFC 2865 (authentication and authorization) and RFC 2866 (accounting). For small and medium-sized enterprise NAS deployments, building a RADIUS server on Linux is a good choice: with freely available software you can set up a simple and efficient RADIUS server at no software cost.
  
1. Working Principle of RADIUS

RADIUS uses a client/server model to authenticate, authorize and account for remote dial-in users. The client is usually the NAS the user dials into; its job is to pass the user's credentials and connection details to the server. The RADIUS server authenticates the user and returns the user's configuration. Packets are not encrypted as a whole. The client and server share a secret; the User-Password attribute is hidden by XORing it with an MD5 keystream derived from that secret and the per-request Request Authenticator, and every reply carries a Response Authenticator (an MD5 hash over the reply and the shared secret) that lets the NAS detect forged or altered replies. All other attributes travel in cleartext, so the shared secret should be long and random rather than a dictionary word, and the path between NAS and server should be a management network or a tunnel. There are two main kinds of exchange between server and client: access (authentication) requests and accounting requests.

With RADIUS you can centralize authentication and accounting, reduce management burden and cost, and implement many extended functions, such as per-user dial-in time limits and quotas and assigning a fixed IP address to a particular user. RADIUS runs over UDP. The authentication service listens on port 1812 and the accounting service on port 1813 (older implementations and some NAS devices still use 1645 and 1646). The workflow is: (1) the user dials into the NAS; (2) the NAS sends an Access-Request carrying a series of attribute/value pairs (User-Name, the hidden User-Password, NAS identification and so on) to the RADIUS server; (3) the RADIUS server checks whether the user exists and whether the check items match; (4) the RADIUS server returns Access-Accept (with the reply attributes to apply to the session) or Access-Reject to the NAS.
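The exchange described above, as an added example that is not code from the article or from ICRADIUS. It builds an RFC 2865 Access-Request on the NAS side, hides the password exactly as the standard prescribes, answers it on the server side and verifies the Response Authenticator back on the NAS. The shared secret, user name, password and NAS address are constructed for the demonstration; the article's own secret is "cisco", which a dictionary attack against one captured exchange would recover almost at once.

```python
# Added example: minimal RFC 2865 Access-Request / Access-Accept exchange,
# showing what the MD5 "encryption" in RADIUS actually protects.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7

# Constructed sample data (not from the article).
SHARED_SECRET = b"constructed-long-random-shared-secret"
USERS = {b"aaa": b"s3cret-dialup"}                          # stands in for radcheck Password rows
REPLY_ITEMS = [(FRAMED_PROTOCOL, struct.pack("!I", 1)),     # Framed-Protocol = PPP
               (SERVICE_TYPE, struct.pack("!I", 2))]        # Service-Type = Framed-User


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server runs this with its copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Attribute = Type (1 byte), Length (1 byte, header included), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def nas_access_request(user, password, secret, ident=1):
    """NAS side: fresh random Request Authenticator, hidden password, everything else cleartext."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([10, 60, 39, 250]))]      # the article's NAS address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(pkt, secret, users, reply_items):
    """Server side: recover the password, check it, sign the reply with the secret."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        return None
    supplied = reveal_password(a[USER_PASSWORD], secret, request_auth)
    expected = users.get(a[USER_NAME])
    if expected is not None and hmac.compare_digest(expected, supplied):
        code, attrs = ACCESS_ACCEPT, reply_items
    else:
        code, attrs = ACCESS_REJECT, []
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def nas_verify_response(request_pkt, response_pkt, secret):
    """NAS side: trust a reply only if its ID matches the request and the
    Response Authenticator verifies under the shared secret."""
    _, req_ident, request_auth, _ = parse_packet(request_pkt)
    code, ident, resp_auth, attrs = parse_packet(response_pkt)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if ident != req_ident or not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return code, attrs


def run_exchange(user, password, nas_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Full round trip; returns (code, reply attributes) as accepted by the NAS."""
    request = nas_access_request(user, password, nas_secret)
    response = server_handle(request, server_secret, USERS, REPLY_ITEMS)
    return nas_verify_response(request, response, nas_secret)


if __name__ == "__main__":
    code, attrs = run_exchange(b"aaa", b"s3cret-dialup")
    print("Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject", attrs)
```

Note what the example makes visible: User-Name and the NAS address cross the wire in cleartext, the password hiding is only as strong as the shared secret, and a NAS that skipped nas_verify_response would accept any Access-Accept an attacker on the path chose to inject.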
  
A RADIUS server is usually backed by a database. Large ISPs typically use a large back-end database such as Oracle; for small and medium-sized deployments MySQL is sufficient. RADIUS authentication can also be done against LDAP, but that is less widely used than a database back end.

This article describes how to build a RADIUS server with ICRADIUS and MySQL, using a Cisco 2610 with a modem pool as the NAS, and also gives a configuration example with Linux as the NAS.
  
2. Create a RADIUS server

First install and configure a basic Linux system. Be sure to install the development tools, Perl, the Perl DBI module and the MySQL DBD driver (DBD::mysql), and of course the MySQL database itself. Here we assume that the database and the RADIUS service run on the same server. Almost every Linux distribution ships MySQL, so it can be installed directly from the distribution. The procedure is as follows.
  
1. Install and configure ICRADIUS

(1) Unpack the source and enter the src directory:

# tar xvfz icradius-0.18.1.tar.gz

# cd icradius-0.18.1/src

Copy the Linux makefile, Makefile.lnx, to Makefile:

# cp Makefile.lnx Makefile

Note that you may need to edit the Makefile to point at the MySQL library and header file locations of your installation. You can also change the installation directory of the executables there.

(2) Build and install:

# make

# make install
  
2. Create the RADIUS database

(1) Connect to the MySQL server and create the database:

# mysql -u root -pyourpassword

> create database radius;   ### create the radius database

(Passing the password on the command line as -pyourpassword exposes it in the process list and shell history; on a shared machine give -p alone and enter it at the prompt.)

Then create the tables the RADIUS database needs. The file radius.db in the scripts subdirectory of icradius-0.18.1 defines all the required tables, so it is enough to run:

# mysql -u root -pyourpassword radius < radius.db

This creates the tables used for RADIUS authentication and accounting, listed in table 1.
  
3. Fill in the tables

Now populate the tables created above. ICRADIUS ships a script, scripts/dictimport.pl, that loads the dictionary table. The steps are as follows.

(1) Edit the script and set

my $dbusername = "root";

my $dbpassword = "yourpassword";

to the user name and password of the database administrator.

(2) Run the script:

# ./dictimport.pl ../raddb/dictionary

If you use a Cisco router, also load the Cisco dictionary file, which defines the Cisco vendor-specific attributes (such as Cisco-AVPair, used later for callback):

# ./dictimport.pl ../raddb/dictionary.cisco
  
(3) Add the NAS to the nas table. Enter mysql first:

# mysql -u root -pyourpassword radius

and run the following SQL:

insert into nas

values (0, "cisco nas", "nas", "10.60.39.250", "cisco", 32, "cisco", "public", "on");

For the meaning of each field, see appendix 2. Two values deserve attention. The seventh ("cisco" here) is the secret shared between this NAS and the RADIUS server; it is all that protects User-Password and the integrity of replies, so in a real deployment replace it with a long random string and configure the same value on the NAS. "public" is the default SNMP community and should likewise be changed. A RADIUS server only answers clients it knows, so the IP address entered here must be the source address the NAS actually sends from.
  
(4) radius.cgi in the scripts directory is a CGI program for managing users and accounting information through a web interface. Before using it, add the following rows to the radcheck table:

insert into radcheck values ("", "admin", "Password", "adminpassword");

insert into radcheck values ("", "admin", "Radius-Operator", "Yes");

Here admin is the user name of the RADIUS administrator and adminpassword is the administrator password. Passwords in radcheck are stored in cleartext, so the database account and anything that holds its credentials must be protected accordingly.

(5) Copy radius.cgi and usage.cgi to the web server's cgi-bin directory, edit both files and set the database administrator's user name and password correctly. Set $cookiedomain and $radhost in both files to empty. $radsecret in both files is the secret shared between the NAS and the RADIUS server (the same value entered in the nas table). Because these two files now contain the database password and the shared secret, make sure the web server executes them rather than serving them as text, keep them readable only by the web server user, and put the management interface behind HTTPS or restrict it to a management network, since the administrator login is otherwise sent in cleartext.
  
4. Configure and start radiusd

(1) Create the subdirectory raddb under /etc:

# mkdir /etc/raddb

(2) Create the file clients in this directory and set its permissions:

# cd /etc/raddb

# touch clients

# chmod 664 clients

(Mode 664 leaves the file world-readable; if it ever holds client secrets, use 640 or 600 instead.)

(3) Copy radius.conf from the icradius-0.18.1/raddb/ directory to /etc/raddb:

# cp ~/icradius-0.18.1/raddb/radius.conf /etc/raddb/

(4) Copy all the remaining files in ~/icradius-0.18.1/raddb/ to /etc/raddb as well.

The directory ~/icradius-0.18.1/redhat/ contains a file named rc.radiusd-redhat, the radiusd start-up script for the Red Hat environment. Copy it to /etc/rc.d/init.d:

# cp ~/icradius-0.18.1/redhat/rc.radiusd-redhat /etc/rc.d/init.d/rc.radiusd

(5) Edit /etc/raddb/radius.conf and set the password to the MySQL administrator password. Since the file now holds a database credential, it should be owned by root and not world-readable (chmod 600).

(6) Edit /etc/rc.d/init.d/rc.radiusd and change

RADIUSD=/usr/sbin/radiusd

WATCHER=/usr/sbin/radwatch

to the paths used by a default installation:

RADIUSD=/usr/local/sbin/radiusd

WATCHER=/usr/local/sbin/radwatch

(7) Copy radwatch from ~/icradius-0.18.1/scripts to /usr/local/sbin. Copy radiusd.cron.daily from ~/icradius-0.18.1/scripts to /etc/cron.daily/, and radiusd.cron.monthly from the same directory to /etc/cron.monthly/.

(8) Start radiusd:

# /etc/rc.d/init.d/rc.radiusd start
  
5. Add a user

Open http://radiusserver/cgi-bin/radius.cgi in a browser to reach the management interface, and log in with the RADIUS administrator's user name and password.

(1) Create a group (all_user in this example) that carries the attributes every user should have, and name it.

(2) Open the group's attribute settings and set the most basic attributes under "reply items":

Framed-Protocol PPP

Service-Type Framed-User

(3) Add a user (aaa in this example) and set the user's password.

(4) Go to the user's attribute settings and choose "add to group" * "all_user" * "OK". The following reply items are then shown:

Framed-Protocol PPP

Service-Type Framed-User

(5) To set a time limit for this user, enter the limit as a number. Note that the unit is seconds, so for a one-hour limit the value of the "Total-Time-Limit" attribute is 3600.

(6) To configure callback, select "Cisco-AVPair lcp:callback-dialstring=1234567" (1234567 being the callback telephone number) under "reply items". Both the check items and the reply items offer many options, differing by NAS device type, and their functions are rich.
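The following is an added example, not code from the article or from ICRADIUS, that models what the server does with the tables filled in under "Fill in the tables" when a user created as above dials in: look up the user's check items in radcheck, verify the password, merge the group's reply items from radgroupreply (via usergroup) with the user's own radreply rows, and turn a Total-Time-Limit into a Session-Timeout for the remaining time, with time already used taken from radacct. The table layout is a simplified reconstruction, the rows are constructed sample data, and the time-limit handling is an assumption about how such a limit is enforced rather than a statement of ICRADIUS's exact behaviour. It uses SQLite in memory so it runs without a MySQL server.

```python
# Added example: authorization decision out of radcheck/radreply/usergroup/
# radgroupreply/radacct, modelled on the article's tables (schema is an assumption).
import hmac
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Value TEXT);
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, Value TEXT);
CREATE TABLE radacct       (RadAcctId INTEGER PRIMARY KEY, UserName TEXT, AcctSessionTime INTEGER);
"""

COLUMNS = {  # fixed column lists per table; only values below are parameterized
    "radcheck": "UserName, Attribute, Value",
    "radreply": "UserName, Attribute, Value",
    "radgroupreply": "GroupName, Attribute, Value",
    "usergroup": "UserName, GroupName",
    "radacct": "UserName, AcctSessionTime",
}

# Constructed sample rows mirroring the article's steps: the admin operator,
# the all_user group with its two reply items, user aaa in that group with a
# one-hour limit of which 1500 s is used, and user bbb who has used the whole hour.
SAMPLE_ROWS = [
    ("radcheck", ("admin", "Password", "adminpassword")),
    ("radcheck", ("admin", "Radius-Operator", "Yes")),
    ("radgroupreply", ("all_user", "Framed-Protocol", "PPP")),
    ("radgroupreply", ("all_user", "Service-Type", "Framed-User")),
    ("radcheck", ("aaa", "Password", "s3cret-dialup")),
    ("radcheck", ("aaa", "Total-Time-Limit", "3600")),
    ("usergroup", ("aaa", "all_user")),
    ("radreply", ("aaa", "Framed-IP-Address", "10.60.39.17")),
    ("radacct", ("aaa", 1500)),
    ("radcheck", ("bbb", "Password", "other")),
    ("radcheck", ("bbb", "Total-Time-Limit", "3600")),
    ("usergroup", ("bbb", "all_user")),
    ("radacct", ("bbb", 3600)),
]


def build_demo_db():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, row in SAMPLE_ROWS:
        placeholders = ", ".join("?" * len(row))
        # table/column names come from the constant dict, never from input
        conn.execute(f"INSERT INTO {table} ({COLUMNS[table]}) VALUES ({placeholders})", row)
    return conn


def authorize(conn, username, password):
    """Return ("accept", reply_items) or ("reject", reason) for one Access-Request."""
    checks = dict(conn.execute(
        "SELECT Attribute, Value FROM radcheck WHERE UserName = ?", (username,)))
    # Other check items (e.g. Radius-Operator, used only by the web CGI) are ignored here.
    if "Password" not in checks:
        return "reject", "unknown user"
    if not hmac.compare_digest(checks["Password"].encode(), password.encode()):
        return "reject", "bad password"

    # Reply items: the group's items first, then the user's own rows override them.
    reply = dict(conn.execute(
        "SELECT r.Attribute, r.Value FROM radgroupreply r "
        "JOIN usergroup u ON u.GroupName = r.GroupName WHERE u.UserName = ?", (username,)))
    reply.update(conn.execute(
        "SELECT Attribute, Value FROM radreply WHERE UserName = ?", (username,)))

    if "Total-Time-Limit" in checks:
        (used,) = conn.execute(
            "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?",
            (username,)).fetchone()
        remaining = int(checks["Total-Time-Limit"]) - used
        if remaining <= 0:
            return "reject", "time limit exhausted"
        reply["Session-Timeout"] = str(remaining)  # NAS drops the call when it expires
    return "accept", reply


if __name__ == "__main__":
    db = build_demo_db()
    for user, pw in [("aaa", "s3cret-dialup"), ("aaa", "nope"), ("bbb", "other"), ("zzz", "x")]:
        print(user, authorize(db, user, pw))
```

The design point worth carrying into the real deployment: the accounting table is what makes a time limit enforceable, so a NAS that is configured for authentication but not for accounting (section 3 below enables both) leaves every Total-Time-Limit toothless.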
  
3. Dialing server settings

The steps above essentially complete the RADIUS server. For the dial-up server to authenticate dial-up users through RADIUS, it must be configured on the dial-up server side. In the example discussed here the dial-up server is a Cisco 2610 router; with a 16-port asynchronous serial module installed, 16 users can dial in at the same time. Once basic dial-in on the Cisco 2610 works, add the following statements to use RADIUS for authentication and accounting (the text after # is explanation, not part of the configuration):

...

aaa new-model   # activate AAA (authentication, authorization and accounting) access control

aaa authentication login default line enable   # perform login authentication. If the RADIUS server does not find

aaa authentication ppp default radius local   # P