RADIUS is used to authorize and authenticate remote dial-in users. It can only use a single database to authenticate users (verify the user name and password). It mainly targets remote login types such as SLIP, PPP, Telnet and rlogin.
Its main features include:
1. Client/Server (C/S) mode
A Network Access Server (NAS) acts as the RADIUS client. It is responsible for passing user information to the RADIUS server and then acting according to the RADIUS server's response. In addition, a RADIUS server can act as a proxy client of another RADIUS server or of another type of authentication server.
2. Network security
Transactions between the NAS and the RADIUS server are protected with a secret shared by the two, so the information exchanged between them is not leaked.
3. Flexible authentication mechanism
The RADIUS server supports multiple authentication mechanisms. It can verify user credentials for PPP (PAP and CHAP), UNIX login and other login types.
4. Extensible protocol
Every protocol attribute is composed of three elements: attribute type, length and value. This makes the protocol very easy to extend. Many later Linux distributions include a RADIUS package in their source tree, so we can easily learn the principles and applications of RADIUS authorization and authentication on a free Linux system.
To understand how the RADIUS protocol implements authorization and authentication, we need to look at it from four aspects: basic principles, packet structure, packet types and protocol attributes. These are introduced in detail below.
Basic Principles
A NAS may provide many kinds of service to users. For example, with Telnet the user supplies a user name and password, whereas with PPP the user sends packets that carry the authentication information.
Once the NAS has this information, it creates an "Access-Request" packet and sends it to the RADIUS server. The packet contains the user name and password (protected with MD5), the identifier of the NAS and the port number the user is accessing.
If the RADIUS server does not respond within a specified period, the NAS resends the packet. If there are multiple RADIUS servers, the NAS tries the primary RADIUS server several times and, when that fails, falls back to the other RADIUS servers.
The RADIUS server silently discards requests that were not built with the shared secret and does not respond to them. If the packet is valid, the RADIUS server looks the user up in the authentication database. If the user exists, the user's record is retrieved, including the password, the permitted access port and the access permissions.
When a RADIUS server cannot satisfy the request itself, it forwards it to another RADIUS server, acting as a client towards that server.
If the user is rejected, the RADIUS server sends an "Access-Reject" packet to the client, indicating that the user is invalid. If necessary, the RADIUS server also adds a text message describing the error, so that the client can relay it to the user.
Conversely, if the user is recognised, the RADIUS server sends an "Access-Challenge" packet to the client. It carries the message that the client should show to the user, together with the State attribute. The client then prompts the user for a response and, once it has it, submits a new "Access-Request" with a new request ID to the RADIUS server. This packet differs from the original "Access-Request" in two ways: the user name/password information is replaced by the user's (encrypted) response to the challenge, and the packet carries the State attribute (expressed as 0 or 1) received in the "Access-Challenge". The RADIUS server may react to the new "Access-Request" in one of three ways: "Access-Accept", "Access-Reject" or another "Access-Challenge".
If all requirements are met, the RADIUS server returns an "Access-Accept" response that includes the service type (SLIP, PPP, login user, etc.) and its associated parameters. For SLIP and PPP, for example, the response includes the IP address, subnet mask, MTU and packet filtering information.
Packet Structure
A RADIUS packet is carried in the data field of a UDP datagram, with destination port 1812. The packet structure is shown in table 1.
Table 1. RADIUS packet format
Code (8 bits) | Identifier (8 bits) | Length (16 bits)
Authenticator (128 bits)
Attributes... (variable length)
· The Code field is 8 bits long; its values are listed in table 2. Codes 1, 2 and 3 are used for user authentication, 4 and 5 for accounting (traffic statistics), 12 and 13 for testing, and 255 is reserved.
Table 2. Code values
Code | Description
1 | Access-Request
2 | Access-Accept
3 | Access-Reject
4 | Accounting-Request
5 | Accounting-Response
11 | Access-Challenge
12 | Status-Server (experimental)
13 | Status-Client (experimental)
255 | Reserved
· The Identifier field is 8 bits long. It is used to match requests with responses, i.e. it numbers the packets.
· The Length field is 16 bits long, with a valid range of 20 <= Length <= 4096. It is the total length of the five fields Code, Identifier, Length, Authenticator and Attributes (the first four are fixed length, Attributes is variable length). Data beyond this length is treated as padding and ignored.
· The Authenticator is 16 bytes (128 bits). It is used to authenticate responses from the RADIUS server and also in hiding the user password.
(1) Request Authenticator
In an "Access-Request" packet the Authenticator is a 16-byte random number called the "Request Authenticator". Together with the shared secret it must be unique over the whole lifetime of the exchange between the NAS and the RADIUS server.
(2) Response Authenticator
The Authenticator field in "Access-Accept", "Access-Reject" and "Access-Challenge" packets is called the "Response Authenticator".
It is calculated as follows:
ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)    (Formula 1)
· The format of the Attributes field is shown in table 3.
Table 3. Attribute format
Type (8 bits) | Length (8 bits) | Value... (variable length, 0 or more bytes)
Type indicates the attribute type. There are dozens of standard types; some are shown in table 4.
Table 4. Common attribute types
Type | Description
1 | User-Name
2 | Password
3 | CHAP-Password
4 | NAS-IP-Address
5 | NAS-Port-Id
6 | Service-Type
7 | Framed-Protocol
... | ...
Packet Types
The type of a RADIUS packet is given by its Code field (the first 8 bits).
· Access-Request
The "Access-Request" packet is sent by the NAS and received by the RADIUS server.
The "User-Password" or "CHAP-Password" attribute value is protected with MD5 by default.
The packet structure is shown in table 5.
Table 5. Access-Request
Code = 1 (8 bits) | Identifier (8 bits): changes whenever the attribute values change, but stays the same on retransmission | Length (16 bits)
Authenticator (128 bits): changes whenever the Identifier changes
Attributes... (variable length)
The Attributes should include the following:
◆ "User-Name"
◆ "User-Password" or "CHAP-Password"
◆ "NAS-IP-Address"
◆ "NAS-Identifier"
◆ "NAS-Port"
◆ "NAS-Port-Type"
· Access-Accept
"Access-Accept" is sent by the RADIUS server to the NAS. It indicates that the user information is valid and carries the configuration information needed for the next step, providing the service to the user. The packet structure is shown in table 6.
Table 6. Access-Accept
Code = 2 (8 bits) | Identifier (8 bits): the same as in the "Access-Request" | Length (16 bits)
Authenticator (128 bits): a Response Authenticator, calculated by Formula 1
Attributes... (variable length)
· Access-Reject
"Access-Reject" is sent by the RADIUS server to the NAS. It indicates that the user information is invalid. It should include one or more "Reply-Message" attributes (reply messages carrying error text that the NAS can relay to the user). The packet structure is shown in table 7.
Table 7. Access-Reject
Code = 3 (8 bits) | Identifier (8 bits): the same as in the "Access-Request" | Length (16 bits)
Authenticator (128 bits): a Response Authenticator, calculated by Formula 1
Attributes... (variable length)
Attributes
The attribute format is shown in table 8. The Length field counts Type + Length + Value.
Table 8. Attribute format
Type (8 bits) | Length (8 bits) | Value... (variable length, 0 or more bytes)
There are four value types:
◆ string: 0 to 253 bytes, character string
◆ ipaddress: 32 bits, IP address
◆ integer: 32 bits, integer
◆ time: 32 bits, number of seconds elapsed since 00:00:00 GMT, 1 January 1970
The RADIUS protocol is therefore an open-ended, extensible protocol.
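To make the packet layout (tables 1 and 3), the Access-Request/Access-Accept/Access-Reject exchange (tables 5 to 7) and Formula 1 concrete, the following Python is an added example written for this page; it is not code from the original article or from IC-RADIUS. It encodes and parses packets as Type/Length/Value attributes, computes the Response Authenticator on the server side and verifies it on the NAS side; the shared secret, identifiers and attribute values in it are constructed.

```python
import hashlib, hmac, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # Code values from table 2
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_ID, REPLY_MESSAGE = 1, 4, 5, 18   # attribute types (table 4; 18 = Reply-Message in RFC 2865)

def encode_attributes(attrs):
    """Type | Length | Value (table 3): Length counts all three fields, Value is 0..253 bytes."""
    out = b""
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must be 0..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attributes(data):
    attrs, pos = [], 0
    while pos < len(data):   # reject a truncated header, a Length < 2, or a Value that overruns the buffer
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[pos], data[pos + 1]
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_packet(code, identifier, authenticator, attrs):
    """Code(8) | Identifier(8) | Length(16) | Authenticator(128) | Attributes (table 1)."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, identifier, authenticator, attributes); bytes beyond Length are padding and ignored."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= 4096 or length > len(data):
        raise ValueError("bad Length field")
    return code, identifier, data[4:20], decode_attributes(data[20:length])

def response_authenticator(code, identifier, request_auth, attrs, secret):
    """Formula 1: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_response(code, request, attrs, secret):
    """Server side: reuse the request's Identifier (tables 6/7) and stamp the Formula 1 authenticator."""
    _, identifier, request_auth, _ = parse_packet(request)
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return build_packet(code, identifier, auth, attrs)

def verify_response(response, request_auth, secret):
    """NAS side: recompute Formula 1 over the received bytes; a wrong secret or an altered field fails."""
    code, identifier, auth, attrs = parse_packet(response)
    return hmac.compare_digest(auth, response_authenticator(code, identifier, request_auth, attrs, secret))
```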
Installing a RADIUS Server
To install a full IC-RADIUS setup we first need several packages, listed in table 9. Note: the source packages in table 9 are free of charge and together give us a complete RADIUS environment.
Table 9. Required source packages
Software source package | Description
mysql-3.23.39.tar.gz | MySQL database system
DBI-1.18.tar.gz | Perl generic database interface (DBI)
Msql-Mysql-modules-1.2216.tar.gz | Perl DBI driver for MySQL, i.e. DBD for MySQL
RadiusPerl-1.05.tar.gz | Perl Authen::Radius module
icradius-0.18.1.tar.gz | IC-RADIUS source package
Assume that all the source packages have been copied to the /usr/tmp directory.
Install MySQL
1. Unpack the source package:
Linux]# cd /usr/tmp
Linux]# tar zxvf mysql-3.23.39.tar.gz
Linux]# cd mysql-3.23.39
2. Configure and install the software:
Linux]# ./configure --prefix=/usr/local/mysql    // install MySQL under /usr/local/mysql
Linux]# make                                     // compilation takes a long time; be patient
Linux]# make install                             // install to /usr/local/mysql
3. Create the initial database:
Linux]# cd /usr/local/mysql/bin
Linux]# ./mysql_install_db
4. Update the shared library links:
Linux]# ldconfig    // refresh the system shared library cache
5. Copy the start/stop script:
Linux]# cp /usr/tmp/mysql-3.23.39/support-files/mysql.server /etc/rc.d/init.d/mysql.server
6. Copy and edit the initial configuration file:
Linux]# cp /usr/tmp/mysql-3.23.39/support-files/my-medium.cnf /etc/my.cnf
Open my.cnf with vi, add user = root under [client] and leave the password blank.
7. Change the root password:
Linux]# mysqladmin -u root -p password 'newpassword'
8. If several MySQL instances coexist
Add the following to the [mysqld] section of /etc/my.cnf:
log-bin
server-id = 1    // must be unique so that it differs from the ID of any other MySQL server
Install DBI
Linux]# cd /usr/tmp
Linux]# tar zxvf DBI-1.18.tar.gz
Linux]# cd DBI-1.18
Linux]# perl Makefile.PL
Linux]# make
Linux]# make test    // if the test fails, run make test TEST_VERBOSE=1 for details
Linux]# make install
Install DBD for MySQL
Linux]# cd /usr/tmp
Linux]# tar zxvf Msql-Mysql-modules-1.2216.tar.gz
Linux]# cd Msql-Mysql-modules-1.2216
Linux]# perl Makefile.PL
At this point the build script starts asking questions:
1) MySQL only
2) mSQL only (either of mSQL 1 or mSQL 2)
3) MySQL and mSQL (either of mSQL 1 or mSQL 2)
4) mSQL 1 and mSQL 2
5) MySQL, mSQL 1 and mSQL 2
Enter the appropriate number: [3] 1
For our purposes we answer 1 (MySQL only).
Do you want to install the mysqlperl emulation? You might keep your old Mysql module (to be distinguished from DBD::mysql!) if you are concerned about compatibility to existing applications! [n] n
Answer n here.
Where is your MySQL installed? Please tell me the directory that contains the subdir 'include'. [/usr/local/mysql]
This is the default MySQL installation directory, which is where we installed it above, so just press Enter.
Which database should I use for testing the MySQL drivers? [test]
Press Enter.
On which host is database test running (hostname, IP address or host:port) [localhost]?
If the MySQL server and the icradius server are installed on the same machine, press Enter.
User name for connecting to database test? [undef] root
Password for connecting to database test? [undef] passwd
Enter the password of the MySQL root user.
Linux]# make
Linux]# make test
Linux]# make install
Install the RadiusPerl (Authen::Radius) module
Install IC-RADIUS
1. Build and install the software:
Linux]# cd /usr/tmp
Linux]# tar zxvf icradius-0.18.1.tar.gz
Linux]# cd icradius-0.18.1
Linux]# cp Makefile.lnx Makefile
Linux]# make
Linux]# make install
2. Create the radius database:
Linux]# cd scripts
Linux]# mysql -u root -p mysql
mysql> create database radius;    // create the radius database
mysql> grant all on radius.* to radius@localhost identified by 'radius';    // add the radius user
Linux]# mysqladmin -u root -p refresh    // refresh the database
3. Import the data tables:
Linux]# mysql -u root -pyourpassword radius < radius.db
Edit dictimport.pl and set my $dbusername = 'radius'; my $dbpassword = 'radius';
Then import the dictionary so that the radius.dictionary table contains the basic attributes and values:
Linux]# ./dictimport.pl ../raddb/dictionary
The structure of the radius database is shown in table 10.
Table 10. Tables in the radius database
dictionary | radgroupcheck
hints | radgroupreply
nas | radreply
radacct | realmgroup
radact_summary | realms
radcheck | usergroup
4. Start radiusd
Linux]# cd /etc/rc.d/init.d
Linux]# ./radiusd start
With that we have installed a complete RADIUS server on Linux and can try it out. Readers who are interested in developing with the RADIUS protocol can do further research on this basis.