Introduction to the concept of RADIUS and its construction on Linux

Source: Internet
Author: User
Tags md5 encryption stop script

RADIUS (Remote Authentication Dial-In User Service) is used to authorize and authenticate remote dial-in users. It authenticates users (verifies the user name and password) against a single "database", and it mainly targets remote login types such as SLIP, PPP, telnet and rlogin.
Its main features are:

1. Client/Server (C/S) Mode

A Network Access Server (NAS) acts as the RADIUS client. It passes the user's information to the RADIUS server and then takes the corresponding action depending on the response the RADIUS server returns. A RADIUS server can in turn act as a proxy client of another RADIUS server or of another kind of authentication server.

2. Network Security

Transactions between the NAS and the RADIUS server are protected by a key (shared secret) known to both sides, so the information exchanged between them is not leaked.

3. Flexible authentication mechanism

The RADIUS server supports multiple authentication mechanisms. It can verify user credentials for PPP (PAP and CHAP), UNIX login and other systems.

4. Extensible protocol

All protocol attributes are composed of three elements: attribute type, length and attribute value. The protocol is therefore very easy to extend. Many later Linux distributions ship a RADIUS installation package in their source tree, so the principles and applications of RADIUS authorization and authentication can easily be studied on a free Linux system.

To understand how the RADIUS protocol implements authorization and authentication, we need to look at it from four aspects: the basic principles of the protocol, the packet structure, the packet types and the protocol attributes. These are introduced in detail below.

Basic Principles

A NAS may provide many types of service to users. For example, with telnet the user supplies a user name and password, while with PPP the user sends packets that carry authentication information.

Once the NAS has obtained this information, it creates an "Access-Request" packet and sends it to the RADIUS server. The packet contains the user name and password (protected with an MD5-based scheme), the ID of the NAS and the port number the user is accessing.

If the RADIUS server does not respond within the specified time, the NAS resends the packet. If there are several RADIUS servers, the NAS retries the primary server a number of times and, if that fails, falls back to the other servers.

The RADIUS server silently discards, without responding, any request from a NAS with which it does not share a secret. If the packet is valid, the server consults its authentication database to check whether the user exists. If so, it extracts the user's information, including the password, the access port and the access permissions.

If the RADIUS server cannot satisfy the request itself, it forwards it to another RADIUS server, acting as a client of that server.

If the user information is rejected, the RADIUS server sends an "Access-Reject" packet to the client, indicating that the user is not valid. If necessary, the server adds a text message carrying the error information to the packet so that the client can relay it to the user.

Alternatively, the RADIUS server may send an "Access-Challenge" packet to the client. It contains the information the client is to present to the user, together with a State attribute. The client then prompts the user to respond with the further information. Once it has obtained the response, the client submits a new "Access-Request" (with a new request ID) to the RADIUS server. It differs from the original "Access-Request" in two ways: the original "user name/password" information is replaced with the user's current response (encrypted), and the packet also carries the State attribute received in the "Access-Challenge" (expressed as 0 or 1). The RADIUS server may react to the new "Access-Request" in one of three ways: "Access-Accept", "Access-Reject" or "Access-Challenge".

If all requirements are met, the RADIUS server returns an "Access-Accept" response that includes the service type (SLIP, PPP, login user, etc.) and its accompanying information. For SLIP and PPP, for example, the response includes the IP address, subnet mask, MTU and packet-filtering information.

Data Packet Structure

The RADIUS packet is encapsulated in the data field of a UDP datagram whose destination port is 1812. The packet structure is shown in Table 1.

Table 1: RADIUS packet structure

     Code (8 bits) | Identifier (8 bits) | Length (16 bits)
     Authenticator (128 bits)
     Attributes ... (variable length)

· The Code field is 8 bits long; its values are listed in Table 2. Codes 1, 2 and 3 are used for user authentication, 4 and 5 for accounting (traffic statistics), 12 and 13 for the experimental phase, and 255 is reserved.

Table 2: Code values

     Code   Description
     1      Access-Request
     2      Access-Accept
     3      Access-Reject
     4      Accounting-Request
     5      Accounting-Response
     11     Access-Challenge
     12     Status-Server (experimental)
     13     Status-Client (experimental)
     255    Reserved

· The Identifier field is 8 bits long. It is used to match requests with their responses, i.e. it serves as the packet number.

· The Length field is 16 bits and ranges from 20 to 4096 (20 <= Length <= 4096). It gives the total length of the five fields Code, Identifier, Length, Authenticator and Attributes (Code, Identifier, Length and Authenticator have fixed lengths; Attributes is variable length). Bytes beyond the stated length are treated as padding and ignored.

· The Authenticator is 16 bytes (128 bits). It is used mainly to authenticate responses from the RADIUS server, and it is also used in protecting the user password.

(1) Request Authenticator

In an "Access-Request" packet the Authenticator is a 16-byte random number called the "Request Authenticator". It should be unique over the lifetime of the shared secret used between the NAS and the RADIUS server.

(2) Response Authenticator

The Authenticator field in "Access-Accept", "Access-Reject" and "Access-Challenge" packets is called the "Response Authenticator".

It is calculated as follows (the fields are concatenated, and Code, ID and Length are the values of the response packet):

     ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)    (Formula 1)

· The format of the Attributes field is shown in Table 3.

Table 3: Attribute format

     Type (8 bits) | Length (8 bits) | Value ... (variable length, 0 or more bytes)

Type indicates the attribute type. There are dozens of standard types; some of them are listed in Table 4.

Table 4: Common attribute types

     Type   Description         Type   Description
     1      User-Name           5      NAS-Port-ID
     2      Password            6      Service-Type
     3      CHAP-Password       7      Framed-Protocol
     4      NAS-IP-Address      ...    ...
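The following is an added example, not code from the original article: a small RADIUS packet encoder/decoder in Python that implements the header layout of Table 1, the Type-Length-Value attribute format of Table 3, the Length rules (20 <= Length <= 4096, trailing bytes treated as padding) and the Response Authenticator of Formula 1. The demo walks through the exchange described under Basic Principles: a NAS sends an Access-Request and the server answers with an Access-Challenge carrying a State attribute, which the NAS then verifies against Formula 1. The attribute numbers (1 User-Name, 4 NAS-IP-Address, 5 NAS-Port, 18 Reply-Message, 24 State) are the standard RFC 2865 values; the shared secret, user name and addresses are constructed sample values.

```python
# Added example (not from the original article): minimal RADIUS packet
# encoding/decoding plus the Response Authenticator check of Formula 1.
import hashlib
import hmac
import os
import struct

HEADER_LEN = 20            # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MIN_LEN, MAX_LEN = 20, 4096

# Table 2 of the article
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}

def encode_attrs(attrs):
    """Pack (type, value) pairs as Type(1) Length(1) Value(n); Length counts all three."""
    out = b""
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must be 0..253 bytes")
        out += struct.pack("!BB", atype, 2 + len(value)) + value
    return out

def decode_attrs(data):
    """Walk the TLV list; a bad Length is rejected rather than read past the end."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_packet(code, identifier, authenticator, attrs):
    """Assemble Code | Identifier | Length | Authenticator | Attributes (Table 1)."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = encode_attrs(attrs)
    length = HEADER_LEN + len(body)
    if length > MAX_LEN:
        raise ValueError("packet exceeds 4096 bytes")
    return struct.pack("!BBH", code, identifier, length) + authenticator + body

def response_authenticator(code, identifier, request_auth, attrs, secret):
    """Formula 1: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    length = HEADER_LEN + len(body)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + body + secret).digest()

def parse_packet(datagram):
    """Apply the Length rules: 20 <= Length <= 4096, bytes beyond Length are padding."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if length < MIN_LEN or length > MAX_LEN or length > len(datagram):
        raise ValueError("invalid Length field %d" % length)
    authenticator = datagram[4:HEADER_LEN]
    attrs = decode_attrs(datagram[HEADER_LEN:length])   # padding after Length is ignored
    return {"code": code, "name": CODES.get(code, "Reserved/unknown"),
            "identifier": identifier, "authenticator": authenticator, "attrs": attrs}

def verify_response(reply, request_auth, secret):
    """NAS side: recompute Formula 1 for the reply and compare in constant time."""
    expected = response_authenticator(reply["code"], reply["identifier"],
                                      request_auth, reply["attrs"], secret)
    return hmac.compare_digest(expected, reply["authenticator"])

def demo(secret=b"constructed-demo-secret"):
    """NAS sends Access-Request; server answers Access-Challenge with a State attribute."""
    request_auth = os.urandom(16)                    # Request Authenticator: 16 random bytes
    request = build_packet(1, 7, request_auth, [
        (1, b"alice"),                               # User-Name (constructed)
        (4, bytes([192, 0, 2, 10])),                 # NAS-IP-Address (documentation range)
        (5, struct.pack("!I", 3)),                   # NAS-Port
    ])
    req = parse_packet(request)
    # Server side: same Identifier as the request, Authenticator from Formula 1
    reply_attrs = [(18, b"Enter token code"), (24, b"sess-42")]   # Reply-Message, State
    auth = response_authenticator(11, req["identifier"], req["authenticator"],
                                  reply_attrs, secret)
    challenge = build_packet(11, req["identifier"], auth, reply_attrs)
    reply = parse_packet(challenge + b"\x00\x00")    # two trailing padding bytes
    ok = verify_response(reply, request_auth, secret)
    tampered = bytearray(challenge)
    tampered[-1] ^= 0x01                             # flip one bit of the State value
    bad = verify_response(parse_packet(bytes(tampered)), request_auth, secret)
    return req["name"], reply["name"], ok, bad

if __name__ == "__main__":
    print(demo())
```

The tampered reply shows why the Response Authenticator matters to the NAS: any change to the code, identifier or attributes of a reply, or a reply forged without the shared secret, fails the Formula 1 check and is dropped.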


Data Packet type

The type of a RADIUS packet is specified by its Code field (the first 8 bits).

· Access-Request

The "Access-Request" packet is sent by the NAS and received by the RADIUS server.

The "User-Password" or "CHAP-Password" attribute value is protected with MD5 by default.

The packet structure is shown in Table 5.

Table 5: Access-Request packet

     Code (8 bits)             = 1
     Identifier (8 bits)       changes when the attribute values change; unchanged on retransmission
     Length (16 bits)
     Authenticator (128 bits)  changes whenever the Identifier changes
     Attributes ...            (variable length)

The Attributes field should include the following attributes:

     ◆ User-Name
     ◆ User-Password or CHAP-Password
     ◆ NAS-IP-Address
     ◆ NAS-Identifier
     ◆ NAS-Port
     ◆ NAS-Port-Type
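As an added example (not code from the article), the following Python shows how the two password attributes of an Access-Request are protected. User-Password is hidden with the RFC 2865 section 5.2 scheme: the password is padded to a multiple of 16 bytes and XORed block by block with MD5(secret + previous block), seeded with the Request Authenticator, so the server can recover it with the same secret. CHAP-Password (RFC 2865 section 5.3) carries the CHAP identifier followed by MD5(ident + password + challenge), which the server checks against the cleartext password it has on file. The secret, password, identifier and challenge values are constructed for the demo.

```python
# Added example (not from the original article): User-Password hiding and
# CHAP-Password verification as specified in RFC 2865 sections 5.2 and 5.3.
import hashlib
import hmac
import os

def hide_password(password, secret, request_auth):
    """NAS side: pad to 16-byte blocks, XOR block i with MD5(secret + c_(i-1)), c_0 = RequestAuth."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block            # the next key stream block is chained on this ciphertext block
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side: regenerate the same key stream and XOR again; strip the zero padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # note: a password ending in NUL bytes cannot be distinguished from padding

def chap_password_attr(ident, password, challenge):
    """NAS side: CHAP-Password value = CHAP Ident (1 byte) + MD5(Ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(chap_value, challenge, stored_password):
    """Server side: the server must hold the cleartext password to recompute the digest."""
    if len(chap_value) != 17:
        return False
    ident, digest = chap_value[0], chap_value[1:]
    expected = hashlib.md5(bytes([ident]) + stored_password + challenge).digest()
    return hmac.compare_digest(expected, digest)

def demo():
    secret = b"constructed-demo-secret"          # shared secret (constructed)
    request_auth = os.urandom(16)                # Request Authenticator of the Access-Request
    password = b"correct horse battery staple"   # 28 bytes -> padded to 32
    hidden = hide_password(password, secret, request_auth)
    recovered = reveal_password(hidden, secret, request_auth)
    with_wrong_secret = reveal_password(hidden, b"other-secret", request_auth) == password
    challenge = os.urandom(16)                   # CHAP challenge issued by the NAS
    chap = chap_password_attr(0x5A, b"s3cret", challenge)
    return (len(hidden), recovered, with_wrong_secret,
            verify_chap(chap, challenge, b"s3cret"), verify_chap(chap, challenge, b"wrong"))

if __name__ == "__main__":
    print(demo())
```

Two points follow directly from the code: the User-Password scheme is reversible by anyone who holds the shared secret and sees the Request Authenticator, so the protection of the password rests entirely on the strength and secrecy of that secret; and CHAP verification requires the server to store the cleartext password, which is a trade-off to weigh when choosing between PAP and CHAP.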

· Access-Accept

"Access-Accept" is sent by the RADIUS server back to the NAS. It indicates that the user information is valid and carries the configuration information needed for the next step of providing service to the user. The packet structure is shown in Table 6.

Table 6: Access-Accept packet

     Code (8 bits)             = 2
     Identifier (8 bits)       same as in the Access-Request
     Length (16 bits)
     Authenticator (128 bits)  Response Authenticator, calculated by Formula 1
     Attributes ...            (variable length)

· Access-Reject

"Access-Reject" is sent by the RADIUS server back to the NAS. It indicates that the user information is invalid. It should include one or more "Reply-Message" attributes (reply messages carrying error text that the NAS can conveniently return to the user). The packet structure is shown in Table 7.

Table 7: Access-Reject packet

     Code (8 bits)             = 3
     Identifier (8 bits)       same as in the Access-Request
     Length (16 bits)
     Authenticator (128 bits)  Response Authenticator, calculated by Formula 1
     Attributes ...            (variable length)

Attributes

The attribute format is shown in Table 8. The Length is computed over Type + Length + Value.

Table 8: Attribute format

     Type (8 bits) | Length (8 bits) | Value ... (variable length, 0 or more bytes)

There are four value types:

◆ String: 0 to 253 bytes, a character string

◆ IPaddress: 32 bits, an IP address

◆ Integer: 32 bits, an integer

◆ Time: 32 bits, the number of seconds since 00:00:00 GMT, January 1, 1970

Because its attributes are variable length, the RADIUS protocol is an open-ended, extensible protocol.


Install the RADIUS server

To install a full IC-RADIUS setup we first need several packages, listed in Table 9. Note: the source packages in Table 9 are free of charge, and together they let us build a complete RADIUS application environment.

Table 9: Required source packages

     Package                              Description
     mysql-3.23.39.tar.gz                 MySQL database system
     DBI-1.18.tar.gz                      Perl common database interface (DBI)
     Msql-Mysql-modules-1.2216.tar.gz     Perl DBI driver for MySQL, i.e. DBD for MySQL
     RadiusPerl-1.05.tar.gz               Perl Authen module for RADIUS
     icradius-0.18.1.tar.gz               IC-RADIUS source package

Assume that all the source packages have been copied to the /usr/tmp directory.

Install MySQL

1. Unpack the source package:

     Linux]# cd /usr/tmp
     Linux]# tar zxvf mysql-3.23.39.tar.gz
     Linux]# cd mysql-3.23.39

2. Configure and install the software:

     // install MySQL under /usr/local/mysql
     Linux]# ./configure --prefix=/usr/local/mysql
     Linux]# make           // compile; this takes a long time, so be patient
     Linux]# make install   // install to /usr/local/mysql

3. Create the initial database:

     Linux]# cd /usr/local/mysql/bin
     Linux]# ./mysql_install_db

4. Update the shared library links:

     Linux]# ldconfig        // refresh the system shared library cache

5. Copy the start/stop script:

     Linux]# cp /usr/tmp/mysql-3.23.39/support-files/mysql.server /etc/rc.d/init.d/mysql.server

6. Copy and edit the initial configuration file:

     Linux]# cp /usr/tmp/mysql-3.23.39/support-files/my-medium.cnf /etc/my.cnf

Open /etc/my.cnf with vi, add user=root under [client], and leave the password blank.

7. Change the root password:

     Linux]# mysqladmin -u root -p password 'newpassword'

8. If several MySQL versions coexist

Add the following to the [mysqld] section of /etc/my.cnf:

     log-bin
     server-id = 1   // must be unique so that it differs from the ID of any other MySQL server

Install DBI

     Linux]# cd /usr/tmp
     Linux]# tar zxvf DBI-1.18.tar.gz
     Linux]# cd DBI-1.18
     Linux]# perl Makefile.PL
     Linux]# make test
     // if the test fails, run: make test TEST_VERBOSE=1
     Linux]# make install

Install DBD for MySQL

     Linux]#cd /usr/tmp
Linux]#tar zxvf Msql-Mysql-modules-1.2216.tar.gz
Linux]#cd Msql-Mysql-modules-1.2216
Linux]#perl Makefile.PL

At this point the installer prompts the user as follows:

     MySQL only
     mSQL only (either of mSQL 1 or mSQL 2)
     MySQL and mSQL (either of mSQL 1 or mSQL 2)
     mSQL 1 and mSQL 2
     MySQL, mSQL 1 and mSQL 2
     Enter the appropriate number: [3] 1

For our purposes, answer 1 (meaning that the module is to serve MySQL and mSQL at the same time).

     Do you want to install the mysqlperl emulation? You might keep your old
     Mysql module (to be distinguished from DBD::mysql!) if you are concerned
     about compatibility to existing applications! [n]

Answer n here.

     Where is your MySQL installed? Please tell me the directory that
     contains the subdir 'include'. [/usr/local/mysql]

This is the default MySQL installation directory. Since we installed MySQL there above, press Enter.

     Which database should I use for testing the MySQL drivers? [test]

Press Enter.

     On which host is database test running (hostname, IP address
     or host:port) [localhost]

If the MySQL server and the IC-RADIUS server are installed on the same machine, press Enter.

     User name for connecting to database test? [undef] root

     Password for connecting to database test? [undef] passwd

Enter the MySQL root user name and password.

     Linux]# make
     Linux]# make test
     Linux]# make install

Install the RadiusPerl Authen module


Install IC-RADIUS

1. Install the software:

     Linux]# cd /usr/tmp
     Linux]# tar zxvf icradius-0.18.1.tar.gz
     Linux]# cd icradius-0.18.1
     Linux]# cp Makefile.lnx Makefile
     Linux]# make
     Linux]# make install

2. Create the radius database:

     Linux]# cd scripts
     Linux]# mysql -u root -p mysql
     mysql> CREATE DATABASE radius;        // create the radius database
     // add a RADIUS user
     mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY 'radius';
     Linux]# mysqladmin -u root -p refresh  // reload the database privileges

3. Import the data tables:

     Linux]# mysql -u root -pyourpassword radius < radius.db

Edit dictimport.pl and set:

     my $dbusername = 'radius';
     my $dbpassword = 'radius';

Then import the dictionary so that the radius.dictionary table contains the basic attributes and values:

     Linux]# ./dictimport.pl ../raddb/dictionary

The structure of the radius database is shown in Table 10.

Table 10: Tables of the radius database

     Dictionary        Radgroupcheck
     Hints             Radgroupreply
     NAS               Radreply
     Radacct           Realmgroup
     Radact_summary    Realms
     Radcheck          Usergroup

4. Start radiusd:

     Linux]# cd /etc/rc.d/init.d
     Linux]# ./radiusd start

With this, a complete RADIUS server has been installed on Linux, and you can observe the RADIUS server in operation. If you are interested in further development of the RADIUS protocol, this setup is a good basis for deeper study.
