Remote Authentication Dial-In User Service (RADIUS) is a protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS) and a RADIUS server that holds the authentication data centrally. The client side is normally implemented in the NAS (typically a dial-up or other network access device): it forwards the user's credentials to the server, and the RADIUS server authenticates the user and returns the configuration information for the session. The traffic between the two ends consists of access (authentication) requests and accounting requests.
FreeRADIUS Software Acquisition
[root@alicia ~]# cd /usr/local/src/
[root@alicia src]# wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.6.tar.gz
--14:09:11--  ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.6.tar.gz
           => `freeradius-server-3.0.6.tar.gz'
Resolving ftp.freeradius.org... 195.154.231.44
Connecting to ftp.freeradius.org|195.154.231.44|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/freeradius ... done.
==> SIZE freeradius-server-3.0.6.tar.gz ... 4555887
==> PASV ... done.    ==> RETR freeradius-server-3.0.6.tar.gz ... done.
Length: 4555887 (4.3M)

100%[=======================================>] 4,555,887   9.25K/s   in 7m 55s

14:17:13 (9.36 KB/s) - `freeradius-server-3.0.6.tar.gz' saved [4555887]

[root@alicia src]# ./configure --prefix=/usr/local/radius/
[root@alicia src]# make
[root@alicia src]# make install
Test to verify that FreeRADIUS was installed successfully
[root@alicia radius]# sbin/radiusd -X
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/radius/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
Linking FreeRADIUS to MySQL
[root@alicia ~]# yum install mysql-server
[root@alicia ~]# yum install mysql-devel
[root@alicia ~]# service mysqld restart
Stopping mysqld:                                           [  OK  ]
Initializing MySQL database:  Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h alicia password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
                                                           [  OK  ]
Starting mysqld:                                           [  OK  ]
Set up the MySQL root account (root/password)
[root@alicia ~]# mysqladmin -u root password 'password'
[root@alicia ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.95 Source distribution

Copyright (c) ..., Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
Create the radius database and add the RADIUS tables and records to MySQL
mysql> CREATE DATABASE radius;
Query OK, 1 row affected (0.03 sec)

[root@alicia radius]# cd /usr/local/radius/etc/raddb/sql/mysql/
[root@alicia mysql]# mysql -u root -p radius < schema.sql
Enter password:
[root@alicia mysql]# mysql -u root -p radius < ./nas.sql
Enter password:
[root@alicia mysql]# mysql -u root -p
Enter password:
mysql> use radius;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> showtables;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'showtables' at line 1
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
8 rows in set (0.00 sec)

mysql> INSERT INTO radcheck (username,attribute,op,value) VALUES ('alicia','User-Password',':=','password');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radcheck (username,attribute,op,value) VALUES ('samsun','User-Password',':=','password');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radcheck (username,attribute,op,value) VALUES ('laffan','User-Password',':=','password');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radcheck (username,attribute,op,value) VALUES ('julia','User-Password',':=','password');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radusergroup (username,groupname) VALUES ('samsun','QA');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radusergroup (username,groupname) VALUES ('alicia','QA');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radusergroup (username,groupname) VALUES ('laffan','RD');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radusergroup (username,groupname) VALUES ('julia','RD');
Query OK, 1 row affected (0.00 sec)
Configure FreeRADIUS
In sites-enabled/default: comment out files at line 170, uncomment sql at line 177, and uncomment sql at line 406.

[root@alicia mysql]# vi /usr/local/radius/etc/raddb/sites-enabled/default
authorize {
        chap
        mschap
        suffix
        eap
170     #files
177     sql
        pap
}
accounting {
        detail
        unix
        radutmp
406     sql
}
In radiusd.conf, uncomment line 743 so that sql.conf is included:

[root@alicia mysql]# vi /usr/local/radius/etc/raddb/radiusd.conf
731     $INCLUDE ${confdir}/modules/
732
733     # Extensible Authentication Protocol
734     #
735     # For all EAP related authentications.
736     # Now in another file, because it is very large.
737     #
738     $INCLUDE eap.conf
739
740     # Include another file that has the SQL-related configuration.
741     # This is another file only because it tends to be big.
742     #
743     $INCLUDE sql.conf
Start the server-side RADIUS daemon
[root@alicia radius]# sbin/radiusd -X
Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
Make sure it (and all its dependent libraries!) are in the search path of your system's ld
/usr/local/radius/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
/usr/local/radius/etc/raddb/sites-enabled/default[177]: Failed to find "sql" in the "modules" section.
/usr/local/radius/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
Failed to load sql

The sql module cannot load its MySQL driver because FreeRADIUS was built before mysql-devel was installed, so rlm_sql_mysql.so was never produced. Rebuild the driver against the MySQL headers and libraries, then start the server again:

[root@alicia sbin]# cd /usr/local/src/freeradius-server-2.2.6/src/modules/rlm_sql/drivers/rlm_sql_mysql/
[root@alicia rlm_sql_mysql]# ./configure --with-dir=/usr/share/mysql/ --with-mysql-lib=/usr/lib/mysql/
[root@alicia rlm_sql_mysql]# make
[root@alicia src]# cd /usr/local/radius/
[root@alicia radius]# cd sbin/
[root@alicia sbin]# ./radiusd -X
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/radius/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
Client-Side Testing
# echo "User-Name = samsun, User-Password = password" | /usr/local/bin/radclient 10.8.118.100:1812 auth password
Received response ID 58, code 2, length = 20
Server log:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/radius/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.8.116.8 port 51222, id=58, length=46
        User-Name = "samsun"
        User-Password = "password"
# Executing section authorize from file /usr/local/radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "samsun", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[sql]   expand: %{User-Name} -> samsun
[sql] sql_set_user escaped user --> 'samsun'
rlm_sql (sql): Reserving sql socket id: 31
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'samsun' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'samsun' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'samsun' ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'QA' ORDER BY id
[sql] User found in group QA
[sql]   expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'QA' ORDER BY id
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.        !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /usr/local/radius/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 58 to 10.8.116.8 port 51222
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 58 with timestamp +789
Ready to process requests.
Client-Side Test with alicia
# radtest alicia password 10.8.118.100:1812 0 password
Sending Access-Request of id 153 to 10.8.118.100 port 1812
        User-Name = "alicia"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 10.8.118.100 port 1812, id=153, length=20
Server log:
rad_recv: Access-Request packet from host 10.8.116.8 port 40531, id=153, length=76
        User-Name = "alicia"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x65dc0b64af155a18136889edeaea43a5
# Executing section authorize from file /usr/local/radius/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "alicia", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[sql]   expand: %{User-Name} -> alicia
[sql] sql_set_user escaped user --> 'alicia'
rlm_sql (sql): Reserving sql socket id: 29
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alicia' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alicia' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alicia' ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'QA' ORDER BY id
[sql] User found in group QA
[sql]   expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'QA' ORDER BY id
rlm_sql (sql): Released sql socket id: 29
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.        !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/radius/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
# Executing section post-auth from file /usr/local/radius/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 153 to 10.8.116.8 port 40531
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 153 with timestamp +998
Ready to process requests.
At this point the RADIUS server is built successfully and can perform basic user authentication against the MySQL tables. Note the warning in both debug logs: the server had to rewrite User-Password to Cleartext-Password on the fly, so the radcheck rows should store the known-good password under the Cleartext-Password attribute rather than User-Password.
Linux FreeRADIUS Server