Build a RADIUS server under CentOS

Source: Internet
Author: User
Tags: freeradius

I. Environment:

1. System: CentOS release 6.6 (Final)

2. Required packages:

1) freeradius-2.1.12-6.el6.x86_64
   freeradius-mysql-2.1.12-6.el6.x86_64
2) ppp-2.4.5-5.el6.x86_64
3) rp-pppoe-3.10-11.el6.x86_64
4) mysql-5.1.73-3.el6_5.x86_64
   mysql-devel-5.1.73-3.el6_5.x86_64
5) openssl-1.0.1e-30.el6_6.5.x86_64

II. Deployment environment and how the server works:

RADIUS stands for Remote Authentication Dial In User Service. It is mainly used to provide authentication (verifying the user's identity and password), authorization (which resources and login domain the confirmed user may use) and accounting (keeping a record of the user's network usage). FreeRADIUS is open-source software that implements RADIUS AAA (Authentication, Authorization, Accounting) on top of the RADIUS protocol.

The actual environment and the functions of the RADIUS server are shown in the topology diagram below.

The RADIUS server and the access server together provide billed broadband dial-up access to the Internet.

III. RADIUS server setup:

1. After installing CentOS and configuring the network, update the system with: # yum update

2. Check whether each package is installed: # rpm -q ppp rp-pppoe freeradius mysql-* openssl

If a package is missing, install it with: # yum install ppp rp-pppoe freeradius-* mysql-* openssl

OpenSSL is normally already present once the system has been updated. After installing the packages, create the /etc/ppp/radius directory (# mkdir /etc/ppp/radius) and download the PPP source package into it:

# wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gz

The services are configured as follows:

1. Configure the /etc/ppp/options file:

lock
crtscts
nobsdcomp
nodeflate
nopcomp

2. Configure the /etc/ppp/pppoe-server-options file with the following content:

# PPP options for the PPPoE server
# LIC: GPL
auth
require-chap
default-mru
default-asyncmap
lcp-echo-interval 60
lcp-echo-failure 5
ms-dns 202.96.128.86
noipdefault
noipx
nodefaultroute
proxyarp
noktune
logfile /var/log/pppd.log

3. Let the PPPoE service authenticate against the FreeRADIUS server

1) First edit /etc/ppp/pppoe-server-options and add the two lines marked with ->:

# PPP options for the PPPoE server
# LIC: GPL
auth
require-chap
default-mru
default-asyncmap
lcp-echo-interval 60
lcp-echo-failure 5
ms-dns 202.96.128.86
noipdefault
noipx
nodefaultroute
proxyarp
noktune
-> plugin /usr/lib/pppd/2.4.5/radius.so
-> radius-config-file /etc/ppp/radius/radiusclient.conf
logfile /var/log/pppd.log

The radius.so plugin lets pppoe-server load RADIUS support into pppd at run time, so the PPPoE service can authenticate and account through FreeRADIUS. After adding these two lines, create the /etc/ppp/radius/ directory and fill it from the PPP source package downloaded earlier. Unpack the PPP source and copy the RADIUS client configuration files:

# tar -xzf ppp-2.4.5.tar.gz
# cd ppp-2.4.5
# cd pppd/plugins/radius/etc/
# cp * /etc/ppp/radius/

2) This directory now holds all the relevant configuration files; the most important is /etc/ppp/radius/radiusclient.conf. Open it first; its content (comments removed) is:

auth_order      radius
login_tries     4
login_timeout   60
nologin         /etc/nologin
issue           /etc/ppp/radius/issue
authserver      localhost:1812
acctserver      localhost:1813
servers         /etc/ppp/radius/servers
dictionary      /etc/ppp/radius/dictionary
login_radius    /usr/local/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/ppp/radius/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local     /bin/login

3) Also edit the servers file in this directory to specify the host name of the RADIUS server and the shared secret (the same value must be set in the FreeRADIUS configuration).

Edit /etc/ppp/radius/servers and set the location of the RADIUS server:

localhost testing123

Here testing123 is the shared secret.

4) Edit /etc/ppp/radius/dictionary and fix the path settings, mainly the final include of dictionary.microsoft:

INCLUDE /etc/ppp/radius/dictionary.microsoft

5) The PPPoE service can now authenticate through RADIUS. Next, configure FreeRADIUS itself.

The freeradius-mysql package lets FreeRADIUS connect to a MySQL database; it is not used yet in this section.

First open /etc/raddb/clients.conf, which controls client access. Its content is:

client localhost {
        secret    = testing123
        shortname = localhost
        nastype   = other
}

This allows a client at 127.0.0.1 to talk to the RADIUS service and requires the shared secret testing123, which is the value configured in the servers file above. To allow access from other machines, see the comments in the file.

6) Then configure the /etc/raddb/naslist file with the following content:

# NAS Name              Short Name      Type
#portmaster1.isp.com    pm1.NY          livingston
#portmaster2.isp.com    pm1.LA          livingston
localhost               local           portslave

This file lists the NAS servers whose sessions are accounted for by RADIUS. Only localhost is specified for now.

7) The master configuration file is radiusd.conf, which mainly specifies the default authentication and accounting methods of the FreeRADIUS server. For now we use the local file method, i.e. the /etc/raddb/users file, to which we add the user information needed for PPPoE authentication. The content is as follows (the user name must start in the first column with no leading space; the reply lines that follow are indented with a tab):

AAA     Auth-Type := Local, Simultaneous-Use := 1, User-Password := "AAA"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.255

The Simultaneous-Use := 1 item limits the number of simultaneous logins per user.
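As an added illustration (not part of the original article), the following Python parser reads entries in the format of the users file above: a user name starting in column 0 followed by comma-separated check items, and indented lines carrying reply items for the most recent entry. The constructed sample also contains a second entry whose first line is indented, to show what the "no leading space" rule protects against.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the entry this page adds to /etc/raddb/users, followed by a
# second entry whose first line was indented by mistake (the rule the text warns about).
USERS_FILE = '''\
AAA\tAuth-Type := Local, Simultaneous-Use := 1, User-Password := "AAA"
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-IP-Netmask = 255.255.255.255

 bbb\tUser-Password := "bbb"
\tService-Type = Framed-User
'''

# One "Attribute op value" item; multi-character operators come first so ":=" is not read as "=".
ITEM_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(!=|==|:=|\+=|<=|>=|=~|!~|=)\s*("[^"]*"|[^,\s]+)\s*,?')

def parse_items(text: str) -> List[Tuple[str, str, str]]:
    """Parse a comma-separated item list into (attribute, operator, value) triples."""
    items, pos = [], 0
    while text[pos:].strip():
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item at {text[pos:].strip()!r}")
        items.append((m.group(1), m.group(2), m.group(3).strip('"')))
        pos = m.end()
    return items

def parse_users(text: str) -> Tuple[List[Dict], List[Tuple[int, str]]]:
    """Return (entries, errors). A line starting in column 0 opens an entry (name, then check
    items); an indented line holds reply items for the most recent entry, so a name with
    leading whitespace is never seen as a user."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing blanks
        if not line.strip():
            continue
        try:
            if line[0] in " \t":
                if not entries:
                    raise ValueError("reply items before any user line")
                entries[-1]["reply"].extend(parse_items(line))
            else:
                name, rest = (line.split(None, 1) + [""])[:2]
                entries.append({"name": name, "check": parse_items(rest), "reply": []})
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors
```

Because the second entry's first line is indented, it is reported as a parse error and its reply line is silently attached to AAA instead; that is the failure mode the rule above prevents.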

8) So that radiusd can load the MySQL client library, add its location to the loader path:

# echo /usr/lib >> /etc/ld.so.conf
# ldconfig

9) Once the configuration is complete, start radiusd in debug mode with radiusd -X, then start pppoe-server and dial in from a client to check whether the PPPoE service authenticates the user through FreeRADIUS. If that works, this part is done. The RADIUS service can afterwards be started normally with service radiusd restart.

# radiusd -X

# radtest AAA AAA localhost 0 testing123

If the output contains Access-Accept, authentication succeeded, and radiusd can now be started as a regular service.
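The radtest exchange above depends on the shared secret being the same on both sides. The following Python example (added here; not code from the article or from FreeRADIUS) builds an Access-Request for user AAA with the RFC 2865 PAP password hiding, then checks an Access-Accept the way a RADIUS client must: it recomputes the Response Authenticator with the secret testing123 and discards any reply that was not produced with it. The packet layout is the standard RFC 2865 one; the Request Authenticator value is constructed.

```python
import hashlib
import hmac
import struct

# Values taken from this page: the shared secret from clients.conf / servers and the test user AAA.
SECRET = b"testing123"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # RFC 2865 attribute types

def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_unhide(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same operation; only a holder of the secret recovers the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value   # Type, Length, Value

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, pap_hide(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_reply(reply: bytes, req_auth: bytes, secret: bytes):
    """Client-side check: the reply code if its authenticator was made with our secret, else None."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None                                   # malformed or truncated: discard
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return reply[0] if hmac.compare_digest(expected, reply[4:20]) else None
```

A reply whose authenticator fails this check (wrong secret, or a Reject rewritten into an Accept in transit) must be dropped, which is why the secret in servers and clients.conf has to match and should not stay at the default used here.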

5. Configure FreeRADIUS to read user information from the MySQL database

1. # mysql -u root -p123          (log in to MySQL; the password is 123)

2. > create database radius;      (create the database)

3. > exit                         (leave the MySQL client)

4. # cd /etc/raddb/sql/mysql

5. # mysql -u root -p123 radius < schema.sql    (import the tables; check that 7 tables were created in the database)

6. Edit /etc/raddb/sites-enabled/default: uncomment sql in the authorize{} and accounting{} sections and comment out files in authorize{}, as shown below:

authorize {
        chap
        mschap
        suffix
        eap
#       files
        sql
        pap
}

accounting {
        detail
        unix
        radutmp
        sql
}

7. Edit the MySQL connection settings in /etc/raddb/sql.conf:

server   = "localhost"
login    = "root"
password = "123"
radius_db = "radius"        # database name

8. Edit /etc/raddb/radiusd.conf:

Remove the # in front of $INCLUDE sql.conf.

9. Add a test account to the database:

# mysql -u root -p123

> use radius;

Set up the group information:

> INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Auth-Type',':=','Local');
> INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Service-Type',':=','Framed-User');
> INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Framed-IP-Address',':=','255.255.255.255');
> INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Framed-IP-Netmask',':=','255.255.255.0');

Create the user information:

> INSERT INTO radcheck (username,attribute,op,value) VALUES ('test','User-Password',':=','110');

Add the user to the group:

> INSERT INTO radusergroup (username,groupname) VALUES ('test','user');

> exit;      (leave the MySQL client)

IV. Testing RADIUS:

1. # radiusd -X          (start the RADIUS server in debug mode)

2. Open another terminal and run:

# radtest test 110 localhost 0 testing123

If Access-Accept is displayed, the installation is successful.
