First, the Implementation Environment:
1. System: CentOS release 6.6 (Final)
2. Required packages:
1) freeradius-2.1.12-6.el6.x86_64
   freeradius-mysql-2.1.12-6.el6.x86_64
2) ppp-2.4.5-5.el6.x86_64
3) rp-pppoe-3.10-11.el6.x86_64
4) mysql-5.1.73-3.el6_5.x86_64
   mysql-devel-5.1.73-3.el6_5.x86_64
5) openssl-1.0.1e-30.el6_6.5.x86_64
Second, the Server Deployment Environment and a Brief Analysis of the Principle:
RADIUS is short for Remote Authentication Dial In User Service. It provides an authentication mechanism that verifies a user's identity and password, an authorization mechanism that decides which resources the confirmed user may use, and an accounting mechanism that records the user's session once the authorized user has logged in. FreeRADIUS is open-source software that implements RADIUS AAA (Authentication, Authorization, Accounting) on top of the RADIUS protocol.
The actual environment and function of the RADIUS server are shown in the topology diagram below.
The RADIUS server and the access server together provide dial-up broadband access to the Internet with per-account billing.
Third, RADIUS Server Setup:
1. Install CentOS and configure the network, then update the system with: # yum update
2. Check whether each package is installed: # rpm -qa 'ppp*' 'rp-pppoe*' 'freeradius*' 'mysql*' 'openssl*'
If any are missing, install them with: # yum install ppp rp-pppoe 'freeradius-*' 'mysql-*' openssl
OpenSSL is normally already present once the system has been updated. After the packages are installed, create the /etc/ppp/radius directory and download the PPP source package into it (its RADIUS plugin configuration files are copied from there later):
# mkdir /etc/ppp/radius
# cd /etc/ppp/radius
# wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gz
The services are configured as follows:
1. Configure the /etc/ppp/options file:
lock
crtscts
nobsdcomp
nodeflate
nopcomp
2. Configure the /etc/ppp/pppoe-server-options file with the content:
# PPP options for the PPPoE server
# LIC: GPL
auth
require-chap
default-mru
default-asyncmap
lcp-echo-interval 60
lcp-echo-failure 5
ms-dns 202.96.128.86
noipdefault
noipx
nodefaultroute
proxyarp
noktune
logfile /var/log/pppd.log
3. Make the PPPoE service authenticate against the FreeRADIUS server
1) First edit /etc/ppp/pppoe-server-options and add the two lines marked with ->:
# PPP options for the PPPoE server
# LIC: GPL
auth
require-chap
default-mru
default-asyncmap
lcp-echo-interval 60
lcp-echo-failure 5
ms-dns 202.96.128.86
noipdefault
noipx
nodefaultroute
proxyarp
noktune
-> plugin /usr/lib/pppd/2.4.5/radius.so
-> radius-config-file /etc/ppp/radius/radiusclient.conf
logfile /var/log/pppd.log
These two lines make pppoe-server load the RADIUS plugin into pppd at run time, so the PPPoE service authenticates and accounts against FreeRADIUS. Check that the plugin path matches where the ppp package actually installed radius.so on your system (for example with rpm -ql ppp | grep radius.so), since pppd fails to start if the plugin cannot be found. After adding the lines, create the /etc/ppp/radius/ directory (if not done above) and populate it from the PPP source tree. Unpack the PPP source and copy the plugin's configuration files:
# tar -xzf ppp-2.4.5.tar.gz
# cd ppp-2.4.5
# cd pppd/plugins/radius/etc/
# cp * /etc/ppp/radius/
2) This directory now holds all the required configuration files, the most important being /etc/ppp/radius/radiusclient.conf. Open it first; with the comments removed its content is:
auth_order radius
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/ppp/radius/issue
authserver localhost:1812
acctserver localhost:1813
servers /etc/ppp/radius/servers
dictionary /etc/ppp/radius/dictionary
login_radius /usr/local/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/ppp/radius/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login
3) Also edit the servers file in this directory to specify the host name of the RADIUS server to use and the shared secret (which must match the one set in the FreeRADIUS configuration).
Edit /etc/ppp/radius/servers and set the location of the RADIUS server:
localhost testing123
Here testing123 is the shared secret.
4) Edit /etc/ppp/radius/dictionary and adjust the path settings, mainly the dictionary.microsoft path on the last line:
INCLUDE /etc/ppp/radius/dictionary.microsoft
5) The PPPoE service can now authenticate via RADIUS. Next, FreeRADIUS itself is configured.
The freeradius-mysql package, which lets FreeRADIUS connect to the MySQL database, is not used yet at this stage.
First open /etc/raddb/clients.conf, which controls client access; its content is:
client localhost {
        secret = testing123
        shortname = localhost
        nastype = other
}
This allows a client at IP 127.0.0.1 to use the RADIUS service, provided it presents the secret testing123, the same value configured in the servers file above. To allow access from other machines, see the comments in the file.
6) Then configure the /etc/raddb/naslist file with the content:
# NAS Name              Short Name      Type
#portmaster1.isp.com    pm1.NY          livingston
#portmaster2.isp.com    pm1.LA          livingston
localhost               local           portslave
This file specifies which NAS devices do accounting via RADIUS; for now only localhost is listed.
7) The master configuration file is radiusd.conf, which mainly specifies the FreeRADIUS server's default authentication and accounting methods. For now the local file method is used, i.e. /etc/raddb/users, to which the user information needed for PPPoE authentication is added as follows (the user name must start in the first column with no leading spaces, and the continuation lines are indented with a tab, written here as [Tab]):
AAA Auth-Type := Local, Simultaneous-Use := 1, User-Password := "AAA"
[Tab] Service-Type = Framed-User,
[Tab] Framed-Protocol = PPP,
[Tab] Framed-IP-Netmask = 255.255.255.255
Here the Simultaneous-Use := 1 item limits how many sessions each user may have open at the same time.
8) So that RADIUS can load the MySQL module correctly, also register the library directory:
# echo /usr/lib >> /etc/ld.so.conf
# ldconfig
9) Once configuration is complete, start the server in debugging mode with radiusd -X, then start pppoe-server and dial in from a client to check whether the PPPoE service authenticates the user through FreeRADIUS. If that succeeds, this part is done, and the RADIUS service can afterwards be started normally with service radiusd restart.
# radiusd -X
# radtest AAA AAA localhost 0 testing123
Seeing Access-Accept in the output indicates success. At this point radiusd can be started for real.
5. Configure FreeRADIUS to read user information from the MySQL database
1. # mysql -u root -p123    // log in to MySQL
2. > create database radius;    // create the database
3. > exit    // leave MySQL
4. # cd /etc/raddb/sql/mysql
5. # mysql -u root -p radius < schema.sql    // import the tables into the database; check that 7 tables were created
6. Edit /etc/raddb/sites-enabled/default: remove the # in front of sql in authorize{} and accounting{}, and comment out files in authorize{} with #, as shown below:
authorize {
        chap
        mschap
        suffix
        eap
#       files
        sql
        pap
}
accounting {
        detail
        unix
        radutmp
        sql
}
7. Edit the MySQL connection settings in /etc/raddb/sql.conf:
server = "localhost"
login = "root"
password = "123"
radius_db = "radius"    // database name
8. Edit /etc/raddb/radiusd.conf:
Remove the # in front of $INCLUDE sql.conf.
9. Add a test account to the database:
# mysql -u root -p123
> use radius;
Set up the group information:
> INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Auth-Type',':=','Local');
> INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Service-Type',':=','Framed-User');
> INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Framed-IP-Address',':=','255.255.255.255');
> INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Framed-IP-Netmask',':=','255.255.255.0');
Create the user:
> INSERT INTO radcheck (username,attribute,op,value) VALUES ('test','User-Password',':=','110');
Put the user in the group:
> INSERT INTO radusergroup (username,groupname) VALUES ('test','user');
> exit;    // leave MySQL
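The three tables filled above are tied together at authorization time: radcheck supplies the per-user check items, radusergroup maps the user to a group, and radgroupreply supplies the group's reply attributes. The following is an added example written for this page, not the tutorial's or FreeRADIUS's own code: it rebuilds a subset of that schema in an in-memory SQLite database, inserts the same rows with parameterized queries, and walks through an authorization decision the way the sql module assembles it (the real queries live in /etc/raddb/sql/mysql/dialup.conf and use the MySQL tables created by schema.sql). The table definitions are simplified for SQLite and the access_request function is a constructed stand-in for the server's decision, not a network client.

```python
import hmac
import sqlite3

# Subset of the FreeRADIUS tables the tutorial populates; column names match,
# types are simplified for SQLite (constructed, not the project's schema.sql).
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                       attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE radusergroup (username TEXT NOT NULL, groupname TEXT NOT NULL,
                           priority INTEGER NOT NULL DEFAULT 1);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
                            attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
"""

# The rows the tutorial inserts (constructed sample data).
GROUP_REPLY_ROWS = [
    ("user", "Auth-Type", ":=", "Local"),
    ("user", "Service-Type", ":=", "Framed-User"),
    ("user", "Framed-IP-Address", ":=", "255.255.255.255"),
    ("user", "Framed-IP-Netmask", ":=", "255.255.255.0"),
]
CHECK_ROWS = [("test", "User-Password", ":=", "110")]
USERGROUP_ROWS = [("test", "user", 1)]


def build_db():
    """Create the in-memory database and load the sample rows with bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
        GROUP_REPLY_ROWS)
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        CHECK_ROWS)
    conn.executemany(
        "INSERT INTO radusergroup (username, groupname, priority) VALUES (?, ?, ?)",
        USERGROUP_ROWS)
    conn.commit()
    return conn


def authorize(conn, username):
    """Return (check_items, reply_items): per-user check items from radcheck, then
    reply items from every group the user belongs to (radusergroup -> radgroupreply)."""
    check = conn.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id",
        (username,)).fetchall()
    reply = conn.execute(
        """SELECT r.attribute, r.op, r.value
           FROM radusergroup AS g
           JOIN radgroupreply AS r ON r.groupname = g.groupname
           WHERE g.username = ?
           ORDER BY g.priority, r.id""",
        (username,)).fetchall()
    return check, reply


def password_ok(check_items, supplied):
    """Evaluate the User-Password check item with a constant-time comparison.
    A user with no password check item is rejected rather than accepted by default."""
    for attr, op, value in check_items:
        if attr in ("User-Password", "Cleartext-Password") and op in (":=", "=="):
            return hmac.compare_digest(value.encode(), supplied.encode())
    return False


def access_request(conn, username, password):
    """Constructed stand-in for the server's decision: (code, reply attributes)."""
    check, reply = authorize(conn, username)
    if not check and not reply:  # unknown user: present in neither radcheck nor radusergroup
        return "Access-Reject", []
    if not password_ok(check, password):
        return "Access-Reject", []
    # Auth-Type is an internal control attribute; a real server never sends it on the wire.
    return "Access-Accept", [(attr, value) for attr, _, value in reply if attr != "Auth-Type"]


if __name__ == "__main__":
    db = build_db()
    for user, pw in (("test", "110"), ("test", "wrong"), ("nobody", "110")):
        print(user, pw, access_request(db, user, pw))
```

Running it shows the test/110 pair accepted with the group's Service-Type and Framed-IP attributes, while a wrong password or an unknown user is rejected; the same join is what the sql module performs against MySQL once the rows above are in place.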
Fourth, Testing RADIUS:
1. # radiusd -X    // start the RADIUS service in debugging mode
2. In another terminal, run:
# radtest test 110 localhost 0 testing123
If Access-Accept is displayed, the installation was successful.
Original article: Build a RADIUS server under CentOS