Installing FreeRADIUS 1.1.3 + MySQL 5.0.77 on CentOS 5.7 and integrating it with RouterOS

1. Install FreeRADIUS and MySQL

[root@radius ~]# yum install freeradius2 freeradius2-mysql freeradius2-utils

[root@radius ~]# yum install mysql mysql-server

2. Start the MySQL and RADIUS services

[root@radius ~]# service mysqld start

[root@radius ~]# radiusd -X

[root@radius ~]# service radiusd start

3. Make both services start at boot

[root@radius ~]# chkconfig mysqld --level 2345 on

[root@radius ~]# chkconfig radiusd --level 2345 on

4. A quick test (optional)

① Define a RADIUS client IP address

[root@radius ~]# vim /etc/raddb/clients.conf

Delete all of the existing content.

Example configuration:

client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
        require_message_authenticator = no
        nastype = other
}

② Define a user and password

[root@radius ~]# vim /etc/raddb/users

Add on the first line:

Example configuration:

testing Cleartext-Password := "password"

③ Start radiusd in debug mode

[root@radius ~]# radiusd -X

The output should end with:

Ready to process requests.

④ Test that the service works

[root@radius ~]# radtest testing password localhost 0 testing123

Example of the returned result (the key point is that an Access-Accept comes back):

Sending Access-Request of id 152 to 127.0.0.1 port 1812
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=152, length=20

5. Create the MySQL database

[root@radius ~]# mysql -uroot -p

mysql> CREATE DATABASE radius;

mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";

mysql> exit

[root@radius ~]# cd /etc/raddb/sql/mysql/

[root@radius mysql]# mysql -uroot -p radius < schema.sql

6. Check that the database was created

[root@radius mysql]# mysql -uroot -p

mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| radius             |
| test               |
+--------------------+
4 rows in set (0.03 sec)

mysql> use radius

mysql> show tables;

+------------------+
| Tables_in_radius |
+------------------+
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
7 rows in set (0.00 sec)

7. Configure FreeRADIUS to use SQL

[root@radius ~]# vim /etc/raddb/sql.conf

Example:

sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        login = "radius"
        password = "radpass"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        deletestalesessions = yes
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        lifetime = 0
        max_queries = 0
        nas_table = "nas"
        $INCLUDE sql/${database}/dialup.conf
}

[root@radius ~]# vim /etc/raddb/radiusd.conf

Find the line:

$INCLUDE sql.conf

and uncomment it.

In each of the following sections, comment out files and uncomment sql (if a section has no such line, nothing needs to change):

[root@radius ~]# vim /etc/raddb/sites-available/default

authorize{}

accounting{}

session{}

post-auth{}

[root@radius ~]# vim /etc/raddb/sites-available/inner-tunnel

authorize {}

8. Create test data

① Create the user group [radgroupcheck]

② Create the user password [radcheck]

③ Create the user reply attributes [radreply]

④ Create the group reply attributes [radgroupreply]

Here is an example:

This example contains three users: fredf, barney and dialrouter.

fredf gets an IP address assigned dynamically by the NAS (Network Access Server).

barney is assigned a static IP address.

dialrouter represents a typical dial-up router.

      mysql> select * from radcheck;
      +----+----------------+--------------------+------------------+------+
      | id | UserName       | Attribute          | Value            | Op   | 
      +----+----------------+--------------------+------------------+------+
      |  1 | fredf          | Cleartext-Password | wilma            | :=   |
      |  2 | barney         | Cleartext-Password | betty            | :=   |
      |  2 | dialrouter     | Cleartext-Password | dialup           | :=   |
      +----+----------------+--------------------+------------------+------+
      3 rows in set (0.01 sec)
 
      mysql> select * from radreply;
 
      +----+------------+-------------------+---------------------------------+------+
      | id | UserName   | Attribute         | Value                           | Op   |
      +----+------------+-------------------+---------------------------------+------+
      |  1 | barney     | Framed-IP-Address | 1.2.3.4                         | :=   |
      |  2 | dialrouter | Framed-IP-Address | 2.3.4.1                         | :=   |
      |  3 | dialrouter | Framed-IP-Netmask | 255.255.255.255                 | :=   |
      |  4 | dialrouter | Framed-Routing    | Broadcast-Listen                | :=   |
      |  5 | dialrouter | Framed-Route      | 2.3.4.0 255.255.255.248         | :=   |
      |  6 | dialrouter | Idle-Timeout      | 900                             | :=   |
      +----+------------+-------------------+---------------------------------+------+
      6 rows in set (0.01 sec)
 
      mysql> select * from radgroupreply;
      +----+-----------+--------------------+---------------------+------+
      | id | GroupName | Attribute          | Value               | Op   |
      +----+-----------+--------------------+---------------------+------+
      | 34 | dynamic   | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
      | 33 | dynamic   | Framed-Protocol    | PPP                 | :=   |
      | 32 | dynamic   | Service-Type       | Framed-User         | :=   |
      | 35 | dynamic   | Framed-MTU         | 1500                | :=   |
      | 37 | static    | Framed-Protocol    | PPP                 | :=   |
      | 38 | static    | Service-Type       | Framed-User         | :=   |
      | 39 | static    | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
      | 41 | netdial   | Service-Type       | Framed-User         | :=   |
      | 42 | netdial   | Framed-Protocol    | PPP                 | :=   |
      +----+-----------+--------------------+---------------------+------+
      12 rows in set (0.01 sec)

Create the test user:

INSERT INTO radcheck (username,attribute,op,value) VALUES ('dialrouter','Cleartext-Password',':=','dialup');
INSERT INTO radreply (username,attribute,op,value) VALUES ('dialrouter','Framed-IP-Address',':=','2.3.4.1');
INSERT INTO radreply (username,attribute,op,value) VALUES ('dialrouter','Framed-IP-Netmask',':=','255.255.255.255');
INSERT INTO radreply (username,attribute,op,value) VALUES ('dialrouter','Framed-Routing',':=','Broadcast-Listen');
INSERT INTO radreply (username,attribute,op,value) VALUES ('dialrouter','Framed-Route',':=','2.3.4.0 255.255.255.248');
INSERT INTO radreply (username,attribute,op,value) VALUES ('dialrouter','Idle-Timeout',':=','900');
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('netdial','Service-Type',':=','Framed-User');
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('netdial','Framed-Protocol',':=','PPP');
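The group reply rows for netdial only take effect for users listed in radusergroup, and the inserts above never put dialrouter into that group; that is why the Access-Accept in step 9 carries no Service-Type or Framed-Protocol. The following SQL is added here and is not part of the original post; it assumes the FreeRADIUS 2 tables created by schema.sql in step 5 (radusergroup has the columns username, groupname, priority).

```sql
-- Added example, not from the original post. Link dialrouter to the netdial
-- group; priority orders the groups of a user that belongs to several
-- (lower numbers are evaluated first).
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('dialrouter', 'netdial', 1);

-- Preview every attribute the server can now return for dialrouter: the
-- per-user rows from radreply plus the rows of each group the user is in.
SELECT 'user' AS source, r.attribute, r.op, r.value
FROM radreply r
WHERE r.username = 'dialrouter'
UNION ALL
SELECT CONCAT('group:', g.groupname) AS source, gr.attribute, gr.op, gr.value
FROM radusergroup g
JOIN radgroupreply gr ON gr.groupname = g.groupname
WHERE g.username = 'dialrouter'
ORDER BY source, attribute;

-- Sanity check before running radtest: a user that has reply rows or a group
-- membership but no entry in radcheck has no password and can never log in.
SELECT DISTINCT u.username
FROM (SELECT username FROM radreply
      UNION SELECT username FROM radusergroup) u
LEFT JOIN radcheck c ON c.username = u.username
WHERE c.username IS NULL;
```

After this insert, the radtest in step 9 should additionally return Service-Type = Framed-User and Framed-Protocol = PPP.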

9. Test that the data works

[root@radius ~]# radiusd -X

[root@radius ~]# radtest dialrouter dialup localhost 1812 testing123

Sending Access-Request of id 148 to 127.0.0.1 port 1812
        User-Name = "dialrouter"
        User-Password = "dialup"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=148, length=69
        Framed-IP-Address = 2.3.4.1
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = Broadcast-Listen
        Framed-Route = "2.3.4.0 255.255.255.248"
        Idle-Timeout = 900

10. Configure RouterOS to authenticate against RADIUS

[root@radius ~]# vim /etc/raddb/clients.conf

client RouterOS {
        ipaddr = 192.168.137.50
        secret = 111
        shortname = RouterOS
        nastype = other
}

The RouterOS configuration is as follows:

 

Reference links:

http://wiki.freeradius.org/guide/SQL-HOWTO

http://wiki.freeradius.org/config/Operators

http://www.cnblogs.com/fly1988happy/archive/2011/12/15/2288554.html

http://www.cnblogs.com/eastson/archive/2012/07/11/2584937.html
