[root@radius ~]# yum install freeradius2 freeradius2-mysql freeradius2-utils
[root@radius ~]# yum install mysql mysql-server
[root@radius ~]# service mysqld start
[root@radius ~]# mysql_secure_installation   # 建议：为 root 设置口令、删除匿名用户和默认的 test 库，再继续下面的步骤
[root@radius ~]# radiusd -X    # 前台调试运行；看到 "Ready to process requests." 后按 Ctrl-C 退出，否则下一步 service 启动会因 1812 端口已被占用而失败
[root@radius ~]# service radiusd start
[root@radius ~]# chkconfig mysqld --level 2345 on
[root@radius ~]# chkconfig radiusd --level 2345 on
①定义一个radius客户端ip
[root@radius ~]# vim /etc/raddb/clients.conf
删除原来的所有
配置示例:
# RADIUS client (NAS) definition: only requests arriving from ipaddr and
# signed with this shared secret are accepted.
client localhost {
ipaddr = 127.0.0.1
# "testing123" is the well-known default secret.  It is acceptable for the
# local radtest below, but any real NAS entry must use a long random value.
secret = testing123
# With 'no', Access-Requests that carry no Message-Authenticator attribute are
# still accepted.  Prefer 'yes' whenever the client sends the attribute: it is
# the only integrity check on the request and lets the server reject forged or
# modified packets.
require_message_authenticator = no
nastype = other
}
②定义一个用户和密码
[root@radius ~]# vim /etc/raddb/users
在第一行添加
配置示例:
testing Cleartext-Password := "password"
③以调试模式开启radius
[root@radius ~]# radiusd -X
状态如下:
Ready to process requests.
④测试服务是否正常
[root@radius ~]# radtest testing password localhost 0 testing123
返回结果(关键是返回Access-Accept)示例:
Sending Access-Request of id 152 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=152, length=20
[root@radius ~]# mysql -uroot -p
mysql> CREATE DATABASE radius;
mysql> GRANT SELECT, INSERT, UPDATE, DELETE ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
（最小权限：radiusd 只需要读写数据，不需要 ALL 里包含的 DROP/ALTER/GRANT 等权限；"radpass" 应换成随机强口令，并与后面 sql.conf 中的 password 保持一致）
mysql> exit
[root@radius ~]# cd /etc/raddb/sql/mysql/
[root@radius mysql]# mysql -uroot -p radius < schema.sql
[root@radius mysql]# mysql -uroot -p
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| radius |
| test |
+--------------------+
4 rows in set (0.03 sec)
mysql> use radius
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radpostauth |
| radreply |
| radusergroup |
+------------------+
7 rows in set (0.00 sec)
[root@radius ~]# vim /etc/raddb/sql.conf
示例:
# rlm_sql instance: FreeRADIUS reads users/groups from MySQL and writes
# accounting and post-auth rows back.  This file holds the DB password in
# clear text, so keep it readable only by root and the radiusd user
# (e.g. root:radiusd, mode 0640).
sql {
database = "mysql"
driver = "rlm_sql_${database}"
# "localhost" here must match the host part of the GRANT (radius@localhost);
# MySQL normally connects via the local socket for this name.
server = "localhost"
login = "radius"
password = "radpass"
radius_db = "radius"
# Table names below must match the tables created by schema.sql.
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
deletestalesessions = yes
# Keep tracing off outside of debugging: when enabled, every expanded query is
# written to sqltracefile.  NOTE(review): the stock 2.x post-auth query in
# dialup.conf inserts the User-Password into radpostauth, so both that table
# and the trace file can end up holding user passwords -- confirm in
# sql/mysql/dialup.conf and trim the query if that is not wanted.
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
# Size of the MySQL connection pool.
num_sql_socks = 5
# Seconds to wait before re-trying a failed connection.
connect_failure_retry_delay = 60
# 0 appears to disable the connection lifetime / per-connection query limits.
lifetime = 0
max_queries = 0
nas_table = "nas"
# Driver-specific authorize/accounting/post-auth query definitions.
$INCLUDE sql/${database}/dialup.conf
}
[root@radius ~]# vim /etc/raddb/radiusd.conf
找到:
$INCLUDE sql.conf
去掉注释
以下区段需要去掉 sql 前的注释（没有 sql 行则不需要改）；files 模块可以注释掉（只用 SQL 认证），也可以保留:
[root@radius ~]# vim /etc/raddb/sites-available/default
authorize{}
accounting{}
session{}
post-auth{}
[root@radius ~]# vim /etc/raddb/sites-available/inner-tunnel
authorize {}
①创建用户组检查属性[radgroupcheck]
②创建用户密码[radcheck]
③创建用户应答属性[radreply]
④创建组应答属性[radgroupreply]
⑤把用户加入组[radusergroup]（没有这一步，radgroupcheck/radgroupreply 中的组属性不会应用到任何用户）
下面是一个示例:
这个例子包含三个用户fredf,barney,dialrouter
fredf由NAS(网络接入服务器)动态分配ip
barney分配一个静态的ip
dialrouter表示的是一个典型的拨号路由
mysql> select * from radcheck;
+----+------------+--------------------+--------+------+
| id | UserName   | Attribute          | Value  | Op   |
+----+------------+--------------------+--------+------+
|  1 | fredf      | Cleartext-Password | wilma  | :=   |
|  2 | barney     | Cleartext-Password | betty  | :=   |
|  3 | dialrouter | Cleartext-Password | dialup | :=   |
+----+------------+--------------------+--------+------+
3 rows in set (0.01 sec)

mysql> select * from radreply;
+----+------------+-------------------+-------------------------+------+
| id | UserName   | Attribute         | Value                   | Op   |
+----+------------+-------------------+-------------------------+------+
|  1 | barney     | Framed-IP-Address | 1.2.3.4                 | :=   |
|  2 | dialrouter | Framed-IP-Address | 2.3.4.1                 | :=   |
|  3 | dialrouter | Framed-IP-Netmask | 255.255.255.255         | :=   |
|  4 | dialrouter | Framed-Routing    | Broadcast-Listen        | :=   |
|  5 | dialrouter | Framed-Route      | 2.3.4.0 255.255.255.248 | :=   |
|  6 | dialrouter | Idle-Timeout      | 900                     | :=   |
+----+------------+-------------------+-------------------------+------+
6 rows in set (0.01 sec)

mysql> select * from radgroupreply;
+----+-----------+--------------------+---------------------+------+
| id | GroupName | Attribute          | Value               | Op   |
+----+-----------+--------------------+---------------------+------+
| 34 | dynamic   | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
| 33 | dynamic   | Framed-Protocol    | PPP                 | :=   |
| 32 | dynamic   | Service-Type       | Framed-User         | :=   |
| 35 | dynamic   | Framed-MTU         | 1500                | :=   |
| 37 | static    | Framed-Protocol    | PPP                 | :=   |
| 38 | static    | Service-Type       | Framed-User         | :=   |
| 39 | static    | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
| 41 | netdial   | Service-Type       | Framed-User         | :=   |
| 42 | netdial   | Framed-Protocol    | PPP                 | :=   |
+----+-----------+--------------------+---------------------+------+
9 rows in set (0.01 sec)
创建测试用户
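-- Test user 'dialrouter' for the SQL backend (mirrors the sample tables above).
--
-- NOTE(review): Cleartext-Password keeps the password unencrypted in radcheck.
-- FreeRADIUS generally needs it in this form for CHAP/MS-CHAP (or NT-Password
-- for MS-CHAP); if only PAP is used, a hashed attribute such as Crypt-Password
-- or SSHA-Password limits the damage of a database leak.
INSERT INTO radcheck (username,attribute,op,value) VALUES ('dialrouter','Cleartext-Password',':=','dialup');

-- Per-user reply attributes: fixed address, host route and idle timeout.
INSERT INTO radreply (username,attribute,op,value) VALUES ('dialrouter','Framed-IP-Address',':=','2.3.4.1');
INSERT INTO radreply (username,attribute,op,value) VALUES ('dialrouter','Framed-IP-Netmask',':=','255.255.255.255');
INSERT INTO radreply (username,attribute,op,value) VALUES ('dialrouter','Framed-Routing',':=','Broadcast-Listen');
INSERT INTO radreply (username,attribute,op,value) VALUES ('dialrouter','Framed-Route',':=','2.3.4.0 255.255.255.248');
INSERT INTO radreply (username,attribute,op,value) VALUES ('dialrouter','Idle-Timeout',':=','900');

-- Reply attributes shared by every member of the 'netdial' group.
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('netdial','Service-Type',':=','Framed-User');
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('netdial','Framed-Protocol',':=','PPP');

-- Map the user into the group.  Group membership is looked up through
-- radusergroup, so without this row the two radgroupreply rows above are never
-- applied to dialrouter; with it the Access-Accept should also carry
-- Service-Type and Framed-Protocol.
INSERT INTO radusergroup (username,groupname,priority) VALUES ('dialrouter','netdial',1);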
[root@radius ~]# radiusd -X
[root@radius ~]# radtest dialrouter dialup localhost 1812 testing123
（radtest 的第 5 个参数是请求中的 NAS-Port 属性值，不是服务器端口；这里的 1812 只是任意取值，通常写 0。服务器端口固定由 localhost 的默认 1812 决定，见下面的输出）
Sending Access-Request of id 148 to 127.0.0.1 port 1812
User-Name = "dialrouter"
User-Password = "dialup"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=148, length=69
Framed-IP-Address = 2.3.4.1
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = Broadcast-Listen
Framed-Route = "2.3.4.0 255.255.255.248"
Idle-Timeout = 900
[root@radius ~]# vim /etc/raddb/clients.conf
# Real NAS: the RouterOS device at 192.168.137.50.  Requests from any other
# source address are silently dropped.
client RouterOS {
ipaddr = 192.168.137.50
# NOTE(review): "111" is far too weak.  The shared secret is the only key that
# hides User-Password on the wire and authenticates Message-Authenticator /
# Access-Accept; a 3-character secret can be brute-forced offline from one
# captured request/response pair.  Use a long random string here and the same
# value on the RouterOS side.
secret = 111
shortname = RouterOS
nastype = other
# require_message_authenticator is not set for this client (it was 'no' for
# the localhost client above); set it to 'yes' if RouterOS sends the
# attribute so forged requests are rejected.
}
RouterOS 端的配置如下（原文未以文本形式给出；需在 RouterOS 上添加指向本服务器的 RADIUS 客户端，secret 与上面 clients.conf 中 RouterOS 条目一致）:
附上参考链接:
http://wiki.freeradius.org/guide/SQL-HOWTO
http://wiki.freeradius.org/config/Operators
http://www.cnblogs.com/fly1988happy/archive/2011/12/15/2288554.html
http://www.cnblogs.com/eastson/archive/2012/07/11/2584937.html