radius+httpd+php+mysql+dialupadmin總結

科技小先鋒發表於2017-11-07
 RADIUS是一種C/S結構的協議,它的客戶端最初就是NAS(Network Access Server,網路接入伺服器),現在任何執行RADIUS客戶端軟體的計算機都可以成為RADIUS的客戶端。RADIUS協議認證機制靈活,可以採用PAP、CHAP或者Unix登入認證等多種方式。需要注意的是,RADIUS封包本身只靠共享金鑰(shared secret)與MD5保護:User-Password只做了簡單的混淆,其餘屬性皆為明文傳輸,因此RADIUS流量應限制在受信任的管理網段內,或以IPsec/RadSec加密。
 
    
      RADIUS是一種可擴充套件的協議,它進行的全部工作都是基於Attribute-Length-Value的向量進行的。RADIUS也支援廠商擴充廠家專有屬性.由於RADIUS協議簡單明確,可擴充,因此得到了廣泛應用,包括普通電話上網、ADSL上網、小區寬頻上網、IP電話、VPDN(Virtual Private Dialup Networks,基於撥號使用者的虛擬專用撥號網業務)、行動電話預付費等業務。最近IEEE提出了802.1x標準,這是一種基於埠的標準,用於對無線網路的接入認證,在認證時也採用RADIUS協議。
 
1.系統環境centos6
 
2.軟體freeradius-2.1.10-5.el6.i686,mysql-5.1.61-1.el6_2.1.i686 php-5.3.3-3.el6_2.8.i686,freeradius-dialupadmin-2.1.1-2.fc10.i386,httpd-2.2.15-15.el6.centos.1.i686(注意:CentOS 6、PHP 5.3、MySQL 5.1 與 FreeRADIUS 2.x 均已停止維護,不再有安全更新;本文步驟僅供參考,新部署請改用仍在維護的發行版與 FreeRADIUS 3.x。另外 dialupadmin 套件來自 fc10(Fedora 10),跨發行版混用套件本身就有相容性風險。)
 
3.安裝軟體
[root@localhost ~]# yum -y install httpd mysql mysql-devel mysql-server php freeradius freeradius-mysql httpd-devel php-devel php-gd php-mbstring php-mysql php-xml freeradius-dialupadmin perl-DateManip php-pgsql php-ldap
(原文少了 install 子命令,且 freeradius-dialupadmin 被斷成兩行。只用 MySQL 後端的話,php-pgsql、php-ldap、php-devel、httpd-devel 並非必要,少裝可減少攻擊面。)
 
4.設定開機啟動

[root@localhost ~]# chkconfig httpd on

[root@localhost ~]# chkconfig mysqld on

[root@localhost ~]# chkconfig radius on   (這一行是筆誤:服務名稱是 radiusd,沒有叫 radius 的服務,chkconfig 會找不到它;下面那行才是正確的)

[root@localhost ~]# chkconfig radiusd on
 
5.配置radiusd.conf檔案如下:

[root@localhost ~]# cd /etc/raddb/ //這個主要是配置檔案所在地

[root@localhost raddb]# ls

acct_users                 clients.conf.1  policy.conf      sql//資料庫檔案.sql檔案所在目錄這個需要匯入資料庫。

attrs                      dictionary      policy.txt       sql.conf//sql配置檔案

attrs.access_challenge     eap.conf        preproxy_users   sql.conf.1

attrs.access_reject        example.pl      proxy.conf       sqlippool.conf

attrs.accounting_response  hints           radiusd.conf//主配置檔案     templates.conf

attrs.pre-proxy            huntgroups      radiusd.conf.1   users

certs                      ldap.attrmap    sites-available  users.1

clients.conf//客戶端配置檔案              modules         sites-enabled
 
6.[root@localhost raddb]# cat radiusd.conf//主配置檔案。以下內容基本上是套件預設值,與安全有關的幾點:user/group = radiusd 讓服務以非 root 身分執行、allow_core_dumps = no 避免 core 檔洩漏金鑰,這兩項請保留;兩個 listen 的 ipaddr = * 會在所有介面監聽(port = 0 代表使用 /etc/services 中 radius/radius-acct 的埠,通常是 1812/1813),請用防火牆只放行 NAS 的來源 IP;log 區段的 auth_badpass/auth_goodpass 務必維持 no(否則密碼會寫進日誌),但 auth 預設為 no 時不會記錄認證成功/失敗事件,建議改為 yes 以便稽核與偵測暴力猜測。另外 radiusd.conf 的註解符號是 #,下方各行的 // 只是本文的說明文字,不要照抄進檔案。
prefix = /usr

exec_prefix = /usr

sysconfdir = /etc

localstatedir = /var

sbindir = /usr/sbin

logdir = ${localstatedir}/log/radius

raddbdir = ${sysconfdir}/raddb

radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}

run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid


user = radiusd

group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {

        type = auth


        ipaddr = *


        port = 0


}
listen {

        ipaddr = *

        port = 0

        type = acct

}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes

extended_expressions    = yes
log {

        destination = files
        file = ${logdir}/radius.log


        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no

        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {

        max_attributes = 200
        reject_delay = 1
        status_server = yes

}
proxy_requests  = yes

$INCLUDE proxy.conf
 
$INCLUDE clients.conf


thread pool {

        start_servers = 5
        max_servers = 32
        min_spare_servers = 3

        max_spare_servers = 10
        max_requests_per_server = 0

}
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
 
}
instantiate {

        exec
        expr
        expiration

        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

# 以下這行是本人加入的(原文用 // 當註解,但 FreeRADIUS 設定檔的註解符號是 #,// 不一定能被正確解析);
# 套件附的 radiusd.conf 把 $INCLUDE sql.conf 放在上面 modules { } 區塊內(預設被註解掉),
# 一般做法是在那裡取消註解,而不是加在最外層。
$INCLUDE sql.conf
 
7.[root@localhost raddb]# cat sql.conf//檢視sql配置檔案


sql {

        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"

        # 原文用 root/123456 連線資料庫。radiusd 不需要 MySQL 的 root 權限,
        # 請改用第 12 步建立的、只對 radius 資料庫有權限的 radius 帳號,
        # 密碼請自行改為強密碼(admin.conf 的 sql_username/sql_password 也要一併修改)。
        # 注意:引號必須是直引號 ",部落格顯示的彎引號直接複製會讓設定解析失敗;
        # 設定檔的註解符號是 #,本文其他地方的 // 只是說明文字。
        login = "radius"

        password = "radius"
        # 資料庫名字叫 radius
        radius_db = "radius"

        acct_table1 = “radacct”

        acct_table2 = “radacct”
        postauth_table = “radpostauth”
        authcheck_table = “radcheck”

        authreply_table = “radreply”
        groupcheck_table = “radgroupcheck”

        groupreply_table = “radgroupreply”
        usergroup_table = “radusergroup”


        deletestalesessions = yes
        sqltrace = no

        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        lifetime = 0
        max_queries = 0


        nas_table = “nas”
        $INCLUDE sql/${database}/dialup.conf

}
8.[root@localhost raddb]# cat clients.conf//客戶端配置檔案
 
client localhost {

        ipaddr = 127.0.0.1
        secret          = testing123
        require_message_authenticator = no
 
}
 
client 192.168.40.39 {

      secret =testing123

      shortname =test

nastype =other

}
//為你NAS的相應值

192.168.40.39為NAS的IP地址(radiusd 只接受此處列出的來源 IP 的請求;NAS 區塊的 secret 要與 NAS 設備上設定的一致,localhost 區塊的 secret 則要與 admin.conf 的 general_radius_server_secret 一致)

secret      = testing123為共享金鑰。testing123 是 FreeRADIUS 範例設定中人盡皆知的預設值,正式環境必須換成每台 NAS 各自不同、足夠長的隨機字串(例如 openssl rand -base64 24 產生),因為 RADIUS 封包的完整性與 User-Password 的混淆完全依賴這把金鑰

shortname   = test任意

nastype     = other為你NAS裝置的型別

另外兩個 client 區塊都是 require_message_authenticator = no(2.x 的預設值)。Message-Authenticator 是 Access-Request 唯一的完整性保護,針對 MD5 Response Authenticator 的 Blast-RADIUS 攻擊(CVE-2024-3596)正是利用它的缺席;只要 NAS 支援,就應該設為 yes。


9.配置httpd.conf /etc/httpd/conf/httpd.conf

檔案新增兩處如下:
DirectoryIndex index.html index.php index.html.var
# 上一行新增了 index.php(httpd.conf 的註解符號是 #,原文的 // 不能寫進檔案)。以下只需要 .php 這一行:
AddType application/x-httpd-php .php
# 原文還加了下面兩行,不建議:.phps 會把任何 .phps 檔的 PHP 原始碼以高亮方式公開,
# .html 會讓所有 .html 檔都被當作 PHP 執行,兩者都擴大攻擊面;dialupadmin 的頁面用的是 .php/.php3
# (見下方 php.conf 的設定),應該不需要這兩行。
# AddType application/x-httpd-php-source .phps
# AddType application/x-httpd-php .html
修改apache的radius.conf配置檔案

# vi /etc/httpd/conf.d/radius.conf

<Directory /usr/share/dialup_admin/htdocs/>

   Options None

   order deny,allow

   deny from all

   allow from 127.0.0.1 192.168.40.39

</Directory> 

在allow from 處新增你允許訪問freeradius-dialupadmin的ip 用空格分開。注意:這裡應該填管理人員工作站的 IP,而不是 NAS 的 IP(192.168.40.39 是 NAS,它不需要存取管理網頁);另外這個 <Directory> 只有 IP 白名單、沒有任何登入驗證,而 dialupadmin 可以新增帳號並顯示密碼,請再加上 AuthType Basic + AuthUserFile 之類的驗證,並透過 HTTPS 存取。(Order/Allow/Deny 是 httpd 2.2 的語法,2.4 需改用 Require ip。)

修改apache的php.conf配置檔案

# vi /etc/httpd/conf.d/php.conf

在未尾新增

AddType application/x-httpd-php .php .php3


10.配置主配置檔案admin.conf檔案
[root@localhost raddb]# cd /usr/share/dialup_admin/
[root@localhost dialup_admin]# ls
bin  Changelog  conf  doc  htdocs  html  lib  Makefile  README  sql
[root@localhost conf]# ls

accounting.attrs  auth.request        naslist.conf    user_edit.attrs

admin.conf //主配置       captions.conf       naslist.conf.1  username.mappings

admin.conf.1 //為備份1     config.php3         naslist.conf.2

admin.conf.2      default.vals        sql.attrmap

admin.conf.3      extra.ldap-attrmap  sql.attrs
11.[root@localhost conf]# cat admin.conf//檢視主配置檔案如下。安全相關的幾個設定請特別留意:general_show_user_password: yes 會在網頁上明文顯示使用者密碼;general_encryption_method: clear 表示 radcheck 中的密碼以明文儲存——因為 general_radius_server_auth_proto: chap 的 CHAP 驗證需要明文密碼,若只用 PAP 可改用雜湊儲存,否則資料庫就是一個明文密碼庫,存取必須嚴格限制;general_radius_server_secret 與 sql_password 是敏感資訊,此檔權限應限制為只有 apache 使用者可讀;general_test_account_login/password(test/test)是內建測試帳號,上線前請移除或改掉;general_clients_conf 指向 /etc/raddb/clients.conf,代表 apache 使用者需要讀取含 NAS 共享金鑰的檔案,只開放必要的讀取權限即可;ldap_bindpw 的 XXXXXXX 是占位符,未用 LDAP 時保持原樣即可:

general_prefered_lang: en

general_prefered_lang_name: English

general_charset: iso-8859-1

general_base_dir: /usr/share/dialup_admin

general_radiusd_base_dir: /usr

general_domain: company.com

general_use_session: no

general_most_recent_fl: 30
general_realm_delimiter: @

general_realm_format: suffix
# 原文為 yes,會把使用者密碼明文顯示在管理網頁上;建議改為 no
general_show_user_password: no
general_raddb_dir: /etc/raddb

general_ldap_attrmap: /etc/raddb/ldap.attrmap

general_clients_conf: /etc/raddb/clients.conf

general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap

general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs

general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap

general_username_mappings_file: %{general_base_dir}/conf/username.mappings

general_lib_type: mysql

general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs

general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs

general_default_file: %{general_base_dir}/conf/default.vals

general_finger_type: snmp

general_nas_type: cisco

general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger

general_sessionclear_bin: %{general_base_dir}/bin/clearsession

general_sessionclear_method: snmp

general_radclient_bin: /usr/bin/radclient

general_test_account_login: test

general_test_account_password: test

general_radius_server: localhost

general_radius_server_port: 1812

general_radius_server_auth_proto: chap

general_radius_server_secret: testing123

general_auth_request_file: %{general_base_dir}/conf/auth.request

general_encryption_method: clear

general_accounting_info_order: desc

general_stats_use_totacct: no

general_restrict_badusers_access: no

general_restrict_nasadmin_access: no


INCLUDE: %{general_base_dir}/conf/naslist.conf


INCLUDE: %{general_base_dir}/conf/captions.conf
ldap_server: ldap.%{general_domain}

ldap_base: dc=company,dc=com

ldap_binddn: cn=Directory Manager

ldap_bindpw: XXXXXXX

ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}

ldap_default_dn: uid=default-dialup,%{ldap_base}

ldap_regular_profile_attr: dialupregularprofile
 
sql_type: mysql

sql_server: localhost

sql_port: 3306

# 原文使用 root/123456。dialupadmin 只需要 radius 這個資料庫,請改用第 12 步建立的 radius 帳號,
# 密碼請自行改為強密碼;此檔因含資料庫密碼與 RADIUS 金鑰,權限應限制為只有 apache 使用者可讀。
sql_username: radius

sql_password: radius

sql_database: radius

sql_accounting_table: radacct

#sql_badusers_table: badusers

sql_check_table: radcheck

sql_reply_table: radreply

#sql_user_info_table: userinfo

sql_groupcheck_table: radgroupcheck

sql_groupreply_table: radgroupreply

#sql_usergroup_table: radusergroup

sql_total_accounting_table: totacct

sql_nas_table: nas

sql_show_all_groups: true

sql_command: /usr/bin/mysql

general_snmp_type: net

general_snmpwalk_command: /usr/local/bin/snmpwalk

general_snmpget_command: /usr/local/bin/snmpget

#sql_debug: true


#sql_use_user_info_table: true

#sql_use_operators: true

# FreeRADIUS 2.x 建議 radcheck 的檢查屬性使用 Cleartext-Password;
# 以 User-Password 作為檢查項目在 2.x 已屬過時用法,伺服器會警告並自行轉換,
# 為了與 sql.conf / 官方 schema 的用法一致,建議直接改為 Cleartext-Password
sql_password_attribute: Cleartext-Password

sql_date_format: Y-m-d

sql_full_date_format: Y-m-d H:i:s

sql_row_limit: 40

sql_connect_timeout: 3
counter_default_daily: none

counter_default_weekly: none

counter_default_monthly: none
[root@localhost conf]# cat naslist.conf//配置檔案二

nas1_name: nas1.%{general_domain}

nas1_model: Computer

nas1_ip: 192.168.40.39

nas1_port_num: 16

nas1_community: public

//

nas1_model: Computer 為nas型別(原文誤植為 as1_model)

nas1_ip: 192.168.40.39 為nas ip

nas1_community: public 是 SNMP community,dialupadmin 用它透過 snmpfinger/clearsession 讀取與清除線路狀態(general_finger_type 與 general_sessionclear_method 都設為 snmp)。public 是設備出廠預設值,等同於沒有密碼;SNMPv1/v2c 的 community 又以明文傳送,請在 NAS 上改用專用、非預設的 community,並限制只有這台管理主機能對 NAS 做 SNMP 查詢。

nas可新增多個修改nas號則可。


[root@localhost conf]# cat captions.conf//配置檔案三

general_caption_finger_free_lines: free lines


12.配置mysql資料庫和建立資料庫radius


[root@localhost conf]# service mysqld start//啟動mysqld服務
[root@localhost conf]# mysqladmin -u root password "your password" //兩種方法設定root連線mysql的密碼。
注意:密碼放在命令列參數中會留在 shell history,執行期間也可被同機的其他使用者用 ps 看到;建議改用互動式提示(只帶 -p、不接密碼)或權限 600 的 ~/.my.cnf。另外 MySQL 預設安裝通常帶有匿名帳號與 test 資料庫(下方 show databases 可看到 test),上線前請執行 mysql_secure_installation 或手動移除。

使用mysql庫

mysql> use mysql

修改root密碼

mysql> update user set password=password("123456") where user="root";

mysql> flush privileges;
[root@localhost conf]# mysql -uroot -p -e "create database radius;" //建立資料庫radius(改用 -p 互動輸入,避免原文 -p123456 的寫法把密碼留在 history 與 ps 中)
mysql> show databases;

+——————–+

| Database           |

+——————–+

| information_schema |

| mysql              |

| radius             |

| test               |

+——————–+

4 rows in set (0.00 sec)


mysql> use radius;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A
Database changed

mysql> show tables;

+——————+

| Tables_in_radius |

+——————+

| nas              |

| radacct          |

| radcheck         |

| radgroupcheck    |

| radgroupreply    |

| radippool        |

| radpostauth      |

| radreply         |

| radusergroup     |

+——————+

9 rows in set (0.01 sec)
[root@localhost mysql]# pwd

/etc/raddb/sql/mysql

[root@localhost mysql]# ls//把帶.sql的檔案全部倒入radius資料中

admin.sql     cui.conf  dialup.conf  ippool.sql  schema.sql  wimax.sql

counter.conf  cui.sql   ippool.conf  nas.sql     wimax.conf
倒入資料庫的方法為:

mysql> show databases;//檢視資料庫

+——————–+

| Database           |

+——————–+

| information_schema |

| mysql              |

| radius             |

| test               |

+——————–+

4 rows in set (0.00 sec)
mysql> use radius;//進入資料庫radius

Database changed
mysql> show tables;//show表為空

Empty set (0.00 sec)


mysql>source /etc/raddb/sql/mysql/admin.sql //利用source匯入資料庫。admin.sql 的內容是建立並授權資料庫帳號(帳號與預設密碼寫在檔案裡),匯入前請先打開確認,並把預設密碼改掉

mysql>source /etc/raddb/sql/mysql/cui.sql //cui.sql、ippool.sql、wimax.sql 只在用到 CUI、IP pool、WiMAX 時才需要,用不到可以不匯入

mysql>source /etc/raddb/sql/mysql/ippool.sql

mysql>source /etc/raddb/sql/mysql/nas.sql //原文寫成 as.sql,正確檔名是 nas.sql(見上方 ls 輸出),這張表對應 sql.conf 的 nas_table

mysql>source /etc/raddb/sql/mysql/schema.sql //建立 radcheck、radreply、radacct 等基本表,這個檔案是必要的

mysql>source /etc/raddb/sql/mysql/wimax.sql
還有一種方法就是用[root@localhost mysql]#mysql -uroot -p radius </etc/raddb/sql/mysql/admin.sql//其它省略


mysql> show tables;

+——————+

| Tables_in_radius |

+——————+

| nas              |

| radacct          |

| radcheck         |

| radgroupcheck    |

| radgroupreply    |

| radippool        |

| radpostauth      |

| radreply         |

| radusergroup     |

+——————+

9 rows in set (0.00 sec)
mysql> desc radusergroup;

+———–+————-+——+—–+———+——-+

| Field     | Type        | Null | Key | Default | Extra |

+———–+————-+——+—–+———+——-+

| username  | varchar(64) | NO   | MUL |         |       |

| groupname | varchar(64) | NO   |     |         |       |

| priority  | int(11)     | NO   |     | 1       |       |

+———–+————-+——+—–+———+——-+

3 rows in set (0.00 sec)
mysql> desc nas;//顯示NAS表的結構

+————-+————–+——+—–+—————+—————-+

| Field       | Type         | Null | Key | Default       | Extra          |

+————-+————–+——+—–+—————+—————-+

| id          | int(10)      | NO   | PRI | NULL          | auto_increment |

| nasname     | varchar(128) | NO   | MUL | NULL          |                |

| shortname   | varchar(32)  | YES  |     | NULL          |                |

| type        | varchar(30)  | YES  |     | other         |                |

| ports       | int(5)       | YES  |     | NULL          |                |

| secret      | varchar(60)  | NO   |     | secret        |                |

| server      | varchar(64)  | YES  |     | NULL          |                |

| community   | varchar(50)  | YES  |     | NULL          |                |

| description | varchar(200) | YES  |     | RADIUS Client |                |

+————-+————–+——+—–+—————+—————-+

9 rows in set (0.00 sec)

接著建立radius使用者(注意:下面的 useradd 建立的是 Linux 系統帳號,與 MySQL 帳號無關;radiusd 由套件以 radiusd 使用者執行(見 radiusd.conf 的 user/group),這一步其實不需要,真正需要的是後面的 MySQL grant)

[root@localhost conf]#useradd radius
使用mysql庫

mysql> use mysql

修改radius密碼(若 MySQL 中尚無 radius 帳號,這條 update 不會影響任何列;下面的 grant ... identified by 會一併建立帳號並設定密碼,所以這一步可以省略)

mysql> update user set password=password("radius") where user="radius";

mysql> flush privileges;

建立radius資料庫使用者(只授權 radius 這個資料庫、只允許從 localhost 連線,符合最小權限;"radius" 這個密碼只是示範,請換成強密碼,並把 sql.conf 的 login/password 與 admin.conf 的 sql_username/sql_password 改成這個帳號,而不是 root)

mysql> grant all privileges on radius.* to 'radius'@'localhost' identified by "radius";

mysql> flush privileges;

mysql> exit

//

補充說明:如果直接在 mysql.user 表中以明文寫入 password 欄位(而不是透過 password() 函式),伺服器比對的是雜湊值,連線一定會失敗。另外,直接修改授權表後必須執行 flush privileges; 重新載入授權表,也可以在 shell 下用 mysqladmin -u root reload
或 mysqladmin -u root flush-privileges 來實現重新載入。在 MySQL 環境下,你可以使用以下語句進行設定密碼:


1.insert into user(host,user,password) values('localhost','user_name',password("your password"));   (原文少了右括號且用了反引號;host 請用 localhost 而不是 %,% 代表允許從任何主機連線)


2.set password for user_name = password(“your password”)


以上兩種方法都必須進行過載授權表.


3.當然你也可以在建立一個使用者時直接設定密碼,grant語句將為你自動加密口令.


如 grant all on radius.* to 'user_name'@'localhost' identified by "your password";   (原文的 *.* 會給予所有資料庫的完整權限、@% 允許從任何主機連線,兩者都違反最小權限原則;帳號與主機名要加引號)


另外你也可以在shell環境下用mysqladmin程式來設定密碼


如 mysqladmin -u root password “your password”


13.啟動apache服務
[root@localhost conf]# service httpd start
Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]
配置test.php(只用來確認 PHP 能執行;phpinfo() 會公開 PHP 版本、載入的模組、路徑與環境變數等資訊,驗證完成後請立即刪除 /var/www/html/test.php)

[root@localhost mysql]# cat /var/www/html/test.php 

<?php

phpinfo();

?>
14.最後客戶端ie瀏覽器http://ip/test.php如果看到資訊說明是好的(確認後請刪除該檔),如果要進入freeradius-dialupadmin,直接http://ip/radius/即可。注意:本文的 dialupadmin 只靠 radius.conf 的 IP 白名單保護,沒有任何登入驗證,而且走明文 HTTP;這個介面可以新增/修改帳號並顯示密碼,正式環境請至少加上 HTTP 驗證(AuthType Basic 搭配 htpasswd)並改用 HTTPS(mod_ssl)。
 
本文轉自zh888 51CTO部落格,原文連結:http://blog.51cto.com/zh888/861742,如需轉載請自行聯絡原作者