FreeRadius and MySQL

Posted on 2005-10-21 14:44

The main notes below are basically unchanged from the update on 10th February 2003. Since then I am now running FreeRadius 1.0.2 with MySQL 4.1.10, having upgraded from FreeRadius 0.8.1 and MySQL 3.23. In summary: the only thing of note I needed to do, aside from a standard compile of FreeRadius and a standard rpm upgrade for MySQL, was to copy hints, huntgroups and all the dictionary files (dictionary*) from the FreeRadius 1.0.2 source raddb directory to my live one and replace the old ones. That seemed to do the trick, at least for what I need.

Introduction
In September 2001 I started playing around with FreeRadius (then at version 0.2!) and storing user authorisation details in a MySQL database. I had previously been using a proprietary RADIUS solution and wanted rid of it. Lots of people seemed to be posting to the freeradius-users list that they were trying to do the same and found it tricky due to the lack of documentation. Thus, to help anyone out there who needed it, I wrote down all the snippets of info, tips I'd received, and steps I'd used to make it work. This is the result.

This document assumes that you are familiar with:
  • *nix system admin and networking
  • What RADIUS is and should do
  • MySQL administration
  • The basics of how to compile and install open source software.

I'm not going to describe any of the above stuff, especially the latter as I'm far from an expert on it. This document focuses on getting FreeRadius running with MySQL. It does NOT describe a basic FreeRadius installation in detail (e.g. getting it up and running with a 'users' text file or other FreeRadius configurations), nor does it cover using multiple authentication methods, fall-throughs or any of that stuff. Just plain-old-MySQL-only.

If you don't know about RADIUS itself, go do some background reading... the O'Reilly book ('RADIUS') is pretty good and covers FreeRadius too.

Please note: This isn't official documentation. It's not even UNofficial documentation. It's not documentation of any type by any stretch of the imagination. So far, it's just my own personal notes, written on the fly. Little editing, little detail. You takes your chances. I will try to improve when I can, or have additional information - don't hold your breath though, as life can get busy around here. The notes focus on the SQL element, NOT generally on getting FreeRadius installed and configured and operational with text files (maybe later!) although there is a little bit on that.

Also note: I'm not a programmer - editing low-level code and compiling stuff is not something I'm particularly familiar with. Ask me to read C code and I'll probably panic. My background and experience on Linux (and other stuff) puts me in the system admin/networking bracket (I'm a network builder and web app developer by day), so please bear that in mind here. Feel free to mail me, especially with suggestions and any info useful to add here, but please don't ask me 'how do I compile' stuff. Thanks.

Lastly for this bit: a big thank you to all those that helped, emailed and generally contributed to me getting this up and going, and thus to the creation of these notes.

System
I did my original testing on SuSE Linux 7.0 on Intel with FreeRadius 0.2 and MySQL 3.23.42 using a Cisco 3640 acting as a test NAS unit. The final deployment was to RedHat 7.1. Today I'm running FreeRadius 0.8.1. If you're running an older version you are strongly recommended to upgrade.

Before You Start

Before starting with FreeRadius, make sure your box is up and configured on your network, that you have MySQL installed and running, and that your NAS is configured to point to your server.

If you're using Cisco kit as your NAS, here's a quick example snippet of how to configure IOS to authenticate PPP (e.g. dial, DSL etc) users to a RADIUS server:
        aaa new-model
        aaa authentication ppp default if-needed group radius local
        aaa authorization network default group radius
        aaa accounting update newinfo
        aaa accounting exec default start-stop group radius
        aaa accounting network default wait-start group radius
        aaa accounting connection default start-stop group radius
        radius-server host a.b.c.d auth-port 1645 acct-port 1646
        radius-server host e.f.g.h auth-port 1645 acct-port 1646
        radius-server key YOUR-RADIUS-KEY
[a.b.c.d and e.f.g.h are the IPs of your primary and secondary RADIUS servers. YOUR-RADIUS-KEY is your RADIUS secret key as defined in clients.conf (see below).]

Make SURE you have included the development headers in your MySQL installation otherwise the FreeRadius installation/compilation will barf. To make my own life easy, I just installed MySQL to the default location.

Just to clarify: ABSOLUTELY MAKE SURE you have the mysql-devel (headers and libraries) package installed with your MySQL, otherwise freeradius won't compile with MySQL support properly. Many people seem to miss having this.

Oh yep, did I mention about having the MySQL development headers installed? No? Make sure you do... ;-)

Getting Started

First off, you should get FreeRadius compiled, installed and running in a basic text file configuration (e.g. using the 'users' file) on your box. This I'm not going to describe in detail (read the stuff in /docs, etc), but it should basically be the following:

1 - Get the latest FreeRadius source code tarball from ftp://ftp.freeradius.org/pub/radius/freeradius.tar.gz. If you're so minded, get the latest CVS instead.

2 - Unpack the tarball and install it. On my own system the basic steps were all that was needed, and everything got dumped in the standard places:

      tar xzvf freeradius.tar.gz
      cd freeradius
      ./configure
      make
      make install
Note that you might need to add options to ./configure if you installed MySQL to a non-standard place, or want FreeRadius to a non-standard place, or want or need any other odd bits and pieces. I was keeping it simple and didn't need to.

Then you should configure FreeRadius appropriately. It's best to start with a simple config using the standard text files, if at least only to test that FreeRadius installed OK and will work.

To very briefly summarise getting the text files configured:

1 - Edit /usr/local/etc/raddb/clients.conf and enter the details of your NAS unit(s). There are examples here, so it should be easy. Tip: You'll also want to enter 'localhost' here for testing purposes (i.e. so you can use radtest).

2 - Edit /usr/local/etc/raddb/users and create an example user account. The file is commented on how to do this. I'm not going to repeat that here. If you've previously used another RADIUS server with text-file configuration (e.g. Livingston, Cistron) you'll know what goes here...

3 - Edit /usr/local/etc/raddb/realms. I just put a single line 'DEFAULT LOCAL' and that was sufficient to strip any suffix domain names in given user names - if you're using realms or proxying you'll doubtless need to do something else here, but I recommend you start with this then come back to setting up realms/proxying when you know MySQL is working. If you're not using realms, just ignore this.

4 - Edit /usr/local/etc/raddb/radiusd.conf and change as needed. For my own installation I changed the default port to run on 1645 (old port) to match what our existing boxes use (but otherwise make sure your NAS and FreeRadius are using the same) and said 'yes' to all the logging options (I'd strongly recommend you do switch on all the logging to start with). At this point I also said 'no' to using proxy to keep stuff simple. I then told it to run under the 'radius' user and group (I'd initially installed FreeRadius as root and didn't want to run it as such, so I created a user account called 'radius' in a group called 'radius' and then just blanket chown'd and chgrp'd the various radius directories to that user just to be sure the account can access all the right stuff. A bit of a sledgehammer there, but it was quick! I'm sure there's a better and/or more elegant way of doing this!). The rest of the radiusd.conf file was left alone.
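
A narrower alternative to the blanket chown/chgrp in step 4, as an added example (not part of the original notes or the FreeRadius distribution): leave the config tree owned by whoever installed it (root, per the notes), give the 'radius' group read-only access, and list anything still accessible to other local users. The function names and mode values are this example's choices; the path and the 'radius' group come from the notes above.

```shell
#!/bin/sh
# Added example: tighten and audit permissions on the FreeRadius config
# tree. raddb holds the NAS shared secrets (clients.conf) and user
# passwords (users), so no "other" access should remain on it.

# Print every file or directory under $1 that users outside the owning
# user and group can read, write or enter. Symlinks are skipped because
# their own mode bits are not what access checks use.
audit_raddb() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Hand group $2 read-only access to the tree at $1 and drop all access
# for "other". Ownership is left alone: when the tree was installed by
# root it stays root-owned, so the daemon can read its configuration
# but cannot rewrite it.
harden_raddb() {
    chgrp -R "$2" "$1" &&
    find "$1" -type d -exec chmod 750 {} + &&
    find "$1" -type f -exec chmod 640 {} +
}

# Typical use, as root, with the paths and group from the notes:
#   harden_raddb /usr/local/etc/raddb radius
#   audit_raddb  /usr/local/etc/raddb     # should print nothing
```

Directories the daemon writes to (logs, accounting records, the pid file) still need to be writable by the 'radius' user; only the configuration tree is made read-only here.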

At this point you should be able to manually fire up /usr/local/sbin/radiusd. You should do this with the debug turned on so you can see what happens:
      /usr/local/sbin/radiusd -X
Lots of stuff will scroll to the screen, and it should tell you it's ready to accept requests. If you get an error, READ THE DEBUG, then check the docs, check the above and try again.

You should now be able to use FreeRadius. You can use radtest to test an account from the command line:
      radtest username password servername port secret
So, if your example user is 'fred' with password 'wilma', your server is called 'radius.domain.com', is using port 1645, and you put localhost (or your localhost's IP) in clients.conf with a secret of 'mysecret', you should use:

      radtest fred wilma radius.domain.com 1645 mysecret
And you should get back something like:
      Sending Access-Request of id 226 to 127.0.0.1:1645
            User-Name = 'fred'
            User-Password = '3042323326B

This article comes from the ChinaUnix blog; to view the original, go to: http://blog.chinaunix.net/u/8057/showart_52864.html