RADIUS is short for Remote Access Dial In User Service. RADIUS mainly provides an authentication mechanism: it verifies the user's identity and password; once that check passes, authorization lets the user log in to the domain and use the relevant resources; and accounting keeps a record of the user's network usage. FreeRADIUS is open-source software that implements the RADIUS protocol and provides RADIUS AAA (Authentication, Authorization, Accounting).
The 802.1X EAP-MD5 authentication flow between supplicant, NAS and RADIUS server:
1. The supplicant sends an 802.1X EAPOL-Start to the NAS.
2. On receiving the EAPOL-Start, the NAS sends the supplicant an EAP-Request/Identity.
3. The supplicant replies to the NAS with its username in an EAP-Response/Identity.
4. The NAS wraps the EAP packet carrying the username in the EAP-Message attribute of a RADIUS Access-Request (assume packet ID 1) and sends it to the RADIUS server.
5. On receiving this RADIUS packet with an EAP-Message attribute, the RADIUS server replies to the NAS with a RADIUS packet whose EAP-Message carries an EAP MD5-Challenge.
6. The NAS extracts the EAP packet from the EAP-Message attribute, wraps it in EAPOL and forwards it to the supplicant.
7. On receiving the EAP/MD5-Challenge, the supplicant puts the password (as the MD5 response to the challenge) into an EAP packet and sends it to the NAS, which again wraps it in RADIUS and forwards it to the server.
8. The RADIUS server authenticates: if the username and password match, authentication succeeds.
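As an added illustration (not part of the original post), the following Python simulates steps 5 to 8 of the exchange above: the server's EAP-Request/MD5-Challenge, the supplicant's EAP-Response carrying MD5(Identifier || password || challenge) as defined in RFC 3748 section 5.4, and the server-side verification against the password it stores. The packet framing is real EAP framing, but the function and constant names are this example's own.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2       # EAP codes (RFC 3748)
EAP_TYPE_MD5_CHALLENGE = 4             # EAP type 4 = MD5-Challenge

def eap_packet(code, identifier, data=b""):
    """Frame an EAP packet: Code(1) Identifier(1) Length(2) Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data

def parse_eap(packet):
    """Return (code, identifier, data); reject packets whose Length field lies."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 4:
        raise ValueError("bad EAP length")
    return code, identifier, packet[4:]

def md5_challenge_request(identifier, challenge):
    """Steps 5/6: EAP-Request/MD5-Challenge; Data = Type(1) Value-Size(1) Value."""
    return eap_packet(EAP_REQUEST, identifier,
                      bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge)

def md5_response_value(identifier, password, challenge):
    """The response hash: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def md5_challenge_response(request, password):
    """Step 7: the supplicant answers with an EAP-Response/MD5-Challenge."""
    _, identifier, data = parse_eap(request)
    challenge = data[2:2 + data[1]]
    value = md5_response_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier,
                      bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value)

def server_verify(response, challenge, stored_password):
    """Step 8: the server recomputes the hash from the cleartext password it stores."""
    code, identifier, data = parse_eap(response)
    if code != EAP_RESPONSE or data[0] != EAP_TYPE_MD5_CHALLENGE:
        return False
    received = data[2:2 + data[1]]
    expected = md5_response_value(identifier, stored_password, challenge)
    return hmac.compare_digest(received, expected)

def run_exchange(supplicant_password, stored_password, identifier=1):
    """One challenge/response round; returns the server's accept/reject verdict."""
    challenge = os.urandom(16)                  # fresh per request, never reused
    request = md5_challenge_request(identifier, challenge)
    response = md5_challenge_response(request, supplicant_password)
    return server_verify(response, challenge, stored_password)
```

Because the server must recompute the same MD5, EAP-MD5 only works when the server holds the cleartext password, which is why the radcheck rows later in this guide store User-Password in the clear.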
Installation:
I. Install OpenSSL
II. Install MySQL
[root@zhinan ~]# yum groupinstall "MySQL Database"   # install the MySQL database
[root@zhinan ~]# service mysqld start                 # start the database
[root@zhinan ~]# netstat -nat                         # check whether port 3306 is in use, which confirms the install succeeded
[root@zhinan ~]# mysqladmin -u root password '123'    # set the root password to 123
[root@zhinan ~]# mysql -u root -p123                  # log in to mysql and check that the database works; if it does, exit
III. Install FreeRADIUS
The latest FreeRADIUS version is 2.2.0.
[root@zhinan ~]# tar -xzvf freeradius-server-2.2.0.tar.gz   # unpack
[root@zhinan ~]# cd freeradius-server-2.2.0                 # enter the unpacked directory
[root@zhinan ~]# ./configure                                # check the build environment
[root@zhinan ~]# make                                       # compile
[root@zhinan ~]# make install                               # install
After installation, you can run:
[root@zhinan ~]# radiusd -x   # start radiusd in debug mode; if it starts, the install succeeded
After a successful install, the FreeRADIUS configuration files live in /usr/local/etc/raddb/
and the log files in /usr/local/var/log
The steps above rarely cause trouble; the real work is in the configuration.
radiusd.conf: server-side configuration
clients.conf: stores the credentials of the RADIUS clients (NAS, routers), mainly the shared key (secret)
./modules/: configuration for LDAP, MySQL, digital certificates and so on
IV. Configuration
[root@zhinan ~]# mysql -u root -p123                    # log in to mysql
mysql> create database radius;                          # create the database
mysql> exit                                             # leave mysql
[root@zhinan ~]# cd /usr/local/etc/raddb/sql/mysql      # go to /usr/local/etc/raddb/sql/mysql
[root@zhinan ~]# mysql -u root -p radius < schema.sql   # import the tables into the database
(Note: in version 2.1.1 the schema file is called scheme.sql, which differs from other versions; before 1.1.7 it was mysql.sql or rlm_sql.sql, and it was stored in a different path.)
After the import, you can run the following and see these tables:
mysql> use radius;
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
Edit the default file under /usr/local/etc/raddb/sites-enabled (note that 2.1.1 differs from 1.1.7: radiusd.conf has been split into several parts and the authorize section now lives in the default file). Remove the # in front of sql in both authorize{} and accounting{}, and put a # in front of files in authorize{}, as shown:
authorize {
    chap
    mschap
    suffix
    eap
#   files
    sql
    pap
}
accounting {
    detail
    unix
    radutmp
    sql
}
Edit the MySQL connection settings in /usr/local/etc/raddb/sql.conf:
server = "localhost"
login = "root"
password = "<the database root password>"
radius_db = "radius"    # radius is the database name
Edit the client configuration file /usr/local/etc/raddb/clients.conf:
client 127.0.0.1 {
    secret    = testing123
    shortname = localhost
    nastype   = other
}
client 10.1.1.5 {
    ipaddr    = 10.1.1.5
    secret    = testing123    # the key shared by the RADIUS server and the NAS; it is never sent as a password but feeds the MD5 computations that protect each packet
    shortname = nas01
    nastype   = other
}
Add a test account to the database:
[root@zhinan ~]# mysql -u root -p123
mysql> use radius;
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
Query OK, 1 row affected (0.01 sec)
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
Query OK, 1 row affected (0.00 sec)
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');
Query OK, 1 row affected (0.00 sec)
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
Query OK, 1 row affected (0.01 sec)
mysql> insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');
Query OK, 1 row affected (0.00 sec)
For centralized MAC authentication, it is enough to add a radcheck row with the MAC address as both the username and the password, in the same form as the row above:
mysql> insert into radcheck (username,attribute,op,value) values ('geng','User-Password',':=','peng');
mysql> insert into radusergroup (username,groupname) values ('test','user');
Query OK, 1 row affected (0.01 sec)
mysql> exit;   # leave mysql
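To see how the three tables cooperate, here is an added Python model (my own illustration, not FreeRADIUS code) that loads the rows above into an in-memory SQLite copy of the relevant columns and runs the same two lookups rlm_sql performs: check items by exact User-Name in radcheck, then the user's groups via radusergroup and their reply items from radgroupreply. The MAC-address row is a constructed sample; it also shows why a User-Name sent as MAC@domain misses a row keyed by the bare MAC.

```python
import sqlite3

# Constructed in-memory stand-in for the "radius" database (only the columns the
# lookups below use); the rows are the ones inserted in the walkthrough above,
# plus one sample MAC-address account of the kind used for MAC authentication.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""
ROWS = [  # (table, key, attribute, op, value)
    ("radgroupreply", "user", "Auth-Type", ":=", "Local"),
    ("radgroupreply", "user", "Service-Type", ":=", "Framed-User"),
    ("radgroupreply", "user", "Framed-IP-Address", ":=", "255.255.255.255"),
    ("radgroupreply", "user", "Framed-IP-Netmask", ":=", "255.255.255.0"),
    ("radcheck", "test", "User-Password", ":=", "test"),
    ("radcheck", "7845c40a786a", "User-Password", ":=", "7845c40a786a"),  # sample MAC account
]

def open_db():
    """Create the tables and load the rows; also map user 'test' into group 'user'."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, key, attr, op, value in ROWS:
        keycol = "groupname" if table == "radgroupreply" else "username"
        db.execute(f"INSERT INTO {table} ({keycol},attribute,op,value) VALUES (?,?,?,?)",
                   (key, attr, op, value))
    db.execute("INSERT INTO radusergroup (username,groupname) VALUES (?,?)", ("test", "user"))
    return db

def authorize(db, username, password):
    """Simplified model of rlm_sql's authorize step: check items by exact User-Name,
    compare User-Password, then collect group reply items. Returns (accepted, reply)."""
    checks = db.execute("SELECT attribute, op, value FROM radcheck WHERE username = ?"
                        " ORDER BY id", (username,)).fetchall()
    if not checks:                       # what "[sql] User ... not found" means
        return False, {}
    for attr, op, value in checks:
        if attr == "User-Password" and op in (":=", "==") and value != password:
            return False, {}
    reply = {}
    groups = db.execute("SELECT groupname FROM radusergroup WHERE username = ?"
                        " ORDER BY priority", (username,)).fetchall()
    for (group,) in groups:
        for attr, op, value in db.execute("SELECT attribute, op, value FROM radgroupreply"
                                          " WHERE groupname = ? ORDER BY id", (group,)):
            if attr == "Auth-Type":      # a control item; in a reply table it has no effect
                continue
            reply[attr] = value          # ':=' replaces any earlier value of the attribute
    return True, reply
```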
Test RADIUS
[root@zhinan ~]# radiusd -X
Then open another terminal and enter:
[root@zhinan ~]# radtest test test localhost 0 testing123
Sending Access-Request of id 222 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=222, length=38
        Service-Type = Framed-User
        Framed-IP-Address = 255.255.255.255
        Framed-IP-Netmask = 255.255.255.0
If you see output like this, congratulations: FreeRADIUS is installed and configured correctly.
If you get an error that the SQL driver module cannot be found:
a. install mysql-devel first;
b. then go to src/modules/rlm_sql/drivers/rlm_sql_mysql under the FreeRADIUS source directory and run: ./configure --with-mysql-dir=/usr/share/mysql/ --with-mysql-lib-dir=/usr/lib/mysql/
c. make; make install. This installs the rlm_sql_mysql driver under /usr/local/lib, but it only works once the driver files are copied to /usr/lib: cp -a /usr/local/lib/rlm_sql_mysql* /usr/lib
Port 1812 already in use
[root@zhinan ~]# lsof -i:1812    # show the process using port 1812
radiusd 5507 root 10u IPv4 17199 0t0 UDP *:radius
[root@zhinan ~]# kill 5507       # kill PID 5507; take the PID from the lsof output
Switch-side MAC authentication configuration (the NAS at 10.1.1.5):
MAC-authentication
MAC-authentication domain test
#
radius scheme freeradius
 server-type standard
 primary authentication 10.1.5.100
 accounting optional
 key authentication testing123
 user-name-format without-domain
 nas-ip 10.1.1.5
#
domain jiubang
 scheme radius-scheme freeradius
#
interface ethernet 1/0/22
 port access vlan 5
 MAC-authentication
[root@zhinan ~]# radiusd -X   # start the RADIUS server
When a user authenticates, the output looks like this:
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.5 port 5001, id=10, length=117
        User-Name = "7845c40a786a@test"
        User-Password = "7845c40a786a"
        NAS-IP-Address = 10.1.1.5
        NAS-Identifier = "3822d6bc438f"
        NAS-Port = 16871429
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "7845-c40a-786a"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "test" for User-Name = "7845c40a786a@test"
[suffix] No such realm "test"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> 7845c40a786a@test
[sql] sql_set_user escaped user --> '7845c40a786a@test'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '7845c40a786a@test' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '7845c40a786a@test' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 7845c40a786a@test not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 7845c40a786a@test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 10 to 10.1.1.5 port 5001
Waking up in 4.9 seconds.
Cleaning up request 0 ID 10 with timestamp +61
Ready to process requests.
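The reject above can be read mechanically. The following Python, an added example rather than anything from the post, parses a constructed excerpt of that radiusd -X output and reports the request attributes, each module's result, the final packet type and the reasons the server itself printed; the three reason lines together explain the reject: the realm "test" is not defined, so the suffix module leaves User-Name as the full user@realm string, the SQL lookup by that exact string finds no row, and with no Auth-Type set the request is rejected. The regexes and the analyze function are this example's own.

```python
import re

# Constructed excerpt of the radiusd -X output shown above (straight quotes,
# as radiusd prints them); the real output indents attribute lines with a tab.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.1.1.5 port 5001, id=10, length=117
\tUser-Name = "7845c40a786a@test"
\tUser-Password = "7845c40a786a"
\tNAS-IP-Address = 10.1.1.5
\tCalling-Station-Id = "7845-c40a-786a"
[suffix] No such realm "test"
++[suffix] returns noop
[sql] User 7845c40a786a@test not found
++[sql] returns notfound
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Sending Access-Reject of id 10 to 10.1.1.5 port 5001
"""

ATTR_RE = re.compile(r'^\s+([A-Za-z][\w-]*) = "?(.*?)"?$')
MODULE_RE = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)$")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
# Diagnostic lines radiusd prints and what each one means for this setup.
HINTS = [
    (re.compile(r'^\[suffix\] No such realm "(.*)"'),
     'realm "{0}" is not defined, so the suffix module left User-Name intact'),
    (re.compile(r"^\[sql\] User (\S+) not found"),
     'no radcheck row has username exactly "{0}"'),
    (re.compile(r"^ERROR: No authenticate method"),
     "no module set Auth-Type, so the request was rejected before any password check"),
]

def analyze(log_text):
    """Summarize one request: attributes, per-module results, final packet, reasons."""
    attrs, modules, reasons, outcome = {}, [], [], None
    for line in log_text.splitlines():
        if m := ATTR_RE.match(line):
            attrs[m.group(1)] = m.group(2)
        elif m := MODULE_RE.match(line):
            modules.append((m.group(1), m.group(2)))
        elif m := SEND_RE.match(line):
            outcome = m.group(1)
        else:
            for pattern, text in HINTS:
                if h := pattern.match(line):
                    reasons.append(text.format(*h.groups()))
    return {"user": attrs.get("User-Name"), "nas": attrs.get("NAS-IP-Address"),
            "outcome": outcome, "modules": modules, "reasons": reasons}
```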