OpenSER+Radius Complete Guide [Linux Security]
freeradius requires the openssl library; quicklinux already ships with openssl-0.9.7a-46.i686 preinstalled.
If mysql is not installed under /usr/local/, create a symlink:
# ln -s /opt/lapmcp/apmc/ /usr/local/mysql
First install freeradius and test it without connecting to mysql:
# cd /home/zyq/tempfile/OpenSER_ins/AAA
# tar -xzvf freeradius-1.1.4.tar.gz
# cd freeradius-1.1.4
# ./configure --with-rlm-sql-lib-dir=/opt/lapmcp/apmc/lib/mysql/ --with-rlm-sql-include-dir=/opt/lapmcp/apmc/include/mysql/
# make
# make install WITH_MYSQL=yes
Configure freeradius:
1) Edit clients.conf
# vi /usr/local/etc/raddb/clients.conf
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
}
This entry is present by default. Here secret = testing123 is the shared secret the client at 127.0.0.1 must use to talk to the radius server.
2) Edit naslist and add:
# vi /usr/local/etc/raddb/naslist
localhost local portslave
(present by default)
3) Edit users and add users (these users are stored in the text file; for testing only):
# vi /usr/local/etc/raddb/users
Below the steve example entry, add:
hefish Auth-Type := Local, User-Password == "123456"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 192.168.137.2,
    Framed-IP-Netmask = 255.255.255.0
Below the John Doe example entry, add:
powerlift Auth-Type := Local, User-Password == "ilovelinux"
    Reply-Message = "Hello, powerlift!"
Save and exit.
4) Run the test
# /usr/local/sbin/radiusd -X
Then open another terminal and test:
# radtest hefish 123456 localhost 0 testing123
Returns:
Sending Access-Request of id 11 to 127.0.0.1 port 1812
User-Name = "hefish"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=11, length=44
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.137.2
Framed-IP-Netmask = 255.255.255.0
Test passed. Now test:
# radtest powerlift ilovelinux localhost 0 testing123
Returns:
Sending Access-Request of id 15 to 127.0.0.1 port 1812
User-Name = "powerlift"
User-Password = "ilovelinux"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=15, length=39
Reply-Message = "Hello, powerlift!"
Test passed.
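What radtest does on the wire in the two tests above (an Access-Request with a hidden User-Password, an Access-Accept whose reply items are the users-file entry), as an added Python example; this is not code from the page or from FreeRADIUS. It implements the RFC 2865 User-Password hiding and the Response Authenticator check against a constructed in-memory users table standing in for the users file. The secret and user values are the page's; the toy server, the users table and the function names are this example's own.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 packet codes and the attribute types radtest sends (see the output above)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 2, 4, 5
ATTR_REPLY_MESSAGE = 18


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length byte counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, username, password, authenticator,
                         nas_ip="255.255.255.255", nas_port=0):
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + encode_attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """The check a client must do before trusting an Access-Accept."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!BBH", header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


# Constructed stand-in for the users file: name -> (password, reply items)
USERS = {"hefish": ("123456", [(ATTR_REPLY_MESSAGE, b"Hello, hefish!")])}


def toy_server(packet, secret, users=USERS):
    """Minimal radiusd: unhide the password with its own copy of the secret and answer."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    user = attrs[ATTR_USER_NAME].decode()
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    entry = users.get(user)
    if entry and hmac.compare_digest(password, entry[0].encode()):
        reply = b"".join(encode_attr(t, v) for t, v in entry[1])
        return build_response(ACCESS_ACCEPT, ident, request_auth, reply, secret)
    return build_response(ACCESS_REJECT, ident, request_auth, b"", secret)


def simulate_radtest(username, password, client_secret, server_secret=None):
    """Client side of `radtest user pass host 0 secret`: (code, authenticator ok, reply attrs)."""
    server_secret = client_secret if server_secret is None else server_secret
    request_auth = os.urandom(16)
    request = build_access_request(11, client_secret, username, password, request_auth)
    response = toy_server(request, server_secret)
    return response[0], verify_response(response, request_auth, client_secret), parse_attrs(response[20:])
```

The server_secret parameter models a clients.conf secret that does not match the client's: the server unhides garbage and answers Access-Reject, and the client's authenticator check fails too, so the reply must not be trusted either way. This is why a wrong `secret = testing123` shows up as an authentication failure rather than as a clean error.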
5) Configure radiusd to authenticate against mysql. First create the database in mysql:
# /usr/local/mysql/bin/mysqladmin -u root -p create radius
# cd /home/zyq/tempfile/OpenSER_ins/AAA/freeradius-1.1.4/doc/examples
# /usr/local/mysql/bin/mysql -u root -p radius < mysql.sql
6) Edit radiusd.conf so it supports mysql authentication:
# vi /usr/local/etc/raddb/radiusd.conf
authorize {
preprocess
chap
mschap
suffix
sql
...
}
accounting {
...
sql
...
}
7) Edit sql.conf so radius can access mysql:
# vi /usr/local/etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
login = "root"
password = "<mysql password>"
radius_db = "radius"
# leave the rest at the defaults (unless you want user-account/NIC-MAC/phone-number binding and the like, in which case change the settings below)
}
8) Add some data to the database:
# /usr/local/mysql/bin/mysql -u root -p radius
First add some group entries:
insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask','=','255.255.255.255');
insert into radgroupcheck (groupname, attribute, op, value) values ("user", "Auth-Type", ":=", "Local");
Then add the user entry:
insert into radcheck (username,attribute,op,value) values ('zyq','User-Password','==','12345678');
Then put the user in the group:
insert into usergroup(username,groupname) values('zyq','user');
9) So that radius can load the mysql library correctly, also register the library locations:
# echo /usr/lib >> /etc/ld.so.conf
# echo /usr/local/lib >> /etc/ld.so.conf
# echo /opt/lapmcp/apmc/lib >> /etc/ld.so.conf
# ldconfig
10) Test freeradius+mysql:
# radtest zyq 12345678 localhost 0 testing123
Received:
Sending Access-Request of id 146 to 127.0.0.1 port 1812
User-Name = "zyq"
User-Password = "12345678"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=146, length=32
Service-Type = Framed-User
Framed-IP-Netmask = 255.255.255.255
===================================
Install radius-client:
~# tar xvfz radiusclient-ng-X.Y.Z.tar.gz
~# cd radiusclient-ng-X.Y.Z
~# ./configure
~# make
~# make install
Install OpenSER with freeradius:
Check that mysql.h, libmysqlclient.so and the rest are in place.
Copy libmysqlclient.so, libmysqlclient.so.15, libmysqlclient_r.so and libmysqlclient_r.so.15 from /usr/local/mysql/lib/mysql to /usr/lib.
mysql.h is under /usr/local/mysql/include/mysql; if mysql is not a standard install, copy the mysql directory to /usr/local/include.
Compile and install OpenSER:
~> tar xzvf openser-1.1.0_src.tar.gz
~> cd openser-1.1.0
~> vi modules/acc/Makefile
Uncomment the following two lines:
DEFS+=-DRAD_ACC -I$(LOCALBASE)/include
LIBS=-L$(LOCALBASE)/lib -lradiusclient-ng
~> vi Makefile
exclude_modules?= jabber cpl-c pa mysql postgres osp unixodbc \
avp_radius auth_radius group_radius uri_radius
Comment out the second line and remove mysql from the first line.
~> NICER=1 make all
~> make install
When that finishes, four files appear under /usr/local/sbin:
openser, openserctl, openserunix, openser_mysql.sh
Create the database with openser_mysql.sh create:
~> openser_mysql.sh create
MySql password for root: (the mysql password)
Domain (realm) for the default user 'admin': (just press Enter)
creating database openser ...
Install SERWEB tables ?(y/n):y (press y, then Enter)
Domain (realm) for the default user 'admin': (just press Enter)
creating serweb tables into openser ...
Edit openser's configuration file /usr/local/etc/openser/openser.cfg,
then edit openserctlrc in the same directory.
At this point openserctl start/stop can already start and stop openser.
===============================================
Configure openser with freeradius:
1) Generate the OpenSER RADIUS dictionary
~# cp /usr/local/etc/openser/dictionary.radius /usr/local/etc/radiusclient-ng/dictionary.openser
~# vi /usr/local/etc/radiusclient-ng/dictionary.openser
Replace the original contents with the following:
#### Attributes ###
#ATTRIBUTE User-Name 1 string # RFC2865
#ATTRIBUTE Service-Type 6 integer # RFC2865
#ATTRIBUTE Called-Station-Id 30 string # RFC2865, acc
#ATTRIBUTE Calling-Station-Id 31 string # RFC2865, acc
#ATTRIBUTE Acct-Status-Type 40 integer # RFC2865, acc
#ATTRIBUTE Acct-Session-Id 44 string # RFC2865, acc
ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc
ATTRIBUTE Sip-Response-Code 102 integer # Schulzrinne, acc
ATTRIBUTE Sip-Cseq 103 string # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag 104 string # Schulzrinne, acc
ATTRIBUTE Sip-From-Tag 105 string # Schulzrinne, acc
ATTRIBUTE Sip-Translated-Request-URI 107 string # Proprietary, acc
ATTRIBUTE Sip-Src-IP 108 string # Proprietary, acc
ATTRIBUTE Sip-Src-Port 109 string # Proprietary, acc
ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius
ATTRIBUTE Sip-Uri-User 208 string # Proprietary, auth_radius
ATTRIBUTE Sip-Group 211 string # Proprietary, group_radius
ATTRIBUTE Sip-Rpid 213 string # Proprietary, auth_radius
ATTRIBUTE SIP-AVP 225 string # Proprietary, avp_radius
ATTRIBUTE Digest-Realm 1063 string # Sterman, auth_radius
ATTRIBUTE Digest-Nonce 1064 string # Sterman, auth_radius
ATTRIBUTE Digest-Method 1065 string # Sterman, auth_radius
ATTRIBUTE Digest-URI 1066 string # Sterman, auth_radius
ATTRIBUTE Digest-QOP 1067 string # Sterman, auth_radius
ATTRIBUTE Digest-Algorithm 1068 string # Sterman, auth_radius
ATTRIBUTE Digest-Body-Digest 1069 string # Sterman, auth_radius
ATTRIBUTE Digest-CNonce 1070 string # Sterman, auth_radius
ATTRIBUTE Digest-Nonce-Count 1071 string # Sterman, auth_radius
ATTRIBUTE Digest-User-Name 1072 string # Sterman, auth_radius
~# cd /usr/local/etc/raddb
~# vi clients.conf
Add the following:
client 192.168.137.2 {
secret = testing123
shortname = openser
}
~# vi radiusd.conf
Under modules { find digest and uncomment it (it is already uncommented by default).
Under authorize { and authenticate { uncomment digest, then save and exit.
~# vi /usr/local/etc/raddb/dictionary
Add the following line:
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser
~# vi /usr/local/etc/raddb/users
Append the following at the end:
### --- avps ---
101@192.168.137.2 Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
    Sip-Avp += "#3#1",
    Sip-Avp += "#4:08:00",
    Sip-Avp += "#5:16:00",
    Sip-Avp += "#6:Mon,Wed,Thu,Fri"
102@192.168.137.2 Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
    Sip-Avp += "#3#1",
    Sip-Avp += "#4:08:00",
    Sip-Avp += "#5:16:00",
    Sip-Avp += "#6:Mon,Wed,Thu,Free"
DEFAULT Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
### --- group checking ---
### --- user 101 ---
101@192.168.137.2 Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
    Reply-Message = "Authorized"
101@192.168.137.2 Auth-Type := Accept, Sip-Group == "pstn", Service-Type == "Group-Check"
    Reply-Message = "Authorized"
### --- user 102 ---
102@192.168.137.2 Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
    Reply-Message = "Authorized"
DEFAULT Auth-Type := Reject, Service-Type == "Group-Check"
### --- user authentication ---
101@192.168.137.2 Auth-Type := Digest, User-Password == "101"
    Reply-Message = "Authenticated",
    Sip-Avp += "rpid:101",
    Sip-Avp += "#2:192.168.137.1",
    Sip-Avp += "#2:192.168.137.11"
102@192.168.137.2 Auth-Type := Digest, User-Password == "102"
    Reply-Message = "Authenticated",
    Sip-Avp += "rpid:102",
    Sip-Avp += "#2:192.168.137.1"
================================================
Configure RadiusClient-ng:
~# vi /usr/local/etc/radiusclient-ng/radiusclient.conf
Change the following localhost entries to the server address:
...
authserver localhost
...
acctserver localhost
...
~# vi /usr/local/etc/radiusclient-ng/servers
Add the server address and its secret:
192.168.137.2 testing123
~# vi /usr/local/etc/radiusclient-ng/dictionary
Add the following line:
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser
~# vi /usr/local/etc/raddb/users
Add test data for Digest:
test Auth-Type := Digest, User-Password == "test"
    Reply-Message = "Hello, test with digest"
Test:
~# /usr/local/sbin/radiusd -X
Open a new terminal and do the following:
Create a file named “digest” and put following in it, all in a single line:
...
User-Name = "test", Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7",
Digest-Realm = "testrealm", Digest-Nonce = "1234abcd" ,
Digest-Method = "INVITE", Digest-URI = "sip:5555551212@example.com",
Digest-Algorithm = "MD5", Digest-User-Name = "test"
...
Use “radclient” for testing the server. It is assumed that you run “radclient” on OpenSER system. You have to install it there, since this tool comes with FreeRADIUS server.
...
radclient -f digest 192.168.137.2 auth testing123
...
In case of correct response from the server, you should see something like:
...
Received response ID 224, code 2, length = 45
Reply-Message = "Hello, test with digest"
...
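The Digest-* attributes in the digest file above are what the radius server's digest module recomputes from the cleartext User-Password stored for the user (`test Auth-Type := Digest, User-Password == "test"`), which is why that entry holds the password in the clear. As an added Python example, not from the page, FreeRADIUS or OpenSER: compute and verify the RFC 2617 response for the page's sample fields (test / testrealm / INVITE / sip:5555551212@example.com / nonce 1234abcd), parse the radclient attribute line, and reject a request whose password or nonce does not match. The function names and the constructed SAMPLE_LINE are this example's; the response it computes is its own, and the page's 631d... value is neither reproduced nor checked here.

```python
import hashlib
import hmac
import re


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, algorithm="MD5"):
    """RFC 2617 response: HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri).
    The page's request carries no qop, so the short form applies to it."""
    if algorithm.upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    ha1 = _md5hex(f"{username}:{realm}:{password}")
    ha2 = _md5hex(f"{method}:{uri}")
    if qop is None:
        return _md5hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth" or nc is None or cnonce is None:
        raise ValueError("qop=auth needs Digest-Nonce-Count and Digest-CNonce")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def parse_radclient_line(line: str) -> dict:
    """Parse the `Attr = "value", Attr = "value"` form of the digest file."""
    return {name: value for name, value in _ATTR_RE.findall(line)}


def make_digest_line(username, realm, password, method, uri, nonce):
    """Build a digest-file line like the one above with a freshly computed response."""
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'User-Name = "{username}", Digest-Response = "{response}", '
            f'Digest-Realm = "{realm}", Digest-Nonce = "{nonce}", '
            f'Digest-Method = "{method}", Digest-URI = "{uri}", '
            f'Digest-Algorithm = "MD5", Digest-User-Name = "{username}"')


def verify_digest_request(attrs: dict, passwords: dict) -> bool:
    """Server side: look up the cleartext password, recompute, compare in constant time."""
    user = attrs.get("Digest-User-Name")
    password = passwords.get(user)
    if password is None:
        return False
    try:
        expected = digest_response(
            user, attrs["Digest-Realm"], password, attrs["Digest-Method"],
            attrs["Digest-URI"], attrs["Digest-Nonce"], qop=attrs.get("Digest-QOP"),
            nc=attrs.get("Digest-Nonce-Count"), cnonce=attrs.get("Digest-CNonce"),
            algorithm=attrs.get("Digest-Algorithm", "MD5"))
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, attrs.get("Digest-Response", "").lower())


# Constructed sample: the same fields as the digest file above, response computed here
SAMPLE_LINE = make_digest_line("test", "testrealm", "test", "INVITE",
                               "sip:5555551212@example.com", "1234abcd")
```

Note what this check does not do: it accepts any nonce the client presents. In the real deployment the nonce is generated and validated by the SIP proxy (OpenSER's auth module) before the request reaches radius, which is what stops a captured Digest-Response from being replayed; the radius side only answers "does this response match this user's password for this nonce".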
=======================================================
Configure OpenSER:
~# vi /usr/local/etc/openser/openser.cfg
See the attachment.
CDRs are written under "var/log/radius/radacct/".
--------------------------------
Debug:
1. Cannot load libradius-ng.so.2:
Add LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib to the environment variables.
2. Versions from 1.0.0 onward no longer have modparam("auth_radius", "rpid_old_compat", 1)
3. the syntax of avp parameters for avpops modules has changed. Please see:
http://openser.org/dokuwiki/doku.php?id=migrating_openser_v1.0.x_to_v1.1.x
For example, in your case:
avp_write("$ruri", "i:10"); => avp_write("$ruri", "$avp(i:10)");
4. ERROR: acc: can't get code for the Sip-Method attribute
Did you include dictionary.ser into your main libradiusclient dictionary?
5. ERROR: tcp_init: bind on 127.0.0.1
Add listen=udp:192.168.137.5 to ser.cfg.
6. Create a digest file under raddb and put each user's information in it.
To turn on freeradius mysql support, just uncomment sql in radiusd.conf; the users file then no longer takes effect.
Starting from the acc configuration, add radius-acc accounting, then add radius authentication following the authentication document written by the Taiwanese author for ser.
The key is radius_www_authorize: when it is present, radius does the authentication; otherwise the local database does.
With radius authentication, acc still produces CDRs, which shows that CDR generation is independent of subscriber.
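Debug item 4 above and the two $INCLUDE steps earlier (the FreeRADIUS dictionary and the radiusclient-ng dictionary both pulling in dictionary.openser) are the same failure seen from both ends: a module asks the dictionary for an attribute's code and the dictionary never loaded the file that defines it. Added Python example, not code from the page, radiusclient-ng or OpenSER, using constructed in-memory stand-ins for the files (the paths are the page's, the contents an excerpt of the dictionary above): a loader that follows $INCLUDE and a check that lists which openser attributes cannot be resolved. Parsing is simplified to ATTRIBUTE and $INCLUDE lines, and names are compared case-insensitively, both assumptions of this example.

```python
import re

ATTRIBUTE_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)", re.IGNORECASE)
INCLUDE_RE = re.compile(r"^\$INCLUDE\s+(\S+)")

# Constructed in-memory stand-ins for the files on disk; paths are the page's.
FILES = {
    "/usr/local/etc/radiusclient-ng/dictionary": (
        "ATTRIBUTE User-Name 1 string\n"
        "ATTRIBUTE Service-Type 6 integer\n"
        "$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser\n"
    ),
    "/usr/local/etc/radiusclient-ng/dictionary.openser": (
        "#ATTRIBUTE User-Name 1 string # RFC2865\n"
        "ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc\n"
        "ATTRIBUTE Sip-Response-Code 102 integer # Schulzrinne, acc\n"
        "ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius\n"
        "ATTRIBUTE SIP-AVP 225 string # Proprietary, avp_radius\n"
    ),
}


def load_dictionary(path, files=FILES, seen=None):
    """Return {lowercased name: (code, type)}, following $INCLUDE directives.
    A file already loaded is skipped so an include loop cannot recurse forever."""
    seen = set() if seen is None else seen
    if path in seen:
        return {}
    seen.add(path)
    if path not in files:
        raise FileNotFoundError(path)
    table = {}
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment, so '#ATTRIBUTE ...' is ignored
        if not line:
            continue
        inc = INCLUDE_RE.match(line)
        if inc:
            table.update(load_dictionary(inc.group(1), files, seen))
            continue
        attr = ATTRIBUTE_RE.match(line)
        if attr:
            name, code, typ = attr.groups()
            table[name.lower()] = (int(code), typ.lower())
    return table


def attribute_code(table, name):
    """What a module needs at startup; None is the 'can't get code for ...' situation."""
    entry = table.get(name.lower())
    return entry[0] if entry else None


def check_openser_attrs(table, needed=("Sip-Method", "Sip-Response-Code",
                                       "Digest-Response", "SIP-AVP")):
    """List the attributes used by the openser modules that the dictionary cannot resolve."""
    return [n for n in needed if attribute_code(table, n) is None]
```

Running check_openser_attrs against the real dictionary before starting openser turns the startup error into a readable list of missing attributes; an empty list means the $INCLUDE line was picked up.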
mysql -uroot -p123456 radius
insert into radgroupreply (GroupName,Attribute,op,Value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Service-Type',':=','Framed-User');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.254');
insert into radgroupreply (GroupName,Attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
insert into radcheck (UserName,Attribute,op,Value) values ('8001@192.168.137.2','User-Password','==','1111');
insert into radcheck (UserName,Attribute,op,Value) values ('8001@192.168.137.2','Auth-Type',':=','Digest');
insert into radcheck (UserName,Attribute,op,Value) values ('8002@192.168.137.2','User-Password','==','1111');
insert into radcheck (UserName,Attribute,op,Value) values ('8002@192.168.137.2','Auth-Type',':=','Digest');