
How to configure freeradius to read user information from a mysql database

2025-01-16 Update From: SLTechnology News&Howtos

This article shows how to configure freeradius to read user information from a mysql database, and then how to manage the server with the dialup_admin web interface.

Configure freeradius to read user information from the mysql database

1) Edit /etc/raddb/radiusd.conf first: remove the comment mark in front of the $INCLUDE ${confdir}/sql.conf line, then enable the sql module in the following sections of /etc/raddb/radiusd.conf to support mysql authentication:

authorize {
    preprocess
    chap
    mschap
    suffix
    sql
    ...
}

accounting {
    ...
    # radutmp (disabled: I want to use Simultaneous-Use := 1, so that the same user can only log on to one machine at a time, and radutmp is a problem when radiusd ends unexpectedly)
    sql
    ...
}

session {
    # radutmp (ibid.)
    sql
}

2) Change the settings in sql.conf, mainly the information about the mysql server to read from. The fields to change are:

driver = "rlm_sql_mysql"
server = "localhost"          # Database server
login = "mysql_username"      # Database user
password = "mysql_password"   # Database password
radius_db = "radius"          # Database name

3) Of course, the prerequisite is a working mysql service. Set it up as follows:

First deal with the mysql client library. Freeradius looks for libmysqlclient_r.so by default, but MySQL installs libmysqlclient.so; the content is exactly the same, so just make a link. (This is very important; otherwise, when you start freeradius, you will get the error rlm_sql_mysql.so: Could not link driver rlm_sql_mysql: file not found.)

# echo "/usr/lib/mysql" >> /etc/ld.so.conf
# ldconfig
# cd /usr/lib/mysql/
# ln -s libmysqlclient.so.15.0.0 libmysqlclient_r.so

Start mysqld first:

service mysqld start

Then set the root account password:

mysqladmin -uroot -p password 123456

Create the radius database:

mysqladmin -uroot -p123456 create radius

To create the tables of the radius database, import the sql script that ships with the software:

mysql -uroot -p123456 radius < /usr/share/doc/freeradius-1.1.3/examples/mysql.sql

In this way, the database and all the tables required by radius have been set up.

At this point, you can add a test account to check whether everything is working properly. The details are not covered here. Later we will use dialup_admin, which comes with the freeradius source code, to manage the database. It is a web-based management interface written in php, which is much more convenient than using SQL statements directly.

What needs attention here is how to add, in the database, a limit on the number of simultaneous logins of a user. For example, I first add a test user with SQL statements and then limit the number of simultaneous logins for that user. The statements are as follows:

mysql -uroot -p123456 radius

insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-Protocol','=','ppp');
insert into radgroupcheck (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupcheck (groupname,attribute,op,value) values ('user','Simultaneous-Use',':=','1');

Then add the user information:

insert into radcheck (username,attribute,op,value) values ('bbb','User-Password','==','bbb');

Then add the user to the group:

insert into usergroup (username,groupname) values ('bbb','user');

This adds a test account, bbb, to the database and makes the bbb account belong to the user group.

The login limit for the group is set through the check attributes of the user group, here the Simultaneous-Use := 1 row in radgroupcheck. As long as a user joins the group, the number of simultaneous logins cannot exceed one.

The limit is now in place. We can log in with the bbb account to test whether it is authenticated against the mysql database, and check that only one login at a time is possible.
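The sql entries from step 1 are easy to get wrong, and the Simultaneous-Use check relies on the one in the session section. The following is an added example, not part of the original article: a shell check that lists the active modules of a radiusd.conf section and reports where a file differs from step 1. The function names and message texts are this example's own.

```shell
#!/bin/sh
# Added example, not from the article. Function names are this example's own.

# section_modules FILE SECTION: print the uncommented module names listed
# directly inside the top-level "SECTION { ... }" block, one per line.
section_modules() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                          # ignore comments
        depth == 0 && $1 == want && $2 == "{" { depth = 1; next }
        depth > 0 {
            if ($NF == "{") { depth++; next }       # nested block
            if ($1 == "}")  { depth--; next }
            if (depth == 1 && NF == 1) print $1     # a bare module name
        }
    ' "$1"
}

# has_module FILE SECTION MODULE: succeed if MODULE is active in SECTION.
has_module() {
    section_modules "$1" "$2" | grep -qx "$3"
}

# check_radiusd_conf FILE: report where FILE differs from step 1 above.
check_radiusd_conf() {
    for s in authorize accounting session; do
        has_module "$1" "$s" sql || echo "$s: sql module is not enabled"
    done
    for s in accounting session; do
        if has_module "$1" "$s" radutmp; then
            echo "$s: radutmp is still enabled"
        fi
    done
}

# Usage: sh check_radiusd.sh /etc/raddb/radiusd.conf
if [ "$#" -eq 1 ]; then check_radiusd_conf "$1"; fi
```

No output means sql is active in all three sections and radutmp is disabled in accounting and session, as configured above.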

Part IV: use dialup_admin to manage radius servers

If web management is needed after the server is successfully built, freeradius comes with a web manager, dialup_admin.

First verify that Apache and PHP are installed correctly. The web directory of Apache is /var/www/html. Test Apache first: enter http://127.0.0.1 in the browser, and if the Apache page appears, Apache is working normally.

Create a PHP test file that displays the PHP information and save it as phpinfo.php. Enter http://127.0.0.1/phpinfo.php in the browser. If you see the php-related information page, php is working properly.

Copy the whole dialup_admin/ folder from the freeradius source code to the Apache web page directory /etc/local.

Modify the following parameters in the admin.conf file under dialup_admin/conf/:

sql_type: mysql
sql_server: localhost // sql address
sql_port: 3306 // default port
sql_username: root
sql_password: 123456 // password
sql_database: radius // database name
general_base_dir: /var/www/html/dialup_admin // dialup_admin home directory
general_radiusd_base_dir: /usr/sbin/radiusd
general_domain: company.com // can be changed or left as it is; it has no effect
general_radius_server_auth_proto: chap // change pap to chap
general_encryption_method: clear // change crypt to clear

To clarify, general_encryption_method must be changed to clear. Otherwise passwords added through the web management interface are stored encrypted and cannot be recognized, which results in authentication failure. With clear the password is stored in clear text, and freeradius also stores passwords in plaintext by default. The two must correspond to each other, so clear is used here.

Modify the naslist.conf file under dialup_admin/conf/ as follows:

nas1_name: nas1.%{general_domain}
nas1_model: Computer // type of NAS server
nas1_ip: 192.168.1.1 // IP address of the NAS server
nas1_port_num: 15
nas1_community: public

Everything else is deleted or commented out with the # sign. The purpose of this modification is to make it easy to see how each NAS server connects to the user in the web management interface.

Import the related database tables:

cd /var/www/html/dialup_admin/sql
mysql -uroot -p123456 radius < userinfo.sql
mysql -uroot -p123456 radius < totacct.sql
mysql -uroot -p123456 radius < mtotacct.sql
mysql -uroot -p123456 radius < badusers.sql

Dialup_admin uses files in php3 format, which the web server needs to support.

Modify the /etc/httpd/conf/httpd.conf file and add at the end of this file:

AddType application/x-httpd-php .php .html .htm .php3

Then create a symbolic link named htdocs in the default home page directory, pointing to /usr/local/dialup_admin/htdocs.

Restart the httpd service after saving:

service httpd restart

Visit: http://localhost/htdocs/index.html

Everything is OK if each page opens normally. SQL debug mode is turned on by default. Find sql_debug in admin.conf and change true to false to turn it off.

Part V: use user authentication to manage radius servers

The Apache server has a built-in user authentication mechanism. Set up properly, it lets you require user authentication for parts of a site. Follow the steps below and you should be able to set up user authentication easily.

Step 1:

We are in /var/www/html/dialup_admin/htdocs

Then we edit httpd.conf

Add

Alias /radiusadmin "/var/www/html/dialup_admin/htdocs"
<Directory "/var/www/html/dialup_admin/htdocs">
    Options Indexes MultiViews
    # indicates authentication
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>

AllowOverride AuthConfig means that the authentication directives in .htaccess are honored, which is the key setting.

Step 3

Create an .htaccess file in /var/www/html/dialup_admin/htdocs

vi /var/www/html/dialup_admin/htdocs/.htaccess

AuthName "radius web"
AuthType Basic
AuthUserFile /var/www/html/dialup_admin/htdocs/.htpasswd
Require valid-user

# AuthName: a description, write whatever you want
# AuthUserFile: /var/www/html/dialup_admin/htdocs/.htpasswd
# require valid-user or require user admin: whether access is limited to all valid users or to specified users
# .htpasswd is the recommended name for the password file, because by default apache does not allow external reading of files starting with ".ht", so the safety factor is a little higher.

Step 4

Create an authenticated user for apache:

htpasswd -c /var/www/html/dialup_admin/htdocs/.htpasswd radiusadmin

# The first time you create a user, you need the -c parameter. When adding further users, do not use the -c parameter.

If you want to change the password, you can do the following:

htpasswd -m .htpasswd radiusadmin

Step 5:

Restart the apache service, and then visit http://10.0.0.64/radiusadmin to see a pop-up window for user authentication. Just enter the user name and password created in step 4.
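Several choices made in Parts IV and V are worth re-checking once the interface works. The following is an added example, not part of the original article: a shell audit of admin.conf and the htdocs directory that reports the MySQL root login, SQL debug mode, clear-text password storage, a world-readable admin.conf, the password file inside the web directory, and Basic authentication. The function names and finding texts are this example's own; the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the article. Function names and messages are its own.

# conf_value FILE KEY: print the value of a "key: value" line in admin.conf,
# with any trailing "# ..." or "// ..." annotation removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*\/\/.*$//' -e 's/[[:space:]]*$//' |
        tail -n 1
}

# audit_admin_conf FILE: one finding per line on stdout.
audit_admin_conf() {
    f=$1
    if [ "$(conf_value "$f" sql_username)" = "root" ]; then
        echo "sql_username: web UI logs in as MySQL root; use an account limited to the radius database"
    fi
    if [ "$(conf_value "$f" sql_debug)" = "true" ]; then
        echo "sql_debug: SQL debug mode is still turned on"
    fi
    if [ "$(conf_value "$f" general_encryption_method)" = "clear" ]; then
        echo "general_encryption_method: user passwords are stored in clear text in the database"
    fi
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "permissions: $f holds sql_password and is world-readable"
    fi
}

# audit_htdocs DIR: checks on the Apache authentication files from Part V.
audit_htdocs() {
    d=$1
    if [ -f "$d/.htpasswd" ]; then
        echo ".htpasswd: stored inside the web directory; protected only by Apache's .ht* deny rule"
    fi
    if grep -qi '^[[:space:]]*AuthType[[:space:]]*Basic' "$d/.htaccess" 2>/dev/null; then
        echo "AuthType Basic: password is only base64-encoded on the wire; serve the alias over HTTPS"
    fi
}

# Usage: sh audit_dialup.sh /path/to/admin.conf /path/to/htdocs
if [ "$#" -eq 2 ]; then audit_admin_conf "$1"; audit_htdocs "$2"; fi
```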
