
VoIP GNUGK setup 0508.25

O / S/Linux 2007/06/07 16:50 by 아쿠아바다
VoIP GNUGK setup 8.25
cd /
mkdir services

------Add paths to the user environment----------------------------------
cd root
vi .bash_profile

PWLIBDIR=/services/pwlib
export PWLIBDIR
OPENH323DIR=/services/openh323
export OPENH323DIR
LD_LIBRARY_PATH=$PWLIBDIR/lib:$OPENH323DIR/lib
export LD_LIBRARY_PATH

:wq


--------Add the pwlib library---http://www.openh323.org-------
tar zxvf pwlib~~~
cd pwlib
./configure --prefix=/services
make
make install

--------Add openh323---------http://www.openh323.org--------
tar zxvf openh~~
cd openh~~
./configure --prefix=/services
make opt

--------openh323 test-----
./sample/simple/obj_linux_x86_r/simph323
--------If a shared library error occurs, check the .bash_profile file-----

--------Compile gnugk----------http://www.gnugk.org/-----------
--------Before compiling, confirm that MySQL and Apache are up and running

NO_PGSQL=1 NO_LDAP=1 make clean
NO_PGSQL=1 NO_LDAP=1 make bothdepend
NO_PGSQL=1 NO_LDAP=1 make both

--------If you get an lmysqlclient-related error, add the link below
ln -s /usr/lib/mysql/libmysqlclient.a /lib/libmysqlclient.a

-------------------------------------------------------------
in Linux x86 platform,
the optimized executable gnugk is produced in obj_linux_x86_r/ subdirectory.
You may copy it to /usr/sbin/, create a config in /etc/gnugk.ini and start it by
-------------------------------------------------------------

++/usr/sbin/gnugk -c /etc/gnugk.ini -o /var/log/gnugk.log -ttt


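As shown above, gnugk is compiled by switching off the services you do not use,
that is, by declaring that pgsql will not be used and ldap will not be used.
With the prebuilt executable version, on the other hand, you just unpack it, copy the files
into /usr/sbin and /etc, and run the command. It runs without problems, but writing the ini
configuration file by referring to the ini files under the etc directory of the unpacked
archive is difficult.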


telnet <computer-domain-name> 7000
help
quit

--------------voipGW---------------------------------------------------
Port 8000
root / admin



Attachment: gnugk.zip (8.29 MB)

_________________
三四一言
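RADIUS setup
Because Free Radius does not yet support Windows, it has to be installed on Linux. Other, commercial RADIUS servers do support Windows, however. In the end that damned money is always the problem. Hmm..

The web server runs on Windows, while the DB server and the RADIUS server are installed on Linux, giving a distributed environment. RADIUS supports Oracle, PostgreSQL, MS SQL, MySQL and others. Here we will use MySQL.



1) Download list

a) RedHat Linux

The Red Hat versions I actually ran this on were 7.3 and 9.0, and it worked without problems. I have not yet tried installing on any Linux other than Red Hat, but I do not expect major problems. There are also write-ups of setups built on Solaris, so it appears it can run on Solaris as well.

b) MySQL : http://www.mysql.com

MySQL is still being updated constantly, so drop by the site from time to time and download the recommended current version. It is also worth downloading and reading the various documents there.

Judging by its To Do list, MySQL is a database with a lot of room to grow.

c) Free Radius : http://www.freeradius.org

Free Radius is also being updated continuously. It is developed on Debian GNU/Linux, and the site also has text about distribution under the GNU GPL (version 2). You can also sign up there to have Free Radius related mail forwarded to you. Be aware that once you sign up you will receive tens to hundreds of mails a day, so I recommend it only to people with a roomy mail account.



2) Installation

a) Notes

All work is done with root privileges.

For performance, choose the custom install when first installing Linux and install only the minimum needed to run the server; as a rule, the remaining utilities are installed by downloading the source and compiling it. For ease of work and management, keep the source folder and the install folder in separate locations.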

b) MySQL installation

# tar xvfz mysql-4.0.12-pc-linux-i686.tar.gz
# mv /home/src/mysql-4.0.12-pc-linux-i686 /home/server/mysql
# groupadd mysql
# useradd -d /home/server/mysql -g mysql mysql
# chown -R root.mysql /home/server/mysql
# chown -R mysql /home/server/mysql/data
# /home/server/mysql/scripts/mysql_install_db
# /home/server/mysql/bin/safe_mysqld --user=mysql &
# cp /home/server/mysql/support-files/mysql.server /etc/rc.d/init.d/mysqld
# ln -s /etc/rc.d/init.d/mysqld /etc/rc.d/rc3.d/S90mysqld
# ln -s /etc/rc.d/init.d/mysqld /etc/rc.d/rc5.d/S90mysqld
# vi /etc/rc.d/init.d/mysqld      (change to basedir=/home/server/mysql)
# ntsysv                          (check [*] mysqld)

c) Free Radius installation

The opening line of the Free Radius site ( http://www.freeradius.org/ ) reads as follows.

" The FreeRADIUS Server Project is a high-performance and highly configurable GPL'd free RADIUS server. "

When installing Free Radius, the thing to watch is getting the optional configuration right, that is, pay attention to the options that link it with MySQL.

# tar -zxvf freeradius.tar.gz

Compile:

./configure --localstatedir=/var --sysconfdir=/etc \
    --with-mysql-include-dir=DIR \
    --with-mysql-lib-dir=DIR \
    --with-mysql-dir=DIR
make
make install

To check that the installation went properly, look at the contents of the /etc/raddb folder.

It is the default install folder, and you will see hundreds of files in it.

d) Configuration

There are a great many configuration files, but you only need to touch clients, radius.conf, users and sql.conf.

(1) clients

First look at the /etc/raddb/clients file. This file sets the name and authentication key of each client that will connect.

# Client Name           Key
#----------------       ----------
#portmaster1.isp.com    testing123
localhost               testing123
192.168.0.100           testing123

(2) radius.conf

As the name says, this is the RADIUS configuration file. A few of the important settings are..

user = [username], group =[groupname] (user = anybody, group =anybody)
port = [value] (port=1812)

(3) users

User settings

steve   Auth-Type := Local, User-Password == "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

(4) Integration with MySQL

Once clients, radius.conf and users are configured, you can authenticate using RADIUS.

Usually, though, freeRadius is used together with MySQL to manage information such as user authentication, login time, logout time and usage time. Let's look at how to link RADIUS with MySQL.

{unpacked}/src/modules/rlm_sql/drivers/rlm_sql_mysql

mysql -u{root} -p{rootpass} radius < db_mysql.sql

Running the SQL script this way creates the radius tables in MySQL. Now radius.conf has to be modified so that it can use MySQL.

# Create the log file
log_file = ${logdir}/radius.log

# Generate a unique accounting session Id for the logged-in user
acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
}

# include sql.conf
$INCLUDE ${confdir}/sql.conf

# Authorization
authorize {
        preprocess
        chap
        suffix
#       files
        sql
        mschap
}

# Accounting
accounting {
        acct_unique
        detail
        unix            # wtmp file
        sql
}



Now let's modify sql.conf.

# Configuration for the SQL module, when using MySQL.
# If you are using PostgreSQL, please use 'postgresql.conf', instead.
# If you are using Oracle, please use 'oracle.conf', instead.
# If you are using MS-SQL, please use 'mssql.conf', instead.
sql {
        driver = "rlm_sql_mysql"
        server = "localhost"
        login = "root"
        password = "test"

        # Database table configuration
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "usergroup"
}



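This lists the names of the tables installed in MySQL.

That is, the database name is "radius", the user acct table is "radacct", the authentication table is "radcheck", the user group table is "usergroup", and the user group check table is "radgroupcheck".

Earlier we made various settings in the configuration files. The point now is that with RADIUS linked to MySQL, these settings have to be specified as fields and records of the MySQL tables. In other words, RADIUS reads the information stored in the MySQL tables to carry out user authentication (Authentication) and accounting (Accounting).

RADIUS also comes with many standard attributes, and these attributes can be used to manage various information about users.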
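The clients and sql.conf samples above use the secret testing123 for every client and connect to MySQL as root with the password test. The following is an added example, not part of the original post: a Python check that parses both file formats as shown here and flags those values. The function names, the weak-value list and the 16-character minimum are assumptions of this example.

```python
import re

# Sample values that appear in configs on this page. The list and the
# 16-character minimum are this example's own policy, not FreeRadius rules.
WEAK_VALUES = {"testing123", "testing", "test", "mysecret", "admin"}
MIN_SECRET_LEN = 16

# Constructed inputs: the relevant lines of the samples shown above.
CLIENTS_SAMPLE = """\
# Client Name           Key
#----------------       ----------
#portmaster1.isp.com    testing123
localhost               testing123
192.168.0.100           testing123
"""

SQL_CONF_SAMPLE = """\
sql {
        driver = "rlm_sql_mysql"
        server = "localhost"
        login = "root"
        password = "test"
        radius_db = "radius"
}
"""


def _strip_comment(line):
    # Simplification: every '#' starts a comment, so a secret that
    # contains '#' would be truncated by this parser.
    return line.split("#", 1)[0].strip()


def parse_clients(text):
    """Parse the two-column `clients` file: <client name> <key>."""
    entries = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"unexpected clients line: {raw!r}")
        entries.append((fields[0], fields[1]))
    return entries


def parse_sql_conf(text):
    """Collect `key = "value"` settings from sql.conf."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', _strip_comment(raw))
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(clients_text, sql_conf_text):
    """Return a list of findings for the two configuration files."""
    findings = []
    entries = parse_clients(clients_text)
    for name, key in entries:
        if key.lower() in WEAK_VALUES:
            findings.append(f"clients: {name} uses the sample secret {key!r}")
        elif len(key) < MIN_SECRET_LEN:
            findings.append(f"clients: {name} secret is under {MIN_SECRET_LEN} characters")
    # One secret for every NAS means a single leak exposes all of them.
    if len(entries) > 1 and len({key for _, key in entries}) == 1:
        findings.append("clients: every client shares one secret")
    sql = parse_sql_conf(sql_conf_text)
    if sql.get("login") == "root":
        findings.append("sql.conf: logs in as MySQL root instead of a "
                        "user limited to the radius database")
    if sql.get("password", "").lower() in WEAK_VALUES:
        findings.append("sql.conf: database password is a sample value")
    return findings


if __name__ == "__main__":
    for finding in audit(CLIENTS_SAMPLE, SQL_CONF_SAMPLE):
        print(finding)
```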



e) Running RADIUS

RADIUS uses port 1812 by default. Port 1813 can additionally be used.

radius:/etc/raddb # radius -p 1812
radius: Starting - reading configration files
radius:/etc/raddb #






http://www.frontios.com/freeradius.html

SB's very rough notes to
FreeRadius and MySQL

Scott Bartlett ( contact ). Last updated February 10th 2003. FreeRadius is currently at version 0.8.1.

This page is an update on my original notes, hopefully now with things in a more readable order to make life easier. The original notes can be found here.


--------------------------------------------------------------------------------

Introduction

In September 2001 I started playing around with FreeRadius (then at version 0.2!) and storing user authorisation details in a MySQL database. I had previously been using a proprietary RADIUS solution and wanted rid of it. Lots of people seemed to be posting to the freeradius-users list that they were trying to do the same and found it tricky due to the lack of documentation. Thus, to help anyone out there who needed it, I wrote down all the snippets of info, tips I'd received, and steps I'd used to make it work. This is the result.

This document assumes that you are familiar with:

*nix system admin and networking
What RADIUS is and should do
MySQL administration
The basics of how to compile and install open source software.

I'm not going to describe any of the above stuff, especially the latter as I'm far from an expert on it. This document focuses on getting FreeRadius running with MySQL. It does NOT describe a basic FreeRadius installation in detail (e.g. getting it up and running with a 'users' text file or other FreeRadius configurations), nor does it cover using multiple authentication methods, fall-through's or any of that stuff. Just plain-old-MySQL-only. If you don't know about RADIUS itself, go do some background reading... the O'Reilly book ('RADIUS') is pretty good and covers FreeRadius too.

Please note: This isn't official documentation. It's not even UNofficial documentation. It's not documentation of any type by any stretch of the imagination. So far, it's just my own personal notes, written on the fly. Little editing, little detail. You takes your chances. I will try to improve when I can, or have additional information - don't hold your breath though, as life can get busy around here. The notes focus on the SQL element, NOT generally on getting FreeRadius installed and configured and operational with text files (maybe later!) although there is a little bit on that.

Also note: I'm not a programmer - editing low-level code and compiling stuff is not something I'm particularly familiar with. Ask me to read C code and I'll probably panic. My background and experience on Linux (and other stuff) puts me in the system admin/networking bracket (I'm a network builder and web app developer by day), so please bear that in mind here. Feel free to mail me, especially with suggestions and any info useful to add here, but please don't ask me 'how to I compile' stuff. Thanks.

Lastly for this bit : a big thank you to all those that helped, emailed and generally contributed to me getting this up and going, and thus to the creation of these notes.



System

I did my original testing on SuSe Linux 7.0 on Intel with FreeRadius 0.2 and MySQL 3.23.42 using a Cisco 3640 acting as a test NAS unit. The final deployment was to RedHat 7.1. Today I'm running FreeRadius 0.8.1. If you're running an older version you are strongly recommended to upgrade.



Before You Start

Before starting with FreeRadius, make sure your box is up and configured on your network, that you have MySQL installed and running, and that your NAS is configured to point to your server.

If you're using Cisco kit as your NAS, here's a quick example snippet of how to configure IOS to authenticate PPP (e.g. dial, DSL etc) users to a RADIUS server:

aaa new-model
aaa authentication ppp default if-needed group radius local
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting exec default start-stop group radius
aaa accounting network default wait-start group radius
aaa accounting connection default start-stop group radius

radius-server host a.b.c.d auth-port 1645 acct-port 1646
radius-server host e.f.g.h auth-port 1645 acct-port 1646
radius-server key YOUR-RADIUS-KEY

[a.b.c.d and e.f.g.h are the IP's of your primary and secondary RADIUS servers. YOUR-RADIUS-KEY is your RADIUS secret key as defined in clients.conf (see below). ]

Make SURE you have included the development headers in your MySQL installation otherwise the FreeRadius installation/compilation will barf. To make my own life easy, I just installed MySQL to the default location.

Just to clarify: ABSOLUTELY MAKE SURE you have the mysql-devel (headers and libraries) package installed with your MySQL, otherwise freeradius won't compile with MySQL support properly. Many people seem to miss having this.

Oh yep, did I mention about having the MySQL development headers installed? No? Make sure you do...



Getting Started

First off, you should get FreeRadius compiled, installed and running in a basic text file configuration (e.g. using the 'users' file) on your box. This I'm not going to describe in detail (read the stuff in /docs, etc), but it should basically be the following:

1 - Get the latest FreeRadius source code tarball from ftp://ftp.freeradius.org/pub/radius/freeradius.tar.gz. If you're so minded, get the latest CVS instead.

2 - Unpack the tarball and install it. On my own system the basic steps were all that was needed, and everything got dumped in the standard places:


tar xvf freeradius.tar.gz
cd freeradius
./configure
make
make install

Note that you might need to add options to ./configure if you installed MySQL to a non-standard place, or want FreeRadius to a non-standard place, or want or need any other odd bits and pieces. I was keeping it simple and didn't need to.

Then you should configure FreeRadius appropriately. It's best to start with a simple config using the standard text files, if at least only to test that FreeRadius installed OK and will work. To very briefly summarise getting the text files configured :

1 - Edit /usr/local/etc/raddb/clients.conf and enter the details of your NAS unit(s). There are examples here, so it should be easy. Tip: You'll also want to enter 'localhost' here for testing purposes (i.e. so you can use radtest).

2 - Edit /usr/local/etc/raddb/users and create an example user account. The file is commented on how to do this. I'm not going to repeat that here. If you've previously used another RADIUS server with text-file configuration (e.g. Livingston, Cistron) you'll know what goes here...

3 - Edit /usr/local/etc/raddb/realms. I just put a single line 'DEFAULT LOCAL' and that was sufficient to strip any suffix domain names in given user names - if you're using realms or proxying you'll doubtless need to do something else here, but I recommend you start with this then come back to setting up realms/proxying when you know MySQL is working. If you're not using realms, just ignore this.

4 - Edit /usr/local/etc/raddb/radiusd.conf and change as needed. For my own installation I changed the default port to run on 1645 (old port) to match what our existing boxes use (but otherwise make sure your NAS and FreeRadius are using the same) and said 'yes' to all the logging options (I'd strongly recommend you do switch on all the logging to start with). At this point I also said 'no' to using proxy to keep stuff simple. I then told it to run under the 'radius' user and group (I'd initially installed FreeRadius as root and didn't want to run it as such, so I created a user account called 'radius' in a group called 'radius' and then just blanket chown'd and chgrp'd the various radius directories to that user just to be sure the account can access all the right stuff. A bit of a sledgehammer there, but it was quick! I'm sure there's a better and/or more elegant way of doing this!). The rest of the radiusd.conf file was left alone.

At this point you should be able to manually fire up /usr/local/sbin/radiusd. You should do this with the debug turned on so you can see what happens:

/usr/local/sbin/radiusd -X

Lots of stuff will scroll to the screen, and it should tell you it's ready to accept requests. If you get an error, READ THE DEBUG, then check the docs, check the above and try again.

You should now be able to use FreeRadius. You can use radtest to test an account from the command line:

radtest username password servername port secret

So, if your example user is 'fred' with password 'wilma', your server is called 'radius.domain.com', is using port 1645, and you put localhost (or your localhost's IP) in clients.conf with a secret of 'mysecret', you should use:


radtest fred wilma radius.domain.com 1645 mysecret

And you should get back something like:

Sending Access-Request of id 226 to 127.0.0.1:1645
User-Name = 'fred'
User-Password = '\304\2323\326B\017\376\322?K\332\350Z;}'
NAS-IP-Address = radius.domain.com
NAS-Port = 1645

rad_recv : Access-Accept packet from host 127.0.0.1:1645,id=226, length=56
Framed-IP-Address = 80.84.161.1
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-Compression = Van-Jacobson-TCP-IP
Framed-IP-Netmask = 255.255.255.255

You should get an 'Access Accept' response. If you don't, do not pass Go, do not collect £200. Go back and check everything. Read the docs, READ THE DEBUG!!

Personally, I used NTradPing (downloadable from MasterSoft) on a desktop Windows PC to send test packets towards the radius server - very handy tool. If you do this, or test from any other machine, remember your PC (or other machine) needs to be in your NAS list in clients.conf too!

OK, so at this point you should have text-file authentication working in FreeRadius...



Setting up the RADIUS database in MySQL

First, you should create a new empty 'radius' database in MySQL and a login user with permissions to that database. You could of course call the database and the user anything you like but we'll stick to 'radius' for both for the purposes of this discussion.

Next up, you need to create the schema for the database. There is a file which describes this and is actually a SQL script file. It can be found at /src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql where you untar'd FreeRadius. This is the bit that, at least at the time I originally wrote these notes, wasn't really documented anywhere and was the thing most people seemed to be asking.

How you run that script is up to you and how you like to admin MySQL. The easiest way is to:

mysql -uroot -prootpass radius < db_mysql.sql

...where 'root' and 'rootpass' are your mysql root name and password respectively.

I happened to run it using MacSQL 2.0 on my Powerbook G4/OS X machine (Cool...). You could do it on the server, or use a MySQL admin tool from a Windows PC (e.g. MySQL CC, SQLion, dbtools etc) or whatever.

Now you have the database running, albeit empty.



Configuring FreeRadius to use MySQL

Edit /usr/local/etc/raddb/sql.conf and enter the server, name and password details to connect to your MySQL server and the RADIUS database. The database and table names should be left at the defaults if you used the default schema. For testing/debug purposes, switch on sqltrace if you wish - FreeRadius will dump all SQL commands to the debug output with this on.

If you're stripping all realm names (i.e. you want user joe@domain.com to authenticate as just 'joe'), then in sql.conf, under the 'query config: username' section, you MAY need to adjust the line(s) referring to sql_user_name. I needed to do this originally because we want to dump all realms, but you probably won't need to do this with the latest FreeRadius. For example, in our case I needed to uncomment the line:

sql_user_name = '%{Stripped-User-Name}'

...and comment out the following line referring to just User-Name. If you want to see what's happening here, switch on all the logging options in radiusd.conf and run radiusd in debug mode (-X) to see what's happening : you'll see "user@domain" being passed to MySQL when using User-Name, but just "user" when using Stripped-User-Name. Using the latter, realms worked for me (basically, I strip everything, as all user names are unique on the server anyway). Of course, set all your other SQL options as needed (database login details, etc).

Edit /usr/local/etc/raddb/radiusd.conf and add a line saying 'sql' to the authorize{} section (which is towards the end of the file). The best place to put it is just before the 'files' entry. Indeed, if you'll just be using MySQL, and not falling back to text files, you could comment out or lose the 'files' entry altogether.

Also add a line saying 'sql' to the accounting{} section too between 'unix' and 'radutmp'. FreeRadius will now do accounting to MySQL as well.

The end of your radiusd.conf should then look something like this:

authorize {
        preprocess
        chap
        mschap
        #counter
        #attr_filter
        #eap
        suffix
        sql
        #files
        #etc_smbpasswd
}

authenticate {
        authtype PAP {
                pap
        }
        authtype CHAP {
                chap
        }
        authtype MS-CHAP{
                mschap
        }
        #pam
        #unix
        #authtype LDAP {
        #       ldap
        #}
}

preacct {
        preprocess
        suffix
        #files
}

accounting {
        acct_unique
        detail
        #counter
        unix
        sql
        radutmp
        #sradutmp
}

session {
        radutmp
}




Populating MySQL

You should now create some dummy data in the database to test against. It goes something like this:

In usergroup, put entries matching a user account name to a group name.
In radcheck, put an entry for each user account name with a 'Password' attribute with a value of their password.
In radreply, create entries for each user-specific radius reply attribute against their username
In radgroupreply, create attributes to be returned to all group members

Here's a dump of tables from the 'radius' database from mysql on my test box (edited slightly for clarity). This example includes three users, one with a dynamically assigned IP by the NAS (fredf), one assigned a static IP (barney), and one representing a dial-up routed connection (dialrouter):

mysql> select * from usergroup;
+----+---------------+-----------+
| id | UserName      | GroupName |
+----+---------------+-----------+
|  1 | fredf         | dynamic   |
|  2 | barney        | static    |
|  2 | dialrouter    | netdial   |
+----+---------------+-----------+
3 rows in set (0.00 sec)

mysql> select * from radcheck;
+----+----------------+----------------+------------------+------+
| id | UserName       | Attribute      | Value            | Op   |
+----+----------------+----------------+------------------+------+
|  1 | fredf          | Password       | wilma            | ==   |
|  2 | barney         | Password       | betty            | ==   |
|  2 | dialrouter     | Password       | dialup           | ==   |
+----+----------------+----------------+------------------+------+
3 rows in set (0.02 sec)

mysql> select * from radgroupcheck;
+----+------------+-------------------+---------------------+------+
| id | GroupName  | Attribute         | Value               | Op   |
+----+------------+-------------------+---------------------+------+
|  1 | dynamic    | Auth-Type         | Local               | :=   |
|  2 | static     | Auth-Type         | Local               | :=   |
|  3 | netdial    | Auth-Type         | Local               | :=   |
+----+------------+-------------------+---------------------+------+
3 rows in set (0.01 sec)

mysql> select * from radreply;
+----+------------+-------------------+---------------------------------+------+
| id | UserName   | Attribute         | Value                           | Op   |
+----+------------+-------------------+---------------------------------+------+
|  1 | barney     | Framed-IP-Address | 1.2.3.4                         | :=   |
|  2 | dialrouter | Framed-IP-Address | 2.3.4.1                         | :=   |
|  3 | dialrouter | Framed-IP-Netmask | 255.255.255.255                 | :=   |
|  4 | dialrouter | Framed-Routing    | Broadcast-Listen                | :=   |
|  5 | dialrouter | Framed-Route      | 2.3.4.0 255.255.255.248         | :=   |
|  6 | dialrouter | Idle-Timeout      | 900                             | :=   |
+----+------------+-------------------+---------------------------------+------+
6 rows in set (0.01 sec)

mysql> select * from radgroupreply;
+----+-----------+--------------------+---------------------+------+
| id | GroupName | Attribute          | Value               | Op   |
+----+-----------+--------------------+---------------------+------+
| 34 | dynamic   | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
| 33 | dynamic   | Framed-Protocol    | PPP                 | :=   |
| 32 | dynamic   | Service-Type       | Framed-User         | :=   |
| 35 | dynamic   | Framed-MTU         | 1500                | :=   |
| 37 | static    | Framed-Protocol    | PPP                 | :=   |
| 38 | static    | Service-Type       | Framed-User         | :=   |
| 39 | static    | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
| 41 | netdial   | Service-Type       | Framed-User         | :=   |
| 42 | netdial   | Framed-Protocol    | PPP                 | :=   |
+----+-----------+--------------------+---------------------+------+
12 rows in set (0.01 sec)

mysql>

In this example, 'barney' (who is a single user dialup) only needs an attribute for IP address in radreply so he gets his static IP - he does not need any other attributes here as all the others get picked up from the 'static' group entries in radgroupreply.

'fred' needs no entries in radreply as he is dynamically assigned an IP via the NAS - so he'll just get the 'dynamic' group entries from radgroupreply ONLY.

'dialrouter' is a dial-up router, so as well as needing a static IP it needs route and mask attributes (etc) to be returned. Hence the additional entries.

'dialrouter' also has an idle-timeout attribute so the router gets kicked if it's not doing anything - you could add this for other users too if you wanted to. Of course, if you feel like or need to add any other attributes, that's kind of up to you!

Note the operator ('op') values used in the various tables. The password check attribute should use ==. Most return attributes should have a := operator, although if you're returning multiple attributes of the same type (e.g. multiple Cisco-AVpair's) you should use the += operator instead otherwise only the first one will be returned. Read the docs for more details on operators.

If you're stripping all domain name elements from usernames via realms, remember NOT to include the domain name elements in the usernames you put in the MySQL tables - they should get stripped BEFORE the database is checked, so name@domain will NEVER match if you're realm stripping (assuming you follow point 2 above) – you should just have 'name' as a user in the database. Once it's working without, and if you want more complex realm handling, go back to work out not stripping (and keeping name@domain in the db) if you really want to.

Auth-Type Note, Feb 2003: At the time of writing (i.e. up to and including FreeRadius 0.8.1), FreeRadius will default to an Auth-Type of 'local' if one is not found. This means that you do not need to include this (i.e. the radgroupcheck table above could actually be empty, and indeed is on my own box), but you probably should include it for clarity and for future-proofing in case FreeRadius changes. Please note that a previous version of this page indicated that Auth-Type should be included in the rad(group)reply tables. It appears that this is incorrect and that Auth-Type should be in the rad(group)check tables. Other than Auth-Type, for simple setups, you probably need nothing in radgroupcheck - unless you want users dialing certain nas'es, etc etc.



Using FreeRadius and MySQL

Fire up radiusd again in debug mode. The debug output should show it connecting to the MySQL database. Use radtest (or NTradPing) to test again - the user should authenticate and the debug output should show FreeRadius talking to MySQL.

You're done!



Additional Snippets:

To use encrypted passwords in radcheck use the attribute 'Crypt-Password', instead of 'Password', and just put the encrypted password in the value field. ( i.e. UNIX crypt'd password).

To get NTradPing to send test accounting (e.g. stop) packets it needs arguments, namely acct-session-time. Put something like 'Acct-Session-Time=99999' into the 'Additional RADIUS Attributes' box when sending stops. Thanks to JL for the tip.

If you have a Cisco nas, set the cisco-vsa-hack

Running a backup FreeRadius server and need to replicate the RADIUS database to it? I followed Colin Bloch's basic instructions at http://www.ls-l.net/mysql/ and got replication setup between two MySQL servers. Real easy. Read the MySQL docs on replication for more details. Note that MySQL replication is one-way-only.

On the subject of backup servers. If you want to run TWO MySQL servers and have FreeRadius fall over between them, you'll need to do something like this: duplicate your sql.conf and edit the second copy to reflect connecting to your backup server ; then name the files something like sql1.conf and sql2.conf ; in radiusd.conf change and duplicate the include line for sql.conf to include sql1.conf and sql2.conf instead ; in the 'authorize' section of radiusd.conf change the 'sql' entry to a 'group' one, like this:


group {
        sql1 {
                fail = 1
                notfound = return
                noop = 2
                ok = return
                updated = 3
                reject = return
                userlock = 4
                invalid = 5
                handled = 6
        }
        sql2 {
                fail = 1
                notfound = return
                noop = 2
                ok = return
                updated = 3
                reject = return
                userlock = 4
                invalid = 5
                handled = 6
        }
}

Note that if FreeRadius fails over to the second MySQL server and tries to update the accounting table (radacct), nasty things might possibly happen to your replication setup and database integrity as the first MySQL server won't have got the updates...

-- end--

_________________
radius conf files 8.30
tar cfvz radius_conf0906.tar /etc/raddb/
Configuration files that work with openhphone, up to and including racc
Includes the radius configuration and GK configuration files



Attachment: radius+GK0906.zip (156.93 KB)


_________________
Running the Gatekeeper

--Run RADIUS--debug mode
cd /etc/raddb/
radiusd -X

--Run GK------
/usr/sbin/gnugk -c /services/gnugk/radius.ini -o /services/gnugk/radius.log -i 172.21.82.251 -ttt

--Analyze the GK log--
tail -f /services/gnugk/radius.log

--GW configuration ------
http://172.21.82.250:8000 root/admin

--RADIUS status view--
http://xxx.xxx.85.38/admin/htdocs/index.html
