Deployment Manual: Open-Source AAA Solution - FreeRADIUS
1 Software Introduction
RADIUS (Remote Authentication Dial-In User Service) is the network protocol used to authenticate dial-in (and, today, any network-access) users and their service requests. It provides centralized authentication, authorization and accounting (AAA) for controlling how users consume network resources, and lets every access device share one central database of user records instead of each device holding its own.
FreeRADIUS is an open-source, modular, high-performance and feature-rich RADIUS suite comprising a server, a client, development libraries and a number of related RADIUS tools. As the first RADIUS implementation released as open source, its code builds on almost any system, and it is designed for large-scale AAA deployments (ten million users and millions of requests per day). FreeRADIUS ships no web interface, so this manual uses the third-party DaloRADIUS web front end for administration.
2 Base Environment
2.1 Deployment Environment
- Server hardware: KVM virtual machine, 2 vCPU + 2 GB vMem + 8 GB disk
- Operating system: CentOS Linux release 7.8.2003
- Database: MariaDB (the mariadb-server package from the CentOS 7 base repository; section 3 installs MariaDB, not PostgreSQL)
- Web server: Apache httpd v2.4.6
- PHP: v5.4.16
- FreeRADIUS: v3.0.13
- DaloRADIUS: v1.3
2.2 Base Operating System Settings
Disable SELinux
With SELinux enforcing, the DaloRADIUS pages fail to load. Disabling SELinux is a lab shortcut; on a production host keep it enforcing and fix the file labels instead (the usual cause is that files moved out of /tmp keep the tmp_t context, which httpd is not allowed to read).
# setenforce 0
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
Disable the firewall
This avoids the host being unreachable from outside once installation is complete. Turning firewalld off entirely is likewise a lab shortcut; in production leave it running and open only the ports this host serves: 80/tcp for the web interface, 1812/udp for RADIUS authentication and 1813/udp for RADIUS accounting.
# systemctl stop firewalld && systemctl disable firewalld
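The two shortcuts above switch host controls off wholesale. The script below is an added example, not part of the original manual, showing the alternative: keep firewalld and SELinux enforcing, open only the three ports this host serves, and relabel the DaloRADIUS tree (files moved out of /tmp keep the tmp_t label, which httpd cannot read). It assumes the default RADIUS ports, the web UI on 80/tcp and the /var/www/html/daloradius path used in section 6; the DB_OVER_TCP switch and the function names are this example's own, not FreeRADIUS or DaloRADIUS settings.

```shell
#!/bin/sh
# Added example, not from the original manual: keep firewalld and SELinux on
# instead of disabling them. Assumes RADIUS on the default ports (1812/udp
# authentication, 1813/udp accounting), DaloRADIUS on 80/tcp and unpacked at
# /var/www/html/daloradius as in section 6. DB_OVER_TCP is this example's own
# switch, not a FreeRADIUS or DaloRADIUS setting.
set -u

DALORADIUS_DIR="${DALORADIUS_DIR:-/var/www/html/daloradius}"

# Ports this host must accept, as port/proto tokens understood by firewall-cmd.
radius_host_ports() {
    echo "1812/udp 1813/udp 80/tcp"
}

# Open only those ports in the default zone and make the change persistent.
open_radius_firewall() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; firewalld is not installed" >&2
        return 1
    fi
    for p in $(radius_host_ports); do
        firewall-cmd --permanent --add-port="$p" || return 1
    done
    firewall-cmd --reload
}

# Files moved out of /tmp keep the tmp_t label, so httpd_t cannot read them.
# restorecon reapplies the default label for /var/www/html, a common cause of
# the web errors that the manual works around with setenforce 0.
# The httpd_can_network_connect_db boolean is only needed when PHP reaches the
# database over TCP (CONFIG_DB_HOST set to an IP) rather than the local socket.
relabel_daloradius() {
    if ! command -v restorecon >/dev/null 2>&1; then
        echo "restorecon not found; install policycoreutils" >&2
        return 1
    fi
    restorecon -Rv "$DALORADIUS_DIR" || return 1
    if [ "${DB_OVER_TCP:-0}" = 1 ]; then
        setsebool -P httpd_can_network_connect_db on
    fi
}

case "${1:-}" in
    firewall) open_radius_firewall ;;
    selinux)  relabel_daloradius ;;
    all)      open_radius_firewall && relabel_daloradius ;;
    *)        echo "usage: $0 {firewall|selinux|all}" >&2 ;;
esac
```

Run it as `sh harden.sh all` once DaloRADIUS is in place (section 6); the `selinux` step can be repeated safely after any later file copies into the web root.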
Configure YUM repositories
Configure the base CentOS repository, EPEL and the PostgreSQL repository. (The PostgreSQL repository is not used by the rest of this manual, which installs MariaDB in section 3; that step can be skipped.)
# mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# wget -P /etc/yum.repos.d/ https://mirrors.163.com/.help/CentOS7-Base-163.repo
# yum clean all
# yum makecache
# yum install epel-release -y
# yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Download the installation package
Fetch the DaloRADIUS 1.3 release tarball in advance. The directory and file names must match the ones section 6 extracts from (the original `-O /tmp/freeradius` saved the tarball as a file named freeradius, which section 6 then tried to use as a directory):
# mkdir -p /tmp/freeradius
# wget https://codeload.github.com/lirantal/daloradius/tar.gz/refs/tags/1.3 -O /tmp/freeradius/daloradius-1.3.tar.gz
3 Install and Configure the Database
# yum install -y mariadb-server mariadb
# systemctl start mariadb
# systemctl enable mariadb
# mysql_secure_installation
# mysql -u root -p
MariaDB [(none)]> create database radius;
MariaDB [(none)]> grant all on radius.* to radius@localhost identified by 'radius';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
The password 'radius' is the placeholder used throughout this manual; replace it with a strong, unique value and use that same value in /etc/raddb/mods-available/sql (section 5) and library/daloradius.conf.php (section 6). The grant is already scoped to the radius database and bound to localhost, which is all FreeRADIUS and DaloRADIUS need.
4 Install and Configure the Web Server and PHP
# yum install -y httpd
# systemctl enable httpd
# systemctl start httpd
# yum install -y php php-mysql php-pear php-devel php-common php-gd php-mbstring php-mcrypt php-xml php-pear-DB
# systemctl restart httpd
5 Install and Configure FreeRADIUS
# yum install -y freeradius freeradius-utils freeradius-mysql
# systemctl start radiusd.service
# systemctl enable radiusd.service
# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
# vim /etc/raddb/mods-available/sql
The settings that matter for this deployment are shown below (comments trimmed, indentation as in the file; everything not shown keeps its default):
sql {
	# The sub-module to use to execute queries. This should match
	# the database you're attempting to connect to.
	#
	# * rlm_sql_mysql
	# * rlm_sql_mssql
	# * rlm_sql_oracle
	# * rlm_sql_postgresql
	# * rlm_sql_sqlite
	# * rlm_sql_null (log queries to disk)
	#
	driver = "rlm_sql_mysql"
	# The dialect of SQL you want to use, this should usually match
	# the driver you selected above.
	#
	# If you're using rlm_sql_null, then it should be the type of
	# database the logged queries are going to be executed against.
	dialect = "mysql"
	# Connection info:
	#
	server = "localhost"
	port = 3306
	login = "radius"
	password = "radius"
	# Database table configuration for everything except Oracle
	radius_db = "radius"
	(rest of the file unchanged)
A module under mods-available is only loaded once it is linked into mods-enabled; the default virtual server already references it as the optional `-sql` module in its authorize, accounting, session and post-auth sections, so no site edits are needed. The module file now holds the database password, so keep it readable by root and the radiusd group only, then restart the server:
# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/sql
# chgrp -h radiusd /etc/raddb/mods-enabled/sql
# chmod 640 /etc/raddb/mods-available/sql
# systemctl restart radiusd.service
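Before moving on to the web front end it is worth proving that the server really authenticates against the radcheck table. The script below is an added example, not part of the original manual or of FreeRADIUS: it inserts a test account into radcheck, sends an Access-Request with radtest (from freeradius-utils, installed above) and classifies the reply. It assumes the database credentials configured in the sql module above (radius/radius@localhost, database radius) and the stock clients.conf entry for 127.0.0.1 with shared secret testing123; the account name and password you pass on the command line, and the function names, are this example's own.

```shell
#!/bin/sh
# Added example, not from the original manual: end-to-end check that
# FreeRADIUS authenticates a user stored in the radcheck table. Assumes the
# sql module settings from section 5 (radius/radius@localhost, database
# "radius"), the stock clients.conf client for 127.0.0.1 with secret
# "testing123", and radtest from freeradius-utils. Override via environment.
set -u

DB_USER="${DB_USER:-radius}"
DB_PASS="${DB_PASS:-radius}"
DB_NAME="${DB_NAME:-radius}"
RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"

# Build the radcheck row for a Cleartext-Password user. The ":=" operator sets
# the attribute; FreeRADIUS compares it with the password in the Access-Request.
# Single quotes in the inputs are doubled so the statement stays well-formed.
radcheck_insert_sql() {
    user=$(printf '%s' "$1" | sed "s/'/''/g")
    pass=$(printf '%s' "$2" | sed "s/'/''/g")
    printf "INSERT INTO radcheck (username, attribute, op, value) VALUES ('%s', 'Cleartext-Password', ':=', '%s');\n" "$user" "$pass"
}

# Classify radtest (FreeRADIUS 3.0.x radclient) output read from stdin.
# "timeout" means no reply at all: the server silently drops requests whose
# client IP or shared secret does not match clients.conf, so this usually
# points at clients.conf rather than at the user data.
classify_radius_reply() {
    reply=$(cat)
    case "$reply" in
        *"Received Access-Accept"*) echo accept ;;
        *"Received Access-Reject"*) echo reject ;;
        *) echo timeout ;;
    esac
}

# Insert the test account. Run once per account: radcheck has no unique key on
# username. The password on the command line shows up in `ps`; on a shared
# host put the credentials in ~/.my.cnf instead.
add_test_user() {
    radcheck_insert_sql "$1" "$2" | mysql -u "$DB_USER" -p"$DB_PASS" "$DB_NAME"
}

# radtest <user> <password> <server>[:port] <nas-port-number> <secret>
auth_test() {
    radtest "$1" "$2" "$RADIUS_HOST" 0 "$RADIUS_SECRET" 2>&1 | classify_radius_reply
}

if [ $# -eq 2 ] && command -v radtest >/dev/null 2>&1; then
    add_test_user "$1" "$2"
    result=$(auth_test "$1" "$2")
    echo "auth test for $1 with the stored password: $result"
    # The stored password must be accepted and a wrong one rejected; anything
    # else means the sql module is not loaded or clients.conf is wrong.
    [ "$result" = accept ] && [ "$(auth_test "$1" "wrong-$2")" = reject ]
fi
```

Run it as `sh radius-check.sh testuser 'some-test-password'`; a zero exit status means the accept/reject pair behaved as expected. Delete the test row from radcheck afterwards, or manage it from DaloRADIUS once section 6 is done.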
6 Install and Configure DaloRADIUS
# cd /tmp/freeradius
# tar xvf daloradius-1.3.tar.gz
# mv daloradius-1.3/ /var/www/html/daloradius
# chown -R apache:apache /var/www/html/daloradius
# cd /var/www/html/daloradius/
# mv library/daloradius.conf.php.sample library/daloradius.conf.php
# chmod 640 library/daloradius.conf.php
The configuration file will hold the database password, so it is set to 640 (owner and the apache group) rather than the world-readable 644.
Load the database tables. The FreeRADIUS tables were already created from the FreeRADIUS 3 schema in section 5; fr2-mysql-daloradius-and-freeradius.sql bundles the FreeRADIUS 2 tables with the DaloRADIUS ones and only matters on FreeRADIUS 2 installations, so on this build mysql-daloradius.sql is the import that is actually required:
# mysql -u root -p radius < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# mysql -u root -p radius < /var/www/html/daloradius/contrib/db/mysql-daloradius.sql
# vim library/daloradius.conf.php
# cat library/daloradius.conf.php
...
$configValues['FREERADIUS_VERSION'] = '3';
$configValues['CONFIG_DB_ENGINE'] = 'mysqli';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radius';
$configValues['CONFIG_DB_NAME'] = 'radius';
The sample file ships with FREERADIUS_VERSION set to '2'; this deployment runs FreeRADIUS 3.0.x, so set it to '3'. CONFIG_DB_PASS must match the password granted in section 3.
# systemctl restart httpd
7 Deployment Result
Once installation is complete, open http://freeradius-ip/daloradius/ in a browser to verify the deployment. The default login is administrator/radius. Change it at first login, since it is published with the software, and restrict which networks can reach the interface: as deployed here it is served over plain HTTP, so the credentials and every session travel unencrypted.