freeradius + oracle wireless authentication

RADIUS installation, configuration and maintenance document

一、Download the packages

freeradius-server-3.0.9.tar.gz and talloc-2.1.3.tar.gz (verify each tarball's checksum or signature against the one published by the project before building)

二、Edit /root/.bash_profile and add the following

export ORACLE_BASE=/u01/app/oracle

export ORACLE_HOME=$ORACLE_BASE/product/11.2.4

export ORACLE_SID=radiusdb

export PATH=$PATH:$HOME/bin:$ORACLE_HOME/bin

export LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib

A radiusd started from this root shell inherits LD_LIBRARY_PATH, which is how rlm_sql_oracle finds the Oracle client library (libclntsh) at run time. If the server is later started from an init script, export the same variables there or add $ORACLE_HOME/lib to the dynamic linker configuration; otherwise the sql module fails to load.

三、Build and install

1、  Install talloc

./configure --prefix=/usr/local/talloc

make && make install

2、  Install freeradius

1)       Change into freeradius-server-3.0.9/src/modules/rlm_sql/drivers/rlm_sql_oracle

2)       Run ./configure --with-oracle-include-dir=/u01/app/oracle/product/11.2.4/rdbms/public --with-oracle-lib-dir=/u01/app/oracle/product/11.2.4/lib to configure the Oracle connection driver against the Oracle client headers and libraries

3)       In the freeradius-server-3.0.9 directory run

./configure --with-oracle-include-dir=/u01/app/oracle/product/11.2.4/rdbms/public --with-oracle-lib-dir=/u01/app/oracle/product/11.2.4/lib --with-talloc-lib-dir=/usr/local/talloc/lib/ --with-talloc-include-dir=/usr/local/talloc/include --with-openssl=no

make && make install

Note that --with-openssl=no builds the server without TLS: the TLS-based EAP methods (EAP-TLS, PEAP, EAP-TTLS) and RADIUS over TLS are not available, so this build only serves plain RADIUS with PAP/CHAP/MS-CHAP against the SQL backend. Build with OpenSSL if wireless clients are to authenticate with PEAP or EAP-TLS.

3、  Configure freeradius

1)  Change into /usr/local/etc/raddb and edit clients.conf, sites-available/default and mods-available/sql

2)  clients.conf

Add the following:

client test {

       ipaddr          = 10.55.0.0/16

       secret          = testing

}

This defines which client (NAS) addresses may send requests to the server and the shared secret they must present. A /16 with a seven-character secret means every host in that range can act as a NAS, and PAP passwords on the wire are protected by nothing stronger than MD5 of this secret and the request authenticator; in production use one block per NAS (or a small subnet) with a long random secret, and set require_message_authenticator = yes in the block where the client supports it.

3)  sites-available/default

In this file remove the comment marker in front of sql in the authorize, accounting, session and post-auth sections (post-auth has a second one inside Post-Auth-Type REJECT), so that the server reads check and reply items from the database, writes accounting records and logs the outcome of each authentication. Entries written as -sql are already active once the module is enabled; the leading - only makes the server tolerate the module being absent. There is no eap section in this file: EAP is a module configured in mods-available/eap, and with the --with-openssl=no build above the TLS-based EAP methods cannot be built anyway.

4)  mods-available/sql (the driver, dialect, server, login, password and radius_db lines are the ones to adapt to your environment)

sql {
        driver = "rlm_sql_oracle"       # database driver: Oracle

        dialect = "oracle"

        server = "10.55.1.3"
#       port = 3306                     # MySQL default; unused with Oracle, the port is part of radius_db below
        login = "radius"
        password = "123456"             # stored in clear text: keep this file readable by root and the radiusd user only

        # Database table configuration for everything except Oracle
#       radius_db = "radius"            # comment this line out

        # If you are using Oracle then use this instead
        radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.55.1.3)(PORT=1521))(CONNECT_DATA=(SID=radiusdb)))"

#       radius_db = "dbname=radius host=localhost user=radius password=raddpass"

        acct_table1 = "radacct"
        acct_table2 = "radacct"

        # Allow for storing data after authentication
        postauth_table = "radpostauth"

        # Tables containing 'check' items
        authcheck_table = "radcheck"
        groupcheck_table = "radgroupcheck"

        # Tables containing 'reply' items
        authreply_table = "radreply"
        groupreply_table = "radgroupreply"

        # Table to keep group info
        usergroup_table = "radusergroup"

#       read_groups = yes

#       read_profiles = yes

        # Remove stale session if checkrad does not see a double login
        delete_stale_sessions = yes

        # Write SQL queries to a logfile. This is potentially useful for tracing
        # issues with authorization queries.
#       logfile = ${logdir}/sqllog.sql

        #       sql1 {
        #           ...
        #           pool {
        #                ...
        #           }
        #       }
        #
        #       # sql2 will use the connection pool from sql1
        #       sql2 {
        #            ...
        #            pool = sql1
        #       }
        #
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }

#       read_clients = yes              # left off: NAS entries are not loaded from the nas table, clients.conf stays authoritative
        client_table = "nas"

#       group_attribute = "${.:instance}-SQL-Group"
        group_attribute = "SQL-Group"

        $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}

5)       In the mods-enabled directory create a symlink to mods-available/sql (cd mods-enabled && ln -s ../mods-available/sql sql)

sql -> ../mods-available/sql

6)       As the oracle user, change into mods-config/sql/main/oracle and run schema.sql to create the application tables. Run it connected as the database user named in login (radius here) so that the tables end up in that schema, because the queries in queries.conf refer to them unqualified. The tables start empty: user records go into radcheck (for example attribute Cleartext-Password with op :=), per-user reply attributes into radreply, and group membership into radusergroup.
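The client block in step 2) above gives an entire /16 one short secret. The following script is an added example (not part of this document or of FreeRADIUS) that lints a clients.conf for exactly those two problems: it parses each client block, flags ipaddr ranges wider than a /24 (or the wildcard *) and secrets that are short or well-known defaults. The thresholds, the deny-list, the second client wlc01 and its secret are this example's own assumptions; the sample text is constructed and starts with the block from this document.

```python
"""Lint clients.conf for over-broad client ranges and weak shared secrets.

Added example: not part of the post or of FreeRADIUS. The thresholds (at most a
/24 per client block, secrets of 16+ characters, a short deny-list of defaults)
are this example's own policy, not anything FreeRADIUS enforces.
"""
import ipaddress
import re

WEAK_SECRETS = {"testing", "testing123", "secret", "radius", "password"}  # assumed deny-list
MAX_HOSTS = 256       # policy: one client block should not cover more than a /24
MIN_SECRET_LEN = 16   # policy

# one client block; nested sub-blocks such as limit { } are not handled here
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}", re.S)
# key = value, with optional quotes and an optional trailing # comment
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n#]*?)"?\s*(?:#.*)?$', re.M)


def parse_clients(text):
    """Return {client name: {option: value}} for every client block in text."""
    return {name: {k: v.strip() for k, v in KV_RE.findall(body)}
            for name, body in CLIENT_RE.findall(text)}


def lint_client(name, opts):
    findings = []
    ip = opts.get("ipaddr") or opts.get("ipv4addr") or opts.get("ipv6addr")
    if ip is None:
        findings.append(f"{name}: no ipaddr")
    elif ip == "*":
        findings.append(f"{name}: ipaddr * accepts requests from any source")
    else:
        try:
            hosts = ipaddress.ip_network(ip, strict=False).num_addresses
            if hosts > MAX_HOSTS:
                findings.append(f"{name}: ipaddr {ip} covers {hosts} hosts sharing one secret")
        except ValueError:
            pass  # a hostname is legal here; radiusd resolves it at startup
    secret = opts.get("secret")
    if secret is None:
        findings.append(f"{name}: no secret")
    else:
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"{name}: secret is only {len(secret)} chars; PAP passwords are "
                            "protected by nothing stronger than MD5(secret || authenticator)")
        if secret.lower() in WEAK_SECRETS:
            findings.append(f"{name}: secret '{secret}' is a well-known default")
    return findings


def lint(text):
    return [f for name, opts in parse_clients(text).items() for f in lint_client(name, opts)]


# constructed sample: the block from the post, followed by a tightened one
SAMPLE = """\
client test {
       ipaddr          = 10.55.0.0/16
       secret          = testing
}
client wlc01 {
       ipaddr          = 10.55.1.10          # one controller, not a whole campus
       secret          = 7G2kq9VtXr4mLp8sWzE1
       require_message_authenticator = yes
}
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it against /usr/local/etc/raddb/clients.conf after every change; the test block reports three findings (range, length, known default) and the wlc01 block none.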

四、RADIUS maintenance

1、  Stop and restart

1)  Restart the database

Switch to the oracle account

#su - oracle

$sqlplus / as sysdba

SQL>startup

Start the listener

$lsnrctl start

Check the listener status; it is healthy when the output shows the radiusdb service with its instance in status READY, as in the Services Summary lines below.

$lsnrctl status

 

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 20-AUG-2015 10:27:27

 

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

 

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=Radius)(PORT=1521)))

STATUS of the LISTENER

------------------------

Alias                     LISTENER

Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production

Start Date                20-AUG-2015 10:20:15

Uptime                    0 days 0 hr. 7 min. 12 sec

Trace Level               off

Security                  ON: Local OS Authentication

SNMP                      OFF

Listener Parameter File   /u01/app/oracle/product/11.2.4/network/admin/listener.ora

Listener Log File         /u01/app/oracle/diag/tnslsnr/Radius/listener/alert/log.xml

Listening Endpoints Summary...

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=Radius)(PORT=1521)))

  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))

Services Summary...

Service "radiusdb" has 1 instance(s).

  Instance "radiusdb", status READY, has 1 handler(s) for this service...

Service "radiusdbXDB" has 1 instance(s).

  Instance "radiusdb", status READY, has 1 handler(s) for this service...

The command completed successfully

Switch back to root and run radiusd to start the RADIUS service

#radiusd

For a first start, or when something is wrong, run radiusd -X instead: it stays in the foreground, prints every module call and SQL query, and exits with a clear message if the Oracle connection pool cannot be opened.

Check that UDP ports 1812 (authentication) and 1813 (accounting) are listening

#netstat -lntup | grep -E '1812|1813'

If they are, the server is up; if not, check the log file /usr/local/var/log/radius/radius.log. An end-to-end check from the server itself is radtest <user> <password> 127.0.0.1 0 <secret>, where <secret> is the one of the localhost client in clients.conf and <user> has a row in radcheck; an Access-Accept confirms the server, the Oracle connection and the check query all work.
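To exercise the server end to end without a NAS, the following added example (not from this document or from the FreeRADIUS project; radtest, which ships with the server, does the same job) builds an RFC 2865 Access-Request with a PAP User-Password, sends it to UDP/1812 and verifies the Response Authenticator before trusting the answer. It also shows why the shared secret in clients.conf matters: given one captured request/response pair, recover_secret() tries a word list against the Response Authenticator, and the matching secret then decrypts the User-Password. The username, password, NAS address and word list are constructed; the secret "testing" is the one from clients.conf above.

```python
"""RFC 2865 PAP client plus an offline shared-secret check (added example; not from
the post or the FreeRADIUS project). Assumes the server above listens on UDP/1812
and that the secret is the one of the matching clients.conf block ("testing" above)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def decrypt_password(encrypted, secret, authenticator):
    """Inverse of encrypt_password: whoever knows the secret can read a captured password."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, username, password, secret, nas_ip="127.0.0.1", authenticator=None):
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: 16 unpredictable bytes
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", 0)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse(packet):
    """Return (code, ident, authenticator, [(type, value), ...]); rejects malformed TLVs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i + 2 <= length:
        kind, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((kind, packet[i + 2:i + alen]))
        i += alen
    if i != length:
        raise ValueError("trailing byte after attributes")
    return code, ident, packet[4:20], attrs

def response_authenticator(response, request_authenticator, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 s3."""
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()

def verify_response(response, request, secret):
    """True only if the reply carries the request's ID and was built with the same secret."""
    _, ident, auth, _ = parse(response)
    if ident != request[1]:
        return False
    return hmac.compare_digest(auth, response_authenticator(response, request[4:20], secret))

def build_response(code, request, secret, attrs=b""):
    """The server side of the exchange, included so the checks can run offline."""
    hdr = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request[4:20] + attrs + secret).digest() + attrs

def recover_secret(request, response, candidates):
    """Passive-observer attack: a candidate that reproduces the Response Authenticator
    is the shared secret, and decrypt_password() then reveals User-Password as well."""
    for candidate in candidates:
        if verify_response(response, request, candidate):
            return candidate
    return None

def access_request(server, secret, username, password, port=1812, timeout=3.0):
    """Send one PAP Access-Request; True on Access-Accept, False on Access-Reject."""
    request = build_access_request(os.urandom(1)[0], username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        response, _ = sock.recvfrom(4096)
    if not verify_response(response, request, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or spoofed reply")
    return parse(response)[0] == ACCESS_ACCEPT

if __name__ == "__main__":
    # constructed check: needs a radcheck row for alice with Cleartext-Password := s3cret,
    # and the secret must be the one of the clients.conf block covering this host's address
    print("accepted" if access_request("10.55.1.3", b"testing", "alice", "s3cret") else "rejected")
```

When run on the server itself against 127.0.0.1, pass the secret of the localhost client in clients.conf rather than the one of the 10.55.0.0/16 block, since FreeRADIUS picks the client block by source address. The recover_secret() loop is the reason the client secret should be long and random: it costs one MD5 per guess, needs only a single captured exchange, and succeeds against "testing" on the first dictionary pass.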

posted @ 2016-12-01 09:51  %允儿%