Ключевые слова:cisco, dialup, dialin, aaa, auth, radius, (найти похожие документы)
From: Karen Mkoyan <[email protected]>
Subject: [Cisco] RADIUS для авторизации, аутентификации и аккаутинга Dialup пользователей
Remote Authentication Dial-In User Service for Cisco (RADIUS)
-------------------
By Karen Mkoyan [email protected]
Draft version: 0.1
Friday, January 31, 2003
03:52:32
------
Introduction:
Remote Authentication Dial-In User Service (RADIUS) is a
client/server protocol and software that enables remote access servers
to communicate with a central server to authenticate dial-in users and
authorize their access to the requested system or service. In this
particular case the requested system is Cisco dial-up pool. RADIUS
allows a company to maintain user profiles in a central database that
all remote servers can share. It provides better security, allowing a
company to set up a policy that can be applied at a single administered
network point. Having a central service also means that it's easier to
track usage for billing and for keeping network statistics. Current
standard is detailed described in RFC 2138 and 2139
ftp://ftp.ripe.net/rfc/ This is a very good solution for Internet
Service Providers.
------
Getting started:
Before the actual installation you need to make sure you have, otherwise
install the following:
1. PERL
2. MySQL
3. Perl DBI module
4. Perl DATA-DUMPER module
5. Perl DATA-SHOWTABLE module
6. Perl IC-Radius module
7. MySQL DBD
8. BERKLEY SOCKETS (optional for IC-Radius, but you will need for MySQL later).
9. SNMP (optional)
10. PHP MyAdmin (optional)
1. PERL INSTALLATION
Most, if not all, of the scripts that come with IC-RADIUS are written in
Perl. This, of course, means that you must have Perl installed in order
to use them. Most Linux distributions already have Perl installed, so
you probably can skip this step if you want to. This section describes
how to install or upgrade to Perl 5.6.0, the latest stable release as of
this writing. There is nothing about IC-RADIUS or the support scripts
that come with it that would require you to perform this upgrade.
1. Download the Perl distribution to /usr/local/src. You can get the latest
Perl distribution from http://www.perl.com.
2. Expand the archive: tar -zxvf perl5.6.0.tar.gz
3. Optional step. Delete the archive to save space: rm -f perl5.6.0.tar.gz
4. Move to source directory: cd /usr/local/src/perl5.6.0
5. Read the installation instructions: pico -w INSTALL
6. rm -f config.sh Policy.sh
7. sh Configure -de
8. make
9. make test
10. make install
11. If it installed correctly, you can confirm the correct version: perl -v
DONE!
2. MySQL INSTALLATION
For installing MySQL package you will need mysql-version.rpm;
mysql-client.rpm; mysql-server.rpm; mysql-devel.rpm packages. The latest
versions are available at http://www.mysql.com
You will also need PERL with it's libraries. I assume you have
perl installed, because perl is provided with linux default
installation, and in most cases installs automatically. But in case you
do not have the prel here are the
For installing the rpm packages do rpm -i <package name>
Installing the rpm package will automatically run the mysql server. To
make sure the server is running do /usr/bin/mysqladmin ping
If the answer is "mysql is alive" than it's okay, if
there is no answer, try to do: /etc/init.d/mysql start
As soon as the server is running do: /usr/bin/mysql_install_db
By default there's no password for the 'root' user. To
do that run /usr/bin/mysqladmin -u root password
"password"
Now you can run the MySQL mysql -u username -p
"password"
You should get mysql> command prompt.
DONE!
3.4.5.6 Perl DBI, DATA-DUMPER, Perl DATA-SHOWTABLE, IC-Radius modules INSTALLATION
This is quite easy. From http://search.cpan.org download above mentioned
modules, unpack, and run the following (in each directory).
perl Makefile.PL
make test (optional)
make install
DONE!
7. MySQL DBD INSTALLATION
You can get the latest distribution from http://search.cpan.org. By the
way, just to confuse things, it's not named DBD - it's named
Msql-Mysql-Modules! Makes perfect sense if you already know what you
are looking for, but for newbies it can be quite confusing. Expand the
archive: tar -zxvf Msql-Mysql-1.2215.tar.gz perl Makefile.PL
Note: the defaults are right for most of the questions. Be sure to give
the username and password you defined for MySQL when asked or the tests
will all fail! make test
8. BERKLEY SOCETS INSTALLATION (optional)
1. Download the Berkley Sockets distribution to /usr/local/src. You can get
the latest distribution from http://www.sleepycat.com/.
2. Expand the archive: tar -zxvf Berkleydb-3.2.9a.tar.gz
3. Optional step. Delete the archive to save space:
rm -f Berkleydb-3.2.9a.tar.gz
4. Move to source directory: cd /usr/local/src/db-3.2.9a
5. ./configure
6. make
7. make install
8. SNMP INSTALLATION (optional)
1. Download the SNMP distribution to /usr/local/src. You can get the latest
distribution from http://search.cpan.org.
2. Expand the archive: tar -zxvf ucd-snmp-4.1.tar.gz
3. Optional step. Delete the archive to save space: rm -f ucd-snmp.tar.gz
4. Move to source directory: cd /usr/local/src/ucd-snmp-4.1
5. ./configure
6. make
7. make test
8. make install
9. PHP MyAdmin INSTALLATION (optional)
You will need php myadmin to make easier crating the radius database,
importing sql tables, etc. Of course you can do that manually but I
think having a web based toolkit will make your life easier in your
future MySQL related works.
Well, here's what you need to do. From http://www.phpmyadmin.net
download the latest stabile version, at this moment it is phpMyAdmin
2.3.2. Expand the archive to directory PMA (for instance) . Edit
config.inc.php
Change $cfg['PmaAbsoluteUri'] variable to your needs, it should look like:
$cfg['PmaAbsoluteUri'] = 'http://www.yourhost.com/pma/';
Point your we browser to that URL.
Congratulation on this stage, let's proceed to another, the actual
installation.
-----
Server side Installation:
I found out several free radius software, which are FreeRADIUS,
XtRadius, Cistron RADIUS, Gnu-Radius, IC-RADIUS. Below mentioned
instructions are about 2001-06-29 - IC-RADIUS 0.18.1 released. I
recommend this version. IC Radius is a variation of Cistron RADIUS, but
it uses mysql database for storing data.
Okay, the first step is downloading the software. Download the
distributive from ftp://ftp.innercite.com/pub/icradius/icradius-0.18.1.tar.gz
Unpack the archive and cd icradius-0.18.1
Cisco side "installation":
Here is what you need to add to your cisco.
Enableing aaa service
aaa new-model
aaa authentication login default local
aaa authentication ppp default radius
aaa authorization network default radius none
aaa accounting update newinfo
aaa accounting network default wait-start radius
aaa accounting system default start-stop radius
Configuring async interface
interface Async1
description tel.-411
ip unnumbered Ethernet0
no ip directed-broadcast
encapsulation ppp
async mode interactive
peer default ip address 217.113.7.246
ppp authentication pap chap
!
interface Async2
description tel.-414
ip unnumbered Ethernet0
no ip directed-broadcast
encapsulation ppp
async mode interactive
peer default ip address 217.113.7.248
ppp authentication pap chap
!
Or you can create an async-group
interface Group-Async1
physical-layer async
no ip address
no ip directed-broadcast
peer default ip address pool dial-upers
!
Than add the following:
ip local pool dial-upers 217.113.13.73 217.113.13.79
ip nat translation timeout never
ip nat translation tcp-timeout never
ip nat translation udp-timeout never
ip nat translation finrst-timeout never
ip nat translation syn-timeout never
ip nat translation dns-timeout never
ip nat translation icmp-timeout never
ip classless
ip route 0.0.0.0 0.0.0.0 217.113.7.241
!
radius-server host 217.113.7.241 auth-port 1812 acct-port 1813
radius-server retransmit 10
radius-server timeout 3
radius-server deadtime 1
radius-server key cisco