Freeradius原理

FreeRadius原理，轉載自：chinaunix

FreeRadius原理

分爲3個部分:用戶/nas/radius

用戶提供認證名、密碼到NAS（Network Access Server）

NAS一般是路由器、交換機等設備

NAS提交相應信息到radius服務器，由radius服務器進行認證，其中認證信息也可以存放於mysql、ldap、oracle、postgreSQL等數據庫中

 

NAS發送radius-request到radius服務器，如果多次連接失敗，則NAS可發送數據包到其他radius服務器

 

Radius服務器根據用戶名查找相應記錄，包括用戶口令、訪問端口、訪問權限等，如果用戶被否認的話，radius服務器發送radius-reject包到NAS

如果用戶被確認，則radius服務器發送radius-challenge數據包，要求NAS提供更多的相關屬性數值；NAS通知用戶要求提供更多信息，然後再創建radius-request包，而radius服務器經覈實後，再次發送radius-accept包，返回用戶所需的屬性（ip、mask、MTU等）

 

Radius數據包結構：

Code（8bit）、identifier(8bit)、length(16bit)、Authenticator(128bit)、Attributes（不定長）

 

Attribute結構：

Type、length、value

 

常用的Type類型：

User-Name     Password              CHAP-Password    NAS-IP-Address    NAS-Post-ID  Service-Type  Frame-Protocol等等

User-Password或CHAP-Password默認以md5加密

 

Attributes應該包括以下幾個屬性： 

◆ “User-Name”
◆ “User-Password”或“CHAP-Password”
◆ “NAS-IP-Address”
* “NAS-Identifier”
◆ “NAS-Port”
◆ “NAS-Port-Type”

 

早期的users文件格式：(man 5 users)

Username       check_items

                     Reply_items

其中，check items中的屬性值和radius-request包中的屬性值做比較，如果匹配則將reply items中的屬性值添加到radius-reply包中去

如果username爲DEFAULT 則匹配所有用戶名

屬性：Fall_Through=No表示不再查詢下一條匹配記錄，直接返回。

 

屬性操作符：

“＝”    賦值操作符，不得用於check items，如之前無相應屬性則添加

“：＝”       總用於check items，如果request包中沒有該屬性，則添加，並且覆蓋config items中的相同屬性值

“＋＝”       用戶check items，總是添加當前屬性值到config items中。

“＝＝”、“！＝”、“＝～”、“！～”、“＝*”、“!*”都是邏輯判斷符

 

Sql模塊分爲：

前端：rlm_sql

後端：rlm_sql_mysql/rlm_sql_postgresql等

 

Sql查看流程：

1. Search the radcheck table for any check attributes specific to the user

 2. If check attributes are found, and there's a match, pull the reply items

     from the radreply table for this user and add them to the reply

  3. Group processing then begins if any of the following conditions are met:

     a. The user IS NOT found in radcheck

     b. The user IS found in radcheck, but the check items don't match

     c. The user IS found in radcheck, the check items DO match AND

        the read_groups directive is set to 'yes'

  4. If groups are to be processed for this user, the first thing that is

     done is the list of groups this user is a member of is pulled from the

     usergroup table ordered by the priority field.  The priority field of

     the usergroup table allows us to control the order in which groups are

     processed, so that we can emulate the ordering in the users file.  This

     can be important in many cases.

  5. For each group this user is a member of, the corresponding check items

     are pulled from radgroupcheck table and compared with the request.  If

     there is a match, the reply items for this group are pulled from the

     radgroupreply table and applied.

  6. Processing continues to the next group IF:

     a. There was not a match for the last group's check items

     (The above is exactly the same as in the users file)

  7. Finally, if the user has a User-Profile attribute set or the Default

     Profile option is set in the sql.conf, then steps 4-6 are repeated for

     the groups that the profile is a member of