Preface: RADIUS is commonly used for unified authentication of enterprise network devices. This article follows the official daloRADIUS project documentation for installation and configuration; original: Installing daloRADIUS · lirantal/daloradius Wiki

Background: to tighten wireless management at the company and authenticate at the MAC-address level, a RADIUS server is set up for unified authentication.

Prerequisite: a Linux server; I am using Debian 13 here.

Install MariaDB and configure the database

Install MariaDB via APT

apt --no-install-recommends install mariadb-server

Run the MariaDB initial hardening script

mariadb-secure-installation

Create a new database and a new user for daloRADIUS and FreeRADIUS

mariadb -u root -p

CREATE DATABASE raddb;
GRANT ALL ON raddb.* TO 'raduser'@'localhost' IDENTIFIED BY 'radpass';
FLUSH PRIVILEGES;
EXIT;

Run the following command so that MariaDB starts automatically at boot

systemctl enable mariadb

Install FreeRADIUS

Install FreeRADIUS and the related packages

apt --no-install-recommends install freeradius freeradius-mysql mariadb-client

Import the FreeRADIUS SQL schema into MariaDB

cd /etc/freeradius/3.0/mods-config/sql/main/mysql
mariadb -u raduser -p raddb < schema.sql

Edit the FreeRADIUS sql module file and change the settings below so it connects to MariaDB

nano /etc/freeradius/3.0/mods-available/sql

dialect = "mysql"
driver = "rlm_sql_${dialect}"
...
server = "localhost"
port = 3306
login = "raduser"
password = "radpass"
radius_db = "raddb"
...
read_clients = yes
client_table = "nas"

Disable the tls option (not recommended in production or where security requirements are higher). The sed command below comments out the tls { ... } sub-block of the sql module, so the connection to the database is unencrypted; in this setup the database is on localhost, so that traffic does not leave the host.

sed -Ei '/^[\t\s#]*tls\s+\{/, /[\t\s#]*\}/ s/^/#/' /etc/freeradius/3.0/mods-available/sql

Create a symlink to enable the sql module

ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Restart the service and enable it at boot

systemctl enable freeradius
systemctl restart freeradius

Install daloRADIUS

Install Apache2, PHP and the other packages daloRADIUS needs

apt --no-install-recommends install apache2 php libapache2-mod-php \
                                    php-mysql php-zip php-mbstring php-common php-curl \
                                    php-gd php-db php-mail php-mail-mime \
                                    mariadb-client freeradius-utils rsyslog

Download the daloRADIUS package with git (network access to GitHub must be available beforehand)

apt --no-install-recommends install git
cd /var/www
git clone https://github.com/lirantal/daloradius.git

Create the log directories for the users and operators interfaces

mkdir -p /var/log/apache2/daloradius/{operators,users}

Edit the Apache2 envvars file to define the environment variables

cat <<EOF >> /etc/apache2/envvars
# daloRADIUS users interface port
export DALORADIUS_USERS_PORT=80

# daloRADIUS operators interface port
export DALORADIUS_OPERATORS_PORT=8000

# daloRADIUS package root directory
export DALORADIUS_ROOT_DIRECTORY=/var/www/daloradius

# daloRADIUS administrator's email
export DALORADIUS_SERVER_ADMIN=admin@daloradius.local
EOF

Edit ports.conf

cat <<EOF > /etc/apache2/ports.conf

# daloRADIUS
Listen \${DALORADIUS_USERS_PORT}
Listen \${DALORADIUS_OPERATORS_PORT}
EOF

With this, Apache2 listens on the ports given by the DALORADIUS_USERS_PORT and DALORADIUS_OPERATORS_PORT environment variables set earlier.

Create the Apache2 site file for administrators (operators): operators.conf

cat <<EOF > /etc/apache2/sites-available/operators.conf
<VirtualHost *:\${DALORADIUS_OPERATORS_PORT}>
  ServerAdmin \${DALORADIUS_SERVER_ADMIN}
  DocumentRoot \${DALORADIUS_ROOT_DIRECTORY}/app/operators
  <Directory \${DALORADIUS_ROOT_DIRECTORY}/app/operators>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>

  <Directory \${DALORADIUS_ROOT_DIRECTORY}>
    Require all denied
  </Directory>

  ErrorLog \${APACHE_LOG_DIR}/daloradius/operators/error.log
  CustomLog \${APACHE_LOG_DIR}/daloradius/operators/access.log combined
</VirtualHost>
EOF

Create the Apache2 site file for users: users.conf

cat <<EOF > /etc/apache2/sites-available/users.conf
<VirtualHost *:\${DALORADIUS_USERS_PORT}>
  ServerAdmin \${DALORADIUS_SERVER_ADMIN}
  DocumentRoot \${DALORADIUS_ROOT_DIRECTORY}/app/users

  <Directory \${DALORADIUS_ROOT_DIRECTORY}/app/users>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>

  <Directory \${DALORADIUS_ROOT_DIRECTORY}>
    Require all denied
  </Directory>

  ErrorLog \${APACHE_LOG_DIR}/daloradius/users/error.log
  CustomLog \${APACHE_LOG_DIR}/daloradius/users/access.log combined
</VirtualHost>
EOF

Copy the daloRADIUS sample configuration file and set its ownership and permissions

cd /var/www/daloradius/app/common/includes
cp daloradius.conf.php.sample daloradius.conf.php
chown www-data:www-data daloradius.conf.php
chmod 664 daloradius.conf.php

chown www-data:www-data /var/www/daloradius/contrib/scripts/dalo-crontab

Edit the configuration file copied above; the database settings must match the earlier FreeRADIUS and MariaDB configuration

nano daloradius.conf.php

...
$configValues['FREERADIUS_VERSION'] = '3';
$configValues['CONFIG_DB_ENGINE'] = 'mysqli';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'raduser';
$configValues['CONFIG_DB_PASS'] = 'radpass';
$configValues['CONFIG_DB_NAME'] = 'raddb';
...
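A mismatch between the sql module and daloradius.conf.php is the usual reason daloRADIUS cannot reach the database, so here is an added Python check (not part of the original post or of the daloRADIUS project) that parses constructed copies of both files, reports any differing database settings, and flags the sample raduser/radpass credentials used in this walkthrough, which should be replaced on a real deployment.

```python
import re

# Constructed samples of the two files edited above (not copied from a real host).
SQL_MOD = """\
sql {
\tserver = "localhost"
\tport = 3306
\tlogin = "raduser"
\tpassword = "radpass"
\tradius_db = "raddb"
\tread_clients = yes
}
"""
DALO_CONF = """\
$configValues['FREERADIUS_VERSION'] = '3';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'raduser';
$configValues['CONFIG_DB_PASS'] = 'radpass';
$configValues['CONFIG_DB_NAME'] = 'raddb';
"""
# daloRADIUS key -> FreeRADIUS sql module key that must carry the same value
PAIRS = {"CONFIG_DB_HOST": "server", "CONFIG_DB_PORT": "port",
         "CONFIG_DB_USER": "login", "CONFIG_DB_PASS": "password",
         "CONFIG_DB_NAME": "radius_db"}
WALKTHROUGH_DEFAULTS = {"raduser", "radpass"}  # sample credentials from this guide

def parse_sql_module(text):
    """Collect `key = value` lines from mods-available/sql; skips comments, strips quotes."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z_]+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$', line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def parse_dalo_conf(text):
    # $configValues['KEY'] = 'value'; assignments from daloradius.conf.php
    return dict(re.findall(r"\$configValues\['([A-Z_]+)'\]\s*=\s*'([^']*)';", text))

def check(sql_text, dalo_text):
    """Return a list of findings; an empty list means the two files agree."""
    sql, dalo = parse_sql_module(sql_text), parse_dalo_conf(dalo_text)
    findings = []
    for dkey, skey in PAIRS.items():
        if dalo.get(dkey) != sql.get(skey):
            findings.append(f"mismatch: {dkey}={dalo.get(dkey)!r} vs {skey}={sql.get(skey)!r}")
    if sql.get("login") in WALKTHROUGH_DEFAULTS or sql.get("password") in WALKTHROUGH_DEFAULTS:
        findings.append("weak: database credentials are the walkthrough's sample values")
    return findings
```

Run check() on the contents of /etc/freeradius/3.0/mods-available/sql and daloradius.conf.php read from disk to verify a live host.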

Import the daloRADIUS SQL so that it shares the database tables with FreeRADIUS

cd /var/www/daloradius/contrib/db
mariadb -u raduser -p raddb < fr3-mariadb-freeradius.sql
mariadb -u raduser -p raddb < mariadb-daloradius.sql

Disable the default Apache2 site and enable the newly created sites

a2dissite 000-default.conf
a2ensite operators.conf users.conf
systemctl enable apache2
systemctl restart apache2

Finish the installation and log in

In a browser, open http://daloradius.local:8000 for the administrator (operators) interface and http://daloradius.local for the users interface, replacing daloradius.local with the server's IP address or hostname.

Default daloRADIUS username and password:

  • Username: administrator

  • Password: radius