FreeRADIUS HTTPS query feature
1. Server requirements
RADIUS server: CentOS 6.6 with an IP address and hostname set, SELinux disabled, iptables stopped
FreeRADIUS version: 3.0.12
2. Install FreeRADIUS from source
# yum -y install wget expat-devel gcc make gmp-devel gmp pkgconfig perl libpcap gcc-c++ logrotate tar cpio gawk flex bison bison-devel lsof libpcap-devel patch openssl openssl-devel libgcrypt* crypt* autoconf automake libtasn1-devel zlib zlib-devel trousers trousers-devel texinfo libnl-devel libnl dbus dbus-devel ncurses-devel readline-devel libtool-ltdl libtalloc* hiredis* redhat-lsb python libcurl-devel freeradius-utils
# tar zxf freeradius-server-3.0.12.tar.gz -C /data
# cd /data/freeradius-server-3.0.12
# ./configure --with-static_modules=rest
(There are two pitfalls here. Pitfall 1: ./configure --help lists the option as --with-static-modules, but the build files actually use --with-static_modules. Pitfall 2: the message indicating that rlm_rest failed to install appears in the middle of the build output, and it is shown as a warning rather than an error.)
# make && make install
The default configuration files are installed under /usr/local/etc/raddb.
3. Configure the rlm_rest module
# cd /usr/local/etc/raddb
# ln -s ../mods-available/rest mods-enabled/rest
# vim mods-available/rest (two places need to be changed)
connect_uri = "https://test.meizu.com"
authenticate {
    # This uri is not the default; adjust it to match the code on the HTTPS side.
    uri = "${..connect_uri}/radius/login.do?test=true&action=authenticate&calledStationId=%{Called-Station-ID}&userName=%{User-Name}"
    method = 'get'
    auth = 'basic'
    tls = ${..tls}
}
# vim sites-enabled/default
authorize {
    rest
}
authenticate {
    Auth-Type REST {
        rest
    }
}
# radiusd -X (start FreeRADIUS in debug mode)
# radtest test test localhost 0 testing123 (use the user test with the password test to check whether the HTTPS side receives the request details)
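The request produced by the authenticate section above, seen from the HTTPS side, as an added example (not part of the original page and not FreeRADIUS code): a Python function that picks the status code to return. It assumes that with auth = 'basic' the module sends the user's name and password as HTTP Basic credentials, and it relies on the status mapping documented in mods-available/rest (204 = ok, 401 = reject, 404 = notfound); the USERS table, the helper names and the sample request are constructed.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed test account (matches the radtest call); a real backend
# would check the password against its own user store.
USERS = {"test": "test"}


def rest_auth_status(request_target, headers):
    """Return the HTTP status for one authenticate GET sent by rlm_rest."""
    url = urlsplit(request_target)
    query = parse_qs(url.query)
    if url.path != "/radius/login.do" or query.get("action") != ["authenticate"]:
        return 404  # rlm_rest module code: notfound
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 401  # no Basic credentials: reject
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return 401
    user, sep, password = decoded.partition(":")
    # The userName in the query string must be the user who authenticated.
    if not sep or query.get("userName") != [user]:
        return 401
    expected = USERS.get(user)
    # Constant-time comparison, also performed for unknown users.
    same = hmac.compare_digest(password.encode(), (expected or "").encode())
    return 204 if expected is not None and same else 401  # 204: ok, no body


def basic(user, password):
    """Build the Authorization header a client sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


# Constructed request target, following the uri configured above.
SAMPLE = ("/radius/login.do?test=true&action=authenticate"
          "&calledStationId=00-11-22-33-44-55&userName=test")

if __name__ == "__main__":
    print(rest_auth_status(SAMPLE, basic("test", "test")))
    print(rest_auth_status(SAMPLE, basic("test", "wrong")))
```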
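4. Troubleshooting
Error message: Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed) For more information see http://heartbleed.com
Fix: in radiusd.conf, change allow_vulnerable_openssl = no to allow_vulnerable_openssl = yes. FreeRADIUS makes this check from the version number libssl reports, which does not show fixes backported by the distribution, so confirm that the installed openssl package includes the CVE-2014-0160 fix before overriding it.
The steps above require the developers of the HTTPS service to cooperate on the configuration.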