SER+FreeRADIUS實現3A
- 2020 年 1 月 6 日
- 筆記
文檔說明
部分內容轉自VOIPFC,原文使用的SER版本不是最新的了,我在自己實踐的基礎上將對文檔進行一下完善。
—————————————–
版本歷史
2008.11.24 –初始版本,轉貼原文檔,做部分刪改。
—————————————–
文檔正文
SER 0.9.4+Freeradius安裝(源程式碼安裝)配置過程
環境: centos4.2: 相當於redhat el4或fc4. SER0.9.4, radiusclient-ng-0.5.2(ser的radius客戶端) freeradius1.0.1(centos自帶) mysql4.1.12(centos自帶)
目標: 1).SER通過mysql資料庫對sip客戶進行認證. 2).SER通過radius對sip客戶進行計費.
安裝: 1.安裝ser伺服器 ==>到[url]www.iptel.org/ser[/url]下載ser-0.9.4_src.tar.gz. ==>到[url]http://developer.berlios.de/projects/radiusclient-ng[/url]下載 radiusclient-ng-0.5.2.tar.gz. ==>編譯/安裝radiusclient-ng-0.5.2.tar.gz. ==>tar zxvf ser-0.9.4_src.tar.gz解壓文件. ==>進入解壓後目錄的modules/acc目錄下, 修改Makefile使ser啟用sql 計費和radius計費支援. 去掉#DEFS+=-DSQL_ACC行前面的"#"號 去掉#DEFS+=-DRAD_ACC #include ../../Makefile.radius兩行前面的"#"號 ==>進入ser主目錄, 執行make編譯ser, 執行make install安裝ser.
2.配置ser的mysql支援 ==>進入ser源程式的modules/mysql目錄. ==>執行make編譯ser的mysql支援模組. ==>執行cp mysql.so /usr/local/lib/ser/modules把生成的動態鏈接 庫拷貝到ser的模組目錄中. ==>執行/usr/local/sbin/ser_mysql.sh create生成mysql資料庫結構 需要輸入mysql的root用戶的密碼, 執行成功後會在創建一個名叫ser 的mysql資料庫.
3.配置ser的radius計費支援 ==>到[url]http://mirror.centos.org/centos/4.2/os/i386/CentOS/RPMS/[/url] 下載radius伺服器的支援(5個文件), 如果安裝centos4.2時選擇的是 完全安裝, 則不需要這一步. freeradius-1.0.1-3.RHEL4.i386.rpm freeradius-mysql-1.0.1-3.RHEL4.i386.rpm libtool-libs-1.5.6-4.EL4.1.i386.rpm net-snmp-5.1.2-11.EL4.6.i386.rpm net-snmp-utils-5.1.2-11.EL4.6.i386.rpm ==>執行rpm -ivh freeradius-1.0.1-3.RHEL4.i386.rpm, 根據提示信 息安裝相應的freeradius支援庫, 再安裝這個包. ==>cd /usr/share/doc/freeradius-1.0.1目錄 執行:mysql -uroot -ppassw0rd radius < db_mysql.sql安裝free radius的mysql資料庫, 執行成功後會在mysql中創建一個名為radius 的資料庫 ==>進入/etc/raddb目錄, 修改radiusd.conf配置文件. 去掉#passwd = /etc/passwd行前面的"#"號 去掉#group = /etc/group行前面的"#"號 去掉authorize {…}中#sql前的"#"號 去掉accounting {…}中#sql前的"#"號 ==>進入/etc/raddb目錄, 修改sql.conf配置文件. 修改password = "rootpass"這行為password = "passw0rd"(即root 用戶的密碼) ==>進入/etc/raddb目錄, 修改users配置文件. 注釋掉: DEFAULT Auth-Type = System Fall-Through = 1 這兩行, 目的是禁止radius用本地帳號對用戶進行驗證.
4.配置ser伺服器的sql計費/radius計費支援 ==>進入/usr/local/etc/ser目錄, 根據"ser源程式安裝目錄/modules/ acc目錄中的README文件配置ser的sql計費和radius計費支援, 具體 配置參數參考/usr/local/etc/ser目錄
5.啟動各個伺服器, 測試 ==>radius -X以debug模式啟動freeradius伺服器 ==>ser start啟動ser伺服器 ==>使用serctl工具添加分機, 格式serctl add user secret email ==>執行serctl add 1111 1111 1111@localhost添加一個分機, 需要輸 入mysql用戶ser的密碼heslo, 並且export SIP_DOMAIN=localhost這 個環境變數 ==>執行serctl add 2222 2222 2222@localhost添加一個分機, 需要輸 入mysql用戶ser的密碼heslo, 並且export SIP_DOMAIN=localhost這 個環境變數
==>在另一個窗口中執行serctl moni命令, 觀察ser的調試輸出, 開始 用兩個分機撥號, 接通後, 觀察radius的調試窗口, 發現有資訊輸出 通話結束, 查看ser資料庫中的acc表和radius資料庫中的radacct表, 會發現它們各自都多了三行, 分別記錄sip的INVITE/ACK/BYE方法的 時間, 這樣, 就可以實現ser的計費功能了.
6.ser的web管理方式
關於SERWEB的內容本文不做過多涉及,將另開新貼討論,下面的兩個工具我目前都在用,而且正在計劃改寫,包括漢化、整合、做Extmail的語音郵箱插件、移植到Postgresql等。 以下資訊從voip-info網站得到 ==>serweb可以查看帳戶等資訊, 但不能修改. ==>ser-sip-prov-0_1.tar.gz可以添加帳戶. 附錄: 1.注意, 有時候SER不能正常啟動, 需要使用命令: ldconfig 使系統註冊SER所依賴的某些庫. 2.SER配置文件(/usr/local/etc/ser.cfg): # # $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $ # # simple quick-start config script #
# ———– global configuration parameters ————————
debug=10 # debug level (cmd line: -dddddddddd) fork=yes #log_stderror=no # (cmd line: -E)
#fork=yes log_stderror=yes
check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) #port=5060 #children=4 fifo="/tmp/ser_fifo"
# —————— module loading ———————————-
# Uncomment this if you want to use SQL database loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/tm.so" loadmodule "/usr/local/lib/ser/modules/rr.so" loadmodule "/usr/local/lib/ser/modules/maxfwd.so" loadmodule "/usr/local/lib/ser/modules/usrloc.so" loadmodule "/usr/local/lib/ser/modules/registrar.so" loadmodule "/usr/local/lib/ser/modules/textops.so"
# Uncomment this if you want digest authentication # mysql.so must be loaded ! loadmodule "/usr/local/lib/ser/modules/auth.so" loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/acc.so"
modparam("acc", "log_level", 1) modparam("acc", "log_flag", 1) modparam("acc", "db_flag", 1) modparam("acc", "db_url", "mysql://ser:heslo@localhost/ser") modparam("acc", "db_table_acc", "acc") modparam("acc", "report_cancels", 1)
modparam("acc", "acc_sip_from_column", "sip_from") modparam("acc", "acc_sip_to_column", "sip_to") modparam("acc", "acc_sip_status_column", "sip_status") modparam("acc", "acc_sip_method_column", "sip_method") modparam("acc", "acc_i_uri_column", "i_uri") modparam("acc", "acc_o_uri_column", "o_uri") modparam("acc", "acc_from_uri_column", "from_uri") modparam("acc", "acc_to_uri_column", "to_uri") modparam("acc", "acc_sip_callid_column", "sip_callid") modparam("acc", "acc_user_column", "username") modparam("acc", "acc_domain_column", "domain") modparam("acc", "acc_fromtag_column", "fromtag") modparam("acc", "acc_totag_column", "totag") modparam("acc", "acc_time_column", "time")
modparam("acc", "radius_config", "/usr/local/etc/ser/radius/radiusclient.conf") modparam("acc", "radius_flag", 1) modparam("acc", "radius_missed_flag", 2)
# —————– setting module-specific parameters —————
# — usrloc params —
#modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database # for persistent storage and comment the previous line modparam("usrloc", "db_mode", 2)
# — auth params — # Uncomment if you are using auth module # modparam("auth_db", "calculate_ha1", yes) # # If you set "calculate_ha1" parameter to yes (which true in this config), # uncomment also the following parameter) # modparam("auth_db", "password_column", "password")
# — rr params — # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1)
# ————————- request routing logic ——————-
# main routing logic
route{
# initial sanity checks — messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); break; }; if (msg:len >= 2048 ) { sl_send_reply("513", "Message too big"); break; };
# we record-route all messages — to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol # if (!method=="REGISTER") record_route();
# subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request setflag(1); if (method=="INVITE") record_route(); append_hf("P-hint: rr-enforcedrn"); if (!t_relay()) { sl_reply_error(); break; }; #route(1); #break; };
setflag(1);
if (method=="INVITE") record_route(); if (method=="BYE") record_route(); # if (!method=="REGISTER") record_route();
if (!uri==myself) { # mark routing logic in request append_hf("P-hint: outboundrn"); route(1); break; };
if ( (uri=~"^sip:[0-9]{11,20}@.*") ) { record_route(); rewritehostport("1.2.3.4:5060"); forward(uri:host, uri:port); setflag(1); t_relay(); break; };
# if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest authentication if (!www_authorize("localhost", "subscriber")) { www_challenge("localhost", "0"); break; };
save("location"); break; };
lookup("aliases"); if (!uri==myself) { append_hf("P-hint: outbound aliasrn"); route(1); break; };
# native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { sl_send_reply("404", "Not Found"); break; }; }; append_hf("P-hint: usrloc appliedrn"); route(1); }
