SER+FreeRADIUS实现3A
短信预约 -IT技能 免费直播动态提醒
文档说明
部分内容转自VOIPFC,原文使用的SER版本不是最新的了,我在自己实践的基础上将对文档进行一下完善。
-----------------------------------------
版本历史
2008.11.24 --初始版本,转贴原文档,做部分删改。
-----------------------------------------
文档正文
SER 0.9.4+Freeradius安装(源代码安装)配置过程
环境:
centos4.2: 相当于redhat el4或fc4.
SER0.9.4, radiusclient-ng-0.5.2(ser的radius客户端)
freeradius1.0.1(centos自带)
mysql4.1.12(centos自带)
centos4.2: 相当于redhat el4或fc4.
SER0.9.4, radiusclient-ng-0.5.2(ser的radius客户端)
freeradius1.0.1(centos自带)
mysql4.1.12(centos自带)
目标:
1).SER通过mysql数据库对sip客户进行认证.
2).SER通过radius对sip客户进行计费.
1).SER通过mysql数据库对sip客户进行认证.
2).SER通过radius对sip客户进行计费.
安装:
1.安装ser服务器
==>到[url]www.iptel.org/ser[/url]下载ser-0.9.4_class="lazy" data-src.tar.gz.
==>到[url]http://developer.berlios.de/projects/radiusclient-ng[/url]下载
radiusclient-ng-0.5.2.tar.gz.
==>编译/安装radiusclient-ng-0.5.2.tar.gz.
==>tar zxvf ser-0.9.4_class="lazy" data-src.tar.gz解压文件.
==>进入解压后目录的modules/acc目录下, 修改Makefile使ser启用sql
计费和radius计费支持.
去掉#DEFS+=-DSQL_ACC行前面的"#"号
去掉#DEFS+=-DRAD_ACC
#include ../../Makefile.radius两行前面的"#"号
==>进入ser主目录, 执行make编译ser, 执行make install安装ser.
1.安装ser服务器
==>到[url]www.iptel.org/ser[/url]下载ser-0.9.4_class="lazy" data-src.tar.gz.
==>到[url]http://developer.berlios.de/projects/radiusclient-ng[/url]下载
radiusclient-ng-0.5.2.tar.gz.
==>编译/安装radiusclient-ng-0.5.2.tar.gz.
==>tar zxvf ser-0.9.4_class="lazy" data-src.tar.gz解压文件.
==>进入解压后目录的modules/acc目录下, 修改Makefile使ser启用sql
计费和radius计费支持.
去掉#DEFS+=-DSQL_ACC行前面的"#"号
去掉#DEFS+=-DRAD_ACC
#include ../../Makefile.radius两行前面的"#"号
==>进入ser主目录, 执行make编译ser, 执行make install安装ser.
2.配置ser的mysql支持
==>进入ser源程序的modules/mysql目录.
==>执行make编译ser的mysql支持模块.
==>执行cp mysql.so /usr/local/lib/ser/modules把生成的动态链接
库拷贝到ser的模块目录中.
==>执行/usr/local/sbin/ser_mysql.sh create生成mysql数据库结构
需要输入mysql的root用户的密码, 执行成功后会在创建一个名叫ser
的mysql数据库.
3.配置ser的radius计费支持
==>到[url]http://mirror.centos.org/centos/4.2/os/i386/CentOS/RPMS/[/url]
下载radius服务器的支持(5个文件), 如果安装centos4.2时选择的是
完全安装, 则不需要这一步.
freeradius-1.0.1-3.RHEL4.i386.rpm
freeradius-mysql-1.0.1-3.RHEL4.i386.rpm
libtool-libs-1.5.6-4.EL4.1.i386.rpm
net-snmp-5.1.2-11.EL4.6.i386.rpm
net-snmp-utils-5.1.2-11.EL4.6.i386.rpm
==>执行rpm -ivh freeradius-1.0.1-3.RHEL4.i386.rpm, 根据提示信
息安装相应的freeradius支持库, 再安装这个包.
==>cd /usr/share/doc/freeradius-1.0.1目录
执行:mysql -uroot -ppassw0rd radius < db_mysql.sql安装free
radius的mysql数据库, 执行成功后会在mysql中创建一个名为radius
的数据库
==>进入/etc/raddb目录, 修改radiusd.conf配置文件.
去掉#passwd = /etc/passwd行前面的"#"号
去掉#group = /etc/group行前面的"#"号
去掉authorize {...}中#sql前的"#"号
去掉accounting {...}中#sql前的"#"号
==>进入/etc/raddb目录, 修改sql.conf配置文件.
修改password = "rootpass"这行为password = "passw0rd"(即root
用户的密码)
==>进入/etc/raddb目录, 修改users配置文件.
注释掉:
DEFAULT Auth-Type = System
Fall-Through = 1
这两行, 目的是禁止radius用本地账号对用户进行验证.
4.配置ser服务器的sql计费/radius计费支持
==>进入/usr/local/etc/ser目录, 根据"ser源程序安装目录/modules/
acc目录中的README文件配置ser的sql计费和radius计费支持, 具体
配置参数参考/usr/local/etc/ser目录
5.启动各个服务器, 测试
==>radius -X以debug模式启动freeradius服务器
==>ser start启动ser服务器
==>使用serctl工具添加分机, 格式serctl add user secret email
==>执行serctl add 1111 1111 1111@localhost添加一个分机, 需要输
入mysql用户ser的密码heslo, 并且export SIP_DOMAIN=localhost这
个环境变量
==>执行serctl add 2222 2222 2222@localhost添加一个分机, 需要输
入mysql用户ser的密码heslo, 并且export SIP_DOMAIN=localhost这
个环境变量
==>在另一个窗口中执行serctl moni命令, 观察ser的调试输出, 开始
用两个分机拨号, 接通后, 观察radius的调试窗口, 发现有信息输出
通话结束, 查看ser数据库中的acc表和radius数据库中的radacct表,
会发现它们各自都多了三行, 分别记录sip的INVITE/ACK/BYE方法的
时间, 这样, 就可以实现ser的计费功能了.
用两个分机拨号, 接通后, 观察radius的调试窗口, 发现有信息输出
通话结束, 查看ser数据库中的acc表和radius数据库中的radacct表,
会发现它们各自都多了三行, 分别记录sip的INVITE/ACK/BYE方法的
时间, 这样, 就可以实现ser的计费功能了.
6.ser的web管理方式
关于SERWEB的内容本文不做过多涉及,将另开新贴讨论,下面的两个工具我目前都在用,而且正在计划改写,包括汉化、整合、做Extmail的语音邮箱插件、移植到Postgresql等。
以下信息从voip-info网站得到
==>serweb可以查看帐户等信息, 但不能修改.
==>ser-sip-prov-0_1.tar.gz可以添加帐户.
附录:
1.注意, 有时候SER不能正常启动, 需要使用命令:
ldconfig 使系统注册SER所依赖的某些库.
2.SER配置文件(/usr/local/etc/ser.cfg):
#
# $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $
#
# simple quick-start config script
#
以下信息从voip-info网站得到
==>serweb可以查看帐户等信息, 但不能修改.
==>ser-sip-prov-0_1.tar.gz可以添加帐户.
附录:
1.注意, 有时候SER不能正常启动, 需要使用命令:
ldconfig 使系统注册SER所依赖的某些库.
2.SER配置文件(/usr/local/etc/ser.cfg):
#
# $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $
#
# simple quick-start config script
#
# ----------- global configuration parameters ------------------------
debug=10 # debug level (cmd line: -dddddddddd)
fork=yes
#log_stderror=no # (cmd line: -E)
fork=yes
#log_stderror=no # (cmd line: -E)
#fork=yes
log_stderror=yes
log_stderror=yes
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/ser_fifo"
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/ser_fifo"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
# mysql.so must be loaded !
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/acc.so"
modparam("acc", "log_level", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
modparam("acc", "db_url", "mysql://ser:heslo@localhost/ser")
modparam("acc", "db_table_acc", "acc")
modparam("acc", "report_cancels", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
modparam("acc", "db_url", "mysql://ser:heslo@localhost/ser")
modparam("acc", "db_table_acc", "acc")
modparam("acc", "report_cancels", 1)
modparam("acc", "acc_sip_from_column", "sip_from")
modparam("acc", "acc_sip_to_column", "sip_to")
modparam("acc", "acc_sip_status_column", "sip_status")
modparam("acc", "acc_sip_method_column", "sip_method")
modparam("acc", "acc_i_uri_column", "i_uri")
modparam("acc", "acc_o_uri_column", "o_uri")
modparam("acc", "acc_from_uri_column", "from_uri")
modparam("acc", "acc_to_uri_column", "to_uri")
modparam("acc", "acc_sip_callid_column", "sip_callid")
modparam("acc", "acc_user_column", "username")
modparam("acc", "acc_domain_column", "domain")
modparam("acc", "acc_fromtag_column", "fromtag")
modparam("acc", "acc_totag_column", "totag")
modparam("acc", "acc_time_column", "time")
modparam("acc", "acc_sip_to_column", "sip_to")
modparam("acc", "acc_sip_status_column", "sip_status")
modparam("acc", "acc_sip_method_column", "sip_method")
modparam("acc", "acc_i_uri_column", "i_uri")
modparam("acc", "acc_o_uri_column", "o_uri")
modparam("acc", "acc_from_uri_column", "from_uri")
modparam("acc", "acc_to_uri_column", "to_uri")
modparam("acc", "acc_sip_callid_column", "sip_callid")
modparam("acc", "acc_user_column", "username")
modparam("acc", "acc_domain_column", "domain")
modparam("acc", "acc_fromtag_column", "fromtag")
modparam("acc", "acc_totag_column", "totag")
modparam("acc", "acc_time_column", "time")
modparam("acc", "radius_config", "/usr/local/etc/ser/radius/radiusclient.conf")
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
#modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2)
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# ------------------------- request routing logic -------------------
# main routing logic
route{
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
break;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
break;
};
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
break;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
break;
};
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
# if (!method=="REGISTER") record_route();
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
# if (!method=="REGISTER") record_route();
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
setflag(1);
if (method=="INVITE") record_route();
append_hf("P-hint: rr-enforced\r\n");
if (!t_relay()) {
sl_reply_error();
break;
};
#route(1);
#break;
};
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
setflag(1);
if (method=="INVITE") record_route();
append_hf("P-hint: rr-enforced\r\n");
if (!t_relay()) {
sl_reply_error();
break;
};
#route(1);
#break;
};
setflag(1);
if (method=="INVITE") record_route();
if (method=="BYE") record_route();
# if (!method=="REGISTER") record_route();
if (method=="BYE") record_route();
# if (!method=="REGISTER") record_route();
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
break;
};
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
break;
};
if ( (uri=~"^sip:[0-9]{11,20}@.*") ) {
record_route();
rewritehostport("1.2.3.4:5060");
forward(uri:host, uri:port);
setflag(1);
t_relay();
break;
};
record_route();
rewritehostport("1.2.3.4:5060");
forward(uri:host, uri:port);
setflag(1);
t_relay();
break;
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest authentication
if (!www_authorize("localhost", "subscriber")) {
www_challenge("localhost", "0");
break;
};
if (!www_authorize("localhost", "subscriber")) {
www_challenge("localhost", "0");
break;
};
save("location");
break;
};
break;
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
break;
};
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
break;
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
break;
};
};
append_hf("P-hint: usrloc applied\r\n");
route(1);
}
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
break;
};
};
append_hf("P-hint: usrloc applied\r\n");
route(1);
}
免责声明:
① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。
② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341