SER+FreeRADIUS实现3A

py3study

发布于 2020-01-06 16:30:24

8690

发布于 2020-01-06 16:30:24

文章被收录于专栏：python3

文档说明

部分内容转自VOIPFC，原文使用的SER版本不是最新的了，我在自己实践的基础上将对文档进行一下完善。

-----------------------------------------

版本历史

2008.11.24 --初始版本，转贴原文档，做部分删改。

-----------------------------------------

文档正文

SER 0.9.4+Freeradius安装(源代码安装)配置过程

环境： centos4.2: 相当于redhat el4或fc4. SER0.9.4, radiusclient-ng-0.5.2(ser的radius客户端) freeradius1.0.1(centos自带) mysql4.1.12(centos自带)

目标： 1).SER通过mysql数据库对sip客户进行认证. 2).SER通过radius对sip客户进行计费.

安装： 1.安装ser服务器 ==>到[url]www.iptel.org/ser[/url]下载ser-0.9.4_src.tar.gz. ==>到[url]http://developer.berlios.de/projects/radiusclient-ng[/url]下载 radiusclient-ng-0.5.2.tar.gz. ==>编译/安装radiusclient-ng-0.5.2.tar.gz. ==>tar zxvf ser-0.9.4_src.tar.gz解压文件. ==>进入解压后目录的modules/acc目录下, 修改Makefile使ser启用sql 计费和radius计费支持. 去掉#DEFS+=-DSQL_ACC行前面的"#"号去掉#DEFS+=-DRAD_ACC #include ../../Makefile.radius两行前面的"#"号 ==>进入ser主目录, 执行make编译ser, 执行make install安装ser.

2.配置ser的mysql支持 ==>进入ser源程序的modules/mysql目录. ==>执行make编译ser的mysql支持模块. ==>执行cp mysql.so /usr/local/lib/ser/modules把生成的动态链接库拷贝到ser的模块目录中. ==>执行/usr/local/sbin/ser_mysql.sh create生成mysql数据库结构需要输入mysql的root用户的密码, 执行成功后会在创建一个名叫ser 的mysql数据库.

3.配置ser的radius计费支持 ==>到[url]http://mirror.centos.org/centos/4.2/os/i386/CentOS/RPMS/[/url] 下载radius服务器的支持(5个文件), 如果安装centos4.2时选择的是完全安装, 则不需要这一步. freeradius-1.0.1-3.RHEL4.i386.rpm freeradius-mysql-1.0.1-3.RHEL4.i386.rpm libtool-libs-1.5.6-4.EL4.1.i386.rpm net-snmp-5.1.2-11.EL4.6.i386.rpm net-snmp-utils-5.1.2-11.EL4.6.i386.rpm ==>执行rpm -ivh freeradius-1.0.1-3.RHEL4.i386.rpm, 根据提示信息安装相应的freeradius支持库, 再安装这个包. ==>cd /usr/share/doc/freeradius-1.0.1目录执行：mysql -uroot -ppassw0rd radius < db_mysql.sql安装free radius的mysql数据库, 执行成功后会在mysql中创建一个名为radius 的数据库 ==>进入/etc/raddb目录, 修改radiusd.conf配置文件. 去掉#passwd = /etc/passwd行前面的"#"号去掉#group = /etc/group行前面的"#"号去掉authorize {...}中#sql前的"#"号去掉accounting {...}中#sql前的"#"号 ==>进入/etc/raddb目录, 修改sql.conf配置文件. 修改password = "rootpass"这行为password = "passw0rd"(即root 用户的密码) ==>进入/etc/raddb目录, 修改users配置文件. 注释掉： DEFAULT Auth-Type = System Fall-Through = 1 这两行, 目的是禁止radius用本地账号对用户进行验证.

4.配置ser服务器的sql计费/radius计费支持 ==>进入/usr/local/etc/ser目录, 根据"ser源程序安装目录/modules/ acc目录中的README文件配置ser的sql计费和radius计费支持, 具体配置参数参考/usr/local/etc/ser目录

5.启动各个服务器, 测试 ==>radius -X以debug模式启动freeradius服务器 ==>ser start启动ser服务器 ==>使用serctl工具添加分机, 格式serctl add user secret email ==>执行serctl add 1111 1111 1111@localhost添加一个分机, 需要输入mysql用户ser的密码heslo, 并且export SIP_DOMAIN=localhost这个环境变量 ==>执行serctl add 2222 2222 2222@localhost添加一个分机, 需要输入mysql用户ser的密码heslo, 并且export SIP_DOMAIN=localhost这个环境变量

==>在另一个窗口中执行serctl moni命令, 观察ser的调试输出, 开始用两个分机拨号, 接通后, 观察radius的调试窗口, 发现有信息输出通话结束, 查看ser数据库中的acc表和radius数据库中的radacct表, 会发现它们各自都多了三行, 分别记录sip的INVITE/ACK/BYE方法的时间, 这样, 就可以实现ser的计费功能了.

6.ser的web管理方式

关于SERWEB的内容本文不做过多涉及，将另开新贴讨论，下面的两个工具我目前都在用，而且正在计划改写，包括汉化、整合、做Extmail的语音邮箱插件、移植到Postgresql等。以下信息从voip-info网站得到 ==>serweb可以查看帐户等信息, 但不能修改. ==>ser-sip-prov-0_1.tar.gz可以添加帐户. 附录： 1.注意, 有时候SER不能正常启动, 需要使用命令: ldconfig 使系统注册SER所依赖的某些库. 2.SER配置文件(/usr/local/etc/ser.cfg): # # $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $ # # simple quick-start config script #

# ----------- global configuration parameters ------------------------

debug=10 # debug level (cmd line: -dddddddddd) fork=yes #log_stderror=no # (cmd line: -E)

#fork=yes log_stderror=yes

check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) #port=5060 #children=4 fifo="/tmp/ser_fifo"

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database loadmodule "/usr/local/lib/ser/modules/mysql.so"

loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/tm.so" loadmodule "/usr/local/lib/ser/modules/rr.so" loadmodule "/usr/local/lib/ser/modules/maxfwd.so" loadmodule "/usr/local/lib/ser/modules/usrloc.so" loadmodule "/usr/local/lib/ser/modules/registrar.so" loadmodule "/usr/local/lib/ser/modules/textops.so"

# Uncomment this if you want digest authentication # mysql.so must be loaded ! loadmodule "/usr/local/lib/ser/modules/auth.so" loadmodule "/usr/local/lib/ser/modules/auth_db.so"

loadmodule "/usr/local/lib/ser/modules/acc.so"

modparam("acc", "log_level", 1) modparam("acc", "log_flag", 1) modparam("acc", "db_flag", 1) modparam("acc", "db_url", "mysql://ser:heslo@localhost/ser") modparam("acc", "db_table_acc", "acc") modparam("acc", "report_cancels", 1)

modparam("acc", "acc_sip_from_column", "sip_from") modparam("acc", "acc_sip_to_column", "sip_to") modparam("acc", "acc_sip_status_column", "sip_status") modparam("acc", "acc_sip_method_column", "sip_method") modparam("acc", "acc_i_uri_column", "i_uri") modparam("acc", "acc_o_uri_column", "o_uri") modparam("acc", "acc_from_uri_column", "from_uri") modparam("acc", "acc_to_uri_column", "to_uri") modparam("acc", "acc_sip_callid_column", "sip_callid") modparam("acc", "acc_user_column", "username") modparam("acc", "acc_domain_column", "domain") modparam("acc", "acc_fromtag_column", "fromtag") modparam("acc", "acc_totag_column", "totag") modparam("acc", "acc_time_column", "time")

modparam("acc", "radius_config", "/usr/local/etc/ser/radius/radiusclient.conf") modparam("acc", "radius_flag", 1) modparam("acc", "radius_missed_flag", 2)

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

#modparam("usrloc", "db_mode", 0)

# Uncomment this if you want to use SQL database # for persistent storage and comment the previous line modparam("usrloc", "db_mode", 2)

# -- auth params -- # Uncomment if you are using auth module # modparam("auth_db", "calculate_ha1", yes) # # If you set "calculate_ha1" parameter to yes (which true in this config), # uncomment also the following parameter) # modparam("auth_db", "password_column", "password")

# -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1)

# ------------------------- request routing logic -------------------

# main routing logic

route{

# initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); break; }; if (msg:len >= 2048 ) { sl_send_reply("513", "Message too big"); break; };

# we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol # if (!method=="REGISTER") record_route();

# subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request setflag(1); if (method=="INVITE") record_route(); append_hf("P-hint: rr-enforced\r\n"); if (!t_relay()) { sl_reply_error(); break; }; #route(1); #break; };

setflag(1);

if (method=="INVITE") record_route(); if (method=="BYE") record_route(); # if (!method=="REGISTER") record_route();

if (!uri==myself) { # mark routing logic in request append_hf("P-hint: outbound\r\n"); route(1); break; };

if ( (uri=~"^sip:[0-9]{11,20}@.*") ) { record_route(); rewritehostport("1.2.3.4:5060"); forward(uri:host, uri:port); setflag(1); t_relay(); break; };

# if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) {

if (method=="REGISTER") {

# Uncomment this if you want to use digest authentication if (!www_authorize("localhost", "subscriber")) { www_challenge("localhost", "0"); break; };

save("location"); break; };

lookup("aliases"); if (!uri==myself) { append_hf("P-hint: outbound alias\r\n"); route(1); break; };

# native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { sl_send_reply("404", "Not Found"); break; }; }; append_hf("P-hint: usrloc applied\r\n"); route(1); }

本文参与腾讯云自媒体同步曝光计划，分享自作者个人站点/博客。

原始发表：2019/09/16 ，如有侵权请联系 cloudcommunity@tencent.com 删除

云数据库 SQL Server