OSSH Huawei Portal Debugging Notes

Updated: 2024-01-30 17:13:01

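Portal Server Debugging Notes

Thanks to OSSH for the materials and to the site admin for the support. After one month of debugging, I am writing down the painful debugging process in the hope that it saves others some detours.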

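1. Environment and Topology

PC------SWITCH--------SERVER

PC: 192.168.10.5, gateway 10.1

Switch: the user side is the 10 subnet and the server side is the 20 subnet; see the switch configuration section for details.

Server: CentOS 64-bit, 192.168.20.30, hosting the Portal Server and FreeRadius

2. Technical Principle

The AC here can be an LSW (LAN switch).

In the commands below, anything under a radius-related directory belongs to the FreeRadius component (open source, available for download); anything under the PortalServer directory belongs to the server installed by OSSH.

3. Booting the Operating System

1. Download Ossh-Portal-0.1-cd.iso; a 64-bit VMware virtual machine environment is mandatory.
2. In VMware, create the machine first and choose to install the operating system later (other installation methods do not work).
3. Then install from the ISO, selecting linux2.6.4.
4. 1 CPU, 2 cores, 2 GB RAM, 5 GB disk.
5. Set the NIC to bridged mode rather than NAT, on the same subnet as the physical PC; otherwise the network may be unreachable.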

C:\\Users\\z\\Documents\\Virtual Machines

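4. VM IP Settings

1. VM address: 192.168.20.30
2. Password: m0n0Radius

Often, changing only step 1 below is enough for the host and the VM to ping each other.

1. Configure with the ifconfig command

ifconfig eth0 192.168.20.30 netmask 255.255.255.0

2. Change the gateway

vi /etc/sysconfig/network
192.168.20.1

# A default route must be set to reach external networks; otherwise there is no connectivity
route add default gw 192.168.20.1

3. Set the IP parameters

vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
IPADDR=192.168.20.30
NETMASK=255.255.255.0
GATEWAY=192.168.20.1

DNS is normally configured in /etc/resolv.conf

4. Set DNS

vi /etc/resolv.conf
Add or modify the following two lines to configure two servers:
nameserver 202.197.64.6
nameserver 202.197.64.22
The first is the preferred DNS server and the second is the backup.

5. Restart the interface

# ifdown eth0
# ifup eth0
# service network restart

Log in to Linux over ssh (or configure directly on the console).

Browse to 192.168.20.30:8088; the page below is displayed.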

[root@ossh ~]# netstat -antupl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1070/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1146/master
tcp        0     48 192.168.1.50:22         192.168.1.107:53151     ESTABLISHED 3034/sshd
tcp        0      0 ::ffff:127.0.0.1:8005   :::*                    LISTEN      1183/java
tcp        0      0 :::8009                 :::*                    LISTEN      1183/java
tcp        0      0 :::22                   :::*                    LISTEN      1070/sshd
tcp        0      0 :::8088                 :::*                    LISTEN      1183/java
tcp        0      0 ::1:25                  :::*                    LISTEN      1146/master
udp        0      0 0.0.0.0:1812            0.0.0.0:*                           3028/radiusd
udp        0      0 0.0.0.0:1813            0.0.0.0:*                           3028/radiusd
udp        0      0 0.0.0.0:1814            0.0.0.0:*                           3028/radiusd
udp        0      0 127.0.0.1:18120         0.0.0.0:*                           3028/radiusd
udp        0      0 0.0.0.0:51274           0.0.0.0:*                           3028/radiusd
udp        0      0 :::34153                :::*                                1183/java
[root@ossh ~]# ^C

5. Starting the nginx Service

- It must be started manually after every Linux reboot:

service nginx start

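6. Web Portal Configuration

- Edit the configuration file:

vi /usr/local/portalServer/webapps/portalServer/WEB-INF/classes/configs.prod.properties

Change the following:

# address of the AC server (the switch uplink interface)
acHost=192.168.20.1
# port used to communicate with the AC server
acPort=2000
# shared key configured on the AC for communication with radius and portalServer
sharedSecret=www.ossh.org
#chap 0 pap 1
# authentication type: 0 for chap, 1 for pap
authType=0
# packet send timeout, default 3, in seconds
timeoutSec=3

Save after editing. Note: after every change to the configuration file, the portalServer service must be restarted before the change takes effect.

- Start the portalServer service by running:

/usr/local/portalServer/bin/startup.sh

After a short wait, open a local browser and enter http://<portal address>:8088; if the OSSH web page appears, it is OK.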

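7. User Management

- Add a user

vi /usr/local/etc/raddb/users

This example keeps user names in the users file; a more advanced setup can use mysql.

The information in the screenshot is as follows:

#steve Cleartext-Password := "testing"
steve Cleartext-Password := "testing"
111 Cleartext-Password := "111"

This creates a user 111 with password 111 in the file.

Note: the format is very sensitive; the recommended approach is simply to remove the comment marker from the steve user in the original file.

- Save the file, then restart the radius service

/etc/init.d/rc.radiusd restart

Test authentication

Use the command:

echo "User-Name=<user>,User-Password=<password>" | radclient -x 127.0.0.1:1812 auth testing123

User 1: user name steve, password testing, authentication (auth)

echo "User-Name=steve,User-Password=testing" | radclient -x 127.0.0.1:1812 auth testing123

The figure above shows that the authentication test succeeded and that a series of parameters was returned.

- Test accounting (not needed if you do not do accounting)

Use the command:

echo "User-Name=<user>,User-Password=<password>" | radclient -x 127.0.0.1:1813 acct testing123

User 1: user name steve, password testing, accounting (acct)

echo "User-Name=steve,User-Password=testing" | radclient -x 127.0.0.1:1813 acct testing123

User 2: user name 111, password 111, accounting (acct)

The figure above shows that the accounting request was answered. The returned information is as follows:

Sending Accounting-Request of id 128 to 127.0.0.1 port 1813 User-Name = \ User-Password = \

rad_recv: Accounting-Response packet from host 127.0.0.1 port 1813, id=128, length=20

The returned text shown in blue indicates that the accounting packet test succeeded.

At this point the 111 account can be used to test login authentication on the pop-up web page. The AC side needs the corresponding authentication and accounting templates configured.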

8. Switch Configuration

Vlan 10: user port, g0/0/4, 192.168.10.x
Vlan 20: server port, g0/0/24, 20.30

The switch is configured with the following steps.

Step 1

Create the VLANs and configure the VLANs allowed on each interface so that the network is reachable.

# Create VLAN10 and VLAN20.
[SWITCH] vlan batch 10 20

# Configure E0/0/1, the interface connecting the switch to the upstream network, as an Access interface and add GE0/0/1 to VLAN20.
[SWITCH] interface Ethernet0/0/1
[SWITCH-Ethernet0/0/1] port link-type access
[SWITCH-Ethernet0/0/1] port default vlan 20
[SWITCH-Ethernet0/0/1] quit

# Configure E0/0/2, the interface connecting the switch to RADIUS and portalServer, as an Access interface and add GE0/0/2 to VLAN20.
[SWITCH] interface Ethernet0/0/2
[SWITCH-Ethernet0/0/2] port link-type access
[SWITCH-Ethernet0/0/2] port default vlan 20
[SWITCH-Ethernet0/0/2] quit

# Create VLANIF10 and VLANIF20 and configure their IP addresses so that routes can be established between user terminals, the Switch and intranet resources. Here VLANIF10 is assumed to be 192.168.10.20/24 and VLANIF20 to be 192.168.20.29/24.
[SWITCH] interface vlanif 10
[SWITCH-Vlanif10] ip address 192.168.10.20 24 //10.1
[SWITCH] interface vlanif 20
[SWITCH-Vlanif20] ip address 192.168.20.29 24 //20.1
[SWITCH-Vlanif20] quit

Step 2

Create and configure the RADIUS server template, the AAA scheme and the authentication domain.

# Create and configure the RADIUS server template "rd1".
[SWITCH] radius-server template rd1
[SWITCH-radius-rd1] radius-server authentication 192.168.20.30 1812
[SWITCH-radius-rd1] radius-server shared-key simple testing123    (the value in the manual, www.ossh.org, is wrong)
[SWITCH-radius-rd1] radius-server retransmit 2
[SWITCH-radius-rd1] quit

# Create the AAA scheme "abc" and set its authentication mode to RADIUS.
[SWITCH] aaa
[SWITCH-aaa] authentication-scheme abc
[SWITCH-aaa-authen-abc] authentication-mode radius
[SWITCH-aaa-authen-abc] quit

# Create the authentication domain "ossh.org" and bind the AAA scheme "abc" and the RADIUS server template "rd1" to it.
[SWITCH-aaa] domain ossh.org
[SWITCH-aaa-domain-ossh.org] authentication-scheme abc
[SWITCH-aaa-domain-ossh.org] radius-server rd1
[SWITCH-aaa-domain-ossh.org] quit
[SWITCH-aaa] quit

# Set the global default domain to "ossh.org". A user who enters the user name in the form "user@ossh.org" at access authentication is authenticated by aaa in the ossh.org domain. If the user name carries no domain name, or carries one that does not exist, the user is authenticated in the default domain.
[SWITCH] domain ossh.org

Step 3

Configure external Portal authentication.

# Create and configure the Portal server template named "abc".
[SWITCH] web-auth-server abc
[SWITCH-web-auth-server-abc] server-ip 192.168.20.30
[SWITCH-web-auth-server-abc] port 50100
[SWITCH-web-auth-server-abc] shared-key cipher www.ossh.org
[SWITCH-web-auth-server-abc] url http://192.168.20.30:8088
[SWITCH-web-auth-server-abc] quit

# Enable Portal authentication.
[SWITCH] interface vlanif 10
[SWITCH-Vlanif10] web-auth-server abc direct
[SWITCH-Vlanif10] quit

Step 4

View the parameters of the configured Portal server.

# Run display web-auth-server configuration to view the Portal server configuration.

display web-auth-server configuration
  Listening port        : 2000
  Portal                : version 1, version 2
  Include reply message : enabled
------------------------------------------------------------------------
  Web-auth-server Name : abc
  IP-address           : 192.168.20.30
  Shared-key           : %$%$]$c{$)Bp!XFdN>G2DBG(T#wn%$%$
  Port / PortFlag      : 50100 / NO
  URL                  : http://192.168.20.30:8088
  Bounded Vlanif       : 10
------------------------------------------------------------------------
  1 Web authentication server(s) in total

Step 5

Add a default route on the switch: ip route-static 0.0.0.0 0.0.0.0 192.168.20.1, where 192.168.20.1 is the gateway address of the switch uplink port.

Step 6

Configure the portal whitelist:

portal free-rule 0 destination ip 192.168.1.1 mask 255.255.255.255

Here 192.168.1.1 is the DNS address users need for Internet access after authentication; use the DNS of the real network environment.

Optional configuration:

In interface view (vlan-if, ge): dhcp select relay

# Enable DHCP Relay on interface VLANIF100.
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp select relay

# Portal user offline detection

The portal timer offline-detect command sets the offline detection interval for Portal-authenticated users. The undo portal timer offline-detect command restores the default offline detection interval. By default, the offline detection interval is 300 seconds.

Note: the portal timer offline-detect command applies only to Layer 2 Portal authentication.

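9. Portal Configuration

Install portalServer --- already installed on this OSSH system, so no action is needed.

1) Unpack the portal installation file:

tar -zxvf ./portalServer_2013-12-26.tar.gz

2) Move the files to the target directory:

mv ./portalServer /usr/local

3) Configure the portal parameters (important):

vi /usr/local/portalServer/webapps/portalServer/WEB-INF/classes/configs.prod.properties

Change the following:

# address of the AC server (the switch uplink interface)
acHost=192.168.20.1
# port used to communicate with the AC server
acPort=2000
# shared key configured on the AC for communication with radius and portalServer
sharedSecret=www.ossh.org
#chap 0 pap 1
# authentication type: 0 for chap, 1 for pap
authType=0
# packet send timeout, default 3, in seconds
timeoutSec=3

Save after editing. Note: after every change to the configuration file, the portalServer service must be restarted before the change takes effect.

4) Start the portalServer service by running:

/usr/local/portalServer/bin/startup.sh

After a short wait, open a local browser and enter http://<portal address>:8088; if the login page appears, the installation succeeded.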

10. Free Radius Configuration

- Modify the radius clients:

vi /usr/local/etc/raddb/clients.conf

client localhost {
	# Allowed values are:
	# dotted quad (1.2.3.4)
	# hostname (radius.example.com)
	ipaddr = 192.168.20.30	# 127.0.0.1 must be changed to this server's IP
	# OR, you can use an IPv6 address, but not both
	# at the same time.
	# ...
	secret = testing123	# password; the default can be kept, must match the switch radius key
}

client 192.168.10.5/24 {
	secret = testing123
	shortname = private-network-1
}

The 20.1 subnet must be added or nothing works: the radius server sees the user requests as coming from the LSW uplink interface.

client 192.168.20.1/24 {
	secret = testing123
	shortname = private-network-1
}

Mind the format and align with tabs. Restart radius:

/etc/init.d/rc.radiusd restart
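An added example, not part of the original notes or of FreeRADIUS: a small audit that checks client blocks like the ones above against the guidance in the stock clients.conf comments quoted in Appendix 2 (change the default secret, prefer 16 or more random characters, avoid netmasks other than /32, Message-Authenticator). The finding names, the threshold constant and the hardened sample are assumptions made for illustration.

```python
import ipaddress
import re

CLIENT_RE = re.compile(r"^client\s+(\S+)\s*\{$")
KV_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.+)$")
DEFAULT_SECRETS = {"testing123"}   # stock test secret, used throughout these notes
MIN_SECRET_LEN = 16                # "preferably 16 characters" in the stock comments

# Constructed from the three client blocks shown in section 10.
PAGE_CONFIG = """
client localhost {
    ipaddr = 192.168.20.30
    secret = testing123
}
client 192.168.10.5/24 {
    secret = testing123
    shortname = private-network-1
}
client 192.168.20.1/24 {
    secret = testing123
    shortname = private-network-1
}
"""

# Constructed hardened variant: one NAS, /32, placeholder for a random secret.
HARDENED_CONFIG = """
client 192.168.20.1 {
    secret = REPLACE-WITH-RANDOM-32-CHAR-VALUE
    require_message_authenticator = yes
    shortname = lsw-uplink
}
"""


def parse_clients(text):
    """Return [(name, {option: value})] for top-level 'client NAME { ... }' blocks.

    Simplification: '#' always starts a comment, so quoted secrets that
    contain '#' are not supported by this sketch.
    """
    clients, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = CLIENT_RE.match(line)
        if m:
            current = (m.group(1), {})
            continue
        if line == "}":
            if current is not None:
                clients.append(current)
            current = None
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2).strip().strip('"')
    return clients


def audit(text):
    """Return a list of (client_name, finding) tuples."""
    findings = []
    for name, opts in parse_clients(text):
        addr = opts.get("ipaddr", name)
        if "/" not in addr and "netmask" in opts:
            addr = f"{addr}/{opts['netmask']}"
        try:
            iface = ipaddress.ip_interface(addr)
        except ValueError:
            iface = None
            findings.append((name, "hostname-client"))      # depends on DNS at startup
        if iface is not None and iface.network.num_addresses > 1:
            findings.append((name, "wide-network"))          # every host in the range may send
            if iface.ip != iface.network.network_address:
                findings.append((name, "host-bits-set"))     # written like a host, acts as a subnet
        secret = opts.get("secret", "")
        if secret in DEFAULT_SECRETS:
            findings.append((name, "default-secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "short-secret"))
        if opts.get("require_message_authenticator", "no") != "yes":
            findings.append((name, "no-message-authenticator"))
    return findings


if __name__ == "__main__":
    for client, finding in audit(PAGE_CONFIG):
        print(f"{client}: {finding}")
```

Before turning on require_message_authenticator for a NAS, confirm in radiusd -X output that the switch actually sends Message-Authenticator, since packets without it are silently discarded once it is required.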

- Radius server: vi /usr/local/etc/raddb/radiusd.conf

Restart: /etc/init.d/rc.radiusd restart

- Test in debug mode:

# radiusd -X

If it fails to start, a radius process may already be running; kill it and run the command again. Then open another window and test user authentication against the radius server:

radtest steve testing 127.0.0.1 0 testing123

Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 48374
Ready to process requests.

★ Fix: change localhost in clients.conf (originally 127.0.0.1) to the server's own 192.168.20.30 to resolve the "Ignoring request" problem, and use the 192 address instead of 127 when testing.

- radtest steve testing 127.0.0.1 0 testing123

radtest steve testing 192.168.20.30 0 testing123

[root@ossh ~]# radtest steve testing 192.168.20.30 0 testing123
radclient:: Failed to find IP address for ossh
radclient: Nothing to send.

★ Fix for this failure: edit /etc/hosts and add the line "127.0.0.1 ossh" to resolve the host name (ossh) lookup failure.

/etc/init.d/rc.radiusd restart

Other reference material:

Good material:

http://blog.csdn.net/freefalcon/article/details/1363258

- Restart the portal:

/usr/local/portalServer/bin/startup.sh

[root@ossh raddb]# radiusd -X

FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Jan 26 2014 at 22:21:06
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/cache
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel

11. Bingo: User Login Succeeds

There will be a great many failures along the way and it is a narrow escape; see the references in the appendices.

12. Summary of Key Points

- Add a user: vi /usr/local/etc/raddb/users

steve	Cleartext-Password := "testing"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 192.168.10.5,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-Filter-Id = \
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobsen-TCP-IP

- Modify the radius clients: vi /usr/local/etc/raddb/clients.conf

client localhost {
	# Allowed values are:
	# dotted quad (1.2.3.4)
	# hostname (radius.example.com)
	ipaddr = 192.168.20.30	# 127.0.0.1 must be changed to this server's IP
	# OR, you can use an IPv6 address, but not both
	# at the same time.
	# ...
	secret = testing123	# password; the default can be kept, must match the switch radius key
}

client 192.168.10.5/24 {
	secret = testing123
	shortname = private-network-1
}

The 20.1 subnet must be added or nothing works.

client 192.168.20.1/24 {
	secret = testing123
	shortname = private-network-1
}

/etc/init.d/rc.radiusd restart

- Radius server: vi /usr/local/etc/raddb/radiusd.conf

Restart: /etc/init.d/rc.radiusd restart

- radtest steve testing 127.0.0.1 0 testing123

radtest steve testing 192.168.20.30 0 testing123

[root@ossh ~]# radtest steve testing 192.168.20.30 0 testing123
radclient:: Failed to find IP address for ossh
radclient: Nothing to send.

Edit /etc/hosts and add "127.0.0.1 ossh" to resolve the host name (ossh) lookup failure.

Change localhost in clients.conf to the server's own 20.30 address to resolve the "Ignoring request" problem.

/etc/init.d/rc.radiusd restart

- service nginx start

- User test:

[root@ossh ~]# echo "User-Name=<user>,User-Password=<password>" | radclient -x 192.168.20.30:1812 auth testing123
Sending Access-Request of id 167 to 192.168.20.30 port 1812
User-Name = \
User-Password = \
rad_recv: Access-Accept packet from host 192.168.20.30 port 1812, id=167, length=32
Service-Type = Framed-User
Framed-Protocol = PPP
[root@ossh ~]#

echo "User-Name=<user>,User-Password=<password>" | radclient -x 192.168.20.30:1812 auth testing123
echo "User-Name=<user>,User-Password=<password>" | radclient -x 192.168.20.30:1812 auth testing123

http://hi.http://www.wodefanwen.com//michael7768/item/aae1c733f11333483075a196

Add the client information on the server that hosts freeradius. Edit client.conf and add:

client 125.216.243.40/24 {
	secret = 123456	# the key shared with the client
	shortname = client1	# optional, kept only for compatibility with freeradius 1
}

http://my.oschina.net/zhangdapeng89/blog/49975

4. Open a new SSH terminal and test whether the server is reachable:

radtest testing password 127.0.0.1 0 testing123

If you see Access-Accept, the connection succeeded. If you see text like "Ignoring request to authentication address * port 1812 from unknown client", you may need to edit /etc/raddb/clients.conf and change ipaddr under the client localhost section to the server's IP instead of 127.0.0.1. Once the connection test succeeds, the first line that was temporarily added to users can be deleted.

13. Switching to mysql

The steps above store users in a file, so radius has to be restarted every time a user is added. The following changes store the user information in a database instead.

- Operating system: Centos5.5 X86_64

Radius: Freeradius-1.1.8 ---- OSSH uses version 2.0

- Install MySQL

# yum install mysql        (network install; answer y throughout)
# yum install mysql-devel
# yum install mysql-server

- Install OpenSSL (already installed in the OSSH ISO)

# yum install openssl
# yum install openssl097a.i386
# yum install openssl097a

- Install FreeRadius (already installed in the OSSH ISO)

# tar -zxvf freeradius-1.1.8.tar.gz
# cd freeradius-1.1.8
# ./configure
# yum -y install libtool-ltdl-devel
# make
# make install

- Configure FreeRadius

# cd /usr/local/etc/raddb/
# vi radiusd.conf    // remove the # in front of sql in authorize and accounting ----- newer versions do not need this field changed

authorize {
	preprocess
	chap
	mschap
	suffix
	sql
}

accounting {
	….
	sql
	…
}

- Configure sql

# vi sql.conf    ( vi /usr/local/etc/raddb/sql.conf )

server=\
login=\
password=\    (the root password)
radius_db=\

# vi users    // comment out the following two lines ----- in testing this change was not needed, and Fall-Through could not be found

#DEFAULT Auth-Type = System
#	Fall-Through = 1

- MySQL configuration

Start MySQL

# /etc/init.d/mysqld restart

Change the default password

mysql> UPDATE mysql.user SET password=PASSWORD('123456') WHERE User='root';
mysql> FLUSH PRIVILEGES;

or

# mysqladmin -uroot -p password 123456

Connect to MySQL

# mysql -uroot -p123456

Create the radius database

# mysqladmin -uroot -p123456 create radius

Create the radius tables (this command did not succeed; another way to create them has to be found)

# mysql -uroot -p123456 radius < /root/freeradius-1.1.8/doc/examples/mysql.sql

Create the group and the test account

# mysql -uroot -p123456 radius

Create the group

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.254');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');

Create the test account

mysql> insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');

Add the test account to the group

mysql> insert into usergroup (username,groupname) values ('test','user');

- Start the Radius service and test the account

Start in debug mode

# radiusd -X

Test

# radtest test test localhost 0 testing123    // seeing a reply from radius means success

- Installing and configuring web management --- for reference only, not required

Install PHP

# yum install php
# yum install php-mysql
# yum install mod_auth_mysql

Install Apache

# yum install httpd

Start Apache

# /etc/init.d/httpd restart

Test Apache

# cd /var/www/html/
# vi phpinfo.php

Open in a browser:

http://192.168.0.10/phpinfo.php

Copy dialup_admin

# cp -r /root/freeradius-1.1.8/dialup_admin/ /var/www/html/

Edit admin.conf

# vi /var/www/html/dialup_admin/conf/admin.conf

sql_type:mysql
sql_server:localhost //sql address
sql_port:3306 //default port
sql_username:root
sql_password:123456 //password
sql_database:radius //database name
general_charset: UTF-8 //avoids garbled characters in the browser
general_base_dir: /var/www/html/dialup_admin //dialup_admin home directory
general_domain: company.com //may be changed or left alone, it has no real effect; changing it is only cosmetic
general_radius_server_auth_proto: chap //change pap to chap
general_encryption_method: clear //change crypt to clear

general_encryption_method: clear must be changed; otherwise, after a user is added through the web management interface, the password is stored encrypted, cannot be recognized, and authentication fails. The clear method stores passwords in plaintext; freeradius stores passwords in plaintext by default, and the two must match, so clear is used here.

Edit naslist.conf

# vi /var/www/html/dialup_admin/conf/naslist.conf

nas1_name: nas1.%{general_domain}
nas1_model: Computer //type of the NAS server
nas1_ip: 192.168.1.1 //IP address of the NAS server
nas1_port_num: 15
nas1_community: public

Delete everything else or comment it out with #. The purpose of this change is to make the users connected to each NAS server easy to see in the web management interface.

Import the related database tables

# cd /var/www/html/dialup_admin/sql

mysql -uroot -p123456 radius < userinfo.sql //remove default '0'
mysql -uroot -p123456 radius < totacct.sql
mysql -uroot -p123456 radius < mtotacct.sql
mysql -uroot -p123456 radius < badusers.sql //remove default '0'

Edit httpd.conf so that it supports PHP3

# vi /etc/httpd/conf/httpd.conf

Append at the end of this file:

AddType application/x-httpd-php .php .html .htm .php3

Turn off SQL debug mode

# vi /var/www/html/dialup_admin/conf/admin.conf

sql_debug: false

Restart Httpd

# /etc/init.d/httpd restart

Open the web interface

http://192.168.0.10/dialup_admin/htdocs/index.html

Note

To provide authentication for other NAS servers, just edit the clients.conf file under /usr/local/etc/raddb and append:

client 192.168.1.1 {	# change the IP address to the address of the NAS server
	secret = testing123	# password used between the NAS server and the Radius server
	shortname = NAS	# does not matter, fill in anything
	nastype = other
}

14. Appendix 1: Debugging Record

After the user name is entered on the web page, the reaction is as follows:

Start radius debug mode:

OSSH# radiusd -X

If it fails to start, use netstat -antpul to find the process holding 1812/1813, kill it, then run this command again.

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 48374
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 48374
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 48374
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 60625
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 60625
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 60625
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.20.1 port 1812, id=3, length=295
User-Name = \
CHAP-Password = 0x03ca026f1a3349e9ba24a758df6caf60a9
CHAP-Challenge = 0x41d94f7d395dbf652bef1b9749a9cbb9
NAS-Port = 16394
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.10.5
Calling-Station-Id = \
NAS-Identifier = \
NAS-Port-Type = Ethernet

NAS-Port-Id = \ Called-Station-Id = \77\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\\377\

NAS-IP-Address = 192.168.20.1

Huawei-Startup-Stamp = 1222819255

Huawei-IPHost-Addr = \
Huawei-Connect-ID = 20
Huawei-Version = \
Huawei-Product-ID = \
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = \
[suffix] No such realm \
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No \good\password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by \
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 111
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 3 to 192.168.20.1 port 1812
Waking up in 4.9 seconds.
Cleaning up request 0 ID 3 with timestamp +613
Ready to process requests.
^C
[root@ossh ~]#

- After editing on top of the commented-out user entry, the problem no longer occurs (the user written earlier in the file; the format has requirements; more content?):

rad_recv: Access-Request packet from host 192.168.20.1 port 1812, id=1, length=134
User-Name = \
CHAP-Password = 0x12a2089683ab41fb41f2bdb17fb7f55ac8
CHAP-Challenge = 0xb6184d31bf1eaa1be245aa57d77f4365
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = \
NAS-Port-Type = Ethernet
Acct-Session-Id = \
NAS-IP-Address = 192.168.20.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = \
[suffix] No such realm \
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by \
[chap] Using clear text password \
[chap] chap user steve authenticated succesfully
++[chap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 1 to 192.168.20.1 port 1812
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.10.5
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = \
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 12 ID 1 with timestamp +1975
Ready to process requests.
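The two traces above differ only in what the users file supplied: the DEFAULT entry carries no Cleartext-Password, the steve entry does. The following added example (not from the original notes and not FreeRADIUS source) recomputes RADIUS CHAP as defined in RFC 2865 to show why the server needs the cleartext value; chap_module and its return strings are a hypothetical model of the outcomes seen in the logs, and the sample ID and challenge are constructed.

```python
"""RADIUS CHAP check: CHAP-Password = ID || MD5(ID || password || challenge)."""
import hashlib
import hmac

# Constructed sample exchange (not taken from the page).
SAMPLE_ID = 0x2A
SAMPLE_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PASSWORD = b"testing"   # the password these notes use for steve

# Values copied from the second debug log above (user steve).
PAGE_CHAP_PASSWORD = bytes.fromhex("12a2089683ab41fb41f2bdb17fb7f55ac8")
PAGE_CHAP_CHALLENGE = bytes.fromhex("b6184d31bf1eaa1be245aa57d77f4365")


def chap_password_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Build the 17-byte CHAP-Password value the NAS/portal side sends."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server side: recompute the digest from the stored cleartext and compare."""
    if len(chap_password) != 17:
        return False
    expected = chap_password_attr(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


def chap_module(chap_password: bytes, challenge: bytes, user_entry: dict) -> str:
    """Hypothetical model of the [chap] outcomes in the traces.

    user_entry is the set of check items matched in the users file (or SQL).
    """
    cleartext = user_entry.get("Cleartext-Password")
    if cleartext is None:
        # First trace: "Cleartext-Password is required for authentication"
        return "invalid"
    if verify_chap(chap_password, challenge, cleartext.encode()):
        return "ok"        # second trace: "returns ok"
    return "reject"        # wrong password: digest does not match


def hashed_store_can_verify(chap_password: bytes, challenge: bytes, password: bytes) -> bool:
    """A server that kept only a one-way hash can only feed that hash into MD5.

    The digest it computes never equals the one the client built from the
    real password, which is why CHAP forces cleartext (or reversible) storage.
    """
    stored = hashlib.sha256(password).hexdigest().encode()
    return verify_chap(chap_password, challenge, stored)


if __name__ == "__main__":
    attr = chap_password_attr(SAMPLE_ID, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    print("DEFAULT entry, no password :", chap_module(attr, SAMPLE_CHALLENGE, {}))
    print("steve entry, right password:",
          chap_module(attr, SAMPLE_CHALLENGE, {"Cleartext-Password": "testing"}))
    print("entry with other password  :",
          chap_module(attr, SAMPLE_CHALLENGE, {"Cleartext-Password": "111"}))
    print("hash-only store verifies   :",
          hashed_store_can_verify(attr, SAMPLE_CHALLENGE, SAMPLE_PASSWORD))
    # Check of the values captured in the notes against the steve password.
    print("page capture vs 'testing'  :",
          verify_chap(PAGE_CHAP_PASSWORD, PAGE_CHAP_CHALLENGE, b"testing"))
```

The same constraint is behind the general_encryption_method: clear setting in section 13: with authType=0 (chap) on the portal, any password the radius server cannot read back in cleartext cannot be verified.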

15. Appendix 2: Debugging Process

ess-Accept packet from host 127.0.0.1 port 1812, id=71, length=20
[root@ossh ~]# echo "Message-Authenticator = 0x00" | radclient -x 127.0.0.1:1813 status testing123
Sending Status-Server of id 66 to 127.0.0.1 port 1813
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Accounting-Response packet from host 127.0.0.1 port 1813, id=66, length=20
[root@ossh ~]#

[root@ossh ~]# vi /usr/local/etc/raddb/clients.conf
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id$

#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a \
# other clients.
#
# In version 1.x, the string after the word \
# address of the client. In 2.0, the IP address is configured via
# the \ For compatibility, the 1.x
# format is still accepted.
#
client localhost {
	# Allowed values are:
	# dotted quad (1.2.3.4)
	# hostname (radius.example.com)
	ipaddr = 127.0.0.1

	# OR, you can use an IPv6 address, but not both
	# at the same time.
#	ipv6addr = ::	# any. ::1 == localhost

	#
	# A note on DNS: We STRONGLY recommend using IP addresses
	# rather than host names. Using host names means that the
	# server will do DNS lookups when it starts, making it
	# dependent on DNS. i.e. If anything goes wrong with DNS,
	# the server won't start!
	#
	# The server also looks up the IP address from DNS once, and
	# only once, when it starts. If the DNS record is later
	# updated, the server WILL NOT see that update.
	#

	# One client definition can be applied to an entire network.
	# e.g. 127/8 should be defined with \
	# \
	#
	# If not specified, the default netmask is 32 (i.e. /32)
	#
	# We do NOT recommend using anything other than 32. There
	# are usually other, better ways to achieve the same goal.
	# Using netmasks of other than 32 can cause security issues.
	#
	# You can specify overlapping networks (127/8 and 127.0/16)
	# In that case, the smallest possible network will be used
	# as the \
	#
	# Clients can also be defined dynamically at run time, based
	# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
	# etc.
	# See raddb/sites-available/dynamic-clients for details.
	#

#	netmask = 32

	#
	# The shared secret use to \and \packets between
	# the NAS and FreeRADIUS. You MUST change this secret from the
	# default, otherwise it's not a secret any more!
	#
	# The secret can be any string, up to 8k characters in length.
	#
	# Control codes can be entered vi octal encoding,
	# e.g. \== \
	# Quotation marks can be entered by escaping them,
	# e.g. \
	#
	# A note on security: The security of the RADIUS protocol
	# depends COMPLETELY on this secret! We recommend using a
	# shared secret that is composed of:
	#
	# upper case letters
	# lower case letters
	# numbers
	#
	# And is at LEAST 8 characters long, preferably 16 characters in
	# length. The secret MUST be random, and should not be words,
	# phrase, or anything else that is recognizable.
	#
	# The default secret below is only for testing, and should
	# not be used in any real environment.
	#
	secret = testing123

	#
	# Old-style clients do not send a Message-Authenticator
	# in an Access-Request. RFC 5080 suggests that all clients
	# SHOULD include it in an Access-Request. The configuration
	# item below allows the server to require it. If a client
	# is required to include a Message-Authenticator and it does
	# not, then the packet will be silently discarded.
	#
	# allowed values: yes, no
	require_message_authenticator = no

	#
	# The short name is used as an alias for the fully qualified
	# domain name, or the IP address.
	#
	# It is accepted for compatibility with 1.x, but it is no
	# longer necessary in 2.0
	#
#	shortname = localhost

	#
	# the following three fields are optional, but may be used by
	# checkrad.pl for simultaneous use checks
	#

	#
	# The nastype tells 'checkrad.pl' which NAS-specific method to
	# use to query the NAS for simultaneous use.
	#
	# Permitted NAS types are:
	#
	# cisco
	# computone
	# livingston
	# juniper
	# max40xx
	# multitech
	# netserver
	# pathras
	# patton
	# portslave
	# tc
	# usrhiper
	# other # for all other types

	#
	nastype = other # localhost isn't usually a NAS...

	#
	# The following two configurations are for future use.
	# The 'naspasswd' file is currently used to store the NAS
	# login name and password, which is used by checkrad.pl
	# when querying the NAS for simultaneous use.
	#
#	login = !root
#	password = someadminpas

	#
	# As of 2.0, clients can also be tied to a virtual server.
	# This is done by setting the \
	# item, as in the example below.
	#
#	virtual_server = home1

	#
	# A pointer to the \
	# section that contains the CoA configuration for this
	# client. For an example of a coa home server or pool,
	# see raddb/sites-available/originate-coa
#	coa_server = coa
}

# IPv6 Client
#client ::1 {
#	secret = testing123
#	shortname = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
#	secret = testing123
#	shortname = localhost
#}

#client some.host.org {
#	secret = testing123
#	shortname = localhost
#}

#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#	secret = testing123-1
#	shortname = private-network-1
#}
#
#client 192.168.0.0/16 {
#	secret = testing123-2
#	shortname = private-network-2
#}

#client 10.10.10.10 {
#	# secret and password are mapped through the \
#	secret = testing123
#	shortname = liv1
#	# the following three fields are optional, but may be used by
#	# checkrad.pl for simultaneous usage checks
#	nastype = livingston
#	login = !root
#	password = someadminpas
#}

#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have \
#  sections, or you can re-use a list among multiple \
#
#  Un-comment this section, and edit a \
#  \ That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
#	client 192.168.3.4 {
#		secret = testing123
#	}
#}

#zxg
client 192.168.1.107 {
	ipaddr = 192.158.100.2
	secret = testing123
}

http://bbs.chinaunix.net/thread-1363488-1-1.html

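The thread above treats this as a syntax problem in the users file and requires the user to be added at the very top of the file --- after removing the comment marker from the steve entry, it worked.

16. Appendix 3 - Switch debugging information

The switch shows the user's failed login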

display aaa online-fail-record all
-------------------------------------------------------------------
User name : steve
Domain name : ossh.org
User MAC : 0021-cc71-c906
User access type : Unknown
User access interface : GigabitEthernet0/0/4
Qinq Vlan/User Vlan: 0/10
User IP address : 192.168.10.5
User ID : 38
User login time : 2008/10/01 07:02:07
User online fail reason: Authenticate fail
Authen reply message : -

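Testing the AAA flow from the switch

test-aaa steve testing radius-template rd1
Info: Account test time out.

This indicates an authentication error between RADIUS/Portal and the switch. To fix it, check that the keys match:

Switch radius share-key == RADIUS server password (secret) --- testing123 in this document
Switch web-portal share-key == portal server password () --- www.ossh.org in this document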
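One way to run the share-key check above against clients.conf, as an added example (not part of the original notes or of FreeRADIUS): it lists the uncommented client blocks, picks the most specific entry for a NAS address as the clients.conf comments describe, and compares its secret with the switch's share-key. The sample configuration is constructed except for its last block, and the rule that an ipaddr item takes precedence over the block name is an assumption about FreeRADIUS 2.x.

```python
import ipaddress
import re

# Constructed sample modelled on the excerpt above; only the last block is the page's own.
CLIENTS_CONF = """\
#client 10.10.10.10 {
#    secret = testing123
#}
client 192.168.0.0/24 {
    secret = testing123-1
}
client 192.168.0.0/16 {
    secret = testing123-2
}
#zxg
client 192.168.1.107 {
    ipaddr = 192.158.100.2
    secret = testing123
}
"""
BLOCK = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
ITEM = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def active_clients(conf):
    """Return (network, secret) for every uncommented client block."""
    text = re.sub(r"#.*", "", conf)       # commented-out blocks disappear here
    found = []
    for name, body in BLOCK.findall(text):
        items = dict(ITEM.findall(body))
        addr = items.get("ipaddr", name)  # assumption: ipaddr overrides the block name
        try:
            found.append((ipaddress.ip_network(addr, strict=False), items.get("secret")))
        except ValueError:
            continue                      # hostname clients are not resolved here
    return found

def secret_for(conf, nas_ip):
    """Secret of the most specific client covering nas_ip, or None if unknown."""
    ip = ipaddress.ip_address(nas_ip)
    hits = [(net.prefixlen, secret) for net, secret in active_clients(conf) if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def check(conf, nas_ip, share_key):
    """Classify how a request from nas_ip signed with share_key would be treated."""
    secret = secret_for(conf, nas_ip)
    if secret is None:
        return "unknown client"           # radiusd ignores it, the NAS only sees a timeout
    return "ok" if secret == share_key else "secret mismatch"
```

Under that assumption the page's own entry covers only 192.158.100.2, so a request arriving from 192.168.1.107 does not pick up its secret.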

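17. Appendix 4 - Portal server debugging

Viewing the Portal failure log

When authentication fails, check the users/client files. They are format-sensitive, so reuse the format of an existing user entry wherever possible.

[root@ossh jdk]# tail -n 100 /usr/local/portalServer/logs/catalina.out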

2014-05-11 01:23:37,358 DEBUG [portal.util.PortalClient] sending: 192.168.20.29:2000
2014-05-11 01:23:37,360 DEBUG [portal.util.PortalClient] [1, 1, 0, 0, de, 1c, 0, 0, c0, a8, 1, 6b, 0, 0, 0, 0]
2014-05-11 01:23:37,442 ERROR [org.codehaus.groovy.grails.web.errors.GrailsExceptionResolver] IOException occurred when processing request: [GET] /portalServer/auth/plogin
Network is unreachable. Stacktrace follows:
java.io.IOException: Network is unreachable
    at java.net.DatagramSocket.send(DatagramSocket.java:625)
    at portal.util.PortalClient.send(PortalClient.groovy:51)
    at portal.packet.PortalSend.send(PortalSend.groovy:91)
    at portal.packet.ReqChallenge.(ReqChallenge.groovy:15)
    at portal.user.PortalUser.reqChallenge(PortalUser.groovy:238)
    at portal.user.PortalUser$__clinit__closure5_closure6_closure17.doCall(PortalUser.groovy:108)
    at grails.plugin.fsm.FsmSupport.fire(FsmSupport.groovy:172)
    at grails.plugin.fsm.FsmUtils$__clinit__closure10.doCall(FsmUtils.groovy:82)
    at portal.user.serv.UserService.login(UserService.groovy:24)
    at portal.user.AuthController$_closure7.doCall(AuthController.groovy:322)
    at grails.plugin.cache.web.filter.PageFragmentCachingFilter.doFilter(PageFragmentCachingFilter.java:195)
    at grails.plugin.cache.web.filter.AbstractFilter.doFilter(AbstractFilter.java:63)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)

2014-05-11 01:46:14,774 DEBUG [portal.util.PortalClient] sending: 192.168.20.29:2000
2014-05-11 01:46:14,778 DEBUG [portal.util.PortalClient] [1, 1, 0, 0, af, 48, 0, 0, c0, a8, 1, 6b, 0, 0, 0, 0]
2014-05-11 01:46:14,922 ERROR [org.codehaus.groovy.grails.web.errors.GrailsExceptionResolver] IOException occurred when processing request: [GET] /portalServer/auth/plogin
Network is unreachable. Stacktrace follows:
java.io.IOException: Network is unreachable
    at java.net.DatagramSocket.send(DatagramSocket.java:625)
    at portal.util.PortalClient.send(PortalClient.groovy:51)
    at portal.packet.PortalSend.send(PortalSend.groovy:91)
    at portal.packet.ReqChallenge.(ReqChallenge.groovy:15)
    at portal.user.PortalUser.reqChallenge(PortalUser.groovy:238)
    at portal.user.PortalUser$__clinit__closure5_closure6_closure17.doCall(PortalUser.groovy:108)
    at grails.plugin.fsm.FsmSupport.fire(FsmSupport.groovy:172)
    at grails.plugin.fsm.FsmUtils$__clinit__closure10.doCall(FsmUtils.groovy:82)
    at portal.user.serv.UserService.login(UserService.groovy:24)
    at portal.user.AuthController$_closure7.doCall(AuthController.groovy:322)
    at grails.plugin.cache.web.filter.PageFragmentCachingFilter.doFilter(PageFragmentCachingFilter.java:195)
    at grails.plugin.cache.web.filter.AbstractFilter.doFilter(AbstractFilter.java:63)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)

2014-05-11 01:46:15,869 DEBUG [portal.util.PortalClient] sending: 192.168.20.29:2000
2014-05-11 01:46:15,871 DEBUG [portal.util.PortalClient] [1, 1, 0, 0, 54, 14, 0, 0, c0, a8, 1, 6b, 0, 0, 0, 0]
2014-05-11 01:46:15,973 ERROR [org.codehaus.groovy.grails.web.errors.GrailsExceptionResolver] IOException occurred when processing request: [GET] /portalServer/auth/plogin
Network is unreachable. Stacktrace follows:
java.io.IOException: Network is unreachable
    at java.net.DatagramSocket.send(DatagramSocket.java:625)
    at portal.util.PortalClient.send(PortalClient.groovy:51)
    at portal.packet.PortalSend.send(PortalSend.groovy:91)
    at portal.packet.ReqChallenge.(ReqChallenge.groovy:15)
    at portal.user.PortalUser.reqChallenge(PortalUser.groovy:238)
    at portal.user.PortalUser$__clinit__closure5_closure6_closure17.doCall(PortalUser.groovy:108)
    at grails.plugin.fsm.FsmSupport.fire(FsmSupport.groovy:172)
    at grails.plugin.fsm.FsmUtils$__clinit__closure10.doCall(FsmUtils.groovy:82)
    at portal.user.serv.UserService.login(UserService.groovy:24)
    at portal.user.AuthController$_closure7.doCall(AuthController.groovy:322)
    at grails.plugin.cache.web.filter.PageFragmentCachingFilter.doFilter(PageFragmentCachingFilter.java:195)
    at grails.plugin.cache.web.filter.AbstractFilter.doFilter(AbstractFilter.java:63)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)

2014-05-11 01:46:26,105 DEBUG [portal.util.PortalClient] sending: 192.168.20.29:2000
2014-05-11 01:46:26,107 DEBUG [portal.util.PortalClient] [1, 1, 0, 0, 9f, 62, 0, 0, c0, a8, 1, 6b, 0, 0, 0, 0]
2014-05-11 01:46:26,187 ERROR [org.codehaus.groovy.grails.web.errors.GrailsExceptionResolver] IOException occurred when processing request: [GET] /portalServer/auth/plogin
Network is unreachable. Stacktrace follows:
java.io.IOException: Network is unreachable
    at java.net.DatagramSocket.send(DatagramSocket.java:625)
    at portal.util.PortalClient.send(PortalClient.groovy:51)
    at portal.packet.PortalSend.send(PortalSend.groovy:91)
    at portal.packet.ReqChallenge.(ReqChallenge.groovy:15)
    at portal.user.PortalUser.reqChallenge(PortalUser.groovy:238)
    at portal.user.PortalUser$__clinit__closure5_closure6_closure17.doCall(PortalUser.groovy:108)
    at grails.plugin.fsm.FsmSupport.fire(FsmSupport.groovy:172)
    at grails.plugin.fsm.FsmUtils$__clinit__closure10.doCall(FsmUtils.groovy:82)
    at portal.user.serv.UserService.login(UserService.groovy:24)
    at portal.user.AuthController$_closure7.doCall(AuthController.groovy:322)
    at grails.plugin.cache.web.filter.PageFragmentCachingFilter.doFilter(PageFragmentCachingFilter.java:195)
    at grails.plugin.cache.web.filter.AbstractFilter.doFilter(AbstractFilter.java:63)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)

2014-05-11 01:46:41,394 DEBUG [portal.util.PortalClient] sending: 192.168.20.29:2000
2014-05-11 01:46:41,395 DEBUG [portal.util.PortalClient] [1, 1, 0, 0, 46, a7, 0, 0, c0, a8, 1, 6b, 0, 0, 0, 0]
2014-05-11 01:46:41,530 ERROR [org.codehaus.groovy.grails.web.errors.GrailsExceptionResolver] IOException occurred when processing request: [GET] /portalServer/auth/plogin
Network is unreachable. Stacktrace follows:
java.io.IOException: Network is unreachable
    at java.net.DatagramSocket.send(DatagramSocket.java:625)
    at portal.util.PortalClient.send(PortalClient.groovy:51)
    at portal.packet.PortalSend.send(PortalSend.groovy:91)
    at portal.packet.ReqChallenge.(ReqChallenge.groovy:15)
    at portal.user.PortalUser.reqChallenge(PortalUser.groovy:238)
    at portal.user.PortalUser$__clinit__closure5_closure6_closure17.doCall(PortalUser.groovy:108)
    at grails.plugin.fsm.FsmSupport.fire(FsmSupport.groovy:172)
    at grails.plugin.fsm.FsmUtils$__clinit__closure10.doCall(FsmUtils.groovy:82)
    at portal.user.serv.UserService.login(UserService.groovy:24)
    at portal.user.AuthController$_closure7.doCall(AuthController.groovy:322)
    at grails.plugin.cache.web.filter.PageFragmentCachingFilter.doFilter(PageFragmentCachingFilter.java:195)
    at grails.plugin.cache.web.filter.AbstractFilter.doFilter(AbstractFilter.java:63)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)
[root@ossh jdk]# ^C
[root@ossh jdk]#
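The bracketed hex lines in the log above are the Portal packets the server tried to send to the switch. The following added example (not part of the original notes or of the OSSH portal code) decodes such a line into header fields; the 16-byte Portal v1 header layout, the type names and the /24 mask of the user segment are assumptions not stated on this page.

```python
import ipaddress
import re
import struct

# Assumed 16-byte Portal v1 header: ver, type, pap/chap, rsvd, serial(2),
# req_id(2), user_ip(4), user_port(2), err_code, attr_num (network byte order).
HEADER = struct.Struct("!BBBBHH4sHBB")
TYPES = {1: "REQ_CHALLENGE", 2: "ACK_CHALLENGE", 3: "REQ_AUTH", 4: "ACK_AUTH",
         5: "REQ_LOGOUT", 6: "ACK_LOGOUT", 7: "AFF_ACK_AUTH", 8: "NTF_LOGOUT"}
AUTH = {0: "CHAP", 1: "PAP"}
DUMP = re.compile(r"\[portal\.util\.PortalClient\] \[([0-9a-f, ]+)\]\s*$")
# Assumption: the user-side "10 segment" from the topology section is a /24.
USER_NET = ipaddress.ip_network("192.168.10.0/24")

def decode_dump(line):
    """Decode one PortalClient hex-dump log line; return None for other lines."""
    m = DUMP.search(line)
    if not m:
        return None
    raw = bytes(int(tok.strip(), 16) for tok in m.group(1).split(","))
    if len(raw) < HEADER.size:
        raise ValueError("short Portal header: %d bytes" % len(raw))
    ver, typ, auth, _, serial, req_id, ip, port, err, nattr = HEADER.unpack(raw[:16])
    user_ip = ipaddress.IPv4Address(ip)
    return {
        "version": ver,
        "type": TYPES.get(typ, "UNKNOWN(%d)" % typ),
        "auth": AUTH.get(auth, "UNKNOWN(%d)" % auth),
        "serial": serial,
        "req_id": req_id,
        "user_ip": str(user_ip),
        "user_port": port,
        "err_code": err,
        "attr_num": nattr,
        "in_user_net": user_ip in USER_NET,  # False: login came from another segment
    }

# Two lines copied from the catalina.out excerpt above.
SAMPLE = [
    "2014-05-11 01:23:37,358 DEBUG [portal.util.PortalClient] sending: 192.168.20.29:2000",
    "2014-05-11 01:23:37,360 DEBUG [portal.util.PortalClient] [1, 1, 0, 0, de, 1c, 0, 0, c0, a8, 1, 6b, 0, 0, 0, 0]",
]

if __name__ == "__main__":
    for line in SAMPLE:
        fields = decode_dump(line)
        if fields:
            print(fields)
```

For the logged packet the decoded user IP is 192.168.1.107, which is not in the 192.168.10.x user segment that the switch's fail record reports for steve.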

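18. Appendix 5 - Common commands

How to use vi commands:

i: the insert command

Press ESC to bring up command mode. Last-line mode commands:
:w: save the current file
:q: quit vi
:q!: quit vi without saving the file
:e filename: open the file filename for editing
:x: save the current file and quit
/keyword: search; n jumps to the next match
pwd: show the current path

I. Searching in vi:

After you open a file in vi, how do you find the keyword you are looking for when the file is too long? vi has no Menu -> Find, but that does not matter: in command mode type a slash (/), and a "/" appears in the status bar (the bottom-left corner of the screen). Then type the keyword you want to find and press Enter. To keep searching for the same keyword, press n. Note that "/" searches downward while "?" searches upward, and on the keyboard "?" happens to be the shifted character of "/".

Check the RADIUS version: radiusd -v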

Source of this article: https://www.bwwdw.com/article/jfmw.html
