Category: LINUX
2009-01-06 19:07:29
Contents
1.1.1 -----------------------------------------------------the most stable Linux server distribution
1.1.2 ------------------------------------------2.6.19 kernel
1.1.3 --------------the kernel's mppe-mppc patch
1.1.4 ---------------------------------------------PPP main program
1.1.5 ------------------ppp's mppe-mppc patch
1.1.6 ---------------------------------------PPPoE main program
1.1.7 -------------------------------FreeRadius server main program
1.1.8 mysql-5.0.67-linux-i686.tar.gz---------------------------MySQL database main program
1.1.9 MySQL-shared-compat-5.0.67-0.rhel5.i386.rpm---MySQL shared libraries
1.1.10 --------------------------freeradius-to-MySQL connector
1.1.11 -------------------------------------------the most popular web server
1.1.12 ----------------------------------------------PHP
1.1.13 ----tool for optimizing PHP code
1.1.14 -------web-based MySQL administration tool
1.1.15 ----------------------------Berkeley DB, the backend database for openldap
1.1.16 -----------------------backend language support for web-based OpenLDAP administration
1.1.17 -------------OpenLDAP main program
1.1.18 --------------------------web access tool for OpenLDAP
Our test network topology is shown in the figure below:
First compile the kernel to add support for MPPE and MPPC, then set up the PPPoE server to terminate the users' PPPoE dial-up sessions; at this stage users are authenticated against a text file (stored with the PPPoE program set).
Next set up the RADIUS server and forward the users' PPPoE dial-up requests to it for authentication.
The RADIUS server is attached to both an OpenLDAP server and a MySQL server: OpenLDAP verifies the user name, password and related information and returns attributes, while MySQL records the user's bandwidth, connection time and generated traffic and returns attributes.
Finally, add web management for the RADIUS, MySQL and OpenLDAP servers, so that users can be created in bulk and managed conveniently (create, delete, modify attributes, and so on). A server system built through these steps fully meets the requirements modern networks place on dial-up access, such as fast authentication and attribute return, reaching the level of hardware such as Redback SmartEdge or Juniper ERX but at a much better price/performance ratio. At the same time, the RADIUS and OpenLDAP servers have stability and performance close to the servers the provinces and cities are using today; some provinces, such as Zhejiang, even manage users with RADIUS alone and have no OpenLDAP server.
The detailed steps are not repeated here; the main configuration files are as follows:
1. [root@mm modules]# cat /etc/ppp/options
lock
crtscts
nobsdcomp
nodeflate
nopcomp
#require-mppe
#mppe-40
#mppe-128
#mppe-stateless
plugin /etc/ppp/plugins/radius.so
radius-config-file /etc/ppp/radius/radiusclient.conf
2. [root@mm modules]# cat /etc/ppp/pppoe-server-options
# PPP options for the PPPoE server
# LIC: GPL
#require-pap
#login
#lcp-echo-interval 10
#lcp-echo-failure 2
##############################################
auth
require-chap
#require-mppe
default-mru
default-asyncmap
lcp-echo-interval 60
lcp-echo-failure 5
ms-dns 202.101.172.35
ms-dns 202.101.172.47
noipdefault
noipx
nodefaultroute
noproxyarp
noktune
172.16.1.10:172.17.1.254
netmask 255.255.255.255
logfile /var/log/pppd.log
3. The OpenLDAP database entry is set up as follows:
dn: cn=radius,ou=profils,dc=mm,dc=com
objectClass: radiusObjectProfile
objectClass: radiusprofile
cn: radius
radiusGroupName: radius
radiusServiceType: Framed-User
radiusFramedProtocol: ppp
radiusFramedIPAddress: 10.10.10.11
radiusFramedIPNetmask: 255.255.255.0
uid: ldaptest1
radiusFramedCompression: Van-Jacobson-TCP-IP
radiusFramedRouting: Broadcast-Listen
radiusFramedMTU: 1500
radiusFilterId: "std.ppp"
userPassword: ldaptest1
radiusAuthType: chap
4. Then add the user (ldaptest1) to MySQL so that accounting can take place:
mysql> insert into radcheck (username,attribute,op,value) values ('ldaptest1','User-Password','==','ldaptest1');
Then add the user to a group:
mysql> insert into usergroup(username,groupname) values('ldaptest1','user');
5. Configure the RADIUS LDAP authentication module, /usr/local/freeradius/etc/raddb/modules/ldap, as follows:
ldap {
server = "localhost"
identity = "cn=Manager,dc=mm,dc=com"
password = testing123
basedn = "ou=profils,dc=mm,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
password_attribute = userPassword
edir_account_policy_check = no
set_auth_type = yes
}
6. Edit the site file under /usr/local/freeradius/etc/raddb/sites-available/ to specify the RADIUS authentication method; the relevant sections are changed as follows:
authorize {
ldap
}
authenticate {
Auth-Type LDAP {
ldap
}
}
accounting {
sql
}
Simply comment out all the other methods.
With the above configuration, all of the servers are configured. Start radiusd in debug mode:
#radiusd -X
The verification process is as follows (three parts: the authentication request, the accounting start request and the accounting stop request):
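The CHAP method selected above (radiusAuthType: chap in the LDAP entry, require-chap in pppoe-server-options) is why userPassword must be stored in the clear: the server recomputes MD5(id || secret || challenge) over the CHAP-Challenge and compares it with the CHAP-Password attribute, which is impossible with a hashed password. The following Python is an added example, not code from the page or from FreeRADIUS; it performs the same check rlm_chap performs, using the CHAP-Challenge, CHAP-Password and user name from the debug output on this page, and the function and constant names are mine.

```python
import hashlib
import hmac

# Values copied from the radiusd -X output on this page (the CHAP-Challenge and
# CHAP-Password attributes of the Access-Request for ldaptest1).
LOGGED_CHALLENGE = bytes.fromhex("7abcb9ac6f368f318969c7351fbdb7b615a49e")
LOGGED_CHAP_PASSWORD = bytes.fromhex("242e7e2035dad2d954264e4eef46c00047")
LOGGED_USER_PASSWORD = "ldaptest1"  # userPassword from the LDAP entry, stored in the clear


def chap_md5_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: response = MD5(id || secret || challenge).
    Only the cleartext secret works here, which is why CHAP forces the
    directory to keep userPassword unhashed."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def make_chap_password(chap_id: int, password: str, challenge: bytes) -> bytes:
    """Build the RADIUS CHAP-Password attribute value the NAS sends:
    one byte CHAP identifier followed by the 16-byte MD5 response."""
    return bytes([chap_id]) + chap_md5_response(chap_id, password, challenge)


def verify_chap_password(chap_password: bytes, password: str, challenge: bytes) -> bool:
    """Server-side check, as rlm_chap does it against the Cleartext-Password that
    rlm_ldap pulled from userPassword; the digest compare is constant-time."""
    if len(chap_password) != 17:
        return False  # malformed attribute: id + 16-byte digest expected
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_md5_response(chap_id, password, challenge)
    return hmac.compare_digest(expected, response)


def check_logged_exchange() -> bool:
    """Re-run the server check over the values captured in the page's log;
    True means the logged Access-Accept is consistent with password ldaptest1."""
    return verify_chap_password(LOGGED_CHAP_PASSWORD, LOGGED_USER_PASSWORD, LOGGED_CHALLENGE)


if __name__ == "__main__":
    print("logged exchange verifies:", check_logged_exchange())
```

Because the server needs the secret in the clear, the slapd ACL on userPassword (and the cn=Manager password in the ldap module) protect every dial-up account's credential, not just the directory.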
rad_recv: Access-Request packet from host 127.0.0.1 port 32768, id=10, length=114
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "ldaptest1"
CHAP-Challenge = 0x7abcb9ac6f368f318969c7351fbdb7b615a49e
CHAP-Password = 0x242e7e2035dad2d954264e4eef46c00047
Calling-Station-Id = "00:1C:C4:CD:68:06"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[ldap] performing user authorization for ldaptest1
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldaptest1)
[ldap] expand: ou=profils,dc=mm,dc=com -> ou=profils,dc=mm,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=profils,dc=mm,dc=com, with filter (uid=ldaptest1)
[ldap] Added User-Password = ldaptest1 in check items
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> Cleartext-Password == "ldaptest1"
rlm_ldap: radiusAuthType -> Auth-Type == CHAP
[ldap] looking for reply items in directory...
rlm_ldap: radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
rlm_ldap: radiusFramedMTU -> Framed-MTU = 1500
rlm_ldap: radiusFilterId -> Filter-Id = "std.ppp"
rlm_ldap: radiusFramedRouting -> Framed-Routing = Broadcast-Listen
rlm_ldap: radiusFramedIPNetmask -> Framed-IP-Netmask = 255.255.255.0
rlm_ldap: radiusFramedIPAddress -> Framed-IP-Address = 10.10.10.11
rlm_ldap: radiusFramedProtocol -> Framed-Protocol = PPP
rlm_ldap: radiusServiceType -> Service-Type = Framed-User
[ldap] user ldaptest1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "ldaptest1" with CHAP password
[chap] Using clear text password "ldaptest1" for user ldaptest1 authentication.
[chap] chap user ldaptest1 authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 10 to 127.0.0.1 port 32768
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1500
Filter-Id = "std.ppp"
Framed-Routing = Broadcast-Listen
Framed-IP-Netmask = 255.255.255.0
Framed-IP-Address = 10.10.10.11
Framed-Protocol = PPP
Service-Type = Framed-User
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 32768, id=11, length=120
Acct-Session-Id = "49631DF90A6E00"
User-Name = "ldaptest1"
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "00:1C:C4:CD:68:06"
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 10.10.10.11
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "49631DF90A6E00",User-Name = "ldaptest1"'
[acct_unique] Acct-Unique-Session-ID = "b4f40c620cbc699b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "ldaptest1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/freeradius/var/log/radius/radacct/127.0.0.1/detail-20090106
[detail] /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/127.0.0.1/detail-20090106
[detail] expand: %t -> Tue Jan 6 17:01:45 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /usr/local/freeradius/var/log/radius/radutmp -> /usr/local/freeradius/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> ldaptest1
++[radutmp] returns ok
[sql] expand: %{User-Name} -> ldaptest1
[sql] sql_set_user escaped user --> 'ldaptest1'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: MYSQL check_error: 1054 received
[sql] Couldn't insert SQL accounting START record - Unknown column 'xascendsessionsvrkey' in 'field list'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstarttime = '2009-01-06 17:01:45', acctstartdelay = '0', connectinfo_start = '' WHERE acctsessionid = '49631DF90A6E00' AND username = 'ldaptest1' AND nasipaddress = '127.0.0.1'
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> ldaptest1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 11 to 127.0.0.1 port 32768
Finished request 4.
Cleaning up request 4 ID 11 with timestamp +224
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 32768, id=12, length=156
Acct-Session-Id = "49631DF90A6E00"
User-Name = "ldaptest1"
Acct-Status-Type = Stop
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
Acct-Session-Time = 3
Acct-Output-Octets = 0
Acct-Input-Octets = 56882
Acct-Output-Packets = 0
Acct-Input-Packets = 233
Calling-Station-Id = "00:1C:C4:CD:68:06"
NAS-Port-Type = Async
Acct-Terminate-Cause = User-Request
Framed-IP-Address = 10.10.10.11
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "49631DF90A6E00",User-Name = "ldaptest1"'
[acct_unique] Acct-Unique-Session-ID = "b4f40c620cbc699b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "ldaptest1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/freeradius/var/log/radius/radacct/127.0.0.1/detail-20090106
[detail] /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/127.0.0.1/detail-20090106
[detail] expand: %t -> Tue Jan 6 17:01:48 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /usr/local/freeradius/var/log/radius/radutmp -> /usr/local/freeradius/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> ldaptest1
++[radutmp] returns ok
[sql] expand: %{User-Name} -> ldaptest1
[sql] sql_set_user escaped user --> 'ldaptest1'
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] expand: %{Acct-Input-Octets} -> 56882
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] expand: %{Acct-Output-Octets} -> 0
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2009-01-06 17:01:48', acctsessiontime = '3', acctinputoctets = '0' << 32 | '56882', acctoutputoctets = '0' << 32 |
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: %{Acct-Session-Time} -> 3
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] expand: %{Acct-Input-Octets} -> 56882
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] expand: %{Acct-Output-Octets} -> 0
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Inpu
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> ldaptest1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 12 to 127.0.0.1 port 32768
Finished request 5.
Cleaning up request 5 ID 12 with timestamp +227
Going to the next request
Waking up in 1.3 seconds.
Cleaning up request 3 ID 10 with timestamp +224
Ready to process requests.
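One detail of the debug output above deserves an automated check: the Accounting-Request with Acct-Status-Type = Start was answered with an Accounting-Response although the INSERT into radacct failed (Unknown column 'xascendsessionsvrkey'), and the following `++[sql] returns ok` line hides that, so the NAS keeps the session up while no accounting row exists. The following Python is an added example, not code from the page; it splits radiusd -X output into requests and reports acknowledged accounting requests whose SQL insert failed. The sample lines are constructed from the log above, and the function and field names are mine.

```python
import re

# Constructed sample: a few lines modelled on the radiusd -X output on this page.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 32768, id=10, length=114
User-Name = "ldaptest1"
Sending Access-Accept of id 10 to 127.0.0.1 port 32768
rad_recv: Accounting-Request packet from host 127.0.0.1 port 32768, id=11, length=120
User-Name = "ldaptest1"
Acct-Status-Type = Start
[sql] Couldn't insert SQL accounting START record - Unknown column 'xascendsessionsvrkey' in 'field list'
++[sql] returns ok
Sending Accounting-Response of id 11 to 127.0.0.1 port 32768
rad_recv: Accounting-Request packet from host 127.0.0.1 port 32768, id=12, length=156
User-Name = "ldaptest1"
Acct-Status-Type = Stop
++[sql] returns ok
Sending Accounting-Response of id 12 to 127.0.0.1 port 32768
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to ")
SQL_FAIL_RE = re.compile(r"^\[sql\] Couldn't insert SQL accounting (\w+) record - (.*)$")


def audit_radiusd_debug(text: str) -> list:
    """Split radiusd -X output at each rad_recv line; per request collect packet
    type, user, Acct-Status-Type, the reply sent and any rlm_sql insert failure."""
    requests, cur = [], None
    for line in text.splitlines():
        if (m := RECV_RE.match(line)):
            cur = {"type": m.group(1), "id": int(m.group(3)), "user": None,
                   "status": None, "reply": None, "sql_error": None}
            requests.append(cur)
        elif cur is None:
            continue  # lines before the first request
        elif line.startswith('User-Name = "'):
            cur["user"] = line.split('"')[1]
        elif line.startswith("Acct-Status-Type = "):
            cur["status"] = line.split("= ", 1)[1]
        elif (m := SEND_RE.match(line)):
            cur["reply"] = m.group(1)
        elif (m := SQL_FAIL_RE.match(line)):
            cur["sql_error"] = f"{m.group(1)}: {m.group(2)}"
    return requests


def unaccounted_sessions(requests: list) -> list:
    """Ids of accounting requests acknowledged to the NAS although no radacct row was written."""
    return [r["id"] for r in requests if r["type"] == "Accounting-Request"
            and r["sql_error"] and r["reply"] == "Accounting-Response"]
```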
Now put these services into operation:
#cd /
#vi pppoeboot
/usr/local/sbin/pppoe-server -k -I eth0 -L 192.168.1.251 -R 172.16.1.11 -N 65534
radiusd
httpd
slapd
/sbin/modprobe ppp_mppe_mppc
Add the lines above, then save and exit.
Then add one line to /etc/rc.d/rc.local:
/pppoeboot
This way the services above start automatically at boot.
[root@mm /]# pstree
init─┬─dbus-daemon
├─events/0
├─gam_server
├─hald───hald-runner─┬─hald-addon-acpi
│ ├─hald-addon-keyb
│ └─hald-addon-stor
├─httpd───10*[httpd]
├─khelper
├─klogd
├─ksoftirqd/0
├─migration/0
├─6*[mingetty]
├─mysqld_safe───mysqld───mysqld───13*[mysqld]
├─pppoe-server
├─radiusd───5*[{radiusd}]
├─slapd───4*[{slapd}]
├─sshd───sshd───bash───pstree
├─syslogd
├─udevd
├─watchdog/0
└─yum-updatesd
[root@mm /]#
Screenshots:
OpenLDAP server management interface:
That is roughly the whole server setup. Some functions are not implemented yet, such as EAP authentication, and the OpenLDAP server is quite interesting and deserves further study and practice.
I hope to discuss this with friends!
张蒙
2009-1-6
chinaunix user 2010-01-12 22:52:17
The Radius management interface is the management suite that ships with freeradius: dialup_admin. In addition, ara can also provide web management of radius; I mention it in another, later blog post of mine.
chinaunix user 2009-06-02 13:48:32
I built a pppoe-server on my own virtual machine with ppp-2.4.4 and rp-pppoe3.8, and I hope to implement accounting and other functions by connecting to a remote radius-server. In your blog and in much of the other material I found online, it seems freeradius is installed as well, putting the pppoe-server and radius-server on one host. Under the ppp source package I saw a radius folder with files such as radiusclient.conf and server; I would like to ask whether this is the radius client provided by ppp? Does that mean I can connect to the remote radius server without installing any other radius client software? Also, /etc/ppp/radius/radiusclient.conf has two lines: login_radius /usr/local/sbin/login.radius and seqfile /var/run/radius.seq, but login.radius and radius.seq cannot be found. How should radiusclient.conf be configured?