Original URL: %E5%AE%89%E8%A3%85%E9%85%8D%E7%BD%AE.htm
1. VPN server installation and configuration
# Install the build environment
yum install -y wget gcc gcc-c++ make
# Install ppp
yum install -y ppp
# Install pptpd
wget http://downloads.sourceforge.net/project/poptop/pptpd/pptpd-1.3.4/pptpd-1.3.4.tar.gz
tar zxvf pptpd-1.3.4.tar.gz
cd pptpd-1.3.4
./configure && make && make install
# Configure pptpd
vi /etc/pptpd.conf
option /etc/ppp/options
#logwtmp
localip 192.168.0.1
remoteip 192.168.0.2-254
vi /etc/ppp/options # (the freeradius-client plugin is already loaded in this file)
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
idle 2592000
ms-dns 8.8.8.8
ms-dns 8.8.4.4
logfile /var/log/pptpd.log
plugin /usr/lib/pppd/2.4.4/radius.so
radius-config-file /usr/local/etc/radiusclient/radiusclient.conf
# Install freeradius-client
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.gz
tar zxvf freeradius-client-1.1.6.tar.gz
cd freeradius-client-1.1.6
./configure && make && make install
# Configure freeradius-client
# vi /usr/local/etc/radiusclient/radiusclient.conf
Find authserver and acctserver and set both to the IP of the freeradius-server host
Find radius_deadtime 0 and bindaddr * and comment both lines out
# vi /usr/local/etc/radiusclient/servers (entire contents below)
192.168.1.100 testing123
192.168.1.100 is the IP address of the freeradius-server host; testing123 is the shared secret for that server
vi /usr/local/etc/radiusclient/dictionary.microsoft # (entire contents below)
#
# Microsoft's VSA's, from RFC 2548
#
# $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#
VENDOR Microsoft 311 Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
#
# Integer Translations
#
# MS-BAP-Usage Values
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
# MS-ARAP-Password-Change-Reason Values
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
# MS-Acct-Auth-Type Values
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
# MS-Acct-EAP-Type Values
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13
#
# Experimental extensions, configuration only (for check-items)
# Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE NAS-Identifier 32 string
ATTRIBUTE Proxy-State 33 string
ATTRIBUTE Login-LAT-Service 34 string
ATTRIBUTE Login-LAT-Node 35 string
ATTRIBUTE Login-LAT-Group 36 string
ATTRIBUTE Framed-AppleTalk-Link 37 integer
ATTRIBUTE Framed-AppleTalk-Network 38 integer
ATTRIBUTE Framed-AppleTalk-Zone 39 string
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
# 8 is a MERIT extension.
VALUE Service-Type Authenticate-Only 8
vi /usr/local/etc/radiusclient/dictionary (append at the bottom)
INCLUDE /usr/local/etc/radiusclient/dictionary.sip
INCLUDE /usr/local/etc/radiusclient/dictionary.ascend
INCLUDE /usr/local/etc/radiusclient/dictionary.merit
INCLUDE /usr/local/etc/radiusclient/dictionary.compat
INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft
# Start pptpd
modprobe ppp-compress-18
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
/usr/local/sbin/pptpd
2. FreeRADIUS authentication server installation and configuration
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.gz
tar zxvf freeradius-server-2.1.10.tar.gz
cd freeradius-server-2.1.10
./configure | grep mysql
This grep is mainly to check that the several mysql entries are all yes; if not, check the mysql installation.
make && make install
# Local test with the plain-text users file
vi /usr/local/etc/raddb/users
# Find steve Cleartext-Password := "testing" and uncomment that block
steve Cleartext-Password := "testing"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 172.16.3.33,
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
Framed-Filter-Id = "std.ppp",
Framed-MTU = 1500,
Framed-Compression = Van-Jacobsen-TCP-IP
radiusd -X # run in debug-output mode
If the output shows:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
then the daemon started successfully
# radtest steve testing localhost 1812 testing123 # user steve, password testing, shared secret testing123
# If rad_recv: Access-Accept packet appears, authentication succeeded
# Integrating freeradius with mysql
yum install mysql mysql-devel mysql-server
service mysqld start
mysqladmin -uroot -p password "新密码"
mysqladmin -u root -p create radius
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/schema.sql
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/nas.sql
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/ippool.sql
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/wimax.sql
mysql -u root -p
mysql> GRANT SELECT ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpass';
mysql> GRANT ALL on radius.radacct TO 'radius'@'localhost';
mysql> GRANT ALL on radius.radpostauth TO 'radius'@'localhost';
mysql> use radius;
# Add the group entries
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
# Add a user
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');
# Put the user in the group
mysql> insert into radusergroup(username,groupname) values('sqltest','user');
# Limit the number of simultaneous logins per account
mysql> INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("user", "Simultaneous-Use", ":=", "1");
# vi /usr/local/etc/raddb/sql.conf
# Set the database type, account, password and database name to match your environment
# Find readclients = yes and remove the leading comment; this enables client lookups from the nas table, so clients.conf is no longer needed.
# vi /usr/local/etc/raddb/sites-enabled/default
Comment out line 152, files
Uncomment line 159, sql
Comment out line 355, files
Uncomment line 389, sql
Uncomment line 437, sql
Uncomment line 458, sql
Uncomment line 546, sql
Comment out line 564, files
# vi /usr/local/etc/raddb/sites-enabled/inner-tunnel
Comment out line 124, files
Uncomment line 131, sql
Uncomment line 255, sql
Uncomment line 277, sql
Uncomment line 301, sql
Comment out line 353, files
# vi /usr/local/etc/raddb/radiusd.conf
On line 683 remove the # in front of $INCLUDE sql.conf
# Run the test again
# radiusd -X
If the following messages appear:
/usr/local/etc/raddb/sites-enabled/inner-tunnel[118]: Failed to find module "sql".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
look for the file rlm_sql_mysql.so on the system; if it is missing, check the build, or rebuild it under freeradius-server-2.1.10/src/modules/rlm_sql/drivers/rlm_sql_mysql
If the output shows:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
then the daemon started successfully
# Add the VPN server as an authorized client (this step can be skipped if readclients = yes)
vi /usr/local/etc/raddb/clients.conf
client 192.168.1.0/24 {
# ipaddr = 192.168.1.1
secret = testing123
require_message_authenticator = no
nastype = other
}
# radtest sqltest testpwd localhost 1812 testing123 # user sqltest, password testpwd, shared secret testing123
# If rad_recv: Access-Accept packet appears, authentication succeeded
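What radtest does on the wire, and why the secret in clients.conf (or the nas table) has to match the one in the radiusclient servers file, is easier to see in code. The following is an added Python example, not code from this post or from FreeRADIUS: it builds the same Access-Request that radtest sends (User-Name, User-Password, NAS-IP-Address, NAS-Port), hides the password with the RFC 2865 MD5 scheme, answers with a bare 20-byte Access-Accept or Access-Reject, and has the client verify the Response Authenticator. The user table, secrets and NAS address are constructed from the values on this page; no sockets are used.

```python
import hashlib
import os
import struct

# RADIUS packet codes and the attribute types radtest sends (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5

# Constructed user table standing in for the radcheck row (sqltest / testpwd) above
USERS = {"sqltest": "testpwd"}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length incl. header, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Inverse of encode_attrs; returns a list of (type, value) pairs."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:  # malformed TLV, stop rather than loop forever
            break
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    if not pw or len(pw) % 16:
        pw += b"\x00" * (16 - len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_request(ident, username, password, secret, nas_ip="127.0.1.1", nas_port=1812):
    """Client (NAS / radtest) side: Access-Request with a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet, secret, users=USERS):
    """Server side: recover the password with *its* secret, then answer Accept or Reject.
    The reply carries no attributes, so its length is the bare 20-byte header, which is
    the 'length=20' that radtest prints."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(request, response, secret):
    """Client side: accept the reply only if it answers our request id and its authenticator
    was computed with our secret. Returns the packet code, or None for a mismatched reply."""
    if response[1] != request[1]:
        return None
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return response[0] if response[4:20] == expected else None


def exchange(username, password, client_secret, server_secret, ident=1):
    """Run one radtest-style round trip and return what the client concludes."""
    req = build_request(ident, username, password, client_secret)
    resp = server_handle(req, server_secret)
    return client_verify(req, resp, client_secret)


if __name__ == "__main__":
    print(exchange("sqltest", "testpwd", b"testing123", b"testing123"))  # 2 = Access-Accept
    print(exchange("sqltest", "wrong", b"testing123", b"testing123"))    # 3 = Access-Reject
    print(exchange("sqltest", "testpwd", b"testing123", b"other"))       # None: secrets differ
```

With the same secret on both sides the Accept/Reject outcome is the real one. With different secrets the server decodes a garbage password and rejects, but the client cannot verify the reply either and drops it: a secret mismatch therefore shows up on the radtest side as no reply at all rather than as an Access-Reject, which is the first thing to check when the test above hangs.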
Appendix: (limiting VPN traffic)
# vi /usr/local/etc/raddb/radiusd.conf
Uncomment line 695, $INCLUDE sql/mysql/counter.conf
vi /usr/local/etc/raddb/sql/mysql/counter.conf
# Append at the bottom
sqlcounter monthlytrafficcounter {
counter-name = Monthly-Traffic
check-name = Max-Monthly-Traffic
reply-name = Monthly-Traffic-Limit
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}
# vi /usr/local/etc/raddb/sites-enabled/default
Find the block
authorize {
...
}
and add monthlytrafficcounter on the line just before the closing " } "
vi /usr/local/etc/raddb/dictionary
# Insert at the bottom
ATTRIBUTE Max-Monthly-Traffic 3003 integer
ATTRIBUTE Monthly-Traffic-Limit 3004 integer
# SQL to limit traffic for a user group
mysql> INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("user1", "Max-Monthly-Traffic", ":=", "1024");
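To make clear what the sqlcounter above actually enforces, here is an added Python example (not part of the post and not the rlm_sqlcounter module itself) that runs the same query against a constructed radacct table in sqlite3 and applies the same decision. Usage is the raw sum of acctinputoctets + acctoutputoctets for sessions started after %b, the first of the current month, so the Max-Monthly-Traffic check value is compared in bytes; once usage reaches the limit the request is rejected, otherwise the remainder is returned as the Monthly-Traffic-Limit reply attribute. The user names, group names, octet counts and the fixed date are all constructed, and AcctStartTime is stored as an epoch here to stand in for UNIX_TIMESTAMP().

```python
import calendar
import sqlite3
from datetime import datetime, timezone

# Constructed "now": 15 March 2011, so the current reset period starts 1 March 2011 00:00 UTC
NOW = datetime(2011, 3, 15, 12, 0, tzinfo=timezone.utc)
MONTH_START = calendar.timegm(datetime(2011, 3, 1, tzinfo=timezone.utc).timetuple())

# Constructed radacct rows: (username, acctstarttime as unix epoch, acctinputoctets, acctoutputoctets)
RADACCT_ROWS = [
    ("alice", MONTH_START + 1 * 86400, 300, 300),    # this month, 600 octets
    ("alice", MONTH_START + 2 * 86400, 250, 250),    # this month, 500 octets -> 1100 in total
    ("alice", MONTH_START - 1 * 86400, 1000, 1000),  # last month, must not count
    ("bob",   MONTH_START + 1 * 86400, 100, 100),    # this month, 200 octets
]

# Constructed stand-ins for radgroupcheck and radusergroup (the INSERT statements above)
GROUP_CHECKS = {"user1": {"Max-Monthly-Traffic": 1024}}
USER_GROUPS = {"alice": "user1", "bob": "user1", "carol": "user"}


def period_start_monthly(now):
    """What the counter substitutes for %b with reset = monthly: the epoch of the 1st of the month."""
    return calendar.timegm(datetime(now.year, now.month, 1, tzinfo=timezone.utc).timetuple())


def build_db(rows=RADACCT_ROWS):
    """In-memory radacct with only the columns the counter query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, "
                 "acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return conn


def monthly_usage(conn, username, now=NOW):
    """The counter query from counter.conf: SUM(in + out) for sessions started after %b."""
    row = conn.execute(
        "SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0) FROM radacct "
        "WHERE username = ? AND acctstarttime > ?",
        (username, period_start_monthly(now)),
    ).fetchone()
    return row[0]


def authorize(conn, username, now=NOW):
    """Mimic the counter's authorize step.
    ('accept', remaining): under the limit, remaining goes back as Monthly-Traffic-Limit
    ('accept', None):      the group has no Max-Monthly-Traffic check item, counter is a no-op
    ('reject', 0):         usage has reached the limit"""
    limit = GROUP_CHECKS.get(USER_GROUPS.get(username), {}).get("Max-Monthly-Traffic")
    if limit is None:
        return ("accept", None)
    used = monthly_usage(conn, username, now)
    if used >= limit:
        return ("reject", 0)
    return ("accept", limit - used)


CONN = build_db()

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, monthly_usage(CONN, user), authorize(CONN, user))
```

Note that the query counts sessions by start time only, so a session that started last month and is still running contributes nothing to this month's total; that is a property of the query on the page, not of this example.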
Appendix 2
# Assign a specific IP to an individual user
mysql> INSERT INTO radreply (UserName, Attribute, op, Value) values("user", "Framed-IP-Address", ":=", "192.168.0.99");
===============================================================================================
PPTP/L2TP With FreeRadius + MySQL on Debian
Author: ihipop
Original URL:
Setting up the freeradius server
apt-get install freeradius freeradius-mysql
cd /etc/freeradius/
#Enable sql.conf (GNU sed takes -i and -e as separate options; "-ie" is -i with backup suffix "e" and leaves a radiusd.confe file behind; the pattern is also made tolerant of whitespace around the #)
sed -i -e 's/^[ \t]*#[ \t]*\$INCLUDE sql.conf$/\t\$INCLUDE sql.conf/' radiusd.conf
#Uncomment every sql in sites-available/default
sed -i -e 's/^[ \t]*#[ \t]*sql$/\tsql/' sites-available/default
In addition, in sites-available/default you also need to comment out every unix and PAM entry (if necessary); otherwise accounts with the same name as a system account may have login problems
radutmp and files can be commented out as well; once the SQL method is in use none of them are needed any more
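Both the line-number edits in section 2 (lines 152, 159, 355, ...) and the sed one-liners above depend on the exact layout of one FreeRADIUS 2.1.x release. The following added Python example (not from either post) does the same job by section name instead: in authorize, accounting, session and post-auth it comments out files, unix and radutmp and uncomments sql, while leaving nested blocks such as Auth-Type PAP { ... } and every other section alone. SAMPLE_DEFAULT is a constructed excerpt shaped like sites-available/default, not the real file; when running it against the real file, diff the result and confirm it with freeradius -X before enabling it.

```python
import re

# Constructed excerpt in the shape of sites-available/default (FreeRADIUS 2.x): sections at
# column 0, one module per line, disabled modules commented with "#<tab>".
SAMPLE_DEFAULT = """\
authorize {
\tpreprocess
#\tsql
\tfiles
\tpap
}
authenticate {
\tAuth-Type PAP {
\t\tpap
\t}
}
accounting {
\tdetail
\tunix
\tradutmp
#\tsql
}
session {
\tradutmp
#\tsql
}
post-auth {
#\tsql
}
"""

SECTION_RE = re.compile(r"^([\w.-]+)\s*\{")


def switch_to_sql(text, sections=("authorize", "accounting", "session", "post-auth"),
                  disable=("files", "unix", "radutmp"), enable=("sql",)):
    """Comment out `disable` and uncomment `enable` at the top level of the named sections only;
    nested blocks (e.g. Auth-Type PAP { ... } in authenticate) and other sections are untouched."""
    out, section, depth = [], None, 0
    for line in text.splitlines():
        stripped = line.strip()
        is_comment = stripped.startswith("#")
        if depth == 0:
            m = SECTION_RE.match(stripped)
            if m and not is_comment:
                section, depth = m.group(1), 1
                out.append(line)
                continue
        elif section in sections and depth == 1:
            body = stripped.lstrip("#").strip()
            if is_comment and body in enable:
                line = "\t" + body            # "#<tab>sql" -> "<tab>sql"
            elif not is_comment and stripped in disable:
                line = "#\t" + stripped       # "<tab>files" -> "#<tab>files"
        if not is_comment:  # braces inside comments must not affect nesting
            depth += stripped.count("{") - stripped.count("}")
            if depth == 0:
                section = None
        out.append(line)
    return "\n".join(out) + "\n"


def enabled_in(text, section):
    """List the uncommented module names at the top level of one section (to check the result)."""
    names, cur, depth = [], None, 0
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("#"):
            continue
        if depth == 0:
            m = SECTION_RE.match(s)
            if m:
                cur, depth = m.group(1), 1
                continue
        elif cur == section and depth == 1 and re.fullmatch(r"[\w.-]+", s):
            names.append(s)
        depth += s.count("{") - s.count("}")
        if depth == 0:
            cur = None
    return names


if __name__ == "__main__":
    print(switch_to_sql(SAMPLE_DEFAULT))
```

Running the function a second time over its own output changes nothing, so it is safe to re-run after a package upgrade rewrites the file.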
vim sql.conf
Fill in the database user name, password, database name, etc.
Then stop the radius service and start radius in debug mode
freeradius -X
Try it
radtest sqltest testpwd localhost 1812 testing123
It should fail with Access-Reject packet; at the same time the terminal running freeradius -X prints messages, which shows it is working
The freeradius server part is done
Setting up radiusclient
Check the PPP version
apt-cache policy ppp
ppp:
已安装:2.4.4rel-10.1
候选的软件包:2.4.4rel-10.1
版本列表:
*** 2.4.4rel-10.1 0
500 lenny/main Packages
100 /var/lib/dpkg/status
Find the PPP 2.4.4 source on the PPPD site
wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.4.tar.gz
tar zxvf ppp-2.4.4.tar.gz
cd ppp-2.4.4/pppd/plugins/radius/
cp -rf etc /etc/radiusclient
Of course, it can also be found at ftp://ftp.freeradius.org/pub/freeradius/
Change every path in it that starts with usr to start with etc
sed -i -e "s/\/usr\/local\/etc\/radiusclient/\/etc\/radiusclient/g" /etc/radiusclient/radiusclient.conf
vim /etc/radiusclient/radiusclient.conf
Adjust the radius authentication server address, port and paths as needed
authserver localhost:1812
acctserver localhost:1813
vim /etc/radiusclient/servers
Write in the Radius authentication server and its shared secret
for example
The radiusclient part is done
Setting up the mysql server + daloradius
At the time of writing daloradius 0.9-9-rc1 had just come out, the first release in three years (although SVN has kept being updated). First install the dependencies (PHP DB)
apt-get install php5-gd php-pear php-db
wget http://sourceforge.net/projects/daloradius/files/daloradius/daloradius0.9-9/daloradius-0.9-9-rc1.tar.gz
Extract it and place it under the web directory
First use phpMyAdmin to create a radius/radius user, create a database of the same name and grant it all privileges, then
cd contrib/db/
#Import the database
mysql -uradius -pradius radius <fr2-mysql-daloradius-and-freeradius.sql
cd ../../library/
vim daloradius.conf.php
Set CONFIG_DB_USER, CONFIG_DB_PASS, CONFIG_DB_NAME and the other values to match
Then create some basic user groups and the like
INSERT INTO `radius`.`radgroupcheck` (
`id` ,
`groupname` ,
`attribute` ,
`op` ,
`value`)
VALUES (
NULL , 'user', 'Simultaneous-Use', ':=', '1'
), (
NULL , 'vip', 'Simultaneous-Use', ':=', '3');
INSERT INTO `radius`.`radgroupreply` (
`id` ,
`groupname` ,
`attribute` ,
`op` ,
`value`)
VALUES (
NULL , 'user', 'Acct-Interim-Interval', ':=', '300'
), (
NULL , 'vip', 'Acct-Interim-Interval', ':=', '600');
Log in to daloradius with the default credentials administrator/radius, then use daloradius to add a user test belonging to the user group, and test it with radtest
radtest test pwd localhost 1812 testing123
Sending Access-Request of id 1 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "pwd"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20
The mysql server + daloradius part is done
Connecting L2TP/PPTP to Radius
locate radius.so
Find where radius.so is; usually /usr/lib/pppd/2.4.4/
Edit the xl2tpd options file (probably /etc/ppp/options.xl2tpd) and append
plugin /usr/lib/pppd/2.4.4/radius.so
plugin /usr/lib/pppd/2.4.4/radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf
Do the same for PPTP (the file is probably /etc/ppp/pptpd-options), and that is it.
Now you can try connecting over PPTP/L2TP; if there are no errors, congratulations. If something goes wrong, look at the foreground output of freeradius -X, which helps with diagnosis.
The key is to be careful and patient. It is really not that hard