Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1198248
  • 博文数量: 253
  • 博客积分: 5892
  • 博客等级: 大校
  • 技术积分: 1942
  • 用 户 组: 普通用户
  • 注册时间: 2011-02-24 14:20
文章分类

全部博文(253)

文章存档

2012年(98)

2011年(155)

分类: 网络与安全

2011-11-27 13:46:46

原文地址:%E5%AE%89%E8%A3%85%E9%85%8D%E7%BD%AE.htm


一. VPN服务器安装配置

# 安装编译环境
yum install -y wget gcc gcc-c++ make
# ppp安装
yum install -y ppp
# pptpd安装
wget http://downloads.sourceforge.net/project/poptop/pptpd/pptpd-1.3.4/pptpd-1.3.4.tar.gz
tar zxvf pptpd
-1.3.4.tar.gz
cd pptpd
-1.3.4
./configure && make && make install
# pptpd配置
vi /etc/pptpd.conf
option
/etc/ppp/options
#logwtmp
localip
192.168.0.1
remoteip
192.168.0.2-254
vi /etc/ppp/options #(这里已经把freeradius-client模块加载进了)
name pptpd
refuse
-pap
refuse
-chap
refuse
-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
idle
2592000
ms
-dns 8.8.8.8
ms
-dns 8.8.4.4
logfile
/var/log/pptpd.log
plugin
/usr/lib/pppd/2.4.4/radius.so
radius
-config-file /usr/local/etc/radiusclient/radiusclient.conf
# freeradius-client安装
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.gz
tar zxvf freeradius
-client-1.1.6.tar.gz
cd freeradius
-client-1.1.6
./configure && make && make install
# freeradius-client配置
# vi /usr/local/etc/radiusclient/radiusclient.conf
找到 authserver 和 acctserver 将值改为 freeradius-server 的IP
找到 radius_deadtime 0 和 bindaddr * 将这两项注释掉
# vi /usr/local/etc/radiusclient/servers (所有内容如下)
192.168.1.100   testing123
192.168.1.100是freeradius-server的IP地址,testing123是连接的服务器的密码
vi /usr/local/etc/radiusclient/dictionary.microsoft #(所有内容如下)
#
# Microsoft's VSA's, from RFC 2548
#
# $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#
 
VENDOR
Microsoft 311 Microsoft
 
ATTRIBUTE MS
-CHAP-Response 1 string Microsoft
ATTRIBUTE MS
-CHAP-Error 2 string Microsoft
ATTRIBUTE MS
-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS
-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS
-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS
-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS
-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS
-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS
-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS
-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS
-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS
-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS
-CHAP-MPPE-Keys 12 string Microsoft
ATTRIBUTE MS
-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS
-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS
-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS
-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS
-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS
-RAS-Version 18 string Microsoft
ATTRIBUTE MS
-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS
-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS
-ARAP-PW-Change-Reason 21 integer Microsoft

ATTRIBUTE MS
-Filter 22 string Microsoft
ATTRIBUTE MS
-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS
-Acct-EAP-Type 24 integer Microsoft
 
ATTRIBUTE MS
-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS
-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS
-CHAP2-CPW 27 string Microsoft

ATTRIBUTE MS
-Primary-DNS-Server 28 ipaddr Microsoft
ATTRIBUTE MS
-Secondary-DNS-Server 29 ipaddr Microsoft
ATTRIBUTE MS
-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS
-Secondary-NBNS-Server 31 ipaddr Microsoft

#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft

#
# Integer Translations
#

# MS-BAP-Usage Values

VALUE MS
-BAP-Usage Not-Allowed 0
VALUE MS
-BAP-Usage Allowed 1
VALUE MS
-BAP-Usage Required 2

# MS-ARAP-Password-Change-Reason Values

VALUE MS
-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS
-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS
-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS
-ARAP-PW-Change-Reason Password-Too-Short 4

# MS-Acct-Auth-Type Values

VALUE MS
-Acct-Auth-Type PAP 1
VALUE MS
-Acct-Auth-Type CHAP 2
VALUE MS
-Acct-Auth-Type MS-CHAP-1 3
VALUE MS
-Acct-Auth-Type MS-CHAP-2 4
VALUE MS
-Acct-Auth-Type EAP 5

# MS-Acct-EAP-Type Values

VALUE MS
-Acct-EAP-Type MD5 4
VALUE MS
-Acct-EAP-Type OTP 5
VALUE MS
-Acct-EAP-Type Generic-Token-Card 6
VALUE MS
-Acct-EAP-Type TLS 13

#
# Experimental extensions, configuration only (for check-items)
# Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE NAS
-Identifier 32 string
ATTRIBUTE
Proxy-State 33 string
ATTRIBUTE
Login-LAT-Service 34 string
ATTRIBUTE
Login-LAT-Node 35 string
ATTRIBUTE
Login-LAT-Group 36 string
ATTRIBUTE
Framed-AppleTalk-Link 37 integer
ATTRIBUTE
Framed-AppleTalk-Network 38 integer
ATTRIBUTE
Framed-AppleTalk-Zone 39 string
ATTRIBUTE
Acct-Input-Packets 47 integer
ATTRIBUTE
Acct-Output-Packets 48 integer
# 8 is a MERIT extension.
VALUE
Service-Type Authenticate-Only 8
vi /usr/local/etc/radiusclient/dictionary (在最底行加入)
INCLUDE
/usr/local/etc/radiusclient/dictionary.sip
INCLUDE
/usr/local/etc/radiusclient/dictionary.ascend
INCLUDE
/usr/local/etc/radiusclient/dictionary.merit
INCLUDE
/usr/local/etc/radiusclient/dictionary.compat
INCLUDE
/usr/local/etc/radiusclient/dictionary.microsoft
# 启动pptpd
modprobe ppp-compress-18
sysctl
-w net.ipv4.ip_forward=1
iptables
-t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
/usr/local/sbin/pptpd
二、Freeradius验证端安装配置
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.gz
tar zxvf freeradius
-server-2.1.10.tar.gz
cd freeradius
-server-2.1.10
./configure | grep mysql
grep
这步操作主要是查看mysql的几个参数是不是都是yes,如果不是,需要检查下mysql安装.
make
&& make install
# 基本文本数据的本地测试
vi /usr/local/etc/raddb/users
# 找到 steve Cleartext-Password := "testing" , 取消该段的相关注释
steve  
Cleartext-Password := "testing"
       
Service-Type = Framed-User,
       
Framed-Protocol = PPP,
       
Framed-IP-Address = 172.16.3.33,
       
Framed-IP-Netmask = 255.255.255.0,
       
Framed-Routing = Broadcast-Listen,
       
Framed-Filter-Id = "std.ppp",
       
Framed-MTU = 1500,
       
Framed-Compression = Van-Jacobsen-TCP-IP
radiusd -X # 执行debug日志输出模式 如果有出现

Quote

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
上面这些字样说明正常启动成功了
# radtest steve testing localhost 1812 testing123 # 用户名steve密码testing , 连接密钥testing123
# 出现 rad_recv: Access-Accept packet 字样说明验证成功

# freeradius和mysql集成
yum install mysql mysql-devel mysql-server
service mysqld start
mysqladmin
-uroot -p password "新密码"
mysqladmin
-u root -p create radius
mysql
-u root -p radius < /usr/local/etc/raddb/sql/mysql/schema.sql
mysql
-u root -p radius < /usr/local/etc/raddb/sql/mysql/nas.sql
mysql
-u root -p radius < /usr/local/etc/raddb/sql/mysql/ippool.sql
mysql
-u root -p radius < /usr/local/etc/raddb/sql/mysql/wimax.sql
mysql
-u root -p
mysql
> GRANT SELECT ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpass';
mysql
> GRANT ALL on radius.radacct TO 'radius'@'localhost';
mysql
> GRANT ALL on radius.radpostauth TO 'radius'@'localhost';
mysql
> use radius;
# 加入组信息
mysql
> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql
> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
mysql
> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
# 加入用户信息
mysql
> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');
# 用户加到组里
mysql
> insert into radusergroup(username,groupname) values('sqltest','user');
# 限制账户同时登陆次数
mysql
> INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("user", "Simultaneous-Use", ":=", "1");
# vi /usr/local/etc/raddb/sql.conf
# 设定数据库类型,帐号,密码,数据库,根据实际情况修改
# 找到 readclients = yes 取消前面的注释,取消该注释主要是启用nas表查询,clients.conf就可以不需要了.

# vi /usr/local/etc/raddb/sites-enabled/default
注释152行,files
取消注释159行,sql
注释355行,files
取消注释389行,sql
取消注释437行,sql
取消注释458行,sql
取消注释546行,sql
注释564行,files
# vi /usr/local/etc/raddb/sites-enabled/inner-tunnel
注释124行,files
取消注释131行,sql
取消注释255行,sql
取消注释277行,sql
取消注释301行,sql
注释353行,files
# vi /usr/local/etc/raddb/radiusd.conf
取消683行 $INCLUDE sql.conf前的#注释

# 再次执行测试
# radiusd -X
如果出现下面信息

Quote

/usr/local/etc/raddb/sites-enabled/inner-tunnel[118]: Failed to find module "sql".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
在系统里找下是否有rlm_sql_mysql.so这个文件,如果没有则要检测一下编译,或者在freeradius-server-2.1.10/src/modules/rlm_sql/drivers/rlm_sql_mysql下重新编译
如果有出现

Quote

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
上面这些字样说明正常启动成功了

# 添加VPN服务器授权验证(如果readclients = yes这步就可以省了)
vi /usr/local/etc/raddb/clients.conf
client
192.168.1.0/24 {
#       ipaddr = 192.168.1.1
        secret
= testing123
        require_message_authenticator
= no
        nastype
= other
}
# radtest sqltest testpwd localhost 1812 testing123 # 用户名sqltest密码testpwd , 连接密钥testing123
# 出现 rad_recv: Access-Accept packet 字样说明验证成功

附: (限制VPN流量)
# vi /usr/local/etc/raddb/radiusd.conf
取消注释695行, $INCLUDE sql/mysql/counter.conf
vi /usr/local/etc/raddb/sql/mysql/counter.conf
# 最底行加入
sqlcounter monthlytrafficcounter
{
        counter
-name = Monthly-Traffic
        check
-name = Max-Monthly-Traffic
        reply
-name = Monthly-Traffic-Limit
        sqlmod
-inst = sql
        key
= User-Name
        reset
= monthly
        query
= "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAM(AcctStartTime) > '%b'"
}
# vi /usr/local/etc/raddb/sites-enabled/default
找到 authorize {
...
}这栏
在 " } " 前面一行加入monthlytrafficcounter
vi /usr/local/etc/raddb/dictionary
# 最底行插入
ATTRIBUTE
Max-Monthly-Traffic 3003 integer
ATTRIBUTE
Monthly-Traffic-Limit 3004 integer
# 限制用户组流量SQL操作
mysql> INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("user1", "Max-Monthly-Traffic", ":=", "1024");
附2
# 针对每个用户分配特定IP
mysql> INSERT INTO radreply (UserName, Attribute, op, Value) values("user", "Framed-IP-Address", ":=", "192.168.0.99");

===============================================================================================
PPTP/L2TP With FreeRadius + MySQL on Debian

 作  者:ihipop
  原文地址:
设置freeradius server部分
apt-get install freeradius freeradius-mysql
cd
/etc/freeradius/
#启用sql.conf
sed
-ie 's/^[ \t]#\$INCLUDE sql.conf$/\$INCLUDE sql.conf/' radiusd.conf
#取消sites-available/default每个SQL前面的注释
sed
-ie 's/^#[ \t]sql$/sql/' sites-available/default
此外 还需要取消sites-available/default里面所有unix和PAM(如果有必要)否则和系统同名的帐户就可能有登录问题

另外radutmp和file也可以注释 用了SQL方式后这些都没有必要了
vim sql.conf
填写数据库用户名 密码 数据库名字等
然后停止radius服务 启用radius调试模式
freeradius  -X
试一下
radtest sqltest testpwd localhost 1812 testing123
应该是不通过Access-Reject packet 才对 同时开freeradius -X的那个终端会打印消息 说明ok了
freeradius server部分设置完毕

设置radiusclient部分

查看PPP版本
apt-cache policy ppp

Quote

ppp:
已安装:2.4.4rel-10.1
候选的软件包:2.4.4rel-10.1
版本列表:
*** 2.4.4rel-10.1 0
500 lenny/main Packages
100 /var/lib/dpkg/status

找到PPPD官网找到PPP2.4.4的源代码
wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.4.tar.gz
tar zxvf ppp
-2.4.4.tar.gz
cd ppp
-2.4.4/pppd/plugins/radius/
cp
-rf etc /etc/radiusclient
当然 也可以在这里找到ftp://ftp.freeradius.org/pub/freeradius/
修改修改里面所有usr开头的路径为etc开头
sed -ie "s/\/usr\/local\/etc\/radiusclient/\/etc\/radiusclient/g" /etc/radiusclient/radiusclient.conf vim /etc/radiusclient/radiusclient.conf
按需要修改radius认证服务器的端口和路径

Quote

authserver localhost:1812
acctserver localhost:1813

vim  /etc/radiusclient/servers
写入Radius认证服务起和密钥对
比如

Quote

localhost testing123

radiusclient部分设置完毕

设置mysql server+daloradius部分

写这篇文章的时候 刚好daloradius0.9-9-rc1出来了 这是三年来首次更新(虽然SVN一直在更新)先装依赖(PHPDB)
apt-get install php5-gd php-pear php-db wget http://sourceforge.net/projects/daloradius/files/daloradius/daloradius0.9-9/daloradius-0.9-9-rc1.tar.gz
解压缩放到web目录下面
先用PHPmyAdmin创建一个radius/radius用户 同时创建一个同名数据库 赋予所有权限,然后
cd contrib/db/
#导入数据库
mysql
-uradius -pradius radius <fr2-mysql-daloradius-and-freeradius.sql
cd
../../library/
vim daloradius
.conf.php
设定CONFIG_DB_USER CONFIG_DB_PASS CONFIG_DB_NAME以及其他为对应的值
然后创建一些基本用户组什么的
INSERT INTO `radius`.`radgroupcheck` (
`id` ,
`groupname` ,
`attribute` ,
`op` ,
`value`)
VALUES (
NULL , 'user', 'Simultaneous-Use', ':=', '1'
), (
NULL , 'vip', 'Simultaneous-Use', ':=', '3');

INSERT INTO `radius`.`radgroupreply` (
`id` ,
`groupname` ,
`attribute` ,
`op` ,
`value`)
VALUES (
NULL , 'user', 'Acct-Interim-Interval', ':=', '300'
), (
NULL , 'vip', 'Acct-Interim-Interval', ':=', '600');
使用默认密码administrator/radius登录daloradius,然后用daloradius添加一个用户test 隶属于user用户组 使用radtest测试下
radtest test pwd localhost 1812 testing123

Quote

Sending Access-Request of id 1 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "pwd"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=1, length=20

mysql server+daloradius部分设置完毕

设置L2TP/PPTP和Radius对接

locate radius.so
查找radius.so的位置 一般是/usr/lib/pppd/2.4.4/
编辑xl2tpd的option文件(这个文件可能是/etc/ppp/options.xl2tpd) 在末尾加上

Quote

plugin /usr/lib/pppd/2.4.4/radius.so
plugin /usr/lib/pppd/2.4.4/radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf

PPTP如法炮制(这个文件可能是/etc/ppp/pptpd-options) ,即可。
这时候就可以使用PPTP/L2TP来连接下,如果没错误。当然是恭喜了。如果出错,看看freeradius -X的前端输出,可以用来诊断下。
关键还是细心谨慎。其实也不是很困难

阅读(1872) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~