pptp+dhcp+mysql+freeradius (configured on AS5.3)
Source: ChinaUnix blog   Date: 2009.06.23 17:58

pptp+mysql+freeradius configuration
1. Software versions:
       mysql 5.0.45, freeradius-server-2.1.3, pptp as shipped with Red Hat AS5.3
       Note: freeradius 2.1.3 is the version that matches mysql 5.0.45; anything newer fails to build the mysql module, i.e. it cannot connect to the mysql 5.0.45 database, at least that is how my build went.
2. Installing pptp
    Install the pptp package from the installation media; nothing more to say about that.
    Download:
           ppp-devel-2.4.4-9.0.rhel5.x86_64.rpm
           ppp-2.4.4-9.0.rhel5.x86_64.rpm
           pptpd-1.3.4-1.rhel5.1.x86_64.rpm
    Install them directly with rpm.
    ppp configuration file:
cat /etc/ppp/options.pptpd
# Authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40        # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}
# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address.  The default local IP address used at the server
# end is often the same as the address of the server.  To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp
# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd
Add a user:
vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
vpntest pptpd  111111 *       # add this line
=========================================
## Load the module
modprobe ppp-compress-18 && echo ok
[root@mail freeradius]# lsmod |grep ppp
ppp_mppe               39881  2
ppp_async              45377  1
crc_ccitt              35265  1 ppp_async
ppp_generic            62689  6 ppp_mppe,ppp_async
slhc                   39745  1 ppp_generic
Firewall settings:
vi iptable.sh
#!/bin/sh
# load any special modules
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
# delete any existing chains
iptables -F
iptables -F -t nat
iptables -X
iptables -Z
# turn on ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp  --dport 22  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0   -p tcp  --dport 21  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
### freeradius firewall rules
iptables -A INPUT -p udp --dport 1812 -j ACCEPT
iptables -A INPUT -p udp --dport 1813 -j ACCEPT
iptables -A INPUT -p udp --dport 1814 -j ACCEPT
## (NAT VPN clients to the server's own address)
iptables -t nat -A POSTROUTING  -s 192.88.0.0/24 -j SNAT --to-source 192.88.50.35
Note: the IP addresses I hand out to clients are in the same subnet as the VPN server; 50.35 is the VPN server itself.
================
Edit /etc/pptpd.conf
localip 192.88.50.35
remoteip 192.88.50.234-238,192.88.50.245
With this in place a client can set up a VPN dial-up connection and dial in.
Pay attention to the client-side settings.
3. Building mysql
  CFLAGS="-O3 -mpentiumpro" CXX=gcc CXXFLAGS="-O3 -felide-constructors -fno-exceptions -fno-rtti -fomit-frame-pointer -ffixed-ebp" ./configure --prefix=/usr/local/mysql5.0.45 --with-unix-socket-path=/tmp/mysql.sock --enable-assembler --with-pthread --with-mysqld-ldflags=-all-static --with-client-ldflags=-all-static  --with-mysqld-user=mysql  --enable-thread-safe-client  --with-charset=utf8 --with-extra-charsets=all --with-mysqld-user=mysql --with-big-tables  --with-archive-storage-engine  --with-example-storage-engine --with-max-indexes=128 --enable-thread-safe-client --enable-server
     When building, include these two parameters: --enable-thread-safe-client --enable-server
        make
        make install
       useradd -M -s /sbin/nologin mysql
       /usr/local/mysql5.0.45/bin/mysql_install_db --user=mysql
       ln -sv /usr/local/mysql5.0.45 /usr/local/mysql
       vi /etc/profile
       export PATH=$PATH:/usr/local/mysql/bin:/usr/local/freeradius/sbin:/usr/local/freeradius/bin
       source /etc/profile
       vi /etc/ld.so.conf
       /usr/local/mysql/lib/mysql
       /usr/local/freeradius/lib ## added ahead of time, heh
       ldconfig -v
       mysqld_safe --user=mysql &
       The mysql database can now be started.
4. Downloading and installing freeradius
#wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.3.tar.gz
# tar zxvf freeradius-server-2.1.3.tar.gz
# cd freeradius-server-2.1.3    (only version 2.1.3 matches mysql 5.0.45; anything newer fails to build the mysql module)
   ./configure --prefix=/usr/local/freeradius |grep "mysql_config"
   Check mainly that all of the mysql-related parameters show yes (mysqlclient_r); if they do not, the build will fail.
   make
   make install
   cd /usr/local/freeradius
   # vi +76 /etc/raddb/users    (uncomment line 76)
   # radiusd -Xs
   # radtest steve testing localhost 1812 testing123
Seeing Access-Accept in the output means success.
Once the test succeeds, revert /etc/raddb/users.
Note: open the firewall ports.
5. Integrating freeradius with mysql
  # mysqladmin -u root -p create radius
  # mysql -u root -p radius
mysql> GRANT SELECT ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpass';
mysql> GRANT ALL on radius.radacct TO 'radius'@'localhost';
mysql> GRANT ALL on radius.radpostauth TO 'radius'@'localhost';
First add some group information:
mysql>use radius;
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask','=','255.255.255.255');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
Then add the user information:
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('test', 'Password', 'test');
Then add the user to the group:
mysql> insert into radusergroup(username,groupname) values('test','user');
mysql> select * from radcheck where UserName='test';
1. Edit /usr/local/freeradius/etc/raddb/sql.conf
   Fill in the mysql username and password for your own setup.
   Line 88: uncomment readclients = yes
2. Edit /usr/local/freeradius/etc/raddb/sites-enabled/default
   Line 145: comment out files
   Line 152: uncomment sql
   Line 308: comment out files
   Line 342: uncomment sql
   Line 374: uncomment sql
   Line 395: uncomment sql
3. Edit /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
   Line 111: comment out files
   Line 118: uncomment sql
   Line 242: uncomment sql
   Line 264: uncomment sql
### In short: disable the files module and enable the sql module.
4. Edit /usr/local/freeradius/etc/raddb/eap.conf
   Line 30: change default_eap_type = md5 to default_eap_type = peap
5. Test
# radtest sqltest testpwd localhost 1812 testing123
Seeing Access-Accept in the output means success.
Reference: http://linux.chinaunix.net/bbs/thread-1061085-1-2.html
So far freeradius+mysql are integrated; pptpd is still running on its own.
6. Integrating pptpd+mysql+freeradius: the exciting moment has arrived.

   mkdir /etc/radiusclient/

   Download the ppp-2.4.4 source and extract it
   cd ppp-2.4.4/ppp-2.4.4/pppd/plugins/radius/etc
   cp * /etc/radiusclient/

vi /etc/radiusclient/radiusclient.conf
auth_order      radius
login_tries     4
login_timeout   60
# logins on /dev/ttyS2)   (default /etc/nologin)
nologin /sbin/nologin
issue   /etc/radiusclient/issue
authserver      localhost:1812
acctserver      localhost:1813
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/local/sbin/login.radius
seqfile         /var/run/radius.seq
# file which specifies mapping between ttyname and NAS-Port attribute
mapfile         /etc/radiusclient/port-id-map
default_realm
# time to wait for a reply from the RADIUS server
radius_timeout  10
# resend request this many times before trying the next server
radius_retries  3
login_local     /bin/login
vi /etc/ppp/options.pptpd
Append at the end:
# put plugins here
# (putting them higher up may cause them to sent messages to the pty)
logfile /var/log/pptpd.log
plugin /usr/lib64/pppd/2.4.4/radius.so
#plugin /usr/lib64/pppd/2.4.4/radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf
### Note: my system is 64-bit, so the modules live under /usr/lib64/pppd/2.4.4. On 32-bit they are in /usr/lib/pppd/2.4.4
vi /etc/radiusclient/servers
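Added example, not from the original post: a small Python auditor that takes the text of an options.pptpd, drops pppd-style `#` comments, and checks that the authentication and encryption choices made above (refuse-pap/chap/mschap, require-mschap-v2, require-mppe-128) and the radius plugin lines just appended are actually active rather than commented out. The two sample configurations are constructed from the lines shown on this page; the plugin check accepts either the 32-bit or the 64-bit path.

```python
import re

# Added example: checks an options.pptpd text against the posture the
# tutorial configures (MS-CHAPv2 only, MPPE-128, RADIUS plugin loaded).
# Required options, each as a regex over one normalised option line.
REQUIRED = {
    "refuse-pap": r"^refuse-pap$",
    "refuse-chap": r"^refuse-chap$",
    "refuse-mschap": r"^refuse-mschap$",
    "require-mschap-v2": r"^require-mschap-v2$",
    "require-mppe-128": r"^require-mppe-128$",
    # the plugin path differs between 32- and 64-bit, so match either
    "radius plugin": r"^plugin \S+/radius\.so$",
    "radius-config-file": r"^radius-config-file \S+$",
}
# Options that bring back the weaker methods the tutorial turns off.
WEAK = {"mppe-40": r"^mppe-40$", "+chapms (MS-CHAPv1)": r"^\+chapms$"}

def active_options(text):
    """Active option lines: '#' starts a comment, whitespace is normalised."""
    lines = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        if code:
            lines.append(" ".join(code.split()))
    return lines

def audit(text):
    """Return findings as strings; an empty list means the file matches."""
    opts = active_options(text)
    findings = ["missing: " + name for name, pat in REQUIRED.items()
                if not any(re.match(pat, o) for o in opts)]
    findings += ["weak option active: " + name for name, pat in WEAK.items()
                 if any(re.match(pat, o) for o in opts)]
    return findings

# Constructed excerpts standing in for /etc/ppp/options.pptpd.
GOOD_CONF = """name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
#mppe-40        # enable either 40-bit or 128-bit, not both
plugin /usr/lib64/pppd/2.4.4/radius.so
radius-config-file /etc/radiusclient/radiusclient.conf
"""
# Same file with 40-bit MPPE switched on and the plugin line commented out.
WEAK_CONF = GOOD_CONF.replace("require-mppe-128", "mppe-40").replace(
    "\nplugin ", "\n#plugin ")
```

Run `audit(open("/etc/ppp/options.pptpd").read())` on the real file; an empty list means it matches the setup described here.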
localhost                                       testing123
vi /etc/radiusclient/dictionary
Add:
INCLUDE /etc/radiusclient/dictionary.microsoft
INCLUDE /etc/radiusclient/dictionary.ascend
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.compat
Otherwise the server log shows errors when a client dials in, the connection fails, and the client reports error 691:
  Connect: ppp0  /dev/pts/5
  rc_avpair_new: unknown attribute 11  rc_avpair_new: unknown attribute 25
  Peer test failed CHAP authentication
  Connection terminated.   
Haha, restart freeradius and pptpd and the connection goes through.
If you cannot reach other machines, check the firewall settings. This is my configuration document; it absolutely works.
Postscript:
   Later I wanted to bind clients by MAC address, but after trying it I found that ppp simply cannot do this. Binding by IP is no problem at all for intranet users, but it is useless for users connecting to the company from the public Internet. I had to give up on it.

   Everyone is welcome to come and discuss.

This article comes from the ChinaUnix blog; the original is at: http://blog.chinaunix.net/u/26978/showart_1974853.html