pptpd + radius + mysql installation guide (part 2: the radius part)
2006.02.10 by i_amok
1. Required software
freeradius
The configuration files for the radius plugin that ship in the pppd source tree (pppd/plugins/radius/etc).
2. Preparing to install freeradius
Install mysql-devel.i386 (the MySQL client headers and libraries; freeradius needs them to build its MySQL SQL module, which part 3 relies on):
yum install mysql-devel.i386
3. Installing freeradius
http://www.freeradius.org
Download the source; I tested with freeradius-1.1.0.
Install it into a dedicated prefix:
./configure --prefix=/usr/local/freeradius-1.1.0
make
make install
4. Configuring pppd to use radius
4.1 Copy the files
Copy the following directory from the pppd source tree to /etc/radiusclient/ (this assumes /etc/radiusclient does not exist yet; if it already does, cp -R nests the copy as /etc/radiusclient/etc instead):
cp -R ppp-2.4.4b1/pppd/plugins/radius/etc /etc/radiusclient/
4.2 Edit options.pptpd
Add the following line to /etc/ppp/options.pptpd:
plugin /usr/local/lib/pppd/2.4.4b1/radius.so
4.3 Configure servers and radiusclient.conf in /etc/radiusclient
In servers you need to add the address of your radiusd and the shared secret:
[root@kdfng radiusclient]# cat servers
#Server Name or Client/Server pair Key
#---------------- ---------------
#portmaster.elemental.net hardlyasecret
#portmaster2.elemental.net donttellanyone
localhost netdragon
Here localhost means that radiusd runs on this same machine, and netdragon is the shared secret used when talking to it (netdragon is only the example value; on a real server use a long, random secret, since it protects the User-Password and MPPE key attributes on the wire).
In radiusclient.conf:
# service. if this fails also a compiled in default is used.
authserver localhost:1812
# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.
#
acctserver localhost:1813
Confirm that both of these point at the local machine; that is the default, so normally nothing needs changing.
Also make sure that every radiusclient-related path in this file begins with /etc/radiusclient.
5. Configuring freeradius
cd /usr/local/freeradius-1.1.0/etc/raddb
The raddb directory holds all of the freeradius configuration files.
5.1 Edit clients.conf
A note first: every NAS is a client of radiusd, and here the NAS is pptpd, so this file controls which NAS addresses may send requests to the server and which shared secret each must use.
client 127.0.0.1 {
	secret = netdragon
	shortname = iamok
	nastype = other
}
Change the 127.0.0.1 block to look like the above. secret is the one we just set in /etc/radiusclient/servers; the two must be identical, otherwise the login fails (radiusd ignores requests from addresses it has no client block for, and with a mismatched secret the two sides cannot validate each other's packets).
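An added example, not part of the original guide, that cross-checks the two secrets: it reads the radiusclient servers file and the raddb clients.conf and confirms that the entry for a given server name and the block for a given client address agree. The file contents, host names and secrets are constructed sample data written to a temporary directory, so the script runs without touching the real configuration; point the functions at /etc/radiusclient/servers and raddb/clients.conf to check a live setup.

```bash
#!/bin/sh
# Added example (not from the original guide): compare the shared secret the
# pppd radius plugin will use (radiusclient "servers" file) with the one radiusd
# expects from that NAS (raddb "clients.conf"). Only sh + awk are needed.

# Print the secret radiusclient uses for server name $2 in servers file $1.
# Format: "<server> <secret>"; lines starting with '#' are comments.
servers_secret() {
    awk -v h="$2" '/^[ \t]*#/ { next } $1 == h { print $2; exit }' "$1"
}

# Print the secret radiusd expects from client block $2 in clients.conf $1.
# Format: "client <ip> {" ... "secret = <value>" ... "}"
clients_secret() {
    awk -v c="$2" '
        $1 == "client" && $2 == c { inblk = 1; next }
        inblk && $1 == "}"        { exit }
        inblk && /^[ \t]*secret[ \t]*=/ {
            sub(/^[ \t]*secret[ \t]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Return 0 when both sides agree on a non-empty secret, 1 otherwise.
# radiusclient names the server ("localhost"), radiusd names the client by
# address ("127.0.0.1"), so both identifiers are parameters.
check_secret_pair() {   # $1 servers file, $2 server name, $3 clients.conf, $4 client ip
    nas_side=$(servers_secret "$1" "$2")
    srv_side=$(clients_secret "$3" "$4")
    [ -n "$nas_side" ] && [ "$nas_side" = "$srv_side" ]
}

# Constructed sample files: the guide's entries plus a second, deliberately
# mismatched NAS (vpn2.example.net / 192.168.8.2 are made-up names).
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '#Server Name or Client/Server pair Key' \
        'localhost netdragon' \
        'vpn2.example.net othersecret' > "$d/servers"
    printf '%s\n' 'client 127.0.0.1 {' \
        '    secret = netdragon' \
        '    shortname = iamok' \
        '    nastype = other' \
        '}' \
        'client 192.168.8.2 {' \
        '    secret = wrongsecret' \
        '    shortname = vpn2' \
        '}' > "$d/clients.conf"
    echo "$d"
}

D=$(make_samples)
if check_secret_pair "$D/servers" localhost "$D/clients.conf" 127.0.0.1; then
    echo "localhost / 127.0.0.1: secrets match"
fi
check_secret_pair "$D/servers" vpn2.example.net "$D/clients.conf" 192.168.8.2 \
    || echo "vpn2.example.net / 192.168.8.2: secrets differ, this NAS could not log anyone in"
```

Run it as-is to see both outcomes; for a real check replace the two sample paths with /etc/radiusclient/servers and /usr/local/freeradius-1.1.0/etc/raddb/clients.conf.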
5.2 Add a user at the top of the users file
ww	Auth-Type := MS-CHAP, User-Password == "ww", Simultaneous-Use := 1
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	Framed-IP-Netmask = 255.255.255.0
Explanation: ww is the user name,
Auth-Type is the authentication method,
the second ww is the password,
Simultaneous-Use is how many concurrent logins this user name may have.
All of these are check items and must be on the first line.
The lines from the second one onward start with a tab; these are the reply items that the server returns to the RADIUS client (that is, to pptpd).
An IP address of 255.255.255.254 means the address is assigned by the RADIUS client, i.e. by pptpd (RFC 2865 reserves this value to mean "the NAS should select an address for the user").
The last one is the netmask.
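An added example, not from the original guide, that parses a users file in this format: it separates the check items on the first line from the tab-indented reply items, and classifies the Framed-IP-Address reply the way pppd will act on it. The users file it creates is constructed sample data: the entry described above plus a second, static-address user ("admin" with 10.10.110.50) that the page does not have.

```bash
#!/bin/sh
# Added example (not from the original guide): read FreeRADIUS 1.x "users"
# entries. First line of an entry = "<name> <check items>", following lines
# that begin with whitespace = reply items, comma-separated except the last.

# Print the check items of user $2 in users file $1 (first line minus the name).
users_check_items() {
    awk -v u="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        !/^[ \t]/ && $1 == u { sub(/^[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print the reply items of user $2, one "Attribute = value" per line, with the
# leading whitespace and trailing commas stripped.
users_reply_items() {
    awk -v u="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        !/^[ \t]/ { found = ($1 == u); next }
        found { sub(/^[ \t]+/, ""); sub(/,[ \t]*$/, ""); print }
    ' "$1"
}

# Print the value of reply attribute $3 for user $2 ("" if absent).
users_reply_value() {
    users_reply_items "$1" "$2" | awk -v a="$3" -F ' *= *' '$1 == a { print $2; exit }'
}

# Classify a Framed-IP-Address value per RFC 2865 section 5.8.
framed_ip_policy() {
    case "$1" in
        255.255.255.254) echo "nas-assigns" ;;      # pptpd picks from its own pool
        255.255.255.255) echo "user-negotiates" ;;  # the client proposes its address
        "")              echo "unset" ;;            # attribute absent, NAS default applies
        *)               echo "fixed:$1" ;;         # static address set by the server
    esac
}

# Constructed sample users file: the guide's entry plus a made-up static user.
make_users_sample() {
    f=$(mktemp)
    {
        echo '# constructed sample, not a real users file'
        echo 'ww Auth-Type := MS-CHAP, User-Password == "ww", Simultaneous-Use := 1'
        printf '\t%s\n' 'Service-Type = Framed-User,' 'Framed-Protocol = PPP,' \
            'Framed-IP-Address = 255.255.255.254,' 'Framed-IP-Netmask = 255.255.255.0'
        echo
        echo 'admin Auth-Type := MS-CHAP, User-Password == "s3cret"'
        printf '\t%s\n' 'Framed-IP-Address = 10.10.110.50'
    } > "$f"
    echo "$f"
}

F=$(make_users_sample)
echo "check items for ww: $(users_check_items "$F" ww)"
echo "reply items for ww:"
users_reply_items "$F" ww
echo "address policy for ww: $(framed_ip_policy "$(users_reply_value "$F" ww Framed-IP-Address)")"
echo "address policy for admin: $(framed_ip_policy "$(users_reply_value "$F" admin Framed-IP-Address)")"
```

One caveat worth knowing when testing such an entry: because Auth-Type is pinned to MS-CHAP, the mschap module rejects any request that carries no MS-CHAP-Challenge, so a plain PAP check with radtest is refused and the entry can only be exercised with an actual MS-CHAP dial-in, as the guide does in section 6.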
5.3 Run radiusd in debug mode
Still inside raddb, start the server in the foreground with debugging (radiusd -X, the full-debug switch, prints the same information in more detail if you need it):
../../sbin/radiusd -x
You will see:
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
6. Testing
Create a new VPN connection on the client
with user name ww and password ww,
then dial.
If it succeeds, you will see:
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=214, length=144
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "ww"
MS-CHAP-Challenge = 0x729e2492953298b498a766e778defe74
MS-CHAP2-Response = 0xfc00475dd294431a52ee1187d13127c3bf49000000000000000043aad8bb5cd6f5ece16ddae9d20c63d857836053b2197144
Calling-Station-Id = "192.168.8.53"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Sending Access-Accept of id 214 to 127.0.0.1 port 32768
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.0
MS-CHAP2-Success = 0xfc533d31303637323037453037384244433138333441303536434337433044373046363942414446343039
MS-MPPE-Recv-Key = 0x0211fcb6f599479e8ee0a7d8a16a3252
MS-MPPE-Send-Key = 0x91242cedc84a2dc69355c56951119065
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
rad_recv: Accounting-Request packet from host 127.0.0.1:32768, id=215, length=108
Acct-Session-Id = "43EBFF39048300"
User-Name = "ww"
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "192.168.8.53"
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 10.10.110.1
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Delay-Time = 0
Sending Accounting-Response of id 215 to 127.0.0.1 port 32768
Note that the Access-Accept carries Framed-IP-Address = 255.255.255.254 while the Accounting-Request Start record reports Framed-IP-Address = 10.10.110.1: that is the address pptpd picked itself, exactly what the 255.255.255.254 reply item asked for.
That completes the pptp + radius part; the next part adds mysql support to radiusd.
Stop radiusd with Ctrl+C.