Original article: http://www.zhukun.net/archives/5375
PPTP + FreeRADIUS + MySQL installation and configuration
FreeRADIUS is an open-source implementation of the RADIUS protocol, and RADIUS provides the authentication, authorization and accounting (AAA) functions. Everything in this article was tested successfully on CentOS 5.7 32-bit.
1. VPN server installation and configuration
# Install the build environment
yum install -y wget gcc gcc-c++ make
# Install ppp
yum install -y ppp
# Install the PPTP VPN
wget http://hello-linux.googlecode.com/files/pptpd_with_freeradius_plugins.sh
chmod +x pptpd_with_freeradius_plugins.sh
./pptpd_with_freeradius_plugins.sh
Note: this PPTP VPN script already includes the FreeRADIUS plugin and cannot be used on its own without FreeRADIUS. If you only want to install a PPTP VPN, do not use this script.
If at this point you get "Error 691: Access was denied because the username and/or password was invalid on the domain", do not worry; this is expected, since the FreeRADIUS server that the plugin authenticates against has not been set up yet.
2. FreeRADIUS client installation and configuration
# Install freeradius-client
cd /root
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.gz
tar zxvf freeradius-client-1.1.6.tar.gz
cd freeradius-client-1.1.6
./configure && make && make install
# Configure freeradius-client
vi /usr/local/etc/radiusclient/radiusclient.conf
Find authserver and acctserver and change both values to localhost.
Comment out the two lines radius_deadtime 0 and bindaddr * (or do it with the following commands):
sed -i 's/^radius_deadtime/#radius_deadtime/' /usr/local/etc/radiusclient/radiusclient.conf
sed -i 's/^bindaddr/#bindaddr/' /usr/local/etc/radiusclient/radiusclient.conf
# Point the client at the FreeRADIUS server and set the shared secret
cat >>/usr/local/etc/radiusclient/servers<<EOF
localhost testing123
EOF
Note: changing this shared secret is not recommended; in my own testing it did not work properly after being changed.
# Add the dictionaries. This step is important; without it Windows clients cannot connect to the server
wget -c http://hello-linux.googlecode.com/files/dictionary.microsoft
mv ./dictionary.microsoft /usr/local/etc/radiusclient/
cat >>/usr/local/etc/radiusclient/dictionary<<EOF
INCLUDE /usr/local/etc/radiusclient/dictionary.sip
INCLUDE /usr/local/etc/radiusclient/dictionary.ascend
INCLUDE /usr/local/etc/radiusclient/dictionary.merit
INCLUDE /usr/local/etc/radiusclient/dictionary.compat
INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft
EOF
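As an added example (not part of the original article), a small POSIX shell script that verifies the three radiusclient edits just described were actually applied: the servers in radiusclient.conf, the entry in the servers file, and the Microsoft dictionary include. Function names are mine, and RADIUSCLIENT_DIR is an assumed override for the install prefix used above.

```shell
#!/bin/sh
# Added example, not from the original article. Each check takes the file
# path as an argument (so it can run on a copy) and returns 0 on success,
# 1 on failure.

# authserver/acctserver must name the RADIUS host, and the radius_deadtime
# and bindaddr lines the guide comments out must not be active.
check_radiusclient_conf() {
    f=$1; host=${2:-localhost}
    grep -Eq "^[[:space:]]*authserver[[:space:]]+$host" "$f" || return 1
    grep -Eq "^[[:space:]]*acctserver[[:space:]]+$host" "$f" || return 1
    grep -Eq "^[[:space:]]*radius_deadtime" "$f" && return 1
    grep -Eq "^[[:space:]]*bindaddr" "$f" && return 1
    return 0
}

# The servers file must hold exactly one "host secret" line for the RADIUS
# host; that secret has to match what the server side (clients.conf or the
# nas table) holds for this client.
check_servers_file() {
    f=$1; host=${2:-localhost}
    n=$(grep -Ec "^[[:space:]]*$host[[:space:]]+[^[:space:]]+" "$f" 2>/dev/null || true)
    [ "${n:-0}" -eq 1 ]
}

# Windows clients use MS-CHAP attributes, so the Microsoft vendor dictionary
# must be INCLUDEd; without it the client cannot encode or decode them.
check_dictionary() {
    grep -Eq "^[[:space:]]*INCLUDE[[:space:]]+.*dictionary\.microsoft" "$1"
}

# report NAME CHECK ARGS...: prints ok/FAIL for one check.
report() {
    name=$1; shift
    if "$@"; then echo "$name: ok"; else echo "$name: FAIL"; fi
}

base=${RADIUSCLIENT_DIR:-/usr/local/etc/radiusclient}
report "radiusclient.conf" check_radiusclient_conf "$base/radiusclient.conf"
report "servers" check_servers_file "$base/servers"
report "dictionary" check_dictionary "$base/dictionary"
```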
3. FreeRADIUS server installation and configuration
# Install MySQL
yum install mysql mysql-devel mysql-server
service mysqld start
chkconfig mysqld on
mysqladmin -uroot -p password NEW_PASSWORD
# You will be asked for the current password; after a fresh MySQL install it is normally empty, so just press Enter
# If MySQL was installed some other way (for example the MySQL bundled with the lnmp one-click installer), also run these two commands:
ln -s /usr/local/mysql/bin/mysql /usr/bin
ln -s /usr/local/mysql/bin/mysqladmin /usr/bin
# Install freeradius-server
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
tar zxf freeradius-server-2.1.12.tar.gz
cd freeradius-server-2.1.12
./configure | grep mysql
# The grep is there to check that the mysql-related configure results all say yes; if not, check the MySQL installation
make && make install
# Local test with the plain-text users file
vi /usr/local/etc/raddb/users
# Find the line steve Cleartext-Password := "testing" and uncomment that whole block:
steve   Cleartext-Password := "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
radiusd -X
# Starts the server in debug mode. If the output contains
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
# the server has started correctly.
# Open a second terminal and run:
radtest steve testing localhost 1812 testing123
# username steve, password testing, shared secret testing123
# The line rad_recv: Access-Accept packet means authentication succeeded
# Integrate FreeRADIUS with MySQL
mysqladmin -u root -p create radius
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/schema.sql
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/nas.sql
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/ippool.sql
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/wimax.sql
mysql -u root -p
mysql> GRANT SELECT ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpass';
mysql> GRANT ALL on radius.radacct TO 'radius'@'localhost';
mysql> GRANT ALL on radius.radpostauth TO 'radius'@'localhost';
mysql> use radius;
# Add the group; in this example the group is named user
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
# Add the user (Cleartext-Password with op := is the form FreeRADIUS 2.x expects in radcheck; the bare Password attribute is deprecated)
mysql> INSERT INTO radcheck (username, attribute, op, value) VALUES ('sqltest', 'Cleartext-Password', ':=', 'testpwd');
# Put the user in the group
mysql> insert into radusergroup(username,groupname) values('sqltest','user');
# Limit the number of simultaneous logins per account
mysql> INSERT INTO radgroupcheck (groupname, attribute, op, value) values ('user', 'Simultaneous-Use', ':=', '1');
vi /usr/local/etc/raddb/sql.conf
# Set the database type, user, password and database name to match your setup
# Find readclients = yes and uncomment it; this enables client lookups from the nas table, so clients.conf is no longer needed
vi /usr/local/etc/raddb/radiusd.conf
# Find $INCLUDE sql.conf (around line 700) and remove the leading #
vi /usr/local/etc/raddb/sites-enabled/default
# In the authorize {} section, comment out files (line 170) and uncomment sql (line 177)
# In the accounting {} section, comment out radutmp (line 396) and uncomment sql (line 406)
# In the session {} section, comment out radutmp (line 450) and uncomment sql (line 454)
# In the post-auth {} section, uncomment sql (lines 475 and 563)
vi /usr/local/etc/raddb/sites-enabled/inner-tunnel
# In the authorize {} section, comment out files (line 124) and uncomment sql (line 131)
# In the session {} section, comment out radutmp (line 251) and uncomment sql (line 255)
# In the post-auth {} section, uncomment sql (lines 277 and 301)
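As an added example (not from the original article), a POSIX shell script that emits the SQL for the MySQL steps above with the values quoted safely: a user in radcheck/radusergroup, the nas row that readclients = yes reads in place of clients.conf, and a query for open radacct sessions that Simultaneous-Use := 1 counts against a user. Column names are those of the 2.1.x schema.sql and nas.sql loaded above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article. Prints SQL that can be
# piped into "mysql -u root -p radius".

# Double every single quote so a username or password containing ' cannot
# break out of the SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# provision_user USERNAME PASSWORD GROUP: store the password as
# Cleartext-Password with op ':=' (the form FreeRADIUS 2.x expects in
# radcheck) and put the account in GROUP, whose radgroupcheck row from the
# steps above carries Simultaneous-Use := 1.
provision_user() {
    u=$(sql_quote "$1"); p=$(sql_quote "$2"); g=$(sql_quote "$3")
    printf "INSERT INTO radcheck (username, attribute, op, value) VALUES ('%s', 'Cleartext-Password', ':=', '%s');\n" "$u" "$p"
    printf "INSERT INTO radusergroup (username, groupname, priority) VALUES ('%s', '%s', 1);\n" "$u" "$g"
}

# add_nas NASNAME SHORTNAME SECRET: with readclients = yes in sql.conf the
# server loads its clients from the nas table at startup, so the PPTP host
# needs a row whose secret equals the one in radiusclient's servers file.
add_nas() {
    n=$(sql_quote "$1"); s=$(sql_quote "$2"); k=$(sql_quote "$3")
    printf "INSERT INTO nas (nasname, shortname, type, secret) VALUES ('%s', '%s', 'other', '%s');\n" "$n" "$s" "$k"
}

# Simultaneous-Use := 1 is enforced through the session {} section against
# radacct. A session that never received Accounting-Stop (pptpd crashed,
# host rebooted) stays open there and locks the user out; this lists such
# sessions so they can be reviewed and closed deliberately instead of
# loosening the limit.
stale_sessions_sql() {
    printf "SELECT username, nasipaddress, acctsessionid, acctstarttime FROM radacct WHERE acctstoptime IS NULL AND acctstarttime < NOW() - INTERVAL 1 DAY;\n"
}

provision_user sqltest testpwd user
add_nas 127.0.0.1 localhost testing123
stale_sessions_sql
```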
# Start FreeRADIUS normally and add it to the boot startup
cd /root
wget http://hello-linux.googlecode.com/files/radiusd
mv radiusd /etc/init.d/
chmod +x /etc/init.d/radiusd
vi /etc/init.d/radiusd
# Find prefix=/usr/local/radius (line 25) and change it to prefix=/usr/local
/etc/init.d/radiusd start
vi /etc/rc.local
# Append /etc/init.d/radiusd start as the last line
# Final test
# Verify with the username and password inserted into the database earlier
radtest sqltest testpwd localhost 1812 testing123
# The line rad_recv: Access-Accept packet means the installation succeeded
At this point the installation is complete.
Possible problems:
/usr/local/etc/raddb/sites-enabled/inner-tunnel[118]: Failed to find module "sql".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
# Check whether the file rlm_sql_mysql.so exists on the system; if it does not, run the following commands in order:
cd /root/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_mysql
./configure --with-mysql-dir=/var/lib/mysql --with-mysql-lib-dir=/var/lib/mysql/lib --with-mysql-include-dir=/var/lib/mysql/include
make && make install
cd /usr/local/lib
cp rlm_sql_mysql.* /root/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_mysql/
radiusd -X
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.12.so: cannot open shared object file: No such file or directory
Run the following command to fix this:
ldconfig
References:
系統之家
WangYan Blog