原文地址:http://www.zhukun.net/archives/5375
PPTP + FreeRADIUS + MySQL 安裝與配置
FreeRADIUS 是實現 RADIUS 協議的開源軟體,而 RADIUS 主要用來實現認證(Authentication)、授權(Authorization)以及計費(Accounting)功能。本文內容在Centos 5.7 32bit下測試成功。
一,VPN伺服器安裝配置
# 安裝編譯環境
yum install -y wget gcc gcc-c++ make |
# 安裝ppp
yum install -y ppp |
# 安裝PPTP VPN
wget http://hello-linux.googlecode.com/files/pptpd_with_freeradius_plugins.shchmod +x pptpd_with_freeradius_plugins.sh./pptpd_with_freeradius_plugins.sh |
注意:此PPTP VPN指令碼已經加入了FreeRADIUS外掛,不能脫離FreeRADIUS獨立使用。如果你只想安裝PPTP VPN的話,請不要使用此指令碼。
此時如果提示“錯誤691:由於域上的使用者名稱和/或密碼無效而拒絕訪問”,請不要擔心,這是正常的。
二,FreeRADIUS 客戶端安裝與配置
# freeradius-client安裝
cd /rootwget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.gztar zxvf freeradius-client-1.1.6.tar.gzcd freeradius-client-1.1.6./configure && make && make install |
# freeradius-client配置
vi /usr/local/etc/radiusclient/radiusclient.conf |
找到 authserver 和 acctserver 將值改為 localhost
將 radius_deadtime 0 和 bindaddr * 將這兩項註釋掉(或者通過以下命令來註釋之)
sed -i 's/radius_deadtime/\#radius_deadtime/g' /usr/local/etc/radiusclient/radiusclient.confsed -i 's/bindaddr/\#bindaddr/g' /usr/local/etc/radiusclient/radiusclient.conf |
# 指定FreeRADIUS Server地址,並設定通訊密碼
cat >>/usr/local/etc/radiusclient/servers<<EOFlocalhost testing123EOF |
注意:這裡的通訊密碼不建議更改!經本人測試,更改後使用不正常。
# 增加字典。這一步很重要!否則windows客戶端無法連線伺服器
wget -c http://hello-linux.googlecode.com/files/dictionary.microsoftmv ./dictionary.microsoft /usr/local/etc/radiusclient/cat >>/usr/local/etc/radiusclient/dictionary<<EOFINCLUDE /usr/local/etc/radiusclient/dictionary.sipINCLUDE /usr/local/etc/radiusclient/dictionary.ascendINCLUDE /usr/local/etc/radiusclient/dictionary.meritINCLUDE /usr/local/etc/radiusclient/dictionary.compatINCLUDE /usr/local/etc/radiusclient/dictionary.microsoftEOF |
三,FreeRADIUS 服務端安裝與配置
# 安裝 mysql
yum install mysql mysql-devel mysql-serverservice mysqld startchkconfig mysqld onmysqladmin -uroot -p password 新密碼# 此時會讓你輸入原密碼,一般 mysql 安裝好以後的初始密碼為空,因此直接回車即可# 如果使用非上述方式安裝了MySQL(比如lnmp一鍵安裝包裡自帶的mysql),請執行以下兩條語句ln -s /usr/local/mysql/bin/mysql /usr/binln -s /usr/local/mysql/bin/mysqladmin /usr/bin |
# 安裝 freeradius-server
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gztar zxf freeradius-server-2.1.12.tar.gzcd freeradius-server-2.1.12./configure | grep mysql# grep 這步操作主要是檢視mysql的幾個引數是不是都是yes,如果不是,需要檢查下mysql安裝.make && make install |
# 基本文字資料的本地測試
vi /usr/local/etc/raddb/users# 找到 steve Cleartext-Password := “testing” , 取消該段的相關注釋steve Cleartext-Password := "testing" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 172.16.3.33, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = Broadcast-Listen, Framed-Filter-Id = "std.ppp", Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP |
radiusd -X# 進入debug日誌輸出模式# 如果有出現Listening on authentication address * port 1812Listening on accounting address * port 1813Listening on command file /usr/local/var/run/radiusd/radiusd.sockListening on proxy address * port 1814Ready to process requests.# 這些字樣說明正常啟動成功了# 重新開啟一個視窗,執行下面這條命令radtest steve testing localhost 1812 testing123 # 使用者名稱steve密碼testing , 連線金鑰testing123# 出現 rad_recv: Access-Accept packet 字樣說明驗證成功 |
# freeradius 和 mysql 整合
mysqladmin -u root -p create radiusmysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/schema.sqlmysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/nas.sqlmysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/ippool.sqlmysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/wimax.sqlmysql -u root -pmysql> GRANT SELECT ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpass';mysql> GRANT ALL on radius.radacct TO 'radius'@'localhost';mysql> GRANT ALL on radius.radpostauth TO 'radius'@'localhost';mysql> use radius;# 加入組資訊,本例中的組名為usermysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');# 加入使用者資訊mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');# 使用者加到組裡mysql> insert into radusergroup(username,groupname) values('sqltest','user');# 限制賬戶同時登陸次數mysql> INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("user", "Simultaneous-Use", ":=", "1"); |
vi /usr/local/etc/raddb/sql.conf# 設定資料庫型別,帳號,密碼,資料庫,根據實際情況修改# 找到 readclients = yes 取消前面的註釋,取消該註釋主要是啟用nas表查詢,clients.conf就可以不需要了vi /usr/local/etc/raddb/radiusd.conf# 查詢$INCLUDE sql.conf(第700行),去掉#號vi /usr/local/etc/raddb/sites-enabled/default# 找到authorize {}模組,註釋掉files(170行),去掉sql前的#號(177行)# 找到accounting {}模組,註釋掉radutmp(396行),去掉sql前面的#號(406行)# 找到session {}模組,註釋掉radutmp(450行),去掉sql前面的#號(454行)# 找到post-auth {}模組,去掉sql前的#號(475行),去掉sql前的#號(563行)vi /usr/local/etc/raddb/sites-enabled/inner-tunnel# 找到authorize {}模組,註釋掉files(124行),去掉sql前的#號(131行)# 找到session {}模組,註釋掉radutmp(251行),去掉sql前面的#號(255行)# 找到post-auth {}模組,去掉sql前的#號(277行),去掉sql前的#號(301行) |
# 正常啟動 FreeRADIUS 並加入開機自啟動項
cd /rootwget http://hello-linux.googlecode.com/files/radiusdmv radiusd /etc/init.d/chmod +x /etc/init.d/radiusdvi /etc/init.d/radiusd# 找到prefix=/usr/local/radius(第25行),將其改為prefix=/usr/local/etc/init.d/radiusd startvi /etc/rc.local# 在最後一行插入/etc/init.d/radiusd start |
# 最終測試
# 用剛才插入資料庫的使用者名稱和密碼來檢驗radtest sqltest testpwd localhost 1812 testing123# 出現 rad_recv: Access-Accept packet 字樣說明安裝已經成功 |
至此,安裝已完成。
可能出現的問題:
/usr/local/etc/raddb/sites-enabled/inner-tunnel[118]: Failed to find module “sql”./usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.# 在系統裡找下是否有rlm_sql_mysql.so這個檔案,如果沒有,那麼依次執行以下命令:cd /root/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_mysql./configure --with-mysql-dir=/var/lib/mysql --with-mysql-lib-dir=/var/lib/mysql/lib --with-mysql-include-dir=/var/lib/mysql/includemake && make installcd /usr/local/libcp rlm_sql_mysql.* /root/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_mysql/ |
radiusd -Xradiusd: error while loading shared libraries:libfreeradius-radius-2.1.12.so: cannot open shared object file: No such file or directory執行以下命令即可:ldconfig |
本文參考:
系統之家
WangYan Blog