FreeRADIUS and daloRADIUS Setup Notes
I. Installation environment
System: CentOS 6.5, IP: 192.168.30.242, hostname: vpn.org
Software: PPTP and LAMP are already installed (make sure both are installed correctly and working).
II. Packages
ppp-2.4.5.tar.gz, daloradius-0.9-8.tar.gz, go-pear.phar. These are the only files that have to be downloaded separately; fetch them with wget from the official sites, or from the network drive: Baidu Netdisk link, password: rjs8
III. Installation
- Install the following FreeRADIUS packages with yum and configure them.
[root@vpn ~]# yum -y install freeradius freeradius-mysql freeradius-utils
After installation, edit /etc/raddb/users (back up the original file before editing) and add the following line at the very end:
testing Cleartext-Password := "password"
This line means: testing is a username (the default test account that ships with the installation) and its password, stored in cleartext, is password. Nothing else needs to change; save the file.
Run radiusd -X to start debug mode. The command prints a lot of output and finally stops at these two lines:
Listening on proxy address * port 1814
Ready to process requests.
It then waits for login tests. One thing to watch: the radiusd service must be stopped before entering debug mode, otherwise it reports an error. Then open a new terminal.
In the new terminal, enter:
[root@vpn ~]# radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 249 to 127.0.0.1 port 1812
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 192.168.30.242
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=249, length=20
The last line, Access-Accept, shows that authentication succeeded. Now comment out the line added in the previous step.
- Next, download the ppp source package.
Link: http://download.chinaunix.net/download.php?id=35207&ResourceID=8334
After downloading, extract it and copy the radiusclient files into place:
[root@vpn ~]# tar zxvf ppp-2.4.5.tar.gz
[root@vpn ~]# cp -R /root/ppp-2.4.5/pppd/plugins/radius/etc/ /usr/local/etc/radiusclient
- Now edit /usr/local/etc/radiusclient/servers and add a server/secret pair. I added localhost yxzcVPN.
[root@vpn ~]# vi /usr/local/etc/radiusclient/servers
#Server Name or Client/Server pair       Key
#----------------                        ---------------
#portmaster.elemental.net                hardlyasecret
#portmaster2.elemental.net               donttellanyone
localhost                                yxzcVPN
Edit /usr/local/etc/radiusclient/dictionary and add the following at the end of the file:
[root@vpn ~]# vim /usr/local/etc/radiusclient/dictionary
#INCLUDE /etc/radiusclient/dictionary.microsoft
(The line above is the default; comment it out by hand and add the two lines below.)
INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft
INCLUDE /usr/local/etc/radiusclient/dictionary.merit
Edit /etc/raddb/clients.conf and change the secret in the client localhost block to the secret just chosen, yxzcVPN:
[root@vpn ~]# vim /etc/raddb/clients.conf
secret = testing123
becomes
secret = yxzcVPN
Edit /etc/raddb/radiusd.conf: find $INCLUDE sql.conf and remove the leading #, then find $INCLUDE sql/mysql/counter.conf and remove its leading # as well.
[root@vpn ~]# vim /etc/raddb/radiusd.conf
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
- Enter MySQL and create the radius database:
[root@vpn ~]# mysql
mysql> create database radius;
Query OK, 1 row affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
- Edit /etc/raddb/sql.conf and set the login (username), password and radius_db (database name) fields:
[root@vpn ~]# vim /etc/raddb/sql.conf
sql {
        #
        #  Set the database to one of:
        #
        #       mysql, mssql, oracle, postgresql
        #
        database = "mysql"

        #
        #  Which FreeRADIUS driver to use.
        #
        driver = "rlm_sql_${database}"

        # Connection info:
        server = "localhost"
        #port = 3306
        login = "root"
        password = ""

        # Database table configuration for everything except Oracle
        radius_db = "radius"

        readclients = yes
Also find the readclients line, set it to yes and remove the leading #.
Edit /etc/raddb/sites-enabled/default:
[root@vpn ~]# vim /etc/raddb/sites-enabled/default
authorize section: comment out files, enable sql
preacct section: comment out files
accounting section: enable sql
session section: enable sql
post-auth section: enable sql
pre-proxy section: comment out files
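The steps above change several files by hand, and a mismatch between them (most often the shared secret in radiusclient's servers file versus clients.conf) makes every authentication fail without an obvious message. The script below is an added sanity check, not part of the original write-up and not a FreeRADIUS tool: it compares the two secrets for localhost, confirms that both $INCLUDE lines in radiusd.conf are uncommented, and confirms that readclients = yes is active in sql.conf. File paths are passed as arguments so it can be pointed at the real files or at a test copy; the sample files it writes are constructed, and all function names are my own.

```shell
#!/bin/sh
# Added sanity check (not part of the original post). Verifies the hand edits:
#   1. secret for "localhost" in radiusclient's servers file == secret in the
#      "client localhost { ... }" block of clients.conf
#   2. "$INCLUDE sql.conf" and "$INCLUDE sql/mysql/counter.conf" are uncommented
#   3. "readclients = yes" is active in sql.conf

# Secret for server $2 in radiusclient servers file $1 ("<server> <secret>", '#' = comment).
radiusclient_secret() {
    awk -v srv="$2" '$1 !~ /^#/ && $1 == srv { print $2; exit }' "$1"
}

# Secret inside the "client <$2> { ... }" block of clients.conf file $1.
clients_conf_secret() {
    awk -v name="$2" '
        $1 == "client" && $2 == name { inblock = 1; next }
        inblock && $1 == "}"         { inblock = 0 }
        inblock && $1 == "secret"    { print $3; exit }
    ' "$1"
}

# True if radiusd.conf file $1 has an active (uncommented) "$INCLUDE $2" line.
include_active() {
    grep -q "^[[:space:]]*[\$]INCLUDE[[:space:]]*$2" "$1"
}

# True if sql.conf file $1 has an uncommented "readclients = yes".
readclients_enabled() {
    grep -q '^[[:space:]]*readclients[[:space:]]*=[[:space:]]*yes' "$1"
}

# Run every check; each problem goes to stderr, return code is non-zero on any problem.
check_radius_config() {
    servers=$1 clients=$2 radiusd=$3 sql=$4
    rc=0
    rcs=$(radiusclient_secret "$servers" localhost)
    fcs=$(clients_conf_secret "$clients" localhost)
    if [ -z "$rcs" ] || [ "$rcs" != "$fcs" ]; then
        echo "secret mismatch: radiusclient='$rcs' clients.conf='$fcs'" >&2; rc=1
    fi
    for inc in sql.conf sql/mysql/counter.conf; do
        include_active "$radiusd" "$inc" || { echo "\$INCLUDE $inc is still commented out in radiusd.conf" >&2; rc=1; }
    done
    readclients_enabled "$sql" || { echo "readclients is not set to yes in sql.conf" >&2; rc=1; }
    return $rc
}

# Constructed sample files (not copied from a real host) in directory $1,
# with $2 as the clients.conf secret; the servers file always says yxzcVPN.
write_sample() {
    printf '#Server Name or Client/Server pair Key\nlocalhost yxzcVPN\n' > "$1/servers"
    printf 'client localhost {\n\tipaddr = 127.0.0.1\n\tsecret = %s\n}\n' "$2" > "$1/clients.conf"
    printf '$INCLUDE sql.conf\n$INCLUDE sql/mysql/counter.conf\n' > "$1/radiusd.conf"
    printf 'sql {\n\treadclients = yes\n}\n' > "$1/sql.conf"
}

# Stand-alone demonstration: a matching sample passes, a mismatching one fails.
tmp=$(mktemp -d)
write_sample "$tmp" yxzcVPN
check_radius_config "$tmp/servers" "$tmp/clients.conf" "$tmp/radiusd.conf" "$tmp/sql.conf" && echo "matching sample: OK"
write_sample "$tmp" testing123
check_radius_config "$tmp/servers" "$tmp/clients.conf" "$tmp/radiusd.conf" "$tmp/sql.conf" || echo "mismatching sample: problems found (expected)"
rm -rf "$tmp"
```

On the real host run it as check_radius_config /usr/local/etc/radiusclient/servers /etc/raddb/clients.conf /etc/raddb/radiusd.conf /etc/raddb/sql.conf before starting radiusd -X; the same comparison is worth repeating whenever the secret is rotated later.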
2. Configure daloRADIUS
- First download the daloradius package, then a pear package (php-db needs to be installed).
[root@vpn ~]# wget http://sourceforge.net/projects/daloradius/files/daloradius/daloradius-0.9-8/daloradius-0.9-8.tar.gz
[root@vpn ~]# wget http://pear.php.net/go-pear.phar
[root@vpn ~]# php go-pear.phar
[root@vpn ~]# pear install DB
Create the directory and extract the package:
[root@vpn ~]# mkdir /usr/share/daloRadius
[root@vpn ~]# tar zxvf daloradius-0.9-8.tar.gz
[root@vpn ~]# mv daloradius-0.9-8/* /usr/share/daloRadius/
[root@vpn ~]# rm -rf daloradius-0.9-8
- Next, import the database schema:
[root@vpn ~]# mysql -uroot -p radius < /usr/share/daloRadius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
Edit the daloRADIUS configuration file /usr/share/daloRadius/library/daloradius.conf.php so that it reads as follows:
[root@vpn ~]# vim /usr/share/daloRadius/library/daloradius.conf.php
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_USER'] = 'root';
$configValues['CONFIG_DB_PASS'] = '';
$configValues['CONFIG_DB_NAME'] = 'radius';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
$configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/usr/share/daloRadius/var';
Create the web directory link:
[root@vpn ~]# cd /var/www/html/
[root@vpn ~]# ln -s /usr/share/daloRadius/ admin
In this environment the daloRADIUS admin page is http://192.168.30.242/admin; log in with the default user administrator and password radius.
- Restart httpd and mysqld, and enable them at boot:
[root@vpn ~]# service mysqld restart
[root@vpn ~]# service httpd restart
[root@vpn ~]# chkconfig httpd on
[root@vpn ~]# chkconfig mysqld on
3. Configure PPPD
- Edit /etc/ppp/options.pptpd:
[root@vpn ~]# vim /etc/ppp/options.pptpd
(Make sure these 5 lines are present and set exactly like this.)
refuse-pap
refuse-chap
refuse-mschap
require-mppe-128
require-mschap-v2
(Add the following 3 lines.)
plugin radius.so
plugin radattr.so
radius-config-file /usr/local/etc/radiusclient/radiusclient.conf
- Traffic control: enter MySQL and run these INSERT statements:
[root@vpn ~]# mysql
mysql> use radius;
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Auth-Type',':=','Local');
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Service-Type',':=','Framed-User');
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Framed-IP-Address',':=','255.255.255.255');
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Framed-IP-Netmask',':=','255.255.255.0');
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Acct-Interim-Interval',':=','600');
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Max-Monthly-Traffic',':=','5368709120');
mysql> INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES ('user','Simultaneous-Use',':=','1');
- Now open daloRADIUS and add a new user under Management; make sure the password type is Cleartext-Password. After creation a confirmation window appears, as shown in the figure below.
- Now test it: start debug mode with radiusd -X (stop the radiusd service first), open another window and run a login test:
[root@vpn ~]# radtest xiaoming xiaoming localhost 0 yxzcVPN
Sending Access-Request of id 227 to 127.0.0.1 port 1812
        User-Name = "xiaoming"
        User-Password = "xiaoming"
        NAS-IP-Address = 192.168.30.242
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=227, length=20
The test succeeded. Once testing is done, start the radiusd service!
- Something to watch for in the previous step: if starting debug mode reports the following error
/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
/etc/raddb/sites-enabled/default[177]: Failed to load module "sql".
/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
- Fix: go into the database and add the missing column:
[root@vpn ~]# mysql
mysql> use radius;
mysql> ALTER TABLE `radius`.`nas` ADD COLUMN `server` VARCHAR(45) NOT NULL AFTER `secret`;
- Once the test succeeds, add the statements that check traffic during authentication: open /etc/raddb/sites-enabled/default and insert the following in the authorize section:
[root@vpn ~]# vi /etc/raddb/sites-enabled/default
update request {
        Group-Name := "%{sql:SELECT groupname FROM radusergroup WHERE username='%{User-Name}' ORDER BY priority}"
}
if ("%{sql: SELECT SUM(acctinputoctets+acctoutputoctets) FROM radacct WHERE username='%{User-Name}' AND date_format(acctstarttime, '%Y-%m-%d') >= date_format(now(),'%Y-%m-01') AND date_format(acctstoptime, '%Y-%m-%d') <= last_day(now());}" >= "%{sql: SELECT value FROM radgroupreply WHERE groupname='%{Group-Name}' AND attribute='Max-Monthly-Traffic';}") {
        reject
}
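To see what that authorize block actually decides for a user, here is an added example that is not from the original post and not FreeRADIUS code: it redoes the monthly quota decision in plain shell over a constructed, tab-separated dump of the radacct, radusergroup and radgroupreply tables (the layout mysql -B would print). It sums acctinputoctets+acctoutputoctets for the user's sessions that started in the given month, looks up the group's Max-Monthly-Traffic, and compares the two numerically. A user without a Max-Monthly-Traffic attribute is accepted, which is this example's choice, not something the unlang above spells out. The user names, byte counts and dates are constructed. One check worth doing with the unlang version itself: in FreeRADIUS 2.x, %Y, %m and %d inside an xlat string are date expansions, so read the radiusd -X output to confirm which query string actually reaches MySQL.

```shell
#!/bin/sh
# Added example (not from the original post): the monthly-quota decision made
# by the authorize block, redone over a constructed dump of the three tables.
# Columns are tab-separated; printf '%b' turns the \t escapes into real tabs.

# Constructed radacct rows: username, acctstarttime, acctinputoctets, acctoutputoctets
RADACCT=$(printf '%b\n' \
    'xiaoming\t2014-05-03 10:00:00\t1000000000\t2000000000' \
    'xiaoming\t2014-05-20 08:30:00\t1500000000\t1000000000' \
    'xiaoming\t2014-04-28 22:00:00\t4000000000\t4000000000' \
    'lihua\t2014-05-10 12:00:00\t100000000\t200000000')

# Constructed radusergroup rows: username, groupname
RADUSERGROUP=$(printf '%b\n' 'xiaoming\tuser' 'lihua\tuser')

# Constructed radgroupreply rows: groupname, attribute, value (same values as the INSERTs above)
RADGROUPREPLY=$(printf '%b\n' 'user\tMax-Monthly-Traffic\t5368709120' 'user\tAcct-Interim-Interval\t600')

# SUM(acctinputoctets+acctoutputoctets) over sessions of user $1 that started in month $2 (YYYY-MM).
monthly_usage() {
    printf '%s\n' "$RADACCT" | awk -F '\t' -v u="$1" -v m="$2" '
        $1 == u && substr($2, 1, 7) == m { sum += $3 + $4 }
        END { printf "%.0f\n", sum + 0 }'
}

# Max-Monthly-Traffic of the group user $1 belongs to; empty if the user or attribute is missing.
monthly_quota() {
    group=$(printf '%s\n' "$RADUSERGROUP" | awk -F '\t' -v u="$1" '$1 == u { print $2; exit }')
    printf '%s\n' "$RADGROUPREPLY" | awk -F '\t' -v g="$group" \
        '$1 == g && $2 == "Max-Monthly-Traffic" { print $3; exit }'
}

# "reject" when usage >= quota, otherwise "accept". No quota attribute: accept (this example's choice).
quota_decision() {
    used=$(monthly_usage "$1" "$2")
    quota=$(monthly_quota "$1")
    [ -n "$quota" ] || { echo accept; return 0; }
    # Compare in awk: monthly byte counts exceed the 32-bit integer range of some shells.
    if awk -v a="$used" -v b="$quota" 'BEGIN { exit !(a >= b) }'; then
        echo reject
    else
        echo accept
    fi
}

# Stand-alone run over the constructed data for May 2014:
# xiaoming has used 5.5 GB against a 5 GiB quota and is rejected, lihua is accepted.
for user in xiaoming lihua; do
    printf '%s used %s bytes in 2014-05, quota %s: %s\n' "$user" \
        "$(monthly_usage "$user" 2014-05)" "$(monthly_quota "$user")" \
        "$(quota_decision "$user" 2014-05)"
done
```

Against a live server, replace the three constructed variables with the output of mysql -B -e on the radius database and pass $(date +%Y-%m) as the month; the per-user total it prints is the same number the sql xlat feeds into the comparison, which makes it a quick way to explain a surprise reject.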
- Finally, restart the services and enable them at boot:
[root@vpn ~]# service radiusd restart
[root@vpn ~]# service pptpd restart
[root@vpn ~]# chkconfig pptpd on
[root@vpn ~]# chkconfig radiusd on
That concludes this write-up. If you spot any mistakes, please point them out and I will correct them.