pptpd + radius + mysql installation guide for Linux
The kernel should ideally be upgraded to 2.6.
If you are a CentOS user, you can upgrade to the latest CentOS 4.2 with yum update.
The kernel upgrade is needed so that a kernel module adding MPPE support can be installed later; PPTP dial-up only works with that module.
1. Required software
pppd: the PPP dial-up server.
pptpd: adds PPTP support on top of pppd dial-up.
freeradius: handles authentication of dial-up users.
mysql: adds database support to freeradius.
2. Check whether your kernel supports MPPE
modprobe ppp-compress-18 && echo ok
If it prints ok, congratulations: your kernel already has MPPE support. Skip ahead to part 4.
3. Upgrading the kernel for MPPE support
http://sourceforge.net/project/showfiles.php?group_id=44827
Go to the URL above and download these two RPM packages:
dkms-2.0.6-1.noarch.rpm
kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
dkms is a newer tool that lets you add kernel modules without recompiling the kernel.
kernel_ppp_mppe is the kernel module that provides MPPE support.
Once both are installed, reboot your system.
4. Installing pppd
http://www.samba.org/ppp
Download the latest ppp package from the URL above; when I tested, it was ppp-2.4.4b1.
Install the usual way: configure, make, make install.
Because the new version does not copy the example configuration files, run make install-etcppp to install them.
5. Installing pptpd
http://poptop.sourceforge.net/
Download the latest pptpd package from the URL above; when I tested, it was pptpd-1.2.3.
Again the usual way: configure, make, make install.
6. Configuring pppd and pptpd
pppd's default configuration files live in /etc/ppp.
pptpd's configuration file is /etc/pptpd.conf.
The relationship between pptpd and pppd is like pptpd being a plug-in layered on pppd.
6.1
Only a few settings in /etc/pptpd.conf need changing.
First make sure of the following:
ppp /usr/local/sbin/pppd
This tells pptpd where pppd is located.
option /etc/ppp/options.pptpd
This names the pppd configuration file that pptpd uses.
localip 192.168.8.22 remoteip 10.10.110.1-100
localip is the IP on which pptpd serves clients, i.e. the IP the client dials.
remoteip is the IP the dial-up server assigns to dial-up users; a dash denotes an IP range.
6.2
Configure /etc/ppp/options.pptpd
For testing, enable debug and dump:
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump
By default the messages are written to /var/log/messages.
6.3
Edit /etc/ppp/chap-secrets
Add a test user:
# Secrets for authentication using CHAP
# client server secret IP addresses
"iamok" pptpd "iamok" *
The first iamok is the username, the second iamok is the password, and * means any IP.
pptpd must match the pptpd in the name line of /etc/ppp/options.pptpd; normally it needs no change. At this stage we are only
testing whether pptpd works at all.
7. Testing pptpd
With a default install you can just run pptpd from any directory.
If it succeeds, you will see the following in
/var/log/messages:
Feb 10 09:51:46 kdfng pptpd[926]: MGR: Manager process started
Feb 10 09:51:46 kdfng pptpd[926]: MGR: Maximum of 100 connections available
Then create a VPN connection of type PPTP on any Win2k system, using the username set above, and you will be able to dial in,
and the IP you receive is the one configured above.
Now check the log file again:
Feb 10 09:54:53 kdfng pptpd[937]: MGR: Manager process started
Feb 10 09:54:53 kdfng pptpd[937]: MGR: Maximum of 100 connections available
Feb 10 09:55:06 kdfng pptpd[939]: CTRL: Client 192.168.8.53 control connection started
Feb 10 09:55:06 kdfng pptpd[939]: CTRL: Starting call (launching pppd, opening GRE)
Feb 10 09:55:06 kdfng pppd[940]: pppd options in effect:
Feb 10 09:55:06 kdfng pppd[940]: debug # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: nologfd # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: dump # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: require-mschap-v2 # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-pap # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-chap # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-mschap # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: name pptpd # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: 115200 # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: lock # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: local # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: ipparam 192.168.8.53 # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: 192.168.8.22:10.10.110.1 # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: nobsdcomp # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: require-mppe-128 # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: pppd 2.4.4b1 started by root, uid 0
Feb 10 09:55:06 kdfng pppd[940]: Using interface ppp0
Feb 10 09:55:06 kdfng pppd[940]: Connect: ppp0 <--> /dev/pts/1
Feb 10 09:55:06 kdfng pptpd[939]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Feb 10 09:55:06 kdfng pppd[940]: MPPE 128-bit stateless compression enabled
Feb 10 09:55:08 kdfng pppd[940]: local IP address 192.168.8.22
Feb 10 09:55:08 kdfng pppd[940]: remote IP address 10.10.110.1
Feb 10 09:55:17 kdfng pppd[940]: LCP terminated by peer (^Z^HEO^@<M-Mt^@^@^@^@)
Feb 10 09:55:17 kdfng pppd[940]: Connect time 0.2 minutes.
Feb 10 09:55:17 kdfng pppd[940]: Sent 0 bytes, received 3492 bytes.
Feb 10 09:55:17 kdfng pppd[940]: Modem hangup
Feb 10 09:55:17 kdfng pppd[940]: Connection terminated.
Feb 10 09:55:17 kdfng pppd[940]: Exit.
Feb 10 09:55:17 kdfng pptpd[939]: CTRL: Client 192.168.8.53 control connection finished
That completes the pptpd configuration.
pptpd + radius + mysql installation guide (part 2: radius)
Author: i_amok
Source: CCF
1. Required software
freeradius
Some configuration files for the radius plug-in module, taken from the pppd source directory used earlier.
2. Preparation before installing freeradius
Install mysql-devel.i386:
yum install mysql-devel.i386
3. Installing freeradius
http://www.freeradius.org
Download the source; when I tested, it was freeradius-1.1.0.
Install with an explicit installation prefix:
Code:
./configure --prefix=/usr/local/freeradius-1.1.0
make
make install
4. Configuring pppd for radius
4.1 Copy the files
Copy the following directory from the pppd source tree to /etc/radiusclient/:
Code:
cp -R ppp-2.4.4b1/pppd/plugins/radius/etc /etc/radiusclient/
4.2 Modify options.pptpd
Add the following line to
/etc/ppp/options.pptpd:
Code:
plugin /usr/local/lib/pppd/2.4.4b1/radius.so
4.3 Configure servers and radiusclient.conf in /etc/radiusclient
In servers you need to add the address and shared secret of the radiusd:
Code:
[root@kdfng radiusclient]# cat servers
#Server Name or Client/Server pair Key
#---------------- ---------------
#portmaster.elemental.net hardlyasecret
#portmaster2.elemental.net donttellanyone
localhost netdragon
Here localhost means your radiusd runs on the same machine, and the shared secret used to reach it is netdragon.
In radiusclient.conf:
Code:
# service. if this fails also a compiled in default is used.
authserver localhost:1812
# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.
#
acctserver localhost:1813
Confirm that these also point at the local machine; that is the default, so normally no change is needed.
Also make sure that every radiusclient-related path in this file starts with /etc/radiusclient.
5. Configuring freeradius
cd /usr/local/freeradius-1.1.0/etc/raddb
The raddb directory holds all of the freeradius configuration files.
5.1 Modify clients.conf
To explain: every NAS is a client of radiusd, and here the NAS is pptpd, so this file configures pptpd's permission to talk to radiusd.
Code:
client 127.0.0.1 {
secret = netdragon
shortname = iamok
nastype = other
}
Change the 127.0.0.1 entry to look like the above. secret is the one we just set in servers under /etc/radiusclient; the two must match.
5.2 Add a user at the very top of the users file
Code:
ww Auth-Type:= MS-CHAP, User-Password=="ww", Simultaneous-Use:=1
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	Framed-IP-Netmask = 255.255.255.0
To explain: ww is the username;
Auth-Type is the authentication type;
the second ww is the password;
Simultaneous-Use is the number of concurrent logins allowed for this username.
All of these are check attributes and must be written on the first line.
From the second line onward, each line starts with a tab; these are the reply attributes the server returns to the radius client (i.e. to pptpd).
Setting the IP address to 255.255.255.254 means IP assignment is left to the radius client, i.e. to pptpd.
The last one is the netmask.
5.3 Run radiusd in debug mode
Code:
../../sbin/radiusd -x
You will see:
Code:
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
6. Testing
Create a new VPN connection
with username ww and password ww,
then dial in.
If it succeeds, you will see:
Code:
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=214, length=144
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "ww"
MS-CHAP-Challenge = 0x729e2492953298b498a766e778defe74
MS-CHAP2-Response =
0xfc00475dd294431a52ee1187d13127c3bf49000000000000000043aad8bb5cd6f5ece16ddae9d20c63d857836053b2197144
Calling-Station-Id = "192.168.8.53"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Sending Access-Accept of id 214 to 127.0.0.1 port 32768
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.0
MS-CHAP2-Success = 0xfc533d31303637323037453037384244433138333441303536434337433044373046363942414446343039
MS-MPPE-Recv-Key = 0x0211fcb6f599479e8ee0a7d8a16a3252
MS-MPPE-Send-Key = 0x91242cedc84a2dc69355c56951119065
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
rad_recv: Accounting-Request packet from host 127.0.0.1:32768, id=215, length=108
Acct-Session-Id = "43EBFF39048300"
User-Name = "ww"
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "192.168.8.53"
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 10.10.110.1
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Delay-Time = 0
Sending Accounting-Response of id 215 to 127.0.0.1 port 32768
That completes the pptp + radius part; the next part adds mysql support to radiusd.
Exit radiusd with Ctrl+C.
pptpd + radius + mysql installation guide (part 3: mysql)
Source: CCF
1. Required software: nothing extra.
You only need to create the mysql database for it; the schema is in
src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql under the freeradius source directory.
Just create a database; on my own machine I created one named radius
and imported that schema into it.
2. Configure sql.conf
Go back to the freeradius configuration directory:
Code:
cd /usr/local/freeradius-1.1.0/etc/raddb
vi sql.conf
Change the connection information:
Code:
# Connect info
server = "192.168.8.53"
login = "radius"
password = "radius"
# Database table configuration
radius_db = "radius"
Remove the # in front of the simul... line below
to enable the query that checks how many simultaneous connections a user has:
Code:
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
3. Configure radiusd.conf
In the authorize { } section, comment out files
and uncomment sql.
In the preacct { } section, comment out files.
In the accounting { } section, comment out radutmp
and remove the # in front of sql.
In the session { } section, comment out radutmp
and remove the # in front of sql.
In the post-auth { } section, remove the # in front of sql.
In short: disable the files module and enable the sql module.
4. Add a user in the database
In usergroup, add a user test with group name vpn.
In radgroupcheck, add a record for group vpn
with attribute Simultaneous-Use,
op :=
and value 1.
In radcheck, add a record
with username test,
attribute User-Password,
op ==
and value test.
This adds a user test in group vpn with password test,
and every user in the group can only be logged in once at a time.
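As an added example (not part of the original post), here are the three records from section 4 written as SQL against the radius database built from db_mysql.sql, followed by the query that the simul_count_query from section 2 expands to. Table and column names (UserName, GroupName, Attribute, op, Value, radacct and its AcctStopTime) are assumed to follow the 1.x schema; MySQL matches column names case-insensitively.

```sql
-- Added example, not from the original post: the records described in
-- section 4, as plain SQL against the "radius" database built from
-- db_mysql.sql. Column names are assumed to follow the 1.x schema
-- (UserName, GroupName, Attribute, op, Value).
USE radius;

-- usergroup: user "test" is a member of group "vpn"
INSERT INTO usergroup (UserName, GroupName) VALUES ('test', 'vpn');

-- radgroupcheck: a check item on the group, one session per user at a time
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
  VALUES ('vpn', 'Simultaneous-Use', ':=', '1');

-- radcheck: a check item on the user, the password. It is stored in clear
-- text because MS-CHAPv2 needs the plaintext (or NT hash) to verify the
-- response, so keep read access to this table limited to the radius login.
INSERT INTO radcheck (UserName, Attribute, op, Value)
  VALUES ('test', 'User-Password', '==', 'test');

-- Verify what rlm_sql will see for "test": user checks plus group checks.
SELECT c.UserName, c.Attribute, c.op, c.Value
  FROM radcheck c WHERE c.UserName = 'test'
UNION ALL
SELECT ug.UserName, gc.Attribute, gc.op, gc.Value
  FROM usergroup ug JOIN radgroupcheck gc ON gc.GroupName = ug.GroupName
 WHERE ug.UserName = 'test';

-- What simul_count_query (section 2) expands to with acct_table1 = radacct:
-- sessions that started but never stopped. Once this count reaches
-- Simultaneous-Use, the next login gets the Access-Reject shown in section 5.
SELECT COUNT(*) FROM radacct
 WHERE UserName = 'test' AND AcctStopTime = 0;

-- A session that never received an Accounting-Stop (NAS crash, lost UDP
-- packet) keeps counting and locks the user out; list such rows first
-- before closing them by hand.
SELECT RadAcctId, AcctSessionId, AcctStartTime, FramedIPAddress
  FROM radacct
 WHERE UserName = 'test' AND AcctStopTime = 0;
```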
5. Testing
Start radiusd in debug mode
and you will see:
Code:
[root@kdfng raddb]# ../../sbin/radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@192.168.8.53:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded detail
Module: Instantiated detail (detail)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
Log in as user test
and you will see:
Code:
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=222, length=146
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "test"
MS-CHAP-Challenge = 0xb6a9e94b94c3c386875043efd5144e17
MS-CHAP2-Response =
0x38006d78036bb5e40ddeca0ce96b944619e000000000000000007b887b8762be38eb111a94a4b581925b85e07453a38a070f
Calling-Station-Id = "192.168.8.53"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
Sending Access-Accept of id 222 to 127.0.0.1 port 32768
MS-CHAP2-Success = 0x38533d33453434464142394232444230413143464539453832444536453534373331383833454238414536
MS-MPPE-Recv-Key = 0x53a3812a0fd5b6f7b1cf4f6f6796f26b
MS-MPPE-Send-Key = 0xb8be60559cbc46fd4da277516d6584f3
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
rad_recv: Accounting-Request packet from host 127.0.0.1:32768, id=223, length=110
Acct-Session-Id = "43EC0822056A00"
User-Name = "test"
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "192.168.8.53"
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 10.10.110.1
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Delay-Time = 0
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
Sending Accounting-Response of id 223 to 127.0.0.1 port 32768
If you change Simultaneous-Use to 0,
you will see:
Code:
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=225, length=146
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "test"
MS-CHAP-Challenge = 0x2295d4d65913cbc0a7836e986fe4a998
MS-CHAP2-Response =
0x34001739a3331c1a1a938eed99cda89b691f0000000000000000a8a9e9ae2eadaa6b1acb93e368113dc4ed47dac0a20b1ed8
Calling-Station-Id = "192.168.8.53"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=225, length=146
Sending Access-Reject of id 225 to 127.0.0.1 port 32768
Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
It reports that the user is already logged in, so the option is in effect.
Also, I'm looking for someone who reads Russian to help me look at this:
FreeNIBS
FreeNIBS is a loadable plugin for the FreeRADIUS radius server. FreeNIBS provides authorization, authentication, and
accounting for dial-in (PPP/PPPOE/PPTP) users. It can be used for real-time prepaid and postpaid billing. FreeNIBS can bill
users based on service accuration, time, traffic, and both time and traffic. FreeNIBS has very flexible settings for groups,
users, and prices. All data is stored in SQL databases such as MySQL, PgSQL, and Oracle.
It only has a Russian manual, which I just cannot read; even the configuration files are in Russian......
Adding it would make time and traffic limits possible.
posted on 2013-09-28 16:16 by cn三少