Note: before this, I had already installed and configured pptp, and it was working normally.
1. Install the basic packages:
freeradius:
# yum install freeradius2 :High-performance and highly configurable free RADIUS server
# yum install freeradius2-mysql :MySQL support for freeradius
# yum install freeradius2-utils :FreeRADIUS utilities
MySQL:
# yum install mysql mysql-server mysql-devel
2. Basic configuration and testing:
MySQL:
Set it to start at boot:
# chkconfig --level 345 mysqld on
Start the service:
# service mysqld start
Set the root password:
# mysql -u root -p
Remove the anonymous user:
# mysql -u root -p
mysql> use mysql
mysql> delete from user where User='';
mysql> quit
# mysqladmin -u root -p reload
freeradius:
Set it to start at boot:
# chkconfig --level 345 radiusd on
Open /etc/raddb/users, find the line steve Cleartext-Password := "testing" and uncomment it;
Start freeradius in debugging mode:
# radiusd -X
In another terminal, run:
radtest steve testing localhost 1812 testing123
If Access-Accept appears, it worked; then restore /etc/raddb/users to its original state.
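To show what that radtest check exercises on the wire, here is an added example (written for this edit, not code from the original post or from FreeRADIUS): it builds the Access-Request that radtest steve testing localhost 1812 testing123 sends, hiding User-Password with MD5 and the Request Authenticator as RFC 2865 specifies, and verifies the Response Authenticator on the Access-Accept the way a client must. It uses only the Python standard library; the authenticator and the reply are constructed locally, nothing is sent, and 127.0.0.1 is the assumed NAS-IP-Address.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator          # chain starts at the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # The server's side of the same transform; the key chain uses the ciphertext blocks.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key, prev = hashlib.md5(secret + prev).digest(), hidden[i:i + 16]  # key uses old prev
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")

def attribute(kind, value):  # Type-Length-Value; Length counts the 2 header bytes
    return struct.pack("!BB", kind, len(value) + 2) + value

def packet(code, identifier, authenticator, attrs):
    # Code(1) Identifier(1) Length(2) Authenticator(16), then the attributes.
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs

def access_request(user, password, secret, nas_port, authenticator, identifier=0):
    # What radtest sends; `authenticator` must be 16 fresh random bytes per request.
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))   # assumed NAS address
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return packet(ACCESS_REQUEST, identifier, authenticator, attrs)

def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def reply_is_authentic(reply, request_authenticator, secret):
    # A client must drop any reply whose Response Authenticator does not verify.
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, reply[20:length], request_authenticator, secret)
    return hmac.compare_digest(reply[4:20], expected)
```

In radtest's argument order the 1812 is the NAS-Port attribute value, not the UDP port. Everything that protects the PAP password and the reply rests on the shared secret, so the testing123 default used here (and later in /etc/radiusclient/servers) should be replaced with a long random value before the server is reachable by anything but localhost.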
3. Configure the freeradius MySQL module:
Enable the MySQL module:
Open /etc/raddb/radiusd.conf, find "sql.conf" and uncomment that line.
Create the radius database and tables:
Create the radius database:
mysqladmin -u root -p create radius;
Go to the directory /etc/raddb/sql/mysql and look at the admin.sql file:
CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');
GRANT SELECT ON radius.* TO 'radius'@'localhost';
GRANT ALL on radius.radacct TO 'radius'@'localhost';
GRANT ALL on radius.radpostauth TO 'radius'@'localhost';
As you can see, this file creates a MySQL account named radius; change the password in it yourself.
Run the following commands:
# mysql -uroot -p < admin.sql
# mysql -uroot -p radius < ippool.sql
# mysql -uroot -p radius < schema.sql
# mysql -uroot -p radius < wimax.sql
# mysql -uroot -p radius < cui.sql
# mysql -uroot -p radius < nas.sql
Open /etc/raddb/sql.conf, find password and change it to the password you set earlier. Then find readclients and uncomment that line.
Open /etc/raddb/sites-enabled/default and make the following changes:
authorize section: comment out files, remove the # in front of sql;
accounting section: comment out radutmp, remove the # in front of sql;
session section: comment out radutmp, remove the # in front of sql;
post-auth section: remove the # in front of sql (two places).
Open /etc/raddb/sites-enabled/inner-tunnel and make the following changes:
authorize section: comment out files, remove the # in front of sql;
session section: comment out radutmp, remove the # in front of sql;
post-auth section: remove the # in front of sql (two places).
Open /etc/raddb/eap.conf, find default_eap_type = md5 and change it to default_eap_type = peap
4. Configure freeradius-client:
Download the ppp-2.4.4 source:
# wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.4.tar.gz
Extract it and enter the directory:
# cd ppp-2.4.4/ppp-2.4.4/pppd/plugins/radius/etc
Copy everything in that directory to /etc/radiusclient/:
# cp * /etc/radiusclient/
Open /etc/radiusclient/radiusclient.conf and edit it as follows:
vi /etc/radiusclient/radiusclient.conf
auth_order radius
login_tries 4
login_timeout 60
# logins on /dev/ttyS2) (default /etc/nologin)
nologin /sbin/nologin
issue /etc/radiusclient/issue
authserver localhost:1812
acctserver localhost:1813
servers /etc/radiusclient/servers
dictionary /etc/radiusclient/dictionary
login_radius /usr/local/sbin/login.radius
seqfile /var/run/radius.seq
# file which specifies mapping between ttyname and NAS-Port attribute
mapfile /etc/radiusclient/port-id-map
default_realm
# time to wait for a reply from the RADIUS server
radius_timeout 10
# resend request this many times before trying the next server
radius_retries 3
login_local /bin/login
Open /etc/ppp/options.pptpd and add at the end:
# put plugins here
# (putting them higher up may cause them to sent messages to the pty)
logfile /var/log/pptpd.log
# for 64-bit systems
plugin /usr/lib64/pppd/2.4.4/radius.so
# for 32-bit systems
#plugin /usr/lib/pppd/2.4.4/radius.so
#plugin /usr/lib64/pppd/2.4.4/radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf
Note the paths in several of these settings; check or adjust them yourself.
Open /etc/radiusclient/servers and add:
localhost testing123
Add the dictionary:
wget -c http://small-script.googlecode.com/files/dictionary.microsoft
mv ./dictionary.microsoft /etc/radiusclient/
Open /etc/radiusclient/dictionary and add the following:
INCLUDE /etc/radiusclient/dictionary.ascend
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.compat
INCLUDE /etc/radiusclient/dictionary.microsoft
Open /etc/ppp/options.pptpd and add the following at the end:
logfile /var/log/pptpd.log
plugin /usr/lib/pppd/2.4.4/radius.so
#plugin /usr/lib64/pppd/2.4.4/radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf
5. Add users:
Log in to MySQL:
# mysql -u root -p
Switch to the radius database:
mysql> USE radius
Add user demo with password demo; note that this goes in the radcheck table:
mysql> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('demo','Cleartext-Password',':=','demo');
Put user demo in the VIP1 user group:
mysql> INSERT INTO radusergroup (username,groupname) VALUES ('demo','VIP1');
Limit the number of simultaneous logins for a group (the row below applies to the group named normal); note that this goes in the radgroupcheck table:
mysql> INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES ('normal','Simultaneous-Use',':=','1');
Other settings:
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Auth-Type',':=','Local');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Service-Type',':=','Framed-User');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Framed-Protocol',':=','PPP');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Framed-MTU',':=','1500');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Framed-Compression',':=','Van-Jacobson-TCP-IP');
INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES ('VIP1','Acct-Interim-Interval',':=','60');
At this point, basic VPN user authentication is complete.