freeradius+mysql+pppoe authentication
1. First download the packages to install:
radiusclient-0.3.2.tar.gz
ppp-2.4.3.tar.gz
freeradius-server-2.1.12.tar.gz
Before installing, make sure pppoe-server is already present:
[root@localhost ~]# rpm -q rp-pppoe ppp
rp-pppoe-3.5-32.1
ppp-2.4.4-2.el5
2. Install freeradius-server
[root@localhost ~]# tar xvf freeradius-server-2.1.12.tar.gz
[root@localhost freeradius-server-2.1.12]# ./configure
[root@localhost freeradius-server-2.1.12]# make && make install
The installed files can be seen in the following directories:
[root@localhost freeradius-server-2.1.12]# cd /usr/local/bin/
[root@localhost bin]# ls
radclient radcrypt radlast radtest radzap
radconf2xml radeapclient radsqlrelay radwho smbencrypt
[root@localhost bin]# cd /usr/local/sbin/
[root@localhost sbin]# ls
checkrad radacct radexample radlogin radstatus rc.radiusd
login.radius raddebug radiusd radmin radwatch
[root@localhost sbin]# cd /usr/local/etc/raddb/
[root@localhost raddb]# ls
acct_users clients.conf ldap.attrmap sites-available
attrs dictionary modules sites-enabled
attrs.access_challenge eap.conf policy.conf sql
attrs.access_reject example.pl policy.txt sql.conf
attrs.accounting_response experimental.conf preproxy_users sqlippool.conf
attrs.pre-proxy hints proxy.conf templates.conf
certs huntgroups radiusd.conf users
3. Test radius
[root@localhost raddb]# vi users
Uncomment the line: steve Cleartext-Password := "testing"
[root@localhost raddb]# radiusd -X
... adding new socket proxy address * port 52873
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
This shows the server starts normally.
[root@localhost raddb]# radtest steve testing localhost 0 testing123
Access-Accept in the output means the test succeeded.
4. Install radiusclient
Without it, files that the later steps depend on are missing.
[root@localhost ~]# tar xvf radiusclient-0.3.2.tar.gz
[root@localhost radiusclient-0.3.2]# ./configure
[root@localhost radiusclient-0.3.2]# make && make install
5. Configure pppd to work with radius
[root@localhost ~]# tar xvf ppp-2.4.3.tar.gz
[root@localhost ~]# mkdir /etc/ppp/radius
[root@localhost ~]# cp ppp-2.4.3/pppd/plugins/radius/etc/* /etc/ppp/radius
6. Configure pppoe
Edit /etc/ppp/pppoe-server-options:
# PPP options for the PPPoE server
# LIC: GPL
require-chap
login
lcp-echo-interval 10
lcp-echo-failure 2
ms-dns 202.106.0.20
ms-dns 8.8.8.8
noipdefault
noipx
nodefaultroute
proxyarp
noktune
plugin /usr/lib/pppd/2.4.4/radius.so
radius-config-file /etc/ppp/radius/radiusclient.conf
logfile /var/log/pppd.log    # log dial-up session information
Edit /etc/ppp/chap-secrets:
# Secrets for authentication using CHAP
# client server secret IP addresses
ttt * 123 *
Then start the pppoe service with: # /usr/sbin/pppoe-server -I eth0 -L 192.168.85.132 -R 172.16.10.20 -N 20
A PC can now dial in over PPPoE.
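With require-chap set and radius.so loaded, the password check moves from pppd to FreeRADIUS, but the arithmetic stays CHAP. The following Python is an added example, not code from the post or from pppd/FreeRADIUS: it models the challenge pppd issues, the response the client computes, the CHAP-Password attribute the plugin forwards, and the recomputation the server performs. Because the server can only recompute the hash, it needs the cleartext password, which is why the radcheck row added later in this post has to hold the plaintext password rather than a hash. The user/secret pair ttt/123 is the chap-secrets entry above; the challenge bytes are constructed.

```python
"""Added example (not from the original post): the CHAP computation that pppd's
require-chap triggers and that the radius.so plugin forwards to FreeRADIUS.
User 'ttt' / secret '123' are the page's chap-secrets values; challenges are constructed."""
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || challenge).
    The secret itself never crosses the link; only this hash does."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_password_attribute(ident, secret, challenge):
    """Value of the RADIUS CHAP-Password attribute (type 3): the CHAP Ident octet followed
    by the 16-octet response. The plugin sends it together with CHAP-Challenge (type 60)."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def server_verify(chap_password, challenge, stored_cleartext):
    """What the FreeRADIUS chap module does: it cannot reverse the hash, so it takes the
    cleartext password from radcheck, recomputes the response and compares."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, stored_cleartext, challenge), response)


def demo():
    """Returns (correct secret accepted, wrong secret rejected, replayed response rejected)."""
    ident, secret = 1, b"123"                      # user ttt's secret from chap-secrets
    challenge = os.urandom(16)                     # pppd picks a fresh random challenge per attempt
    attribute = chap_password_attribute(ident, secret, challenge)   # computed on the client
    accepted = server_verify(attribute, challenge, secret)
    wrong_secret = server_verify(attribute, challenge, b"124")
    replayed = server_verify(attribute, os.urandom(16), secret)    # old response, new challenge
    return accepted, wrong_secret, replayed


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The replay case is the reason pppd must generate a new random challenge for every attempt: a captured response is only valid for the challenge it answered.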
7. Authenticating dial-up users against a database: install and configure the database
yum install mysql-server mysql-devel
Create the database:
[root@localhost ~]# mysql -p
mysql> create database radius;
mysql> exit;
[root@localhost ~]# cd /usr/local/etc/raddb/sql/mysql
[root@localhost mysql]# mysql -p radius < ./schema.sql
[root@localhost mysql]# mysql -p radius < ./nas.sql
8. Edit the config file sites-enabled/default: uncomment sql and comment out files
authorize {
    chap
    mschap
    suffix
    eap
    #files
    sql
    pap
}
accounting {
    detail
    unix
    radutmp
    sql
}
session {
    radutmp
    # See "Simultaneous Use Checking Queries" in sql.conf
    sql
}
Edit the MySQL connection settings in /usr/local/etc/raddb/sql.conf (only these entries change):
server = "localhost"
login = "root"
password = "<database login password>"
radius_db = "<database name>"
Edit the radius configuration file /usr/local/etc/raddb/radiusd.conf
and uncomment this line:
$INCLUDE sql.conf
At this point radiusd -X fails with an error, because the MySQL driver has not been built yet.
Now build and install rlm_sql_mysql:
cd /root/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_mysql
./configure --with-mysql-dir=/usr/share/mysql/ --with-mysql-lib-dir=/usr/lib/mysql/
make
make install
9. Add a user to the database and test
insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.254');
insert into radgroupcheck (groupname, attribute, op, value) values ('user', 'Framed-IP-Netmask', ':=', '255.255.255.0');
Then add the user record:
insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');
Then add the user to the group:
insert into usergroup(username,groupname) values('test','user');
mysql> select * from radcheck;
+----+----------+---------------+----+-------+
| id | username | attribute     | op | value |
+----+----------+---------------+----+-------+
|  1 | test     | User-Password | := | test  |
+----+----------+---------------+----+-------+
1 row in set (0.00 sec)
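To make the roles of the four tables concrete, here is an added Python model (not code from the post or from FreeRADIUS) of how the sql module's authorize step uses them: check items from radcheck and radgroupcheck decide whether the password comparison can happen, reply items from radreply and radgroupreply are returned on success, and usergroup links the two. sqlite3 stands in for MySQL with the same column names; the test/test user and the Service-Type and Framed-IP-Address group replies are the rows above, while 'alice' is a constructed user who was inserted into radcheck but never into usergroup. The queries are simplified stand-ins for the authorize_*_query entries in sql/mysql/dialup.conf, not copies of them.

```python
"""Added example (not from the original post or FreeRADIUS): a model of what the sql
module's authorize step does with radcheck, radgroupcheck, radgroupreply and usergroup.
sqlite3 stands in for MySQL; the 'test' rows are the post's, 'alice' is constructed."""
import hmac
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE usergroup     (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
"""

# The post's group replies and its test/test user, plus a constructed user 'alice'
# who was inserted into radcheck but never into usergroup.
ROWS = """
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Service-Type',':=','Framed-User');
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Framed-IP-Address',':=','255.255.255.254');
INSERT INTO radcheck (username,attribute,op,value) VALUES ('test','User-Password',':=','test');
INSERT INTO usergroup (username,groupname) VALUES ('test','user');
INSERT INTO radcheck (username,attribute,op,value) VALUES ('alice','User-Password',':=','s3cret');
"""

# Simplified stand-ins for the authorize_*_query entries in sql/mysql/dialup.conf.
USER_CHECK = "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id"
GROUP_CHECK = """SELECT c.attribute, c.op, c.value FROM radgroupcheck c
                 JOIN usergroup g ON c.groupname = g.groupname
                 WHERE g.username = ? ORDER BY g.priority, c.id"""
USER_REPLY = "SELECT attribute, op, value FROM radreply WHERE username = ? ORDER BY id"
GROUP_REPLY = """SELECT r.attribute, r.op, r.value FROM radgroupreply r
                 JOIN usergroup g ON r.groupname = g.groupname
                 WHERE g.username = ? ORDER BY g.priority, r.id"""
PASSWORD_ATTRS = ("User-Password", "Cleartext-Password")


def open_db():
    """In-memory database loaded with the schema and sample rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + ROWS)
    return conn


def authorize(conn, request):
    """Same order as the module: user check items, group check items, then user and
    group reply items. Returns (accepted, reply). Check items with op '==' must match
    the request; ':=' items are control items, of which only the password is used here."""
    user = request["User-Name"]
    checks = conn.execute(USER_CHECK, (user,)).fetchall()
    checks += conn.execute(GROUP_CHECK, (user,)).fetchall()
    if not checks:
        return False, {}              # no rows at all: the module returns notfound
    stored = None
    for attribute, op, value in checks:
        if attribute in PASSWORD_ATTRS:
            stored = value
        elif op == "==" and request.get(attribute) != value:
            return False, {}
    supplied = request.get("User-Password", "")
    if stored is None or not hmac.compare_digest(stored.encode(), supplied.encode()):
        return False, {}
    reply = {}
    replies = conn.execute(USER_REPLY, (user,)).fetchall() + conn.execute(GROUP_REPLY, (user,)).fetchall()
    for attribute, op, value in replies:
        if op == "=":
            reply.setdefault(attribute, value)    # '=' sets only when absent
        else:
            reply[attribute] = value              # ':=' replaces; '+=' (additive) not modelled
    return True, reply


def demo():
    """Accepted with group replies / wrong password / no usergroup row / unknown user."""
    conn = open_db()
    return (authorize(conn, {"User-Name": "test", "User-Password": "test"}),
            authorize(conn, {"User-Name": "test", "User-Password": "wrong"}),
            authorize(conn, {"User-Name": "alice", "User-Password": "s3cret"}),
            authorize(conn, {"User-Name": "nobody", "User-Password": "x"}))


if __name__ == "__main__":
    for accepted, reply in demo():
        print(accepted, reply)
```

Running demo() shows the four outcomes: 'test' is accepted and receives the group's Service-Type and Framed-IP-Address, a wrong password or an unknown user is rejected, and 'alice' is accepted but receives no reply attributes at all, which is what a forgotten usergroup insert looks like from the NAS side.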
Now test whether it works:
[root@localhost raddb]# radiusd -X
After installation, by default only a client on the local machine may talk to the radius server.
[root@localhost raddb]# vim clients.conf
# only allow clients on the local machine
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
# also allow clients in the 192.168.230.0/24 subnet
client 192.168.230.0/24 {
    secret = testing123
    shortname = lan-w3pc
}
Open another terminal and test from the local machine:
[root@localhost ~]# radtest test test 127.0.0.1 0 testing123
Access-Accept in the output means it works.
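Both radtest runs on this page succeed only if the secret in clients.conf matches the one the client supplies, and the subnet entry plus that secret are all that authenticates a NAS in plain RADIUS. The following Python, an added example and not code from the post or from FreeRADIUS, implements the relevant parts of RFC 2865 so the check can be seen on the wire: the User-Password hiding that mixes the secret with the Request Authenticator, the PAP comparison the server makes, and the Response Authenticator radtest verifies before it prints Access-Accept. The secret testing123 and the user test/test are the page's values; packet contents and authenticators are constructed.

```python
"""Added example (not from the original post or FreeRADIUS): the RFC 2865 mechanics
behind 'radtest test test 127.0.0.1 0 testing123'. SECRET and STORED_PASSWORD are the
page's clients.conf secret and radcheck row; everything else is constructed."""
import hashlib
import hmac
import os
import struct

SECRET = b"testing123"        # clients.conf: secret = testing123
STORED_PASSWORD = b"test"     # radcheck: test  User-Password := test

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous block); the Request Authenticator seeds the chain."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse. A client using a different secret produces garbage here,
    which is why a secret mismatch shows up as Access-Reject rather than as an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")    # strips the padding (passwords ending in NUL not supported)

def attribute(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(pkt):
    """{type: value} for the attribute list that follows the 20-octet header."""
    length = struct.unpack("!H", pkt[2:4])[0]
    attrs, pos = {}, 20
    while pos + 2 <= length:
        kind, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            break                 # malformed attribute; stop rather than loop forever
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs

def build_access_request(ident, username, password, secret, authenticator=None):
    """What radtest sends. The Request Authenticator must be fresh and random: it is the
    IV of the password hiding and the value the reply is bound to."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", 0)))
    return packet(CODE_ACCESS_REQUEST, ident, authenticator, attrs)

def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def server_reply(request, secret, stored_password):
    """PAP as the server does it: unhide User-Password, compare with the radcheck value."""
    ident, request_authenticator = request[1], request[4:20]
    hidden = parse_attributes(request).get(ATTR_USER_PASSWORD)
    ok = hidden is not None and hmac.compare_digest(
        reveal_password(hidden, secret, request_authenticator), stored_password)
    code = CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", request_authenticator, secret), b"")

def client_verifies(request, response, secret):
    """radtest's side: a reply whose Response Authenticator does not match is dropped, so
    'Access-Accept' on the console means the secret matched in both directions."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = response_authenticator(response[0], response[1], response[20:length],
                                      request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])

def demo():
    """(reply code, client accepts reply, client accepts the same reply with a wrong secret)."""
    req = build_access_request(7, b"test", b"test", SECRET)
    rep = server_reply(req, SECRET, STORED_PASSWORD)
    return rep[0], client_verifies(req, rep, SECRET), client_verifies(req, rep, b"wrong")

if __name__ == "__main__":
    print(demo())    # (2, True, False)
```

Two practical consequences follow from the code: an Access-Request carries nothing the server can use to authenticate the NAS beyond the source address matching a clients.conf entry and the secret decrypting the password to something that matches, so the client definitions should be kept as narrow as possible; and testing123 is the shipped default secret, so it should be replaced with a long random value once the setup is confirmed working.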
10. PPPoE with radius authentication
Make the pppoe service authenticate against the freeradius server.
First edit /etc/ppp/pppoe-server-options and add the settings below:
# PPP options for the PPPoE server
# LIC: GPL
require-chap
login
lcp-echo-interval 10
lcp-echo-failure 2
ms-dns 202.106.0.20
ms-dns 8.8.8.8
noipdefault
noipx
nodefaultroute
proxyarp
noktune
plugin /usr/lib/pppd/2.4.4/radius.so
radius-config-file /etc/ppp/radius/radiusclient.conf
logfile /var/log/pppd.log
The most important part is /etc/ppp/radius/radiusclient.conf:
# General settings
auth_order radius
login_tries 4
login_timeout 60
nologin /sbin/nologin
issue /etc/ppp/radius/issue
authserver <server IP>:1812
acctserver <server IP>:1813
servers /etc/ppp/radius/servers
dictionary /etc/ppp/radius/dictionary
login_radius /usr/local/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/ppp/radius/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login
Mostly this means adjusting the file paths to match your own layout.
Edit servers to set the radius server's location:
[root@localhost radius]# cat servers
#Server Name or Client/Server pair Key
<server IP> testing123
Edit dictionary and fix a few paths, mainly the last one, the path to dictionary.microsoft:
vi /etc/ppp/radius/dictionary
INCLUDE /etc/ppp/radius/dictionary.microsoft
11. Dial-up authentication
Open the broadband connection on the PC.
After it connects, the assigned IP address is shown.
This concludes the setup.
This article is from the "Linux_woniu" blog; please keep this source: http://llu1314.blog.51cto.com/5925801/1965321