Linux pptpd + radius + mysql installation guide

Date: 2022-08-06 11:56:50

Original article: Linux pptpd+radius+mysql installation guide, author: wfeng

1. Software you need
The kernel should be upgraded to 2.6 if at all possible.
If you are a CentOS user, yum update will take you to the latest CentOS 4.2.
The kernel is upgraded so that a kernel module adding MPPE support can be installed later; PPTP dial-in only works with MPPE.

pppd          the PPP dial-in server
pptpd         adds PPTP support on top of pppd
freeradius    authenticates the dial-in users
mysql         database backend for freeradius

2. Check whether your kernel supports MPPE
modprobe ppp-compress-18 && echo ok

If this prints ok, congratulations: your kernel already has MPPE support. Skip ahead to part 4.

3. Upgrade the kernel for MPPE support

http://sourceforge.net/project/showfiles.php?group_id=44827

Go to the URL above and download two RPM packages:

dkms-2.0.6-1.noarch.rpm
kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm

dkms is a newer tool that lets you add out-of-tree kernel modules without recompiling the kernel.
kernel_ppp_mppe is the kernel module that provides MPPE support.

Once both are installed, reboot the system.

4. Install pppd

http://www.samba.org/ppp

Download the latest ppp package from the URL above; when I tested, it was ppp-2.4.4b1.
Build it the usual way: configure, make, make install.
Newer versions no longer copy the sample configuration files, so run make install-etcppp to install them.

5. Install pptpd

http://poptop.sourceforge.net/

Download the latest pptpd package from the URL above; when I tested, it was pptpd-1.2.3.

Build it the same way: configure, make, make install.

6. Configure pppd and pptpd

pppd's default configuration files live in /etc/ppp.

pptpd's configuration file is /etc/pptpd.conf.

The relationship between the two: pptpd is essentially a plugin that sits on top of pppd.

6.1
Only a few settings in /etc/pptpd.conf need attention.

First make sure of this line:

ppp   /usr/local/sbin/pppd

It tells pptpd where pppd is.

option /etc/ppp/options.pptpd

This names the pppd options file that pptpd uses.

localip 192.168.8.22 remoteip 10.10.110.1-100

localip is the IP on which pptpd serves, i.e. the IP the clients dial into.
remoteip is the pool of IPs the server hands out to dial-in users; a - denotes a range.

6.2
Configure /etc/ppp/options.pptpd

For testing, turn on debug and dump:

# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump

By default the messages go to /var/log/messages.
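As an added check (example code written for this page, not part of pppd or pptpd), the following Python script parses an options.pptpd file and reports which of the authentication and MPPE options that pppd later reports "in effect" in part 7 (refuse-pap, refuse-chap, refuse-mschap, require-mschap-v2, require-mppe-128) are missing, and whether the test-only debug/dump logging is still on. The option names are standard pppd options; the sample file contents and the choice of which options to require are this example's own.

```python
"""Audit an /etc/ppp/options.pptpd file for the authentication and MPPE
settings a PPTP server should carry (added example, not pppd or pptpd code)."""

# Standard pppd option names; the one-line reasons are this example's own summaries.
REQUIRED = {
    "refuse-pap": "PAP would send the password in the clear",
    "refuse-chap": "CHAP (MD5) cannot derive MPPE session keys",
    "refuse-mschap": "MS-CHAP v1 is the weaker variant; the guide refuses it",
    "require-mschap-v2": "MPPE keys are derived from the MS-CHAPv2 exchange",
    "require-mppe-128": "otherwise 40/56-bit or no MPPE could be negotiated",
}

# Options the guide enables only for testing.
TEST_ONLY = ("debug", "dump")


def parse_options(text):
    """pppd options file: one option per line, optional argument, '#' starts a comment."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        options[fields[0]] = fields[1].strip() if len(fields) > 1 else ""
    return options


def audit_options(text):
    """Return (missing, notes): required options that are absent, plus advisory notes."""
    opts = parse_options(text)
    missing = [name for name in REQUIRED if name not in opts]
    notes = []
    if "name" not in opts:
        notes.append("no 'name' option: the server column in chap-secrets must match it")
    enabled = [o for o in TEST_ONLY if o in opts]
    if enabled:
        notes.append("test-only logging still on: " + ", ".join(enabled))
    return missing, notes


# Constructed sample mirroring the options the guide's log shows in effect.
SAMPLE_OPTIONS_PPTPD = """\
# options for pptpd (constructed sample)
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nobsdcomp
lock
debug
dump
"""


if __name__ == "__main__":
    missing, notes = audit_options(SAMPLE_OPTIONS_PPTPD)
    for name in missing:
        print("missing:", name, "-", REQUIRED[name])
    for note in notes:
        print("note:", note)
```

Run it against the real file with audit_options(open("/etc/ppp/options.pptpd").read()); the sample above yields no missing options and a single note that debug and dump are still enabled.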

6.3
Edit /etc/ppp/chap-secrets

Add a test user:
# Secrets for authentication using CHAP
# client         server   secret                   IP addresses
"iamok" pptpd    "iamok" *

The first iamok is the user name, the second iamok is the password, and * means any IP.
pptpd must match the name option in /etc/ppp/options.pptpd; normally there is no need to change it, since we are only
testing whether pptpd works.

7. Test your pptpd

With a default install you can simply run pptpd from any directory.

If it started, you will see the following in
/var/log/messages:

Feb 10 09:51:46 kdfng pptpd[926]: MGR: Manager process started
Feb 10 09:51:46 kdfng pptpd[926]: MGR: Maximum of 100 connections available

Now create a VPN connection of type PPTP on any Windows 2000 machine, using the user name configured above, and you can dial in;
the address you get is the one configured above.

Check the log file again:

Feb 10 09:54:53 kdfng pptpd[937]: MGR: Manager process started
Feb 10 09:54:53 kdfng pptpd[937]: MGR: Maximum of 100 connections available
Feb 10 09:55:06 kdfng pptpd[939]: CTRL: Client 192.168.8.53 control connection started
Feb 10 09:55:06 kdfng pptpd[939]: CTRL: Starting call (launching pppd, opening GRE)
Feb 10 09:55:06 kdfng pppd[940]: pppd options in effect:
Feb 10 09:55:06 kdfng pppd[940]: debug           # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: nologfd         # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: dump            # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: require-mschap-v2               # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-pap              # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-chap             # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-mschap           # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: name pptpd              # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: 115200          # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: lock            # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: local           # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: ipparam 192.168.8.53            # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: 192.168.8.22:10.10.110.1                # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: nobsdcomp               # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: require-mppe-128                # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: pppd 2.4.4b1 started by root, uid 0
Feb 10 09:55:06 kdfng pppd[940]: Using interface ppp0
Feb 10 09:55:06 kdfng pppd[940]: Connect: ppp0 <--> /dev/pts/1
Feb 10 09:55:06 kdfng pptpd[939]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Feb 10 09:55:06 kdfng pppd[940]: MPPE 128-bit stateless compression enabled
Feb 10 09:55:08 kdfng pppd[940]: local   IP address 192.168.8.22
Feb 10 09:55:08 kdfng pppd[940]: remote IP address 10.10.110.1
Feb 10 09:55:17 kdfng pppd[940]: LCP terminated by peer (^Z^HEO^@<M-Mt^@^@^@^@)
Feb 10 09:55:17 kdfng pppd[940]: Connect time 0.2 minutes.
Feb 10 09:55:17 kdfng pppd[940]: Sent 0 bytes, received 3492 bytes.
Feb 10 09:55:17 kdfng pppd[940]: Modem hangup
Feb 10 09:55:17 kdfng pppd[940]: Connection terminated.
Feb 10 09:55:17 kdfng pppd[940]: Exit.
Feb 10 09:55:17 kdfng pptpd[939]: CTRL: Client 192.168.8.53 control connection finished

With that, your pptpd is configured.

pptpd+radius+mysql installation guide (part 2: the radius part)

Author: i_amok
Source: CCF

1. Software needed

freeradius

Some configuration files for the radius plugin from the pppd source directory used earlier.

2. Preparation before installing freeradius

Install mysql-devel.i386:

yum install mysql-devel.i386

3. Install freeradius

http://www.freeradius.org

Download the source; I tested with freeradius-1.1.0.

Install it with an explicit installation prefix:

Code:
./configure --prefix=/usr/local/freeradius-1.1.0
make
make install

4. Configure pppd for radius

4.1 Copy files

Copy the following directory from the pppd source tree to /etc/radiusclient/:

Code:
cp -R ppp-2.4.4b1/pppd/plugins/radius/etc   /etc/radiusclient/

4.2 Change options.pptpd

Add the following line to /etc/ppp/options.pptpd:

Code:

plugin /usr/local/lib/pppd/2.4.4b1/radius.so

4.3 Configure servers and radiusclient.conf in /etc/radiusclient

In servers you need to add the address of the radiusd and its secret:

Code:
[root@kdfng radiusclient]# cat servers
#Server Name or Client/Server pair       Key
#----------------                   ---------------
#portmaster.elemental.net             hardlyasecret
#portmaster2.elemental.net             donttellanyone
localhost     netdragon

Here localhost means the radiusd runs on this machine, and the secret used to reach it is netdragon.

In radiusclient.conf:

Code:
# service. if this fails also a compiled in default is used.
authserver localhost:1812

# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.
#
acctserver localhost:1813

Confirm that both point at the local machine; that is the default, so usually nothing needs changing.
Also make sure every radiusclient-related path in this file starts with /etc/radiusclient.

5. Configure freeradius

cd /usr/local/freeradius-1.1.0/etc/raddb

The raddb directory holds all of the freeradius configuration files.

5.1 Edit clients.conf

A note first: every NAS is a client of radiusd, and here the NAS is pptpd, so this file controls pptpd's permission to talk to radiusd.

Code:
client 127.0.0.1 {
            secret = netdragon
            shortname = iamok
            nastype = other
}

Change the 127.0.0.1 block to look like the above. secret is the one we just set in servers under /etc/radiusclient; the two must be identical.
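A mismatch between the two secrets only shows up later, as rejected requests at dial-in time. The following Python script (an added example, not part of pppd's radius plugin or of FreeRADIUS) parses both files and reports a missing entry, a mismatch, or a sample secret left in place. The server name localhost and client address 127.0.0.1 are the ones used above; the file contents in the script are constructed, and the set of sample secrets it flags is this example's own choice (the two commented keys from the shipped servers file plus FreeRADIUS's stock clients.conf secret testing123).

```python
"""Check that the pppd radiusclient and the freeradius server agree on the
shared secret (added example, not part of the guide or of either project)."""
import re

# Sample keys from the radiusclient 'servers' file shipped with pppd (the
# commented-out lines) plus FreeRADIUS's stock clients.conf secret: any of
# these in a live entry means the example secret was never changed.
SAMPLE_SECRETS = {"hardlyasecret", "donttellanyone", "testing123"}


def parse_servers(text):
    """/etc/radiusclient/servers: one 'server  key' pair per line, '#' lines ignored."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 2:
            secrets[fields[0]] = fields[1]
    return secrets


def parse_clients_conf(text):
    """clients.conf: 'client <addr> { ... secret = <key> ... }' blocks -> {addr: key}."""
    clients = {}
    for block in re.finditer(r"client\s+(\S+)\s*\{([^}]*)\}", text):
        addr, body = block.group(1), block.group(2)
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("#"):
                continue
            m = re.match(r'secret\s*=\s*"?([^"\s]+)"?', line)
            if m:
                clients[addr] = m.group(1)
    return clients


def check_shared_secret(servers_text, clients_text,
                        server_name="localhost", client_addr="127.0.0.1"):
    """Return a list of problems; an empty list means pppd and radiusd agree."""
    problems = []
    nas_side = parse_servers(servers_text).get(server_name)
    radiusd_side = parse_clients_conf(clients_text).get(client_addr)
    if nas_side is None:
        problems.append(f"servers: no entry for {server_name}")
    if radiusd_side is None:
        problems.append(f"clients.conf: no client block for {client_addr}")
    if nas_side and radiusd_side and nas_side != radiusd_side:
        problems.append("shared secret differs between servers and clients.conf")
    for side, value in (("servers", nas_side), ("clients.conf", radiusd_side)):
        if value in SAMPLE_SECRETS:
            problems.append(f"{side}: sample secret {value!r} still in use")
    return problems


# Constructed samples in the shape of the two files shown in the guide.
SERVERS_OK = """\
#Server Name or Client/Server pair       Key
#portmaster.elemental.net             hardlyasecret
localhost     netdragon
"""

CLIENTS_OK = """\
client 127.0.0.1 {
        secret = netdragon
        shortname = iamok
        nastype = other
}
"""

# Same clients.conf with the stock secret left in place instead of netdragon.
CLIENTS_BAD = CLIENTS_OK.replace("netdragon", "testing123")


if __name__ == "__main__":
    print("ok:", check_shared_secret(SERVERS_OK, CLIENTS_OK))
    print("bad:", check_shared_secret(SERVERS_OK, CLIENTS_BAD))
```

Against the live system, pass the contents of /etc/radiusclient/servers and of raddb/clients.conf; the first constructed pair returns no problems, the second reports both the mismatch and the unchanged stock secret.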

5.2 Add a user at the top of the users file

Code:
ww Auth-Type:= MS-CHAP, User-Password=="ww", Simultaneous-Use:=1
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 255.255.255.254,
   Framed-IP-Netmask = 255.255.255.0

Explanation: ww is the user name,
Auth-Type is the authentication type,
the second ww is the password,
Simultaneous-Use is how many simultaneous logins this user name is allowed.

All of these are check attributes and must be on the first line.
From the second line on, each line starts with a tab; these are the reply attributes the server returns to the radius client (i.e. to pptpd).
An IP address of 255.255.255.254 means the address is assigned by the radius client, i.e. by pptpd.
The last one is the netmask.

5.3 Run radiusd in debug mode
Code:

../../sbin/radiusd -x

You will see:

Code:
Starting - reading configuration files ...
Using deprecated naslist file.   Support for this will go away soon.
Module: Loaded exec 
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
Module: Instantiated preprocess (preprocess) 
Module: Loaded files 
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded realm 
Module: Instantiated realm (suffix) 
Module: Loaded detail 
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
Module: Instantiated radutmp (radutmp) 
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

6. Test

Create a new VPN connection

with user name ww and password ww,

then dial.

If it succeeds you will see:

Code:
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=214, length=144
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = "ww"
   MS-CHAP-Challenge = 0x729e2492953298b498a766e778defe74
   MS-CHAP2-Response = 0xfc00475dd294431a52ee1187d13127c3bf49000000000000000043aad8bb5cd6f5ece16ddae9d20c63d857836053b2197144
   Calling-Station-Id = "192.168.8.53"
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
Sending Access-Accept of id 214 to 127.0.0.1 port 32768
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = 255.255.255.254
   Framed-IP-Netmask = 255.255.255.0
   MS-CHAP2-Success = 0xfc533d31303637323037453037384244433138333441303536434337433044373046363942414446343039
   MS-MPPE-Recv-Key = 0x0211fcb6f599479e8ee0a7d8a16a3252
   MS-MPPE-Send-Key = 0x91242cedc84a2dc69355c56951119065
   MS-MPPE-Encryption-Policy = 0x00000002
   MS-MPPE-Encryption-Types = 0x00000004
rad_recv: Accounting-Request packet from host 127.0.0.1:32768, id=215, length=108
   Acct-Session-Id = "43EBFF39048300"
   User-Name = "ww"
   Acct-Status-Type = Start
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Calling-Station-Id = "192.168.8.53"
   Acct-Authentic = RADIUS
   NAS-Port-Type = Async
   Framed-IP-Address = 10.10.110.1
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
   Acct-Delay-Time = 0
Sending Accounting-Response of id 215 to 127.0.0.1 port 32768

With that, the pptp + radius part is done. The next part adds MySQL support to radiusd.

Stop radiusd with Ctrl+C.

pptpd+radius+mysql installation guide (part 3: the mysql part)

Author: i_amok
Source: CCF

1. Software needed: nothing extra.

You only need to create the MySQL database for radius; the table structure is in

src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql under the freeradius source directory.

Just create a database; on my own machine I created one named radius

and imported that schema into it.

2. Configure sql.conf

First go back to the freeradius configuration directory:
Code:

cd /usr/local/freeradius-1.1.0/etc/raddb

vi sql.conf

Change the connection information:

Code:

# Connect info
   server = "192.168.8.53"
   login = "radius"
   password = "radius"

# Database table configuration
   radius_db = "radius"

Remove the # in front of the simul... line below
to enable the query that counts a user's simultaneous connections:
Code:

# Uncomment simul_count_query to enable simultaneous use checking
   simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

3. Configure radiusd.conf

In authorize {
comment out files
and uncomment sql.

In preacct {
comment out files.

In accounting {
comment out radutmp
and uncomment sql.

In session {
comment out radutmp
and uncomment sql.

In post-auth {
uncomment sql.

In short: disable the files module and enable the sql module.

4. Add a user to the database

In usergroup, add a user test with group name vpn.

In radgroupcheck, add a record for group vpn with
attribute Simultaneous-Use,
op :=,
value 1.

In radcheck, add a record with
username test,
attribute User-Password,
op ==,
value test.

This creates the user test, in group vpn, with password test,
and every user in the group may be logged in only once at a time.

5. Test
Start radiusd in debug mode.

You will see:

Code:
[root@kdfng raddb]# ../../sbin/radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file.   Support for this will go away soon.
Module: Loaded exec 
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
Module: Instantiated preprocess (preprocess) 
Module: Loaded SQL 
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@192.168.8.53:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql) 
Module: Loaded Acct-Unique-Session-Id 
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded realm 
Module: Instantiated realm (suffix) 
Module: Loaded detail 
Module: Instantiated detail (detail) 
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

Log in as the test user.

You will see:

Code:

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=222, length=146
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = "test"
   MS-CHAP-Challenge = 0xb6a9e94b94c3c386875043efd5144e17
   MS-CHAP2-Response = 0x38006d78036bb5e40ddeca0ce96b944619e000000000000000007b887b8762be38eb111a94a4b581925b85e07453a38a070f
   Calling-Station-Id = "192.168.8.53"
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
Sending Access-Accept of id 222 to 127.0.0.1 port 32768
   MS-CHAP2-Success = 0x38533d33453434464142394232444230413143464539453832444536453534373331383833454238414536
   MS-MPPE-Recv-Key = 0x53a3812a0fd5b6f7b1cf4f6f6796f26b
   MS-MPPE-Send-Key = 0xb8be60559cbc46fd4da277516d6584f3
   MS-MPPE-Encryption-Policy = 0x00000002
   MS-MPPE-Encryption-Types = 0x00000004
rad_recv: Accounting-Request packet from host 127.0.0.1:32768, id=223, length=110
   Acct-Session-Id = "43EC0822056A00"
   User-Name = "test"
   Acct-Status-Type = Start
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Calling-Station-Id = "192.168.8.53"
   Acct-Authentic = RADIUS
   NAS-Port-Type = Async
   Framed-IP-Address = 10.10.110.1
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
   Acct-Delay-Time = 0
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
Sending Accounting-Response of id 223 to 127.0.0.1 port 32768

If you change Simultaneous-Use to 0

you will see:

Code:

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=225, length=146
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = "test"
   MS-CHAP-Challenge = 0x2295d4d65913cbc0a7836e986fe4a998
   MS-CHAP2-Response = 0x34001739a3331c1a1a938eed99cda89b691f0000000000000000a8a9e9ae2eadaa6b1acb93e368113dc4ed47dac0a20b1ed8
   Calling-Station-Id = "192.168.8.53"
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=225, length=146
Sending Access-Reject of id 225 to 127.0.0.1 port 32768
   Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"

It says the user is already logged in, so the option is in effect.
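To show how sections 4 and 5 fit together, the following Python script (an added example using SQLite in memory; it is not FreeRADIUS code, and it simplifies the real MS-CHAPv2 authentication to a plain password comparison) builds the subset of the db_mysql.sql tables the check needs, inserts the test user exactly as in section 4, and runs the page's simul_count_query against radacct to reproduce the accept / "already logged in" decision seen in the debug output above, including the reject you get once Simultaneous-Use is set to 0. The session id and stop time are constructed; the column names follow the schema the guide imports.

```python
"""Simulation of the FreeRADIUS rlm_sql authorize / session checks over the
db_mysql.sql tables, using SQLite in memory (added example, not FreeRADIUS code)."""
import sqlite3

# Subset of the db_mysql.sql schema, only the columns the check needs. AcctStopTime
# is kept as an integer (0 = session still open) so the guide's simul_count_query
# ("AND AcctStopTime = 0") can be used as written.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radacct       (RadAcctId INTEGER PRIMARY KEY, AcctSessionId TEXT, UserName TEXT,
                            AcctStopTime INTEGER NOT NULL DEFAULT 0);
"""

# The guide's simul_count_query with ${acct_table1} and %{SQL-User-Name} resolved.
SIMUL_COUNT_QUERY = "SELECT COUNT(*) FROM radacct WHERE UserName=? AND AcctStopTime = 0"

# Reply-Message radiusd sends in the reject shown above.
REJECT_MESSAGE = "You are already logged in - access denied"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_group_limit(conn, group, simultaneous_use):
    """radgroupcheck row for the group: Simultaneous-Use := n (replaces any existing one)."""
    conn.execute("DELETE FROM radgroupcheck WHERE GroupName=? AND Attribute='Simultaneous-Use'", (group,))
    conn.execute("INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) "
                 "VALUES (?, 'Simultaneous-Use', ':=', ?)", (group, str(simultaneous_use)))
    conn.commit()


def add_user(conn, username, password, group):
    """Section 4: usergroup row plus radcheck row User-Password == password."""
    conn.execute("INSERT INTO usergroup VALUES (?, ?)", (username, group))
    conn.execute("INSERT INTO radcheck (UserName, Attribute, op, Value) "
                 "VALUES (?, 'User-Password', '==', ?)", (username, password))
    conn.commit()


def check_items(conn, username):
    """authorize: the user's radcheck items, then the group's radgroupcheck items via usergroup."""
    items = {}
    for attr, op, value in conn.execute(
            "SELECT Attribute, op, Value FROM radcheck WHERE UserName=?", (username,)):
        items[attr] = (op, value)
    for attr, op, value in conn.execute(
            "SELECT g.Attribute, g.op, g.Value FROM radgroupcheck g "
            "JOIN usergroup u ON u.GroupName = g.GroupName WHERE u.UserName=?", (username,)):
        items.setdefault(attr, (op, value))
    return items


def authorize(conn, username, password):
    """Return ('Access-Accept', None) or ('Access-Reject', reason)."""
    items = check_items(conn, username)
    if "User-Password" not in items:
        return ("Access-Reject", "unknown user")
    op, expected = items["User-Password"]
    # Simplification: the real server proves the password through MS-CHAPv2 using
    # the cleartext stored in radcheck; here the offered password is compared directly.
    if op != "==" or password != expected:
        return ("Access-Reject", "bad password")
    if "Simultaneous-Use" in items:
        limit = int(items["Simultaneous-Use"][1])
        (active,) = conn.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()
        # session section: the login passes only while active < limit, so a limit
        # of 0 rejects even with no open session, as the guide observes.
        if active >= limit:
            return ("Access-Reject", REJECT_MESSAGE)
    return ("Access-Accept", None)


def acct_start(conn, session_id, username):
    """Accounting-Request Start: open radacct row, AcctStopTime stays 0."""
    conn.execute("INSERT INTO radacct (AcctSessionId, UserName) VALUES (?, ?)", (session_id, username))
    conn.commit()


def acct_stop(conn, session_id, stop_time):
    """Accounting-Request Stop: close the row so it no longer counts."""
    conn.execute("UPDATE radacct SET AcctStopTime=? WHERE AcctSessionId=?", (stop_time, session_id))
    conn.commit()


def demo():
    """Login, second login while the first session is open, login after Stop."""
    conn = open_db()
    set_group_limit(conn, "vpn", 1)
    add_user(conn, "test", "test", "vpn")
    first = authorize(conn, "test", "test")
    acct_start(conn, "43EC0822056A00", "test")   # session id taken from the log above
    second = authorize(conn, "test", "test")
    acct_stop(conn, "43EC0822056A00", 1)          # constructed stop time, any non-zero value
    third = authorize(conn, "test", "test")
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

demo() returns Accept, then the "already logged in" Reject while the radacct row is open, then Accept again after the Stop record; note that a NAS that never sends accounting Stop (pptpd killed, GRE lost) leaves the row open and locks the user out until the row is closed by hand, which is the usual operational cost of this check.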

Also, I am looking for someone who reads Russian to help me with this:

FreeNIBS

FreeNIBS is a loadable plugin for the FreeRADIUS radius server. FreeNIBS provides authorization, authentication, and accounting for dial-in (PPP/PPPOE/PPTP) users. It can be used for real-time prepaid and postpaid billing. FreeNIBS can bill users based on service accuration, time, traffic, and both time and traffic. FreeNIBS has very flexible settings for groups, users, and prices. All data is stored in SQL databases such as MySQL, PgSQL, and Oracle.

It only has a Russian manual, which I simply cannot make sense of; even the configuration file is in Russian......

With it added, time- and traffic-based limits could be enforced.