FreeRADIUS+DaloRADIUS 实现vpn的用户管理

  vpn默认需要在配置文件里面添加用户密码，如果用户离职啊，新员工入职等情形，对一些不懂技术的管理人员，去修改配置文件，显然不太合理。所以，需要一套非技术人员也能操作的web管理系统来管理用户。

工具介绍：

freeradius一般用来进行账户认证管理，记账管理，常见的电信运营商的宽带账户，上网账户管理，记账，都是使用的radius服务器进行鉴权记账的。

Freeradius包含一个radius服务器和radius-client，可以对支持radius协议的网络设备进行鉴权记账，常见的开源路由器操作系统：如Openwrt,DD-wrt等，都支持radius协议，对PPPOE，热点，VPN等服务器进行账户管理认证，记账。

freeradius功能十分强大，支持众多的数据库。

Freeradius操作稍显麻烦，内置diaup_admin简单web管理，需要更简单易用的管理功能可以使用第三方的管理程序对Freeradius进行账户管理，系统配置等。

daloRADIUS是高级的RADIUS页面管理应用目的是对于hotspots和ISP的部署进行管理。同时还提供了用户管理，图形化的报告、报表引擎以及于google地图的集成。

本文以l2tp为例，其他类似。

前提：

安装好vpn,mysql 

安装步骤：

在开始安装之前，建议关闭SELinux或将其设置为disabled，最好建议永久关闭SELinux

     sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config

临时关闭  setenforce 0

一、FreeRADIUS 服务端安装

1.1 下载、编译、安装

wget -c ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.17.tar.gz

tar zxf freeradius-server-3.0.17.tar.gz

cd freeradius-server-3.0.17

./configure

make && make install

一般安装过程中提示缺少libtalloc 库，需要安装talloc-2.1.7.tar.gz

  先从 https://www.samba.org/ftp/talloc/talloc-2.1.13.tar.gz 下载 talloc-2.1.13.tar.gz  然后安装.

1.2 测试是否安装成功

vi /usr/local/etc/raddb/users

在第一行添加 

steve Cleartext-Password := "testing" 

退出后命令行执行 radiusd -X

另外一个窗口执行radtest steve testing localhost 0 testing123

看到 "Access-Accept packet" 表示成功了，"Access-Reject" 表示失败了。

成功后去掉上面的那一行配置。

备注：服务端如果编译安装不通过，也可以通过yum安装.

yum -y install freeradius freeradius-utils freeradius-mysql

1.3 配置radius

cd /usr/local/etc/raddb/sites-enabled

vi  default

将authorize {}下的sql去掉注释，并且将file注释掉。

cd /usr/local/etc/raddb/mods-available

vi  sql

找到driver = “rlm_sql_null”这一行，修改为driver = “rlm_sql_mysql”。保持并退出。

去掉注释，设置用户名和密码等信息

修改 FreeRADIUS中的mysql 认证配置

执行如下命令：

cd /etc/raddb/mods-enabled

ln -s ../mods-available/sql

二、FreeRADIUS 客户端安装与配置

2.1 编译与安装

wget -c  ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.7.tar.gz

tar -zxf freeradius-client-1.1.7.tar.gz

cd freeradius-client-1.1.7

./configure

make && make install

2.2 设置通信密码

vi  /usr/local/etc/radiusclient/servers

添加一行

localhost   testing123

2.3 增加字典

 wget -c http://small-script.googlecode.com/files/dictionary.microsoft

  mv ./dictionary.microsoft /usr/local/etc/radiusclient/

vi /usr/local/etc/radiusclient/dictionary

最后添加

INCLUDE /usr/local/etc/radiusclient/dictionary.sip

INCLUDE /usr/local/etc/radiusclient/dictionary.ascend

INCLUDE /usr/local/etc/radiusclient/dictionary.merit

INCLUDE /usr/local/etc/radiusclient/dictionary.compat

INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft

2.4增加ppp插件配置

vi /etc/ppp/options.xl2tpd

最后添加

plugin /usr/lib64/pppd/2.4.5/radius.so

plugin /usr/lib64/pppd/2.4.5/radattr.so

radius-config-file /usr/local/etc/radiusclient/radiusclient.conf

pppd的radius.so根据路径配置，如果没有搜到，安装一下pppd

三  配置mysql

3.1 创建radius库

#mysql -uroot -p

mysql>create database radius;

3.2 创建radius用户

mysql>grant all on radius.* to radius@localhost identified by 'radius';

mysql>flush privileges;

3.3 导入sql文件

#cd /usr/local/etc/raddb/mods-config/sql/main/mysql

#mysql -u radius -p radius<schema.sql

3.4  初始设置MySQL，设置root密码,出于安全考虑，考虑删除匿名用户和禁用远程根登录,参见下面的示例配置。

# mysql_secure_installation

Set root password? [Y/n]  y

New password: 

Re-enter new password: 

Password updated successfully!

Reloading privilege tables..

 ... Success!

Remove anonymous users? [Y/n] y

Disallow root login remotely? [Y/n] y

Remove test database and access to it? [Y/n] y

Reload privilege tables now? [Y/n] y

四. 安装apache

yum -y install httpd httpd-devel

设置开机启动和启动Apache服务

# systemctl enable httpd

# systemctl start httpd

五.  安装php7

# curl 'https://setup.ius.io/' -o setup-ius.sh

# bash setup-ius.sh

# yum remove php-cli mod_php php-common

# yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear

六   安装FreeRADIUS管理界面Daloradius

进入Apache网站根目录,下载源文件

# cd /var/www/html/

# wget https://github.com/lirantal/daloradius/archive/master.zip

# unzip master.zip

# mv daloradius-master/ daloradius

# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz

# unzip master.zip

# mv daloradius-master/ daloradius

进入daloradius目录，导入daloradius数据库

# cd daloradius

# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql 

# mysql -u root -p radius < contrib/db/mysql-daloradius.sql

设置daloradius目录用户组和用户，设置daloradius.conf.php权限

# chown -R apache:apache /var/www/html/daloradius/

# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

设置daloradius数据库连接信息，打开daloradius.conf.php文件,修改CONFIG_DB_USER，CONFIG_DB_PASS，CONFIG_DB_NAME。

# vi  /var/www/html/daloradius/library/daloradius.conf.php

填入mysql的用户密码和数据库名称

重启服务

# systemctl restart xl2tpd

# systemctl restart mysql

# systemctl restart httpd

# cp /usr/local/sbin/rc.radiusd /etc/init.d/radiusd

/etc/init.d/radiusd start

- 安装php-pear

# yum install php-pear

# pear install DB

登录web界面 

默认用户名: administrator 

密码: radius

http://ip-address/daloradius/login.php

安装后可以在界面进行添加用户，用添加的用户登陆vpn 

如果连接时后台/var/log/messages如下错误：

rc_read_dictionary: invalid type on line 92 of dictionary /usr/local/etc/radiusclient/dictionary

将dictionary内容替换如下：

#

# Updated 97/06/13 to livingston-radius-2.01 miquels@cistron.nl

#

# This file contains dictionary translations for parsing

# requests and generating responses.  All transactions are

# composed of Attribute/Value Pairs.  The value of each attribute

# is specified as one of 4 data types.  Valid data types are:

#

# string - 0-253 octets

# ipaddr - 4 octets in network byte order

# integer - 32 bit value in big endian order (high byte first)

# date - 32 bit value in big endian order - seconds since

# 00:00:00 GMT,  Jan.  1,  1970

#

# Enumerated values are stored in the user file with dictionary

# VALUE translations for easy administration.

#

# Example:

#

# ATTRIBUTE   VALUE

# ---------------   -----

# Framed-Protocol = PPP

# 7 = 1 (integer encoding)

#

# The dictionary format now supports vendor-specific attributes.

# Vendors are introduced like this:

#

# VENDOR vendor_name vendor_number

#

# For example:

#

# VENDOR RoaringPenguin 10055

#

# Vendor-specific attributes have a fifth field with the name of the

# vendor.  For example:

#

#       ATTRIBUTE RP-Upstream-Speed-Limit 1 integer RoaringPenguin

#

# introduces a Roaring Penguin vendor-specific attribbute with name

# RP-Upstream-Speed-Limit, number 1, type integer and vendor RoaringPenguin.

#

# Following are the proper new names. Use these.

#

ATTRIBUTE User-Name 1 string

ATTRIBUTE Password 2 string

ATTRIBUTE CHAP-Password 3 string

ATTRIBUTE NAS-IP-Address 4 ipaddr

ATTRIBUTE NAS-Port-Id 5 integer

ATTRIBUTE Service-Type 6 integer

ATTRIBUTE Framed-Protocol 7 integer

ATTRIBUTE Framed-IP-Address 8 ipaddr

ATTRIBUTE Framed-IP-Netmask 9 ipaddr

ATTRIBUTE Framed-Routing 10 integer

ATTRIBUTE Filter-Id 11 string

ATTRIBUTE Framed-MTU 12 integer

ATTRIBUTE Framed-Compression 13 integer

ATTRIBUTE Login-IP-Host 14 ipaddr

ATTRIBUTE Login-Service 15 integer

ATTRIBUTE Login-TCP-Port 16 integer

ATTRIBUTE Reply-Message 18 string

ATTRIBUTE Callback-Number 19 string

ATTRIBUTE Callback-Id 20 string

ATTRIBUTE Framed-Route 22 string

ATTRIBUTE Framed-IPX-Network 23 ipaddr

ATTRIBUTE State 24 string

ATTRIBUTE Class 25 string

ATTRIBUTE Session-Timeout 27 integer

ATTRIBUTE Idle-Timeout 28 integer

ATTRIBUTE Termination-Action 29 integer

ATTRIBUTE Called-Station-Id 30 string

ATTRIBUTE Calling-Station-Id 31 string

ATTRIBUTE NAS-Identifier 32 string

ATTRIBUTE Acct-Status-Type 40 integer

ATTRIBUTE Acct-Delay-Time 41 integer

ATTRIBUTE Acct-Input-Octets 42 integer

ATTRIBUTE Acct-Output-Octets 43 integer

ATTRIBUTE Acct-Session-Id 44 string

ATTRIBUTE Acct-Authentic 45 integer

ATTRIBUTE Acct-Session-Time 46 integer

ATTRIBUTE Acct-Input-Packets 47 integer

ATTRIBUTE Acct-Output-Packets 48 integer

ATTRIBUTE Acct-Terminate-Cause 49 integer

ATTRIBUTE       Chap-Challenge          60      string

ATTRIBUTE NAS-Port-Type 61 integer

ATTRIBUTE Port-Limit 62 integer

ATTRIBUTE Connect-Info 77 string

# RFC 2869

ATTRIBUTE Acct-Interim-Interval 85 integer

#

# Experimental Non Protocol Attributes used by Cistron-Radiusd

#

ATTRIBUTE Huntgroup-Name 221 string

ATTRIBUTE User-Category 1029 string

ATTRIBUTE Group-Name 1030 string

ATTRIBUTE Simultaneous-Use 1034 integer

ATTRIBUTE Strip-User-Name 1035 integer

ATTRIBUTE Fall-Through 1036 integer

ATTRIBUTE Add-Port-To-IP-Address 1037 integer

ATTRIBUTE Exec-Program 1038 string

ATTRIBUTE Exec-Program-Wait 1039 string

ATTRIBUTE Hint 1040 string

#

# Non-Protocol Attributes

# These attributes are used internally by the server

#

ATTRIBUTE Expiration   21 date

ATTRIBUTE Auth-Type 1000 integer

ATTRIBUTE Menu 1001 string

ATTRIBUTE Termination-Menu 1002 string

ATTRIBUTE Prefix 1003 string

ATTRIBUTE Suffix 1004 string

ATTRIBUTE Group 1005 string

ATTRIBUTE Crypt-Password 1006 string

ATTRIBUTE Connect-Rate 1007 integer

#

#       Experimental, implementation specific attributes

#

# Limit session traffic

ATTRIBUTE Session-Octets-Limit 227 integer

# What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)

ATTRIBUTE Octets-Direction 228 integer

#

# Integer Translations

#

# User Types

VALUE Service-Type Login-User 1

VALUE Service-Type Framed-User 2

VALUE Service-Type Callback-Login-User 3

VALUE Service-Type Callback-Framed-User 4

VALUE Service-Type Outbound-User 5

VALUE Service-Type Administrative-User 6

VALUE Service-Type NAS-Prompt-User 7

# Framed Protocols

VALUE Framed-Protocol PPP 1

VALUE Framed-Protocol SLIP 2

# Framed Routing Values

VALUE Framed-Routing None 0

VALUE Framed-Routing Broadcast 1

VALUE Framed-Routing Listen 2

VALUE Framed-Routing Broadcast-Listen 3

# Framed Compression Types

VALUE Framed-Compression None 0

VALUE Framed-Compression Van-Jacobson-TCP-IP 1

# Login Services

VALUE Login-Service Telnet 0

VALUE Login-Service Rlogin 1

VALUE Login-Service TCP-Clear 2

VALUE Login-Service PortMaster 3

# Status Types

VALUE Acct-Status-Type Start 1

VALUE Acct-Status-Type Stop 2

VALUE Acct-Status-Type Accounting-On 7

VALUE Acct-Status-Type Accounting-Off 8

# Authentication Types

VALUE Acct-Authentic RADIUS 1

VALUE Acct-Authentic Local 2

VALUE Acct-Authentic PowerLink128 100

# Termination Options

VALUE Termination-Action Default 0

VALUE Termination-Action RADIUS-Request 1

# NAS Port Types, available in 3.3.1 and later

VALUE NAS-Port-Type Async 0

VALUE NAS-Port-Type Sync 1

VALUE NAS-Port-Type ISDN 2

VALUE NAS-Port-Type ISDN-V120 3

VALUE NAS-Port-Type ISDN-V110 4

# Acct Terminate Causes, available in 3.3.2 and later

VALUE           Acct-Terminate-Cause    User-Request            1

VALUE           Acct-Terminate-Cause    Lost-Carrier            2

VALUE           Acct-Terminate-Cause    Lost-Service            3

VALUE           Acct-Terminate-Cause    Idle-Timeout            4

VALUE           Acct-Terminate-Cause    Session-Timeout         5

VALUE           Acct-Terminate-Cause    Admin-Reset             6

VALUE           Acct-Terminate-Cause    Admin-Reboot            7

VALUE           Acct-Terminate-Cause    Port-Error              8

VALUE           Acct-Terminate-Cause    NAS-Error               9

VALUE           Acct-Terminate-Cause    NAS-Request             10

VALUE           Acct-Terminate-Cause    NAS-Reboot              11

VALUE           Acct-Terminate-Cause    Port-Unneeded           12

VALUE           Acct-Terminate-Cause    Port-Preempted          13

VALUE           Acct-Terminate-Cause    Port-Suspended          14

VALUE           Acct-Terminate-Cause    Service-Unavailable     15

VALUE           Acct-Terminate-Cause    Callback                16

VALUE           Acct-Terminate-Cause    User-Error              17

VALUE           Acct-Terminate-Cause    Host-Request            18

#

# Non-Protocol Integer Translations

#

VALUE Auth-Type Local 0

VALUE Auth-Type System 1

VALUE Auth-Type SecurID 2

VALUE Auth-Type Crypt-Local 3

VALUE Auth-Type Reject 4

#

# Cistron extensions

#

VALUE Auth-Type Pam 253

VALUE Auth-Type None 254

#

# Experimental Non-Protocol Integer Translations for Cistron-Radiusd

#

VALUE Fall-Through No 0

VALUE Fall-Through Yes 1

VALUE Add-Port-To-IP-Address No 0

VALUE Add-Port-To-IP-Address Yes 1

#

# Configuration Values

# uncomment these two lines to turn account expiration on

#

#VALUE Server-Config Password-Expiration 30

#VALUE Server-Config Password-Warning 5

#       Octets-Direction

VALUE Octets-Direction        Sum 0

VALUE Octets-Direction        Input 1

VALUE Octets-Direction        Output 2

VALUE Octets-Direction        MaxOveral 3

VALUE Octets-Direction        MaxSession 4

INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft

INCLUDE /usr/local/etc/radiusclient/dictionary.ascend

INCLUDE /usr/local/etc/radiusclient/dictionary.compat

INCLUDE /usr/local/etc/radiusclient/dictionary.merit

如果后台报如下错误：

rc_read_dictionary: invalid type on line 11 of dictionary /usr/local/etc/radiusclient/dictionary.microsoft

将dictionary.microsoft内容替换如下：

#

# Microsoft's VSA's, from RFC 2548

#

# $Id: dictionary.microsoft,v 1.1 2004/11/14 07:26:26 paulus Exp $

#

VENDOR Microsoft 311 Microsoft

ATTRIBUTE MS-CHAP-Response 1 string Microsoft

ATTRIBUTE MS-CHAP-Error 2 string Microsoft

ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft

ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft

ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft

ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft

ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft

# This is referred to as both singular and plural in the RFC.

# Plural seems to make more sense.

ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft

ATTRIBUTE MS-MPPE-Encryption-Types  8 string Microsoft

ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft

ATTRIBUTE MS-CHAP-Domain 10 string Microsoft

ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft

ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft

ATTRIBUTE MS-BAP-Usage 13 integer Microsoft

ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft

ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft

ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft

ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft

ATTRIBUTE MS-RAS-Version 18 string Microsoft

ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft

ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft

ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft

ATTRIBUTE MS-Filter 22 string Microsoft

ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft

ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft

ATTRIBUTE MS-CHAP2-Response 25 string Microsoft

ATTRIBUTE MS-CHAP2-Success 26 string Microsoft

ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft

ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft

ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft

ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft

ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft

#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft

#

# Integer Translations

#

# MS-BAP-Usage Values

VALUE MS-BAP-Usage Not-Allowed 0

VALUE MS-BAP-Usage Allowed 1

VALUE MS-BAP-Usage Required 2

# MS-ARAP-Password-Change-Reason Values

VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1

VALUE MS-ARAP-PW-Change-Reason Expired-Password 2

VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3

VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4

# MS-Acct-Auth-Type Values

VALUE MS-Acct-Auth-Type PAP 1

VALUE MS-Acct-Auth-Type CHAP 2

VALUE MS-Acct-Auth-Type MS-CHAP-1 3

VALUE MS-Acct-Auth-Type MS-CHAP-2 4

VALUE MS-Acct-Auth-Type EAP 5

# MS-Acct-EAP-Type Values

VALUE MS-Acct-EAP-Type MD5 4

VALUE MS-Acct-EAP-Type OTP 5

VALUE MS-Acct-EAP-Type Generic-Token-Card 6

VALUE MS-Acct-EAP-Type TLS 13

--------------------- 

作者：LibertyFly 

来源：CSDN 

原文：https://blog.csdn.net/sky835202/article/details/80651700 

版权声明：本文为博主原创文章，转载请附上博文链接！

打赏

支付宝微信扫一扫，打赏作者吧～

本文链接：https://www.kinber.cn/post/841.html 转载需授权！

推荐本站淘宝优惠价购买喜欢的宝贝:

 您阅读本篇文章共花了：