
FreeRADIUS + daloRADIUS: VPN user management

Posted by hqy on 2019-07-15 15:26:12, 3755 views, 0 comments


By default a VPN requires users and passwords to be added to its configuration file. When an employee leaves or a new one joins, it is clearly unreasonable to expect non-technical administrators to edit configuration files, so a web-based management system that non-technical staff can operate is needed to manage the users.


Tool overview:


FreeRADIUS is generally used for account authentication and accounting. Telecom operators commonly rely on a RADIUS server to authenticate and account for broadband and Internet-access accounts.


FreeRADIUS consists of a RADIUS server and a RADIUS client, and can authenticate and account for any network device that supports the RADIUS protocol. Common open-source router firmwares such as OpenWrt and DD-WRT support RADIUS, so PPPoE, hotspot and VPN servers can all have their accounts authenticated and accounted for this way.

FreeRADIUS is very powerful and supports a large number of databases.


FreeRADIUS is somewhat cumbersome to operate. It ships with a simple web front end, dialup_admin; for easier administration, a third-party management application can be used to manage FreeRADIUS accounts and system configuration.


daloRADIUS is an advanced RADIUS web management application aimed at managing hotspot and ISP deployments. It also provides user management, graphical reports, a reporting engine, and Google Maps integration.


This article uses L2TP as the example; other VPN types are similar.


Prerequisites:


A working VPN and MySQL installation


Installation steps:


Before starting, it is recommended to turn SELinux off by setting it to disabled, preferably permanently:

     sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config

To turn it off temporarily for the current boot: setenforce 0




1. Installing the FreeRADIUS server

1.1 Download, build and install

wget -c ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.17.tar.gz

tar zxf freeradius-server-3.0.17.tar.gz

cd freeradius-server-3.0.17

./configure


make && make install


The build usually stops with a message that the libtalloc library is missing, in which case talloc needs to be installed (talloc-2.1.7.tar.gz).


Download talloc-2.1.13.tar.gz from https://www.samba.org/ftp/talloc/talloc-2.1.13.tar.gz, then build and install it.


1.2 Testing the installation


vi /usr/local/etc/raddb/users


Add the following as the first line:


steve Cleartext-Password := "testing" 


Save, exit, and run radiusd -X on the command line.


In another terminal run: radtest steve testing localhost 0 testing123


Seeing an "Access-Accept packet" means the test succeeded; "Access-Reject" means it failed.


Once the test succeeds, remove the line added above.


Note: if building the server from source fails, it can also be installed with yum.


yum -y install freeradius freeradius-utils freeradius-mysql


1.3 Configuring FreeRADIUS

cd /usr/local/etc/raddb/sites-enabled

vi  default


Under authorize {}, uncomment sql and comment out files.


cd /usr/local/etc/raddb/mods-available

vi  sql

Find the line driver = "rlm_sql_null" and change it to driver = "rlm_sql_mysql". Save and exit.

Uncomment the connection block and set the username, password and other connection details.

This adjusts the MySQL authentication configuration in FreeRADIUS.

Then run the following commands:

cd /etc/raddb/mods-enabled

ln -s ../mods-available/sql



2. Installing and configuring the FreeRADIUS client


2.1 Build and install

wget -c  ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.7.tar.gz

tar -zxf freeradius-client-1.1.7.tar.gz

cd freeradius-client-1.1.7

./configure


make && make install


2.2 Setting the shared secret

vi  /usr/local/etc/radiusclient/servers


Add the line:


localhost   testing123


2.3 Adding dictionaries


 wget -c http://small-script.googlecode.com/files/dictionary.microsoft


  mv ./dictionary.microsoft /usr/local/etc/radiusclient/


vi /usr/local/etc/radiusclient/dictionary


Append at the end:


INCLUDE /usr/local/etc/radiusclient/dictionary.sip

INCLUDE /usr/local/etc/radiusclient/dictionary.ascend

INCLUDE /usr/local/etc/radiusclient/dictionary.merit

INCLUDE /usr/local/etc/radiusclient/dictionary.compat


INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft


2.4 Adding the ppp plugin configuration


vi /etc/ppp/options.xl2tpd


Append at the end:


plugin /usr/lib64/pppd/2.4.5/radius.so

plugin /usr/lib64/pppd/2.4.5/radattr.so


radius-config-file /usr/local/etc/radiusclient/radiusclient.conf


The path to pppd's radius.so depends on your installation; if it cannot be found, install pppd.


3. Configuring MySQL

3.1 Create the radius database

#mysql -uroot -p

mysql>create database radius;

3.2 Create the radius user

mysql>grant all on radius.* to radius@localhost identified by 'radius';

mysql>flush privileges;

3.3 Import the SQL schema

#cd /usr/local/etc/raddb/mods-config/sql/main/mysql


#mysql -u radius -p radius<schema.sql



3.4 Initial MySQL setup: set the root password and, for security, remove anonymous users and disable remote root login. An example session follows.


# mysql_secure_installation


Set root password? [Y/n]  y

New password: 

Re-enter new password: 

Password updated successfully!

Reloading privilege tables..

 ... Success!


Remove anonymous users? [Y/n] y

Disallow root login remotely? [Y/n] y

Remove test database and access to it? [Y/n] y


Reload privilege tables now? [Y/n] y


4. Installing Apache


yum -y install httpd httpd-devel


Enable Apache at boot and start it:


# systemctl enable httpd

# systemctl start httpd


5. Installing PHP 7


# curl 'https://setup.ius.io/' -o setup-ius.sh

# bash setup-ius.sh

# yum remove php-cli mod_php php-common

# yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear


6. Installing daloRADIUS, the FreeRADIUS management interface

Change into the Apache document root and download the source:

# cd /var/www/html/

# wget https://github.com/lirantal/daloradius/archive/master.zip

# unzip master.zip

# mv daloradius-master/ daloradius

Alternatively, the 0.9-9 release tarball is available from SourceForge:

# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz

Change into the daloradius directory and import the daloradius database schema:

# cd daloradius

# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql 

# mysql -u root -p radius < contrib/db/mysql-daloradius.sql

Set the owner and group of the daloradius directory, and the permissions of daloradius.conf.php:

# chown -R apache:apache /var/www/html/daloradius/

# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

Configure the daloradius database connection: open daloradius.conf.php and set CONFIG_DB_USER, CONFIG_DB_PASS and CONFIG_DB_NAME.

# vi  /var/www/html/daloradius/library/daloradius.conf.php

Fill in the MySQL user, password and database name.

Restart the services:

# systemctl restart xl2tpd

# systemctl restart mysql


# systemctl restart httpd

# cp /usr/local/sbin/rc.radiusd /etc/init.d/radiusd

/etc/init.d/radiusd start


- Install php-pear


# yum install php-pear

# pear install DB

Log in to the web interface

Default username: administrator

Password: radius

http://ip-address/daloradius/login.php


After installation, users can be added in the web interface and used to log in to the VPN.
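The web interface ultimately writes rows into the radcheck, radreply and radusergroup tables created by schema.sql in section 3.3; the following added example (not part of the original post, and not daloRADIUS code) performs the onboarding and offboarding operations from the introduction directly against those tables. It uses an in-memory SQLite database with a constructed, reduced copy of the three tables as a stand-in for MySQL; the INSERT/SELECT/DELETE statements are the same ones you would run against the radius database (with %s placeholders in a MySQL driver). Cleartext-Password is stored because MS-CHAPv2 over L2TP/PPP needs the cleartext (or NT-hash) password on the server, and an Auth-Type := Reject check item is FreeRADIUS's standard way to block a user while keeping accounting history. Function names, the group name and the sample user are assumptions of this example.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed, reduced copy of the three FreeRADIUS tables that rlm_sql reads
# during authorization (schema.sql creates more columns and tables than this).
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
CREATE TABLE radreply (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
CREATE TABLE radusergroup (
    username  TEXT NOT NULL,
    groupname TEXT NOT NULL,
    priority  INTEGER NOT NULL DEFAULT 1
);
"""

CheckItem = Tuple[str, str, str]  # (attribute, op, value)


def open_db() -> sqlite3.Connection:
    """Open an in-memory database with the reduced schema (stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_vpn_user(conn: sqlite3.Connection, username: str, password: str,
                 group: str = "vpn-users", expiration: Optional[str] = None) -> None:
    """Onboarding: password check item, group membership and an optional expiry date.

    Cleartext-Password is needed because MS-CHAPv2 cannot verify a one-way hash.
    Expiration is evaluated by FreeRADIUS's expiration module; "23 Sep 2004" is
    the date format its documentation shows.
    """
    if not username or any(ch.isspace() or ch in "\"'" for ch in username):
        raise ValueError("username must be non-empty and contain no whitespace or quotes")
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        (username, "Cleartext-Password", ":=", password))
    if expiration:
        conn.execute(
            "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
            (username, "Expiration", ":=", expiration))
    conn.execute(
        "INSERT INTO radusergroup (username, groupname, priority) VALUES (?, ?, 1)",
        (username, group))
    conn.commit()


def disable_vpn_user(conn: sqlite3.Connection, username: str) -> None:
    """Offboarding without losing history: an Auth-Type := Reject check item makes
    every Access-Request for the user fail while radacct rows stay in place."""
    conn.execute("DELETE FROM radcheck WHERE username = ? AND attribute = 'Auth-Type'",
                 (username,))
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value) "
        "VALUES (?, 'Auth-Type', ':=', 'Reject')",
        (username,))
    conn.commit()


def check_items(conn: sqlite3.Connection, username: str) -> List[CheckItem]:
    """The rows rlm_sql's authorize_check_query returns: attribute, op, value, ordered by id."""
    cur = conn.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id",
        (username,))
    return [tuple(row) for row in cur.fetchall()]


def is_disabled(conn: sqlite3.Connection, username: str) -> bool:
    return ("Auth-Type", ":=", "Reject") in check_items(conn, username)


def delete_vpn_user(conn: sqlite3.Connection, username: str) -> int:
    """Remove all check, reply and group rows for a user; returns the number of rows deleted."""
    deleted = 0
    for table in ("radcheck", "radreply", "radusergroup"):  # fixed names, never user input
        deleted += conn.execute(f"DELETE FROM {table} WHERE username = ?", (username,)).rowcount
    conn.commit()
    return deleted


if __name__ == "__main__":
    db = open_db()
    add_vpn_user(db, "alice", "example-password", expiration="23 Dec 2019")
    print(check_items(db, "alice"))
    disable_vpn_user(db, "alice")
    print("disabled:", is_disabled(db, "alice"))
    print("rows removed:", delete_vpn_user(db, "alice"))
```

Disabling by check item rather than deleting keeps the user's radacct sessions available for later review, which matters when an account is being revoked because of a suspected incident; deletion is the right step only once the history is no longer needed.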




If, when connecting, /var/log/messages shows the following error:


rc_read_dictionary: invalid type on line 92 of dictionary /usr/local/etc/radiusclient/dictionary


replace the contents of dictionary with the following:


#

# Updated 97/06/13 to livingston-radius-2.01 miquels@cistron.nl

#

# This file contains dictionary translations for parsing

# requests and generating responses.  All transactions are

# composed of Attribute/Value Pairs.  The value of each attribute

# is specified as one of 4 data types.  Valid data types are:

#

# string - 0-253 octets

# ipaddr - 4 octets in network byte order

# integer - 32 bit value in big endian order (high byte first)

# date - 32 bit value in big endian order - seconds since

# 00:00:00 GMT,  Jan.  1,  1970

#

# Enumerated values are stored in the user file with dictionary

# VALUE translations for easy administration.

#

# Example:

#

# ATTRIBUTE   VALUE

# ---------------   -----

# Framed-Protocol = PPP

# 7 = 1 (integer encoding)

#



# The dictionary format now supports vendor-specific attributes.

# Vendors are introduced like this:

#

# VENDOR vendor_name vendor_number

#

# For example:

#

# VENDOR RoaringPenguin 10055

#

# Vendor-specific attributes have a fifth field with the name of the

# vendor.  For example:

#

#       ATTRIBUTE RP-Upstream-Speed-Limit 1 integer RoaringPenguin

#

# introduces a Roaring Penguin vendor-specific attribbute with name

# RP-Upstream-Speed-Limit, number 1, type integer and vendor RoaringPenguin.



#

# Following are the proper new names. Use these.

#

ATTRIBUTE User-Name 1 string

ATTRIBUTE Password 2 string

ATTRIBUTE CHAP-Password 3 string

ATTRIBUTE NAS-IP-Address 4 ipaddr

ATTRIBUTE NAS-Port-Id 5 integer

ATTRIBUTE Service-Type 6 integer

ATTRIBUTE Framed-Protocol 7 integer

ATTRIBUTE Framed-IP-Address 8 ipaddr

ATTRIBUTE Framed-IP-Netmask 9 ipaddr

ATTRIBUTE Framed-Routing 10 integer

ATTRIBUTE Filter-Id 11 string

ATTRIBUTE Framed-MTU 12 integer

ATTRIBUTE Framed-Compression 13 integer

ATTRIBUTE Login-IP-Host 14 ipaddr

ATTRIBUTE Login-Service 15 integer

ATTRIBUTE Login-TCP-Port 16 integer

ATTRIBUTE Reply-Message 18 string

ATTRIBUTE Callback-Number 19 string

ATTRIBUTE Callback-Id 20 string

ATTRIBUTE Framed-Route 22 string

ATTRIBUTE Framed-IPX-Network 23 ipaddr

ATTRIBUTE State 24 string

ATTRIBUTE Class 25 string

ATTRIBUTE Session-Timeout 27 integer

ATTRIBUTE Idle-Timeout 28 integer

ATTRIBUTE Termination-Action 29 integer

ATTRIBUTE Called-Station-Id 30 string

ATTRIBUTE Calling-Station-Id 31 string

ATTRIBUTE NAS-Identifier 32 string

ATTRIBUTE Acct-Status-Type 40 integer

ATTRIBUTE Acct-Delay-Time 41 integer

ATTRIBUTE Acct-Input-Octets 42 integer

ATTRIBUTE Acct-Output-Octets 43 integer

ATTRIBUTE Acct-Session-Id 44 string

ATTRIBUTE Acct-Authentic 45 integer

ATTRIBUTE Acct-Session-Time 46 integer

ATTRIBUTE Acct-Input-Packets 47 integer

ATTRIBUTE Acct-Output-Packets 48 integer

ATTRIBUTE Acct-Terminate-Cause 49 integer

ATTRIBUTE       Chap-Challenge          60      string

ATTRIBUTE NAS-Port-Type 61 integer

ATTRIBUTE Port-Limit 62 integer

ATTRIBUTE Connect-Info 77 string



# RFC 2869

ATTRIBUTE Acct-Interim-Interval 85 integer



#

# Experimental Non Protocol Attributes used by Cistron-Radiusd

#

ATTRIBUTE Huntgroup-Name 221 string

ATTRIBUTE User-Category 1029 string

ATTRIBUTE Group-Name 1030 string

ATTRIBUTE Simultaneous-Use 1034 integer

ATTRIBUTE Strip-User-Name 1035 integer

ATTRIBUTE Fall-Through 1036 integer

ATTRIBUTE Add-Port-To-IP-Address 1037 integer

ATTRIBUTE Exec-Program 1038 string

ATTRIBUTE Exec-Program-Wait 1039 string

ATTRIBUTE Hint 1040 string



#

# Non-Protocol Attributes

# These attributes are used internally by the server

#

ATTRIBUTE Expiration   21 date

ATTRIBUTE Auth-Type 1000 integer

ATTRIBUTE Menu 1001 string

ATTRIBUTE Termination-Menu 1002 string

ATTRIBUTE Prefix 1003 string

ATTRIBUTE Suffix 1004 string

ATTRIBUTE Group 1005 string

ATTRIBUTE Crypt-Password 1006 string

ATTRIBUTE Connect-Rate 1007 integer



#

#       Experimental, implementation specific attributes

#

# Limit session traffic

ATTRIBUTE Session-Octets-Limit 227 integer

# What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)

ATTRIBUTE Octets-Direction 228 integer



#

# Integer Translations

#



# User Types



VALUE Service-Type Login-User 1

VALUE Service-Type Framed-User 2

VALUE Service-Type Callback-Login-User 3

VALUE Service-Type Callback-Framed-User 4

VALUE Service-Type Outbound-User 5

VALUE Service-Type Administrative-User 6

VALUE Service-Type NAS-Prompt-User 7



# Framed Protocols



VALUE Framed-Protocol PPP 1

VALUE Framed-Protocol SLIP 2



# Framed Routing Values



VALUE Framed-Routing None 0

VALUE Framed-Routing Broadcast 1

VALUE Framed-Routing Listen 2

VALUE Framed-Routing Broadcast-Listen 3



# Framed Compression Types



VALUE Framed-Compression None 0

VALUE Framed-Compression Van-Jacobson-TCP-IP 1



# Login Services



VALUE Login-Service Telnet 0

VALUE Login-Service Rlogin 1

VALUE Login-Service TCP-Clear 2

VALUE Login-Service PortMaster 3



# Status Types



VALUE Acct-Status-Type Start 1

VALUE Acct-Status-Type Stop 2

VALUE Acct-Status-Type Accounting-On 7

VALUE Acct-Status-Type Accounting-Off 8



# Authentication Types



VALUE Acct-Authentic RADIUS 1

VALUE Acct-Authentic Local 2

VALUE Acct-Authentic PowerLink128 100



# Termination Options



VALUE Termination-Action Default 0

VALUE Termination-Action RADIUS-Request 1



# NAS Port Types, available in 3.3.1 and later



VALUE NAS-Port-Type Async 0

VALUE NAS-Port-Type Sync 1

VALUE NAS-Port-Type ISDN 2

VALUE NAS-Port-Type ISDN-V120 3

VALUE NAS-Port-Type ISDN-V110 4



# Acct Terminate Causes, available in 3.3.2 and later



VALUE           Acct-Terminate-Cause    User-Request            1

VALUE           Acct-Terminate-Cause    Lost-Carrier            2

VALUE           Acct-Terminate-Cause    Lost-Service            3

VALUE           Acct-Terminate-Cause    Idle-Timeout            4

VALUE           Acct-Terminate-Cause    Session-Timeout         5

VALUE           Acct-Terminate-Cause    Admin-Reset             6

VALUE           Acct-Terminate-Cause    Admin-Reboot            7

VALUE           Acct-Terminate-Cause    Port-Error              8

VALUE           Acct-Terminate-Cause    NAS-Error               9

VALUE           Acct-Terminate-Cause    NAS-Request             10

VALUE           Acct-Terminate-Cause    NAS-Reboot              11

VALUE           Acct-Terminate-Cause    Port-Unneeded           12

VALUE           Acct-Terminate-Cause    Port-Preempted          13

VALUE           Acct-Terminate-Cause    Port-Suspended          14

VALUE           Acct-Terminate-Cause    Service-Unavailable     15

VALUE           Acct-Terminate-Cause    Callback                16

VALUE           Acct-Terminate-Cause    User-Error              17

VALUE           Acct-Terminate-Cause    Host-Request            18



#

# Non-Protocol Integer Translations

#



VALUE Auth-Type Local 0

VALUE Auth-Type System 1

VALUE Auth-Type SecurID 2

VALUE Auth-Type Crypt-Local 3

VALUE Auth-Type Reject 4



#

# Cistron extensions

#

VALUE Auth-Type Pam 253

VALUE Auth-Type None 254



#

# Experimental Non-Protocol Integer Translations for Cistron-Radiusd

#

VALUE Fall-Through No 0

VALUE Fall-Through Yes 1

VALUE Add-Port-To-IP-Address No 0

VALUE Add-Port-To-IP-Address Yes 1



#

# Configuration Values

# uncomment these two lines to turn account expiration on

#



#VALUE Server-Config Password-Expiration 30

#VALUE Server-Config Password-Warning 5



#       Octets-Direction

VALUE Octets-Direction        Sum 0

VALUE Octets-Direction        Input 1

VALUE Octets-Direction        Output 2

VALUE Octets-Direction        MaxOveral 3

VALUE Octets-Direction        MaxSession 4



INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft

INCLUDE /usr/local/etc/radiusclient/dictionary.ascend

INCLUDE /usr/local/etc/radiusclient/dictionary.compat

INCLUDE /usr/local/etc/radiusclient/dictionary.merit



If the log shows the following error:


rc_read_dictionary: invalid type on line 11 of dictionary /usr/local/etc/radiusclient/dictionary.microsoft


replace the contents of dictionary.microsoft with the following:


#

# Microsoft's VSA's, from RFC 2548

#

# $Id: dictionary.microsoft,v 1.1 2004/11/14 07:26:26 paulus Exp $

#



VENDOR Microsoft 311 Microsoft



ATTRIBUTE MS-CHAP-Response 1 string Microsoft

ATTRIBUTE MS-CHAP-Error 2 string Microsoft

ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft

ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft

ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft

ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft

ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft

# This is referred to as both singular and plural in the RFC.

# Plural seems to make more sense.

ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft

ATTRIBUTE MS-MPPE-Encryption-Types  8 string Microsoft

ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft

ATTRIBUTE MS-CHAP-Domain 10 string Microsoft

ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft

ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft

ATTRIBUTE MS-BAP-Usage 13 integer Microsoft

ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft

ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft

ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft

ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft

ATTRIBUTE MS-RAS-Version 18 string Microsoft

ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft

ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft

ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft



ATTRIBUTE MS-Filter 22 string Microsoft

ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft

ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft



ATTRIBUTE MS-CHAP2-Response 25 string Microsoft

ATTRIBUTE MS-CHAP2-Success 26 string Microsoft

ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft



ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft

ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft

ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft

ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft



#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft





#

# Integer Translations

#



# MS-BAP-Usage Values



VALUE MS-BAP-Usage Not-Allowed 0

VALUE MS-BAP-Usage Allowed 1

VALUE MS-BAP-Usage Required 2



# MS-ARAP-Password-Change-Reason Values



VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1

VALUE MS-ARAP-PW-Change-Reason Expired-Password 2

VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3

VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4



# MS-Acct-Auth-Type Values



VALUE MS-Acct-Auth-Type PAP 1

VALUE MS-Acct-Auth-Type CHAP 2

VALUE MS-Acct-Auth-Type MS-CHAP-1 3

VALUE MS-Acct-Auth-Type MS-CHAP-2 4

VALUE MS-Acct-Auth-Type EAP 5



# MS-Acct-EAP-Type Values



VALUE MS-Acct-EAP-Type MD5 4

VALUE MS-Acct-EAP-Type OTP 5

VALUE MS-Acct-EAP-Type Generic-Token-Card 6

VALUE MS-Acct-EAP-Type TLS 13
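Both "invalid type on line N" errors above come from the dictionary reader in pppd's radius plugin, which accepts only the four attribute types named in the header comment of the replacement file (string, ipaddr, integer, date). The following added example (not part of the original post, not pppd or FreeRADIUS code) is a small checker for that dictionary format: it reports each offending line with the same numbering as the log message, so a file can be validated before xl2tpd is restarted. The sample inputs are constructed for the example; INCLUDE lines are listed but not followed, so each included file is checked on its own.

```python
import sys
from typing import Dict, List, Set, Tuple

# The four attribute types the replacement dictionaries above use (the file's own
# header comment: "specified as one of 4 data types").  Anything else is reported
# the way rc_read_dictionary reports it in /var/log/messages.
SUPPORTED_TYPES = {"string", "ipaddr", "integer", "date"}


def check_dictionary(text: str, name: str = "dictionary") -> Tuple[Dict[str, str], List[str]]:
    """Parse radiusclient dictionary text line by line.

    Returns (attributes, problems): attributes maps each well-formed ATTRIBUTE
    name to its type; problems holds one message per bad line.  INCLUDE lines
    are not followed, so a VALUE for an attribute that lives in an included
    file is reported as unknown here.
    """
    attributes: Dict[str, str] = {}
    vendors: Set[str] = set()
    problems: List[str] = []

    def problem(what: str, lineno: int) -> None:
        problems.append(f"{what} on line {lineno} of dictionary {name}")

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()                    # tabs and runs of spaces both separate fields
        keyword = fields[0].upper()

        if keyword == "ATTRIBUTE":               # ATTRIBUTE name number type [vendor]
            if len(fields) not in (4, 5):
                problem("malformed ATTRIBUTE", lineno)
            elif not fields[2].isdigit():
                problem("invalid attribute number", lineno)
            elif fields[3] not in SUPPORTED_TYPES:
                problem("invalid type", lineno)
            elif len(fields) == 5 and fields[4] not in vendors:
                problem("unknown vendor", lineno)
            else:
                attributes[fields[1]] = fields[3]
        elif keyword == "VALUE":                 # VALUE attribute name number
            if len(fields) != 4 or not fields[3].isdigit():
                problem("malformed VALUE", lineno)
            elif fields[1] not in attributes:
                problem("VALUE for unknown attribute", lineno)
            elif attributes[fields[1]] != "integer":
                problem("VALUE for non-integer attribute", lineno)
        elif keyword == "VENDOR":                # VENDOR name number (extra fields ignored)
            if len(fields) < 3 or not fields[2].isdigit():
                problem("malformed VENDOR", lineno)
            else:
                vendors.add(fields[1])
        elif keyword == "INCLUDE":               # INCLUDE path
            if len(fields) != 2:
                problem("malformed INCLUDE", lineno)
        else:
            problem("unknown keyword", lineno)
    return attributes, problems


def check_dictionary_file(path: str) -> List[str]:
    """Check a dictionary on disk, e.g. /usr/local/etc/radiusclient/dictionary."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_dictionary(fh.read(), path)[1]


# Constructed samples in the format of the files above (not taken from any real install).
SAMPLE_OK = """\
# constructed: a few lines in the same format as the dictionaries on this page
VENDOR Microsoft 311
ATTRIBUTE User-Name 1 string
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE\tMS-Primary-DNS-Server\t28\tipaddr\tMicrosoft
VALUE Framed-Protocol PPP 1
INCLUDE /usr/local/etc/radiusclient/dictionary.merit
"""

# Two attribute types from newer RADIUS dictionaries that this reader does not know,
# plus a VALUE attached to a string attribute.
SAMPLE_BAD = """\
ATTRIBUTE User-Name 1 string
ATTRIBUTE NAS-IPv6-Address 95 ipv6addr
ATTRIBUTE Framed-Interface-Id 96 ifid
VALUE User-Name Nobody 1
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for sample in (SAMPLE_OK, SAMPLE_BAD):
            print(check_dictionary(sample, "sample")[1] or ["no problems"])
    for path in paths:
        print("\n".join(check_dictionary_file(path) or [f"{path}: no problems"]))
```

Run it with the dictionary paths as arguments (python3 check_dict.py /usr/local/etc/radiusclient/dictionary /usr/local/etc/radiusclient/dictionary.microsoft) to see every line the plugin would refuse, instead of fixing one reported line at a time and restarting.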



--------------------- 

Author: LibertyFly

Source: CSDN

Original: https://blog.csdn.net/sky835202/article/details/80651700

Copyright notice: this is the blogger's original article; include a link to the post when reposting.



Link to this post: https://www.kinber.cn/post/841.html (reposting requires permission)
