vpn默认需要在配置文件里面添加用户密码,如果用户离职啊,新员工入职等情形,对一些不懂技术的管理人员,去修改配置文件,显然不太合理。所以,需要一套非技术人员也能操作的web管理系统来管理用户。
工具介绍:
freeradius一般用来进行账户认证管理,记账管理,常见的电信运营商的宽带账户,上网账户管理,记账,都是使用的radius服务器进行鉴权记账的。
Freeradius包含一个radius服务器和radius-client,可以对支持radius协议的网络设备进行鉴权记账,常见的开源路由器操作系统:如Openwrt,DD-wrt等,都支持radius协议,对PPPOE,热点,VPN等服务器进行账户管理认证,记账。
freeradius功能十分强大,支持众多的数据库。
Freeradius操作稍显麻烦,内置diaup_admin简单web管理,需要更简单易用的管理功能可以使用第三方的管理程序对Freeradius进行账户管理,系统配置等。
daloRADIUS是高级的RADIUS页面管理应用目的是对于hotspots和ISP的部署进行管理。同时还提供了用户管理,图形化的报告、报表引擎以及于google地图的集成。
本文以l2tp为例,其他类似。
前提:
安装好vpn,mysql
安装步骤:
在开始安装之前,建议关闭SELinux或将其设置为disabled,最好建议永久关闭SELinux
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
临时关闭 setenforce 0
一、FreeRADIUS 服务端安装
1.1 下载、编译、安装
wget -c ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.17.tar.gz
tar zxf freeradius-server-3.0.17.tar.gz
cd freeradius-server-3.0.17
./configure
make && make install
一般安装过程中提示缺少libtalloc 库,需要安装talloc-2.1.7.tar.gz
先从 https://www.samba.org/ftp/talloc/talloc-2.1.13.tar.gz 下载 talloc-2.1.13.tar.gz 然后安装.
1.2 测试是否安装成功
vi /usr/local/etc/raddb/users
在第一行添加
steve Cleartext-Password := "testing"
退出后命令行执行 radiusd -X
另外一个窗口执行radtest steve testing localhost 0 testing123
看到 "Access-Accept packet" 表示成功了,"Access-Reject" 表示失败了。
成功后去掉上面的那一行配置。
备注:服务端如果编译安装不通过,也可以通过yum安装.
yum -y install freeradius freeradius-utils freeradius-mysql
1.3 配置radius
cd /usr/local/etc/raddb/sites-enabled
vi default
将authorize {}下的sql去掉注释,并且将file注释掉。
cd /usr/local/etc/raddb/mods-available
vi sql
找到driver = “rlm_sql_null”这一行,修改为driver = “rlm_sql_mysql”。保持并退出。
去掉注释,设置用户名和密码等信息
修改 FreeRADIUS中的mysql 认证配置
执行如下命令:
cd /etc/raddb/mods-enabled
ln -s ../mods-available/sql
二、FreeRADIUS 客户端安装与配置
2.1 编译与安装
wget -c ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.7.tar.gz
tar -zxf freeradius-client-1.1.7.tar.gz
cd freeradius-client-1.1.7
./configure
make && make install
2.2 设置通信密码
vi /usr/local/etc/radiusclient/servers
添加一行
localhost testing123
2.3 增加字典
wget -c http://small-script.googlecode.com/files/dictionary.microsoft
mv ./dictionary.microsoft /usr/local/etc/radiusclient/
vi /usr/local/etc/radiusclient/dictionary
最后添加
INCLUDE /usr/local/etc/radiusclient/dictionary.sip
INCLUDE /usr/local/etc/radiusclient/dictionary.ascend
INCLUDE /usr/local/etc/radiusclient/dictionary.merit
INCLUDE /usr/local/etc/radiusclient/dictionary.compat
INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft
2.4增加ppp插件配置
vi /etc/ppp/options.xl2tpd
最后添加
plugin /usr/lib64/pppd/2.4.5/radius.so
plugin /usr/lib64/pppd/2.4.5/radattr.so
radius-config-file /usr/local/etc/radiusclient/radiusclient.conf
pppd的radius.so根据路径配置,如果没有搜到,安装一下pppd
三 配置mysql
3.1 创建radius库
#mysql -uroot -p
mysql>create database radius;
3.2 创建radius用户
mysql>grant all on radius.* to radius@localhost identified by 'radius';
mysql>flush privileges;
3.3 导入sql文件
#cd /usr/local/etc/raddb/mods-config/sql/main/mysql
#mysql -u radius -p radius<schema.sql
3.4 初始设置MySQL,设置root密码,出于安全考虑,考虑删除匿名用户和禁用远程根登录,参见下面的示例配置。
# mysql_secure_installation
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
四. 安装apache
yum -y install httpd httpd-devel
设置开机启动和启动Apache服务
# systemctl enable httpd
# systemctl start httpd
五. 安装php7
# curl 'https://setup.ius.io/' -o setup-ius.sh
# bash setup-ius.sh
# yum remove php-cli mod_php php-common
# yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear
六 安装FreeRADIUS管理界面Daloradius
进入Apache网站根目录,下载源文件
# cd /var/www/html/
# wget https://github.com/lirantal/daloradius/archive/master.zip
# unzip master.zip
# mv daloradius-master/ daloradius
# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
# unzip master.zip
# mv daloradius-master/ daloradius
进入daloradius目录,导入daloradius数据库
# cd daloradius
# mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# mysql -u root -p radius < contrib/db/mysql-daloradius.sql
设置daloradius目录用户组和用户,设置daloradius.conf.php权限
# chown -R apache:apache /var/www/html/daloradius/
# chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
设置daloradius数据库连接信息,打开daloradius.conf.php文件,修改CONFIG_DB_USER,CONFIG_DB_PASS,CONFIG_DB_NAME。
# vi /var/www/html/daloradius/library/daloradius.conf.php
填入mysql的用户密码和数据库名称
重启服务
# systemctl restart xl2tpd
# systemctl restart mysql
# systemctl restart httpd
# cp /usr/local/sbin/rc.radiusd /etc/init.d/radiusd
/etc/init.d/radiusd start
- 安装php-pear
# yum install php-pear
# pear install DB
登录web界面
默认用户名: administrator
密码: radius
http://ip-address/daloradius/login.php
安装后可以在界面进行添加用户,用添加的用户登陆vpn
如果连接时后台/var/log/messages如下错误:
rc_read_dictionary: invalid type on line 92 of dictionary /usr/local/etc/radiusclient/dictionary
将dictionary内容替换如下:
#
# Updated 97/06/13 to livingston-radius-2.01 miquels@cistron.nl
#
# This file contains dictionary translations for parsing
# requests and generating responses. All transactions are
# composed of Attribute/Value Pairs. The value of each attribute
# is specified as one of 4 data types. Valid data types are:
#
# string - 0-253 octets
# ipaddr - 4 octets in network byte order
# integer - 32 bit value in big endian order (high byte first)
# date - 32 bit value in big endian order - seconds since
# 00:00:00 GMT, Jan. 1, 1970
#
# Enumerated values are stored in the user file with dictionary
# VALUE translations for easy administration.
#
# Example:
#
# ATTRIBUTE VALUE
# --------------- -----
# Framed-Protocol = PPP
# 7 = 1 (integer encoding)
#
# The dictionary format now supports vendor-specific attributes.
# Vendors are introduced like this:
#
# VENDOR vendor_name vendor_number
#
# For example:
#
# VENDOR RoaringPenguin 10055
#
# Vendor-specific attributes have a fifth field with the name of the
# vendor. For example:
#
# ATTRIBUTE RP-Upstream-Speed-Limit 1 integer RoaringPenguin
#
# introduces a Roaring Penguin vendor-specific attribbute with name
# RP-Upstream-Speed-Limit, number 1, type integer and vendor RoaringPenguin.
#
# Following are the proper new names. Use these.
#
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port-Id 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Framed-IP-Netmask 9 ipaddr
ATTRIBUTE Framed-Routing 10 integer
ATTRIBUTE Filter-Id 11 string
ATTRIBUTE Framed-MTU 12 integer
ATTRIBUTE Framed-Compression 13 integer
ATTRIBUTE Login-IP-Host 14 ipaddr
ATTRIBUTE Login-Service 15 integer
ATTRIBUTE Login-TCP-Port 16 integer
ATTRIBUTE Reply-Message 18 string
ATTRIBUTE Callback-Number 19 string
ATTRIBUTE Callback-Id 20 string
ATTRIBUTE Framed-Route 22 string
ATTRIBUTE Framed-IPX-Network 23 ipaddr
ATTRIBUTE State 24 string
ATTRIBUTE Class 25 string
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Idle-Timeout 28 integer
ATTRIBUTE Termination-Action 29 integer
ATTRIBUTE Called-Station-Id 30 string
ATTRIBUTE Calling-Station-Id 31 string
ATTRIBUTE NAS-Identifier 32 string
ATTRIBUTE Acct-Status-Type 40 integer
ATTRIBUTE Acct-Delay-Time 41 integer
ATTRIBUTE Acct-Input-Octets 42 integer
ATTRIBUTE Acct-Output-Octets 43 integer
ATTRIBUTE Acct-Session-Id 44 string
ATTRIBUTE Acct-Authentic 45 integer
ATTRIBUTE Acct-Session-Time 46 integer
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
ATTRIBUTE Acct-Terminate-Cause 49 integer
ATTRIBUTE Chap-Challenge 60 string
ATTRIBUTE NAS-Port-Type 61 integer
ATTRIBUTE Port-Limit 62 integer
ATTRIBUTE Connect-Info 77 string
# RFC 2869
ATTRIBUTE Acct-Interim-Interval 85 integer
#
# Experimental Non Protocol Attributes used by Cistron-Radiusd
#
ATTRIBUTE Huntgroup-Name 221 string
ATTRIBUTE User-Category 1029 string
ATTRIBUTE Group-Name 1030 string
ATTRIBUTE Simultaneous-Use 1034 integer
ATTRIBUTE Strip-User-Name 1035 integer
ATTRIBUTE Fall-Through 1036 integer
ATTRIBUTE Add-Port-To-IP-Address 1037 integer
ATTRIBUTE Exec-Program 1038 string
ATTRIBUTE Exec-Program-Wait 1039 string
ATTRIBUTE Hint 1040 string
#
# Non-Protocol Attributes
# These attributes are used internally by the server
#
ATTRIBUTE Expiration 21 date
ATTRIBUTE Auth-Type 1000 integer
ATTRIBUTE Menu 1001 string
ATTRIBUTE Termination-Menu 1002 string
ATTRIBUTE Prefix 1003 string
ATTRIBUTE Suffix 1004 string
ATTRIBUTE Group 1005 string
ATTRIBUTE Crypt-Password 1006 string
ATTRIBUTE Connect-Rate 1007 integer
#
# Experimental, implementation specific attributes
#
# Limit session traffic
ATTRIBUTE Session-Octets-Limit 227 integer
# What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
ATTRIBUTE Octets-Direction 228 integer
#
# Integer Translations
#
# User Types
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
VALUE Service-Type Callback-Framed-User 4
VALUE Service-Type Outbound-User 5
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt-User 7
# Framed Protocols
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
# Framed Routing Values
VALUE Framed-Routing None 0
VALUE Framed-Routing Broadcast 1
VALUE Framed-Routing Listen 2
VALUE Framed-Routing Broadcast-Listen 3
# Framed Compression Types
VALUE Framed-Compression None 0
VALUE Framed-Compression Van-Jacobson-TCP-IP 1
# Login Services
VALUE Login-Service Telnet 0
VALUE Login-Service Rlogin 1
VALUE Login-Service TCP-Clear 2
VALUE Login-Service PortMaster 3
# Status Types
VALUE Acct-Status-Type Start 1
VALUE Acct-Status-Type Stop 2
VALUE Acct-Status-Type Accounting-On 7
VALUE Acct-Status-Type Accounting-Off 8
# Authentication Types
VALUE Acct-Authentic RADIUS 1
VALUE Acct-Authentic Local 2
VALUE Acct-Authentic PowerLink128 100
# Termination Options
VALUE Termination-Action Default 0
VALUE Termination-Action RADIUS-Request 1
# NAS Port Types, available in 3.3.1 and later
VALUE NAS-Port-Type Async 0
VALUE NAS-Port-Type Sync 1
VALUE NAS-Port-Type ISDN 2
VALUE NAS-Port-Type ISDN-V120 3
VALUE NAS-Port-Type ISDN-V110 4
# Acct Terminate Causes, available in 3.3.2 and later
VALUE Acct-Terminate-Cause User-Request 1
VALUE Acct-Terminate-Cause Lost-Carrier 2
VALUE Acct-Terminate-Cause Lost-Service 3
VALUE Acct-Terminate-Cause Idle-Timeout 4
VALUE Acct-Terminate-Cause Session-Timeout 5
VALUE Acct-Terminate-Cause Admin-Reset 6
VALUE Acct-Terminate-Cause Admin-Reboot 7
VALUE Acct-Terminate-Cause Port-Error 8
VALUE Acct-Terminate-Cause NAS-Error 9
VALUE Acct-Terminate-Cause NAS-Request 10
VALUE Acct-Terminate-Cause NAS-Reboot 11
VALUE Acct-Terminate-Cause Port-Unneeded 12
VALUE Acct-Terminate-Cause Port-Preempted 13
VALUE Acct-Terminate-Cause Port-Suspended 14
VALUE Acct-Terminate-Cause Service-Unavailable 15
VALUE Acct-Terminate-Cause Callback 16
VALUE Acct-Terminate-Cause User-Error 17
VALUE Acct-Terminate-Cause Host-Request 18
#
# Non-Protocol Integer Translations
#
VALUE Auth-Type Local 0
VALUE Auth-Type System 1
VALUE Auth-Type SecurID 2
VALUE Auth-Type Crypt-Local 3
VALUE Auth-Type Reject 4
#
# Cistron extensions
#
VALUE Auth-Type Pam 253
VALUE Auth-Type None 254
#
# Experimental Non-Protocol Integer Translations for Cistron-Radiusd
#
VALUE Fall-Through No 0
VALUE Fall-Through Yes 1
VALUE Add-Port-To-IP-Address No 0
VALUE Add-Port-To-IP-Address Yes 1
#
# Configuration Values
# uncomment these two lines to turn account expiration on
#
#VALUE Server-Config Password-Expiration 30
#VALUE Server-Config Password-Warning 5
# Octets-Direction
VALUE Octets-Direction Sum 0
VALUE Octets-Direction Input 1
VALUE Octets-Direction Output 2
VALUE Octets-Direction MaxOveral 3
VALUE Octets-Direction MaxSession 4
INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft
INCLUDE /usr/local/etc/radiusclient/dictionary.ascend
INCLUDE /usr/local/etc/radiusclient/dictionary.compat
INCLUDE /usr/local/etc/radiusclient/dictionary.merit
如果后台报如下错误:
rc_read_dictionary: invalid type on line 11 of dictionary /usr/local/etc/radiusclient/dictionary.microsoft
将dictionary.microsoft内容替换如下:
#
# Microsoft's VSA's, from RFC 2548
#
# $Id: dictionary.microsoft,v 1.1 2004/11/14 07:26:26 paulus Exp $
#
VENDOR Microsoft 311 Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
#
# Integer Translations
#
# MS-BAP-Usage Values
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
# MS-ARAP-Password-Change-Reason Values
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
# MS-Acct-Auth-Type Values
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
# MS-Acct-EAP-Type Values
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13
---------------------
作者:LibertyFly
来源:CSDN
原文:https://blog.csdn.net/sky835202/article/details/80651700
版权声明:本文为博主原创文章,转载请附上博文链接!
本文链接:https://www.kinber.cn/post/841.html 转载需授权!
推荐本站淘宝优惠价购买喜欢的宝贝: