架设基于FreeRadius带有认证计费功能的Openvpn Server
在尝试配置的过程中,发现目前互联网上几乎没有关于此项目的中英文资料,只有少许求助信息,但是完成这个项目的软件资源却很丰富:OpenVPN 与 FreeRadius 协同工作的插件已经有现成的实现。一种是 OpenVPN 通过 PAM 挂接 pam_radius(下文简称 PAM-Radius),另一种是托管在 nongnu.org 的 radiusplugin。这两者的不同之处是,PAM-Radius 仅有认证功能,不能向 FreeRadius 服务器发送计费报文。
这里我使用的是 radiusplugin 模块,因为此模块可以向 FreeRadius 服务器发送计费报文,从而实现计费功能。测试环境是一台安装 Redhat Linux AS4 操作系统的主机,安装操作系统时为了省事我选择了安装所有软件包(注意:生产环境的 VPN 网关应只安装必需的软件包,以减少攻击面和需要打补丁的范围)。
以下为具体的安装及配置方法:
一.为了使 openvpn 服务器支持 lzo 压缩(注意:lzo 是压缩算法,不是加密;压缩并非必需,且在加密隧道内对数据压缩可能带来信息泄露风险,不需要时可以不启用),我们首先要安装 lzo
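# 1. Build and install LZO (the compression library behind OpenVPN's comp-lzo; it is
#    NOT encryption). lzo-2.00 is very old: prefer the distribution package or the
#    current upstream release, and verify the tarball against the project's published
#    checksum/signature before building -- it is fetched here over plain HTTP.
#    Fixes vs. the original: mkdir needs -p (the parent /usr/local/lzo does not exist),
#    "&&/" and "/" are not shell continuations (must be "&& \" / "\"), the configure
#    options had a space after "=" and --libdir was missing its leading slash.
mkdir -p /usr/local/lzo/lib /usr/local/lzo/include && \
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.00.tar.gz && \
tar zxvf lzo-2.00.tar.gz && \
cd lzo-2.00 && \
./configure --prefix=/usr/local/lzo --includedir=/usr/local/lzo/include \
    --libdir=/usr/local/lzo/lib --enable-shared && \
make && \
make check && \
make test && \
make install && \
cd .. && \
rm -rf ./lzo-2.00 ./lzo-2.00.tar.gz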
二.安装openvpn
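# 2. Build and install OpenVPN.
#    OpenVPN 2.0.9 is long end-of-life and unpatched; use a maintained release and
#    verify the tarball's GPG signature/checksum (it is fetched over plain HTTP here).
#    Fixes vs. the original: "&& \" continuations, --with-lzo-lib missing its leading
#    slash and containing a space, and the "/e ct" / "/ect" typos for /etc.
#    easy-rsa will hold the CA private key and server key, so the copied tree is
#    made root-only right away.
wget http://openvpn.net/release/openvpn-2.0.9.tar.gz && \
tar zxvf openvpn-2.0.9.tar.gz && \
mv openvpn-2.0.9 openvpn && \
cd openvpn && \
./configure --with-lzo-headers=/usr/local/lzo/include \
    --with-lzo-lib=/usr/local/lzo/lib && \
make && \
make install && \
mkdir -p /etc/openvpn && \
cp -Rf easy-rsa /etc/openvpn/conf && \
chmod -R go-rwx /etc/openvpn/conf && \
cd .. && \
rm -rf openvpn openvpn-2.0.9.tar.gz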
三.安装radiusplugin
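# 3. Build radiusplugin, the OpenVPN plugin that sends RADIUS authentication AND
#    accounting packets. Fetched over plain HTTP with no checksum: verify it against
#    the project's published checksum before compiling.
#    Fixes vs. the original: "&& \" continuations, an en-dash instead of "-o",
#    -fPIC (required to link a shared object on x86_64), and the final cleanup
#    removed "open*" instead of the radiusplugin sources.
#    The copied config holds the RADIUS server address and shared secret, so it is
#    restricted to root before anything else can read it.
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.0.tar.gz && \
tar zxvf radiusplugin_v2.0.tar.gz && \
cd radiusplugin_v2.0 && \
g++ -Wall -fPIC -I/usr/local/include -L/usr/local/lib -shared -o \
    radiusplugin.so AccountingProcess.cpp Exception.cpp \
    PluginContext.cpp UserAuth.cpp AcctScheduler.cpp \
    IpcSocket.cpp radiusplugin.cpp User.cpp \
    AuthenticationProcess.cpp main.cpp UserAcct.cpp \
    UserPlugin.cpp Config.cpp RadiusClass/RadiusAttribute.cpp \
    RadiusClass/RadiusPacket.cpp RadiusClass/RadiusConfig.cpp \
    RadiusClass/RadiusServer.cpp RadiusClass/RadiusVendorSpecificAttribute.cpp \
    -lgcrypt -lgpg-error -lstdc++ -lm && \
cp radiusplugin.cnf /etc/openvpn/server.cnf && \
chmod 600 /etc/openvpn/server.cnf && \
cp radiusplugin.so /etc/openvpn/ && \
cd .. && \
rm -rf radiusplugin_v2.0 radiusplugin_v2.0.tar.gz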
配置 FreeRadius 与 MySQL 服务器的连接、账号等
虽然 AS4 系统已经默认安装了 FreeRadius(版本 1.0.1),但是因为我在安装目录中没有找到初始化 MySQL 数据库的脚本,所以还是需要下载 FreeRadius 的源码包,使用源码包中的脚本创建数据库。注意源码包的版本应与已安装的 radiusd 版本一致(下文实际下载的是 1.1.0),否则建出的表结构可能与 rlm_sql 的查询不匹配。
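# Start MySQL at boot. The original line ran "chkconfig --level 3456 mysql off",
# which (a) names the wrong service -- on AS4 it is "mysqld" -- and (b) turns it OFF,
# the opposite of what the comment says; run level 6 is reboot and is not enabled.
chkconfig --level 345 mysqld on
# Start the service now.
service mysqld start
# Change the root password and create the radius database. Let the client prompt
# for the password: a password given as "-pXXX" is visible to every local user via
# ps and is kept in the shell history.
mysql -uroot -p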
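-- Run inside the mysql client started above ("creat" was a typo; quotes must be
-- plain ASCII, not typographic).
CREATE DATABASE radius;
USE mysql;
-- Set the root password (direct edits of mysql.user only take effect after FLUSH PRIVILEGES).
UPDATE user SET password = PASSWORD('yourpassword') WHERE user = 'root';
-- The original then ran "UPDATE user SET host='%' WHERE user='root'" to allow remote
-- connections. Do NOT do that: it exposes the database superuser to every host that
-- can reach port 3306. FreeRadius only needs to read/write the radius database, so
-- give it its own least-privilege account instead. Replace 'localhost' with the
-- RADIUS server's address (not '%') if MySQL runs on a different host.
GRANT SELECT, INSERT, UPDATE, DELETE ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radiuspasswd';
FLUSH PRIVILEGES;
-- Leave the client and restart the service.
quit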
# Restart so the changed privilege tables are reloaded.
service mysqld restart
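# Download the FreeRadius source and load its MySQL schema into the radius database.
# The schema must come from the SAME version as the installed radiusd (the text above
# mentions 1.0.1, this fetches 1.1.0); a mismatched table layout breaks rlm_sql.
# Fetched over plain FTP with no integrity check: verify the tarball against the
# project's published checksum before use.
# Fixes vs. the original: "Wget" capitalised, "cd" into the tarball instead of the
# extracted directory, a garbled "< radius /" redirection, and the root password on
# the command line (visible in ps / shell history) -- let mysql prompt for it.
wget ftp://ftp.freeradius.org/pub/radius/old/freeradius-1.1.0.tar.gz && \
tar zxvf freeradius-1.1.0.tar.gz && \
cd freeradius-1.1.0 && \
mysql -uroot -p -h 127.0.0.1 radius \
    < ./src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql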
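# Open the radius database to add a test account. The password is prompted for
# rather than passed as "-pXXX" (which leaks it to ps and the shell history).
mysql -uroot -p radius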
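-- Fixes vs. the original: the column is named `value` (the original used `values`,
-- a reserved word that does not exist in db_mysql.sql, so every INSERT failed);
-- typographic quotes replaced by ASCII quotes; a missing semicolon; and the group
-- was called 'user' in the attribute rows but 'vpnuser' in usergroup, so the group
-- attributes never applied to the test account.

-- Auth-Type is a control/check item, so it belongs in radgroupcheck, not in the
-- reply table (reply rows are sent back to the NAS, where Auth-Type means nothing).
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES ('vpnuser', 'Auth-Type', ':=', 'Local');
-- Reply items returned to the OpenVPN server for every member of the group.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('vpnuser', 'Service-Type', ':=', 'Framed-User');
-- Framed-IP-Address / Framed-IP-Netmask as GROUP replies would hand the same address
-- to every member (and 10.8.0.0 is the network address itself). Assign per-user
-- addresses in radreply, or omit them and let OpenVPN allocate from its own pool.
-- INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('vpnuser', 'Framed-IP-Address', ':=', '10.8.0.0');
-- INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('vpnuser', 'Framed-IP-Netmask', ':=', '255.255.255.252');

-- Test account. User-Password here is stored in CLEARTEXT; CHAP/MS-CHAP cannot
-- work from a hash, so if only PAP is used, store a crypt(3) hash as Crypt-Password
-- instead. Delete this account before going live and make sure radcheck is readable
-- only by the database account FreeRadius uses.
INSERT INTO radcheck (username, attribute, op, value) VALUES ('test', 'User-Password', ':=', 'vpntest');
-- Put the test account into the group; the name must match the rows above.
INSERT INTO usergroup (username, groupname) VALUES ('test', 'vpnuser');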
# 配置FreeRadius及FreeRadius与Mysql联接
#这儿为了省事只将测试成功的配置文件粘贴出来,实现了同一个时间只有一个用户登录,以及三分钟内收不到 NAS(这里即运行 radiusplugin 的 OpenVPN 服务器)发出的计费报文,就视用户为离线并结束计费。(这个三分钟超时值并不在下面粘贴的片段里,应来自 radiusplugin 或 sql.conf 中的计费间隔/超时设置。)
#这种配置下存在一个问题,就是正常离线的用户也需要等三分钟后才能重新连接,目前还没有找到解决办法。(可能的原因是在线会话记录只在收到 Accounting-Stop 或超时后才被清除;可先确认 radiusplugin 在客户端断开时是否发出了 Accounting-Stop,以及 radacct 中的 acctstoptime 是否被正确写入。)
-----------------------cut-------------------------------------
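# radiusd.conf -- global settings (FreeRadius 1.x).
# Change vs. the original: log_auth is switched on so that every accept/reject is
# written to radius.log. Without it there is no audit trail of failed logins, i.e. no
# way to spot password guessing against the VPN or to settle a billing dispute.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
# Drop privileges after start-up; never leave radiusd running as root.
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
# Seconds a finished request is kept so that NAS retransmits get the cached reply
# instead of being processed twice; 5 is the default. (The original comment called
# this a "number of buffer pools", which it is not.)
cleanup_delay = 5
max_requests = 1024
# "*" listens on every interface. Bind to the address the OpenVPN server actually
# uses (127.0.0.1 when both run on this host) so RADIUS is not reachable from outside,
# and firewall UDP 1812/1813 to the NAS addresses listed in clients.conf.
bind_address = *
port = 0
hostname_lookups = no
regular_expressions = yes
extended_expressions = yes
# Log the outcome of every Access-Request. Keep the two *pass options off so that
# passwords never end up in the log file.
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no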
security {
# Packets carrying more attributes than this are dropped; bounds the work a
# malformed or hostile packet can cause.
max_attributes = 200
# Delay every Access-Reject by one second to slow down online password guessing.
reject_delay = 1
# Status-Server probes are not needed by anything on this page.
status_server = no
}
# NOTE(review): proxying is enabled, but nothing on this page defines an upstream
# home server. Unless proxy.conf does, set proxy_requests = no so that a login such
# as "user@somerealm" cannot be forwarded off this box by the realm modules below.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# clients.conf lists each NAS (here: the OpenVPN server) and its shared secret.
# Use a long random secret, one per NAS, and keep the file readable only by radiusd.
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
# ---- password authentication methods ------------------------------------------
# PAP, CHAP and MS-CHAP all need the cleartext User-Password check item that the
# SQL rows on this page store in radcheck (CHAP/MS-CHAP cannot verify against a hash).
pap {
# NOTE(review): with "Auth-Type := Local" set in the SQL check items, the 1.x core
# compares User-Password itself and this module is bypassed. If Local is ever
# dropped and PAP is routed through rlm_pap, "crypt" expects a crypt(3) hash, so a
# cleartext User-Password would stop matching -- confirm before changing either.
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
# Authenticates against the system's PAM stack (service name "radiusd").
pam {
pam_auth = radiusd
}
# System-account lookups. /etc/shadow is not readable by the unprivileged radiusd
# user; harmless here because "unix" is not referenced by any section below.
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
}
# ---- LDAP: stock defaults, not referenced by any section below -------------------
# NOTE(review): if this is ever enabled, set start_tls = yes (or use ldaps): with
# start_tls = no the bind credentials and every user password radiusd forwards
# travel in cleartext.
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
# ---- realm parsing (only "suffix" is used, in authorize/preacct) -----------------
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Splits "user@realm"; which realms exist, and whether they are proxied, comes
# from proxy.conf.
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "//"
ignore_default = no
ignore_null = no
}
# Compares a request attribute with a check item of the same name (unused below).
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
# Huntgroup/hints handling; listed in preacct only.
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
# Flat-file users/acct_users; listed in preacct only (authorization comes from SQL).
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
# Per-day accounting detail files; 0600 keeps session records away from other users.
detail {
detailperm = 0600
}
# Builds a unique session key so duplicated accounting packets are not double-counted.
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
# Local "who is online" table, updated from accounting and consulted for
# Simultaneous-Use checks. check_with_nas = yes asks the NAS (checkrad) whether a
# stale entry is still live; presumably OpenVPN cannot answer that, so an entry
# only clears when the accounting Stop arrives -- TODO confirm, this may be the
# three-minute reconnect delay described above.
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
# Variant without caller-id, commented out of the accounting section below.
# 0644 would make the session list world-readable if it were enabled.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
# Daily session-time quota (Max-Daily-Session check item); not referenced below.
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# Fixed return codes, handy for testing; not referenced below.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
# Stock sample that echoes the user name back as a reply; not referenced below.
# Expanding an attacker-controlled attribute such as %{User-Name} into a command
# line is something to avoid in a real module instance.
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
# Address pool for Framed-IP-Address allocation; not referenced by any section
# below (OpenVPN hands out addresses itself on this page).
ippool main_pool {
range-start = 10.8.0.10
range-stop = 10.8.254.254
netmask = 255.255.0.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
# Modules loaded at start-up even though no section references them by name.
instantiate {
exec
expr
}
# Access-Request pre-processing: set Auth-Type and collect check/reply items.
authorize {
chap
mschap
# Strips "@realm" from the user name (see proxy_requests above for the forwarding risk).
suffix
eap
# Loads radcheck / radgroupcheck / radreply / radgroupreply rows for the user.
sql
}
# Password verification, dispatched on the Auth-Type chosen in authorize.
# The "Auth-Type := Local" rows this page puts in SQL are handled by the server core
# (direct comparison with the cleartext User-Password check item), not by any of the
# sub-sections here.
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
pam
eap
}
# Accounting-Request pre-processing before the packet is logged.
preacct {
preprocess
suffix
files
}
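# Accounting-Request handling.
# Fix vs. the original: the pasted file repeated everything from "radutmp" to
# "post-proxy { eap" a second time and never closed post-proxy, leaving unbalanced
# braces that radiusd would refuse to parse. The duplicate is removed here.
accounting {
# Write the packet to the detail log first so billing data survives a database outage.
detail
# Keeps the local "who is online" table used by the session{} check.
# NOTE(review): the original comment said these two entries limit a user to one
# login at a time but "do not seem to work with MySQL". By themselves they do not
# limit anything: the user or group also needs a "Simultaneous-Use := 1" check item,
# and none is set anywhere on this page. Without it neither radutmp nor the sql
# check in session{} enforces single login.
radutmp
# sradutmp
# rlm_sql writes radacct, which the billing queries read.
sql
}
# Simultaneous-Use check: ask rlm_sql how many sessions the user already has open.
session {
sql
}
# Record every accept/reject in radpostauth.
post-auth {
sql
}
pre-proxy {
}
post-proxy {
eap
}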
------------------------cut---------------------------
#sql.conf
# rlm_sql connection settings (the closing "}" of this section is missing from the
# pasted fragment; the file must end with it).
sql {
driver = "rlm_sql_mysql"
# Prefer 127.0.0.1/localhost; the MySQL wire protocol here is not encrypted.
server = "youripadd"
# NOTE(review): connecting as the MySQL superuser means that a compromise of
# radiusd, or of this file, is a compromise of the whole database server. Create a
# dedicated account with SELECT/INSERT/UPDATE on the radius database only and use it
# here. This file holds the password in cleartext: keep it 0600 and readable only
# by the radiusd user.
login = "root"
password = "yourpasswd"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"