架设基于FreeRadius带有认证计费功能的Openvpn Server

在尝试配置的过程中，发现目前互联网根本没有任何关于此项目的中英文的资料，只有少许关于此问题的求助信息，但是完成这个项目的软件资源却很丰富， Openvpn及FreeRasius 已经开发出了现成的Openvpn＋FreeRadius 协同工作的插件。openvpn官方插件是PAM-Radius，FreeRadius官方插件是radiusplugin，这两者不同的之处是，PAM-Radius仅有认证功能，不能向FreeRadius服务器发送计费报文。

这里我使用的是挂载FreeRadius 官方的radiusplugin模块，因为此模块可以向FreeRasius服务器发送计费报文，从而实现计费功能。测试环境是一台安装Redhat Linux As4 操作系统的主机上做的测试，安装操作系统时为了省事我选择了安装所有软件包。

 以下为具体的安装及配置方法：

 一．为了使openvpn 服务器支持lzo 方式进行加密，我们首先要安装lzo

mkdir /usr/local/lzo/lib && mkdir /usr/local/lzo/include &&/

wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.00.tar.gz  &&/

tar zxvf lzo-2.00.tar.gz  &&/

cd lzo-2.00 &&/

./configure --prefix= /usr/local/lzo --includedir= /usr/local/lzo/include /

   --libdir= usr/local/lzo/lib --enable-shared  &&/

make &&/

    make check  &&/

    make test   &&/ 

    make install &&/

    cd .. &&/

rm –rf ./lzo*

 

二．安装openvpn

   wget http://openvpn.net/release/openvpn-2.0.9.tar.gz  &&/

   tar zxvf openvpn-2.0.9.tar.gz  &&/

mv openvpn-2.0.9 openvpn  &&/

cd openvpn  &&/

./configure --with-lzo-headers=/usr/local/lzo/include /

--with-lzo-lib= usr/local/lzo/lib &&/

make  &&/

  make install  &&/

mkdir /e    ct/openvpn &&/

cp –Rf   easy-rsa  /ect/openvpn/conf  &&/

cd .. &&/

rm open* -rf

 

三．安装radiusplugin

   

wget  http://www.nongnu.org/radiusplugin/radiusplugin_v2.0.tar.gz  &&/

tar zxvf  radiusplugin_v2.0.tar.gz && /

cd radiusplugin_v2.0 &&/

g++ -Wall -I/usr/local/include -L/usr/local/lib -shared –o  /

radiusplugin.so AccountingProcess.cpp Exception.cpp  /

PluginContext.cpp UserAuth.cpp AcctScheduler.cpp /

IpcSocket.cpp radiusplugin.cpp User.cpp /

AuthenticationProcess.cpp main.cpp UserAcct.cpp /

UserPlugin.cpp Config.cpp RadiusClass/RadiusAttribute.cpp /

RadiusClass/RadiusPacket.cpp RadiusClass/RadiusConfig.cpp /

RadiusClass/RadiusServer.cpp RadiusClass/RadiusVendorSpecificAttribute.cpp /

-lgcrypt  -lgpg-error  -lstdc++ -lm &&/

cp  radiusplugin.cnf  /etc/openvpn/server.cnf &&/

cp  radiusplugin.so  /etc/openvpn/  && /

cd .. && /

rm open* -rf

配置Free Radius与Myself服务器的联接、账号等

虽然AS4 系统已经默认安装了FreeRadius 版本为－1.0.1，但是因为我在安装目录中没有找到初始化Mysql数据库的脚本，所以还是需要下载Freeradius-1.0.1 的源码包，以及使用此源码包中的初始化Mysql数据库的脚本创建数据库。

# 将Mysql 数据库服务设为开机自动启动

chkconfig –level 3456 mysql off

#  启动mysql服务
service mysqld start
# 更改mysql的root密码及创建radius数据库

mysql –uroot –p
creat database radius;
use mysql;
update user set password=password(‘yourpassword’) where user=’root’;
#允许远程机器连接
update user set host=’%’ where user=’root’;
#退出及重新启动mysql
quit
service mysqld restart

# 下载freeeradius 源码包及对radius库进行初始化操作

Wget ftp://ftp.freeradius.org/pub/radius/old/freeradius-1.1.0.tar.gz && /

tar zxvf freeradius-1.1.0.tar.gz &&/

  cd freeradius-1.1.0.tar.gz &&/

mysql –uroot –pyourpassword –h 127.0.0.1  <  radius /

 ./src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql

 

# 向数据库中加入测试帐号

      mysql –uroot –pyourpassword radius
insert into radgroupreply (groupname,attribute,op,values) values (‘user’，‘Auth-Type’,’:=’,’Local’);
insert into radgroupreply (groupname,attribute,op,values) values (‘user’，‘Service-Type’,’:=’,’Framed-User’);
insert into radgroupreply (groupname,attribute,op,values) values (‘user’，‘Framed-IP-Address’,’:=’,’10.8.0.0’);
insert into radgroupreply (groupname,attribute,op,values) values (‘user’，‘Framed-IP-Netmask’,’:=’,’255.255.255.252’);
#加入测试账号
insert into radcheck (username,attribute,op,value) values (‘test’,’User-Password’,’:=’,’vpntest’)
#测试账号加入组
insert into usergroup (username,groupname) values (‘test’,’vpnuser’);

# 配置FreeRadius及FreeRadius与Mysql联接

#这儿为了省事只将测试成功的配置文件粘贴出来，实现了同一个时间只有一个用户登陆和三分钟内收不到BAS发出的计费报文，就视用户为离线结束计费。

#这种配置下存在一个问题，就是正常离线的用户，也需要等三分钟后生，才能重新连接。目前还没有找到解决办法。

-----------------------cut-------------------------------------

# radiusd.conf

prefix = /usr

exec_prefix = /usr

sysconfdir = /etc

localstatedir = /var

sbindir = /usr/sbin

logdir = ${localstatedir}/log/radius

raddbdir = ${sysconfdir}/raddb

radacctdir = ${logdir}/radacct

confdir = ${raddbdir}

run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = /usr/lib

pidfile = ${run_dir}/radiusd.pid

user = radiusd

group = radiusd

max_request_time = 30

delete_blocked_requests = no

#当迸发用户量大的时间，这个设置很重要。5是default 设置。这项设置是多少个缓冲池

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 0

hostname_lookups = no

regular_expressions  = yes

extended_expressions = yes

log_auth = no

log_auth_badpass = no

log_auth_goodpass = no

usercollide = no

lower_user = no

lower_pass = no

nospace_user = no

nospace_pass = no

security {

    max_attributes = 200

    reject_delay = 1

    status_server = no

}

proxy_requests  = yes

$INCLUDE  ${confdir}/proxy.conf

$INCLUDE  ${confdir}/clients.conf

snmp    = no

$INCLUDE  ${confdir}/snmp.conf

thread pool {

    start_servers = 5

    max_servers = 32

    min_spare_servers = 3

    max_spare_servers = 10

    max_requests_per_server = 0

}

modules {

    pap {

        encryption_scheme = crypt

    }

    chap {

        authtype = CHAP

    }

    pam {

        pam_auth = radiusd

    }

 

    unix {

        cache = no

        cache_reload = 600

        shadow = /etc/shadow

        radwtmp = ${logdir}/radwtmp

    }

$INCLUDE ${confdir}/eap.conf

    mschap {

        authtype = MS-CHAP

    }

    ldap {

        server = "ldap.your.domain"

        basedn = "o=My Org,c=UA"

        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        start_tls = no

        access_attr = "dialupAccess"

        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        timeout = 4

        timelimit = 3

        net_timeout = 1

    }

    realm IPASS {

        format = prefix

        delimiter = "/"

        ignore_default = no

        ignore_null = no

    }

    realm suffix {

        format = suffix

        delimiter = "@"

        ignore_default = no

        ignore_null = no

    }

    realm realmpercent {

        format = suffix

        delimiter = "%"

        ignore_default = no

        ignore_null = no

    }

    realm ntdomain {

        format = prefix

        delimiter = "//"

        ignore_default = no

        ignore_null = no

    }  

    checkval {

        item-name = Calling-Station-Id

        check-name = Calling-Station-Id

        data-type = string

    }

    preprocess {

        huntgroups = ${confdir}/huntgroups

        hints = ${confdir}/hints

        with_ascend_hack = no

        ascend_channels_per_line = 23

        with_ntdomain_hack = no

        with_specialix_jetstream_hack = no

        with_cisco_vsa_hack = no

    }

 

    files {

        usersfile = ${confdir}/users

        acctusersfile = ${confdir}/acct_users

        compat = no

    }

    detail {

             detailperm = 0600

    }

    acct_unique {

        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

    }

    $INCLUDE  ${confdir}/sql.conf

    radutmp {

        filename = ${logdir}/radutmp

        username = %{User-Name}

        case_sensitive = yes

        check_with_nas = yes    

        perm = 0600

        callerid = "yes"

    }

    radutmp sradutmp {

        filename = ${logdir}/sradutmp

        perm = 0644

        callerid = "no"

    }

    attr_filter {

        attrsfile = ${confdir}/attrs

    }

    counter daily {

        filename = ${raddbdir}/db.daily

        key = User-Name

        count-attribute = Acct-Session-Time

        reset = daily

        counter-name = Daily-Session-Time

        check-name = Max-Daily-Session

        allowed-servicetype = Framed-User

        cache-size = 5000

    }

always fail {

        rcode = fail

    }

    always reject {

        rcode = reject

    }

    always ok {

        rcode = ok

        simulcount = 0

        mpp = no

    }

    expr {

    }

    digest {

    }

    exec {

        wait = yes

        input_pairs = request

    }

    exec echo {

   

        wait = yes

        program = "/bin/echo %{User-Name}"

        input_pairs = request

        output_pairs = reply

    }

    ippool main_pool {

                   range-start = 10.8.0.10

                   range-stop = 10.8.254.254

                   netmask = 255.255.0.0

        cache-size = 800

        session-db = ${raddbdir}/db.ippool

        ip-index = ${raddbdir}/db.ipindex

        override = no

        maximum-timeout = 0

    }

 

}

 

instantiate {

    exec

    expr

}

authorize {

    chap

    mschap

    suffix

    eap

    sql

}

 

authenticate {

    Auth-Type PAP {

        pap

    }

    Auth-Type CHAP {

        chap

    }

    Auth-Type MS-CHAP {

        mschap

    }

    pam

    eap

}

preacct {

    preprocess

    suffix

    files

}

accounting {

    detail

# 下面这两项是用来限止同时时间只能有一个用户登陆，可是使用MYSQL的时候好像并不生效。   

    radutmp

#    sradutmp

        sql

        }

session {

    sql

}

post-auth {

    sql

}

pre-proxy {

}

post-proxy {

    eap

}

 

# 下面这两项是用来限止同时时间只能有一个用户登陆，可是使用MYSQL的时候好像并不生效。   

    radutmp

#    sradutmp

        sql

        }

session {

    sql

}

post-auth {

    sql

}

pre-proxy {

}

post-proxy {

    eap

------------------------cut---------------------------

#sql.conf

 

 

sql {

    driver = "rlm_sql_mysql"

    server = "youripadd"

    login = "root"

    password = "yourpasswd"

    radius_db = "radius"

    acct_table1 = "radacct"

    acct_table2 = "radacct"

    postauth_table = "radpostauth"

    authcheck_table = "radcheck"

    authreply_table = "radreply"