PPTP + FreeRADIUS + MySQL Installation and Configuration

FreeRADIUS is an open-source implementation of the RADIUS protocol, and RADIUS is used mainly for authentication, authorization and accounting. Everything in this article was tested successfully on CentOS 5.7 32-bit.

1. VPN server installation and configuration

# Install the build environment

yum install -y wget gcc gcc-c++ make

# Install ppp

yum install -y ppp

# Install the PPTP VPN

wget http://hello-linux.googlecode.com/files/pptpd_with_freeradius_plugins.sh
chmod +x pptpd_with_freeradius_plugins.sh
./pptpd_with_freeradius_plugins.sh

Note: this PPTP VPN script already includes the FreeRADIUS plugin and cannot be used on its own without FreeRADIUS. If you only want a plain PPTP VPN, do not use this script.
If at this point a client reports "Error 691: Access was denied because the username and/or password was invalid on the domain", do not worry; that is expected until FreeRADIUS is set up.

2. FreeRADIUS client installation and configuration

# Install freeradius-client

cd /root
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.gz
tar zxvf freeradius-client-1.1.6.tar.gz
cd freeradius-client-1.1.6
./configure && make && make install

# Configure freeradius-client

vi /usr/local/etc/radiusclient/radiusclient.conf

Find the authserver and acctserver entries and set both values to localhost.
Comment out the two entries radius_deadtime 0 and bindaddr * (or do it with the following commands):

sed -i 's/radius_deadtime/\#radius_deadtime/g' /usr/local/etc/radiusclient/radiusclient.conf
sed -i 's/bindaddr/\#bindaddr/g' /usr/local/etc/radiusclient/radiusclient.conf

# Point the client at the FreeRADIUS server and set the shared secret

cat >>/usr/local/etc/radiusclient/servers<<EOF
localhost testing123
EOF
# one entry per RADIUS server: host name, then the shared secret; testing123 is the secret radtest uses below

Note: I do not recommend changing this shared secret! In my own testing, things stopped working after I changed it.

# Add the dictionary. This step matters: without it, Windows clients cannot connect to the server

wget -c http://hello-linux.googlecode.com/files/dictionary.microsoft
mv ./dictionary.microsoft /usr/local/etc/radiusclient/
cat >>/usr/local/etc/radiusclient/dictionary<<EOF
INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft
EOF

3. FreeRADIUS server installation and configuration

# Install mysql

yum install mysql mysql-devel mysql-server
service mysqld start
chkconfig mysqld on
mysqladmin -uroot -p password NEW_PASSWORD
# You are prompted for the current password; after a fresh MySQL install it is normally empty, so just press Enter
# If MySQL was installed some other way (for example the MySQL bundled with the lnmp one-click installer), also run these two commands
ln -s /usr/local/mysql/bin/mysql /usr/bin
ln -s /usr/local/mysql/bin/mysqladmin /usr/bin

# Install freeradius-server

wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
tar zxf freeradius-server-2.1.12.tar.gz
cd freeradius-server-2.1.12
./configure | grep mysql
# The grep is there to check that all of the mysql-related configure results say yes; if any do not, check the mysql installation.
make && make install

# Local test with the flat-file users database

vi /usr/local/etc/raddb/users
# Find steve Cleartext-Password := "testing" and uncomment that whole block
steve   Cleartext-Password := "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
radiusd -X
# Starts the server in debug output mode
# If the following lines appear
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
# the server has started successfully

# Open a second terminal window and run this command
radtest steve testing localhost 1812 testing123 # user name steve, password testing, shared secret testing123
# If rad_recv: Access-Accept packet appears, authentication succeeded

# Integrating freeradius with mysql

mysqladmin -u root -p create radius
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/schema.sql
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/nas.sql
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/ippool.sql
mysql -u root -p radius < /usr/local/etc/raddb/sql/mysql/wimax.sql
mysql -u root -p
mysql> GRANT SELECT ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpass';
mysql> GRANT ALL on radius.radacct TO 'radius'@'localhost';
mysql> GRANT ALL on radius.radpostauth TO 'radius'@'localhost';
mysql> use radius;

# Add the group definition; in this example the group is called user
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');

# Add the user
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');

# Put the user into the group
mysql> insert into radusergroup(username,groupname) values('sqltest','user');

# Limit the number of simultaneous logins per account
mysql> INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("user", "Simultaneous-Use", ":=", "1");
vi /usr/local/etc/raddb/sql.conf
# Set the database type, account, password and database name to match your setup
# Find readclients = yes and uncomment it; this makes the server read RADIUS clients from the nas table, so clients.conf is no longer needed

vi /usr/local/etc/raddb/radiusd.conf
# Find $INCLUDE sql.conf (line 700) and remove the leading #

vi /usr/local/etc/raddb/sites-enabled/default
# In the authorize {} section, comment out files (line 170) and remove the # in front of sql (line 177)
# In the accounting {} section, comment out radutmp (line 396) and remove the # in front of sql (line 406)
# In the session {} section, comment out radutmp (line 450) and remove the # in front of sql (line 454)
# In the post-auth {} section, remove the # in front of sql (line 475) and again in front of sql (line 563)

vi /usr/local/etc/raddb/sites-enabled/inner-tunnel
# In the authorize {} section, comment out files (line 124) and remove the # in front of sql (line 131)
# In the session {} section, comment out radutmp (line 251) and remove the # in front of sql (line 255)
# In the post-auth {} section, remove the # in front of sql (line 277) and again in front of sql (line 301)

# Start FreeRADIUS as a normal service and enable it at boot

cd /root
wget http://hello-linux.googlecode.com/files/radiusd
mv radiusd /etc/init.d/
chmod +x /etc/init.d/radiusd
vi /etc/init.d/radiusd
# Find prefix=/usr/local/radius (line 25) and change it to prefix=/usr/local
/etc/init.d/radiusd start

vi /etc/rc.local
# Add /etc/init.d/radiusd start as the last line

# Final test

# Verify with the user name and password just inserted into the database
radtest sqltest testpwd localhost 1812 testing123
# If rad_recv: Access-Accept packet appears, the installation has succeeded
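As an added example that is not part of the original post, the Python below reproduces what radtest does in the local test and in the final test above: it builds an RFC 2865 Access-Request for sqltest/testpwd with User-Password hidden under the shared secret testing123 and an RFC 2869 Message-Authenticator, then verifies the Response Authenticator of a reply. The server-side helpers and the constructed Access-Accept are mine, for demonstration; a request or reply built with a different secret fails these checks, which is why the secret in the radiusclient servers file, in clients.conf or the nas table, and on the radtest command line must all agree.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MSG_AUTH = 1, 2, 4, 5, 80

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: undo hide_password (with the wrong secret this yields garbage)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, nas_ip="127.0.0.1", nas_port=1812, authenticator=None):
    """Access-Request as radtest sends it; Message-Authenticator is kept as the last attribute."""
    auth = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port))
             + _attr(MSG_AUTH, b"\x00" * 16))  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # RFC 2869 5.14

def request_is_authentic(request, secret):
    """Server side: a request whose HMAC does not match the shared secret is dropped."""
    zeroed = request[:-16] + b"\x00" * 16
    return hmac.compare_digest(request[-16:], hmac.new(secret, zeroed, hashlib.md5).digest())

def build_access_accept(request, secret):
    """Constructed empty Access-Accept; ResponseAuth = MD5(header + RequestAuth + attrs + secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def reply_is_authentic(reply, request, secret):
    """Client side (RFC 2865 3): only a server holding the same secret can produce this value."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)
```

With a seven-character user name and password the request is 77 bytes, the same length radtest reports in the comments below.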

The installation is now complete.

Problems you may run into:

/usr/local/etc/raddb/sites-enabled/inner-tunnel[118]: Failed to find module "sql".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.

# Check whether the file rlm_sql_mysql.so exists on the system; if it does not, run the following commands in order:
cd /root/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_mysql
./configure --with-mysql-dir=/var/lib/mysql --with-mysql-lib-dir=/var/lib/mysql/lib --with-mysql-include-dir=/var/lib/mysql/include
make && make install
cd /usr/local/lib
cp rlm_sql_mysql.* /root/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_mysql/
radiusd -X
radiusd: error while loading shared libraries:libfreeradius-radius-2.1.12.so: cannot open shared object file: No such file or directory

Running the following command fixes it:
ldconfig

References:
系统之家
WangYan Blog

13 thoughts on "PPTP + FreeRADIUS + MySQL Installation and Configuration"

  1. I got stuck at the final test step

    [[email protected] ~]# radtest sqltest testpwd localhost 1812 testing123
    Sending Access-Request of id 154 to 127.0.0.1 port 1812
    User-Name = "sqltest"
    User-Password = "testpwd"
    NAS-IP-Address = 199.175.48.38
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    Sending Access-Request of id 154 to 127.0.0.1 port 1812
    User-Name = "sqltest"
    User-Password = "testpwd"
    NAS-IP-Address = 199.175.48.38
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    Sending Access-Request of id 154 to 127.0.0.1 port 1812
    User-Name = "sqltest"
    User-Password = "testpwd"
    NAS-IP-Address = 199.175.48.38
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    radclient: no response from server for ID 154 socket 3

    1. After running radiusd -X, you have to open a new window and run radtest steve testing localhost 1812 testing123 there

      1. I have the same problem
        [[email protected] etc]# radtest testing testing localhost 0 testing123
        Sent Access-Request Id 13 from 0.0.0.0:39297 to 127.0.0.1:1812 length 77
        User-Name = "testing"
        User-Password = "testing"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "testing"
        Sent Access-Request Id 13 from 0.0.0.0:39297 to 127.0.0.1:1812 length 77
        User-Name = "testing"
        User-Password = "testing"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "testing"
        Sent Access-Request Id 13 from 0.0.0.0:39297 to 127.0.0.1:1812 length 77
        User-Name = "testing"
        User-Password = "testing"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "testing"
        (0) No reply from server for ID 13 socket 3

        I ran radiusd -X in one SSH session and opened a second one to run radtest. Any advice?~~

  2. How about it?? I don't know why this shows up in radiusd -X...
    Ready to process requests.
    Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 34007
    Ready to process requests.

    Please help me, thanks. Sorry if my English is so bad.

        1. From my testing, if the MySQL server was installed with the lnmp/lamp one-click installer or with yum install, it is probably a version problem that makes the import fail with:
          int(12) default NULL
          Three days and I still have not found a solution

          1. That is exactly my problem, the import does not go through. If you find a solution, please let me know~
