In practice, when using pptpd with RADIUS the real work is in the FreeRADIUS and pptpd configuration; PostgreSQL is only a supporting player. What is discussed here is: if you already have a user database, how to use it for pptpd authentication as it is, without modifying it.
1. FreeRADIUS 2.0 configuration on Debian
1.1 Rebuilding FreeRADIUS with encryption support
For licensing reasons, the FreeRADIUS packaged by Debian is built without OpenSSL, so if you use Debian's freeradius and want it to support encryption (EAP-TLS/TTLS/PEAP), you must rebuild it:
aptitude update
apt-get source freeradius
Edit debian/rules and find:
--without-rlm_eap_tls \
--without-rlm_eap_ttls \
--without-rlm_eap_peap \
--without-openssl \
and change it to:
--with-rlm_eap_tls \
--with-rlm_eap_ttls \
--with-rlm_eap_peap \
--with-openssl \
Then find:
for pkg in ${pkgs} ; do \
if dh_shlibdeps -p $$pkg -- -O 2>/dev/null | grep -q libssl; then \
echo "$$pkg links to openssl" ;\
exit 1 ;\
fi ;\
done
and delete that whole block (it exists precisely to abort the build when a package links against OpenSSL).
Edit debian/control and append libssl-dev to Build-Depends:.
Check that the system satisfies all the build dependencies, then run
dpkg-buildpackage -rfakeroot
When the build finishes several packages are produced; for this example the following need to be installed:
freeradius-common_2.0.4+dfsg-6_all.deb
freeradius-utils_2.0.4+dfsg-6_i386.deb
freeradius_2.0.4+dfsg-6_i386.deb
freeradius-postgresql_2.0.4+dfsg-6_i386.deb
1.2 Configuring FreeRADIUS
Edit /etc/freeradius/radiusd.conf and uncomment the whole sql_log block so that it reads as follows (note that the Post-Auth query writes the submitted User-Password, or the CHAP response, into radpostauth, so that table needs the same protection as the user table itself):
sql_log {
path = "${radacctdir}/sql-relay"
acct_table = "radacct"
postauth_table = "radpostauth"
sql_user_name = "%{%{User-Name}:-DEFAULT}"
Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctTerminateCause) VALUES \
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
'%{Framed-IP-Address}', '%S', '0', '0', '');"
Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctTerminateCause) VALUES \
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
'%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
'%{Acct-Terminate-Cause}');"
Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctTerminateCause) VALUES \
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
'%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}', '');"
Post-Auth = "INSERT INTO ${postauth_table} \
(username, pass, reply, authdate) VALUES \
('%{User-Name}', '%{User-Password:-Chap-Password}', \
'%{reply:Packet-Type}', '%S');"
}
Edit /etc/freeradius/sql.conf; this part is straightforward: set the database type to "postgresql", fill in the connection details, and point authcheck_table at your existing user table:
database = "postgresql"
driver = "rlm_sql_${database}"
server = "1.2.3.4"
login = "username"
password = "password"
radius_db = "dbname"
authcheck_table = "usertable"
Edit /etc/freeradius/sql/postgresql/dialup.conf and replace the authorize_check_query block with the following (the exact columns depend on your table layout; rlm_sql expects the result columns in the order id, username, attribute, value, op):
authorize_check_query = "SELECT '1' AS id, user_id, 'Cleartext-Password' AS Attribute, passwd, ':=' AS Op \
FROM ${authcheck_table} \
WHERE user_id = '%{SQL-User-Name}'"
Edit /etc/freeradius/eap.conf and set default_eap_type to:
default_eap_type = peap
1.3 Configuring EAP/PEAP/TTLS encryption in FreeRADIUS
Create the CA and the key:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out ca.pem -days 3650 (the passphrase set in this step is test)
openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 3650 (passphrase set to servertest)
openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/ssl/server_req.pem
cat server_key.pem server_cert.pem > server.pem
openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2
The xpextensions file used above is in /usr/share/doc/freeradius/examples/certs.
Copy the generated files to /etc/freeradius/certs/ and edit /etc/freeradius/eap.conf:
private_key_password = test
private_key_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
1.4 Other FreeRADIUS settings
In /etc/freeradius/sites-enabled/default and inner-tunnel, uncomment sql and sql_log and comment out files.
Edit /etc/freeradius/clients.conf and add:
client localhost {
ipaddr=127.0.0.1
secret=testing123
nastype=other
}
2. pptpd configuration
2.1 Configuring pptpd
The important file is /etc/ppp/pptpd-options:
ms-dns 1.2.3.4
ms-dns 4.3.2.1
and append at the end:
plugin radius.so
2.2 Configuring the pptpd RADIUS plugin
The pptpd RADIUS plugin deserves special mention because it uses the old radiusclient library, which cannot parse dictionaries in the newer format (the FreeRADIUS 2.0 client format). There are two fixes: patch the pptpd RADIUS plugin, or use old-format dictionaries that the existing plugin understands. The second approach is used here.
Configure /etc/radiusclient/servers (the secret must be the same one given for this client in clients.conf on the FreeRADIUS side):
127.0.0.1 secrect
Configure /etc/radiusclient/radiusclient.conf
and change the addresses in these two lines to the actual ones:
authserver localhost
acctserver localhost
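Both the clients.conf entry in 1.4 and /etc/radiusclient/servers above carry the same shared secret. The added example below (not code from the post, pptpd or FreeRADIUS; the secrets, authenticator and user are constructed) implements the two RFC 2865 places the secret is used: hiding a PAP User-Password, and the Response Authenticator that the NAS checks on every reply. A mismatched secret on either side makes the server decode garbage and makes the NAS reject the Access-Accept, which is the symptom to look for when authentication "fails" without any SQL error.

```python
"""RFC 2865 shared-secret mechanics between a NAS and a RADIUS server (constructed example)."""
import hashlib
import struct

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, length including the 2-byte header, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    """20-byte header (Code, Identifier, Length, Authenticator) followed by the attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, request_auth):
    """Server-side inverse; the chaining value is the ciphertext block just received. Padding NULs are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def sign_reply(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return build_packet(code, ident, hashlib.md5(header + request_auth + body + secret).digest(), attrs)

def verify_reply(reply, request_auth, secret):
    """NAS side: recompute the authenticator with its own secret; on mismatch the reply is dropped."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return reply[4:20] == expected

def exchange(client_secret, server_secret, request_auth=bytes(range(16))):
    """Access-Request (code 1) from the NAS, Access-Accept (code 2) back.
    Returns (password as the server decodes it, whether the NAS accepts the reply)."""
    request = build_packet(1, 7, request_auth, [(1, b"alice"), (2, hide_password(b"pa55word", client_secret, request_auth))])
    seen = unhide_password(request[29:], server_secret, request_auth)  # 20-byte header + 7-byte User-Name TLV + 2-byte TLV header
    reply = sign_reply(2, request[1], request_auth, [], server_secret)
    return seen, verify_reply(reply, request_auth, client_secret)
```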
Create /etc/radiusclient/port-id-map with the following content:
#
# port-id-map
#
# This file describes the ttyname to port id mapping. The port id
# is reported as part of a RADIUS authentication or accounting request.
#
#ttyname (as returned by ttyname(3)) port-id
/dev/tty1 1
/dev/tty2 2
/dev/tty3 3
/dev/tty4 4
/dev/tty5 5
/dev/tty6 6
/dev/tty7 7
/dev/tty8 8
/dev/ttyS0 9
/dev/ttyS1 10
/dev/ttyS2 11
/dev/ttyS3 12
/dev/ttyS4 13
/dev/ttyS5 14
/dev/ttyS6 15
/dev/ttyS7 16
Create /etc/radiusclient/dictionary.microsoft with the following content:
VENDOR Microsoft 311 Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
#
# Integer Translations
#
# MS-BAP-Usage Values
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
# MS-ARAP-Password-Change-Reason Values
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
# MS-Acct-Auth-Type Values
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
# MS-Acct-EAP-Type Values
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13
Create /etc/radiusclient/dictionary.merit with the following content:
#
# Experimental extensions, configuration only (for check-items)
# Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE NAS-Identifier 32 string
ATTRIBUTE Proxy-State 33 string
ATTRIBUTE Login-LAT-Service 34 string
ATTRIBUTE Login-LAT-Node 35 string
ATTRIBUTE Login-LAT-Group 36 string
ATTRIBUTE Framed-AppleTalk-Link 37 integer
ATTRIBUTE Framed-AppleTalk-Network 38 integer
ATTRIBUTE Framed-AppleTalk-Zone 39 string
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
# 8 is a MERIT extension.
VALUE Service-Type Authenticate-Only 8
Append to the end of /etc/radiusclient/dictionary:
INCLUDE /etc/radiusclient/dictionary.microsoft
INCLUDE /etc/radiusclient/dictionary.merit
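The dictionaries above are hand-written in the flat layout the old radiusclient parser accepts (vendor name as a trailing column, no BEGIN-VENDOR blocks, no octets type or encrypt= flags). As an added example, not code from the post or from either project, the converter below produces that layout from a FreeRADIUS 2.x-style dictionary excerpt; the excerpt is constructed here and deliberately short.

```python
"""Convert FreeRADIUS 2.x dictionary syntax to the flat layout old radiusclient reads (constructed example)."""

# Constructed excerpt in the newer format; attribute numbers are the ones listed in dictionary.microsoft above.
NEW_FORMAT = """\
VENDOR        Microsoft             311
BEGIN-VENDOR  Microsoft
ATTRIBUTE     MS-CHAP-Response      1   octets
ATTRIBUTE     MS-MPPE-Send-Key      16  octets encrypt=2
ATTRIBUTE     MS-Primary-DNS-Server 28  ipaddr
VALUE         MS-BAP-Usage          Not-Allowed 0
END-VENDOR    Microsoft
"""

# The old parser knows only a few types; FreeRADIUS' binary 'octets' collapses to 'string'.
TYPE_MAP = {"octets": "string", "string": "string", "integer": "integer", "ipaddr": "ipaddr", "date": "date"}

def convert_dictionary(text):
    """Return the old-format dictionary text; raise on anything the old parser could not represent."""
    out, vendor = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        kw = fields[0].upper()
        if kw == "VENDOR":
            name, number = fields[1], fields[2]
            out.append(f"VENDOR {name} {number} {name}")  # same shape as dictionary.microsoft above
        elif kw == "BEGIN-VENDOR":
            vendor = fields[1]  # remember the vendor so it can become a trailing column
        elif kw == "END-VENDOR":
            vendor = None
        elif kw == "ATTRIBUTE":
            name, number, atype = fields[1], fields[2], fields[3]
            if atype not in TYPE_MAP:
                raise ValueError(f"unsupported attribute type {atype!r} for {name}")
            # flags such as encrypt=2 (fields[4:]) have no old-format equivalent and are dropped
            out.append(" ".join(["ATTRIBUTE", name, number, TYPE_MAP[atype]] + ([vendor] if vendor else [])))
        elif kw == "VALUE":
            out.append(" ".join(["VALUE"] + fields[1:4]))
        else:
            raise ValueError(f"unknown keyword {kw!r}")
    return "\n".join(out) + "\n"
```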
3. PostgreSQL configuration
3.1 Creating the tables
Import /etc/freeradius/sql/postgresql/schema.sql.
3.2 PostgreSQL connection permissions
Edit pg_hba.conf to add the FreeRADIUS server's address, then run pg_ctl reload.
4. Testing
5. Single-user limit