
daloradius + freeradius + strongswan setup notes

VPN configuration (strongswan)

Stop firewalld and install iptables-services (CentOS 6 users can skip this step)

systemctl stop firewalld.service
systemctl disable firewalld.service
yum -y install iptables-services

Install the MySQL environment

yum -y install mysql-server mysql mysql-devel

Install the GMP development package

yum install gmp-devel -y

Download strongswan

wget https://download.strongswan.org/strongswan-5.5.2.tar.gz

Extract

tar -zxvf strongswan-5.5.2.tar.gz

Enter the extracted directory

cd strongswan-5.5.2

Configure the build and enable the required modules

./configure --prefix=/usr --sysconfdir=/etc/strongswan --enable-xauth-eap --enable-openssl --enable-ext-auth --enable-nat-transport --enable-sql --enable-mysql --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls

Note: if the VPS is OpenVZ-based, the kernel is usually 2.6 and does not provide the IPsec kernel modules, so add the option --enable-kernel-libipsec. KVM hosts normally run a 3.0 or newer kernel and do not need that module.

Compile

make

Install

make install

Enter the strongswan configuration directory

cd /etc/strongswan/

Three files need configuring: ipsec.secrets, ipsec.conf and strongswan.conf

It is easiest to copy working versions of these files and adjust them slightly:
In ipsec.conf, only leftcert (the server certificate file) and the two leftid values (the matching domain name) need changing.
strongswan.conf needs no changes.
In ipsec.secrets, only the value to the right of RSA on the first line needs changing to the server private key file.

Upload the server private key and certificate

Certificate directory: /etc/strongswan/ipsec.d/certs/
Private key directory: /etc/strongswan/ipsec.d/private/

Keep the private key readable by root only (chmod 600): anyone who can read it can impersonate the VPN server.

Configure the RADIUS plugin

vim /etc/strongswan/strongswan.d/charon/eap-radius.conf
Find the servers section and change it to

servers {
    vpnserver {
        secret = ddianxin1746944
        address = 119.23.14.184
    }
}

The address is the RADIUS server address and the secret is the shared secret configured on the RADIUS server. The values shown are the author's own; use a long random secret of your own, because RADIUS derives its packet authenticator and the User-Password hiding from it, and it must match what the RADIUS server has for this client (clients.conf or the nas table).
Find the line #accounting = no near the top and change it to accounting = yes
Find #accounting_close_on_timeout = yes and change it to accounting_close_on_timeout = yes
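The three files described above plus the eap-radius.conf servers block, rendered by a small shell function. This is an added example, not the author's configuration: the FQDN vpn.example.com, the file names server.crt and server.key, the client pool 10.86.87.0/24 (the subnet the MASQUERADE rule in this post uses), the RADIUS address 203.0.113.10 and the secret are placeholders, and the files are written under a scratch directory so they can be reviewed before being copied into /etc/strongswan.

```shell
#!/bin/sh
# Added example: render a minimal strongSwan configuration for an IKEv2 gateway
# that hands client authentication to RADIUS (EAP). Every value passed in is a
# placeholder; the output tree under $1 (default: a temp dir) mirrors the
# layout of /etc/strongswan.
#
# usage: render_strongswan_config DIR FQDN CERT KEY POOL RADIUS_ADDR RADIUS_SECRET
render_strongswan_config() {
    dir=${1:-$(mktemp -d)}
    fqdn=$2; cert=$3; key=$4; pool=$5; radius=$6; secret=$7

    mkdir -p "$dir/ipsec.d/certs" "$dir/ipsec.d/private" "$dir/strongswan.d/charon"
    chmod 700 "$dir/ipsec.d/private"   # private keys: root only

    # ipsec.conf: leftcert and leftid are the two values the post says to edit;
    # rightauth=eap-radius forwards the EAP exchange to the RADIUS server.
    cat > "$dir/ipsec.conf" <<EOF
conn ikev2-eap-radius
    keyexchange=ikev2
    left=%any
    leftid=@$fqdn
    leftcert=$cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightauth=eap-radius
    rightsourceip=$pool
    rightsendcert=never
    eap_identity=%identity
    dpdaction=clear
    auto=add
EOF

    # ipsec.secrets: the RSA entry names the key file under ipsec.d/private
    cat > "$dir/ipsec.secrets" <<EOF
: RSA $key
EOF
    chmod 600 "$dir/ipsec.secrets"

    # strongswan.conf: load the per-plugin files and log charon to the file the post tails
    cat > "$dir/strongswan.conf" <<EOF
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/strongswan.charon.log {
            time_format = %b %e %T
            default = 1
            ike = 2
            append = yes
        }
    }
}
include strongswan.d/*.conf
EOF

    # eap-radius.conf: server, shared secret and accounting, as set in the post
    cat > "$dir/strongswan.d/charon/eap-radius.conf" <<EOF
eap-radius {
    load = yes
    accounting = yes
    accounting_close_on_timeout = yes
    servers {
        vpnserver {
            address = $radius
            secret = $secret
        }
    }
}
EOF
    printf '%s\n' "$dir"
}

# check_rendered DIR: prints "ok" when the key settings and the 600 mode on
# ipsec.secrets are present in a rendered tree (placeholder values assumed).
check_rendered() {
    dir=$1
    grep -q '^    leftid=@vpn.example.com$' "$dir/ipsec.conf" &&
    grep -q '^    rightauth=eap-radius$' "$dir/ipsec.conf" &&
    grep -q '^: RSA server.key$' "$dir/ipsec.secrets" &&
    grep -q 'accounting = yes' "$dir/strongswan.d/charon/eap-radius.conf" &&
    [ -n "$(find "$dir/ipsec.secrets" -perm 600)" ] &&
    echo ok
}
```

Run it with a real directory only after reviewing the output; copying the tree over /etc/strongswan overwrites the three files the post told you to edit by hand.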

Create the log file

touch /var/log/strongswan.charon.log

Set up iptables and forwarding

Create iptables.sh
touch iptables.sh
and put the following in it

#!/bin/bash
# policy for iptables
# Forwarding must be on for VPN client traffic to be routed out; the MASQUERADE rule below relies on it
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# RADIUS: 1812 authentication, 1813 accounting (1814 is not a standard RADIUS port)
iptables -A INPUT -p udp --dport 1813 -j ACCEPT
iptables -A INPUT -p udp --dport 1814 -j ACCEPT
iptables -A INPUT -p udp --dport 1812 -j ACCEPT
# IKE (500), NAT-T (4500) and raw ESP for clients that are not behind NAT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# DNS replies are already covered by the ESTABLISHED,RELATED rule. Accepting on source port 53
# alone would let anyone reach any port just by sending from port 53, so these stay disabled.
#iptables -A INPUT -p udp --sport 53 -j ACCEPT
#iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.86.87.0/24 -o eno16777984 -j MASQUERADE
iptables -A OUTPUT -j ACCEPT
# LOG must precede REJECT: a LOG rule appended after REJECT (or after the OUTPUT ACCEPT) never matches
iptables -A INPUT -j LOG --log-prefix "iptables"
iptables -A INPUT -j REJECT
service iptables save

Note: eno16777984 is the network interface name on this CentOS 7 host; replace it with your own uplink interface (ip link lists them).

Start the VPN

ipsec start

Watch the connection process in the log

tail -f /var/log/strongswan.charon.log

Configure RADIUS

Install freeradius

yum -y install freeradius freeradius-mysql freeradius-utils

Install MySQL

yum -y install mysql-server mysql mysql-devel

Start MySQL

service mysqld start

Enable MySQL at boot

chkconfig mysqld on

Import the freeradius database tables

mysql -u root -p

The initial MySQL root password is empty, so just press Enter to log in. Set a root password (mysql_secure_installation does this) before the host is reachable from anywhere else.

Create the database

mysql> create database radius;   (remember the trailing semicolon)

Create the user and grant privileges

mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@'localhost' IDENTIFIED BY "the password radius will use to connect to MySQL";
mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@'%' IDENTIFIED BY "the password radius will use to connect to MySQL";
mysql> flush privileges;   (apply the grants)
mysql> use radius;   (switch to the radius database)

The radius@'%' grant lets this account log in from any host. It is only needed when freeradius or daloradius run on a different machine, and then port 3306 should be reachable from those hosts only (the firewall script below does not open it).

Import the predefined freeradius table structure

mysql> SOURCE /etc/raddb/sql/mysql/schema.sql
mysql> SOURCE /etc/raddb/sql/mysql/cui.sql
mysql> SOURCE /etc/raddb/sql/mysql/ippool.sql
mysql> SOURCE /etc/raddb/sql/mysql/nas.sql
mysql> SOURCE /etc/raddb/sql/mysql/wimax.sql

Configure the freeradius database connection (password must be the one given in the GRANT statements above)

vim /etc/raddb/sql.conf

# Connection info:
server = "localhost"
#port = 3306
login = "radius"
password = "radpass"

# Database table configuration for everything except Oracle
radius_db = "radius"

Make freeradius authenticate against the MySQL tables

First include sql.conf

vim /etc/raddb/radiusd.conf

change # $INCLUDE sql.conf to $INCLUDE sql.conf

change #$INCLUDE sql/mysql/counter.conf to $INCLUDE sql/mysql/counter.conf

change #$INCLUDE eap.conf to $INCLUDE eap.conf

Next

vim /etc/raddb/sites-available/default

line 170: comment out files
line 177: uncomment sql
line 396: comment out radutmp
line 397: uncomment sradutmp
line 406: uncomment sql
line 450: comment out radutmp
line 454: uncomment sql
line 475: uncomment sql
line 577: uncomment sql

The line numbers are those of the freeradius 2 package the author used and may differ slightly; the intent is to switch the authorize, accounting, session and post-auth sections from the flat-file modules (files, radutmp) to sql.

Next

vim /etc/raddb/sites-available/inner-tunnel

line 125: comment out files
line 132: uncomment sql
line 252: comment out radutmp
line 256: uncomment sql
line 278: uncomment sql
line 302: uncomment sql

Then

vim /etc/raddb/sql.conf

change #readclients = yes to readclients = yes

With readclients on, freeradius loads its RADIUS clients (NAS entries and their shared secrets) from the nas table when it starts, which is how clients added through daloradius take effect; restart radiusd after changing that table.

Change the RADIUS shared secret

vim /etc/raddb/clients.conf

secret = testing123   (replace testing123 with the secret you want to use)

The default client entry in clients.conf covers only 127.0.0.1. The strongswan gateway must be defined as a client too, either here with its own client block and secret or later through the nas table, and that secret must match the one in eap-radius.conf on the gateway.

Add a test user (optional, for testing only)

mysql -uroot -p
mysql> use radius;
mysql> insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');
mysql> flush privileges;
mysql> exit;

Test

Start radius in debug mode (Ctrl+C exits)

radiusd -X

In a new shell on the same host run

radtest test test 127.0.0.1 0 testing123

The last argument is the shared secret for 127.0.0.1 from clients.conf, so use the value you set there. An Access-Accept in the debug output means the SQL lookup works.

Deploy daloradius, starting with the LAMP environment

yum -y install php-mysql php php-gd php-pear-DB httpd

These repositories ship PHP 5, which is what this daloradius release expects; newer PHP versions cause problems.

Download daloradius

wget http://jaist.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz

Extract

tar zxvf daloradius-0.9-9.tar.gz

Import the daloradius tables into MySQL (the path below assumes the archive was extracted under /soft; use the directory you extracted into)

mysql -uroot -p
mysql> use radius;
mysql> SOURCE /soft/daloradius-0.9-9/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

Edit the daloradius database connection settings (CONFIG_DB_PASS must be the password given in the GRANT statements above)

vim daloradius-0.9-9/library/daloradius.conf.php

$configValues['DALORADIUS_VERSION'] = '0.9-9';
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radpass';
$configValues['CONFIG_DB_NAME'] = 'radius';
$configValues['CONFIG_FILE_RADIUS_PROXY'] = '/etc/raddb/proxy.conf';
$configValues['CONFIG_PATH_RADIUS_DICT'] = '/etc/raddb';
$configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/var/www/html/daloradius/var';
$configValues['CONFIG_LOG_FILE'] = '/var/www/html/daloradius/var/daloradius.log';

Copy daloradius to the web directory

cp daloradius-0.9-9 /var/www/html/daloradius -fr

Create the log file

touch /var/www/html/daloradius/var/daloradius.log

Make radius.log readable

chmod 644 /var/log/radius.log

Give the apache user and group ownership, otherwise the logs cannot be read

chown -R apache:apache /var/www/html/daloradius

Redirect the radius log

vim /etc/raddb/radiusd.conf

#file = ${logdir}/radius.log
file = /var/log/radius.log

Make /var/log/messages readable

chmod 644 /var/log/messages

Note that 644 is read/write for the owner and read-only for everyone else: it lets apache read the file, but so can every other local account. An ACL limited to the apache user (setfacl -m u:apache:r /var/log/messages) gives the web app the same access without making the system log world-readable.

Edit the daloradius log configuration (only the last line needs adding; the others are usually already present)

vim /var/www/html/daloradius/library/exten-radius_log.php
$logfile_loc = array();
$logfile_loc[1] = '/var/log/freeradius/radius.log';
$logfile_loc[2] = '/usr/local/var/log/radius/radius.log';
$logfile_loc[3] = '/var/log/radius/radius.log';
$logfile_loc[4] = '/var/log/radius.log';

Set the per-user limit on simultaneous sessions, here 3

vim /etc/raddb/sql/mysql/dialup.conf

Remove the leading # from lines 290-293 (the simul_count_query block, which lets the sql module count a user's open sessions in radacct; this only works because accounting = yes in eap-radius.conf makes the gateway send accounting start/stop records)

Insert the check rule (it applies to members of the group users, so each user must be mapped to that group in radusergroup)

mysql -uroot -p
mysql> use radius;
mysql> INSERT INTO radgroupcheck ( id , GroupName , Attribute , op , Value ) VALUES (NULL , 'users', 'Simultaneous-Use', ':=', '3');
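The database rows this post creates by hand (the test user, the Simultaneous-Use check) together with two it leaves implicit: the radusergroup row without which the group check never applies, and the nas row that readclients = yes loads as the gateway's client entry. The shell function below is an added example, not the author's SQL; the user name, password, gateway address 203.0.113.10 and secret are placeholders, and its output is meant to be piped into mysql radius. It uses Cleartext-Password rather than User-Password because EAP-MSCHAPv2, which IKEv2 clients use, needs the cleartext password to compute the NT hash.

```shell
#!/bin/sh
# Added example: emit the SQL that provisions one VPN user, the per-group
# session limit, the group membership and the gateway's NAS entry in the
# FreeRADIUS 2 schema (radcheck, radgroupcheck, radusergroup, nas). All values
# are placeholders; usage: provision_sql USER PASS NAS_IP NAS_NAME NAS_SECRET [LIMIT] | mysql radius

# sql_quote VALUE: escape a value for a single-quoted MySQL string literal
# (backslashes first, then single quotes).
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

provision_sql() {
    u=$(sql_quote "$1"); p=$(sql_quote "$2")
    nas_ip=$(sql_quote "$3"); nas_name=$(sql_quote "$4"); nas_secret=$(sql_quote "$5")
    max=${6:-3}
    cat <<EOF
-- user credential; Cleartext-Password is what EAP-MSCHAPv2 needs
INSERT INTO radcheck (username, attribute, op, value) VALUES ('$u', 'Cleartext-Password', ':=', '$p');
-- group-level cap on concurrent sessions, counted from radacct by simul_count_query
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES ('users', 'Simultaneous-Use', ':=', '$max');
-- the cap applies only to members of the group
INSERT INTO radusergroup (username, groupname, priority) VALUES ('$u', 'users', 1);
-- the strongSwan gateway as a RADIUS client; restart radiusd so readclients reloads the table
INSERT INTO nas (nasname, shortname, type, secret, description) VALUES ('$nas_ip', '$nas_name', 'other', '$nas_secret', 'strongSwan IKEv2 gateway');
EOF
}

# count_inserts ARGS...: number of INSERT statements provision_sql emits
count_inserts() {
    provision_sql "$@" | grep -c '^INSERT'
}
```

The test user from the post (test/test) goes in the same way; the only difference from the post's radcheck row is the attribute name, and radtest accepts both.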

Set the Apache ServerName

vim /etc/httpd/conf/httpd.conf

Find ServerName and change it to

ServerName 0.0.0.0:80

The configuration is basically complete

Start apache and enable it at boot

service httpd start
chkconfig httpd on

Start radius and enable it at boot

service radiusd start
chkconfig radiusd on

Finally, configure the firewall

Flush the existing rules

iptables -F

Create the firewall script

touch iptables.sh

Write the firewall configuration (replace eno16777984 with the name of your interface)

vim iptables.sh

#!/bin/bash
# policy for iptables
# Forwarding must be on for VPN client traffic to be routed out; the MASQUERADE rule below relies on it
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# RADIUS: 1812 authentication, 1813 accounting (1814 is not a standard RADIUS port)
iptables -A INPUT -p udp --dport 1813 -j ACCEPT
iptables -A INPUT -p udp --dport 1814 -j ACCEPT
iptables -A INPUT -p udp --dport 1812 -j ACCEPT
# IKE (500), NAT-T (4500) and raw ESP for clients that are not behind NAT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# DNS replies are already covered by the ESTABLISHED,RELATED rule. Accepting on source port 53
# alone would let anyone reach any port just by sending from port 53, so these stay disabled.
#iptables -A INPUT -p udp --sport 53 -j ACCEPT
#iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.86.87.0/24 -o eno16777984 -j MASQUERADE
iptables -A OUTPUT -j ACCEPT
# LOG must precede REJECT: a LOG rule appended after REJECT (or after the OUTPUT ACCEPT) never matches
iptables -A INPUT -j LOG --log-prefix "iptables"
iptables -A INPUT -j REJECT
service iptables save

Run the script

bash iptables.sh

Open the web admin interface

http://ip/daloradius

Username: administrator

Password: radius. Change it immediately: the firewall script opens port 80 to everyone, and this default is publicly known.
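Both firewall scripts in this post (the one in the strongswan section and the one just above) share two rule-ordering mistakes that are easy to miss by eye: an ACCEPT that matches on source port 53 alone, which lets any remote host reach any port simply by sending from port 53, and LOG rules appended after a catch-all REJECT or ACCEPT, which can never match. The following added example (not part of the original post) audits a rule set in iptables-save format for both patterns; the two embedded rule sets are constructed samples, one reduced from the post's script and one with the fixed ordering.

```shell
#!/bin/sh
# Added example: audit iptables-save output for two mistakes.
#   BYPASS  an ACCEPT keyed only on --sport; reply traffic is already covered
#           by the ESTABLISHED,RELATED rule, so this only helps an attacker.
#   DEAD    a rule appended after a catch-all ACCEPT/DROP/REJECT in the same
#           chain, which can never match (e.g. LOG placed after REJECT).
# Usage: audit_rules "$(iptables-save)"   exit status = number of findings

# Constructed sample, reduced from the post's script as iptables-save prints it.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j LOG --log-prefix "iptables"
-A OUTPUT -j ACCEPT
-A OUTPUT -j LOG --log-prefix "iptables"
COMMIT'

# Constructed sample with the ordering fixed: no source-port ACCEPT, LOG before REJECT.
FIXED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables"
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# audit_rules RULES: print one finding per line; exit status is the finding count.
audit_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            # anything after a catch-all terminating rule in this chain is unreachable
            if (chain in closed) {
                printf "DEAD: %s rule is unreachable after \"%s\": %s\n", chain, closed[chain], $0
                n++
            }
            # an ACCEPT whose only selector is the source port
            port = ""
            for (i = 1; i < NF; i++) if ($i == "--sport") port = $(i + 1)
            if (port != "" && $0 ~ /-j ACCEPT/ && $0 !~ /--dport/ && $0 !~ /--state/) {
                printf "BYPASS: %s accepts anything sent from source port %s: %s\n", chain, port, $0
                n++
            }
            # "-A CHAIN -j TARGET ..." with no match options closes the chain
            if ($0 ~ /^-A [A-Za-z0-9_]+ -j (ACCEPT|DROP|REJECT)( .*)?$/) closed[chain] = $0
        }
        END { exit n }'
}

# count_findings RULES: number of findings as a plain integer
count_findings() {
    audit_rules "$1" | wc -l | tr -d ' '
}
```

On a live host, audit_rules "$(iptables-save)" after running iptables.sh reports every rule the kernel will never consult, which is the quickest way to notice that the post's LOG lines produced no log entries.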


This article was published by 永烁星光, author linus; please credit the source when reposting!
