CentOS 6.2 + OpenVPN + RADIUS + MySQL + daloRADIUS
Source: http://www.cactifans.org/***/615.html
OpenVPN is a VPN package that differs from PPTP and L2TP: it is an SSL-based VPN. Using OpenVPN requires client-side software.
OS: CentOS 6.2 i386
OpenVPN: openvpn-2.2.1-1.el6.i686
RADIUS: freeradius-2.1.10-5.el6.i686
MySQL: mysql 5.1.61
daloRADIUS: daloradius-0.9-9
I. CentOS system setup and LAMP
1. Install the system and set up the repositories
Do a minimal install of CentOS 6.2, then add a CentOS update mirror and the EPEL repository.
First back up /etc/yum.repos.d/CentOS-Base.repo:

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

Download the repo file for your CentOS version and place it in /etc/yum.repos.d/ (back up the existing file before doing so):
cd /etc/yum.repos.d/
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
yum -y update
reboot
sudo -s
LANG=C
yum -y install wget ntp
ntpdate pool.ntp.org
yum -y install httpd mysql mysql-devel mysql-server php php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers

2. Disable SELinux

vi /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

Change SELINUX=enforcing to SELINUX=disabled and save. SELinux is still running at this point, so switch it off for the current session and run the following commands as well:

setenforce 0
chkconfig httpd on
chkconfig mysqld on
/etc/init.d/httpd start
/etc/init.d/mysqld start
mysqladmin -u root password mysqlpwd

Flush the firewall rules:

iptables -F

3. Create a PHP test file

vi /var/www/html/test.php

Enter the test page content (the three-line snippet shown in the original is not preserved here).

II. Install RADIUS and configure MySQL authentication
1. Install RADIUS

yum install -y freeradius freeradius-mysql freeradius-utils

Configure a local user to test RADIUS:

vi /etc/raddb/users

On the last line of the file, remove the leading comment character:

testuser Cleartext-Password := "testpassword"

Then run:

chkconfig radiusd on
/etc/init.d/radiusd restart

Run:

radtest testuser testpassword localhost 1812 testing123

If you see

Sending Access-Request of id 86 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "testpassword"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=86, length=20

the RADIUS server is configured successfully.
2. Configure MySQL authentication for RADIUS

cp /etc/raddb/clients.conf /etc/raddb/clients.conf.bak
grep -v \# /etc/raddb/clients.conf.bak > /etc/raddb/clients.conf

Edit the clients file:

vi /etc/raddb/clients.conf

client 0.0.0.0 {
ipaddr = 127.0.0.1
secret = testing123
shortname = localhost
}

Edit the users file and comment out the test user:

vi /etc/raddb/users

#testuser Cleartext-Password := "testpassword"

Back up the database script and import it:

cp /etc/raddb/sql/mysql/admin.sql /etc/raddb/sql/mysql/admin.sql.bak
grep -v \# /etc/raddb/sql/mysql/admin.sql.bak > /etc/raddb/sql/mysql/admin.sql
vi /etc/raddb/sql/mysql/admin.sql

CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');
GRANT ALL ON radius.* TO 'radius'@'localhost';

The database is named radius and the password is radpass. If you choose your own password, you must also edit sql.conf afterwards and set the password to the one you chose:

vi /etc/raddb/sql.conf

Change the database password to radpass.
Import the radius database:

mysql -u root -p
create database radius;
exit
mysql -u root -p radius < /etc/raddb/sql/mysql/admin.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/schema.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/nas.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/ippool.sql

Edit the RADIUS configuration file so that it uses SQL authentication, by removing the # in front of $INCLUDE sql.conf:

vi /etc/raddb/radiusd.conf

$INCLUDE sql.conf

Modify sql.conf:

vi /etc/raddb/sql.conf

server = "localhost"
port = 3306
login = "radius"
password = "radpass"
radius_db = "radius"
readclients = yes

Change the authentication method:

vi /etc/raddb/sites-enabled/default

authorize {
	preprocess
	chap
	mschap
	suffix
	eap
	sql
}

accounting {
	detail
	sql
}

session {
	radutmp
	sql
}

Insert test data:

mysql -u root -p
use radius;
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('user1', 'Password', 'password1');
exit

Restart the RADIUS server:

/etc/init.d/radiusd restart

Test the RADIUS server by running:

radtest user1 password1 localhost 1812 testing123

If you see the following, the RADIUS server is working correctly:

Sending Access-Request of id 129 to 127.0.0.1 port 1812
	User-Name = "user1"
	User-Password = "password1"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=129, length=20

If you see the above, the RADIUS server can now authenticate against MySQL.
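The radcheck row inserted above stores the credential as a cleartext 'Password' attribute, and daloRADIUS creates users the same way by default. The helper below is an added example, not code from the original post or from FreeRADIUS: it reads rows in the tab-separated layout that `mysql -B -N -e "SELECT username, attribute, op, value FROM radcheck" radius` produces and reports, per user, whether the stored credential is cleartext or hashed, so an administrator can inventory what an attacker would obtain from a dump of the radius database. The sample rows in sample_radcheck are constructed for the demo; the attribute names are the standard FreeRADIUS ones.

```shell
#!/bin/sh
# Added example (not from the original post): inventory how credentials are
# stored in the FreeRADIUS radcheck table. Input rows are
#   username<TAB>attribute<TAB>op<TAB>value
# as printed by: mysql -B -N -e "SELECT username, attribute, op, value FROM radcheck" radius

# Map a radcheck attribute name to its storage class.
# NT-Password is unsalted and password-equivalent for MS-CHAP, so "hashed"
# does not mean the table can be left readable to other database users.
storage_class() {
    case "$1" in
        Cleartext-Password|User-Password|Password) echo cleartext ;;
        Crypt-Password|MD5-Password|SMD5-Password|SHA-Password|SSHA-Password|NT-Password|LM-Password) echo hashed ;;
        *) echo other ;;
    esac
}

# Read radcheck rows on stdin; print "user<TAB>class<TAB>attribute" for every
# credential row. Non-credential attributes (Expiration, Simultaneous-Use, ...) are skipped.
classify_radcheck() {
    while IFS="$(printf '\t')" read -r user attr op value; do
        [ -z "$user" ] && continue
        cls=$(storage_class "$attr")
        [ "$cls" = other ] && continue
        printf '%s\t%s\t%s\n' "$user" "$cls" "$attr"
    done
}

# Number of credential rows of class $1 (cleartext or hashed) in the rows on stdin.
count_class() {
    classify_radcheck | awk -v want="$1" -F '\t' '$2 == want { n++ } END { print n + 0 }'
}

# Constructed sample rows (demo only; the hash values are placeholders, not real hashes).
sample_radcheck() {
    printf 'user1\tPassword\t:=\tpassword1\n'
    printf 'testuser\tCleartext-Password\t:=\ttestpassword\n'
    printf 'alice\tNT-Password\t:=\tDEMO-NT-HASH-PLACEHOLDER\n'
    printf 'bob\tCrypt-Password\t:=\t$1$demo$notarealhash\n'
    printf 'alice\tExpiration\t:=\tJan 01 2030\n'
}
```

On the server, pipe the real query into the classifier: `mysql -B -N -e "SELECT username, attribute, op, value FROM radcheck" radius | classify_radcheck`. Users listed as cleartext should be migrated to a hashed attribute, and the radius database account's privileges kept to the radius database only, as the GRANT above already does.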
III. Install OpenVPN
1. Install OpenVPN

yum install -y openvpn

2. Create the certificates

cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn/

Then start creating the server CA and key:

cd /etc/openvpn/easy-rsa/2.0/

Edit vars, press Shift+G to jump to the end of the file, and fill in your own details:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="CN"
export KEY_CITY="XiangYang"
export KEY_ORG="cactifans"
export KEY_EMAIL="cactifans@gmail.com"

Then load the variables:

source ./vars

Now generate the CA certificate:

./clean-all
./build-ca

For the CA, just press Enter through the prompts to finish.
Next, generate server.key:

./build-key-server server

Press Enter until the last two prompts, and answer "y" to confirm.
Then we need to generate the Diffie-Hellman parameters, which takes a little while:

./build-dh

Next, we also need to generate a TLS authentication key:

openvpn --genkey --secret keys/ta.key

A quick recap at this point: all the files we generated are in /etc/openvpn/easy-rsa/2.0/keys/. Remember this path; we will use it shortly.
3. Install radiusplugin
radiusplugin is a RADIUS plugin for OpenVPN that lets OpenVPN authenticate users against a RADIUS server.

yum install -y libgcrypt libgpg-error libgcrypt-devel
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1.tar.gz
tar zxvf radiusplugin_v2.1.tar.gz
cd radiusplugin
make
cp radiusplugin.so /etc/openvpn
cp radiusplugin.cnf /etc/openvpn

Edit radiusplugin.cnf:

vi /etc/openvpn/radiusplugin.cnf

server
{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server.
	name=127.0.0.1
	# How many times should the plugin send the request if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=1
	# The shared secret.
	sharedsecret=testing123
}

4. Configure OpenVPN
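The secret in radiusplugin.cnf must match the secret of the 127.0.0.1 client block in /etc/raddb/clients.conf, and both are still the FreeRADIUS sample value testing123 at this point. A mismatch is the classic failure mode of this setup: radtest run with the clients.conf secret succeeds while every OpenVPN login is rejected. The script below is an added example, not code from the original post, FreeRADIUS or radiusplugin: it parses both files and reports a mismatch or the sample secret. It assumes the FreeRADIUS 2 clients.conf syntax and the radiusplugin.cnf syntax shown above; the files written by write_samples are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post): cross-check the RADIUS shared
# secret between FreeRADIUS's clients.conf and OpenVPN's radiusplugin.cnf.

# Secret of the client block in a FreeRADIUS 2 clients.conf ($1) whose ipaddr is $2.
# Accepts both "key = value" and "key=value"; comment lines are ignored.
clients_conf_secret() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*client[[:space:]]/ { inblock = 1; ip = ""; secret = ""; next }
        inblock && /^[[:space:]]*ipaddr[[:space:]]*=/ {
            sub(/^[[:space:]]*ipaddr[[:space:]]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); ip = $0 }
        inblock && /^[[:space:]]*secret[[:space:]]*=/ {
            sub(/^[[:space:]]*secret[[:space:]]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); secret = $0 }
        inblock && /^[[:space:]]*}/ { if (ip == want) print secret; inblock = 0 }
    ' "$1"
}

# sharedsecret value from a radiusplugin.cnf ($1).
plugin_shared_secret() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*sharedsecret[[:space:]]*=/ {
            sub(/^[[:space:]]*sharedsecret[[:space:]]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }
    ' "$1"
}

# Print findings; return 0 only when both secrets agree and neither is the sample value.
check_radius_secrets() {
    clients="$1"; plugin="$2"; radius_ip="${3:-127.0.0.1}"
    a=$(clients_conf_secret "$clients" "$radius_ip")
    b=$(plugin_shared_secret "$plugin")
    status=0
    [ -n "$a" ] || { echo "ERROR no client block for $radius_ip in $clients"; status=1; }
    [ -n "$b" ] || { echo "ERROR no sharedsecret in $plugin"; status=1; }
    if [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]; then
        # radtest with the clients.conf secret passes, yet the OpenVPN plugin is rejected
        echo "ERROR shared secret differs between $clients and $plugin"
        status=1
    fi
    if [ "$a" = "testing123" ] || [ "$b" = "testing123" ]; then
        echo "WARN secret is the FreeRADIUS sample value testing123; change it in both files"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK secrets agree"
    return "$status"
}

# Constructed sample files (demo only) mirroring the tutorial's values, plus a
# matching pair with a replaced secret and a deliberately mismatched plugin file.
write_samples() {
    cat > "$1/clients.conf" <<'EOF'
client 0.0.0.0 {
ipaddr=127.0.0.1
secret = testing123
shortname = localhost
}
EOF
    cat > "$1/radiusplugin.cnf" <<'EOF'
server
{
# The shared secret.
sharedsecret=testing123
}
EOF
    sed 's/testing123/Qx7-demo-secret/' "$1/clients.conf" > "$1/clients-good.conf"
    sed 's/testing123/Qx7-demo-secret/' "$1/radiusplugin.cnf" > "$1/radiusplugin-good.cnf"
    sed 's/testing123/changed-on-one-side/' "$1/radiusplugin.cnf" > "$1/radiusplugin-mismatch.cnf"
}
```

On the server, run `check_radius_secrets /etc/raddb/clients.conf /etc/openvpn/radiusplugin.cnf` after editing both files; a non-zero exit means logins through the plugin will fail or the sample secret is still in use.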
cp /usr/share/doc/openvpn-2.2.1/sample-config-files/server.conf /etc/openvpn/
vi /etc/openvpn/server.conf

port 1194
proto udp
dev tun
# certificate and key locations
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
# client-config-dir expects a directory of per-client override files, not the
# RADIUS clients.conf; it is not needed for this setup and is left disabled.
#client-config-dir /etc/raddb/clients.conf
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
client-cert-not-required
username-as-common-name
# load the radiusplugin.so plugin with its configuration file
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
# log
# log file locations
log /var/log/openvpn.log
status /var/log/openvpn-status.log
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
# log level
verb 3

Change the kernel parameters:

vi /etc/sysctl.conf

Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
and apply it immediately:

sysctl -p

Configure iptables:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.2
iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
service iptables save
service iptables restart
chkconfig openvpn on
service openvpn start

192.168.1.2 is your server's IP address.
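The server.conf above makes a few security-relevant choices worth checking before the service goes live: client-cert-not-required turns the VPN into password-only authentication (the RADIUS user table and ta.key become the only things a client needs), the DH parameters are 1024-bit, and a client-config-dir line pointing at a file rather than a directory would make OpenVPN's per-client overrides silently useless. The script below is an added example, not code from the original post or from the OpenVPN project: it audits an OpenVPN 2.x server.conf for exactly these points. The config files written by write_sample_confs are constructed: the first mirrors the tutorial's settings, the second drops the client-config-dir line and uses 2048-bit DH parameters (regenerated by easy-rsa's build-dh after raising KEY_SIZE in vars).

```shell
#!/bin/sh
# Added example (not part of the original post): audit an OpenVPN 2.x server.conf
# for the settings this tutorial relies on. Prints one finding per line
# ("WARN ..." / "ERROR ...") and returns the number of findings (0 = clean).

# Value (second word) of the first occurrence of option $2 in config $1; comments skipped.
conf_value() {
    awk -v opt="$2" '/^[[:space:]]*[#;]/ { next } $1 == opt { print $2; exit }' "$1"
}

audit_openvpn_conf() {
    conf="$1"
    n=0
    # Password-only authentication: no client certificate is verified.
    if grep -q '^[[:space:]]*client-cert-not-required' "$conf"; then
        echo "WARN client-cert-not-required: clients are identified by RADIUS credentials alone; protect the radcheck table and ta.key accordingly"
        n=$((n + 1))
    fi
    # Without tls-auth the daemon answers handshake packets from any source address.
    if [ -z "$(conf_value "$conf" tls-auth)" ]; then
        echo "WARN no tls-auth: the UDP port accepts TLS handshake packets from any source"
        n=$((n + 1))
    fi
    dh=$(conf_value "$conf" dh)
    case "$dh" in
        "") echo "ERROR no dh parameters configured"; n=$((n + 1)) ;;
        *1024*) echo "WARN dh $dh: 1024-bit Diffie-Hellman parameters are too small; regenerate with a larger KEY_SIZE in easy-rsa's vars"; n=$((n + 1)) ;;
    esac
    # client-config-dir must name a directory of per-client files.
    ccd=$(conf_value "$conf" client-config-dir)
    if [ -n "$ccd" ] && [ ! -d "$ccd" ]; then
        echo "ERROR client-config-dir $ccd is not a directory (the RADIUS clients.conf is not a ccd)"
        n=$((n + 1))
    fi
    # The plugin line needs both the shared object and its configuration file.
    if grep -q '^[[:space:]]*plugin[[:space:]]' "$conf"; then
        set -- $(grep '^[[:space:]]*plugin[[:space:]]' "$conf" | head -n 1)
        if [ "$#" -lt 3 ]; then
            echo "ERROR plugin line lacks the radiusplugin.cnf argument"
            n=$((n + 1))
        fi
    fi
    return "$n"
}

# Constructed sample configs (demo only): the tutorial's settings, then a variant
# without the stray client-config-dir line and with 2048-bit DH parameters.
write_sample_confs() {
    cat > "$1/server-tutorial.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
client-config-dir /etc/raddb/clients.conf
server 10.8.0.0 255.255.255.0
client-cert-not-required
username-as-common-name
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
EOF
    sed -e '/^client-config-dir/d' -e 's/dh1024.pem/dh2048.pem/' "$1/server-tutorial.conf" > "$1/server-hardened.conf"
}
```

Run `audit_openvpn_conf /etc/openvpn/server.conf` on the server; the client-cert-not-required warning is expected for this RADIUS-password design and documents what the deployment depends on, while any ERROR line should be fixed before starting the service.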
IV. Install daloRADIUS

wget http://download.pear.php.net/package/DB-1.7.14RC2.tgz
pear install DB-1.7.14RC2.tgz
wget http://nchc.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
tar -zxvf daloradius-0.9-9.tar.gz
mv daloradius-0.9-9 daloradius
cp -rf daloradius/* /var/www/html/
chown apache:apache -R /var/www/html/
chmod 644 /var/www/html/library/daloradius.conf.php
cd /var/www/html/contrib/db/
mysql -u root -p radius < mysql-daloradius.sql

Edit the daloRADIUS configuration file:

vi /var/www/html/library/daloradius.conf.php

###########
$configValues['DALORADIUS_VERSION'] = '0.9-9';
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radpass';
$configValues['CONFIG_DB_NAME'] = 'radius';
$configValues['CONFIG_DB_TBL_RADCHECK'] = 'radcheck';
$configValues['CONFIG_DB_TBL_RADREPLY'] = 'radreply';
$configValues['CONFIG_DB_TBL_RADGROUPREPLY'] = 'radgroupreply';
$configValues['CONFIG_DB_TBL_RADGROUPCHECK'] = 'radgroupcheck';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
$configValues['CONFIG_DB_TBL_RADNAS'] = 'nas';
$configValues['CONFIG_DB_TBL_RADPOSTAUTH'] = 'radpostauth';
$configValues['CONFIG_DB_TBL_RADACCT'] = 'radacct';
...

Create the daloRADIUS log file:

touch /tmp/daloradius.log
chown apache.apache /tmp/daloradius.log

After installation, open Http://xxx.xxx.xxx.xxx in a browser to reach daloRADIUS. The login username and password are:

username: administrator
password: radius

V. Client setup
Download http://swupdate.open***.org/community/releases/open***-2.2.1-install.exe
The installation directory contains a config directory;
copy the three files ca.crt, ca.key and ta.key from the server into config.
Create a new text file with the following content:

client
dev tun
proto udp
remote 192.168.1.2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
ns-cert-type server
comp-lzo
verb 3
auth-user-pass

Save it as client.ovpn; remote is your OpenVPN server's public IP, port 1194.
Run openvpn-gui, right-click its icon in the bottom-right corner of the desktop and choose Connect to connect to the OpenVPN server.
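The client profile above references only ca.crt (to verify the server certificate) and ta.key (the shared tls-auth key); the CA's private key ca.key is not used by the client and must stay on the CA, since anyone holding it can issue server certificates the clients will trust. The script below is an added example, not code from the original post or from OpenVPN: it assembles the client's config directory from the server's easy-rsa keys directory, refuses any file that is a PEM private key, and writes the client.ovpn shown above with the remote address filled in. The path /etc/openvpn/easy-rsa/2.0/keys and the address 192.168.1.2 are the tutorial's; the files written by write_fake_keys are constructed stand-ins for the demo, not real keys.

```shell
#!/bin/sh
# Added example (not part of the original post): build the OpenVPN client bundle
# (ca.crt, ta.key, client.ovpn) without ever copying a private key off the server.

# 0 if the file is a PEM-encoded private key, 1 otherwise.
# The tls-auth key uses an "OpenVPN Static key V1" header, so it is not matched.
is_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Copy the named files from directory $1 into directory $2, refusing private keys
# and reporting missing files. Returns the number of files not copied.
build_client_bundle() {
    src="$1"; dst="$2"; shift 2
    refused=0
    mkdir -p "$dst"
    for name in "$@"; do
        f="$src/$name"
        if [ ! -f "$f" ]; then
            echo "ERROR $f is missing"; refused=$((refused + 1)); continue
        fi
        if is_private_key "$f"; then
            echo "REFUSED $name: private key stays on the server"
            refused=$((refused + 1)); continue
        fi
        cp "$f" "$dst/$name"
        chmod 600 "$dst/$name"   # ta.key is a shared secret; keep it unreadable to other users
    done
    return "$refused"
}

# Write the tutorial's client.ovpn into directory $1 for server address $2.
write_client_profile() {
    remote="${2:-192.168.1.2}"
    cat > "$1/client.ovpn" <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
EOF
}

# Constructed stand-ins for easy-rsa output (demo only; not real keys or certificates).
write_fake_keys() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' DEMO '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' DEMO '-----END RSA PRIVATE KEY-----' > "$1/ca.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' DEMO '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

# Typical use on the server (hypothetical output directory):
#   build_client_bundle /etc/openvpn/easy-rsa/2.0/keys /root/client-bundle ca.crt ta.key
#   write_client_profile /root/client-bundle 192.168.1.2
```

Copy the resulting directory to the Windows client's config folder; the bundle contains the server's public CA certificate, the shared tls-auth key and the profile, and nothing that could be used to mint certificates.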