The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Установка VPN с использованием MPD + FreeRadius (vpn radius auth aaa billing pptp freebsd)


<< Предыдущая ИНДЕКС Поиск в статьях src Установить закладку Перейти на закладку Следующая >>
Ключевые слова: vpn, radius, auth, aaa, billing, pptp, freebsd,  (найти похожие документы)
From: Cyrill Malevanov <[email protected]> Newsgroups: email Date: Mon, 11 Nov 2003 14:31:37 +0000 (UTC) Subject: Установка VPN с использованием MPD + FreeRadius Установка VPN с использованием MPD+FreeRadius В статье рассматривается установка VPN-сервера, совместимого с MS WindowsTM. Заранее предполагается, что уже установлена СУБД PostgreSQL, в ней будет храниться информация о пользователях. Disclaimer Я ни в коем разе не претендую, что установка сделана правильно, корректно, "так как надо" и прочая. Я описываю только что, что у меня работает. Установка FreeRadius Сначала необходимо установить и настроить FreeRadius. cd /usr/ports/net/freeradius make install Удалять файлы, которые получились при работе установщика, мы пока не будем, так как они нам понадобятся. Заходим в /usr/local/etc/raddb, копируем файлы dictionary.*.sample в dictionary.* - это файлы словарей атрибутов, которые используются различными сервисами Теперь создаем пустой файл acct-users, затем файл attrs со следующим содержимым: DEFAULT Service-Type == Framed-User, Service-Type == Login-User, Login-Service == Telnet, Login-Service == Rlogin, Login-Service == TCP-Clear, Login-TCP-Port <= 65536, Framed-IP-Address == 255.255.255.254, Framed-IP-Netmask == 255.255.255.255, Framed-Protocol == PPP, Framed-Protocol == SLIP, Framed-Compression == Van-Jacobson-TCP-IP, Framed-MTU >= 576, Framed-Filter-ID =* ANY, Reply-Message =* ANY, Proxy-State =* ANY, Session-Timeout <= 28800, Idle-Timeout <= 600, Port-Limit <= 2 В файле clients прописываем IP-адреса тех хостов, которые будут обращаться к радиусу, и для каждого хоста задаем пароль: # Client Name Key #---------------- ---------- #portmaster1.isp.com testing123 #portmaster2.isp.com testing123 #proxyradius.isp2.com TheirKey 192.168.1.200 test1 localhost test2 Файл clients вообще относится к obsoleted (устаревшим), но просто оставим его, на случай каких-либо несовместимостей. Точно ту же информацию, но в другом формате, заносим в файл clients.conf: # clients.conf - client configuration directives # # This file is included by default. To disable it, you will need # to modify the CLIENTS CONFIGURATION section of "radiusd.conf". # ####################################################################### ####################################################################### # # Definition of a RADIUS client (usually a NAS). # # The information given here over rides anything given in the 'clients' # file, or in the 'naslist' file. The configuration here contains # all of the information from those two files, and also allows for more # configuration items. # # The "shortname" can be used for logging, and the "nastype", # "login" and "password" fields are mainly used for checkrad and are # optional. # # # Defines a RADIUS client. The format is 'client [hostname|ip-address]' # # '127.0.0.1' is another name for 'localhost'. It is enabled by default, # to allow testing of the server after an initial installation. If you # are not going to be permitting RADIUS queries from localhost, we suggest # that you delete, or comment out, this entry. # client 127.0.0.1 { # # The shared secret use to "encrypt" and "sign" packets between # the NAS and FreeRADIUS. You MUST change this secret from the # default, otherwise it's not a secret any more! # # The secret can be any string, up to 32 characters in length. # secret = test2 # # The short name is used as an alias for the fully qualified # domain name, or the IP address. # shortname = localhost # # the following three fields are optional, but may be used by # checkrad.pl for simultaneous use checks # # # The nastype tells 'checkrad.pl' which NAS-specific method to # use to query the NAS for simultaneous use. # # Permitted NAS types are: # # cisco # computone # livingston # max40xx # multitech # netserver # pathras # patton # portslave # tc # usrhiper # other # for all other types # nastype = other # localhost isn't usually a NAS... # # The following two configurations are for future use. # The 'naspasswd' file is currently used to store the NAS # login name and password, which is used by checkrad.pl # when querying the NAS for simultaneous use. # # login = !root # password = someadminpas } client 192.168.1.200 { secret = test1 shortname = user } # # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # #client 192.168.0.0/24 { # secret = testing123-1 # shortname = private-network-1 #} # #client 192.168.0.0/16 { # secret = testing123-2 # shortname = private-network-2 #} client 10.1.1.1 { # # secret and password are mapped through the "secrets" file. secret = test2 shortname = local # # the following three fields are optional, but may be used by # # checkrad.pl for simultaneous usage checks nastype = other # login = !root # password = someadminpas } Создаем файл hints со следующим содержимым: DEFAULT Suffix = ".ppp", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Suffix = ".slip", Strip-User-Name = Yes Hint = "SLIP", Service-Type = Framed-User, Framed-Protocol = SLIP DEFAULT Suffix = ".cslip", Strip-User-Name = Yes Hint = "CSLIP", Service-Type = Framed-User, Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP Создаем пустой файл huntgroups и файл naslist со следующим содержанием: localhost local portslave Создаем пустой файл preproxy_users и файл users следующего содержания: DEFAULT Auth-Type := MS-CHAP Здесь мы задаем, что все пользователи должны использовать тип авторизации MS-CHAP, версий 1 или 2. Все версии MS WindowsTM благополучно авторизируются по этому протоколу. Затем настраиваем доступ FreeRadius к PostgreSQL, для этого копируем файл postgresql.conf.sample в postgresql.conf и меняем одну строчку: находим строку, начинающуюся с authorize_group_check_query и меняем текст запроса на "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute, ${groupcheck_table}.Value,${groupcheck_table}.Op FROM ${groupcheck_table}, ${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id" ------------------- Файл proxy.conf: ------------------- proxy server { # # If the NAS re-sends the request to us, we can immediately re-send # the proxy request to the end server. To do so, use 'yes' here. # # If this is set to 'no', then we send the retries on our own schedule, # and ignore any duplicate NAS requests. # # If you want to have the server send proxy retries ONLY when the NAS # sends it's retries to the server, then set this to 'yes', and # set the other proxy configuration parameters to 0 (zero). # synchronous = no # # The time (in seconds) to wait for a response from the proxy, before # re-sending the proxied request. # # If this time is set too high, then the NAS may re-send the request, # or it may give up entirely, and reject the user. # # If it is set too low, then the RADIUS server which receives the proxy # request will get kicked unnecessarily. # retry_delay = 5 # # The number of retries to send before giving up, and sending a reject # message to the NAS. # retry_count = 3 # # If the home server does not respond to any of the multiple retries, # then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'. # # If there are multiple entries configured for this realm, then the # server will fail-over to the next one listed. If no more are listed, # then no requests will be proxied to that realm. # # # After a configurable 'dead_time', in seconds, FreeRADIUS will # speculatively mark the home server active, and start sending requests # to it again. # # If this dead time is set too low, then you will lose requests, # as FreeRADIUS will quickly switch back to the home server, even if # it isn't up again. # # If this dead time is set too high, then FreeRADIUS may take too long # to switch back to the primary home server. # # Realistic values for this number are in the range of minutes to hours. # (60 to 3600) # dead_time = 120 # If you choose to list a realm more then once for fall-through or # round-robin, then specify the total number of alternates here. Specify # a ldflag attribute for all realms to be included in a round-robin # setup. Currently (0 or fail_over) and (1 or round_robin) are the # supported values for ldflag. Fail-Over is the default setup. # servers_per_realm = 15 # # If all exact matching realms did not respond, we can try the # DEFAULT realm, too. This is what the server normally does. # # This behaviour may be undesired for some cases. e.g. You are proxying # for two different ISP's, and then act as a general dial-up for Gric. # If one of the first two ISP's has their RADIUS server go down, you do # NOT want to proxy those requests to GRIC. Instead, you probably want # to just drop the requests on the floor. In that case, set this value # to 'no'. # # allowed values: {yes, no} # default_fallback = yes } --------------------- Файл radiusd.conf: --------------------- # ## radiusd.conf -- FreeRADIUS server configuration file. ## ## http://www.freeradius.org/ ## $Id: radiusd.conf.in,v 1.123 2002/11/12 20:22:48 aland Exp $ ## # The location of other config files and # logfiles are declared in this file # # Also general configuration for modules can be done # in this file, it is exported through the API to # modules that ask for it. # # The configuration variables defined here are of the form ${foo} # They are local to this file, and do not change from request to # request. # # The per-request variables are of the form %{Attribute-Name}, and # are taken from the values of the attribute in the incoming # request. See 'doc/variables.txt' for more information. prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # Location of config and logfiles. confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd # # The logging messages for the server are appended to the # tail of this file. # log_file = ${logdir}/radius.log # # libdir: Where to find the rlm_* modules. # # This should be automatically set at configuration time. # # If the server builds and installs, but fails at execution time # with an 'undefined symbol' error, then you can use the libdir # directive to work around the problem. # # The cause is usually that a library has been installed on your # system in a place where the dynamic linker CANNOT find it. When # executing as root (or another user), your personal environment MAY # be set up to allow the dynamic linker to find the library. When # executing as a daemon, FreeRADIUS MAY NOT have the same # personalized configuration. # # To work around the problem, find out which library contains that symbol, # and add the directory containing that library to the end of 'libdir', # with a colon separating the directory names. NO spaces are allowed. # # e.g. libdir = /usr/local/lib:/opt/package/lib # # You can also try setting the LD_LIBRARY_PATH environment variable # in a script which starts the server. # # If that does not work, then you can re-configure and re-build the # server to NOT use shared libraries, via: # # ./configure --disable-shared # make # make install # libdir = ${exec_prefix}/lib # pidfile: Where to place the PID of the RADIUS server. # # The server may be signalled while it's running by using this # file. # # This file is written when ONLY running in daemon mode. # # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` # pidfile = ${run_dir}/radiusd.pid # user/group: The name (or #number) of the user/group to run radiusd as. # # If these are commented out, the server will run as the user/group # that started it. In order to change to a different user/group, you # MUST be root ( or have root privleges ) to start the server. # # We STRONGLY recommend that you run the server with as few permissions # as possible. That is, if you're not using shadow passwords, the # user and group items below should be set to 'nobody'. # # On SCO (ODT 3) use "user = nouser" and "group = nogroup". # # NOTE that some kernels refuse to setgid(group) when the value of # (unsigned)group is above 60000; don't use group nobody on these systems! # # On systems with shadow passwords, you might have to set 'group = shadow' # for the server to be able to read the shadow password file. If you can # authenticate users while in debug mode, but not in daemon mode, it may be # that the debugging mode server is running as a user that can read the # shadow info, and the user listed below can not. # user = nobody group = nogroup # max_request_time: The maximum time (in seconds) to handle a request. # # Requests which take more time than this to process may be killed, and # a REJECT message is returned. # # WARNING: If you notice that requests take a long time to be handled, # then this MAY INDICATE a bug in the server, in one of the modules # used to handle a request, OR in your local configuration. # # This problem is most often seen when using an SQL database. If it takes # more than a second or two to receive an answer from the SQL database, # then it probably means that you haven't indexed the database. See your # SQL server documentation for more information. # # Useful range of values: 5 to 120 # max_request_time = 5 # delete_blocked_requests: If the request takes MORE THAN 'max_request_time' # to be handled, then maybe the server should delete it. # # If you're running in threaded, or thread pool mode, this setting # should probably be 'no'. Setting it to 'yes' when using a threaded # server MAY cause the server to crash! # delete_blocked_requests = no # cleanup_delay: The time to wait (in seconds) before cleaning up # a reply which was sent to the NAS. # # The RADIUS request is normally cached internally for a short period # of time, after the reply is sent to the NAS. The reply packet may be # lost in the network, and the NAS will not see it. The NAS will then # re-send the request, and the server will respond quickly with the # cached reply. # # If this value is set too low, then duplicate requests from the NAS # MAY NOT be detected, and will instead be handled as seperate requests. # # If this value is set too high, then the server will cache too many # requests, and some new requests may get blocked. (See 'max_requests'.) # # Useful range of values: 2 to 10 # cleanup_delay = 5 # max_requests: The maximum number of requests which the server keeps # track of. This should be 256 multiplied by the number of clients. # e.g. With 4 clients, this number should be 1024. # # If this number is too low, then when the server becomes busy, # it will not respond to any new requests, until the 'cleanup_delay' # time has passed, and it has removed the old requests. # # If this number is set too high, then the server will use a bit more # memory for no real benefit. # # If you aren't sure what it should be set to, it's better to set it # too high than too low. Setting it to 1000 per client is probably # the highest it should be. # # Useful range of values: 256 to infinity # max_requests = 1024 # bind_address: Make the server listen on a particular IP address, and # send replies out from that address. This directive is most useful # for machines with multiple IP addresses on one interface. # # It can either contain "*", or an IP address, or a fully qualified # Internet domain name. The default is "*" # bind_address = 10.1.1.1 # port: Allows you to bind FreeRADIUS to a specific port. # # The default port that most NAS boxes use is 1645, which is historical. # RFC 2138 defines 1812 to be the new port. Many new servers and # NAS boxes use 1812, which can create interoperability problems. # # The port is defined here to be 0 so that the server will pick up # the machine's local configuration for the radius port, as defined # in /etc/services. # # If you want to use the default RADIUS port as defined on your server, # (usually through 'grep radius /etc/services') set this to 0 (zero). # # A port given on the command-line via '-p' over-rides this one. # port = 1812 # hostname_lookups: Log the names of clients or just their IP addresses # e.g., www.freeradius.org (on) or 206.47.27.232 (off). # # The default is 'off' because it would be overall better for the net # if people had to knowingly turn this feature on, since enabling it # means that each client request will result in AT LEAST one lookup # request to the nameserver. Enabling hostname_lookups will also # mean that your server may stop randomly for 30 seconds from time # to time, if the DNS requests take too long. # # Turning hostname lookups off also means that the server won't block # for 30 seconds, if it sees an IP address which has no name associated # with it. # # allowed values: {no, yes} # hostname_lookups = no # Core dumps are a bad thing. This should only be set to 'yes' # if you're debugging a problem with the server. # # allowed values: {no, yes} # allow_core_dumps = no # Regular expressions # # These items are set at configure time. If they're set to "yes", # then setting them to "no" turns off regular expression support. # # If they're set to "no" at configure time, then setting them to "yes" # WILL NOT WORK. It will give you an error. # regular_expressions = yes extended_expressions = yes # Log the full User-Name attribute, as it was found in the request. # # allowed values: {no, yes} # log_stripped_names = yes # Log authentication requests to the log file. # # allowed values: {no, yes} # log_auth = yes # Log passwords with the authentication requests. # log_auth_badpass - logs password if it's rejected # log_auth_goodpass - logs password if it's correct # # allowed values: {no, yes} # log_auth_badpass = yes log_auth_goodpass = no # usercollide: Turn "username collision" code on and off. See the # "doc/duplicate-users" file # usercollide = no # lower_user / lower_pass: # Lower case the username/password "before" or "after" # attempting to authenticate. # # If "before", the server will first modify the request and then try # to auth the user. If "after", the server will first auth using the # values provided by the user. If that fails it will reprocess the # request after modifying it as you specify below. # # This is as close as we can get to case insensitivity. It is the # admin's job to ensure that the username on the auth db side is # *also* lowercase to make this work # # Default is 'no' (don't lowercase values) # Valid values = "before" / "after" / "no" # lower_user = yes lower_pass = no # nospace_user / nospace_pass: # # Some users like to enter spaces in their username or password # incorrectly. To save yourself the tech support call, you can # eliminate those spaces here: # # Default is 'no' (don't remove spaces) # Valid values = "before" / "after" / "no" (explanation above) # nospace_user = yes nospace_pass = no # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad # SECURITY CONFIGURATION # # There may be multiple methods of attacking on the server. This # section holds the configuration items which minimize the impact # of those attacks # security { # # max_attributes: The maximum number of attributes # permitted in a RADIUS packet. Packets which have MORE # than this number of attributes in them will be dropped. # # If this number is set too low, then no RADIUS packets # will be accepted. # # If this number is set too high, then an attacker may be # able to send a small number of packets which will cause # the server to use all available memory on the machine. # # Setting this number to 0 means "allow any number of attributes" max_attributes = 200 # # delayed_reject: When sending an Access-Reject, it can be # delayed for a few seconds. This may help slow down a DoS # attack. It also helps to slow down people trying to brute-force # crack a users password. # # Setting this number to 0 means "send rejects immediately" # # If this number is set higher than 'cleanup_delay', then the # rejects will be sent at 'cleanup_delay' time, when the request # is deleted from the internal cache of requests. # # Useful ranges: 1 to 5 reject_delay = 1 # # status_server: Whether or not the server will respond # to Status-Server requests. # # Normally this should be set to "no", because they're useless. # See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives # # However, certain NAS boxes may require them. # # When sent a Status-Server message, the server responds with # and Access-Accept packet, containing a Reply-Message attribute, # which is a string describing how long the server has been # running. # status_server = no } # PROXY CONFIGURATION # # proxy_requests: Turns proxying of RADIUS requests on or off. # # The server has proxying turned on by default. If your system is NOT # set up to proxy requests to another server, then you can turn proxying # off here. This will save a small amount of resources on the server. # # If you have proxying turned off, and your configuration files say # to proxy a request, then an error message will be logged. # # To disable proxying, change the "yes" to "no", and comment the # $INCLUDE line. # # allowed values: {no, yes} # proxy_requests = yes $INCLUDE ${confdir}/proxy.conf # CLIENTS CONFIGURATION # # Client configuration is defined in "clients.conf". # # The 'clients.conf' file contains all of the information from the old # 'clients' and 'naslist' configuration files. We recommend that you # do NOT use 'client's or 'naslist', although they are still # supported. # # Anything listed in 'clients.conf' will take precedence over the # information from the old-style configuration files. # $INCLUDE ${confdir}/clients.conf # SNMP CONFIGURATION # # Snmp configuration is only valid if you enabled SNMP support when # you compiled radiusd. # $INCLUDE ${confdir}/snmp.conf # THREAD POOL CONFIGURATION # # The thread pool is a long-lived group of threads which # take turns (round-robin) handling any incoming requests. # # You probably want to have a few spare threads around, # so that high-load situations can be handled immediately. If you # don't have any spare threads, then the request handling will # be delayed while a new thread is created, and added to the pool. # # You probably don't want too many spare threads around, # otherwise they'll be sitting there taking up resources, and # not doing anything productive. # # The numbers given below should be adequate for most situations. # thread pool { # Number of servers to start initially --- should be a reasonable # ballpark figure. start_servers = 2 # Limit on the total number of servers running. # # If this limit is ever reached, clients will be LOCKED OUT, so it # should NOT BE SET TOO LOW. It is intended mainly as a brake to # keep a runaway server from taking the system with it as it spirals # down... # # You may find that the server is regularly reaching the # 'max_servers' number of threads, and that increasing # 'max_servers' doesn't seem to make much difference. # # If this is the case, then the problem is MOST LIKELY that # your back-end databases are taking too long to respond, and # are preventing the server from responding in a timely manner. # # The solution is NOT do keep increasing the 'max_servers' # value, but instead to fix the underlying cause of the # problem: slow database, or 'hostname_lookups=yes'. # # For more information, see 'max_request_time', above. # max_servers = 10 # Server-pool size regulation. Rather than making you guess # how many servers you need, FreeRADIUS dynamically adapts to # the load it sees, that is, it tries to maintain enough # servers to handle the current load, plus a few spare # servers to handle transient load spikes. # # It does this by periodically checking how many servers are # waiting for a request. If there are fewer than # min_spare_servers, it creates a new spare. If there are # more than max_spare_servers, some of the spares die off. # The default values are probably OK for most sites. # min_spare_servers = 2 max_spare_servers = 10 # There may be memory leaks or resource allocation problems with # the server. If so, set this value to 300 or so, so that the # resources will be cleaned up periodically. # # This should only be necessary if there are serious bugs in the # server which have not yet been fixed. # # '0' is a special value meaning 'infinity', or 'the servers never # exit' max_requests_per_server = 0 } # MODULE CONFIGURATION # # The names and configuration of each module is located in this section. # # After the modules are defined here, they may be referred to by name, # in other sections of this configuration file. # modules { # CHAP module # # To authenticate requests containing a CHAP-Password attribute. # chap { authtype = CHAP } unix { # # Cache /etc/passwd, /etc/shadow, and /etc/group # # The default is to NOT cache them. # # For FreeBSD, you do NOT want to enable the cache, # as it's password lookups are done via a database, so # set this value to 'no'. # # Some systems (e.g. RedHat Linux with pam_pwbd) can # take *seconds* to check a password, from a passwd # file containing 1000's of entries. For those systems, # you should set the cache value to 'yes', and set # the locations of the 'passwd', 'shadow', and 'group' # files, below. # # allowed values: {no, yes} cache = no # Reload the cache every 600 seconds (10mins). 0 to disable. cache_reload = 600 # # Define the locations of the normal passwd, shadow, and # group files. # # 'shadow' is commented out by default, because not all # systems have shadow passwords. # # To force the module to use the system password functions, # instead of reading the files, leave the following entries # commented out. # # This is required for some systems, like FreeBSD, # and Mac OSX. # # passwd = /etc/passwd # shadow = /etc/shadow # group = /etc/group # # Where the 'wtmp' file is located. # This should be moved to it's own module soon. # # The only use for 'radlast'. If you don't use # 'radlast', then you can comment out this item. # radwtmp = ${logdir}/radwtmp } # Microsoft CHAP authentication # # This module supports SAMBA passwd file authorization # and MS-CHAP, MS-CHAPv2 authentication. However, we recommend # using the 'passwd' module, below, as it's more general. # mschap { # Location of the SAMBA passwd file # passwd = /etc/smbpasswd # authtype value, if present, will be used # to overwrite (or add) Auth-Type during # authorization. Normally should be MS-CHAP authtype = MS-CHAP # If ignore_password is set to yes mschap will # ignore the password set by any other module during # authorization and will always use the SAMBA password file # ignore_password = yes # if use_mppe is not set to no mschap will # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 # use_mppe = yes # if mppe is enabled require_encryption makes # encryption moderate # require_encryption = yes # require_strong always requires 128 bit key # encryption # require_strong = yes } # Realm module, for proxying. # # You can have multiple instances of the realm module to # support multiple realm syntaxs at the same time. The # search order is defined the order in the authorize and # preacct blocks after the module config block. # # Two config options: # format - must be 'prefix' or 'suffix' # delimiter - must be a single character # 'username@realm' # realm suffix { format = suffix delimiter = "@" } # 'realm/username' # # Using this entry, IPASS users have their realm set to "IPASS". realm realmslash { format = prefix delimiter = "/" } # 'username%realm' # realm realmpercent { format = suffix delimiter = "%" } # rewrite arbitrary packets. Useful in accounting and authorization. # ## This module is highly experimental at the moment. Please give ## feedback to the mailing list. # # The module can also use the Rewrite-Rule attribute. If it # is set and matches the name of the module instance, then # that module instance will be the only one which runs. # # Also if new_attribute is set to yes then a new attribute # will be created containing the value replacewith and it # will be added to searchin (packet, reply or config). # searchfor,ignore_case and max_matches will be ignored in that case. # #attr_rewrite sanecallerid { # attribute = Called-Station-Id # may be "packet", "reply", or "config" # searchin = packet # searchfor = "[+ ]" # replacewith = "" # ignore_case = no # new_attribute = no # max_matches = 10 # ## If set to yes then the replace string will be appended to the original string # append = no #} # Preprocess the incoming RADIUS request, before handing it off # to other modules. # # This module processes the 'huntgroups' and 'hints' files. # In addition, it re-writes some weird attributes created # by some NASes, and converts the attributes into a form which # is a little more standard. # preprocess { # huntgroups = ${confdir}/huntgroups # hints = ${confdir}/hints # # This hack changes Ascend's wierd port numberings # to standard 0-??? port numbers so that the "+" works # for IP address assignments. # with_ascend_hack = no # ascend_channels_per_line = 23 # Windows NT machines often authenticate themselves as # NT_DOMAIN\username # # If this is set to 'yes', then the NT_DOMAIN portion # of the user-name is silently discarded. # with_ntdomain_hack = no # Specialix Jetstream 8500 24 port access server. # # If the user name is 10 characters or longer, a "/" # and the excess characters after the 10th are # appended to the user name. # # If you're not running that NAS, you don't need # this hack. # with_specialix_jetstream_hack = no # Cisco sends it's VSA attributes with the attribute # name *again* in the string, like: # # H323-Attribute = "h323-attribute=value". # # If this configuration item is set to 'yes', then # the redundant data in the the attribute text is stripped # out. The result is: # # H323-Attribute = "value" # # If you're not running a Cisco NAS, you don't need # this hack. with_cisco_vsa_hack = no } # Livingston-style 'users' file # files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users # If you want to use the old Cistron 'users' file # with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. compat = no } # Write a detailed log of all accounting records received. # detail { # Note that we do NOT use NAS-IP-Address here, as # that attribute MAY BE from the originating NAS, and # NOT from the proxy which actually sent us the # request. The Client-IP-Address attribute is ALWAYS # the address of the client which sent us the # request. # # The following line creates a new detail file for # every radius client (by IP address or hostname). # In addition, a new detail file is created every # day, so that the detail file doesn't have to go # through a 'log rotation' # # If your detail files are large, you may also want # to add a ':%H' (see doc/variables.txt) to the end # of it, to create a new detail file every hour, e.g.: # # ..../detail-%Y%m%d:%H # # This will create a new detail file for every hour. # detailfile = ${logdir}/radius-detail.log # # The Unix-style permissions on the 'detail' file. # # The detail file often contains secret or private # information about users. So by keeping the file # permissions restrictive, we can prevent unwanted # people from seeing that information. detailperm = 0644 } # Create a unique accounting session Id. Many NASes re-use or # repeat values for Acct-Session-Id, causing no end of # confusion. # # This module will add a (probably) unique session id # to an accounting packet based on the attributes listed # below found in the packet. See doc/rlm_acct_unique for # more information. # acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" } # Include another file that has the SQL-related configuration. # This is another file solely because it tends to be big. # # The following configuration file is for use with MySQL. # # For Postgresql, use: ${confdir}/postgresql.conf # For MS-SQL, use: ${confdir}/mssql.conf # $INCLUDE ${confdir}/postgresql.conf # Write a 'utmp' style log file, of which users are currently # logged in, and where they've logged in from. # radutmp { filename = ${logdir}/radutmp # Set the file permissions, as the contents of this file # are usually private. perm = 0600 callerid = "yes" } # "Safe" radutmp - does not contain caller ID, so it can be # world-readable, and radwho can work for normal users, without # exposing any information that isn't already exposed by who(1). # # This is another instance of the radutmp module, but it is given # then name "sradutmp" to identify it later in the "accounting" # section. radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } # attr_filter - filters the attributes received in replies from # proxied servers, to make sure we send back to our RADIUS client # only allowed attributes. attr_filter { attrsfile = ${confdir}/attrs } # This module takes an attribute (count-attribute). # It also takes a key, and creates a counter for each unique # key. The count is incremented when accounting packets are # received by the server. The value of the increment depends # on the attribute type. # If the attribute is Acct-Session-Time or an integer we add the # value of the attribute. If it is anything else we increase the # counter by one. # # The 'reset' parameter defines when the counters are all reset to # zero. It can be hourly, daily, weekly, monthly or never. # It can also be user defined. It should be of the form: # num[hdwm] where: # h: hours, d: days, w: weeks, m: months # If the letter is ommited days will be assumed. In example: # reset = 10h (reset every 10 hours) # reset = 12 (reset every 12 days) # # # The check-name attribute defines an attribute which will be # registered by the counter module and can be used to set the # maximum allowed value for the counter after which the user # is rejected. # Something like: # # DEFAULT Max-Daily-Session := 36000 # Fall-Through = 1 # # You should add the counter module in the instantiate # section so that it registers check-name before the files # module reads the users file. # # If check-name is set and the user is to be rejected then we # send back a Reply-Message and we log a Failure-Message in # the radius.log # # The counter-name can also be used like below: # # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject # Reply-Message = "You've used up more than one hour today" # # The allowed-servicetype attribute can be used to only take # into account specific sessions. For example if a user first # logs in through a login menu and then selects ppp there will # be two sessions. One for Login-User and one for Framed-User # service type. We only need to take into account the second one. # # The module should be added in the instantiate, authorize and # accounting sections. Make sure that in the authorize # section it comes after any module which sets the # 'check-name' attribute. # counter { filename = ${raddbdir}/db.counter key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } # The "always" module is here for debugging purposes. Each # instance simply returns the same result, always, without # doing anything. always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } # # The 'expression' module current has no configuration. expr { } # ANSI X9.9 token support. Not included by default. # $INCLUDE ${confdir}/x99.conf } # Instantiation # # This section orders the loading of the modules. Modules # listed here will get loaded BEFORE the later sections like # authorize, authenticate, etc. get examined. # # This section is not strictly needed. When a section like # authorize refers to a module, it's automatically loaded and # initialized. However, some modules may not be listed in any # of the following sections, so they can be listed here. # # Also, listing modules here ensures that you have control over # the order in which they are initalized. If one module needs # something defined by another module, you can list them in order # here, and ensure that the configuration will be OK. # instantiate { # # The expression module doesn't do authorization, # authentication, or accounting. It only does dynamic # translation, of the form: # # Session-Timeout = `%{expr:2 + 3}` # # So the module needs to be instantiated, but CANNOT be # listed in any other section. See 'doc/rlm_expr' for # more information. # expr } # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. # # The order of the realm modules will determine the order that # we try to find a matching realm. # # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { preprocess # chap # counter # attr_filter # eap suffix # files # etc_smbpasswd sql mschap } # Authentication. # # This section lists which modules are available for authentication. # Note that it does NOT mean 'try each module in order'. It means # that you have to have a module from the 'authorize' section add # a configuration attribute 'Auth-Type := FOO'. That authentication type # is then used to pick the apropriate module from the list below. # # The default Auth-Type is Local. That is, whatever is not included inside # an authtype section will be called only if Auth-Type is set to Local. # # So you should do the following: # - Set Auth-Type to an appropriate value in the authorize modules above. # For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc. # - After that create corresponding authtype sections in the # authenticate section below and call the appropriate modules. authenticate { # authtype CHAP { # chap # } authtype MS-CHAP { mschap } } # Pre-accounting. Look for proxy realm in order of realms, then # acct_users file, then preprocess (hints file). preacct { preprocess suffix # files } # Accounting. Log to detail file, and to the radwtmp file, and maintain # radutmp. accounting { acct_unique detail # counter unix # wtmp file sql radutmp # sradutmp } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { # radutmp sql } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { # Get an address from the IP Pool. #main_pool } ------------------- Файл snmp.conf оставляем пустым. Прописывание пользователей в СУБД Для начала необходимо создать базу данных и в ней создать таблицы. Смотрим в postgresql.conf и видим там server = "10.1.1.1" login = "cm" password = "" # Database table configuration radius_db = "radius" Соответственно, нам надо создать базу данных radius от пользователя cm. /usr/local/pgsql/bin/createuser cm /usr/local/pgsql/bin/createdb -U cm radius /usr/local/pgsql/bin/psql -U cm radius Теперь мы вошли в нужную нам базу данных и должны создать в ней таблицы: \i /usr/ports/net/freeradius/work/freeradius-0.8.1/src/modules/rlm_sql/drivers/rlm_sql_postgresql/db_postgresql.sql \q Теперь можно создавать пользователей. Предполагается, что радиус будет проверять правильность пары login/password у пользователя и выдавать IP-адрес. На каждого пользователя необходимо обладать следующей информацией: login, password, ip. Тогда для каждого пользователя получаем следующие 4 SQL-оператора: insert into usergroup(username, groupname) values('login', 'users'); insert into radcheck(username, attribute, op, value) values('login', 'Password', ':=', 'password'); insert into radreply(username, attribute, op, value) values('login', 'Framed-IP-Address', ':=', 'IP'); insert into radreply(username, attribute, op, value) values('login', 'Framed-IP-Netmask', ':=', '255.255.255.255'); Всех пользователей заносим в базу данных. Теперь можно запускать freeradius. /usr/local/etc/rc.d/radiusd.sh start Сообщений об ошибках в /var/log/radius.log быть не должно. Проверка FreeRadius Для проверки - с локальной машины (надеюсь, ее в clients.conf вписали) выполняем radtest user password <IP-адрес radius-сервера> 1812 <пароль к radius-серверу> , например, radtest testuser testpassword 10.1.1.1 1812 test2 Конечно, testuser и testpassword должны быть прописаны в базе пользователей. В итоге получим: Sending Access-Request of id 148 to 10.1.1.1:1812 User-Name = "testuser" User-Password = "W\202$Y\374x\251p^\302M\376\202U\212\031" NAS-IP-Address = host.domain NAS-Port = 1812 rad_recv: Access-Accept packet from host 10.1.1.1:1812, id=41, length=32 Framed-IP-Address = 10.1.5.2 Framed-IP-Netmask = 255.255.255.255 То-есть, радиус-сервер проверил правильность пароля для этого пользователя и выдал IP-адрес. В случае, если пароль не прошел, то получим rad_recv: Access-Reject packet from host 10.1.1.1:1812, id=148, length=20 ------------- Настройка mpd ------------- mpd - это программа, способная обрабатывать различные соединения, в том числе и входящие VPN. Именно это нам и интересно. Перед установкой и настройкой mpd необходимо проверить, все ли необходимые опции есть в ядре: # netgraph(4). Enable the base netgraph code with the NETGRAPH option. # Individual node types can be enabled with the corresponding option # listed below; however, this is not strictly necessary as netgraph # will automatically load the corresponding KLD module if the node type # is not already compiled into the kernel. Each type below has a # corresponding man page, e.g., ng_async(8). options NETGRAPH #netgraph(4) system options NETGRAPH_ASYNC options NETGRAPH_BPF options NETGRAPH_ECHO options NETGRAPH_ETHER options NETGRAPH_HOLE options NETGRAPH_IFACE options NETGRAPH_KSOCKET options NETGRAPH_L2TP options NETGRAPH_LMI # MPPC compression requires proprietary files (not included) #options NETGRAPH_MPPC_COMPRESSION options NETGRAPH_MPPC_ENCRYPTION options NETGRAPH_ONE2MANY options NETGRAPH_PPP options NETGRAPH_PPTPGRE options NETGRAPH_RFC1490 options NETGRAPH_SOCKET options NETGRAPH_TEE options NETGRAPH_TTY options NETGRAPH_UI options NETGRAPH_VJC Проверяем, есть ли они, если нет, то включаем в конфиг ядра и перекомпилируем ядро. Возможен вариант с подключением netgraph в качестве модуля ядра. cd /usr/ports/net/mpd make install clean distclean Сервер поставился. Можно настраивать. Рекомендую использовать последнюю версию mpd из портов, сейчас (22.10.2003) это 3.14.. Создаем файл /usr/local/etc/mpd/mpd.conf: default: load pptp0 load pptp1 load pptp2 load pptp3 load pptp4 load pptp5 load pptp6 load pptp7 load pptp8 load pptp9 load pptp10 load pptp11 load pptp12 load pptp13 load pptp14 load pptp15 load pptp16 load pptp17 load pptp18 load pptp19 load pptp20 load pptp21 load pptp22 load pptp23 load pptp24 load pptp25 load pptp26 load pptp27 load pptp28 load pptp29 load pptp30 load pptp31 load pptp32 load pptp33 load pptp34 load pptp35 load pptp36 load pptp37 load pptp38 load pptp39 load pptp40 load pptp41 load pptp42 load pptp43 load pptp44 load pptp45 load pptp46 load pptp47 load pptp48 load pptp49 load pptp50 load pptp51 load pptp52 load pptp53 load pptp54 load pptp55 load pptp56 load pptp57 load pptp58 load pptp59 load pptp60 load pptp61 load pptp62 load pptp63 load pptp64 load pptp65 load pptp66 load pptp67 load pptp68 load pptp69 load pptp70 load pptp71 load pptp72 load pptp73 load pptp74 load pptp75 load pptp76 load pptp77 load pptp78 load pptp79 load pptp80 load pptp81 load pptp82 load pptp83 load pptp84 load pptp85 load pptp86 load pptp87 load pptp88 load pptp89 load pptp90 load pptp91 load pptp92 load pptp93 load pptp94 load pptp95 load pptp96 load pptp97 load pptp98 load pptp99 pptp0: new -i ng00 pptp0 pptp0 set ipcp ranges 10.1.4.1/32 10.1.5.1/32 load pptp_standart pptp1: new -i ng01 pptp1 pptp1 set ipcp ranges 10.1.4.1/32 10.1.5.2/32 load pptp_standart pptp2: new -i ng02 pptp2 pptp2 set ipcp ranges 10.1.4.1/32 10.1.5.3/32 load pptp_standart pptp3: new -i ng03 pptp3 pptp3 set ipcp ranges 10.1.4.1/32 10.1.5.4/32 load pptp_standart pptp4: new -i ng04 pptp4 pptp4 set ipcp ranges 10.1.4.1/32 10.1.5.5/32 load pptp_standart pptp5: new -i ng05 pptp5 pptp5 set ipcp ranges 10.1.4.1/32 10.1.5.6/32 load pptp_standart pptp6: new -i ng06 pptp6 pptp6 set ipcp ranges 10.1.4.1/32 10.1.5.7/32 load pptp_standart pptp7: new -i ng07 pptp7 pptp7 set ipcp ranges 10.1.4.1/32 10.1.5.8/32 load pptp_standart pptp8: new -i ng08 pptp8 pptp8 set ipcp ranges 10.1.4.1/32 10.1.5.9/32 load pptp_standart pptp9: new -i ng09 pptp9 pptp9 set ipcp ranges 10.1.4.1/32 10.1.5.10/32 load pptp_standart pptp10: new -i ng10 pptp10 pptp10 set ipcp ranges 10.1.4.1/32 10.1.5.11/32 load pptp_standart pptp11: new -i ng11 pptp11 pptp11 set ipcp ranges 10.1.4.1/32 10.1.5.12/32 load pptp_standart pptp12: new -i ng12 pptp12 pptp12 set ipcp ranges 10.1.4.1/32 10.1.5.13/32 load pptp_standart pptp13: new -i ng13 pptp13 pptp13 set ipcp ranges 10.1.4.1/32 10.1.5.14/32 load pptp_standart pptp14: new -i ng14 pptp14 pptp14 set ipcp ranges 10.1.4.1/32 10.1.5.15/32 load pptp_standart pptp15: new -i ng15 pptp15 pptp15 set ipcp ranges 10.1.4.1/32 10.1.5.16/32 load pptp_standart pptp16: new -i ng16 pptp16 pptp16 set ipcp ranges 10.1.4.1/32 10.1.5.17/32 load pptp_standart pptp17: new -i ng17 pptp17 pptp17 set ipcp ranges 10.1.4.1/32 10.1.5.18/32 load pptp_standart pptp18: new -i ng18 pptp18 pptp18 set ipcp ranges 10.1.4.1/32 10.1.5.19/32 load pptp_standart pptp19: new -i ng19 pptp19 pptp19 set ipcp ranges 10.1.4.1/32 10.1.5.20/32 load pptp_standart pptp20: new -i ng20 pptp20 pptp20 set ipcp ranges 10.1.4.1/32 10.1.5.21/32 load pptp_standart pptp21: new -i ng21 pptp21 pptp21 set ipcp ranges 10.1.4.1/32 10.1.5.22/32 load pptp_standart pptp22: new -i ng22 pptp22 pptp22 set ipcp ranges 10.1.4.1/32 10.1.5.23/32 load pptp_standart pptp23: new -i ng23 pptp23 pptp23 set ipcp ranges 10.1.4.1/32 10.1.5.24/32 load pptp_standart pptp24: new -i ng24 pptp24 pptp24 set ipcp ranges 10.1.4.1/32 10.1.5.25/32 load pptp_standart pptp25: new -i ng25 pptp25 pptp25 set ipcp ranges 10.1.4.1/32 10.1.5.26/32 load pptp_standart pptp26: new -i ng26 pptp26 pptp26 set ipcp ranges 10.1.4.1/32 10.1.5.27/32 load pptp_standart pptp27: new -i ng27 pptp27 pptp27 set ipcp ranges 10.1.4.1/32 10.1.5.28/32 load pptp_standart pptp28: new -i ng28 pptp28 pptp28 set ipcp ranges 10.1.4.1/32 10.1.5.29/32 load pptp_standart pptp29: new -i ng29 pptp29 pptp29 set ipcp ranges 10.1.4.1/32 10.1.5.30/32 load pptp_standart pptp30: new -i ng30 pptp30 pptp30 set ipcp ranges 10.1.4.1/32 10.1.5.31/32 load pptp_standart pptp31: new -i ng31 pptp31 pptp31 set ipcp ranges 10.1.4.1/32 10.1.5.32/32 load pptp_standart pptp32: new -i ng32 pptp32 pptp32 set ipcp ranges 10.1.4.1/32 10.1.5.33/32 load pptp_standart pptp33: new -i ng33 pptp33 pptp33 set ipcp ranges 10.1.4.1/32 10.1.5.34/32 load pptp_standart pptp34: new -i ng34 pptp34 pptp34 set ipcp ranges 10.1.4.1/32 10.1.5.35/32 load pptp_standart pptp35: new -i ng35 pptp35 pptp35 set ipcp ranges 10.1.4.1/32 10.1.5.36/32 load pptp_standart pptp36: new -i ng36 pptp36 pptp36 set ipcp ranges 10.1.4.1/32 10.1.5.37/32 load pptp_standart pptp37: new -i ng37 pptp37 pptp37 set ipcp ranges 10.1.4.1/32 10.1.5.38/32 load pptp_standart pptp38: new -i ng38 pptp38 pptp38 set ipcp ranges 10.1.4.1/32 10.1.5.39/32 load pptp_standart pptp39: new -i ng39 pptp39 pptp39 set ipcp ranges 10.1.4.1/32 10.1.5.40/32 load pptp_standart pptp40: new -i ng40 pptp40 pptp40 set ipcp ranges 10.1.4.1/32 10.1.5.41/32 load pptp_standart pptp41: new -i ng41 pptp41 pptp41 set ipcp ranges 10.1.4.1/32 10.1.5.42/32 load pptp_standart pptp42: new -i ng42 pptp42 pptp42 set ipcp ranges 10.1.4.1/32 10.1.5.43/32 load pptp_standart pptp43: new -i ng43 pptp43 pptp43 set ipcp ranges 10.1.4.1/32 10.1.5.44/32 load pptp_standart pptp44: new -i ng44 pptp44 pptp44 set ipcp ranges 10.1.4.1/32 10.1.5.45/32 load pptp_standart pptp45: new -i ng45 pptp45 pptp45 set ipcp ranges 10.1.4.1/32 10.1.5.46/32 load pptp_standart pptp46: new -i ng46 pptp46 pptp46 set ipcp ranges 10.1.4.1/32 10.1.5.47/32 load pptp_standart pptp47: new -i ng47 pptp47 pptp47 set ipcp ranges 10.1.4.1/32 10.1.5.48/32 load pptp_standart pptp48: new -i ng48 pptp48 pptp48 set ipcp ranges 10.1.4.1/32 10.1.5.49/32 load pptp_standart pptp49: new -i ng49 pptp49 pptp49 set ipcp ranges 10.1.4.1/32 10.1.5.50/32 load pptp_standart pptp50: new -i ng50 pptp50 pptp50 set ipcp ranges 10.1.4.1/32 10.1.5.51/32 load pptp_standart pptp51: new -i ng51 pptp51 pptp51 set ipcp ranges 10.1.4.1/32 10.1.5.52/32 load pptp_standart pptp52: new -i ng52 pptp52 pptp52 set ipcp ranges 10.1.4.1/32 10.1.5.53/32 load pptp_standart pptp53: new -i ng53 pptp53 pptp53 set ipcp ranges 10.1.4.1/32 10.1.5.54/32 load pptp_standart pptp54: new -i ng54 pptp54 pptp54 set ipcp ranges 10.1.4.1/32 10.1.5.55/32 load pptp_standart pptp55: new -i ng55 pptp55 pptp55 set ipcp ranges 10.1.4.1/32 10.1.5.56/32 load pptp_standart pptp56: new -i ng56 pptp56 pptp56 set ipcp ranges 10.1.4.1/32 10.1.5.57/32 load pptp_standart pptp57: new -i ng57 pptp57 pptp57 set ipcp ranges 10.1.4.1/32 10.1.5.58/32 load pptp_standart pptp58: new -i ng58 pptp58 pptp58 set ipcp ranges 10.1.4.1/32 10.1.5.59/32 load pptp_standart pptp59: new -i ng59 pptp59 pptp59 set ipcp ranges 10.1.4.1/32 10.1.5.60/32 load pptp_standart pptp60: new -i ng60 pptp60 pptp60 set ipcp ranges 10.1.4.1/32 10.1.5.61/32 load pptp_standart pptp61: new -i ng61 pptp61 pptp61 set ipcp ranges 10.1.4.1/32 10.1.5.62/32 load pptp_standart pptp62: new -i ng62 pptp62 pptp62 set ipcp ranges 10.1.4.1/32 10.1.5.63/32 load pptp_standart pptp63: new -i ng63 pptp63 pptp63 set ipcp ranges 10.1.4.1/32 10.1.5.64/32 load pptp_standart pptp64: new -i ng64 pptp64 pptp64 set ipcp ranges 10.1.4.1/32 10.1.5.65/32 load pptp_standart pptp65: new -i ng65 pptp65 pptp65 set ipcp ranges 10.1.4.1/32 10.1.5.66/32 load pptp_standart pptp66: new -i ng66 pptp66 pptp66 set ipcp ranges 10.1.4.1/32 10.1.5.67/32 load pptp_standart pptp67: new -i ng67 pptp67 pptp67 set ipcp ranges 10.1.4.1/32 10.1.5.68/32 load pptp_standart pptp68: new -i ng68 pptp68 pptp68 set ipcp ranges 10.1.4.1/32 10.1.5.69/32 load pptp_standart pptp69: new -i ng69 pptp69 pptp69 set ipcp ranges 10.1.4.1/32 10.1.5.70/32 load pptp_standart pptp70: new -i ng70 pptp70 pptp70 set ipcp ranges 10.1.4.1/32 10.1.5.71/32 load pptp_standart pptp71: new -i ng71 pptp71 pptp71 set ipcp ranges 10.1.4.1/32 10.1.5.72/32 load pptp_standart pptp72: new -i ng72 pptp72 pptp72 set ipcp ranges 10.1.4.1/32 10.1.5.73/32 load pptp_standart pptp73: new -i ng73 pptp73 pptp73 set ipcp ranges 10.1.4.1/32 10.1.5.74/32 load pptp_standart pptp74: new -i ng74 pptp74 pptp74 set ipcp ranges 10.1.4.1/32 10.1.5.75/32 load pptp_standart pptp75: new -i ng75 pptp75 pptp75 set ipcp ranges 10.1.4.1/32 10.1.5.76/32 load pptp_standart pptp76: new -i ng76 pptp76 pptp76 set ipcp ranges 10.1.4.1/32 10.1.5.77/32 load pptp_standart pptp77: new -i ng77 pptp77 pptp77 set ipcp ranges 10.1.4.1/32 10.1.5.78/32 load pptp_standart pptp78: new -i ng78 pptp78 pptp78 set ipcp ranges 10.1.4.1/32 10.1.5.79/32 load pptp_standart pptp79: new -i ng79 pptp79 pptp79 set ipcp ranges 10.1.4.1/32 10.1.5.80/32 load pptp_standart pptp80: new -i ng80 pptp80 pptp80 set ipcp ranges 10.1.4.1/32 10.1.5.81/32 load pptp_standart pptp81: new -i ng81 pptp81 pptp81 set ipcp ranges 10.1.4.1/32 10.1.5.82/32 load pptp_standart pptp82: new -i ng82 pptp82 pptp82 set ipcp ranges 10.1.4.1/32 10.1.5.83/32 load pptp_standart pptp83: new -i ng83 pptp83 pptp83 set ipcp ranges 10.1.4.1/32 10.1.5.84/32 load pptp_standart pptp84: new -i ng84 pptp84 pptp84 set ipcp ranges 10.1.4.1/32 10.1.5.85/32 load pptp_standart pptp85: new -i ng85 pptp85 pptp85 set ipcp ranges 10.1.4.1/32 10.1.5.86/32 load pptp_standart pptp86: new -i ng86 pptp86 pptp86 set ipcp ranges 10.1.4.1/32 10.1.5.87/32 load pptp_standart pptp87: new -i ng87 pptp87 pptp87 set ipcp ranges 10.1.4.1/32 10.1.5.88/32 load pptp_standart pptp88: new -i ng88 pptp88 pptp88 set ipcp ranges 10.1.4.1/32 10.1.5.89/32 load pptp_standart pptp89: new -i ng89 pptp89 pptp89 set ipcp ranges 10.1.4.1/32 10.1.5.90/32 load pptp_standart pptp90: new -i ng90 pptp90 pptp90 set ipcp ranges 10.1.4.1/32 10.1.5.91/32 load pptp_standart pptp91: new -i ng91 pptp91 pptp91 set ipcp ranges 10.1.4.1/32 10.1.5.92/32 load pptp_standart pptp92: new -i ng92 pptp92 pptp92 set ipcp ranges 10.1.4.1/32 10.1.5.93/32 load pptp_standart pptp93: new -i ng93 pptp93 pptp93 set ipcp ranges 10.1.4.1/32 10.1.5.94/32 load pptp_standart pptp94: new -i ng94 pptp94 pptp94 set ipcp ranges 10.1.4.1/32 10.1.5.95/32 load pptp_standart pptp95: new -i ng95 pptp95 pptp95 set ipcp ranges 10.1.4.1/32 10.1.5.96/32 load pptp_standart pptp96: new -i ng96 pptp96 pptp96 set ipcp ranges 10.1.4.1/32 10.1.5.97/32 load pptp_standart pptp97: new -i ng97 pptp97 pptp97 set ipcp ranges 10.1.4.1/32 10.1.5.98/32 load pptp_standart pptp98: new -i ng98 pptp98 pptp98 set ipcp ranges 10.1.4.1/32 10.1.5.99/32 load pptp_standart pptp99: new -i ng99 pptp99 pptp99 set ipcp ranges 10.1.4.1/32 10.1.5.100/32 load pptp_standart pptp_standart: set iface disable on-demand set bundle enable multilink set link yes acfcomp protocomp #Требуем chap авторизации set link no pap chap set link enable chap set link keep-alive 60 180 set ipcp yes vjcomp #Устанавливаем DNS и Wins set ipcp dns 10.1.1.1 #set ipcp nbns 10.1.1.1 #Включаем proxy-arp, чтобы компьютер "видел" без маршрутизации #корпоративную сеть (по протоколу arp) set iface enable proxy-arp #Включаем компрессию данных set bundle enable compression #Включаем компрессию данных, совсестимую с Microsoft-клиентами, должно быть вкомпилено в ядро set ccp yes mppc #Включаем шифрование, совместимое с Microsoft-клиентами, должно быть вкомпилено в ядро set ccp yes mpp-e40 set ccp yes mpp-e56 set ccp yes mpp-e128 set ccp yes mpp-stateless #set bundle yes crypt-reqd #Задаем адрес для входящих соединений, если закомментирован - то mpd будет слушать все интерфейсы. #set pptp self 192.168.1.221 #Разрешаем входящие соединения set pptp enable incoming set pptp disable originate set iface mtu 1500 set link mtu 1500 # какой скрипт запускать при поднятии интерфейса #set iface up-script /usr/local/traff/up.pl # какой скрипт запускать при опускании интерфейса #set iface down-script /usr/local/traff/down.pl set radius server 10.1.1.1 test2 1812 1813 set radius timeout 10 set radius config /etc/radius.conf set radius retries 3 #set bundle enable radius-acct set bundle enable radius-auth set ipcp yes radius-ip Создаем /etc/radius.conf: acct 10.1.1.1 test2 auth 10.1.1.1 test2 Создаем файл /usr/local/etc/mpd/mpd.links: pptp0: set link type pptp pptp1: set link type pptp pptp2: set link type pptp pptp3: set link type pptp pptp4: set link type pptp pptp5: set link type pptp pptp6: set link type pptp pptp7: set link type pptp pptp8: set link type pptp pptp9: set link type pptp pptp10: set link type pptp pptp11: set link type pptp pptp12: set link type pptp pptp13: set link type pptp pptp14: set link type pptp pptp15: set link type pptp pptp16: set link type pptp pptp17: set link type pptp pptp18: set link type pptp pptp19: set link type pptp pptp20: set link type pptp pptp21: set link type pptp pptp22: set link type pptp pptp23: set link type pptp pptp24: set link type pptp pptp25: set link type pptp pptp26: set link type pptp pptp27: set link type pptp pptp28: set link type pptp pptp29: set link type pptp pptp30: set link type pptp pptp31: set link type pptp pptp32: set link type pptp pptp33: set link type pptp pptp34: set link type pptp pptp35: set link type pptp pptp36: set link type pptp pptp37: set link type pptp pptp38: set link type pptp pptp39: set link type pptp pptp40: set link type pptp pptp41: set link type pptp pptp42: set link type pptp pptp43: set link type pptp pptp44: set link type pptp pptp45: set link type pptp pptp46: set link type pptp pptp47: set link type pptp pptp48: set link type pptp pptp49: set link type pptp pptp50: set link type pptp pptp51: set link type pptp pptp52: set link type pptp pptp53: set link type pptp pptp54: set link type pptp pptp55: set link type pptp pptp56: set link type pptp pptp57: set link type pptp pptp58: set link type pptp pptp59: set link type pptp pptp60: set link type pptp pptp61: set link type pptp pptp62: set link type pptp pptp63: set link type pptp pptp64: set link type pptp pptp65: set link type pptp pptp66: set link type pptp pptp67: set link type pptp pptp68: set link type pptp pptp69: set link type pptp pptp70: set link type pptp pptp71: set link type pptp pptp72: set link type pptp pptp73: set link type pptp pptp74: set link type pptp pptp75: set link type pptp pptp76: set link type pptp pptp77: set link type pptp pptp78: set link type pptp pptp79: set link type pptp pptp80: set link type pptp pptp81: set link type pptp pptp82: set link type pptp pptp83: set link type pptp pptp84: set link type pptp pptp85: set link type pptp pptp86: set link type pptp pptp87: set link type pptp pptp88: set link type pptp pptp89: set link type pptp pptp90: set link type pptp pptp91: set link type pptp pptp92: set link type pptp pptp93: set link type pptp pptp94: set link type pptp pptp95: set link type pptp pptp96: set link type pptp pptp97: set link type pptp pptp98: set link type pptp pptp99: set link type pptp Все, можно запускать mpd: /usr/local/sbin/mpd -b. Теперь mpd будет принимать входящие VPN-соединения (PPTP, совместимо с MS WindowsTM) Оригинал: http://www.malevanov.spb.ru/mpd

<< Предыдущая ИНДЕКС Поиск в статьях src Установить закладку Перейти на закладку Следующая >>

Обсуждение [ Линейный режим | Показать все | RSS ]
  • 1.1, Petr (?), 01:25, 23/12/2003 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    Ремарка:
    Пробовал все это на RedHat9
    PostgreSQL должен быть установлен вручную.
    Не через RPM или в процессе установки ОС, а из дистрибутива путем копиляции. Иначе к нему Radius не пристыковывается, библиотек ему не хватает каких-то. Полдня въезжал.
     
     
  • 2.13, logan (??), 11:11, 07/02/2007 [^] [^^] [^^^] [ответить]  
  • +/
    нужно поставить postgresql-devel пакет. Эти библиотеки живут там
     

  • 1.2, Vasia (?), 09:29, 29/07/2004 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    Обясните чайнику пожалуйста. Какие команды для занесения пользователей(login password ip) во вновь созданную базу?
     
  • 1.3, Aqualine (?), 17:22, 10/10/2004 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    А как лучше организовать биллинг при помощи FreeRADIUS? Что для этого требуется?
     
  • 1.4, Executor (?), 08:11, 09/01/2005 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    Хотел бы сказать про базу.
    Я настраивал на MySQL и вот тут ни слова нет что есть что в строке:
    insert into radcheck(username, attribute, op, value) values('login', 'Password', ':=', 'password');
    методом прочтения большого количества файлов, узнал что первый password это означает что проиходит или нет шифрование пороля, а вот второй это сам пороль.
    Но вообще дока хороша но нет некоторых тонкостей. например описание IP-адрисов, где какие и зачем.
     
     
  • 2.5, Аноним (5), 16:23, 18/03/2005 [^] [^^] [^^^] [ответить]  
  • +/
    >Я настраивал на MySQL и вот тут ни слова нет что есть
    >что в строке:
    >insert into radcheck(username, attribute, op, value) values('login', 'Password', ':=', 'password');
    >методом прочтения большого количества файлов, узнал что первый password это означает что
    >проиходит или нет шифрование пороля, а вот второй это сам пороль.
    >

    Советую Вам в следующий раз читать не большое количество файлов, а RFC 2138. Так вот, первый Password является именем атрибута, то что следует за ним - это знак присваения значения, которое уже и является паролем.

     

  • 1.6, crac (ok), 11:30, 10/04/2005 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    Есть SuSE 8.2 хочу установить Radius с чего начать подскажите если можно подробнее а то я в этом деле новичок
     
  • 1.7, узер (?), 16:46, 24/05/2005 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    шота я тут кроме как в загаловке нигде про биллинг ни слова не нашел. афтар предлагаю сменить название темы на "мои конфиги"
     
  • 1.8, Lokarius (??), 07:08, 22/08/2005 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    так радиус складывает в мускул базу кто когда скоко вошло скоко вышло (байт)
     
  • 1.9, Мишка (?), 19:45, 11/10/2005 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    Использовал такую связку около полугода... возникла проблемма мпд теряет пакеты на слабых машинках... рекомендую вместо MPD перейти на PopTop, из портов собрать, да и настраивать не впример легче в отличии от мпд.
     
  • 1.10, Wel (?), 23:42, 14/04/2006 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    Не получается завести mpd ПЛИЗЗ ХЕЛП
    Не то, что Еще и радиус туда подрубить...
    Сначала с Радиусом пытался

    Сервер(Фря) 192.168.10.1
    Клиент: 192.168.10.99
    Может Я путаю set ipcp ranges?
    Я посмотрел - и не понял, что Оно такое...
    И еще mpd.secret - как правильно записывать?

    root@freebsd# mpd4
    Multi-link PPP for FreeBSD, by Archie L. Cobbs.
    Based on iij-ppp, by Toshiharu OHNO.
    mpd: pid 761, version 4.0b4 (root@freebsd 22:24 27-Mar-2006)
    [pptp0] ppp node is "mpd761-pptp0"
    tcpmss node is "mpd761-mss"
    [pptp0] using interface ng0
    mpd: bundle "pptp0" already exists

    root@freebsd# cat /usr/local/etc/mpd4/mpd.conf|grep -v '#'
    default:
    load pptp0
    load pptp1
    pptp0:
    new -i ng00 pptp0 pptp0
    set ipcp ranges 192.168.10.1/24 192.168.11.1/32
    load pptp_standart
    pptp1:
    new -i ng00 pptp0 pptp0
    set ipcp ranges 192.168.10.1/24 192.168.11.99/32
    load pptp_standart
    pptp_standart:
    set iface disable on-demand
    set bundle enable multilink
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set link keep-alive 60 180
    set ipcp yes vjcomp
    set ipcp dns 192.168.10.1
    set iface enable proxy-arp
    set pptp self 192.168.10.1
    set pptp enable incoming
    set pptp disable originate
    set iface mtu 1500
    set link mtu 1500


    #ifconfig
    ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500

    cat /usr/local/etc/mpd4/mpd.links
    pptp0:
    set link type pptp
    pptp1:
    set link type pptp


    #cat /usr/local/etc/mpd4/mpd.secret
    test1 test1 *
    "test" "test" *
    test2 test2 192.168.10.99

     
  • 1.11, Wel (?), 04:11, 15/04/2006 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    Все оказалось легко - проблема в переносах и пробелах...
    +неправильно кое-что прописал...
    Вот привожу свои настройки:
    Клиент:192.168.10.99
    Сервер:192.168.10.1

    ifconfig
    rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         options=8<VLAN_MTU>
         inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255

    #cat /usr/local/etc/mpd4/mpd.secret
    test2 test2 *

    # cat /usr/local/etc/mpd4/mpd.conf
    default:
        load pptp0
        load pptp1
    pptp0:
        new -i ng00 pptp0 pptp0
        set ipcp ranges 192.168.10.1/24 192.168.11.1/32
        load pptp_standart
    pptp1:
        new -i ng00 pptp0 pptp0
        set ipcp ranges 192.168.10.1/24 192.168.11.99/32
        load pptp_standart
    pptp_standart:
        set iface disable on-demand
        set bundle enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
        set link keep-alive 60 180
        set ipcp yes vjcomp
        set ipcp dns 192.168.10.1
        set iface enable proxy-arp
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
        set ccp yes mpp-e56
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        set bundle yes crypt-reqd
        set pptp enable incoming
        set pptp disable originate
        set iface mtu 1500
        set link mtu 1500
      
    # cat /usr/local/etc/mpd4/mpd.links
    pptp0:    
           set link type pptp    
    pptp1:
           set link type pptp

     
  • 1.12, Николай (??), 17:32, 01/08/2006 [ответить] [﹢﹢﹢] [ · · · ]  
  • +/
    А как в таблице radreply прописать DNS сервер?
    Какой атрибут за него отвечает?
     
     
  • 2.14, gumenyuk (??), 14:53, 12/05/2009 [^] [^^] [^^^] [ответить]  
  • +/
    dns передает mpd:
    set icpc dns xxx.xxx.xxx.xxx
     

     Добавить комментарий
    Имя:
    E-Mail:
    Заголовок:
    Текст:




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру