Centos6.2+Open***+Radius+Mysql+daloRADIUS
http://www.cactifans.org/***/615.html
Open*** is a *** package different from PPTP and L2TP: it is an SSL-based ***. Using Open*** requires client software.
OS: CentOS 6.2 i386
Open***: open***-2.2.1-1.el6.i686
RADIUS: freeradius-2.1.10-5.el6.i686
MySQL: mysql 5.1.61
daloRADIUS: daloradius-0.9-9
I. CentOS system setup and LAMP
1. Install the system and set up the repositories
Do a minimal install of CentOS 6.2, add a CentOS update mirror, and add the EPEL mirror.
First back up /etc/yum.repos.d/CentOS-Base.repo:
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
Download the repo file for your version and put it in /etc/yum.repos.d/ (make a backup before doing this):
cd /etc/yum.repos.d/
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
yum -y update
reboot
sudo -s
LANG=C
yum -y install wget ntp
ntpdate pool.ntp.org
yum -y install httpd mysql mysql-devel mysql-server php php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
2. Disable SELinux
vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
Change SELINUX=enforcing to SELINUX=disabled and save. SELinux is still running at this point, so also run the following commands:
setenforce 0
chkconfig httpd on
chkconfig mysqld on
/etc/init.d/httpd start
/etc/init.d/mysqld start
mysqladmin -u root password mysqlpwd
Flush the firewall rules:
iptables -F
3. Create a PHP test file
vi /var/www/html/test.php
Enter the following:
<?php
phpinfo();
?>
II. Install RADIUS and configure MySQL authentication
1. Install RADIUS
yum install -y freeradius freeradius-mysql freeradius-utils
Configure a local user to test RADIUS:
vi /etc/raddb/users
Remove the comment marker from the last line of the file:
testuser Cleartext-Password := "testpassword"
Then run:
chkconfig radiusd on
/etc/init.d/radiusd restart
Run:
radtest testuser testpassword localhost 1812 testing123
If you see
Sending Access-Request of id 86 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "testpassword"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=86, length=20
then the RADIUS server is configured correctly.
2. Configure MySQL authentication for RADIUS
cp /etc/raddb/clients.conf /etc/raddb/clients.conf.bak
grep -v \# /etc/raddb/clients.conf.bak > /etc/raddb/clients.conf
Edit the clients file:
vi /etc/raddb/clients.conf
client 0.0.0.0 {
	ipaddr=127.0.0.1
	secret = testing123
	shortname = localhost
}
Edit the users file and comment out the test user:
vi /etc/raddb/users
#testuser Cleartext-Password := "testpassword"
Back up and import the database:
cp /etc/raddb/sql/mysql/admin.sql /etc/raddb/sql/mysql/admin.sql.bak
grep -v \# /etc/raddb/sql/mysql/admin.sql.bak > /etc/raddb/sql/mysql/admin.sql
vi /etc/raddb/sql/mysql/admin.sql
CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');
GRANT ALL ON radius.* TO 'radius'@'localhost';
The database is radius and the password is radpass. If you set your own password, you must also change it in sql.conf afterwards:
vi /etc/raddb/sql.conf
Change the database password to radpass.
Import the radius database:
mysql -u root -p
create database radius;
exit
mysql -u root -p radius < /etc/raddb/sql/mysql/admin.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/schema.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/nas.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/ippool.sql
Edit the RADIUS configuration file so it uses SQL authentication: remove the # in front of $INCLUDE sql.conf.
vi /etc/raddb/radiusd.conf
$INCLUDE sql.conf
Edit sql.conf:
vi /etc/raddb/sql.conf
server = "localhost"
port = 3306
login = "radius"
password = "radpass"
radius_db = "radius"
readclients = yes
Modify the authentication sections:
vi /etc/raddb/sites-enabled/default
authorize {
	preprocess
	chap
	mschap
	suffix
	eap
	sql
}
accounting {
	detail
	sql
}
session {
	radutmp
	sql
}
Insert test data:
mysql -u root -p
use radius;
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('user1', 'Password', 'password1');
exit
Restart the RADIUS server:
/etc/init.d/radiusd restart
Test the RADIUS server by running:
radtest user1 password1 localhost 1812 testing123
If you see the following, the RADIUS server is working normally:
Sending Access-Request of id 129 to 127.0.0.1 port 1812
	User-Name = "user1"
	User-Password = "password1"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=129, length=20
If you see the above, the RADIUS server can now authenticate against MySQL.
III. Install Open***
1. Install Open***
yum install -y open***
2. Create the certificates
cp -R /usr/share/open***/easy-rsa/ /etc/open***/
Then start building the server CA and key:
cd /etc/open***/easy-rsa/2.0/
Edit vars, press Shift+G to jump to the end of the file, and fill in the values you need:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="CN"
export KEY_CITY="XiangYang"
export KEY_ORG="cactifans"
export KEY_EMAIL="cactifans@gmail.com"
Then load the variables:
source ./vars
Now generate the CA certificate:
./clean-all
./build-ca ca
Press Enter through the prompts to finish.
Then generate server.key:
./build-key-server server
Press Enter until the last two prompts, and answer "Y" to confirm.
Then we need to generate the Diffie-Hellman parameters, which takes a little while:
./build-dh
Next we also need to generate a TLS auth key:
open*** --genkey --secret keys/ta.key
A quick summary at this point: all the files we generated are in /etc/open***/easy-rsa/2.0/keys/. Remember this path; we will need it shortly.
3. Install radiusplugin
radiusplugin is a RADIUS plugin that lets Open*** authenticate users against a RADIUS server.
yum install -y libgcrypt libgpg-error libgcrypt-devel
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1.tar.gz
tar zxvf radiusplugin_v2.1.tar.gz
cd radiusplugin
make
cp radiusplugin.so /etc/open***
cp radiusplugin.cnf /etc/open***
Edit radiusplugin.cnf:
vi /etc/open***/radiusplugin.cnf
server
{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server.
	name=127.0.0.1
	# How many times should the plugin resend the request if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=1
	# The shared secret.
	sharedsecret=testing123
4. Configure Open***
cp /usr/share/doc/open***-2.2.1/sample-config-files/server.conf /etc/open***/
vi /etc/open***/server.conf
port 1194
proto udp
dev tun
# paths of the certificates and keys
ca /etc/open***/easy-rsa/2.0/keys/ca.crt
cert /etc/open***/easy-rsa/2.0/keys/server.crt
key /etc/open***/easy-rsa/2.0/keys/server.key
dh /etc/open***/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/open***/easy-rsa/2.0/keys/ta.key 0
client-config-dir /etc/raddb/clients.conf
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
client-cert-not-required
username-as-common-name
# load the radiusplugin.so plugin
plugin /etc/open***/radiusplugin.so /etc/open***/radiusplugin.cnf
# log file locations
log /var/log/open***.log
status /var/log/open***-status.log
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
# log level
verb 3
Change the system parameters:
vi /etc/sysctl.conf
Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
and apply it immediately:
sysctl -p
Configure iptables:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.2
iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
service iptables save
service iptables restart
chkconfig open*** on
service open*** start
192.168.1.2 is your server's IP.
IV. Install daloRADIUS
wget http://download.pear.php.net/package/DB-1.7.14RC2.tgz
pear install DB-1.7.14RC2.tgz
wget http://nchc.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
tar -zxvf daloradius-0.9-9.tar.gz
mv daloradius-0.9-9 daloradius
cp -rf daloradius/* /var/www/html/
chown apache:apache -R /var/www/html/
chmod 644 /var/www/html/library/daloradius.conf.php
cd /var/www/html/contrib/db/
mysql -u root -p radius < mysql-daloradius.sql
Edit the daloRADIUS configuration file:
vi /var/www/html/library/daloradius.conf.php
###########
$configValues['DALORADIUS_VERSION'] = '0.9-9';
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radpass';
$configValues['CONFIG_DB_NAME'] = 'radius';
$configValues['CONFIG_DB_TBL_RADCHECK'] = 'radcheck';
$configValues['CONFIG_DB_TBL_RADREPLY'] = 'radreply';
$configValues['CONFIG_DB_TBL_RADGROUPREPLY'] = 'radgroupreply';
$configValues['CONFIG_DB_TBL_RADGROUPCHECK'] = 'radgroupcheck';
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
$configValues['CONFIG_DB_TBL_RADNAS'] = 'nas';
$configValues['CONFIG_DB_TBL_RADPOSTAUTH'] = 'radpostauth';
$configValues['CONFIG_DB_TBL_RADACCT'] = 'radacct';
...
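The RADIUS shared secret is set in both clients.conf and radiusplugin.cnf, and the MySQL password in both sql.conf and daloradius.conf.php. The script below is an added example (not from the original post, the FreeRADIUS or the daloRADIUS projects) that reads those four files, reports any pair that disagrees, and flags a secret still at the FreeRADIUS sample value; it assumes the files are copied into one directory and builds constructed samples for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the values that the
# files edited above must agree on. Runs on constructed copies in a temp dir;
# pass a directory holding the real files to audit a live server.

# Each helper prints the first matching value, without surrounding quotes.
clients_secret() { sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//' | head -n 1; }
plugin_secret()  { sed -n 's/^[[:space:]]*sharedsecret[[:space:]]*=[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//' | head -n 1; }
sqlconf_pass()   { sed -n 's/^[[:space:]]*password[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1; }
dalo_pass()      { sed -n "s/^.*CONFIG_DB_PASS'[[:space:]]*][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1; }

# audit DIR: DIR holds clients.conf, radiusplugin.cnf, sql.conf and
# daloradius.conf.php. Prints one line per finding; returns the finding count.
audit() {
  dir=$1; n=0
  a=$(clients_secret "$dir/clients.conf"); b=$(plugin_secret "$dir/radiusplugin.cnf")
  if [ -z "$a" ] || [ "$a" != "$b" ]; then
    echo "RADIUS secret mismatch: clients.conf='$a' radiusplugin.cnf='$b'"; n=$((n+1))
  fi
  if [ "$a" = "testing123" ]; then
    echo "RADIUS secret is still the FreeRADIUS sample value testing123"; n=$((n+1))
  fi
  c=$(sqlconf_pass "$dir/sql.conf"); d=$(dalo_pass "$dir/daloradius.conf.php")
  if [ -z "$c" ] || [ "$c" != "$d" ]; then
    echo "DB password mismatch: sql.conf='$c' daloradius.conf.php='$d'"; n=$((n+1))
  fi
  return $n
}

# write_samples DIR SECRET DALO_PASS: constructed files in the shape the post shows.
write_samples() {
  mkdir -p "$1"
  printf 'client 0.0.0.0 {\n\tipaddr=127.0.0.1\n\tsecret = %s\n\tshortname = localhost\n}\n' "$2" > "$1/clients.conf"
  printf 'server\n{\n\tauthport=1812\n\tsharedsecret=%s\n' "$2" > "$1/radiusplugin.cnf"
  printf 'login = "radius"\npassword = "radpass"\nradius_db = "radius"\n' > "$1/sql.conf"
  printf "\$configValues['CONFIG_DB_USER'] = 'radius';\n\$configValues['CONFIG_DB_PASS'] = '%s';\n" "$3" > "$1/daloradius.conf.php"
}

tmp=$(mktemp -d)
write_samples "$tmp/good" "Rotated-Secret-2024" "radpass"
audit "$tmp/good" && echo "good: all values consistent"
write_samples "$tmp/bad" "testing123" "wrongpass"
audit "$tmp/bad" || echo "bad: $? finding(s)"
```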
Create the daloRADIUS log file:
touch /tmp/daloradius.log
chown apache.apache /tmp/daloradius.log
After installation, open http://xxx.xxx.xxx.xxx and you will see daloRADIUS. The login username and password are
username: administrator
password: radius
V. Client setup
Download http://swupdate.open***.org/community/releases/open***-2.2.1-install.exe
The installation directory contains a config directory;
copy the three files ca.crt, ca.key and ta.key from the server into config.
Create a new text file with the following content:
client
dev tun
proto udp
remote 192.168.1.2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
Save it as client.o***; remote is your Open*** server's public IP, and the port is 1194.
Run open***-gui, right-click its icon in the lower-right corner of the desktop, choose Connect, and you will be connected to the Open*** server.
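As an added check covering both the server.conf in III.4 and the client files in V (example code written for this page, not part of the original post or of Open***): it verifies that every file the server configuration references exists and that the private key and ta.key are not readable by other users, and it inspects a client config directory for files that should not be there. It runs on a constructed temp tree with placeholder files standing in for keys; the directive names are the ones used in the server.conf above.

```shell
#!/bin/sh
# Added example, not from the original post: checks that the files a server.conf
# like the one above points at exist, that the private key and tls-auth key are
# mode 600, and that a client config directory holds only ca.crt and ta.key.
# Runs on a constructed tree in a temp dir (no real keys); pass the real paths
# to audit a deployment.
# conf_path CONF DIRECTIVE: first argument of a directive, e.g. "key /path/server.key".
conf_path() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }
# check_server_conf CONF: prints findings and returns their count (0 = ok).
check_server_conf() {
  conf=$1; n=0
  for d in ca cert key dh tls-auth; do
    f=$(conf_path "$conf" "$d")
    if [ -z "$f" ]; then echo "missing directive: $d"; n=$((n+1)); continue; fi
    if [ ! -f "$f" ]; then echo "$d: file not found: $f"; n=$((n+1)); continue; fi
    case $d in
      key|tls-auth)
        perm=$(ls -ld "$f" | cut -c1-10)
        [ "$perm" = "-rw-------" ] || { echo "$d: $f is $perm, expected -rw-------"; n=$((n+1)); } ;;
    esac
  done
  return $n
}
# check_client_dir DIR: needs ca.crt and ta.key; CA and server private keys must not be there.
check_client_dir() {
  n=0
  for f in ca.key server.key; do
    [ ! -e "$1/$f" ] || { echo "client dir contains $f, which must not leave the server"; n=$((n+1)); }
  done
  for f in ca.crt ta.key; do
    [ -e "$1/$f" ] || { echo "client dir lacks $f"; n=$((n+1)); }
  done
  return $n
}
# make_demo DIR: constructed tree with placeholder files, a server.conf pointing at them,
# and a client dir that wrongly includes ca.key.
make_demo() {
  mkdir -p "$1/keys" "$1/client"
  for f in ca.crt ca.key server.crt server.key dh1024.pem ta.key; do echo placeholder > "$1/keys/$f"; done
  chmod 600 "$1/keys/ca.key" "$1/keys/server.key" "$1/keys/ta.key"
  printf 'port 1194\nproto udp\ndev tun\nca %s/ca.crt\ncert %s/server.crt\nkey %s/server.key\ndh %s/dh1024.pem\ntls-auth %s/ta.key 0\n' \
    "$1/keys" "$1/keys" "$1/keys" "$1/keys" "$1/keys" > "$1/server.conf"
  cp "$1/keys/ca.crt" "$1/keys/ta.key" "$1/keys/ca.key" "$1/client/"
}
demo=$(mktemp -d); make_demo "$demo"
check_server_conf "$demo/server.conf" && echo "server.conf: ok"
check_client_dir "$demo/client" || echo "client dir: $? finding(s)"
```

The client needs only ca.crt and ta.key; ca.key is the CA's private key and should stay on the server.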
转载于:https://blog.51cto.com/ljl2013/1344513