×××: installing and configuring PPTP + MySQL + FreeRADIUS
MySQL stores the *** accounts
FreeRADIUS authenticates the *** accounts
1. Install ppp
2. Install pptp
The configuration files are as follows:
# vim options.pptpd
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
ms-dns 218.85.157.99
ms-dns 218.85.152.99
plugin /usr/local/ppp/lib/pppd/2.4.4/radius.so
plugin /usr/local/ppp/lib/pppd/2.4.4/radattr.so
radius-config-file /usr/local/freeradius/etc/radiusclient/radiusclient.conf
# vim pptpd.conf
option /usr/local/pptpd/etc/options.pptpd
localip 192.168.100.100
remoteip 192.168.100.150-200
In the original the newly added lines were highlighted in yellow; that highlighting is not preserved here.
3. Install mysql
4. Install freeradius
# tar zxvpf freeradius-server-2.1.10.tar.gz -C ../software
# ./configure --prefix=/usr/local/freeradius
# make
# make install
# mkdir /usr/local/freeradius/etc/radiusclient
# cp /usr/local/src/tarbag/ppp-2.4.4/pppd/plugins/radius/etc/* \
/usr/local/freeradius/etc/radiusclient
# chown -R radiusd:radiusd /usr/local/freeradius   // the radiusd user and group must exist already
# vim servers   // in /usr/local/freeradius/etc/radiusclient/; set the key, which must be identical to the secret for this client in FreeRADIUS's clients.conf
#Server Name or Client/Server pair Key
#---------------- ---------------
#localhost testing123
localhost ***
# /usr/local/freeradius/sbin/radiusd -X   // first run in debug mode; this generates the certificates in raddb/certs
If you want to change the key, delete the previously generated certificate files first:
# cd /usr/local/freeradius/etc/raddb/certs
# rm -rf *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
5. Link FreeRADIUS to MySQL
The SQL files are under /usr/local/freeradius/etc/raddb/sql/mysql; the schema and the grant statements are already written there.
>create database ***;
>use ***;   // select the database first, otherwise the schema below is loaded into no database
>source /usr/local/freeradius/etc/raddb/sql/mysql/schema.sql
>source /usr/local/freeradius/etc/raddb/sql/mysql/nas.sql
>source /usr/local/freeradius/etc/raddb/sql/mysql/ippool.sql
>source /usr/local/freeradius/etc/raddb/sql/mysql/wimax.sql
>grant select,insert,update,delete on `***`.* to 'user'@'x.x.x.x' identified by 'password';
>insert into radgroupreply (groupname,attribute,op,value) \
values ('user','Auth-Type',':=','Local');   // Auth-Type is a check item, so as a reply attribute this row has no effect
>insert into radgroupreply (groupname,attribute,op,value) \
values ('user','Service-Type','=','Framed-User');
>insert into radgroupreply (groupname,attribute,op,value) \
values ('user','Framed-IP-Netmask','=','255.255.255.255');
>insert into radgroupreply (groupname,attribute,op,value) \
values ('user','Framed-IP-Netmask',':=','255.255.255.0');   // ':=' overrides the '=' row above, so 255.255.255.0 is what gets sent
>insert into radcheck (username,attribute,value) \
values ('test','User-Password','123456');   // op defaults to '=='; FreeRADIUS 2.x prefers Cleartext-Password with op ':='
// MS-CHAPv2 needs the server to hold the cleartext password or its NT-Password hash, so this table holds recoverable credentials: keep the grant above and access to the database host as narrow as possible
>insert into radusergroup (username,groupname) values ('test','user');
>insert into radgroupcheck (groupname,attribute,op,value) \
values ('user','Simultaneous-Use',':=','1');   // allow only one concurrent session per account; this needs accounting into radacct to be enabled, otherwise the server cannot see existing sessions
>insert into radreply (username,attribute,op,value) \
values ('***name','Framed-IP-Address',':=','xxx.xxx.xxx.xxx');   // assign a fixed IP to one user
6. Point FreeRADIUS at the database
# vim /usr/local/freeradius/etc/raddb/sql.conf
Set the database type, server address, username, password, database name and table names to match the grant above.
Uncomment readclients = yes (remove the leading #) so NAS entries are loaded from the nas table.
7. Enable the sql module
# vim /usr/local/freeradius/etc/raddb/sites-enabled/default
Comment out the files line (add a leading #) and uncomment the sql line (remove its #) in the authorize section; for Simultaneous-Use to work, also uncomment sql in the accounting and session sections.
# vim /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
Same change: comment out files, uncomment sql.
8. Change the EAP type
# vim /usr/local/freeradius/etc/raddb/eap.conf
Change default_eap_type = md5 to default_eap_type = peap
9. Fix the paths in the radiusclient configuration
# vim /usr/local/freeradius/etc/radiusclient/radiusclient.conf
Replace every /usr/local/etc/ with /usr/local/freeradius/etc/
10. Run radiusd as the radiusd user
# vim /usr/local/freeradius/etc/raddb/radiusd.conf
user = radiusd
group = radiusd
11. Edit clients.conf
# vim /usr/local/freeradius/etc/raddb/clients.conf
secret = ***   // must be identical to the key in the radiusclient servers file, otherwise the pppd plugin cannot validate radiusd's replies
client 192.168.100.0/24 {
secret = ***
shortname = ***-network
}
Note that listing the whole 192.168.100.0/24 pool as a client lets every dialed-in host that knows the secret talk to radiusd as a NAS; a single entry for the PPTP server's own address is the narrower choice.
12. Edit the dictionary
# vim /usr/local/freeradius/etc/radiusclient/dictionary
INCLUDE /usr/local/freeradius/etc/radiusclient/dictionary.microsoft
INCLUDE /usr/local/freeradius/etc/radiusclient/dictionary.ascend
INCLUDE /usr/local/freeradius/etc/radiusclient/dictionary.merit
INCLUDE /usr/local/freeradius/etc/radiusclient/dictionary.compat
13. Test the account
# /usr/local/freeradius/bin/radtest test 123456 localhost 1812 ***
Sending Access-Request of id 7 to 127.0.0.1 port 1812
User-Name = "JSB_TEST_11"
User-Password = "ABC1234567890?aaa"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=7, length=32
Service-Type = Framed-User
Framed-IP-Netmask = 255.255.255.0
(The output above was captured for a different account than the one in the command; the shape is the same. radtest's arguments are user, password, server, NAS port number and secret, so the 1812 in the command is the NAS-Port attribute and the server port stays at the default 1812. The reply carries the two group reply attributes from radgroupreply, 6 bytes each on top of the 20-byte header, hence length=32.)
An Access-Accept means the account authenticates, but not necessarily that it can log in (a disabled account still gets an Accept here yet cannot connect); an Access-Reject means authentication failed.
===========================================================
Separating the ppp/pptp log
# vim /etc/syslog.conf
daemon.* /var/log/ppp.log
# service syslog restart
pppd logs to the daemon facility, so anything else logging to that facility also ends up in this file.
Why some websites render incompletely or fail to load after dialing into the ×××, and how to fix it:
MTU: Maximum Transmission Unit
MSS: Maximum Segment Size
MTU = MSS (application-layer data) + TCP header + IP header
The MSS of a connection is settled during the TCP handshake: each side advertises the MSS it can accept, and the smaller of the two values is used for the connection.
TCP header: 20 bytes (without options)
IP header: 20 bytes (without options)
An IP datagram larger than the MTU has to be fragmented.
If the DF (Don't Fragment) flag is set in the IP header, it must not be fragmented.
A datagram that exceeds the MTU and cannot be fragmented is dropped, and an ICMP error is returned: Destination Unreachable, Fragmentation Needed (type 3, code 4). The PPTP tunnel has a smaller MTU than the plain Ethernet path, and when that ICMP message is filtered somewhere along the way the sender never learns about it, keeps sending full-size segments and the transfer stalls; that is the half-loaded page.
Fix:
iptables -A FORWARD -p tcp --syn -s 192.168.100.0/24 -j TCPMSS --set-mss 1356
Every TCP SYN coming from 192.168.100.0/24 gets its MSS option set to 1356 (the target only lowers the value, it never raises it). The number should be the tunnel MTU minus the 40 bytes of IP and TCP headers; --clamp-mss-to-pmtu derives it from the outgoing interface's MTU instead of a fixed value. Because the MSS a host advertises bounds what its peer may send to it, this rule limits the segments the remote server sends back into the tunnel; to bound the client's own outbound segments as well, apply the same target to the SYN-ACKs heading into the pool (-d 192.168.100.0/24 --tcp-flags SYN,ACK SYN,ACK).
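The rewrite that the TCPMSS rule performs, as an added example that is not part of the original notes: a Python reimplementation of the rule's behaviour on a constructed SYN. It lowers the MSS option and never raises it (the kernel target behaves the same way), recomputes the TCP checksum over the IPv4 pseudo-header, and leaves non-SYN and non-TCP packets untouched. The addresses, ports and the remote host are stand-ins; nothing is sent on the wire.

```python
"""What the TCPMSS rule does on the wire: rewrite the MSS option of a TCP SYN
and fix the TCP checksum. Added example, not from the original notes; the
packets are constructed in build_syn() and nothing is transmitted."""
import ipaddress
import struct


def ones_complement_sum(data):
    """RFC 1071 checksum over 16-bit big-endian words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, tcp):
    """TCP checksum covers the IPv4 pseudo-header: src, dst, zero, proto 6, TCP length."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(pseudo + tcp)


def build_syn(src, dst, sport, dport, mss, flags=0x02):
    """Constructed sample: IPv4 (DF set) + TCP header with one MSS option (kind 2, len 4)."""
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    opts = struct.pack("!BBH", 2, 4, mss)
    doff = (20 + len(opts)) // 4                      # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, doff << 4, flags, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_b, dst_b, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def read_mss(packet):
    """Walk the TCP options; return (offset of the MSS option in the TCP header, MSS) or (None, None)."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i + 1 < doff:
        kind = tcp[i]
        if kind == 0:                                 # end of option list
            break
        if kind == 1:                                 # NOP, one byte, no length
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:
            break
        if kind == 2 and length == 4 and i + 4 <= doff:
            return i, struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += length
    return None, None


def clamp_mss(packet, max_mss):
    """Like iptables -j TCPMSS --set-mss: only segments with SYN set, and only ever lower the MSS."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or not (packet[ihl + 13] & 0x02):
        return packet
    off, old = read_mss(packet)
    if old is None or old <= max_mss:
        return packet
    tcp = bytearray(packet[ihl:])
    tcp[off + 2:off + 4] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"                         # zero the field before recomputing
    tcp[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def tcp_checksum_ok(packet):
    """Summing a correctly checksummed segment, checksum field included, yields 0."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_syn("192.168.100.150", "203.0.113.10", 40000, 443, 1460)
    clamped = clamp_mss(syn, 1356)
    print(read_mss(syn)[1], "->", read_mss(clamped)[1], tcp_checksum_ok(clamped))
```

Feed clamp_mss() a SYN advertising the usual Ethernet MSS of 1460 and it comes back advertising 1356 with a valid checksum; a SYN already advertising 1200, a plain ACK or a UDP datagram come back unchanged, which is exactly the set of packets the iptables rule leaves alone.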