The previous post recorded how the PPTP VPN was set up and given a quick functional test. Usernames and passwords lived in the flat-file database /etc/ppp/chap-secrets, which is workable for a handful of accounts; once the user count grows, authentication should be moved to a database lookup. This post covers storing the PPTP VPN usernames and passwords in MySQL, with FreeRADIUS doing the lookup on behalf of pptpd.
I. Installing and integrating mysql-server and freeradius (rpm packages, as in the previous post)
1. Install the packages
#yum -y install mysql* freeradius*
2. Configure the database
# service mysqld start
# mysql
mysql> use mysql
mysql> delete from user where user='';
mysql> update user set password=PASSWORD('password');
mysql> flush privileges;
mysql> create database radius;
mysql> use radius;
mysql> source /etc/raddb/sql/mysql/admin.sql;
mysql> source /etc/raddb/sql/mysql/cui.sql;
mysql> source /etc/raddb/sql/mysql/nas.sql;
mysql> source /etc/raddb/sql/mysql/schema.sql;
mysql> source /etc/raddb/sql/mysql/wimax.sql;
mysql> insert into radcheck (username,attribute,op,value)
    -> values ('yang','Cleartext-Password',':=','yang123!');
Note the attribute name: FreeRADIUS expects the known-good password in Cleartext-Password with the := operator. The form originally used here, attribute `password` with `==`, is accepted for compatibility, but radiusd rewrites it internally and prints the "Replacing User-Password in config items with Cleartext-Password" warning that shows up in the debug output in section III.
3. Edit the configuration files. The leading number on each line below is the line number in the file as shipped by the EL6 rpm; set that line to the value shown. sql.conf connects to MySQL as root here for brevity; a dedicated account with privileges only on the radius database is the safer choice. `readclients = yes` makes radiusd load its RADIUS clients from the `nas` table in addition to clients.conf.
# vi /etc/raddb/radiusd.conf
700 $INCLUDE sql.conf
# vi /etc/raddb/sql.conf
28 database = "mysql"
33 driver = "rlm_sql_${database}"
36 server = "localhost"
38 login = "root"
39 password = "password"
42 radius_db = "radius"
50 acct_table1 = "radacct"
51 acct_table2 = "radacct"
100 readclients = yes
In the default virtual server, comment out `files` and `unix` and enable `sql` in authorize, preacct, session and post-auth (authenticate only loses `unix`; mschap stays):
# vi /etc/raddb/sites-enabled/default
69 authorize {
170 # files
177 sql
252 authenticate {
297 # unix
333 preacct {
372 # files
389 # unix
406 sql
449 session {
454 sql
461 post-auth {
475 sql
# vi /etc/raddb/sites-enabled/inner-tunnel
125 # files
132 sql
224 # unix
256 sql
276 sql
4. Test the FreeRADIUS/MySQL integration
# radtest yang yang123! 127.0.0.1 10 testing123
A reply of `rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=101, length=20` means FreeRADIUS found the user in MySQL and the integration works.
`testing123` here is the shared secret for the localhost client entry in /etc/raddb/clients.conf (the rpm default); confirm it with:
# grep -v '^#' /etc/raddb/clients.conf |grep -v '#' |grep -v '^$'
II. Integrating pptpd with FreeRADIUS
1. Check which ppp version the system has installed
# rpm -qa |grep ppp
ppp-2.4.5-10.el6.x86_64
2. Download the source tarball for the same version and take the sample radiusclient configuration from it. The radius plugin itself (radius.so, referenced in step 3) ships with the ppp rpm; the tarball is only needed for the sample files under etc/.
# tar -zxvpf ppp-2.4.5.tar.gz
# mkdir /etc/ppp/radius
# cp -R ppp-2.4.5/pppd/plugins/radius/etc/ /etc/ppp/radius/
# cat /etc/ppp/radius/etc/radiusclient.conf
auth_order radius
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/ppp/radius/etc/issue
authserver localhost:1812
acctserver localhost:1813
servers /etc/ppp/radius/etc/servers
dictionary /etc/ppp/radius/etc/dictionary
login_radius /usr/local/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/ppp/radius/etc/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login
# tail -4 /etc/ppp/radius/etc/dictionary
INCLUDE /etc/ppp/radius/etc/dictionary.microsoft
INCLUDE /etc/ppp/radius/etc/dictionary.ascend
INCLUDE /etc/ppp/radius/etc/dictionary.merit
INCLUDE /etc/ppp/radius/etc/dictionary.compat
3. Edit options.pptpd so pppd loads the radius plugin
# tail -2 /etc/ppp/options.pptpd
plugin /usr/lib64/pppd/2.4.5/radius.so
radius-config-file /etc/ppp/radius/etc/radiusclient.conf
4. Set the RADIUS shared secret. The secret in the servers file must be identical to the one in the matching client entry of /etc/raddb/clients.conf on the radiusd host:
# grep -v '^#' /etc/ppp/radius/etc/servers
localhost tesing123
III. Client dial-in test and debugging
Dialing in from the client fails with: rc_check_reply: received invalid reply digest from RADIUS server
Running radiusd in debug mode to watch the exchange shows no error at all on the server side:
# service radiusd stop
# radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1 port 43268, id=213, length=148
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "yang"
MS-CHAP-Challenge = 0x939a7b4308644d99c2f5f9b777207c42
MS-CHAP2-Response = 0xbc00666bc61ad32272c3ea4db4937b4bd9b4000000000000000000f4da56184820a839a25c1ba0fc5a9f239bf6be4fed9da2
Calling-Station-Id = "27.151.123.121"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] = ok
++[digest] = noop
[suffix] No '@' in User-Name = "yang", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[sql] expand: %{User-Name} -> yang
[sql] sql_set_user escaped user --> 'yang'
rlm_sql (sql): Reserving sql socket id: 30
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'yang' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'yang' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'yang' ORDER BY priority
rlm_sql (sql): Released sql socket id: 30
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/sites-enabled/default
+group MS-CHAP {
[mschap] Creating challenge hash with username: yang
[mschap] Client is using MS-CHAPv2 for yang, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+group post-auth {
[sql] expand: %{User-Name} -> yang
[sql] sql_set_user escaped user --> 'yang'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'yang', '', 'Access-Accept', '2016-06-29 17:05:21')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'yang', '', 'Access-Accept', '2016-06-29 17:05:21')
rlm_sql (sql): Reserving sql socket id: 29
rlm_sql (sql): Released sql socket id: 29
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 213 to 127.0.0.1 port 43268
Password == "yang123!"
MS-CHAP2-Success = 0xbc533d42383941354543303444354634354438323638414534323146323944344144443935424246433130
MS-MPPE-Recv-Key = 0xf60049baea9bf3462b5b90d8311848fd
MS-MPPE-Send-Key = 0x59e4dc74e5310b0fdb7ef0bf10ff10f4
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 213 with timestamp +11
Ready to process requests.
A search turned up the relevant hint in this thread:
https://community.ubnt.com/t5/EdgeMAX/PPTP-L2TP-Radius-Problem/td-p/630855
The error comes from the pppd radius plugin, which verifies the Response Authenticator of every reply with its own copy of the shared secret; radiusd computes that digest with the secret from clients.conf. Compare the two files above: clients.conf has `testing123` (which is why radtest succeeded), while /etc/ppp/radius/etc/servers has `tesing123`. Any difference between the two copies makes the client discard the reply, and the server never notices, because an MS-CHAP Access-Request carries nothing that depends on the secret; hence the clean Access-Accept in the debug output. Setting the secret to the same value, `test`, on both sides (clients.conf and servers), restarting radiusd and pptpd and dialing again: everything works.
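To make the failure mode concrete, here is the check the client performs, as an added example that is not part of the original post and not taken from radiusclient or FreeRADIUS source: it builds an Access-Accept the way the server does (RFC 2865 section 3, Response Authenticator = MD5 over Code, Identifier, Length, Request Authenticator, Attributes and the secret) and then validates it with a matching secret and with the one-letter typo from the servers file. The Request Authenticator and reply attributes are constructed values, not the ones from the capture above; `build_reply`, `check_reply_digest` and `demo` are names chosen for the example.

```python
"""Added example: the client-side reply check behind
'rc_check_reply: received invalid reply digest from RADIUS server'.

RFC 2865 section 3: a RADIUS reply carries a Response Authenticator equal to
MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret).
The NAS (here pppd's radius plugin) recomputes it with its own copy of the
secret; if the two copies differ by even one character the digests differ and
the reply is discarded on the client, while the server saw nothing wrong.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
HEADER_LEN = 20


def attribute(type_code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", type_code, 2 + len(value)) + value


def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What radiusd does when it sends a reply for a request."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def check_reply_digest(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check radiusclient's rc_check_reply performs before trusting a reply."""
    if len(reply) < HEADER_LEN:
        return False
    header, received_auth, attrs = reply[:4], reply[4:HEADER_LEN], reply[HEADER_LEN:]
    (declared_len,) = struct.unpack("!H", header[2:4])
    if declared_len != len(reply):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, received_auth)


# Constructed values for the demonstration; not taken from the capture in the post.
REQUEST_AUTH = bytes(range(16))                     # 16-byte Request Authenticator
REPLY_ATTRS = (
    attribute(6, struct.pack("!I", 2))              # Service-Type = Framed-User
    + attribute(7, struct.pack("!I", 1))            # Framed-Protocol = PPP
)


def demo() -> dict:
    """Server signs with the clients.conf secret; the client checks with two candidates."""
    reply = build_reply(ACCESS_ACCEPT, 213, REQUEST_AUTH, REPLY_ATTRS, b"testing123")
    return {
        "matching_secret": check_reply_digest(reply, REQUEST_AUTH, b"testing123"),
        "typo_in_servers_file": check_reply_digest(reply, REQUEST_AUTH, b"tesing123"),
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry explains why `radiusd -X` looked healthy: the Access-Request shown above contains no User-Password (which would be encrypted with the secret) and no Message-Authenticator attribute, so the server has nothing to verify the secret against and answers Access-Accept. Only the NAS, recomputing the reply digest, sees the mismatch. RFC 2869's Message-Authenticator (an HMAC-MD5 over the request keyed with the secret) is what would let the server reject such a request at the door.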
The database now records the dial-in sessions (the radpostauth row in the debug output above; accounting goes to radacct).
That completes PPTP VPN user authentication against MySQL through FreeRADIUS. Keep in mind what the database now holds: MS-CHAPv2 needs the cleartext password or its NT hash as the known-good value, and either one is enough to log in as that user, so restrict access to the radius database and to the account FreeRADIUS uses. Per-user traffic control and limiting each account to a single simultaneous session will be covered in the next post.