Ключевые слова: vpn, radius, auth, aaa, billing, pptp, freebsd
From: Cyrill Malevanov <cyrill@malevanov.spb.ru>
Newsgroups: email
Date: Mon, 11 Nov 2003 14:31:37 +0000 (UTC)
Subject: Установка VPN с использованием MPD + FreeRadius
Установка VPN с использованием MPD+FreeRadius
В статье рассматривается установка VPN-сервера, совместимого с MS
WindowsTM. Заранее предполагается, что уже установлена СУБД
PostgreSQL, в ней будет храниться информация о пользователях.
Disclaimer
Я ни в коем разе не претендую, что установка сделана правильно,
корректно, "так как надо" и прочая. Я описываю только то, что у меня
работает.
Установка FreeRadius
Сначала необходимо установить и настроить FreeRadius.
cd /usr/ports/net/freeradius
make install
Удалять файлы, которые получились при работе установщика, мы пока не
будем, так как они нам понадобятся.
Заходим в /usr/local/etc/raddb, копируем файлы dictionary.*.sample в
dictionary.* - это файлы словарей атрибутов, которые используются
различными сервисами
Теперь создаем пустой файл acct-users, затем файл attrs со следующим
содержимым:
DEFAULT
Service-Type == Framed-User,
Service-Type == Login-User,
Login-Service == Telnet,
Login-Service == Rlogin,
Login-Service == TCP-Clear,
Login-TCP-Port <= 65536,
Framed-IP-Address == 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-Protocol == PPP,
Framed-Protocol == SLIP,
Framed-Compression == Van-Jacobson-TCP-IP,
Framed-MTU >= 576,
Framed-Filter-ID =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout <= 28800,
Idle-Timeout <= 600,
Port-Limit <= 2
В файле clients прописываем IP-адреса тех хостов, которые будут
обращаться к радиусу, и для каждого хоста задаем пароль:
# Client Name Key
#---------------- ----------
#portmaster1.isp.com testing123
#portmaster2.isp.com testing123
#proxyradius.isp2.com TheirKey
192.168.1.200 test1
localhost test2
Файл clients вообще относится к obsoleted (устаревшим), но просто
оставим его, на случай каких-либо несовместимостей.
Точно ту же информацию, но в другом формате, заносим в файл
clients.conf:
# clients.conf - client configuration directives
#
# This file is included by default. To disable it, you will need
# to modify the CLIENTS CONFIGURATION section of "radiusd.conf".
#
#######################################################################
#######################################################################
#
# Definition of a RADIUS client (usually a NAS).
#
# The information given here overrides anything given in the 'clients'
# file, or in the 'naslist' file. The configuration here contains
# all of the information from those two files, and also allows for more
# configuration items.
#
# The "shortname" can be used for logging, and the "nastype",
# "login" and "password" fields are mainly used for checkrad and are
# optional.
#
#
# Defines a RADIUS client. The format is 'client [hostname|ip-address]'
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
client 127.0.0.1 {
#
# The shared secret used to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 32 characters in length.
#
# NOTE(review): 'test2' is a trivially guessable value, and the same
# string is reused for the 10.1.1.1 client further down in this file
# and in the legacy 'clients' file. Since this secret is the only key
# used to "encrypt" and "sign" packets as described above, give every
# client its own long random secret before putting this into service.
#
secret = test2
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nastype = other # localhost isn't usually a NAS...
#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
}
client 192.168.1.200 {
# NOTE(review): the same host/secret pair ('192.168.1.200 test1') is
# also listed in the obsolete 'clients' file. The header above says
# this file overrides that one, so either keep both in sync or drop
# the legacy file to avoid silent drift; and replace 'test1' with a
# long random secret.
secret = test1
shortname = user
}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
# secret = testing123-1
# shortname = private-network-1
#}
#
#client 192.168.0.0/16 {
# secret = testing123-2
# shortname = private-network-2
#}
client 10.1.1.1 {
# # secret and password are mapped through the "secrets" file.
# NOTE(review): 'test2' is the same secret used for the localhost
# client above. 10.1.1.1 is also the address radiusd binds to
# (bind_address in radiusd.conf), so this entry should get its own
# long random secret rather than sharing one with another client.
secret = test2
shortname = local
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
nastype = other
# login = !root
# password = someadminpas
}
Создаем файл hints со следующим содержимым:
DEFAULT Suffix = ".ppp", Strip-User-Name = Yes
Hint = "PPP",
Service-Type = Framed-User,
Framed-Protocol = PPP
DEFAULT Suffix = ".slip", Strip-User-Name = Yes
Hint = "SLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP
DEFAULT Suffix = ".cslip", Strip-User-Name = Yes
Hint = "CSLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
Создаем пустой файл huntgroups и файл naslist со следующим
содержанием:
localhost local portslave
Создаем пустой файл preproxy_users и файл users следующего содержания:
# Forces Auth-Type MS-CHAP for every user (the text below notes that
# both MS-CHAP v1 and v2 clients are accepted).
# NOTE(review): the strength of the resulting VPN session depends on
# the mschap module's MPPE settings (use_mppe, require_encryption,
# require_strong in radiusd.conf); they are commented out in the
# listing below, so the tunnel may be negotiated without encryption.
DEFAULT Auth-Type := MS-CHAP
Здесь мы задаем, что все пользователи должны использовать тип
аутентификации MS-CHAP, версий 1 или 2. Все версии MS WindowsTM
благополучно аутентифицируются по этому протоколу.
Затем настраиваем доступ FreeRadius к PostgreSQL, для этого копируем
файл postgresql.conf.sample в postgresql.conf и меняем одну строчку:
находим строку, начинающуюся с
authorize_group_check_query
и меняем текст запроса на
"SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,
${groupcheck_table}.Value,${groupcheck_table}.Op FROM ${groupcheck_table},
${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}'
AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName
ORDER BY ${groupcheck_table}.id"
-------------------
Файл proxy.conf:
-------------------
proxy server {
#
# If the NAS re-sends the request to us, we can immediately re-send
# the proxy request to the end server. To do so, use 'yes' here.
#
# If this is set to 'no', then we send the retries on our own schedule,
# and ignore any duplicate NAS requests.
#
# If you want to have the server send proxy retries ONLY when the NAS
# sends its retries to the server, then set this to 'yes', and
# set the other proxy configuration parameters to 0 (zero).
#
synchronous = no
#
# The time (in seconds) to wait for a response from the proxy, before
# re-sending the proxied request.
#
# If this time is set too high, then the NAS may re-send the request,
# or it may give up entirely, and reject the user.
#
# If it is set too low, then the RADIUS server which receives the proxy
# request will get kicked unnecessarily.
#
retry_delay = 5
#
# The number of retries to send before giving up, and sending a reject
# message to the NAS.
#
retry_count = 3
#
# If the home server does not respond to any of the multiple retries,
# then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'.
#
# If there are multiple entries configured for this realm, then the
# server will fail-over to the next one listed. If no more are listed,
# then no requests will be proxied to that realm.
#
#
# After a configurable 'dead_time', in seconds, FreeRADIUS will
# speculatively mark the home server active, and start sending requests
# to it again.
#
# If this dead time is set too low, then you will lose requests,
# as FreeRADIUS will quickly switch back to the home server, even if
# it isn't up again.
#
# If this dead time is set too high, then FreeRADIUS may take too long
# to switch back to the primary home server.
#
# Realistic values for this number are in the range of minutes to hours.
# (60 to 3600)
#
dead_time = 120
# If you choose to list a realm more than once for fall-through or
# round-robin, then specify the total number of alternates here. Specify
# a ldflag attribute for all realms to be included in a round-robin
# setup. Currently (0 or fail_over) and (1 or round_robin) are the
# supported values for ldflag. Fail-Over is the default setup.
#
servers_per_realm = 15
#
# If all exact matching realms did not respond, we can try the
# DEFAULT realm, too. This is what the server normally does.
#
# This behaviour may be undesired for some cases. e.g. You are proxying
# for two different ISP's, and then act as a general dial-up for Gric.
# If one of the first two ISP's has their RADIUS server go down, you do
# NOT want to proxy those requests to GRIC. Instead, you probably want
# to just drop the requests on the floor. In that case, set this value
# to 'no'.
#
# allowed values: {yes, no}
#
default_fallback = yes
}
---------------------
Файл radiusd.conf:
---------------------
#
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.123 2002/11/12 20:22:48 aland Exp $
##
# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
#
# The logging messages for the server are appended to the
# tail of this file.
#
log_file = ${logdir}/radius.log
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = ${exec_prefix}/lib
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root ( or have root privileges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in daemon mode, it may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
user = nobody
group = nogroup
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 5
# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
#
# If you're running in threaded, or thread pool mode, this setting
# should probably be 'no'. Setting it to 'yes' when using a threaded
# server MAY cause the server to crash!
#
delete_blocked_requests = no
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024
# bind_address: Make the server listen on a particular IP address, and
# send replies out from that address. This directive is most useful
# for machines with multiple IP addresses on one interface.
#
# It can either contain "*", or an IP address, or a fully qualified
# Internet domain name. The default is "*"
#
bind_address = 10.1.1.1
# port: Allows you to bind FreeRADIUS to a specific port.
#
# The default port that most NAS boxes use is 1645, which is historical.
# RFC 2138 defines 1812 to be the new port. Many new servers and
# NAS boxes use 1812, which can create interoperability problems.
#
# The port is defined here to be 0 so that the server will pick up
# the machine's local configuration for the radius port, as defined
# in /etc/services.
#
# If you want to use the default RADIUS port as defined on your server,
# (usually through 'grep radius /etc/services') set this to 0 (zero).
#
# A port given on the command-line via '-p' over-rides this one.
#
port = 1812
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = yes
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
log_auth = yes
# Log passwords with the authentication requests.
# log_auth_badpass - logs password if it's rejected
# log_auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
# NOTE(review): with log_auth_badpass = yes, every rejected password is
# written in clear text to log_file (${logdir}/radius.log). Rejected
# attempts are frequently mistyped real passwords, so treat that log
# as sensitive (restrict read access) and consider setting this back
# to 'no' once the setup has been debugged.
log_auth_badpass = yes
log_auth_goodpass = no
# usercollide: Turn "username collision" code on and off. See the
# "doc/duplicate-users" file
#
usercollide = no
# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
# If "before", the server will first modify the request and then try
# to auth the user. If "after", the server will first auth using the
# values provided by the user. If that fails it will reprocess the
# request after modifying it as you specify below.
#
# This is as close as we can get to case insensitivity. It is the
# admin's job to ensure that the username on the auth db side is
# *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
# NOTE(review): 'yes' is not one of the valid values listed above;
# confirm that the server honors it. If lowercasing the username is
# intended, 'before' is presumably the value wanted here.
lower_user = yes
lower_pass = no
# nospace_user / nospace_pass:
#
# Some users like to enter spaces in their username or password
# incorrectly. To save yourself the tech support call, you can
# eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
# NOTE(review): as with lower_user, 'yes' is not among the documented
# valid values; use 'before' or 'after' if space stripping is wanted,
# and verify the behaviour rather than assuming 'yes' is accepted.
nospace_user = yes
nospace_pass = no
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200
#
# delayed_reject: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# Normally this should be set to "no", because they're useless.
# See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
#
# However, certain NAS boxes may require them.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept packet, containing a Reply-Message attribute,
# which is a string describing how long the server has been
# running.
#
status_server = no
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
# NOTE(review): the proxy.conf shown for this setup contains only the
# 'proxy server' block and no realm definitions. If nothing is actually
# proxied to another server, set this to 'no' and comment out the
# $INCLUDE below, as recommended above, so requests cannot be forwarded
# by accident.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE ${confdir}/clients.conf
# SNMP CONFIGURATION
#
# Snmp configuration is only valid if you enabled SNMP support when
# you compiled radiusd.
#
$INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 2
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT to keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 10
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 2
max_spare_servers = 10
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
authtype = CHAP
}
unix {
#
# Cache /etc/passwd, /etc/shadow, and /etc/group
#
# The default is to NOT cache them.
#
# For FreeBSD, you do NOT want to enable the cache,
# as its password lookups are done via a database, so
# set this value to 'no'.
#
# Some systems (e.g. RedHat Linux with pam_pwbd) can
# take *seconds* to check a password, from a passwd
# file containing 1000's of entries. For those systems,
# you should set the cache value to 'yes', and set
# the locations of the 'passwd', 'shadow', and 'group'
# files, below.
#
# allowed values: {no, yes}
cache = no
# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600
#
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
# To force the module to use the system password functions,
# instead of reading the files, leave the following entries
# commented out.
#
# This is required for some systems, like FreeBSD,
# and Mac OSX.
#
# passwd = /etc/passwd
# shadow = /etc/shadow
# group = /etc/group
#
# Where the 'wtmp' file is located.
# This should be moved to its own module soon.
#
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
radwtmp = ${logdir}/radwtmp
}
# Microsoft CHAP authentication
#
# This module supports SAMBA passwd file authorization
# and MS-CHAP, MS-CHAPv2 authentication. However, we recommend
# using the 'passwd' module, below, as it's more general.
#
mschap {
# Location of the SAMBA passwd file
# passwd = /etc/smbpasswd
# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally should be MS-CHAP
authtype = MS-CHAP
# If ignore_password is set to yes mschap will
# ignore the password set by any other module during
# authorization and will always use the SAMBA password file
# ignore_password = yes
# NOTE(review): the 'users' file in this setup forces Auth-Type
# MS-CHAP for every user, so the three MPPE options below decide
# whether the PPP session negotiated by the VPN client is encrypted.
# For a VPN server they should normally be enabled (use_mppe = yes,
# require_encryption = yes, require_strong = yes). MS-CHAP v1 is
# generally regarded as weaker than v2; allow only v2 where clients
# support it.
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
# use_mppe = yes
# if mppe is enabled require_encryption makes
# encryption moderate
# require_encryption = yes
# require_strong always requires 128 bit key
# encryption
# require_strong = yes
}
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxes at the same time. The
# search order is defined by the order in the authorize and
# preacct blocks after the module config block.
#
# Two config options:
# format - must be 'prefix' or 'suffix'
# delimiter - must be a single character
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
}
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm realmslash {
format = prefix
delimiter = "/"
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
}
# rewrite arbitrary packets. Useful in accounting and authorization.
#
## This module is highly experimental at the moment. Please give
## feedback to the mailing list.
#
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
#
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply or config).
# searchfor,ignore_case and max_matches will be ignored in that case.
#
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", or "config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# new_attribute = no
# max_matches = 10
# ## If set to yes then the replace string will be appended to the original string
# append = no
#}
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
# huntgroups = ${confdir}/huntgroups
# hints = ${confdir}/hints
#
# This hack changes Ascend's weird port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
# with_ascend_hack = no
# ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
# with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
# with_specialix_jetstream_hack = no
# Cisco sends its VSA attributes with the attribute
# name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco NAS, you don't need
# this hack.
with_cisco_vsa_hack = no
}
# Livingston-style 'users' file
#
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can then copy your 'users'
# file from Cistron.
compat = no
}
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request. The Client-IP-Address attribute is ALWAYS
# the address of the client which sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
detailfile = ${logdir}/radius-detail.log
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users (accounting records, caller IDs).
# Keeping the file permissions restrictive — readable only by
# the user radiusd runs as, not world-readable — prevents
# unwanted people from seeing that information.
detailperm = 0644
}
# Create a unique accounting session Id. Many NASes re-use or
# repeat values for Acct-Session-Id, causing no end of
# confusion.
#
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc/rlm_acct_unique for
# more information.
#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
}
# Include another file that has the SQL-related configuration.
# This is another file solely because it tends to be big.
#
# The following configuration file is for use with MySQL.
#
# For Postgresql, use: ${confdir}/postgresql.conf
# For MS-SQL, use: ${confdir}/mssql.conf
#
$INCLUDE ${confdir}/postgresql.conf
# Write a 'utmp' style log file, of which users are currently
# logged in, and where they've logged in from.
#
radutmp {
filename = ${logdir}/radutmp
# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600
callerid = "yes"
}
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another instance of the radutmp module, but it is given
# the name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}/attrs
}
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or an integer we add the
# value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is omitted, days will be assumed. For example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
#
# The counter-name can also be used like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter {
filename = ${raddbdir}/db.counter
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
#
# The 'expression' module currently has no configuration.
expr {
}
# ANSI X9.9 token support. Not included by default.
# $INCLUDE ${confdir}/x99.conf
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to set up hints for the remote radius server
authorize {
preprocess
# chap
# counter
# attr_filter
# eap
suffix
# files
# etc_smbpasswd
sql
mschap
}
# Authentication.
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that you have to have a module from the 'authorize' section add
# a configuration attribute 'Auth-Type := FOO'. That authentication type
# is then used to pick the appropriate module from the list below.
#
# The default Auth-Type is Local. That is, whatever is not included inside
# an authtype section will be called only if Auth-Type is set to Local.
#
# So you should do the following:
# - Set Auth-Type to an appropriate value in the authorize modules above.
# For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc.
# - After that create corresponding authtype sections in the
# authenticate section below and call the appropriate modules.
authenticate {
# authtype CHAP {
# chap
# }
authtype MS-CHAP {
mschap
}
}
# Pre-accounting. Look for proxy realm in order of realms, then
# acct_users file, then preprocess (hints file).
preacct {
preprocess
suffix
# files
}
# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
acct_unique
detail
# counter
unix # wtmp file
sql
radutmp
# sradutmp
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
# radutmp
sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
#main_pool
}
-------------------
Файл snmp.conf оставляем пустым.
Прописывание пользователей в СУБД
Для начала необходимо создать базу данных и в ней создать таблицы.
Смотрим в postgresql.conf и видим там
server = "10.1.1.1"
login = "cm"
password = ""
# Database table configuration
radius_db = "radius"
Соответственно, нам надо создать базу данных radius от пользователя
cm.
/usr/local/pgsql/bin/createuser cm
/usr/local/pgsql/bin/createdb -U cm radius
/usr/local/pgsql/bin/psql -U cm radius
Теперь мы вошли в нужную нам базу данных и должны создать в ней
таблицы: \i
/usr/ports/net/freeradius/work/freeradius-0.8.1/src/modules/rlm_sql/drivers/rlm_sql_postgresql/db_postgresql.sql
\q
Теперь можно создавать пользователей. Предполагается, что радиус будет
проверять правильность пары login/password у пользователя и выдавать
IP-адрес. На каждого пользователя необходимо обладать следующей
информацией: login, password, ip. Тогда для каждого пользователя
получаем следующие 4 SQL-оператора:
insert into usergroup(username, groupname) values('login', 'users');
insert into radcheck(username, attribute, op, value) values('login', 'Password', ':=', 'password');
insert into radreply(username, attribute, op, value) values('login', 'Framed-IP-Address', ':=', 'IP');
insert into radreply(username, attribute, op, value) values('login', 'Framed-IP-Netmask', ':=', '255.255.255.255');
Всех пользователей заносим в базу данных.
Теперь можно запускать freeradius.
/usr/local/etc/rc.d/radiusd.sh start
Сообщений об ошибках в /var/log/radius.log быть не должно.
Проверка FreeRadius
Для проверки - с локальной машины (надеюсь, ее в clients.conf вписали)
выполняем
radtest user password <IP-адрес radius-сервера> 1812 <пароль к radius-серверу>
, например,
radtest testuser testpassword 10.1.1.1 1812 test2
Конечно, testuser и testpassword должны быть прописаны в базе
пользователей. В итоге получим:
Sending Access-Request of id 148 to 10.1.1.1:1812
User-Name = "testuser"
User-Password = "W\202$Y\374x\251p^\302M\376\202U\212\031"
NAS-IP-Address = host.domain
NAS-Port = 1812
rad_recv: Access-Accept packet from host 10.1.1.1:1812, id=41, length=32
Framed-IP-Address = 10.1.5.2
Framed-IP-Netmask = 255.255.255.255
То-есть, радиус-сервер проверил правильность пароля для этого
пользователя и выдал IP-адрес. В случае, если пароль не прошел, то
получим
rad_recv: Access-Reject packet from host 10.1.1.1:1812, id=148, length=20
-------------
Настройка mpd
-------------
mpd - это программа, способная обрабатывать различные соединения, в
том числе и входящие VPN. Именно это нам и интересно. Перед установкой
и настройкой mpd необходимо проверить, все ли необходимые опции есть в
ядре:
# netgraph(4). Enable the base netgraph code with the NETGRAPH option.
# Individual node types can be enabled with the corresponding option
# listed below; however, this is not strictly necessary as netgraph
# will automatically load the corresponding KLD module if the node type
# is not already compiled into the kernel. Each type below has a
# corresponding man page, e.g., ng_async(8).
options NETGRAPH #netgraph(4) system
options NETGRAPH_ASYNC
options NETGRAPH_BPF
options NETGRAPH_ECHO
options NETGRAPH_ETHER
options NETGRAPH_HOLE
options NETGRAPH_IFACE
options NETGRAPH_KSOCKET
options NETGRAPH_L2TP
options NETGRAPH_LMI
# MPPC compression requires proprietary files (not included)
#options NETGRAPH_MPPC_COMPRESSION
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_ONE2MANY
options NETGRAPH_PPP
options NETGRAPH_PPTPGRE
options NETGRAPH_RFC1490
options NETGRAPH_SOCKET
options NETGRAPH_TEE
options NETGRAPH_TTY
options NETGRAPH_UI
options NETGRAPH_VJC
Проверяем, есть ли они, если нет, то включаем в конфиг ядра и
перекомпилируем ядро. Возможен вариант с подключением netgraph в
качестве модуля ядра.
cd /usr/ports/net/mpd
make install clean distclean
Сервер поставился. Можно настраивать. Рекомендую использовать
последнюю версию mpd из портов, сейчас (22.10.2003) это 3.14. Создаем
файл /usr/local/etc/mpd/mpd.conf:
default:
load pptp0
load pptp1
load pptp2
load pptp3
load pptp4
load pptp5
load pptp6
load pptp7
load pptp8
load pptp9
load pptp10
load pptp11
load pptp12
load pptp13
load pptp14
load pptp15
load pptp16
load pptp17
load pptp18
load pptp19
load pptp20
load pptp21
load pptp22
load pptp23
load pptp24
load pptp25
load pptp26
load pptp27
load pptp28
load pptp29
load pptp30
load pptp31
load pptp32
load pptp33
load pptp34
load pptp35
load pptp36
load pptp37
load pptp38
load pptp39
load pptp40
load pptp41
load pptp42
load pptp43
load pptp44
load pptp45
load pptp46
load pptp47
load pptp48
load pptp49
load pptp50
load pptp51
load pptp52
load pptp53
load pptp54
load pptp55
load pptp56
load pptp57
load pptp58
load pptp59
load pptp60
load pptp61
load pptp62
load pptp63
load pptp64
load pptp65
load pptp66
load pptp67
load pptp68
load pptp69
load pptp70
load pptp71
load pptp72
load pptp73
load pptp74
load pptp75
load pptp76
load pptp77
load pptp78
load pptp79
load pptp80
load pptp81
load pptp82
load pptp83
load pptp84
load pptp85
load pptp86
load pptp87
load pptp88
load pptp89
load pptp90
load pptp91
load pptp92
load pptp93
load pptp94
load pptp95
load pptp96
load pptp97
load pptp98
load pptp99
pptp0:
new -i ng00 pptp0 pptp0
set ipcp ranges 10.1.4.1/32 10.1.5.1/32
load pptp_standart
pptp1:
new -i ng01 pptp1 pptp1
set ipcp ranges 10.1.4.1/32 10.1.5.2/32
load pptp_standart
pptp2:
new -i ng02 pptp2 pptp2
set ipcp ranges 10.1.4.1/32 10.1.5.3/32
load pptp_standart
pptp3:
new -i ng03 pptp3 pptp3
set ipcp ranges 10.1.4.1/32 10.1.5.4/32
load pptp_standart
pptp4:
new -i ng04 pptp4 pptp4
set ipcp ranges 10.1.4.1/32 10.1.5.5/32
load pptp_standart
pptp5:
new -i ng05 pptp5 pptp5
set ipcp ranges 10.1.4.1/32 10.1.5.6/32
load pptp_standart
pptp6:
new -i ng06 pptp6 pptp6
set ipcp ranges 10.1.4.1/32 10.1.5.7/32
load pptp_standart
pptp7:
new -i ng07 pptp7 pptp7
set ipcp ranges 10.1.4.1/32 10.1.5.8/32
load pptp_standart
pptp8:
new -i ng08 pptp8 pptp8
set ipcp ranges 10.1.4.1/32 10.1.5.9/32
load pptp_standart
pptp9:
new -i ng09 pptp9 pptp9
set ipcp ranges 10.1.4.1/32 10.1.5.10/32
load pptp_standart
pptp10:
new -i ng10 pptp10 pptp10
set ipcp ranges 10.1.4.1/32 10.1.5.11/32
load pptp_standart
pptp11:
new -i ng11 pptp11 pptp11
set ipcp ranges 10.1.4.1/32 10.1.5.12/32
load pptp_standart
pptp12:
new -i ng12 pptp12 pptp12
set ipcp ranges 10.1.4.1/32 10.1.5.13/32
load pptp_standart
pptp13:
new -i ng13 pptp13 pptp13
set ipcp ranges 10.1.4.1/32 10.1.5.14/32
load pptp_standart
pptp14:
new -i ng14 pptp14 pptp14
set ipcp ranges 10.1.4.1/32 10.1.5.15/32
load pptp_standart
pptp15:
new -i ng15 pptp15 pptp15
set ipcp ranges 10.1.4.1/32 10.1.5.16/32
load pptp_standart
pptp16:
new -i ng16 pptp16 pptp16
set ipcp ranges 10.1.4.1/32 10.1.5.17/32
load pptp_standart
pptp17:
new -i ng17 pptp17 pptp17
set ipcp ranges 10.1.4.1/32 10.1.5.18/32
load pptp_standart
pptp18:
new -i ng18 pptp18 pptp18
set ipcp ranges 10.1.4.1/32 10.1.5.19/32
load pptp_standart
pptp19:
new -i ng19 pptp19 pptp19
set ipcp ranges 10.1.4.1/32 10.1.5.20/32
load pptp_standart
pptp20:
new -i ng20 pptp20 pptp20
set ipcp ranges 10.1.4.1/32 10.1.5.21/32
load pptp_standart
pptp21:
new -i ng21 pptp21 pptp21
set ipcp ranges 10.1.4.1/32 10.1.5.22/32
load pptp_standart
pptp22:
new -i ng22 pptp22 pptp22
set ipcp ranges 10.1.4.1/32 10.1.5.23/32
load pptp_standart
pptp23:
new -i ng23 pptp23 pptp23
set ipcp ranges 10.1.4.1/32 10.1.5.24/32
load pptp_standart
pptp24:
new -i ng24 pptp24 pptp24
set ipcp ranges 10.1.4.1/32 10.1.5.25/32
load pptp_standart
pptp25:
new -i ng25 pptp25 pptp25
set ipcp ranges 10.1.4.1/32 10.1.5.26/32
load pptp_standart
pptp26:
new -i ng26 pptp26 pptp26
set ipcp ranges 10.1.4.1/32 10.1.5.27/32
load pptp_standart
pptp27:
new -i ng27 pptp27 pptp27
set ipcp ranges 10.1.4.1/32 10.1.5.28/32
load pptp_standart
pptp28:
new -i ng28 pptp28 pptp28
set ipcp ranges 10.1.4.1/32 10.1.5.29/32
load pptp_standart
pptp29:
new -i ng29 pptp29 pptp29
set ipcp ranges 10.1.4.1/32 10.1.5.30/32
load pptp_standart
pptp30:
new -i ng30 pptp30 pptp30
set ipcp ranges 10.1.4.1/32 10.1.5.31/32
load pptp_standart
pptp31:
new -i ng31 pptp31 pptp31
set ipcp ranges 10.1.4.1/32 10.1.5.32/32
load pptp_standart
pptp32:
new -i ng32 pptp32 pptp32
set ipcp ranges 10.1.4.1/32 10.1.5.33/32
load pptp_standart
pptp33:
new -i ng33 pptp33 pptp33
set ipcp ranges 10.1.4.1/32 10.1.5.34/32
load pptp_standart
pptp34:
new -i ng34 pptp34 pptp34
set ipcp ranges 10.1.4.1/32 10.1.5.35/32
load pptp_standart
pptp35:
new -i ng35 pptp35 pptp35
set ipcp ranges 10.1.4.1/32 10.1.5.36/32
load pptp_standart
pptp36:
new -i ng36 pptp36 pptp36
set ipcp ranges 10.1.4.1/32 10.1.5.37/32
load pptp_standart
pptp37:
new -i ng37 pptp37 pptp37
set ipcp ranges 10.1.4.1/32 10.1.5.38/32
load pptp_standart
pptp38:
new -i ng38 pptp38 pptp38
set ipcp ranges 10.1.4.1/32 10.1.5.39/32
load pptp_standart
pptp39:
new -i ng39 pptp39 pptp39
set ipcp ranges 10.1.4.1/32 10.1.5.40/32
load pptp_standart
pptp40:
new -i ng40 pptp40 pptp40
set ipcp ranges 10.1.4.1/32 10.1.5.41/32
load pptp_standart
pptp41:
new -i ng41 pptp41 pptp41
set ipcp ranges 10.1.4.1/32 10.1.5.42/32
load pptp_standart
pptp42:
new -i ng42 pptp42 pptp42
set ipcp ranges 10.1.4.1/32 10.1.5.43/32
load pptp_standart
pptp43:
new -i ng43 pptp43 pptp43
set ipcp ranges 10.1.4.1/32 10.1.5.44/32
load pptp_standart
pptp44:
new -i ng44 pptp44 pptp44
set ipcp ranges 10.1.4.1/32 10.1.5.45/32
load pptp_standart
pptp45:
new -i ng45 pptp45 pptp45
set ipcp ranges 10.1.4.1/32 10.1.5.46/32
load pptp_standart
pptp46:
new -i ng46 pptp46 pptp46
set ipcp ranges 10.1.4.1/32 10.1.5.47/32
load pptp_standart
pptp47:
new -i ng47 pptp47 pptp47
set ipcp ranges 10.1.4.1/32 10.1.5.48/32
load pptp_standart
pptp48:
new -i ng48 pptp48 pptp48
set ipcp ranges 10.1.4.1/32 10.1.5.49/32
load pptp_standart
pptp49:
new -i ng49 pptp49 pptp49
set ipcp ranges 10.1.4.1/32 10.1.5.50/32
load pptp_standart
pptp50:
new -i ng50 pptp50 pptp50
set ipcp ranges 10.1.4.1/32 10.1.5.51/32
load pptp_standart
pptp51:
new -i ng51 pptp51 pptp51
set ipcp ranges 10.1.4.1/32 10.1.5.52/32
load pptp_standart
pptp52:
new -i ng52 pptp52 pptp52
set ipcp ranges 10.1.4.1/32 10.1.5.53/32
load pptp_standart
pptp53:
new -i ng53 pptp53 pptp53
set ipcp ranges 10.1.4.1/32 10.1.5.54/32
load pptp_standart
pptp54:
new -i ng54 pptp54 pptp54
set ipcp ranges 10.1.4.1/32 10.1.5.55/32
load pptp_standart
pptp55:
new -i ng55 pptp55 pptp55
set ipcp ranges 10.1.4.1/32 10.1.5.56/32
load pptp_standart
pptp56:
new -i ng56 pptp56 pptp56
set ipcp ranges 10.1.4.1/32 10.1.5.57/32
load pptp_standart
pptp57:
new -i ng57 pptp57 pptp57
set ipcp ranges 10.1.4.1/32 10.1.5.58/32
load pptp_standart
pptp58:
new -i ng58 pptp58 pptp58
set ipcp ranges 10.1.4.1/32 10.1.5.59/32
load pptp_standart
pptp59:
new -i ng59 pptp59 pptp59
set ipcp ranges 10.1.4.1/32 10.1.5.60/32
load pptp_standart
pptp60:
new -i ng60 pptp60 pptp60
set ipcp ranges 10.1.4.1/32 10.1.5.61/32
load pptp_standart
pptp61:
new -i ng61 pptp61 pptp61
set ipcp ranges 10.1.4.1/32 10.1.5.62/32
load pptp_standart
pptp62:
new -i ng62 pptp62 pptp62
set ipcp ranges 10.1.4.1/32 10.1.5.63/32
load pptp_standart
pptp63:
new -i ng63 pptp63 pptp63
set ipcp ranges 10.1.4.1/32 10.1.5.64/32
load pptp_standart
pptp64:
new -i ng64 pptp64 pptp64
set ipcp ranges 10.1.4.1/32 10.1.5.65/32
load pptp_standart
pptp65:
new -i ng65 pptp65 pptp65
set ipcp ranges 10.1.4.1/32 10.1.5.66/32
load pptp_standart
pptp66:
new -i ng66 pptp66 pptp66
set ipcp ranges 10.1.4.1/32 10.1.5.67/32
load pptp_standart
pptp67:
new -i ng67 pptp67 pptp67
set ipcp ranges 10.1.4.1/32 10.1.5.68/32
load pptp_standart
pptp68:
new -i ng68 pptp68 pptp68
set ipcp ranges 10.1.4.1/32 10.1.5.69/32
load pptp_standart
pptp69:
new -i ng69 pptp69 pptp69
set ipcp ranges 10.1.4.1/32 10.1.5.70/32
load pptp_standart
pptp70:
new -i ng70 pptp70 pptp70
set ipcp ranges 10.1.4.1/32 10.1.5.71/32
load pptp_standart
pptp71:
new -i ng71 pptp71 pptp71
set ipcp ranges 10.1.4.1/32 10.1.5.72/32
load pptp_standart
pptp72:
new -i ng72 pptp72 pptp72
set ipcp ranges 10.1.4.1/32 10.1.5.73/32
load pptp_standart
pptp73:
new -i ng73 pptp73 pptp73
set ipcp ranges 10.1.4.1/32 10.1.5.74/32
load pptp_standart
pptp74:
new -i ng74 pptp74 pptp74
set ipcp ranges 10.1.4.1/32 10.1.5.75/32
load pptp_standart
pptp75:
new -i ng75 pptp75 pptp75
set ipcp ranges 10.1.4.1/32 10.1.5.76/32
load pptp_standart
pptp76:
new -i ng76 pptp76 pptp76
set ipcp ranges 10.1.4.1/32 10.1.5.77/32
load pptp_standart
pptp77:
new -i ng77 pptp77 pptp77
set ipcp ranges 10.1.4.1/32 10.1.5.78/32
load pptp_standart
pptp78:
new -i ng78 pptp78 pptp78
set ipcp ranges 10.1.4.1/32 10.1.5.79/32
load pptp_standart
pptp79:
new -i ng79 pptp79 pptp79
set ipcp ranges 10.1.4.1/32 10.1.5.80/32
load pptp_standart
pptp80:
new -i ng80 pptp80 pptp80
set ipcp ranges 10.1.4.1/32 10.1.5.81/32
load pptp_standart
pptp81:
new -i ng81 pptp81 pptp81
set ipcp ranges 10.1.4.1/32 10.1.5.82/32
load pptp_standart
pptp82:
new -i ng82 pptp82 pptp82
set ipcp ranges 10.1.4.1/32 10.1.5.83/32
load pptp_standart
pptp83:
new -i ng83 pptp83 pptp83
set ipcp ranges 10.1.4.1/32 10.1.5.84/32
load pptp_standart
pptp84:
new -i ng84 pptp84 pptp84
set ipcp ranges 10.1.4.1/32 10.1.5.85/32
load pptp_standart
pptp85:
new -i ng85 pptp85 pptp85
set ipcp ranges 10.1.4.1/32 10.1.5.86/32
load pptp_standart
pptp86:
new -i ng86 pptp86 pptp86
set ipcp ranges 10.1.4.1/32 10.1.5.87/32
load pptp_standart
pptp87:
new -i ng87 pptp87 pptp87
set ipcp ranges 10.1.4.1/32 10.1.5.88/32
load pptp_standart
pptp88:
new -i ng88 pptp88 pptp88
set ipcp ranges 10.1.4.1/32 10.1.5.89/32
load pptp_standart
pptp89:
new -i ng89 pptp89 pptp89
set ipcp ranges 10.1.4.1/32 10.1.5.90/32
load pptp_standart
pptp90:
new -i ng90 pptp90 pptp90
set ipcp ranges 10.1.4.1/32 10.1.5.91/32
load pptp_standart
pptp91:
new -i ng91 pptp91 pptp91
set ipcp ranges 10.1.4.1/32 10.1.5.92/32
load pptp_standart
pptp92:
new -i ng92 pptp92 pptp92
set ipcp ranges 10.1.4.1/32 10.1.5.93/32
load pptp_standart
pptp93:
new -i ng93 pptp93 pptp93
set ipcp ranges 10.1.4.1/32 10.1.5.94/32
load pptp_standart
pptp94:
new -i ng94 pptp94 pptp94
set ipcp ranges 10.1.4.1/32 10.1.5.95/32
load pptp_standart
pptp95:
new -i ng95 pptp95 pptp95
set ipcp ranges 10.1.4.1/32 10.1.5.96/32
load pptp_standart
pptp96:
new -i ng96 pptp96 pptp96
set ipcp ranges 10.1.4.1/32 10.1.5.97/32
load pptp_standart
pptp97:
new -i ng97 pptp97 pptp97
set ipcp ranges 10.1.4.1/32 10.1.5.98/32
load pptp_standart
pptp98:
new -i ng98 pptp98 pptp98
set ipcp ranges 10.1.4.1/32 10.1.5.99/32
load pptp_standart
pptp99:
new -i ng99 pptp99 pptp99
set ipcp ranges 10.1.4.1/32 10.1.5.100/32
load pptp_standart
pptp_standart:
set iface disable on-demand
set bundle enable multilink
set link yes acfcomp protocomp
#Требуем chap-аутентификации (pap отключаем)
set link no pap chap
set link enable chap
set link keep-alive 60 180
set ipcp yes vjcomp
#Устанавливаем DNS и Wins
set ipcp dns 10.1.1.1
#set ipcp nbns 10.1.1.1
#Включаем proxy-arp, чтобы компьютер "видел" без маршрутизации
#корпоративную сеть (по протоколу arp)
set iface enable proxy-arp
#Включаем компрессию данных
set bundle enable compression
#Включаем компрессию данных, совместимую с Microsoft-клиентами, должно быть вкомпилено в ядро
set ccp yes mppc
#Включаем шифрование, совместимое с Microsoft-клиентами, должно быть вкомпилено в ядро. 40- и 56-битные варианты (mpp-e40, mpp-e56) слабые, надежным считается только mpp-e128; обязательность шифрования для соединения задается строкой crypt-reqd ниже
set ccp yes mpp-e40
set ccp yes mpp-e56
set ccp yes mpp-e128
set ccp yes mpp-stateless
#set bundle yes crypt-reqd
#Задаем адрес для входящих соединений, если закомментирован - то mpd будет слушать все интерфейсы.
#set pptp self 192.168.1.221
#Разрешаем входящие соединения
set pptp enable incoming
set pptp disable originate
set iface mtu 1500
set link mtu 1500
# какой скрипт запускать при поднятии интерфейса
#set iface up-script /usr/local/traff/up.pl
# какой скрипт запускать при опускании интерфейса
#set iface down-script /usr/local/traff/down.pl
set radius server 10.1.1.1 test2 1812 1813
set radius timeout 10
set radius config /etc/radius.conf
set radius retries 3
#set bundle enable radius-acct
set bundle enable radius-auth
set ipcp yes radius-ip
Создаем /etc/radius.conf (в нем хранится общий секрет radius-сервера, поэтому права на чтение файла должны быть только у root):
acct 10.1.1.1 test2
auth 10.1.1.1 test2
Создаем файл /usr/local/etc/mpd/mpd.links:
pptp0:
set link type pptp
pptp1:
set link type pptp
pptp2:
set link type pptp
pptp3:
set link type pptp
pptp4:
set link type pptp
pptp5:
set link type pptp
pptp6:
set link type pptp
pptp7:
set link type pptp
pptp8:
set link type pptp
pptp9:
set link type pptp
pptp10:
set link type pptp
pptp11:
set link type pptp
pptp12:
set link type pptp
pptp13:
set link type pptp
pptp14:
set link type pptp
pptp15:
set link type pptp
pptp16:
set link type pptp
pptp17:
set link type pptp
pptp18:
set link type pptp
pptp19:
set link type pptp
pptp20:
set link type pptp
pptp21:
set link type pptp
pptp22:
set link type pptp
pptp23:
set link type pptp
pptp24:
set link type pptp
pptp25:
set link type pptp
pptp26:
set link type pptp
pptp27:
set link type pptp
pptp28:
set link type pptp
pptp29:
set link type pptp
pptp30:
set link type pptp
pptp31:
set link type pptp
pptp32:
set link type pptp
pptp33:
set link type pptp
pptp34:
set link type pptp
pptp35:
set link type pptp
pptp36:
set link type pptp
pptp37:
set link type pptp
pptp38:
set link type pptp
pptp39:
set link type pptp
pptp40:
set link type pptp
pptp41:
set link type pptp
pptp42:
set link type pptp
pptp43:
set link type pptp
pptp44:
set link type pptp
pptp45:
set link type pptp
pptp46:
set link type pptp
pptp47:
set link type pptp
pptp48:
set link type pptp
pptp49:
set link type pptp
pptp50:
set link type pptp
pptp51:
set link type pptp
pptp52:
set link type pptp
pptp53:
set link type pptp
pptp54:
set link type pptp
pptp55:
set link type pptp
pptp56:
set link type pptp
pptp57:
set link type pptp
pptp58:
set link type pptp
pptp59:
set link type pptp
pptp60:
set link type pptp
pptp61:
set link type pptp
pptp62:
set link type pptp
pptp63:
set link type pptp
pptp64:
set link type pptp
pptp65:
set link type pptp
pptp66:
set link type pptp
pptp67:
set link type pptp
pptp68:
set link type pptp
pptp69:
set link type pptp
pptp70:
set link type pptp
pptp71:
set link type pptp
pptp72:
set link type pptp
pptp73:
set link type pptp
pptp74:
set link type pptp
pptp75:
set link type pptp
pptp76:
set link type pptp
pptp77:
set link type pptp
pptp78:
set link type pptp
pptp79:
set link type pptp
pptp80:
set link type pptp
pptp81:
set link type pptp
pptp82:
set link type pptp
pptp83:
set link type pptp
pptp84:
set link type pptp
pptp85:
set link type pptp
pptp86:
set link type pptp
pptp87:
set link type pptp
pptp88:
set link type pptp
pptp89:
set link type pptp
pptp90:
set link type pptp
pptp91:
set link type pptp
pptp92:
set link type pptp
pptp93:
set link type pptp
pptp94:
set link type pptp
pptp95:
set link type pptp
pptp96:
set link type pptp
pptp97:
set link type pptp
pptp98:
set link type pptp
pptp99:
set link type pptp
Все, можно запускать mpd: /usr/local/sbin/mpd -b. Теперь mpd будет
принимать входящие VPN-соединения (PPTP, совместимо с MS WindowsTM)
Оригинал: http://www.malevanov.spb.ru/mpd
Ремарка:
Пробовал все это на RedHat9
PostgreSQL должен быть установлен вручную.
Не через RPM или в процессе установки ОС, а из дистрибутива путем компиляции. Иначе к нему Radius не пристыковывается, библиотек ему не хватает каких-то. Полдня въезжал.
Хотел бы сказать про базу.
Я настраивал на MySQL и вот тут ни слова нет что есть что в строке:
insert into radcheck(username, attribute, op, value) values('login', 'Password', ':=', 'password');
методом прочтения большого количества файлов узнал, что первый password означает, происходит или нет шифрование пароля, а вот второй - это сам пароль.
Но вообще дока хороша, но нет некоторых тонкостей. Например, описания IP-адресов: где какие и зачем.
>Я настраивал на MySQL и вот тут ни слова нет что есть
>что в строке:
>insert into radcheck(username, attribute, op, value) values('login', 'Password', ':=', 'password');
>методом прочтения большого количества файлов, узнал что первый password это означает что
>проиходит или нет шифрование пороля, а вот второй это сам пороль.
>
Советую Вам в следующий раз читать не большое количество файлов, а RFC 2138. Так вот, первый Password является именем атрибута, то, что следует за ним - это знак присваивания значения, которое уже и является паролем.
Использовал такую связку около полугода... возникла проблема: mpd теряет пакеты на слабых машинках... рекомендую вместо MPD перейти на PopTop, из портов собрать, да и настраивать не в пример легче в отличие от mpd.
Не получается завести mpd ПЛИЗЗ ХЕЛП
Не то, что Еще и радиус туда подрубить...
Сначала с Радиусом пытался
Сервер(Фря) 192.168.10.1
Клиент: 192.168.10.99
Может Я путаю set ipcp ranges?
Я посмотрел - и не понял, что Оно такое...
И еще mpd.secret - как правильно записывать?
root@freebsd# mpd4
Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 761, version 4.0b4 (root@freebsd 22:24 27-Mar-2006)
[pptp0] ppp node is "mpd761-pptp0"
tcpmss node is "mpd761-mss"
[pptp0] using interface ng0
mpd: bundle "pptp0" already exists
root@freebsd# cat /usr/local/etc/mpd4/mpd.conf|grep -v '#'
default:
load pptp0
load pptp1
pptp0:
new -i ng00 pptp0 pptp0
set ipcp ranges 192.168.10.1/24 192.168.11.1/32
load pptp_standart
pptp1:
new -i ng00 pptp0 pptp0
set ipcp ranges 192.168.10.1/24 192.168.11.99/32
load pptp_standart
pptp_standart:
set iface disable on-demand
set bundle enable multilink
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
set link keep-alive 60 180
set ipcp yes vjcomp
set ipcp dns 192.168.10.1
set iface enable proxy-arp
set pptp self 192.168.10.1
set pptp enable incoming
set pptp disable originate
set iface mtu 1500
set link mtu 1500
#ifconfig
ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> mtu 1500
cat /usr/local/etc/mpd4/mpd.links
pptp0:
set link type pptp
pptp1:
set link type pptp
Все оказалось легко - проблема в переносах и пробелах...
+неправильно кое-что прописал...
Вот привожу свои настройки:
Клиент:192.168.10.99
Сервер:192.168.10.1
# cat /usr/local/etc/mpd4/mpd.conf
default:
load pptp0
load pptp1
pptp0:
new -i ng00 pptp0 pptp0
set ipcp ranges 192.168.10.1/24 192.168.11.1/32
load pptp_standart
pptp1:
new -i ng00 pptp0 pptp0
set ipcp ranges 192.168.10.1/24 192.168.11.99/32
load pptp_standart
pptp_standart:
set iface disable on-demand
set bundle enable multilink
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
set link keep-alive 60 180
set ipcp yes vjcomp
set ipcp dns 192.168.10.1
set iface enable proxy-arp
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e40
set ccp yes mpp-e56
set ccp yes mpp-e128
set ccp yes mpp-stateless
set bundle yes crypt-reqd
set pptp enable incoming
set pptp disable originate
set iface mtu 1500
set link mtu 1500
# cat /usr/local/etc/mpd4/mpd.links
pptp0:
set link type pptp
pptp1:
set link type pptp