CentOS PPTP configuration: FreeRADIUS + daloRADIUS for advanced user control and traffic control

Source: Internet
Author: User
Tags: mysql, login, freeradius

Prerequisites: before reading this article you need a working PPTP server; if you have not set one up yet, see http://www.xj123.info/2301.html. If you also want to configure daloRADIUS you need a LAMP stack installed; see http://www.xj123.info/2223.html.

PPP (Point-to-Point Protocol) is a connection protocol that works at the data link layer. The common ADSL connection uses PPPoE, Point-to-Point Protocol over Ethernet. A VPN connection also uses PPP; on *nix systems this is handled by pppd, whose default method for user authentication is the chap-secrets file. After configuring FreeRADIUS, we hand user authentication over to the RADIUS server.

RADIUS (Remote Authentication Dial In User Service) is a remote user dial-up authentication service defined in RFC 2865 and RFC 2866. Its inner workings are fairly involved; reading those two RFCs carefully should make them clear. Put simply, it is a protocol that provides three services, authentication, authorization and accounting, hence the name AAA protocol. RADIUS runs at the application layer over UDP and is widely used by ISPs and enterprises to control access to the Internet, internal networks and wireless networks.

FreeRADIUS is software that implements the RADIUS protocol, released as open source under the GPLv2. It is currently the most widely deployed open-source RADIUS server.

daloRADIUS is a web management front end for FreeRADIUS, written in PHP.

Installation configuration

yum install freeradius2 freeradius2-mysql freeradius2-utils

Update 2014.12.10: the official yum repository no longer carries the packages named above; run the following command instead to install FreeRADIUS:

yum install freeradius freeradius-mysql freeradius-utils

After installation, edit /etc/raddb/users and add:

testing Cleartext-Password := "password"

Start RADIUS in debug mode with radiusd -X, then open a second terminal and run radtest testing password 127.0.0.1 0 testing123. If you see Access-Accept, all is well; if not, go back and check the configuration.
Once the test succeeds, you can delete the line you just added to users.

Download the PPP source code

wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gz
tar zxvf ppp-2.4.5.tar.gz
cp -r /root/ppp-2.4.5/pppd/plugins/radius/etc /usr/local/etc/radiusclient

Edit /usr/local/etc/radiusclient/servers and add a server/secret pair; in this example the secret is "laoxievpn":

localhost laoxievpn

Edit /usr/local/etc/radiusclient/dictionary

Change the last line to INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft, then add a line INCLUDE /usr/local/etc/radiusclient/dictionary.merit

Edit /etc/raddb/clients.conf

Change the secret under client localhost to the secret you just specified (laoxievpn).

Edit /etc/raddb/radiusd.conf: find $INCLUDE sql.conf and remove the leading #, then find $INCLUDE sql/mysql/counter.conf and remove its leading #.

Log in to MySQL and create the database:

CREATE DATABASE radius; FLUSH PRIVILEGES; EXIT;

Edit /etc/raddb/sql.conf and set the login (username), password and radius_db (database name) fields; then find the readclients line, set it to yes and remove the leading #.

Edit /etc/raddb/sites-enabled/default and comment or uncomment the corresponding lines as follows:

    • authorize section: comment out files, uncomment sql; unix can also be commented out
    • preacct section: comment out files
    • accounting section: uncomment sql; unix can also be commented out
    • session section: uncomment sql
    • post-auth section: uncomment sql
    • pre-proxy section: comment out files

At this point FreeRADIUS is configured to keep its data in the MySQL database. The tables themselves will be imported in one go later.

Configure daloRADIUS

wget http://sourceforge.net/projects/daloradius/files/daloradius/daloradius-0.9-8/daloradius-0.9-8.tar.gz
pear install DB
mkdir /usr/share/daloradius
tar zxvf daloradius-0.9-8.tar.gz
mv daloradius-0.9-8/* /usr/share/daloradius/
rm -r daloradius-0.9-8
Note that pear must be installed for this; if bash reports that the command is not found, search for how to install it.

Now import the database:

mysql -uroot -p radius < /usr/share/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

Edit /usr/share/daloradius/library/daloradius.conf.php to adjust the daloRADIUS configuration. First the MySQL login details:

$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_USER'] = 'radius';   // fill in according to your own setup
$configValues['CONFIG_DB_PASS'] = '';         // set your own password
$configValues['CONFIG_DB_NAME'] = 'radius';
The following is a daloRADIUS bug: the table name in the default configuration differs from the one we imported, so change it:
$configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';
Then set the daloRADIUS data path:
$configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/usr/share/daloradius/var';

Link the directory under the web root

cd /usr/local/apache/htdocs/
ln -s /usr/share/daloradius admin
The daloRADIUS admin page is then at http://ip/admin; log in with the default username administrator and password radius.

Restart the MySQL and Apache services

service httpd restart
service mysqld restart

daloRADIUS does not seem to be written very well; the latest stable release is three years old, although the author is still committing to SVN, so next time I may try the latest SVN version. Add a new user under Management, and make sure the password type selected is Cleartext-Password.

Start radiusd -X again in one terminal, and in another run radtest username password localhost 0 laoxievpn to check that authentication still works. If there is no problem, we can connect this system to PPP.

Configure pppd

Edit /etc/ppp/options.pptpd. It already contains many options; make sure the following lines are present and add any that are missing. To keep user logins secure we restrict authentication to MS-CHAPv2 only:

refuse-pap
refuse-chap
refuse-mschap
require-mppe-128
require-mschap-v2
Add these 3 lines at the end of the file:
plugin radius.so
plugin radattr.so
radius-config-file /usr/local/etc/radiusclient/radiusclient.conf
Traffic control

Insert the group entries

INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Auth-Type',':=','Local');
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Service-Type',':=','Framed-User');
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Framed-IP-Address',':=','255.255.255.255');
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Framed-IP-Netmask',':=','255.255.255.0');
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Acct-Interim-Interval',':=','600');
INSERT INTO radgroupreply (groupname,attribute,op,value) VALUES ('user','Max-Monthly-Traffic',':=','5368709120');
INSERT INTO radgroupcheck (groupname,attribute,op,value) VALUES ('user','Simultaneous-Use',':=','1');

The first four lines need no change. Acct-Interim-Interval is the interval (600 seconds) at which traffic is reported, i.e. current usage is recorded every 10 minutes. The second-to-last line is the monthly traffic limit, here 5 GB expressed in bytes (5368709120). The last line is the number of simultaneous connections allowed.

In daloRADIUS, add a new user under Management, with password type Cleartext-Password and user group user. Then test again:
radiusd -X
radtest username password localhost 0 laoxievpn
to see whether it still authenticates normally.

If the result contains Access-Accept, it succeeded; otherwise go back and check the settings.

If the test succeeds, add the check that compares the user's traffic against the limit at authentication time. Open /usr/local/etc/raddb/sites-enabled/default (the same default site file edited above), find the authorize section and insert:

update request {
    # the column after ORDER BY is cut off in the original; priority (a column of the imported radusergroup table) is assumed here
    Group-Name := "%{sql:SELECT groupname FROM radusergroup WHERE username='%{User-Name}' ORDER BY priority}"
}
# sum this month's closed sessions and reject when the sum has reached the group's Max-Monthly-Traffic
if ("%{sql:SELECT SUM(acctinputoctets+acctoutputoctets) FROM radacct WHERE username='%{User-Name}' AND DATE_FORMAT(acctstarttime,'%Y-%m-%d') >= DATE_FORMAT(NOW(),'%Y-%m-01') AND DATE_FORMAT(acctstoptime,'%Y-%m-%d') <= LAST_DAY(NOW())}" >= "%{sql:SELECT value FROM radgroupreply WHERE groupname='%{Group-Name}' AND attribute='Max-Monthly-Traffic'}") {
    reject
}
Start the service
service radiusd start
chkconfig radiusd on
chkconfig pptpd on

Update 2013.06.03: script to detect dropped connections automatically

#!/bin/bash
# Close radacct rows whose session silently disappeared: the last interim update
# (acctstarttime + acctsessiontime) is more than 240 seconds old and the row
# still has no stop time. DATE_ADD is used so the seconds are added as an
# interval rather than to the numeric form of the DATETIME.
mysql_pass=xxxxxxxxxx
/usr/local/mysql/bin/mysql -uroot -p"$mysql_pass" -e "UPDATE radius.radacct SET acctstoptime = DATE_ADD(acctstarttime, INTERVAL acctsessiontime SECOND) WHERE (UNIX_TIMESTAMP(acctstarttime) + acctsessiontime + 240 - UNIX_TIMESTAMP()) < 0 AND acctstoptime IS NULL;"
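As an added example (not from the original article), the following Python models the two SQL checks above, the monthly quota test in the authorize section and the stale-session cleanup script, over constructed radacct rows so it runs offline; the sample rows, the NOW timestamp and the helper names are assumptions, while the quota and grace values are the ones used on this page.

```python
from datetime import datetime, timedelta

MAX_MONTHLY_TRAFFIC = 5368709120  # Max-Monthly-Traffic value from radgroupreply (5 GiB)
STALE_GRACE_SECONDS = 240         # grace period used by the cleanup script
GiB = 2 ** 30
NOW = datetime(2013, 6, 3, 12, 0)  # constructed "current time" for the checks below

def row(user, start, stop, session, inp, out):
    """One constructed radacct row; stop=None stands for SQL NULL (session still open)."""
    return {"username": user, "acctstarttime": start, "acctstoptime": stop,
            "acctsessiontime": session, "acctinputoctets": inp, "acctoutputoctets": out}

RADACCT = [  # constructed sample data, not real accounting records
    row("alice", datetime(2013, 6, 1, 8, 0), datetime(2013, 6, 1, 9, 0), 3600, 3 * GiB, GiB),
    row("alice", datetime(2013, 6, 2, 8, 0), datetime(2013, 6, 2, 9, 0), 3600, GiB, GiB // 2),
    row("bob", datetime(2013, 6, 3, 8, 0), datetime(2013, 6, 3, 9, 0), 3600, GiB, 0),
    row("bob", datetime(2013, 6, 3, 10, 0), None, 600, GiB // 2, 0),  # open; last update 10:10
    row("dave", datetime(2013, 6, 3, 11, 55), None, 240, 0, 0),       # open; still fresh
    row("carol", datetime(2013, 5, 30, 8, 0), datetime(2013, 5, 30, 9, 0), 3600, 9 * GiB, 0),
]

def month_bounds(now):
    """Return [first day of now's month, first day of the next month)."""
    first = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    return first, (first + timedelta(days=32)).replace(day=1)

def month_octets(rows, username, now):
    """Mirror of the page's SUM(acctinputoctets+acctoutputoctets) query: only sessions that
    started this month and have already stopped count. An open session (NULL stop time)
    adds nothing until it closes, which is why the cleanup script matters for the quota."""
    first, nxt = month_bounds(now)
    return sum(r["acctinputoctets"] + r["acctoutputoctets"] for r in rows
               if r["username"] == username and first <= r["acctstarttime"]
               and r["acctstoptime"] is not None and r["acctstoptime"] < nxt)

def authorize(rows, username, now, quota=MAX_MONTHLY_TRAFFIC):
    """The unlang condition: reject when this month's usage has reached the group quota."""
    return "reject" if month_octets(rows, username, now) >= quota else "accept"

def stale_sessions(rows, now, grace=STALE_GRACE_SECONDS):
    """Rows the 2013.06.03 script would close: open sessions whose last interim update
    (acctstarttime + acctsessiontime) is more than `grace` seconds old.
    Returns (username, stop time the script would write) pairs."""
    stale = []
    for r in rows:
        if r["acctstoptime"] is None:
            last_update = r["acctstarttime"] + timedelta(seconds=r["acctsessiontime"])
            if last_update + timedelta(seconds=grace) < now:
                stale.append((r["username"], last_update))
    return stale
```

Calling authorize(RADACCT, "alice", NOW) gives "reject" (5.5 GiB of closed sessions this month), bob is accepted because his open session is not yet counted, and stale_sessions(RADACCT, NOW) returns only bob's open row with a stop time of 10:10.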

At this point, all the operations have been completed!

This article draws mainly on the following articles; thanks to their authors:

Configuring FreeRADIUS + daloRADIUS on a PPTP VPN server for user tracking and management
PPTP + FreeRADIUS + MySQL: building VPN authentication and traffic control
ARA (ASN RADIUS Admin), a FreeRADIUS management program: installation summary

Original address: http://www.xj123.info/2323.html

