2025-01-16 update. From: SLTechnology News&Howtos (Servers)
Shulou (Shulou.com) 05/31 report
This article walks through building a PPPoE access server on RHEL5U4 that authenticates dial-in users through FreeRADIUS. The title also names MySQL; the steps below install the freeradius-mysql package but stop at the flat /etc/raddb/users file, so MySQL is not yet used as the user store. It is written for readers who have not set this up before.
Software requirements:
Shipped with Red Hat: rp-pppoe, ppp, freeradius, freeradius-mysql, mysql, mysql-devel, mysql-server, openssl.
Also required: the freeradius-2.1.3 and ppp-2.4.4 source tarballs.
Note that freeradius needs the openssl library, so install it first if it is not already on the system.
Part one: set up a simple PPPoE dial-in service
Check whether rp-pppoe and ppp are installed:
# rpm -q rp-pppoe ppp
If they are installed, rpm prints the package names; otherwise install the RPMs from the installation media.
Configure /etc/ppp/options (pppd option names are lower case and case-sensitive):
lock
crtscts
nobsdcomp
nodeflate
nopcomp
Then configure /etc/ppp/pppoe-server-options with the following content:
# PPP options for the PPPoE server
# LIC: GPL
auth
require-chap
default-mru
default-asyncmap
lcp-echo-interval 60
lcp-echo-failure 5
ms-dns 202.106.0.20
noipdefault
noipx
nodefaultroute
proxyarp
noktune
logfile /var/log/pppd.log
The options are not explained here; see man pppd. At this stage pppoe-server takes the usernames and passwords it verifies from /etc/ppp/chap-secrets. That file holds the passwords in cleartext, so keep it owned by root with mode 600 (pppd warns when it is group- or world-readable). Its format is:
# Secrets for authentication using CHAP
# client	server	secret	IP addresses
aaa	*	aaa	*
To add more users, add one line per user.
Then start the PPPoE service:
# pppoe-server -I eth2 -L 10.0.0.64 -R 192.168.0.5 -N 10
The parameters mean:
-I: the interface on which to answer PPPoE discovery requests, eth2 in this example.
-L: the local IP address of the PPPoE server, i.e. the server end of every PPP link, 10.0.0.64 here.
-R: the first address of the pool handed out to clients, 192.168.0.5 here.
-N: the maximum number of concurrent sessions. Each session receives the next address after the -R start address, so -N also bounds the pool: with 10, clients get 192.168.0.5 through 192.168.0.14.
With the steps above completed on the Linux host the PPPoE service is ready; a client that dials it should connect successfully.
The client still cannot reach the Internet, because NAT has not been enabled on the PPPoE server yet. We do it with iptables; a script like the following works:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o wan -j SNAT --to 10.0.0.65
The first line enables IP forwarding; the second adds the iptables NAT rule. The parameters:
-t nat: operate on the nat table.
-s 192.168.0.0/24: match packets whose source address lies in the 192.168.0.0/24 client network.
-o wan: only translate packets leaving through the external interface, called wan in this example.
-j SNAT --to 10.0.0.65: rewrite the source address of those packets to the public address 10.0.0.65.
With NAT in place the PPPoE server is complete: clients can dial in and, once connected, reach the Internet.
Note: on RHEL5 through RHEL5U2 the pppoe-server shipped with Red Hat conflicts with the system syslog service; stopping syslog lets pppoe-server run normally.
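The following helpers are an added example, not code from the article: they compute the address pool that the -R/-N pair above produces, check that chap-secrets is not readable by anyone but root and that every entry has a secret, and print a NAT rule set that goes beyond the article's single SNAT line by restricting forwarding to traffic from PPP sessions towards the WAN interface. It assumes a POSIX sh with a standard ls; the interface name "wan" and the addresses in the usage lines are the article's placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: helpers for part one.
# Assumes a POSIX sh and a standard ls; "wan", 192.168.0.0/24 and 10.0.0.65 are
# the article's placeholder values, not real ones.

# ip_to_int A.B.C.D -> 32-bit integer, so pool addresses can be computed.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# int_to_ip INTEGER -> dotted quad.
int_to_ip() {
    n=$1
    echo "$(( n / 16777216 % 256 )).$(( n / 65536 % 256 )).$(( n / 256 % 256 )).$(( n % 256 ))"
}

# pool_range START N: the addresses "pppoe-server -R START -N N" hands out.
# Session k (counting from 0) receives START+k, so -N bounds the pool size.
pool_range() {
    first=$(ip_to_int "$1")
    last=$(( first + $2 - 1 ))
    echo "$1-$(int_to_ip "$last")"
}

# check_chap_secrets FILE: chap-secrets holds cleartext passwords, so it must not
# be readable by group or others, and every entry needs client, server and secret.
check_chap_secrets() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)      # group and other permission bits
    if [ "$perms" != "------" ]; then
        echo "$f: group/other permissions are '$perms', expected none (chmod 600)"
        return 1
    fi
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' |
    while read -r client server secret rest; do
        if [ -z "$secret" ]; then
            echo "$f: entry for '$client' has no secret"
            exit 1                         # leaves the pipeline subshell with status 1
        fi
    done
}

# nat_rules LAN_CIDR WAN_IF PUBLIC_IP: prints the commands instead of running
# them so they can be reviewed first ("nat_rules ... | sh" applies them as root).
# Beyond the article's single SNAT line, forwarding is limited to traffic that
# arrives from PPP sessions and leaves via the WAN interface, plus replies.
nat_rules() {
    lan=$1; wan=$2; pub=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $lan -o $wan -j SNAT --to-source $pub
iptables -P FORWARD DROP
iptables -A FORWARD -i ppp+ -o $wan -s $lan -j ACCEPT
iptables -A FORWARD -i $wan -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage with the article's values:
pool_range 192.168.0.5 10            # 192.168.0.5-192.168.0.14
nat_rules 192.168.0.0/24 wan 10.0.0.65
```

Run check_chap_secrets /etc/ppp/chap-secrets on the server before starting pppoe-server; the FORWARD rules keep a dialled-in client from using the box to reach anything but the WAN side.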
Part 2: make the PPPoE service authenticate through the FreeRADIUS server
1) First edit /etc/ppp/pppoe-server-options and add the two plugin lines:
# PPP options for the PPPoE server
# LIC: GPL
auth
require-chap
default-mru
default-asyncmap
lcp-echo-interval 60
lcp-echo-failure 5
ms-dns 202.106.0.20
noipdefault
noipx
nodefaultroute
proxyarp
noktune
plugin /usr/lib/pppd/2.4.4/radius.so
radius-config-file /etc/ppp/radius/radiusclient.conf
logfile /var/log/pppd.log
These lines load pppd's radius plugin at run time, so the PPPoE service authenticates and accounts through FreeRADIUS. The plugin needs a radiusclient-style configuration, which Red Hat does not ship, so create /etc/ppp/radius/ and copy the template files from the ppp source tree:
# wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.4.tar.gz
# tar xvfz ppp-2.4.4.tar.gz
# mkdir -p /etc/ppp/radius
# cd ppp-2.4.4/pppd/plugins/radius/etc/
# cp * /etc/ppp/radius/
2) That directory now holds all the configuration files we need; the most important is /etc/ppp/radius/radiusclient.conf. Its content, with comments stripped, is:
auth_order	radius
login_tries	4
login_timeout	60
nologin	/etc/nologin
issue	/etc/ppp/radius/issue
authserver	localhost:1812
acctserver	localhost:1813
servers	/etc/ppp/radius/servers
dictionary	/etc/ppp/radius/dictionary
login_radius	/usr/local/sbin/login.radius
seqfile	/var/run/radius.seq
mapfile	/etc/ppp/radius/port-id-map
default_realm
radius_timeout	10
radius_retries	3
login_local	/bin/login
3) Also edit the servers file in this directory, which lists the RADIUS server host name and the shared secret the client uses for it (the same secret must be configured on the FreeRADIUS side).
Edit /etc/ppp/radius/servers to point at the RADIUS server:
# 123 is the secret I set earlier for this NAS (localhost) to access the RADIUS server
localhost	123
The secret is stored in cleartext, so restrict this file to root (mode 600). It is also what protects the RADIUS exchange between NAS and server, so a short value like 123 is only acceptable for this test setup; use a long random secret in production.
4) Edit /etc/ppp/radius/dictionary and fix the path settings, mainly the INCLUDE of dictionary.microsoft at the end:
INCLUDE	/etc/ppp/radius/dictionary.microsoft
# INCLUDE	/etc/ppp/radius/dictionary.ascend
# INCLUDE	/etc/ppp/radius/dictionary.merit
# INCLUDE	/etc/ppp/radius/dictionary.compat
5) The PPPoE service can now authenticate through RADIUS. Next, configure FreeRADIUS.
First check that it is installed:
# rpm -q freeradius freeradius-mysql
The freeradius-mysql package lets FreeRADIUS connect to the MySQL database; it is not needed for this part.
First open /etc/raddb/clients.conf to configure which NAS clients may talk to the server. The content is:
client 127.0.0.1 {
	secret = 123
	shortname = localhost
	nastype = other
}
This allows a client at 127.0.0.1 to send requests to the RADIUS service with the shared secret 123, the same value entered in the servers file above. To accept requests from another machine, add a client block for its address (the comments in the file explain the options) and give each NAS its own secret.
6) Then configure the naslist file:
# NAS Name		Short Name	Type
# ----------------	----------	----------
# portmaster1.isp.com	pm1.NY		livingston
# portmaster2.isp.com	pm1.LA		livingston
localhost		local		portslave
This file records which NAS devices are accounted for through RADIUS; only localhost is listed for now.
7) The main configuration file is radiusd.conf; it needs no changes at present, and its comments explain the options. It selects the default authentication and accounting methods. For now we use the local file method, i.e. /etc/raddb/users, and add the user that the PPPoE service will authenticate (the user name must start in the first column, with no leading space; reply items are indented and separated by commas):
aaa	Auth-Type := Local, Simultaneous-Use := 1, User-Password == "aaa"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 192.168.0.8,
	Framed-IP-Netmask = 255.255.255.255
Simultaneous-Use := 1 limits each user to one concurrent login; it is enforced from the session table that accounting packets populate, so it only works while the NAS sends accounting, which the radius plugin does. All attributes are documented in the FreeRADIUS source. Put user entries before the DEFAULT entries in the file, otherwise they may not take effect. On FreeRADIUS 2.x the preferred form of the check items is Cleartext-Password := "aaa" with no Auth-Type; either way the server must hold the cleartext password, because CHAP cannot be verified against a hashed one.
8) So that FreeRADIUS can load the MySQL libraries, add their location to the loader path:
echo /usr/lib >> /etc/ld.so.conf
ldconfig
(/usr/lib is searched by the loader by default, so this only matters if the libraries were installed elsewhere.)
9) With everything configured, run radiusd in debugging mode, start pppoe-server, and dial in from a client to verify that the PPPoE service authenticates the user through FreeRADIUS. Once that works this part is complete, and the RADIUS service can be started normally with service radiusd restart.
# radiusd -X
# radtest aaa aaa localhost 0 123
An Access-Accept in the output means the server accepts the user. radtest defaults to PAP; since the PPPoE server requires CHAP, also run radtest -t chap aaa aaa localhost 0 123 (the -t option exists in FreeRADIUS 2.x). When both pass, start radiusd normally.
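The checks below are an added example, not code from the article: they cover the two mistakes that most often turn step 9 into a silent Access-Reject, a shared secret that differs between /etc/ppp/radius/servers and /etc/raddb/clients.conf (steps 3 and 5), and a user entry placed after DEFAULT in /etc/raddb/users (step 7), and they wrap radtest so that both PAP and CHAP are tried. All paths are parameters so the checks can run against copies; the usage lines use the article's locations, and radius_smoke_test assumes a radtest that accepts -t (FreeRADIUS 2.x).

```shell
#!/bin/sh
# Added example, not part of the original article: consistency checks for part two.
# Paths are parameters; the usage lines at the end use the article's locations.
# radius_smoke_test assumes radtest understands -t (FreeRADIUS 2.x).

# client_secret CLIENTS_CONF NAME: the "secret = ..." value in "client NAME { ... }".
client_secret() {
    awk -v name="$2" '
        $1 == "client" && $2 == name { inblock = 1; next }
        inblock && $1 ~ /^secret/ {
            line = $0
            sub(/^[ \t]*secret[ \t]*=[ \t]*/, "", line)
            gsub(/"/, "", line)            # secret = "abc" and secret = abc both work
            print line; exit
        }
        inblock && $1 == "}" { inblock = 0 }
    ' "$1"
}

# servers_secret SERVERS_FILE HOST: the secret the pppd radius plugin sends to HOST.
servers_secret() {
    awk -v host="$2" '/^[ \t]*#/ { next } $1 == host { print $2; exit }' "$1"
}

# check_secret_match SERVERS_FILE HOST CLIENTS_CONF CLIENT: both sides must hold the
# same secret, otherwise radiusd rejects or silently drops every request.
check_secret_match() {
    a=$(servers_secret "$1" "$2")
    b=$(client_secret "$3" "$4")
    if [ -z "$a" ] || [ "$a" != "$b" ]; then
        echo "secret for $2 in $1 does not match client $4 in $3"
        return 1
    fi
}

# check_users_order USERS_FILE: user entries after a DEFAULT entry may never be
# reached (the article's note in step 7); report each user line that follows one.
# Continuation (reply-item) lines start with whitespace and are skipped.
check_users_order() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^DEFAULT[ \t]/ { seen = 1; next }
        /^[^ \t]/ && seen { print "user entry after DEFAULT: " $1; bad = 1 }
        END { exit bad }
    ' "$1"
}

# radius_smoke_test USER PASS SERVER SECRET: try PAP and then CHAP, because the PPPoE
# server runs with require-chap; an entry that only works for PAP passes the
# article's plain radtest and still fails real dial-ins.
radius_smoke_test() {
    for t in pap chap; do
        if ! radtest -t "$t" "$1" "$2" "$3" 0 "$4" | grep -q Access-Accept; then
            echo "$t authentication for $1 failed"
            return 1
        fi
    done
}

# Usage with the article's files (run as root on the server):
#   check_secret_match /etc/ppp/radius/servers localhost /etc/raddb/clients.conf 127.0.0.1
#   check_users_order /etc/raddb/users
#   radius_smoke_test aaa aaa localhost 123
```

Run the two file checks before radiusd -X; a non-zero exit and the printed message point at the file to fix, which is faster than reading the debug output of a rejected request.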