PPTP+MPPE+RADIUS+MySQL

王朝mysql · Author: anonymous   2008-05-18
Requirements:

kernel sources (2.4.18 or later preferred): www.kernel.org
ppp sources from CVS or a recent snapshot: www.samba.org/ppp
FreeRADIUS 0.7.1 or later: www.freeradius.org
PoPToP 1.1.3: www.sourceforge.net/projects/poptop

Should be present in most distributions these days:

MySQL: www.mysql.com
openssl 0.9.6b or later: www.openssl.org

Caveats: MPPE encryption seems to be available only with MS-CHAP authentication, not with PAP or CHAP. This document assumes only MS-CHAP v2 is used, as version 1 is totally broken security-wise.

PPP and kernel:

Patch your kernel sources with the mppeinstall.sh script in linux/mppe/

Configure your kernel source for MPPE support (make menuconfig or your preferred way). The patch adds a new choice for an MPPE module under Network devices - PPP.

Compile and install your kernel and modules. I take it everybody knows how to do this and how to update their lilo/grub/whatever bootloader.

Double-check /etc/modules.conf for aliases to ppp_mppe and so on:

alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

Now is as good a time as any to reboot with your MPPE-enabled kernel. (Some docs tell you to install ppp before rebooting. Reason unknown; it shouldn't matter.)

Compile and install ppp. MPPE and ms-chapv2 support is compiled in by default.

PoPToP:

Compile and install. Nothing fancy needed, as it's pppd that does the magic.

PoPToP and pppd Configuration:

In my /etc/pptpd.conf I have:

localip some.ip.add.ress
option /etc/ppp/options.pptpd

The option line is just for clarity; the default is of course /etc/ppp/options. The clients get their remoteip from radius, so we don't need a remoteip line here, as any value would be overridden, but you could have one for clarity/confusion/easy testing without radius.

I only use mschap-v2, so my /etc/ppp/options.pptpd file is:

#-----------start----------
lock
#uncomment when testing:
#debug
name pptpd
proxyarp
asyncmap 0
-chap
-mschap
+mschap-v2
require-mppe
lcp-echo-failure 30
lcp-echo-interval 5
ipcp-accept-local
ipcp-accept-remote
ms-wins wins.server.ip.address
ms-dns dns.server.ip.address
plugin radius.so
#-----------end----------

Note: It might be "chapms" and not "mschap" as changes might be happening in the cvs.

The radius.so plugin uses the settings from radiusclient, so make sure /etc/radiusclient/servers contains the secret for your radius server(s), like:

localhost testing123

if the radius server is on localhost using the default FreeRADIUS secret (a bad idea, of course: use your own long random secret on both sides).

I think you must have the dictionary.microsoft file in /etc/radiusclient if you use MS-CHAP 1 or 2. It should be there by default.

Set authserver and acctserver in /etc/radiusclient/radiusclient.conf if your radius server is not on the same machine as your poptop. This file makes splitting authentication and accounting between two radius servers very easy. Make sure both servers (if different) are listed in /etc/radiusclient/servers.

Freeradius:

Compile and install. Also has all we need by default.

Freeradius configuration:

/etc/raddb/clients.conf: Should contain entries corresponding to the servers in /etc/radiusclient/servers for the client/NAS (our pptp server):

client 127.0.0.1 {
    secret = testing123
    shortname = localhost
}

/etc/raddb/radiusd.conf: These are the relevant parts of my radiusd.conf for authentication and accounting in MySQL. Thanks to Charles J. Boening (charlieb@cot.net) for this. Just remove the sql parts if you don't want them, and add the files or unix module or something instead.

#-----------start----------
modules {
    # You might have more here;
    # this is just the relevant part
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        # force 128bit:
        require_strong = yes
    }
}

authorize {
    preprocess
    suffix
    sql
    mschap
}

authenticate {
    mschap
}

preacct {
    preprocess
    suffix
    files
}

accounting {
    acct_unique
    detail
    sql
    # radutmp
}

session {
    sql
    # radutmp
}
#-----------end----------

Set the correct server, user and password in /etc/raddb/sql.conf.

MySQL:

MySQL configuration should be trivial, and basically consists of:

Create a database called for example "radius" in MySQL. Fill it with the tables from the schema found in /src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql:

mysql radius < /path/to/db_mysql.sql

Populate your tables with usernames, passwords, reply items and so on. Consult the radius docs for more info.
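An added example of the population step (not from the original post), assuming the radcheck/radreply tables from db_mysql.sql with the op column, which later versions of that schema have; the user name, password and address are constructed:

```sql
-- Added example, not the original post's code. Assumes the radcheck and
-- radreply tables from db_mysql.sql with the "op" column; if your copy of
-- the schema lacks it, drop that column from the statements below.
-- The user name, password and address are constructed sample values.

-- MS-CHAPv2 can only be verified against a recoverable form of the password
-- (the cleartext User-Password check item, or an NT-Password hash), so the
-- radius database holds password material and must be locked down accordingly.
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('vpnuser1', 'User-Password', '==', 'CorrectHorseBatteryStaple');

-- Reply items: this is where the client's remoteip comes from (which is why
-- pptpd.conf above has no remoteip line), plus the usual PPP framing items.
INSERT INTO radreply (UserName, Attribute, op, Value) VALUES
  ('vpnuser1', 'Framed-IP-Address', '=', '192.0.2.10'),
  ('vpnuser1', 'Framed-Protocol',   '=', 'PPP'),
  ('vpnuser1', 'Service-Type',      '=', 'Framed-User');

-- Sanity check before testing a connection: list users that have a password
-- check item but no address to hand back (the result should be empty).
SELECT c.UserName
  FROM radcheck c
  LEFT JOIN radreply r
    ON r.UserName = c.UserName AND r.Attribute = 'Framed-IP-Address'
 WHERE c.Attribute = 'User-Password' AND r.Value IS NULL;
```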

Windows clients: Remember, you need 128-bit encryption support. Win98/95 users need the dun14 update.

VPN connection properties: require encryption and allow the MS-CHAP v2 protocol.

Good luck.
