linuxpppoemysqlwebradius认证教学内容

1、Good is good, but better carries it.精益求精，善益求善。linuxpppoemysqlwebradius认证【原创】架设PPPOEServer及RadiusServer（OpenLDAP+Mysql）Normal0false7.8磅02falsefalsefalseEN-USZH-CNX-NONEMicrosoftInternetExplorer4ContentsPage目录TOCo1-3hzuHyperlink/u2/68952/showart_1777964.html#_Toc2190276591说明.PAGEREF_Toc219027659h2Hype

2、rlink/u2/68952/showart_1777964.html#_Toc2190276601.1所需软件及下载地址.PAGEREF_Toc219027660h2Hyperlink/u2/68952/showart_1777964.html#_Toc2190276611.2实现过程及功能特性.PAGEREF_Toc219027661h3Hyperlink/u2/68952/showart_1777964.html#_Toc2190276622架设服务器.PAGEREF_Toc219027662h4Hyperlink/u2/68952/showart_1777964.html#_Toc21

3、90276632.1准备工作编译内核.PAGEREF_Toc219027663h4Hyperlink/u2/68952/showart_1777964.html#_Toc2190276642.2架设PPPOE服务器.PAGEREF_Toc219027664h8Hyperlink/u2/68952/showart_1777964.html#_Toc2190276652.3架设Raius服务器并挂接PPPOE服务器.PAGEREF_Toc219027665h13Hyperlink/u2/68952/showart_1777964.html#_Toc2190276662.5挂接Radius与PPPO

4、E服务器.PAGEREF_Toc219027666h34Hyperlink/u2/68952/showart_1777964.html#_Toc2190276672.6架设OpenLDAP服务器并挂接Radius服务器.PAGEREF_Toc219027667h36Hyperlink/u2/68952/showart_1777964.html#_Toc2190276682.7实现Radius服务器的Web管理功能.PAGEREF_Toc219027668h39Hyperlink/u2/68952/showart_1777964.html#_Toc2190276692.8实现OpenLDAP服务

5、器的Web管理功能.PAGEREF_Toc219027669h511说明1.1所需软件及下载地址1.1.1HYPERLINK/CentOS5.2最稳定的linux服务器1.1.2HYPERLINK/linux-2.6.19.tar.gz2.6.19内核1.1.3HYPERLINKhttp:/isn.front.ru/files/patches/linux-2.6.19-mppe-mppc-1.3.patch.bz2内核的mppe-mppc补丁1.1.4HYPERLINK/ppp-2.4.3.tar.gzPPP主程序1.1.5HYPERLINKhttp:/mppe-mppc.alphacron.

6、de/ppp-2.4.3-mppe-mppc-1.1.patch.gzppp的mppe-mppc补丁1.1.6HYPERLINK/products/pppoerp-pppoe-3.10.tar.gzPPPOE主程序1.1.7HYPERLINK/freeradius-server-2.1.3.tarFreeRadius服务器主程序1.1.8HYPERLINK/downloads/mysql-5.0.67-linux-i686.tar.gzMySQL数据库主程序1.1.9HYPERLINK/downloads/MySQL-shared-compat-5.0.67-0.rhel5.i386.rpmM

7、ySQL共享库1.1.10HYPERLINK/freeradius-mysql-1.1.3-1.2.el5freeradius与MySQL链接程序1.1.11HYPERLINK/httpd-2.2.9.tar.gz最流行的web服务器1.1.12HYPERLINK/php-4.4.9.tar.gzPHP程序1.1.13HYPERLINK/en/ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz优化PHP程序代码的工具1.1.14HYPERLINK/home_page/index.phpphpMyAdmin-all-languages.tar.gzweb方

8、式管理mysql数据库的工具1.1.15HYPERLINK/database/berkeley-db.htmldb-4.2.52.tar.gz伯克利数据库openldap的后台数据库1.1.16HYPERLINK/gnu/gettext/gettext-0.17.tar.gz-OpenLDAP实现web管理方式的后台语言支持工具1.1.17HYPERLINK/openldap-2.4.11-stable-20080813.tgzOpenLDAP主程序1.1.18HYPERLINK/wiki/index.php/Main_Pagephpldapadmin-.tar.gzOpenLDAP的WEB访

9、问工具1.2实现过程及功能特性我们的试验网络拓扑如下图所示：首先编译内核，以加入对mppe和mppc的支持，然后架设PPPOE服务器，实现终结用户PPPOE拨号的功能，此时，对用户的验证以文本文件（存储在PPPOE程序组）的方式进行。然后架设Radius服务器，将用户的PPPOE拨号请求转送到Radius服务器进行验证。Radius服务器分别挂接OpenLDAP服务器和MySQL服务器，其中的OpenLDAP服务器实现对用户名、密码等信息的验证和属性返回，Mysql服务器实现对用户带宽、连接时间、产生流量等的记录和属性返回。最后实现Radius服务器、MySQL服务器、OpenLDAP服务器的

10、Web管理功能，从而能够批量产生用户，并方便管理用户（新建、删除、修改属性等）。通过以上步骤建立的一个服务器体系完全能够适应现代网络对拨号快速认证、属性返回等要求，达到物理服务器的水平，如RedbackSmartEdge、JuniperERX。但却拥有更高的性价比。同时Radius服务器和OpenLDAP服务器同现在各省市正在使用的服务器拥有相近的稳定性和性能，甚至有的省份只采用Radius来管理用户，并没有OpenLDAP服务器，如浙江省。具体步骤不再赘述，主要配置文件如下：1.rootmmmodules#cat/etc/ppp/optionslockcrtsctsnobsdcompnode

11、flatenopcomp#require-mppe#mppe-40#mppe-128#mppe-statelessplugin/etc/ppp/plugins/radius.soradius-config-file/etc/ppp/radius/radiusclient.conf2.rootmmmodules#cat/etc/ppp/pppoe-server-options#PPPoptionsforthePPPoEserver#LIC:GPL#require-pap#login#lcp-echo-interval10#lcp-echo-failure2#authrequire-chap#re

12、quire-mppedefault-mrudefault-asyncmaplcp-echo-interval60lcp-echo-failure5ms-dns5ms-dns7noipdefaultnoipxnodefaultroutenoproxyarpnoktune0:54netmask55logfile/var/log/pppd.log3.OpenLDAP的数据库设置如下：dn:cn=radius,ou=profils,dc=mm,dc=comobjectClass:radiusObjectProfileobjectClass:radiusprofilecn:radiusradiusGro

13、upName:radiusradiusServiceType:Framed-UserradiusFramedProtocol:pppradiusFramedIPAddress:1radiusFramedIPNetmask:uid:ldaptest1radiusFramedCompression:Van-Jacobsen-TCP-IPradiusFramedRouting:Broadcast-ListenradiusFramedMTU:1500radiusFilterId:std.pppuserPassword:ldaptest1radiusAuthType:chap4.然后在MYSQL中加入该

14、用户信息（ldaptest1），以便计费：mysqlinsertintoradcheck(username,attribute,op,value)values(ldaptest1,User-Password,=,ldaptest1);然后把用户加到组里：mysqlinsertintousergroup(username,groupname)values(ldaptest1,user);5.设置radius的ldap认证模块/usr/local/freeradius/etc/raddb/modules/ldap，修改如下：ldapserver=localhostidentity=cn=Manag

15、er,dc=mm,dc=compassword=testing123basedn=ou=profils,dc=mm,dc=comfilter=(uid=%Stripped-User-Name:-%User-Name)ldap_connections_number=5timeout=4timelimit=3net_timeout=1tlsstart_tls=nopassword_attribute=userPasswordedir_account_policy_check=noset_auth_type=yes6.修改/usr/local/freeradius/etc/raddb/sites-a

16、vailable/，来指定Radius认证方式，相应部分修改如下：authorizeldapauthenticateAuth-TypeLDAPldapaccountingsql其它的方式全部注释掉即可。通过以上配置，我们就完成了全部服务器的配置：#radiusd-X验证过程如下：（包括认证请求、计费开始请求、计费结束请求三个部分）rad_recv:Access-Requestpacketfromhostport32768,id=10,length=114Service-Type=Framed-UserFramed-Protocol=PPPUser-Name=ldaptest1CHAP-Chal

17、lenge=0 x7abcb9ac6f368f318969c7351fbdb7b615a49eCHAP-Password=0 x242e7e2035dad2d954264e4eef46c00047Calling-Station-Id=00:1C:C4:CD:68:06NAS-IP-Address=NAS-Port=0+-enteringgroupauthorize.+preprocessreturnsokchapSettingAuth-Type:=CHAP+chapreturnsok+mschapreturnsnoopldapperforminguserauthorizationforldap

18、test1ldapWARNING:Deprecatedconditionalexpansion:-.Seemanunlangfordetailsldapexpand:(uid=%Stripped-User-Name:-%User-Name)-(uid=ldaptest1)ldapexpand:ou=profils,dc=mm,dc=com-ou=profils,dc=mm,dc=comrlm_ldap:ldap_get_conn:CheckingId:0rlm_ldap:ldap_get_conn:GotId:0rlm_ldap:performingsearchinou=profils,dc=

19、mm,dc=com,withfilter(uid=ldaptest1)ldapAddedUser-Password=ldaptest1incheckitemsldaplookingforcheckitemsindirectory.rlm_ldap:userPassword-Cleartext-Password=ldaptest1rlm_ldap:radiusAuthType-Auth-Type=CHAPldaplookingforreplyitemsindirectory.rlm_ldap:radiusFramedCompression-Framed-Compression=Van-Jacob

20、son-TCP-IPrlm_ldap:radiusFramedMTU-Framed-MTU=1500rlm_ldap:radiusFilterId-Filter-Id=std.ppprlm_ldap:radiusFramedRouting-Framed-Routing=Broadcast-Listenrlm_ldap:radiusFramedIPNetmask-Framed-IP-Netmask=rlm_ldap:radiusFramedIPAddress-Framed-IP-Address=1rlm_ldap:radiusFramedProtocol-Framed-Protocol=PPPr

21、lm_ldap:radiusServiceType-Service-Type=Framed-Userldapuserldaptest1authorizedtouseremoteaccessrlm_ldap:ldap_release_conn:ReleaseId:0+ldapreturnsok+expirationreturnsnoop+logintimereturnsnooppapFoundexistingAuth-Type,notchangingit.+papreturnsnoopFoundAuth-Type=CHAP+-enteringgroupCHAP.chaploginattemptb

22、yldaptest1withCHAPpasswordchapUsingcleartextpasswordldaptest1foruserldaptest1authentication.chapchapuserldaptest1authenticatedsuccesfully+chapreturnsok+-enteringgrouppost-auth.+execreturnsnoopSendingAccess-Acceptofid10toport32768Framed-Compression=Van-Jacobson-TCP-IPFramed-MTU=1500Filter-Id=std.pppF

23、ramed-Routing=Broadcast-ListenFramed-IP-Netmask=Framed-IP-Address=1Framed-Protocol=PPPService-Type=Framed-UserFinishedrequest3.GoingtothenextrequestWakingupin4.9seconds.rad_recv:Accounting-Requestpacketfromhostport32768,id=11,length=120Acct-Session-Id=49631DF90A6E00User-Name=ldaptest1Acct-Status-Typ

24、e=StartService-Type=Framed-UserFramed-Protocol=PPPCalling-Station-Id=00:1C:C4:CD:68:06Acct-Authentic=RADIUSNAS-Port-Type=AsyncFramed-IP-Address=1NAS-IP-Address=NAS-Port=0Acct-Delay-Time=0+-enteringgrouppreacct.+preprocessreturnsokacct_uniqueHashingNAS-Port=0,Client-IP-Address=,NAS-IP-Address=,Acct-S

25、ession-Id=49631DF90A6E00,User-Name=ldaptest1acct_uniqueAcct-Unique-Session-ID=b4f40c620cbc699b.+acct_uniquereturnsoksuffixNoinUser-Name=ldaptest1,lookinguprealmNULLsuffixNosuchrealmNULL+suffixreturnsnoop+filesreturnsnoop+-enteringgroupaccounting.detailexpand:/usr/local/freeradius/var/log/radius/rada

26、cct/%Client-IP-Address/detail-%Y%m%d-/usr/local/freeradius/var/log/radius/radacct/detail-20090106detail/usr/local/freeradius/var/log/radius/radacct/%Client-IP-Address/detail-%Y%m%dexpandsto/usr/local/freeradius/var/log/radius/radacct/detail-20090106detailexpand:%t-TueJan617:01:452009+detailreturnsok

27、+unixreturnsokradutmpexpand:/usr/local/freeradius/var/log/radius/radutmp-/usr/local/freeradius/var/log/radius/radutmpradutmpexpand:%User-Name-ldaptest1+radutmpreturnsoksqlexpand:%User-Name-ldaptest1sqlsql_set_userescapeduser-ldaptest1sqlexpand:%Acct-Delay-Time-0sqlexpand:INSERTINTOradacct(acctsessio

28、nid,acctuniqueid,username,realm,nasipaddress,nasportid,nasporttype,acctstarttime,acctstoptime,acctsessiontime,acctauthentic,connectinfo_start,connectinfo_stop,acctinputoctets,acctoutputoctets,calledstationid,callingstationid,acctterminatecause,servicetype,framedprotocol,framedipaddress,acctstartdela

29、y,acctstopdelay,xascendsessionsvrkey)VALUES(%Acct-Session-Id,%Acct-Unique-Session-Id,%SQL-User-Name,%Realm,%NAS-IP-Address,%NAS-Port,%NAS-Port-Type,%S,NULL,0,%Acct-Authentic,%Connect-Info,0,0,%Called-Station-Id,%Calling-Station-Id,%Service-Type,%Framed-Protocol,%Framed-IP-Address,rlm_sql(sql):Reserv

30、ingsqlsocketid:2rlm_sql_mysql:MYSQLcheck_error:1054receivedsqlCouldntinsertSQLaccountingSTARTrecord-Unknowncolumnxascendsessionsvrkeyinfieldlistsqlexpand:%Acct-Delay-Time-0sqlexpand:UPDATEradacctSETacctstarttime=%S,acctstartdelay=%Acct-Delay-Time:-0,connectinfo_start=%Connect-InfoWHEREacctsessionid=

31、%Acct-Session-IdANDusername=%SQL-User-NameANDnasipaddress=%NAS-IP-Address-UPDATEradacctSETacctstarttime=2009-01-0617:01:45,acctstartdelay=0,connectinfo_start=WHEREacctsessionid=49631DF90A6E00ANDusername=ldaptest1ANDnasipaddress=rlm_sql(sql):Releasedsqlsocketid:2+sqlreturnsokattr_filter.accounting_re

32、sponseexpand:%User-Name-ldaptest1attr_filter:MatchedentryDEFAULTatline12+attr_filter.accounting_responsereturnsupdatedSendingAccounting-Responseofid11toport32768Finishedrequest4.Cleaninguprequest4ID11withtimestamp+224GoingtothenextrequestWakingupin4.9seconds.rad_recv:Accounting-Requestpacketfromhost

33、port32768,id=12,length=156Acct-Session-Id=49631DF90A6E00User-Name=ldaptest1Acct-Status-Type=StopService-Type=Framed-UserFramed-Protocol=PPPAcct-Authentic=RADIUSAcct-Session-Time=3Acct-Output-Octets=0Acct-Input-Octets=56882Acct-Output-Packets=0Acct-Input-Packets=233Calling-Station-Id=00:1C:C4:CD:68:0

34、6NAS-Port-Type=AsyncAcct-Terminate-Cause=User-RequestFramed-IP-Address=1NAS-IP-Address=NAS-Port=0Acct-Delay-Time=0+-enteringgrouppreacct.+preprocessreturnsokacct_uniqueHashingNAS-Port=0,Client-IP-Address=,NAS-IP-Address=,Acct-Session-Id=49631DF90A6E00,User-Name=ldaptest1acct_uniqueAcct-Unique-Sessio

35、n-ID=b4f40c620cbc699b.+acct_uniquereturnsoksuffixNoinUser-Name=ldaptest1,lookinguprealmNULLsuffixNosuchrealmNULL+suffixreturnsnoop+filesreturnsnoop+-enteringgroupaccounting.detailexpand:/usr/local/freeradius/var/log/radius/radacct/%Client-IP-Address/detail-%Y%m%d-/usr/local/freeradius/var/log/radius

36、/radacct/detail-20090106detail/usr/local/freeradius/var/log/radius/radacct/%Client-IP-Address/detail-%Y%m%dexpandsto/usr/local/freeradius/var/log/radius/radacct/detail-20090106detailexpand:%t-TueJan617:01:482009+detailreturnsok+unixreturnsokradutmpexpand:/usr/local/freeradius/var/log/radius/radutmp-

37、/usr/local/freeradius/var/log/radius/radutmpradutmpexpand:%User-Name-ldaptest1+radutmpreturnsoksqlexpand:%User-Name-ldaptest1sqlsql_set_userescapeduser-ldaptest1sqlexpand:%Acct-Input-Gigawords-sqlexpand:%Acct-Input-Octets-56882sqlexpand:%Acct-Output-Gigawords-sqlexpand:%Acct-Output-Octets-0sqlexpand

38、:%Acct-Delay-Time-0sqlexpand:UPDATEradacctSETacctstoptime=%S,acctsessiontime=%Acct-Session-Time,acctinputoctets=%Acct-Input-Gigawords:-032|%Acct-Input-Octets:-0,acctoutputoctets=%Acct-Output-Gigawords:-0UPDATEradacctSETacctstoptime=2009-01-0617:01:48,acctsessiontime=3,acctinputoctets=032|56882,accto

39、utputoctets=03sqlexpand:%Acct-Delay-Time-0sqlexpand:%Acct-Input-Gigawords-sqlexpand:%Acct-Input-Octets-56882sqlexpand:%Acct-Output-Gigawords-sqlexpand:%Acct-Output-Octets-0sqlexpand:%Acct-Delay-Time-0sqlexpand:INSERTINTOradacct(acctsessionid,acctuniqueid,username,realm,nasipaddress,nasportid,nasporttype,acctstarttime,acctstoptime,acctsessiontime,acctauthentic,connectinfo_start,connectinfo_stop,a