VipiEn ples Radiyus alias radi jayus hihihi...

| Thursday, June 07, 2007

Instalasi Mysql
Set password

shell> mysql --user=root mysql
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('');
mysql> flush privileges;
mysql> quit;2.3-

Buat database
mysqladmin --user=root -p create radius

Buat user mengakses database radius
shell> mysql --user=root -p mysql
mysql> GRANT ALL ON ftp.* TO radius@localhost IDENTIFIED BY '';
mysql> flush privileges;
mysql> quit;


shell> gunzip /usr/share/doc/freeradius/examples/db_mysql.sql.gz
shell> mysql --user=radius -p radius < /usr/share/doc/freeradius/examples/db_mysql.sql

shell> gunzip /usr/share/doc/freeradius/examples/mysql.sql.gz
shell> mysql --user=radius -p radius < /usr/share/doc/freeradius/examples/mysql.sql



The data base is made up of 8 tables making it possible to define: rights of each user drooits of each groups

The table: nas
Cetta table contains same information as the /etc/freeradius/clients.conf file. It makes it possible to add NAS.
key value
nasname 127.0.0.1
shortname nas1
type other
ports
secret mySecret
community public
description NAS1 for the tests

The table: radacct This table contains all information of connection, disconnection, etc… It is a table which you accederer in reading primarily. No parameter to be carried out in this table.

The table: radcheck This table contains information to be checked at the time of the authentification. Primarily it will contain login/password.
key value
UserName yoann
Attribute User-Password
op ==
Value test

This table functions like the table radcheck, but with a concept of group. (It allows for example checked that the users of group PPTP have well the value “1” (PPP) for the Framed-Protocol key, value 2 would have been for SLIPWAY)
key value
GroupName PPTP
Attribute Framed-Protocol
op ==
Value 1

The table: radreply This table contains the parameters returned with the customers after an authentification succeeded. (It makes it possible for example to allot an address IP specific to a user.)
key value
UserName yoann
Attribute Framed-IP-Address
op :=
Value 192.168.40.101

The table: radgroupreply This table functions like the table radreply, but with a concept of group. (It makes it possible for example to allot the IP of a waiter DNS has all the users of group PPTP)
key value
GroupName PPTP
Attribute MS-Primary-DNS-Server
op :=
Value 192.168.40.1

The table: usergroup This table definite the membership of a user has a group. It is indeed possible to define duties applicable to a user group.
key value
UserName yoann
GroupName PPTP
priority 1

The table: radpostauth To define…

KONFIGURASI RADIUS
/etc/freeradius/sql.conf
sql {
# Database type
driver = "rlm_sql_mysql"

# Connect info
server = "localhost"
login = "radius"
password = ""

# Database table configuration
radius_db = "radius"

...

# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = yesFramed-IP-Address
}

Note: The value readclients with yes, makes it possible to store the list of the NAS in the table nas of the data base radius, in addition to the NAS present in the /etc/freeradius/clients.conf file. The addition of a new entry in the table nas is not dynamic, enframed-IP-Address effect the list of the NAS is built with the launching of freeradius starting from the /etc/freeradius/clients.conf file and the table sql nas.

To take into account the changes, it to reload the files of configuration:
shell> /etc/init.d/freeradius
the /etc/freeradius/radiusd.conf file
modules {
chap {
authtype = CHAP
}

mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}

$INCLUDE ${confdir}/sql.conf #1249
}

authorize { #1774
chap
mschap
suffix
sql
}

authenticate { #1887
Auth-Type CHAP {
chap
}

Auth-Type MS-CHAP {
mschap
}
}

accounting {
sql
}

session {
sql
}

Test of the installation of freeradius
We will add a local NAS to test the configuration. For that it is necessary to publish the /etc/freeradius/clients.conf file
client 127.0.0.1 {
secret = mySecret
shortname = localhost
nastype = other
}

It is necessary for us to create an entry for the NAS whose IP is 127.0.0.1, and to specify a key secrecy which will be used for encoding of information between the NAS and the Waiter Radius. Note: We could here, to add an entry in the table nas base sql, but we will approach this solution further.
To launch freeradius in mode comforts: debug mode

To have a maximum of information for debuger our installation, and to include/understand what it occurs, we will stop the service freeradius and the throw in mode comforts with the options which are well:

shell> /etc/init.d/freeradius stop
shell> freeradius -XXX

To add an account of test in our table radcheck

shell> mysql --user=radius -p radius
mysql> INSERT INTO radcheck(UserName,Attribute,op,Value) VALUES ('yoann','User-Password','==','test');
mysql> quit;

We added here the user “yoann” with the password “test”
Test of the authentification We go use the tool radtest whose syntax is as follows:
radtest
Note: to use the port by default radius you can use 0.

shell> radtest yoann test 127.0.0.1 0 mySecret
Sending Access-Request of id 186 to 127.0.0.1 port 1812
User-Name = "yoann"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=186, length=20

If the authentification is correct, you will receive the Access-Accept message. You can now stop freeradius in mode comforts (Ctrl+C) and start again it in time that service. shell> /etc/init.d/freeradius start

Installation/Configuration of pptpd
You must, above all, you ensure that your kernel supports the MMPE Encryption which will allow us crypter the data in MPPE-128, in addition to authentification MS-CHAP-V2

/etc/pptpd.conf
option /etc/ppp/pptpd-options
logwtmp
localip 10.1.100.254
remoteip 10.1.100.1-200
Note: The line remoteip optional, because it is perhaps replaced by the value of attribute Framed-IP-Address contained in our table radreply

/etc/ppp/pptpd-options
Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Authentification Encryption
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2

# Data Encryption
require-mppe-128

# Disable BSD Compression
nobsdcomp

# Network and Routing
ms-dns 10.1.100.254
proxyarp
nodefaultroute

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive access.
lock

# Enable connection debugging facilities.
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump

# Miscellaneous
ipcp-accept-local
ipcp-accept-remote

lcp-echo-failure 3
lcp-echo-interval 5

# Plugins
plugin radius.so

1 komentar:

YoK said...

source : http://www.queret.net/blog/index.php/2007/04/02/70-freeradius-mysql-pptpd