2 posts matching 'Freeradius'
- 2011.03.19 Building an ssh authentication server using Radius
- 2011.03.15 PPTP VPN account management with Radius + MySQL (2)
#apt-get install freeradius
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  freeradius-common freeradius-utils libdbi-perl libfreeradius2 libltdl7
  libnet-daemon-perl libperl5.10 libplrpc-perl perl perl-base perl-modules
Suggested packages:
  freeradius-ldap freeradius-postgresql freeradius-mysql freeradius-krb5
  dbishell perl-doc libterm-readline-gnu-perl libterm-readline-perl-perl
The following NEW packages will be installed:
  freeradius freeradius-common freeradius-utils libdbi-perl libfreeradius2
  libltdl7 libnet-daemon-perl libperl5.10 libplrpc-perl
The following packages will be upgraded:
  perl perl-base perl-modules
3 upgraded, 9 newly installed, 0 to remove and 34 not upgraded.
Need to get 11.0MB of archives.
After this operation, 8,290kB of additional disk space will be used.
Do you want to continue [Y/n]?
(omitted)
Updating default SSL certificate settings, if any...
Adding user freerad to group ssl-cert
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................+.......................+.......+ (omitted) ++*++*++*
 * Starting FreeRADIUS daemon freeradius                          [ OK ]
Setting up freeradius-utils (2.1.8+dfsg-1ubuntu1) ...
Setting up perl-modules (5.10.1-8ubuntu2) ...
Setting up perl (5.10.1-8ubuntu2) ...
Setting up libnet-daemon-perl (0.43-1) ...
Setting up libplrpc-perl (0.2020-2) ...
Setting up libdbi-perl (1.609-1build1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@UAT:/home/iprize#
client 192.168.111.0/24 {
    secret = radius_auth
    shortname = private-network
}
# apt-get install libpam-radius-auth
# server[:port] shared_secret timeout (s)
192.168.111.111 radius_auth 1
auth sufficient pam_radius_auth.so
#adduser --home /home/iprize iprize
rad_recv: Access-Request packet from host 192.168.111.131 port 6767, id=147, length=91
	User-Name = "iprize"
	User-Password = "testing123"
	NAS-IP-Address = 127.0.1.1
	NAS-Identifier = "sshd"
	NAS-Port = 5742
	NAS-Port-Type = Virtual
	Service-Type = Authenticate-Only
	Calling-Station-Id = "192.168.111.1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "iprize", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testing123"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 147 to 192.168.111.131 port 6767
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 147 with timestamp +25
Ready to process requests.
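The PAP exchange in that debug output, rebuilt as an added Python example (not code from the original post): the NAS encodes User-Password per RFC 2865, the server recovers it and answers with a Response Authenticator, and the NAS refuses a reply whose authenticator does not verify under the shared secret. The secret, user, password and NAS-Identifier values are constructed to mirror the log; the request authenticator is random, as it must be.

```python
import hashlib, hmac, os, struct

# RFC 2865 packet codes and attribute types used in the exchange above.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def xor_password(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded by the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else out[-16:]  # chain on the ciphertext block
    return out

def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    attrs, pos = {}, 20
    while pos < length:
        attrs[raw[pos]] = raw[pos + 2:pos + raw[pos + 1]]
        pos += raw[pos + 1]
    return code, ident, raw[4:20], attrs

def build_access_request(ident, user, password, secret, nas_id, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # must be unpredictable for every request
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = [(USER_NAME, user), (NAS_IDENTIFIER, nas_id),
             (USER_PASSWORD, xor_password(padded, secret, req_auth))]
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def server_respond(request, secret, users):
    """Server side of Auth-Type PAP; Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    _, ident, req_auth, attrs = parse_packet(request)
    pw = xor_password(attrs[USER_PASSWORD], secret, req_auth, decrypt=True).rstrip(b"\x00")
    ok = hmac.compare_digest(users.get(attrs.get(USER_NAME), b""), pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response, request, secret):
    """NAS side: trust a reply only if its Response Authenticator checks out."""
    _, req_ident, req_auth, _ = parse_packet(request)
    code, ident, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return ident == req_ident and hmac.compare_digest(resp_auth, expected), code

# Constructed sample mirroring the log above: id 147, user iprize, NAS-Identifier "sshd".
SECRET = b"radius_auth"
REQUEST = build_access_request(147, b"iprize", b"testing123", SECRET, b"sshd")
REPLY = server_respond(REQUEST, SECRET, {b"iprize": b"testing123"})
```

Anyone holding the shared secret and a capture of the request can run `xor_password` with `decrypt=True` and read the PAP password, which is why the secret and the network path between sshd and radiusd deserve the same care as the passwords themselves.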
Source: iprize.tistory.com

Caveats: MPPE encryption seems to be available with MS-CHAP authentication only. Not PAP and CHAP. This document assumes only MS-CHAP v2 is used. (As version 1 is totally broken securitywise.)
PPP and kernel:
Note: patching the kernel is only required if you are using a kernel version below 2.6.15-rc1 -- James Cameron, 2005-11-16.
Patch your kernel sources with the mppeinstall.sh script in linux/mppe/
Configure your kernel source for mppe support (make menuconfig or your preferred way). The patch adds a new choice for an MPPE module under Network devices - PPP.
Compile and install your kernel and modules. I take it everybody knows how to do this and update their lilo/grub/whatever bootloader.
Note: current versions of modutils already have these aliases, you may not need them. -- James Cameron, 2005-11-16.
Double-check /etc/modules.conf for aliases to ppp_mppe and so on.
alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
Now is as good a time as any to reboot with your MPPE enabled kernel. (Some docs tell you to install ppp before the reboot. Reason unknown, it shouldn't matter.)
Compile and install ppp. MPPE and ms-chapv2 support is compiled in by default.
PoPToP:
Compile and install. Nothing fancy needed, as it's pppd that does the magic.
PoPToP and pppd Configuration:
In my /etc/pptpd.conf I have
localip some.ip.add.ress
option /etc/options.pptpd
This is just for clarity; the default is of course /etc/ppp/options. The clients get remoteip from radius, so we don't need it here as it will be overridden, but you could have it for clarity/confusion/easy testing without radius...
I only use mschap-v2, so my /etc/ppp/options.pptpd file is:
#-----------start----------
lock
#uncomment when testing:
#debug
name pptpd
proxyarp
asyncmap 0
-chap
-mschap
+mschap-v2
require-mppe
lcp-echo-failure 30
lcp-echo-interval 5
ipcp-accept-local
ipcp-accept-remote
ms-wins wins.server.ip.address
ms-dns dns.server.ip.address
plugin radius.so
#-----------end----------
Note: It might be "chapms" and not "mschap" as changes might be happening in the cvs.
Note: nologfd option may need to be placed above the plugin line in order to prevent a serial line loopback event. -- James Cameron, 2005-08-15.
The radius.so plugin uses the settings from radiusclient, so make sure:
/etc/radiusclient/servers contains the secret for your radius server(s)
Like:
localhost testing123
If the radius is on localhost using the default freeradius secret (bad idea of course...)
I think you must have the dictionary.microsoft file in /etc/radiusclient if you use ms-chap 1 or 2.
It should be there by default.
Set authserver and acctserver in /etc/radiusclient/radiusclient.conf if your radius server is not on the same machine as your poptop.
This file sure makes splitting authentication and accounting between two radius servers very easy.
Make sure both servers (if different) are listed in /etc/radiusclient/servers
Freeradius:
Compile and install. Also has all we need by default.
Freeradius configuration:
/etc/raddb/clients.conf: Should contain entries corresponding to the servers in /etc/radiusclient/servers for the client/NAS
(our pptp server):
client 127.0.0.1 {
secret = testing123
shortname = localhost
}
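An added consistency check (example code, not part of the original page or of freeradius) that parses the clients.conf block format above and the /etc/radiusclient/servers format from the previous section, and reports what the text warns about: the default secret, the NAS and server disagreeing on the secret, and, for the 192.168.111.0/24 style block from the first post, one secret shared across a whole subnet. The two file contents are constructed from the snippets on this page; only address-form client specs are handled.

```python
import ipaddress, re

# Constructed inputs modelled on the snippets on this page, not copied from a live host.
CLIENTS_CONF = """
client 127.0.0.1 {
    secret = testing123
    shortname = localhost
}
client 192.168.111.0/24 {
    secret = radius_auth
    shortname = private-network
}
"""
RADIUSCLIENT_SERVERS = """
# server           secret
localhost          testing123
192.168.111.111    radius_auth
"""
DEFAULT_SECRETS = {"testing123"}  # the example secret freeradius ships in clients.conf

def parse_clients_conf(text):
    """Map each 'client <addr> { ... }' block to its key/value settings."""
    return {m.group(1): dict(re.findall(r"(\w+)\s*=\s*(\S+)", m.group(2)))
            for m in re.finditer(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S)}

def parse_servers(text):
    """Map the 'host secret' lines of /etc/radiusclient/servers, skipping comments."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {row[0]: row[1] for row in rows if len(row) >= 2}

def audit(clients_text, servers_text, nas_ip, radius_host):
    """List the mismatches and weak settings for one NAS talking to one RADIUS server."""
    clients, servers = parse_clients_conf(clients_text), parse_servers(servers_text)
    issues, nas_secret = [], servers.get(radius_host)
    if nas_secret is None:
        issues.append(f"NAS has no entry for {radius_host} in its servers file")
    nas = ipaddress.ip_address("127.0.0.1" if nas_ip == "localhost" else nas_ip)
    matched = [(spec, c) for spec, c in clients.items()
               if nas in ipaddress.ip_network(spec, strict=False)]  # address specs only
    if not matched:
        issues.append(f"clients.conf has no client block covering {nas_ip}")
    for spec, c in matched:
        hosts = ipaddress.ip_network(spec, strict=False).num_addresses
        if hosts > 1:
            issues.append(f"{spec}: one secret shared by {hosts} possible NAS hosts")
        if c.get("secret") in DEFAULT_SECRETS:
            issues.append(f"{spec}: uses the default secret '{c['secret']}'")
        if nas_secret is not None and c.get("secret") != nas_secret:
            issues.append(f"{spec}: secret differs from the NAS servers file entry")
    return issues
```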
/etc/raddb/radiusd.conf: These are the relevant parts of my radiusd.conf for authentication and accounting in MySQL. Thanks to Charles J. Boening (charlieb@cot.net) for this. Just remove the sql parts if you don't want them, and add the files or unix module or something.
modules {
# You might have more here
# this is just the relevant part
mschap {
authtype = MS-CHAP
use_mppe = yes
#force 128bit:
require_strong = yes
}
}
authorize {
preprocess
suffix
sql
mschap
}
authenticate {
mschap
}
preacct {
preprocess
suffix
files
}
accounting {
acct_unique
detail
sql
# radutmp
}
session {
sql
# radutmp
}
#-----------end----------
set the correct server, user and pass in /etc/raddb/sql.conf
MySQL:
Mysql configuration should be trivial, and basically consists of:
Create a database called for example "radius" in mysql. Fill it with the tables from the schema found in
mysql radius < /path/to/db_mysql.sql
Populate your tables with usernames, passwords, reply items and so on. Consult the radius docs for more info.
Windows Clients: Remember, you need 128 bit encryption support. Win98/95 users need the dun14 update.
VPN connection properties: require encryption and allow ms-chap v2 protocol
Good luck.
Source: poptop.sourceforge.net
