在CentOS 6系统上安装lnmp + pptp + freeradius + daloradius的过程,已在原生CentOS 6、Linode、digitalocen等VPS上测试过均无问题。
一,安装LNMP
地址见http://lnmp.org/install.html,发布本文时,博主本人安装的是lnmp1.0版
安装完成需要作一些简单的优化,DaloRADIUS需要PEAR的DB插件,原生的LNMP并未安装pear,故这里也需要安装
编辑/usr/local/php/etc/php.ini,找到disable_functions,去掉scandir、fsockopen函数ln -s /usr/local/php/etc/php.ini /etc/php.iniwget http://pear.php.net/go-pear.pharphp -f go-pear.phar按1(修改Installation base),输入/usr/local/pear按5(修改PHP code directory),输入/usr/local/php/share/pear按9(修改Public Web Files directory),输入/home/wwwroot然后回车,提示alter php.ini,选择Y,一路回车检查一下/usr/local/php/etc/php.ini,检查如下一行,如果没有就加上include_path=".:/usr/local/php/share/pear"ln -s /usr/local/pear/bin/pear /usr/bin/pearpear install DB/etc/init.d/php-fpm reload |
二,安装pptp vpn
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpmrpm -ivh epel-release-6-8.noarch.rpmyum install pptpd ppp dkmsmknod /dev/ppp c 108 0echo "mknod /dev/ppp c 108 0" >> /etc/rc.local编辑/etc/sysctl.conf修改net.ipv4.ip_forward = 1sysctl -pecho "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.localecho "localip 172.16.36.1" >> /etc/pptpd.confecho "remoteip 172.16.36.2-254" >> /etc/pptpd.confecho "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpdecho "ms-dns 8.8.4.4" >> /etc/ppp/options.pptpdiptables -Fiptables -Xiptables -Ziptables -t nat -A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source `ifconfig | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk 'NR==1 { print $1}'`iptables -A FORWARD -p tcp --syn -s 172.16.36.0/24 -j TCPMSS --set-mss 1356/etc/init.d/iptables save/etc/init.d/iptables restart/etc/init.d/pptpd startchkconfig --level 2345 pptpd on |
三,安装FreeRADIUS
FreeRADIUS:是一个实现RADIUS协议的软件,基于GPLv2开源。它是目前部署最广泛的开源RADIUS软件。
daloRADIUS:是一个FreeRADIUS的Web管理接口,使用PHP编写。
yum install perl-DBI freeradius freeradius-mysql freeradius-utils编辑/etc/raddb/users,文件开头加上testing Cleartext-Password := "password"注意,这里就是password,不要把password改成testing123或者其它的密码 |
打开radius的测试模式,执行radiusd -X
然后打开一个新终端,执行radtest testing password 127.0.0.1 0 testing123
如果看到Access-Accept,说明连接成功了
如果看到类似“Ignoring request to authentication address * port 1812 from unknownclient”的文字,可能需要去修改/etc/raddb/clients.conf,将client localhost段下的ipaddr改为服务器的IP,而不是127.0.0.1
测试连接成功后,可以把/etc/raddb/users里临时加上去的第一行删除
下载ppp源码,因为要用到其中的配置文件wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gztar zxvf ppp-2.4.5.tar.gzcp -R ppp-2.4.5/pppd/plugins/radius/etc/ /usr/local/etc/radiusclient编辑/usr/local/etc/radiusclient/servers,加上一组服务器和密钥,本例中为bear123localhost bear123编辑/usr/local/etc/radiusclient/dictionary最后一行改成INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft然后添加一行INCLUDE /usr/local/etc/radiusclient/dictionary.merit编辑/etc/raddb/clients.conf把client localhost段下的secret改成刚才指定的密钥编辑/etc/raddb/radiusd.conf找到$INCLUDE sql.conf,去掉前面的#;找到$INCLUDE sql/mysql/counter.conf,去掉前面的#。 |
进入mysql,添加数据库
CREATE USER 'radius'@'localhost' IDENTIFIED BY '密码';CREATE DATABASE IF NOT EXISTS `radius` ;GRANT ALL PRIVILEGES ON `radius` . * TO 'radius'@'localhost';flush privileges; |
编辑/etc/raddb/sql.conf配置login(用户名),password(密码),radius_db(数据库名)等字段找到readclients一行,设为yes并去掉注释符号#编辑/etc/raddb/sites-enabled/defaultauthorize段,关掉files,打开sql,也可以把unix关掉preacct段,关掉filesaccounting段,打开sql,也可以把unix关掉session段,打开sqlpost-auth段,打开sqlpre-proxy段,关掉files |
到这一步,我们的FreeRADIUS就算配置好了,用户信息都将保存在MySQL数据库中。至于数据库中的表,我们在后面统一导入
四,安装daloRADIUS
mkdir /usr/share/daloradiuswget http://sourceforge.net/projects/daloradius/files/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gztar -zxvf daloradius-0.9-9.tar.gzmv daloradius-0.9-9/* /usr/share/daloradius/rm -rf daloradius-0.9-9将daloRADIUS中附带的sql文件导入MySQL数据库mysql -uroot -p radius < /usr/share/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql编辑/usr/share/daloradius/library/daloradius.conf.php,这是daloRADIUS的配置文件。首先是MySQL登录信息:$configValues['CONFIG_DB_HOST'] = 'localhost';$configValues['CONFIG_DB_USER'] = 'radius';$configValues['CONFIG_DB_PASS'] = '密码';$configValues['CONFIG_DB_NAME'] = 'radius';然后修改daloRADIUS的路径$configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/usr/share/daloradius/var';将daloRADIUS接入nginxln -s /usr/share/daloradius/ /home/wwwroot/default/admin/etc/init.d/nginx restart/etc/init.d/mysql restart |
打开浏览器,进入daloRADIUS的管理页面(本例中为http://your.ip/admin),使用默认用户名administrator和密码radius登录;
点击Login以后有可能出现“HTTP 500内部服务器错误”或者一片空白,可能原因:1,pear未正确安装;2,php.ini中的pear配置不要放到最底端
登陆成功以后,建议立即到“Config”-“Operators”中修改密码
注意在Management中添加的用户,注意密码类型选择Cleartext-Password
再一次测试
在终端里启动radiusd -X(需要先停止radiusd服务)
打开另一个终端,运行radtest username password localhost 0 bear123
正常情况应该出现Access-Reject packet from……
添加用户测试
打开daloRADIUS的管理页面,点击“Management”-“Users”添加一个用户(假设用户名zhang3,密码12345)
在终端里启动radiusd -X(需要先停止radiusd服务)
打开另一个终端,运行radtest zhang3 12345 localhost 0 bear123
正常情况应该出现Access-Accept packet from……
五,设置RADIUS与PPP对接
编辑/etc/ppp/options.pptpd,确保有以下配置项refuse-chaprefuse-mschaprequire-mppe-128require-mschap-v2在末尾加上3行plugin radius.soplugin radattr.soradius-config-file /usr/local/etc/radiusclient/radiusclient.conf |
/etc/init.d/pptpd restart && chkconfig --level 2345 pptpd on/etc/init.d/radiusd start && chkconfig --level 2345 radiusd on |
六,设置流量控制
1,修改数据库
use radius;INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Auth-Type',':=','Local');INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Service-Type',':=','Framed-User');INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Framed-IP-Address',':=','255.255.255.255');INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Framed-IP-Netmask',':=','255.255.255.0');INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Acct-Interim-Interval',':=','600');INSERT INTO radgroupcheck (groupname,attribute,op,value) VALUES ('user','Max-Monthly-Traffic',':=','1024');INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES ('user','Simultaneous-Use',':=','1'); |
以上前四行不用改动,acct-interim-interval是计算流量的间隔(600秒),意味着每隔10分钟记录当前流量
Max-Monthly-Traffic是每月最大流量,这里是1024M,Simultaneous-Use是允许每个用户同时连接的客户端数量
然后在Management中添加的新用户,注意密码类型选择Cleartext-Password,用户组选择user
2、修改配置
编辑/etc/raddb/sql/mysql/dialup.conf注释sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"并取消注释下一行如果需要打开simultanoues-use(控制同时在线用户数)的话需要把simul_count_query取消注释注意:我这里注释了simul_count_query,但在数据库radgroupcheck表里设定的用户数量限制仍然有效,原因未知编辑/etc/raddb/dictionary,添加如下两行ATTRIBUTE Max-Monthly-Traffic 3003 integerATTRIBUTE Monthly-Traffic-Limit 3004 integer编辑/etc/raddb/sites-enabled/default,找到authorize在该区域的尾部(即“}”前一行)添加一行monthlytrafficcounter编辑/etc/raddb/sql/mysql/counter.conf,在最后加入sqlcounter monthlytrafficcounter { counter-name = Monthly-Traffic check-name = Max-Monthly-Traffic reply-name = Monthly-Traffic-Limit sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1048576 FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"} |
3、向数据库中添加一个测试用户
INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('用户名','Cleartext-Password',':=','密码');INSERT INTO radusergroup (username,groupname) VALUES ('用户名','user'); |
4、初步测试
/etc/init.d/radiusd stop |
在终端里启动radiusd -X
重新打开一个终端运行radtest 用户名 密码 localhost 0 bear123,有Access-Accept就代表成功
按Ctrl+C取消测试
5,设置radiusclient
编辑/usr/local/etc/radiusclient/radiusclient.conf,修改authserver localhost:1812acctserver localhost:1813编辑/usr/local/etc/radiusclient/servers,最后加上localhost bear123(就是/etc/raddb/clients.conf里面定义的secret)编辑/usr/local/etc/radiusclient/dictionary,最后加上INCLUDE /usr/local/etc/radiusclient/dictionary.meritINCLUDE /usr/local/etc/radiusclient/dictionary.microsoft |
6,重启服务
/etc/init.d/radiusd restart |
七,补充内容
查询月流量限制SELECT value FROM radgroupreply WHERE groupname='user' AND attribute='Max-Monthly-Traffic';查询用户当月总流量SELECT SUM(acctinputoctets+acctoutputoctets) FROM radacct WHERE username='用户名' AND date_format(acctstarttime, '%Y-%m-%d') >= date_format(now(),'%Y-%m-01') AND date_format(acctstoptime, '%Y-%m-%d') <= last_day(now());查询用户当月总流量(以MB显示)SELECT ROUND(SUM(acctinputoctets+acctoutputoctets)/1024/1024,2) AS 'acctinputoctets+acctoutputoctets(MB)' FROM radacct WHERE username='用户名' AND date_format(acctstarttime, '%Y-%m-%d') >= date_format(now(),'%Y-%m-01') AND date_format(acctstoptime, '%Y-%m-%d') <= last_day(now());查询用户当月详情(每次登入登出时间,发送和接收的流量)SELECT username,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets FROM radacct WHERE username='用户名' AND date_format(acctstarttime, '%Y-%m-%d') >= date_format(now(),'%Y-%m-01') AND date_format(acctstoptime, '%Y-%m-%d') <= last_day(now());查询用户当月详情(每次登入登出时间,发送和接收的流量),并将流量转化为MB来显示SELECT username,acctstarttime,acctstoptime, ROUND(acctinputoctets/1024/1024,2) '(acctinputoctets(MB))',ROUND(acctoutputoctets/1024/1024,2) '(acctoutputoctets(MB))' FROM radacct WHERE username='用户名' AND date_format(acctstarttime, '%Y-%m-%d') >= date_format(now(),'%Y-%m-01') AND date_format(acctstoptime, '%Y-%m-%d') <= last_day(now());查询用户当月详情(每次登入登出时间,发送和接收的流量),并将流量转化为GB来显示SELECT username,acctstarttime,acctstoptime, ROUND(acctinputoctets/1024/1024/1024,2) '(acctinputoctets(GB))',ROUND(acctoutputoctets/1024/1024/1024,2) '(acctoutputoctets(GB))' FROM radacct WHERE username='用户名' AND date_format(acctstarttime, '%Y-%m-%d') >= date_format(now(),'%Y-%m-01') AND date_format(acctstoptime, '%Y-%m-%d') <= last_day(now()); |
注意:
1,如果单次登陆流量不足10M,转化为GB以后显示为0.00
2,通过MYSQL更改总流量限制以后,无需重启radiusd服务,流量超限的用户立即就可以重新登陆
3,如果需要需要限制用户上传、下载速度,可以参考http://www.zhukun.net/archives/7406
可能遇到的问题:
1,执行radiusd -X的时候,提示:
/etc/raddb/sql.conf[22]: Instantiation failed for module “sql”
/etc/raddb/sites-enabled/default[177]: Failed to load module “sql”.
/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
解决办法:
mysql> ALTER TABLE `radius`.`nas` ADD COLUMN `server` VARCHAR(45) NOT NULL AFTER `secret` ;
service mysqld restart