PPPoE with FreeRadius and MySQL: Difference between revisions

mNo edit summary
mNo edit summary
Line 14: Line 14:
Put this in your package.use ( this will set the support for packages
Put this in your package.use ( this will set the support for packages


net-dialup/ppp radius <br/>
net-dialup/ppp-2.4.5-r1  USE="pam radius -activefilter -atm -dhcp -eap-tls -gtk -ipv6" <br/>
dev-db/mysql -minimal <br/>
dev-db/mysql-5.1.51  USE="community perl ssl -big-tables -cluster (-debug) -embedded -extraengine -latin1 -max-idx-128 -minimal -pbxt -profiling (-selinux) -static -test -xtradb" <br/>
net-dialup/freeradius mysql threads <br/>
net-dialup/rp-pppoe-3.10-r1  USE="-X"
net-dialup/freeradius-2.1.7  USE="mysql pam ssl threads udpfromto -bindist -debug -edirectory (-firebird) -frascend -frxp -kerberos -ldap -postgres -snmp" <br/>


And do an "emerge mysql freeradius rp-pppoe".  If this is a new mysql installation .. don't forget to "mysql_install_db && /etc/init.d/mysql start && mysql_secure_installation".
<source lang="bash">
emerge mysql freeradius rp-pppoe ppp
chown radiusd:radiusd /etc/raddb/certs
# If this is a new mysql installation
mysql_install_db && /etc/init.d/mysql start && mysql_secure_installation
cat << EOF > /etc/ppp/options
plugin radius.so
plugin radattr.so
ms-dns your.dns.goes.here
auth
crtscts
lock
modem
mtu 1492
mru 1492
debug
proxyarp
lcp-echo-interval 60
lcp-echo-failure 5
EOF
 
cat << EOF > /etc/ppp/pppoe-server-options
require-chap
auth
debug
lcp-echo-interval 10
lcp-echo-failure 2
EOF
 
cat << EOF > /etc/ppp/chap-secrets
* * "" *
EOF


I'll only have myself as a client so in /etc/raddb/clients.conf I just changed the "secret".
I'll only have myself as a client so in /etc/raddb/clients.conf I just changed the "secret".
Line 34: Line 66:
</source>
</source>


In /etc/raddb/radiusd.conf set user and group to "radiusd" ( without quotes ).
cat << EOF > /etc/raddb/radiusd.conf
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 120
cleanup_delay = 1
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = yes
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests  = no
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
 
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE sql.conf
        $INCLUDE sqlippool.conf
}
instantiate {
        exec
        expr
}
$INCLUDE sites-enabled/
EOF
 
cat << EOF > /etc/raddb/sites-enabled/default
authorize {
        preprocess
        auth_log
        chap
        mschap
        sql
        expiration
        logintime
}
authenticate {
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
}
preacct {
        preprocess
        acct_unique
}
accounting {
        radutmp
        sradutmp
        sql
        sql_log
        sqlippool
        attr_filter.accounting_response
}


In /etc/raddb/sites-enabled/default in the authorize{} section comment out the eap{}, uncomment "sql". In authenticate{} comment out "pam" and "unix". In session {} uncomment "sql".
session {
        radutmp
        sradutmp
        sql
}


Also do a chown radiusd:radiusd /etc/raddb/certs
post-auth {
        reply_log
        sql
        sql_log
        sqlippool
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
}
EOF


Edit /etc/raddb/sql/mysql/admin.sql and change the default "radpass" to something more convenient to you. Then do
# Edit /etc/raddb/sql/mysql/admin.sql and change the default "radpass" to something more convenient to you. Then do


<source lang="bash">
mysql -u root -p < admin.sql
mysql -u root -p < admin.sql
mysqladmin -p create radius
mysqladmin -p create radius
mysql -u root -p -D radius < schema.sql
mysql -u root -p -D radius < schema.sql
mysql -u root -p -D radius < nas.sql
mysql -u root -p -D radius < nas.sql
</source>


Edit /etc/raddb/sql.conf . Set up the "password" field to whatever you set for the admin.sql. In /etc/raddb/sql/mysql/dialup.conf you probably want these:
# Set up the "password" field to whatever you set for the admin.sql.
cat << EOF > /etc/raddb/sql.conf
sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        login = "radius"
        password = "r4d1usP4ssw0rd"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        deletestalesessions = yes
        sqltrace = yes
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 30
        lifetime = 0
        max_queries = 0
        nas_table = "nas"
        $INCLUDE sql/${database}/dialup.conf
}
EOF


<source lang="text"
In /etc/raddb/sql/mysql/dialup.conf you want: sql_user_name = "%{User-Name}"
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
</source>


And now do something in your mysql radius tables (I'm adding myself as a test user):
And now do something in your mysql radius tables (I'm adding myself as a test user):


<source lang="mysql">
<source lang="mysql">
insert into `radgroupcheck` (`groupname`, `attribute`, `op`, `value`) VALUES ('dynamic', 'Auth-Type', ':=', 'Local');
insert into `radusergroup` (`username`, `groupname`) VALUES ('dex', 'dynamic');
insert into `radgroupreply` (`groupname`, `attribute`, `op`, `value`) VALUES ('dynamic', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');
 
insert into `radgroupreply` (`groupname`, `attribute`, `op`, `value`) VALUES ('dynamic', 'Framed-Protocol', ':=', 'PPP');
insert into `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.x', NULL, '0');
insert into `radgroupreply` (`groupname`, `attribute`, `op`, `value`) VALUES ('dynamic', 'Service-Type', ':=', 'Framed-User');
insert into `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.y', NULL, '0');
insert into `radgroupreply` (`groupname`, `attribute`, `op`, `value`) VALUES ('dynamic', 'Framed-MTU', ':=', '1500');
insert into `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.z', NULL, '0');
insert into `radusergroup` (`username`, `groupname`) VALUES ('dexter', 'dynamic');
 
insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dexter', 'Password', '==', 'P4ssw0rd');
insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Cleartext-Password', ':=', 'P4ssw0rd');
insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Pool-Name', ':=', 'main');
insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Fall-Through', ':=', 'Yes');
 
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-Protocol', ':=', 'PPP');
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Service-Type', ':=', 'Framed-User');
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-MTU', ':=', '1500');
 
</source>
</source>


Finally start yout PPPoE Server with :
<source lang="bash">
#eth1.add.ress should be an local ip address binded on the interface where the internet will be gotten from ...
#eth2.int.er.face should be "eth2" or an interface name on which it'll listen for PPPoE requests ( doesn't need an ip binded to it ! )
# -k is needed to send the calling mac address ( if you need it )
pppoe-server -L eth1.add.re.ss -T 60 -I eth2.int.er.face -N 200 -C Platinium -S Platinium -k -u -s
</source>


==OTHER RESOURCES==
==OTHER RESOURCES==
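Review bot: The heredocs the new side adds for /etc/raddb/radiusd.conf and /etc/raddb/sql.conf use an unquoted `EOF` delimiter, so the shell expands the FreeRADIUS references before the file is written: `${prefix}`, `${logdir}` and `$INCLUDE clients.conf` in radiusd.conf and `rlm_sql_${database}` in sql.conf all come out empty, leaving radiusd a config it cannot parse. Quote the delimiter in both places: `cat << 'EOF' > /etc/raddb/radiusd.conf` and `cat << 'EOF' > /etc/raddb/sql.conf`. On the same radiusd.conf lines, `ipaddr = *` in both listen blocks binds the auth and acct ports on every interface, including the one facing PPPoE clients, while the page's only RADIUS client is the local pppd (clients.conf, `localhost secret`), so `ipaddr = 127.0.0.1` is the safer value. The sites-enabled/default heredoc contains no `$` and survives as written.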

Revision as of 13:18, 8 December 2010

WHY

At my old ISP I set up the PPPoE server with the authentication part ... and I forgot how to do it again at my new workplace ... so this time I'll take notes.

HOW

Make sure the Gentoo machine is up to date (`emerge --sync` refreshes the Portage tree; follow it with a world update). On the Gentoo machine:

Put this in your package.keywords (so you get the "latest" versions ... they're stable enough). Note that the `**` keyword accepts any ebuild of the package regardless of its KEYWORDS, i.e. Portage's own stability gating is bypassed for these two packages. I'm going to use MySQL as the backend.

net-dialup/rp-pppoe **
net-dialup/ppp **

Put this in your package.use (it sets the USE flags the packages are built with — notably `radius` for ppp, which provides the radius.so plugin, and `mysql` for freeradius):

net-dialup/ppp-2.4.5-r1 USE="pam radius -activefilter -atm -dhcp -eap-tls -gtk -ipv6"
dev-db/mysql-5.1.51 USE="community perl ssl -big-tables -cluster (-debug) -embedded -extraengine -latin1 -max-idx-128 -minimal -pbxt -profiling (-selinux) -static -test -xtradb"
net-dialup/rp-pppoe-3.10-r1 USE="-X"
net-dialup/freeradius-2.1.7 USE="mysql pam ssl threads udpfromto -bindist -debug -edirectory (-firebird) -frascend -frxp -kerberos -ldap -postgres -snmp"

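# Pull in the PPPoE server, pppd (built with USE=radius for the radius.so plugin),
# FreeRADIUS and MySQL.
emerge mysql freeradius rp-pppoe ppp
# radiusd.conf (below) runs the daemon as radiusd:radiusd, so it must own its certs dir.
chown radiusd:radiusd /etc/raddb/certs
# If this is a new mysql installation: create the data directory, start the server and
# run the interactive hardening script (root password, anonymous users, test db, remote root).
mysql_install_db && /etc/init.d/mysql start && mysql_secure_installation

# Global pppd options.  Authentication is delegated to FreeRADIUS by the radius plugin;
# radattr exposes the RADIUS reply attributes to pppd's scripts.
cat << EOF > /etc/ppp/options
plugin radius.so
plugin radattr.so
# placeholder: the DNS server handed to clients
ms-dns your.dns.goes.here
# always require the peer to authenticate
auth
# serial-line options; harmless but meaningless over PPPoE
crtscts
lock
modem
# PPPoE leaves 1492 bytes of PPP payload in a 1500-byte Ethernet frame
mtu 1492
mru 1492
# logs every negotiation packet (CHAP challenge/response included) to syslog; drop once it works
debug
proxyarp
lcp-echo-interval 60
lcp-echo-failure 5
EOF

# Options pppoe-server hands to every pppd it spawns.
cat << EOF > /etc/ppp/pppoe-server-options
# the peer must authenticate with CHAP; CHAP can only be verified from the cleartext
# password, which is why radcheck below stores Cleartext-Password
require-chap
auth
debug
lcp-echo-interval 10
lcp-echo-failure 2
EOF

# Catch-all entry so pppd believes it has a CHAP secret for every peer; the actual
# verification is done by plugin radius.so (loaded in /etc/ppp/options above) against
# FreeRADIUS.  Without that plugin pppd would fall back to this file and accept any
# peer using an empty password, so the two must stay together.
cat << EOF > /etc/ppp/chap-secrets
* * "" *
EOF
# pppd warns about group/world-readable secrets files; keep it root-only
chmod 600 /etc/ppp/chap-secrets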

I'll only have myself (the local pppd) as a RADIUS client, so in /etc/raddb/clients.conf I just changed the "secret". That shared secret is the only thing authenticating the NAS to radiusd, so use a long random value; the same value goes into /etc/ppp/radius/servers below.

Add `localhost secret` (replacing `secret` with the same shared secret you put in /etc/raddb/clients.conf) to /etc/ppp/radius/servers — that file now holds the secret, so make it readable by root only — and make sure /etc/ppp/options contains at least the following (the heredoc above already writes a superset of it):

<source lang="text">
lock
mtu 1492
mru 1492
proxyarp
ms-dns your.dns.goes.here
plugin radius.so
plugin radattr.so

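# Main radiusd.conf.  The delimiter MUST be quoted: ${prefix}, ${logdir}, $INCLUDE ...
# are FreeRADIUS syntax, and with an unquoted EOF the shell would expand them to
# empty strings before the file is written (driver/include lines end up blank).
cat << 'EOF' > /etc/raddb/radiusd.conf
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
# drop root after start-up; /etc/raddb/certs was chown'ed to this user above
user = radiusd
group = radiusd
max_request_time = 120
cleanup_delay = 1
max_requests = 1024
# The only RADIUS client is the local pppd (clients.conf / "localhost secret"), so
# listen on loopback only; use * or a specific address if a remote NAS must reach
# this server.  port = 0 means the standard ports (1812 auth, 1813 acct).
listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 0
}
listen {
        ipaddr = 127.0.0.1
        port = 0
        type = acct
}
hostname_lookups = no
# a core file would contain shared secrets and passwords
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = yes
        auth = yes
        # auth_badpass/auth_goodpass write the submitted credential itself into
        # radius.log (cleartext for PAP, the CHAP response otherwise).  Useful
        # while testing; set both to no once the setup works.
        auth_badpass = yes
        auth_goodpass = yes
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        # delay rejects by 1s to slow down password guessing
        reject_delay = 1
        # answer Status-Server probes from configured clients
        status_server = yes
}
# this server never forwards requests elsewhere
proxy_requests = no
# NAS list and shared secrets -- the secret is all that authenticates pppd's
# requests, so keep clients.conf readable by root/radiusd only
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE sql.conf
        $INCLUDE sqlippool.conf
}
instantiate {
        exec
        expr
}
$INCLUDE sites-enabled/
EOF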

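# The default virtual server.  Nothing in it is shell-expandable today, but the
# delimiter is quoted anyway so later edits (%{...} expansions, $INCLUDE lines)
# are not mangled the way an unquoted EOF would mangle them.
cat << 'EOF' > /etc/raddb/sites-enabled/default
# authorize: gather check/reply items and pick the Auth-Type
authorize {
        preprocess
        # writes every Access-Request, attributes included, to the detail log -- debugging aid
        auth_log
        chap
        mschap
        # users, groups, check and reply items come from MySQL (sql.conf)
        sql
        expiration
        logintime
}
# only CHAP and MS-CHAP are handled: no PAP, no EAP, no system (pam/unix) accounts
authenticate {
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
}
preacct {
        preprocess
        acct_unique
}
accounting {
        radutmp
        sradutmp
        sql
        sql_log
        # returns the pooled Framed-IP-Address when the session stops
        sqlippool
        attr_filter.accounting_response
}
# session: Simultaneous-Use checks against radutmp and the SQL accounting table
session {
        radutmp
        sradutmp
        sql
}
post-auth {
        # logs the complete reply to the detail log -- debugging aid
        reply_log
        sql
        sql_log
        # allocates Framed-IP-Address from the radippool pool named by Pool-Name
        sqlippool
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
}
EOF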

  1. Edit /etc/raddb/sql/mysql/admin.sql and change the default "radpass" to a strong, unique password: it is the MySQL password of the `radius` account admin.sql creates, and the same value goes into the `password` field of sql.conf below. Then do

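# The four .sql files ship in /etc/raddb/sql/mysql; absolute paths make this work
# from any directory (the bare names only resolve when that is the cwd).  -p with
# no value prompts for the MySQL root password, keeping it off the command line.
mysql -u root -p < /etc/raddb/sql/mysql/admin.sql            # creates the 'radius' DB account sql.conf logs in with
mysqladmin -p create radius                                   # the database itself
mysql -u root -p -D radius < /etc/raddb/sql/mysql/schema.sql  # radcheck, radreply, radacct, radippool ... tables
mysql -u root -p -D radius < /etc/raddb/sql/mysql/nas.sql     # nas table (RADIUS clients kept in SQL)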

  1. Set the `password` field below to the value you put in admin.sql. The file then holds a database credential, so keep it readable by root and the radiusd group only.

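# sql.conf: the rlm_sql module instance.  Quoted delimiter: ${database}, ${logdir}
# and $INCLUDE are FreeRADIUS references and must reach the file untouched -- an
# unquoted EOF would turn driver into "rlm_sql_" and blank the include line.
cat << 'EOF' > /etc/raddb/sql.conf
sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        login = "radius"
        # the password given to the 'radius' account in admin.sql -- replace this example value
        password = "r4d1usP4ssw0rd"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        deletestalesessions = yes
        # sqltrace writes every query (user names, and whatever the post-auth query in
        # dialup.conf records) to sqltracefile -- debugging aid, disable in production
        sqltrace = yes
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 30
        # 0 = connections are never recycled
        lifetime = 0
        max_queries = 0
        nas_table = "nas"
        $INCLUDE sql/${database}/dialup.conf
}
EOF
# the file holds a database credential: readable by root and the radiusd group only
chown root:radiusd /etc/raddb/sql.conf && chmod 640 /etc/raddb/sql.conf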

In /etc/raddb/sql/mysql/dialup.conf you want: sql_user_name = "%{User-Name}"

And now do something in your mysql radius tables (I'm adding myself as a test user):

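-- Group membership.  NOTE: no radgroupcheck/radgroupreply rows for 'dynamic' are
-- created on this page, so the membership carries no attributes until you add some.
insert into `radusergroup` (`username`, `groupname`) VALUES ('dex', 'dynamic');

-- Address pool 'main' used by sqlippool; x.x.x.* are placeholders, one row per
-- address to hand out on the PPPoE side.
insert into `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES
        ('main', 'x.x.x.x', NULL, '0'),
        ('main', 'x.x.x.y', NULL, '0'),
        ('main', 'x.x.x.z', NULL, '0');

-- Check items.  CHAP/MS-CHAP can only be verified from the cleartext password, so
-- it must be stored as Cleartext-Password (replace the example); this is why the
-- database access (admin.sql password, mysql_secure_installation) matters.
insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES
        ('dex', 'Cleartext-Password', ':=', 'P4ssw0rd'),
        ('dex', 'Pool-Name', ':=', 'main'),
        ('dex', 'Fall-Through', ':=', 'Yes');

-- Reply items.  Framed-Compression's dictionary value is spelled Van-Jacobson-TCP-IP
-- (the page had "Jacobsen", which the dictionary does not know).  Framed-MTU matches
-- the 1492 in /etc/ppp/options: PPPoE only leaves 1492 bytes of PPP payload in a
-- 1500-byte Ethernet frame, so 1500 here was inconsistent with the pppd options.
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES
        ('dex', 'Framed-Protocol', ':=', 'PPP'),
        ('dex', 'Service-Type', ':=', 'Framed-User'),
        ('dex', 'Framed-Compression', ':=', 'Van-Jacobson-TCP-IP'),
        ('dex', 'Framed-MTU', ':=', '1492');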

Finally, start your PPPoE server with:

# -I  the interface that listens for PPPoE discovery (eth2 or similar; it needs no IP address of its own)
# -L  an address already configured on the upstream/"internet" interface; it becomes the local end of each PPP link
# -k  kernel-mode PPPoE; per the page this is what gets the calling MAC address passed on (if you need it) -- confirm on your pppd build
# -N  at most 200 concurrent sessions; -C/-S concentrator and service name; -T/-u/-s as documented in pppoe-server(8)
pppoe-server -I eth2.int.er.face -L eth1.add.re.ss -C Platinium -S Platinium -N 200 -T 60 -k -u -s

OTHER RESOURCES

PPPoE Server HOW-TO

FreeRadius with MySQL HowTo Notes

SQL HOWTO - FreeRADIUS Wiki