PPPoE with FreeRadius and MySQL: Difference between revisions
Line 14: | Line 14: | ||
Put this in your package.use ( this will set the support for packages | Put this in your package.use ( this will set the support for packages | ||
net-dialup/ppp radius <br/> | net-dialup/ppp-2.4.5-r1 USE="pam radius -activefilter -atm -dhcp -eap-tls -gtk -ipv6" <br/> | ||
dev-db/mysql -minimal <br/> | dev-db/mysql-5.1.51 USE="community perl ssl -big-tables -cluster (-debug) -embedded -extraengine -latin1 -max-idx-128 -minimal -pbxt -profiling (-selinux) -static -test -xtradb" <br/> | ||
net-dialup/freeradius mysql threads <br/> | net-dialup/rp-pppoe-3.10-r1 USE="-X" | ||
net-dialup/freeradius-2.1.7 USE="mysql pam ssl threads udpfromto -bindist -debug -edirectory (-firebird) -frascend -frxp -kerberos -ldap -postgres -snmp" <br/> | |||
<source lang="bash"> | |||
emerge mysql freeradius rp-pppoe ppp | |||
chown radiusd:radiusd /etc/raddb/certs | |||
# If this is a new mysql installation | |||
mysql_install_db && /etc/init.d/mysql start && mysql_secure_installation | |||
cat << EOF > /etc/ppp/options | |||
plugin radius.so | |||
plugin radattr.so | |||
ms-dns your.dns.goes.here | |||
auth | |||
crtscts | |||
lock | |||
modem | |||
mtu 1492 | |||
mru 1492 | |||
debug | |||
proxyarp | |||
lcp-echo-interval 60 | |||
lcp-echo-failure 5 | |||
EOF | |||
cat << EOF > /etc/ppp/pppoe-server-options | |||
require-chap | |||
auth | |||
debug | |||
lcp-echo-interval 10 | |||
lcp-echo-failure 2 | |||
EOF | |||
cat << EOF > /etc/ppp/chap-secrets | |||
* * "" * | |||
EOF | |||
I'll only have myself as a client so in /etc/raddb/clients.conf I just changed the "secret". | I'll only have myself as a client so in /etc/raddb/clients.conf I just changed the "secret". | ||
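Review bot: The chap-secrets heredoc near the end of the hunk writes the wildcard row `* * "" *` with whatever umask the shell happens to have, while pppd expects that file to be readable by root only; add `chmod 600 /etc/ppp/chap-secrets` right after the `EOF`. The wildcard row is presumably there only because radius.so (loaded two heredocs earlier in /etc/ppp/options) takes over CHAP verification, so it deserves a comment such as `# CHAP is verified by FreeRADIUS via radius.so; this wildcard row only satisfies pppd's local lookup` — without the plugin, an entry with an empty secret is not something you want to leave behind. `debug` appears in both pppd option files and logs the LCP/CHAP exchanges to syslog, which is fine for bring-up but should be noted as temporary.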
Line 34: | Line 66: | ||
</source> | </source> | ||
cat << EOF > /etc/raddb/radiusd.conf | |||
prefix = /usr | |||
exec_prefix = ${prefix} | |||
sysconfdir = /etc | |||
localstatedir = /var | |||
sbindir = ${exec_prefix}/sbin | |||
logdir = ${localstatedir}/log/radius | |||
raddbdir = ${sysconfdir}/raddb | |||
radacctdir = ${logdir}/radacct | |||
name = radiusd | |||
confdir = ${raddbdir} | |||
run_dir = ${localstatedir}/run/${name} | |||
db_dir = ${raddbdir} | |||
libdir = /usr/lib64/freeradius | |||
pidfile = ${run_dir}/${name}.pid | |||
user = radiusd | |||
group = radiusd | |||
max_request_time = 120 | |||
cleanup_delay = 1 | |||
max_requests = 1024 | |||
listen { | |||
type = auth | |||
ipaddr = * | |||
port = 0 | |||
} | |||
listen { | |||
ipaddr = * | |||
port = 0 | |||
type = acct | |||
} | |||
hostname_lookups = no | |||
allow_core_dumps = no | |||
regular_expressions = yes | |||
extended_expressions = yes | |||
log { | |||
destination = files | |||
file = ${logdir}/radius.log | |||
syslog_facility = daemon | |||
stripped_names = yes | |||
auth = yes | |||
auth_badpass = yes | |||
auth_goodpass = yes | |||
} | |||
checkrad = ${sbindir}/checkrad | |||
security { | |||
max_attributes = 200 | |||
reject_delay = 1 | |||
status_server = yes | |||
} | |||
proxy_requests = no | |||
$INCLUDE clients.conf | |||
thread pool { | |||
start_servers = 5 | |||
max_servers = 32 | |||
min_spare_servers = 3 | |||
max_spare_servers = 10 | |||
max_requests_per_server = 0 | |||
} | |||
modules { | |||
$INCLUDE ${confdir}/modules/ | |||
$INCLUDE sql.conf | |||
$INCLUDE sqlippool.conf | |||
} | |||
instantiate { | |||
exec | |||
expr | |||
} | |||
$INCLUDE sites-enabled/ | |||
EOF | |||
cat << EOF > /etc/raddb/sites-enabled/default | |||
authorize { | |||
preprocess | |||
auth_log | |||
chap | |||
mschap | |||
sql | |||
expiration | |||
logintime | |||
} | |||
authenticate { | |||
Auth-Type CHAP { | |||
chap | |||
} | |||
Auth-Type MS-CHAP { | |||
mschap | |||
} | |||
} | |||
preacct { | |||
preprocess | |||
acct_unique | |||
} | |||
accounting { | |||
radutmp | |||
sradutmp | |||
sql | |||
sql_log | |||
sqlippool | |||
attr_filter.accounting_response | |||
} | |||
session { | |||
radutmp | |||
sradutmp | |||
sql | |||
} | |||
post-auth { | |||
reply_log | |||
sql | |||
sql_log | |||
sqlippool | |||
exec | |||
Post-Auth-Type REJECT { | |||
attr_filter.access_reject | |||
} | |||
} | |||
pre-proxy { | |||
} | |||
post-proxy { | |||
} | |||
EOF | |||
Edit /etc/raddb/sql/mysql/admin.sql and change the default "radpass" to something more convenient to you. Then do | # Edit /etc/raddb/sql/mysql/admin.sql and change the default "radpass" to something more convenient to you. Then do | ||
mysql -u root -p < admin.sql | mysql -u root -p < admin.sql | ||
mysqladmin -p create radius | mysqladmin -p create radius | ||
mysql -u root -p -D radius < schema.sql | mysql -u root -p -D radius < schema.sql | ||
mysql -u root -p -D radius < nas.sql | mysql -u root -p -D radius < nas.sql | ||
# Set up the "password" field to whatever you set for the admin.sql. | |||
cat << EOF > /etc/raddb/sql.conf | |||
sql { | |||
database = "mysql" | |||
driver = "rlm_sql_${database}" | |||
server = "localhost" | |||
login = "radius" | |||
password = "r4d1usP4ssw0rd" | |||
radius_db = "radius" | |||
acct_table1 = "radacct" | |||
acct_table2 = "radacct" | |||
postauth_table = "radpostauth" | |||
authcheck_table = "radcheck" | |||
authreply_table = "radreply" | |||
groupcheck_table = "radgroupcheck" | |||
groupreply_table = "radgroupreply" | |||
usergroup_table = "radusergroup" | |||
deletestalesessions = yes | |||
sqltrace = yes | |||
sqltracefile = ${logdir}/sqltrace.sql | |||
num_sql_socks = 5 | |||
connect_failure_retry_delay = 30 | |||
lifetime = 0 | |||
max_queries = 0 | |||
nas_table = "nas" | |||
$INCLUDE sql/${database}/dialup.conf | |||
} | |||
EOF | |||
In /etc/raddb/sql/mysql/dialup.conf you want: sql_user_name = "%{User-Name}" | |||
sql_user_name = "%{ | |||
And now do something in your mysql radius tables (I'm adding myself as a test user): | And now do something in your mysql radius tables (I'm adding myself as a test user): | ||
<source lang="mysql"> | <source lang="mysql"> | ||
insert into ` | insert into `radusergroup` (`username`, `groupname`) VALUES ('dex', 'dynamic'); | ||
insert into ` | |||
insert into ` | insert into `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.x', NULL, '0'); | ||
insert into ` | insert into `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.y', NULL, '0'); | ||
insert into ` | insert into `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.z', NULL, '0'); | ||
insert into ` | |||
insert into ` | insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Cleartext-Password', ':=', 'P4ssw0rd'); | ||
insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Pool-Name', ':=', 'main'); | |||
insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Fall-Through', ':=', 'Yes'); | |||
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-Protocol', ':=', 'PPP'); | |||
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Service-Type', ':=', 'Framed-User'); | |||
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP'); | |||
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-MTU', ':=', '1500'); | |||
</source> | </source> | ||
Finally start yout PPPoE Server with : | |||
<source lang="bash"> | |||
#eth1.add.ress should be an local ip address binded on the interface where the internet will be gotten from ... | |||
#eth2.int.er.face should be "eth2" or an interface name on which it'll listen for PPPoE requests ( doesn't need an ip binded to it ! ) | |||
# -k is needed to send the calling mac address ( if you need it ) | |||
pppoe-server -L eth1.add.re.ss -T 60 -I eth2.int.er.face -N 200 -C Platinium -S Platinium -k -u -s | |||
</source> | |||
==OTHER RESOURCES== | ==OTHER RESOURCES== |
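Review bot: The radiusd.conf and sql.conf heredocs use an unquoted `EOF` delimiter while their bodies contain `${prefix}`, `${logdir}`, `${database}` and `$INCLUDE` lines, so the shell expands those (to empty, unless such variables are set in the calling shell) before radiusd ever reads the file — `exec_prefix = ${prefix}` is written as `exec_prefix = `, `sqltracefile = ${logdir}/sqltrace.sql` becomes `/sqltrace.sql`, and every `$INCLUDE clients.conf`-style line loses its keyword. Quote the delimiter on both: `cat << 'EOF' > /etc/raddb/radiusd.conf` and `cat << 'EOF' > /etc/raddb/sql.conf`. Separately, `auth_badpass = yes` / `auth_goodpass = yes` in the log section make radiusd write the credential supplied in each request into radius.log, and `listen { ipaddr = * }` binds the auth/acct ports on every interface even though the page says the only client is pppd on localhost; `no` and `127.0.0.1` would be the safer values for this setup.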
Revision as of 13:18, 8 December 2010
WHY
At my old ISP I set up the PPPoE server together with the authentication part, and I had forgotten how to do it again at my new workplace, so this time I'm taking notes.
HOW
Make sure your Gentoo machine is up to date (emerge --sync). On the Gentoo machine:
Put this in your package.keywords (so you get the latest versions; they are stable enough). I'm going to use MySQL as the backend.
net-dialup/rp-pppoe **
net-dialup/ppp **
Put this in your package.use (this enables the RADIUS, PAM and MySQL support the packages need):
net-dialup/ppp-2.4.5-r1 USE="pam radius -activefilter -atm -dhcp -eap-tls -gtk -ipv6"
dev-db/mysql-5.1.51 USE="community perl ssl -big-tables -cluster (-debug) -embedded -extraengine -latin1 -max-idx-128 -minimal -pbxt -profiling (-selinux) -static -test -xtradb"
net-dialup/rp-pppoe-3.10-r1 USE="-X"
net-dialup/freeradius-2.1.7 USE="mysql pam ssl threads udpfromto -bindist -debug -edirectory (-firebird) -frascend -frxp -kerberos -ldap -postgres -snmp"
# Install the PPPoE server, pppd, FreeRADIUS and MySQL (categories as in package.use above).
emerge dev-db/mysql net-dialup/freeradius net-dialup/rp-pppoe net-dialup/ppp
# radiusd runs as radiusd:radiusd (see radiusd.conf below), so hand it the certificate directory.
chown radiusd:radiusd /etc/raddb/certs
# Fresh MySQL installs only: create the system tables, start the daemon and run the
# interactive hardening script (root password, anonymous users, test database).
mysql_install_db && /etc/init.d/mysql start && mysql_secure_installation
# Global pppd options for every PPPoE session. radius.so hands CHAP verification to
# FreeRADIUS; radattr.so makes the RADIUS reply attributes available to the ip-up scripts.
# NOTE(review): crtscts/modem are serial-line options and presumably have no effect on a
# PPPoE link; `debug` logs the LCP/CHAP negotiation to syslog and should go once the
# link works. The delimiter is quoted so nothing here is ever shell-expanded.
cat > /etc/ppp/options <<'EOF'
plugin radius.so
plugin radattr.so
ms-dns your.dns.goes.here
auth
crtscts
lock
modem
mtu 1492
mru 1492
debug
proxyarp
lcp-echo-interval 60
lcp-echo-failure 5
EOF
# Per-session options pppoe-server passes to pppd: insist on CHAP and drop the link after
# two missed LCP echoes (20 s). NOTE(review): require-chap only negotiates MD5 CHAP, so
# the mschap entries in the FreeRADIUS site config are not exercised unless
# require-mschap-v2 is added here — confirm which one you want. `debug` is for bring-up.
cat > /etc/ppp/pppoe-server-options <<'EOF'
require-chap
auth
debug
lcp-echo-interval 10
lcp-echo-failure 2
EOF
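# Wildcard chap-secrets row: any client, any server, empty secret, any address.
# CHAP verification is delegated to FreeRADIUS by radius.so (see /etc/ppp/options), so
# this row presumably exists only to satisfy pppd's local secret lookup.
# NOTE(review): without radius.so loaded this row would let pppd verify peers against
# an empty secret — keep the plugin line and this file together.
cat > /etc/ppp/chap-secrets <<'EOF'
* * "" *
EOF
# pppd expects chap-secrets to be readable by root only; the heredoc created it with the
# shell's umask, so tighten the mode explicitly.
chmod 600 /etc/ppp/chap-secrets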
I'll only have myself as a client so in /etc/raddb/clients.conf I just changed the "secret".
Add "localhost secret" to /etc/ppp/radius/servers (replace secret with the same shared secret you set in clients.conf — the two must match). pppd reads this file as root and it holds the secret, so keep it root-only (mode 0600). Then set this up in your /etc/ppp/options:
<source lang="text">
lock
mtu 1492
mru 1492
proxyarp
ms-dns your.dns.goes.here
plugin radius.so
plugin radattr.so
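# Main radiusd configuration for this single-host setup (pppd on localhost is the only NAS).
# The delimiter MUST be quoted: the body contains ${...} references and $INCLUDE directives
# that radiusd interprets; with an unquoted EOF the shell would expand them to empty
# strings at write time and produce a broken configuration.
cat > /etc/raddb/radiusd.conf <<'EOF'
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 120
cleanup_delay = 1
max_requests = 1024
# Only pppd on this host talks to radiusd (the "localhost" entry in /etc/ppp/radius/servers
# and clients.conf), so bind the loopback address instead of every interface: the
# Internet-facing interface must not expose the auth/acct ports. If remote NAS devices
# are added later, bind the NAS-facing address here instead.
listen {
	type = auth
	ipaddr = 127.0.0.1
	port = 0
}
listen {
	type = acct
	ipaddr = 127.0.0.1
	port = 0
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = yes
	auth = yes
	# auth_badpass/auth_goodpass copy the credential supplied in each request into
	# radius.log; keep them off outside of a short debugging session.
	auth_badpass = no
	auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
}
proxy_requests = no
$INCLUDE clients.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	$INCLUDE ${confdir}/modules/
	$INCLUDE sql.conf
	$INCLUDE sqlippool.conf
}
instantiate {
	exec
	expr
}
$INCLUDE sites-enabled/
EOF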
# Virtual server "default": authorization looks the user up in the SQL tables,
# authentication handles CHAP and MS-CHAP, accounting and post-auth feed the SQL tables
# and the sqlippool address pool. NOTE(review): auth_log/reply_log write full
# request/reply packets to detail files (stock modules/detail.log settings — check yours),
# which includes the CHAP challenge/response material; keep those files radiusd-only
# and drop the modules once debugging is done. The delimiter is quoted so the body is
# written verbatim.
cat > /etc/raddb/sites-enabled/default <<'EOF'
authorize {
	preprocess
	auth_log
	chap
	mschap
	sql
	expiration
	logintime
}
authenticate {
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
}
preacct {
	preprocess
	acct_unique
}
accounting {
	radutmp
	sradutmp
	sql
	sql_log
	sqlippool
	attr_filter.accounting_response
}
session {
	radutmp
	sradutmp
	sql
}
post-auth {
	reply_log
	sql
	sql_log
	sqlippool
	exec
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
pre-proxy {
}
post-proxy {
}
EOF
- Edit /etc/raddb/sql/mysql/admin.sql and replace the default "radpass" with a strong password of your own: it is the MySQL password of the "radius" account, and the same value goes into sql.conf below. Then do
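# The stock SQL scripts are referenced by relative name, so run from the directory that
# holds them (the page above edits admin.sql in this directory).
cd /etc/raddb/sql/mysql
# admin.sql creates the 'radius' MySQL account with the password you edited in.
mysql -u root -p < admin.sql
mysqladmin -u root -p create radius
mysql -u root -p -D radius < schema.sql
mysql -u root -p -D radius < nas.sql
# radippool (used by sqlippool and by the inserts further down) is created by ippool.sql,
# not schema.sql, in stock FreeRADIUS 2.1.x — skip this line if your schema.sql already
# contains the table.
mysql -u root -p -D radius < ippool.sql
# NOTE(review): the stock admin.sql grants SELECT on radius.* and ALL only on
# radacct/radpostauth; sqlippool UPDATEs radippool, so make sure the account may write it
# (harmless if your admin.sql already grants it).
mysql -u root -p -e "GRANT ALL ON radius.radippool TO 'radius'@'localhost';"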
- Set the "password" field below to the value you put in admin.sql.
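# rlm_sql settings. The delimiter MUST be quoted: ${database}, ${logdir} and $INCLUDE are
# radiusd references and must reach the file untouched; an unquoted EOF would have the
# shell expand them to empty strings (driver = "rlm_sql_", sqltracefile = /sqltrace.sql).
cat > /etc/raddb/sql.conf <<'EOF'
sql {
	database = "mysql"
	driver = "rlm_sql_${database}"
	server = "localhost"
	login = "radius"
	# Must match the password set in sql/mysql/admin.sql.
	password = "r4d1usP4ssw0rd"
	radius_db = "radius"
	acct_table1 = "radacct"
	acct_table2 = "radacct"
	postauth_table = "radpostauth"
	authcheck_table = "radcheck"
	authreply_table = "radreply"
	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"
	usergroup_table = "radusergroup"
	deletestalesessions = yes
	# sqltrace writes every query verbatim to sqltracefile. NOTE(review): in the stock
	# dialup.conf the post-auth insert carries the credential attributes (check yours),
	# so turn this off once the setup works and keep the trace file radiusd-only.
	sqltrace = yes
	sqltracefile = ${logdir}/sqltrace.sql
	num_sql_socks = 5
	connect_failure_retry_delay = 30
	lifetime = 0
	max_queries = 0
	nas_table = "nas"
	$INCLUDE sql/${database}/dialup.conf
}
EOF
# The file holds the database password; radiusd runs as radiusd:radiusd (radiusd.conf),
# so it needs to be readable by that group and nobody else.
chown root:radiusd /etc/raddb/sql.conf
chmod 640 /etc/raddb/sql.conf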
In /etc/raddb/sql/mysql/dialup.conf set sql_user_name = "%{User-Name}" so the SQL lookups key on the name exactly as pppd sends it.
Now populate the radius tables (I'm adding myself as a test user):
-- Put the test user in the 'dynamic' group. No radgroupcheck/radgroupreply rows for
-- that group are created on this page, so the membership presumably has no effect
-- until some are added.
INSERT INTO radusergroup (username, groupname)
VALUES ('dex', 'dynamic');
-- Addresses sqlippool may hand out for Pool-Name 'main'. Replace the x.x.x.* placeholders
-- with real addresses; expiry_time NULL and pool_key '0' presumably mark the rows as
-- currently unallocated.
INSERT INTO radippool (pool_name, framedipaddress, expiry_time, pool_key)
VALUES
    ('main', 'x.x.x.x', NULL, '0'),
    ('main', 'x.x.x.y', NULL, '0'),
    ('main', 'x.x.x.z', NULL, '0');
-- Check items for the test user. CHAP/MS-CHAP need the reversible password on the
-- server side, so radcheck stores it in the clear: treat the radius database and its
-- backups as a credential store. Pool-Name selects the radippool pool above.
-- NOTE(review): Fall-Through is normally read by rlm_sql from reply items — confirm it
-- does anything in radcheck.
INSERT INTO radcheck (username, attribute, op, value)
VALUES
    ('dex', 'Cleartext-Password', ':=', 'P4ssw0rd'),
    ('dex', 'Pool-Name', ':=', 'main'),
    ('dex', 'Fall-Through', ':=', 'Yes');
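-- Reply attributes for the test user.
-- Framed-Compression uses the dictionary spelling Van-Jacobson-TCP-IP; the original
-- 'Van-Jacobsen-TCP-IP' is not a defined value in the stock dictionary (check
-- dictionary.rfc2865), so rlm_sql could not build that pair.
-- Framed-MTU now matches the 1492 set in /etc/ppp/options: the PPPoE header takes 8 bytes
-- of a 1500-byte Ethernet frame, so 1500 is more than the link can carry.
INSERT INTO radreply (username, attribute, op, value)
VALUES
    ('dex', 'Framed-Protocol', ':=', 'PPP'),
    ('dex', 'Service-Type', ':=', 'Framed-User'),
    ('dex', 'Framed-Compression', ':=', 'Van-Jacobson-TCP-IP'),
    ('dex', 'Framed-MTU', ':=', '1492');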
Finally, start your PPPoE server with:
# Start the PPPoE access concentrator (see pppoe-server(8) for the full flag list):
#   -L eth1.add.re.ss    local address of the PPP links: an address already bound on the
#                        interface that carries the upstream/Internet connection
#   -I eth2.int.er.face  interface that listens for PPPoE discovery (e.g. "eth2"); it does
#                        not need an IP address of its own
#   -T 60 / -N 200       session timeout value (seconds) and cap on concurrent sessions
#   -C / -S Platinium    access-concentrator name and advertised service name
#   -k                   kernel-mode PPPoE; per the author this is what gets the calling
#                        MAC address through to RADIUS — verify on your rp-pppoe version
#   -u / -s              unit-style ppp interface naming / synchronous pppd mode
pppoe-server -L eth1.add.re.ss -T 60 -I eth2.int.er.face -N 200 -C Platinium -S Platinium -k -u -s