PPPoE with FreeRadius and MySQL: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 222: | Line 222: | ||
} | } | ||
EOF | EOF | ||
</source> | |||
In /etc/raddb/sql/mysql/dialup.conf you want: sql_user_name = "%{User-Name}" | In /etc/raddb/sql/mysql/dialup.conf you want: sql_user_name = "%{User-Name}" |
Revision as of 13:23, 8 December 2010
WHY
At my old ISP I setup the PPPoE server with the authentication part .. and I forgot how to do it again at my new workplace .. I'll take notes this time
HOW
Be sure to have your gentoo machine up to date ( emerge --sync ). On the gentoo machine:
Put this in your package.keywords ( so you get the "latest" versions ... they're stable enough ). I'm gonna use MySQL as a backend.
net-dialup/rp-pppoe **
net-dialup/ppp **
Put this in your package.use ( this will set the support for packages
net-dialup/ppp-2.4.5-r1 USE="pam radius -activefilter -atm -dhcp -eap-tls -gtk -ipv6"
dev-db/mysql-5.1.51 USE="community perl ssl -big-tables -cluster (-debug) -embedded -extraengine -latin1 -max-idx-128 -minimal -pbxt -profiling (-selinux) -static -test -xtradb"
net-dialup/rp-pppoe-3.10-r1 USE="-X"
net-dialup/freeradius-2.1.7 USE="mysql pam ssl threads udpfromto -bindist -debug -edirectory (-firebird) -frascend -frxp -kerberos -ldap -postgres -snmp"
emerge mysql freeradius rp-pppoe ppp
chown radiusd:radiusd /etc/raddb/certs
# If this is a new mysql installation
mysql_install_db && /etc/init.d/mysql start && mysql_secure_installation
cat << EOF > /etc/ppp/options
plugin radius.so
plugin radattr.so
ms-dns your.dns.goes.here
auth
crtscts
lock
modem
mtu 1492
mru 1492
debug
proxyarp
lcp-echo-interval 60
lcp-echo-failure 5
EOF
cat << EOF > /etc/ppp/pppoe-server-options
require-chap
auth
debug
lcp-echo-interval 10
lcp-echo-failure 2
EOF
cat << EOF > /etc/ppp/chap-secrets
* * "" *
EOF
cat << EOF > /etc/raddb/clients.conf
client localhost {
ipaddr = 127.0.0.1
secret = r4d1usP4ssw0rd
require_message_authenticator = no
nastype = other
}
EOF
echo "localhost r4d1usP4ssw0rd" > /etc/ppp/radius/servers
cat << EOF > /etc/raddb/radiusd.conf
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 120
cleanup_delay = 1
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = no
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE sql.conf
$INCLUDE sqlippool.conf
}
instantiate {
exec
expr
}
$INCLUDE sites-enabled/
EOF
cat << EOF > /etc/raddb/sites-enabled/default
authorize {
preprocess
auth_log
chap
mschap
sql
expiration
logintime
}
authenticate {
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
}
preacct {
preprocess
acct_unique
}
accounting {
radutmp
sradutmp
sql
sql_log
sqlippool
attr_filter.accounting_response
}
session {
radutmp
sradutmp
sql
}
post-auth {
reply_log
sql
sql_log
sqlippool
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
}
EOF
# Edit /etc/raddb/sql/mysql/admin.sql and change the default "radpass" to something more convenient to you. Then do
mysql -u root -p < admin.sql
mysqladmin -p create radius
mysql -u root -p -D radius < schema.sql
mysql -u root -p -D radius < nas.sql
# Set up the "password" field to whatever you set for the admin.sql.
cat << EOF > /etc/raddb/sql.conf
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "radius"
password = "r4d1usP4ssw0rd"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
deletestalesessions = yes
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 30
lifetime = 0
max_queries = 0
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
}
EOF
In /etc/raddb/sql/mysql/dialup.conf you want: sql_user_name = "%{User-Name}"
And now do something in your mysql radius tables (I'm adding myself as a test user):
insert into `radusergroup` (`username`, `groupname`) VALUES ('dex', 'dynamic');
insert into `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.x', NULL, '0');
insert into `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.y', NULL, '0');
insert into `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.z', NULL, '0');
insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Cleartext-Password', ':=', 'P4ssw0rd');
insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Pool-Name', ':=', 'main');
insert into `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Fall-Through', ':=', 'Yes');
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-Protocol', ':=', 'PPP');
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Service-Type', ':=', 'Framed-User');
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');
insert into `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-MTU', ':=', '1500');
Finally start yout PPPoE Server with :
#eth1.add.ress should be an local ip address binded on the interface where the internet will be gotten from ...
#eth2.int.er.face should be "eth2" or an interface name on which it'll listen for PPPoE requests ( doesn't need an ip binded to it ! )
# -k is needed to send the calling mac address ( if you need it )
pppoe-server -L eth1.add.re.ss -T 60 -I eth2.int.er.face -N 200 -C Platinium -S Platinium -k -u -s