PPPoE with FreeRadius and MySQL


WHY

At my old ISP I set up the PPPoE server together with the RADIUS authentication part, and at my new workplace I had forgotten how it was done. This time I'm taking notes.

HOW

Make sure the Portage tree on your Gentoo machine is up to date (`emerge --sync`). On the Gentoo machine:

Put this in your package.keywords so you get the newer versions (they are stable enough in practice; note that `**` accepts even unkeyworded ebuilds, `~<arch>` is the more conservative choice). I'm going to use MySQL as the backend.

# "**" accepts ebuilds with any or no KEYWORDS (i.e. also masked/unkeyworded ones);
# the narrower ~<arch> keyword (e.g. ~amd64) is normally enough to get the testing versions.
net-dialup/rp-pppoe **
net-dialup/ppp **

Put this in your package.use (it selects the USE flags the packages are built with: RADIUS and PAM support in ppp, the MySQL backend in FreeRADIUS):

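# package.use syntax is one atom per line followed by its flags -- the USE="..." form
# (and two packages on one line) is emerge -pv output and is not valid here.
# Unversioned atoms so the flags keep applying after upgrades; the versions this page
# was written against were ppp-2.4.5-r1, mysql-5.1.51, rp-pppoe-3.10-r1, freeradius-2.1.7.
# Flags that emerge printed in parentheses are profile-masked and are left out.
net-dialup/ppp pam radius -activefilter -atm -dhcp -eap-tls -gtk -ipv6
dev-db/mysql community perl ssl -big-tables -cluster -embedded -extraengine -latin1 -max-idx-128 -minimal -pbxt -profiling -static -test -xtradb
net-dialup/rp-pppoe -X
net-dialup/freeradius mysql pam ssl threads udpfromto -bindist -debug -edirectory -frascend -frxp -kerberos -ldap -postgres -snmp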

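# Build and install the four packages with the USE flags from package.use.
emerge mysql freeradius rp-pppoe ppp
# radiusd drops privileges to radiusd:radiusd and must still be able to read its cert directory.
chown radiusd:radiusd /etc/raddb/certs
# Only on a fresh MySQL installation: initialise the data directory, start the server and
# run the interactive hardening script (root password, anonymous users, test database).
mysql_install_db && /etc/init.d/mysql start && mysql_secure_installation

# All here-docs use a quoted delimiter ('EOF') so the shell writes the text literally;
# the FreeRADIUS files further on contain ${var} and $INCLUDE that must survive untouched.
cat << 'EOF' > /etc/ppp/options
plugin radius.so
plugin radattr.so
# DNS server(s) handed to the PPPoE clients -- replace the placeholder
ms-dns your.dns.goes.here
auth
crtscts
lock
modem
# 1500 minus the 8-byte PPPoE overhead (RFC 2516)
mtu 1492
mru 1492
# verbose pppd logging; drop it once the setup works
debug
proxyarp
lcp-echo-interval 60
lcp-echo-failure 5
EOF

cat << 'EOF' > /etc/ppp/pppoe-server-options
# CHAP only: the client's password never crosses the wire in the clear
require-chap
auth
debug
lcp-echo-interval 10
lcp-echo-failure 2
EOF

# Wildcard entry: pppd insists on a chap-secrets file, but radius.so hooks the CHAP
# verification so the real secret lookup happens in FreeRADIUS; nothing sensitive lives here.
cat << 'EOF' > /etc/ppp/chap-secrets
* * "" *
EOF

# Replace the shared secret with a long random one (e.g. `openssl rand -base64 32`);
# the same value must go into /etc/ppp/radius/servers below. pppd on this host is the only NAS.
cat << 'EOF' > /etc/raddb/clients.conf
client localhost {
        ipaddr = 127.0.0.1
        secret          = r4d1usP4ssw0rd
        # left off because the pppd RADIUS client apparently does not send
        # Message-Authenticator; tolerable only while the sole NAS talks over
        # loopback -- set to yes if your NAS supports it
        require_message_authenticator = no
        nastype     = other
}
EOF
# clients.conf holds the shared secret: root-owned, readable by the radiusd group only
chown root:radiusd /etc/raddb/clients.conf
chmod 640 /etc/raddb/clients.conf

# pppd's RADIUS client configuration: "<server> <shared secret>". It holds the secret
# and pppd runs as root, so make it readable by root only (the redirection would
# otherwise create it with the default umask).
echo "localhost r4d1usP4ssw0rd" > /etc/ppp/radius/servers
chmod 600 /etc/ppp/radius/servers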

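# Quoted delimiter: radiusd.conf uses ${var} references and $INCLUDE literally. With a
# bare EOF the shell would expand them (to empty strings, since nothing is set) and
# the written file would be unusable.
cat << 'EOF' > /etc/raddb/radiusd.conf
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
# drop root after start-up; config and cert files must stay readable by this user/group
user = radiusd
group = radiusd
max_request_time = 120
cleanup_delay = 1
max_requests = 1024
# The only NAS is pppd on this host (clients.conf), so listen on loopback only rather
# than on every interface. port = 0 takes the default radius/radius-acct ports from
# /etc/services. Add further listen blocks if a remote NAS is ever introduced.
listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 0
}
listen {
        ipaddr = 127.0.0.1
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = yes
        auth = yes
        # never write credentials into radius.log; with these on, PAP logins would be
        # logged together with their cleartext password
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        # small delay before Access-Reject slows down online password guessing
        reject_delay = 1
        status_server = yes
}
proxy_requests  = no
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE sql.conf
        $INCLUDE sqlippool.conf
}
instantiate {
        exec
        expr
}
$INCLUDE sites-enabled/
EOF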

# Virtual server used for the local pppd NAS. Module order inside each section matters.
cat << EOF > /etc/raddb/sites-enabled/default
authorize {
        preprocess
        # auth_log writes each Access-Request to a detail file; harmless for CHAP, but it
        # would also record the cleartext User-Password if PAP were ever enabled
        auth_log
        chap
        mschap
        # user lookup in radcheck/radreply (and groups); CHAP needs the cleartext password in the DB
        sql
        expiration
        logintime
}
authenticate {
        # only CHAP and MS-CHAP -- no PAP block, which matches require-chap on the PPPoE side
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
}
preacct {
        preprocess
        acct_unique
}
accounting {
        radutmp
        sradutmp
        # session records into radacct; sqlippool keeps the address lease in step with Start/Stop
        sql
        sql_log
        sqlippool
        attr_filter.accounting_response
}

session {
        radutmp
        sradutmp
        sql
}

post-auth {
        # reply_log writes every Access-Accept/Reject to a detail file
        reply_log
        sql
        sql_log
        # hands out an address from the user's Pool-Name on successful authentication
        sqlippool
        # runs an external program only if the reply carries an Exec-Program attribute
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
                sql
        }
}
pre-proxy {
}
post-proxy {
}
EOF

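# The stock SQL files live in /etc/raddb/sql/mysql/. Edit admin.sql first and replace
# its default password ("radpass") with your own -- the same value goes into sql.conf.
# admin.sql creates the MySQL user "radius"; it only needs the radius database, so
# never point sql.conf at root. The commands prompt for the MySQL root password.
cd /etc/raddb/sql/mysql
mysql -u root -p < admin.sql
mysqladmin -u root -p create radius
mysql -u root -p -D radius < schema.sql
mysql -u root -p -D radius < nas.sql
# radippool (used by sqlippool) is not part of schema.sql
mysql -u root -p -D radius < ippool.sql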

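# Set "password" to whatever you put in admin.sql. Quoted delimiter: sql.conf uses
# ${database}/${logdir} and $INCLUDE literally and the shell must not expand them.
cat << 'EOF' > /etc/raddb/sql.conf
sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        # MySQL on this box; the connection is not encrypted, so keep it local
        server = "localhost"
        login = "radius"
        password = "r4d1usP4ssw0rd"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        deletestalesessions = yes
        # logs every query (usernames, NAS details) to the trace file -- debugging aid, turn off in production
        sqltrace = yes
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 30
        lifetime = 0
        max_queries = 0
        nas_table = "nas"
        $INCLUDE sql/${database}/dialup.conf
}
EOF
# sql.conf contains the database password: root-owned, readable by the radiusd group only
chown root:radiusd /etc/raddb/sql.conf
chmod 640 /etc/raddb/sql.conf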

In /etc/raddb/sql/mysql/dialup.conf set `sql_user_name = "%{User-Name}"`. While you are in that file, check the postauth_query: the stock 2.x one inserts the password attribute into radpostauth.pass, so every login would leave a credential (cleartext for PAP, the CHAP response for CHAP) in the database — drop that column from the query unless you really need it.

Now populate the radius tables in MySQL (I'm adding myself as a test user; replace x.x.x.x etc. with the addresses the pool should hand out):

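-- Put the test user in the "dynamic" group (group attributes come from radgroupcheck/radgroupreply).
INSERT INTO `radusergroup` (`username`, `groupname`) VALUES ('dex', 'dynamic');

-- Addresses sqlippool may lease out for Pool-Name "main" (x.x.x.x etc. are placeholders);
-- one row per address, expiry_time NULL = currently unassigned.
INSERT INTO `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.x', NULL, '0');
INSERT INTO `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.y', NULL, '0');
INSERT INTO `radippool` (`pool_name`, `framedipaddress`, `expiry_time`, `pool_key`) VALUES ('main', 'x.x.x.z', NULL, '0');

-- CHAP/MS-CHAP can only be verified against the cleartext (or NT-hashed) password, so it
-- must be stored as Cleartext-Password; lock down access to the radius database accordingly.
INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Cleartext-Password', ':=', 'P4ssw0rd');
INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Pool-Name', ':=', 'main');
-- NOTE(review): the FreeRADIUS SQL docs put Fall-Through in radreply; confirm the group
-- attributes are really applied with it placed in radcheck.
INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Fall-Through', ':=', 'Yes');

INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-Protocol', ':=', 'PPP');
INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Service-Type', ':=', 'Framed-User');
-- The dictionary value is "Van-Jacobson-TCP-IP" (one "o"); the misspelt "Van-Jacobsen-TCP-IP"
-- cannot be parsed, so rlm_sql would log an error and drop the attribute.
INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-Compression', ':=', 'Van-Jacobson-TCP-IP');
-- PPPoE caps the PPP MTU at 1492 (1500 minus the PPPoE header), matching mtu/mru in /etc/ppp/options.
INSERT INTO `radreply` (`username`, `attribute`, `op`, `value`) VALUES ('dex', 'Framed-MTU', ':=', '1492');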

Finally, start your PPPoE server with:

# eth1.add.re.ss: a local IP address bound on the interface that faces the upstream (Internet) side
# eth2.int.er.face: name of the interface on which to listen for PPPoE discovery, e.g. "eth2" (it needs no IP address)
# -k selects kernel-mode PPPoE (pppd's rp-pppoe.so); as far as I can tell that is what gets the
#    client's MAC address to pppd and hence into the Calling-Station-Id sent to RADIUS, if you need it.
# -N 200 caps the number of concurrent sessions; -C/-S set the access-concentrator and service names.
pppoe-server -L eth1.add.re.ss -T 60 -I eth2.int.er.face -N 200 -C Platinium -S Platinium -k -u -s

OTHER RESOURCES

PPPoE Server HOW-TO

FreeRadius with MySQL HowTo Notes

SQL HOWTO - FreeRADIUS Wiki