由于公司使用OpenLDAP统一管理员工的账号密码信息
而现在需要搭建VPN以方便出差员工能访问公司内部网络
在对比流行的几种VPN类型后,选择了PPTP方式
OpenVPN/ipsec VPN虽然安全性比较高,但操作较麻烦,而公司大多数的员工对电脑都不是太懂,所以放弃
PS: 本人只讲如何结合PPTP+Freeradius+LDAP,并不涉及PPTP及LDAP的配置
系统环境: CentOS 6.4 x86_64,已经配置好PPTP及LDAP

配置Radius
1.安装Radius:

# freeradius-ldap supplies the rlm_ldap module configured in step 10;
# freeradius-utils supplies radtest, used for the smoke test in step 2.
[root@ldap ~]# yum install freeradius freeradius-ldap freeradius-utils

2.测试
编辑 /etc/raddb/users ,在最后加入一行

# Temporary local test account with a cleartext password, used only for the
# radtest check; it is deleted again once the test succeeds (see below).
test Cleartext-Password := "123456"

启动radius

# Start the server (SysV init script on CentOS 6).
[root@ldap ~]# /etc/init.d/radiusd start

测试服务器是否连通

# Local smoke test. "testing123" is the shared secret the stock clients.conf
# uses for client localhost; step 7 changes it to "MyVPN", after which radtest
# has to be run with the new value.
[root@ldap ~]# radtest test 123456 localhost 0 testing123
# Explanation: radtest username password server nas-port shared-secret

如果看到Access-Accept就说明连接成功了。如果看到类似“Ignoring request to authentication address * port 1812 from unknown client”的文字,可能需要去修改 /etc/raddb/clients.conf ,将 client localhost 段下的 ipaddr 改为服务器的IP,而不是127.0.0.1。

在测试成功之后,就可以将 /etc/raddb/users 中添加的内容删除掉了

3. 下载ppp源码,需要用到其中radius的配置文件

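# Unpack the ppp source matching the installed pppd (2.4.5 here; the plugin
# paths used in step 13 are under /usr/lib64/pppd/2.4.5/) and copy its sample
# radiusclient configuration into place. Verify the tarball against the ppp
# project's published checksum/signature before unpacking it.
# Note: cp -R creates /etc/radiusclient only if it does not exist yet; if the
# directory is already there, cp would create /etc/radiusclient/etc instead.
[root@ldap ~]# tar zxvf ppp-2.4.5.tar.gz
[root@ldap ~]# cp -R -- /root/ppp-2.4.5/pppd/plugins/radius/etc/ /etc/radiusclient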

4. 编辑 /etc/radiusclient/servers ,添加服务器和密钥

# Register the RADIUS server and its shared secret for pppd's radius plugin;
# the file format is one "<server> <secret>" pair per line. The secret must be
# identical to the one in clients.conf (step 7). This file now contains a
# credential: restrict it (e.g. chmod 600 /etc/radiusclient/servers) and use a
# long random string rather than "MyVPN" in production.
[root@ldap ~]# printf '%s\n' 'localhost MyVPN' >> /etc/radiusclient/servers

5. 下载 dictionary.microsoft 字典文件

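# Install the Microsoft vendor dictionary alongside the other radiusclient
# files. The download source is not given above; take the file from the
# radiusclient/ppp distribution you trust rather than an arbitrary mirror.
[root@ldap ~]# cp -f -- dictionary.microsoft /etc/radiusclient/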

6. 更改 /etc/radiusclient/dictionary 文件,在文件末尾加入两行
# Appended to the end of /etc/radiusclient/dictionary so the pppd radius
# plugin can decode the vendor attributes used here; dictionary.microsoft
# covers the MS-CHAP/MPPE attributes the mschap module returns for PPTP.
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft

7. 修改 /etc/raddb/clients.conf 文件

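# Show the effective clients.conf (comment-only and blank lines dropped); the
# output below is the state after editing. Matching only lines that *start*
# with '#' avoids hiding settings whose value happens to contain a '#'.
[root@ldap ~]# grep -v '^[[:space:]]*#' /etc/raddb/clients.conf | grep -v '^[[:space:]]*$'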
# NAS definition for the local pppd radius plugin (radiusclient.conf in step 14
# points authserver/acctserver at localhost:1812/1813).
client localhost {
    
# Only the loopback address is accepted as a client; keep it that way unless
# pppd ever runs on another host.
ipaddr = 127.0.0.1
    
# Shared secret; must match the entry written to /etc/radiusclient/servers in
# step 4 ("localhost MyVPN"). This value is short and guessable — use a long
# random string in production. Once it is changed from the stock "testing123",
# the radtest command in step 2 must be run with the new secret.
secret  = MyVPN
    
# The client is not required to send Message-Authenticator, which protects
# the request/response exchange against forgery on the wire. Tolerable while
# the only client is loopback; revisit before adding any non-local NAS.
require_message_authenticator = no
    
shortname   = pptp
}

8. 更改 /etc/raddb/radiusd.conf

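# Show the effective radiusd.conf (comment-only and blank lines dropped); the
# output below is the state after editing. Matching only lines that *start*
# with '#' avoids hiding settings whose value happens to contain a '#'.
[root@ldap ~]# grep -v '^[[:space:]]*#' /etc/raddb/radiusd.conf | grep -v '^[[:space:]]*$'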
# Effective radiusd.conf (FreeRADIUS 2.x layout). The daemon drops to an
# unprivileged account and keeps core dumps off, which is the right baseline
# for a process that handles credentials.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
# Run as a dedicated user/group rather than root.
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Authentication listener. ipaddr = * binds every interface; the only NAS in
# this setup is pppd on this host (radiusclient.conf uses localhost:1812), so
# ipaddr = 127.0.0.1 would keep the port off the network entirely. port = 0
# selects the default port (1812 for auth, 1813 for acct).
listen {
    
type = auth
    
ipaddr = *
    
port = 0
}
# Accounting listener; the same remark about ipaddr applies.
listen {
    
ipaddr = *
    
port = 0
    
type = acct
}
hostname_lookups = no
# Keep core dumps disabled: a core of radiusd can contain user passwords and
# the LDAP bind credentials.
allow_core_dumps = no
regular_expressions = yes
extended_expressions    = yes
log {
    
destination = files
    
file = ${logdir}/radius.log
    
syslog_facility = daemon
    
stripped_names = no
    
# auth = no means neither accepted nor rejected logins are recorded. For a
# VPN gateway, auth = yes (one line per Access-Accept/Reject with the user
# name) is the minimum worth keeping for incident response. Leave
# auth_badpass and auth_goodpass at no: they write the submitted passwords
# into the log.
auth = no
    
auth_badpass = no
    
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
    
max_attributes = 200
    
# Delay Access-Reject by one second, which slows down password guessing.
reject_delay = 1
    
# Answer Status-Server requests; proxy.conf's home_server uses them as its
# liveness check.
status_server = yes
}
# Proxying stays enabled although nothing here is forwarded off-box (step 11
# leaves only the LOCAL and NULL realms in use). proxy_requests = no would
# remove that code path; confirm the realm definitions the suffix module
# relies on still load before switching it off.
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
    
start_servers = 5
    
max_servers = 32
    
min_spare_servers = 3
    
max_spare_servers = 10
    
max_requests_per_server = 0
}
modules {
    
# MS-CHAP settings for PPTP: always negotiate MPPE, refuse sessions that
# will not encrypt, and require the 128-bit key. This is the strongest
# configuration PPTP offers; the protocol itself (MS-CHAPv2 + MPPE) is still
# considered weak by today's standards, which is the trade-off the
# introduction accepts in favour of OpenVPN/IPsec.
mschap {
        
use_mppe = yes
        
require_encryption = yes
        
require_strong = yes
    
}
    
$INCLUDE ${confdir}/modules/
    
$INCLUDE eap.conf
}
instantiate {
    
exec
    
expr
    
expiration
    
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

9.  编辑 /etc/raddb/sites-available/default

# Effective sites-available/default (pulled in via the sites-enabled/ include
# at the end of radiusd.conf). Each section lists the modules run in order.
authorize {
    
preprocess
    
chap
    
mschap
    
digest
    
# Splits user@realm into Stripped-User-Name; the realms come from proxy.conf
# (step 11), and the ldap filter (step 10) prefers Stripped-User-Name.
suffix
    
eap {
        
ok = return
    
}
    
# Local users file — only the step-2 test entry lives there, and it is
# removed again after the test.
files
    
# rlm_ldap (module config in step 10) looks the user up and supplies the
# password attribute that mschap/pap authenticate against below.
ldap
    
expiration
    
logintime
    
pap
}
authenticate {
    
Auth-Type PAP {
        
pap
    
}
    
Auth-Type CHAP {
        
chap
    
}
    
# PPTP clients arrive here: mschap verifies the MS-CHAPv2 response against
# the password fetched in authorize, so that password must be available in a
# form mschap can use (cleartext or NT hash). A one-way hashed userPassword
# in LDAP only works for PAP/radtest — confirm how the directory stores it.
Auth-Type MS-CHAP {
        
mschap
    
}
    
digest
    
# Local /etc/passwd authentication; not used for directory accounts,
# presumably left over from the stock file.
unix
    
# Only taken when something sets Auth-Type = LDAP (bind as the user); the
# MS-CHAP path above does not go through it.
Auth-Type LDAP {
        
ldap
    
}
    
eap
}
preacct {
    
preprocess
    
acct_unique
    
suffix
    
files
}
accounting {
    
# Per-session accounting records (the detail module writes under
# ${radacctdir} by default) plus radutmp — an audit trail of who connected
# when, worth keeping for a VPN gateway.
detail
    
unix
    
radutmp
    
exec
    
attr_filter.accounting_response
}
session {
    
radutmp
}
post-auth {
    
exec
    
# Strip everything except the attributes permitted in an Access-Reject.
Post-Auth-Type REJECT {
        
attr_filter.access_reject
    
}
}
pre-proxy {
}
post-proxy {
    
eap
}

10.  编辑 /etc/raddb/modules/ldap

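# Show the effective modules/ldap (comment-only and blank lines dropped); the
# output below is the state after editing. Matching only lines that *start*
# with '#' avoids hiding settings whose value happens to contain a '#'.
[root@ldap ~]# grep -v '^[[:space:]]*#' /etc/raddb/modules/ldap | grep -v '^[[:space:]]*$'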
# rlm_ldap configuration (FreeRADIUS 2.x). The directory runs on this host,
# so the connection stays on loopback.
ldap {
    
server = "localhost"
    
# Bind DN used for the lookups. Binding as the directory's root DN gives
# radiusd far more than it needs: prefer a dedicated read-only DN whose
# access is limited to the entries under ou=Users and the password attribute.
identity = "cn=root,dc=verystar,dc=cn"
    
# <LDAP bind password>, stored in cleartext in this file. It must not be
# world-readable: keep it owned by root, group radiusd, mode 0640 (the layout
# the CentOS package uses for /etc/raddb — confirm on the host).
password = 此处为LDAP root的密码
    
basedn = "ou=Users,dc=verystar,dc=cn"
    
# Match on uid; Stripped-User-Name (set by suffix) is preferred, falling back
# to the raw User-Name. The user-supplied name is interpolated into an LDAP
# filter here; rlm_ldap escapes filter metacharacters in these expansions
# (verify for the installed version), so keep the lookup in this filter rather
# than rebuilding it in an exec/xlat.
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    
# NOTE(review): MS-CHAP (PPTP) needs a cleartext or NT-hash password to
# verify against; a one-way hashed userPassword ({SSHA}, {CRYPT}, ...) only
# works with PAP. Confirm the storage format before relying on this.
password_attribute = userPassword
    
ldap_connections_number = 5
    
timeout = 4
    
timelimit = 3
    
net_timeout = 1
    
# Plain LDAP. Acceptable only because server = "localhost"; if the directory
# ever moves to another host, enable start_tls (or use ldaps) so the bind
# password and userPassword values do not cross the network unencrypted.
tls {
        
start_tls = no
    
}
    
dictionary_mapping = ${confdir}/ldap.attrmap
    
edir_account_policy_check = no
    
keepalive {
        
idle = 60
        
probes = 3
        
interval = 3
    
}
}

11. 编辑  /etc/raddb/proxy.conf

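# Show the effective proxy.conf (comment-only and blank lines dropped); the
# output below is the state after editing. Matching only lines that *start*
# with '#' avoids hiding settings whose value happens to contain a '#'.
[root@ldap ~]# grep -v '^[[:space:]]*#' /etc/raddb/proxy.conf | grep -v '^[[:space:]]*$'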
# Effective proxy.conf. Only the two realm stanzas at the end were changed by
# the author; everything else is the stock example configuration.
proxy server {
    
default_fallback = no
}
# Stock example home server. It is referenced only by the example.com realm
# below, and nothing in this setup is proxied, so it is effectively unused.
# Note the packaged default secret "testing123": do not reuse it for anything
# reachable, and consider deleting this stanza together with the example.com
# realm.
home_server localhost {
    
type = auth
    
ipaddr = 127.0.0.1
    
port = 1812
    
secret = testing123
    
require_message_authenticator = yes
    
response_window = 20
    
zombie_period = 40
    
revive_interval = 120
    
# Liveness probing relies on status_server = yes in radiusd.conf.
status_check = status-server
    
check_interval = 30
    
num_answers_to_alive = 3
    
max_outstanding = 65536
    
coa {
        
irt = 2
        
mrt = 16
        
mrc = 5
        
mrd = 30
    
}
}
home_server_pool my_auth_failover {
    
type = fail-over
    
home_server = localhost
}
# Stock example realm; leftover, not used by the VPN users.
realm example.com {
    
auth_pool = my_auth_failover
}
# user@LOCAL is handled on this server instead of being forwarded.
realm LOCAL {
    
type        = radius
    
authhost    = LOCAL
    
accthost    = LOCAL
}
# Bare user names (no @realm) are handled locally as well; nostrip leaves the
# User-Name unchanged. secret is presumably only consulted when a realm is
# proxied, so with authhost = LOCAL it appears to be inert here.
realm NULL {
    
authhost    = LOCAL
    
accthost    = LOCAL
    
secret      = MyVPN
    
type        = radius
    
nostrip
}
# Only the last two stanzas (LOCAL and NULL) need to be changed.

12. 为LDAP添加radius支持

# The schema shipped with the freeradius docs (the path is package-version
# specific: 2.1.12 here) becomes radius.schema under /etc/openldap/schema.
[root@ldap ~]# cp /usr/share/doc/freeradius-2.1.12/examples/openldap.schema /etc/openldap/schema/radius.schema
# Then add the include line shown below to slapd.conf.
[root@ldap ~]# vim /etc/openldap/slapd.conf
添加一行
# Load the RADIUS schema copied in step 12; place it with the other include
# lines, after the core schema. It appears to be needed only if per-user
# RADIUS attributes (see ldap.attrmap) are stored in the directory — for the
# plain password lookup configured here it looks optional; confirm.
include         /etc/openldap/schema/radius.schema

13. 修改 /etc/ppp/options.pptpd ,添加对radius的支持
在文件最后添加以下三行
# Hand PPP authentication and accounting to RADIUS. radius.so performs the
# RADIUS exchange using the radiusclient.conf named below; keep radattr.so
# after it (it depends on radius.so being loaded first — confirm against the
# pppd documentation). The plugin paths are pppd-version specific: 2.4.5
# here, matching the source unpacked in step 3.
plugin /usr/lib64/pppd/2.4.5/radius.so
plugin /usr/lib64/pppd/2.4.5/radattr.so
radius-config-file      /etc/radiusclient/radiusclient.conf

14.修改 /etc/radiusclient/radiusclient.conf ,将里面所有配置文件路径由 /usr/local/etc/xxx 改为 /etc/xxx

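# Show the effective radiusclient.conf (comment-only and blank lines dropped);
# the output below is the state after the path edits. Matching only lines that
# *start* with '#' avoids hiding settings whose value happens to contain '#'.
[root@ldap ~]# grep -v '^[[:space:]]*#' /etc/radiusclient/radiusclient.conf | grep -v '^[[:space:]]*$'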
# Effective radiusclient.conf used by pppd's radius.so (step 13). Step 14
# rewrote the /usr/local/etc/... paths to /etc/...; the values below are the
# result.
auth_order  radius
login_tries 4
login_timeout   60
nologin /etc/nologin
issue   /etc/radiusclient/issue
# Both point at the local radiusd (the listen blocks in radiusd.conf use the
# default ports 1812/1813); the matching client entry is in clients.conf.
authserver  localhost:1812
acctserver  localhost:1813
# Holds the shared secret written in step 4 — keep it readable by root only
# (mode 0600).
servers     /etc/radiusclient/servers
# The dictionary extended in step 6 (merit + microsoft includes).
dictionary  /etc/radiusclient/dictionary
# Still under /usr/local/sbin after step 14, which only touched /usr/local/etc
# paths. Presumably only the login wrapper uses it, not pppd's plugin, so it is
# harmless here — confirm if login.radius is ever invoked.
login_radius    /usr/local/sbin/login.radius
seqfile     /var/run/radius.seq
mapfile     /etc/radiusclient/port-id-map
# Empty: user names are sent as given, matching the NULL realm in proxy.conf.
default_realm
radius_timeout  10
radius_retries  3
login_local /bin/login

15. 重启 radius / pptpd / slapd

# Restart in this order: the directory first, then pptpd (picks up the new
# plugin lines in options.pptpd), then radiusd. If PPTP logins fail afterwards
# while radtest still succeeds, run the server in the foreground with
# "radiusd -X" to see each module's decision (typically a password-format
# issue for MS-CHAP, see the ldap module notes).
[root@ldap ~]# /etc/init.d/slapd restart
[root@ldap ~]# /etc/init.d/pptpd restart
[root@ldap ~]# /etc/init.d/radiusd restart