太阳不下山 posted on 2021-7-3 21:39:27

Deploying a *** management system on CentOS 6.5 (StrongSwan + IKEv2 + FreeRADIUS + MySQL + daloRADIUS)

I. Environment
Server IP: 192.168.30.133
System: CentOS 6.5
Client: Windows 7

II. Building and installing StrongSwan
  1. Download StrongSwan
# wget http://download.strongswan.org/strongswan.tar.gz
  2. Install the required libraries
# yum update -y
# yum install pam-devel openssl-devel make gcc gmp-devel
  3. Configure, build and install
# ./configure --enable-eap-identity --enable-eap-md5 \
    --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
    --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
    --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
    --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp
# make -j 8 && make install && echo OK
  Note: if configure fails with the following error:
configure: WARNING: unrecognized options: --enable-nat-transport
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... configure: error: newly created file is older than distributed files!
Check your system clock
  Fix (the cause is a wrong system clock):
# cp -Rf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# cat /etc/sysconfig/clock
# ntpdate 133.100.11.8   (or s2m.time.edu.cn)
# sed -i 's#ZONE="America/New_York"#ZONE="Asia/Shanghai"#g' /etc/sysconfig/clock
# hwclock -w
# date -R
  4. Generate the certificates
# mkdir key && cd key
#### CA private key and self-signed CA certificate ####
# ipsec pki --gen --outform pem > ca.pem
# ipsec pki --self --in ca.pem --dn "C=cn, O=***stsck, CN=××× CA" \
    --ca --lifetime 3650 --outform pem > ca.cert.pem
#### server key and certificate, issued by the CA ####
# ipsec pki --gen --outform pem > server.pem
# ipsec pki --pub --in server.pem | ipsec pki --issue --lifetime 1200 \
    --cacert ca.cert.pem --cakey ca.pem --dn "C=cn, O=***stsck, CN=192.168.30.133" \
    --san="192.168.30.133" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
#### client key and certificate, issued by the CA ####
# ipsec pki --gen --outform pem > client.pem
# ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem \
    --cakey ca.pem --dn "C=cn, O=***stsck, CN=××× Client" --outform pem > client.cert.pem
Note: C is the country, O the organisation name (e.g. ***stack) and CN the common name; leave them at the defaults and keep them identical throughout the deployment. CN=192.168.30.133 must be the public address of your VPS.

  5. Install the certificates
cp ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp server.cert.pem /usr/local/etc/ipsec.d/certs/
cp server.pem /usr/local/etc/ipsec.d/private/
cp client.cert.pem /usr/local/etc/ipsec.d/certs/
cp client.pem /usr/local/etc/ipsec.d/private/
[Removing old certificates: only needed when this is not the first installation; skip this step on a first install]
    rm -rf /usr/local/etc/ipsec.d/cacerts/ca.cert.pem
    rm -rf /usr/local/etc/ipsec.d/certs/server.cert.pem
    rm -rf /usr/local/etc/ipsec.d/private/server.pem
    rm -rf /usr/local/etc/ipsec.d/certs/client.cert.pem
    rm -rf /usr/local/etc/ipsec.d/private/client.pem

  6. Configure strongSwan
  a. Edit /usr/local/etc/ipsec.conf as follows:
# vim /usr/local/etc/ipsec.conf
config setup
    strictcrlpolicy=no
    # allow several devices to be online with the same identity
    uniqueids=no

conn iOS_cert
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.11.0.0/24
    rightcert=client.cert.pem
    auto=add

conn android_xauth_psk
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.12.0.0/24
    auto=add

conn networkmanager-strongswan
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.13.0.0/24
    rightcert=client.cert.pem
    auto=add

conn ios_ikev2
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    left=%defaultroute
    leftid=192.168.30.133
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.14.0.0/24
    rightsendcert=never
    eap_identity=%any
    dpdaction=clear
    fragmentation=yes
    auto=add

conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.15.0.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add
[For a full description of this file see: https://zh.opensuse.org/SDB:Setup_Ipsec_×××_with_Strongswan]

  b. Replace the contents of /usr/local/etc/strongswan.conf with the following:
    # vim /usr/local/etc/strongswan.conf
    charon {
        load_modular = yes
        duplicheck.enable = no
        compress = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4
        nbns1 = 8.8.8.8
        nbns2 = 8.8.4.4
    }
    include strongswan.d/*.conf

  c. Edit /usr/local/etc/ipsec.secrets (create the file if it does not exist)
    # vim /usr/local/etc/ipsec.secrets
    : RSA server.pem
    : PSK "myPSKkey"
    : XAUTH "myXAUTHPass"
    [username] %any : EAP "[password]"
  Explanation: replace myPSKkey with the key you want for PSK authentication; replace myXAUTHPass with the password you want for XAUTH authentication (the XAUTH username is arbitrary); replace [username] and [password] with the login name and password you want (drop the brackets). Add one such line per user to create several users; these are the username + password credentials used for IKEv2 logins.

  7. Configure forwarding
  a. Set the iptables rules
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
    iptables -A FORWARD -s 10.11.0.0/24 -j ACCEPT
    iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT
    iptables -A FORWARD -s 10.13.0.0/24 -j ACCEPT
    iptables -A INPUT -p esp -j ACCEPT
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p tcp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    iptables -A INPUT -p udp --dport 1701 -j ACCEPT
    iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE
    # service iptables save
  Mind the order of the iptables rules. The following ruleset is given for reference:
# Generated by iptables-save v1.4.7 on Thu Dec 8 12:51:52 2016
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.12.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.13.0.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Dec 8 12:51:52 2016
# Generated by iptables-save v1.4.7 on Thu Dec 8 12:51:52 2016
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -j ACCEPT
-A FORWARD -s 10.12.0.0/24 -j ACCEPT
-A FORWARD -s 10.13.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Dec 8 12:51:52 2016
    # service iptables restart

   b. Enable ip_forward
    # vim /etc/sysctl.conf
    net.ipv4.ip_forward = 0
    change to:
    net.ipv4.ip_forward = 1
    # sysctl -p
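
A check worth running once steps 7a and 7b are done: every rightsourceip pool that ipsec.conf hands out needs a FORWARD ACCEPT rule and a POSTROUTING MASQUERADE rule, and the INPUT chain must admit IKE (udp/500, udp/4500) and ESP, otherwise clients authenticate but no traffic gets through. The Python script below is an added example, not part of the original post; it parses a condensed ipsec.conf and an iptables-save dump embedded as strings constructed from the values above (point it at the real files to use it on a server). Run on the post's own configuration it reports that the 10.14.0.0/24 (ios_ikev2) and 10.15.0.0/24 (windows7) pools have neither rule.

```python
"""Cross-check strongSwan client pools against iptables-save output.

Added example (not from the post): each conn's rightsourceip pool needs a
FORWARD ACCEPT rule and a POSTROUTING MASQUERADE rule, and INPUT must accept
udp/500, udp/4500 and ESP. Both inputs below are constructed from the post.
"""
import re

# Constructed sample: the conn/pool pairs of the post's ipsec.conf.
IPSEC_CONF = """
config setup
    uniqueids=no
conn iOS_cert
    rightsourceip=10.11.0.0/24
conn android_xauth_psk
    rightsourceip=10.12.0.0/24
conn networkmanager-strongswan
    rightsourceip=10.13.0.0/24
conn ios_ikev2
    rightsourceip=10.14.0.0/24
conn windows7
    rightsourceip=10.15.0.0/24
"""

# Constructed sample: the relevant lines of the post's iptables-save dump.
IPTABLES_SAVE = """
*nat
-A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.12.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.13.0.0/24 -j MASQUERADE
COMMIT
*filter
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -j ACCEPT
-A FORWARD -s 10.12.0.0/24 -j ACCEPT
-A FORWARD -s 10.13.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def parse_pools(conf):
    """Map each conn name to its rightsourceip pool (conns without one are skipped)."""
    pools, conn = {}, None
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("conn "):
            conn = s.split(None, 1)[1]
        elif conn and s.startswith("rightsourceip="):
            pools[conn] = s.split("=", 1)[1].strip()
    return pools


def parse_rules(save):
    """Collect FORWARD-accepted sources, masqueraded sources, and (proto, port) INPUT allows."""
    table, fwd, masq, inp = None, set(), set(), set()
    for line in save.splitlines():
        s = line.strip()
        if s.startswith("*"):
            table = s[1:]            # iptables-save groups rules by table
        m = re.match(r"-A (\w+)(.*)", s)
        if not m:
            continue
        chain, rest = m.group(1), m.group(2)
        src = re.search(r"-s (\S+)", rest)
        if table == "filter" and chain == "FORWARD" and src and "-j ACCEPT" in rest:
            fwd.add(src.group(1))
        elif table == "nat" and chain == "POSTROUTING" and src and "-j MASQUERADE" in rest:
            masq.add(src.group(1))
        elif table == "filter" and chain == "INPUT" and "-j ACCEPT" in rest:
            proto = re.search(r"-p (\w+)", rest)
            port = re.search(r"--dport (\d+)", rest)
            if proto:
                inp.add((proto.group(1), int(port.group(1)) if port else None))
    return fwd, masq, inp


def check(conf, save):
    """Return a sorted list of findings; an empty list means pools and firewall agree."""
    fwd, masq, inp = parse_rules(save)
    findings = []
    for conn, pool in parse_pools(conf).items():
        if pool not in fwd:
            findings.append(f"{conn}: no FORWARD ACCEPT for {pool}")
        if pool not in masq:
            findings.append(f"{conn}: no MASQUERADE for {pool}")
    for proto, port in (("udp", 500), ("udp", 4500), ("esp", None)):
        if (proto, port) not in inp:
            findings.append(f"INPUT does not accept {proto}/{port or '-'}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check(IPSEC_CONF, IPTABLES_SAVE):
        print(finding)
```

The fix the findings point at is one FORWARD ACCEPT and one MASQUERADE rule per missing pool, inserted before the FORWARD REJECT rule so the ordering the post warns about is preserved.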
   c. Download ca.cert.pem and import it on the Windows client or on macOS. How to import the certificate and test dialling in from Windows 7: http://zlyang.blog.51cto.com/1196234/1881212
    # yum -y install lrzsz
    # cd /soft/strongswan-5.5.1/key
    # sz ca.cert.pem
III. Deploying FreeRADIUS + MySQL + daloRADIUS


  1. Install FreeRADIUS and MySQL
    # yum -y install freeradius freeradius-mysql freeradius-utils mysql-server

  2. Start MySQL and set the root password
    # service mysqld start
    # chkconfig mysqld on
    # mysql_secure_installation

  3. Import the FreeRADIUS schema
    # mysql -uroot -p
    mysql> CREATE DATABASE radius;
    mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@'localhost' IDENTIFIED BY "radpass";
    mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@'%' IDENTIFIED BY "radpass";
    mysql> flush privileges;
    mysql> use radius;
    mysql> SOURCE /etc/raddb/sql/mysql/schema.sql
    mysql> SOURCE /etc/raddb/sql/mysql/cui.sql
    mysql> SOURCE /etc/raddb/sql/mysql/ippool.sql
    mysql> SOURCE /etc/raddb/sql/mysql/nas.sql
    mysql> SOURCE /etc/raddb/sql/mysql/wimax.sql

  4. Point FreeRADIUS at MySQL
    # vim /etc/raddb/sql.conf
    # Connection info:
    server = "localhost"
    #port = 3306
    login = "radius"
    password = "radpass"
    # Database table configuration for everything except Oracle
    radius_db = "radius"
    # line 108: load NAS clients from the nas table
    readclients = yes

  5. Read the client (NAS) definitions from the nas table in the SQL database
    # vim /etc/raddb/radiusd.conf
    #$INCLUDE sql.conf
    after the change:
    $INCLUDE sql.conf
    # vim /etc/raddb/sites-available/default
    Lines to change, with their content after the change (line number, then content):
    line 170    #files
    line 177    sql
    line 396    #radutmp
    line 397    sradutmp
    line 406    sql
    line 450    #radutmp
    line 454    sql
    line 475    sql
    line 577    sql
    # vim /etc/raddb/sites-available/inner-tunnel
    line 125    #file
    line 132    sql
    line 252    #radutmp
    line 256    sql
    line 278    sql
    line 302    sql
  Change the shared secret:
    # vim /etc/raddb/clients.conf
    secret = testing123

  6. Add a test user:
    # mysql -uroot -p
    mysql> use radius;
    mysql> insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');
    mysql> flush privileges;
    mysql> exit;

  Testing FreeRADIUS + MySQL
  Start FreeRADIUS in debug mode:
    # radiusd -X
  In a second terminal, run a test request:
    # radtest test test 127.0.0.1 0 testing123
    Sending Access-Request of id 71 to 127.0.0.1 port 1812
    User-Name = "yzl"
    User-Password = "yzl"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=71, length=55
    Reply-Message = "Hello yzl !"
    Reply-Message = "Regexp match for PAP"



Seeing "Access-Accept" means it worked.
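
What radtest is doing on the wire, as an added example (not code from the post or from FreeRADIUS): it builds an Access-Request whose PAP User-Password is hidden with MD5(secret + Request Authenticator) chained per RFC 2865 section 5.2, and signs the packet with an HMAC-MD5 Message-Authenticator (RFC 2869 section 3.2); the server's Access-Accept is bound back to the request by the Response Authenticator (RFC 2865 section 3). The user, password and secret are the ones configured above; the 16-byte Request Authenticator is a constructed constant so the output is reproducible, whereas a real client draws it from os.urandom. The two verify functions show the checks each side performs and what a wrong or changed shared secret breaks, which is why the testing123 secret in clients.conf has to match on both ends and should be replaced in production.

```python
"""Build and check a RADIUS PAP Access-Request/Access-Accept pair (RFC 2865/2869).

Added example, not from the post or FreeRADIUS. Only the standard library is used.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 80

SECRET = b"testing123"                   # the shared secret from clients.conf
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed constant; real clients use os.urandom(16)


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: zero-pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(cipher, secret, authenticator):
    """Inverse of pap_encrypt; the chaining value is the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\0")


def attr(code, value):
    """One attribute: type, length (header included), value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(ident, authenticator, user, password, secret, nas_ip="127.0.0.1", nas_port=0):
    """Access-Request as radtest sends it; Message-Authenticator is HMAC-MD5 over the whole
    packet computed with the attribute's own 16 bytes set to zero (RFC 2869 3.2)."""
    attrs = attr(USER_NAME, user)
    attrs += attr(USER_PASSWORD, pap_encrypt(password, secret, authenticator))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(NAS_PORT, struct.pack("!I", nas_port))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)   # placeholder, last attribute
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def parse_attrs(pkt):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(pkt):
        code, length = pkt[pos], pkt[pos + 1]
        attrs[code] = pkt[pos + 2:pos + length]
        pos += length
    return attrs


def verify_access_request(pkt, secret):
    """Server side: recompute the Message-Authenticator with its field zeroed."""
    pos = 20
    while pos < len(pkt):
        code, length = pkt[pos], pkt[pos + 1]
        if code == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + b"\0" * 16 + pkt[pos + length:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + length])
        pos += length
    return False


def build_access_accept(request, secret, message):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = attr(REPLY_MESSAGE, message)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request, response, secret):
    """Client side: the Response Authenticator ties the reply to our request and the secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_access_request(71, REQUEST_AUTHENTICATOR, b"test", b"test", SECRET)
    print("Access-Request:", req.hex())
    print("server accepts request signature:", verify_access_request(req, SECRET))
    print("password recovered by the server:", pap_decrypt(parse_attrs(req)[USER_PASSWORD], SECRET, REQUEST_AUTHENTICATOR))
    rep = build_access_accept(req, SECRET, b"Hello test !")
    print("client accepts reply:", verify_response(req, rep, SECRET))
```

The Message-Authenticator line in the radtest output shows the all-zero placeholder the client prints before signing; the server only honours the request if its own copy of the secret reproduces the HMAC.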


  7. Deploy daloRADIUS
  a. Install the LAMP stack:
    # yum -y install php-mysql php php-gd php-pear-DB httpd

  b. Download daloRADIUS
Download: http://jaist.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
Chinese-localised version: http://pan.baidu.com/s/1c2h2h2K
    # cd /soft
    # wget http://jaist.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
    # tar xf daloradius-0.9-9.tar.gz

  c. Import the daloRADIUS schema
    # mysql -uroot -p
    mysql> use radius;
    mysql> SOURCE /soft/daloradius-0.9-9/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

  d. Edit the daloRADIUS database configuration file:
    # vim /soft/daloradius-0.9-9/library/daloradius.conf.php
    $configValues['DALORADIUS_VERSION'] = '0.9-9';
    $configValues['FREERADIUS_VERSION'] = '2';
    $configValues['CONFIG_DB_ENGINE'] = 'mysql';
    $configValues['CONFIG_DB_HOST'] = 'localhost';
    $configValues['CONFIG_DB_USER'] = 'radius';
    $configValues['CONFIG_DB_PASS'] = 'radpass';
    $configValues['CONFIG_DB_NAME'] = 'radius';
    $configValues['CONFIG_FILE_RADIUS_PROXY'] = '/etc/raddb/proxy.conf';
    $configValues['CONFIG_PATH_RADIUS_DICT'] = '/etc/raddb';
    $configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/var/www/html/daloradius/var';
    $configValues['CONFIG_LOG_FILE'] = '/var/www/html/daloradius/var/daloradius.log';

  e. Move the files into the Apache document root, /var/www/html:
    # mv /soft/daloradius-0.9-9 /var/www/html/daloradius

  f. Create the log file:
    # touch /var/www/html/daloradius/var/daloradius.log

  g. Give ownership to the apache user:
    # chown -R apache:apache /var/www/html/daloradius

  h. Change the radius log file:
    # vim /etc/raddb/radiusd.conf
    #file = ${logdir}/radius.log
    file = /var/log/radius.log
    # chmod 644 /var/log/messages
    # vim /var/www/html/daloradius/library/exten-radius_log.php
    $logfile_loc = array();
    $logfile_loc = '/var/log/freeradius/radius.log';
    $logfile_loc = '/usr/local/var/log/radius/radius.log';
    $logfile_loc = '/var/log/radius/radius.log';
    $logfile_loc = '/var/log/radius.log';

  i. Limit each user to a single simultaneous session; new users must be added to the users group
    # vim /etc/raddb/sql/mysql/dialup.conf
    find simul_count_query and uncomment lines 290-293
    # mysql -uroot -p
    mysql> use radius;
    mysql> INSERT INTO radgroupcheck (id, GroupName, Attribute, op, Value) VALUES (NULL, 'users', 'Simultaneous-Use', ':=', '1');
  j. Edit the Apache configuration
    # vim /etc/httpd/conf/httpd.conf
    ServerName x.x.x.x:80
    Note: x.x.x.x is this machine's IP address or hostname

  k. Start Apache and FreeRADIUS
    # service httpd start
    # chkconfig httpd on
    # service radiusd start
    # chkconfig radiusd on
    # iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    # /etc/init.d/iptables save
    # /etc/init.d/iptables restart
    # chmod 644 /var/log/radius.log

You can now log in through the web interface:

http://ip-address-or-hostname/daloradius
Username: administrator
Password: radius

IV. Integrating StrongSwan and FreeRADIUS:
  a. Edit /usr/local/etc/strongswan.d/charon/eap-radius.conf
    # vim /usr/local/etc/strongswan.d/charon/eap-radius.conf
    # enable accounting so the number of online users can be queried
    # line 4
    accounting = yes
    # line 8
    accounting_close_on_timeout = yes
    # find the servers { } section and add the following inside it (line 93)
    ***server {
        secret = testing123
        address = 127.0.0.1
    }

  b. Edit /usr/local/etc/ipsec.conf
  c. Configure IKEv2 for Apple macOS: /etc/raddb/eap.conf
  

  d. Restart the services
    # service radiusd restart
    # ipsec stop
    # ipsec start --nofork
  Now test whether a client can dial in.

V. daloRADIUS tuning and accounting limits
  1. Localising the web UI
Download the Chinese-localised daloRADIUS: http://pan.baidu.com/s/1c2h2h2K
Replace main.conf and config-lang.conf with the versions it contains, and upload zh-cn.conf to /var/www/html/daloradius/lang/
    # service httpd restart
    Then in the daloRADIUS admin pages choose: config -> language settings -> Chinese -> apply
  2. Limit each user's total daily session time and login hours:
    # vim /etc/raddb/radiusd.conf
    # uncomment line 747
    $INCLUDE sql/mysql/counter.conf
    # vim /etc/raddb/sql/mysql/counter.conf
    # comment out lines 60-63 and add the query below them (IFNULL makes the counter return 0 instead of NULL for a user who has no accounting rows yet)
    60 #       query = "SELECT SUM(acctsessiontime - \
    61 #               GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
    62 #               FROM radacct WHERE username = '%{%k}' AND \
    63 #               UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
    64
    65         query = "SELECT IFNULL(SUM(acctsessiontime - \
    66               GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)),0) \
    67               FROM radacct WHERE username = '%{%k}' AND \
    68               UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
    # vim /etc/raddb/dictionary
    # append at the end:
    ATTRIBUTE       Daily-Session-Time      3000    integer
    ATTRIBUTE       Max-Daily-Session       3001    integer
  Create the matching entries in the MySQL database:
    # mysql -uradius -p
    mysql> use radius;
    mysql> delete from radacct;
    mysql> INSERT INTO radgroupcheck (id, GroupName, Attribute, op, Value) VALUES (NULL, 'users', 'Max-Daily-Session', ':=', '28800');   # 28800 seconds = 8 h
    mysql> INSERT INTO radgroupcheck (id, GroupName, Attribute, op, Value) VALUES (NULL, 'users', 'Login-Time', ':=', 'Al0001-2359');

  3. Limit each user's daily and monthly data usage and set an account expiry date
    # vim /etc/raddb/sql/mysql/counter.conf
    # append at the end:
    sqlcounter dailytrafficcounter {
        counter-name = Daily-Traffic
        check-name = Max-Daily-Traffic
        reply-name = Daily-Traffic-Limit
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT (SUM(AcctInputOctets + AcctOutputOctets)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
    }
    sqlcounter monthlytrafficcounter {
        counter-name = Monthly-Traffic
        check-name = Max-Monthly-Traffic
        reply-name = Monthly-Traffic-Limit
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT (SUM(AcctInputOctets + AcctOutputOctets)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
    }
    # vim /etc/raddb/dictionary
    # append at the end:
    ATTRIBUTE       Max-Daily-Traffic       3002    integer
    ATTRIBUTE       Daily-Traffic-Limit     3003    integer
    ATTRIBUTE       Max-Monthly-Traffic     3004    integer
    ATTRIBUTE       Monthly-Traffic-Limit   3005    integer
    # vim /etc/raddb/sites-available/default
    # add after line 193:
    dailytrafficcounter
    monthlytrafficcounter

  Create the matching entries in the MySQL database:
    # mysql -uroot -p
    mysql> use radius;
    mysql> delete from radacct;
    mysql> INSERT INTO radgroupcheck (id, GroupName, Attribute, op, Value) VALUES (NULL, 'users', 'Max-Monthly-Traffic', ':=', '1073741824');   # 1073741824 bytes = 1024*1024*1024 = 1 GB; the value is in bytes; 1 GB per month
    mysql> INSERT INTO radgroupcheck (id, GroupName, Attribute, op, Value) VALUES (NULL, 'users', 'Max-Daily-Traffic', ':=', '104857600');   # 104857600 bytes = 100*1024*1024 = 100 MB per day
    mysql> INSERT INTO radgroupcheck (id, GroupName, Attribute, op, Value) VALUES (NULL, 'users', 'Expiration', ':=', '1 Oct 2017');   # account expiry date
    mysql> exit
    # service radiusd restart
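
To see what the counter queries of steps 2 and 3 actually compute before trusting them with real limits, here is an added example (not from the post or from FreeRADIUS) that runs both queries over constructed radacct rows and applies the Max-Daily-Session and Max-Daily-Traffic values inserted above the way rlm_sqlcounter does. SQLite stands in for MySQL: acctstarttime is stored as a UNIX timestamp so UNIX_TIMESTAMP() is dropped, and GREATEST() becomes SQLite's two-argument MAX(); %b is the start of the current reset period (midnight for reset = daily) and %k the User-Name, as in counter.conf. It shows why the post replaces the session-time query with the IFNULL version (a new user otherwise gets NULL, not 0), that a session spanning midnight is only partly counted by the time counter, and that the traffic query as written counts only sessions that started after %b.

```python
"""Simulate the FreeRADIUS sqlcounter checks from the post over constructed data.

Added example, not from the post or FreeRADIUS. SQLite replaces MySQL:
UNIX_TIMESTAMP() is dropped (timestamps are stored as integers) and
GREATEST(a, b) becomes MAX(a, b).
"""
import sqlite3

DAY = 86400
# Constructed "%b" for reset = daily: the midnight that starts the current period.
MIDNIGHT = 1_700_000_000 - 1_700_000_000 % DAY

# Constructed radacct rows:
# (username, acctstarttime as UNIX time, acctsessiontime, acctinputoctets, acctoutputoctets)
RADACCT = [
    ("test", MIDNIGHT - 3600, 7200, 10_000_000, 5_000_000),       # crossed midnight: only 1 h counts today
    ("test", MIDNIGHT + 8 * 3600, 3600, 50_000_000, 30_000_000),  # entirely inside today
    ("test", MIDNIGHT - DAY + 36000, 3600, 900_000_000, 0),       # finished yesterday: ignored
    ("heavy", MIDNIGHT + 3600, 30000, 90_000_000, 20_000_000),    # exceeds both limits
]

# The radgroupcheck values the post inserts for group 'users'.
CHECKS = {"Max-Daily-Session": 28800, "Max-Daily-Traffic": 104857600}


def load():
    """In-memory radacct filled with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, "
               "acctsessiontime INTEGER, acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", RADACCT)
    return db


def daily_session_seconds(db, user, b, ifnull=True):
    """dailycounter query: seconds used since %b, counting only the part of each session
    after %b. ifnull=True is the post's replacement query; ifnull=False is the original,
    which yields NULL (None) for a user with no rows instead of 0."""
    inner = "SUM(acctsessiontime - MAX((? - acctstarttime), 0))"
    select = f"IFNULL({inner}, 0)" if ifnull else inner
    row = db.execute(f"SELECT {select} FROM radacct WHERE username = ? "
                     "AND acctstarttime + acctsessiontime > ?", (b, user, b)).fetchone()
    return row[0]


def daily_traffic_bytes(db, user, b):
    """dailytrafficcounter query: bytes in both directions for sessions that *started*
    after %b (a session that crossed midnight is not counted, unlike the time counter)."""
    row = db.execute("SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct "
                     "WHERE username = ? AND acctstarttime > ?", (user, b)).fetchone()
    return row[0] or 0


def authorize(db, user, b, checks=CHECKS):
    """Apply the counters like rlm_sqlcounter: reject once a counter reaches its check
    value, otherwise reply with what is left (Session-Timeout / Daily-Traffic-Limit)."""
    used_seconds = daily_session_seconds(db, user, b)
    used_bytes = daily_traffic_bytes(db, user, b)
    if used_seconds >= checks["Max-Daily-Session"]:
        return False, {"Reply-Message": "daily session time exhausted"}
    if used_bytes >= checks["Max-Daily-Traffic"]:
        return False, {"Reply-Message": "daily traffic exhausted"}
    return True, {"Session-Timeout": checks["Max-Daily-Session"] - used_seconds,
                  "Daily-Traffic-Limit": checks["Max-Daily-Traffic"] - used_bytes}


if __name__ == "__main__":
    db = load()
    for user in ("test", "heavy", "nobody"):
        print(user, authorize(db, user, MIDNIGHT))
```

The monthly counter uses the same traffic query with %b set to the first of the month, so daily_traffic_bytes applies unchanged there; only the reset boundary differs.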

That completes the whole deployment. Good luck!
If you run into problems, reply below!

  