Mysql+radius+pptp in Linux11

Настройка сетевых служб, маршрутизации, фаерволлов. Проблемы с сетевым оборудованием.
Правила форума
Убедительная просьба юзать теги [code] при оформлении листингов.
Сообщения не оформленные должным образом имеют все шансы быть незамеченными.
Dron_
проходил мимо
Сообщения: 2
Зарегистрирован: 2007-05-11 22:28:32

Mysql+radius+pptp in Linux11

Непрочитанное сообщение Dron_ » 2007-05-11 23:47:34

Мне нужно зделат сервер так сказать для корпаротивных организаций которые подключены к нету и чтоб пользователи могли подключаться к нету по ВПНу ну вот я вродебы все настроил и взял готовый пхп примитивную билинговую штуку (учет только трафика, деньги там считать не требуют) потом настроил радиус и pptp. так вот все вродебы должно работать я создаю пользователей через вэб интерфейс в базе mysql проверяю все нормально видно пользователей и их пароли а вот когда соединяюсь по VPN-у то непроходит проверку имени и пароля! Хотя это все работает на виртуалке Linux 10 правда настраивал все это препод! а я сейчас пробую все это же зделать на Linux 11. Вот так вот такая проблема !!!! Никак нераздуплюсь. Надеюсь на помощь!

Хостинговая компания Host-Food.ru
Хостинг HostFood.ru
 

Услуги хостинговой компании Host-Food.ru

Хостинг HostFood.ru

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2460 рублей (8 CPU, 8Gb RAM, 2x500Gb HDD, RAID 3ware 9750):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

Dron_
проходил мимо
Сообщения: 2
Зарегистрирован: 2007-05-11 22:28:32

Непрочитанное сообщение Dron_ » 2007-05-12 23:17:55

посморите может тут бока какието?


prefix =
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = /var/log/radius/radius.log
libdir = ${exec_prefix}/lib
pidfile = /var/log/radius/radiusd.pid

# user/group: The name (or #number) of the user/group to run radiusd as.
user = radiusd
group = radiusd

#user = nobody
#group = nobody

# max_request_time: The maximum time (in seconds) to handle a request.
max_request_time = 30

# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
delete_blocked_requests = no

cleanup_delay = 5

#
max_requests = 256000

#
bind_address = 127.0.0.1


#
port = 1812

hostname_lookups = no

allow_core_dumps = no

#
regular_expressions = yes
extended_expressions = yes

log_stripped_names = yes

log_auth = yes

#
log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

#
security {
max_attributes = 200

# Useful ranges: 1 to 5
reject_delay = 1

#status_server = no
status_server = yes
}

proxy_requests = no

$INCLUDE ${confdir}/clients.conf


#
snmp = no
###$INCLUDE ${confdir}/snmp.conf


#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5

max_servers = 32

min_spare_servers = 3
max_spare_servers = 10

max_requests_per_server = 0
}

modules {
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption schemes
# clear: Clear text
# crypt: Unix crypt
# md5: MD5 ecnryption
# sha1: SHA1 encryption.
# DEFAULT: crypt
pap {
encryption_scheme = crypt
}

# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
authtype = CHAP
}


# Unix /etc/passwd style authentication
#
unix {
#
# allowed values: {no, yes}
cache = no

# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600

radwtmp = ${logdir}/radwtmp
}

mschap {
#
# As of 0.9, the mschap module does NOT support
# reading from /etc/smbpasswd.
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd

# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally should be MS-CHAP
authtype = MS-CHAP

# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
# use_mppe = no

# if mppe is enabled require_encryption makes
# encryption moderate
# require_encryption = yes

# require_strong always requires 128 bit key
# encryption
# require_strong = yes
}

#
realm realmslash {
format = prefix
delimiter = "/"
}

# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
}

# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

with_ascend_hack = no
ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no
}

# Livingston-style 'users' file
#
files {
usersfile = ${confdir}/users
# acctusersfile = ${confdir}/acct_users

# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}

# Write a detailed log of all accounting records received.
#
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

detailperm = 0600
}

acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
}

#
### $INCLUDE ${confdir}/sql.conf

$INCLUDE /etc/raddb/sql.conf
# $INCLUDE ${confdir}/sqlcounter.conf

radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp

# The field in the packet to key on for the
username = %{User-Name}

# Whether or not we want to treat "user" the same
case_sensitive = yes

# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes

# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600

callerid = "yes"
}

# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}

# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}/attrs
}

counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}

# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}

#
# The 'expression' module currently has no configuration.
expr {
}

#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
#digest {
#}

exec {
wait = yes
input_pairs = request
}

exec echo {
wait = yes

program = "/bin/echo %{User-Name}"

#
input_pairs = request

#
output_pairs = reply

#packet_type = Access-Accept
}


}

#
instantiate {
#
expr

# daily
}

authorize {
preprocess
redundant {
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
sql
chap

# }

# attr_filter


# realmslash
suffix

#
# Read the 'users' file
# files
}

#
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap

# daily
# sql
}


# Authentication.
#
# The default Auth-Type is Local. That is, whatever is not included inside
# an authtype section will be called only if Auth-Type is set to Local.
#
# For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc.
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
# Auth-Type PAP {
# pap
# }

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

### unix


}

# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess

# realmslash
suffix

#
# Read the 'acct_users' file
# files
}

#
# Accounting. Log the accounting data.
#
accounting {

##redundant {
acct_unique

# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.

detail

# esli vkuchit to duplitciruytcia zapici start

sql

# daily

## unix # wtmp file
# radutmp
####sradutmp
}


# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
# radutmp
sql
}

post-auth {

sql

}

Аватара пользователя
alex3
лейтенант
Сообщения: 872
Зарегистрирован: 2006-11-20 16:47:56
Откуда: Переславль
Контактная информация:

Непрочитанное сообщение alex3 » 2007-05-13 0:08:14

Кнопочка "code"
Если ipfw можно считать речью обычного человека, то pf - речь политика. За каждой ошибкой -ядерный песец.

almos
ефрейтор
Сообщения: 55
Зарегистрирован: 2006-03-31 0:24:24
Контактная информация:

Непрочитанное сообщение almos » 2007-05-14 14:21:05

Попробуйте Abills (http://abills.asmodeus.com.ua) - хорошая биллинговая система.
Просто удобная система и не более, кроме того бесплатная, постоянно дорабатывается.
Позволяет тарифицировать VPN(PPTP,PPPOE), Dialup, Wifi, вобщем все что захотите.

Там есть все что нужно + мануал по настройке. Есть варианты под юрю и линух.
Зачем изобретать велосипед?