					
				Mysql+radius+pptp in Linux11
				Добавлено: 2007-05-11 23:47:34
				 Dron_
				Мне нужно сделать сервер, так сказать, для корпоративных организаций, которые подключены к нету, и чтобы пользователи могли подключаться к нету по ВПНу. Ну вот, я вроде бы все настроил и взял готовую примитивную биллинговую штуку на PHP (учет только трафика, деньги там считать не требуют), потом настроил радиус и pptp. Так вот, все вроде бы должно работать: я создаю пользователей через веб-интерфейс, в базе mysql проверяю — все нормально, видно пользователей и их пароли, а вот когда соединяюсь по VPN-у, то не проходит проверку имени и пароля! Хотя это все работает на виртуалке Linux 10, правда, настраивал все это препод! А я сейчас пробую все это же сделать на Linux 11. Вот такая проблема!!!! Никак не раздуплюсь. Надеюсь на помощь!
			 
			
					
				
				Добавлено: 2007-05-12 23:17:55
				 Dron_
				посмотрите, может тут бока какие-то?
# Installation layout.  prefix is intentionally empty, so every
# ${prefix}-derived path below resolves from the filesystem root
# (${sysconfdir} -> /etc, ${raddbdir} -> /etc/raddb, ...).
prefix = 
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = /var/log/radius/radius.log
libdir = ${exec_prefix}/lib
# NOTE(review): the pidfile is kept under the log directory rather than
# under ${run_dir} defined above; both directories must be writable by
# the 'user' configured below -- confirm this is intended.
pidfile = /var/log/radius/radiusd.pid
# user/group: The name (or #number) of the user/group to run radiusd as.
# A dedicated unprivileged account; the config, log and accounting
# directories above must be readable/writable for it as needed.
user = radiusd
group = radiusd
#user = nobody
#group = nobody
#  max_request_time: The maximum time (in seconds) to handle a request.
max_request_time = 30
#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
delete_blocked_requests = no
#  Seconds a finished request is kept so that a NAS retransmit gets the
#  cached reply instead of being processed a second time.
cleanup_delay = 5
#
#  Upper bound on requests the server will track at once.
max_requests = 256000
#
#  Listen on loopback only: only a NAS running on this same host (e.g.
#  a pptpd/pppd RADIUS plugin pointed at 127.0.0.1) can reach the
#  server, and a matching 127.0.0.1 entry is needed in clients.conf
#  (see the $INCLUDE further down).
bind_address = 127.0.0.1
#
port = 1812
hostname_lookups = no
allow_core_dumps = no
#
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = yes
log_auth = yes
#
#  With log_auth = yes, the two flags below also write the password the
#  user submitted into ${log_file} in clear text (for rejected and for
#  accepted logins respectively).  Handy while debugging an
#  authentication failure; keep them off otherwise and make sure the
#  log file is not world-readable.
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
#
security {
	#  Packets carrying more attributes than this are discarded
	#  (guards the decoder against malformed/oversized requests).
	max_attributes = 200
	#  Useful ranges: 1 to 5
	#  Seconds to wait before sending an Access-Reject; slows down
	#  online password guessing against this server.
	reject_delay = 1
	#status_server = no
	#  Answer Status-Server probes so clients can check the server is up.
	status_server = yes
}
#  No forwarding to other RADIUS servers; every request is handled locally.
proxy_requests  = no
#  clients.conf lists each NAS allowed to talk to this server together
#  with its shared secret.  With bind_address = 127.0.0.1 above, the
#  127.0.0.1 client entry must exist and its secret must match what
#  the NAS (pptpd/pppd) is configured with: requests from an unknown
#  client are dropped, and a mismatched secret typically makes
#  authentication fail without an obvious error on the client side.
$INCLUDE  ${confdir}/clients.conf
#
#  SNMP agent support is off; its config file is not included.
snmp	= no
###$INCLUDE  ${confdir}/snmp.conf
#
#  Worker-thread pool: how many request handlers are started and kept
#  idle.  These values only affect throughput, not authentication.
thread pool {
	#  Number of servers to start initially --- should be a reasonable
	#  ballpark figure.
	start_servers = 5
	#  Hard upper limit on concurrent handler threads.
	max_servers = 32
	#  Keep between min and max idle threads ready for new requests.
	min_spare_servers = 3
	max_spare_servers = 10
	#  0 = a thread is never recycled after a fixed number of requests.
	max_requests_per_server = 0
}
#  Module instances.  Defining an instance here does nothing by itself;
#  it is only used when listed in one of the processing sections
#  (authorize, authenticate, preacct, accounting, session, post-auth)
#  further down.
modules {
	# PAP module to authenticate users based on their stored password
	#
	#  Supports multiple encryption schemes
	#  clear: Clear text
	#  crypt: Unix crypt
	#    md5: MD5 ecnryption
	#   sha1: SHA1 encryption.
	#  DEFAULT: crypt
	#  Note: 'Auth-Type PAP' is commented out in the authenticate
	#  section of this file, so this scheme is currently unused.
	pap {
		encryption_scheme = crypt
	}
	# CHAP module
	#
	#  To authenticate requests containing a CHAP-Password attribute.
	#
	chap {
		authtype = CHAP
	}
	# Unix /etc/passwd style authentication
	#
	#  Not listed in any processing section below ('unix' is commented
	#  out in authenticate and accounting), so only radwtmp matters here.
	unix {
		#
		# allowed values: {no, yes}
		cache = no
		# Reload the cache every 600 seconds (10mins). 0 to disable.
		cache_reload = 600
		radwtmp = ${logdir}/radwtmp
	}
	mschap {
		#
		#  As of 0.9, the mschap module does NOT support
		#  reading from /etc/smbpasswd.
		#
		#  If you are using /etc/smbpasswd, see the 'passwd'
		#  module for an example of how to use /etc/smbpasswd
		# authtype value, if present, will be used
		# to overwrite (or add) Auth-Type during
		# authorization. Normally should be MS-CHAP
		authtype = MS-CHAP
		
		#  NOTE(review): MS-CHAP / MS-CHAPv2 (what a PPTP client normally
		#  negotiates) can only be verified against a clear-text password
		#  or an NT hash supplied by the authorize modules.  A crypt/MD5
		#  style hash (the format the 'pap' instance above is set up for)
		#  cannot be checked and the login is rejected -- verify which
		#  attribute and which format the web billing tool writes into
		#  the SQL backend for each user.
		# if use_mppe is not set to no mschap will
		# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
		# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
		#	use_mppe = no
		# if mppe is enabled require_encryption makes
		# encryption moderate
		#	require_encryption = yes
		# require_strong always requires 128 bit key
		# encryption
		#	require_strong = yes
		#  All three MPPE settings are left at the module defaults.
	}
	#
	#  'realm/username' -- defined but only referenced in commented-out
	#  lines of the processing sections.
	realm realmslash {
		format = prefix
		delimiter = "/"
	}
	#  'username@realm'
	#
	#  Used in authorize and preacct: splits off an '@realm' suffix
	#  from User-Name before the user lookup.
	realm suffix {
		format = suffix
		delimiter = "@"
	}
	#  'username%realm'
	#
	#  Defined but not referenced in any processing section.
	realm realmpercent {
		format = suffix
		delimiter = "%"
	}
	
	#  Runs first in authorize/preacct; applies the huntgroups and hints
	#  files.  All NAS-specific hacks are disabled.
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	# Livingston-style 'users' file
	#
	#  'files' is commented out in authorize/preacct below, so the
	#  users file is not consulted; user data comes from SQL instead.
	files {
		usersfile = ${confdir}/users
	#	acctusersfile = ${confdir}/acct_users
		#  If you want to use the old Cistron 'users' file
		#  with FreeRADIUS, you should change the next line
		#  to 'compat = cistron'.  You can the copy your 'users'
		#  file from Cistron.
		compat = no
	}
	# Write a detailed log of all accounting records received.
	#
	#  One file per client address per day; mode 0600 keeps the
	#  accounting detail (user names, addresses) private to radiusd.
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	#  Derives Acct-Unique-Session-Id from the listed attributes so the
	#  SQL accounting rows have a stable per-session key.
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
	}
	#
	#  The SQL module (server address, database credentials, queries)
	#  is pulled in from sql.conf, here with an absolute path instead of
	#  ${confdir}.  That file typically holds the database password, so
	#  it should be readable only by the 'user' radiusd runs as.
###	$INCLUDE  ${confdir}/sql.conf
	    $INCLUDE  /etc/raddb/sql.conf
#	    $INCLUDE  ${confdir}/sqlcounter.conf	    
	
	#  Not referenced in any active line of the processing sections
	#  below ('radutmp' is commented out in accounting and session).
	radutmp {
		#  Where the file is stored.  It's not a log file,
		#  so it doesn't need rotating.
		#
		filename = ${logdir}/radutmp
		#  The field in the packet to key on for the
		username = %{User-Name}
		#  Whether or not we want to treat "user" the same
		case_sensitive = yes
		#  Accounting information may be lost, so the user MAY
		#  have logged off of the NAS, but we haven't noticed.
		#  If so, we can verify this information with the NAS,
		#
		#  If we want to believe the 'utmp' file, then this
		#  configuration entry can be set to 'no'.
		#
		check_with_nas = yes		
		# Set the file permissions, as the contents of this file
		# are usually private.
		perm = 0600
		callerid = "yes"
	}
	# "Safe" radutmp - does not contain caller ID, so it can be
	# world-readable, and radwho can work for normal users, without
	# exposing any information that isn't already exposed by who(1).
	#
	# This is another 'instance' of the radutmp module, but it is given
	# then name "sradutmp" to identify it later in the "accounting"
	# section.
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
	# attr_filter - filters the attributes received in replies from
	# proxied servers, to make sure we send back to our RADIUS client
	# only allowed attributes.
	#  Only relevant with proxying, which is off (proxy_requests = no);
	#  it is commented out in authorize.
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	#  Per-day session-time limit.  Defined but commented out in
	#  instantiate, authorize and accounting, so it is not enforced.
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	# The "always" module is here for debugging purposes. Each
	# instance simply returns the same result, always, without
	# doing anything.
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
	#
	#  The 'expression' module currently has no configuration.
	expr {
	}
	#
	#  The 'digest' module currently has no configuration.
	#
	#  "Digest" authentication against a Cisco SIP server.
	#  See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
	#  on performing digest authentication for Cisco SIP servers.
	#
	#digest {
	#}
	#  Stock example instances for running external programs.  Neither
	#  'exec' nor 'echo' is listed in any processing section of this
	#  file, so no external command is run for requests.
	exec {
		wait = yes
		input_pairs = request
	}
	exec echo {
		wait = yes
		#  %{User-Name} is expanded from the request into the command
		#  line; keep that in mind before ever enabling this instance.
		program = "/bin/echo %{User-Name}"
		#
		input_pairs = request
		#
		output_pairs = reply
		#packet_type = Access-Accept
	}
}
#
#  Modules to load at startup even though they are not (yet) listed in
#  a processing section.  Only 'expr' is loaded; 'daily' stays disabled.
instantiate {
	#
	expr
#	daily
}
#  Authorization: collect check/reply items for the user and decide
#  the Auth-Type before the authenticate section runs.
authorize {
	#  Apply huntgroups/hints (see the 'preprocess' module).
	preprocess
	#  NOTE(review): 'redundant' runs its members in order and stops at
	#  the first one that does not return 'fail'.  Once 'sql' has
	#  answered (user found or not found), 'chap' and 'suffix' below
	#  are skipped: the '@realm' suffix is not stripped before the SQL
	#  lookup and Auth-Type := CHAP is never set from here.  In the
	#  stock layout 'suffix' and 'chap' run first and 'sql' after them
	#  (compare the commented-out 'sql' at the end of this section);
	#  confirm this grouping is intended.
	redundant {
	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	#  Look the user up in the SQL backend from sql.conf and add the
	#  stored password as a check item for the authenticate section.
	sql
	chap
	
#    }
#	attr_filter
#	realmslash
	suffix
	#
	#  Read the 'users' file
#	files
    }
	#
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	#  This is the path a PPTP client takes; it only works if the
	#  password 'sql' supplied above is in a form mschap can use
	#  (clear text or NT hash), not a crypt/MD5 hash.
	mschap
#	daily
#	sql
}
# Authentication.
#
#  The default Auth-Type is Local.  That is, whatever is not included inside
# an authtype section will be called only if Auth-Type is set to Local.
#
#   For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc.
#  Only CHAP and MS-CHAP are enabled here.  Both need the authorize
#  section to have supplied a clear-text password (MS-CHAP also accepts
#  an NT hash); PAP is disabled, so a hashed password in the database
#  cannot be used by any active Auth-Type in this file.
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
#	Auth-Type PAP {
#		pap
#	}
	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}
	#
	#  MSCHAP authentication.
	#  Set by the 'mschap' entry at the end of authorize.
	Auth-Type MS-CHAP {
		mschap
	}
###	unix
}
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
	#  Same realm handling as in authorize, so accounting records are
	#  keyed on the same (suffix-stripped) User-Name.
	preprocess
#	realmslash
	suffix
	#
	#  Read the 'acct_users' file
#	files
}
#
#  Accounting.  Log the accounting data.
#
accounting {
	##redundant {
	#  Compute Acct-Unique-Session-Id first so 'detail' and 'sql'
	#  both see it.
	acct_unique
	#  Create a 'detail'ed log of the packets.
	#  Note that accounting requests which are proxied
	#  are also logged in the detail file.
	detail
#	if enabled, Start records get duplicated
	#  Accounting rows go to the SQL backend (this is what the traffic
	#  billing reads); everything after it is disabled.
	sql 
#	daily
##	unix		# wtmp file
#	radutmp
	####sradutmp
}
#  Session database, used for checking Simultaneous-Use. Either the radutmp 
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
#  Simultaneous-Use checks are answered from the SQL accounting table,
#  not from radutmp.
session {
#	radutmp
	sql
}
#  After every authentication result, let the SQL module record it
#  (the post-auth query is defined in sql.conf).
post-auth {
	sql
	
}
			 
			
					
				
				Добавлено: 2007-05-13 0:08:14
				 alex3
				Кнопочка "code"
			 
			
					
				
				Добавлено: 2007-05-14 14:21:05
				 almos
				Попробуйте Abills (http://abills.asmodeus.com.ua) - хорошая биллинговая система. 
Просто удобная система, и не более; кроме того, бесплатная и постоянно дорабатывается.
Позволяет тарифицировать VPN (PPTP, PPPoE), Dialup, Wifi — в общем, все, что захотите.
Там есть все, что нужно, + мануал по настройке. Есть варианты под юрю и линух.
Зачем изобретать велосипед?