

IPv6

Добавляем в /etc/sysctl.conf

# Enable IPv6 forwarding so this host routes IPv6 packets between interfaces
# ("default" applies to interfaces created later, "all" to existing ones).
# NOTE(review): this page shows no IPv6 firewall rules; with forwarding on for
# every interface, set an explicit ip6tables FORWARD policy for the PPP
# subscribers before putting the host into service.
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

устанавливаем miredo

# miredo is a Teredo client: it tunnels IPv6 over UDP/IPv4, so the host gets a
# globally reachable IPv6 address even behind IPv4 NAT.
# NOTE(review): an IPv4-only firewall does not filter traffic arriving through
# the tunnel; filter IPv6 (ip6tables) on the Teredo interface as well.
apt-get install miredo
# Connectivity check over the new IPv6 path.
ping6 ipv6.google.com

Ставим FreeRADIUS из исходников и настраиваем

vim /usr/local/etc/raddb/sql.conf
# FreeRADIUS rlm_sql instance: how the server connects to MySQL and which
# tables it uses for authorization, accounting and post-auth logging.
# This file holds a database password in clear text; keep it readable only by
# the account the server runs as.
sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        #port = 3306
        # Database account used by the server.
        # NOTE(review): the password here ("radsecret") differs from the one set
        # for 'radius'@'localhost' in the MySQL section of this page ("radpass").
        # The two must match; both are sample values and should be replaced.
        login = "radius"
        password = "radsecret"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        deletestalesessions = yes
        # Every SQL statement is written to sqltracefile.
        # NOTE(review): with the stock dialup.conf the post-auth INSERT contains
        # the password the user submitted, so this trace file can collect
        # credentials - verify against the included dialup.conf, restrict the
        # file's permissions, and set sqltrace = no once debugging is finished.
        sqltrace = yes
        sqltracefile = ${logdir}/sqltrace.sql
        # Number of database connections opened by the module.
        num_sql_socks = 5
        # Seconds to wait before retrying a failed database connection.
        connect_failure_retry_delay = 60
        # 0 = no limit on connection lifetime / queries per connection.
        lifetime = 0
        max_queries = 0
        # Load RADIUS clients (NAS entries with their shared secrets) from
        # nas_table at server start, in addition to clients.conf. Anyone who can
        # write to that table can register a new client.
        readclients = yes
        nas_table = "nas"
        # The actual SQL queries live in the per-database dialup.conf.
        $INCLUDE sql/${database}/dialup.conf
}
#ls sites-enabled/
default
# cat default
# Virtual server "default": the module lists below run top to bottom for each
# stage of request processing.

# authorize: collect the information needed to decide how the user will be
# authenticated. "sql" runs last and looks the user up in the database tables
# configured in sql.conf.
authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        files
        expiration
        logintime
        pap
        sql
}
# authenticate: one module per Auth-Type chosen during authorize.
# NOTE(review): PAP needs the stored password in a form the pap module can
# compare; MS-CHAP (used by accel-ppp's auth_mschap_v2 on this page) needs a
# clear-text or NT-hash password in radcheck.
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }
        digest
        # NOTE(review): "unix" checks against the system password database;
        # presumably unused in this SQL-backed setup - confirm and drop it if so.
        unix
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
# accounting: records go to the detail files only.
# NOTE(review): "sql" is not listed here, so the radacct table configured in
# sql.conf is not written by this virtual server - add it if session records
# are wanted in the database for auditing.
accounting {
        detail
        exec
        attr_filter.accounting_response
}
session {
        radutmp
}
# post-auth: "sql" logs each authentication result to the post-auth table.
# NOTE(review): with the stock dialup.conf query the submitted password is
# stored in that table too - verify and strip it from the query if not needed.
post-auth {
        sql
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
}
# vim /usr/local/etc/raddb/radiusd.conf
# Main FreeRADIUS server configuration: paths, listeners, logging, limits and
# the files pulled in with $INCLUDE.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.12
pidfile = ${run_dir}/${name}.pid
# The server runs as this unprivileged account; raddb, the log
# directory and run_dir must be accessible to it (and raddb to nobody else,
# since it contains secrets).
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Authentication listener. "ipaddr = *" binds to every IPv4 address of the
# host; "port = 0" takes the port number from /etc/services.
# NOTE(review): the only RADIUS client shown on this page (accel-ppp) talks to
# 127.0.0.1, so binding to 127.0.0.1 would be enough here - confirm no remote
# NAS is expected before narrowing it.
listen {
        type = auth
        ipaddr = *
        port = 0
}
# Accounting listener, same binding as above.
listen {
        ipaddr = *
#       ipv6addr = ::
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
# Logging. auth_badpass/auth_goodpass = no keeps passwords out of radius.log.
# NOTE(review): auth = no also means accepted and rejected logins are not
# logged at all; consider auth = yes so failed-login bursts are visible.
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}

checkrad = ${sbindir}/checkrad
security {
        # Upper bound on attributes accepted in one packet.
        max_attributes = 200
        # Seconds to hold an Access-Reject before sending it; slows down
        # password guessing.
        reject_delay = 1
        # Answer Status-Server requests.
        status_server = yes
}

# Client definitions and their shared secrets.
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        $INCLUDE ${confdir}/modules/
        # SQL module configuration (database credentials live in this file).
        $INCLUDE sql.conf
        #  IP addresses managed in an SQL table.
#       $INCLUDE sqlippool.conf
}
instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

Настройка MySQL для работы с Freeradius

добавляем базу и права на нее

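-- Create the FreeRADIUS database and the account the server connects with.
CREATE DATABASE radius;

-- Create the account first: SET PASSWORD on an account that does not exist
-- yet fails. 'radpass' is the sample value from this page - replace it, and
-- keep it identical to "password" in sql.conf (which shows "radsecret").
CREATE USER 'radius'@'localhost' IDENTIFIED BY 'radpass';

-- Least privilege: the server only reads the user/group/NAS tables, so SELECT
-- on the schema is enough. A following GRANT ALL ON radius.* would have made
-- this SELECT grant meaningless and let a compromised RADIUS server rewrite
-- user credentials and NAS secrets.
GRANT SELECT ON radius.* TO 'radius'@'localhost';

-- Write access only where the server writes: accounting records and the
-- post-auth log. (If sqlippool is enabled later, radippool needs write access
-- as well.)
GRANT ALL ON radius.radacct TO 'radius'@'localhost';
GRANT ALL ON radius.radpostauth TO 'radius'@'localhost';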

Добавляем таблицы

#mysql -D radius < schema.sql
#mysql -D radius < nas.sql
#mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| cui              |
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radippool        |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+

Заполняем таблицы для тестирования

-- Throw-away test account used only to check the RADIUS <-> MySQL path.
-- The password is stored in clear text and is trivially guessable: delete
-- this user from radcheck/radreply before the server accepts real subscribers.
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('test', 'ClearText-Password', ':=', '123456');

-- Reply attributes returned on Access-Accept: IPv4 address, netmask and the
-- IPv6 prefix handed to the PPP server.
INSERT INTO radreply (UserName, Attribute, op, Value)
VALUES
    ('test', 'Framed-IP-Address', ':=', '192.168.15.1'),
    ('test', 'Framed-IP-Netmask', ':=', '255.255.255.255'),
    ('test', 'Framed-IPv6-Prefix', ':=', '2001:0:c38c:c38c:1804::/64');

#radtest test 123456 localhost 1812 radsecret
Sending Access-Request of id 101 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "123456"
        NAS-IP-Address = 192.168.3.122
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=101, length=52
        Framed-IP-Netmask = 255.255.255.255
        Framed-IP-Address = 192.168.15.1
        Framed-IPv6-Prefix = 2001:0:c38c:c38c:1804::/64

Ставим accel-ppp-1.4

Правим конфигурационный файл /etc/accel-ppp.conf

# accel-ppp configuration, part 1: loaded modules, core and PPP/IPv6 options.
[modules]
log_file
pptp
pppoe
auth_mschap_v2
radius
sigchld
pppd_compat
#shaper_tbf
ipv6_nd
ipv6_dhcp

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[ppp]
verbose=1
min-mtu=1280
mtu=1400
mru=1400
# NOTE(review): ipv6 is set twice; presumably only the last value (allow)
# takes effect - keep just the intended one.
ipv6=require
ipv6=allow
#ipv6=allow negotiate IPv6 only when the client requested it
#ipv6=require require IPv6
ipv6-intf-id=0:0:0:2
ipv6-peer-intf-id=0:0:0:2
# 1 = accept the interface identifier proposed by the client instead of
# ipv6-peer-intf-id, i.e. the client picks the host part of its own address.
ipv6-accept-peer-intf-id=1

#for ipv6-intf-id and ipv6-peer-intf-id see rfc5072, rfc4861
Если сделали так, чтобы RADIUS передавал префикс 2001:0:c38c:c38c:1804::/64, то на стороне сервера адрес будет состоять из этого префикса и ipv6-intf-id (из конфига),
а на стороне клиента — из этого префикса и ipv6-peer-intf-id либо того, что предложит клиент, если в конфиге ipv6-accept-peer-intf-id=1.


# accel-ppp configuration, part 2: keepalives, access protocols, RADIUS,
# logging, management CLI and IPv6 DNS/DHCP options.
[lcp]
echo-interval=30
echo-failure=3

[auth]
#any-login=0
#noauth=0

[pptp]
verbose=1

[pppoe]
interface=eth1
verbose=1


[dns]
dns1=10.0.0.1
#dns2=172.16.1.1

[radius]
dictionary=/usr/local/share/accel-ppp/radius/dictionary
nas-identifier=accel-ppp
nas-ip-address=127.0.0.1
gw-ip-address=10.0.0.1
# Format is host:port,shared-secret. The secret must match the one defined
# for this client on the FreeRADIUS side; "radsecret" is a sample value.
auth-server=127.0.0.1:1812,radsecret
acct-server=127.0.0.1:1813,radsecret
server=127.0.0.1,radsecret
# Listener for Disconnect/CoA requests: whoever knows this secret can drop or
# change subscriber sessions. "testing123" is the widely known FreeRADIUS
# sample secret - replace it, and keep the listener on loopback unless a
# remote RADIUS server really needs it.
dae-server=127.0.0.1:3799,testing123
verbose=1
#timeout=3
#max-try=3
#acct-timeout=120
#acct-delay-time=0

# Source addresses allowed to connect.
# NOTE(review): presumably applies to PPTP clients only - confirm for 1.4.
[client-ip-range]
10.0.0.0/8

[ip-pool]
gw-ip-address=192.168.0.1

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
# Failed authentications are logged separately; useful for spotting
# password-guessing bursts.
log-fail-file=/var/log/accel-ppp/auth-fail.log
copy=1
level=3

[pppd-compat]
#ip-pre-up=/etc/ppp/ip-pre-up
#ip-up=/etc/ppp/ip-up
#ip-down=/etc/ppp/ip-down
#ip-change=/etc/ppp/ip-change
radattr-prefix=/var/run/radattr
verbose=1

[tbf]
#attr=Filter-Id
#down-burst-factor=0.1
#up-burst-factor=1.0
#latency=50

# Management interfaces, bound to loopback only.
# NOTE(review): no CLI password is configured here, so any local user can
# connect and manage sessions; accel-ppp has a password option for this
# section - TODO confirm its name for version 1.4 and set it.
[cli]
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001

[ipv6-dns]
2001:05c0:1000:0011::2
#2001:470:20::2
#dnssl=suffix1.local.net
#dnssl=suffix2.local.net.

[ipv6-dhcp]
verbose=1
pref-lifetime=604800
valid-lifetime=2592000
route-via-gw=1

Подключились клиентом Windows 7, смотрим, что выдал PPPoE-сервер