strongswan openswan freeradius讨论QQ群:892427461
Strongswan+freeradius+daloradius+ad认证实现ikev2接入服务
第四部分 安装mysql、daloradius实现freeradius的web管理
实验时间:2018年8月14日-2018年8月15日
拓扑图:
环境:
防火墙1:FW1 USG2200
IP地址外网:10.99.101.170 域名:strongswan.test.com
IP地址内网:192.168.20.3
防火墙2:FW2 USG2200
IP地址外网:10.99.101.129 域名:mystrongswan.test.com
IP地址内网:192.168.20.2
防火墙5:FW5 USG2200
IP地址外网:10.99.101.167
IP地址内网:131.107.0.1
服务器:
域控服务器:
Windows Server2016
IP地址:192.168.20.10 域名:dc.test.com
strongswan服务器:
Centos7
IP地址:192.168.20.29
Strongswan-5.6.3
freeradius服务器:
Centos7
IP地址:192.168.20.27
freeradius-4.0.0
客户端:Windows7
自带客户端 epa-mschapv2模式 、 计算机证书模式
第四部分 安装mysql、daloradius实现freeradius的web管理
实验时间:2018年8月14日-2018年8月15日
1、在freeradius服务器上安装mariadb数据库
yum install -y mariadb-server systemctl enable mariadb systemctl start mariadb systemctl status mariadb mysql_secure_installation
设置数据库root初始密码。
[root@freeradius ~]# mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here. Enter current password for root (enter for none): OK, successfully used password, moving on... Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation. You already have a root password set, so you can safely answer 'n'. Change the root password? [Y/n] y New password: Re-enter new password: Password updated successfully! Reloading privilege tables.. ... Success! By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] y ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] y ... Success! By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] y - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] y ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB!
防火墙端口打开,赋予root远程连接,方便phpmyadmin查看数据,实验环境用着方便,生产环境不用开。
firewall-cmd --add-port=3306/tcp --permanent firewall-cmd --reload mysql -u root -p MariaDB [(none)]> GRANT ALL ON *.* TO root@'%' IDENTIFIED BY "rootpasswd"; MariaDB [(none)]> FLUSH PRIVILEGES; MariaDB [(none)]> exit
2、建立数据库radius,导入freeradius的数据库结构,并建立数据库用户分配权限
mysql -u root -p MariaDB [(none)]> CREATE DATABASE radius; MariaDB [(none)]> exit cat /usr/local/etc/raddb/mods-config/sql/main/mysql/schema.sql mysql -uroot -p radius < /usr/local/etc/raddb/mods-config/sql/main/mysql/schema.sql cat /usr/local/etc/raddb/mods-config/sql/main/mysql/setup.sql #这个文件将建立用户radius 密码 radpass 并对radius分配权限。 mysql -uroot -p radius < /usr/local/etc/raddb/mods-config/sql/main/mysql/setup.sql #权限分配不够,重新分配 mysql -u root -p MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass"; MariaDB [(none)]> FLUSH PRIVILEGES; MariaDB [(none)]> exit
3、开启freeradius加载sql模块
ln -s /usr/local/etc/raddb/mods-available/sql /usr/local/etc/raddb/mods-enabled/
编辑sql连接mysql
vim /usr/local/etc/raddb/mods-enabled/sql dialect = "mysql" driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "radius" password = "radpass" radius_db = "radius" #启动调试模式 radiusd -Xx
启动成功,使用账号sswanuser1 拨号成功。
查看数据库计费信息radacct表数据
[root@freeradius ~]# mysql -uroot -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 16 Server version: 5.5.56-MariaDB MariaDB Server Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> use radius; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [radius]> select * from radacct; +-----------+---------------+----------------------------------+------------+-----------+-------+---------------+-----------+-------------+---------------------+---------------------+--------------+--------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+---------------------+--------------------+--------------------+-------------+----------------+-----------------+ | radacctid | acctsessionid | acctuniqueid | username | groupname | realm | nasipaddress | nasportid | nasporttype | acctstarttime | acctupdatetime | acctstoptime | acctinterval | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddress | +-----------+---------------+----------------------------------+------------+-----------+-------+---------------+-----------+-------------+---------------------+---------------------+--------------+--------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+---------------------+--------------------+--------------------+-------------+----------------+-----------------+ | 1 | 1534175521-47 | cb7c5bf16f592673e5dc87be799bae54 | sswanuser1 | | | 192.168.20.29 | IKEv2-EAP | Virtual | 2018-08-14 22:58:31 | 2018-08-14 23:00:31 | NULL | 60 | 120 | | | | 101637 | 107925 | 192.168.20.29[4500] | 192.168.20.3[2079] | | Framed-User | | 192.168.20.163 | +-----------+---------------+----------------------------------+------------+-----------+-------+---------------+-----------+-------------+---------------------+---------------------+--------------+--------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+---------------------+--------------------+--------------------+-------------+----------------+-----------------+ 1 row in set (0.00 sec)
一切正常!!!
4、安装daloradius环境apache、php
安装apache
yum install -y httpd systemctl enable httpd systemctl start httpd firewall-cmd --zone=public --add-port=80/tcp --permanent firewall-cmd --reload
安装php
cd /usr/src curl 'https://setup.ius.io/' -o setup-ius.sh bash setup-ius.sh yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear pear install DB php -v
5、下载安装配置daloradius
cd /usr/src wget https://github.com/lirantal/daloradius/archive/master.zip yum install -y unzip unzip master.zip mv daloradius-master/ daloradius mv daloradius/ /var/www/html cd /var/www/html/daloradius #导入数据库结构 mysql -u root -p radius < contrib/db/mysql-daloradius.sql #编辑mysql连接参数 vim /var/www/html/daloradius/library/daloradius.conf.php $configValues['CONFIG_DB_HOST'] = 'localhost'; $configValues['CONFIG_DB_PORT'] = '3306'; $configValues['CONFIG_DB_USER'] = 'radius'; $configValues['CONFIG_DB_PASS'] = 'radpass'; $configValues['CONFIG_DB_NAME'] = 'radius'; systemctl restart httpd mariadb
浏览器打开http://192.168.20.27/daloradius 用户名 administrator 密码 radius
拨入用户sswanuser1
Reports --> onlie Users
看到拨入用户信息:
过段时间会有在线时间及流量显示
其他功能请自行研究。
第四部分 安装mysql、daloradius实现freeradius的web管理
实验时间:2018年8月14日-2018年8月15日
配置完毕
第一部分 Centos7 strongswan安装配置支持 Windows7 ikev2 eap-machapv2模式、计算机证书模式
第二部分 安装配置freeradius-4.0.0 samba 使用winbind 集成Windiows Active Directory 域账户认证并实现用户组认证
第三部分 集成Strongswan+freeradius实现使用域用户组认证ikev2接入
第四部分 安装mysql、daloradius实现freeradius的web管理
第五部分 配置根据拨入用户名即域账户分配固定IP地址以实现对用户的追踪
未完待续。。。