Strongswan+freeradius+daloradius+ad認證實現ikev2接入服務
第四部分 安裝mysql、daloradius實現freeradius的web管理
實驗時間:2018年8月14日-2018年8月15日
拓撲圖:
環境:
防火牆1:FW1 USG2200
IP地址外網:10.99.101.170 域名:strongswan.test.com
IP地址內網:192.168.20.3
防火牆2:FW2 USG2200
IP地址外網:10.99.101.129 域名:mystrongswan.test.com
IP地址內網:192.168.20.2
防火牆5:FW5 USG2200
IP地址外網:10.99.101.167
IP地址內網:131.107.0.1
服務器:
域控服務器:
Windows Server2016
IP地址:192.168.20.10 域名:dc.test.com
strongswan服務器:
Centos7
IP地址:192.168.20.29
Strongswan-5.6.3
freeradius服務器:
Centos7
IP地址:192.168.20.27
freeradius-4.0.0
客戶端:Windows7
自帶客戶端 epa-mschapv2模式 、 計算機證書模式
第四部分 安裝mysql、daloradius實現freeradius的web管理
實驗時間:2018年8月14日-2018年8月15日
1、在freeradius服務器上安裝mariadb數據庫
yum install -y mariadb-server systemctl enable mariadb systemctl start mariadb systemctl status mariadb mysql_secure_installation
設置數據庫root初始密碼。
[root@freeradius ~]# mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here. Enter current password for root (enter for none): OK, successfully used password, moving on... Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation. You already have a root password set, so you can safely answer 'n'. Change the root password? [Y/n] y New password: Re-enter new password: Password updated successfully! Reloading privilege tables.. ... Success! By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] y ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] y ... Success! By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] y - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] y ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB!
防火牆端口打開,賦予root遠程連接,方便phpmyadmin查看數據,實驗環境用着方便,生產環境不用開。
firewall-cmd --add-port=3306/tcp --permanent firewall-cmd --reload mysql -u root -p MariaDB [(none)]> GRANT ALL ON *.* TO root@'%' IDENTIFIED BY "rootpasswd"; MariaDB [(none)]> FLUSH PRIVILEGES; MariaDB [(none)]> exit
2、建立數據庫radius,導入freeradius的數據庫結構,並建立數據庫用戶分配權限
mysql -u root -p MariaDB [(none)]> CREATE DATABASE radius; MariaDB [(none)]> exit cat /usr/local/etc/raddb/mods-config/sql/main/mysql/schema.sql mysql -uroot -p radius < /usr/local/etc/raddb/mods-config/sql/main/mysql/schema.sql cat /usr/local/etc/raddb/mods-config/sql/main/mysql/setup.sql #這個文件將建立用戶radius 密碼 radpass 並對radius分配權限。 mysql -uroot -p radius < /usr/local/etc/raddb/mods-config/sql/main/mysql/setup.sql #權限分配不夠,重新分配 mysql -u root -p MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass"; MariaDB [(none)]> FLUSH PRIVILEGES; MariaDB [(none)]> exit
3、開啓freeradius加載sql模塊
ln -s /usr/local/etc/raddb/mods-available/sql /usr/local/etc/raddb/mods-enabled/
編輯sql連接mysql
vim /usr/local/etc/raddb/mods-enabled/sql dialectt = "mysql" driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "radius" password = "radpass" radius_db = "radius" #啓動調試模式 radiusd -Xx
啓動成功,使用賬號sswanuser1 撥號成功。
查看數據庫計費信息radacct表數據
[root@freeradius ~]# mysql -uroot -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 16 Server version: 5.5.56-MariaDB MariaDB Server Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> use radius; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [radius]> select * from radacct; +-----------+---------------+----------------------------------+------------+-----------+-------+---------------+-----------+-------------+---------------------+---------------------+--------------+--------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+---------------------+--------------------+--------------------+-------------+----------------+-----------------+ | radacctid | acctsessionid | acctuniqueid | username | groupname | realm | nasipaddress | nasportid | nasporttype | acctstarttime | acctupdatetime | acctstoptime | acctinterval | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddress | +-----------+---------------+----------------------------------+------------+-----------+-------+---------------+-----------+-------------+---------------------+---------------------+--------------+--------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+---------------------+--------------------+--------------------+-------------+----------------+-----------------+ | 1 | 1534175521-47 | cb7c5bf16f592673e5dc87be799bae54 | sswanuser1 | | | 192.168.20.29 | IKEv2-EAP | Virtual | 2018-08-14 22:58:31 | 2018-08-14 23:00:31 | NULL | 60 | 120 | | | | 101637 | 107925 | 192.168.20.29[4500] | 192.168.20.3[2079] | | Framed-User | | 192.168.20.163 | +-----------+---------------+----------------------------------+------------+-----------+-------+---------------+-----------+-------------+---------------------+---------------------+--------------+--------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+---------------------+--------------------+--------------------+-------------+----------------+-----------------+ 1 row in set (0.00 sec)
一切正常!!!
4、安裝daloradius環境apache、php
安裝apache
yum install -y httpd systemctl enable httpd systemctl start httpd firewall-cmd --zone=public --add-port=80/tcp --permanent firewall-cmd --reload
安裝php
cd /usr/src curl 'https://setup.ius.io/' -o setup-ius.sh bash setup-ius.sh yum -y install mod_php70u php70u-cli php70u-mysqlnd php70u-devel php70u-gd php70u-mcrypt php70u-mbstring php70u-xml php70u-pear pear install DB php -v
5、下載安裝配置daloradius
cd /usr/src wget https://github.com/lirantal/daloradius/archive/master.zip yum install -y unzip unzip master.zip mv daloradius/ /var/www/html cd /var/www/html/daloradius #導入數據庫結構 mysql -u root -p radius < contrib/db/mysql-daloradius.sql #編輯mysql連接參數 vim /var/www/html/daloradius/library/daloradius.conf.php $configValues['CONFIG_DB_HOST'] = 'localhost'; $configValues['CONFIG_DB_PORT'] = '3306'; $configValues['CONFIG_DB_USER'] = 'radius'; $configValues['CONFIG_DB_PASS'] = 'radpass'; $configValues['CONFIG_DB_NAME'] = 'radius'; systemctl restart httpd mariadb
瀏覽器打開http://192.168.20.27/daloradius 用戶名 administrator 密碼 radius
撥入用戶sswanuser1
Reports --> onlie Users
看到撥入用戶信息:
過段時間會有在線時間及流量顯示
其他功能請自行研究。
第四部分 安裝mysql、daloradius實現freeradius的web管理
實驗時間:2018年8月14日-2018年8月15日
配置完畢
第一部分 Centos7 strongswan安裝配置支持 Windows7 ikev2 eap-machapv2模式、計算機證書模式
第二部分 安裝配置freeradius-4.0.0 samba 使用winbind 集成Windiows Active Directory 域賬戶認證並實現用戶組認證
第三部分 集成Strongswan+freeradius實現使用域用戶組認證ikev2接入
第四部分 安裝mysql、daloradius實現freeradius的web管理
第五部分 配置根據撥入用戶名即域賬戶分配固定IP地址以實現對用戶的追蹤
未完待續。。。