Nasser Heidari

2010-02-16

FreeBSD 8: Poptop – Freeradius – Mysql

Filed under: freebsd — Nasser Heidari @ 01:34

I installed FreeBSD with the default configuration; the next step is installing the required packages:

# pkg_add -r mysql51-server poptop
# cd /usr/ports/net/freeradius2/
# make install clean && rehash
           (in the freeradius2 port's options dialog, don't forget to select MySQL)

Now that the required packages are installed, let's start the configuration.
– First we need to enable IP forwarding and NAT. Here are my system configuration files; note that the pf filter rules pass all traffic in both directions with state, so the NAT rule is the only policy pf enforces in this setup:

# uname -a
FreeBSD BSD.linax.com 8.0-STABLE FreeBSD 8.0-STABLE #0: Mon Feb 15 07:57:39 IRST 2010     root@BSD.linax.com:/usr/obj/usr/src/sys/LINAX  i386

# cat /etc/rc.conf.local
defaultrouter="192.168.126.2"
ifconfig_em0="inet 192.168.126.130 netmask 255.255.255.0"
ifconfig_em1="inet 10.10.10.1 netmask 255.255.255.0"
gateway_enable="YES"
hostname="BSD.linax.com"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""                
#pflog_enable="YES"        
#pflog_logfile="/var/log/pflog" 
#pflog_flags=""

mysql_enable="YES"
radiusd_enable="YES"

pptpd_enable="YES"

# cat /etc/pf.conf

## TRANSLATION RULES (NAT)
nat on em0 inet proto { tcp, udp, icmp } from 172.16.1.0/24 to any -> 192.168.126.130

## FILTER RULES
pass in log all keep state
pass out log all keep state

Note: I reconfigured my kernel and added the following lines to support pf and NAT:
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ

– Configuring PPTP:

/usr/local/etc/pptpd.conf
nobsdcomp
proxyarp
localip 10.10.10.1
remoteip 172.16.1.1-155
pidfile /var/run/pptpd.pid
+chapms-v2
mppe-40
mppe-128
mppe-stateless
plugin radius.so
plugin radattr.so

/etc/ppp/ppp.conf
loop:
    set timeout 0
    set log phase chat connect lcp ipcp command
    set device localhost:pptp
    set dial
    set login
    set ifaddr 10.10.10.1 172.16.1.1-172.16.1.155 255.255.255.255
    add default HISADDR
    set server /tmp/loop "" 0177

loop-in:
    set timeout 0
    set log phase lcp ipcp command
    allow mode direct

pptp:
    load loop
    disable pap
    disable ipv6cp
    enable proxy
    accept dns
    enable MSChapV2
    enable mppe
    disable deflate pred1
    deny deflate pred1
    set dns 8.8.8.8
    set device !/etc/ppp/secure
    set radius /etc/ppp/radius.conf

/etc/ppp/secure
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

/etc/ppp/radius.conf
auth 127.0.0.1  nasser
acct 127.0.0.1  nasser

– Configuring MySQL & FreeRADIUS:

# cp /usr/local/share/mysql/my-medium.cnf /usr/local/etc/my.cnf
# sed -i.bak 's:/tmp/:/var/db/mysql/:' /usr/local/etc/my.cnf
# mysql_install_db
# chown -R mysql:mysql /var/db/mysql/
# /usr/local/etc/rc.d/mysql-server start
# mysql -u root
    mysql> create schema radius;
    mysql> grant all on radius.* to 'radius'@'localhost' identified by 'radpass';
    mysql> flush privileges;
    mysql> \q
# mysql -u root radius < /usr/local/etc/raddb/sql/mysql/schema.sql

– Edit /usr/local/etc/raddb/sql.conf and enter the server name, user name and password used to connect to your MySQL server and the RADIUS database (the 'radius' user and 'radpass' password created above). Leave the database and table names at their defaults if you used the default schema. For testing or debugging, turn on sqltrace if you wish: FreeRADIUS will then dump every SQL statement it runs to the debug output.

– Edit /usr/local/etc/raddb/radiusd.conf and uncomment the $INCLUDE sql.conf and $INCLUDE sql/mysql/counter.conf lines.

– Edit /usr/local/etc/raddb/sites-enabled/default and add a line saying 'sql' to the authorize{} section (towards the end of the file). The best place to put it is just before the 'files' entry. If you will only be using MySQL, and not falling back to text files, you can comment out or remove the 'files' entry altogether.

Also add a line saying 'sql' to the accounting{} section, between 'unix' and 'radutmp', so that FreeRADIUS does accounting to MySQL as well.
At the end, your authorize and accounting sections should look something like this:

authorize {
        preprocess
        chap
        mschap
        unix
        sql
        expiration
        logintime
        noresetcounter
        dailycounter
        monthlycounter
        pap
}
accounting {
        acct_unique
        detail
        unix
        sql
        radutmp
        attr_filter.accounting_response
}

– Now set up clients.conf. The secret here must match the one in /etc/ppp/radius.conf above, since ppp talks to the RADIUS server on 127.0.0.1:

/usr/local/etc/raddb/clients.conf
client 127.0.0.1 {
        secret          = nasser
        shortname       = PPTP
        nastype         = other
}

– OK, that's it. Let's create a user in MySQL:

use radius;
-- Group check item: force MS-CHAP authentication for members of 'normalusers'.
-- The default schema sets op to '==' when the column is omitted; ':=' is the
-- operator that sets a check item, so it is spelled out here.
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES ('normalusers', 'Auth-Type', ':=', 'MS-CHAP');
-- Group reply items: returned to the NAS for every member of the group.
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('normalusers', 'Framed-Compression', '=', 'Van-Jacobson-TCP-IP');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('normalusers', 'Framed-Protocol', '=', 'PPP');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('normalusers', 'Service-Type', '=', 'Framed-User');
-- Put the user 'nasser' into that group.
INSERT INTO radusergroup (UserName, GroupName, priority) VALUES ('nasser', 'normalusers', 1);
-- Per-user check items: the password, a login window (all days, 08:00-12:00,
-- enforced by the logintime module) and a daily limit of 3600 seconds of
-- session time (enforced by the dailycounter module). Naming the columns
-- lets the id column auto-increment instead of being hard-coded.
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('nasser', 'Password', ':=', '123456');
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('nasser', 'Login-Time', ':=', 'Al0800-1200');
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('nasser', 'Max-Daily-Session', ':=', '3600');
-- Per-user reply item: a fixed address taken from the remoteip pool in pptpd.conf.
INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('nasser', 'Framed-IP-Address', '=', '172.16.1.33');
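As an added example (not part of the original post and not FreeRADIUS code), here is a small Python model of how FreeRADIUS 2 applies the rows above: check items from radcheck and radgroupcheck gate the request, reply items from radreply and radgroupreply are returned to the NAS, Login-Time is parsed with the day-code syntax the logintime module understands (Mo..Su, Wk for weekdays, Al or Any for every day, then HHMM-HHMM, several entries separated by commas), and Max-Daily-Session is applied the way the dailycounter module does, trimming Session-Timeout to whatever time is left. The row data is constructed to mirror the post's INSERTs; the MS-CHAP verification of the Password item is a separate step in rlm_mschap and is deliberately left out.

```python
"""Model of how FreeRADIUS 2 evaluates radcheck/radgroupcheck and
radreply/radgroupreply rows.  Added example, not project code."""
from datetime import datetime

# Constructed rows mirroring the post's INSERT statements.  The op column is
# spelled out because FreeRADIUS 2's schema defaults it to '==' when omitted.
RADGROUPCHECK = [("normalusers", "Auth-Type", ":=", "MS-CHAP")]
RADGROUPREPLY = [
    ("normalusers", "Framed-Compression", "=", "Van-Jacobson-TCP-IP"),
    ("normalusers", "Framed-Protocol", "=", "PPP"),
    ("normalusers", "Service-Type", "=", "Framed-User"),
]
RADUSERGROUP = [("nasser", "normalusers", 1)]
RADCHECK = [
    ("nasser", "Password", ":=", "123456"),
    ("nasser", "Login-Time", ":=", "Al0800-1200"),
    ("nasser", "Max-Daily-Session", ":=", "3600"),
]
RADREPLY = [("nasser", "Framed-IP-Address", "=", "172.16.1.33")]

# Day codes used by Login-Time (Monday == 0, matching datetime.weekday()).
DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}


def _as_datetime(when):
    """Accept either a datetime or an ISO 8601 string such as '2010-02-16T09:00'."""
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def parse_login_time_entry(entry):
    """Parse one Login-Time entry such as 'Al0800-1200' or 'Wk0900-1700' into
    (set of weekdays, start minute of day, end minute of day)."""
    entry = entry.strip()
    days, i = set(), 0
    if entry.startswith("Any"):          # 'Any' is the three-letter spelling of 'Al'
        days, i = set(range(7)), 3
    while i < len(entry) and entry[i].isalpha():
        code = entry[i:i + 2]
        if code == "Al":
            days |= set(range(7))
        elif code == "Wk":               # weekdays only
            days |= set(range(5))
        elif code in DAY_CODES:
            days.add(DAY_CODES[code])
        else:
            raise ValueError(f"unknown day code {code!r} in {entry!r}")
        i += 2
    if not days:                         # no day prefix means every day
        days = set(range(7))
    start_s, end_s = entry[i:].split("-")
    start = int(start_s[:2]) * 60 + int(start_s[2:])
    end = int(end_s[:2]) * 60 + int(end_s[2:])
    return days, start, end


def login_time_allows(spec, when):
    """True if `when` falls inside any comma-separated entry of `spec`.  A window
    whose end is earlier than its start (e.g. 'Al2200-0600') wraps past midnight."""
    when = _as_datetime(when)
    minute = when.hour * 60 + when.minute
    for entry in spec.split(","):
        days, start, end = parse_login_time_entry(entry)
        if when.weekday() not in days:
            continue
        if start <= end and start <= minute < end:
            return True
        if start > end and (minute >= start or minute < end):
            return True
    return False


def authorize(user, when, seconds_used_today):
    """Return (accepted, reason, reply attributes) for a login by `user` at `when`
    after `seconds_used_today` seconds of session time already used that day."""
    when = _as_datetime(when)
    groups = [g for u, g, _ in sorted(RADUSERGROUP, key=lambda r: r[2]) if u == user]
    checks = [(a, op, v) for u, a, op, v in RADCHECK if u == user]
    for g in groups:
        checks += [(a, op, v) for gg, a, op, v in RADGROUPCHECK if gg == g]
    if not checks:
        return False, "unknown user", {}
    for attr, _, value in checks:
        if attr == "Login-Time" and not login_time_allows(value, when):
            return False, "outside Login-Time", {}
        if attr == "Max-Daily-Session" and seconds_used_today >= int(value):
            return False, "Max-Daily-Session exhausted", {}
    # MS-CHAP verification of the Password item happens in rlm_mschap; not modelled.
    reply = {}
    for g in groups:                     # group replies first, user replies override
        reply.update({a: v for gg, a, _, v in RADGROUPREPLY if gg == g})
    reply.update({a: v for u, a, _, v in RADREPLY if u == user})
    for attr, _, value in checks:
        if attr == "Max-Daily-Session":  # counter module limits the session to what is left
            reply["Session-Timeout"] = str(int(value) - seconds_used_today)
    return True, "ok", reply


if __name__ == "__main__":
    print(authorize("nasser", "2010-02-16T09:00", 600))
    print(authorize("nasser", "2010-02-16T13:00", 0))
```

Running the block shows the first login being accepted with the group's PPP attributes, the fixed Framed-IP-Address and a Session-Timeout of 3000 seconds, while the 13:00 attempt is rejected by the Login-Time window.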

Now reboot the server.
You should be able to connect to it with the Microsoft VPN client built into Windows.

Thanks to:
http://www.linux-bsd-central.com/index.php/content/view/8/
http://poripori.net/PPTPD_on_FreeBSD.html
http://www.frontios.com/freeradius.html
http://www.rensel.com/wireless/pppoe.cfm
http://www.altctrldel.com/blog/categories/Slackware/PoPToP – Freeradius – MySQL.txt
http://old.nabble.com/account-interim-update-from-pptp-server-td24068962.html
http://cipitunk.wordpress.com/2009/04/08/vpn-server-using-pptp-protocol-and-freeradius-as-aaa-implementation/
http://www.pingle.org/2006/04/11/getting-poptop-to-run-under-freebsd-5-6


1 Comment »

  1. Please clarify your brief input:

    – OK , That’s IT . lets create a user in mysql :

    use radius;

    What are you referring to in this statement “use radius”?

    Please show detailed comments breaking out each line and explaining each action:

    INSERT INTO radgroupcheck (GroupName, Attribute, Value) VALUES ('normalusers', 'Auth-Type', 'MS-CHAP');
    INSERT INTO radgroupreply (GroupName, Attribute, Value) VALUES ('normalusers', 'Framed-Compression','Van-Jacobson-TCP-IP' );
    INSERT INTO radgroupreply (GroupName, Attribute, Value) VALUES ('normalusers', 'Framed-Protocol', 'PPP' );
    INSERT INTO radgroupreply (GroupName, Attribute, Value) VALUES ('normalusers', 'Service-Type', 'Framed-User' );
    INSERT INTO radusergroup (UserName, GroupName, priority) VALUES ('nasser', 'normalusers', 1);
    INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('nasser', 'Password', '123456');
    INSERT INTO radcheck VALUES ('2','nasser','Login-Time',':=','Al0800-1200');
    INSERT INTO radcheck VALUES ('','nasser','Max-Daily-Session',':=','3600');
    INSERT INTO radreply (UserName, Attribute, Value) VALUES ('nasser', 'Framed-IP-Address', '172.16.1.33');

    Thank you

    Comment by PLanet 0.00000 — 2010-10-15 @ 05:34
