第十三节:Centos7 l2tp Freeradius对接
本节内容主要讲述如何在Centos7上配置xl2tp服务器,使得VPN客户端账号通过Freeradius进行管理,对接Freeradius的好处是,增加、修改或删除用户后立即生效,无需重启xl2tp服务。
1、安装radiusclient-ng
yum install radiusclient-ng -y
2、配置radius服务器
vi /etc/radiusclient-ng/servers
增加如下内容,第一个为raidus服务器地址,第二个为密钥
127.0.0.1 testing123
3、配置radius服务器-radius服务器与xl2tp服务器不是同一台计算机时配置
注意:如果radius服务器不是本机需要修改radiusclient.conf文件
vi /etc/radiusclient-ng/radiusclient.conf
将其中的 authserver localhost acctserver localhost 修改为 authserver radiusIP地址::1812 acctserver radiusIP地址:1813
4、配置dictionary
cp /usr/share/radiusclient-ng/dictionary /etc/radiusclient-ng/ echo 'INCLUDE /etc/radiusclient-ng/dictionary.microsoft' >> /etc/radiusclient-ng/dictionary vi /etc/radiusclient-ng/dictionary.microsoft
#dictionary.microsoft全部内容 # # Microsoft's VSA's, from RFC 2548 # # $Id: dictionary.microsoft,v 1.1 2004/11/14 07:26:26 paulus Exp $ # VENDOR Microsoft 311 Microsoft ATTRIBUTE MS-CHAP-Response 1 string Microsoft ATTRIBUTE MS-CHAP-Error 2 string Microsoft ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft # This is referred to as both singular and plural in the RFC. # Plural seems to make more sense. ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft ATTRIBUTE MS-CHAP-Domain 10 string Microsoft ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft ATTRIBUTE MS-BAP-Usage 13 integer Microsoft ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft ATTRIBUTE MS-RAS-Version 18 string Microsoft ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft ATTRIBUTE MS-Filter 22 string Microsoft ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft ATTRIBUTE MS-CHAP2-Response 25 string Microsoft ATTRIBUTE MS-CHAP2-Success 26 string Microsoft ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft #ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft # # Integer Translations # # MS-BAP-Usage Values VALUE MS-BAP-Usage Not-Allowed 0 VALUE MS-BAP-Usage Allowed 1 VALUE MS-BAP-Usage Required 2 # MS-ARAP-Password-Change-Reason Values VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1 VALUE MS-ARAP-PW-Change-Reason Expired-Password 2 VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3 VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4 # MS-Acct-Auth-Type Values VALUE MS-Acct-Auth-Type PAP 1 VALUE MS-Acct-Auth-Type CHAP 2 VALUE MS-Acct-Auth-Type MS-CHAP-1 3 VALUE MS-Acct-Auth-Type MS-CHAP-2 4 VALUE MS-Acct-Auth-Type EAP 5 # MS-Acct-EAP-Type Values VALUE MS-Acct-EAP-Type MD5 4 VALUE MS-Acct-EAP-Type OTP 5 VALUE MS-Acct-EAP-Type Generic-Token-Card 6 VALUE MS-Acct-EAP-Type TLS 13
修改xl2tpd配置文件,
echo 'plugin radius.so' >> /etc/ppp/options.xl2tpd echo 'radius-config-file /etc/radiusclient-ng/radiusclient.conf' >> /etc/ppp/options.xl2tpd
#重启strongswan与xl2tp服务 service strongswan restart service xl2tpd restart
到此实现了xl2tp与radius对接,可以通过daloradius增加账户,然后通过windows连接测试