В примере будет использоваться виртуальный сервер под openvz. Прежде всего, создадим виртуальный сервер.
# Runs on the hardware node: create container 803 from the CentOS 5 x86_64 OS template.
vzctl create 803 --ostemplate centos-5-x86_64
настройка лимитов виртуальной машины
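# Resource limits (UBC), disk quota, CPU share, network identity and the
# iptables modules container 803 (the national FLR) is allowed to load.
# Every call uses --save so the values persist in /etc/vz/conf/803.conf.
vzctl set 803 --save --onboot "yes"

# Memory / kernel object limits as "barrier:limit" pairs.
vzctl set 803 --save --kmemsize "104239923:114663915"
vzctl set 803 --save --lockedpages "5089:5089"
vzctl set 803 --save --privvmpages "152695:167964"
vzctl set 803 --save --shmpages "15269:15269"
vzctl set 803 --save --numproc "4000:4000"
vzctl set 803 --save --physpages "0:9223372036854775807"
vzctl set 803 --save --vmguarpages "152695:9223372036854775807"
vzctl set 803 --save --oomguarpages "152695:9223372036854775807"
vzctl set 803 --save --numtcpsock "4000:4000"
vzctl set 803 --save --numflock "1000:1100"
vzctl set 803 --save --numpty "400:400"
vzctl set 803 --save --numsiginfo "1024:1024"
vzctl set 803 --save --tcpsndbuf "18362641:34746641"
vzctl set 803 --save --tcprcvbuf "18362641:34746641"
vzctl set 803 --save --othersockbuf "9181320:25565320"
vzctl set 803 --save --dgramrcvbuf "9181320:9181320"
vzctl set 803 --save --numothersock "4000:4000"
vzctl set 803 --save --dcachesize "22762625:23445504"
vzctl set 803 --save --numfile "40704:40704"
vzctl set 803 --save --avnumproc "1272:1272"
# Maximum number of iptables rules inside the container.
vzctl set 803 --save --numiptent "200:200"

# Disk quota and CPU weight.
vzctl set 803 --save --diskspace "1163682:1280051"
vzctl set 803 --save --diskinodes "421490:463640"
vzctl set 803 --save --quotatime "0"
vzctl set 803 --save --cpuunits "100050"

# Network identity (venet address) and hostname.
vzctl set 803 --save --ipadd "80.94.174.231"
vzctl set 803 --save --hostname "roaming.eduroam.by"

# Netfilter modules the container may use for its own /etc/sysconfig/iptables.
vzctl set 803 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG \
  --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter \
  --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl \
  --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save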
запуск виртуальной машины
# Boot the container; from here on it also starts automatically (--onboot yes).
vzctl start 803
вход на сервер
# Open a root shell inside the container; the following steps run inside it.
vzctl enter 803
настройка днс
# Point the container at the provider's resolver.
printf 'nameserver %s\n' 80.94.160.3 > /etc/resolv.conf
апдейт системы, установка vim
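# Bring the freshly created template up to date (security errata) before
# installing any services, then set up an editor.
yum update
yum install vim-enhanced
cp /usr/share/vim/vim70/vimrc_example.vim ~/.vimrc
vim ~/.vimrc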
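# Install the distribution FreeRADIUS 2 packages, then rebuild them with a
# newer rlm_linelog.c (needed for the F-TICKS "reference" syntax used in
# modules/f_ticks). The replacement file is fetched from a specific commit,
# so the build is reproducible.
yum install freeradius2.x86_64 freeradius2-utils.x86_64
rpm -Uvh freeradius2-2.1.7-7.el5.src.rpm
cd /usr/src/redhat/SOURCES
tar jxfv freeradius-server-2.1.7.tar.bz2
wget https://raw.github.com/mcnewton/freeradius-server/089c108c472a6a9d2a21ae86b41343b06274f95d/src/modules/rlm_linelog/rlm_linelog.c
mv rlm_linelog.c ./freeradius-server-2.1.7/src/modules/rlm_linelog/rlm_linelog.c
tar cjf freeradius-server-2.1.7.tar.bz2 freeradius-server-2.1.7
cd /usr/src/redhat/

# Build dependencies of the spec file.
yum install autoconf gdbm-devel libtool libtool-ltdl-devel openssl-devel pam-devel zlib-devel \
  net-snmp-devel readline-devel libpcap-devel openldap-devel krb5-devel python-devel mysql-devel \
  postgresql-devel unixODBC-devel rpm-build
rpmbuild -bb SPECS/freeradius2.spec
cd RPMS/x86_64/

# NOTE(review): the rebuilt packages keep the distribution version/release
# (hence --force), so a later "yum update" can silently replace the patched
# module; bump the Release tag in the spec or exclude freeradius2* in yum.
rpm -Uvh --force freeradius2-2.1.7-7.x86_64.rpm freeradius2-mysql-2.1.7-7.x86_64.rpm freeradius2-utils-2.1.7-7.x86_64.rpm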
/etc/raddb/proxy.conf
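# /etc/raddb/proxy.conf on the national FLR (roaming.eduroam.by).
# Realms of the two national IdPs are forwarded straight to the
# institution's server; "nostrip" keeps user@realm intact in User-Name.
# The bracketed secrets are placeholders for per-peer shared secrets.
realm eduroam.by {
    nostrip
    authhost = 80.94.174.233
    accthost = 80.94.174.233
    secret = [secret-of-eduroam.by-here]
}

realm basnet.by {
    nostrip
    authhost = 80.94.174.234
    accthost = 80.94.174.234
    secret = [secret-of-basnet.by-here]
}

# European top-level servers. Status-Server probes detect a dead peer
# (zombie after 40 s without answers, probed every 30 s, alive again after
# 3 answers).
home_server etlr1-v4 {
    type = auth+acct
    ipaddr = 192.87.106.34
    port = 1812
    secret = [secret-of-etlr1-v4-here]
    response_window = 20
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

home_server etlr2-v4 {
    type = auth+acct
    ipaddr = 130.225.242.109
    port = 1812
    secret = [secret-of-etlr2-v4-here]
    response_window = 20
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

home_server_pool EDUROAM-ETLR {
    type = fail-over
    home_server = etlr1-v4
    home_server = etlr2-v4
}

# Every realm that is not Belarusian goes to the ETLRs.
realm DEFAULT {
    pool = EDUROAM-ETLR
    nostrip
}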
/etc/raddb/eap.conf
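# /etc/raddb/eap.conf on the FLR, changed sections only.
ttls {
    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
}

peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    # NOTE(review): no "inner-tunnel" site exists on this host once
    # sites-enabled is emptied and only "eduroam" is created. Since the FLR
    # proxies EAP by realm instead of terminating it this may never be
    # reached, but confirm with radiusd -X.
    virtual_server = "inner-tunnel"
}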
/etc/raddb/clients.conf
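# /etc/raddb/clients.conf on the FLR: the test access point and the two
# national IdPs. All clients are pinned to the "eduroam" virtual server.
# Bracketed secrets are placeholders; use a distinct, long random secret per
# client.
client descriptivename {
    ipaddr = 212.98.162.58
    netmask = 32
    secret = [passwordforeapoltest]
    # NOTE(review): "no" accepts Access-Requests that carry no
    # Message-Authenticator. EAP requests always include it (RFC 3579), so
    # "yes" rejects forged or tampered packets from these peers at no cost.
    require_message_authenticator = no
    shortname = eduroam-ap-v4
    nastype = other
    virtual_server = eduroam
}

client idp.eduroam.by {
    ipaddr = 80.94.174.233
    netmask = 32
    secret = [passwordofidpeduroam]
    require_message_authenticator = no
    shortname = idp-eduroam
    nastype = other
    virtual_server = eduroam
}

client idp.basnet.by {
    ipaddr = 80.94.174.234
    netmask = 32
    secret = [passwordofidpbasnet]
    require_message_authenticator = no
    shortname = idp-basnet
    nastype = other
    virtual_server = eduroam
}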
/etc/raddb/sites-enabled/eduroam
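# Remove the stock virtual servers so only the eduroam site is loaded,
# then create it.
rm -rf /etc/raddb/sites-enabled/*
vim /etc/raddb/sites-enabled/eduroam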
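# /etc/raddb/sites-enabled/eduroam on the FLR. The FLR only routes requests
# by realm (proxy.conf); nothing is authenticated locally, so "authenticate"
# is left empty.
server eduroam {
    authorize {
        preprocess
        auth_log
        suffix
        eap
    }

    authenticate {
    }

    preacct {
        preprocess
        acct_unique
        suffix
    }

    accounting {
        detail
    }

    session {
    }

    # f_ticks emits one F-TICKS record per result, for accepts and rejects.
    post-auth {
        reply_log
        f_ticks
        Post-Auth-Type REJECT {
            reply_log
            f_ticks
            attr_filter.access_reject
        }
    }

    # NOTE(review): the IdP sites run attr_filter.pre-proxy and
    # attr_filter.post-proxy here to strip attributes crossing the
    # federation boundary; the FLR would benefit from the same filters.
    pre-proxy {
        pre_proxy_log
    }

    post-proxy {
        post_proxy_log
    }
}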
/etc/raddb/modules/f_ticks
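# /etc/raddb/modules/f_ticks: emit one F-TICKS line per authentication
# result via syslog (facility local7, forwarded by syslog.conf to the
# statistics collector).
linelog f_ticks {
    filename = syslog
    syslog_facility = local7
    format = ""
    # Select the line below that matches the reply packet type
    # (Access-Accept / Access-Reject); "format" (empty) is the fallback.
    reference = "f_ticks.%{%{reply:Packet-Type}:-format}"

    f_ticks {
        # Variants that also report the institution identifier:
        # Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#VISINST=YOUR-ID#CSI=%{Calling-Station-Id}#RESULT=OK#"
        # Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#VISINST=YOUR-ID#CSI=%{Calling-Station-Id}#RESULT=FAIL#"

        # CSI is the client's MAC address and leaves the host over plain
        # syslog/UDP; check that the collector actually needs it unhashed.
        Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#CSI=%{Calling-Station-Id}#RESULT=OK#"
        Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=BY#CSI=%{Calling-Station-Id}#RESULT=FAIL#"
    }
}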
radius autostart
# Start radiusd at boot.
chkconfig radiusd on
/etc/syslog.conf
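# /etc/syslog.conf: existing rules stay as they are; add one line that
# forwards the F-TICKS records (facility local7, see modules/f_ticks) to the
# statistics collector. "@host" is plain syslog over UDP.
local7.*    @ip.address.of.stat.server.for.f_ticks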
/etc/sysconfig/iptables
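# Generated by iptables-save v1.3.5 on Mon Apr 18 12:02:16 2011
*mangle
:PREROUTING ACCEPT [1239:134578]
:INPUT ACCEPT [1239:134578]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:78700]
:POSTROUTING ACCEPT [270:78700]
COMMIT
# Completed on Mon Apr 18 12:02:16 2011
# Generated by iptables-save v1.3.5 on Mon Apr 18 12:02:16 2011
*filter
# Default-deny inbound. Known peers (test AP, both national IdPs, both
# ETLRs) are allowed by source address only; restricting them further to
# "-p udp --dport 1812:1813" would limit exposure to the RADIUS ports.
:INPUT DROP [966:55207]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:78700]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 212.98.162.58 -j ACCEPT
-A INPUT -s 80.94.174.233 -j ACCEPT
-A INPUT -s 80.94.174.234 -j ACCEPT
-A INPUT -s 192.87.106.34 -j ACCEPT
-A INPUT -s 130.225.242.109 -j ACCEPT
# Loopback accept, as in the IdP rulesets; without it local tests such as
# radtest against 127.0.0.1 are dropped.
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Mon Apr 18 12:02:16 2011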
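# Load the ruleset now and at every boot.
chkconfig iptables on
/etc/init.d/iptables restart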
В примере будет использоваться виртуальный сервер под openvz с виртуальным сетевым интерфейсом типа veth. Прежде всего, создадим виртуальный сервер.
# Runs on the hardware node: create container 903 (IdP for eduroam.by) from the CentOS 5 x86_64 template.
vzctl create 903 --ostemplate centos-5-x86_64
настройка лимитов виртуальной машины
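# Resource limits (UBC), disk quota, CPU share, network identity and the
# iptables modules container 903 (IdP idp.eduroam.by) is allowed to load.
# Every call uses --save so the values persist in /etc/vz/conf/903.conf.
vzctl set 903 --save --onboot "yes"

# Memory / kernel object limits as "barrier:limit" pairs.
vzctl set 903 --save --kmemsize "104239923:114663915"
vzctl set 903 --save --lockedpages "5089:5089"
vzctl set 903 --save --privvmpages "152695:167964"
vzctl set 903 --save --shmpages "15269:15269"
vzctl set 903 --save --numproc "4000:4000"
vzctl set 903 --save --physpages "0:9223372036854775807"
vzctl set 903 --save --vmguarpages "152695:9223372036854775807"
vzctl set 903 --save --oomguarpages "152695:9223372036854775807"
vzctl set 903 --save --numtcpsock "4000:4000"
vzctl set 903 --save --numflock "1000:1100"
vzctl set 903 --save --numpty "400:400"
vzctl set 903 --save --numsiginfo "1024:1024"
vzctl set 903 --save --tcpsndbuf "18362641:34746641"
vzctl set 903 --save --tcprcvbuf "18362641:34746641"
vzctl set 903 --save --othersockbuf "9181320:25565320"
vzctl set 903 --save --dgramrcvbuf "9181320:9181320"
vzctl set 903 --save --numothersock "4000:4000"
vzctl set 903 --save --dcachesize "22762625:23445504"
vzctl set 903 --save --numfile "40704:40704"
vzctl set 903 --save --avnumproc "1272:1272"
# Maximum number of iptables rules inside the container.
vzctl set 903 --save --numiptent "200:200"

# Disk quota and CPU weight.
vzctl set 903 --save --diskspace "1163682:1280051"
vzctl set 903 --save --diskinodes "421490:463640"
vzctl set 903 --save --quotatime "0"
vzctl set 903 --save --cpuunits "100050"

# Hostname and a veth interface (the address is configured inside the
# container and routed by /etc/vz/conf/903.mount, not via --ipadd).
vzctl set 903 --save --hostname "idp.eduroam.by"
vzctl set 903 --netif_add eth0 --save

# Netfilter modules the container may use for its own /etc/sysconfig/iptables.
vzctl set 903 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG \
  --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter \
  --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl \
  --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save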
Для корректной работы veth создадим файл /etc/vz/conf/903.mount
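#!/bin/bash
# vzctl mount hook for container 903 (/etc/vz/conf/903.mount), run on the
# hardware node. Once the host-side veth device of the container appears it
# is brought up without an address and a host route for the container's
# public IP is added, so traffic for that IP is sent over the veth pair.
#
# vzctl exports VE_CONFFILE; the global and per-container configs are sourced
# in the same order vzctl does. A missing file means the setup is broken.
[ -f /etc/vz/vz.conf ] || exit 1
# ":?" aborts if VE_CONFFILE is unset; the original unquoted "[ -f $VE_CONFFILE ]"
# silently succeeded on an empty value.
[ -f "${VE_CONFFILE:?VE_CONFFILE not set}" ] || exit 1
. /etc/vz/vz.conf
. "$VE_CONFFILE"

readonly IP=80.94.174.233   # address configured inside the container (ifcfg-eth0)
readonly DEV=veth903.0      # host-side end of the container's veth pair

# The device exists only after the container has started, so poll for it in
# the background and return at once so vzctl is not blocked.
{
  while sleep 1; do
    # ifconfig succeeds once the device exists; "0" leaves it without an
    # address of its own.
    if /sbin/ifconfig "$DEV" 0 >/dev/null 2>&1; then
      /sbin/ip route add "$IP" dev "$DEV"
      break
    fi
  done
} &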
сделаем исполняемым:
# vzctl only runs the hook if it is executable.
chmod +x /etc/vz/conf/903.mount
запуск виртуальной машины
# Boot the container; the mount hook above runs as part of this.
vzctl start 903
вход на сервер
# Open a root shell inside the container; the following steps run inside it.
vzctl enter 903
настройка днс
# Point the container at the provider's resolver.
printf 'nameserver %s\n' 80.94.160.3 > /etc/resolv.conf
настройка сети
/etc/sysconfig/network-scripts/ifcfg-eth0
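# /etc/sysconfig/network-scripts/ifcfg-eth0 inside container 903.
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=80.94.174.233
# /32: the only neighbour is the host side of the veth pair; the gateway and
# default routes are added explicitly in ifup-eth.
NETMASK=255.255.255.255
BROADCAST=0.0.0.0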
Приводим к следующему виду файл /etc/sysconfig/network-scripts/ifup-eth
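# Add Zeroconf route.
# NOTE(review): the container's gateway routes are attached to the Zeroconf
# block, so setting NOZEROCONF would also drop the default route, and the
# device is hard-coded as eth0 rather than ${REALDEVICE}. Because eth0 has a
# /32 netmask the gateway (presumably the host side, 80.94.174.193) needs an
# explicit host route before "default via" can be added.
if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" -a "${REALDEVICE}" != "lo" ]; then
    ip route replace 169.254.0.0/16 dev ${REALDEVICE}
    ip route add 80.94.174.193 dev eth0
    ip route add default via 80.94.174.193
fi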
рестартуем сеть
# Apply ifcfg-eth0 and the routes added to ifup-eth.
/etc/init.d/network restart
апдейт системы
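# Bring the freshly created template up to date (security errata) before
# installing any services, then set up an editor.
yum update
yum install vim-enhanced
cp /usr/share/vim/vim70/vimrc_example.vim ~/.vimrc
vim ~/.vimrc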
# The IdP's user directory (slapd) and the client tools used to load it.
yum install openldap-servers openldap-clients
сгенерируем хэш пароля (в примере пароль будет test)
slappasswd
New password:
Re-enter new password:
{SSHA}k4PBNKscSEeqobzNBRdaYYBa2EYtGZ8m
правим /etc/openldap/slapd.conf
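# /etc/openldap/slapd.conf, changed lines only.
database bdb
suffix "dc=eduroam,dc=by"
# Directory superuser, used by ldapadd below and as the rlm_ldap bind
# identity. The hash is the slappasswd output for the example password
# "test"; generate your own.
rootdn "cn=root,dc=eduroam,dc=by"
rootpw {SSHA}k4PBNKscSEeqobzNBRdaYYBa2EYtGZ8m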
копируем стандартные настройки базы и стартуем ldap
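# Install the sample Berkeley DB tuning file and start slapd.
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
/etc/init.d/ldap start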
делаем тестовые ldif-файлы для наполнения ldap.
base.ldif
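# base.ldif: the directory root (suffix from slapd.conf).
dn: dc=eduroam,dc=by
objectClass: dcObject
objectClass: organization
objectClass: top
dc: eduroam
o: eduroam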
people.ldif
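## FIRST Level hierarchy - people
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line

dn: ou=people, dc=eduroam,dc=by
ou: people
description: All people in organisation
objectclass: organizationalunit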
slayer.ldif
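## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name

dn: cn=Valery Ciareszka,ou=people,dc=eduroam,dc=by
objectclass: inetOrgPerson
cn: Valery Ciareszka
cn: Valery J Ciareszka
sn: Ciareszka
uid: slayer
# Stored in clear on purpose: the MS-CHAPv2 inner method configured in
# eap.conf needs a cleartext or NT-hashed password and cannot verify a
# {SSHA} hash. Restrict read access to userPassword with slapd ACLs to the
# bind identity rlm_ldap uses.
userpassword: test123
carlicense: HISCAR 123
homephone: 555-111-2222
# rlm_ldap looks users up by mail, so these are the login names.
mail: slayer@eduroam.by
mail: suka.slayer@eduroam.by
description: swell guy
ou: Human Resources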
Добавляем все это в ldap
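# Load the entries as the directory superuser; -W prompts for the rootdn
# password instead of taking it on the command line.
ldapadd -x -D "cn=root,dc=eduroam,dc=by" -W -f base.ldif
ldapadd -x -D "cn=root,dc=eduroam,dc=by" -W -f people.ldif
ldapadd -x -D "cn=root,dc=eduroam,dc=by" -W -f slayer.ldif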
добавляем ldap в автозагрузку
# Start slapd at boot.
chkconfig ldap on
ставим и запускаем mysql, добавляем в автозагрузку
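# Accounting database server. A fresh MySQL install has an unprotected root
# account; set its password (e.g. mysql_secure_installation) before creating
# the radius database.
yum install mysql-server
/etc/init.d/mysqld start
chkconfig mysqld on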
создаем базу, таблицы, пользователя
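-- Accounting database for the IdP, written by rlm_sql (sql.conf) and read
-- by the eduroam monitoring scripts. ENGINE= replaces the TYPE= keyword,
-- which later MySQL releases no longer accept; MyISAM has no transactions.
create database radius;
-- Same password as sql.conf; the grant is local-only. rlm_sql itself needs
-- only INSERT/UPDATE on ACCOUNTING, so the privileges could be narrowed.
grant all privileges on radius.* to radiusd@localhost identified by 'radpasswd';
USE radius;

CREATE TABLE ACCOUNTING (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `Client-IP-Address` varchar(100) NOT NULL default '',
  `Called-Station-Id` varchar(100) NOT NULL default '',
  `NAS-IP-Address` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp Start` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Dhcp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Stop` datetime NOT NULL default '1970-01-01 01:00:00',
  `Acct-Unique-Session-Id` varchar(100) NOT NULL default '',
  `Acct-Session-Time` int(10) unsigned NOT NULL default '0',
  `Acct-Input-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Input-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Terminate-Cause` varchar(100) NOT NULL default '',
  -- The update/stop queries in sql.conf locate rows by this column.
  KEY `acct_unique` (`Acct-Unique-Session-Id`)
) ENGINE=MyISAM;

-- Access point inventory. The secret columns hold credentials in clear, so
-- this table needs the same protection as a password file.
create table access_points (
  `IP address` varchar(100) PRIMARY KEY NOT NULL,
  `snmp secret` varchar(100) NOT NULL default '',
  `radius secret` varchar(100) NOT NULL default '',
  `root username` varchar(100) NOT NULL default '',
  `root password` varchar(100) NOT NULL default ''
) ENGINE=MyISAM;

CREATE TABLE denied (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `NAS-Shortname` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Cause` varchar(100) NOT NULL default ''
) ENGINE=MyISAM;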
ставим freeradius, и модули ldap,mysql к нему
# FreeRADIUS 2 with the LDAP (authentication) and MySQL (accounting) modules.
yum install freeradius2.x86_64 freeradius2-utils.x86_64 freeradius2-ldap freeradius2-mysql
/etc/raddb/proxy.conf
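# /etc/raddb/proxy.conf on the eduroam.by IdP.
proxy server {
    default_fallback = yes
}

realm LOCAL {
}

# Our own realm: no home server, so it is handled locally.
realm eduroam.by {
    nostrip
}

# The national FLR; Status-Server probes detect a dead peer.
home_server roaming.eduroam.by {
    type = auth+acct
    ipaddr = 80.94.174.231
    port = 1812
    secret = [secrethere]
    response_window = 20
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

home_server_pool EDUROAM-FTLR-BY {
    type = fail-over
    home_server = roaming.eduroam.by
}

# Visitors from any other realm are forwarded to the FLR.
realm DEFAULT {
    pool = EDUROAM-FTLR-BY
    nostrip
}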
/etc/raddb/eap.conf
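# /etc/raddb/eap.conf on the eduroam.by IdP. Outer methods TTLS and PEAP
# carry MS-CHAPv2 into the "eduroam-inner-tunnel" virtual server.
eap {
    # NOTE(review): EAP-MD5 and LEAP do not authenticate the server and
    # are unsuitable for eduroam; they are the stock defaults here.
    # Removing md5/leap and defaulting to peap prevents a misconfigured
    # supplicant from negotiating them.
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048

    md5 {
    }

    leap {
    }

    gtc {
        auth_type = PAP
    }

    # Stock test settings: "bootstrap" generates self-signed certificates and
    # "whatever" is their key password. For production install a server
    # certificate from a CA the supplicants trust, set a real
    # private_key_password, keep this file readable by root:radiusd only,
    # and point CA_file at that CA.
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            max_entries = 255
        }
    }

    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }

    mschapv2 {
    }
}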
/etc/raddb/clients.conf
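# /etc/raddb/clients.conf on the eduroam.by IdP: the national FLR and the
# test access point. Bracketed secrets are placeholders; use a distinct,
# long random secret per client.
client roaming.eduroam.by {
    ipaddr = 80.94.174.231
    netmask = 32
    secret = [password-of-flrs-roaming-eduroam-by]
    # NOTE(review): EAP requests always carry Message-Authenticator
    # (RFC 3579); "yes" rejects forged or tampered packets from this peer.
    require_message_authenticator = no
    shortname = eduroam-flrs
    nastype = other
    virtual_server = eduroam
}

client eapoltest {
    ipaddr = 212.98.162.58
    netmask = 32
    secret = [passwordforeapoltest]
    require_message_authenticator = no
    shortname = eduroam-ap-v4
    nastype = other
    virtual_server = eduroam
}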
/etc/raddb/modules/pap
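# /etc/raddb/modules/pap
pap {
    # Recognise "{ssha}"-style hash prefixes on passwords read from LDAP.
    auto_header = yes
}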
/etc/raddb/modules/ldap
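# /etc/raddb/modules/ldap: user lookup and password retrieval for the inner
# tunnel.
ldap {
    server = "127.0.0.1"
    # NOTE(review): binding as the directory superuser gives radiusd full
    # write access to the tree; a dedicated read-only bind DN with ACL
    # access to userPassword is sufficient for authentication.
    identity = "cn=root,dc=eduroam,dc=by"
    password = test
    basedn = "dc=eduroam,dc=by"
    # Users are found by mail, i.e. the full user@realm (nostrip in
    # proxy.conf keeps the realm in User-Name).
    filter = "(mail=%{User-Name})"
    base_filter = "(objectclass=inetOrgPerson)"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        # Acceptable only because slapd is on loopback.
        start_tls = no
    }
    profile_attribute = "eduPersonPrincipalName"
    dictionary_mapping = ${confdir}/ldap.attrmap
    # Read into the request, presumably so the inner MS-CHAPv2 exchange can
    # be verified against the stored password — confirm with radiusd -X.
    password_attribute = userPassword
    edir_account_policy_check = no
}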
sites-enabled/eduroam
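# Remove the stock virtual servers so only the eduroam site (which defines
# both the outer and the inner-tunnel server) is loaded, then create it.
rm -rf /etc/raddb/sites-enabled/*
vim /etc/raddb/sites-enabled/eduroam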
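# /etc/raddb/sites-enabled/eduroam on the eduroam.by IdP.
server eduroam {
    authorize {
        auth_log
        suffix
        # Sub-realms of eduroam.by would fall into realm DEFAULT and be
        # proxied; keep them local. The dots are escaped so only real
        # *.eduroam.by names match (the unescaped pattern also matched e.g.
        # user@Xeduroam.by).
        if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@.*\.eduroam\.by$/)) {
            update control {
                Proxy-To-Realm := NULL
            }
        }
        eap
    }

    authenticate {
        Auth-Type EAP {
            eap
        }
    }

    preacct {
        suffix
        acct_unique
        # NOTE(review): authorize reads control:Proxy-To-Realm; this bare
        # reference may be resolved against the request list and never
        # match — confirm with radiusd -X.
        if ((Proxy-To-Realm == DEFAULT) && (User-Name =~ /.*@.*\.eduroam\.by$/)) {
            update control {
                Proxy-To-Realm := NULL
            }
        }
    }

    accounting {
        detail
        sql
    }

    post-auth {
        reply_log
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            reply_log
        }
    }

    # Filter attributes in both directions across the federation boundary.
    pre-proxy {
        attr_filter.pre-proxy
        pre_proxy_log
    }

    post-proxy {
        post_proxy_log
        attr_filter.post-proxy
    }
}

# Inner tunnel: the real identity is authenticated against LDAP here.
server eduroam-inner-tunnel {
    authorize {
        auth_log
        ldap
        eap
    }

    authenticate {
        Auth-Type LDAP {
            ldap
        }
        eap
    }

    preacct {
    }

    accounting {
    }

    session {
    }

    post-auth {
        # Copies the inner (real) identity into the outer reply, so the
        # visited network learns it even when the outer identity is
        # anonymous; eduroam guidance favours Chargeable-User-Identity for
        # this — check against policy.
        update outer.reply {
            User-Name = "%{User-Name}"
        }
        reply_log
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            reply_log
        }
    }

    pre-proxy {
    }

    post-proxy {
    }
}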
/etc/raddb/radiusd.conf
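# /etc/raddb/radiusd.conf on the IdP.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid

# Drop root after binding the sockets.
user = radiusd
group = radiusd

max_request_time = 30
cleanup_delay = 5
max_requests = 1024

# Listen on every address; port 0 means the RADIUS defaults (1812/1813).
# Exposure is limited by /etc/sysconfig/iptables, which admits known peers
# only.
listen {
    type = auth
    ipaddr = *
    port = 0
}

listen {
    ipaddr = *
    port = 0
    type = acct
}

hostname_lookups = no
# Core files would contain shared secrets and passwords.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    # Keep user passwords out of radius.log.
    auth_badpass = no
    auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    # Answer Status-Server probes from the FLR.
    status_server = yes
}

proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
    $INCLUDE sql.conf
    $INCLUDE sql/mysql/counter.conf
}

instantiate {
    exec
    expr
    expiration
    logintime
}

$INCLUDE policy.conf
$INCLUDE sites-enabled/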
/etc/raddb/sql.conf
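# /etc/raddb/sql.conf: accounting into the local MySQL "radius" database.
sql {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    login = "radiusd"
    # Must match the GRANT used when the database was created.
    password = "radpasswd"
    radius_db = "radius"
    num_sql_socks = 5
    connect_failure_retry_delay = 60

    # Eduroam specific logging of Accounting start and stop records.
    # Rows are keyed by Acct-Unique-Session-Id (acct_unique in preacct).
    accounting_start_query = "INSERT into ACCOUNTING SET\
        `User-Name` = '%{User-Name}',\
        `Calling-Station-Id` = '%{Calling-Station-Id}',\
        `Called-Station-Id` = '%{Called-Station-Id}',\
        `NAS-IP-Address` = '%{NAS-IP-Address}',\
        `NAS-Port` = '%{NAS-Port}',\
        `Timestamp Start` = NOW(),\
        `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'"

    # Gigawords carry the high 32 bits of the octet counters; "high << 32 |
    # low" rebuilds the 64-bit value inside MySQL.
    accounting_update_query = "UPDATE ACCOUNTING SET\
        `Acct-Session-Time` = '%{Acct-Session-Time}',\
        `Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',\
        `Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',\
        `Acct-Input-Packets` = '%{Acct-Input-Packets}',\
        `Acct-Output-Packets` = '%{Acct-Output-Packets}'\
        WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
        LIMIT 1"

    accounting_stop_query = "UPDATE ACCOUNTING SET\
        `Timestamp Stop` = NOW(),\
        `Acct-Session-Time` = '%{Acct-Session-Time}',\
        `Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',\
        `Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',\
        `Acct-Input-Packets` = '%{Acct-Input-Packets}',\
        `Acct-Output-Packets` = '%{Acct-Output-Packets}',\
        `Acct-Terminate-Cause` = '%{Acct-Terminate-Cause:-Unknown}'\
        WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
        LIMIT 1"
}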
добавляем freeradius в автозагрузку
# Start radiusd at boot.
chkconfig radiusd on
/etc/sysconfig/iptables
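# Generated by iptables-save v1.3.5 on Mon Apr 18 12:00:21 2011
*mangle
:PREROUTING ACCEPT [1054:112214]
:INPUT ACCEPT [1054:112214]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [213:66193]
:POSTROUTING ACCEPT [213:66193]
COMMIT
# Completed on Mon Apr 18 12:00:21 2011
# Generated by iptables-save v1.3.5 on Mon Apr 18 12:00:21 2011
*filter
# Default-deny inbound: only the test AP and the FLR may reach this host,
# and only via loopback are slapd and MySQL reachable. Restricting the two
# peers to "-p udp --dport 1812:1813" would limit exposure further.
:INPUT DROP [772:40258]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [213:66193]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 212.98.162.58 -j ACCEPT
-A INPUT -s 80.94.174.231 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Mon Apr 18 12:00:21 2011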
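# Load the ruleset now and at every boot.
chkconfig iptables on
/etc/init.d/iptables restart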
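# Install the eduroam monitoring script and its Perl dependencies.
# Both the tarball and the rpmforge release package are fetched over plain
# HTTP and the archive is unpacked as root straight into /; verify a
# checksum or signature obtained out of band and list the archive contents
# (tar tzf) before extracting.
cd
wget thesuki.org/scripts/eduroam/eduroam_monitor-20090509.tar.gz
cd /
tar zxfv /root/eduroam_monitor-20090509.tar.gz
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum install perl-File-Tail
yum install perl-Net-SNMP
touch /var/log/dhcpd.log

# Adjust the script and its configuration for this site.
vim /usr/sbin/eduroam_monitor.pl
# NOTE(review): the original read "vim /vim var/eduroam/etc/sys_db", which
# looks garbled; the intended path is assumed to be the one below — confirm.
vim /var/eduroam/etc/sys_db

# Start it now and on every boot.
/usr/sbin/eduroam_monitor.pl
echo "/usr/sbin/eduroam_monitor.pl" >> /etc/rc.local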
создание виртуального сервера
# Runs on the hardware node: create container 904 (IdP for basnet.by) from the CentOS 5 x86_64 template.
vzctl create 904 --ostemplate centos-5-x86_64
настройка лимитов виртуальной машины
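# Resource limits (UBC), disk quota, CPU share, network identity and the
# iptables modules container 904 (IdP idp.basnet.by) is allowed to load.
# Every call uses --save so the values persist in /etc/vz/conf/904.conf.
vzctl set 904 --save --onboot "yes"

# Memory / kernel object limits as "barrier:limit" pairs.
vzctl set 904 --save --kmemsize "104239923:114663915"
vzctl set 904 --save --lockedpages "5089:5089"
vzctl set 904 --save --privvmpages "152695:167964"
vzctl set 904 --save --shmpages "15269:15269"
vzctl set 904 --save --numproc "4000:4000"
vzctl set 904 --save --physpages "0:9223372036854775807"
vzctl set 904 --save --vmguarpages "152695:9223372036854775807"
vzctl set 904 --save --oomguarpages "152695:9223372036854775807"
vzctl set 904 --save --numtcpsock "4000:4000"
vzctl set 904 --save --numflock "1000:1100"
vzctl set 904 --save --numpty "400:400"
vzctl set 904 --save --numsiginfo "1024:1024"
vzctl set 904 --save --tcpsndbuf "18362641:34746641"
vzctl set 904 --save --tcprcvbuf "18362641:34746641"
vzctl set 904 --save --othersockbuf "9181320:25565320"
vzctl set 904 --save --dgramrcvbuf "9181320:9181320"
vzctl set 904 --save --numothersock "4000:4000"
vzctl set 904 --save --dcachesize "22762625:23445504"
vzctl set 904 --save --numfile "40704:40704"
vzctl set 904 --save --avnumproc "1272:1272"
# Maximum number of iptables rules inside the container.
vzctl set 904 --save --numiptent "200:200"

# Disk quota and CPU weight.
vzctl set 904 --save --diskspace "1163682:1280051"
vzctl set 904 --save --diskinodes "421490:463640"
vzctl set 904 --save --quotatime "0"
vzctl set 904 --save --cpuunits "100050"

# Hostname and a veth interface (the address is configured inside the
# container and routed by /etc/vz/conf/904.mount, not via --ipadd).
vzctl set 904 --save --hostname "idp.basnet.by"
vzctl set 904 --netif_add eth0 --save

# Netfilter modules the container may use for its own /etc/sysconfig/iptables.
vzctl set 904 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG \
  --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter \
  --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl \
  --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save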
Для корректной работы veth создадим файл /etc/vz/conf/904.mount
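#!/bin/bash
# vzctl mount hook for container 904 (/etc/vz/conf/904.mount), run on the
# hardware node. Once the host-side veth device of the container appears it
# is brought up without an address and a host route for the container's
# public IP is added, so traffic for that IP is sent over the veth pair.
#
# vzctl exports VE_CONFFILE; the global and per-container configs are sourced
# in the same order vzctl does. A missing file means the setup is broken.
[ -f /etc/vz/vz.conf ] || exit 1
# ":?" aborts if VE_CONFFILE is unset; the original unquoted "[ -f $VE_CONFFILE ]"
# silently succeeded on an empty value.
[ -f "${VE_CONFFILE:?VE_CONFFILE not set}" ] || exit 1
. /etc/vz/vz.conf
. "$VE_CONFFILE"

readonly IP=80.94.174.234   # address configured inside the container (ifcfg-eth0)
readonly DEV=veth904.0      # host-side end of the container's veth pair

# The device exists only after the container has started, so poll for it in
# the background and return at once so vzctl is not blocked.
{
  while sleep 1; do
    # ifconfig succeeds once the device exists; "0" leaves it without an
    # address of its own.
    if /sbin/ifconfig "$DEV" 0 >/dev/null 2>&1; then
      /sbin/ip route add "$IP" dev "$DEV"
      break
    fi
  done
} &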
сделаем исполняемым
# vzctl only runs the hook if it is executable.
chmod +x /etc/vz/conf/904.mount
запуск виртуальной машины
# Boot the container; the mount hook above runs as part of this.
vzctl start 904
вход на сервер
# Open a root shell inside the container; the following steps run inside it.
vzctl enter 904
настройка днс
# Point the container at the provider's resolver (replaced by the domain
# controller later in this section).
printf 'nameserver %s\n' 80.94.160.3 > /etc/resolv.conf
настройка сети
/etc/sysconfig/network-scripts/ifcfg-eth0
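# /etc/sysconfig/network-scripts/ifcfg-eth0 inside container 904.
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=80.94.174.234
# /32: the only neighbour is the host side of the veth pair; the gateway and
# default routes are added explicitly in ifup-eth.
NETMASK=255.255.255.255
BROADCAST=0.0.0.0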
Приводим к следующему виду файл /etc/sysconfig/network-scripts/ifup-eth
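# Add Zeroconf route.
# NOTE(review): the container's gateway routes are attached to the Zeroconf
# block, so setting NOZEROCONF would also drop the default route, and the
# device is hard-coded as eth0 rather than ${REALDEVICE}. Because eth0 has a
# /32 netmask the gateway (presumably the host side, 80.94.174.193) needs an
# explicit host route before "default via" can be added.
if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" -a "${REALDEVICE}" != "lo" ]; then
    ip route replace 169.254.0.0/16 dev ${REALDEVICE}
    ip route add 80.94.174.193 dev eth0
    ip route add default via 80.94.174.193
fi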
апдейт системы
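# Bring the freshly created template up to date (security errata) before
# installing any services, then set up an editor.
yum update
yum install vim-enhanced
cp /usr/share/vim/vim70/vimrc_example.vim ~/.vimrc
vim ~/.vimrc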
ставим kerberos
# Kerberos client tools (kinit) needed to join the AD domain.
yum install krb5-workstation
файл конфига /etc/krb5.conf
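# /etc/krb5.conf: the host is a Kerberos client of the BASNET.BY AD realm.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BASNET.BY
 # KDC and realm are pinned below instead of being discovered via DNS.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 BASNET.BY = {
  kdc = 80.94.174.204:88
  admin_server = 80.94.174.204:749
  default_domain = basnet.by
 }

[domain_realm]
 .basnet.by = BASNET.BY
 basnet.by = BASNET.BY

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }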
Получаем тикет
# Obtain a ticket for the domain administrator (prompts for the password); confirms the KDC settings work before joining.
/usr/kerberos/bin/kinit administrator@BASNET.BY
конфиг самбы /etc/samba/smb.conf
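# /etc/samba/smb.conf: Samba is used only as an AD domain member so that
# winbind / ntlm_auth can verify MS-CHAPv2 credentials against the domain.
[global]
    workgroup = BASNET
    server string = Samba Server Version %v
    netbios name = idp
    security = ads
    printcap name = /etc/printcap
    load printers = no
    printing =
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = no
    password server = 80.94.174.204
    realm = BASNET.BY

# NOTE(review): this exports writable home directories over SMB, which the
# IdP does not need; remove the share unless it is used.
[homes]
    comment = Home Directories
    browseable = no
    writable = yes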
меняем резолвер на контроллер домена
# Resolve through the domain controller so AD names are found.
printf 'nameserver %s\n' 80.94.174.204 > /etc/resolv.conf
в файле /etc/nsswitch.conf изменяем строчки:
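# /etc/nsswitch.conf, changed lines: consult winbind after the local files
# so domain users and groups resolve.
passwd:     files winbind
shadow:     files winbind
group:      files winbind
protocols:  files winbind
services:   files winbind
netgroup:   nisplus winbind
automount:  files nisplus winbind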
добавляем сервер в домен
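# Join the host to the domain. Without the "%password" suffix, net prompts
# for the password instead of exposing it in the process list and shell
# history.
net join -U Administrator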
стартуем samba/winbind
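# Start Samba and winbind (ntlm_auth talks to winbindd).
/etc/init.d/smb start
/etc/init.d/winbind start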
добавляем в автозапуск
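# Start both at boot.
chkconfig smb on
chkconfig winbind on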
ставим и запускаем mysql, добавляем в автозагрузку
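# Accounting database server. A fresh MySQL install has an unprotected root
# account; set its password (e.g. mysql_secure_installation) before creating
# the radius database.
yum install mysql-server
/etc/init.d/mysqld start
chkconfig mysqld on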
создаем базу, таблицы, пользователя
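-- Accounting database for the IdP, written by rlm_sql (sql.conf) and read
-- by the eduroam monitoring scripts. ENGINE= replaces the TYPE= keyword,
-- which later MySQL releases no longer accept; MyISAM has no transactions.
create database radius;
-- Same password as sql.conf; the grant is local-only. rlm_sql itself needs
-- only INSERT/UPDATE on ACCOUNTING, so the privileges could be narrowed.
grant all privileges on radius.* to radiusd@localhost identified by 'radpasswd';
USE radius;

CREATE TABLE ACCOUNTING (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `Client-IP-Address` varchar(100) NOT NULL default '',
  `Called-Station-Id` varchar(100) NOT NULL default '',
  `NAS-IP-Address` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp Start` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Dhcp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Timestamp Stop` datetime NOT NULL default '1970-01-01 01:00:00',
  `Acct-Unique-Session-Id` varchar(100) NOT NULL default '',
  `Acct-Session-Time` int(10) unsigned NOT NULL default '0',
  `Acct-Input-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Octets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Input-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Output-Packets` bigint(20) unsigned NOT NULL default '0',
  `Acct-Terminate-Cause` varchar(100) NOT NULL default '',
  -- The update/stop queries in sql.conf locate rows by this column.
  KEY `acct_unique` (`Acct-Unique-Session-Id`)
) ENGINE=MyISAM;

-- Access point inventory. The secret columns hold credentials in clear, so
-- this table needs the same prot
ection as a password file.
create table access_points (
  `IP address` varchar(100) PRIMARY KEY NOT NULL,
  `snmp secret` varchar(100) NOT NULL default '',
  `radius secret` varchar(100) NOT NULL default '',
  `root username` varchar(100) NOT NULL default '',
  `root password` varchar(100) NOT NULL default ''
) ENGINE=MyISAM;

CREATE TABLE denied (
  `User-Name` varchar(100) NOT NULL default '',
  `Calling-Station-Id` varchar(100) NOT NULL default '',
  `NAS-Shortname` varchar(100) NOT NULL default '',
  `NAS-Port` int(10) unsigned NOT NULL default '0',
  `Timestamp` datetime NOT NULL default '1970-01-01 01:00:00',
  `Cause` varchar(100) NOT NULL default ''
) ENGINE=MyISAM;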
ставим freeradius, и модуль mysql к нему
# FreeRADIUS 2 with the MySQL (accounting) module; authentication goes through winbind/ntlm_auth.
yum install freeradius2.x86_64 freeradius2-utils.x86_64 freeradius2-mysql
/etc/raddb/proxy.conf
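# /etc/raddb/proxy.conf on the basnet.by IdP.
proxy server {
    default_fallback = yes
}

realm LOCAL {
}

# Our own realm: no home server, so it is handled locally.
realm basnet.by {
    nostrip
}

# The national FLR; Status-Server probes detect a dead peer.
home_server roaming.eduroam.by {
    type = auth+acct
    ipaddr = 80.94.174.231
    port = 1812
    secret = [passwordhere]
    response_window = 20
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

home_server_pool EDUROAM-FTLR-BY {
    type = fail-over
    home_server = roaming.eduroam.by
}

# Visitors from any other realm are forwarded to the FLR.
realm DEFAULT {
    pool = EDUROAM-FTLR-BY
    nostrip
}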
/etc/raddb/eap.conf
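# /etc/raddb/eap.conf on the basnet.by IdP. Outer methods TTLS and PEAP
# carry MS-CHAPv2 into the "eduroam-inner-tunnel" virtual server.
eap {
    # NOTE(review): EAP-MD5 and LEAP do not authenticate the server and
    # are unsuitable for eduroam; they are the stock defaults here.
    # Removing md5/leap and defaulting to peap prevents a misconfigured
    # supplicant from negotiating them.
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048

    md5 {
    }

    leap {
    }

    gtc {
        auth_type = PAP
    }

    # Stock test settings: "bootstrap" generates self-signed certificates and
    # "whatever" is their key password. For production install a server
    # certificate from a CA the supplicants trust, set a real
    # private_key_password, keep this file readable by root:radiusd only,
    # and point CA_file at that CA.
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            max_entries = 255
        }
    }

    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }

    mschapv2 {
    }
}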
/etc/raddb/clients.conf
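# /etc/raddb/clients.conf on the basnet.by IdP: the national FLR and the
# test access point. Bracketed secrets are placeholders; use a distinct,
# long random secret per client.
client roaming.eduroam.by {
    ipaddr = 80.94.174.231
    netmask = 32
    secret = [password-of-flrs-roaming-eduroam-by]
    # NOTE(review): EAP requests always carry Message-Authenticator
    # (RFC 3579); "yes" rejects forged or tampered packets from this peer.
    require_message_authenticator = no
    shortname = eduroam-flrs
    nastype = other
    virtual_server = eduroam
}

client eapoltest {
    ipaddr = 212.98.162.58
    netmask = 32
    secret = [passwordforeapoltest]
    require_message_authenticator = no
    shortname = eduroam-ap-v4
    nastype = other
    virtual_server = eduroam
}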
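# /etc/raddb/modules/pap
pap {
    # Recognise "{ssha}"-style hash prefixes on stored passwords.
    auto_header = yes
}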
/etc/raddb/modules/mschap
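# /etc/raddb/modules/mschap: MS-CHAPv2 is verified by the AD domain through
# winbind's ntlm_auth.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    # The wrapper script strips the "@basnet.by" suffix because ntlm_auth
    # wants a bare user name (Stripped-User-Name is empty here, so the
    # fallback mschap:User-Name carries user@realm). The user-supplied name
    # reaches the wrapper as an argument, so the wrapper must quote it.
    ntlm_auth = "/usr/bin/ntlm_auth.sh --request-nt-key --username=%{Stripped-User-Name:-%{mschap:User-Name}} \
        --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}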
ntlm_auth не умеет авторизовать по имени пользователя вида --user=user@domain.org, только --user=user --domain=domain.org. Stripped-User-Name почему-то отдает пустоту, а mschap:User-Name — user@domain.org. Поэтому используем workaround в виде скрипта /usr/bin/ntlm_auth.sh
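#!/bin/sh
# Wrapper around ntlm_auth for rlm_mschap. The module calls it as
#   $1 = --request-nt-key
#   $2 = --username=<user>@basnet.by
#   $3 = --challenge=...
#   $4 = --nt-response=...
# and ntlm_auth needs the bare user name, so the realm suffix is removed
# from $2 before the arguments are forwarded.

# Strip a trailing "@basnet.by" by exact suffix match. The original
# "sed 's/@basnet.by//g'" left the dots unescaped and matched anywhere in
# the argument (e.g. "@basnetXby"), and the unquoted expansion was subject
# to word splitting and globbing.
strip_realm() {
  printf '%s\n' "${1%@basnet.by}"
}

USERNAME=$(strip_realm "$2")
# Quoting keeps the challenge/response values intact even if they contain
# shell-special characters.
/usr/bin/ntlm_auth "$1" "$USERNAME" "$3" "$4"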
делаем исполняемым
# rlm_mschap executes the wrapper directly, so it must be executable.
chmod +x /usr/bin/ntlm_auth.sh
sites-enabled/eduroam
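# Remove the stock virtual servers so only the eduroam site (which defines
# both the outer and the inner-tunnel server) is loaded, then create it.
rm -rf /etc/raddb/sites-enabled/*
vim /etc/raddb/sites-enabled/eduroam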
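# /etc/raddb/sites-enabled/eduroam on the basnet.by IdP.
server eduroam {
    authorize {
        auth_log
        suffix
        # Sub-realms of basnet.by would fall into realm DEFAULT and be
        # proxied; keep them local. The dots are escaped so only real
        # *.basnet.by names match (the unescaped pattern also matched e.g.
        # user@Xbasnet.by).
        if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@.*\.basnet\.by$/)) {
            update control {
                Proxy-To-Realm := NULL
            }
        }
        eap
    }

    authenticate {
        Auth-Type EAP {
            eap
        }
    }

    preacct {
        suffix
        acct_unique
        # NOTE(review): authorize reads control:Proxy-To-Realm; this bare
        # reference may be resolved against the request list and never
        # match — confirm with radiusd -X.
        if ((Proxy-To-Realm == DEFAULT) && (User-Name =~ /.*@.*\.basnet\.by$/)) {
            update control {
                Proxy-To-Realm := NULL
            }
        }
    }

    accounting {
        detail
        sql
    }

    post-auth {
        reply_log
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            reply_log
        }
    }

    # Filter attributes in both directions across the federation boundary.
    pre-proxy {
        attr_filter.pre-proxy
        pre_proxy_log
    }

    post-proxy {
        post_proxy_log
        attr_filter.post-proxy
    }
}

# Inner tunnel: the real identity is verified against the AD domain via
# the mschap module (ntlm_auth).
server eduroam-inner-tunnel {
    authorize {
        auth_log
        mschap
        eap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

    preacct {
    }

    accounting {
    }

    session {
    }

    post-auth {
        # Copies the inner (real) identity into the outer reply, so the
        # visited network learns it even when the outer identity is
        # anonymous; eduroam guidance favours Chargeable-User-Identity for
        # this — check against policy.
        update outer.reply {
            User-Name = "%{User-Name}"
        }
        reply_log
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            reply_log
        }
    }

    pre-proxy {
    }

    post-proxy {
    }
}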
/etc/raddb/radiusd.conf
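# /etc/raddb/radiusd.conf on the IdP.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid

# Drop root after binding the sockets.
user = radiusd
group = radiusd

max_request_time = 30
cleanup_delay = 5
max_requests = 1024

# Listen on every address; port 0 means the RADIUS defaults (1812/1813).
# Exposure is limited by /etc/sysconfig/iptables, which admits known peers
# only.
listen {
    type = auth
    ipaddr = *
    port = 0
}

listen {
    ipaddr = *
    port = 0
    type = acct
}

hostname_lookups = no
# Core files would contain shared secrets and passwords.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    # Keep user passwords out of radius.log.
    auth_badpass = no
    auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    # Answer Status-Server probes from the FLR.
    status_server = yes
}

proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
    $INCLUDE sql.conf
    $INCLUDE sql/mysql/counter.conf
}

instantiate {
    exec
    expr
    expiration
    logintime
}

$INCLUDE policy.conf
$INCLUDE sites-enabled/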
/etc/raddb/sql.conf
# sql.conf: rlm_sql instance used by the accounting section of the outer server.
sql {
  database = "mysql"
  driver = "rlm_sql_${database}"
  server = "localhost"
  login = "radiusd"
  # Cleartext database credential.  Keep this file readable only by root and
  # the radiusd user/group (no world-read bit), and grant this MySQL account
  # rights on the radius database only.
  password = "radpasswd"
  radius_db = "radius"
  num_sql_socks = 5
  connect_failure_retry_delay = 60
  # Eduroam specific logging of Accounting start and stop records
  # The %{...} expansions below are substituted by rlm_sql, which (in
  # FreeRADIUS 2.x) runs them through its SQL escape function before they land
  # inside the quoted literals; that escaping, not the quotes, is what keeps
  # NAS-supplied values such as User-Name from altering the statement.  Do not
  # rebuild these values with unescaped string concatenation elsewhere.
  accounting_start_query = "INSERT into ACCOUNTING SET\
    `User-Name` = '%{User-Name}',\
    `Calling-Station-Id` = '%{Calling-Station-Id}',\
    `Called-Station-Id` = '%{Called-Station-Id}',\
    `NAS-IP-Address` = '%{NAS-IP-Address}',\
    `NAS-Port` = '%{NAS-Port}',\
    `Timestamp Start` = NOW(),\
    `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'"
  # 64-bit byte counters are rebuilt as Gigawords << 32 | Octets; a missing
  # attribute defaults to 0 through the %{%{X}:-0} form, and MySQL converts
  # the quoted strings to integers for the shift.
  accounting_update_query = "UPDATE ACCOUNTING SET\
    `Acct-Session-Time` = '%{Acct-Session-Time}',\
    `Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',\
    `Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',\
    `Acct-Input-Packets` = '%{Acct-Input-Packets}',\
    `Acct-Output-Packets` = '%{Acct-Output-Packets}'\
    WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
    LIMIT 1"
  accounting_stop_query = "UPDATE ACCOUNTING SET\
    `Timestamp Stop` = NOW(),\
    `Acct-Session-Time` = '%{Acct-Session-Time}',\
    `Acct-Input-Octets` = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',\
    `Acct-Output-Octets` = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',\
    `Acct-Input-Packets` = '%{Acct-Input-Packets}',\
    `Acct-Output-Packets` = '%{Acct-Output-Packets}',\
    `Acct-Terminate-Cause` = '%{Acct-Terminate-Cause:-Unknown}'\
    WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
    LIMIT 1"
}
Чтобы radius мог аутентифицироваться через samba (winbind):
# Give the radiusd group access to winbind's privileged pipe directory so the
# daemon (presumably via ntlm_auth for MS-CHAP) can talk to winbindd after it
# has dropped root.  Change the group only; do not loosen the directory mode
# for everyone.
chgrp radiusd /var/cache/samba/winbindd_privileged
стартуем radius
# Start the daemon; it drops to user/group radiusd as set in radiusd.conf
/etc/init.d/radiusd start
добавляем в автозагрузку
# Start radiusd automatically at boot
chkconfig radiusd on
/etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Mon Apr 18 11:01:02 2011
# mangle table: default chains only, no rules
*mangle
:PREROUTING ACCEPT [3182:259335]
:INPUT ACCEPT [3182:259335]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3233:320119]
:POSTROUTING ACCEPT [3233:320119]
COMMIT
# Completed on Mon Apr 18 11:01:02 2011
# Generated by iptables-save v1.3.5 on Mon Apr 18 11:01:02 2011
*filter
# Default-deny inbound; everything not matched below is dropped
:INPUT DROP [539:30177]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3233:320119]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Peers are whitelisted by source address for every protocol and port.  If a
# host only needs RADIUS, narrowing its rule to -p udp --dport 1812 / 1813
# (plus whatever admin access is required) limits what a compromised or
# spoofed peer can reach.  212.98.162.58 is the eapol_test host used later;
# 80.94.174.231 is this VE's own address.  Note that the IdP addresses used in
# the tests (80.94.174.233 / .234) are not listed - if they send requests to
# this FLR rather than only answering it, they need an ACCEPT here (confirm).
-A INPUT -s 212.98.162.58 -j ACCEPT
-A INPUT -s 80.94.174.231 -j ACCEPT
-A INPUT -s 80.94.164.26 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 80.94.174.204 -j ACCEPT
COMMIT
# Completed on Mon Apr 18 11:01:02 2011
# Load the rule set at boot and apply it now
chkconfig iptables on
/etc/init.d/iptables restart
# Back to $HOME (/root for this session) and fetch the monitor tarball
cd
wget thesuki.org/scripts/eduroam/eduroam_monitor-20090509.tar.gz
# The archive is unpacked straight over / as root.  It arrives over plain
# HTTP from a third-party site and nothing here checks a hash or signature,
# so list its contents first (tar tzf) and make sure the paths it will
# overwrite are the expected ones before extracting.
cd /
tar zxfv /root/eduroam_monitor-20090509.tar.gz
# rpmforge-release is also fetched over plain HTTP.  rpm only verifies the
# package signature if the RPMforge GPG key has been imported beforehand;
# otherwise it warns (NOKEY) and installs anyway, so import the key first
# or compare the download with a hash published by the repository.
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum install perl-File-Tail
yum install perl-Net-SNMP
touch /var/log/dhcpd.log
# Adjust the monitor script and its site database before the first run
vim /usr/sbin/eduroam_monitor.pl
vim /var/eduroam/etc/sys_db
/usr/sbin/eduroam_monitor.pl
# Launch the monitor at boot; rc.local runs it as root
echo "/usr/sbin/eduroam_monitor.pl" >> /etc/rc.local
Тестируем всю полученную конструкцию. Для этого будем использовать эмулятор точки доступа eapol; тестировать будем с хоста 212.98.162.58 (мы для него создавали запись в clients.conf).
# A prebuilt binary fetched over plain HTTP and made executable as-is; it will
# be run with the RADIUS shared secret on its command line.  Prefer building
# eapol_test yourself from the wpa_supplicant source (CONFIG_EAPOL_TEST=y), or
# at least verify the download against a hash published by its author.
wget thesuki.org/scripts/eduroam/eapol/eapol_test
chmod +x eapol_test
Конфиг для теста EAP/TTLS/PAP (eduroam.by) ttlspap.conf
# eapol_test / wpa_supplicant profile: EAP-TTLS with PAP in the inner tunnel.
# No ca_cert= is set, so the server certificate is not validated.  That is
# tolerable for this lab run against a fixed -a address, but a real supplicant
# profile must set ca_cert: PAP sends the password inside the tunnel, and an
# unvalidated server can read it.  Without anonymous_identity= the real user
# name is also the outer (cleartext) identity.  The file holds a cleartext
# password - keep it mode 0600.
network={
  ssid="eduroam"
  key_mgmt=IEEE8021X
  eap=TTLS
  pairwise=CCMP TKIP
  group=CCMP TKIP WEP104 WEP40
  phase2="auth=PAP"
  identity="slayer@eduroam.by"
  password="test123"
}
Конфиг для теста EAP/PEAP/MSCHAP (basnet.by) peapmschap.conf
# eapol_test / wpa_supplicant profile: PEAP with MSCHAPv2 in the inner tunnel.
# No ca_cert= is set, so the server certificate is not validated.  Acceptable
# for this lab run against a fixed -a address only; a real supplicant profile
# must set ca_cert, since an MSCHAPv2 exchange captured by an unvalidated
# server can be attacked offline.  Without anonymous_identity= the real user
# name is also the outer (cleartext) identity.  The file holds a cleartext
# password - keep it mode 0600.
network={
  ssid="eduroam"
  key_mgmt=IEEE8021X
  eap=PEAP
  pairwise=CCMP TKIP
  group=CCMP TKIP WEP104 WEP40
  phase2="auth=MSCHAPV2"
  identity="slayer@basnet.by"
  password="test123"
}
Тестируем вход в родной домен eduroam.by (на сервере idp.eduroam.by 80.94.174.233)
# Home-realm test (eduroam.by user against idp.eduroam.by).  -s puts the
# shared secret on the command line, where it shows up in the process list
# and in shell history; run it from a throwaway shell or clear the history
# afterwards.  The value is the secret from this host's clients.conf entry.
./eapol_test -c ttlspap.conf -a 80.94.174.233 -s [sharedsecretfromclientsconfonradius]
Тестируем вход в чужой домен eduroam.by (на сервере idp.basnet.by 80.94.174.234, при этом запрос должен проксироваться через flrs roaming.eduroam.by)
# Foreign-realm test: eduroam.by user against idp.basnet.by, which must proxy
# the request through roaming.eduroam.by.  The -s secret is visible in ps and
# shell history.
./eapol_test -c ttlspap.conf -a 80.94.174.234 -s [sharedsecretfromclientsconfonradius]
Тестируем вход в родной домен basnet.by (на сервере idp.basnet.by 80.94.174.234)
# Home-realm test (basnet.by user against idp.basnet.by).  The -s secret is
# visible in ps and shell history.
./eapol_test -c peapmschap.conf -a 80.94.174.234 -s [sharedsecretfromclientsconfonradius]
Тестируем вход в чужой домен basnet.by (на сервере idp.eduroam.by 80.94.174.233, при этом запрос должен проксироваться через flrs roaming.eduroam.by)
# Foreign-realm test: basnet.by user against 80.94.174.233, which must proxy
# the request through roaming.eduroam.by.  The -s secret is visible in ps and
# shell history.
./eapol_test -c peapmschap.conf -a 80.94.174.233 -s [sharedsecretfromclientsconfonradius]
Если все настроено корректно, должны получить везде SUCCESS.
Для отладки можно запускать radius с дополнительными ключами в foreground
/etc/init.d/radiusd stop
# -X runs radiusd in the foreground with debug output; -xx raises the
# verbosity further.  That output includes request contents and cleartext
# inner passwords (PAP), so use it on a trusted terminal and do not redirect
# it into a log file that stays on the box.
radiusd -Xxx
http://www.eduroam.org/index.php?p=faq#setup
https://confluence.terena.org/display/H2eduroam/eduroam+IdP
https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+at+national+level
https://confluence.terena.org/display/H2eduroam/freeradius-sp
https://confluence.terena.org/display/H2eduroam/freeradius-idp
2do: single dhcp server for AP dhcp-relay inside VE
http://aai.arnes.si/eduroam/dhcp.html
http://aai.arnes.si/eduroam/statistika
http://aai.arnes.si/eduroam/belezenje-ip.html
http://aai.arnes.si/eduroam/mysql.html
http://osdir.com/ml/network.dhcp.isc.dhcp-server/2004-04/msg00129.html