
PPTP all access

Good day,

We have PPTP access servers that take logins and IP information from the billing database. The billing server is going to be moved. Is it possible to make PPTP admit everyone, without authorizing against billing, and hand out IPs from a local pool? Maybe this can be done with freeradius, which could be brought up temporarily somewhere else?


Yes, it is enough for it to answer every request with an access grant.

 

If the billing system lets you export the logins and passwords, you can set up a local database on the access server for the duration of the move.


We had exactly that, only for PPPoE. I took a spare box with FreeRADIUS and allowed access to everyone on it. Mikrotik, getting no addresses from RADIUS, hands them out from its own pool.


> We had exactly that, only for PPPoE. I took a spare box with FreeRADIUS and allowed access to everyone on it. Mikrotik, getting no addresses from RADIUS, hands them out from its own pool.

Could you give more detail on this "allow access to everyone" mechanism? There won't be a database as such, yet users will still try to connect with their logins. It will just answer with Access-Rejects. Which option is responsible for making it not do that?

> Yes, it is enough for it to answer every request with an access grant.
>
> If the billing system lets you export the logins and passwords, you can set up a local database on the access server for the duration of the move.

The database can be exported, but that takes a long time; it's easier to allow everything for everyone.


> Could you give more detail on this "allow access to everyone" mechanism? There won't be a database as such, yet users will still try to connect with their logins. It will just answer with Access-Rejects. Which option is responsible for making it not do that?

I added the following line at the very top of the raddb/users file:
DEFAULT Auth-Type := Accept

following the instructions at: http://wiki.freeradius.org/guide/FAQ#How-do-I-permit-access-to-any-user-regardless-of-password?

Edited by Diamont


> Could you give more detail on this "allow access to everyone" mechanism? There won't be a database as such, yet users will still try to connect with their logins. It will just answer with Access-Rejects. Which option is responsible for making it not do that?

> I added the following line at the very top of the raddb/users file:
> DEFAULT Auth-Type := Accept
>
> following the instructions at: http://wiki.freeradius.org/guide/FAQ#How-do-I-permit-access-to-any-user-regardless-of-password?

Thanks a lot. Simpler than I thought )

Can this function be used as a fallback in case the main RADIUS server fails? I inherited such an ancient box that a backup billing with RADIUS can no longer be brought up on it.


If you dig around a bit, you can do a lot there.

In short, freeradius is hung with all sorts of modules that implement certain functionality, usually fairly simple.

You can throw out almost all modules and configs, and in the single remaining config write the reactions to events.

In the $INCLUDE ${confdir}/modules/always folder we keep: ok, always and maybe something else, I no longer remember.

 

The base config, simply cleaned up so as not to load unnecessary modules.

# -*- text -*-
##
## radiusd.conf	-- FreeRADIUS server configuration file.
##
##	http://www.freeradius.org/
##	$Id$
##


######################################################################
#
#  	The location of other config files and logfiles are declared
#  	in this file.
#
#  	Also general configuration for modules can be done in this
#  	file, it is exported through the API to modules that ask for
#  	it.
#
#	See "man radiusd.conf" for documentation on the format of this
#	file.  Note that the individual configuration items are NOT
#	documented in that "man" page.  They are only documented here,
#	in the comments.
#
#	As of 2.0.0, FreeRADIUS supports a simple processing language
#	in the "authorize", "authenticate", "accounting", etc. sections.
#	See "man unlang" for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#
#  name of the running server.  See also the "-n" command-line option.
name = freeradius

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

# libdir: Where to find the rlm_* modules.
libdir = /usr/lib/freeradius

#  pidfile: Where to place the PID of the RADIUS server.
#  This file is written when ONLY running in daemon mode.
pidfile = ${run_dir}/${name}.pid

#  chroot: directory where the server does "chroot".
#chroot = /path/to/chroot/directory

user = freerad
group = freerad

#  max_request_time: The maximum time (in seconds) to handle a request.
max_request_time = 15

#  cleanup_delay: The time to wait (in seconds) before cleaning up a reply which was sent to the NAS.
cleanup_delay = 10

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
max_requests = 65535


#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
hostname_lookups = no

allow_core_dumps = no

#  Regular expressions
regular_expressions	= yes
extended_expressions	= yes


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.

thread pool {
#  Number of servers to start initially
start_servers = 2

#  Limit on the total number of servers running.
#  If this limit is ever reached, clients will be LOCKED OUT, so it
#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
#  keep a runaway server from taking the system with it as it spirals
#  down...
# 6 - sql
max_servers = 2

#  It does this by periodically checking how many servers are
#  waiting for a request.  If there are fewer than
#  min_spare_servers, it creates a new spare.  If there are
#  more than max_spare_servers, some of the spares die off.
#  The default values are probably OK for most sites.
min_spare_servers = 1
max_spare_servers = 16

# num requests before server exit
# 0 - the servers never exit
max_requests_per_server = 0
}



#  Logging section.  The various "log_*" configuration items
#  will eventually be moved here.
log {
#  Destination for log messages.  This can be one of:
#	files - log to "file", as defined below.
#	syslog - to syslog (see also the "syslog_facility", below.
#	stdout - standard output
#	stderr - standard error.
destination = files

#  The logging messages for the server are appended to the
#  tail of this file if destination == "files"
#file = ${logdir}/radius.log
file = /dev/null

#  If this configuration parameter is set, then log messages for
#  a *request* go to this file, rather than to radius.log.
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

#  Which syslog facility to use, if ${destination} == "syslog"
syslog_facility = daemon

#  Log the full User-Name attribute, as it was found in the request.
stripped_names = no

#  Log authentication requests to the log file.
auth = no

#  Log passwords with the authentication requests.
#  auth_badpass  - logs password if it's rejected
#  auth_goodpass - logs password if it's correct
auth_badpass = no
auth_goodpass = no

#  Log additional text at the end of the "Login OK" messages.
#  for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
#  configurations above have to be set to "yes".
#
#  The strings below are dynamically expanded, which means that
#  you can put anything you want in them.  However, note that
#  this expansion can be slow, and can negatively impact server
#  performance.
#
#	msg_goodpass = ""
#	msg_badpass = ""
}

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
security {
#  max_attributes: The maximum number of attributes
#  permitted in a RADIUS packet.  Packets which have MORE
#  than this number of attributes in them will be dropped.
#  Setting this number to 0 means "allow any number of attributes"
max_attributes = 200

#  reject_delay: When sending an Access-Reject, it can be
#  delayed for a few seconds.  This may help slow down a DoS
#  attack.  It also helps to slow down people trying to brute-force
#  crack a users password.
#  Setting this number to 0 means "send rejects immediately"
#  If this number is set higher than 'cleanup_delay', then the
#  rejects will be sent at 'cleanup_delay' time, when the request
#  is deleted from the internal cache of requests.
reject_delay = 1

#  status_server: Whether or not the server will respond to Status-Server requests.
status_server = yes
}

# PROXY CONFIGURATION
#  proxy_requests: Turns proxying of RADIUS requests on or off.
proxy_requests  = no
#$INCLUDE proxy.conf


# CLIENTS CONFIGURATION
#$INCLUDE clients.conf


# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
$INCLUDE ${confdir}/modules/always
}

# Instantiation
#
#  This section orders the loading of the modules.  Modules
#  listed here will get loaded BEFORE the later sections like
#  authorize, authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like
#  authorize refers to a module, it's automatically loaded and
#  initialized.  However, some modules may not be listed in any
#  of the following sections, so they can be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initalized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
instantiate {

}

######################################################################
#
#	Policies that can be applied in multiple places are listed
#	globally.  That way, they can be defined once, and referred
#	to multiple times.
#
######################################################################
$INCLUDE policy.conf



######################################################################
##	Load virtual servers.
$INCLUDE sites-enabled/

######################################################################
#
#	All of the other configuration sections like "authorize {}",
#	"authenticate {}", "accounting {}", have been moved to the
#	the file:
#
#		raddb/sites-available/default
#
#	This is the "default" virtual server that has the same
#	configuration as in version 1.0.x and 1.1.x.  The default
#	installation enables this virtual server.  You should
#	edit it to create policies for your local site.
#
#	For more documentation on virtual servers, see:
#
#		raddb/sites-available/README
#
######################################################################

 

In $INCLUDE sites-enabled/ we remove everything and create a file like this:

server acc_sw {

# Listen for Access-Requests
listen {
	ipaddr		= *
	#ipv6addr	= ::
	#interface	= eth0
	port		= 1812
	type		= auth
	clients		= acc_per_socket_clients
}

authorize {
	ok
}


authenticate {
	ok
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
	ok
}

}




#  Define a network where clients may be dynamically defined.
clients acc_per_socket_clients {
client acc_dynamic_client {
	ipaddr = 0.0.0.0
	netmask = 0

	#  Define the virtual server used to discover dynamic clients.
	dynamic_clients = acc_dynamic_client_server

	#  Define the lifetime (in seconds) for dynamic clients.
	#  They will be cached for this lifetime, and deleted afterwards.
	#  If the lifetime is "0", then the dynamic client is never
	#  deleted.  The only way to delete the client is to re-start
	#  the server.
	lifetime = 60
}
}



#  This is the virtual server referenced above by "dynamic_clients".
server acc_dynamic_client_server {
#  The only contents of the virtual server is the "authorize" section.
authorize {
	update control {
		#  Echo the IP address of the client.
		FreeRADIUS-Client-IP-Address = "%{request:Packet-Src-IP-Address}"

		# secret
		FreeRADIUS-Client-Secret = "PASSSSWWWWOOOORRRRDDDD"
	}
	ok
}
}

PASSSSWWWWOOOORRRRDDDD - shared secret

 

Such a config is clearer to me than editing who knows which files.

And freeradius itself starts faster and doesn't load obscure modules that are configured who knows how.

This is all a cut-down configuration from a FreeRADIUS that took its own shared secret for each switch from the database, checked the login and password against that same database, and granted the corresponding access level: user, operator, admin.
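A small check for the setup described in the two posts above (the `DEFAULT Auth-Type := Accept` line and the `ok`-only virtual server), added here as an example; it is not code from the posts or from the FreeRADIUS project. It builds a PAP Access-Request the way a PPTP or PPPoE NAS does (RFC 2865) and validates the reply's Response Authenticator with the shared secret, so a secret that does not match the one set on the dynamic client (the `PASSSSWWWWOOOORRRRDDDD` placeholder above) shows up as a verification failure instead of a silently accepted reply. The accept-all server returns no `Framed-IP-Address`, which is exactly why the Mikrotik falls back to its local pool; `has_framed_ip` makes that visible. `query_server` talks to a real server at a host and port you supply (assumed values); `simulate_accept_all` stands in for the server offline with a constructed reply.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FRAMED_IP_ADDRESS = 1, 2, 8
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows


def encrypt_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password as in RFC 2865 5.2: each 16-byte chunk XOR MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def decrypt_pap_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_pap_password: what the server does before checking the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def encode_attributes(attrs):
    """attrs: list of (type, value bytes) -> Type/Length/Value byte string."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attributes(data: bytes):
    """Parse TLV attributes, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Access-Request with User-Name and PAP User-Password, as a NAS sends it."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attributes([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encrypt_pap_password(password.encode(), secret, request_auth)),
    ])
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs, request_auth


def response_authenticator(code, identifier, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(body)) + request_auth + body + secret).digest()


def build_reply(code, identifier, attrs, request_auth, secret):
    """Server-side reply construction; used here to stand in for a live server."""
    body = encode_attributes(attrs)
    auth = response_authenticator(code, identifier, body, request_auth, secret)
    return HEADER.pack(code, identifier, 20 + len(body)) + auth + body


def check_reply(packet, identifier, request_auth, secret):
    """Validate length, identifier and Response Authenticator; return (code, attrs) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet) or ident != identifier:
        raise ValueError("length or identifier mismatch")
    body = packet[20:]
    expected = response_authenticator(code, ident, body, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch or altered packet")
    return code, decode_attributes(body)


def reply_valid(packet, identifier, request_auth, secret) -> bool:
    try:
        check_reply(packet, identifier, request_auth, secret)
        return True
    except ValueError:
        return False


def has_framed_ip(attrs) -> bool:
    """True if the reply assigns an address; False means the NAS uses its local pool."""
    return any(t == ATTR_FRAMED_IP_ADDRESS for t, _ in attrs)


def query_server(host, username, password, secret, port=1812, timeout=3.0):
    """Send one Access-Request to a real server (host and port are assumptions) and validate the reply."""
    ident = os.urandom(1)[0]
    packet, request_auth = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        reply, _ = s.recvfrom(4096)
    return check_reply(reply, ident, request_auth, secret)


def simulate_accept_all(username, password, secret=b"PASSSSWWWWOOOORRRRDDDD"):
    """Offline stand-in for the accept-all virtual server: any credentials, empty Access-Accept."""
    ident = 7
    _, request_auth = build_access_request(ident, username, password, secret)
    reply = build_reply(ACCESS_ACCEPT, ident, [], request_auth, secret)  # constructed reply, no attributes
    return check_reply(reply, ident, request_auth, secret)
```

Run `query_server("10.0.0.2", "anyuser", "anypass", b"PASSSSWWWWOOOORRRRDDDD")` against the temporary server (address assumed): a valid Access-Accept with an empty attribute list is the expected result; a `ValueError` about the Response Authenticator means the secret in the dynamic-client server and the one on the NAS differ.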


> Such a config is clearer to me than editing who knows which files.

Yes, your config is much clearer for a beginner than one line in a config from the official site)))

 

Oh, these Group: VIP...

Edited by Diamont
