openvpn refuses connections with freeradius

I installed openvpn and freeradius from yum, and I installed radiusplugin_v2.1a_beta1.tar.gz, but I am running into a connection problem:

XML-RPC: ConnectionRefusedError: 10061: No connection could be made because the target machine actively refused it.. 

I added the following to the database (mysql):

```sql
-- radcheck / radreply columns in the stock FreeRADIUS schema: id, username, attribute, op, value
mysql> INSERT INTO radcheck VALUES (1,'jpeterson','Password','==','netopia1');
-- note: FreeRADIUS 2.x expects a PAP password as 'Cleartext-Password' with op ':=';
-- 'Password' with '==' is the legacy 1.x style
mysql> INSERT INTO radreply VALUES (1,'jpeterson','Trapeze-VLAN-Name',':=','corp');
mysql> INSERT INTO radreply VALUES (2,'jpeterson','Session-Timeout',':=','300');
```

and tried to connect with user jpeterson and password netopia1.

I have been watching /var/log/messages and /var/log/radius/radius.log, but I can't see much there.

/etc/openvpn/server.conf

```
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
#plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
plugin /etc/openvpn/plugins/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 4
```

Here is radiusplugin.cnf:

```
# The NAS identifier which is sent to the RADIUS server
NAS-Identifier=OpenVpn

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=127.0.0.1

# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)
#OpenVPNConfig=/etc/openvpn/radiusvpn.conf
OpenVPNConfig=/etc/openvpn/server.conf

# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, eg from OpenVPN option "--server NETWORK NETMASK"
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, eg from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1

# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true

# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false

# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false

# If the accounting is non essential, nonfatalaccounting can be set to true.
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe

# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server.
	name=127.0.0.1
	# How many times should the plugin send the if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=1
	# The shared secret.
	sharedsecret=sekr3tz
}
```

Edit: I had openvpn working when using PAM.


Edit:

Now, when I connect from my phone or from my old vpn connection that has the server.crt file, I get this on the console:

```
[root@vpn ~]# Mon Jan 7 23:03:54 2013 RADIUS-PLUGIN: Got no response from radius server.
Mon Jan 7 23:03:54 2013 Error: RADIUS-PLUGIN: BACKGROUND AUTH: Auth failed!.
[root@vpn ~]# Mon Jan 7 23:05:23 2013 RADIUS-PLUGIN: Got no response from radius server.
Mon Jan 7 23:05:23 2013 Error: RADIUS-PLUGIN: BACKGROUND AUTH: Auth failed!.
```

After some research I found this, but I don't know what it means:

"Got no response from radius server" means the plugin did not receive any packet from the RADIUS server.

Can you check whether your RADIUS server answers the ACCESS-REQUEST RADIUS packet with an ACCESS_REJECT packet containing a reply message? Does the server respond within the time interval configured in the plugin configuration file?

Do I still need a certificate file to log in even when using FreeRadius?

I think it is necessary to have a certificate authority, but when you use Active Directory, LDAP and other authorization tools (such as radius), you don't need to use the private key from the .key and .crt files.
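The plugin's "Got no response" message says only that nothing came back on UDP within wait= seconds, retry= times over. The quickest way to separate the possible causes is to reproduce the Access-Request exchange without OpenVPN in the loop: an Access-Reject means the server is reachable and the RADIUS side is only a password or attribute problem (the `Password ==` row above is the first suspect); no answer at all means the request never reached a listening radiusd that accepts this client, because FreeRADIUS silently ignores requests from source addresses that are not defined in clients.conf, and a server that is not listening on 127.0.0.1:1812 or is blocked by a firewall looks identical from the plugin's side. The following script is an added example written for this page; it is not the poster's code and not part of the radiusplugin or FreeRADIUS projects. It implements the RFC 2865 wire format itself (request, PAP password obfuscation, response authenticator check) so it runs offline with only the standard library. Every value it uses (127.0.0.1, port 1812, secret sekr3tz, NAS-Identifier OpenVpn, Service-Type 5, Framed-Protocol 1, NAS-Port-Type 5, user jpeterson / netopia1, wait 1, retry 1) is copied from the configuration and SQL rows posted above and is an assumption about that setup; the reading of retry= as "re-sends after the first attempt" is also an assumption.

```python
import hashlib
import os
import socket
import struct

# Values taken from the radiusplugin.cnf and the radcheck row in the question.
# They are assumptions about that particular setup, not protocol constants.
SERVER, AUTH_PORT = "127.0.0.1", 1812
SECRET = b"sekr3tz"
USERNAME, PASSWORD = "jpeterson", "netopia1"
WAIT_SECONDS, RETRY = 1.0, 1

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SERVICE_TYPE, FRAMED_PROTOCOL, NAS_IDENTIFIER, NAS_PORT_TYPE = 6, 7, 32, 61


def encrypt_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR block i with
    MD5(secret + previous ciphertext block); the 'previous block' for block 0 is the
    16-byte Request Authenticator. This is what protects netopia1 on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(cipher, secret, authenticator):
    """The server-side inverse; with the wrong shared secret this yields garbage,
    which FreeRADIUS then answers with an Access-Reject rather than silence."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos, end = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(username, password, secret, identifier, authenticator):
    """The Access-Request the plugin sends, carrying the NAS-* values from radiusplugin.cnf."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1"))  # NAS-IP-Address=127.0.0.1
             + attr(SERVICE_TYPE, struct.pack("!I", 5))             # Service-Type=5
             + attr(FRAMED_PROTOCOL, struct.pack("!I", 1))          # Framed-Protocol=1
             + attr(NAS_IDENTIFIER, b"OpenVpn")                     # NAS-Identifier=OpenVpn
             + attr(NAS_PORT_TYPE, struct.pack("!I", 5)))           # NAS-Port-Type=5
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What the server sends back. RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def classify_response(packet, request_authenticator, secret):
    """Name the reply, or 'bad-authenticator' if it was not computed with our secret."""
    if len(packet) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "malformed"
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    if packet[4:20] != expected:
        return "bad-authenticator"
    return CODE_NAMES.get(code, "code-%d" % code)


def probe(server=SERVER, port=AUTH_PORT, secret=SECRET, username=USERNAME,
          password=PASSWORD, wait=WAIT_SECONDS, retry=RETRY):
    """Send the request the way the plugin does (wait= seconds per attempt, retry= re-sends,
    as this example reads those settings) and classify the outcome. 'no-response' is the
    condition behind 'Got no response from radius server'."""
    authenticator = os.urandom(16)
    request = build_access_request(username, password, secret, 1, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(wait)
        for _ in range(1 + retry):
            try:
                sock.sendto(request, (server, port))
                data, _peer = sock.recvfrom(4096)
            except OSError:  # timeout or ICMP port-unreachable: nothing came back
                continue
            return classify_response(data, authenticator, secret)
    return "no-response"


if __name__ == "__main__":
    print(probe())
```

Run it on the VPN host with `radiusd -X` started in another terminal: if radiusd prints nothing while the script reports `no-response`, the packet is not reaching a listener on 127.0.0.1:1812 (check `clients.conf` for a `localhost` client whose secret is sekr3tz, and what address radiusd actually binds); an `Access-Reject` moves the problem to the user rows in the SQL tables. The stock FreeRADIUS tool `radtest jpeterson netopia1 127.0.0.1 0 sekr3tz` does the same exchange without the NAS attributes above.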