Installing a VPN server: adding a REALM

Published 2008-05-21 (last modified 2008-05-30). Source: https://vpn.univ-fcomte.fr/?p=62. Category: informations-techniques. Tags: installation, realm, serveur, vpn.

Adding a REALM "le-realm" on a network "ttt.ttt.ttt.nnn 255.255.255.ZZZ", VLAN XXX.

Creating the VLAN on the Cisco switch:

```
conf t
vlan XXX
 name blabla
 exit
int vlanXXX
 desc blabla
 ip vrf forwarding FW_YYYYY
 ip address ttt.ttt.ttt.ttt 255.255.255.ZZZ
 no shutdown
 exit
interface GigabitEthernet3/29
 switchport trunk allowed vlan add XXX
interface GigabitEthernet3/38
 switchport trunk allowed vlan add XXX
```

On the VPN server:

```
emacs /etc/network/interfaces
```

```
auto eth0.XXX
iface eth0.XXX inet static
	address ttt.ttt.ttt.ttu
	netmask 255.255.255.ZZZ
	network ttt.ttt.ttt.0
	broadcast ttt.ttt.ttt.ttv
	# policy routing: packets carrying iptables mark MMM are routed through the
	# realm's own table (le.realm, declared in /etc/iproute2/rt_tables below)
	up ip route add default via ttt.ttt.ttt.ttt dev eth0.XXX table le.realm
	up ip rule add fwmark MMM table le.realm
	down ip rule del fwmark MMM table le.realm
	down ip route del default table le.realm
```

```
emacs /etc/iproute2/rt_tables
```

```
10      femto.ext
11      lifc.lab
12      lifc.edu
13      ufc.generic
MMM     le.realm
```

Modifying the realmacl database:

```
add realm
```

```
add network
=> choose the NAS
=> IP range
=> iptables mark
```

On the RADIUS server (example with the ufc-pub realm on 194.57.81.0/24 split into three parts). In /etc/raddb/radiusd.conf, the realm and ippool instances live inside the modules section:

```
modules {
	realm ufc-pub {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}

	ippool ufc_pub_pool {
		name = ufc_pub_pool
		range-start = 194.57.81.1
		range-stop = 194.57.81.10
		netmask = 255.255.255.0
		cache-size = 800
		session-db = ${raddbdir}/db-ufc_pub_pool.ippool
		ip-index = ${raddbdir}/db-ufc_pub_pool.ipindex
		override = no
		maximum-timeout = 0
	}

	ippool ufc_pub_pool1 {
		name = ufc_pub_pool1
		range-start = 194.57.81.11
		range-stop = 194.57.81.251
		netmask = 255.255.255.0
		cache-size = 800
		session-db = ${raddbdir}/db-ufc_pub_pool1.ippool
		ip-index = ${raddbdir}/db-ufc_pub_pool1.ipindex
		override = no
		maximum-timeout = 0
	}
	...
}

authorize {
	ufc-pub
}

accounting {
	ufc_pub_pool
	ufc_pub_pool1
}

post-auth {
	ufc_pub_pool
	ufc_pub_pool1
}
```

Create the files ${raddbdir}/db-ufc_pub_pool.ippool and ${raddbdir}/db-ufc_pub_pool.ipindex and assign them to radiusd.radiusd (owner and group).

In the file /etc/raddb/users we assign the authentication and authorization methods and the IP pools (DHCP). Each VPN server (matched on NAS-IP-Address) gets its own pool, which is how the /24 is split into three parts:

```
DEFAULT Realm == "ufc-pub", NAS-IP-Address == 194.57.91.251, Pool-Name := "ufc_pub_pool", Auth-Type = "LDAP_UFC", Autz-Type = "LDAP_UFC"
        Fall-Through = No
DEFAULT Realm == "ufc-pub", NAS-IP-Address == 194.57.91.250, Pool-Name := "ufc_pub_pool1", Auth-Type = "LDAP_UFC", Autz-Type = "LDAP_UFC"
        Fall-Through = No
DEFAULT Realm == "ufc-pub", NAS-IP-Address == 194.57.89.65, Pool-Name := "ufc_pub_pool2", Auth-Type = "LDAP_UFC", Autz-Type = "LDAP_UFC"
        Fall-Through = No
```

Don't forget the file /etc/raddb/clients.conf:

```
# "blabla" is a placeholder: use a distinct, strong shared secret per client
client 194.57.91.250 {
        secret    = blabla
        shortname = test-vpn
        nastype   = other
}

client 194.57.91.251 {
        secret    = blabla
        shortname = vpn1
        nastype   = other
}

client 194.57.89.65 {
        secret    = blabla
        shortname = vpn2
        nastype   = other
}
```

Since we have a realm identifier, the file /etc/raddb/proxy.conf must also be configured (even though this realm is handled locally on this RADIUS server):

```
realm ufc-pub {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
#        strip
}
```