Maxuelbm / ISP-Toolbox

Inventário de infraestrutura com aplicação prática e didática num ambiente de provedores de Internet.
0 stars 0 forks source link

Configuração do servidor de autenticação RADIUS #13

Closed fredericont closed 10 months ago

wellyngton-sena commented 10 months ago

Realizado integração do PPPoE com o servidor radius do sistema de gerenciamento para provedor. Foi utilizado o script abaixo, no qual cria regras de firewall para bloquear cliente, VPN para comunicação com o servidor RADIUS, script de backup para os clientes não ficarem sem comunicação.

:global USERVPN "toolbox01"
:global AUC "5212"
:global ACC "5213"
:global AVS "6612"
:global BLQ "6613"
:global PASSVPNUSER "pD6f85xKdyE9wLnZPIWE"
:global RADIUS "172.16.116.1"
:global TOKEN "2a5fadc1-aadd-486a-954b-12041f16cb0b"
:global LINKDOSGP "https://baseteste.sgp.net.br"
:global IPSGP "177.52.37.146"

:global NAS "172.16.140.10"

/system backup save name=BACKUP_ANTES_DO_SGP
/export file=BACKUP_ANTES_DO_SGP_TXT
# AJUSTES NO MIKROTIK
/system ntp client set enabled=yes primary-ntp=200.160.0.8
/system ntp client set enabled=yes servers=200.160.0.8
/system clock set time-zone-name=America/Recife
/radius incoming set accept=yes
/ip service set api disabled=no port=3540 address="$RADIUS,$IPSGP"
/user aaa set use-radius=yes
/ppp aaa set interim-update=5m use-radius=yes
/snmp community disable public
/snmp community add addresses="$RADIUS,$IPSGP" name=SGP-GRAPHICs
/snmp set enabled=yes trap-community=SGP-GRAPHICs trap-version=2
/user add name=SGP comment="NAO MUDAR SENHA E NÃO ALTERAR NADA, USUARIO QUE O SERVIDOR SGP ACESSA A RB" \
    group=full password=$PASSVPNUSER
/system logging set 0 action=memory disabled=no prefix="" topics=info,!account
/radius
add comment="RADIUS SGP" secret=sgp@radius service=ppp,dhcp address=$RADIUS accounting-port=$ACC \
    authentication-port=$AUC timeout=00:00:03 src-address=$NAS

/ppp profile add name=VPN-SGP use-encryption=yes
/interface pptp-client add connect-to=$IPSGP user=$USERVPN password=$PASSVPNUSER  name="SGP-PPTP"\
    disabled=no comment=SGP-PPTP profile=VPN-SGP keepalive-timeout=30

/interface  l2tp-client add connect-to=$IPSGP user=$USERVPN password=$PASSVPNUSER name="SGP-L2TP"\
    disabled=no profile=VPN-SGP comment=SGP-L2TP keepalive-timeout=30

/interface ovpn-client
add connect-to=$IPSGP user=$USERVPN password=$PASSVPNUSER profile=VPN-SGP name="SGP-OVPN"\
    disabled=no comment=SGP-OVPN
# REGRAS DE AVISO E BLOQUEIO

/ip firewall address-list 
add address=$RADIUS list=SITES-LIBERADOS
add address=$IPSGP list=SITES-LIBERADOS
add address=208.67.222.222 list=SITES-LIBERADOS
add address=208.67.222.220 list=SITES-LIBERADOS
add address=8.8.8.8 list=SITES-LIBERADOS
add address=8.8.4.4 list=SITES-LIBERADOS
add address=1.1.1.1 list=SITES-LIBERADOS
add address=10.24.0.0/20 list=BLOQUEADOS

/ip firewall filter
add chain=forward connection-mark=BLOQUEIO-AVISAR action=add-src-to-address-list \
    address-list=BLOQUEIO-AVISADOS address-list-timeout=00:01:00 comment="SGP REGRAS" dst-address=$IPSGP \
    dst-port=$AVS protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="SGP REGRAS" dst-address-list=\
    SITES-LIBERADOS src-address-list=BLOQUEADOS
add action=dst-nat chain=dstnat comment="SGP REGRAS" dst-address-list=\
    !SITES-LIBERADOS dst-port=80,443 log-prefix="" protocol=tcp \
    src-address-list=BLOQUEADOS to-addresses=$IPSGP to-ports=$BLQ 
add action=dst-nat chain=dstnat comment="SGP REGRAS" connection-mark=\
    BLOQUEIO-AVISAR log-prefix="" protocol=tcp to-addresses=$IPSGP to-ports=$AVS
/ip firewall mangle
add chain=prerouting connection-state=new src-address-list=BLOQUEIO-AVISAR protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=BLOQUEIO-VERIFICAR passthrough=yes comment="SGP REGRAS" 
add chain=prerouting connection-mark=BLOQUEIO-VERIFICAR src-address-list=!BLOQUEIO-AVISADOS \
    action=mark-connection new-connection-mark=BLOQUEIO-AVISAR comment="SGP REGRAS" 
/ip firewall raw
add action=notrack chain=output comment="SGP NAO FAZER NAT PARA O RADIUS" \
    dst-address=$RADIUS dst-port="$AUC-$ACC,3799" protocol=udp
add action=drop chain=prerouting comment="SGP BLOQUEIO" dst-address-list=\
    !SITES-LIBERADOS src-address-list=BLOQUEADOS
/system scheduler
add interval=4h name=sgp-aviso on-event=sgp-aviso policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=01:00:00 disabled=yes
/system script
add name=sgp-aviso policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":log info\
    \_\"sgp aviso\";\r\
    \n/file remove [find where name=sgp_aviso.rsc]\r\
    \n/tool fetch url=\"$LINKDOSGP/ws/mikrotik/aviso/pendencia/\\?token=$TOKEN&app=mikrotik\" dst-path=sgp_aviso.rsc;\r\
    \n:delay 30s\r\
    \nimport file-name=sgp_aviso.rsc;\r\
    \n:delay 10s;\r\
    \n/ip firewall address-list set timeout=00:15:00 [/ip firewall address-list find list=BLOQUEIO-AVISAR]";\

# CONFIGURACAO IPv6 MIKROTIK

:global versao [/system package get number=0 version ]; :global versao2 [:pick $versao 0 [:find "$versao" "." -3]];
:delay 2s
:put $versao2
:if ($versao2=7) do={
    :global ipv6 [/ipv6 settings get disable-ipv6]
    :if ($ipv6=false) do={
    :log info "############\nTEM IPV6 HABILITADO NESSA RB - CONFIGURAR VARIAVEIS E SCRIPT NO PROFILE\n############"
    :log info "CONFIGURANDO O POOL DE BLOQUEIO IPv6"
    /ipv6 pool add name=bloqueiov6pd prefix-length=64 prefix=2001:DB9:100::/40
    /ipv6 pool add name=bloqueiov6prefix prefix-length=64 prefix=2001:DBA:900::/40    
    } else={
        :log info "############\nNAO TEM IPV6 HABILITADO NESSA RB\n############"
    }
} else={
    :if ($versao2=6) do={
    :global ipv6 [/system package get ipv6 disabled ]
    :if ($ipv6=false) do={
    :log info "############\nTEM IPV6 HABILITADO NESSA RB - CONFIGURAR VARIAVEIS E SCRIPT NO PROFILE\n############"
    :log info "CONFIGURANDO O POOL DE BLOQUEIO IPv6"
    /ipv6 pool add name=bloqueiov6pd prefix-length=64 prefix=2001:DB9:100::/40
    /ipv6 pool add name=bloqueiov6prefix prefix-length=64 prefix=2001:DBA:900::/40   
    } else={
    :log info "############\nNAO TEM IPV6 HABILITADO NESSA RB\n############"
    }
    }
}

# CRIAR BACKUP DOS PPPoEs

:global wurl "ws/mikrotik/login/local"
/system script
add name=sgp_login_local owner=SGP policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global filename \"sgp_login_local.txt\";\r\
    \n/file remove [/file find name=\$filename]\r\
    \n/tool fetch url=\"$LINKDOSGP/$wurl/\\?token=$TOKEN&app=mikrotik&nas=$NAS&disabled=1\" duration=30 dst-path=\$filename;\r\
    \n:delay 32s;\r\
    \n/import file-name=\$filename;"
/system scheduler
add disabled=no interval=6h name=sgp_login_local on-event=sgp_login_local policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=12:00:00
/tool netwatch
add comment="ATIVAR O SECRETS CASO O RADIUS PARE" disabled=yes \
    down-script="/ppp secret ; :foreach i in [ find comment~\"SGP:\
    \" ] do={ enable \$i }; /ppp active; :foreach p in [find \\ radius=no comment~\"SGP:\"] do=\
    { remove \$p; :delay 1};" host=$RADIUS interval=3m timeout=10000ms \
    up-script="/ppp secret ; :foreach i in [ find comment~\"SGP:\" ] do={ disa\
    ble \$i }; /ppp active; :foreach p in [find \\ radius=no comment~\"SGP:\"] do={ remove \$p;\
    \_:delay 1};"

:log print where message="TEM IPV6 HABILITADO NESSA RB - CONFIGURAR VARIAVEIS E SCRIPT NO PROFILE" or message="NAO TEM IPV6 HABILITADO NESSA RB"
wellyngton-sena commented 10 months ago

Configuração do servidor radius:

image

VPN de comunicação com o servidor radius:

image

Cliente online através do servidor radius:

image