3Com-User-Access-Level Not Applied

"Alexandre Soares" <alexandre.asoares@gmail.com> · Mon, 15 Jan 2007 17:24:33 -0200

client 127.0.0.1 {
	secret		= testing123
	shortname	= localhost
	nastype     	= other	
}

client 192.168.0.30 {
	secret 		= MeuSegredo
	shortname	= SWRJO-01
	nastype     	= other	
}

# -*- text -*-
#
# Version $Id: dictionary,v 1.93.2.5.2.7 2006/11/26 19:29:19 aland Exp $
#
#	DO NOT EDIT THE FILES IN THIS DIRECTORY
#
#	The files in this directory are maintained and updated by
#	the FreeRADIUS project.  Newer releases of software may update
#	or change these files.
#
#	Use the main dictionary file (usually /etc/raddb/dictionary)
#	for local system attributes and $INCLUDEs.
#
#
#
#	This file contains dictionary translations for parsing
#	requests and generating responses.  All transactions are
#	composed of Attribute/Value Pairs.  The value of each attribute
#	is specified as one of 4 data types.  Valid data types are:
#
#	text       - printable, generally UTF-8 encoded (subset of 'string')
#	string     - 0-253 octets
#	ipaddr     - 4 octets in network byte order
#	integer    - 32 bit value in big endian order (high byte first)
#	date       - 32 bit value in big endian order - seconds since
#		     00:00:00 GMT,  Jan.  1,  1970
#	ifid       - 8 octets in network byte order
#	ipv6addr   - 16 octets in network byte order
#	ipv6prefix - 18 octets in network byte order
#
#	FreeRADIUS includes extended data types which are not defined
#	in the RFC's.  These data types are:
#
#	abinary - Ascend's binary filter format.
#	octets  - raw octets, printed and input as hex strings.
#		  e.g.: 0x123456789abcdef
#
#
#	Enumerated values are stored in the user file with dictionary
#	VALUE translations for easy administration.
#
#	Example:
#
#	ATTRIBUTE	  VALUE
#	---------------   -----
#	Framed-Protocol = PPP
#	7		= 1	(integer encoding)
#

#
#	Include compatibility dictionary for older users file. Move
#	this directive to the end of this file if you want to see the
#	old names in the logfiles, INSTEAD OF the new names.
#
$INCLUDE dictionary.compat

#
#	Include the RFC dictionaries next.
#
#	For a complete list of the standard attributes and values,
#	see:
#		http://www.iana.org/assignments/radius-types
#
$INCLUDE dictionary.rfc2865
$INCLUDE dictionary.rfc2866
$INCLUDE dictionary.rfc2867
$INCLUDE dictionary.rfc2868
$INCLUDE dictionary.rfc2869
$INCLUDE dictionary.rfc3162
$INCLUDE dictionary.rfc3576
$INCLUDE dictionary.rfc3580

#
#	Include vendor dictionaries after the standard ones.
#
$INCLUDE dictionary.3com

#
#	And finally the server internal attributes.
#
$INCLUDE dictionary.freeradius.internal

#
#	Miscellaneous attributes defined in weird places that
#	don't really belong anywhere else...
#
ATTRIBUTE	Originating-Line-Info			94	string

#  As defined in draft-sterman-aaa-sip-00.txt
ATTRIBUTE	Digest-Response				206	string
ATTRIBUTE	Digest-Attributes			207	octets	# stupid format

#
#	Integer Translations
#
VALUE	Service-Type			Voice			12
VALUE	Service-Type			Fax			13
VALUE	Service-Type			Modem-Relay		14
VALUE	Service-Type			IAPP-Register		15
VALUE	Service-Type			IAPP-AP-Check		16

VALUE	Framed-Protocol			GPRS-PDP-Context	7

VALUE	NAS-Port-Type			Wireless-CDMA2000	22
VALUE	NAS-Port-Type			Wireless-UMTS		23
VALUE	NAS-Port-Type			Wireless-1X-EV		24
VALUE	NAS-Port-Type			IAPP			25

VALUE	Framed-Protocol			PPTP			9

# -*- text -*-
#
#	3com SuperStack Firewall dictionary
#	Bought from Sonicwall, apparently, from Enterprise number 8741.
#
#		$Id: dictionary.3com,v 1.3.2.1.2.1 2005/11/30 22:17:18 aland Exp $
#

VENDOR		3com				43

#
#	These attributes contain the access-level value.
#
BEGIN-VENDOR	3com

ATTRIBUTE	3Com-User-Access-Level		1			integer
VALUE		3Com-User-Access-Level		3Com-Visit		0
VALUE		3Com-User-Access-Level		3Com-Monitor		1
VALUE		3Com-User-Access-Level		3Com-Manager		2
VALUE		3Com-User-Access-Level		3Com-Administrator	3

END-VENDOR	3com

prefix 			= /usr/local
exec_prefix 		= ${prefix}
sysconfdir 		= ${prefix}/etc
localstatedir 		= ${prefix}/var
sbindir 		= ${exec_prefix}/sbin
logdir 			= ${localstatedir}/log/radius
raddbdir 		= ${sysconfdir}/raddb
radacctdir 		= ${logdir}/radacct
confdir 		= ${raddbdir}
run_dir 		= ${localstatedir}/run/radiusd
log_file 		= ${logdir}/radius.log
libdir 			= ${exec_prefix}/lib
pidfile 		= ${run_dir}/radiusd.pid
checkrad 		= ${sbindir}/checkrad

max_request_time 	= 30
delete_blocked_requests = no
cleanup_delay 		= 5
max_requests 		= 1024
bind_address 		= *
port 			= 0
hostname_lookups 	= no
allow_core_dumps 	= no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names 	= no
log_auth 		= no
log_auth_badpass 	= no
log_auth_goodpass 	= no
usercollide 		= no
lower_user 		= no
lower_pass 		= no
nospace_user 		= no
nospace_pass 		= no
proxy_requests  	= no

$INCLUDE  ${confdir}/clients.conf

security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}

thread pool {
 	start_servers		= 5
 	max_servers 		= 32
 	min_spare_servers 	= 3
 	max_spare_servers 	= 10
 	max_requests_per_server	= 0
}

modules {
	unix {
		cache 		= no
		cache_reload 	= 600
		radwtmp 	= ${logdir}/radwtmp
	}

	realm suffix {
		format 		= suffix
		delimiter 	= "@"
		ignore_default 	= no
		ignore_null 	= no
	}

	realm realmpercent {
		format 		= suffix
		delimiter 	= "%"
		ignore_default 	= no
		ignore_null 	= no
	}

	checkval {
		item-name 	= Calling-Station-Id
		check-name 	= Calling-Station-Id
		data-type 	= string
	}

	preprocess {
		huntgroups 			= ${confdir}/huntgroups
		hints 				= ${confdir}/hints
		with_ascend_hack 		= no
		ascend_channels_per_line 	= 23
		with_ntdomain_hack 		= no
		with_specialix_jetstream_hack 	= no
		with_cisco_vsa_hack 		= no
	}

	files {
		usersfile 	= ${confdir}/users
		acctusersfile 	= ${confdir}/acct_users
		compat 		= no
	}

	detail {
		detailfile 	= ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm 	= 0600
	}

	acct_unique {
		key 		= "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}

	radutmp {
		filename 	= ${logdir}/radutmp
		username 	= %{User-Name}
		case_sensitive 	= yes
		check_with_nas 	= yes		
		perm 		= 0600
		callerid 	= "yes"
	}

	attr_filter {
		attrsfile 	= ${confdir}/attrs
	}

	counter daily {
		filename 	= ${raddbdir}/db.daily
		key 		= User-Name
		count-attribute = Acct-Session-Time
		reset 		= daily
		counter-name 	= Daily-Session-Time
		check-name 	= Max-Daily-Session
		allowed-servicetype 	= Framed-User
		cache-size 		= 5000
	}

	always fail {
		rcode 		= fail
	}
	always reject {
		rcode 		= reject
	}
	always ok {
		rcode 		= ok
		simulcount 	= 0
		mpp 		= no
	}

	expr {
	}

	digest {
	}

	exec {
		wait 		= yes
		input_pairs 	= request
	}

	exec echo {
		wait 		= yes
		program 	= "/bin/echo %{User-Name}"
		input_pairs 	= request
		output_pairs 	= reply
		#packet_type 	= Access-Accept
	}
}

instantiate {
 exec
 expr
}

authorize {
 preprocess
 suffix
 files
}

authenticate {
 unix
}

preacct {
 preprocess
 acct_unique
 suffix
 files
}

accounting {
 detail
 unix
 radutmp
}

session {
 radutmp
}

#
#	Please read the documentation file ../doc/processing_users_file,
#	or 'man 5 users' (after installing the server) for more information.
#
#	This file contains authentication security and configuration
#	information for each user.  Accounting requests are NOT processed
#	through this file.  Instead, see 'acct_users', in this directory.
#
#	The first field is the user's name and can be up to
#	253 characters in length.  This is followed (on the same line) with
#	the list of authentication requirements for that user.  This can
#	include password, comm server name, comm server port number, protocol
#	type (perhaps set by the "hints" file), and huntgroup name (set by
#	the "huntgroups" file).
#
#	If you are not sure why a particular reply is being sent by the
#	server, then run the server in debugging mode (radiusd -X), and
#	you will see which entries in this file are matched.
#
#	When an authentication request is received from the comm server,
#	these values are tested. Only the first match is used unless the
#	"Fall-Through" variable is set to "Yes".
#
#	A special user named "DEFAULT" matches on all usernames.
#	You can have several DEFAULT entries. All entries are processed
#	in the order they appear in this file. The first entry that
#	matches the login-request will stop processing unless you use
#	the Fall-Through variable.
#
#	If you use the database support to turn this file into a .db or .dbm
#	file, the DEFAULT entries _have_ to be at the end of this file and
#	you can't have multiple entries for one username.
#
#	You don't need to specify a password if you set Auth-Type += System
#	on the list of authentication requirements. The RADIUS server
#	will then check the system password file.
#
#	Indented (with the tab character) lines following the first
#	line indicate the configuration values to be passed back to
#	the comm server to allow the initiation of a user session.
#	This can include things like the PPP configuration values
#	or the host to log the user onto.
#
#	You can include another `users' file with `$INCLUDE users.other'
#

#
#	For a list of RADIUS attributes, and links to their definitions,
#	see:
#
#	http://www.freeradius.org/rfc/attributes.html
#

#
# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser	Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT	Group == "disabled", Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve	Auth-Type := Local, User-Password == "testing"
#	Service-Type = Framed-User,
#	Framed-Protocol = PPP,
#	Framed-IP-Address = 172.16.3.33,
#	Framed-IP-Netmask = 255.255.255.0,
#	Framed-Routing = Broadcast-Listen,
#	Framed-Filter-Id = "std.ppp",
#	Framed-MTU = 1500,
#	Framed-Compression = Van-Jacobsen-TCP-IP

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"	Auth-Type := Local, User-Password == "hello"
#		Reply-Message = "Hello, %u"

#
# Dial user back and telnet to the default host for that port
#
#Deg	Auth-Type := Local, User-Password == "ge55ged"
#	Service-Type = Callback-Login-User,
#	Login-IP-Host = 0.0.0.0,
#	Callback-Number = "9,5551212",
#	Login-Service = Telnet,
#	Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk	Auth-Type := Local, User-Password == "callme"
#	Service-Type = Callback-Login-User,
#	Login-IP-Host = timeshare1,
#	Login-Service = PortMaster,
#	Callback-Number = "9,1-800-555-1212"

#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#		Framed-IP-Address = 192.168.1.65,
#		Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# against the system database, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT	Suffix == ".shell", Auth-Type := System
#		Service-Type = Login-User,
#		Login-Service = Telnet,
#		Login-IP-Host = your.shell.machine

#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT	Auth-Type = System
	Fall-Through = 1

#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#		Framed-IP-Address = 192.168.1.32+,
#		Fall-Through = Yes

#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "delft"
#		Framed-IP-Address = 192.168.2.32+,
#		Fall-Through = Yes

#
# Defaults for all framed connections.
#
DEFAULT	Service-Type == Framed-User
	Framed-IP-Address = 255.255.255.254,
	Framed-MTU = 576,
	Service-Type = Framed-User,
	Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#	by the terminal server in which case there may not be a "P" suffix.
#	The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#	Service-Type = Login-User,
#	Login-Service = Rlogin,
#	Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# 	Service-Type = Shell-User

# On no match, the user is denied access.

asoares	Auth-Type := System, 3Com-User-Access-Level = 3Com-Administrator
visita	Auth-Type := System, 3Com-User-Access-Level = 3Com-Visit