How to send different attributes a miscellaneous nas

tnt at kalik.co.yu tnt at kalik.co.yu
Tue Sep 25 15:20:58 CEST 2007


1. You need to set a priority for each group in the usergroup table.
2. SQL group handling doesn't really work in the 1.1.x versions. Upgrade to
2.0.

Ivan Kalik
Kalik Informatika ISP

Dana 25/9/2007, "Медведев Максим" <sp_root at mail.ru> piše:

>Hi,
>
>freeradius 1.1.7 + postgres 8.1.9
>
>radgroupcheck does not work ((
>
>http://wiki.freeradius.org/Rlm_sql
>point 5 does not work ((
>
>Why are the reply attributes of both groups combined?
>
>Help me!
>
>Full info:
>
>
>INSERT INTO radcheck (id, username, attribute, op, value) VALUES (1, 'sproot', 'User-Password', '==', '123');
>
>INSERT INTO radgroupcheck (id, groupname, attribute, op, value) VALUES (2, 'juniper_pppoe_64k', 'Huntgroup-Name', '==', 'juniper');
>INSERT INTO radgroupcheck (id, groupname, attribute, op, value) VALUES (1, 'cisco_pppoe_64k', 'Client-IP-Address', '==', '172.25.0.1');
>
>
>INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (1, 'cisco_pppoe_64k', 'Cisco-AVPair', '=', 'lcp:interface-config#1=rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop');
>INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (2, 'cisco_pppoe_64k', 'Cisco-AVPair', '+=', 'lcp:interface-config#1=rate-limit output 64000 8000 8000 conform-action transmit exceed-action drop');
>INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (3, 'juniper_pppoe_64k', 'ERX-Egress-Policy-Name', '=', 'pppoe-64kbps-policy');
>INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (4, 'juniper_pppoe_64k', 'ERX-Egress-Statistics', '=', '1');
>INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (5, 'juniper_pppoe_64k', 'ERX-Ingress-Policy-Name', '=', 'pppoe-64kbps-policy');
>INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (6, 'juniper_pppoe_64k', 'ERX-Ingress-Statistics', '=', '1');
>INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (7, 'juniper_pppoe_64k', 'ERX-Primary-Dns', '=', '1.1.1.1');
>INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (8, 'juniper_pppoe_64k', 'ERX-Secondary-Dns', '=', '2.2.2.2');
>
>
>INSERT INTO radreply (id, username, attribute, op, value) VALUES (1, 'sproot', 'Framed-IP-Address', '=', '192.168.1.2');
>INSERT INTO radreply (id, username, attribute, op, value) VALUES (2, 'sproot', 'Framed-IP-Netmask', '=', '255.255.255.255');
>
>
>INSERT INTO usergroup (username, groupname, priority) VALUES ('sproot', 'cisco_pppoe_64k', 0);
>INSERT INTO usergroup (username, groupname, priority) VALUES ('sproot', 'juniper_pppoe_64k', 0);
>
>################################
>
>"huntgroups" file:
>
>juniper         NAS-IP-Address == 172.25.0.10
>cisco           NAS-IP-Address == 172.25.0.1
>
>################################
>
>"users" file:
>
>DEFAULT         Simultaneous-Use := 1
>                Fall-Through = 1
>
>################################
>
>"clients.conf" file:
>
>client 127.0.0.1 {
>        secret          = testing123
>        shortname       = localhost
>        nastype         = other
>}
>
>client 10.0.1.2 {
>        secret          = testing123
>        shortname       = localhost
>        nastype         = other
>}
>
>client 172.25.0.1 {
>        secret      = test
>        shortname   = nas.lan
>        nastype     = cisco
>}
>
>################################
>
>"postgresql.conf" file:
>
>sql {
>        driver = "rlm_sql_postgresql"
>        server = "localhost"
>        login = "radius"
>        password = "diametr"
>        radius_db = "radius"
>
>        acct_table1 = "radacct"
>        acct_table2 = "radacct"
>
>        read_groups = yes
>
>        postauth_table = "radpostauth"
>
>        authcheck_table = "radcheck"
>        authreply_table = "radreply"
>
>        groupcheck_table = "radgroupcheck"
>        groupreply_table = "radgroupreply"
>
>        usergroup_table = "usergroup"
>
>        deletestalesessions = no
>
>        sqltrace = yes
>        sqltracefile = ${logdir}/sqltrace.sql
>
>        num_sql_socks = 5
>
>        sql_user_name = "%{User-Name}"
>
>        authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
>                FROM ${authcheck_table} \
>                WHERE Username = '%{SQL-User-Name}' \
>                ORDER BY id"
>
>        authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
>                FROM ${authreply_table} \
>                WHERE Username = '%{SQL-User-Name}' \
>                ORDER BY id"
>
>        authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName, \
>                ${groupcheck_table}.Attribute, ${groupcheck_table}.Value,${groupcheck_table}.Op \
>                FROM ${groupcheck_table}, ${usergroup_table} \
>                WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
>                ORDER BY ${groupcheck_table}.id"
>
>        authorize_group_reply_query = "SELECT ${groupreply_table}.id, ${groupreply_table}.GroupName, ${groupreply_table}.Attribute, \
>                ${groupreply_table}.Value, ${groupreply_table}.Op \
>                FROM ${groupreply_table},${usergroup_table} \
>                WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \
>                ORDER BY ${groupreply_table}.id"
>
>        authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} \
>                WHERE UserName = '%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) \
>                ORDER BY Attribute DESC"
>
>        group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
>
>        simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
>
>        accounting_start_query = "INSERT into ${acct_table1} \
>                (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, \
>                ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey, \
>                ERXIngressPolicyName, ERXEgressPolicyName, ERXPppoeDescription, CiscoAVPair) \
>                values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', \
>                '%{NAS-Port}', '%{NAS-Port-Type}', ('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval), '%{Acct-Authentic}', '%{Connect-Info}', \
>                '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', \
>                NULLIF('%{Framed-IP-Address}', '')::inet, 0, '%{X-Ascend-Session-Svr-Key}', '%{ERX-Ingress-Policy-Name}', '%{ERX-Egress-Policy-Name}', '%{ERX-Pppoe-Description}', '%{Cisco-AVPair}')"
>
>        accounting_stop_query = "UPDATE ${acct_table2} \
>                SET AcctStopTime = ('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval), \
>                AcctSessionTime = NULLIF('%{Acct-Session-Time}', '')::bigint, \
>                AcctInputOctets = (('%{Acct-Input-Gigawords:-0}'::bigint << 32) + '%{Acct-Input-Octets:-0}'::bigint), \
>                AcctOutputOctets = (('%{Acct-Output-Gigawords:-0}'::bigint << 32) + '%{Acct-Output-Octets:-0}'::bigint), \
>                AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = 0, \
>                FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' \
>                WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' \
>                AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
>}
>
>################################
>
>"radius.conf" file:
>
>prefix = /opt/freeradius
>exec_prefix = ${prefix}
>sysconfdir = ${prefix}/etc
>localstatedir = ${prefix}/var
>sbindir = ${exec_prefix}/sbin
>logdir = ${localstatedir}/log/radius
>raddbdir = ${sysconfdir}/raddb
>radacctdir = ${logdir}/radacct
>confdir = ${raddbdir}
>run_dir = ${localstatedir}/run/radiusd
>log_file = ${logdir}/radius.log
>libdir = ${exec_prefix}/lib
>pidfile = ${run_dir}/radiusd.pid
>user = radius
>group = radius
>max_request_time = 20
>delete_blocked_requests = no
>cleanup_delay = 5
>max_requests = 5120000
>bind_address = "10.0.1.2"
>port = 0
>hostname_lookups = no
>allow_core_dumps = no
>regular_expressions     = yes
>extended_expressions    = yes
>log_stripped_names = no
>log_auth = yes
>log_auth_badpass = no
>log_auth_goodpass = no
>usercollide = no
>lower_user = no
>lower_pass = no
>nospace_user = no
>nospace_pass = no
>checkrad = ${sbindir}/checkrad
>security {
>        max_attributes = 50
>        reject_delay = 1
>        status_server = no
>}
>proxy_requests  = no
>$INCLUDE  ${confdir}/proxy.conf
>$INCLUDE  ${confdir}/clients.conf
>snmp    = no
>$INCLUDE  ${confdir}/snmp.conf
>thread pool {
>        start_servers = 32
>        max_servers = 64
>        min_spare_servers = 8
>        max_spare_servers = 32
>        max_requests_per_server = 500
>}
>modules {
>        pap {
>                auto_header = yes
>        }
>        chap {
>                authtype = CHAP
>        }
>        pam {
>                pam_auth = radiusd
>        }
>        unix {
>                cache = no
>                cache_reload = 600
>                radwtmp = ${logdir}/radwtmp
>        }
>$INCLUDE ${confdir}/eap.conf
>        mschap {
>        }
>        ldap {
>                server = "ldap.your.domain"
>                basedn = "o=My Org,c=UA"
>                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                start_tls = no
>                access_attr = "dialupAccess"
>                dictionary_mapping = ${raddbdir}/ldap.attrmap
>                ldap_connections_number = 5
>                edir_account_policy_check=no
>                timeout = 4
>                timelimit = 3
>                net_timeout = 1
>        }
>        checkval {
>                item-name = Calling-Station-Id
>                check-name = Calling-Station-Id
>                data-type = string
>        }
>
>        preprocess {
>                huntgroups = ${confdir}/huntgroups
>                hints = ${confdir}/hints
>                with_ascend_hack = no
>                ascend_channels_per_line = 23
>                with_ntdomain_hack = no
>                with_specialix_jetstream_hack = no
>                with_cisco_vsa_hack = no
>        }
>        files {
>                usersfile = ${confdir}/users
>                acctusersfile = ${confdir}/acct_users
>                preproxy_usersfile = ${confdir}/preproxy_users
>                compat = no
>        }
>        detail {
>                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>                detailperm = 0640
>        }
>         detail auth_log {
>                 detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
>                 detailperm = 0600
>         }
>         detail reply_log {
>                 detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
>                 detailperm = 0600
>         }
>        acct_unique {
>                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>        }
>        $INCLUDE  ${confdir}/postgresql.conf
>
>        radutmp {
>                filename = ${logdir}/radutmp
>                username = %{User-Name}
>                case_sensitive = yes
>                check_with_nas = yes
>                perm = 0600
>                callerid = "yes"
>        }
>        radutmp sradutmp {
>                filename = ${logdir}/sradutmp
>                perm = 0644
>                callerid = "no"
>        }
>        attr_filter {
>                attrsfile = ${confdir}/attrs
>        }
>        counter daily {
>                filename = ${raddbdir}/db.daily
>                key = User-Name
>                count-attribute = Acct-Session-Time
>                reset = daily
>                counter-name = Daily-Session-Time
>                check-name = Max-Daily-Session
>                allowed-servicetype = Framed-User
>                cache-size = 5000
>        }
>        always fail {
>                rcode = fail
>        }
>        always reject {
>                rcode = reject
>        }
>        always ok {
>                rcode = ok
>                simulcount = 0
>                mpp = no
>        }
>        expr {
>        }
>        digest {
>        }
>        exec {
>                wait = yes
>                input_pairs = request
>        }
>        exec echo {
>                wait = yes
>                program = "/bin/echo %{User-Name}"
>                input_pairs = request
>                output_pairs = reply
>        }
>        ippool main_pool {
>                range-start = 192.168.1.1
>                range-stop = 192.168.3.254
>                netmask = 255.255.255.0
>                cache-size = 800
>                session-db = ${raddbdir}/db.ippool
>                ip-index = ${raddbdir}/db.ipindex
>                override = no
>                maximum-timeout = 0
>        }
>}
>instantiate {
>        exec
>        expr
>}
>authorize {
>        preprocess
>        auth_log
>        chap
>        mschap
>        files
>        sql
>        pap
>}
>authenticate {
>        Auth-Type PAP {
>                pap
>        }
>        Auth-Type CHAP {
>                chap
>        }
>        Auth-Type MS-CHAP {
>                mschap
>        }
>}
>preacct {
>        preprocess
>        acct_unique
>        files
>}
>accounting {
>        detail
>        sql
>}
>session {
>        sql
>}
>post-auth {
>        reply_log
>}
>pre-proxy {
>}
>post-proxy {
>}
>
>################################
>
>Packet-Type = Access-Request
>Sun Sep 23 02:40:21 2007
>        Cisco-AVPair = "client-mac-address=000c.293b.eba6"
>        Framed-Protocol = PPP
>        User-Name = "sproot"
>        CHAP-Password = 0x017c2048ee32d9a2fbe809c193930c17b3
>        NAS-Port-Type = Virtual
>        NAS-Port = 268435472
>        NAS-Port-Id = "1/0/0/0"
>        Service-Type = Framed-User
>        NAS-IP-Address = 172.25.0.1
>        Acct-Session-Id = "00000010"
>        Client-IP-Address = 172.25.0.1
>        CHAP-Challenge = 0xd59ee4fe7f305d7d9aace2827f6d2b72
>        Huntgroup-Name = "cisco"
>
>
>Packet-Type = Access-Accept
>Sun Sep 23 02:40:21 2007
>        Framed-IP-Address = 192.168.1.2
>        Framed-IP-Netmask = 255.255.255.255
>        Cisco-AVPair = "lcp:interface-config#1=rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop"
>        Cisco-AVPair += "lcp:interface-config#1=rate-limit output 64000 8000 8000 conform-action transmit exceed-action drop"
>        ERX-Egress-Policy-Name = "pppoe-64kbps-policy"
>        ERX-Egress-Statistics = enable
>        ERX-Ingress-Policy-Name = "pppoe-64kbps-policy"
>        ERX-Ingress-Statistics = enable
>        ERX-Primary-Dns = 1.1.1.1
>        ERX-Secondary-Dns = 2.2.2.2
>
>
>P.S.
>sorry for my bad english...
>
>
>
>



