Hi, I'm using FR 1.1.3. I'd like to use the 'files' or 'mysql' backends to store temporary radius accounts used for guest accesses. I'd like to be able to enforce: * a Day-Of-Week and Time-Of-Day policy ===> using the Login-Time attribute seems appropriate * an 'account available Not-Before / Not-After' policy ===> What is the recommended setup for this last part of the policy ? - Using the 'Expiration' attribute for the 'Not-After' part is ok, but what about the Not-Before part ? - Do I have to use the Current-Login attribute to check the Not-Before part ? If yes what is the format of this attribute ? Any pointer to a faq or a sample setup file would be appreciated ;-) Regards, Thibault
Thibault Le Meur wrote:
I'd like to be able to enforce: * a Day-Of-Week and Time-Of-Day policy ===> using the Login-Time attribute seems appropriate
Yes.
* an 'account available Not-Before / Not-After' policy ===> What is the recommended setup for this last part of the policy ? - Using the 'Expiration' attribute for the 'Not-After' part is ok, but what about the Not-Before part ?
"Current-Time" should work, I think.
- Do I have to use the Current-Login attribute to check the Not-Before part ? If yes what is the format of this attribute ?
A date? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thanks Alan for the reply,
* an 'account available Not-Before / Not-After' policy ===> What is the recommended setup for this last part of the policy ? - Using the 'Expiration' attribute for the 'Not-After' part is ok, but what about the Not-Before part ?
"Current-Time" should work, I think.
- Do I have to use the Current-Login attribute to check the
Sorry, I meant Current-Time instead of Current-Login ;-)
Not-Before part ? If yes what is the format of this attribute ?
A date?
But I'm still wondering which date format is used, and am not sure if comparison operators will work. At least the following checks do not work: * Current-Time > "19 Nov 2006" * Current-Time > "2006/11/19" Thibault
Thibault Le Meur wrote:
But I'm still wondering which date format is used, and am not sure if comparison operators will work.
At least the following checks do not work: * Current-Time > "19 Nov 2006" * Current-Time > "2006/11/19"
The date format is the same as for Login-Time. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
----- Message de aland@deployingradius.com ---------
Thibault Le Meur wrote:
But I'm still wondering which date format is used, and am not sure if comparison operators will work.
At least the following checks do not work: * Current-Time > "19 Nov 2006" * Current-Time > "2006/11/19"
The date format is the same as for Login-Time.
Alan DeKok.
If this is the case, then I'm afraid I won't be able to get the full date like "19 Nov 2006". Indeed, as far as I know (but I hope I'm wrong), the UUCP Time Strings doesn't contain the Month nor the Day of month (I've read http://www.delorie.com/gnu/docs/uucp/uucp_58.html). Is there another (Internal) Attribute, that could match these elements of a login date ? Thanks again for your help and ideas. Thibault
I'm replying to myself because I found a very ugly solution to cope with my needs: "Have an account not available before a given date". I post this here in case this could be useful to someone, and to get feedback if others have found better way to achieve this.
At least the following checks do not work: * Current-Time > "19 Nov 2006" * Current-Time > "2006/11/19"
The date format is the same as for Login-Time.
Alan DeKok.
If this is the case, then I'm afraid I won't be able to get the full date like "19 Nov 2006". Indeed, as far as I know (but I hope I'm wrong), the UUCP Time Strings doesn't contain the Month nor the Day of month (I've read http://www.delorie.com/gnu/docs/uucp/uucp_58.html).
Is there another (Internal) Attribute, that could match these elements of a login date ?
I eventually get it working by: * using the hint file: DEFAULT NAS-IP-ADDRESS == MYNASIP MYSTRINGAATRIBUTE-NOTBEFORE := `%D` * Checking the MYSTRINGATTRIBUTE-NOTBEFORE in the users file DEFAULT MYSQTRINGATTRIBUTE-NOTBEFORE >= '20061128', Expiration := '29 Nov 2006' I have then 2 questions: * for the moment I use (or mis-use) an existing String-attribute from a vendor dictionary: is there a way to define 'private Radius attributes' in order to avoid this 'attribute usurpation' ? * I've seen in the code that adding the Not-Before config attribute (similar to Expiration) to Freeradius shouldn't be too tricky: is it something that could prove to be useful for other users ? Thibault
I post here a cleaner solution to my need, and propose the opportunity to have an even better way to code this (but requires a patch). The Goal ======== I wanted to be able to manage temporary accounts for guests: * these accounts are created in advance, but mustn't be valid before a given date * these account have an expiration date * these account must be valid within a given time range One current solution to achieve this ==================================== The current solution is to create a local String attribute (3000<id<4000) in the dictionary file /etc/raddb/dictionary: ATTRIBUTE My-Local-NotBefore 3000 string Then in the hint file, I add the current date to the request (for my NAS 192.168.1.1): DEFAULT NAS-IP-ADDRESS == 192.168.1.1 My-Local-NotBefore = `%D` In the users file, I add the 'Myuser' user, who can log in within the following time range '12 Dec to 13 Dec 2006, from 8AM to 9 PM': Myuser NAS-IP-Address == 192.168.1.1, Auth-Type = Local, User-Password == MyPass, My-Local-NotBefore >= 20061212, Login-Time := 'Wk0800-2100', Expiration := "14 Dec 2006" Fall-Through = no It is working, but is just a pity that the NotBefore and Expiration part are not handled the same way, though beeing quite similar. Enhancement proposal ==================== Why not implement the NotBefore part in the FR server code as it is already done for Expiration ? It would require (AFAIK): * Adding an offical "NotBefore" internal freeradius dictionary * Add a "#define PW_NOTBEFORE" definition in include/radius.h * Add a time check to the "check_expiration" function in main/auth.c * Optionnal ??? Add a notbeforecmp function and a "paircompare_register" call to main/valuepair.c ???? However, I had no report so far that this could prove to be useful to someone else, so I wonder if It is worth implementing. If you think this could be useful, I'll try to propose a patch. Thibault
Thibault Le Meur wrote:
Enhancement proposal ====================
Why not implement the NotBefore part in the FR server code as it is already done for Expiration ?
Or, add a "Date" attribute, that will compare against the current date. You can then use configurations like: Date > "January 12 2006 13:00" And it should Just Work. I'll see if I can get a patch into 1.1.4. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.free radius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@li sts.freeradius.org] De la part de Alan DeKok Envoyé : lundi 11 décembre 2006 19:47 À : FreeRadius users mailing list Objet : Re: NotBefore and Epiration (was Temporary Accounts), Enhancement proposal
Thibault Le Meur wrote:
Enhancement proposal ====================
Why not implement the NotBefore part in the FR server code as it is already done for Expiration ?
Or, add a "Date" attribute, that will compare against the current date. You can then use configurations like:
Date > "January 12 2006 13:00"
And it should Just Work.
Sure, this is a simpler way to do so. The only difference will be that the reply message will not say "Password has expired" or "Password not valid yet"... which, as far as I am concerned is not very important ;-)
I'll see if I can get a patch into 1.1.4.
Thanks a lot... Thibault
participants (2)
-
Alan DeKok -
Thibault Le Meur