freeradius + Cisco-AVpair rate-limit attributes + mysql

satish patel linuxtrap at yahoo.co.in
Mon Jan 22 12:28:52 CET 2007


Dear all

                  Here I am shareing my Knowledge. for freeradius users. i have done freeradius-1.1.4 with mysql with cisco VPDN configuration as well as i have configuraed per user base bandwidth configuration and simultanious user login configuration i have sharing my configuration for my freeradius users

I have cisco router with this configuration

aaa new-model
!
!
aaa group server radius testing123
 server-private 71.5.250.243 auth-port 1812 acct-port 1813 key tulipconnect
 ip radius source-interface FastEthernet0/1
 deadtime 0
!
aaa authentication login default local group radius group testing123
aaa authentication ppp default group testing123 local
aaa authorization exec default local group radius group testing123
aaa authorization network default group testing123 local
aaa accounting update periodic 1
aaa accounting exec default start-stop group testing123
aaa accounting network default start-stop group testing123
aaa accounting connection default start-stop group testing123
!

_________________________________________________________

My all user databases in mysql and simultanius login also in mysql 

mysql tables :-

mysql> select * from radcheck;
+----+----------+---------------+----+-------+
| id | UserName | Attribute     | op | Value |
+----+----------+---------------+----+-------+
|  1 | satish   | User-Password | := | tulip |
|  2 | priya    | User-Password | := | tulip |
+----+----------+---------------+----+-------+
2 rows in set (0.00 sec)


mysql> select * from radgroupcheck;;
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute        | op | Value |
+----+-----------+------------------+----+-------+
|  1 | 64KB      | Simultaneous-Use | := | 1     |
|  4 | 128KB     | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+
2 rows in set (0.00 sec)


mysql> select * from radgroupreply;;
+----+-----------+-----------------+----+--------------------------------------------------------------------------------------------------------+------+
| id | GroupName | Attribute       | op | Value                                                                                                  | prio |
+----+-----------+-----------------+----+--------------------------------------------------------------------------------------------------------+------+
|  1 | 64KB      | Framed-Protocol | =  | PPP                                                                                                    |    0 |
|  2 | 64KB      | Framed-MTU      | =  | 1400                                                                                                   |    0 |
|  3 | 64KB      | Service-Type    | =  | Framed-User                                                                                            |    0 |
|  4 | 128KB     | Framed-Protocol | =  | PPP                                                                                                    |    0 |
|  5 | 128KB     | Framed-MTU      | =  | 1450                                                                                                   |    0 |
|  6 | 128KB     | Service-Type    | =  | Framed-User                                                                                            |    0 |
|  7 | 128KB     | Cisco-Avpair    | =  | lcp:interface-config#1=rate-limit output 128000 10000 10000 conform-action continue exceed-action drop |    0 |
+----+-----------+-----------------+----+--------------------------------------------------------------------------------------------------------+------+
7 rows in set (0.00 sec)


mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | satish   | 64KB      |
|  3 | priya    | 128KB     |
+----+----------+-----------+
2 rows in set (0.00 sec)

________________________________________________________

Simultanious Login configuration ( edit this file /etc/raddb/sql.conf )

 #######################################################################
        # Simultaneous Use Checking Queries
        #######################################################################
        # simul_count_query     - query for the number of current connections
        #                       - If this is not defined, no simultaneouls use checking
        #                       - will be performed by this module instance
        # simul_verify_query    - query to return details of current connections for verification
        #                       - Leave blank or commented out to disable verification step
        #                       - Note that the returned field order should not be changed.
        #######################################################################

        # Uncomment simul_count_query to enable simultaneous use checking
         simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
        simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

____________________________________________________________



My Sqlcounter.conf file for time limit for user and u cat read more about in freeradius tarball doc directory there is some more help regarding sqlcounter.conf

edit file   /etc/raddb/sqlcounter.conf

suse:/etc/raddb # cat sqlcounter.conf
sqlcounter noresetcounter {
            counter-name = Max-All-Session-Time
            check-name = Max-All-Session
            sqlmod-inst = sql
            key = User-Name
            reset = never
            query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"

}

sqlcounter dailycounter {
            driver = "rlm_sqlcounter"
            counter-name = Daily-Session-Time
            check-name = Max-Daily-Session
            sqlmod-inst = sqlcca3
            key = User-Name
            reset = daily
            query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"

}

sqlcounter monthlycounter {
            counter-name = Monthly-Session-Time
            check-name = Max-Monthly-Session
            sqlmod-inst = sqlcca3
            key = User-Name
            reset = monthly
            query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"

}
___________________________________________________________

/etc/raddbd/client.conf


My client.conf  u have to change NAS type when u use Simultanious use with Mysql databases so take care of this configuration 

In my care i have useing other caz my cisco not support it so if u would use NAS type other it will work fine ....enjoy

client 127.0.0.1 {
        secret          = testing123
        shortname       = localhost
}
client 71.5.250.199 {
        secret          = tulipconnect
        shortname       = test
        nastype         = other  <----------  ( care full about it if u want to simultanous user tih mysql ) 
}

_________________________________________________________

/etc/raddb/radius.conf

My main radius.conf file 

prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        $INCLUDE ${confdir}/sqlcounter.conf

        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                radwtmp = ${logdir}/radwtmp
        }
$INCLUDE ${confdir}/eap.conf
        mschap {
                authtype = MS-CHAP

        }
        ldap {
                server = "ldap.your.domain"
                basedn = "o=My Org,c=UA"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                edir_account_policy_check=no
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
        $INCLUDE  ${confdir}/sql.conf


        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}
instantiate {
        exec
        expr
}
authorize {
        preprocess

        chap
        mschap
        suffix
        sql
        noresetcounter
        dailycounter
        monthlycounter
        daily
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        daily
        unix
        sql
        radutmp
}
session {
        sql
}
post-auth {
}
pre-proxy {
}
post-proxy {
        eap
}


_________________________________________________________



I will charge for this document and help ....................Kidding...........><))));>


contect me if u get more help regarding freeradius 

Name :- Satish Patel
Company:- Tulip It Services ( Data Center ) ( Delhi )
Email :- linuxtrap at yahoo.co.in
Mobile : - +91-9818875535













satish patel <linuxtrap at yahoo.co.in> wrote: Thx dear ...
 
                
 Satish Patel

Alexander Serkin <als at cell.ru> wrote: satish patel wrote:
> Thanks  dear
> 
>                        now my cisco-AVPair working with users file but 
> tell me is it work with mysql tables ?  but i have notice when i set 

why not?

> 64000 then my bandwidth meter give me 500 kbps u r passing is it any 
> issue regarding rate-limit ???

I'm not aware about any rate-limit issues. It may depend on platform and 
IOS version.
You should accurately check which attributes you're giving by the radius 
running it in debug mode (radiusd -X) or say "debug radius" on cisco box 
to check the request/accept attributes. If your cisco is in production 
don't forget to set debug condition  on username tested in order to limit 
debug output to the session being tested.

-- 
Sincerely Yours,
Alexander
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

         

---------------------------------
  Here’s a new way to find what you're looking for - Yahoo! Answers - 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 				
---------------------------------
 Here’s a new way to find what you're looking for - Yahoo! Answers 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070122/80203d22/attachment.html>


More information about the Freeradius-Users mailing list