From users file to SQL

tnt at kalik.co.yu
Tue Jun 5 11:16:15 CEST 2007


It will work fine if you set the pool to override the IP address already
set.

1. Leave the # Default profile for everyone in the users file

2. Make groups SUSPENDED, DSL500 etc. in groupcheck table. You need 2
entries for group SUSPENDED, and one for others:

(GroupName, Attribute, op, Value)
SUSPENDED, Auth-Type, :=, Accept
SUSPENDED, Pool-Name, :=, disabled

DSL500, Pool-Name, :=, dsl500

3. Make groupreply entries:

(GroupName, Attribute, op, Value)
DSL500, Qos-Policy-Metering, :=, DL512
DSL500, Qos-Policy-Policing, :=, UL128

4. Create user entries in radcheck table:

(UserName, Attribute, op, Value)
testuser, Cleartext-Password, :=, test

5. Set static IP addresses and routes in radreply table:

(UserName, Attribute, op, Value)
testuser, Framed-IP-Address, :=, ...
etc.

6. Connect users to groups in usergroup table

If the user is suspended, the IP address from the "disabled" IP pool will
override the static IP address from the radreply table. Without the
correct IP address the route won't work.

WARNING: Are you sure that you don't want to reject connections from
suspended/non-existent users? All they have to do is set a static IP
address from your pool on their end (it's ever so simple to force a
static IP address in Connection Properties) and gain access.


On 5/6/2007, "David Majorel" <dm at lagoon.nc> writes:

>Hi,
>
>I need to convert my users/group file to rlm_sql, but after reading the wiki,
>I can't figure out how to reproduce the flow.
>
>I want to authorize all connections, except if the user exists and the
>password is wrong. If the user doesn't exist or is disabled, I set an
>unrouteable address to the user. The point is to prevent DSL routers from
>continually trying to connect when they are misconfigured, or the customer is suspended.
>I use rlm_sql and rlm_sqlippool with a MySQL backend.
>
>The users file I try to convert looks like this :
>
>------
># Default profile for everyone
>
>DEFAULT Pool-Name = "default"
>  Service-Type = Framed-User,
>  Framed-Protocol = PPP,
>  Framed-IP-Netmask = 255.255.255.254,
>  Framed-MTU = 1492,
>  Framed-Compression = Van-Jacobson-TCP-IP,
>  Qos-Policy-Metering = DL128,
>  Qos-Policy-Policing = UL64,
>  Fall-Through = Yes
>
># Set group attributes
>
>DEFAULT Group-Name == "SUSPENDED", Auth-Type := Accept, \
>Pool-Name := "disabled"
>
>DEFAULT Group-Name == "DSL500", Pool-Name := "dsl500"
>  Qos-Policy-Metering := DL512,
>  Qos-Policy-Policing := UL128,
>  Fall-Through = Yes
>
>[... more groups ...]
>
># Set user attributes
>
>testuser ClearText-Password := 'test'
>  Framed-IP-Address := [...],
>  Framed-Route := [...],
>  Framed-IP-Netmask := [...],
>
>[... more users ...]
>
>DEFAULT Auth-Type := Accept
>------
>
>
>According to the wiki, rlm_sql processes users first, then groups. With this
>order, a user could have his IP/routes set even if he is disabled (because he
>is not rejected).
>As I have about 10000 users, using big users/group files is not really an
>option :-)
>
>Maybe I did something wrong, any help would be appreciated.
>
>Thanks,
>--
>David Majorel
>Offratel/Lagoon ISP
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
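The six steps in the reply above, written out as MySQL statements; this is an added worked example, not SQL from either poster. It assumes the FreeRADIUS default SQL schema (the reply's "groupcheck"/"groupreply" tables are named radgroupcheck/radgroupreply there, with the column names the reply lists), and the addresses, netmask and route values are placeholders made up for the example. The final query lists the check and reply items in the order rlm_sql applies them (user items first, then group items), which is what makes a group ':=' override the per-user static address.

```sql
-- Added example (not from the original post): the users-file conversion as
-- MySQL against the FreeRADIUS default schema. Table and column names are
-- the schema defaults; IP addresses and route values below are placeholders.

-- Step 2: group check items. SUSPENDED still accepts the session but forces
-- the "disabled" pool; DSL500 only selects its pool.
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES
  ('SUSPENDED', 'Auth-Type', ':=', 'Accept'),
  ('SUSPENDED', 'Pool-Name', ':=', 'disabled'),
  ('DSL500',    'Pool-Name', ':=', 'dsl500');

-- If, as the reply's WARNING suggests, suspended users should be rejected
-- rather than parked on an unrouteable address, replace the two SUSPENDED
-- rows above with this single one instead:
-- INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
--   VALUES ('SUSPENDED', 'Auth-Type', ':=', 'Reject');

-- Step 3: group reply items (the QoS profile for DSL500).
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES
  ('DSL500', 'Qos-Policy-Metering', ':=', 'DL512'),
  ('DSL500', 'Qos-Policy-Policing', ':=', 'UL128');

-- Step 4: user check items.
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
  ('testuser', 'Cleartext-Password', ':=', 'test');

-- Step 5: static address and route for the user (placeholder values).
INSERT INTO radreply (UserName, Attribute, op, Value) VALUES
  ('testuser', 'Framed-IP-Address', ':=', '10.0.0.1'),
  ('testuser', 'Framed-IP-Netmask', ':=', '255.255.255.254'),
  ('testuser', 'Framed-Route',      ':=', '10.0.0.0/31 10.0.0.1 1');

-- Step 6: group membership.
INSERT INTO usergroup (UserName, GroupName) VALUES ('testuser', 'DSL500');

-- Suspending the user is then a one-row change: the SUSPENDED group's
-- Pool-Name := disabled is applied after the user's radreply items.
UPDATE usergroup SET GroupName = 'SUSPENDED' WHERE UserName = 'testuser';

-- Show what the server will see for the user, in the order rlm_sql applies
-- it (user items first, then group items), so a group ':=' wins.
SELECT 1 AS seq, 'radcheck' AS src, Attribute, op, Value
  FROM radcheck WHERE UserName = 'testuser'
UNION ALL
SELECT 2, 'radreply', Attribute, op, Value
  FROM radreply WHERE UserName = 'testuser'
UNION ALL
SELECT 3, 'radgroupcheck', rg.Attribute, rg.op, rg.Value
  FROM usergroup ug JOIN radgroupcheck rg ON rg.GroupName = ug.GroupName
 WHERE ug.UserName = 'testuser'
UNION ALL
SELECT 4, 'radgroupreply', rg.Attribute, rg.op, rg.Value
  FROM usergroup ug JOIN radgroupreply rg ON rg.GroupName = ug.GroupName
 WHERE ug.UserName = 'testuser'
ORDER BY seq;
```

After the UPDATE, the last query returns the user's Framed-IP-Address row (seq 2) followed by the SUSPENDED group's Pool-Name := disabled row (seq 3); with rlm_sqlippool configured to override an already-set address, the pool address replaces the static one, which is the behaviour the reply describes. Note that the query only shows what is stored; which address the session actually gets depends on the sqlippool configuration.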




More information about the Freeradius-Users mailing list