How to send different attributes to different NASes
Медведев Максим
sp_root at mail.ru
Tue Sep 25 13:48:46 CEST 2007
Hi,
freeradius 1.1.7 + postgres 8.1.9
radgroupcheck does not work ((
http://wiki.freeradius.org/Rlm_sql
Point 5 there does not work ((
Why are the reply attributes of both groups combined (added together) in the Access-Accept, instead of only those of the group whose check items match?
Help me!
Full info:
-- Check/reply data for user "sproot" (FreeRADIUS 1.1.7 + PostgreSQL 8.1.9).
-- NOTE(review): the password is stored in cleartext. That is unavoidable here
-- because the NAS authenticates with CHAP (see CHAP-Password in the debug
-- output below), so the "radius" DB account, this table and any dumps/backups
-- must be protected accordingly.
INSERT INTO radcheck (id, username, attribute, op, value) VALUES (1, 'sproot', 'User-Password', '==', '123');
-- Per-group check items. The intent is that a group's reply items are only
-- applied when its check items match the request: Huntgroup-Name is assigned
-- by rlm_preprocess from the huntgroups file, Client-IP-Address is the address
-- the request arrived from (both visible in the debug output below).
INSERT INTO radgroupcheck (id, groupname, attribute, op, value) VALUES (2, 'juniper_pppoe_64k', 'Huntgroup-Name', '==', 'juniper');
INSERT INTO radgroupcheck (id, groupname, attribute, op, value) VALUES (1, 'cisco_pppoe_64k', 'Client-IP-Address', '==', '172.25.0.1');
-- Cisco group reply items: two Cisco-AVPair values; the second uses '+=' so it
-- is appended to the reply rather than replacing the first.
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (1, 'cisco_pppoe_64k', 'Cisco-AVPair', '=', 'lcp:interface-config#1=rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (2, 'cisco_pppoe_64k', 'Cisco-AVPair', '+=', 'lcp:interface-config#1=rate-limit output 64000 8000 8000 conform-action transmit exceed-action drop');
-- Juniper (ERX) group reply items.
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (3, 'juniper_pppoe_64k', 'ERX-Egress-Policy-Name', '=', 'pppoe-64kbps-policy');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (4, 'juniper_pppoe_64k', 'ERX-Egress-Statistics', '=', '1');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (5, 'juniper_pppoe_64k', 'ERX-Ingress-Policy-Name', '=', 'pppoe-64kbps-policy');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (6, 'juniper_pppoe_64k', 'ERX-Ingress-Statistics', '=', '1');
-- NOTE(review): 1.1.1.1 and 2.2.2.2 are publicly routed addresses, not
-- documentation/placeholder space; make sure these are the intended resolvers.
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (7, 'juniper_pppoe_64k', 'ERX-Primary-Dns', '=', '1.1.1.1');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (8, 'juniper_pppoe_64k', 'ERX-Secondary-Dns', '=', '2.2.2.2');
-- Per-user reply items: a fixed address with a /32 netmask.
INSERT INTO radreply (id, username, attribute, op, value) VALUES (1, 'sproot', 'Framed-IP-Address', '=', '192.168.1.2');
INSERT INTO radreply (id, username, attribute, op, value) VALUES (2, 'sproot', 'Framed-IP-Netmask', '=', '255.255.255.255');
-- Group membership: both groups at priority 0. The group_membership_query in
-- the sql module config has no ORDER BY, so the order in which the groups are
-- evaluated is not defined by this data.
INSERT INTO usergroup (username, groupname, priority) VALUES ('sproot', 'cisco_pppoe_64k', 0);
INSERT INTO usergroup (username, groupname, priority) VALUES ('sproot', 'juniper_pppoe_64k', 0);
################################
"huntgroups" file:
# huntgroups: maps the sending NAS (by NAS-IP-Address) to a Huntgroup-Name,
# which the radgroupcheck rows then match on.
# NOTE(review): 172.25.0.10 has no matching client {} entry in clients.conf
# (only 127.0.0.1, 10.0.1.2 and 172.25.0.1 are listed), so requests from the
# Juniper NAS would be dropped as unknown-client before this lookup ever runs.
juniper NAS-IP-Address == 172.25.0.10
cisco NAS-IP-Address == 172.25.0.1
################################
"users" file:
# users: a single DEFAULT entry limiting every user to one concurrent session
# (enforced via the session { sql } section / simul_count_query) and falling
# through so the sql module's own check/reply items still apply.
# NOTE(review): in the real file the reply line (Fall-Through) must be indented
# under the DEFAULT line; the indentation was presumably lost in the paste.
DEFAULT Simultaneous-Use := 1
Fall-Through = 1
################################
"clients.conf" file:
# Local test client.
# NOTE(review): "testing123" is the example secret shipped with the default
# clients.conf; replace it with a long random value before this box is reachable
# from anything other than localhost.
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
}
# The server's own address (bind_address = 10.0.1.2 in radius.conf).
# NOTE(review): same shipped example secret as above, and the shortname
# "localhost" is already used by the 127.0.0.1 entry, which makes log lines
# for the two clients indistinguishable.
client 10.0.1.2 {
secret = testing123
shortname = localhost
nastype = other
}
# The Cisco PPPoE NAS that sent the Access-Request in the debug output.
# NOTE(review): a 4-character shared secret ("test") is trivially brute-forced
# from a captured request/response pair; use a long random secret. nastype is
# presumably what checkrad uses when radutmp's check_with_nas = yes queries
# the NAS.
client 172.25.0.1 {
secret = test
shortname = nas.lan
nastype = cisco
}
################################
"postgresql.conf" file:
# rlm_sql instance backed by PostgreSQL.
sql {
driver = "rlm_sql_postgresql"
server = "localhost"
# NOTE(review): DB credentials are in cleartext here; this file must be
# readable only by the radius user/group the daemon runs as.
login = "radius"
password = "diametr"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
# Enables the group check/reply queries below (radgroupcheck/radgroupreply
# joined through usergroup).
read_groups = yes
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "usergroup"
deletestalesessions = no
# NOTE(review): sqltrace writes every expanded query (usernames, NAS
# addresses, Calling-Station-Id, session ids, ...) to sqltracefile. Fine while
# debugging this problem; turn it off, or lock the file down, in production.
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
# SQL-User-Name is derived from this expansion and is the username key the
# queries below are expected to use.
sql_user_name = "%{User-Name}"
authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
FROM ${authcheck_table} \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
FROM ${authreply_table} \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"
# NOTE(review): both group queries join usergroup to the group tables for
# *every* group the user belongs to, so a single query returns the check items
# of all groups together, and another returns the reply items of all groups
# together. That is consistent with the debug output below, where the reply
# attributes of both cisco_pppoe_64k and juniper_pppoe_64k are sent even though
# Huntgroup-Name is "cisco". If this rlm_sql build evaluates groups one at a
# time and exposes the current group as %{Sql-Group}, each query should be
# restricted to that group (e.g. WHERE ${groupcheck_table}.GroupName =
# '%{Sql-Group}') instead of the usergroup join -- verify against the
# sql.conf shipped with 1.1.7.
authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName, \
${groupcheck_table}.Attribute, ${groupcheck_table}.Value,${groupcheck_table}.Op \
FROM ${groupcheck_table}, ${usergroup_table} \
WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
ORDER BY ${groupcheck_table}.id"
authorize_group_reply_query = "SELECT ${groupreply_table}.id, ${groupreply_table}.GroupName, ${groupreply_table}.Attribute, \
${groupreply_table}.Value, ${groupreply_table}.Op \
FROM ${groupreply_table},${usergroup_table} \
WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \
ORDER BY ${groupreply_table}.id"
# NOTE(review): this is the only query that interpolates the raw %{User-Name}
# instead of %{SQL-User-Name}. Use SQL-User-Name consistently so the username
# reaches every query through the same sql_user_name derivation; if this build
# does not escape xlat expansions inside queries, the raw value is an SQL
# injection vector -- verify.
authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} \
WHERE UserName = '%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) \
ORDER BY Attribute DESC"
# No ORDER BY: the order in which a user's groups are processed is undefined.
group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
# Used by the session { sql } section for the Simultaneous-Use check; counts
# radacct rows without a stop time.
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
# NOTE(review): the column list includes non-standard columns
# (XAscendSessionSvrKey, ERX*, CiscoAVPair), so this assumes a customised
# radacct schema. Empty Framed-IP-Address is mapped to NULL via NULLIF.
accounting_start_query = "INSERT into ${acct_table1} \
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, \
ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey, \
ERXIngressPolicyName, ERXEgressPolicyName, ERXPppoeDescription, CiscoAVPair) \
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', \
'%{NAS-Port}', '%{NAS-Port-Type}', ('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval), '%{Acct-Authentic}', '%{Connect-Info}', \
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', \
NULLIF('%{Framed-IP-Address}', '')::inet, 0, '%{X-Ascend-Session-Svr-Key}', '%{ERX-Ingress-Policy-Name}', '%{ERX-Egress-Policy-Name}', '%{ERX-Pppoe-Description}', '%{Cisco-AVPair}')"
# Stop: closes the open row matched on session id + user + NAS; octet counters
# combine the Gigawords high word with the 32-bit low word.
accounting_stop_query = "UPDATE ${acct_table2} \
SET AcctStopTime = ('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval), \
AcctSessionTime = NULLIF('%{Acct-Session-Time}', '')::bigint, \
AcctInputOctets = (('%{Acct-Input-Gigawords:-0}'::bigint << 32) + '%{Acct-Input-Octets:-0}'::bigint), \
AcctOutputOctets = (('%{Acct-Output-Gigawords:-0}'::bigint << 32) + '%{Acct-Output-Octets:-0}'::bigint), \
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = 0, \
FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' \
WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' \
AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
}
################################
"radius.conf" file:
# radius.conf (FreeRADIUS 1.1.7): install paths, process identity, global
# limits and includes.
prefix = /opt/freeradius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
# Unprivileged identity for the daemon. The files holding secrets
# (clients.conf, postgresql.conf) should be readable by this user/group only.
user = radius
group = radius
max_request_time = 20
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 5120000
# Listens on 10.0.1.2 only; port = 0 presumably selects the default RADIUS
# ports (as documented in the stock radiusd.conf -- verify).
bind_address = "10.0.1.2"
port = 0
hostname_lookups = no
# Keep off: a core file would contain shared secrets and cleartext passwords.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
# Good: authentication results are logged, passwords (good or bad) are not.
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
# External helper used by radutmp (check_with_nas = yes) to ask the NAS whether
# a session is still alive.
checkrad = ${sbindir}/checkrad
security {
# Per-packet attribute cap, limits damage from oversized/malformed requests.
max_attributes = 50
# Delay (seconds) before an Access-Reject is sent, intended to slow online
# password guessing.
reject_delay = 1
# Status-Server probes are not answered.
status_server = no
}
# Proxying is off; proxy.conf is still included but effectively unused.
proxy_requests = no
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
# Worker thread pool sizing; each worker is recycled after 500 requests.
thread pool {
start_servers = 32
max_servers = 64
min_spare_servers = 8
max_spare_servers = 32
max_requests_per_server = 500
}
# Module instances. Several of these (pam, unix, ldap, checkval, counter daily,
# exec echo, ippool main_pool, sradutmp, attr_filter, always *) are defined but
# not referenced by any processing section later in this file.
modules {
pap {
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
}
# NOTE(review): placeholder LDAP settings (ldap.your.domain, "o=My Org,c=UA")
# with start_tls = no. Unused by the sections below, so harmless for now, but
# enable TLS before this instance is ever added to authorize, or bind
# credentials and lookups go over the wire in the clear.
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
# Assigns Huntgroup-Name from the huntgroups file; the radgroupcheck rows in
# the SQL data depend on this running first in authorize.
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
# Accounting detail: one file per client address per day, group-readable.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0640
}
# Called from authorize: records the whole Access-Request, which here includes
# CHAP-Password (and would include User-Password for PAP clients). 0600 is the
# right permission for that; treat these files as sensitive.
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
}
# Called from post-auth: records the reply packet.
detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/postgresql.conf
# check_with_nas = yes presumably asks the NAS (via the checkrad path in
# radius.conf, using the client's nastype) whether a session is really still
# up before a Simultaneous-Use violation is reported.
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
# NOTE(review): perm = 0644 makes this session file world-readable (usernames
# and NAS/port data; caller IDs are excluded by callerid = "no"). Not referenced
# by any section below.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
# Unused example: passes the request's User-Name as a program argument.
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
# Unused here; addresses are assigned statically via radreply instead.
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
# Modules loaded at start-up even though no section calls them directly.
instantiate {
exec
expr
}
# Order matters: preprocess must set Huntgroup-Name before sql evaluates the
# radgroupcheck rows; auth_log writes the raw request (including CHAP-Password)
# to disk; chap/mschap presumably select Auth-Type when their password
# attributes are present; files (users: Simultaneous-Use, Fall-Through) and
# then sql supply check/reply items; pap runs last so it sees any password
# fetched from SQL.
authorize {
preprocess
auth_log
chap
mschap
files
sql
pap
}
# PAP, CHAP and MS-CHAP only; all three need the cleartext password from
# radcheck (the request in the debug output below is CHAP).
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
}
# Accounting pre-processing: huntgroup assignment, unique session id, acct_users.
preacct {
preprocess
acct_unique
files
}
# Accounting is written both to the per-client detail files and to radacct.
accounting {
detail
sql
}
# Simultaneous-Use is checked against radacct (simul_count_query), not radutmp.
session {
sql
}
# Every reply is dumped to the reply-detail files (0600).
post-auth {
reply_log
}
# Empty: proxying is disabled (proxy_requests = no).
pre-proxy {
}
post-proxy {
}
################################
Packet-Type = Access-Request
Sun Sep 23 02:40:21 2007
Cisco-AVPair = "client-mac-address=000c.293b.eba6"
Framed-Protocol = PPP
User-Name = "sproot"
CHAP-Password = 0x017c2048ee32d9a2fbe809c193930c17b3
NAS-Port-Type = Virtual
NAS-Port = 268435472
NAS-Port-Id = "1/0/0/0"
Service-Type = Framed-User
NAS-IP-Address = 172.25.0.1
Acct-Session-Id = "00000010"
Client-IP-Address = 172.25.0.1
CHAP-Challenge = 0xd59ee4fe7f305d7d9aace2827f6d2b72
Huntgroup-Name = "cisco"
Packet-Type = Access-Accept
Sun Sep 23 02:40:21 2007
Framed-IP-Address = 192.168.1.2
Framed-IP-Netmask = 255.255.255.255
Cisco-AVPair = "lcp:interface-config#1=rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop"
Cisco-AVPair += "lcp:interface-config#1=rate-limit output 64000 8000 8000 conform-action transmit exceed-action drop"
ERX-Egress-Policy-Name = "pppoe-64kbps-policy"
ERX-Egress-Statistics = enable
ERX-Ingress-Policy-Name = "pppoe-64kbps-policy"
ERX-Ingress-Statistics = enable
ERX-Primary-Dns = 1.1.1.1
ERX-Secondary-Dns = 2.2.2.2
P.S.
Sorry for my bad English...