How to send different attributes a miscellaneous nas

Медведев Максим sp_root at mail.ru
Tue Sep 25 13:48:46 CEST 2007


Hi,

freeradius 1.1.7 + postgres 8.1.9

radgroupcheck not work ((

http://wiki.freeradius.org/Rlm_sql
point 5 not work ((

Why attributes are summarised ?

Help me!

Full info:


INSERT INTO radcheck (id, username, attribute, op, value) VALUES (1, 'sproot', 'User-Password', '==', '123');

INSERT INTO radgroupcheck (id, groupname, attribute, op, value) VALUES (2, 'juniper_pppoe_64k', 'Huntgroup-Name', '==', 'juniper');
INSERT INTO radgroupcheck (id, groupname, attribute, op, value) VALUES (1, 'cisco_pppoe_64k', 'Client-IP-Address', '==', '172.25.0.1');


INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (1, 'cisco_pppoe_64k', 'Cisco-AVPair', '=', 'lcp:interface-config#1=rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (2, 'cisco_pppoe_64k', 'Cisco-AVPair', '+=', 'lcp:interface-config#1=rate-limit output 64000 8000 8000 conform-action transmit exceed-action drop');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (3, 'juniper_pppoe_64k', 'ERX-Egress-Policy-Name', '=', 'pppoe-64kbps-policy');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (4, 'juniper_pppoe_64k', 'ERX-Egress-Statistics', '=', '1');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (5, 'juniper_pppoe_64k', 'ERX-Ingress-Policy-Name', '=', 'pppoe-64kbps-policy');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (6, 'juniper_pppoe_64k', 'ERX-Ingress-Statistics', '=', '1');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (7, 'juniper_pppoe_64k', 'ERX-Primary-Dns', '=', '1.1.1.1');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (8, 'juniper_pppoe_64k', 'ERX-Secondary-Dns', '=', '2.2.2.2');


INSERT INTO radreply (id, username, attribute, op, value) VALUES (1, 'sproot', 'Framed-IP-Address', '=', '192.168.1.2');
INSERT INTO radreply (id, username, attribute, op, value) VALUES (2, 'sproot', 'Framed-IP-Netmask', '=', '255.255.255.255');


INSERT INTO usergroup (username, groupname, priority) VALUES ('sproot', 'cisco_pppoe_64k', 0);
INSERT INTO usergroup (username, groupname, priority) VALUES ('sproot', 'juniper_pppoe_64k', 0);

################################

"huntgroups" file:

juniper         NAS-IP-Address == 172.25.0.10
cisco           NAS-IP-Address == 172.25.0.1

################################

"users" file:

DEFAULT         Simultaneous-Use := 1
                Fall-Through = 1

################################

"clients.conf" file:

client 127.0.0.1 {
        secret          = testing123
        shortname       = localhost
        nastype         = other
}

client 10.0.1.2 {
        secret          = testing123
        shortname       = localhost
        nastype         = other
}

client 172.25.0.1 {
        secret      = test
        shortname   = nas.lan
        nastype     = cisco
}

################################

"postgresql.conf" file:

sql {
        driver = "rlm_sql_postgresql"
        server = "localhost"
        login = "radius"
        password = "diametr"
        radius_db = "radius"

        acct_table1 = "radacct"
        acct_table2 = "radacct"

        read_groups = yes

        postauth_table = "radpostauth"

        authcheck_table = "radcheck"
        authreply_table = "radreply"

        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"

        usergroup_table = "usergroup"

        deletestalesessions = no

        sqltrace = yes
        sqltracefile = ${logdir}/sqltrace.sql

        num_sql_socks = 5

        sql_user_name = "%{User-Name}"

        authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
                FROM ${authcheck_table} \
                WHERE Username = '%{SQL-User-Name}' \
                ORDER BY id"

        authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
                FROM ${authreply_table} \
                WHERE Username = '%{SQL-User-Name}' \
                ORDER BY id"

        authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName, \
                ${groupcheck_table}.Attribute, ${groupcheck_table}.Value,${groupcheck_table}.Op \
                FROM ${groupcheck_table}, ${usergroup_table} \
                WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
                ORDER BY ${groupcheck_table}.id"

        authorize_group_reply_query = "SELECT ${groupreply_table}.id, ${groupreply_table}.GroupName, ${groupreply_table}.Attribute, \
                ${groupreply_table}.Value, ${groupreply_table}.Op \
                FROM ${groupreply_table},${usergroup_table} \
                WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \
                ORDER BY ${groupreply_table}.id"

        authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} \
                WHERE UserName = '%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) \
                ORDER BY Attribute DESC"

        group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"

        simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"

        accounting_start_query = "INSERT into ${acct_table1} \
                (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, \
                ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey, \
                ERXIngressPolicyName, ERXEgressPolicyName, ERXPppoeDescription, CiscoAVPair) \
                values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', \
                '%{NAS-Port}', '%{NAS-Port-Type}', ('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval), '%{Acct-Authentic}', '%{Connect-Info}', \
                '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', \
                NULLIF('%{Framed-IP-Address}', '')::inet, 0, '%{X-Ascend-Session-Svr-Key}', '%{ERX-Ingress-Policy-Name}', '%{ERX-Egress-Policy-Name}', '%{ERX-Pppoe-Description}', '%{Cisco-AVPair}')"

        accounting_stop_query = "UPDATE ${acct_table2} \
                SET AcctStopTime = ('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval), \
                AcctSessionTime = NULLIF('%{Acct-Session-Time}', '')::bigint, \
                AcctInputOctets = (('%{Acct-Input-Gigawords:-0}'::bigint << 32) + '%{Acct-Input-Octets:-0}'::bigint), \
                AcctOutputOctets = (('%{Acct-Output-Gigawords:-0}'::bigint << 32) + '%{Acct-Output-Octets:-0}'::bigint), \
                AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = 0, \
                FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' \
                WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' \
                AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
}

################################

"radius.conf" file:

prefix = /opt/freeradius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radius
group = radius
max_request_time = 20
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 5120000
bind_address = "10.0.1.2"
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 50
        reject_delay = 1
        status_server = no
}
proxy_requests  = no
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 32
        max_servers = 64
        min_spare_servers = 8
        max_spare_servers = 32
        max_requests_per_server = 500
}
modules {
        pap {
                auto_header = yes
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                radwtmp = ${logdir}/radwtmp
        }
$INCLUDE ${confdir}/eap.conf
        mschap {
        }
        ldap {
                server = "ldap.your.domain"
                basedn = "o=My Org,c=UA"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                edir_account_policy_check=no
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }
        
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0640
        }
         detail auth_log {
                 detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
                 detailperm = 0600
         }
         detail reply_log {
                 detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
                 detailperm = 0600
         }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
        $INCLUDE  ${confdir}/postgresql.conf
        
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}
instantiate {
        exec
        expr
}
authorize {
        preprocess
        auth_log
        chap
        mschap
        files
        sql
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
}
preacct {
        preprocess
        acct_unique
        files
}
accounting {
        detail
        sql
}
session {
        sql
}
post-auth {
        reply_log
}
pre-proxy {
}
post-proxy {
}

################################

Packet-Type = Access-Request
Sun Sep 23 02:40:21 2007
        Cisco-AVPair = "client-mac-address=000c.293b.eba6"
        Framed-Protocol = PPP
        User-Name = "sproot"
        CHAP-Password = 0x017c2048ee32d9a2fbe809c193930c17b3
        NAS-Port-Type = Virtual
        NAS-Port = 268435472
        NAS-Port-Id = "1/0/0/0"
        Service-Type = Framed-User
        NAS-IP-Address = 172.25.0.1
        Acct-Session-Id = "00000010"
        Client-IP-Address = 172.25.0.1
        CHAP-Challenge = 0xd59ee4fe7f305d7d9aace2827f6d2b72
        Huntgroup-Name = "cisco"


Packet-Type = Access-Accept
Sun Sep 23 02:40:21 2007
        Framed-IP-Address = 192.168.1.2
        Framed-IP-Netmask = 255.255.255.255
        Cisco-AVPair = "lcp:interface-config#1=rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop"
        Cisco-AVPair += "lcp:interface-config#1=rate-limit output 64000 8000 8000 conform-action transmit exceed-action drop"
        ERX-Egress-Policy-Name = "pppoe-64kbps-policy"
        ERX-Egress-Statistics = enable
        ERX-Ingress-Policy-Name = "pppoe-64kbps-policy"
        ERX-Ingress-Statistics = enable
        ERX-Primary-Dns = 1.1.1.1
        ERX-Secondary-Dns = 2.2.2.2


P.S.
sorry for my bad english...





More information about the Freeradius-Users mailing list