Dear all,

I have tried the configuration as attached; it seems that it is
partly functioning.

My problems are:
1. If one of the users has used all of its quota, the other users are not able
to connect.
2. If the user reconnects immediately after the disconnection, it seems
that the accounting file is not updated correctly.
3. With reference to the log (as attached), the log is for the case where the
user is logging in for the first time (not before); the reply-message
"You've used up more than one min today" is sent to the user. I think it
is not correct since it is the first time of logging in!

How can I solve the above problems? Thank you very much for your help!

Kenneth

On Thu, 9 May 2002, Kostas Kalevras wrote:

> On Thu, 9 May 2002, Kenneth Lee wrote:
>
> > the following is part of the configuration:
> >
> > in radiusd.conf:
> > counter {
> >         filename = ${raddbdir}/db.counter
> >         key = User-Name
> >         count-attribute = Acct-Session-Time
> >         reset = daily
> >         counter-name = Daily-Session-Time
> >         check-name = Max-Daily-Session
> >         allowed-servicetype = Framed-User
> >         cache-size = 5000
> > }
> > accounting {
> > #       acct_unique
> >         detail
> >         counter
> > #       unix
> >         radutmp
> > #       sradutmp
> > }
> > authorize {
> >         preprocess
> >         counter
> > #       attr_filter
> > #       eap
> >         suffix
> >         files
> > #       mschap
> > }
> >
> > in users:
> > freeradius      Auth-Type := Local, User-Password == "freeradius"
> >                 Service-Type = Framed-User,
> >                 Framed-Protocol = PPP
> >
> > DEFAULT Daily-Session-Time > 60, Auth-Type = Reject
> >         Reply-Message = "You've used up more than one min Today"
> >
> > However, when I run the radiusd with -xx option, during a user
> > "freeradius" logging in, the following are displayed on the server:
> >
> > modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> > rlm_counter: Entering module authorize code
> > rlm_counter: Could not find Check item value pair
> > *****  modcall[authorize]: module "counter" returns noop
> >   modcall[authorize]: module "suffix" returns ok
> >     users: Matched freeradius at 90
> >   modcall[authorize]: module "files" returns ok
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type Local
> > auth: type Local
> > auth: user supplied User-Password matches local User-Password
> >
> > As you can see (marked with *****), the counter module returns noop, and I
> > find that even after the quota (60s, in this case) has passed, the client can still
> > connect to the RAS.
> >
> > Does anyone know why this would happen? I use almost all default configuration,
> > but cannot succeed. Thanks very much for your help!
>
> Well, first of all it worked just great here. Try sending manually an
> Accounting-Stop with Acct-Session-Time around 100 and see what happens.
>
> Now counter-name and check-item are two separate things. The first one is an
> attribute 'produced' by the counter module when you do a comparison. What
> happens is that the counter module registers a compare function for that
> attribute. This function has nothing to do with the counter module authorize
> function. You could remove it from the authorize section and it would work just
> great. The check-item is another attribute created by the counter module. This
> is a check item which should contain the allowed daily/weekly/monthly/whatever
> session for a user. The idea is to be able to set this limit for each user. You
> can use it like this:
>
> DEFAULT       Max-Daily-Session := 14400
>       Fall-Through = Yes
>
> --
> Kostas Kalevras               Network Operations Center
> [EMAIL PROTECTED]    National Technical University of Athens, Greece
> Work Phone:           +30 10 7721861
> 'Go back to the shadow'       Gandalf
>
>
>
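
The counter behaviour Kostas describes above, together with the `counter` comments in the attached radiusd.conf, as an added Python model (not part of the original thread and not FreeRADIUS code). The class, its method names, the return values and the reject rule are assumptions made for illustration; the attribute names come from the quoted configuration.

```python
"""Simplified model of the counter module discussed in this thread.

Added illustration, not FreeRADIUS source code. Return codes and the
reject rule are assumptions based on the config comments and the debug
output quoted on this page.
"""
from dataclasses import dataclass, field

DAY = 86400  # "reset = daily" modelled as fixed 24-hour windows (assumption)


@dataclass
class CounterModule:
    key: str = "User-Name"
    count_attribute: str = "Acct-Session-Time"
    check_name: str = "Max-Daily-Session"
    reset_period: int = DAY  # 0 models "reset = never"
    counters: dict = field(default_factory=dict)
    window_start: int = 0

    def _maybe_reset(self, now):
        # Zero every counter once the current reset window has elapsed.
        if self.reset_period and now - self.window_start >= self.reset_period:
            self.counters.clear()
            self.window_start = now - (now % self.reset_period)

    def used(self, request, now):
        """Seconds counted so far for the key found in this request."""
        self._maybe_reset(now)
        return self.counters.get(request.get(self.key), 0)

    def accounting(self, packet, now):
        """Add count-attribute to the sender's counter on Accounting-Stop."""
        self._maybe_reset(now)
        user = packet.get(self.key)
        value = packet.get(self.count_attribute)
        if packet.get("Acct-Status-Type") != "Stop" or None in (user, value):
            return "noop"
        self.counters[user] = self.counters.get(user, 0) + int(value)
        return "ok"

    def compare(self, request, limit, now):
        """Models a users-file check such as 'Daily-Session-Time > 60'."""
        return self.used(request, now) > limit

    def authorize(self, request, check_items, now):
        """Return (rcode, seconds left); no check-name item means noop."""
        if self.check_name not in check_items:
            return "noop", None
        remaining = check_items[self.check_name] - self.used(request, now)
        return ("reject", 0) if remaining <= 0 else ("ok", remaining)


def demo():
    t0 = 1020902400  # constructed timestamp: 2002-05-09 00:00:00 UTC
    mod = CounterModule()
    a = {"User-Name": "freeradius"}    # user names taken from the users file
    b = {"User-Name": "freeradius2"}
    limit = {"Max-Daily-Session": 60}  # per-user limit set via check-name
    out = {}

    # First login: nothing counted yet, and no check item gives noop,
    # as in the quoted debug output.
    out["first_no_check_item"] = mod.authorize(a, {}, t0)
    out["first_compare"] = mod.compare(a, 60, t0)
    out["first_with_limit"] = mod.authorize(a, limit, t0)

    # Constructed Accounting-Stop: 100 seconds used by "freeradius".
    stop = dict(a, **{"Acct-Status-Type": "Stop", "Acct-Session-Time": 100})
    out["acct_stop"] = mod.accounting(stop, t0 + 100)

    # Counters are kept per key, so only "freeradius" is over quota.
    out["a_over"] = mod.compare(a, 60, t0 + 200)
    out["b_over"] = mod.compare(b, 60, t0 + 200)
    out["a_auth"] = mod.authorize(a, limit, t0 + 200)
    out["b_auth"] = mod.authorize(b, limit, t0 + 200)

    # After the daily reset the counter starts again from zero.
    out["a_next_day"] = mod.authorize(a, limit, t0 + DAY + 5)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
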
DEFAULT Simultaneous-Use := 1
        Fall-Through = 1

DEFAULT RAD-Max-Session-Time := 60
        Fall-Through = 1

DEFAULT RAD-Session-Time > 60, Auth-Type := Reject
        Reply-Message = "You've used up more than one min today",
        Fall-Through = 1

freeradius      Auth-Type := Local, User-Password == "freeradius"
                Service-Type = Framed-User,
                Framed-Protocol = PPP

freeradius2     Auth-Type := Local, User-Password == "freeradius2"
                Service-Type = Framed-User,
                Framed-Protocol = PPP

a               Auth-Type := Local, User-Password == "a"
                Service-Type = Framed-User,
                Framed-Protocol = PPP

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##      http://www.freeradius.org/
##      $Id: radiusd.conf.in,v 1.87 2002/03/14 18:47:06 aland Exp $
##

#       The location of other config files and
#       logfiles are declared in this file
#
#       Also general configuration for modules can be done
#       in this file, it is exported through the API to
#       modules that ask for it.
#
#       The configuration variables defined here are of the form ${foo}
#       They are local to this file, and do not change from request to
#       request.
#
#       The per-request variables are of the form %{Attribute-Name}, and
#       are taken from the values of the attribute in the incoming
#       request.  See 'doc/variables.txt' for more information.

# Stuff from autoconf
prefix = /usr/local/radiusd
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#       ./configure --disable-shared
#       make
#       make install
#
libdir = ${exec_prefix}/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'nobody'.
#
#    On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
#  NOTE that some kernels refuse to setgid(group)
#  when the value of (unsigned)group is above 60000;
#  don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in normal use, it may be
#  because the debugged server is running as a user that can read the shadow
#  info, and the user listed below can not.
#
user = root
group = root

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
#
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 1024

#  bind_address:  Make the server listen on a particular IP address, and
#  send replies out from that address.  This directive is most useful
#  for machines with multiple IP addresses on one interface.
#
#  It can either contain "*", or an IP address, or a fully qualified
#  Internet domain name.  The default is "*"
#
bind_address = *

#  port: Allows you to bind FreeRADIUS to a specific port.
#
#  The default port that most NAS boxes use is 1645, which is historical.
#  RFC 2138 defines 1812 to be the new port.  Many new servers and
#  NAS boxes use 1812, which can create interoperability problems.
#
#  The port is defined here to be 0 so that the server will pick up
#  the machine's local configuration for the radius port, as defined
#  in /etc/services.
#
#  If you want to use the default RADIUS port as defined on your server,
#  (usually through 'grep radius /etc/services') set this to 0 (zero).
#
#  A port given on the command-line via '-p' over-rides this one.
#
port = 0

#  Which program to execute when doing concurrency checks.
checkrad = ${sbindir}/checkrad

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#  The default is 'off' because it'd be overall better for the net if people
#  had to knowingly turn this feature on, since enabling it means that
#  each client request will result in AT LEAST one lookup request to the
#  nameserver.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  allowed values: {no, yes}
#
allow_core_dumps = no

#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.
#
#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.
#
regular_expressions     = yes
extended_expressions    = yes

#  Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no

# usercollide:  Turn "username collision" code on and off.  See the
# "doc/duplicate-users" file
#
usercollide = no

# lower_user / lower_pass:  
# Lowercase the username/password "before" or "after"
# attempting to authenticate.  
#
# If "before", the server will first modify the request
# and then try to auth the user.  If "after", the server
# will first auth using the values provided by the
# user.  If that fails it will reprocess the request
# after modifying it as you specify below.
# 
# This is as close as we can get to case insensitivity.  It is
# the admin's job to ensure that the username on the auth
# db side is *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no

# nospace_user / nospace_pass:
# Some users like to enter spaces in their username or
# password incorrectly.  To save yourself the tech support
# call, you can eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks
#
security {
        #
        #  max_attributes: The maximum number of attributes
        #  permitted in a RADIUS packet.  Packets which have MORE
        #  than this number of attributes in them will be dropped.
        #
        #  If this number is set too low, then no radius packets
        #  will be accepted.
        #
        #  If this number is set too high, then an attacker may be
        #  able to send a small number of packets which will cause
        #  the RADIUS server to use all available memory.
        #
        #  Setting this number to 0 means "allow any number of attributes"
        max_attributes = 200

        #
        #  delayed_reject: When sending an Access-Reject, it can be
        #  delayed for a few seconds.  This may help slow down a DoS
        #  attack.  It also helps to slow down people trying to brute-force
        #  crack a user's password.
        #
        #  Setting this number to 0 means "send rejects immediately"
        #
        #  If this number is set higher than "cleanup_delay", then the
        #  rejects will be sent after 'cleanup_delay'.
        #
        #  Useful ranges: 1 to 5
        reject_delay = 1
}

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = no
#$INCLUDE  ${confdir}/proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".  If you don't
#  use the "clients.conf", you can comment the following.  The use of
#  "clients.conf" is recommended over the old "clients", though both
#  are supported.
#
$INCLUDE  ${confdir}/clients.conf


# SNMP CONFIGURATION
#
#  Snmp configuration is only valid if you enabled SNMP support when
#  you compiled radiusd.
#
$INCLUDE  ${confdir}/snmp.conf


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
        #  Number of servers to start initially --- should be a reasonable
        #  ballpark figure.
        start_servers = 5

        #  Limit on the total number of servers running.
        #
        #  If this limit is ever reached, clients will be LOCKED OUT, so it
        #  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
        #  keep a runaway server from taking the system with it as it spirals
        #  down...
        #
        max_servers = 32

        #  Server-pool size regulation.  Rather than making you guess
        #  how many servers you need, FreeRADIUS dynamically adapts to
        #  the load it sees, that is, it tries to maintain enough
        #  servers to handle the current load, plus a few spare
        #  servers to handle transient load spikes.
        #
        #  It does this by periodically checking how many servers are
        #  waiting for a request.  If there are fewer than
        #  min_spare_servers, it creates a new spare.  If there are
        #  more than max_spare_servers, some of the spares die off.
        #  The default values are probably OK for most sites.
        #
        min_spare_servers = 3
        max_spare_servers = 10

        #  There may be memory leaks or resource allocation problems with
        #  the server.  If so, set this value to 300 or so, so that the
        #  resources will be cleaned up periodically.
        #
        #  This should only be necessary if there are serious bugs in the
        #  server which have not yet been fixed.
        #
        #  '0' is a special value meaning 'infinity', or 'the servers never
        #  exit'
        max_requests_per_server = 0
}

modules {
        pam {
                #
                #  The name to use for PAM authentication.
                #  PAM looks in /etc/pam.d/${pam_auth_name}
                #  for its configuration.  See 'redhat/radiusd-pam'
                #  for a sample PAM configuration file.
                #
                #  Note that any Pam-Auth attribute set in the 'users'
                #  file over-rides this one.
                #
                pam_auth = radiusd
        }
        unix {
                #
                #  Cache /etc/passwd, /etc/shadow, and /etc/group
                #
                #  The default is to cache them.
                #
                #  For FreeBSD, you do NOT want to enable the cache,
                #  as its password lookups are done via a database.
                #
                # allowed values: {no, yes}
                cache = yes

                # Reload the cache every 600 seconds (10mins). 0 to disable.
                cache_reload = 600

                #
                #  Define the locations of the normal passwd, shadow, and
                #  group files.
                #
                #  'shadow' is commented out by default, because not all
                #  systems have shadow passwords.
                #
                #  To force the module to use the system password functions,
                #  instead of reading the files, comment out the 'passwd'
                #  and 'shadow' configuration entries.  This is required
                #  for some systems, like FreeBSD.
                #
                passwd = /etc/passwd
                #       shadow = /etc/shadow
                group = /etc/group


                #
                #  Where the 'wtmp' file is located.
                #  This will be moved to its own module soon..
                #
                radwtmp = ${logdir}/radwtmp
        }

        # EAP module for all EAP related authentications 
        eap {
                # Invoke the default supported EAP type when
                # EAP-Identity response is received
                #   default_eap_type = md5

                # Default expiry time to clean the EAP list,
                # It is maintained to co-relate the
                # EAP-response for each EAP-request sent.
                #   timer_expire     = 60

                # Supported EAP-types
                md5 {
                }

                ## FIXME: EAP-TLS is highly experimental EAP-Type at the moment.  
                #       Please give feedback.
                #tls {
                #       private_key_password = password
                #       private_key_file = /path/filename

                #       Sometimes Private key & Certificate are located
                #       in the same file, then private_key_file & certificate_file
                #       must contain the same file name.
                #       certificate_file = /path/filename

                #       Trusted Root CA list
                #       CA_file = /path/filename

                #       dh_file = /path/filename
                #       random_file = /path/filename
                #
                #       This can never exceed MAX_RADIUS_LEN (4096)
                #       preferably half the MAX_RADIUS_LEN, to
                #       accommodate other attributes in RADIUS packet.
                #       On most APs the MAX packet length is configured
                #       between 1500 - 1600. In these cases, fragment
                #       size should be <= 1024.
                #       fragment_size = 1024
                #
                #       include_length is a flag which is by default set to yes
                #       If set to yes, Total Length of the message is included
                #       in EVERY packet we send.
                #       If set to no, Total Length of the message is included
                #       ONLY in the First packet of a fragment series.
                #       include_length = yes
                #}
        }

        #  This module supports SAMBA passwd file authorization
        #  and MS-CHAP, MS-CHAPv2 authentication
        mschap {
                # if given passwd shows location of
                # SAMBA passwd file
                #       passwd = /etc/smbpasswd

                # authtype value, if present, will be used
                # to overwrite (or add) Auth-Type during
                # authorization. Normally should be MS-CHAP
                authtype = MS-CHAP
                
                # if ignore_password set to yes mschap will
                # ignore password set by any other module during
                # authorization and will always use password file
                #       ignore_password = yes  

                # if use_mppe is not set to no mschap will
                # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
                # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
                #       use_mppe = no

                # if mppe is enabled require_encryption makes
                # encryption moderate
                #       require_encryption = yes

                # require_strong always requires 128 bit key
                # encryption
                #       require_strong = yes
        }

        # PAP module to authenticate users based on their stored password
        # Supports multiple encryption schemes
        # clear: Clear text
        # crypt: Unix crypt
        #   md5: MD5 encryption
        #  sha1: SHA1 encryption. Not yet implemented
        # DEFAULT: crypt
        #pap {
        #       encryption_scheme = crypt
        #}

        #  This module definition allows you to use LDAP for
        #  authorization and authentication (Auth-Type = LDAP)
        #  See doc/rlm_ldap for description of configuration options 
        #  and sample authorize{} and authenticate{} blocks 
        ldap {
                server = "ldap.your.domain"
                # identity = "cn=admin,o=My Org,c=UA"
                # password = mypass
                basedn = "o=My Org,c=UA"
                # authtype = "MS-CHAP"
                filter = "(uid=%u)"
                start_tls = no
                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                # ldap_cache_timeout = 120
                # ldap_cache_size = 0
                ldap_connections_number = 5
                # password_header = "{clear}"
                # password_attribute = userPassword
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

        #  You can have multiple instances of the realm module to
        #  support multiple realm syntaxes at the same time.  The
        #  search order is defined by the order in the authorize and
        #  preacct blocks after the module config block.
        #
        #  Two config options:
        #       format     -  must be 'prefix' or 'suffix'
        #       delimiter  -  must be a single character
        #
        #  'username@realm'
        #
        realm suffix {
                format = suffix
                delimiter = "@"
        }

        #  'realm/username'
        #
        #  Using this entry, IPASS users have their realm set to "IPASS".
        realm realmslash {
                format = prefix
                delimiter = "/"
        }

        #  'username%realm'
        realm realmpercent {
                format = suffix
                delimiter = "%"
        }
        
        #  rewrite arbitrary packets.  Useful in accounting and authorization.
        ## FIXME:  This is highly experimental at the moment.  Please give 
        ## feedback.
        #attr_rewrite sanecallerid {
        #       attribute = Called-Station-Id
                # may be "packet", "reply", or "config"
        #       searchin = packet
        #       searchfor = "[+ ]"
        #       replacewith = ""
        #       ignore_case = no
        #       max_matches = 10
        #}

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints

                # This hack changes Ascend's weird port numberings
                # to standard 0-??? port numbers so that the "+" works
                # for IP address assignments.
                with_ascend_hack = no
                ascend_channels_per_line = 23

                # Windows NT machines often authenticate themselves as
                # NT_DOMAIN\username
                #
                # If this is set to 'yes', then the NT_DOMAIN portion
                # of the user-name is silently discarded.
                with_ntdomain_hack = no

                # Specialix Jetstream 8500 24 port access server.
                #
                # If the user name is 10 characters or longer, a "/"
                # and the excess characters after the 10th are
                # appended to the user name.
                #
                # If you're not running that NAS, you don't need
                # this hack.
                with_specialix_jetstream_hack = no

                # Cisco sends its VSA attributes with the attribute
                # name *again* in the string, like:
                #
                #   H323-Attribute = "h323-attribute=value".
                #
                # If this configuration item is set to 'yes', then
                # the redundant data in the attribute text is stripped
                # out.  The result is:
                #
                #  H323-Attribute = "value"
                #
                # If you're not running a Cisco NAS, you don't need
                # this hack.
                with_cisco_vsa_hack = no
        }

        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users

                #  If you want to use the old Cistron 'users' file
                #  with FreeRADIUS, you should change the next line
                #  to 'compat = cistron'.  You can then copy your 'users'
                #  file from Cistron.
                compat = no
        }

        # See README.rlm_fastusers before using this
        # module or changing these values.
        fastusers {
                usersfile = ${confdir}/users_fast
                hashsize = 1000
                compat = no
                # Reload the hash every 600 seconds (10mins)
                hash_reload = 600
        }
        
        detail {
                #  Note that we do NOT use NAS-IP-Address here, as that
                #  attribute MAY BE from the originating NAS, and NOT
                #  from the proxy which actually sent us the request.
                #  The Client-IP-Address attribute is ALWAYS the address
                #  of the client which sent us the request.
                #
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail
                detailperm = 0600
        }

        # This module will add a (probably) unique session id 
        # to an accounting packet based on the attributes listed
        # below found in the packet.  see doc/README.rlm_acct_unique
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
        }


        # Include another file that has SQL-related stuff in it.  
        # This is another file solely because it tends to be big.
        $INCLUDE  ${confdir}/sql.conf


        radutmp {
                filename = ${logdir}/radutmp
                perm = 0600
                callerid = "yes"
        }

        # "Safe" radutmp - does not contain caller ID, so it can be
        # world-readable, and radwho can work for normal users, without
        # exposing any information that isn't already exposed by who(1).
        #
        # This is another instance of the radutmp module, but it is given
        # the name "sradutmp" to identify it later in the "accounting"
        # section.
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }

        # attr_filter - filters the attributes received in replies from
        # proxied servers, to make sure we send back to our RADIUS client
        # only allowed attributes.
        attr_filter {
                attrsfile = ${confdir}/attrs
        }

        #  This module takes an attribute (count-attribute), which MUST
        #  be an 'integer' or 'time' attribute.  It also takes a key,
        #  and creates a counter for each unique key.  The count is
        #  incremented when accounting packets are received by the
        #  server.  The value of the increment is the value of the
        #  count-attribute.
        #
        #  The 'reset' parameter defines when the counters are all reset to
        #  zero.  It can be hourly, daily, weekly, monthly or never.
        #  It can also be user defined. It should be of the form:
        #  num[hdwm] where:
        #  h: hours, d: days, w: weeks, m: months
        #  If the letter is omitted, days will be assumed. For example:
        #  reset = 10h (reset every 10 hours)
        #  reset = 12  (reset every 12 days)
        #
        #  The counter-name is the name of the attribute in the 'users'
        #  file used to access that counter.  e.g.
        #
        #  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
        #      Reply-Message = "You've used up more than one hour today"
        counter {
                filename = ${raddbdir}/db.counter
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = never
                counter-name = RAD-Session-Time
                check-name = RAD-Max-Session-Time
                allowed-servicetype = Framed-User
                cache-size = 5000
        }

        # The "always" module is here for debugging purposes. Each instance simply
        # returns the same result, always, without doing anything.
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

        # ANSI X9.9 token support.  Not included by default.
        # $INCLUDE  ${confdir}/x99.conf


        # Configuration for the Python module.  EXPERIMENTAL!
        #
        # Where radiusd is a Python module, radiusd.py, and the
        # function 'authorize' is called.  Here is a dummy piece
        # of code:
        # 
        #       def authorize(params):
        #           print params
        #           return (5, ('Reply-Message', 'banned'))
        #
        # The RADIUS value-pairs are passed as a tuple of tuple
        # pairs as the first argument, e.g. (('attribute1',
        # 'value1'), ('attribute2', 'value2'))
        #
        # The function return is a tuple with the first element
        # being the return value of the function.
        # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
        # write the return values as Python symbols to avoid
        # confusion.
        #
        # The remaining tuple members are the string form of
        # value-pairs which are passed on to pairmake().
        #
        python {
                mod_authorize = radiusd
                func_authorize = authorize
        }

        
        # Configuration for the example module.  Uncommenting it will cause it
        # to get loaded and initialized, but should have no real effect as long
        # as it is not referenced in one of the autz/auth/preacct/acct sections
        example {
                #  Boolean variable.
                # allowed values: {no, yes}
                boolean = yes

                #  An integer, of any value.
                integer = 16

                #  A string.
                string = "This is an example configuration string"

                # An IP address, either in dotted quad (1.2.3.4) or hostname
                # (example.com)
                ipaddr = 127.0.0.1

                # A subsection
                mysubsection {
                        anotherinteger = 1000
                        # They nest
                        deeply nested {
                                string = "This is a different string"
                        }
                }
        }

}



# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
# The order of the realm modules will determine the order that
# we try to find a matching realm.
# Make *sure* that 'preprocess' comes before any realm if you 
# need to setup hints for the remote radius server
authorize {
        preprocess
#       counter
#       attr_filter
#       eap
        suffix
        files
#       mschap
}


# Authentication.
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'.  It means
# that you have to have a module from the 'authorize' section add
# a configuration attribute 'Auth-Type := FOO'.  That authentication type
# is then used to pick the appropriate module from the list below.
authenticate {
#       pam
#       unix
#       ldap
#       mschap
#       eap
}


# Pre-accounting. Look for proxy realm in order of realms, then 
# acct_users file, then preprocess (hints file).
preacct {
        suffix
        files
        preprocess
}


# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
        acct_unique
        detail
        counter
#       unix
        radutmp
#       sradutmp
}


# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
        radutmp
}
rad_recv: Access-Request packet from host 202.14.68.50:1131, id=56, length=112
Thread 4 assigned request 11
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/3/2
Thread 4 handling request 11, (2 handled so far)
Threads: Spawning 1 spares
        User-Name = "freeradius2"
        User-Password = "\304R\003\206\310\255 v\3751\207P"
        NAS-IP-Address = 202.14.68.50
        Thread 6 waiting to be assigned a request
Thread spawned new child 6. Total threads in pool: 6
Sending Access-Reject of id 54 to 202.14.68.50:1131
Cleaning up request 6 ID 54 with timestamp 3ce36d89
WARNING: Unresponsive child (id 3076) for request 10
Server rejecting request 10.
Nothing to do.  Sleeping until we see a request.
NAS-Port = 20115
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        State = 0x
        Calling-Station-Id = "21587600"
        Called-Station-Id = "34234416"
        Acct-Session-Id = "377173438"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
    users: Matched DEFAULT at 1
    users: Matched DEFAULT at 4
    users: Matched DEFAULT at 7
    users: Matched freeradius2 at 15
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
modcall: entering group session
radius_xlat:  'freeradius2'
  modcall[session]: module "radutmp" returns ok
modcall: group session returns ok
radius_xlat:  'You've used up more than one min today'
Sending Access-Accept of id 56 to 202.14.68.50:1131
        Reply-Message = "You've used up more than one hour today"
        Service-Type = Framed-User
        Framed-Protocol = PPP
Finished request 11
Going to the next request

#
# Updated 07-Nov-1998 to RFC 2138 and RFC 2139
#
# Version $Id: dictionary,v 1.38 2002/03/04 21:14:44 aland Exp $
#
#       This file contains dictionary translations for parsing
#       requests and generating responses.  All transactions are
#       composed of Attribute/Value Pairs.  The value of each attribute
#       is specified as one of 4 data types.  Valid data types are:
#
#       string  - 0-253 octets
#       ipaddr  - 4 octets in network byte order
#       integer - 32 bit value in big endian order (high byte first)
#       date    - 32 bit value in big endian order - seconds since
#                                       00:00:00 GMT,  Jan.  1,  1970
#
#       FreeRADIUS includes extended data types which are not defined
#       in RFC 2138 or RFC 2139.  These data types are:
#
#       abinary - Ascend's binary filter format.
#       octets  - raw octets, printed and input as hex strings.
#                 e.g.: 0x123456789abcdef
#
#
#       Enumerated values are stored in the user file with dictionary
#       VALUE translations for easy administration.
#
#       Example:
#
#       ATTRIBUTE         VALUE
#       ---------------   -----
#       Framed-Protocol = PPP
#       7               = 1     (integer encoding)
#

#
#       Include compatibility dictionary for older users file. Move this
#       directive to the end of the file if you want to see the old names
#       in the logfiles too.
#
$INCLUDE dictionary.compat      # compatibility issues
$INCLUDE dictionary.acc
$INCLUDE dictionary.ascend
$INCLUDE dictionary.bay
$INCLUDE dictionary.cisco
$INCLUDE dictionary.livingston
$INCLUDE dictionary.microsoft
$INCLUDE dictionary.quintum
$INCLUDE dictionary.redback
$INCLUDE dictionary.shasta
$INCLUDE dictionary.shiva
$INCLUDE dictionary.tunnel
$INCLUDE dictionary.usr
$INCLUDE dictionary.versanet
$INCLUDE dictionary.erx

#
#       Following are the proper new names. Use these.
#
ATTRIBUTE       User-Name               1       string
ATTRIBUTE       User-Password           2       string
ATTRIBUTE       CHAP-Password           3       octets
ATTRIBUTE       NAS-IP-Address          4       ipaddr
ATTRIBUTE       NAS-Port                5       integer
ATTRIBUTE       Service-Type            6       integer
ATTRIBUTE       Framed-Protocol         7       integer
ATTRIBUTE       Framed-IP-Address       8       ipaddr
ATTRIBUTE       Framed-IP-Netmask       9       ipaddr
ATTRIBUTE       Framed-Routing          10      integer
ATTRIBUTE       Filter-Id               11      string
ATTRIBUTE       Framed-MTU              12      integer
ATTRIBUTE       Framed-Compression      13      integer
ATTRIBUTE       Login-IP-Host           14      ipaddr
ATTRIBUTE       Login-Service           15      integer
ATTRIBUTE       Login-TCP-Port          16      integer
ATTRIBUTE       Reply-Message           18      string
ATTRIBUTE       Callback-Number         19      string
ATTRIBUTE       Callback-Id             20      string
ATTRIBUTE       Framed-Route            22      string
ATTRIBUTE       Framed-IPX-Network      23      ipaddr
ATTRIBUTE       State                   24      octets
ATTRIBUTE       Class                   25      octets
ATTRIBUTE       Vendor-Specific         26      octets
ATTRIBUTE       Session-Timeout         27      integer
ATTRIBUTE       Idle-Timeout            28      integer
ATTRIBUTE       Termination-Action      29      integer
ATTRIBUTE       Called-Station-Id       30      string
ATTRIBUTE       Calling-Station-Id      31      string
ATTRIBUTE       NAS-Identifier          32      string
ATTRIBUTE       Proxy-State             33      octets
ATTRIBUTE       Login-LAT-Service       34      string
ATTRIBUTE       Login-LAT-Node          35      string
ATTRIBUTE       Login-LAT-Group         36      octets
ATTRIBUTE       Framed-AppleTalk-Link   37      integer
ATTRIBUTE       Framed-AppleTalk-Network 38     integer
ATTRIBUTE       Framed-AppleTalk-Zone   39      string

ATTRIBUTE       Acct-Status-Type        40      integer
ATTRIBUTE       Acct-Delay-Time         41      integer
ATTRIBUTE       Acct-Input-Octets       42      integer
ATTRIBUTE       Acct-Output-Octets      43      integer
ATTRIBUTE       Acct-Session-Id         44      string
ATTRIBUTE       Acct-Authentic          45      integer
ATTRIBUTE       Acct-Session-Time       46      integer
ATTRIBUTE       Acct-Input-Packets      47      integer
ATTRIBUTE       Acct-Output-Packets     48      integer
ATTRIBUTE       Acct-Terminate-Cause    49      integer
ATTRIBUTE       Acct-Multi-Session-Id   50      string
ATTRIBUTE       Acct-Link-Count         51      integer
ATTRIBUTE       Acct-Input-Gigawords    52      integer
ATTRIBUTE       Acct-Output-Gigawords   53      integer
ATTRIBUTE       Event-Timestamp         55      date

ATTRIBUTE       CHAP-Challenge          60      string
ATTRIBUTE       NAS-Port-Type           61      integer
ATTRIBUTE       Port-Limit              62      integer
ATTRIBUTE       Login-LAT-Port          63      integer

ATTRIBUTE       Acct-Tunnel-Connection  68      string

ATTRIBUTE       ARAP-Password           70      string
ATTRIBUTE       ARAP-Features           71      string
ATTRIBUTE       ARAP-Zone-Access        72      integer
ATTRIBUTE       ARAP-Security           73      integer
ATTRIBUTE       ARAP-Security-Data      74      string
ATTRIBUTE       Password-Retry          75      integer
ATTRIBUTE       Prompt                  76      integer
ATTRIBUTE       Connect-Info            77      string
ATTRIBUTE       Configuration-Token     78      string
ATTRIBUTE       EAP-Message             79      string
ATTRIBUTE       Message-Authenticator   80      octets
ATTRIBUTE       ARAP-Challenge-Response 84      string  # 10 octets
ATTRIBUTE       Acct-Interim-Interval   85      integer
ATTRIBUTE       NAS-Port-Id             87      string
ATTRIBUTE       Framed-Pool             88      string
ATTRIBUTE       RAD-Session-Time        89      integer
ATTRIBUTE       RAD-Max-Session-Time    90      integer
ATTRIBUTE       NAS-IPv6-Address        95      octets  # really IPv6
ATTRIBUTE       Framed-Interface-Id     96      octets  # 8 octets
ATTRIBUTE       Framed-IPv6-Prefix      97      octets  # stupid format
ATTRIBUTE       Login-IPv6-Host         98      octets  # really IPv6
ATTRIBUTE       Framed-IPv6-Route       99      string
ATTRIBUTE       Framed-IPv6-Pool        100     string

#
#       Experimental Non Protocol Attributes used by Cistron-Radiusd
#

#       These attributes CAN go in the reply item list.
ATTRIBUTE       Fall-Through            500     integer
ATTRIBUTE       Exec-Program            502     string
ATTRIBUTE       Exec-Program-Wait       503     string

#       These attributes CANNOT go in the reply item list.
ATTRIBUTE       User-Category           1029    string
ATTRIBUTE       Group-Name              1030    string
ATTRIBUTE       Huntgroup-Name          1031    string
ATTRIBUTE       Simultaneous-Use        1034    integer
ATTRIBUTE       Strip-User-Name         1035    integer
ATTRIBUTE       Hint                    1040    string
ATTRIBUTE       Pam-Auth                1041    string
ATTRIBUTE       Login-Time              1042    string
ATTRIBUTE       Stripped-User-Name      1043    string
ATTRIBUTE       Current-Time            1044    string
ATTRIBUTE       Realm                   1045    string
ATTRIBUTE       No-Such-Attribute       1046    string
ATTRIBUTE       Packet-Type             1047    integer
ATTRIBUTE       Proxy-To-Realm          1048    string
ATTRIBUTE       Replicate-To-Realm      1049    string
ATTRIBUTE       Acct-Session-Start-Time 1050    date
ATTRIBUTE       Acct-Unique-Session-Id  1051    string
ATTRIBUTE       Client-IP-Address       1052    ipaddr
ATTRIBUTE       Ldap-UserDn             1053    string
ATTRIBUTE       NS-MTA-MD5-Password     1054    string
ATTRIBUTE       SQL-User-Name    1055   string
ATTRIBUTE       Module-Message          1056    string
ATTRIBUTE       LM-Password             1057    octets
ATTRIBUTE       NT-Password             1058    octets
ATTRIBUTE       SMB-Account-CTRL        1059    integer
ATTRIBUTE       SMB-Account-CTRL-TEXT   1061    string
ATTRIBUTE       User-Profile            1062    string


#
#       Non-Protocol Attributes
#       These attributes are used internally by the server
#
ATTRIBUTE       Auth-Type               1000    integer
ATTRIBUTE       Menu                    1001    string
ATTRIBUTE       Termination-Menu        1002    string
ATTRIBUTE       Prefix                  1003    string
ATTRIBUTE       Suffix                  1004    string
ATTRIBUTE       Group                   1005    string
ATTRIBUTE       Crypt-Password          1006    string
ATTRIBUTE       Connect-Rate            1007    integer
ATTRIBUTE       Add-Prefix              1008    string
ATTRIBUTE       Add-Suffix              1009    string
ATTRIBUTE       Expiration              1010    date
ATTRIBUTE       Autz-Type               1011    integer

#
#       Integer Translations
#

#       User Types

VALUE           Service-Type            Login-User              1
VALUE           Service-Type            Framed-User             2
VALUE           Service-Type            Callback-Login-User     3
VALUE           Service-Type            Callback-Framed-User    4
VALUE           Service-Type            Outbound-User           5
VALUE           Service-Type            Administrative-User     6
VALUE           Service-Type            NAS-Prompt-User         7
VALUE           Service-Type            Authenticate-Only       8
VALUE           Service-Type            Callback-NAS-Prompt     9
VALUE           Service-Type            Call-Check              10
VALUE           Service-Type            Callback-Administrative 11

#       Framed Protocols

VALUE           Framed-Protocol         PPP                     1
VALUE           Framed-Protocol         SLIP                    2
VALUE           Framed-Protocol         ARAP                    3
VALUE           Framed-Protocol         Gandalf-SLML            4
VALUE           Framed-Protocol         Xylogics-IPX-SLIP       5
VALUE           Framed-Protocol         X.75-Synchronous        6

#       Framed Routing Values

VALUE           Framed-Routing          None                    0
VALUE           Framed-Routing          Broadcast               1
VALUE           Framed-Routing          Listen                  2
VALUE           Framed-Routing          Broadcast-Listen        3

#       Framed Compression Types

VALUE           Framed-Compression      None                    0
VALUE           Framed-Compression      Van-Jacobson-TCP-IP     1
VALUE           Framed-Compression      IPX-Header-Compression  2
VALUE           Framed-Compression      Stac-LZS                3

#       Login Services

VALUE           Login-Service           Telnet                  0
VALUE           Login-Service           Rlogin                  1
VALUE           Login-Service           TCP-Clear               2
VALUE           Login-Service           PortMaster              3
VALUE           Login-Service           LAT                     4
VALUE           Login-Service           X25-PAD                 5
VALUE           Login-Service           X25-T3POS               6
VALUE           Login-Service           TCP-Clear-Quiet         7

#       Login-TCP-Port          (see /etc/services for more examples)

VALUE           Login-TCP-Port          Telnet                  23
VALUE           Login-TCP-Port          Rlogin                  513
VALUE           Login-TCP-Port          Rsh                     514

#       Status Types

VALUE           Acct-Status-Type        Start                   1
VALUE           Acct-Status-Type        Stop                    2
VALUE           Acct-Status-Type        Interim-Update          3
VALUE           Acct-Status-Type        Alive                   3
VALUE           Acct-Status-Type        Accounting-On           7
VALUE           Acct-Status-Type        Accounting-Off          8
#       RFC 2867 Additional Status-Type Values
VALUE           Acct-Status-Type        Tunnel-Start            9
VALUE           Acct-Status-Type        Tunnel-Stop             10
VALUE           Acct-Status-Type        Tunnel-Reject           11
VALUE           Acct-Status-Type        Tunnel-Link-Start       12
VALUE           Acct-Status-Type        Tunnel-Link-Stop        13
VALUE           Acct-Status-Type        Tunnel-Link-Reject      14

#       Authentication Types

VALUE           Acct-Authentic          RADIUS                  1
VALUE           Acct-Authentic          Local                   2

#       Termination Options

VALUE           Termination-Action      Default                 0
VALUE           Termination-Action      RADIUS-Request          1

#       NAS Port Types

VALUE           NAS-Port-Type           Async                   0
VALUE           NAS-Port-Type           Sync                    1
VALUE           NAS-Port-Type           ISDN                    2
VALUE           NAS-Port-Type           ISDN-V120               3
VALUE           NAS-Port-Type           ISDN-V110               4
VALUE           NAS-Port-Type           Virtual                 5
VALUE           NAS-Port-Type           PIAFS                   6
VALUE           NAS-Port-Type           HDLC-Clear-Channel      7
VALUE           NAS-Port-Type           X.25                    8
VALUE           NAS-Port-Type           X.75                    9
VALUE           NAS-Port-Type           G.3-Fax                 10
VALUE           NAS-Port-Type           SDSL                    11
VALUE           NAS-Port-Type           ADSL-CAP                12
VALUE           NAS-Port-Type           ADSL-DMT                13
VALUE           NAS-Port-Type           IDSL                    14
VALUE           NAS-Port-Type           Ethernet                15
VALUE           NAS-Port-Type           xDSL                    16
VALUE           NAS-Port-Type           Cable                   17
VALUE           NAS-Port-Type           Wireless-Other          18
VALUE           NAS-Port-Type           Wireless-802.11         19

#       Acct Terminate Causes, available in 3.3.2 and later

VALUE           Acct-Terminate-Cause    User-Request            1
VALUE           Acct-Terminate-Cause    Lost-Carrier            2
VALUE           Acct-Terminate-Cause    Lost-Service            3
VALUE           Acct-Terminate-Cause    Idle-Timeout            4
VALUE           Acct-Terminate-Cause    Session-Timeout         5
VALUE           Acct-Terminate-Cause    Admin-Reset             6
VALUE           Acct-Terminate-Cause    Admin-Reboot            7
VALUE           Acct-Terminate-Cause    Port-Error              8
VALUE           Acct-Terminate-Cause    NAS-Error               9
VALUE           Acct-Terminate-Cause    NAS-Request             10
VALUE           Acct-Terminate-Cause    NAS-Reboot              11
VALUE           Acct-Terminate-Cause    Port-Unneeded           12
VALUE           Acct-Terminate-Cause    Port-Preempted          13
VALUE           Acct-Terminate-Cause    Port-Suspended          14
VALUE           Acct-Terminate-Cause    Service-Unavailable     15
VALUE           Acct-Terminate-Cause    Callback                16
VALUE           Acct-Terminate-Cause    User-Error              17
VALUE           Acct-Terminate-Cause    Host-Request            18

#VALUE          Tunnel-Type             L2TP                    3
#VALUE          Tunnel-Medium-Type      IP                      1

VALUE           Prompt                  No-Echo                 0
VALUE           Prompt                  Echo                    1

#
#       Non-Protocol Integer Translations
#

VALUE           Auth-Type               Local                   0
VALUE           Auth-Type               System                  1
VALUE           Auth-Type               SecurID                 2
VALUE           Auth-Type               Crypt-Local             3
VALUE           Auth-Type               Reject                  4
VALUE           Auth-Type               ActivCard               5

VALUE           Autz-Type               Local                   0

#
#       Cistron extensions
#
VALUE           Auth-Type               EAP                     6
VALUE           Auth-Type               ARAP                    7
VALUE           Auth-Type               Ldap                    252
VALUE           Auth-Type               Pam                     253
VALUE           Auth-Type               Accept                  254

#
#       Experimental Non-Protocol Integer Translations for Cistron-Radiusd
#
VALUE           Fall-Through            No                      0
VALUE           Fall-Through            Yes                     1

VALUE           Packet-Type     Access-Request                  1
VALUE           Packet-Type     Access-Accept                   2
VALUE           Packet-Type     Access-Reject                   3
VALUE           Packet-Type     Accounting-Request              4
VALUE           Packet-Type     Accounting-Response             5
VALUE           Packet-Type     Accounting-Status               6
VALUE           Packet-Type     Password-Request                7
VALUE           Packet-Type     Password-Accept                 8
VALUE           Packet-Type     Password-Reject                 9
VALUE           Packet-Type     Accounting-Message              10
VALUE           Packet-Type     Access-Challenge                11
VALUE           Packet-Type     Status-Server                   12
VALUE           Packet-Type     Status-Client                   13
