You may need to tweak a few things to match your install.
Joel
----- Original Message ----- From: "Eric Gregory" <[EMAIL PROTECTED]>
To: <freeradius-users@lists.freeradius.org>
Sent: Saturday, January 22, 2005 2:47 PM
Subject: Re: Dialupadmin port number
Dialup Admin HOWTO ------------------You need to be running a seperate webserver which serves the dial-up admin pages, set the web server to whatever port you like
Eric On Saturday 22 January 2005 21:44, Ed Engelking II wrote:I'm new to FreeRadius. I've recently setup a FreeRadius server, noting that ports 1645, 1812, and 1813 were in use. Based on the information that I've read thus far, dialupadmin is included with FreeRadius, but I'm stumped on how to access the Web interface. I've directed the Web browser at all the listed ports above to no success.
I've googled for the port number, and have gone over the FAQ and installation information several times to determine if I've missed anything. Am I just overlooking something very obvious?
Any help on this matter would be greately appreciated.
--Ed
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Version 0.1 Sun Oct 26 04:03:00 EET 2003
1. Installation 1.1 Obtaining Dialup Admin 1.2 Prerequisities 1.3 Installing & System Configuration 1.3.1 Unpacking & Installation 1.3.2 Apache Configuration 1.3.2.1 Enabling PHP Support On Apache 1.3.2.2 Creating a more secure web interface 1.3.3 Creating the mySQL Tables
2. Configuration
2.1 Configuration Options
2.1.1 General Options 2.1.2 Realms Options
2.1.3 LDAP/SQL Options
2.1.4 NAS Quering
2.1.5 Test Variables
2.1.6 Encryption Methods
2.1.7 NAS Informations
2.1.8 LDAP Options
2.1.9 SQL Options
2.1.10 Limits Timers
2.1.11 Various Options
2.2 The bin/ scripts
2.2.1 The snmpfinger script
2.2.2 The log_badlogins script
2.2.3 The clean_radacct script
2.2.4 The truncate_radacct script
2.2.5 The tot_stats script
2.2.6 The monthly_tot_stats script
2.3 User Attributes
2.4 Finishing Off
3. Troubleshooting
3.1 When I try to access some page I see the php code instead of html
3.2 When an attribute contains double (") or single (') quotes something goes wrong
3.3 Even though I have uncommented Dialup-Access in user_edits.attrs,
when editing a user, that field is not available...
3.4 Why do the personal information fields show multiple entries for attributes like name, department, etc in the user_admin page?
3.5 After I make a few changes in one of the configuration files things only work like they worked before
3.6 It is still not working
4. HOWTO Information
1. Installation ---------------
This section will take you step by step to create system suitable for dialup admin to run properly.
[1.1] Obtaining Dialup Admin
There are three ways to obtain the dialup admin package.
Either download the latest FreeRadius package which most likely contains
the latest dialup admin available. The FreeRadius Package can be obtained through ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.2.tar.gz which is the current FreeRadius package at the time of writting.
Dialup Admin has it's own web page hosted at Sourceforge at http://sourceforge.net/projects/dialup-admin/
Though that page is not updated very often. The primary store for dialupadmin
is the freeradius CVS tree so the latest version will always be contained there
Finally one could get the cvs version of Dialup Admin by issuing the following commands:
shell> cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin login
* When prompted for a password simply press the Enter Key
shell> cvs -z3 -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin co dialup_admin
[1.2] Prerequisities
Dialup Admin requires the following in order to have full functionality: o PHP Obtained at: http://www.php.net o Date::Manip Perl Module Obtained at: http://www.cise.ufl.edu/~sbeck/
[1.3] Installing & System Configuration
At this point we presume that either you have successfully installed PHP and Date::Manip Perl Module or that your distribution has came with both of them precompiled and already installed.
[1.3.1] Unpacking and installation
In order to install the dialup admin first of all the package must be uncompressed presuming that we have it in a .tar.gz format and be placed
at a certain directory at the system (Could be anything, we use /usr/local/dialup_admin)
shell> tar xfvz dialup_admin-X.XX.tar.gz shell> mv dialup_admin /usr/local
The dialup admin contains a number of directories necessary for the program to operate. Let's concentrate on the htdocs directory. This directory
contains the php scripts needed. In order to have it accessable through
our web server we must set a symbolic link between the two locations. We presume that the DefaultRoot of the Apache Web Server is /var/www/htdocs
shell> ln -s /usr/local/dialup_admin/htdocs /var/www/htdocs/dialup
[1.3.2] Apache Configuration
[1.3.2.1] Enabling PHP Support on Apache
Apache must be configured to execute PHP scripts. In order to do so locate the httpd.conf file (for Slackware Linux this is /etc/apache). We must
enter the following lines inside the httpd.conf
LoadModule php4_module libexec/libphp4.so AddModule mod_php4.c AddType application/x-httpd-php .php AddType application/x-httpd-php .php3 # This is most important since many of the PHP scripts of Dialup Admin have this extension
[1.3.2.2] Creating a more secure web interface.
Since dialup admin does not come with any kind of administrators authorisation
of its own it would be safe to protect this ourselves.
Add the following to your httpd.conf file:
<Directory /var/www/htdocs/dialup> AuthName "Restricted Area" AuthType Basic AuthUserFile /var/www/.htpasswd require valid-user </Directory>
Changing of course the directory path to match yours as well as the AuthUserFile argument to point to the place where the usernames/passwords are stored.
In order to create the htpasswd file the htpasswd utility is required (It is provided with the apache web server)
Let's create our first user:
shell> htpasswd -c /var/www/.htpasswd -m administrator password
Note: The -c argument should not be used from that point on since it creates a new password file.
On the next restart of apache the dialup/ directory is only accessable by a username/password verification which in our case is administrator:password
The HTTP authentication we have just configured can be used by dialupadmin when connecting to the ldap and sql databases (see sections on sql and ldap options).
At this point when we connect to the url http://localhost/dialup we should see the Dialup Admin pages
[1.3.3] Creating the mySQL tables
In order to have dialup admin work to the maximum you should create a few tables in your mySQL. We assume at this point you have a fair ammount of mySQL
knowledge and have a mySQL running somewhere on your network.
First of all you should create a database for all the tables to be stored into it. We will call this radius.
shell> mysql -h mysql.host.com -u username -p
mysql> CREATE DATABASE radius; mysql> exit
This step is only necessary if you haven't already created a corresponding database for the freeradius server.
At dialup_admin/sql there are four files containg the SQL command to create the required tables. This is done as follows:
shell> mysql -h mysql.host.com -u username -p radius < badusers.sql shell> mysql -h mysql.host.com -u username -p radius < mtotacct.sql shell> mysql -h mysql.host.com -u username -p radius < totacct.sql shell> mysql -h mysql.host.com -u username -p radius < userinfo.sql
The userinfo table though is only needed if you want to keep your user database in sql. If you keep your users in ldap then it's not needed.
NOTE: Remember we named our database "radius". Have you named it somewhat different replace the "radius" argument on the above commands with the name you used
2. Configuration ----------------
This is the most important part of this document since the configuration must match your needs. The configuration file is located at dialup_admin/conf/admin.conf
[2.1] Configuration Options
A few variables must be set to the correct values in order for dialup admin
to work.
[2.1.1] General Options
General configuration options
general_base_dir: /usr/local/dialup_admin
This is the location where we have installed dialup admin. Refer to section 1.3.1 for more information
general_radiusd_base_dir: /usr/local/bin
This is the location where the radiusd binary and various radius related programs resides. Check where FreeRadius has been installed
general_domain: domain.gr
Set the domain name of your network.
[2.1.2] Realms Options
For more informations on realms consult the documentations provided with FreeRadius under the doc/ directory
general_strip_realms : yes
Should Dialup Admin strip the realm from the username when displaying this? Values: Yes / No (Default Yes)
general_realm_delimiter: @
The delimiter used in realms. Default is @
general_realm_format: suffix
The format of the realms. Can be either suffix (realm is after the username) or prefix (realm is before the username). Default is suffix
[2.1.3] LDAP/SQL Options
Options that specifies the way dialup admin handles users. SQL or LDAP
general_lib_type: sql
This can have as values either ldap or sql.
For the following values there shouldn't be any need for changes
general_ldap_attrmap: /etc/raddb/ldap.attrmap general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs general_default_file: %{general_base_dir}/conf/default.vals
[2.1.4] NAS Quering
In general the nas quering provides the dialup admin with information regarding the Online Users.
general_finger_type: snmp
What should be the default quering method of the nas. It can be 'snmp' (for snmpfinger) or empty to query the radacct table without first querying the nas
general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
This probably does not need to be changed For now snmpfinger will only work with Cisco equipment.
general_radclient_bin: /usr/local/bin/radclient
Must point to the radclient binary
general_nas_type: cisco
Defines the nas type. This is only used by snmpfinger cisco and lucent are supported for now
[2.1.5] Test Variables
The following variables which are self explained are being used while the
"Check Server" button is being pressed to verify that the radius server is working. The username and password must be of a valid dialup account
general_test_account_login: dummy general_test_account_password: dummy_password
general_radius_server: localhost
The hostname where the FreeRadius Server runs
general_radius_server_port: 1645
The port that FreeRadius uses on the hostname
general_radius_server_auth_proto: chap
The method of connecting. Could be either 'chap' or 'pap'
general_radius_server_secret: secret_password
The secret of the server that dialup admin should use while connecting.
NOTE: You must have a correct entry in clients.conf for the host running the dialup admin. For more information consult the documentations that come with FreeRadius
general_auth_request_file: %{general_base_dir}/conf/auth.request
The file conf/auth.request contains the options passed while the authentification is performed. Should you need to add anything edit this file
[2.1.6] Encryption Method
general_encryption_method: md5
How the passwords of the users are stored (or should be) in the database.
Could be 'clear', 'md5', 'des'. See Also Section 2.1.9
[2.1.7] NAS Information
nas1_name: host.%{general_domain}
The name of the NAS. Only the host must be replaced to match yours, provided that the nas are on the general_domain specified above
nas1_model: Lucent
The model of the NAS.
nas1_ip: 10.0.0.1
The IP of the NAS
nas1_port_num: 120
The port number to connect to on the NAS
nas1_community: community string
The community string used by the nas for queries via snmp
nas1_finger_type: snmp
The finger type for the specific nas. Comment out to use the general_finger_type from above.
nas1_type: cisco
The nas type for the specific nas. Comment out to use the general_nas_type from above.
[2.1.8] LDAP Options
ldap_server: ldap.%{general_domain}
The ldap server to connect to Both ldap_server and ldap_write_server can be a space-separated list of ldap hostnames. In that case the library will try to connect to the servers in the order that they appear. If the first host is down ldap_connect will ask for the second ldap host and so on.
ldap_write_server: master.%{general_domain}
There are many cases where we have a small write master and a lot of fast read only replicas. If that is the case uncomment ldap_write_server and point it to the write master. It will be used only when writing to the directory, not when reading
ldap_base: dc=company,dc=com
The LDAP base for the ldap searches
ldap_binddn: cn=Directory Manager ldap_bindpw: XXXXXXX
The DN and password which will be used to bind to the LDAP server. If we don't use http credentials (see below) than these setting will be used for all ldap operations (both searches and modifies/adds).
ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
The LDAP suffix under which all new user entries created through the new user page will be placed
ldap_default_dn: uid=default-dialup,%{ldap_base}
The DN of an ldap entry containing radius user settings which will be applied for all users. Though these settings are applied *before* the regular profile and per user settings, so they can be easily overwritten. That way we could for example set Session-Timeout to 4 hours for all our users and set it to a lower/higher value for specific users or groups of users
ldap_regular_profile_attr: dialupregularprofile
The ldap attribute which if present in a user entry will contain the DN of another ldap entry specifying radius user settings (check and reply items). That way we can keep these settings in only one entry and assign them to each user that we want through the regular profile attribute.
ldap_use_http_credentials: yes
If set to yes then the HTTP credentials (http authentication) will be used to bind to the ldap server instead of ldap_binddn and ldap_bindpw directives. That way multiple admins with different rights on the ldap database can connect through one dialup_admin interface. The ldap_binddn and ldap_bindpw are still needed to find the DN of the user to bind with (http authentication will only provide us with a username). As a result the ldap_binddn should be able to do a search with a filter of (uid=<username>). Normally, the anonymous (empty DN) user can do that.
ldap_directory_manager: cn=Directory Manager ldap_map_to_directory_manager: admin
If we are using http credentials we can map a specific username to the directory manager entry (which usually does not correspond to a specific username)
ldap_debug: true
Set to true to enable ldap debugging
ldap_filter: (uid=%u)
Allow for defining the ldap filter used when searching for a user Variables supported: %u: username %U: username provided though http authentication
One use of this would be to restrict access to only the user's belonging to a specific administrator like this: ldap_filter: (&(uid=%u)(manager=uid=%U,ou=admins,o=company,c=com))
[2.1.9] SQL Options
sql_type: mysql
The type of the database. Currenty dialup admin support mySQL ('mysql') and PostgreSQL('pg')
sql_server: localhost sql_port: 3306 sql_username: radius sql_password: XXXXX
Information regargind the SQL database such as hostname, port, username and password to be used for connection
NOTE: The default port for mySQL is 3306 while for PostgreSQL is 5432. The Username and password are ones set in the database. Creating a
new username is behond the scope of this documentation.
sql_database: radius
The database where all our tables are stored. Read section 1.3.3
sql_accounting_table: radacct sql_check_table: radcheck sql_groupcheck_table: radgroupcheck sql_groupreply_table: radgroupreply sql_reply_table: radreply
The above tables are the ones used also directly through FreeRadius. The SQL file containing the way to create these tables are at freeradius-x.x.x/src/modules/rlm_sql/drivers/rlm_sql_<DATABASE TYPE>/db_<DATABASE_TYPE>.sql
For more information consult the documentation of FreeRadius
sql_badusers_table: badusers sql_user_info_table: userinfo sql_usergroup_table: usergroup sql_total_accounting_table: totacct
These are the tables created during section 1.3.3. There shouldn't be any need to change those
sql_use_user_info_table: true sql_use_operators: true
Could be true or false
sql_default_user_profile: DEFAULT
Set this to the value of the default_user_profile in your sql.conf if that one is set. If it is not set leave blank or commented out
sql_password_attribute: User-Password
The password attribute. Should be User-Password if encryption method is clear (See section 2.1.6) or Crypt-Password if either md5 or des is choosed
sql_date_format: Y-m-d sql_full_date_format: Y-m-d H:i:s
The date format
sql_row_limit: 40
The row limit used in the accounting page in order to limit the output
sql_connect_timeout: 3 sql_extra_servers: sql2.company.com sql3.company.com
The above options are used by bin/log_badlogins (See Section 2.x.x) The sql_connect_timeout is also used by the mysql driver and the sql_extra_servers is also used when adding users in the badusers table
sql_debug: false
Set to true to enable SQL debugging
sql_use_http_credentials: no
If set to yes then the HTTP credentials (http authentication) will be used to connect to the sql server instead of sql_username and sql_password. That way multiple admins with different rights on the sql database can connect through one dialup_admin interface.
sql_command: /usr/local/bin/mysql
This variable is used by the scripts in the bin folder It should contain the path to the sql binary used to run sql commands (mysql is only supported for now)
[2.1.10] Limits Timers
counter_default_daily: 14400 counter_default_weekly: 72000 counter_default_monthly: none
The dialup limit displayed on the Dialup Admin. Set to none for no limit
[2.1.11] Various Options
general_accounting_info_order: desc
Can be either asc (older dates first) or desc (recent dates first)
general_stats_use_totacct: no
Use the totacct table for statistics
general_use_session: yes
Set it to yes to use sessions and cache the various mappings. You can also set use_session = 1 in config.php3 to also cache the admin.conf
NOTE: Remember to use the 'Clear Cache' page if you use sessions and do any changes in any of the configuration files.
general_most_recent_fl: 30
This is used by the failed logins page. It states the default back time in minutes.
general_prefered_lang: el general_prefered_lang_name: Greek
It can be default or whatever language. Only greek are supported from non latin alphabet languages. These attribute only apply for ldap not for sql
general_charset: iso-8859-1
The charset which will be added as a meta tag in all pages
general_decode_normal_attributes: no
Uncomment this if normal attributes (not the ;lang-xx ones) in ldap are utf8 encoded.
[2.2] The bin/ scripts
[2.2.1] The snmpfinger script
This script make an snmp request to the nas server to retrieve the online users directly from the NAS and is being used by dialup admin
when general_finger_type: snmp is set (or the per nas equivelant
directive). (See section 2.1.4).
You also must have installed the net-snmp package obtained at http://www.net-snmp.org
The snmpfinger script must be edited in order to point to the correct snmpwalk binary.
Edit the line $SNMPWALK="/usr/local/bin/snmpwalk"; to represent the location of snmpwalk binary
Besides that the snmpfinger uses MIBs only for the CISCO XXXX NAS or for Lucent equipment (at least for the MAX 3000) which may not work if your NAS is different.
However the snmpfinger is not actually required if your accounting is working properly.
[2.2.2] The log_badlogins script
The log_badlogins scripts actually does a tail -f to the radius.log and
intercepts any authentification failure and passes it to the database. If you are interested in having the Failed Logins on the Dialup Admin you should execute it once like this:
bin/log_badlogins /var/log/radius/radius.log /usr/local/dialup_admin/conf/admin.conf&
Of cource the proper file locations must be set
Also log_badlogins will concatenate the client shortname and the general_domain variable defined in admin.conf in order to find the nas ip address. So it is important to make sure that $client_shortname.$domain resolves to the correct nas ip address. regular expression matching is also supported. If the $regexp variable is set then only failed login lines matching the regular expression will be logged.
[2.2.3] The clean_radacct script
The clean_radacct script can be used to clear the database of stale open sessions (sessions for which an Accounting-Stop has not been received hence they remain open) The $back_days variable can be changed to specify how many days we should leave the sessions open before removing them. Make sure though that all your user sesions are short lived (no DSL users for example) before using the script. If that is not the case edit the sql query to only match short lived sessions (depending on the NAS-Port-Type for example).
[2.2.4] The truncate_radacct script
The truncate_radacct script can be used to delete all sessions which are older than a specified number of days. This number can be changed through the $back_days variable. The script will do a lock tables so make sure you run it during the night when the traffic is low. It will also only delete *closed* session, so the clean_radacct script should be used together to clear the possible open sessions.
[2.2.4] The tot_stats script
This script will log aggregated per user information in the totacct table. It will log a row per user, per day. It should be run *once* every day to create the corresponding entries in the totacct table. The general_stats_use_totacct configuration directive could then be set to yes in order for the statistics page to use the totacct table instead of the radacct table.
[2.2.5] The monthly_tot_stats script
This script can be used to aggregate the information from the totacct table into the mtotacct table creating aggregated accounting information for each spaning in one month period. If the current month has not ended it will log information up to the current month day. It should be run once a day to create the corresponding entries in the mtotacct table.
[2.3] User Attributes
First of all check conf/user_edit.atts and see if the attribute you are interested in is commented out. If it is just enable it by uncommenting it.
If the attribute is not included in the file add it.
If you use SQL check conf/sql.attrmap. Attributes that are not contained in this file are assumed to be reply items and map to the same name as the one used by dialup_admin
If you use LDAP check ${freeradius_install_dir}/etc/raddb/ldap.attrmap and check if the attribute is included in the attribute mapping.
If it is not then add it there also.Everything should work ok after that.
[2.4] Finishing
The above sections should propably have brought you to a working dialup admin.
Note however that if you are interested in logging the failed logins
(See section 2.3.2) you should execute the log_badlogins each time the system starts.
3. Troubleshooting --------------------------
[3.1] When I try to access some page I see the php code instead of html
See section 1.3.2.1
[3.2] When an attribute contains double (") or single (') quotes something goes wrong
Make sure that magic quotes in PHP are turned off
[3.3] Even though I have uncommented Dialup-Access in user_edits.attrs, when editing a user, that field is not available...
...Is this because in sql.attrmap I have:
checkItem Dialup-Access none
What should the attribute be?
Dialup-Access is an attribute used by the ldap module. It is not implemented in the sql module, that's why the mapping is set to none. You could set Auth-Type to Reject instead.
[3.4] Why do the personal information fields show multiple entries for attributes like name, department, etc in the user_admin page?
Set general_prefered_lang to en
[3.5] After I make a few changes in one of the configuration files things only work like they worked before
If you are using sessions then remember to use the 'Clear Cache' page after making any changes. See Section 2.1.11
[3.6] It is still not working
Check that the register_globals in php.ini is set to on. As of PHP 4.2.0 this is set to off by default. The latest versions of dialup_admin will work
even if register_globals is set to off if the php version is > 4.1.0 (Thanks to Evren Yurtesen <[EMAIL PROTECTED]> for the suggestion).
In latest versions you can also enable sql debug (sql_debug: true) and ldap debug (ldap_debug: true)
4. HOWTO Information ---------------------------------
This document is distributed under the terms of the GPL (GNU Public License). Paris Stamatopoulos <[EMAIL PROTECTED]> (main author)
Kostas Kalevras <[EMAIL PROTECTED]> (a few additions)