Hello Paul -

On Mon, 17 Jan 2000, Black, Paul wrote:
> Here is my radiator config file. It is quite similar to the example you
> emailed to me last week. On thinking about the problem with profiles not
> working, the problem seems to have occurred when I changed the AuthByPolicy to
> ContinueWhileIgnore. I set this policy to allow customers to be suspended by
> setting a field in the Radiator database.
> 

I think perhaps I didn't make myself clear with my example, so I'll try again
below. Could you also explain to me exactly what you are trying to accomplish
with the AuthBy RADMIN, AuthBy FILE, and AuthBy UNIX? The example below
assumes that your primary user database is RADMIN and if the user is not found
there it will then try UNIX.

> 
> Trace         4
> 
> DbDir             /etc/raddb
> LogDir            /var/log/radacct
> DictionaryFile  /etc/raddb/dictionary
> RewriteUsername s/^.*\\|@.*$|^\s+|\s+$//g
> 
> <Client dm1>
>       Secret   XXXX
> </Client>
> <Client pm1>
>       Secret   XXXX
> </Client>
> 
> <Realm DEFAULT>
>       AuthByPolicy ContinueWhileIgnore
>       <AuthBy RADMIN>
>               DBSource        dbi:mysql:radmin
>               DBUsername      XXXX
>               DBAuth  XXXX
>                 AuthSelect select PASS_WORD, STATICADDRESS, TIMELEFT,
> MAXLOGINS, MAXIDLETIME, FRAMED_FILTER_ID, FRAMED_NETMASK, (%t -
> ADDEDDATE)/86400, SERVICENAME from RADUSERS where USERNAME='%n' and
> SERVICESTATE != 'SUSPENDED' 
>                 AuthColumnDef 0,Idle-Timeout,reply
>                 AuthColumnDef 1,Filter-Id,reply
>                 AuthColumnDef 2,Framed-IP-Netmask,reply
>                 AuthColumnDef 3,Days-Since-Added,reply
>                 AuthColumnDef 4,Service-Name,reply
> 
>               # You can add to or change these if you want, but you
>               # will probably want to change the databse schema first
>               AccountingTable RADUSAGE
>               AcctColumnDef   USERNAME,User-Name
>               AcctColumnDef   TIME_STAMP,Timestamp,integer
>               AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
>               AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>               AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>               AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>               AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>               AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>               AcctColumnDef
> ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>               AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>               AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>               AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
>               AcctColumnDef   NASPORT,NAS-Port,integer
>               AcctColumnDef   DNIS,Called-Station-Id
> 
>               #
>               # This updates the time and octets left for this user
>               #
> 
>               AcctSQLStatement update RADUSERS set
> TIMELEFT=TIMELEFT-0%{Acct-Session-Time},
> OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets},
> OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
> 
>               AddToReply Framed-Protocol = PPP,\
>                       Framed-Routing = None,\
>                       Framed-MTU = 1500,\
>                       Acc-Callback-CBCP-Type = CBCP-None,\
>                       Framed-Compression = Van-Jacobson-TCP-IP
>       </AuthBy>
> 
>       <AuthBy FILE>
>               Filename /etc/raddb/users
>       </AuthBy>
> 
> </Realm>
> 
> <AuthBy UNIX>
>       Identifier System
>       Filename /etc/shadow
> </AuthBy>
> 

# configuration file using DEFAULT's in a users file 
# each default matches a different prefix
# the last DEFAULT is used for everything else
# each DEFAULT calls CheckUser
# CheckUser calls RADMIN then UNIX with ContinueUntilAccept

# Trace 4 is debug-level logging: useful while getting this configuration
# working, but verbose. Consider lowering it afterwards and keep LogDir
# readable only by the account the server runs as.
Trace    4

DbDir                /etc/raddb
LogDir          /var/log/radacct
DictionaryFile          /etc/raddb/dictionary
# Normalise User-Name before any lookup: drop everything up to a backslash
# (a DOMAIN\ prefix), drop an @realm suffix, and trim surrounding whitespace.
# Quote characters are not removed by this rewrite.
RewriteUsername s/^.*\\|@.*$|^\s+|\s+$//g

# One Client clause per NAS. Secret is the RADIUS shared secret for that NAS
# (redacted here). This file holds the secrets and the database password in
# clear text, so restrict its file permissions accordingly.
<Client dm1>
        Secret   XXXX
</Client>

<Client pm1>
        Secret   XXXX
</Client>

# configure AuthBy RADMIN with Identifier CheckRADMIN

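<AuthBy RADMIN>
         # Identifier lets other clauses (the AuthBy GROUP below, or an
         # Auth-Type check item in the users file) refer to this clause by name.
         Identifier CheckRADMIN

         # DBI connection to the RAdmin MySQL database (credentials redacted).
         # From the statements in this clause the account needs to read and
         # update RADUSERS and to write RADUSAGE; it should not need more.
         DBSource        dbi:mysql:radmin
         DBUsername      XXXX
         DBAuth  XXXX

         # Fetch the user's row. The SERVICESTATE test means a suspended
         # customer's row is simply not returned by this clause.
         # NOTE(review): %n (the rewritten User-Name) is supplied by the
         # client and is substituted inside a quoted SQL literal, both here
         # and in AcctSQLStatement below. RewriteUsername does not strip quote
         # characters, so confirm that your Radiator version escapes %n, or
         # use the quoted/bound form it documents (for example AuthSelectParam
         # with a ? placeholder) if it is available.
         AuthSelect select PASS_WORD, STATICADDRESS, TIMELEFT, \
         MAXLOGINS, MAXIDLETIME, FRAMED_FILTER_ID, FRAMED_NETMASK, \
         (%t -ADDEDDATE)/86400, SERVICENAME from RADUSERS where \
         USERNAME='%n' and SERVICESTATE != 'SUSPENDED'

         # Map the extra selected columns to reply attributes.
         # NOTE(review): going by the attribute names, the indices count from
         # the first column after PASS_WORD, STATICADDRESS, TIMELEFT and
         # MAXLOGINS (0 = MAXIDLETIME ... 4 = SERVICENAME). Confirm this
         # against the AuthBy RADMIN documentation before adding columns.
         AuthColumnDef 0,Idle-Timeout,reply
         AuthColumnDef 1,Filter-Id,reply
         AuthColumnDef 2,Framed-IP-Netmask,reply
         AuthColumnDef 3,Days-Since-Added,reply
         AuthColumnDef 4,Service-Name,reply

         # You can add to or change these if you want, but you
         # will probably want to change the database schema first
         AccountingTable         RADUSAGE
         AcctColumnDef   USERNAME,User-Name
         AcctColumnDef   TIME_STAMP,Timestamp,integer
         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
         # Kept on one line: mail wrapping had split this directive in two.
         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
         AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
         # NOTE(review): NAS-Identifier and NAS-IP-Address both map to the
         # NASIDENTIFIER column; check what is stored when a NAS sends both.
         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
         AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
         AcctColumnDef   NASPORT,NAS-Port,integer
         AcctColumnDef   DNIS,Called-Station-Id

         #
         # This updates the time and octets left for this user.
         # The "-0" before each %{...} presumably keeps the statement valid
         # when the attribute is missing from the accounting request. The
         # values come from the NAS and are substituted unquoted.
         #

         AcctSQLStatement update RADUSERS set \
         TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, \
         OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, \
         OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} \
         where USERNAME='%n'

         # Reply attributes added to every accept from this clause. Define
         # them either here or in the users file DEFAULT entries, not both.
         AddToReply Framed-Protocol = PPP,\
         Framed-Routing = None,\
         Framed-MTU = 1500,\
         Acc-Callback-CBCP-Type = CBCP-None,\
         Framed-Compression = Van-Jacobson-TCP-IP
</AuthBy>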

<AuthBy UNIX>
         # Named so the AuthBy GROUP can reference this clause.
         Identifier CheckSystem
         # Authenticate against the host's own shadow password file.
         # NOTE(review): this makes every local account with a usable
         # password, administrative ones included, a candidate RADIUS login
         # and exposes it to password guessing through the NAS. Consider a
         # dedicated password file holding only the intended accounts. The
         # server also needs read access to /etc/shadow, and hashed entries
         # can only be verified for PAP requests, not CHAP.
         Filename /etc/shadow
</AuthBy>

# configure an AuthBy GROUP with Identifier CheckUser
# check RADMIN first and if not accepted then try UNIX

<AuthBy GROUP>
        # Referenced from the users file as Auth-Type = CheckUser.
        Identifier CheckUser
        # Try the clauses below in order and stop at the first one that
        # accepts. NOTE(review): any non-accept from CheckRADMIN, including a
        # suspended customer or a wrong password, therefore falls through to
        # CheckSystem. A suspended customer who also has a matching system
        # account would still be accepted; verify this is intended.
        AuthByPolicy ContinueUntilAccept
        AuthBy CheckRADMIN
        AuthBy CheckSystem
</AuthBy>

# configure a single DEFAULT realm

# Every request is handled by the DEFAULT realm, which consults the users
# file. Its DEFAULT entries use Auth-Type to hand off to the AuthBy clauses
# that are identified by name elsewhere in this configuration.
<Realm DEFAULT>

         <AuthBy FILE>
                  Filename /etc/raddb/users
         </AuthBy>

</Realm>


Then in the file /etc/raddb/users, you would have this:

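# /etc/raddb/users
# DEFAULT entries for prefixes
# last DEFAULT matches everything else
#
# In each entry the first line holds the check items and the indented lines
# hold the reply items. Auth-Type must be spelled exactly like the Identifier
# of the AuthBy clause it hands off to (CheckUser in the main configuration).
# A value such as Check-User names no clause and would not authenticate.

DEFAULT  Prefix = U, Auth-Type = CheckUser, Client-Id = pm1
        Service-Type = Login-User,
        Login-IP-Host = hyperion.triode.net.au,
        ACC-Callback-CBCP-Type = CBCP-None,
        Login-Service = Rlogin

DEFAULT  Prefix = ...., Auth-Type = CheckUser, ....

DEFAULT  Suffix = ...., Auth-Type = CheckUser

# Catch-all entry. Unlike the first entry it carries no Client-Id or other
# check item, so any user name arriving from any configured client is passed
# to CheckUser. Add check items here if that is broader than intended.
DEFAULT  Auth-Type = CheckUser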


Note that with the above you will have to decide where to define Reply
attributes: either in the AuthBy clauses or in the DEFAULT entries, but not
both. Otherwise you will have multiple sets of attributes in the Reply packets.

If you have any further questions feel free to ask.

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
