On Wed, 5 Mar 2003, Bill Anderson wrote:

> I am so close to getting the monthly time limit working and I just need a
> little help.  I have looked through the archives and have found things that
> have brought me this far, however, I believe I am close.  Does anyone have
> any idea what I am doing wrong?  Basically what I would like to do is have a
> user to be rejected if they reach their monthly time limit.  I am not using
> SQL.  I have attached the following information:
>
> /etc/raddb/users
> radiusd debug session (radiusd -X)
> /etc/raddb/radiusd.conf
>
> users file:
>
> mytestuser   Max-Monthly-Session := 30, Auth-Type := Local, User-Password == "somepass"
>                 Service-Type = Framed-User,
>                 Framed-Protocol = PPP,
>                 Framed-IP-Address = 255.255.255.254,
>                 Framed-IP-Netmask = 255.255.255.255,
>                 Framed-Routing = None,
>                 Framed-MTU = 1500,
>                 Framed-Compression = Van-Jacobson-TCP-IP,
>                 Idle-Timeout = 900,
>                 Session-Timeout = 21600,
>                 Port-Limit = 1,

> DEFAULT         Max-Monthly-Session > 30, Auth-Type = Reject
>                 Reply-Message = "Max monthly hours achieved"

You don't need this check if you set Max-Monthly-Session

>
> Debug Session:
>
> [EMAIL PROTECTED] raddb]# radiusd -X
> Starting - reading configuration files ...
> Config:   including file: /etc/raddb/proxy.conf
> Config:   including file: /etc/raddb/clients.conf
> rad_recv: Access-Request packet from host 209.95.37.8:1647, id=149, length=182
>         User-Name = "mytestuser"
>         User-Password = "backd00r"
>         NAS-IP-Address = 209.247.5.114
>         NAS-Port = 136
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Ascend-Data-Rate = 21600
>         Ascend-Calling-Id-Type-Of-Num = Unknown
>         Ascend-Calling-Id-Number-Plan = Unknown
>         Ascend-Xmit-Rate = 49333
>         Called-Station-Id = "5032134042"
>         Calling-Station-Id = "5038850150"
>         Acct-Session-Id = "386694565"
>         NAS-Port-Type = Async
>         Ascend-NAS-Port-Format = 2_4_5_5
>         Proxy-State = 0x3533
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
>   modcall[authorize]: module "chap" returns noop
>   modcall[authorize]: module "mschap" returns notfound
> rlm_counter: Entering module authorize code
> rlm_counter: Could not find Check item value pair
>   modcall[authorize]: module "counter" returns noop
>     rlm_realm: No '@' in User-Name = "mytestuser", looking up realm NULL
>     rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched mytestuser at 1
>   modcall[authorize]: module "files" returns ok

You have files after counter in your authorize section. Try putting the counter
module after the files module.



>               # encryption moderate
>               #       require_encryption = yes
>
>               # require_strong always requires 128 bit key
>               # encryption
>               #       require_strong = yes
>       }
>
>       # Lightweight Directory Access Protocol (LDAP)
>       #
>       #  This module definition allows you to use LDAP for
>       #  authorization and authentication (Auth-Type := LDAP)
>       #
>       #  See doc/rlm_ldap for description of configuration options
>       #  and sample authorize{} and authenticate{} blocks
>       ldap {
>               server = "ldap.your.domain"
>               # identity = "cn=admin,o=My Org,c=UA"
>               # password = mypass
>               basedn = "o=My Org,c=UA"
>               filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>
>               # set this to 'yes' to use TLS encrypted connections
>               # to the LDAP database by using the StartTLS extended
>               # operation.
>               start_tls = no
>               # set this to 'yes' to use TLS encrypted connections to the
>               # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
>               # the ldap library.
>               tls_mode = no
>
>               # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>               # profile_attribute = "radiusProfileDn"
>               access_attr = "dialupAccess"
>
>               # Mapping of RADIUS dictionary attributes to LDAP
>               # directory attributes.
>               dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>               # ldap_cache_timeout = 120
>               # ldap_cache_size = 0
>               ldap_connections_number = 5
>               # password_header = "{clear}"
>               # password_attribute = userPassword
>               # groupname_attribute = cn
>               # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>               # groupmembership_attribute = radiusGroupName
>               timeout = 4
>               timelimit = 3
>               net_timeout = 1
>               # compare_check_items = yes
>               # access_attr_used_for_allow = yes
>       }
>
>       # passwd module allows to do authorization via any passwd-like
>       # file and to extract any attributes from these modules
>       #
>       # parameters are:
>       #   filename - path to filename
>       #   format - format for filename record. This parameters
>       #            correlates record in the passwd file and RADIUS
>       #            attributes.
>       #
>       #            Field marked as '*' is key field. That is, the parameter
>       #            with this name from the request is used to search for
>       #            the record from passwd file
>       #
>       #            Field marked as ',' may contain a comma separated list
>       #            of attributes.
>       #   authtype - if record found this Auth-Type is used to authenticate
>       #            user
>       #   hashsize - hashtable size. If 0 or not specified records are not
>       #            stored in memory and file is red on every request.
>       #   allowmultiplekeys - if few records for every key are allowed
>       #   ignorenislike - ignore NIS-related records
>       #   delimiter - symbol to use as a field separator in passwd file,
>       #            for format ':' symbol is always used. '\0', '\n' are
>       #            not allowed
>       #
>       #passwd etc_smbpasswd {
>       #       filename = /etc/smbpasswd
>       #       format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
>       #       authtype = MS-CHAP
>       #       hashsize = 100
>       #       ignorenislike = no
>       #       allowmultiplekeys = no
>       #}
>
>       #  Similar configuration, for the /etc/group file. Adds a Group-Name
>       #  attribute for every group that the user is member of.
>       #
>       #passwd etc_group {
>       #       filename = /etc/group
>       #       format = "Group-Name:::*,User-Name"
>       #       hashsize = 50
>       #       ignorenislike = yes
>       #       allowmultiplekeys = yes
>       #       delimiter = ":"
>       #}
>
>       # Realm module, for proxying.
>       #
>       #  You can have multiple instances of the realm module to
>       #  support multiple realm syntaxs at the same time.  The
>       #  search order is defined the order in the authorize and
>       #  preacct blocks after the module config block.
>       #
>       #  Two config options:
>       #       format     -  must be 'prefix' or 'suffix'
>       #       delimiter  -  must be a single character
>
>       #  '[EMAIL PROTECTED]'
>       #
>       realm suffix {
>               format = suffix
>               delimiter = "@"
>       }
>
>       #  'realm/username'
>       #
>       #  Using this entry, IPASS users have their realm set to "IPASS".
>       realm realmslash {
>               format = prefix
>               delimiter = "/"
>       }
>
>       #  'username%realm'
>       #
>       realm realmpercent {
>               format = suffix
>               delimiter = "%"
>       }
>
>       #  rewrite arbitrary packets.  Useful in accounting and authorization.
>       #
>       ## This module is highly experimental at the moment.  Please give
>       ## feedback to the mailing list.
>       #
>       #  The module can also use the Rewrite-Rule attribute. If it
>       #  is set and matches the name of the module instance, then
>       #  that module instance will be the only one which runs.
>       #
>       #  Also if new_attribute is set to yes then a new attribute
>       #  will be created containing the value replacewith and it
>       #  will be added to searchin (packet, reply or config).
>       # searchfor,ignore_case and max_matches will be ignored in that case.
>
>       #
>       #attr_rewrite sanecallerid {
>       #       attribute = Called-Station-Id
>               # may be "packet", "reply", or "config"
>       #       searchin = packet
>       #       searchfor = "[+ ]"
>       #       replacewith = ""
>       #       ignore_case = no
>       #       new_attribute = no
>       #       max_matches = 10
>       #       ## If set to yes then the replace string will be appended to the original string
>       #       append = no
>       #}
>
>       # Preprocess the incoming RADIUS request, before handing it off
>       # to other modules.
>       #
>       #  This module processes the 'huntgroups' and 'hints' files.
>       #  In addition, it re-writes some weird attributes created
>       #  by some NASes, and converts the attributes into a form which
>       #  is a little more standard.
>       #
>       preprocess {
>               huntgroups = ${confdir}/huntgroups
>               hints = ${confdir}/hints
>
>               # This hack changes Ascend's wierd port numberings
>               # to standard 0-??? port numbers so that the "+" works
>               # for IP address assignments.
>               with_ascend_hack = no
>               ascend_channels_per_line = 23
>
>               # Windows NT machines often authenticate themselves as
>               # NT_DOMAIN\username
>               #
>               # If this is set to 'yes', then the NT_DOMAIN portion
>               # of the user-name is silently discarded.
>               with_ntdomain_hack = no
>
>               # Specialix Jetstream 8500 24 port access server.
>               #
>               # If the user name is 10 characters or longer, a "/"
>               # and the excess characters after the 10th are
>               # appended to the user name.
>               #
>               # If you're not running that NAS, you don't need
>               # this hack.
>               with_specialix_jetstream_hack = no
>
>               # Cisco sends it's VSA attributes with the attribute
>               # name *again* in the string, like:
>               #
>               #   H323-Attribute = "h323-attribute=value".
>               #
>               # If this configuration item is set to 'yes', then
>               # the redundant data in the the attribute text is stripped
>               # out.  The result is:
>               #
>               #  H323-Attribute = "value"
>               #
>               # If you're not running a Cisco NAS, you don't need
>               # this hack.
>               with_cisco_vsa_hack = no
>       }
>
>       # Livingston-style 'users' file
>       #
>       files {
>               usersfile = ${confdir}/users
>               acctusersfile = ${confdir}/acct_users
>
>               #  If you want to use the old Cistron 'users' file
>               #  with FreeRADIUS, you should change the next line
>               #  to 'compat = cistron'.  You can the copy your 'users'
>               #  file from Cistron.
>               compat = no
>       }
>
>       # Write a detailed log of all accounting records received.
>       #
>       detail {
>               #  Note that we do NOT use NAS-IP-Address here, as
>               #  that attribute MAY BE from the originating NAS, and
>               #  NOT from the proxy which actually sent us the
>               #  request.  The Client-IP-Address attribute is ALWAYS
>               #  the address of the client which sent us the
>               #  request.
>               #
>               #  The following line creates a new detail file for
>               #  every radius client (by IP address or hostname).
>               #  In addition, a new detail file is created every
>               #  day, so that the detail file doesn't have to go
>               #  through a 'log rotation'
>               #
>               #  If your detail files are large, you may also want
>               #  to add a ':%H' (see doc/variables.txt) to the end
>               #  of it, to create a new detail file every hour, e.g.:
>               #
>               #   ..../detail-%Y%m%d:%H
>               #
>               #  This will create a new detail file for every hour.
>               #
>               detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>
>               #
>               #  The Unix-style permissions on the 'detail' file.
>               #
>               #  The detail file often contains secret or private
>               #  information about users.  So by keeping the file
>               #  permissions restrictive, we can prevent unwanted
>               #  people from seeing that information.
>               detailperm = 0600
>       }
>
>       # Create a unique accounting session Id.  Many NASes re-use or
>       # repeat values for Acct-Session-Id, causing no end of
>       # confusion.
>       #
>       #  This module will add a (probably) unique session id
>       #  to an accounting packet based on the attributes listed
>       #  below found in the packet.  See doc/rlm_acct_unique for
>       #  more information.
>       #
>       acct_unique {
>               key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
>       }
>
>
>       # Include another file that has the SQL-related configuration.
>       # This is another file solely because it tends to be big.
>       #
>       #  The following configuration file is for use with MySQL.
>       #
>       # For Postgresql, use:          ${confdir}/postgresql.conf
>       # For MS-SQL, use:              ${confdir}/mssql.conf
>       #
>       $INCLUDE  ${confdir}/sql.conf
>
>       # Write a 'utmp' style log file, of which users are currently
>       # logged in, and where they've logged in from.
>       #
>       radutmp {
>               filename = ${logdir}/radutmp
>
>               # Set the file permissions, as the contents of this file
>               # are usually private.
>               perm = 0600
>
>               callerid = "yes"
>       }
>
>       # "Safe" radutmp - does not contain caller ID, so it can be
>       # world-readable, and radwho can work for normal users, without
>       # exposing any information that isn't already exposed by who(1).
>       #
>       # This is another instance of the radutmp module, but it is given
>       # then name "sradutmp" to identify it later in the "accounting"
>       # section.
>       radutmp sradutmp {
>               filename = ${logdir}/sradutmp
>               perm = 0644
>               callerid = "no"
>       }
>
>       # attr_filter - filters the attributes received in replies from
>       # proxied servers, to make sure we send back to our RADIUS client
>       # only allowed attributes.
>       attr_filter {
>               attrsfile = ${confdir}/attrs
>       }
>
>       #  This module takes an attribute (count-attribute).
>       #  It also takes a key, and creates a counter for each unique
>       #  key.  The count is incremented when accounting packets are
>       #  received by the server.  The value of the increment depends
>       #  on the attribute type.
>       #  If the attribute is Acct-Session-Time or an integer we add the
>       #  value of the attribute. If it is anything else we increase the
>       #  counter by one.
>       #
>       #  The 'reset' parameter defines when the counters are all reset to
>       #  zero.  It can be hourly, daily, weekly, monthly or never.
>       #  It can also be user defined. It should be of the form:
>       #  num[hdwm] where:
>       #  h: hours, d: days, w: weeks, m: months
>       #  If the letter is ommited days will be assumed. In example:
>       #  reset = 10h (reset every 10 hours)
>       #  reset = 12  (reset every 12 days)
>       #
>       #
>       #  The check-name attribute defines an attribute which will be
>       #  registered by the counter module and can be used to set the
>       #  maximum allowed value for the counter after which the user
>       #  is rejected.
>       #  Something like:
>       #
>       #  DEFAULT Max-Daily-Session := 36000
>       #          Fall-Through = 1
>       #
>       #  You should add the counter module in the instantiate
>       #  section so that it registers check-name before the files
>       #  module reads the users file.
>       #
>       #  If check-name is set and the user is to be rejected then we
>       #  send back a Reply-Message and we log a Failure-Message in
>       #  the radius.log
>       #
>       #  The counter-name can also be used like below:
>       #
>       #  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
>       #      Reply-Message = "You've used up more than one hour today"
>       #
>       #  The allowed-servicetype attribute can be used to only take
>       #  into account specific sessions. For example if a user first
>       #  logs in through a login menu and then selects ppp there will
>       #  be two sessions. One for Login-User and one for Framed-User
>       #  service type. We only need to take into account the second one.
>       #
>       #  The module should be added in the instantiate, authorize and
>       #  accounting sections.  Make sure that in the authorize
>       #  section it comes after any module which sets the
>       #  'check-name' attribute.
>       #
> #     counter {
> #             filename = ${raddbdir}/db.counter
> #             key = User-Name
> #             count-attribute = Acct-Session-Time
> #             reset = daily
> #             counter-name = Daily-Session-Time
> #             check-name = Max-Daily-Session
> #             allowed-servicetype = Framed-User
> #             cache-size = 5000
> #     }
>
>       counter {
>               filename = ${raddbdir}/db.counter
>               key = User-Name
>               count-attribute = Acct-Session-Time
>               reset = monthly
>               counter-name = Monthly-Session-Time
>               check-name = Max-Monthly-Session
>               allowed-servicetype = Framed-User
>               cache-size = 5000
>       }
>
>       # The "always" module is here for debugging purposes. Each
>       # instance simply returns the same result, always, without
>       # doing anything.
>       always fail {
>               rcode = fail
>       }
>       always reject {
>               rcode = reject
>       }
>       always ok {
>               rcode = ok
>               simulcount = 0
>               mpp = no
>       }
>
>       #
>       #  The 'expression' module current has no configuration.
>       expr {
>       }
>
>       # ANSI X9.9 token support.  Not included by default.
>       # $INCLUDE  ${confdir}/x99.conf
>
> }
>
> # Instantiation
> #
> #  This section orders the loading of the modules.  Modules
> #  listed here will get loaded BEFORE the later sections like
> #  authorize, authenticate, etc. get examined.
> #
> #  This section is not strictly needed.  When a section like
> #  authorize refers to a module, it's automatically loaded and
> #  initialized.  However, some modules may not be listed in any
> #  of the following sections, so they can be listed here.
> #
> #  Also, listing modules here ensures that you have control over
> #  the order in which they are initalized.  If one module needs
> #  something defined by another module, you can list them in order
> #  here, and ensure that the configuration will be OK.
> #
> instantiate {
>       #
>       #  The expression module doesn't do authorization,
>       #  authentication, or accounting.  It only does dynamic
>       #  translation, of the form:
>       #
>       #       Session-Timeout = `%{expr:2 + 3}`
>       #
>       #  So the module needs to be instantiated, but CANNOT be
>       #  listed in any other section.  See 'doc/rlm_expr' for
>       #  more information.
>       #
>       expr
> }
>
> #  Authorization. First preprocess (hints and huntgroups files),
> #  then realms, and finally look in the "users" file.
> #
> #  The order of the realm modules will determine the order that
> #  we try to find a matching realm.
> #
> #  Make *sure* that 'preprocess' comes before any realm if you
> #  need to setup hints for the remote radius server
> authorize {
>       #
>       #  The preprocess module takes care of sanitizing some bizarre
>       #  attributes in the request, and turning them into attributes
>       #  which are more standard.
>       #
>       #  It takes care of processing the 'raddb/hints' and the
>       #  'raddb/huntgroups' files.
>       #
>       #  It also adds a Client-IP-Address attribute to the request.
>       preprocess
>
>       #
>       #  The chap module will set 'Auth-Type := CHAP' if we are
>       #  handling a CHAP request and Auth-Type has not already been set
>       chap
>
>       #
>       #  If the users are logging in with an MS-CHAP-Challenge
>       #  attribute for authentication, the mschap module will find
>       #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
>       #  to the request, which will cause the server to then use
>       #  the mschap module for authentication.
>       mschap
>
>       counter
> #     attr_filter
> #     eap
>       suffix
>       files
> #     etc_smbpasswd
>
>
> # The ldap module will set Auth-Type to LDAP if it has not already been set
> #     ldap
> }
>
>
> # Authentication.
> #
> #  This section lists which modules are available for authentication.
> #  Note that it does NOT mean 'try each module in order'.  It means
> #  that you have to have a module from the 'authorize' section add
> #  a configuration attribute 'Auth-Type := FOO'.  That authentication type
> #  is then used to pick the apropriate module from the list below.
> #
> #  The default Auth-Type is Local.  That is, whatever is not included inside
> # an authtype section will be called only if Auth-Type is set to Local.
> #
> # So you should do the following:
> # - Set Auth-Type to an appropriate value in the authorize modules above.
> #   For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc.
> # - After that create corresponding authtype sections in the
> #   authenticate section below and call the appropriate modules.
> authenticate {
>       #
>       #  PAP authentication, when a back-end database listed
>       #  in the 'authorize' section supplies a password.  The
>       #  password can be clear-text, or encrypted.
>       authtype PAP {
>               pap
>       }
>
>       #
>       #  Most people want CHAP authentication
>       #  A back-end database listed in the 'authorize' section
>       #  MUST supply a CLEAR TEXT password.  Encrypted passwords
>       #  won't work.
>       authtype CHAP {
>               chap
>       }
>
>       #
>       #  MSCHAP authentication.
>       authtype MS-CHAP {
>               mschap
>       }
>
> #     pam
>
>       #
>       #  See 'man getpwent' for information on how the 'unix'
>       #  module checks the users password.  Note that packets
>       #  containing CHAP-Password attributes CANNOT be authenticated
>       #  against /etc/passwd!  See the FAQ for details.
>       #
>       unix
>
>       # Uncomment it if you want to use ldap for authentication
> #     authtype LDAP {
> #             ldap
> #     }
>
>
> #     eap
> }
>
>
> #  Pre-accounting. Look for proxy realm in order of realms, then
> #  acct_users file, then preprocess (hints file).
> preacct {
>       preprocess
>       suffix
>       files
> }
>
>
> #  Accounting. Log to detail file, and to the radwtmp file, and maintain
> #  radutmp.
> accounting {
>       acct_unique
>       detail
>       counter
>       unix            # wtmp file
>       radutmp
> #     sradutmp
> }
>
>
> #  Session database, used for checking Simultaneous-Use. Either the radutmp
> #  or rlm_sql module can handle this.
> #  The rlm_sql module is *much* faster
> session {
>       radutmp
> #     sql
> }
>
>
> #  Post-Authentication
> #  Once we KNOW that the user has been authenticated, there are
> #  additional steps we can take.
> post-auth {
>         #  Get an address from the IP Pool.
>         #main_pool
> }
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
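The module-ordering point made in the reply above, as an added example that is not FreeRADIUS code and not from either poster: a small Python model of the authorize section in which the files module supplies the Max-Monthly-Session check item and the counter module compares it with the accumulated Monthly-Session-Time. When counter runs before files the check item is not there yet, so counter logs "Could not find Check item value pair" and returns noop, and the limit is never enforced; with files first, an over-limit user is rejected. The module function names, the users entries and the counter database values are constructed for illustration; the counter value is in seconds because the quoted configuration counts Acct-Session-Time, and the Session-Timeout adjustment for a user still under the limit is modelled on rlm_counter's behaviour.

```python
"""Model of FreeRADIUS authorize-section module ordering for rlm_counter.

Added example, not FreeRADIUS code. It shows why the counter module has
to run after the module that sets its check-name attribute.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed stand-in for ${raddbdir}/db.counter: seconds of Framed-User
# session time accumulated this month per User-Name (counter-name =
# Monthly-Session-Time, count-attribute = Acct-Session-Time, in seconds).
COUNTER_DB: Dict[str, int] = {"mytestuser": 45, "lightuser": 5}

# Constructed stand-in for the users file. Max-Monthly-Session is the
# check-name attribute registered by the counter module.
USERS_FILE: Dict[str, Dict[str, object]] = {
    "mytestuser": {"Max-Monthly-Session": 30, "Auth-Type": "Local"},
    "lightuser": {"Max-Monthly-Session": 30, "Auth-Type": "Local"},
}

CHECK_NAME = "Max-Monthly-Session"


@dataclass
class Request:
    attrs: Dict[str, object]                               # request attributes
    config: Dict[str, object] = field(default_factory=dict)  # check items
    reply: Dict[str, object] = field(default_factory=dict)   # reply attributes
    log: List[str] = field(default_factory=list)             # radiusd -X style log
    decision: str = "ok"


# Each module returns an rcode string, mirroring rlm_* return codes.
def files(req: Request) -> str:
    """Match the user in the users file and add its check items."""
    entry = USERS_FILE.get(str(req.attrs["User-Name"]))
    if entry is None:
        return "notfound"
    req.config.update(entry)
    req.log.append(f"    users: Matched {req.attrs['User-Name']}")
    return "ok"


def counter(req: Request) -> str:
    """Compare the monthly counter with the check item, if it is present."""
    req.log.append("rlm_counter: Entering module authorize code")
    if CHECK_NAME not in req.config:
        # The situation in the quoted debug output: the check item has not
        # been added yet, so there is nothing to compare against.
        req.log.append("rlm_counter: Could not find Check item value pair")
        return "noop"
    used = COUNTER_DB.get(str(req.attrs["User-Name"]), 0)
    limit = int(req.config[CHECK_NAME])  # type: ignore[arg-type]
    if used >= limit:
        req.reply["Reply-Message"] = "Maximum monthly usage time reached"
        req.log.append(f"rlm_counter: {used}s used >= {limit}s allowed, rejecting")
        return "reject"
    # Under the limit: cap the session at the remaining time (modelled on
    # rlm_counter, which lowers Session-Timeout to check value - counter).
    remaining = limit - used
    current = req.reply.get("Session-Timeout")
    if current is None or int(current) > remaining:  # type: ignore[arg-type]
        req.reply["Session-Timeout"] = remaining
    return "ok"


def authorize(order: List[Callable[[Request], str]], req: Request) -> Request:
    """Run the authorize section in the given module order."""
    for mod in order:
        rcode = mod(req)
        req.log.append(f'  modcall[authorize]: module "{mod.__name__}" returns {rcode}')
        if rcode == "reject":
            req.decision = "reject"
            return req
    req.decision = "ok"
    return req


def run(username: str, order: List[Callable[[Request], str]]) -> Request:
    """Authorize a constructed Access-Request for username with this order."""
    return authorize(order, Request(attrs={"User-Name": username}))


if __name__ == "__main__":
    for order in ([counter, files], [files, counter]):
        req = run("mytestuser", order)
        print(f"order {[m.__name__ for m in order]}: {req.decision}")
        print("\n".join(req.log))
```

Run as a script it prints both orderings for the over-limit user: the first (counter before files, as in the quoted configuration) ends in "ok" with the "Could not find Check item value pair" line, the second ends in "reject".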
