On Wed, 5 Mar 2003, Bill Anderson wrote:

> I am so close to getting the monthly time limit working and I just need a
> little help. I have looked through the archives and have found things that
> have brought me this far, however, I believe I am close. Does anyone have
> any idea what I am doing wrong? Basically what I would like to do is have a
> user be rejected if they reach their monthly time limit. I am not using
> SQL. I have attached the following information:
>
> /etc/raddb/users
> radiusd debug session (radiusd -X)
> /etc/raddb/radiusd.conf
>
> users file:
>
> mytestuser Max-Monthly-Session := 30, Auth-Type := Local, User-Password == "somepass"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 255.255.255.254,
>         Framed-IP-Netmask = 255.255.255.255,
>         Framed-Routing = None,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobson-TCP-IP,
>         Idle-Timeout = 900,
>         Session-Timeout = 21600,
>         Port-Limit = 1,
>
> DEFAULT Max-Monthly-Session > 30, Auth-Type = Reject
>         Reply-Message = "Max monthly hours achieved"

You don't need this check if you set Max-Monthly-Session.

> Debug Session:
>
> [EMAIL PROTECTED] raddb]# radiusd -X
> Starting - reading configuration files ...
> Config:   including file: /etc/raddb/proxy.conf
> Config:   including file: /etc/raddb/clients.conf
> rad_recv: Access-Request packet from host 209.95.37.8:1647, id=149, length=182
>         User-Name = "mytestuser"
>         User-Password = "backd00r"
>         NAS-IP-Address = 209.247.5.114
>         NAS-Port = 136
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Ascend-Data-Rate = 21600
>         Ascend-Calling-Id-Type-Of-Num = Unknown
>         Ascend-Calling-Id-Number-Plan = Unknown
>         Ascend-Xmit-Rate = 49333
>         Called-Station-Id = "5032134042"
>         Calling-Station-Id = "5038850150"
>         Acct-Session-Id = "386694565"
>         NAS-Port-Type = Async
>         Ascend-NAS-Port-Format = 2_4_5_5
>         Proxy-State = 0x3533
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
>   modcall[authorize]: module "chap" returns noop
>   modcall[authorize]: module "mschap" returns notfound
> rlm_counter: Entering module authorize code
> rlm_counter: Could not find Check item value pair
>   modcall[authorize]: module "counter" returns noop
> rlm_realm: No '@' in User-Name = "mytestuser", looking up realm NULL
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched mytestuser at 1
>   modcall[authorize]: module "files" returns ok

You have files after counter in your authorize section.
Try putting the counter module after the files module.

>         # encryption moderate
>         # require_encryption = yes
>
>         # require_strong always requires 128 bit key
>         # encryption
>         # require_strong = yes
> }
>
> # Lightweight Directory Access Protocol (LDAP)
> #
> # This module definition allows you to use LDAP for
> # authorization and authentication (Auth-Type := LDAP)
> #
> # See doc/rlm_ldap for description of configuration options
> # and sample authorize{} and authenticate{} blocks
> ldap {
>         server = "ldap.your.domain"
>         # identity = "cn=admin,o=My Org,c=UA"
>         # password = mypass
>         basedn = "o=My Org,c=UA"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>
>         # set this to 'yes' to use TLS encrypted connections
>         # to the LDAP database by using the StartTLS extended
>         # operation.
>         start_tls = no
>         # set this to 'yes' to use TLS encrypted connections to the
>         # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
>         # the ldap library.
>         tls_mode = no
>
>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         # profile_attribute = "radiusProfileDn"
>         access_attr = "dialupAccess"
>
>         # Mapping of RADIUS dictionary attributes to LDAP
>         # directory attributes.
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>         # ldap_cache_timeout = 120
>         # ldap_cache_size = 0
>         ldap_connections_number = 5
>         # password_header = "{clear}"
>         # password_attribute = userPassword
>         # groupname_attribute = cn
>         # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>         # groupmembership_attribute = radiusGroupName
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         # compare_check_items = yes
>         # access_attr_used_for_allow = yes
> }
>
> # passwd module allows to do authorization via any passwd-like
> # file and to extract any attributes from these modules
> #
> # parameters are:
> #   filename - path to filename
> #   format - format for filename record.
> #            This parameters
> #            correlates record in the passwd file and RADIUS
> #            attributes.
> #
> #            Field marked as '*' is key field. That is, the parameter
> #            with this name from the request is used to search for
> #            the record from passwd file
> #
> #            Field marked as ',' may contain a comma separated list
> #            of attributes.
> #   authtype - if record found this Auth-Type is used to authenticate
> #            user
> #   hashsize - hashtable size. If 0 or not specified records are not
> #            stored in memory and file is red on every request.
> #   allowmultiplekeys - if few records for every key are allowed
> #   ignorenislike - ignore NIS-related records
> #   delimiter - symbol to use as a field separator in passwd file,
> #            for format ':' symbol is always used. '\0', '\n' are
> #            not allowed
> #
> #passwd etc_smbpasswd {
> #       filename = /etc/smbpasswd
> #       format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
> #       authtype = MS-CHAP
> #       hashsize = 100
> #       ignorenislike = no
> #       allowmultiplekeys = no
> #}
>
> # Similar configuration, for the /etc/group file. Adds a Group-Name
> # attribute for every group that the user is member of.
> #
> #passwd etc_group {
> #       filename = /etc/group
> #       format = "Group-Name:::*,User-Name"
> #       hashsize = 50
> #       ignorenislike = yes
> #       allowmultiplekeys = yes
> #       delimiter = ":"
> #}
>
> # Realm module, for proxying.
> #
> # You can have multiple instances of the realm module to
> # support multiple realm syntaxs at the same time. The
> # search order is defined the order in the authorize and
> # preacct blocks after the module config block.
> #
> # Two config options:
> #       format     -  must be 'prefix' or 'suffix'
> #       delimiter  -  must be a single character
>
> # '[EMAIL PROTECTED]'
> #
> realm suffix {
>         format = suffix
>         delimiter = "@"
> }
>
> # 'realm/username'
> #
> # Using this entry, IPASS users have their realm set to "IPASS".
> realm realmslash {
>         format = prefix
>         delimiter = "/"
> }
>
> # 'username%realm'
> #
> realm realmpercent {
>         format = suffix
>         delimiter = "%"
> }
>
> # rewrite arbitrary packets.  Useful in accounting and authorization.
> #
> ## This module is highly experimental at the moment. Please give
> ## feedback to the mailing list.
> #
> # The module can also use the Rewrite-Rule attribute. If it
> # is set and matches the name of the module instance, then
> # that module instance will be the only one which runs.
> #
> # Also if new_attribute is set to yes then a new attribute
> # will be created containing the value replacewith and it
> # will be added to searchin (packet, reply or config).
> # searchfor,ignore_case and max_matches will be ignored in that case.
>
> #
> #attr_rewrite sanecallerid {
> #       attribute = Called-Station-Id
> #       # may be "packet", "reply", or "config"
> #       searchin = packet
> #       searchfor = "[+ ]"
> #       replacewith = ""
> #       ignore_case = no
> #       new_attribute = no
> #       max_matches = 10
> #       ## If set to yes then the replace string will be appended to the original string
> #       append = no
> #}
>
> # Preprocess the incoming RADIUS request, before handing it off
> # to other modules.
> #
> # This module processes the 'huntgroups' and 'hints' files.
> # In addition, it re-writes some weird attributes created
> # by some NASes, and converts the attributes into a form which
> # is a little more standard.
> #
> preprocess {
>         huntgroups = ${confdir}/huntgroups
>         hints = ${confdir}/hints
>
>         # This hack changes Ascend's wierd port numberings
>         # to standard 0-??? port numbers so that the "+" works
>         # for IP address assignments.
>         with_ascend_hack = no
>         ascend_channels_per_line = 23
>
>         # Windows NT machines often authenticate themselves as
>         # NT_DOMAIN\username
>         #
>         # If this is set to 'yes', then the NT_DOMAIN portion
>         # of the user-name is silently discarded.
>         with_ntdomain_hack = no
>
>         # Specialix Jetstream 8500 24 port access server.
>         #
>         # If the user name is 10 characters or longer, a "/"
>         # and the excess characters after the 10th are
>         # appended to the user name.
>         #
>         # If you're not running that NAS, you don't need
>         # this hack.
>         with_specialix_jetstream_hack = no
>
>         # Cisco sends it's VSA attributes with the attribute
>         # name *again* in the string, like:
>         #
>         #   H323-Attribute = "h323-attribute=value".
>         #
>         # If this configuration item is set to 'yes', then
>         # the redundant data in the the attribute text is stripped
>         # out.  The result is:
>         #
>         #   H323-Attribute = "value"
>         #
>         # If you're not running a Cisco NAS, you don't need
>         # this hack.
>         with_cisco_vsa_hack = no
> }
>
> # Livingston-style 'users' file
> #
> files {
>         usersfile = ${confdir}/users
>         acctusersfile = ${confdir}/acct_users
>
>         # If you want to use the old Cistron 'users' file
>         # with FreeRADIUS, you should change the next line
>         # to 'compat = cistron'.  You can the copy your 'users'
>         # file from Cistron.
>         compat = no
> }
>
> # Write a detailed log of all accounting records received.
> #
> detail {
>         # Note that we do NOT use NAS-IP-Address here, as
>         # that attribute MAY BE from the originating NAS, and
>         # NOT from the proxy which actually sent us the
>         # request.  The Client-IP-Address attribute is ALWAYS
>         # the address of the client which sent us the
>         # request.
>         #
>         # The following line creates a new detail file for
>         # every radius client (by IP address or hostname).
>         # In addition, a new detail file is created every
>         # day, so that the detail file doesn't have to go
>         # through a 'log rotation'
>         #
>         # If your detail files are large, you may also want
>         # to add a ':%H' (see doc/variables.txt) to the end
>         # of it, to create a new detail file every hour, e.g.:
>         #
>         #   ..../detail-%Y%m%d:%H
>         #
>         # This will create a new detail file for every hour.
>         #
>         detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>
>         #
>         # The Unix-style permissions on the 'detail' file.
>         #
>         # The detail file often contains secret or private
>         # information about users.  So by keeping the file
>         # permissions restrictive, we can prevent unwanted
>         # people from seeing that information.
>         detailperm = 0600
> }
>
> # Create a unique accounting session Id.  Many NASes re-use or
> # repeat values for Acct-Session-Id, causing no end of
> # confusion.
> #
> # This module will add a (probably) unique session id
> # to an accounting packet based on the attributes listed
> # below found in the packet.  See doc/rlm_acct_unique for
> # more information.
> #
> acct_unique {
>         key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
> }
>
>
> # Include another file that has the SQL-related configuration.
> # This is another file solely because it tends to be big.
> #
> # The following configuration file is for use with MySQL.
> #
> # For Postgresql, use:          ${confdir}/postgresql.conf
> # For MS-SQL, use:              ${confdir}/mssql.conf
> #
> $INCLUDE  ${confdir}/sql.conf
>
> # Write a 'utmp' style log file, of which users are currently
> # logged in, and where they've logged in from.
> #
> radutmp {
>         filename = ${logdir}/radutmp
>
>         # Set the file permissions, as the contents of this file
>         # are usually private.
>         perm = 0600
>
>         callerid = "yes"
> }
>
> # "Safe" radutmp - does not contain caller ID, so it can be
> # world-readable, and radwho can work for normal users, without
> # exposing any information that isn't already exposed by who(1).
> #
> # This is another instance of the radutmp module, but it is given
> # then name "sradutmp" to identify it later in the "accounting"
> # section.
> radutmp sradutmp {
>         filename = ${logdir}/sradutmp
>         perm = 0644
>         callerid = "no"
> }
>
> # attr_filter - filters the attributes received in replies from
> # proxied servers, to make sure we send back to our RADIUS client
> # only allowed attributes.
> attr_filter {
>         attrsfile = ${confdir}/attrs
> }
>
> # This module takes an attribute (count-attribute).
> # It also takes a key, and creates a counter for each unique
> # key.  The count is incremented when accounting packets are
> # received by the server.  The value of the increment depends
> # on the attribute type.
> # If the attribute is Acct-Session-Time or an integer we add the
> # value of the attribute. If it is anything else we increase the
> # counter by one.
> #
> # The 'reset' parameter defines when the counters are all reset to
> # zero.  It can be hourly, daily, weekly, monthly or never.
> # It can also be user defined. It should be of the form:
> # num[hdwm] where:
> # h: hours, d: days, w: weeks, m: months
> # If the letter is ommited days will be assumed. In example:
> # reset = 10h (reset every 10 hours)
> # reset = 12  (reset every 12 days)
> #
> #
> # The check-name attribute defines an attribute which will be
> # registered by the counter module and can be used to set the
> # maximum allowed value for the counter after which the user
> # is rejected.
> # Something like:
> #
> # DEFAULT Max-Daily-Session := 36000
> #         Fall-Through = 1
> #
> # You should add the counter module in the instantiate
> # section so that it registers check-name before the files
> # module reads the users file.
> #
> # If check-name is set and the user is to be rejected then we
> # send back a Reply-Message and we log a Failure-Message in
> # the radius.log
> #
> # The counter-name can also be used like below:
> #
> # DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
> #     Reply-Message = "You've used up more than one hour today"
> #
> # The allowed-servicetype attribute can be used to only take
> # into account specific sessions. For example if a user first
> # logs in through a login menu and then selects ppp there will
> # be two sessions. One for Login-User and one for Framed-User
> # service type. We only need to take into account the second one.
> #
> # The module should be added in the instantiate, authorize and
> # accounting sections.
> # Make sure that in the authorize
> # section it comes after any module which sets the
> # 'check-name' attribute.
> #
> # counter {
> #         filename = ${raddbdir}/db.counter
> #         key = User-Name
> #         count-attribute = Acct-Session-Time
> #         reset = daily
> #         counter-name = Daily-Session-Time
> #         check-name = Max-Daily-Session
> #         allowed-servicetype = Framed-User
> #         cache-size = 5000
> # }
>
> counter {
>         filename = ${raddbdir}/db.counter
>         key = User-Name
>         count-attribute = Acct-Session-Time
>         reset = monthly
>         counter-name = Monthly-Session-Time
>         check-name = Max-Monthly-Session
>         allowed-servicetype = Framed-User
>         cache-size = 5000
> }
>
> # The "always" module is here for debugging purposes. Each
> # instance simply returns the same result, always, without
> # doing anything.
> always fail {
>         rcode = fail
> }
> always reject {
>         rcode = reject
> }
> always ok {
>         rcode = ok
>         simulcount = 0
>         mpp = no
> }
>
> #
> # The 'expression' module current has no configuration.
> expr {
> }
>
> # ANSI X9.9 token support.  Not included by default.
> # $INCLUDE  ${confdir}/x99.conf
>
> }
>
> # Instantiation
> #
> # This section orders the loading of the modules.  Modules
> # listed here will get loaded BEFORE the later sections like
> # authorize, authenticate, etc. get examined.
> #
> # This section is not strictly needed.  When a section like
> # authorize refers to a module, it's automatically loaded and
> # initialized.  However, some modules may not be listed in any
> # of the following sections, so they can be listed here.
> #
> # Also, listing modules here ensures that you have control over
> # the order in which they are initalized.  If one module needs
> # something defined by another module, you can list them in order
> # here, and ensure that the configuration will be OK.
> #
> instantiate {
>         #
>         # The expression module doesn't do authorization,
>         # authentication, or accounting.
>         # It only does dynamic
>         # translation, of the form:
>         #
>         #       Session-Timeout = `%{expr:2 + 3}`
>         #
>         # So the module needs to be instantiated, but CANNOT be
>         # listed in any other section.  See 'doc/rlm_expr' for
>         # more information.
>         #
>         expr
> }
>
> # Authorization. First preprocess (hints and huntgroups files),
> # then realms, and finally look in the "users" file.
> #
> # The order of the realm modules will determine the order that
> # we try to find a matching realm.
> #
> # Make *sure* that 'preprocess' comes before any realm if you
> # need to setup hints for the remote radius server
> authorize {
>         #
>         # The preprocess module takes care of sanitizing some bizarre
>         # attributes in the request, and turning them into attributes
>         # which are more standard.
>         #
>         # It takes care of processing the 'raddb/hints' and the
>         # 'raddb/huntgroups' files.
>         #
>         # It also adds a Client-IP-Address attribute to the request.
>         preprocess
>
>         #
>         # The chap module will set 'Auth-Type := CHAP' if we are
>         # handling a CHAP request and Auth-Type has not already been set
>         chap
>
>         #
>         # If the users are logging in with an MS-CHAP-Challenge
>         # attribute for authentication, the mschap module will find
>         # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
>         # to the request, which will cause the server to then use
>         # the mschap module for authentication.
>         mschap
>
>         counter
> #       attr_filter
> #       eap
>         suffix
>         files
> #       etc_smbpasswd
>
>
>         # The ldap module will set Auth-Type to LDAP if it has not already been set
> #       ldap
> }
>
>
> # Authentication.
> #
> # This section lists which modules are available for authentication.
> # Note that it does NOT mean 'try each module in order'.  It means
> # that you have to have a module from the 'authorize' section add
> # a configuration attribute 'Auth-Type := FOO'.  That authentication type
> # is then used to pick the apropriate module from the list below.
> #
> # The default Auth-Type is Local.
> # That is, whatever is not included inside
> # an authtype section will be called only if Auth-Type is set to Local.
> #
> # So you should do the following:
> # - Set Auth-Type to an appropriate value in the authorize modules above.
> #   For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc.
> # - After that create corresponding authtype sections in the
> #   authenticate section below and call the appropriate modules.
> authenticate {
>         #
>         # PAP authentication, when a back-end database listed
>         # in the 'authorize' section supplies a password.  The
>         # password can be clear-text, or encrypted.
>         authtype PAP {
>                 pap
>         }
>
>         #
>         # Most people want CHAP authentication
>         # A back-end database listed in the 'authorize' section
>         # MUST supply a CLEAR TEXT password.  Encrypted passwords
>         # won't work.
>         authtype CHAP {
>                 chap
>         }
>
>         #
>         # MSCHAP authentication.
>         authtype MS-CHAP {
>                 mschap
>         }
>
>         # pam
>
>         #
>         # See 'man getpwent' for information on how the 'unix'
>         # module checks the users password.  Note that packets
>         # containing CHAP-Password attributes CANNOT be authenticated
>         # against /etc/passwd!  See the FAQ for details.
>         #
>         unix
>
>         # Uncomment it if you want to use ldap for authentication
>         # authtype LDAP {
>         #       ldap
>         # }
>
>
>         # eap
> }
>
>
> # Pre-accounting. Look for proxy realm in order of realms, then
> # acct_users file, then preprocess (hints file).
> preacct {
>         preprocess
>         suffix
>         files
> }
>
>
> # Accounting. Log to detail file, and to the radwtmp file, and maintain
> # radutmp.
> accounting {
>         acct_unique
>         detail
>         counter
>         unix            # wtmp file
>         radutmp
> #       sradutmp
> }
>
>
> # Session database, used for checking Simultaneous-Use. Either the radutmp
> # or rlm_sql module can handle this.
> # The rlm_sql module is *much* faster
> session {
>         radutmp
>         # sql
> }
>
>
> # Post-Authentication
> # Once we KNOW that the user has been authenticated, there are
> # additional steps we can take.
> post-auth {
>         # Get an address from the IP Pool.
>         #main_pool
> }
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Kostas Kalevras            Network Operations Center
[EMAIL PROTECTED]          National Technical University of Athens, Greece
Work Phone:                +30 210 7721861
'Go back to the shadow'    Gandalf
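The two points in this thread, the authorize-section ordering that Kostas diagnoses from the "Could not find Check item value pair" line, and the rlm_counter behaviour described in the quoted radiusd.conf comments (a counter per key, incremented by Acct-Session-Time from accounting packets, reset monthly, compared against the check-name item, with allowed-servicetype filtering), are modelled below as an added Python example. It is not FreeRADIUS code: the classes `FilesModule` and `CounterModule`, the functions `run_authorize` and `simulate`, and the users entry for `mytestuser` are constructed for this illustration. The example also goes one step beyond the thread by showing the monthly reset. Two assumptions are made in the model: the limit is treated as seconds, since Acct-Session-Time is reported in seconds, and the reject threshold is taken as "used >= limit".

```python
"""Model of FreeRADIUS rlm_counter and of the authorize-section ordering
discussed in the thread.  Added example, not FreeRADIUS code: every class,
function and sample value below is constructed for the illustration."""

# Constructed stand-in for the users-file entry in the post.  Acct-Session-Time
# is reported in seconds, so the check item is treated as seconds here.
USERS = {"mytestuser": {"Max-Monthly-Session": 30}}


class FilesModule:
    """Stand-in for rlm_files: copies the check items of the matching
    users entry into the request so that later modules can see them."""

    def __init__(self, users):
        self.users = users

    def authorize(self, request, month):
        entry = self.users.get(request["User-Name"])
        if entry is None:
            return "notfound"
        request["check"].update(entry)
        return "ok"


class CounterModule:
    """Stand-in for rlm_counter configured as in the quoted radiusd.conf:
    key = User-Name, count-attribute = Acct-Session-Time, reset = monthly,
    check-name = Max-Monthly-Session, allowed-servicetype = Framed-User."""

    def __init__(self, check_name="Max-Monthly-Session",
                 allowed_servicetype="Framed-User"):
        self.check_name = check_name
        self.allowed_servicetype = allowed_servicetype
        self.totals = {}    # User-Name -> seconds accumulated this month
        self.period = None  # (year, month) the totals belong to

    def _reset_if_new_period(self, month):
        """reset = monthly: throw the totals away when the month changes."""
        if month != self.period:
            self.totals = {}
            self.period = month

    def accounting(self, packet, month):
        """Accounting section: add Acct-Session-Time for the key."""
        self._reset_if_new_period(month)
        if packet.get("Service-Type") != self.allowed_servicetype:
            return "noop"  # e.g. a Login-User menu session is not counted
        key = packet["User-Name"]
        self.totals[key] = self.totals.get(key, 0) + int(packet.get("Acct-Session-Time", 0))
        return "ok"

    def authorize(self, request, month):
        """Authorize section: compare the running total with check-name."""
        self._reset_if_new_period(month)
        limit = request["check"].get(self.check_name)
        if limit is None:
            # Nothing has supplied Max-Monthly-Session yet: this is the
            # "Could not find Check item value pair" noop in the debug log.
            return "noop"
        used = self.totals.get(request["User-Name"], 0)
        if used >= limit:  # threshold modelled as >=; an assumption
            request["reply"]["Reply-Message"] = "Max monthly hours achieved"
            return "reject"
        return "ok"


def run_authorize(modules, request, month):
    """Run the modules in order, as modcall does; a reject ends the chain.
    Returns a list of (module name, rcode)."""
    results = []
    for name, module in modules:
        rcode = module.authorize(request, month)
        results.append((name, rcode))
        if rcode == "reject":
            break
    return results


def simulate(counter_after_files, used_seconds, acct_month, auth_month):
    """Record one Framed-User session of used_seconds in acct_month, then
    authorize a new login in auth_month.  Returns {module name: rcode}."""
    counter = CounterModule()
    files = FilesModule(USERS)
    acct = {"User-Name": "mytestuser", "Service-Type": "Framed-User",
            "Acct-Session-Time": used_seconds}
    counter.accounting(acct, acct_month)
    request = {"User-Name": "mytestuser", "check": {}, "reply": {}}
    if counter_after_files:
        order = [("files", files), ("counter", counter)]
    else:  # the order in the poster's authorize section
        order = [("counter", counter), ("files", files)]
    return dict(run_authorize(order, request, auth_month))


if __name__ == "__main__":
    march, april = (2003, 3), (2003, 4)
    print("counter before files:", simulate(False, 100, march, march))
    print("counter after files: ", simulate(True, 100, march, march))
    print("same order, in April:", simulate(True, 100, march, april))
```

With counter listed before files, the counter sees an empty check list and returns noop, so a user who is far over the limit is still authorized; with files first, the check item is present and the counter rejects. Moving into the next month clears the totals, which is what `reset = monthly` means for this configuration.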