Hi Paul,
On Dec 29, 3:38pm, Paul Black wrote:
> Subject: (RADIATOR) Access Control Using Radmin
> Hi Mike,
>
> I have spent most of my Christmas break working on Radmin/Radiator and making
> sure that my /etc/passwd file and Radmin MySQL database exactly mirror each
> other.
>
> I would like to be able to control customer access to my ISP via Radmin. I
> have added an extra field SERVICESTATE to the Radmin Database. When
> SERVICESTATE is set to SUSPENDED I want to prevent that customer from logging
> in. The behaviour I want to get from Radiator is as follows:
>
> If the MySQL Database is running then
> If Customer Login Id is NOT SUSPENDED then
> Authenticate customer for login
> Else if MySQL is not running/working
> Authenticate customer from the passwd file
>
> If the customer is set to suspended the AuthBy Radmin will fail and will drop
> through and authenticate from the password file.
>
> What do I need to do to not let the customer login if he is suspended, but
> still allow authentication from the passwd file is MySQL is not running?
I would normally do it like this:
<Realm whatever>
    AuthByPolicy ContinueWhileIgnore
    <AuthBy RADMIN>
        AuthSelect ............ and SUSPENDED != 'whatever'
    </AuthBy>
    # Will go to the next auth if the database is down
    <AuthBy FILE>
        # or any other authby you like
    </AuthBy>
</Realm>
Hope that helps.
Cheers.
>
> Regards. Paul
>
>
>
> My Radmin config is as follows:
>
> Trace 4
>
> DbDir /etc/raddb
> LogDir /var/log/radacct
> DictionaryFile /etc/raddb/dictionary
> RewriteUsername s/^.*\\|@.*$|^\s+|\s+$//g
>
> # This clause defines a single client to listen to
> # You will probably want to change localhost and mysecret
> # to suit your site.
> <Client dm1>
> Secret XXXX
> </Client>
> <Client pm1>
> Secret XXXX
> </Client>
>
> # This clause means we will handle any realm that arrives
> <Realm DEFAULT>
> AuthByPolicy ContinueWhileReject
> <AuthBy RADMIN>
> # Change DBSource, DBUsername, DBAuth for your database
> # See the reference manual. You will also have to
> # change the one in <SessionDatabase SQL> below
> # so it's the same
> DBSource dbi:mysql:radmin
> DBUsername XXXX
> DBAuth XXXX
>
> #
> # Set the Idle Timeout using the Radmin database
> #
> AuthSelect select PASS_WORD, STATICADDRESS, TIMELEFT,
> MAXLOGINS, MAXIDLETIME, FRAMED_FILTER_ID, FRAMED_NETMASK from RADUSERS where
> USERNAME='%n' and SERVICESTATE != 'SUSPENDED'
> AuthColumnDef 0,Idle-Timeout,reply
> AuthColumnDef 1,Filter-Id,reply
> AuthColumnDef 2,Framed-IP-Netmask,reply
>
> # You can add to or change these if you want, but you
> # will probably want to change the database schema first
> AccountingTable RADUSAGE
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef DNIS,Called-Station-Id
>
> #
> # This updates the time and octets left for this user
> #
> AcctSQLStatement update RADUSERS set
> TIMELEFT=TIMELEFT-0%{Acct-Session-Time},
> OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets},
> OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
> #
> # #
> # # These are the classic things to add to each users
> # # reply to allow a PPP dialup session. It may be
> # # different for your NAS. This will add some
> # # reply items to everyone's reply
> # #
> #
> AddToReply Framed-Protocol = PPP,\
> Framed-Routing = None,\
> Framed-MTU = 1500,\
> Acc-Callback-CBCP-Type = CBCP-None,\
> Framed-Compression = Van-Jacobson-TCP-IP
> </AuthBy>
>
> <AuthBy FILE>
> Filename /etc/raddb/users
> </AuthBy>
>
> # Log accounting to the detail file in LogDir
> AcctLogFileName /var/log/radacct/dm1/detail
> </Realm>
>
> <SessionDatabase SQL>
> # This database spec usually should be exactly the same
> # as in <AuthBy RADMIN> above
> DBSource dbi:mysql:radmin
> DBUsername XXXX
> DBAuth XXXX
>
> </SessionDatabase>
>
>
> # This clause defines an authorisation method that will be used
> # by any users in the database with Auth-Type="System". It will
> # match the "Identifier System"
> <AuthBy UNIX>
> Identifier System
> Filename /etc/shadow
> </AuthBy>
>
> ===
> Archive at http://www.thesite.com.au/~radiator/
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
>-- End of excerpt from Paul Black
--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
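The difference between Paul's ContinueWhileReject and Mike's ContinueWhileIgnore is easiest to see by running the realm's AuthBy chain against the three results an AuthBy can return. The Python below is an added example, not code from this thread or from Radiator: it models the documented result codes of <AuthBy RADMIN> (database unreachable gives IGNORE, no matching row gives REJECT, a row whose password matches gives ACCEPT) and of <AuthBy FILE>, applies the ContinueWhile/ContinueUntil policy rule, and runs both policies over a constructed RADUSERS table and constructed passwd-style entries. The SQLite table, the usernames, passwords and SERVICESTATE values are all invented for the example; the AuthSelect is the quoted one reduced to the columns the model needs.

```python
"""Model of Radiator's AuthByPolicy chain for the Realm discussed above.

Added example, not Radiator's code. AuthBy result codes follow the
documented behaviour: database down -> IGNORE, no row -> REJECT,
row with matching password -> ACCEPT.
"""
import sqlite3

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Constructed RADUSERS rows (USERNAME, PASS_WORD, SERVICESTATE). The column
# names come from the quoted config; the rows are invented for this example.
RADUSERS = [
    ("alice", "alice-pw", "ACTIVE"),
    ("bob",   "bob-pw",   "SUSPENDED"),
    ("dave",  "dave-pw",  None),        # SERVICESTATE never populated
]

# Constructed /etc/passwd-style entries behind <AuthBy FILE>.
PASSWD = {"alice": "alice-pw", "bob": "bob-pw", "carol": "carol-pw"}

# The quoted AuthSelect, cut down to PASS_WORD. With Mike's WHERE clause a
# suspended user matches no row at all, so RADMIN returns REJECT for them.
AUTH_SELECT = ("SELECT PASS_WORD FROM RADUSERS "
               "WHERE USERNAME = ? AND SERVICESTATE != 'SUSPENDED'")


def open_radmin_db():
    """In-memory stand-in for dbi:mysql:radmin."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE RADUSERS "
               "(USERNAME TEXT, PASS_WORD TEXT, SERVICESTATE TEXT)")
    db.executemany("INSERT INTO RADUSERS VALUES (?, ?, ?)", RADUSERS)
    return db


def authby_radmin(db, user, password):
    """<AuthBy RADMIN>; db is None models MySQL being down."""
    if db is None:
        return IGNORE                    # can't tell, the policy decides
    row = db.execute(AUTH_SELECT, (user,)).fetchone()
    if row is None:
        return REJECT                    # unknown user or filtered by WHERE
    return ACCEPT if row[0] == password else REJECT


def authby_file(user, password):
    """<AuthBy FILE> against the constructed passwd entries."""
    return ACCEPT if PASSWD.get(user) == password else REJECT


def run_chain(policy, authbys, user, password):
    """Apply an AuthByPolicy: ContinueWhileX moves to the next AuthBy only
    while the result is X, ContinueUntilX moves on until the result is X.
    The verdict is the last result obtained."""
    if policy.startswith("ContinueWhile"):
        target, go_on_when_equal = policy[len("ContinueWhile"):].upper(), True
    elif policy.startswith("ContinueUntil"):
        target, go_on_when_equal = policy[len("ContinueUntil"):].upper(), False
    else:
        raise ValueError(f"unsupported policy {policy!r}")
    result = IGNORE                      # a realm with no AuthBy clauses
    for authby in authbys:
        result = authby(user, password)
        if (result == target) != go_on_when_equal:
            break
    return result


def decide(policy, db_up, user, password):
    """Run the realm from the thread: <AuthBy RADMIN>, then <AuthBy FILE>."""
    db = open_radmin_db() if db_up else None
    chain = [lambda u, p: authby_radmin(db, u, p), authby_file]
    return run_chain(policy, chain, user, password)


if __name__ == "__main__":
    for policy in ("ContinueWhileReject", "ContinueWhileIgnore"):
        for db_up in (True, False):
            print(policy, "db up" if db_up else "db down",
                  "bob ->", decide(policy, db_up, "bob", "bob-pw"))
```

Under ContinueWhileReject the suspended user is rejected by RADMIN and then accepted by FILE, which is exactly the fall-through Paul describes; worse, when the database is down RADMIN returns IGNORE, the chain stops there, and nobody gets authenticated from the passwd file at all. Under ContinueWhileIgnore a REJECT from RADMIN is final and only IGNORE reaches the file. Two caveats the model also shows: a NULL SERVICESTATE makes `SERVICESTATE != 'SUSPENDED'` evaluate to NULL, so such users are rejected while the database is up (give the new column a NOT NULL default, or write the condition to allow NULL explicitly); and during an outage a suspended user who still has a passwd entry is let in, since that is the trade-off the fallback asks for.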