Re: (RADIATOR) Access Control Using Radmin
Hi Paul,

On Dec 29, 3:38pm, Paul Black wrote:
> Subject: (RADIATOR) Access Control Using Radmin
>
> Hi Mike,
>
> I have spent most of my Christmas break working on Radmin/Radiator and
> making sure that my /etc/passwd file and Radmin MySQL database exactly
> mirror each other.
>
> I would like to be able to control customer access to my ISP via Radmin.
> I have added an extra field SERVICESTATE to the Radmin Database. When
> SERVICESTATE is set to SUSPENDED I want to prevent that customer from
> logging in.
>
> The behaviour I want to get from Radiator is as follows:
>
>     If the MySQL Database is running then
>         If Customer Login Id is NOT SUSPENDED then
>             Authenticate customer for login
>     Else if MySQL is not running/working
>         Authenticate customer from the passwd file
>
> If the customer is set to suspended the AuthBy Radmin will fail and will
> drop through and authenticate from the password file.
>
> What do I need to do to not let the customer login if he is suspended,
> but still allow authentication from the passwd file if MySQL is not
> running?

I would normally do it like this:

    <Realm whatever>
        AuthByPolicy ContinueWhileIgnore
        <AuthBy RADMIN>
            AuthSelect and SUSPENDED != 'whatever'
        </AuthBy>
        # Will go to the next auth if the database is down
        <AuthBy FILE>
            # or any other authby you like
        </AuthBy>
    </Realm>

Hope that helps.

Cheers.

> Regards.
>
> Paul
>
> My Radmin config is as follows:
>
> Trace 4
> DbDir /etc/raddb
> LogDir /var/log/radacct
> DictionaryFile /etc/raddb/dictionary
> RewriteUsername s/^.*\\|@.*$|^\s+|\s+$//g
>
> # This clause defines a single client to listen to
> # You will probably want to change localhost and mysecret
> # to suit your site.
> <Client dm1>
>     Secret
> </Client>
> <Client pm1>
>     Secret
> </Client>
>
> # This clause means we will handle any realm that arrives
> <Realm DEFAULT>
>     AuthByPolicy ContinueWhileReject
>     <AuthBy RADMIN>
>         # Change DBSource, DBUsername, DBAuth for your database
>         # See the reference manual. You will also have to
>         # change the one in SessionDatabase SQL below
>         # so its the same
>         DBSource dbi:mysql:radmin
>         DBUsername
>         DBAuth
>
>         #
>         # Set the Idle Timeout using the Radmin database
>         #
>         AuthSelect select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, MAXIDLETIME, FRAMED_FILTER_ID, FRAMED_NETMASK from RADUSERS where USERNAME='%n' and SERVICESTATE != 'SUSPENDED'
>         AuthColumnDef 0,Idle-Timeout,reply
>         AuthColumnDef 1,Filter-Id,reply
>         AuthColumnDef 2,Framed-IP-Netmask,reply
>
>         # You can add to or change these if you want, but you
>         # will probably want to change the database schema first
>         AccountingTable RADUSAGE
>         AcctColumnDef USERNAME,User-Name
>         AcctColumnDef TIME_STAMP,Timestamp,integer
>         AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
>         AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>         AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>         AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>         AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>         AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>         AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>         AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>         AcctColumnDef NASIDENTIFIER,NAS-Identifier
>         AcctColumnDef NASIDENTIFIER,NAS-IP-Address
>         AcctColumnDef NASPORT,NAS-Port,integer
>         AcctColumnDef DNIS,Called-Station-Id
>
>         #
>         # This updates the time and octets left for this user
>         #
>         AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>
>         # These are the classic things to add to each users
>         # reply to allow a PPP dialup session. It may be
>         # different for your NAS. This will add some
>         # reply items to everyone's reply
>         AddToReply Framed-Protocol = PPP,\
>             Framed-Routing = None,\
>             Framed-MTU = 1500,\
>             Acc-Callback-CBCP-Type = CBCP-None,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>     </AuthBy>
>     <AuthBy FILE>
>         Filename /etc/raddb/users
>     </AuthBy>
>
>     # Log accounting to the detail file in LogDir
>     AcctLogFileName /var/log/radacct/dm1/detail
> </Realm>
>
> <SessionDatabase SQL>

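The difference between the two AuthByPolicy settings discussed in this message, as an added example that is not part of the original post and is not Radiator code: a simplified Python model of the RADMIN-then-FILE chain. The user names, passwords, and the assumption that AuthBy RADMIN yields IGNORE when MySQL is unreachable and REJECT when AuthSelect returns no row are constructed for illustration.

```python
# Simplified model of a Radiator AuthBy chain (added example, not Radiator code).
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Constructed sample data: one active and one suspended customer.
RADUSERS = {
    "alice": {"PASS_WORD": "a-secret", "SERVICESTATE": "ACTIVE"},
    "bob": {"PASS_WORD": "b-secret", "SERVICESTATE": "SUSPENDED"},
}
PASSWD_FILE = {"alice": "a-secret", "bob": "b-secret"}  # mirrors the database


def auth_radmin(user, password, db_up):
    """AuthSelect ... and SERVICESTATE != 'SUSPENDED': no row means REJECT."""
    if not db_up:
        return IGNORE  # assumption: database unreachable gives no decision
    row = RADUSERS.get(user)
    if row is None or row["SERVICESTATE"] == "SUSPENDED":
        return REJECT
    return ACCEPT if row["PASS_WORD"] == password else REJECT


def auth_file(user, password, db_up):
    """Flat-file check; it has no notion of SERVICESTATE."""
    return ACCEPT if PASSWD_FILE.get(user) == password else REJECT


def run_chain(policy, user, password, db_up):
    """Try AuthBy RADMIN then AuthBy FILE, continuing only while the
    previous result equals the one named by the policy."""
    keep_going_on = {"ContinueWhileReject": REJECT,
                     "ContinueWhileIgnore": IGNORE}[policy]
    result = IGNORE
    for authby in (auth_radmin, auth_file):
        result = authby(user, password, db_up)
        if result != keep_going_on:
            break
    return result


def outcome_table():
    """Result for the suspended user under each policy and database state."""
    return {(policy, db_up): run_chain(policy, "bob", "b-secret", db_up)
            for policy in ("ContinueWhileReject", "ContinueWhileIgnore")
            for db_up in (True, False)}


if __name__ == "__main__":
    for key, value in outcome_table().items():
        print(key, value)
```

In this model the suspended user is rejected under ContinueWhileIgnore while the database is up, but is still accepted from the flat file during a database outage, so the file has to be kept free of suspended accounts if that window matters.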
Re: (RADIATOR) Access Control Using Radmin
Thanks Mike,

I've just tested your suggestion below and it works very nicely.

I'm using the SERVICENAME column in the Radmin/Radius database to indicate whether the customer is a TRIAL, HOURLY, etc.

What I would like to do next is to get Radiator to send out an email (to my accounts staff and to the customer) when a TRIAL user is in the 10th day of their trial login period. I can see that ADDEDDATE is set correctly, how can I work out if they have been in the trial period for 10 days or more?

Regards.

Paul

Mike McCauley wrote:
> > What do I need to do to not let the customer login if he is suspended,
> > but still allow authentication from the passwd file if MySQL is not
> > running?
>
> I would normally do it like this:
>
>     <Realm whatever>
>         AuthByPolicy ContinueWhileIgnore
>         <AuthBy RADMIN>
>             AuthSelect and SUSPENDED != 'whatever'
>         </AuthBy>
>         # Will go to the next auth if the database is down
>         <AuthBy FILE>
>             # or any other authby you like
>         </AuthBy>
>     </Realm>

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) Access Control Using Radmin
Thanks Mike,

The way I want to do this is to perform the calculation of the trial period duration and then send an email when the customer has successfully logged in. Could you show me an outline of how to do this with Radiator?

Regards.

Paul

> > What I would like to do next is to get Radiator to send out an email
> > (to my accounts staff and to the customer) when a TRIAL user is in the
> > 10th day of their trial login period. I can see that ADDEDDATE is set
> > correctly, how can I work out if they have been in the trial period
> > for 10 days or more?
>
> ADDEDDATE is unix epoch seconds (ie seconds since Jan 1 1970), so the
> difference between the current time and ADDEDDATE, divided by
> (60*60*24), will give the number of days since the account was added.

Re: (RADIATOR) Access Control Using Radmin
Thanks Mike,

The pseudo reply attributes are now being created correctly.

For my first PostAuthHook I want to print out an element of the current request (I hope to be able to see the print in the debug log, otherwise I'll send it to a file). I'm wondering exactly how I should do this. My first thought would be:

    PostAuthHook sub{ print(_[0][2]); }

second thought

    PostAuthHook sub { print(_[0]-Days-Since-Added); }

or is there some other way that I should do this?

Regards.

Paul

Mike McCauley wrote:
> Sorry, not word-for-word. One approach you might take is to set a
> pseudo-reply-attribute in the reply, based on the difference between the
> current time and the ADDEDDATE, then in a PostAuthHook, use that value
> to figure out whether to send mail or not?

Re: (RADIATOR) Access Control Using Radmin
Hello -

On Thu, 30 Dec 1999, Paul Black wrote:
> Thanks Mike,
>
> I've just tested your suggestion below and it works very nicely.
>
> I'm using the SERVICENAME column in the Radmin/Radius database to
> indicate whether the customer is a TRIAL, HOURLY, etc.
>
> What I would like to do next is to get Radiator to send out an email (to
> my accounts staff and to the customer) when a TRIAL user is in the 10th
> day of their trial login period. I can see that ADDEDDATE is set
> correctly, how can I work out if they have been in the trial period for
> 10 days or more?

You should probably do this in a cron job that runs every night. I don't think using Radiator is the right approach.

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody