Re: (RADIATOR) Access Control Using Radmin

1999-12-29 Thread Mike McCauley

Hi Paul,

On Dec 29,  3:38pm, Paul Black wrote:
 Subject: (RADIATOR) Access Control Using Radmin
 Hi Mike,

 I have spent most of my Christmas break working on Radmin/Radiator and making
 sure that my /etc/passwd file and Radmin MySQL database exactly mirror each
 other.

 I would like to be able to control customer access to my ISP via Radmin. I
 have added an extra field SERVICESTATE to the Radmin Database. When
 SERVICESTATE is set to SUSPENDED I want to prevent that customer from logging
 in. The behaviour I want to get from Radiator is as follows:

 If the MySQL Database is running then
   If Customer Login Id is NOT SUSPENDED then
 Authenticate customer for login
 Else if MySQL is not running/working
   Authenticate customer from the passwd file

 If the customer is set to suspended the AuthBy Radmin will fail and will drop
 through and authenticate from the password file.

 What do I need to do to not let the customer login if he is suspended, but
 still allow authentication from the passwd file if MySQL is not running?

I would normally do it like this:

<Realm whatever>
    AuthByPolicy ContinueWhileIgnore
    <AuthBy RADMIN>
        AuthSelect    and SUSPENDED != 'whatever'
    </AuthBy>
    # Will go to the next auth if the database is down
    <AuthBy FILE>
        # or any other authby you like
    </AuthBy>
</Realm>


Hope that helps.

Cheers.




 Regards.   Paul



 My Radmin config is as follows:

 Trace 4

 DbDir /etc/raddb
 LogDir /var/log/radacct
 DictionaryFile  /etc/raddb/dictionary
 RewriteUsername s/^.*\\|@.*$|^\s+|\s+$//g

 # This clause defines a single client to listen to
 # You will probably want to change localhost and mysecret
 # to suit your site.
 <Client dm1>
   Secret   
 </Client>
 <Client pm1>
   Secret   
 </Client>

 # This clause means we will handle any realm that arrives
 <Realm DEFAULT>
   AuthByPolicy ContinueWhileReject
   <AuthBy RADMIN>
   # Change DBSource, DBUsername, DBAuth for your database
   # See the reference manual. You will also have to
   # change the one in SessionDatabase SQL below
   # so it's the same
   DBSource dbi:mysql:radmin
   DBUsername  
   DBAuth  

   #
   # Set the Idle Timeout using the Radmin database
   #
   AuthSelect select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, MAXIDLETIME, FRAMED_FILTER_ID, FRAMED_NETMASK from RADUSERS where USERNAME='%n' and SERVICESTATE != 'SUSPENDED'
   AuthColumnDef 0,Idle-Timeout,reply
   AuthColumnDef 1,Filter-Id,reply
   AuthColumnDef 2,Framed-IP-Netmask,reply

   # You can add to or change these if you want, but you
   # will probably want to change the database schema first
   AccountingTable RADUSAGE
   AcctColumnDef   USERNAME,User-Name
   AcctColumnDef   TIME_STAMP,Timestamp,integer
   AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
   AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
   AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
   AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
   AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
   AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
   AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
   AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
   AcctColumnDef   NASIDENTIFIER,NAS-Identifier
   AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
   AcctColumnDef   NASPORT,NAS-Port,integer
   AcctColumnDef   DNIS,Called-Station-Id

   #
   # This updates the time and octets left for this user
   #
   AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
   #
   # #
   # # These are the classic things to add to each users
   # # reply to allow a PPP dialup session. It may be
   # # different for your NAS. This will add some
   # # reply items to everyone's reply
   # #
   #
   AddToReply Framed-Protocol = PPP,\
   Framed-Routing = None,\
   Framed-MTU = 1500,\
   Acc-Callback-CBCP-Type = CBCP-None,\
   Framed-Compression = Van-Jacobson-TCP-IP
   </AuthBy>

   <AuthBy FILE>
   Filename /etc/raddb/users
   </AuthBy>

   # Log accounting to the detail file in LogDir
   AcctLogFileName /var/log/radacct/dm1/detail
 </Realm>

 SessionDatabase SQL
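
Added example (not part of the original messages and not Radiator code): a small Python model of the AuthBy chain, showing why ContinueWhileReject lets a suspended customer fall through to the passwd file while ContinueWhileIgnore only falls through when the database is down. It assumes, per the thread, that a row filtered out by AuthSelect makes AuthBy RADMIN reject and that a database outage makes it ignore; all function names and sample accounts are constructed.

```python
# Added illustration: models how AuthByPolicy decides whether the next
# AuthBy in a Realm is consulted. Result values follow the thread's description.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

def auth_radmin(user, password, db):
    """Stand-in for AuthBy RADMIN with the SERVICESTATE filter in AuthSelect."""
    if db is None:                      # database down: handler has no opinion
        return IGNORE
    row = db.get(user)
    # The AuthSelect filter hides suspended rows, so they look like "no such user".
    if row is None or row["state"] == "SUSPENDED":
        return REJECT
    return ACCEPT if row["password"] == password else REJECT

def auth_file(user, password, passwd):
    """Stand-in for AuthBy FILE (the passwd file has no suspension state)."""
    return ACCEPT if passwd.get(user) == password else REJECT

def run_realm(policy, user, password, db, passwd):
    """Walk the AuthBy chain, moving on only while the result matches the policy."""
    continue_on = {"ContinueWhileReject": REJECT,
                   "ContinueWhileIgnore": IGNORE}[policy]
    result = IGNORE
    for handler, source in ((auth_radmin, db), (auth_file, passwd)):
        result = handler(user, password, source)
        if result != continue_on:
            break
    return result

# Constructed sample data: the two stores mirror each other, as in the thread.
DB = {"alice": {"password": "a-pw", "state": "ACTIVE"},
      "bob":   {"password": "b-pw", "state": "SUSPENDED"}}
PASSWD = {"alice": "a-pw", "bob": "b-pw"}

def outcomes(policy):
    """Final result for each scenario under the given AuthByPolicy."""
    return {
        "active, db up":      run_realm(policy, "alice", "a-pw", DB, PASSWD),
        "suspended, db up":   run_realm(policy, "bob", "b-pw", DB, PASSWD),
        "suspended, db down": run_realm(policy, "bob", "b-pw", None, PASSWD),
    }

if __name__ == "__main__":
    for policy in ("ContinueWhileReject", "ContinueWhileIgnore"):
        print(policy, outcomes(policy))
```

Under ContinueWhileIgnore the suspended account is still accepted while the database is down, because the passwd file carries no SERVICESTATE; that is the outage fallback asked for in the original question.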

Re: (RADIATOR) Access Control Using Radmin

1999-12-29 Thread Paul Black

Thanks Mike,

I've just tested your suggestion below and it works very nicely. I'm using the
SERVICENAME column in the Radmin/Radius database to indicate whether the
customer is a TRIAL, HOURLY, etc.

What I would like to do next is to get Radiator to send out an email (to my
accounts staff and to the customer) when a TRIAL user is in the 10th day of
their trial login period. I can see that ADDEDDATE is set correctly, how can I
work out if they have been in the trial period for 10 days or more?


Regards.  Paul


Mike McCauley wrote:

  What do I need to do to not let the customer login if he is suspended, but
  still allow authentication from the passwd file if MySQL is not running?
 
 I would normally do it like this:
 
 <Realm whatever>
     AuthByPolicy ContinueWhileIgnore
     <AuthBy RADMIN>
         AuthSelect    and SUSPENDED != 'whatever'
     </AuthBy>
     # Will go to the next auth if the database is down
     <AuthBy FILE>
         # or any other authby you like
     </AuthBy>
 </Realm>

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Access Control Using Radmin

1999-12-29 Thread Paul Black

Thanks Mike, 

The way I want to do this is to perform the calculation of the trial period
duration and then send an email when the customer has successfully logged in.
Could you show me an outline of how to do this with Radiator?

Regards.  Paul



  What I would like to do next is to get Radiator to send out an email (to my
  accounts staff and to the customer) when a TRIAL user is in the 10th day of
  their trial login period. I can see that ADDEDDATE is set correctly, how can I
  work out if they have been in the trial period for 10 days or more?
 
 ADDEDDATE is unix epoch seconds (ie seconds since Jan 1 1970), so the
 difference between the current time and ADDEDDATE divided by (60*60*24) will
 give the number of days since the account was added.




Re: (RADIATOR) Access Control Using Radmin

1999-12-29 Thread Paul Black

Thanks Mike,

The pseudo reply attributes are now being created correctly. For my first
PostAuthHook I want to print out an element of the current request (I hope to
be able to see the print in the debug log, otherwise I'll send it to a file).
I'm wondering exactly how I should do this. My first thought would be:

PostAuthHook sub{ print(_[0][2]); }

second thought

PostAuthHook sub { print(_[0]-Days-Since-Added); }

or is there some other way that I should do this?

Regards.  Paul


Mike McCauley wrote:

 Sorry, not word-for-word.
 One approach you might take is to set a pseudo-reply-attribute in the reply,
 based on the difference between the current time and the ADDEDDATE, then in a
 PostAuthHook, use that value to figure out whether to send mail or not?




Re: (RADIATOR) Access Control Using Radmin

1999-12-29 Thread Hugh Irvine


Hello -

On Thu, 30 Dec 1999, Paul Black wrote:
 Thanks Mike,
 
 I've just tested your suggestion below and it works very nicely. I'm using the
 SERVICENAME column in the Radmin/Radius database to indicate whether the
 customer is a TRIAL, HOURLY, etc.
 
 What I would like to do next is to get Radiator to send out an email (to my
 accounts staff and to the customer) when a TRIAL user is in the 10th day of
 their trial login period. I can see that ADDEDDATE is set correctly, how can I
 work out if they have been in the trial period for 10 days or more?
 

You should probably do this in a cron job that runs every night. I don't think
using Radiator is the right approach.

hth

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
