attributes.texi

gnu 的radius服务器很好用的

program is ignored.

If the value of @attr{Auth-Failure-Trigger} begins with @samp{(}, it
is executed it as a @code{Scheme} expression. The return value of the
expression is ignored.

This attribute is designed as a means to provide special handling for
authentication failures. It can be used, for example, to increase
failure counters and to block accounts after a specified number of
authentication failures occurs. @xref{Auth Probing}, for the detailed
discussion of its usage.

@FIXME{There is no corresponding @attr{Auth-Success-Trigger}...
@attr{Exec-Program} or @attr{Scheme-Procedure} may be used for the
purpose, the latter, however, is not able to execute @emph{s-exps}. At
the time of this writing the release 1.3 is being prepared, so I do
not want to introduce any possibly destabilizing changes. This will be
fixed in future releases.}

@comment **************************************************************
@node Auth-Data
@subsection @attr{Auth-Data}
@atindex Auth-Data

@defattr{Auth-Data,2006,string,L-,-R,-R,Replace,@acronym{N/A}}

The @attr{Auth-Data} can be used to pass additional data to the
authentication methods that need them. In version @value{VERSION}
of GNU Radius, this attribute may be used in conjunction with the
@code{SQL} and @code{Pam} authentication types. When used with the
@code{Pam} authentication type, this attribute holds the name
of the PAM service to use. This attribute is temporarily
appended to the authentication request, so its value can be
referenced to as @code{%C@{Auth-Data@}}. 
@xref{Authentication Server Parameters}, for an example of
of using the @attr{Auth-Data} attribute in @file{raddb/sqlserver}:

@comment **************************************************************
@node Auth-Type
@subsection @attr{Auth-Type}
@atindex Auth-Type

@defattr{Auth-Type,1000,integer,L-,-R,-R,Append,No}

@smallexample
VALUE      Auth-Type         Local                0       
VALUE      Auth-Type         System               1       
VALUE      Auth-Type         Crypt-Local          3       
VALUE      Auth-Type         Reject               4       
VALUE      Auth-Type         SQL                  252     
VALUE      Auth-Type         Pam                  253     
VALUE      Auth-Type         Accept               254     
@end smallexample

This attribute tells the server which type of authentication
to apply to a particular user. It can be used in the @LHS{} of
the user's profile (@pxref{Authentication}.)

Radius interprets values of @attr{Auth-Type} attribute as follows:

@table @code
@item Local
The value of the @attr{User-Password} attribute from the record is taken
as a cleantext password and is compared against the @attr{User-Password} value
from the input packet. 

@item System
This means that a user's password is stored in a system password type.
Radius queries the operating system to determine if the user name and password
supplied in the incoming packet are O.K.

@item Crypt-Local
The value of the @attr{User-Password} attribute from the record is taken
as an MD5 hash on the user's password. Radius generates MD5 hash
on the supplied @attr{User-Password} value and compares the two strings.

@item Reject
Authentication fails.

@item Accept
Authentication succeeds.

@item SQL
@itemx Mysql
The MD5-encrypted user's password is queried from the @sc{sql} database
(@ref{SQL Auth}). @code{Mysql} is an alias maintained for compatibility
with other versions of Radius.

@item Pam
The user-name--password combination is checked using PAM.

@end table

@comment **************************************************************
@node Crypt-Password
@subsection @attr{Crypt-Password}
@atindex Crypt-Password

@defattr{Crypt-Password,1006,string,L-,--,--,Append,No}

This attribute is intended to be used in user's profile @LHS{}.
It specifies the MD5 hash of the user's password. When this attribute
is present, @code{Auth-Type = Crypt-Local} is assumed. If both @attr{Auth-Type}
and @attr{Crypt-Password} are present, the value of @attr{Auth-Type} is
ignored.

@xref{Auth-Type}.

@comment **************************************************************
@node Exec-Program-Wait
@subsection @attr{Exec-Program-Wait}
@atindex Exec-Program-Wait

@defattr{Exec-Program-Wait,1039,string,-R,--,--,Replace,No}

When present in the @RHS{}, the @attr{Exec-Program-Wait} attribute specifies
the program to be executed when the entry matches. If the attribute
value string starts with vertical bar (@samp{|}), then the attribute
specifies the filter program to be used. If it starts with
slash (@samp{/}), then it is understood as the full
pathname and arguments for the external program to be executed. Using
any other character as the start of this string results in error.

@menu
* Running External Program::
* Using External Filter::
@end menu

@comment **************************************************************
@node Running External Program
@subsubsection Running an External Program

The command line can reference any attributes from both check and reply
pairlists using attribute macros @pxref{Macro Substitution}.

Before the execution of the program, @command{radiusd} switches to
uid and gid of the user @code{daemon} and the group @code{daemon}. You can
override these defaults by setting the variable @code{exec-program-user}
in the configuration file to a proper value.
@xref{option,, The option statement}.

The daemon will wait until the program terminates. The return value
of its execution determines whether the entry matches. If the program
exits with a nonzero code, then the match fails. If it exits with a
zero code, the match succeeds. In this case the standard output of the
program is read and parsed as if it were a pairlist. The attributes
thus obtained are added to the entry's reply attributes.

@subheading Example.

Suppose the @file{users} file contains the following entry:

@smallexample
DEFAULT Auth-Type = System,
                Simultaneous-Use = 1
        Exec-Program-Wait = "/usr/local/sbin/telauth \
                             %C@{User-Name@} \
                             %C@{Calling-Station-Id@}"
@end smallexample

@noindent
Then, upon successful matching, the program
@file{/usr/local/sbin/telauth} will be executed. It will get as its
arguments the values of the @attr{User-Name} and @attr{Calling-Station-Id}
attributes from the request pairs.

The @file{/usr/local/sbin/telauth} can, for example, contain the
following:

@smallexample
#! /bin/sh

DB=/var/db/userlist

if grep "$1:$2" $DB; then
    echo "Service-Type = Login,"
    echo "Session-Timeout = 1200"
    exit 0
else
    echo "Reply-Message = \
          \"You are not authorized to log in\""
    exit 1
fi
@end smallexample

@noindent
It is assumed that @file{/var/db/userlist} contains a list of
@code{username}:@code{caller-id} pairs for those users that are
authorized to use login service.

@comment **************************************************************
@node Using External Filter
@subsubsection Using an External Filter

If the value of @attr{Exec-Program-Wait} attribute begins with @samp{|},
@command{radiusd} strips this character from the value and uses the
resulting string
as a name of the predefined external filter. Such filter must be
declared in @file{raddb/config} (@pxref{filters}).

@subheading Example.
Let the @file{users} file contain the following entry:

@smallexample
DEFAULT Auth-Type = System,
                Simultaneous-Use = 1
        Exec-Program-Wait = "|myfilter"
@end smallexample

@noindent
and let the @file{raddb/config} contain the following 
@footnote{In this example the @code{input-format} statement has been
split on two lines to fit the page width. It must occupy a @emph{single line}
in the real configuration file.}:

@smallexample
filters @{
    filter myfilter @{
        exec-path "/usr/libexec/myfilter";
        error-log "myfilter.log";
        auth @{
            input-format "%C@{User-Name@}
                          %C@{Calling-Station-Id@}";
            wait-reply yes;
        @};
    @};        
@};                        
@end smallexample
@noindent
Then, upon successful authentication, the program
@command{/usr/libexec/myfilter} will be invoked, if it hasn't already been
started for this thread. Any output it sends to its standard error
will be redirected to the file @file{myfilter.log} in the current
logging directory. A string consisting of the user's login name and
his calling station @sc{id} followed by a newline will be sent to the
program. 

The following is a sample @command{/usr/libexec/myfilter} written
in the shell:

@smallexample
#! /bin/sh

DB=/var/db/userlist

while read NAME CLID
do
    if grep "$1:$2" $DB; then
        echo "0 Service-Type = Login, Session-Timeout = 1200"
    else
        echo "1 Reply-Message = \
              \"You are not authorized to log in\""
    fi
done
@end smallexample

@comment **************************************************************
@node Exec-Program
@subsection @attr{Exec-Program}
@atindex Exec-Program

@defattr{Exec-Program,1038,string,-R,--,--,Replace,No}

When present in the @RHS{}, the @attr{Exec-Program} attribute specifies
the full pathname and arguments for the program to be executed when the
entry matches.

The command line can reference any attributes from both check and reply
pairlists, using attribute macros (@pxref{Macro Substitution}).

Before the execution of the program, @command{radiusd} switches to the
uid and gid of the user @code{daemon} and the group @code{daemon}. You can
override these defaults by setting variables @code{exec-program-user}
and @code{exec-program-group} in configuration file to proper values
@ref{option,, The option statement}.

The daemon does not wait for the process to terminate.

@subheading Example

Suppose the @file{users} file contains the following entry:

@smallexample
DEFAULT Auth-Type = System,
                Simultaneous-Use = 1
        Exec-Program = "/usr/local/sbin/logauth \
                        %C@{User-Name@} \
                        %C@{Calling-Station-Id@}"
@end smallexample

@noindent
Then, upon successful matching, the program
@file{/usr/local/sbin/logauth} will be executed. It will get as its
arguments the values of the @attr{User-Name} and @attr{Calling-Station-Id}
attributes from the request pairs.

@comment **************************************************************
@node Fall-Through
@subsection @attr{Fall-Through}
@atindex Fall-Through

@defattr{Fall-Through,1036,integer,LR,LR,--,Append,No}

@smallexample
VALUE      Fall-Through      No                   0       
VALUE      Fall-Through      Yes                  1       
@end smallexample

The @attr{Fall-Through} attribute should be used in the reply list.
If its value is set to @code{Yes} in a particular record, that
tells Radius to continue looking up other records
even when the record at hand matches the request. It can be used to provide
default values for several profiles.

Consider the following example. Let's suppose the @file{users} file
contains the following:

@smallexample

johns   Auth-Type = SQL
                Framed-IP-Address = 11.10.10.251,
                Fall-Through = Yes

smith   Auth-Type = SQL
                Framed-IP-Address = 11.10.10.252,
                Fall-Through = Yes

DEFAULT NAS-IP-Address = 11.10.10.1
        Service-Type = Framed-User,
                Framed-Protocol = PPP

@end smallexample

@noindent
Then after successful matching of a particular user's record,
the matching will continue until it finds the @code{DEFAULT} entry,
which will add its @RHS{} to the reply pairs for
this request. The effect is that, if user @samp{johns} authenticates
successfully she gets the following reply pairs:

@smallexample
        Service-Type = Framed-User,
        Framed-Protocol = PPP,  
        Framed-IP-Address = 11.10.10.251
@end smallexample

@noindent
whereas user @code{smith} gets

@smallexample
        Service-Type = Framed-User,
        Framed-Protocol = PPP,  
        Framed-IP-Address = 11.10.10.252
@end smallexample

@noindent
Note that the attribute @attr{Fall-Through} itself
is never returned to the @NAS{}.

@comment **************************************************************
@node Group
@subsection @attr{Group}
@atindex Group

@defattr{Group,1005,string,L-,L-,LR,Append,No}

@comment **************************************************************
@node Hint
@subsection @attr{Hint}
@atindex Hint

@defattr{Hint,1040,string,L-,-R,-R,Append,No}

Use the @attr{Hint} attribute to specify additional matching criteria
depending on the hint (@pxref{hints file}).

Let the @file{hints} file contain

@smallexample
DEFAULT         Prefix = "S", Strip-User-Name = No
                Hint = "SLIP"
@end smallexample

@noindent
and the @file{users} file contain

@smallexample
DEFAULT Hint = "SLIP",
                NAS-IP-Address = 11.10.10.12,
                Auth-Type = System
        Service-Type = Framed-User,
                Framed-Protocol = SLIP
@end smallexample

@noindent

Then any user having a valid system account and coming from @NAS{}
@samp{11.10.10.12} will be provided SLIP service if his user name
starts with @samp{S}.
                
@comment **************************************************************
@node Huntgroup-Name
@subsection @attr{Huntgroup-Name}
@atindex Huntgroup-Name

@defattr{Huntgroup-Name,221,string,L-,-R,LR,Append,No}

The @attr{Huntgroup-Name} can be used either in the @LHS{} of the
@file{users} file record or in the @RHS{} of the @file{huntgroups}
file record.

When encountered in a @LHS{} of a particular @file{users} profile,
this attribute indicates the huntgroup name to be matched. Radius looks
up the corresponding record in the @file{huntgroups} file. If such a
record is found, each @AVP{} from its reply list is compared against
the corresponding pair from the request being processed. The request
matches only if it contains all the attributes from the specified
huntgroup, and their values satisfy the conditions listed in the
huntgroup pairs.

For example, suppose that the authentication request contains the
following attributes:

@smallexample
User-Name = "john",
User-Password = "guess",
NAS-IP-Address = 10.11.11.1,
NAS-Port-Id = 24
@end smallexample

@noindent
Let us further suppose that the @file{users} file contains the following
entry:

@smallexample
john    Huntgroup-Name = "users_group",