howto

linux 下的radius 最新版。linux 下的radius 最新版.linux 下的radius 最新版

Dialup Admin HOWTO 
------------------

Version 0.1 Sun Oct 26 04:03:00 EET 2003


1. Installation
	1.1 Obtaining Dialup Admin
	1.2 Prerequisities
	1.3 Installing & System Configuration
		1.3.1 Unpacking & Installation
		1.3.2 Apache Configuration
			1.3.2.1 Enabling PHP Support On Apache
			1.3.2.2 Creating a more secure web interface
		1.3.3 Creating the mySQL Tables
 
2. Configuration
	2.1 Configuration Options
		2.1.1 General Options 
		2.1.2 Realms Options
		2.1.3 LDAP/SQL Options
		2.1.4 NAS Quering
		2.1.5 Test Variables
		2.1.6 Encryption Methods
		2.1.7 NAS Informations
		2.1.8 LDAP Options
		2.1.9 SQL Options
		2.1.10 Limits Timers
		2.1.11 Various Options
	2.2 The bin/ scripts
		2.2.1 The snmpfinger script
		2.2.2 The log_badlogins script
		2.2.3 The clean_radacct script
		2.2.4 The truncate_radacct script
		2.2.5 The tot_stats script
		2.2.6 The monthly_tot_stats script
	2.3 User Attributes
	2.4 Finishing Off


3. Troubleshooting
	3.1 When I try to access some page I see the php code instead of html
	3.2 When an attribute contains double (") or single (') quotes 
	    something goes wrong
	3.3 Even though I have uncommented Dialup-Access in user_edits.attrs,
	    when editing a user, that field is not available...
	3.4 Why do the personal information fields show multiple entries for 
	    attributes like name, department, etc in the user_admin page?
	3.5 After I make a few changes in one of the configuration files 
	    things only work like they worked before
	3.6 It is still not working

4. HOWTO Information

1. Installation
---------------

This section will take you step by step to create system suitable for 
dialup admin to run properly.


[1.1] Obtaining Dialup Admin

There are three ways to obtain the dialup admin package. 

Either download the latest FreeRadius package which most likely contains
the latest dialup admin available. The FreeRadius Package can be obtained 
through ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.2.tar.gz 
which is the current FreeRadius package at the time of writting.

Dialup Admin has it's own web page hosted at Sourceforge at 
http://sourceforge.net/projects/dialup-admin/
Though that page is not updated very often. The primary store for dialupadmin
is the freeradius CVS tree so the latest version will always be contained there

Finally one could get the cvs version of Dialup Admin by issuing the 
following commands:

shell> cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/dialup-admin login 

* When prompted for a password simply press the Enter Key

shell> cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/dialup-admin co dialup_admin

[1.2] Prerequisities

Dialup Admin requires the following in order to have full functionality:
o PHP 				Obtained at: http://www.php.net
o Date::Manip Perl Module	Obtained at: http://www.cise.ufl.edu/~sbeck/

[1.3] Installing & System Configuration

At this point we presume that either you have successfully installed PHP and 
Date::Manip Perl Module or that your distribution has came with both of them 
precompiled and already installed.

[1.3.1] Unpacking and installation

In order to install the dialup admin first of all the package must be 
uncompressed presuming that we have it in a .tar.gz format and be placed
at a certain directory at the system 
(Could be anything, we use /usr/local/dialup_admin)

shell> tar xfvz dialup_admin-X.XX.tar.gz
shell> mv dialup_admin /usr/local

The dialup admin contains a number of directories necessary for the program 
to operate. Let's concentrate on the htdocs directory. This directory
contains the php scripts needed. In order to have it accessable through
our web server we must set a symbolic link between the two locations. 
We presume that the DefaultRoot of the Apache Web Server is /var/www/htdocs

shell> ln -s /usr/local/dialup_admin/htdocs /var/www/htdocs/dialup

[1.3.2] Apache Configuration

[1.3.2.1] Enabling PHP Support on Apache

Apache must be configured to execute PHP scripts. In order to do so locate 
the httpd.conf file (for Slackware Linux this is /etc/apache). We must
enter the following lines inside the httpd.conf

LoadModule php4_module libexec/libphp4.so
AddModule mod_php4.c
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php3		# This is most important since many of the PHP scripts of Dialup Admin have this extension

[1.3.2.2] Creating a more secure web interface.

Since dialup admin does not come with any kind of administrators authorisation
of its own it would be safe to protect this ourselves. 

Add the following to your httpd.conf file:

<Directory /var/www/htdocs/dialup>
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /var/www/.htpasswd
    require valid-user
</Directory>

Changing of course the directory path to match yours as well as the 
AuthUserFile argument to point to the place where the usernames/passwords 
are stored.

In order to create the htpasswd file the htpasswd utility is required
(It is provided with the apache web server)

Let's create our first user:

shell> htpasswd -c /var/www/.htpasswd -m administrator password

Note: The -c argument should not be used from that point on since it creates 
      a new password file. 

On the next restart of apache the dialup/ directory is only accessable by a
username/password verification which in our case is administrator:password

The HTTP authentication we have just configured can be used by dialupadmin
when connecting to the ldap and sql databases (see sections on sql and ldap
options).

At this point when we connect to the url http://localhost/dialup we should 
see the Dialup Admin pages

[1.3.3] Creating the mySQL tables

In order to have dialup admin work to the maximum you should create a few 
tables in your mySQL. We assume at this point you have a fair ammount of mySQL
knowledge and have a mySQL running somewhere on your network. 

First of all you should create a database for all the tables to be stored into
it. We will call this radius.

shell> mysql -h mysql.host.com -u username -p 

mysql> CREATE DATABASE radius;
mysql> exit

This step is only necessary if you haven't already created a corresponding database
for the freeradius server.

At dialup_admin/sql there are four files containg the SQL command to create 
the required tables. This is done as follows:

shell> mysql -h mysql.host.com -u username -p radius < badusers.sql
shell> mysql -h mysql.host.com -u username -p radius < mtotacct.sql
shell> mysql -h mysql.host.com -u username -p radius < totacct.sql
shell> mysql -h mysql.host.com -u username -p radius < userinfo.sql

The userinfo table though is only needed if you want to keep your user database in sql.
If you keep your users in ldap then it's not needed.

NOTE: Remember we named our database "radius". Have you named it somewhat 
      different replace the "radius" argument on the above commands with 
      the name you used

2. Configuration
----------------

This is the most important part of this document since the configuration must
match your needs.
The configuration file is located at dialup_admin/conf/admin.conf

[2.1] Configuration Options

A few variables must be set to the correct values in order for dialup admin
to work. 


[2.1.1] General Options


General configuration options 

> general_base_dir: /usr/local/dialup_admin

This is the location where we have installed dialup admin. 
Refer to section 1.3.1 for more information

> general_radiusd_base_dir: /usr/local/bin

This is the location where the radiusd binary and various radius 
related programs resides. Check where FreeRadius has been installed

> general_domain: domain.gr

Set the domain name of your network.


[2.1.2] Realms Options


For more informations on realms consult the documentations provided 
with FreeRadius under the doc/ directory

> general_strip_realms : yes

Should Dialup Admin strip the realm from the username when displaying this?
Values: Yes / No (Default Yes)

> general_realm_delimiter: @

The delimiter used  in realms. Default is @

> general_realm_format: suffix

The format of the realms. Can be either suffix (realm is after the username)
or prefix (realm is before the username). Default is suffix


[2.1.3] LDAP/SQL Options


Options that specifies the way dialup admin handles users. SQL or LDAP

> general_lib_type: sql

This can have as values either ldap or sql.

For the following values there shouldn't be any need for changes

> general_ldap_attrmap: /etc/raddb/ldap.attrmap
> general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
> general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
> general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
> general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
> general_default_file: %{general_base_dir}/conf/default.vals


[2.1.4] NAS Quering


In general the nas quering provides the dialup admin with information 
regarding the Online Users.

> general_finger_type: snmp

What should be the default quering method of the nas. It can be 'snmp' (for snmpfinger)
or empty to query the radacct table without first querying the nas

> general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger

This probably does not need to be changed
For now snmpfinger will only work with Cisco equipment.

> general_radclient_bin: /usr/local/bin/radclient

Must point to the radclient binary

> general_nas_type: cisco

Defines the nas type. This is only used by snmpfinger
cisco and lucent are supported for now


[2.1.5] Test Variables


The following variables which are self explained are being used while the
"Check Server" button is being pressed to verify that the radius server 
is working. The username and password must be of a valid dialup account

> general_test_account_login: dummy
> general_test_account_password: dummy_password

> general_radius_server: localhost

The hostname where the FreeRadius Server runs

> general_radius_server_port: 1645

The port that FreeRadius uses on the hostname

> general_radius_server_auth_proto: chap

The method of connecting. Could be either 'chap' or 'pap'

> general_radius_server_secret: secret_password

The secret of the server that dialup admin should use while connecting. 

NOTE: You must have a correct entry in clients.conf for the host running 
      the dialup admin. For more information consult the documentations 
      that come with FreeRadius

> general_auth_request_file: %{general_base_dir}/conf/auth.request

The file conf/auth.request contains the options passed while the 
authentification is performed. Should you need to add anything edit this file


[2.1.6] Encryption Method


> general_encryption_method: md5

How the passwords of the users are stored (or should be) in the database.
Could be 'clear', 'md5', 'des'. See Also Section 2.1.9 


[2.1.7] NAS Information


> nas1_name: host.%{general_domain}

The name of the NAS. Only the host must be replaced to match yours, 
provided that the nas are on the general_domain specified above

> nas1_model: Lucent

The model of the NAS. 

> nas1_ip: 10.0.0.1

The IP of the NAS

> nas1_port_num: 120

The port number to connect to on the NAS

> nas1_community: community string

The community string used by the nas for queries via snmp

> nas1_finger_type: snmp

The finger type for the specific nas. Comment out to use the 
general_finger_type from above.

> nas1_type: cisco

The nas type for the specific nas. Comment out to use the
general_nas_type from above.