howto

linux 下的radius 最新版。linux 下的radius 最新版.linux 下的radius 最新版

[2.1.8] LDAP Options


>ldap_server: ldap.%{general_domain}

The ldap server to connect to
Both ldap_server and ldap_write_server can be a space-separated
list of ldap hostnames. In that case the library will try to connect
to the servers in the order that they appear. If the first host is down
ldap_connect will ask for the second ldap host and so on.

>ldap_write_server: master.%{general_domain}

There are many cases where we have a small write master and
a lot of fast read only replicas. If that is the case uncomment
ldap_write_server and point it to the write master. It will be
used only when writing to the directory, not when reading

>ldap_base: dc=company,dc=com

The LDAP base for the ldap searches

>ldap_binddn: cn=Directory Manager
>ldap_bindpw: XXXXXXX

The DN and password which will be used to bind to the LDAP server. If we don't use
http credentials (see below) than these setting will be used for all ldap operations
(both searches and modifies/adds).

>ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}

The LDAP suffix under which all new user entries created through the new user
page will be placed

>ldap_default_dn: uid=default-dialup,%{ldap_base}

The DN of an ldap entry containing radius user settings which will be
applied for all users. Though these settings are applied *before* the
regular profile and per user settings, so they can be easily overwritten.
That way we could for example set Session-Timeout to 4 hours for all our users
and set it to a lower/higher value for specific users or groups of users

>ldap_regular_profile_attr: dialupregularprofile

The ldap attribute which if present in a user entry will contain the DN
of another ldap entry specifying radius user settings (check and reply items).
That way we can keep these settings in only one entry and assign them to each
user that we want through the regular profile attribute.
 
>ldap_use_http_credentials: yes

If set to yes then the HTTP credentials (http authentication)
will be used to bind to the ldap server instead of ldap_binddn
and ldap_bindpw directives. That way multiple admins with different rights
on the ldap database can connect through one dialup_admin interface.
The ldap_binddn and ldap_bindpw are still needed to find the DN of the user
to bind with (http authentication will only provide us with a
username). As a result the ldap_binddn should be able to do a search
with a filter of (uid=<username>). Normally, the anonymous (empty DN)
user can do that.

>ldap_directory_manager: cn=Directory Manager
>ldap_map_to_directory_manager: admin

If we are using http credentials we can map a specific username to the
directory manager entry (which usually does not correspond to a specific username)

> ldap_debug: true

Set to true to enable ldap debugging

>ldap_filter: (uid=%u)

Allow for defining the ldap filter used when searching for a user
Variables supported:
%u: username
%U: username provided though http authentication

One use of this would be to restrict access to only the user's belonging to
a specific administrator like this:
ldap_filter: (&(uid=%u)(manager=uid=%U,ou=admins,o=company,c=com))


[2.1.9] SQL Options

> sql_type: mysql

The type of the database. Currenty dialup admin support mySQL ('mysql') 
and PostgreSQL('pg')

> sql_server: localhost
> sql_port: 3306
> sql_username: radius
> sql_password: XXXXX

Information regargind the SQL database such as hostname, port, 
username and password to be used for connection

NOTE: The default port for mySQL is 3306 while for PostgreSQL is 5432. 
      The Username and password are ones set in the database. Creating a
      new username is behond the scope of this documentation.

> sql_database: radius

The database where all our tables are stored. Read section 1.3.3

> sql_accounting_table: radacct
> sql_check_table: radcheck
> sql_groupcheck_table: radgroupcheck
> sql_groupreply_table: radgroupreply
> sql_reply_table: radreply

The above tables are the ones used also directly through FreeRadius. 
The SQL file containing the way to create these tables are at 
freeradius-x.x.x/src/modules/rlm_sql/drivers/rlm_sql_<DATABASE TYPE>/db_<DATABASE_TYPE>.sql

For more information consult the documentation of FreeRadius

> sql_badusers_table: badusers
> sql_user_info_table: userinfo
> sql_usergroup_table: usergroup
> sql_total_accounting_table: totacct

These are the tables created during section 1.3.3. 
There shouldn't be any need to change those

> sql_use_user_info_table: true
> sql_use_operators: true

Could be true or false

> sql_default_user_profile: DEFAULT

Set this to the value of the default_user_profile in your sql.conf if 
that one is set. If it is not set leave blank or commented out

> sql_password_attribute: User-Password

The password attribute. Should be User-Password if encryption method 
is clear (See section 2.1.6) or Crypt-Password if either md5 or des is choosed

> sql_date_format: Y-m-d
> sql_full_date_format: Y-m-d H:i:s

The date format

> sql_row_limit: 40

The row limit used in the accounting page in order to limit the output

> sql_connect_timeout: 3
> sql_extra_servers: sql2.company.com sql3.company.com

The above options are used by bin/log_badlogins (See Section 2.x.x)
The sql_connect_timeout is also used by the mysql driver and the sql_extra_servers
is also used when adding users in the badusers table

> sql_debug: false

Set to true to enable SQL debugging

> sql_use_http_credentials: no

If set to yes then the HTTP credentials (http authentication) will be used 
to connect to the sql server instead of sql_username and sql_password. 
That way multiple admins with different rights on the sql database can 
connect through one dialup_admin interface.

> sql_command: /usr/local/bin/mysql
This variable is used by the scripts in the bin folder
It should contain the path to the sql binary used to run
sql commands (mysql is only supported for now)


[2.1.10] Limits Timers

> counter_default_daily: 14400
> counter_default_weekly: 72000
> counter_default_monthly: none

The dialup limit displayed on the Dialup Admin. Set to none for no limit


[2.1.11] Various Options


> general_accounting_info_order: desc

Can be either asc (older dates first) or desc (recent dates first)

> general_stats_use_totacct: no

Use the totacct table for statistics

> general_use_session: yes

Set it to yes to use sessions and cache the various mappings. You can also
set use_session = 1 in config.php3 to also cache the admin.conf

NOTE: Remember to use the 'Clear Cache' page if you use sessions and 
      do any changes in any of the configuration files.

> general_most_recent_fl: 30

This is used by the failed logins page. It states the default back time
in minutes.

> general_prefered_lang: el
> general_prefered_lang_name: Greek

It can be default or whatever language. Only greek are supported from 
non latin alphabet languages. These attribute only apply for ldap not for sql

> general_charset: iso-8859-1

The charset which will be added as a meta tag in all pages

> general_decode_normal_attributes: no

Uncomment this if normal attributes (not the ;lang-xx ones) in ldap 
are utf8 encoded.


[2.2] The bin/ scripts


[2.2.1] The snmpfinger script

This script make an snmp request to the nas server to retrieve 
the online users directly from the NAS and is being used by dialup admin
when general_finger_type: snmp is set (or the per nas equivelant
directive). (See section 2.1.4). 

You also must have installed the net-snmp package obtained at 
http://www.net-snmp.org

The snmpfinger script must be edited in order to point to the correct 
snmpwalk binary. 

Edit the line $SNMPWALK="/usr/local/bin/snmpwalk"; to represent the location 
of snmpwalk binary

Besides that the snmpfinger uses MIBs only for the CISCO XXXX NAS or for Lucent
equipment (at least for the MAX 3000) which may not work if your NAS is different.

However the snmpfinger is not actually required if your accounting 
is working properly.

[2.2.2] The log_badlogins script

The log_badlogins scripts actually does a tail -f to the radius.log and
intercepts any authentification failure and passes it to the database. 
If you are interested in having the Failed Logins on the Dialup Admin 
you should execute it once like this:

bin/log_badlogins /var/log/radius/radius.log /usr/local/dialup_admin/conf/admin.conf& 

Of cource the proper file locations must be set

Also log_badlogins will concatenate the client shortname and the general_domain variable
defined in admin.conf in order to find the nas ip address. So it is important to make sure
that $client_shortname.$domain resolves to the correct nas ip address.
regular expression matching is also supported. If the $regexp variable is set then
only failed login lines matching the regular expression will be logged.

[2.2.3] The clean_radacct script

The clean_radacct script can be used to clear the database of stale open sessions
(sessions for which an Accounting-Stop has not been received hence they remain open)
The $back_days variable can be changed to specify how many days we should leave the
sessions open before removing them. Make sure though that all your user sesions are
short lived (no DSL users for example) before using the script. If that is not the
case edit the sql query to only match short lived sessions (depending on the NAS-Port-Type
for example).

[2.2.4] The truncate_radacct script

The truncate_radacct script can be used to delete all sessions which are older than a
specified number of days. This number can be changed through the $back_days variable.
The script will do a lock tables so make sure you run it during the night when the traffic
is low. It will also only delete *closed* session, so the clean_radacct script should be
used together to clear the possible open sessions.

[2.2.4] The tot_stats script

This script will log aggregated per user information in the totacct table. It will log a row
per user, per day. It should be run *once* every day to create the corresponding entries in
the totacct table. The general_stats_use_totacct configuration directive could then be set to
yes in order for the statistics page to use the totacct table instead of the radacct table.

[2.2.5] The monthly_tot_stats script

This script can be used to aggregate the information from the totacct table into the mtotacct table
creating aggregated accounting information for each spaning in one month period. If the current
month has not ended it will log information up to the current month day. It should be run once
a day to create the corresponding entries in the mtotacct table.


[2.3] User Attributes

First of all check conf/user_edit.atts and see if the attribute you are 
interested in is commented out. If it is just enable it by uncommenting it.
If the attribute is not included in the file add it. 

If you use SQL check conf/sql.attrmap. Attributes that are not contained in this file
are assumed to be reply items and map to the same name as the one used by dialup_admin

If you use LDAP check ${freeradius_install_dir}/etc/raddb/ldap.attrmap 
and check if the attribute is included in the attribute mapping. 

If it is not then add it there also.Everything should work ok after that.

[2.4] Finishing

The above sections should propably have brought you to a working dialup admin.
Note however that if you are interested in logging the failed logins
(See section 2.3.2) you should execute the log_badlogins each time 
the system starts.


3. Troubleshooting
--------------------------

[3.1] When I try to access some page I see the php code instead of html

See section 1.3.2.1

[3.2] When an attribute contains double (") or single (') quotes 
      something goes wrong

Make sure that magic quotes in PHP are turned off

[3.3] Even though I have uncommented Dialup-Access in user_edits.attrs,
      when editing a user, that field is not available...

...Is this because in sql.attrmap
I have:

checkItem     Dialup-Access                   none

What should the attribute be?

Dialup-Access is an attribute used by the ldap module. It is not implemented in the sql module, that's why the mapping is set to none.
You could set Auth-Type to Reject instead.

[3.4] Why do the personal information fields show multiple entries for 
      attributes like name, department, etc in the user_admin page?

Set general_prefered_lang to en

[3.5] After I make a few changes in one of the configuration files things
      only work like they worked before

If you are using sessions then remember to use the 'Clear Cache' page after
making any changes. See Section 2.1.11

[3.6] It is still not working

Check that the register_globals in php.ini is set to on. As of PHP 4.2.0 
this is set to off by default. The latest versions of dialup_admin will work
even if register_globals is set to off if the php version is > 4.1.0 
(Thanks to Evren Yurtesen <eyurtese@turkuamk.fi> for the suggestion).

In latest versions you can also enable sql debug (sql_debug: true) 
and ldap debug (ldap_debug: true)


4. HOWTO Information
---------------------------------

This document is distributed under the terms of the GPL (GNU Public License). 
Paris Stamatopoulos <mobius@hack.gr> (main author)
Kostas Kalevras <kkalev@noc.ntua.gr> (a few additions)