(RADIATOR) IP Accounting

Hugh Irvine hugh at open.com.au
Sun Dec 5 16:50:58 CST 2004


Hello Dave -

It is usually easiest to have your NAS equipment allocate the IP 
addresses.

This of course assumes that said NAS equipment supports multiple 
address pools.

If you want Radiator to do IP address allocation you can use either an 
SQL database to hold the pools (preferred) or you can use an external 
DHCP server (more complex). In either case your configuration file 
would look something like this:

<AddressAllocator ...>
	Identifier AllocateIPAddress
	.....
</AddressAllocator>

<Handler .....>

	AuthByPolicy ContinueWhileAccept

	<AuthBy LDAP2>
		.....
	</AuthBy>

	<AuthBy DYNADDRESS>
		AddressAllocator AllocateIPAddress
		.....
	</AuthBy>

</Handler>


As you have seen, there are examples in the "goodies" directory.

regards

Hugh


On 5 Dec 2004, at 23:42, doc at dcclrt.co.uk wrote:

> Hi All,
>  
> Having got the idea of handlers etc. thanks to Hugh, I would like to 
> know about how Radiator can allocate IP addresses to wireless clients.
> I have read the addressallocationdhcp config file in /goodies and 
> other documentation but as ever the penny doesn't drop until the last 
> minute.
> In my config file I have numerous sites configured to auth by ldap to 
> NDS with a return attribute giving a vlan ID. Also with that return I 
> would like the clients to be allocated a dynamic IP from a given 
> range. Please would you point me in the right direction as to how each 
> site would need configuring in order to achieve this. And am I right 
> in thinking that the Radiator server does NOT need a DHCP service 
> installed and that it is fully handled by Radiator ?
>  
> Many thanks.
> Dave
>  
> ---------------------------
> Foreground
> LogStdout
> LogDir  /var/log/radius
> LogFile  %L/%Y-%m-log
> DbDir  /etc/radiator
> Trace  4
> AuthPort 1812
> AcctPort 1813
>  
> <Client xxx.xxx.xxx.xxx>
>  IdenticalClients xxx.xxx.xxx.xxx
>  Secret  1234
>  DupInterval 0
>  Identifier site
> </Client>
>  
> <Client xxx.xxx.xxx.xxx>
>  IdenticalClients xxx.xxx.xxx.xxx
>  Secret  x
>  DupInterval 0
>  Identifier site1
> </Client>
>  
> <Client xxx.xxx.xxx.xxx>
>  IdenticalClients xxx.xxx.xxx.xxx
>  Secret  x
>  DupInterval 0
>  Identifier site2
> </Client>
>  
> # ISU
> <Handler Client-Identifier=site>
>   <AuthBy LDAP2>
>   # Tell Radiator how to talk to the LDAP server
>   ServerChecksPassword 1
>   Host  xxx.xxx.xxx.xxx
>   Port  389
>   BaseDN  o=xxx
>   UsernameAttr cn
>  
>   # You can enable debugging of the Net::LDAP
>   # module with this:
>   #Debug 255
>  
>   # With LDAP2, You can enable SSL or TLS with perl-ldap 0.22 and better
>   # by setting UseSSL or UseTLS. Not supported on Windows
>   #UseSSL
>   #UseTLS
>   #If you set UseSSL or UseTLS, also need to set these:
>   #SSLCAClientCert /etc/radiator/certificates/cert-clt.pem
>   #SSLCAClientKey whatever
>   #  (certificates in PEM format)
>   # Also need to set one of:
>   #SSLCAFile /etc/radiator/certificates/demoCA/cacert.pem
>   #SSLCAPath /etc/radiator/certificates/demoCA
>   #  (certificates in PEM format)
>   # These set the corresponding parameters in the
>    # LDAPS connection (see perl-ldap docs)
>   # Requires IO::Socket::SSL, Net::SSLeay and openssl
>  
>   EAPType TTLS
>   EAPTLS_CAFile /etc/radiator/certificates/xxxxxxxxxx
>   EAPTLS_CertificateFile /etc/radiator/certificates/xxxxxxxxxx
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile /etc/radiator/certificates/xxxxxxxxxx
>   EAPTLS_PrivateKeyPassword xxxxxxxxxx
>   EAPTLS_MaxFragmentSize 1000
>   AutoMPPEKeys
>  
>   StripFromReply  Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group
>   AddToReply Tunnel-Type=13,Tunnel-Medium-Type=802,Tunnel-Private-Group=3
>  
>  </AuthBy>
>  
> # This is a hook to change the Tunnel-Private-Group-ID information
> # into a value for non RFC 3580 compliant Access Points
> # PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
>  
> </Handler>
>  
> # SITE 1
> <Handler Client-Identifier=site1>
>  <AuthBy LDAP2>
>   # Tell Radiator how to talk to the LDAP server
>   ServerChecksPassword 1
>   Host  xxx.xxx.xxx.xxx
>   Port  389
>   BaseDN  o=xxx
>   UsernameAttr cn
>  
>   # You can enable debugging of the Net::LDAP
>   # module with this:
>   #Debug 255
>  
>   # With LDAP2, You can enable SSL or TLS with perl-ldap 0.22 and better
>   # by setting UseSSL or UseTLS. Not supported on Windows
>   #UseSSL
>   #UseTLS
>   #If you set UseSSL or UseTLS, also need to set these:
>   #SSLCAClientCert /etc/radiator/certificates/cert-clt.pem
>   #SSLCAClientKey whatever
>   #  (certificates in PEM format)
>   # Also need to set one of:
>   #SSLCAFile /etc/radiator/certificates/demoCA/cacert.pem
>   #SSLCAPath /etc/radiator/certificates/demoCA
>   #  (certificates in PEM format)
>   # These set the corresponding parameters in the
>    # LDAPS connection (see perl-ldap docs)
>   # Requires IO::Socket::SSL, Net::SSLeay and openssl
>  
>   EAPType TTLS
>   EAPTLS_CAFile /etc/radiator/certificates/xxxxxxxxxx
>   EAPTLS_CertificateFile /etc/radiator/certificates/xxxxxxxxxx
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile /etc/radiator/certificates/xxxxxxxxxx
>   EAPTLS_PrivateKeyPassword xxxxxxxxxx
>   EAPTLS_MaxFragmentSize 1000
>   AutoMPPEKeys
>  
>   StripFromReply  Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group
>   AddToReply Tunnel-Type=13,Tunnel-Medium-Type=802,Tunnel-Private-Group=3
>  
>  </AuthBy>
>  
> # This is a hook to change the Tunnel-Private-Group-ID information
> # into a value for non RFC 3580 compliant Access Points
> # PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
>  
> </Handler>
>  
> # SITE 2
> <Handler Client-Identifier=site2>
>  <AuthBy LDAP2>
>   # Tell Radiator how to talk to the LDAP server
>   ServerChecksPassword 1
>   Host  xxx.xxx.xxx.xxx
>   Port  389
>   BaseDN  o=xxx
>   UsernameAttr cn
>  
>   # You can enable debugging of the Net::LDAP
>   # module with this:
>   #Debug 255
>  
>   # With LDAP2, You can enable SSL or TLS with perl-ldap 0.22 and better
>   # by setting UseSSL or UseTLS. Not supported on Windows
>   #UseSSL
>   #UseTLS
>   #If you set UseSSL or UseTLS, also need to set these:
>   #SSLCAClientCert /etc/radiator/certificates/cert-clt.pem
>   #SSLCAClientKey whatever
>   #  (certificates in PEM format)
>   # Also need to set one of:
>   #SSLCAFile /etc/radiator/certificates/demoCA/cacert.pem
>   #SSLCAPath /etc/radiator/certificates/demoCA
>   #  (certificates in PEM format)
>   # These set the corresponding parameters in the
>    # LDAPS connection (see perl-ldap docs)
>   # Requires IO::Socket::SSL, Net::SSLeay and openssl
>  
>   EAPType TTLS
>   EAPTLS_CAFile /etc/radiator/certificates/xxxxxxxxxx
>   EAPTLS_CertificateFile /etc/radiator/certificates/xxxxxxxxxx
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile /etc/radiator/certificates/xxxxxxxxxx
>   EAPTLS_PrivateKeyPassword xxxxxxxxxx
>   EAPTLS_MaxFragmentSize 1000
>   AutoMPPEKeys
>  
>   StripFromReply  Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group
>   AddToReply Tunnel-Type=13,Tunnel-Medium-Type=802,Tunnel-Private-Group=3
>  
>  </AuthBy>
>  
> # This is a hook to change the Tunnel-Private-Group-ID information
> # into a value for non RFC 3580 compliant Access Points
> # PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
>  
> </Handler>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
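As an added illustration of the layout Hugh sketches above, here is one of Dave's per-site handlers filled out with the SQL-backed allocator (the preferred option). This is example configuration written for this page, not code from the original post or from the Radiator goodies. The pool names, address ranges, database source and credentials, the use of a PoolHint reply attribute to pick the pool, and the DefaultLeasePeriod value are assumptions; the VLAN reply values are copied from Dave's config.

```text
# Added example (not from the original post): one AddressAllocator
# holding a pool per site, and one site handler that authenticates
# against NDS first and only then draws an address from its pool.
# Pool names, ranges, DB credentials and PoolHint values are assumed.

<AddressAllocator SQL>
	Identifier AllocateIPAddress
	# Lease state lives in the SQL database (table layout assumed to
	# follow goodies/addressallocator.sql); no DHCP server is needed.
	DBSource	dbi:mysql:radius:localhost
	DBUsername	radius
	DBAuth		change-me
	# Leases are normally released by the NAS's Accounting-Stop;
	# expire stale ones anyway so a lost Stop cannot exhaust the pool.
	DefaultLeasePeriod 86400

	<AddressPool site1>
		Subnetmask 255.255.255.0
		Range 10.1.1.10 10.1.1.250
	</AddressPool>
	<AddressPool site2>
		Subnetmask 255.255.255.0
		Range 10.2.2.10 10.2.2.250
	</AddressPool>
</AddressAllocator>

# SITE 1
<Handler Client-Identifier=site1>
	# Stop at the first AuthBy that rejects: no address is handed out
	# to a user NDS has refused.
	AuthByPolicy ContinueWhileAccept

	<AuthBy LDAP2>
		# Same LDAP2 and EAP-TTLS settings as in Dave's site1 handler
		ServerChecksPassword 1
		Host  xxx.xxx.xxx.xxx
		Port  389
		BaseDN  o=xxx
		UsernameAttr cn
		EAPType TTLS
		AutoMPPEKeys

		# VLAN for this site (values from Dave's config) plus the
		# pool this site draws from; PoolHint is only read by the
		# DYNADDRESS clause below.
		AddToReply Tunnel-Type=13,Tunnel-Medium-Type=802,Tunnel-Private-Group-ID=3,PoolHint=site1
	</AuthBy>

	<AuthBy DYNADDRESS>
		AddressAllocator AllocateIPAddress
		# Choose the pool named in the reply built by the AuthBy above
		PoolHint %{Reply:PoolHint}
		# Copy the allocated lease into the RADIUS reply
		MapAttribute yiaddr     Framed-IP-Address
		MapAttribute subnetmask Framed-IP-Netmask
	</AuthBy>

	# PoolHint is internal; never send it to the NAS
	StripFromReply PoolHint
</Handler>
```

The site2 and ISU handlers are the same with their own Client-Identifier and PoolHint. Accounting requests from the NAS must arrive at the same handler (they do here, since the handler matches on Client-Identifier) so that the DYNADDRESS clause sees the Accounting-Stop and frees the lease. One thing to check while doing this: in the quoted config the UseTLS/UseSSL lines are commented out and ServerChecksPassword is set, so each inner-TTLS password is bound to NDS in the clear over port 389; enabling UseTLS on the LDAP2 clause closes that hole without changing the allocation setup.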

