(RADIATOR) using different nas for user groups
CHS
chs at vol.at
Fri Mar 11 06:37:44 CST 2005
hi,
we have the following situation for dial-up and adsl customers which we
want to handle with radiator. we do auth by ldap and accounting &
logging by mysql db, which is already working.
we have a lot of nas servers and a lot of different dial-up groups to
handle and therefore want to specify different nas servers for different
user groups.
e.g. a user of type A should only be allowed to login through nas server
1.2.3.4 and 2.3.4.5 and user of type B should only be allowed to login
through 1.2.3.4. one possibility for that would be to give the user
every nas-ip-address from which he can log in, which would work but is not that
comfortable when you change an ip or add some nas servers.
therefore we thought it would be nice to have something like an
identifier for the user which is stored for the user in the ldap db. in the
radius config I want to define something like a pool and tell it the
ips of the nas where the user is allowed to log in.
I tried to do that through handlers but I don't know how to bind the user
to a group and the group to the nas server.
could you please tell me how to do that.
thanks,
stormc
here is the radiator config file
# ldap.cfg
#
Foreground
LogStdout
LogDir .
LogFile /var/log/radius.log
DbDir /usr/local/etc/******
# Debugging Level & Logging
# 0 ERR.Error conditions. Serious and unexpected failures
# 1 WARNING. Warning conditions. Unexpected failures
# 2 NOTICE. Normal but significant conditions.
# 3 INFO. Informational messages.
# 4 DEBUG. Debugging messages.
# 5 Incoming raw packet dumps in hexadecimal.
Trace 4
PidFile /var/run/radius.pid
### NAS CLIENTS ###
# default client if no other is defined
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
## Test Client ##
<Client 1.2.3.4>
Identifier Client1
Secret xxxx
# convert domain\username to username at domain
# RewriteUsername s/^(.*)\\(.*)/$2\@$1/
</Client>
<ClientListLDAP>
# Tell Radiator how to talk to the LDAP server
Host localhost
# LDAP server authentication.
AuthDN cn=***, dc=***, dc=***
AuthPassword ****
# This the top of the search tree where realm records
# will be found. It should match the configuration
# of your server, see /etc/openldap/slapd.conf
BaseDN dc=***, dc=***
# You can control the LDAP protocol version to be used
# to talk to the LDAP server. OpenLDAP 2 requires
# Version 3 unless you have 'allow bind_v2' in your
# slapd.conf. Defaults to version 2
Version 3
# SearchFilter specifies how to find the LDAP records that
# contain Client configuration information
SearchFilter (&(objectclass=oscRadiusClient)(uid=%1))
# Time in seconds that the clientldap db will be reread
RefreshPeriod 1800
# ClientAttrDef parameters allow you to alter the set of LDAP
# attributes that will be fetched
# Format is 'ClientAttrDef ldapattrname,clientparamname'
ClientAttrDef oscRadiusClientName,Name
ClientAttrDef oscRadiusSecret,Secret
#ClientAttrDef oscRadiusIgnoreAcctSignature,IgnoreAcctSignature
#ClientAttrDef oscRadiusDupInterval,DupInterval
ClientAttrDef oscRadiusNasType,NasType
ClientAttrDef oscRadiusSNMPCommunity,SNMPCommunity
#ClientAttrDef oscRadiusLivingstonOffs,LivingstonOffs
#ClientAttrDef oscRadiusLivingstonHole,LivingstonHole
#ClientAttrDef oscRadiusFramedGroupBaseAddress,FramedGroupBaseAddress
#ClientAttrDef oscRadiusFramedGroupMaxPortsPerClassC,FramedGroupMaxPortsPerClassC
#ClientAttrDef oscRadiusFramedGroupPortOffset,FramedGroupPortOffset
#ClientAttrDef oscRadiusRewriteUsername,RewriteUsername
#ClientAttrDef oscRadiusUseOldAscendPasswords,UseOldAscendPasswords
#ClientAttrDef oscRadiusStatusServerShowClientDetails,StatusServerShowClientDetails
#ClientAttrDef oscRadiusPreHandlerHook,PreHandlerHook
#ClientAttrDef oscRadiusPacketTrace,PacketTrace
#ClientAttrDef oscRadiusIdenticalClients,IdenticalClients
#ClientAttrDef oscRadiusNoIgnoreDuplicates,NoIgnoreDuplicates
#ClientAttrDef oscRadiusDefaultReply,DefaultReply
#ClientAttrDef oscRadiusFramedGroup,FramedGroup
#ClientAttrDef oscRadiusStripFromReply,StripFromReply
#ClientAttrDef oscRadiusAllowInReply,AllowInReply
#ClientAttrDef oscRadiusAddToReply,AddToReply
#ClientAttrDef oscRadiusAddToReplyIfNotExist,AddToReplyIfNotExist
#ClientAttrDef oscRadiusDynamicReply,DynamicReply
#ClientAttrDef oscRadiusStripfromRequest,StripfromRequest
#ClientAttrDef oscRadiusAddToRequest,AddToRequest
#ClientAttrDef oscRadiusAddToRequestIfNotExist,AddToRequestIfNotExist
</ClientListLDAP>
##################
### ACCOUNTING ###
<AuthBy SQL>
Identifier AcctSQL
DBSource dbi:mysql:*******
DBUsername ******
DBAuth ******
# !!! Table must exist !!!
AccountingTable ACCOUNTING%Y%m
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctFailedLogFileName /usr/local/etc/radiator/missedaccounting
</AuthBy>
########################
### AUTHENTIFICATION ###
<AuthBy LDAP2>
Identifier CheckLDAP
# Tell Radiator how to talk to the LDAP server
Host localhost
# LDAP server authentication.
AuthDN cn=***, dc=***, dc=***
AuthPassword ***
# This the top of the search tree where users will be found.
BaseDN dc=***, dc=***
#BaseDN %0=%1,dc=**, dc=**
# This is the LDAP attribute to match the radius user name
#UsernameAttr cn
UsernameAttr uid
PasswordAttr userPassword
DefaultSimultaneousUse 1
# CheckAttr, ReplyAttr and AuthAttrDef
AuthAttrDef radiusFramedIPAddress,Framed-IP-Address,reply
AuthAttrDef radiusFramedRoute,Framed-Route,reply
AuthAttrDef radiusFramedRouting,Framed-Routing,reply
AuthAttrDef radiusFramedProtocol,Framed-Protocol,reply
AuthAttrDef Cisco-AVPair,Cisco-AVPair,reply
#AuthAttrDef nasPortType,NAS-Port-Type,check
AuthAttrDef radiusLoginLATPort,NAS-Port-Type,check
# These are the classic things to add to each user's reply
# (Framed-Routing = None was taken out of the list; a commented line
# inside a backslash-continued value would be read as part of the value)
AddToReply Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
# Debugging of the Net::LDAP
Debug 255
# With LDAP2, you can enable SSL or TLS with perl-ldap 0.22 and better
# by setting UseSSL or UseTLS. Not supported on Windows
#UseSSL
# UseTLS
# If you set UseSSL or UseTLS, also need to set these:
#SSLCAClientCert certificates/cert-clt.pem
#SSLCAClientKey whatever
# (certificates in PEM format)
# Also need to set one of:
#SSLCAFile certificates/demoCA/cacert.pem
# SSLCAPath /path/to/file/containing/certificate/of/CA
# (certificates in PEM format)
# These set the corresponding parameters in the
# LDAPS connection (see perl-ldap docs)
# Requires IO::Socket::SSL, Net::SSLeay and openssl
# You can control the timout for connection failure
Timeout 5
FailureBackoffTime 10
# You can control the LDAP protocol version to be used
# to talk to the LDAP server. OpenLDAP 2 requires
# Version 3 unless you have 'allow bind_v2' in your
# slapd.conf. Defaults to version 2
Version 3
</AuthBy>
<Handler Request-Type=Accounting-Request>
AuthBy AcctSQL
</Handler>
<Handler Request-Type=Access-Request>
# Delete @auol.at from the User-Name
RewriteUsername s/^([^@]+).*/$1/
# Give additional message if "Request Denied"
RejectHasReason
AuthBy CheckLDAP
</Handler>
## test handler
#<Handler
###############
### LOGGING ###
# Add SQL Logging to mySQL DB (Table RADLOG%Y%m)
<Log SQL>
DBSource dbi:mysql:******
DBUsername ***
DBAuth ***
Table RADLOG%Y%m
FailureBackoffTime 20
Trace 3
</Log>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
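One way to get the binding the post asks for (user -> group identifier in LDAP, group -> pool of NAS addresses in the Radiator config) is a PostAuthHook on the Access-Request Handler that runs after AuthBy CheckLDAP has accepted the user. The following is an added example written for this page; it is not code from the original post or from the Radiator distribution. It assumes the group value has been copied from LDAP into the request with an AuthAttrDef of type "request" (the LDAP attribute name radiusGroupName and the RADIUS attribute name OSC-Group-Identifier below are placeholders; the RADIUS attribute must exist in your dictionary), and that the pool table is keyed by that group value. The hook API used (the four references passed to PostAuthHook, $p->get_attr, $main::ACCEPT, $main::REJECT and &main::log) is standard Radiator.

```perl
# nasgroup.pl -- added example, not part of the original post or of Radiator.
# Load it from the Access-Request Handler with:
#   PostAuthHook file:"%D/nasgroup.pl"
# and copy the LDAP group value into the request in <AuthBy LDAP2>, e.g.
#   AuthAttrDef radiusGroupName,OSC-Group-Identifier,request
# (attribute names are assumptions; the RADIUS one must be in the dictionary).
use strict;
use warnings;

my $GROUP_ATTR = 'OSC-Group-Identifier';   # assumed request attribute

# Group identifier -> pool of NAS-IP-Addresses the group may use.
# Renumbering or adding a NAS means editing this table, not every
# user record in LDAP.  Values taken from the post's example.
my %NAS_POOLS = (
    A => [qw(1.2.3.4 2.3.4.5)],
    B => [qw(1.2.3.4)],
);

# Returns 1 if $nas_ip is in the pool of $group, 0 otherwise.
# Fails closed: a missing group, an unknown group or a missing
# NAS-IP-Address all deny.
sub nas_allowed {
    my ($group, $nas_ip) = @_;
    return 0 unless defined $group && defined $nas_ip;
    my $pool = $NAS_POOLS{$group} or return 0;
    return (grep { $_ eq $nas_ip } @$pool) ? 1 : 0;
}

# The hook itself.  Radiator passes references to the request, the
# reply, the result code and the reason string.
sub {
    my ($p, $rp, $result, $reason) = (${$_[0]}, ${$_[1]}, $_[2], $_[3]);

    # Only gate requests that the LDAP AuthBy has already accepted.
    return unless $$result == $main::ACCEPT;

    my $group  = $p->get_attr($GROUP_ATTR);
    my $nas_ip = $p->get_attr('NAS-IP-Address');
    my $user   = $p->get_attr('User-Name');

    return if nas_allowed($group, $nas_ip);

    # Turn the accept into a reject; with RejectHasReason set in the
    # Handler the reason is returned to the NAS as Reply-Message.
    $$result = $main::REJECT;
    $$reason = sprintf('User %s (group %s) not permitted on NAS %s',
                       defined $user   ? $user   : 'unknown',
                       defined $group  ? $group  : 'none',
                       defined $nas_ip ? $nas_ip : 'unknown');
    &main::log($main::LOG_INFO, $$reason, $p);
};
```

The check deliberately trusts only NAS-IP-Address carried in the request; if some of your NAS devices do not send it, compare against the packet's source address instead of letting the missing attribute deny the login. Users whose LDAP record has no group value are rejected as well, so populate the attribute for every account before enabling the hook.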