(RADIATOR) using different nas for user groups

Ingvar Berg (LI/EAB) ingvar.berg at ericsson.com
Fri Mar 11 07:32:02 CST 2005


Hi,

You could use the client identifiers, and then have the identifier(s) as check items in the db. More than one nas can have the same identifier, but you may also have to assign some users to more than one identifier => you probably have a logical OR problem to solve in some hook code. Maybe the hook code could sort out the client grouping and put the result in the Class attribute for authentication and also future reference (accounting).

/Ingvar

> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of CHS
> Sent: 11 March 2005 13:38
> To: radiator at open.com.au
> Subject: (RADIATOR) using different nas for user groups
> 
> 
> hi,
> we have the following situation for dial-up and ADSL customers which we
> want to handle with Radiator. We do auth by LDAP and accounting &
> logging by MySQL DB, which is already working.
> We have a lot of NAS servers and a lot of different dial-up groups to
> handle and therefore want to specify different NAS servers for different
> user groups.
> E.g. a user of type A should only be allowed to log in through NAS server
> 1.2.3.4 and 2.3.4.5, and a user of type B should only be allowed to log in
> through 1.2.3.4. One possibility for that would be to give the user
> every NAS-IP-Address that he can log in from, which would work but
> is not that comfortable when you change IPs or add some NAS servers.
> 
> Therefore we thought it would be nice to have something like an
> identifier for the user which is stored by the user in the LDAP
> DB. In the Radius config I want to define something like a pool and
> tell it the IPs of the NAS where the user is allowed to log in.
> 
> I tried to do that through handlers but I don't know how to bind
> the user to a group and the group to the NAS server.
> 
> could you please tell me how to do that.
> 
> thanks,
> stormc
> 
> here is the radiator config file
> # ldap.cfg
> #
> 
>         Foreground
>         LogStdout
>         LogDir          .
>         LogFile         /var/log/radius.log
>         DbDir           /usr/local/etc/******
> 
>         # Debugging Level & Logging
>         # 0 ERR.Error conditions. Serious and unexpected failures
>         # 1 WARNING. Warning conditions. Unexpected failures
>         # 2 NOTICE. Normal but significant conditions.
>         # 3 INFO. Informational messages.
>         # 4 DEBUG. Debugging messages.
>         # 5 Incoming raw packet dumps in hexadecimal.
>         Trace           4
> 
>         PidFile /var/run/radius.pid
> 
> ### NAS CLIENTS ###
> # default client if no other is defined
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
> 
> ## Test Client ##
> <Client 1.2.3.4>
>         Identifier Client1
>         Secret xxxx
>         # convert domain\username to username at domain
>         # RewriteUsername s/^(.*)\\(.*)/$2\@$1/
> </Client>
> 
> <ClientListLDAP>
>         # Tell Radiator how to talk to the LDAP server
>         Host            localhost
> 
>         # LDAP server authentication.
>         AuthDN          cn=***, dc=***, dc=***
>         AuthPassword    ****
> 
>         # This the top of the search tree where realm records
>         # will be found. It should match the configuration
>         # of your server, see /etc/openldap/slapd.conf
>         BaseDN          dc=***, dc=***
> 
>         # You can control the LDAP protocol version to be used
>         # to talk to the LDAP server. OpenLDAP 2 requires
>         # Version 3 unless you have 'allow bind_v2' in your
>         # slapd.conf. Defaults to version 2
>         Version 3
> 
>         # SearchFilter specifies how to find the LDAP records that contain
>         # Client configuration information
>         SearchFilter (&(objectclass=oscRadiusClient)(uid=%1))
> 
>         # Time in seconds that the clientldap db will be reread
>         RefreshPeriod 1800
> 
>         # ClientAttrDef parameters allow you to alter the set of LDAP
>         # attributes that will be fetched
>         # Format is 'ClientAttrDef ldapattrname,clientparamname'
>         ClientAttrDef oscRadiusClientName,Name
>         ClientAttrDef oscRadiusSecret,Secret
>         #ClientAttrDef oscRadiusIgnoreAcctSignature,IgnoreAcctSignature
>         #ClientAttrDef oscRadiusDupInterval,DupInterval
>         ClientAttrDef oscRadiusNasType,NasType
>         ClientAttrDef oscRadiusSNMPCommunity,SNMPCommunity
>         #ClientAttrDef oscRadiusLivingstonOffs,LivingstonOffs
>         #ClientAttrDef oscRadiusLivingstonHole,LivingstonHole
>         #ClientAttrDef oscRadiusFramedGroupBaseAddress,FramedGroupBaseAddress
>         #ClientAttrDef oscRadiusFramedGroupMaxPortsPerClassC,FramedGroupMaxPortsPerClassC
>         #ClientAttrDef oscRadiusFramedGroupPortOffset,FramedGroupPortOffset
>         #ClientAttrDef oscRadiusRewriteUsername,RewriteUsername
>         #ClientAttrDef oscRadiusUseOldAscendPasswords,UseOldAscendPasswords
>         #ClientAttrDef oscRadiusStatusServerShowClientDetails,StatusServerShowClientDetails
>         #ClientAttrDef oscRadiusPreHandlerHook,PreHandlerHook
>         #ClientAttrDef oscRadiusPacketTrace,PacketTrace
>         #ClientAttrDef oscRadiusIdenticalClients,IdenticalClients
>         #ClientAttrDef oscRadiusNoIgnoreDuplicates,NoIgnoreDuplicates
>         #ClientAttrDef oscRadiusDefaultReply,DefaultReply
>         #ClientAttrDef oscRadiusFramedGroup,FramedGroup
>         #ClientAttrDef oscRadiusStripFromReply,StripFromReply
>         #ClientAttrDef oscRadiusAllowInReply,AllowInReply
>         #ClientAttrDef oscRadiusAddToReply,AddToReply
>         #ClientAttrDef oscRadiusAddToReplyIfNotExist,AddToReplyIfNotExist
>         #ClientAttrDef oscRadiusDynamicReply,DynamicReply
>         #ClientAttrDef oscRadiusStripfromRequest,StripfromRequest
>         #ClientAttrDef oscRadiusAddToRequest,AddToRequest
>         #ClientAttrDef oscRadiusAddToRequestIfNotExist,AddToRequestIfNotExist
> </ClientListLDAP>
> 
> ##################
> ### ACCOUNTING ###
> 
> <AuthBy SQL>
>         Identifier      AcctSQL
>         DBSource        dbi:mysql:*******
>         DBUsername      ******
>         DBAuth          ******
> 
>         # !!! Table must exist !!!
>         AccountingTable ACCOUNTING%Y%m
> 
>         AcctColumnDef   USERNAME,User-Name
>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>         AcctColumnDef   NASPORT,NAS-Port,integer
>         AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
> 
>         AcctFailedLogFileName /usr/local/etc/radiator/missedaccounting
> 
> </AuthBy>
> 
> ########################
> ### AUTHENTICATION ###
> 
> <AuthBy LDAP2>
>         Identifier CheckLDAP
> 
>         # Tell Radiator how to talk to the LDAP server
>         Host            localhost
> 
>         # LDAP server authentication.
>         AuthDN          cn=***, dc=***, dc=***
>         AuthPassword    ***
> 
>         # This the top of the search tree where users will be found.
>         BaseDN          dc=***, dc=***
>         #BaseDN         %0=%1,dc=**, dc=**
> 
>         # This is the LDAP attribute to match the radius user name
>         #UsernameAttr   cn
>         UsernameAttr    uid
> 
>         PasswordAttr    userPassword
> 
>         DefaultSimultaneousUse  1
> 
>         # CheckAttr, ReplyAttr and AuthAttrDef
>         AuthAttrDef radiusFramedIPAddress,Framed-IP-Address,reply
>         AuthAttrDef radiusFramedRoute,Framed-Route,reply
>         AuthAttrDef radiusFramedRouting,Framed-Routing,reply
>         AuthAttrDef radiusFramedProtocol,Framed-Protocol,reply
>         AuthAttrDef Cisco-AVPair,Cisco-AVPair,reply
> 
>         #AuthAttrDef nasPortType,NAS-Port-Type,check
>         AuthAttrDef radiusLoginLATPort,NAS-Port-Type,check
> 
> 
>         # These are the classic things to add to each users
>         AddToReply Framed-Protocol = PPP,\
>                 Framed-IP-Netmask = 255.255.255.255,\
>                 #Framed-Routing = None,\
>                 Framed-MTU = 1500,\
>                 Framed-Compression = Van-Jacobson-TCP-IP
> 
>         # Debugging of the Net::LDAP
>         Debug 255
> 
>         # With LDAP2, you can enable SSL or TLS with perl-ldap 0.22 and better
>         # by setting UseSSL or UseTLS. Not supported on Windows
>         #UseSSL
>         # UseTLS
>         # If you set UseSSL or UseTLS, also need to set these:
>         #SSLCAClientCert certificates/cert-clt.pem
>         #SSLCAClientKey whatever
>         #  (certificates in PEM format)
>         # Also need to set one of:
>         #SSLCAFile certificates/demoCA/cacert.pem
>         # SSLCAPath /path/to/file/containing/certificate/of/CA
>         #  (certificates in PEM format)
>         # These set the corresponding parameters in the
>         # LDAPS connection (see perl-ldap docs)
>         # Requires IO::Socket::SSL, Net::SSLeay and openssl
> 
>         # You can control the timeout for connection failure
>         Timeout 5
>         FailureBackoffTime 10
> 
>         # You can control the LDAP protocol version to be used
>         # to talk to the LDAP server. OpenLDAP 2 requires
>         # Version 3 unless you have 'allow bind_v2' in your
>         # slapd.conf. Defaults to version 2
>         Version 3
> </AuthBy>
> 
> 
> <Handler Request-Type=Accounting-Request>
>        AuthBy AcctSQL
> </Handler>
> 
> <Handler Request-Type=Access-Request>
>         # Delete @auol.at from the User-Name
>         RewriteUsername     s/^([^@]+).*/$1/
> 
>         # Give additional message if "Request Denied"i
>         RejectHasReason
> 
>         AuthBy CheckLDAP
> </Handler>
> 
> ## test handler
> #<Handler
> 
> ###############
> ### LOGGING ###
> 
> # Add SQL Logging to mySQL DB (Table RADLOG%Y%m)
> <Log SQL>
>         DBSource        dbi:mysql:******
>         DBUsername      ***
>         DBAuth          ***
>         Table           RADLOG%Y%m
>         FailureBackoffTime 20
>        
>         Trace 3
> </Log>
> 
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 


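A worked version of the approach Ingvar describes, added here as an illustration and not code from either poster or from the Radiator distribution: a Perl PostAuthHook for the `<AuthBy LDAP2>` clause (loaded with `PostAuthHook file:"%D/nasgroup.pl"`) that maps the Client clause's Identifier to one or more NAS groups, checks them against the groups the user is permitted to use, and leaves the matched group in the Class attribute so it reappears in the accounting records. It assumes a hypothetical LDAP attribute `radiusNasGroup` holding a comma-separated list of group names, copied into the reply with `AuthAttrDef radiusNasGroup,Class,reply`; the NAS-to-group map is constructed for the example.

```perl
# nasgroup.pl - PostAuthHook for <AuthBy LDAP2>, loaded with
#   PostAuthHook file:"%D/nasgroup.pl"
# Assumed LDAP side (hypothetical attribute): radiusNasGroup holds the
# user's permitted NAS groups as a comma-separated list and is copied
# into the reply with
#   AuthAttrDef radiusNasGroup,Class,reply
# Every <Client> clause carries an Identifier; several NAS may share one.
sub
{
    my ($p, $rp, $result, $reason) = @_;   # references passed by Radiator
    $p  = $$p;
    $rp = $$rp;

    # Only post-process requests that LDAP has already accepted
    return unless $$result == $main::ACCEPT;

    # Client Identifier -> NAS groups (constructed map). A NAS can belong
    # to several groups, which is where the logical OR comes from.
    my %nas_groups = (
        'Client1' => [ 'dialup-A', 'dialup-B' ],
        'Client2' => [ 'dialup-A' ],
    );

    my $ident = $p->{Client}->{Identifier} || '';
    my @nas   = @{ $nas_groups{$ident} || [] };

    # Groups the user may use, delivered from LDAP via the Class reply item
    my @user = split /\s*,\s*/, ($rp->get_attr('Class') || '');

    # Logical OR: any group shared by user and NAS grants access
    my %allowed = map { $_ => 1 } @user;
    my ($match) = grep { $allowed{$_} } @nas;

    my $name = $p->getUserName();
    unless (defined $match) {
        # RejectHasReason in the Handler sends this reason as Reply-Message
        $$result = $main::REJECT;
        $$reason = "User $name is not permitted on NAS group of client '$ident'";
        &main::log($main::LOG_INFO, $$reason);
        return;
    }

    # Leave a single meaningful Class in the reply: the NAS echoes Class in
    # its accounting requests, so the group shows up in the SQL accounting.
    $rp->delete_attr('Class');
    $rp->add_attr('Class', $match);
    &main::log($main::LOG_DEBUG, "User $name accepted via NAS group $match");
}
```

A NAS whose Identifier is missing from the map ends up with no groups and is rejected, so new NAS must be added to the map (or the map moved into the Client clauses) before they go live.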
