(RADIATOR) DSL Auth setup
Adam Armstrong
lists at memetic.org
Wed Aug 15 06:21:27 CDT 2007
Hi Hugh,
Thanks for the examples, i spent quite a while last night looking at the
things in goodies/. It's probably going to be quite a bit mroe involved
than i had hoped getting this all setup correctly!
I really wish i could spent the cash on paying someone else on setting
it all up, but it's hard enough getting the cash to actually pay for
radiator! ;)
The last thing I'm struggling with is accounting. I know how to set
everything up to account to files or sql, but what i cant' work out is
how to do per-hour accounting.
I'm guessing it's either something really obvious that i've missed, or
just impossible due to the way radius works?
For example, i want to be able to calculate the bandwidth usage for a
client between the hours of 0800 - 0000, when it's entirely possible
that their session will stay up for months at a time. I've currently got
the server kicking out radius accounting updates every 15 minutes, but
they seem to be rolling updates? is it possible to get a just the amount
transferred in the last 15 minutes?
Thanks,
adam.
>
> Hello Adam -
>
> We have many customers who use MySQL very successfully, and all of our
> SQL examples in the Radiator distrubution also use MySQL.
>
> There is script to set up the example MySQL schema in
> "goodies/mysqlCreate.sql".
>
> In my consulting practice I generally tend to organise things around
> functional groups based on Client clause(s) with Identifier(s).
>
> Something like this:
>
> ......
>
> # define Client clauses with Identifiers
>
> <Client 1.1.1.1>
> Identifier SomethingMeaningful
> .....
> </Client>
>
> <Client 2.2.2.2>
> Identifier SomethingMeaningful
> .....
> </Client>
>
> <Client 3.3.3.3>
> Identifier AnotherUsefulTag
> .....
> </Client>
>
> <Client 4.4.4.4>
> Identifier AnotherUsefulTag
> .....
> </Client>
>
> ......
>
> # define AuthBy clause(s) with Identfier(s)
>
> <AuthBy SQL>
> Identifier CheckDatabase
> ......
> AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
> from SUBSCRIBERS \
> where USERNAME = %0
> AuthColumnDef 0, Password, check
> AuthColumnDef 1, GENERIC, check
> AuthColumnDef 2, GENERIC, reply
> ......
> # add common reply attributes
> AddToReply ......
> ......
> </AuthBy>
>
> ......
>
> # define Handlers
>
> <Handler Client-Identifier = SomethingMeaningful>
>
> <AuthBy GROUP>
>
> AuthBy CheckDatabase
>
> AddToReply ......
>
> </AuthBy>
>
> </Handler>
>
> <Handler Client-Identifier = AnotherUsefulTag>
>
> <AuthBy GROUP>
>
> AuthBy CheckDatabase
>
> AddToReply ......
>
> </AuthBy>
>
> </Handler>
>
> .......
>
>
> Groups of reply attributes for a single user can all be specified in
> the field called "REPLYATTR" in the database.
>
> All of the common reply attributes can be specified in the AddToReply
> in the AuthBy SQL clause, and reply attributes that depend on each
> Handler can be specified in the AddToReply in the AuthBy GROUP.
>
> See section 5.29 in the Radiator 3.17.1 reference manual
> ("doc/ref.html").
>
> BTW - we are available on a contract basis for design, implementation
> and training as required.
>
> regards
>
> Hugh
>
>
>
> On 14 Aug 2007, at 21:00, Adam Armstrong wrote:
>
>> Hugh Irvine wrote:
>>>
>>> Hello Adam -
>>>
>>> Can you give us a bit more detail on your requirements?
>>>
>>> You mention a "flat file mess" - do you need to use flat files or
>>> would you prefer to use SQL or LDAP or something else?
>>>
>>> There are many example configuration files in the "goodies"
>>> directory of the Radiator 3.17.1 distribution.
>>>
>> I'd prefer to use MySQL, but it seemed like a nightmare with
>> FreeRadius. A previous employer of mine used Radiator, so i thought
>> it might be worth looking to see if Radiator could do what we want
>> somewhat more sanely.
>>
>> I initially have 2 basic type of account, a standard internet account
>> and an account which gives access to a VRF.
>>
>> First, the internet service has two types, static and dynamic, i'm
>> sure this is nothing special :)
>>
>> Dynamic like :
>>
>> test at vostron.net User-Password == "testing"
>> Tunnel-Type = L2TP,
>> Tunnel-Medium-Type = IP,
>> Tunnel-Password = BLAH,
>> Tunnel-Server-Endpoint = x.x.x.x,
>> Tunnel-Client-Auth-ID = BLAH,
>> Service-Type = Framed-User,
>> Framed-Protocol = PPP
>>
>> and static the same with the addition of IP details
>>
>> Framed-IP-Address = 89.21.240.0,
>> Framed-IP-Netmask = 255.255.255.255,
>>
>> Is there a way radiator could generate these additions of a
>> particular field in the database has a CIDR block in it or something?
>>
>> It's also possible that static customers could have one or more
>> additional subnets routed to them, which would require cisco avpairs.
>> Are there any best practices on handling that?
>>
>> VRF access accounts are a bit more complicated, and need two extra
>> cisco-avpairs to put them in the right vrf and give them the correct
>> ip unnumbered interface like this :
>>
>> blah at mpls.vostron.net User-Password == "blah"
>> Tunnel-Type = L2TP,
>> Tunnel-Medium-Type = IP,
>> Tunnel-Password = blah,
>> Tunnel-Server-Endpoint = x.x.x.x,
>> Tunnel-Client-Auth-ID = BLAH,
>> Service-Type = Framed-User,
>> Framed-Protocol = PPP,
>> Framed-IP-Address = 10.255.254.1,
>> Framed-IP-Netmask = 255.255.255.255,
>> Cisco-AVPair = "ip:dns-servers=10.10.0.1",
>> Cisco-AVPair += "ip:route=10.255.254.1 255.255.255.255",
>> Cisco-AVPair += "ip:route#1=10.1.0.0 255.255.0.0",
>> Cisco-AVPair += "ip:route#2=10.0.0.0 255.0.0.0",
>> Cisco-AVPair += "lcp:interface-config=ip vrf forwarding
>> XXXXXXXX",
>> Cisco-AVPair += "lcp:interface-config=ip unnumbered loopback
>> 60001"
>>
>> These accounts can also have a bunch of extra routes, as they're
>> often used to provide backup to a private leased line.
>>
>> The final thing i want to be able to do (that i can remember!) is to
>> pool our LNSes. For example, static and dynamic customers could get
>> assigned lns 1.1.1.1 1.1.1.2 or 1.1.1.3 in a round-robin fashion, but
>> i need to be able to lock vrf accounts to one or maybe two LNSes
>> (otherwise every VRF has to be present on every LNS, which is a pain!)
>>
>> I'm basically just looking for a sane database schema and radiator
>> config setup to handle this. An existing management interface would
>> be ace, but I doubt any exist, and i'll probably end up writing one
>> anyways!
>>
>> Kind Regards,
>> Adam Armstrong
>> Vostron Limited
>>
>>> On 14 Aug 2007, at 10:05, Adam Armstrong wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm trying to sort out an authentication for our L2TP ADSL delivery
>>>> to replace the current FreeRadius + Flat Files mess.
>>>>
>>>> Are there any front-ends out there which handle this stuff nicely?
>>>> I also need to pass the occasional extra Cisco-AVPair (for clients
>>>> in other VRFs).
>>>>
>>>> Any example Radiator configs or pointers to some decent
>>>> documentation would be great!
>>>>
>>>> Thanks,
>>>> adam.
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list