Freeradius Simultaneous-UseFermé

Question

Bonjour, 
J'ai installer freeradius+mysql+daloradius tout marche bien sauf l'option
simultaneous-use. Sans cette option un login peut être utilisé simultanément. Ce qui me pose problème. 
Que dois-je faire?

mamiemando · Answer

Bonjour,

Je ne connais pas freeradius, mais ce qui est sûr c'est que sans voir comment tu as utilisé cette option dans ton fichier de configuration, on ne pourra pas vraiment te répondre. Dans l'intervalle, je te renvoie à ce lien pour vérifier que tu l'as utilisée correctement.

Bonne chance

Aeros · Answer

Voici les détails de ma configuration: AP: Ubiquiti nanostation M2, authentification et accounting Activé Nas type: other /etc/freeradius/3.0/mods-available/sql # -*- text -*- ## ## mods-available/sql -- SQL modules ## ## $Id: 7e9eee03c58bab67206ec10249db79ebbc0baa3c $ ###################################################################### # # Configuration for the SQL module # # The database schemas and queries are located in subdirectories: # # sql//main/schema.sql Schema # sql//main/queries.conf Authorisation and Accounting queries # # Where "DB" is mysql, mssql, oracle, or postgresql. # # The name used to query SQL is sql_user_name, which is set in the file # # raddb/mods-config/sql/main/${dialect}/queries.conf # # If you are using realms, that configuration should be changed to use # the Stripped-User-Name attribute. See the comments around sql_user_name # for more information. # sql { # # The dialect of SQL being used. # # Allowed dialects are: # # mssql # mysql # oracle # postgresql # sqlite # mongo # dialect = "mysql" # # The driver module used to execute the queries. Since we # don't know which SQL drivers are being used, the default is # "rlm_sql_null", which just logs the queries to disk via the # "logfile" directive, below. # # In order to talk to a real database, delete the next line, # and uncomment the one after it. # # If the dialect is "mssql", then the driver should be set to # one of the following values, depending on your system: # # rlm_sql_db2 # rlm_sql_firebird # rlm_sql_freetds # rlm_sql_iodbc # rlm_sql_unixodbc # # driver = "rlm_sql_null" driver = "rlm_sql_${dialect}" # # Driver-specific subsections. They will only be loaded and # used if "driver" is something other than "rlm_sql_null". # When a real driver is used, the relevant driver # configuration section is loaded, and all other driver # configuration sections are ignored. # sqlite { # Path to the sqlite database filename = "/tmp/freeradius.db" # How long to wait for write locks on the database to be # released (in ms) before giving up. busy_timeout = 200 # If the file above does not exist and bootstrap is set # a new database file will be created, and the SQL statements # contained within the bootstrap file will be executed. bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql" } mysql { # If any of the files below are set, TLS encryption is enabled tls { # ca_file = "/etc/ssl/certs/my_ca.crt" # ca_path = "/etc/ssl/certs/" # certificate_file = "/etc/ssl/certs/private/client.crt" # private_key_file = "/etc/ssl/certs/private/client.key" # cipher = "DHE-RSA-AES256-SHA:AES128-SHA" tls_required = no tls_check_cert = no tls_check_cert_cn = no } # If yes, (or auto and libmysqlclient reports warnings are # available), will retrieve and log additional warnings from # the server if an error has occured. Defaults to 'auto' warnings = auto } postgresql { # unlike MySQL, which has a tls{} connection configuration, postgresql # uses its connection parameters - see the radius_db option below in # this file # Send application_name to the postgres server # Only supported in PG 9.0 and greater. Defaults to no. send_application_name = yes } # # Configuration for Mongo. # # Note that the Mongo driver is experimental. The FreeRADIUS developers # are unable to help with the syntax of the Mongo queries. Please see # the Mongo documentation for that syntax. # # The Mongo driver supports only the following methods: # # aggregate # findAndModify # findOne # insert # # For examples, see the query files: # # raddb/mods-config/sql/main/mongo/queries.conf # raddb/mods-config/sql/main/ippool/queries.conf # mongo { # # The application name to use. # appname = "freeradius" # # The TLS parameters here map directly to the Mongo TLS configuration # tls { certificate_file = /path/to/file certificate_password = "password" ca_file = /path/to/file ca_dir = /path/to/directory crl_file = /path/to/file weak_cert_validation = false allow_invalid_hostname = false } } # Connection info: # server = "localhost" port = 3306 login = "freeradius" password = "kamini123" # Connection info for Mongo # Authentication Without SSL # server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false" # Authentication With SSL # server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true" # Authentication with Certificate # Use this command for retrieve Derived username: # openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253 # server = mongodb://@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509 # Database table configuration for everything except Oracle radius_db = "radius" # If you are using Oracle then use this instead # radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))" # If you're using postgresql this can also be used instead of the connection info parameters # radius_db = "dbname=radius host=localhost user=radius password=raddpass" # Postgreql doesn't take tls{} options in its module config like mysql does - if you want to # use SSL connections then use this form of connection info parameter # radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt" # If you want both stop and start records logged to the # same SQL table, leave this as is. If you want them in # different tables, put the start table in acct_table1 # and stop table in acct_table2 acct_table1 = "radacct" acct_table2 = "radacct" # Allow for storing data after authentication postauth_table = "radpostauth" # Tables containing 'check' items authcheck_table = "radcheck" groupcheck_table = "radgroupcheck" # Tables containing 'reply' items authreply_table = "radreply" groupreply_table = "radgroupreply" # Table to keep group info usergroup_table = "radusergroup" # If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table. # If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table. # read_groups = yes # If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table. # If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table. # read_profiles = yes # Remove stale session if checkrad does not see a double login delete_stale_sessions = yes # Write SQL queries to a logfile. This is potentially useful for tracing # issues with authorization queries. See also "logfile" directives in # mods-config/sql/main/*/queries.conf. You can enable per-section logging # by enabling "logfile" there, or global logging by enabling "logfile" here. # # Per-section logging can be disabled by setting "logfile = ''" # logfile = ${logdir}/sqllog.sql # Set the maximum query duration and connection timeout # for rlm_sql_mysql. # query_timeout = 5 # As of version 3.0, the "pool" section has replaced the # following configuration items: # # num_sql_socks # connect_failure_retry_delay # lifetime # max_queries # # The connection pool is new for 3.0, and will be used in many # modules, for all kinds of connection-related activity. # # When the server is not threaded, the connection pool # limits are ignored, and only one connection is used. # # If you want to have multiple SQL modules re-use the same # connection pool, use "pool = name" instead of a "pool" # section. e.g. # # sql sql1 { # ... # pool { # ... # } # } # # # sql2 will use the connection pool from sql1 # sql sql2 { # ... # pool = sql1 # } # pool { # Connections to create during module instantiation. # If the server cannot create specified number of # connections during instantiation it will exit. # Set to 0 to allow the server to start without the # database being available. start = ${thread[pool].start_servers} # Minimum number of connections to keep open min = ${thread[pool].min_spare_servers} # Maximum number of connections # # If these connections are all in use and a new one # is requested, the request will NOT get a connection. # # Setting 'max' to LESS than the number of threads means # that some threads may starve, and you will see errors # like 'No connections available and at max connection limit' # # Setting 'max' to MORE than the number of threads means # that there are more connections than necessary. max = ${thread[pool].max_servers} # Spare connections to be left idle # # NOTE: Idle connections WILL be closed if "idle_timeout" # is set. This should be less than or equal to "max" above. spare = ${thread[pool].max_spare_servers} # Number of uses before the connection is closed # # 0 means "infinite" uses = 0 # The number of seconds to wait after the server tries # to open a connection, and fails. During this time, # no new connections will be opened. retry_delay = 30 # The lifetime (in seconds) of the connection lifetime = 0 # idle timeout (in seconds). A connection which is # unused for this length of time will be closed. idle_timeout = 60 # NOTE: All configuration settings are enforced. If a # connection is closed because of "idle_timeout", # "uses", or "lifetime", then the total number of # connections MAY fall below "min". When that # happens, it will open a new connection. It will # also log a WARNING message. # # The solution is to either lower the "min" connections, # or increase lifetime/idle_timeout. } # Set to 'yes' to read radius clients from the database ('nas' table) # Clients will ONLY be read on server startup. read_clients = yes # Table to keep radius client info client_table = "nas" # # The group attribute specific to this instance of rlm_sql # # This entry should be used for additional instances (sql foo {}) # of the SQL module. # group_attribute = "${.:instance}-SQL-Group" # This entry should be used for the default instance (sql {}) # of the SQL module. group_attribute = "SQL-Group" # Read database-specific queries $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf } /etc/freeradius/3.0/sites-available/default ###################################################################### # # As of 2.0.0, FreeRADIUS supports virtual hosts using the # "server" section, and configuration directives. # # Virtual hosts should be put into the "sites-available" # directory. Soft links should be created in the "sites-enabled" # directory to these files. This is done in a normal installation. # # If you are using 802.1X (EAP) authentication, please see also # the "inner-tunnel" virtual server. You will likely have to edit # that, too, for authentication to work. # # $Id: c60c0ba4c8728fac10b190dbb3b752f9df317c07 $ # ###################################################################### # # Read "man radiusd" before editing this file. See the section # titled DEBUGGING. It outlines a method where you can quickly # obtain the configuration you want, without running into # trouble. See also "man unlang", which documents the format # of this file. # # This configuration is designed to work in the widest possible # set of circumstances, with the widest possible number of # authentication methods. This means that in general, you should # need to make very few changes to this file. # # The best way to configure the server for your local system # is to CAREFULLY edit this file. Most attempts to make large # edits to this file will BREAK THE SERVER. Any edits should # be small, and tested by running the server with "radiusd -X". # Once the edits have been verified to work, save a copy of these # configuration files somewhere. (e.g. as a "tar" file). Then, # make more edits, and test, as above. # # There are many "commented out" references to modules such # as ldap, sql, etc. These references serve as place-holders. # If you need the functionality of that module, then configure # it in radiusd.conf, and un-comment the references to it in # this file. In most cases, those small changes will result # in the server being able to connect to the DB, and to # authenticate users. # ###################################################################### server default { # # If you want the server to listen on additional addresses, or on # additional ports, you can use multiple "listen" sections. # # Each section make the server listen for only one type of packet, # therefore authentication and accounting have to be configured in # different sections. # # The server ignore all "listen" section if you are using '-i' and '-p' # on the command line. # listen { # Type of packets to listen for. # Allowed values are: # auth listen for authentication packets # acct listen for accounting packets # proxy IP to use for sending proxied packets # detail Read from the detail file. For examples, see # raddb/sites-available/copy-acct-to-home-server # status listen for Status-Server packets. For examples, # see raddb/sites-available/status # coa listen for CoA-Request and Disconnect-Request # packets. For examples, see the file # raddb/sites-available/coa # type = auth # Note: "type = proxy" lets you control the source IP used for # proxying packets, with some limitations: # # * A proxy listener CANNOT be used in a virtual server section. # * You should probably set "port = 0". # * Any "clients" configuration will be ignored. # # See also proxy.conf, and the "src_ipaddr" configuration entry # in the sample "home_server" section. When you specify the # source IP address for packets sent to a home server, the # proxy listeners are automatically created. # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. # If multiple ones are listed, only the first one will # be used, and the others will be ignored. # # The configuration options accept the following syntax: # # ipv4addr - IPv4 address (e.g.192.0.2.3) # - wildcard (i.e. *) # - hostname (radius.example.com) # Only the A record for the host name is used. # If there is no A record, an error is returned, # and the server fails to start. # # ipv6addr - IPv6 address (e.g. 2001:db8::1) # - wildcard (i.e. *) # - hostname (radius.example.com) # Only the AAAA record for the host name is used. # If there is no AAAA record, an error is returned, # and the server fails to start. # # ipaddr - IPv4 address as above # - IPv6 address as above # - wildcard (i.e. *), which means IPv4 wildcard. # - hostname # If there is only one A or AAAA record returned # for the host name, it is used. # If multiple A or AAAA records are returned # for the host name, only the first one is used. # If both A and AAAA records are returned # for the host name, only the A record is used. # # ipv4addr = * # ipv6addr = * ipaddr = * # Port on which to listen. # Allowed values are: # integer port number (1812) # 0 means "use /etc/services for the proper port" port = 0 # Some systems support binding to an interface, in addition # to the IP address. This feature isn't strictly necessary, # but for sites with many IP addresses on one interface, # it's useful to say "listen on all addresses for eth0". # # If your system does not support this feature, you will # get an error if you try to use it. # # interface = eth0 # Per-socket lists of clients. This is a very useful feature. # # The name here is a reference to a section elsewhere in # radiusd.conf, or clients.conf. Having the name as # a reference allows multiple sockets to use the same # set of clients. # # If this configuration is used, then the global list of clients # is IGNORED for this "listen" section. Take care configuring # this feature, to ensure you don't accidentally disable a # client you need. # # See clients.conf for the configuration of "per_socket_clients". # # clients = per_socket_clients # # Set the default UDP receive buffer size. In most cases, # the default values set by the kernel are fine. However, in # some cases the NASes will send large packets, and many of # them at a time. It is then possible to overflow the # buffer, causing the kernel to drop packets before they # reach FreeRADIUS. Increasing the size of the buffer will # avoid these packet drops. # # recv_buff = 65536 # # Connection limiting for sockets with "proto = tcp". # # This section is ignored for other kinds of sockets. # limit { # # Limit the number of simultaneous TCP connections to the socket # # The default is 16. # Setting this to 0 means "no limit" max_connections = 16 # The per-socket "max_requests" option does not exist. # # The lifetime, in seconds, of a TCP connection. After # this lifetime, the connection will be closed. # # Setting this to 0 means "forever". lifetime = 0 # # The idle timeout, in seconds, of a TCP connection. # If no packets have been received over the connection for # this time, the connection will be closed. # # Setting this to 0 means "no timeout". # # We STRONGLY RECOMMEND that you set an idle timeout. # idle_timeout = 30 } } # # This second "listen" section is for listening on the accounting # port, too. # listen { ipaddr = * # ipv6addr = :: port = 0 type = acct # interface = eth0 # clients = per_socket_clients limit { # The number of packets received can be rate limited via the # "max_pps" configuration item. When it is set, the server # tracks the total number of packets received in the previous # second. If the count is greater than "max_pps", then the # new packet is silently discarded. This helps the server # deal with overload situations. # # The packets/s counter is tracked in a sliding window. This # means that the pps calculation is done for the second # before the current packet was received. NOT for the current # wall-clock second, and NOT for the previous wall-clock second. # # Useful values are 0 (no limit), or 100 to 10000. # Values lower than 100 will likely cause the server to ignore # normal traffic. Few systems are capable of handling more than # 10K packets/s. # # It is most useful for accounting systems. Set it to 50% # more than the normal accounting load, and you can be sure that # the server will never get overloaded # # max_pps = 0 # Only for "proto = tcp". These are ignored for "udp" sockets. # # idle_timeout = 0 # lifetime = 0 # max_connections = 0 } } # IPv6 versions of the above - read their full config to understand options listen { type = auth ipv6addr = :: # any. ::1 == localhost port = 0 # interface = eth0 # clients = per_socket_clients limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct # interface = eth0 # clients = per_socket_clients limit { # max_pps = 0 # idle_timeout = 0 # lifetime = 0 # max_connections = 0 } } # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. # # Any changes made here should also be made to the "inner-tunnel" # virtual server. # # The order of the realm modules will determine the order that # we try to find a matching realm. # # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { # # Take a User-Name, and perform some checks on it, for spaces and other # invalid characters. If the User-Name appears invalid, reject the # request. # # See policy.d/filter for the definition of the filter_username policy. # filter_username # # Some broken equipment sends passwords with embedded zeros. # i.e. the debug output will show # # User-Password = "password\000\000" # # This policy will fix it to just be "password". # # filter_password # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/mods-config/preprocess/hints' # and the 'raddb/mods-config/preprocess/huntgroups' files. preprocess # If you intend to use CUI and you require that the Operator-Name # be set for CUI generation and you want to generate CUI also # for your local clients then uncomment the operator-name # below and set the operator-name for your clients in clients.conf # operator-name # # If you want to generate CUI for some clients that do not # send proper CUI requests, then uncomment the # cui below and set "add_cui = yes" for these clients in clients.conf # cui # # If you want to have a log of authentication requests, # un-comment the following line. # auth_log # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set pap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. digest # # The WiMAX specification says that the Calling-Station-Id # is 6 octets of the MAC. This definition conflicts with # RFC 3580, and all common RADIUS practices. Un-commenting # the "wimax" module here means that it will fix the # Calling-Station-Id attribute to the normal format as # specified in RFC 3580 Section 3.21 # wimax # # Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # IPASS # # Look for realms in user@domain format suffix # ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # The EAP module returns "ok" or "updated" if it is not yet ready # to authenticate the user. The configuration below checks for # "ok", and stops processing the "authorize" section if so. # # Any LDAP and/or SQL servers will not be queried for the # initial set of packets that go back and forth to set up # TTLS or PEAP. # # The "updated" check is commented out for compatibility with # previous versions of this configuration, but you may wish to # uncomment it as well; this will further reduce the number of # LDAP and/or SQL queries for TTLS or PEAP. # eap { ok = return # updated = return } # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # mods-available/passwd module. # # unix # # Read the 'users' file. In v3, this is located in # raddb/mods-config/files/authorize files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in mods-available/sql -sql # # If you are using /etc/smbpasswd, and are also doing # mschap authentication, the un-comment this line, and # configure the 'smbpasswd' module. # smbpasswd # # The ldap module reads passwords from the LDAP database. -ldap # # Enforce daily limits on time spent logged in. # daily # expiration logintime # # If no other module has claimed responsibility for # authentication, then try to use PAP. This allows the # other modules listed above to add a "known good" password # to the request, and to do nothing else. The PAP module # will then see that password, and use it to do PAP # authentication. # # This module should be listed last, so that the other modules # get a chance to set Auth-Type for themselves. # pap # # If "status_server = yes", then Status-Server messages are passed # through the following section, and ONLY the following section. # This permits you to do DB queries, for example. If the modules # listed here return "fail", then NO response is sent. # # Autz-Type Status-Server { # # } } # Authentication. # # # This section lists which modules are available for authentication. # Note that it does NOT mean 'try each module in order'. It means # that a module from the 'authorize' section adds a configuration # attribute 'Auth-Type := FOO'. That authentication type is then # used to pick the appropriate module from the list below. # # In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not. # # The common reasons to set the Auth-Type attribute by hand # is to either forcibly reject the user (Auth-Type := Reject), # or to or forcibly accept the user (Auth-Type := Accept). # # Note that Auth-Type := Accept will NOT work with EAP. # # Please do not put "unlang" configurations into the "authenticate" # section. Put them in the "post-auth" section instead. That's what # the post-auth section is for. # authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # For old names, too. # mschap # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest # # Pluggable Authentication Modules. # pam # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # # We do NOT recommend using this. LDAP servers are databases. # They are NOT authentication servers. FreeRADIUS is an # authentication server, and knows what to do with authentication. # LDAP servers do not. # # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. eap # # The older configurations sent a number of attributes in # Access-Challenge packets, which wasn't strictly correct. # If you want to filter out these attributes, uncomment # the following lines. # # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # handled # override the "updated" code from attr_filter # } # } } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess # # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets # into a single 64bit counter Acct-[Input|Output]-Octets64. # # acct_counters64 # # Session start times are *implied* in RADIUS. # The NAS never sends a "start time". Instead, it sends # a start packet, *possibly* with an Acct-Delay-Time. # The server is supposed to conclude that the start time # was "Acct-Delay-Time" seconds in the past. # # The code below creates an explicit start time, which can # then be used in other modules. It will be *mostly* correct. # Any errors are due to the 1-second resolution of RADIUS, # and the possibility that the time on the NAS may be off. # # The start time is: NOW - delay - session_length # # update request { # &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" # } # # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique # # Look for IPASS-style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # # Accounting requests are generally proxied to the same # home server as authentication requests. # IPASS suffix # ntdomain # # Read the 'acct_users' file files } # # Accounting. Log the accounting data. # accounting { # Update accounting packet by adding the CUI attribute # recorded from the corresponding Access-Accept # use it only if your NAS boxes do not support CUI themselves # cui # # Create a 'detail'ed log of the packets. # Note that accounting requests which are proxied # are also logged in the detail file. detail # daily # Update the wtmp file # # If you don't use "radlast", you can delete this line. unix # # For Simultaneous-Use tracking. # # Due to packet losses in the network, the data here # may be incorrect. There is little we can do about it. radutmp # sradutmp # Return an address to the IP Pool when we see a stop record. # sqlippool # # Log traffic to an SQL database. # # See "Accounting queries" in mods-available/sql -sql # # If you receive stop packets with zero session length, # they will NOT be logged in the database. The SQL module # will print a message (only in debugging mode), and will # return "noop". # # You can ignore these packets by uncommenting the following # three lines. Otherwise, the server will not respond to the # accounting request, and the NAS will retransmit. # # if (noop) { # ok # } # Cisco VoIP specific bulk accounting # pgsql-voip # For Exec-Program and Exec-Program-Wait exec # Filter attributes from the accounting response. attr_filter.accounting_response # # See "Autz-Type Status-Server" for how this works. # # Acct-Type Status-Server { # # } } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { # radutmp # # See "Simultaneous Use Checking Queries" in mods-available/sql sql } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { # # If you need to have a State attribute, you can # add it here. e.g. for later CoA-Request with # State, and Service-Type = Authorize-Only. # # if (!&reply:State) { # update reply { # State := "0x%{randstr:16h}" # } # } # # For EAP-TTLS and PEAP, add the cached attributes to the reply. # The "session-state" attributes are automatically cached when # an Access-Challenge is sent, and automatically retrieved # when an Access-Request is received. # # The session-state attributes are automatically deleted after # an Access-Reject or Access-Accept is sent. # # If both session-state and reply contain a User-Name attribute, remove # the one in the reply if it is just a copy of the one in the request, so # we don't end up with two User-Name attributes. if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } # Refresh leases when we see a start or alive. Return an address to # the IP Pool when we see a stop record. # sqlippool # Create the CUI value and add the attribute to Access-Accept. # Uncomment the line below if *returning* the CUI. # cui # Create empty accounting session to make simultaneous check # more robust. See the accounting queries configuration in # raddb/mods-config/sql/main/*/queries.conf for details. # # The "sql_session_start" policy is defined in # raddb/policy.d/accounting. See that file for more details. # sql_session_start # # If you want to have a log of authentication replies, # un-comment the following line, and enable the # 'detail reply_log' module. # reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in mods-available/sql -sql # # Un-comment the following if you want to modify the user's object # in LDAP after a successful login. # # ldap # For Exec-Program and Exec-Program-Wait exec # # Calculate the various WiMAX keys. In order for this to work, # you will need to define the WiMAX NAI, usually via # # update request { # &WiMAX-MN-NAI = "%{User-Name}" # } # # If you want various keys to be calculated, you will need to # update the reply with "template" values. The module will see # this, and replace the template values with the correct ones # taken from the cryptographic calculations. e.g. # # update reply { # &WiMAX-FA-RK-Key = 0x00 # &WiMAX-MSK = "%{reply:EAP-MSK}" # } # # You may want to delete the MS-MPPE-*-Keys from the reply, # as some WiMAX clients behave badly when those attributes # are included. See "raddb/modules/wimax", configuration # entry "delete_mppe_keys" for more information. # # wimax # If there is a client certificate (EAP-TLS, sometimes PEAP # and TTLS), then some attributes are filled out after the # certificate verification has been performed. These fields # MAY be available during the authentication, or they may be # available only in the "post-auth" section. # # The first set of attributes contains information about the # issuing certificate which is being used. The second # contains information about the client certificate (if # available). # # update reply { # Reply-Message += "%{TLS-Cert-Serial}" # Reply-Message += "%{TLS-Cert-Expiration}" # Reply-Message += "%{TLS-Cert-Subject}" # Reply-Message += "%{TLS-Cert-Issuer}" # Reply-Message += "%{TLS-Cert-Common-Name}" # Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" # # Reply-Message += "%{TLS-Client-Cert-Serial}" # Reply-Message += "%{TLS-Client-Cert-Expiration}" # Reply-Message += "%{TLS-Client-Cert-Subject}" # Reply-Message += "%{TLS-Client-Cert-Issuer}" # Reply-Message += "%{TLS-Client-Cert-Common-Name}" # Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" # } # Insert class attribute (with unique value) into response, # aids matching auth and acct records, and protects against duplicate # Acct-Session-Id. Note: Only works if the NAS has implemented # RFC 2865 behaviour for the class attribute, AND if the NAS # supports long Class attributes. Many older or cheap NASes # only support 16-octet Class attributes. # insert_acct_class # MacSEC requires the use of EAP-Key-Name. However, we don't # want to send it for all EAP sessions. Therefore, the EAP # modules put required data into the EAP-Session-Id attribute. # This attribute is never put into a request or reply packet. # # Uncomment the next few lines to copy the required data into # the EAP-Key-Name attribute # if (&reply:EAP-Session-Id) { # update reply { # EAP-Key-Name := &reply:EAP-Session-Id # } # } # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir = yes' in the ldap module configuration # # The "session-state" attributes are not available here. # Post-Auth-Type REJECT { # log failed authentications in SQL, too. -sql attr_filter.access_reject # Insert EAP-Failure message if the request was # rejected by policy instead of because of an # authentication failure eap # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap } # # Filter access challenges. # Post-Auth-Type Challenge { # remove_reply_message_if_eap # attr_filter.access_challenge.post-auth } } # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide to # cancel the proxy. # # Only a few modules currently have this method. # pre-proxy { # Before proxing the request add an Operator-Name attribute identifying # if the operator-name is found for this client. # No need to uncomment this if you have already enabled this in # the authorize section. # operator-name # The client requests the CUI by sending a CUI attribute # containing one zero byte. # Uncomment the line below if *requesting* the CUI. # cui # Uncomment the following line if you want to change attributes # as defined in the preproxy_users file. # files # Uncomment the following line if you want to filter requests # sent to remote servers based on the rules defined in the # 'attrs.pre-proxy' file. # attr_filter.pre-proxy # If you want to have a log of packets proxied to a home # server, un-comment the following line, and the # 'detail pre_proxy_log' section, above. # pre_proxy_log } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { # If you want to have a log of replies from a home server, # un-comment the following line, and the 'detail post_proxy_log' # section, above. # post_proxy_log # Uncomment the following line if you want to filter replies from # remote proxies based on the rules defined in the 'attrs' file. # attr_filter.post-proxy # # If you are proxying LEAP, you MUST configure the EAP # module, and you MUST list it here, in the post-proxy # stage. # # You MUST also use the 'nostrip' option in the 'realm' # configuration. Otherwise, the User-Name attribute # in the proxied request will not match the user name # hidden inside of the EAP packet, and the end server will # reject the EAP request. # eap # # If the server tries to proxy a request and fails, then the # request is processed through the modules in this section. # # The main use of this section is to permit robust proxying # of accounting packets. The server can be configured to # proxy accounting packets as part of normal processing. # Then, if the home server goes down, accounting packets can # be logged to a local "detail" file, for processing with # radrelay. When the home server comes back up, radrelay # will read the detail file, and send the packets to the # home server. # # See the "mods-available/detail.example.com" file for more # details on writing a detail file specifically for one # destination. # # See the "sites-available/robust-proxy-accounting" virtual # server for more details on reading this "detail" file. # # With this configuration, the server always responds to # Accounting-Requests from the NAS, but only writes # accounting packets to disk if the home server is down. # # Post-Proxy-Type Fail-Accounting { # detail.example.com # } } } /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf # -*- text -*- # # main/mysql/queries.conf-- MySQL configuration for default schema (schema.sql) # # $Id: 51560a71ed819a95bc0f5ccc352efe69e374f7c5 $ # Use the driver specific SQL escape method. # # If you enable this configuration item, the "safe_characters" # configuration is ignored. FreeRADIUS then uses the MySQL escape # functions to escape input strings. The only downside to making this # change is that the MySQL escaping method is not the same the one # used by FreeRADIUS. So characters which are NOT in the # "safe_characters" list will now be stored differently in the database. # #auto_escape = yes # Safe characters list for sql queries. Everything else is replaced # with their mime-encoded equivalents. # The default list should be ok # Using 'auto_escape' is preferred safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" ####################################################################### # Connection config ####################################################################### # The character set is not configurable. The default character set of # the mysql client library is used. To control the character set, # create/edit my.cnf (typically in /etc/mysql/my.cnf or /etc/my.cnf) # and enter # [client] # default-character-set = utf8 # ####################################################################### # Query config: Username ####################################################################### # This is the username that will get substituted, escaped, and added # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below # everywhere a username substitution is needed so you you can be sure # the username passed from the client is escaped properly. # # Uncomment the next line, if you want the sql_user_name to mean: # # Use Stripped-User-Name, if it's there. # Else use User-Name, if it's there, # Else use hard-coded string "DEFAULT" as the user name. #sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" # sql_user_name = "%{User-Name}" ####################################################################### # Query config: Event-Timestamp ####################################################################### # event_timestamp_epoch is the basis for the time inserted into # accounting records. Typically this will be the Event-Timestamp of the # accounting request, which is usually provided by a NAS. # # Uncomment the next line, if you want the timestamp to be based on the # request reception time recorded by this server, for example if you # distrust the provided Event-Timestamp. #event_timestamp_epoch = "%l" event_timestamp_epoch = "%{%{integer:Event-Timestamp}:-%l}" # event_timestamp is the SQL snippet for converting an epoch timestamp # to an SQL date. event_timestamp = "FROM_UNIXTIME(${event_timestamp_epoch})" ####################################################################### # Default profile ####################################################################### # This is the default profile. It is found in SQL by group membership. # That means that this profile must be a member of at least one group # which will contain the corresponding check and reply items. # This profile will be queried in the authorize section for every user. # The point is to assign all users a default profile without having to # manually add each one to a group that will contain the profile. # The SQL module will also honor the User-Profile attribute. This # attribute can be set anywhere in the authorize section (ie the users # file). It is found exactly as the default profile is found. # If it is set then it will *overwrite* the default profile setting. # The idea is to select profiles based on checks on the incoming packets, # not on user group membership. For example: # -- users file -- # DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" # DEFAULT Service-Type == Framed-User, User-Profile := "framed" # # By default the default_user_profile is not set # default_user_profile = "DEFAULT" ####################################################################### # NAS Query ####################################################################### # This query retrieves the radius clients # # 0. Row ID (currently unused) # 1. Name (or IP address) # 2. Shortname # 3. Type # 4. Secret # 5. Server ####################################################################### client_query = "\ SELECT id, nasname, shortname, type, secret, server \ FROM ${client_table}" ####################################################################### # Authorization Queries ####################################################################### # These queries compare the check items for the user # in ${authcheck_table} and setup the reply items in # ${authreply_table}. You can use any query/tables # you want, but the return data for each row MUST # be in the following order: # # 0. Row ID (currently unused) # 1. UserName/GroupName # 2. Item Attr Name # 3. Item Attr Value # 4. Item Attr Operation ####################################################################### # Use these for case sensitive usernames. #authorize_check_query = "\ # SELECT id, username, attribute, value, op \ # FROM ${authcheck_table} \ # WHERE username = BINARY '%{SQL-User-Name}' \ # ORDER BY id" #authorize_reply_query = "\ # SELECT id, username, attribute, value, op \ # FROM ${authreply_table} \ # WHERE username = BINARY '%{SQL-User-Name}' \ # ORDER BY id" # # The default queries are case insensitive. (for compatibility with # older versions of FreeRADIUS) # authorize_check_query = "\ SELECT id, username, attribute, value, op \ FROM ${authcheck_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id" authorize_reply_query = "\ SELECT id, username, attribute, value, op \ FROM ${authreply_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id" # # Use these for case sensitive usernames. # #group_membership_query = "\ # SELECT groupname \ # FROM ${usergroup_table} \ # WHERE username = BINARY '%{SQL-User-Name}' \ # ORDER BY priority" group_membership_query = "\ SELECT groupname \ FROM ${usergroup_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY priority" authorize_group_check_query = "\ SELECT id, groupname, attribute, \ Value, op \ FROM ${groupcheck_table} \ WHERE groupname = '%{${group_attribute}}' \ ORDER BY id" authorize_group_reply_query = "\ SELECT id, groupname, attribute, \ value, op \ FROM ${groupreply_table} \ WHERE groupname = '%{${group_attribute}}' \ ORDER BY id" ####################################################################### # Simultaneous Use Checking Queries ####################################################################### # simul_count_query - query for the number of current connections # - If this is not defined, no simultaneous use checking # - will be performed by this module instance # simul_verify_query - query to return details of current connections # for verification # - Leave blank or commented out to disable verification step # - Note that the returned field order should not be changed. ####################################################################### simul_count_query = "\ SELECT COUNT(*) \ FROM ${acct_table1} \ WHERE username = '%{SQL-User-Name}' \ AND acctstoptime IS NULL" simul_verify_query = "\ SELECT \ radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, \ callingstationid, framedprotocol \ FROM ${acct_table1} \ WHERE username = '%{SQL-User-Name}' \ AND acctstoptime IS NULL" ####################################################################### # Accounting and Post-Auth Queries ####################################################################### # These queries insert/update accounting and authentication records. # The query to use is determined by the value of 'reference'. # This value is used as a configuration path and should resolve to one # or more 'query's. If reference points to multiple queries, and a query # fails, the next query is executed. # # Behaviour is identical to the old 1.x/2.x module, except we can now # fail between N queries, and query selection can be based on any # combination of attributes, or custom 'Acct-Status-Type' values. ####################################################################### accounting { reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}" # Write SQL queries to a logfile. This is potentially useful for bulk inserts # when used with the rlm_sql_null driver. # logfile = ${logdir}/accounting.sql column_list = "\ acctsessionid, acctuniqueid, username, \ realm, nasipaddress, nasportid, \ nasporttype, acctstarttime, acctupdatetime, \ acctstoptime, acctsessiontime, acctauthentic, \ connectinfo_start, connectinfo_stop, acctinputoctets, \ acctoutputoctets, calledstationid, callingstationid, \ acctterminatecause, servicetype, framedprotocol, \ framedipaddress, framedipv6address, framedipv6prefix, \ framedinterfaceid, delegatedipv6prefix" type { accounting-on { # # Bulk terminate all sessions associated with a given NAS # query = "\ UPDATE ${....acct_table1} \ SET \ acctstoptime = ${....event_timestamp}, \ acctsessiontime = '${....event_timestamp_epoch}' \ - UNIX_TIMESTAMP(acctstarttime), \ acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' \ WHERE acctstoptime IS NULL \ AND nasipaddress = '%{NAS-IP-Address}' \ AND acctstarttime <= ${....event_timestamp}" } accounting-off { query = "${..accounting-on.query}" } # # Implement the "sql_session_start" policy. # See raddb/policy.d/accounting for more details. # # You also need to fix the other queries as # documented below. Look for "sql_session_start". # post-auth { query = "\ INSERT INTO ${....acct_table1} \ (${...column_list}) \ VALUES(\ '%{Acct-Session-Id}', \ '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ '%{Realm}', \ '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \ NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), \ '%{NAS-Port-Type}', \ ${....event_timestamp}, \ NULL, \ NULL, \ 0, \ '', \ '%{Connect-Info}', \ NULL, \ 0, \ 0, \ '%{Called-Station-Id}', \ '%{Calling-Station-Id}', \ '', \ '%{Service-Type}', \ NULL, \ '', \ '', \ '', \ '', \ '')" query = "\ UPDATE ${....acct_table1} SET \ AcctStartTime = ${....event_timestamp}, \ AcctUpdateTime = ${....event_timestamp}, \ ConnectInfo_start = '%{Connect-Info}', \ AcctSessionId = '%{Acct-Session-Id}' \ WHERE UserName = '%{SQL-User-Name}' \ AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ AND NASPortType = '%{NAS-Port-Type}' \ AND AcctStopTime IS NULL" } start { # # Insert a new record into the sessions table # query = "\ INSERT INTO ${....acct_table1} \ (${...column_list}) \ VALUES \ ('%{Acct-Session-Id}', \ '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ '%{Realm}', \ '%{NAS-IP-Address}', \ '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ '%{NAS-Port-Type}', \ ${....event_timestamp}, \ ${....event_timestamp}, \ NULL, \ '0', \ '%{Acct-Authentic}', \ '%{Connect-Info}', \ '', \ '0', \ '0', \ '%{Called-Station-Id}', \ '%{Calling-Station-Id}', \ '', \ '%{Service-Type}', \ '%{Framed-Protocol}', \ '%{Framed-IP-Address}', \ '%{Framed-IPv6-Address}', \ '%{Framed-IPv6-Prefix}', \ '%{Framed-Interface-Id}', \ '%{Delegated-IPv6-Prefix}')" # # When using "sql_session_start", you should comment out # the previous query, and enable this one. # # Just change the previous query to "-query", # and this one to "query". The previous one # will be ignored, and this one will be # enabled. # -query = "\ UPDATE ${....acct_table1} \ SET \ AcctSessionId = '%{Acct-Session-Id}', \ AcctUniqueId = '%{Acct-Unique-Session-Id}', \ AcctAuthentic = '%{Acct-Authentic}', \ ConnectInfo_start = '%{Connect-Info}', \ ServiceType = '%{Service-Type}', \ FramedProtocol = '%{Framed-Protocol}', \ framedipaddress = '%{Framed-IP-Address}', \ framedipv6address = '%{Framed-IPv6-Address}', \ framedipv6prefix = '%{Framed-IPv6-Prefix}', \ framedinterfaceid = '%{Framed-Interface-Id}', \ delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ AcctStartTime = ${....event_timestamp}, \ AcctUpdateTime = ${....event_timestamp} \ WHERE UserName = '%{SQL-User-Name}' \ AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ AND NASPortType = '%{NAS-Port-Type}' \ AND AcctStopTime IS NULL" # # Key constraints prevented us from inserting a new session, # use the alternate query to update an existing session. # query = "\ UPDATE ${....acct_table1} SET \ acctstarttime = ${....event_timestamp}, \ acctupdatetime = ${....event_timestamp}, \ connectinfo_start = '%{Connect-Info}' \ WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } interim-update { # # Update an existing session and calculate the interval # between the last data we received for the session and this # update. This can be used to find stale sessions. # query = "\ UPDATE ${....acct_table1} \ SET \ acctupdatetime = (@acctupdatetime_old:=acctupdatetime), \ acctupdatetime = ${....event_timestamp}, \ acctinterval = ${....event_timestamp_epoch} - \ UNIX_TIMESTAMP(@acctupdatetime_old), \ framedipaddress = '%{Framed-IP-Address}', \ framedipv6address = '%{Framed-IPv6-Address}', \ framedipv6prefix = '%{Framed-IPv6-Prefix}', \ framedinterfaceid = '%{Framed-Interface-Id}', \ delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \ acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \ << 32 | '%{%{Acct-Input-Octets}:-0}', \ acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \ << 32 | '%{%{Acct-Output-Octets}:-0}' \ WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" # # The update condition matched no existing sessions. Use # the values provided in the update to create a new session. # query = "\ INSERT INTO ${....acct_table1} \ (${...column_list}) \ VALUES \ ('%{Acct-Session-Id}', \ '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ '%{Realm}', \ '%{NAS-IP-Address}', \ '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ '%{NAS-Port-Type}', \ FROM_UNIXTIME(${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \ ${....event_timestamp}, \ NULL, \ %{%{Acct-Session-Time}:-NULL}, \ '%{Acct-Authentic}', \ '%{Connect-Info}', \ '', \ '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \ '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \ '%{Called-Station-Id}', \ '%{Calling-Station-Id}', \ '', \ '%{Service-Type}', \ '%{Framed-Protocol}', \ '%{Framed-IP-Address}', \ '%{Framed-IPv6-Address}', \ '%{Framed-IPv6-Prefix}', \ '%{Framed-Interface-Id}', \ '%{Delegated-IPv6-Prefix}')" # # When using "sql_session_start", you should comment out # the previous query, and enable this one. # # Just change the previous query to "-query", # and this one to "query". The previous one # will be ignored, and this one will be # enabled. # -query = "\ UPDATE ${....acct_table1} \ SET \ AcctSessionId = '%{Acct-Session-Id}', \ AcctUniqueId = '%{Acct-Unique-Session-Id}', \ AcctAuthentic = '%{Acct-Authentic}', \ ConnectInfo_start = '%{Connect-Info}', \ ServiceType = '%{Service-Type}', \ FramedProtocol = '%{Framed-Protocol}', \ framedipaddress = '%{Framed-IP-Address}', \ framedipv6address = '%{Framed-IPv6-Address}', \ framedipv6prefix = '%{Framed-IPv6-Prefix}', \ framedinterfaceid = '%{Framed-Interface-Id}', \ delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ AcctUpdateTime = ${....event_timestamp}, \ AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, \ AcctInputOctets = '%{%{Acct-Input-Gigawords}:-0}' \ << 32 | '%{%{Acct-Input-Octets}:-0}', \ AcctOutputOctets = '%{%{Acct-Output-Gigawords}:-0}' \ << 32 | '%{%{Acct-Output-Octets}:-0}' \ WHERE UserName = '%{SQL-User-Name}' \ AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ AND NASPortType = '%{NAS-Port-Type}' \ AND AcctStopTime IS NULL" } stop { # # Session has terminated, update the stop time and statistics. # query = "\ UPDATE ${....acct_table2} SET \ acctstoptime = ${....event_timestamp}, \ acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \ acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \ << 32 | '%{%{Acct-Input-Octets}:-0}', \ acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \ << 32 | '%{%{Acct-Output-Octets}:-0}', \ acctterminatecause = '%{Acct-Terminate-Cause}', \ connectinfo_stop = '%{Connect-Info}' \ WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" # # The update condition matched no existing sessions. Use # the values provided in the update to create a new session. # query = "\ INSERT INTO ${....acct_table2} \ (${...column_list}) \ VALUES \ ('%{Acct-Session-Id}', \ '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ '%{Realm}', \ '%{NAS-IP-Address}', \ '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ '%{NAS-Port-Type}', \ FROM_UNIXTIME(${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \ ${....event_timestamp}, \ ${....event_timestamp}, \ %{%{Acct-Session-Time}:-NULL}, \ '%{Acct-Authentic}', \ '', \ '%{Connect-Info}', \ '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \ '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \ '%{Called-Station-Id}', \ '%{Calling-Station-Id}', \ '%{Acct-Terminate-Cause}', \ '%{Service-Type}', \ '%{Framed-Protocol}', \ '%{Framed-IP-Address}', \ '%{Framed-IPv6-Address}', \ '%{Framed-IPv6-Prefix}', \ '%{Framed-Interface-Id}', \ '%{Delegated-IPv6-Prefix}')" # # When using "sql_session_start", you should comment out # the previous query, and enable this one. # # Just change the previous query to "-query", # and this one to "query". The previous one # will be ignored, and this one will be # enabled. # -query = "\ UPDATE ${....acct_table1} \ SET \ AcctSessionId = '%{Acct-Session-Id}', \ AcctUniqueId = '%{Acct-Unique-Session-Id}', \ AcctAuthentic = '%{Acct-Authentic}', \ ConnectInfo_start = '%{Connect-Info}', \ ServiceType = '%{Service-Type}', \ FramedProtocol = '%{Framed-Protocol}', \ framedipaddress = '%{Framed-IP-Address}', \ framedipv6address = '%{Framed-IPv6-Address}', \ framedipv6prefix = '%{Framed-IPv6-Prefix}', \ framedinterfaceid = '%{Framed-Interface-Id}', \ delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ AcctStopTime = ${....event_timestamp}, \ AcctUpdateTime = ${....event_timestamp}, \ AcctSessionTime = %{Acct-Session-Time}, \ AcctInputOctets = '%{%{Acct-Input-Gigawords}:-0}' \ << 32 | '%{%{Acct-Input-Octets}:-0}', \ AcctOutputOctets = '%{%{Acct-Output-Gigawords}:-0}' \ << 32 | '%{%{Acct-Output-Octets}:-0}', \ AcctTerminateCause = '%{Acct-Terminate-Cause}', \ ConnectInfo_stop = '%{Connect-Info}' \ WHERE UserName = '%{SQL-User-Name}' \ AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ AND NASPortType = '%{NAS-Port-Type}' \ AND AcctStopTime IS NULL" } # # No Acct-Status-Type == ignore the packet # accounting { query = "SELECT true" } } } ####################################################################### # Authentication Logging Queries ####################################################################### # postauth_query - Insert some info after authentication ####################################################################### post-auth { # Write SQL queries to a logfile. This is potentially useful for bulk inserts # when used with the rlm_sql_null driver. # logfile = ${logdir}/post-auth.sql query = "\ INSERT INTO ${..postauth_table} \ (username, pass, reply, authdate) \ VALUES ( \ '%{SQL-User-Name}', \ '%{%{User-Password}:-%{Chap-Password}}', \ '%{reply:Packet-Type}', \ '%S.%M')" } /etc/freeradius/3.0/mods-config/sql/main/sqlite/schema.sql ----------------------------------------------------------------------------- -- $Id: 919687de64f6074868eeff31cdfbfb01b3dbeda2 $ -- -- -- -- schema.sql rlm_sql - FreeRADIUS SQLite Module -- -- -- -- Database schema for SQLite rlm_sql module -- -- -- ----------------------------------------------------------------------------- -- Table structure for table 'radacct' CREATE TABLE IF NOT EXISTS radacct ( radacctid INTEGER PRIMARY KEY AUTOINCREMENT, acctsessionid varchar(64) NOT NULL default '', acctuniqueid varchar(32) NOT NULL default '', username varchar(64) NOT NULL default '', realm varchar(64) default '', nasipaddress varchar(15) NOT NULL default '', nasportid varchar(32) default NULL, nasporttype varchar(32) default NULL, acctstarttime datetime NULL default NULL, acctupdatetime datetime NULL default NULL, acctstoptime datetime NULL default NULL, acctinterval int(12) default NULL, acctsessiontime int(12) default NULL, acctauthentic varchar(32) default NULL, connectinfo_start varchar(50) default NULL, connectinfo_stop varchar(50) default NULL, acctinputoctets bigint(20) default NULL, acctoutputoctets bigint(20) default NULL, calledstationid varchar(50) NOT NULL default '', callingstationid varchar(50) NOT NULL default '', acctterminatecause varchar(32) NOT NULL default '', servicetype varchar(32) default NULL, framedprotocol varchar(32) default NULL, framedipaddress varchar(15) NOT NULL default '', framedipv6address varchar(45) NOT NULL default '', framedipv6prefix varchar(45) NOT NULL default '', framedinterfaceid varchar(44) NOT NULL default '', delegatedipv6prefix varchar(45) NOT NULL default '' ); CREATE UNIQUE INDEX acctuniqueid ON radacct(acctuniqueid); CREATE INDEX username ON radacct(username); CREATE INDEX framedipaddress ON radacct (framedipaddress); CREATE INDEX framedipv6address ON radacct (framedipv6address); CREATE INDEX framedipv6prefix ON radacct (framedipv6prefix); CREATE INDEX framedinterfaceid ON radacct (framedinterfaceid); CREATE INDEX delegatedipv6prefix ON radacct (delegatedipv6prefix); CREATE INDEX acctsessionid ON radacct(acctsessionid); CREATE INDEX acctsessiontime ON radacct(acctsessiontime); CREATE INDEX acctstarttime ON radacct(acctstarttime); CREATE INDEX acctinterval ON radacct(acctinterval); CREATE INDEX acctstoptime ON radacct(acctstoptime); CREATE INDEX nasipaddress ON radacct(nasipaddress); -- Table structure for table 'radcheck' CREATE TABLE IF NOT EXISTS radcheck ( id INTEGER PRIMARY KEY AUTOINCREMENT, username varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '==', value varchar(253) NOT NULL default '' ); CREATE INDEX check_username ON radcheck(username); -- -- Table structure for table 'radgroupcheck' -- CREATE TABLE IF NOT EXISTS radgroupcheck ( id INTEGER PRIMARY KEY AUTOINCREMENT, groupname varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '==', value varchar(253) NOT NULL default '' ); CREATE INDEX check_groupname ON radgroupcheck(groupname); -- -- Table structure for table 'radgroupreply' -- CREATE TABLE IF NOT EXISTS radgroupreply ( id INTEGER PRIMARY KEY AUTOINCREMENT, groupname varchar(64) NOT NULL default '', attribute varchar(64) NOT NULL default '',

Aeros · Answer

Plus clair sur pastebin

https://pastebin.com/S6f1xQQF

mamiemando · Answer

Bonjour,

Si je relis le lien que je t'ai donné, je vois :

 For SQL, after creating and populating your schema, you should execute the following statement (for MySQL, others may vary):

INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1");

... or ici dans ton schéma, rien ne semble indiquer que ces attributs existent bien dans radgroupcheck. Ensuite en lançant les commandes évoquées dans la section 3 (radwho, checkrad) tu devrais y voir plus clair. La section 4 parle aussi du script perl sous jacent qui peut être pimpé pour déboguer.

L'idéal serait aussi de chercher un tutoriel sur lequel te baser...

Bonne chance

Aeros · Answer

Bonjour,

J'ai bien ajouté:
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1");

Voici le résultat de radroupcheck et radwho:
https://pastebin.com/b81gmmU7

J'avais lu que checkrad s'utilise uniquement lorsque le nas type est différent de other. Hors je n'ai trouvé aucune information me permettent d'utiliser autre chose que other pour mon AP.

J'ai suivi ces 2 tutos: 
1-) https://bytexd.com/freeradius-ubuntu/
2-) https://www.missingremote.com/guide/2020/05/setup-freeradius-mysql-daloradius-for-dynamic-vlan-assignment-on-unifi

Malheureusement aucun ne traite de l'utilisation de Simultaneous-use.
Le seul tuto que j'ai trouvé est trop vieux avec ubuntu 14 et une vielle version de freeradius (version 2):
https://www.vpsserver.com/community/tutorials/10/setup-and-configuration-of-freeradius-mysql-on-ubuntu-14-04-64bit/

mamiemando · Answer

Bonjour,

De ce que j'ai compris, tu as défini une limite pour deux groupes (dialup et thisgroup) mais qui je présume qu'il faut assigner tes utilisateurs (e.g. tt d'après le résultat de radwho) à l'un de ces deux groupes ?

As-tu commencé à regarder dans le lien que je t'ai donné checkrad ? Merci de me reporter le contenu de ce fichier (même si je ne fais pas de perl, j'imagine qu'on pourra comprendre comment afficher les informations de débogage).

Bonne chance

Aeros · Answer

Oui c'est le cas il faut assigner les utilisateurs à l'un des groupes. On peut aussi définir Simultaneous-use en créant l'utilisateur.

Je n'arrive pas à utiliser checkrad. Je ne sais pas comment l'utiliser malgré ce que j'ai lu sur le wiki:
root@ubuntu:/home/ubuntu# checkradUsage: checkrad nas_type nas_ip nas_port login session_id

mamiemando · Answer

Bonjour,

Pour lancer checkrad :

 nas_type voir la liste décrite dans man 8 checkrad. N'oublie pas de passer l'option -d pour avoir les information de debug.
 nas_ip : l'adresse IP de ton Network Access Server (donc de ton serveur radius)
 nas_port : le port sur lequel il écoute (voir résultat de netstat -ntlp)
 login : dans ton exemple, je suppose que c'était tt ;
 session-id ; aucune idée mais la documentation dit que c'est ignoré (?!).

Bonne chance

Freeradius Simultaneous-Use

8 réponses

Discussions similaires

Newsletters