"Radius и MySQL"

"Radius и MySQL"
Сообщение от Eldagar on 27-Апр-04, 16:50  (MSK)
Вопрос. Стоит FreeRadius, все параметры пользователя при авторизации берёт из MySQL. Но ни в таблицу RADACCT, ни вообще куда-нибудь статистику по трафику не пишет. Таблица вообще девственно чистая. А вроде должен писать.
Где грабли?
Сообщения по теме

1. "Radius и MySQL"
Сообщение от Eldagar on 27-Апр-04, 17:36  (MSK)
Поправка - в каталог /var/log/radacct файлы auth-detail-20040427 и reply-detail-20040427 пишет.
Но это не то.

Radiusd.conf
##
## radiusd.conf -- FreeRADIUS server configuration file.
##

#  Installation layout.  Each ${name} reference below expands to the value
#  assigned to that name earlier in this file.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
#  With logdir = /var/log this expands to /var/log/radacct; the detail
#  module instances further down write their per-client files beneath it.
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#  Main server log.  The log_auth* settings further down decide how much
#  authentication detail ends up in this file.
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.
#

libdir = ${exec_prefix}/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#  NOTE(review): 'nobody' is commonly shared with other unprivileged
#  daemons.  The log, radutmp and detail files this server creates end up
#  owned by that shared identity, so a dedicated account for radiusd is the
#  safer choice -- confirm what else runs as 'nobody' on this host.
user = nobody
group = nobody

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  A request still being processed after this many seconds counts as
#  blocked; delete_blocked_requests below decides what happens to it.
#
max_request_time = 5

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  'no' leaves such requests alone.
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
max_requests = 1024

#  bind_address:  Make the server listen on a particular IP address, and
#  send replies out from that address.  This directive is most useful
#  on hosts that have more than one IP address.
#
#  Every NAS has to send its requests to exactly this address.
bind_address = 192.168.10.77

#  port: Allows you to bind FreeRADIUS to a specific port.
#
#  This is the authentication port.
#  NOTE(review): in this generation of FreeRADIUS the accounting listener is
#  presumably this port + 1 (1813 here) -- confirm, and check that the NAS
#  sends its Accounting-Request packets to that port.
#
port = 1812

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'
#  while debugging a problem with the server.  A core file is a copy of
#  process memory, so it can contain shared secrets and user passwords.
#
allow_core_dumps = no

#  Regular expressions
#
#  Both plain and extended regular-expression matching are switched on.
regular_expressions = yes
extended_expressions = yes

#  Log the full User-Name attribute, as it was found in the request.
#
log_stripped_names = yes

#  Log authentication requests to the log file.
#
log_auth = yes

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
#  NOTE(review): with log_auth_badpass = yes every rejected password is
#  written in clear text to log_file.  Rejected passwords are frequently a
#  typo of the real one or a password the user has on another system, so
#  treat radius.log as sensitive (tight file mode, restricted log shipping)
#  or switch this off once troubleshooting is finished.
log_auth_badpass = yes
log_auth_goodpass = no

# usercollide:  Turn "username collision" code on and off.  See the
# "doc/duplicate-users" file
#
usercollide = no

# lower_user / lower_pass:
#  Lower-case the user name / password before it is checked.
#  NOTE(review): the stock file documents the allowed values as
#  {no, before, after}; 'yes' may not be recognised -- confirm against the
#  installed version.
lower_user = yes
lower_pass = no

# nospace_user / nospace_pass:
#  Strip spaces from the user name / password.
#  NOTE(review): same value question as lower_user above -- confirm that
#  'yes' is accepted.
#
nospace_user = yes
nospace_pass = no

#  The program to execute to do concurrency checks.
#  Expands to /usr/local/sbin/checkrad with the paths defined at the top.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks
#
#  max_attributes: upper bound on the number of attributes accepted in one
#  RADIUS packet; it limits the work an oversized request can cause.
#  reject_delay:   seconds to wait before an Access-Reject is sent, which
#  slows down password guessing.
#  status_server:  'no' means Status-Server requests are not answered.
security {
max_attributes = 200
reject_delay = 1
status_server = no
}

# PROXY CONFIGURATION
#
#  Proxying is enabled; the proxy settings are read from proxy.conf in
#  confdir (not shown on this page).
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf


# CLIENTS CONFIGURATION
#
#  clients.conf lists the NAS devices allowed to talk to this server
#  together with their shared secrets (file not shown on this page).
#  NOTE(review): the shared secrets are stored in clear text, so the file
#  should be readable only by the account radiusd runs as.
$INCLUDE  ${confdir}/clients.conf


# SNMP CONFIGURATION
#
#  SNMP support is switched off; snmp.conf is still included.
snmp = no
$INCLUDE  ${confdir}/snmp.conf


# THREAD POOL CONFIGURATION
#
#  Sizing of the pool of request-handling threads.
thread pool {
#  Number of servers to start initially --- should be a reasonable
#  ballpark figure.
start_servers = 2

#  Upper limit on the number of threads in the pool.
max_servers = 10

#  The pool is kept between these two numbers of idle threads.
min_spare_servers = 2
max_spare_servers = 10
#  NOTE(review): 0 presumably means a thread is never retired after a
#  fixed number of requests -- confirm against the stock file.
max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
#  A definition here does nothing by itself: a module only runs when its
#  name is listed in authorize, authenticate, preacct, accounting, session,
#  post-auth, pre-proxy or post-proxy further down.
#
modules {

# PAP module to authenticate users based on their stored password
#pap {
# encryption_scheme = crypt
#}

# CHAP module
#
#  To authenticate requests containing a CHAP-Password attribute.
#
#  Defined, but commented out in authorize and absent from authenticate
#  below, so it is not used by this configuration.
chap {
authtype = CHAP
}

# Pluggable Authentication Modules
#pam {
# pam_auth = radiusd
#}

# Unix /etc/passwd style authentication
#
#  In this file the module is referenced only from accounting, where it
#  writes the radwtmp file named here.
unix {
cache = no
cache_reload = 600

radwtmp = ${logdir}/radwtmp
}

#  Extensible Authentication Protocol
#
#  For all EAP related authentications
#  (the whole block is commented out; EAP is not configured)
#eap {
# default_eap_type = md5
# timer_expire     = 60
# md5 {
# }
# leap {
# }
#tls {
# private_key_password = password
# private_key_file = /path/filename
# certificate_file = /path/filename
# CA_file = /path/filename
# dh_file = /path/filename
# random_file = /path/filename
# fragment_size = 1024
# include_length = yes
#}


#}

# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
#  This is the only authentication method wired into authenticate below.
#  use_mppe, require_encryption and require_strong are commented out, so
#  the module's built-in defaults apply.
#  NOTE(review): MS-CHAP/MS-CHAPv2 offer weak protection against offline
#  password recovery from a captured exchange; keep the NAS-to-server path
#  on a trusted network -- confirm this fits the deployment.
mschap {
authtype = MS-CHAP
# use_mppe = no
# require_encryption = yes
# require_strong = yes
}

# Lightweight Directory Access Protocol (LDAP)
#  (commented out; the values are the sample ones, not live credentials)
#ldap {
# server = "ldap.your.domain"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
# basedn = "o=My Org,c=UA"
# filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# dictionary_mapping = ${raddbdir}/ldap.attrmap
# ldap_connections_number = 5
# password_header = "{clear}"
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# timeout = 4
# timelimit = 3
# net_timeout = 1
# compare_check_items = yes
# access_attr_used_for_allow = yes
#}

# Realm module, for proxying.

#  'realm/username'
#  (instance defined but commented out in authorize and preacct below)
realm realmslash {
format = prefix
delimiter = "/"
}

#  'username@realm'
#
#  The only realm instance actually listed in authorize and preacct.
realm suffix {
format = suffix
delimiter = "@"
}

#  'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
}

# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#  Only with_specialix_jetstream_hack is set explicitly; every other
#  option is commented out and keeps the module default.
preprocess {
# huntgroups = ${confdir}/huntgroups
# hints = ${confdir}/hints

# with_ascend_hack = no
# ascend_channels_per_line = 23

# with_ntdomain_hack = no

with_specialix_jetstream_hack = no
# with_cisco_vsa_hack = no
}

# Livingston-style 'users' file
#
#  Defined here but commented out in authorize and preacct, so the users
#  and acct_users files are not consulted.
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users

compat = no
}

# Write a detailed log of all accounting records received.
#
#  One file per client address and day (detail-YYYYMMDD) under radacctdir.
#  NOTE(review): 0644 makes these accounting records (user names, session
#  ids, addresses) readable by every local account, while the auth_log and
#  reply_log instances below use 0600 -- consider the same mode here.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0644
}


#  Second detail instance, listed in authorize below, so it records each
#  incoming Access-Request in auth-detail-YYYYMMDD.
#  NOTE(review): the request attributes are written as received; depending
#  on the authentication method this may include password material, so the
#  0600 mode matters -- also check who can read the directory itself.
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
}

#  Third detail instance, listed in post-auth below; it writes the
#  reply-detail-YYYYMMDD files.
detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
detailperm = 0600
}

#  Attributes that are combined into a unique id for an accounting session.
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
}


#  Pulls in the definition of the 'sql' module referenced in authorize,
#  accounting and session below.  The file is not shown on this page, so
#  what it writes to the database cannot be judged from here.
#  NOTE(review): sql.conf normally carries the database login and password
#  in clear text; keep it readable only by the account radiusd runs as.
$INCLUDE  ${confdir}/sql.conf

#  Session file of currently logged-in users, with caller id and readable
#  by its owner only (0600).
radutmp {

filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}

#  Second radutmp instance: mode 0644 and caller id switched off.  It is
#  commented out in accounting below, so the file is not maintained.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}

#  Attribute filter rules are read from the attrs file in confdir; the
#  module is commented out wherever it is referenced below.
attr_filter {
attrsfile = ${confdir}/attrs
}

#  counter module:
#
#  Adds up Acct-Session-Time per User-Name with a daily reset.  The
#  instance is commented out in accounting below.
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}

# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}

}

# Instantiation
#
#  Modules listed here are loaded at start-up even though no processing
#  section names them; only 'expr' is listed.
instantiate {
expr
}

#  Authorization.
#  Runs for every Access-Request, in the order listed: preprocess, auth_log
#  (writes the auth-detail file), suffix (realm handling), mschap, and sql
#  (the instance defined in sql.conf).  The commented-out names are skipped.
authorize {
preprocess
auth_log
# chap
# attr_filter
# eap
# digest
# realmslash
suffix
# files
# etc_smbpasswd
mschap
sql
}


# Authentication.
#  MS-CHAP is the only Auth-Type with a handler in this section; 'unix' is
#  commented out.
#  NOTE(review): a request using another method appears to have no handler
#  listed here -- confirm that this is intended.
authenticate {
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
# unix
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
#  Runs before the accounting section: preprocess, then the 'suffix' realm
#  instance.  realmslash and files are commented out.
preacct {
preprocess

# realmslash
suffix
# files
}

#
#  Accounting.  Log the accounting data.
#
#  The modules listed here handle each accounting request in the order
#  given.  'detail' writes the detail-YYYYMMDD files under radacctdir and
#  'sql' passes the record to the instance defined in sql.conf.
#  NOTE(review): if no detail-YYYYMMDD file shows up for a client either,
#  the request is probably not reaching this section at all, which points
#  at the NAS accounting settings (server address, port, shared secret)
#  rather than at the database.  What the sql instance writes depends on
#  sql.conf, which is not shown here.
accounting {
acct_unique
detail
# daily
unix # wtmp file
radutmp
# sradutmp
sql
# main_pool
}

#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
#  Only 'sql' is active here, so the Simultaneous-Use check presumably
#  relies on the session rows the sql module writes during accounting --
#  confirm against sql.conf.
session {
# radutmp
sql
}

#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
#  Here the only step is reply_log, the detail instance that writes the
#  reply-detail-YYYYMMDD files.
post-auth {
# main_pool
reply_log
}

#
#  Pre-proxy: modules to run before a request is proxied to another
#  server.  Nothing is active; attr_rewrite is commented out.
pre-proxy {
# attr_rewrite
}
#
#  Post-proxy: modules to run on the reply received from a proxied
#  request.  Nothing is active; every entry is commented out.
post-proxy {
#
# attr_rewrite
# attr_filter
# eap
}



2. "Radius и MySQL"
Сообщение от Nightman on 28-Апр-04, 08:23  (MSK)
<skip>
sql.conf правил?
запускай radiusd -X