This shows you the differences between two versions of the page.
app-notes:coova-chilli-standalone [2017/02/21 13:51] fachet
app-notes:coova-chilli-standalone [2022/01/10 13:36] (current) schmitt
Line 20: | Line 20: | ||
==== Download ==== | ==== Download ==== | ||
- | * [[ ftp://share.netmodule.com/router/public/system-software/alternative/coova/| PWLAN standalone image ]] | + | * [[ https://share.netmodule.com/public/system-software/extra/hotspot/| PWLAN standalone image ]] |
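Review bot: the new https:// link to the PWLAN standalone image is still published without a checksum or signature, so an installer has no way to verify the firmware after download; add a SHA-256 (or a link to a signed manifest) next to the image link in this same bullet. Moving from ftp:// to https:// is the right direction, since the old FTP link gave no transport integrity at all.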
===== Installation ===== | ===== Installation ===== | ||
Line 27: | Line 27: | ||
- Visit the web manager and set your administration password | - Visit the web manager and set your administration password | ||
- | * After connecting your PC to the router via ethernt you should get an ip address from the 192.168.1.0/24 range. Please visit the website http://192.168.1.1:8080 and set your administration password | + | * After connecting your PC to the router via ethernt you should get an ip address from the 192.168.1.0/24 range. Please visit the website http://192.168.1.1 and set your administration password |
- WWAN Link installation | - WWAN Link installation | ||
* Please configure your WWAN Connection according to the needs of your SIM Card. If this step is successfull you will see a steady Mob1 LED on the front of the router. | * Please configure your WWAN Connection according to the needs of your SIM Card. If this step is successfull you will see a steady Mob1 LED on the front of the router. | ||
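Review bot: the edited bullet (the one now pointing at http://192.168.1.1) still carries the typos "ethernt" and "ip address", and the unchanged line below it has "successfull"; since the line is being rewritten anyway, fix them in the same change ("Ethernet", "IP address", "successful"). This step is also where the administration password is first entered, and the page describes it only over plain http://; if the web manager is reachable over HTTPS, the bullet should say so.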
Line 35: | Line 35: | ||
* Please connect to the WLAN "coovachilli" with a WLAN Client (laptop, smartphone or tablet). Depending on your client device you will get the entry page directly. In most cases you will need to request a webpage with your browser to get the entry page. On this page you need to accept the "terms of service" before you will be forwarded to the Webpage you requested. | * Please connect to the WLAN "coovachilli" with a WLAN Client (laptop, smartphone or tablet). Depending on your client device you will get the entry page directly. In most cases you will need to request a webpage with your browser to get the entry page. On this page you need to accept the "terms of service" before you will be forwarded to the Webpage you requested. | ||
- | {{ :coova1.png?nolink&600 | Hotspot service page}} | + | {{ :app-notes:coova-chilli-hotspot2.png?nolink&600 | Hotspot service page}} |
- | {{ :coova2.png?nolink&600 | Hotspot service page enabled}} | + | {{ :app-notes:coova-chilli-hotspot1.png?nolink&600 | Hotspot service page enabled}} |
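Review bot: the renamed images are mapped in reverse order of their captions: coova-chilli-hotspot2.png now carries "Hotspot service page" and coova-chilli-hotspot1.png carries "Hotspot service page enabled". Confirm this is intended and not a swapped filename, since the two screenshots read as a before/after pair.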
Line 58: | Line 58: | ||
* terms.tmpl is the landing page it self, where the user have to accept the terms of service | * terms.tmpl is the landing page it self, where the user have to accept the terms of service | ||
* login_sucess.tmpl is the success page after accepting the terms of service and will redirect the user to the page requested at the beginning. | * login_sucess.tmpl is the success page after accepting the terms of service and will redirect the user to the page requested at the beginning. | ||
- | * logo.jpg is just an example image you can exchange this as you like. | + | * coova.jpg is just an example image you can exchange this as you like. |
Every page is basicly a html page with a few lines of javascript for the redirection. You can edit them | Every page is basicly a html page with a few lines of javascript for the redirection. You can edit them | ||
as you need. | as you need. | ||
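Review bot: the changed bullet runs two statements together: "coova.jpg is just an example image you can exchange this as you like." Split it ("coova.jpg is just an example image; you can exchange it as you like."). The unchanged context around it still has "it self", "the user have to" and "basicly", and "login_sucess.tmpl" should be checked against the file name actually shipped in the image so the page matches what the user finds on the router.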
Line 68: | Line 68: | ||
first. See 4. | first. See 4. | ||
- | {{ :coova3.png?nolink&600 | Custom Landing Page enabled with example file}} | + | {{ :app-notes:coova-chilli-hotspot-browsed.png?nolink&600 | Custom Landing Page enabled with example file}} |
- | {{ :coova4.png?nolink&600 | Custom Landing Page installed}} | + | {{ :app-notes:coova-chilli-hotspot-installed.png?nolink&600 | Custom Landing Page installed}} |
==== Backend CoovaChilli Captive Portal ==== | ==== Backend CoovaChilli Captive Portal ==== | ||
+ | |||
+ | How to set up a **Backend** server: | ||
+ | |||
+ | ===== Prerequisites ===== | ||
+ | |||
+ | * Debian 8 installation | ||
+ | * CoovaChilli installation on Router (Hotspot image) | ||
+ | * Freeradius Version 2.2.5 | ||
+ | |||
+ | ===== Install Freeradius ===== | ||
+ | |||
+ | |||
+ | ''sudo apt-get install freeradius freeradius-mysql'' | ||
+ | ====== Configure freeradius MySQL tables ====== | ||
+ | |||
+ | <code sql schema.sql> | ||
+ | ########################################################################### | ||
+ | # $Id: 70d8d07b56b44bf4129d7a512a5132ca67d6cd4c $ # | ||
+ | # # | ||
+ | # schema.sql rlm_sql - FreeRADIUS SQL Module # | ||
+ | # # | ||
+ | # Database schema for MySQL rlm_sql module # | ||
+ | # # | ||
+ | # To load: # | ||
+ | # mysql -uroot -prootpass radius < schema.sql # | ||
+ | # # | ||
+ | # Mike Machado <mike@innercite.com> # | ||
+ | ########################################################################### | ||
+ | # | ||
+ | # Table structure for table 'radacct' | ||
+ | # | ||
+ | |||
+ | CREATE TABLE radacct ( | ||
+ | radacctid bigint(21) NOT NULL auto_increment, | ||
+ | acctsessionid varchar(64) NOT NULL default '', | ||
+ | acctuniqueid varchar(32) NOT NULL default '', | ||
+ | username varchar(64) NOT NULL default '', | ||
+ | groupname varchar(64) NOT NULL default '', | ||
+ | realm varchar(64) default '', | ||
+ | nasipaddress varchar(15) NOT NULL default '', | ||
+ | nasportid varchar(50) default NULL, | ||
+ | nasporttype varchar(32) default NULL, | ||
+ | acctstarttime datetime NULL default NULL, | ||
+ | acctupdatetime datetime NULL default NULL, | ||
+ | acctstoptime datetime NULL default NULL, | ||
+ | acctinterval int(12) default NULL, | ||
+ | acctsessiontime int(12) unsigned default NULL, | ||
+ | acctauthentic varchar(32) default NULL, | ||
+ | connectinfo_start varchar(50) default NULL, | ||
+ | connectinfo_stop varchar(50) default NULL, | ||
+ | acctinputoctets bigint(20) default NULL, | ||
+ | acctoutputoctets bigint(20) default NULL, | ||
+ | calledstationid varchar(50) NOT NULL default '', | ||
+ | callingstationid varchar(50) NOT NULL default '', | ||
+ | acctterminatecause varchar(32) NOT NULL default '', | ||
+ | servicetype varchar(32) default NULL, | ||
+ | framedprotocol varchar(32) default NULL, | ||
+ | framedipaddress varchar(15) NOT NULL default '', | ||
+ | acctstartdelay int(12) unsigned default NULL, | ||
+ | acctstopdelay int(12) unsigned default NULL, | ||
+ | xascendsessionsvrkey varchar(10) default NULL, | ||
+ | PRIMARY KEY (radacctid), | ||
+ | UNIQUE KEY acctuniqueid (acctuniqueid), | ||
+ | KEY username (username), | ||
+ | KEY framedipaddress (framedipaddress), | ||
+ | KEY acctsessionid (acctsessionid), | ||
+ | KEY acctsessiontime (acctsessiontime), | ||
+ | KEY acctstarttime (acctstarttime), | ||
+ | KEY acctinterval (acctinterval), | ||
+ | KEY acctstoptime (acctstoptime), | ||
+ | KEY nasipaddress (nasipaddress) | ||
+ | ) ENGINE = INNODB; | ||
+ | |||
+ | # | ||
+ | # Table structure for table 'radcheck' | ||
+ | # | ||
+ | |||
+ | CREATE TABLE radcheck ( | ||
+ | id int(11) unsigned NOT NULL auto_increment, | ||
+ | username varchar(64) NOT NULL default '', | ||
+ | attribute varchar(64) NOT NULL default '', | ||
+ | op char(2) NOT NULL DEFAULT '==', | ||
+ | value varchar(253) NOT NULL default '', | ||
+ | PRIMARY KEY (id), | ||
+ | KEY username (username(32)) | ||
+ | ) ; | ||
+ | |||
+ | # | ||
+ | # Table structure for table 'radgroupcheck' | ||
+ | # | ||
+ | |||
+ | CREATE TABLE radgroupcheck ( | ||
+ | id int(11) unsigned NOT NULL auto_increment, | ||
+ | groupname varchar(64) NOT NULL default '', | ||
+ | attribute varchar(64) NOT NULL default '', | ||
+ | op char(2) NOT NULL DEFAULT '==', | ||
+ | value varchar(253) NOT NULL default '', | ||
+ | PRIMARY KEY (id), | ||
+ | KEY groupname (groupname(32)) | ||
+ | ) ; | ||
+ | |||
+ | # | ||
+ | # Table structure for table 'radgroupreply' | ||
+ | # | ||
+ | |||
+ | CREATE TABLE radgroupreply ( | ||
+ | id int(11) unsigned NOT NULL auto_increment, | ||
+ | groupname varchar(64) NOT NULL default '', | ||
+ | attribute varchar(64) NOT NULL default '', | ||
+ | op char(2) NOT NULL DEFAULT '=', | ||
+ | value varchar(253) NOT NULL default '', | ||
+ | PRIMARY KEY (id), | ||
+ | KEY groupname (groupname(32)) | ||
+ | ) ; | ||
+ | |||
+ | # | ||
+ | # Table structure for table 'radreply' | ||
+ | # | ||
+ | |||
+ | CREATE TABLE radreply ( | ||
+ | id int(11) unsigned NOT NULL auto_increment, | ||
+ | username varchar(64) NOT NULL default '', | ||
+ | attribute varchar(64) NOT NULL default '', | ||
+ | op char(2) NOT NULL DEFAULT '=', | ||
+ | value varchar(253) NOT NULL default '', | ||
+ | PRIMARY KEY (id), | ||
+ | KEY username (username(32)) | ||
+ | ) ; | ||
+ | |||
+ | |||
+ | # | ||
+ | # Table structure for table 'radusergroup' | ||
+ | # | ||
+ | |||
+ | CREATE TABLE radusergroup ( | ||
+ | username varchar(64) NOT NULL default '', | ||
+ | groupname varchar(64) NOT NULL default '', | ||
+ | priority int(11) NOT NULL default '1', | ||
+ | KEY username (username(32)) | ||
+ | ) ; | ||
+ | |||
+ | # | ||
+ | # Table structure for table 'radpostauth' | ||
+ | # | ||
+ | |||
+ | CREATE TABLE radpostauth ( | ||
+ | id int(11) NOT NULL auto_increment, | ||
+ | username varchar(64) NOT NULL default '', | ||
+ | pass varchar(64) NOT NULL default '', | ||
+ | reply varchar(32) NOT NULL default '', | ||
+ | authdate timestamp NOT NULL, | ||
+ | PRIMARY KEY (id) | ||
+ | ) ENGINE = INNODB; | ||
+ | |||
+ | # | ||
+ | # Table structure for table 'nas' | ||
+ | # | ||
+ | CREATE TABLE nas ( | ||
+ | id int(10) NOT NULL auto_increment, | ||
+ | nasname varchar(128) NOT NULL, | ||
+ | shortname varchar(32), | ||
+ | type varchar(30) DEFAULT 'other', | ||
+ | ports int(5), | ||
+ | secret varchar(60) DEFAULT 'secret' NOT NULL, | ||
+ | server varchar(64), | ||
+ | community varchar(50), | ||
+ | description varchar(200) DEFAULT 'RADIUS Client', | ||
+ | PRIMARY KEY (id), | ||
+ | KEY nasname (nasname) | ||
+ | ); | ||
+ | |||
+ | </code> | ||
+ | |||
+ | Create radius database | ||
+ | '' mysqladmin -u root -p[MYSQL_ROOT_PASSWORD] create radius'' | ||
+ | |||
+ | Generate database tables using MySQL schema: | ||
+ | ''sudo schema.sql | mysql -u root -p[MYSQL_ROOT_PASSWORD] radius'' | ||
+ | |||
+ | Create MySQL radius user and set privileges on radius database: | ||
+ | ''mysql -u root -p[MYSQL_ROOT_PASSWORD] radius | ||
+ | GRANT ALL PRIVILEGES ON radius.* to [FREERADIUS_DB_USER]@localhost IDENTIFIED by '[FREERADIUS_DB_PASS]';'' | ||
+ | |||
+ | |||
+ | ====== Configure Freeradius ====== | ||
+ | Configure the SQL radius module: | ||
+ | |||
+ | <code c sql.conf> | ||
+ | # -*- text -*- | ||
+ | ## | ||
+ | ## sql.conf -- SQL modules | ||
+ | ## | ||
+ | ## $Id: 6f346ec9f1d12190f132da20537f99607df71760 $ | ||
+ | |||
+ | ###################################################################### | ||
+ | # | ||
+ | # Configuration for the SQL module | ||
+ | # | ||
+ | # The database schemas and queries are located in subdirectories: | ||
+ | # | ||
+ | # sql/DB/schema.sql Schema | ||
+ | # sql/DB/dialup.conf Basic dialup (including policy) queries | ||
+ | # sql/DB/counter.conf counter | ||
+ | # sql/DB/ippool.conf IP Pools in SQL | ||
+ | # sql/DB/ippool.sql schema for IP pools. | ||
+ | # | ||
+ | # Where "DB" is mysql, mssql, oracle, or postgresql. | ||
+ | # | ||
+ | |||
+ | sql { | ||
+ | # | ||
+ | # Set the database to one of: | ||
+ | # | ||
+ | # mysql, mssql, oracle, postgresql | ||
+ | # | ||
+ | database = "mysql" | ||
+ | |||
+ | # | ||
+ | # Which FreeRADIUS driver to use. | ||
+ | # | ||
+ | driver = "rlm_sql_${database}" | ||
+ | |||
+ | # Connection info: | ||
+ | server = "localhost" | ||
+ | port = 3306 | ||
+ | login = "radius" | ||
+ | password = "test12345678" | ||
+ | |||
+ | # Database table configuration for everything except Oracle | ||
+ | radius_db = "radius" | ||
+ | # If you are using Oracle then use this instead | ||
+ | # radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))" | ||
+ | |||
+ | # If you want both stop and start records logged to the | ||
+ | # same SQL table, leave this as is. If you want them in | ||
+ | # different tables, put the start table in acct_table1 | ||
+ | # and stop table in acct_table2 | ||
+ | acct_table1 = "radacct" | ||
+ | acct_table2 = "radacct" | ||
+ | |||
+ | # Allow for storing data after authentication | ||
+ | postauth_table = "radpostauth" | ||
+ | |||
+ | authcheck_table = "radcheck" | ||
+ | authreply_table = "radreply" | ||
+ | |||
+ | groupcheck_table = "radgroupcheck" | ||
+ | groupreply_table = "radgroupreply" | ||
+ | |||
+ | # Table to keep group info | ||
+ | usergroup_table = "radusergroup" | ||
+ | |||
+ | # If set to 'yes' (default) we read the group tables | ||
+ | # If set to 'no' the user MUST have Fall-Through = Yes in the radreply table | ||
+ | # read_groups = yes | ||
+ | |||
+ | # Remove stale session if checkrad does not see a double login | ||
+ | deletestalesessions = yes | ||
+ | |||
+ | # Print all SQL statements when in debug mode (-x) | ||
+ | sqltrace = no | ||
+ | sqltracefile = ${logdir}/sqltrace.sql | ||
+ | |||
+ | # number of sql connections to make to server | ||
+ | # | ||
+ | # Setting this to LESS than the number of threads means | ||
+ | # that some threads may starve, and you will see errors | ||
+ | # like "No connections available and at max connection limit" | ||
+ | # | ||
+ | # Setting this to MORE than the number of threads means | ||
+ | # that there are more connections than necessary. | ||
+ | # | ||
+ | num_sql_socks = ${thread[pool].max_servers} | ||
+ | |||
+ | # number of seconds to dely retrying on a failed database | ||
+ | # connection (per_socket) | ||
+ | connect_failure_retry_delay = 60 | ||
+ | |||
+ | # lifetime of an SQL socket. If you are having network issues | ||
+ | # such as TCP sessions expiring, you may need to set the socket | ||
+ | # lifetime. If set to non-zero, any open connections will be | ||
+ | # closed "lifetime" seconds after they were first opened. | ||
+ | lifetime = 0 | ||
+ | |||
+ | # Maximum number of queries used by an SQL socket. If you are | ||
+ | # having issues with SQL sockets lasting "too long", you can | ||
+ | # limit the number of queries performed over one socket. After | ||
+ | # "max_qeuries", the socket will be closed. Use 0 for "no limit". | ||
+ | max_queries = 0 | ||
+ | |||
+ | # Set to 'yes' to read radius clients from the database ('nas' table) | ||
+ | # Clients will ONLY be read on server startup. For performance | ||
+ | # and security reasons, finding clients via SQL queries CANNOT | ||
+ | # be done "live" while the server is running. | ||
+ | # | ||
+ | readclients = yes | ||
+ | |||
+ | # Table to keep radius client info | ||
+ | nas_table = "nas" | ||
+ | |||
+ | # Read driver-specific configuration | ||
+ | $INCLUDE sql/${database}/dialup.conf | ||
+ | } | ||
+ | |||
+ | </code> | ||
+ | |||
+ | |||
+ | Uncomment and or change the following parameters: | ||
+ | ''databae = "mysql" | ||
+ | server = "localhost" | ||
+ | port = 3306 | ||
+ | login = "FREERADIUS_DB_USER" | ||
+ | password = "FREERADIUS_DB_PASS" | ||
+ | readclients = yes'' | ||
+ | |||
+ | Add chillispot SQL counters: | ||
+ | <code sql counter.conf> | ||
+ | # -*- text -*- | ||
+ | ## | ||
+ | ## counter.conf -- PostgreSQL queries for rlm_sqlcounter | ||
+ | ## | ||
+ | ## $Id: a327819efb27c5342579ebb310aa47e9c4ade5d6 $ | ||
+ | |||
+ | # Rather than maintaining seperate (GDBM) databases of | ||
+ | # accounting info for each counter, this module uses the data | ||
+ | # stored in the raddacct table by the sql modules. This | ||
+ | # module NEVER does any database INSERTs or UPDATEs. It is | ||
+ | # totally dependent on the SQL module to process Accounting | ||
+ | # packets. | ||
+ | # | ||
+ | # The 'sqlmod_inst' parameter holds the instance of the sql | ||
+ | # module to use when querying the SQL database. Normally it | ||
+ | # is just "sql". If you define more and one SQL module | ||
+ | # instance (usually for failover situations), you can | ||
+ | # specify which module has access to the Accounting Data | ||
+ | # (radacct table). | ||
+ | # | ||
+ | # The 'reset' parameter defines when the counters are all | ||
+ | # reset to zero. It can be hourly, daily, weekly, monthly or | ||
+ | # never. It can also be user defined. It should be of the | ||
+ | # form: | ||
+ | # num[hdwm] where: | ||
+ | # h: hours, d: days, w: weeks, m: months | ||
+ | # If the letter is ommited days will be assumed. In example: | ||
+ | # reset = 10h (reset every 10 hours) | ||
+ | # reset = 12 (reset every 12 days) | ||
+ | # | ||
+ | # The 'key' parameter specifies the unique identifier for the | ||
+ | # counter records (usually 'User-Name'). | ||
+ | # | ||
+ | # The 'query' parameter specifies the SQL query used to get | ||
+ | # the current Counter value from the database. There are 3 | ||
+ | # parameters that can be used in the query: | ||
+ | # %k 'key' parameter | ||
+ | # %b unix time value of beginning of reset period | ||
+ | # %e unix time value of end of reset period | ||
+ | # | ||
+ | # The 'check-name' parameter is the name of the 'check' | ||
+ | # attribute to use to access the counter in the 'users' file | ||
+ | # or SQL radcheck or radcheckgroup tables. | ||
+ | # | ||
+ | # DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject | ||
+ | # Reply-Message = "You've used up more than one hour today" | ||
+ | # | ||
+ | sqlcounter dailycounter { | ||
+ | counter-name = Daily-Session-Time | ||
+ | check-name = Max-Daily-Session | ||
+ | reply-name = Session-Timeout | ||
+ | sqlmod-inst = sql | ||
+ | key = User-Name | ||
+ | reset = daily | ||
+ | |||
+ | # This query properly handles calls that span from the | ||
+ | # previous reset period into the current period but | ||
+ | # involves more work for the SQL server than those | ||
+ | # below | ||
+ | query = "SELECT SUM(acctsessiontime - \ | ||
+ | GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \ | ||
+ | FROM radacct WHERE username = '%{%k}' AND \ | ||
+ | UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'" | ||
+ | |||
+ | # This query ignores calls that started in a previous | ||
+ | # reset period and continue into into this one. But it | ||
+ | # is a little easier on the SQL server | ||
+ | # query = "SELECT SUM(acctsessiontime) FROM radacct WHERE \ | ||
+ | # username = '%{%k}' AND acctstarttime > FROM_UNIXTIME('%b')" | ||
+ | |||
+ | # This query is the same as above, but demonstrates an | ||
+ | # additional counter parameter '%e' which is the | ||
+ | # timestamp for the end of the period | ||
+ | # query = "SELECT SUM(acctsessiontime) FROM radacct \ | ||
+ | # WHERE username = '%{%k}' AND acctstarttime BETWEEN \ | ||
+ | # FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')" | ||
+ | } | ||
+ | |||
+ | sqlcounter monthlycounter { | ||
+ | counter-name = Monthly-Session-Time | ||
+ | check-name = Max-Monthly-Session | ||
+ | reply-name = Session-Timeout | ||
+ | sqlmod-inst = sql | ||
+ | key = User-Name | ||
+ | reset = monthly | ||
+ | |||
+ | # This query properly handles calls that span from the | ||
+ | # previous reset period into the current period but | ||
+ | # involves more work for the SQL server than those | ||
+ | # below | ||
+ | query = "SELECT SUM(acctsessiontime - \ | ||
+ | GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \ | ||
+ | FROM radacct WHERE username='%{%k}' AND \ | ||
+ | UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'" | ||
+ | |||
+ | # This query ignores calls that started in a previous | ||
+ | # reset period and continue into into this one. But it | ||
+ | # is a little easier on the SQL server | ||
+ | # query = "SELECT SUM(acctsessiontime) FROM radacct WHERE \ | ||
+ | # username='%{%k}' AND acctstarttime > FROM_UNIXTIME('%b')" | ||
+ | |||
+ | # This query is the same as above, but demonstrates an | ||
+ | # additional counter parameter '%e' which is the | ||
+ | # timestamp for the end of the period | ||
+ | # query = "SELECT SUM(acctsessiontime) FROM radacct \ | ||
+ | # WHERE username='%{%k}' AND acctstarttime BETWEEN \ | ||
+ | # FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')" | ||
+ | } | ||
+ | |||
+ | sqlcounter noresetcounter { | ||
+ | counter-name = Max-All-Session-Time | ||
+ | check-name = Max-All-Session | ||
+ | sqlmod-inst = sql | ||
+ | key = User-Name | ||
+ | reset = never | ||
+ | query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'" | ||
+ | } | ||
+ | |||
+ | sqlcounter chillispot_max_bytes { | ||
+ | counter-name = Max-Total-Octets | ||
+ | check-name = ChilliSpot-Max-Total-Octets | ||
+ | reply-name = ChilliSpot-Max-Total-Octets | ||
+ | reply-message = "You have reached your bandwidth limit" | ||
+ | sqlmod-inst = sql | ||
+ | key = User-Name | ||
+ | reset = never | ||
+ | query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE username = '%{${key}}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%%b'" | ||
+ | } | ||
+ | |||
+ | </code> | ||
+ | |||
+ | ''sudo vi /etc/freeradius/sql/mysql/counter.conf'' | ||
+ | |||
+ | Add this lines at the end of the above file: | ||
+ | |||
+ | <code>sqlcounter chillispot_max_bytes { | ||
+ | counter-name = Max-Total-Octets | ||
+ | check-name = ChilliSpot-Max-Total-Octets | ||
+ | reply-name = ChilliSpot-Max-Total-Octets | ||
+ | reply-message = "You have reached your bandwidth limit" | ||
+ | sqlmod-inst = sql | ||
+ | key = User-Name | ||
+ | reset = never | ||
+ | query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE username = '%{${key}}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%%b'" | ||
+ | } | ||
+ | </code> | ||
+ | |||
+ | |||
+ | ====== Configure radius clients ====== | ||
+ | |||
+ | <code c clients.conf> | ||
+ | # -*- text -*- | ||
+ | ## | ||
+ | ## clients.conf -- client configuration directives | ||
+ | ## | ||
+ | ## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $ | ||
+ | |||
+ | ####################################################################### | ||
+ | # | ||
+ | # Define RADIUS clients (usually a NAS, Access Point, etc.). | ||
+ | |||
+ | # | ||
+ | # Defines a RADIUS client. | ||
+ | # | ||
+ | # '127.0.0.1' is another name for 'localhost'. It is enabled by default, | ||
+ | # to allow testing of the server after an initial installation. If you | ||
+ | # are not going to be permitting RADIUS queries from localhost, we suggest | ||
+ | # that you delete, or comment out, this entry. | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # Each client has a "short name" that is used to distinguish it from | ||
+ | # other clients. | ||
+ | # | ||
+ | # In version 1.x, the string after the word "client" was the IP | ||
+ | # address of the client. In 2.0, the IP address is configured via | ||
+ | # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x | ||
+ | # format is still accepted. | ||
+ | # | ||
+ | client localhost { | ||
+ | # Allowed values are: | ||
+ | # dotted quad (1.2.3.4) | ||
+ | # hostname (radius.example.com) | ||
+ | ipaddr = 127.0.0.1 | ||
+ | |||
+ | # OR, you can use an IPv6 address, but not both | ||
+ | # at the same time. | ||
+ | # ipv6addr = :: # any. ::1 == localhost | ||
+ | |||
+ | # | ||
+ | # A note on DNS: We STRONGLY recommend using IP addresses | ||
+ | # rather than host names. Using host names means that the | ||
+ | # server will do DNS lookups when it starts, making it | ||
+ | # dependent on DNS. i.e. If anything goes wrong with DNS, | ||
+ | # the server won't start! | ||
+ | # | ||
+ | # The server also looks up the IP address from DNS once, and | ||
+ | # only once, when it starts. If the DNS record is later | ||
+ | # updated, the server WILL NOT see that update. | ||
+ | # | ||
+ | |||
+ | # One client definition can be applied to an entire network. | ||
+ | # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and | ||
+ | # "netmask = 8" | ||
+ | # | ||
+ | # If not specified, the default netmask is 32 (i.e. /32) | ||
+ | # | ||
+ | # We do NOT recommend using anything other than 32. There | ||
+ | # are usually other, better ways to achieve the same goal. | ||
+ | # Using netmasks of other than 32 can cause security issues. | ||
+ | # | ||
+ | # You can specify overlapping networks (127/8 and 127.0/16) | ||
+ | # In that case, the smallest possible network will be used | ||
+ | # as the "best match" for the client. | ||
+ | # | ||
+ | # Clients can also be defined dynamically at run time, based | ||
+ | # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier, | ||
+ | # etc. | ||
+ | # See raddb/sites-available/dynamic-clients for details. | ||
+ | # | ||
+ | |||
+ | # netmask = 32 | ||
+ | |||
+ | # | ||
+ | # The shared secret use to "encrypt" and "sign" packets between | ||
+ | # the NAS and FreeRADIUS. You MUST change this secret from the | ||
+ | # default, otherwise it's not a secret any more! | ||
+ | # | ||
+ | # The secret can be any string, up to 8k characters in length. | ||
+ | # | ||
+ | # Control codes can be entered vi octal encoding, | ||
+ | # e.g. "\101\102" == "AB" | ||
+ | # Quotation marks can be entered by escaping them, | ||
+ | # e.g. "foo\"bar" | ||
+ | # | ||
+ | # A note on security: The security of the RADIUS protocol | ||
+ | # depends COMPLETELY on this secret! We recommend using a | ||
+ | # shared secret that is composed of: | ||
+ | # | ||
+ | # upper case letters | ||
+ | # lower case letters | ||
+ | # numbers | ||
+ | # | ||
+ | # And is at LEAST 8 characters long, preferably 16 characters in | ||
+ | # length. The secret MUST be random, and should not be words, | ||
+ | # phrase, or anything else that is recognizable. | ||
+ | # | ||
+ | # The default secret below is only for testing, and should | ||
+ | # not be used in any real environment. | ||
+ | # | ||
+ | secret = test12345678 | ||
+ | |||
+ | # | ||
+ | # Old-style clients do not send a Message-Authenticator | ||
+ | # in an Access-Request. RFC 5080 suggests that all clients | ||
+ | # SHOULD include it in an Access-Request. The configuration | ||
+ | # item below allows the server to require it. If a client | ||
+ | # is required to include a Message-Authenticator and it does | ||
+ | # not, then the packet will be silently discarded. | ||
+ | # | ||
+ | # allowed values: yes, no | ||
+ | require_message_authenticator = no | ||
+ | |||
+ | # | ||
+ | # The short name is used as an alias for the fully qualified | ||
+ | # domain name, or the IP address. | ||
+ | # | ||
+ | # It is accepted for compatibility with 1.x, but it is no | ||
+ | # longer necessary in 2.0 | ||
+ | # | ||
+ | # shortname = localhost | ||
+ | |||
+ | # | ||
+ | # the following three fields are optional, but may be used by | ||
+ | # checkrad.pl for simultaneous use checks | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # The nastype tells 'checkrad.pl' which NAS-specific method to | ||
+ | # use to query the NAS for simultaneous use. | ||
+ | # | ||
+ | # Permitted NAS types are: | ||
+ | # | ||
+ | # cisco | ||
+ | # computone | ||
+ | # livingston | ||
+ | # juniper | ||
+ | # max40xx | ||
+ | # multitech | ||
+ | # netserver | ||
+ | # pathras | ||
+ | # patton | ||
+ | # portslave | ||
+ | # tc | ||
+ | # usrhiper | ||
+ | # other # for all other types | ||
+ | |||
+ | # | ||
+ | nastype = other # localhost isn't usually a NAS... | ||
+ | |||
+ | # | ||
+ | # The following two configurations are for future use. | ||
+ | # The 'naspasswd' file is currently used to store the NAS | ||
+ | # login name and password, which is used by checkrad.pl | ||
+ | # when querying the NAS for simultaneous use. | ||
+ | # | ||
+ | # login = !root | ||
+ | # password = someadminpas | ||
+ | |||
+ | # | ||
+ | # As of 2.0, clients can also be tied to a virtual server. | ||
+ | # This is done by setting the "virtual_server" configuration | ||
+ | # item, as in the example below. | ||
+ | # | ||
+ | # virtual_server = home1 | ||
+ | |||
+ | # | ||
+ | # A pointer to the "home_server_pool" OR a "home_server" | ||
+ | # section that contains the CoA configuration for this | ||
+ | # client. For an example of a coa home server or pool, | ||
+ | # see raddb/sites-available/originate-coa | ||
+ | # coa_server = coa | ||
+ | } | ||
+ | |||
+ | # IPv6 Client | ||
+ | #client ::1 { | ||
+ | # secret = testing123 | ||
+ | # shortname = localhost | ||
+ | #} | ||
+ | # | ||
+ | # All IPv6 Site-local clients | ||
+ | #client fe80::/16 { | ||
+ | # secret = testing123 | ||
+ | # shortname = localhost | ||
+ | #} | ||
+ | |||
+ | #client some.host.org { | ||
+ | # secret = testing123 | ||
+ | # shortname = localhost | ||
+ | #} | ||
+ | |||
+ | # | ||
+ | # You can now specify one secret for a network of clients. | ||
+ | # When a client request comes in, the BEST match is chosen. | ||
+ | # i.e. The entry from the smallest possible network. | ||
+ | # | ||
+ | #client 192.168.0.0/24 { | ||
+ | # secret = testing123-1 | ||
+ | # shortname = private-network-1 | ||
+ | #} | ||
+ | # | ||
+ | #client 192.168.0.0/16 { | ||
+ | # secret = testing123-2 | ||
+ | # shortname = private-network-2 | ||
+ | #} | ||
+ | |||
+ | |||
+ | #client 10.10.10.10 { | ||
+ | # # secret and password are mapped through the "secrets" file. | ||
+ | # secret = testing123 | ||
+ | # shortname = liv1 | ||
+ | # # the following three fields are optional, but may be used by | ||
+ | # # checkrad.pl for simultaneous usage checks | ||
+ | # nastype = livingston | ||
+ | # login = !root | ||
+ | # password = someadminpas | ||
+ | #} | ||
+ | |||
+ | ####################################################################### | ||
+ | # | ||
+ | # Per-socket client lists. The configuration entries are exactly | ||
+ | # the same as above, but they are nested inside of a section. | ||
+ | # | ||
+ | # You can have as many per-socket client lists as you have "listen" | ||
+ | # sections, or you can re-use a list among multiple "listen" sections. | ||
+ | # | ||
+ | # Un-comment this section, and edit a "listen" section to add: | ||
+ | # "clients = per_socket_clients". That IP address/port combination | ||
+ | # will then accept ONLY the clients listed in this section. | ||
+ | # | ||
+ | #clients per_socket_clients { | ||
+ | # client 192.168.3.4 { | ||
+ | # secret = testing123 | ||
+ | # } | ||
+ | #} | ||
+ | |||
+ | client 192.168.1.0/24 { | ||
+ | secret = [SECRET] | ||
+ | nastype = other | ||
+ | } | ||
+ | |||
+ | </code> | ||
+ | |||
+ | Change the password to the password used above for FreeRadius MySQL database: | ||
+ | ''secret = [FREERADIUS_DB_PASS]'' | ||
+ | |||
+ | or create new client: | ||
+ | |||
+ | <code> | ||
+ | # example for clients with net address 192.168.1.0/24 | ||
+ | client 192.168.1.0/24 { | ||
+ | secret = [FREERADIUS_DB_PASS] | ||
+ | nastype = other | ||
+ | } | ||
+ | </code> | ||
+ | |||
+ | Configure radius server: | ||
+ | |||
+ | <code c radiusd.conf> | ||
+ | # -*- text -*- | ||
+ | ## | ||
+ | ## radiusd.conf -- FreeRADIUS server configuration file. | ||
+ | ## | ||
+ | ## http://www.freeradius.org/ | ||
+ | ## $Id: 201b70b31b5bb4c2ef98c102690daa3462d5e1e3 $ | ||
+ | ## | ||
+ | |||
+ | ###################################################################### | ||
+ | # | ||
+ | # Read "man radiusd" before editing this file. See the section | ||
+ | # titled DEBUGGING. It outlines a method where you can quickly | ||
+ | # obtain the configuration you want, without running into | ||
+ | # trouble. | ||
+ | # | ||
+ | # Run the server in debugging mode, and READ the output. | ||
+ | # | ||
+ | # $ radiusd -X | ||
+ | # | ||
+ | # We cannot emphasize this point strongly enough. The vast | ||
+ | # majority of problems can be solved by carefully reading the | ||
+ | # debugging output, which includes warnings about common issues, | ||
+ | # and suggestions for how they may be fixed. | ||
+ | # | ||
+ | # There may be a lot of output, but look carefully for words like: | ||
+ | # "warning", "error", "reject", or "failure". The messages there | ||
+ | # will usually be enough to guide you to a solution. | ||
+ | # | ||
+ | # If you are going to ask a question on the mailing list, then | ||
+ | # explain what you are trying to do, and include the output from | ||
+ | # debugging mode (radiusd -X). Failure to do so means that all | ||
+ | # of the responses to your question will be people telling you | ||
+ | # to "post the output of radiusd -X". | ||
+ | |||
+ | ###################################################################### | ||
+ | # | ||
+ | # The location of other config files and logfiles are declared | ||
+ | # in this file. | ||
+ | # | ||
+ | # Also general configuration for modules can be done in this | ||
+ | # file, it is exported through the API to modules that ask for | ||
+ | # it. | ||
+ | # | ||
+ | # See "man radiusd.conf" for documentation on the format of this | ||
+ | # file. Note that the individual configuration items are NOT | ||
+ | # documented in that "man" page. They are only documented here, | ||
+ | # in the comments. | ||
+ | # | ||
+ | # As of 2.0.0, FreeRADIUS supports a simple processing language | ||
+ | # in the "authorize", "authenticate", "accounting", etc. sections. | ||
+ | # See "man unlang" for details. | ||
+ | # | ||
+ | |||
+ | prefix = /usr | ||
+ | exec_prefix = /usr | ||
+ | sysconfdir = /etc | ||
+ | localstatedir = /var | ||
+ | sbindir = ${exec_prefix}/sbin | ||
+ | logdir = /var/log/freeradius | ||
+ | raddbdir = /etc/freeradius | ||
+ | radacctdir = ${logdir}/radacct | ||
+ | |||
+ | # | ||
+ | # name of the running server. See also the "-n" command-line option. | ||
+ | name = freeradius | ||
+ | |||
+ | # Location of config and logfiles. | ||
+ | confdir = ${raddbdir} | ||
+ | run_dir = ${localstatedir}/run/${name} | ||
+ | |||
+ | # Should likely be ${localstatedir}/lib/radiusd | ||
+ | db_dir = ${raddbdir} | ||
+ | |||
+ | # | ||
+ | # libdir: Where to find the rlm_* modules. | ||
+ | # | ||
+ | # This should be automatically set at configuration time. | ||
+ | # | ||
+ | # If the server builds and installs, but fails at execution time | ||
+ | # with an 'undefined symbol' error, then you can use the libdir | ||
+ | # directive to work around the problem. | ||
+ | # | ||
+ | # The cause is usually that a library has been installed on your | ||
+ | # system in a place where the dynamic linker CANNOT find it. When | ||
+ | # executing as root (or another user), your personal environment MAY | ||
+ | # be set up to allow the dynamic linker to find the library. When | ||
+ | # executing as a daemon, FreeRADIUS MAY NOT have the same | ||
+ | # personalized configuration. | ||
+ | # | ||
+ | # To work around the problem, find out which library contains that symbol, | ||
+ | # and add the directory containing that library to the end of 'libdir', | ||
+ | # with a colon separating the directory names. NO spaces are allowed. | ||
+ | # | ||
+ | # e.g. libdir = /usr/local/lib:/opt/package/lib | ||
+ | # | ||
+ | # You can also try setting the LD_LIBRARY_PATH environment variable | ||
+ | # in a script which starts the server. | ||
+ | # | ||
+ | # If that does not work, then you can re-configure and re-build the | ||
+ | # server to NOT use shared libraries, via: | ||
+ | # | ||
+ | # ./configure --disable-shared | ||
+ | # make | ||
+ | # make install | ||
+ | # | ||
+ | libdir = /usr/lib/freeradius | ||
+ | |||
+ | # pidfile: Where to place the PID of the RADIUS server. | ||
+ | # | ||
+ | # The server may be signalled while it's running by using this | ||
+ | # file. | ||
+ | # | ||
+ | # This file is written when ONLY running in daemon mode. | ||
+ | # | ||
+ | # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` | ||
+ | # | ||
+ | pidfile = ${run_dir}/${name}.pid | ||
+ | |||
+ | # chroot: directory where the server does "chroot". | ||
+ | # | ||
+ | # The chroot is done very early in the process of starting the server. | ||
+ | # After the chroot has been performed it switches to the "user" listed | ||
+ | # below (which MUST be specified). If "group" is specified, it switches | ||
+ | # to that group, too. Any other groups listed for the specified "user" | ||
+ | # in "/etc/group" are also added as part of this process. | ||
+ | # | ||
+ | # The current working directory (chdir / cd) is left *outside* of the | ||
+ | # chroot until all of the modules have been initialized. This allows | ||
+ | # the "raddb" directory to be left outside of the chroot. Once the | ||
+ | # modules have been initialized, it does a "chdir" to ${logdir}. This | ||
+ | # means that it should be impossible to break out of the chroot. | ||
+ | # | ||
+ | # If you are worried about security issues related to this use of chdir, | ||
+ | # then simply ensure that the "raddb" directory is inside of the chroot, | ||
+ | # and be sure to do "cd raddb" BEFORE starting the server. | ||
+ | # | ||
+ | # If the server is statically linked, then the only files that have | ||
+ | # to exist in the chroot are ${run_dir} and ${logdir}. If you do the | ||
+ | # "cd raddb" as discussed above, then the "raddb" directory has to be | ||
+ | # inside of the chroot directory, too. | ||
+ | # | ||
+ | #chroot = /path/to/chroot/directory | ||
+ | |||
+ | # user/group: The name (or #number) of the user/group to run radiusd as. | ||
+ | # | ||
+ | # If these are commented out, the server will run as the user/group | ||
+ | # that started it. In order to change to a different user/group, you | ||
+ | # MUST be root ( or have root privileges ) to start the server. | ||
+ | # | ||
+ | # We STRONGLY recommend that you run the server with as few permissions | ||
+ | # as possible. That is, if you're not using shadow passwords, the | ||
+ | # user and group items below should be set to 'radius'. | ||
+ | # | ||
+ | # NOTE that some kernels refuse to setgid(group) when the value of | ||
+ | # (unsigned)group is above 60000; don't use group nobody on these systems! | ||
+ | # | ||
+ | # On systems with shadow passwords, you might have to set 'group = shadow' | ||
+ | # for the server to be able to read the shadow password file. If you can | ||
+ | # authenticate users while in debug mode, but not in daemon mode, it may be | ||
+ | # that the debugging mode server is running as a user that can read the | ||
+ | # shadow info, and the user listed below can not. | ||
+ | # | ||
+ | # The server will also try to use "initgroups" to read /etc/groups. | ||
+ | # It will join all groups where "user" is a member. This can allow | ||
+ | # for some finer-grained access controls. | ||
+ | # | ||
+ | user = radiusd | ||
+ | group = radiusd | ||
+ | |||
+ | # panic_action: Command to execute if the server dies unexpectedly. | ||
+ | # | ||
+ | # FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. | ||
+ | # AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. | ||
+ | # AN INTERACTIVE ACTION MEANS THE SERVER WILL NOT RESTART. | ||
+ | # | ||
+ | # The panic action is a command which will be executed if the server | ||
+ | # receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, | ||
+ | # SIGABRT or SIGFPE. | ||
+ | # | ||
+ | # This can be used to start an interactive debugging session so | ||
+ | # that information regarding the current state of the server can | ||
+ | # be acquired. | ||
+ | # | ||
+ | # The following string substitutions are available: | ||
+ | # - %e The currently executing program e.g. /sbin/radiusd | ||
+ | # - %p The PID of the currently executing program e.g. 12345 | ||
+ | # | ||
+ | # Standard ${} substitutions are also allowed. | ||
+ | # | ||
+ | # An example panic action for opening an interactive session in GDB would be: | ||
+ | # | ||
+ | #panic_action = "gdb %e %p" | ||
+ | # | ||
+ | # Again, don't use that on a production system. | ||
+ | # | ||
+ | # An example panic action for opening an automated session in GDB would be: | ||
+ | # | ||
+ | #panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-%e-%p.log 2>&1" | ||
+ | # | ||
+ | # That command can be used on a production system. | ||
+ | # | ||
+ | |||
+ | # max_request_time: The maximum time (in seconds) to handle a request. | ||
+ | # | ||
+ | # Requests which take more time than this to process may be killed, and | ||
+ | # a REJECT message is returned. | ||
+ | # | ||
+ | # WARNING: If you notice that requests take a long time to be handled, | ||
+ | # then this MAY INDICATE a bug in the server, in one of the modules | ||
+ | # used to handle a request, OR in your local configuration. | ||
+ | # | ||
+ | # This problem is most often seen when using an SQL database. If it takes | ||
+ | # more than a second or two to receive an answer from the SQL database, | ||
+ | # then it probably means that you haven't indexed the database. See your | ||
+ | # SQL server documentation for more information. | ||
+ | # | ||
+ | # Useful range of values: 5 to 120 | ||
+ | # | ||
+ | max_request_time = 30 | ||
+ | |||
+ | # cleanup_delay: The time to wait (in seconds) before cleaning up | ||
+ | # a reply which was sent to the NAS. | ||
+ | # | ||
+ | # The RADIUS request is normally cached internally for a short period | ||
+ | # of time, after the reply is sent to the NAS. The reply packet may be | ||
+ | # lost in the network, and the NAS will not see it. The NAS will then | ||
+ | # re-send the request, and the server will respond quickly with the | ||
+ | # cached reply. | ||
+ | # | ||
+ | # If this value is set too low, then duplicate requests from the NAS | ||
+ | # MAY NOT be detected, and will instead be handled as separate requests. | ||
+ | # | ||
+ | # If this value is set too high, then the server will cache too many | ||
+ | # requests, and some new requests may get blocked. (See 'max_requests'.) | ||
+ | # | ||
+ | # Useful range of values: 2 to 10 | ||
+ | # | ||
+ | cleanup_delay = 5 | ||
+ | |||
+ | # max_requests: The maximum number of requests which the server keeps | ||
+ | # track of. This should be 256 multiplied by the number of clients. | ||
+ | # e.g. With 4 clients, this number should be 1024. | ||
+ | # | ||
+ | # If this number is too low, then when the server becomes busy, | ||
+ | # it will not respond to any new requests, until the 'cleanup_delay' | ||
+ | # time has passed, and it has removed the old requests. | ||
+ | # | ||
+ | # If this number is set too high, then the server will use a bit more | ||
+ | # memory for no real benefit. | ||
+ | # | ||
+ | # If you aren't sure what it should be set to, it's better to set it | ||
+ | # too high than too low. Setting it to 1000 per client is probably | ||
+ | # the highest it should be. | ||
+ | # | ||
+ | # Useful range of values: 256 to infinity | ||
+ | # | ||
+ | max_requests = 1024 | ||
+ | |||
+ | # listen: Make the server listen on a particular IP address, and send | ||
+ | # replies out from that address. This directive is most useful for | ||
+ | # hosts with multiple IP addresses on one interface. | ||
+ | # | ||
+ | # If you want the server to listen on additional addresses, or on | ||
+ | # additional ports, you can use multiple "listen" sections. | ||
+ | # | ||
+ | # Each section makes the server listen for only one type of packet, | ||
+ | # therefore authentication and accounting have to be configured in | ||
+ | # different sections. | ||
+ | # | ||
+ | # The server ignores all "listen" sections if you are using '-i' and '-p' | ||
+ | # on the command line. | ||
+ | # | ||
+ | listen { | ||
+ | # Type of packets to listen for. | ||
+ | # Allowed values are: | ||
+ | # auth listen for authentication packets | ||
+ | # acct listen for accounting packets | ||
+ | # proxy IP to use for sending proxied packets | ||
+ | # detail Read from the detail file. For examples, see | ||
+ | # raddb/sites-available/copy-acct-to-home-server | ||
+ | # status listen for Status-Server packets. For examples, | ||
+ | # see raddb/sites-available/status | ||
+ | # coa listen for CoA-Request and Disconnect-Request | ||
+ | # packets. For examples, see the file | ||
+ | # raddb/sites-available/coa | ||
+ | # | ||
+ | type = auth | ||
+ | |||
+ | # Note: "type = proxy" lets you control the source IP used for | ||
+ | # proxying packets, with some limitations: | ||
+ | # | ||
+ | # * A proxy listener CANNOT be used in a virtual server section. | ||
+ | # * You should probably set "port = 0". | ||
+ | # * Any "clients" configuration will be ignored. | ||
+ | # | ||
+ | # See also proxy.conf, and the "src_ipaddr" configuration entry | ||
+ | # in the sample "home_server" section. When you specify the | ||
+ | # source IP address for packets sent to a home server, the | ||
+ | # proxy listeners are automatically created. | ||
+ | |||
+ | # IP address on which to listen. | ||
+ | # Allowed values are: | ||
+ | # dotted quad (1.2.3.4) | ||
+ | # hostname (radius.example.com) | ||
+ | # wildcard (*) | ||
+ | # | ||
+ | # On a router with a WWAN uplink, "*" also binds the public WWAN | ||
+ | # address. Unless UDP 1812/1813 are filtered on that interface, | ||
+ | # listen only on the address CoovaChilli uses to reach the server | ||
+ | # (127.0.0.1 if both run on the same device). | ||
+ | ipaddr = * | ||
+ | |||
+ | # OR, you can use an IPv6 address, but not both | ||
+ | # at the same time. | ||
+ | # ipv6addr = :: # any. ::1 == localhost | ||
+ | |||
+ | # Port on which to listen. | ||
+ | # Allowed values are: | ||
+ | # integer port number (1812) | ||
+ | # 0 means "use /etc/services for the proper port" | ||
+ | port = 0 | ||
+ | |||
+ | # Some systems support binding to an interface, in addition | ||
+ | # to the IP address. This feature isn't strictly necessary, | ||
+ | # but for sites with many IP addresses on one interface, | ||
+ | # it's useful to say "listen on all addresses for eth0". | ||
+ | # | ||
+ | # If your system does not support this feature, you will | ||
+ | # get an error if you try to use it. | ||
+ | # | ||
+ | # interface = eth0 | ||
+ | |||
+ | # Per-socket lists of clients. This is a very useful feature. | ||
+ | # | ||
+ | # The name here is a reference to a section elsewhere in | ||
+ | # radiusd.conf, or clients.conf. Having the name as | ||
+ | # a reference allows multiple sockets to use the same | ||
+ | # set of clients. | ||
+ | # | ||
+ | # If this configuration is used, then the global list of clients | ||
+ | # is IGNORED for this "listen" section. Take care configuring | ||
+ | # this feature, to ensure you don't accidentally disable a | ||
+ | # client you need. | ||
+ | # | ||
+ | # See clients.conf for the configuration of "per_socket_clients". | ||
+ | # | ||
+ | # clients = per_socket_clients | ||
+ | } | ||
+ | |||
+ | # This second "listen" section is for listening on the accounting | ||
+ | # port, too. | ||
+ | # | ||
+ | listen { | ||
+ | ipaddr = * | ||
+ | # ipv6addr = :: | ||
+ | port = 0 | ||
+ | type = acct | ||
+ | # interface = eth0 | ||
+ | # clients = per_socket_clients | ||
+ | } | ||
+ | |||
+ | # hostname_lookups: Log the names of clients or just their IP addresses | ||
+ | # e.g., www.freeradius.org (on) or 206.47.27.232 (off). | ||
+ | # | ||
+ | # The default is 'off' because it would be overall better for the net | ||
+ | # if people had to knowingly turn this feature on, since enabling it | ||
+ | # means that each client request will result in AT LEAST one lookup | ||
+ | # request to the nameserver. Enabling hostname_lookups will also | ||
+ | # mean that your server may stop randomly for 30 seconds from time | ||
+ | # to time, if the DNS requests take too long. | ||
+ | # | ||
+ | # Turning hostname lookups off also means that the server won't block | ||
+ | # for 30 seconds, if it sees an IP address which has no name associated | ||
+ | # with it. | ||
+ | # | ||
+ | # allowed values: {no, yes} | ||
+ | # | ||
+ | hostname_lookups = no | ||
+ | |||
+ | # Core dumps are a bad thing. This should only be set to 'yes' | ||
+ | # if you're debugging a problem with the server. | ||
+ | # | ||
+ | # allowed values: {no, yes} | ||
+ | # | ||
+ | allow_core_dumps = no | ||
+ | |||
+ | # Regular expressions | ||
+ | # | ||
+ | # These items are set at configure time. If they're set to "yes", | ||
+ | # then setting them to "no" turns off regular expression support. | ||
+ | # | ||
+ | # If they're set to "no" at configure time, then setting them to "yes" | ||
+ | # WILL NOT WORK. It will give you an error. | ||
+ | # | ||
+ | regular_expressions = yes | ||
+ | extended_expressions = yes | ||
+ | |||
+ | # | ||
+ | # Logging section. The various "log_*" configuration items | ||
+ | # will eventually be moved here. | ||
+ | # | ||
+ | log { | ||
+ | # | ||
+ | # Destination for log messages. This can be one of: | ||
+ | # | ||
+ | # files - log to "file", as defined below. | ||
+ | # syslog - to syslog (see also the "syslog_facility", below). | ||
+ | # stdout - standard output | ||
+ | # stderr - standard error. | ||
+ | # | ||
+ | # The command-line option "-X" over-rides this option, and forces | ||
+ | # logging to go to stdout. | ||
+ | # | ||
+ | destination = files | ||
+ | |||
+ | # | ||
+ | # The logging messages for the server are appended to the | ||
+ | # tail of this file if destination == "files" | ||
+ | # | ||
+ | # If the server is running in debugging mode, this file is | ||
+ | # NOT used. | ||
+ | # | ||
+ | file = ${logdir}/radius.log | ||
+ | |||
+ | # | ||
+ | # If this configuration parameter is set, then log messages for | ||
+ | # a *request* go to this file, rather than to radius.log. | ||
+ | # | ||
+ | # i.e. This is a log file per request, once the server has accepted | ||
+ | # the request as being from a valid client. Messages that are | ||
+ | # not associated with a request still go to radius.log. | ||
+ | # | ||
+ | # Not all log messages in the server core have been updated to use | ||
+ | # this new internal API. As a result, some messages will still | ||
+ | # go to radius.log. Please submit patches to fix this behavior. | ||
+ | # | ||
+ | # The file name is expanded dynamically. You should ONLY use | ||
+ | # server-side attributes for the filename (e.g. things you control). | ||
+ | # Using this feature MAY also slow down the server substantially, | ||
+ | # especially if you do things like SQL calls as part of the | ||
+ | # expansion of the filename. | ||
+ | # | ||
+ | # The name of the log file should use attributes that don't change | ||
+ | # over the lifetime of a request, such as User-Name, | ||
+ | # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log | ||
+ | # messages will be distributed over multiple files. | ||
+ | # | ||
+ | # Logging can be enabled for an individual request by a special | ||
+ | # dynamic expansion macro: %{debug: 1}, where the debug level | ||
+ | # for this request is set to '1' (or 2, 3, etc.). e.g. | ||
+ | # | ||
+ | # ... | ||
+ | # update control { | ||
+ | # Tmp-String-0 = "%{debug:1}" | ||
+ | # } | ||
+ | # ... | ||
+ | # | ||
+ | # The attribute that the value is assigned to is unimportant, | ||
+ | # and should be a "throw-away" attribute with no side effects. | ||
+ | # | ||
+ | #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log | ||
+ | |||
+ | # | ||
+ | # Which syslog facility to use, if ${destination} == "syslog" | ||
+ | # | ||
+ | # The exact values permitted here are OS-dependent. You probably | ||
+ | # don't want to change this. | ||
+ | # | ||
+ | syslog_facility = daemon | ||
+ | |||
+ | # Log the full User-Name attribute, as it was found in the request. | ||
+ | # | ||
+ | # allowed values: {no, yes} | ||
+ | # | ||
+ | stripped_names = no | ||
+ | |||
+ | # Log authentication requests to the log file. | ||
+ | # | ||
+ | # allowed values: {no, yes} | ||
+ | # | ||
+ | auth = no | ||
+ | |||
+ | # Log passwords with the authentication requests. | ||
+ | # auth_badpass - logs password if it's rejected | ||
+ | # auth_goodpass - logs password if it's correct | ||
+ | # | ||
+ | # allowed values: {no, yes} | ||
+ | # | ||
+ | auth_badpass = no | ||
+ | auth_goodpass = no | ||
+ | |||
+ | # Log additional text at the end of the "Login OK" messages. | ||
+ | # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" | ||
+ | # configurations above have to be set to "yes". | ||
+ | # | ||
+ | # The strings below are dynamically expanded, which means that | ||
+ | # you can put anything you want in them. However, note that | ||
+ | # this expansion can be slow, and can negatively impact server | ||
+ | # performance. | ||
+ | # | ||
+ | # msg_goodpass = "" | ||
+ | # msg_badpass = "" | ||
+ | } | ||
+ | |||
+ | # The program to execute to do concurrency checks. | ||
+ | checkrad = ${sbindir}/checkrad | ||
+ | |||
+ | # SECURITY CONFIGURATION | ||
+ | # | ||
+ | # There may be multiple methods of attacking on the server. This | ||
+ | # section holds the configuration items which minimize the impact | ||
+ | # of those attacks | ||
+ | # | ||
+ | security { | ||
+ | # | ||
+ | # max_attributes: The maximum number of attributes | ||
+ | # permitted in a RADIUS packet. Packets which have MORE | ||
+ | # than this number of attributes in them will be dropped. | ||
+ | # | ||
+ | # If this number is set too low, then no RADIUS packets | ||
+ | # will be accepted. | ||
+ | # | ||
+ | # If this number is set too high, then an attacker may be | ||
+ | # able to send a small number of packets which will cause | ||
+ | # the server to use all available memory on the machine. | ||
+ | # | ||
+ | # Setting this number to 0 means "allow any number of attributes" | ||
+ | max_attributes = 200 | ||
+ | |||
+ | # | ||
+ | # reject_delay: When sending an Access-Reject, it can be | ||
+ | # delayed for a few seconds. This may help slow down a DoS | ||
+ | # attack. It also helps to slow down people trying to brute-force | ||
+ | # crack a users password. | ||
+ | # | ||
+ | # Setting this number to 0 means "send rejects immediately" | ||
+ | # | ||
+ | # If this number is set higher than 'cleanup_delay', then the | ||
+ | # rejects will be sent at 'cleanup_delay' time, when the request | ||
+ | # is deleted from the internal cache of requests. | ||
+ | # | ||
+ | # Useful ranges: 1 to 5 | ||
+ | reject_delay = 1 | ||
+ | |||
+ | # | ||
+ | # status_server: Whether or not the server will respond | ||
+ | # to Status-Server requests. | ||
+ | # | ||
+ | # When sent a Status-Server message, the server responds with | ||
+ | # an Access-Accept or Accounting-Response packet. | ||
+ | # | ||
+ | # This is mainly useful for administrators who want to "ping" | ||
+ | # the server, without adding test users, or creating fake | ||
+ | # accounting packets. | ||
+ | # | ||
+ | # It's also useful when a NAS marks a RADIUS server "dead". | ||
+ | # The NAS can periodically "ping" the server with a Status-Server | ||
+ | # packet. If the server responds, it must be alive, and the | ||
+ | # NAS can start using it for real requests. | ||
+ | # | ||
+ | # See also raddb/sites-available/status | ||
+ | # | ||
+ | status_server = yes | ||
+ | |||
+ | # | ||
+ | # allow_vulnerable_openssl: Allow the server to start with | ||
+ | # versions of OpenSSL known to have critical vulnerabilities. | ||
+ | # | ||
+ | # This check is based on the version number reported by libssl | ||
+ | # and may not reflect patches applied to libssl by | ||
+ | # distribution maintainers. | ||
+ | # | ||
+ | # "yes" switches that safety check off. Keep it at "no" unless the | ||
+ | # server refuses to start on this image's libssl, and in that case | ||
+ | # make sure the installed libssl actually carries the backported fixes. | ||
+ | # | ||
+ | allow_vulnerable_openssl = yes | ||
+ | } | ||
+ | |||
+ | # PROXY CONFIGURATION | ||
+ | # | ||
+ | # proxy_requests: Turns proxying of RADIUS requests on or off. | ||
+ | # | ||
+ | # The server has proxying turned on by default. If your system is NOT | ||
+ | # set up to proxy requests to another server, then you can turn proxying | ||
+ | # off here. This will save a small amount of resources on the server. | ||
+ | # | ||
+ | # If you have proxying turned off, and your configuration files say | ||
+ | # to proxy a request, then an error message will be logged. | ||
+ | # | ||
+ | # To disable proxying, change the "yes" to "no", and comment the | ||
+ | # $INCLUDE line. | ||
+ | # | ||
+ | # allowed values: {no, yes} | ||
+ | # | ||
+ | proxy_requests = yes | ||
+ | $INCLUDE proxy.conf | ||
+ | |||
+ | |||
+ | # CLIENTS CONFIGURATION | ||
+ | # | ||
+ | # Client configuration is defined in "clients.conf". | ||
+ | # | ||
+ | |||
+ | # The 'clients.conf' file contains all of the information from the old | ||
+ | # 'clients' and 'naslist' configuration files. We recommend that you | ||
+ | # do NOT use 'client's or 'naslist', although they are still | ||
+ | # supported. | ||
+ | # | ||
+ | # Anything listed in 'clients.conf' will take precedence over the | ||
+ | # information from the old-style configuration files. | ||
+ | # | ||
+ | $INCLUDE clients.conf | ||
+ | |||
+ | |||
+ | # THREAD POOL CONFIGURATION | ||
+ | # | ||
+ | # The thread pool is a long-lived group of threads which | ||
+ | # take turns (round-robin) handling any incoming requests. | ||
+ | # | ||
+ | # You probably want to have a few spare threads around, | ||
+ | # so that high-load situations can be handled immediately. If you | ||
+ | # don't have any spare threads, then the request handling will | ||
+ | # be delayed while a new thread is created, and added to the pool. | ||
+ | # | ||
+ | # You probably don't want too many spare threads around, | ||
+ | # otherwise they'll be sitting there taking up resources, and | ||
+ | # not doing anything productive. | ||
+ | # | ||
+ | # The numbers given below should be adequate for most situations. | ||
+ | # | ||
+ | thread pool { | ||
+ | # Number of servers to start initially --- should be a reasonable | ||
+ | # ballpark figure. | ||
+ | start_servers = 5 | ||
+ | |||
+ | # Limit on the total number of servers running. | ||
+ | # | ||
+ | # If this limit is ever reached, clients will be LOCKED OUT, so it | ||
+ | # should NOT BE SET TOO LOW. It is intended mainly as a brake to | ||
+ | # keep a runaway server from taking the system with it as it spirals | ||
+ | # down... | ||
+ | # | ||
+ | # You may find that the server is regularly reaching the | ||
+ | # 'max_servers' number of threads, and that increasing | ||
+ | # 'max_servers' doesn't seem to make much difference. | ||
+ | # | ||
+ | # If this is the case, then the problem is MOST LIKELY that | ||
+ | # your back-end databases are taking too long to respond, and | ||
+ | # are preventing the server from responding in a timely manner. | ||
+ | # | ||
+ | # The solution is NOT to keep increasing the 'max_servers' | ||
+ | # value, but instead to fix the underlying cause of the | ||
+ | # problem: slow database, or 'hostname_lookups=yes'. | ||
+ | # | ||
+ | # For more information, see 'max_request_time', above. | ||
+ | # | ||
+ | max_servers = 32 | ||
+ | |||
+ | # Server-pool size regulation. Rather than making you guess | ||
+ | # how many servers you need, FreeRADIUS dynamically adapts to | ||
+ | # the load it sees, that is, it tries to maintain enough | ||
+ | # servers to handle the current load, plus a few spare | ||
+ | # servers to handle transient load spikes. | ||
+ | # | ||
+ | # It does this by periodically checking how many servers are | ||
+ | # waiting for a request. If there are fewer than | ||
+ | # min_spare_servers, it creates a new spare. If there are | ||
+ | # more than max_spare_servers, some of the spares die off. | ||
+ | # The default values are probably OK for most sites. | ||
+ | # | ||
+ | min_spare_servers = 3 | ||
+ | max_spare_servers = 10 | ||
+ | |||
+ | # When the server receives a packet, it places it onto an | ||
+ | # internal queue, where the worker threads (configured above) | ||
+ | # pick it up for processing. The maximum size of that queue | ||
+ | # is given here. | ||
+ | # | ||
+ | # When the queue is full, any new packets will be silently | ||
+ | # discarded. | ||
+ | # | ||
+ | # The most common cause of the queue being full is that the | ||
+ | # server is dependent on a slow database, and it has received | ||
+ | # a large "spike" of traffic. When that happens, there is | ||
+ | # very little you can do other than make sure the server | ||
+ | # receives less traffic, or make sure that the database can | ||
+ | # handle the load. | ||
+ | # | ||
+ | # max_queue_size = 65536 | ||
+ | |||
+ | # There may be memory leaks or resource allocation problems with | ||
+ | # the server. If so, set this value to 300 or so, so that the | ||
+ | # resources will be cleaned up periodically. | ||
+ | # | ||
+ | # This should only be necessary if there are serious bugs in the | ||
+ | # server which have not yet been fixed. | ||
+ | # | ||
+ | # '0' is a special value meaning 'infinity', or 'the servers never | ||
+ | # exit' | ||
+ | max_requests_per_server = 0 | ||
+ | } | ||
+ | |||
+ | # MODULE CONFIGURATION | ||
+ | # | ||
+ | # The names and configuration of each module is located in this section. | ||
+ | # | ||
+ | # After the modules are defined here, they may be referred to by name, | ||
+ | # in other sections of this configuration file. | ||
+ | # | ||
+ | modules { | ||
+ | # | ||
+ | # Each module has a configuration as follows: | ||
+ | # | ||
+ | # name [ instance ] { | ||
+ | # config_item = value | ||
+ | # ... | ||
+ | # } | ||
+ | # | ||
+ | # The 'name' is used to load the 'rlm_name' library | ||
+ | # which implements the functionality of the module. | ||
+ | # | ||
+ | # The 'instance' is optional. To have two different instances | ||
+ | # of a module, it first must be referred to by 'name'. | ||
+ | # The different copies of the module are then created by | ||
+ | # inventing two 'instance' names, e.g. 'instance1' and 'instance2' | ||
+ | # | ||
+ | # The instance names can then be used in later configuration | ||
+ | # INSTEAD of the original 'name'. See the 'radutmp' configuration | ||
+ | # for an example. | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # As of 2.0.5, most of the module configurations are in a | ||
+ | # sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/ | ||
+ | # are loaded. The modules are initialized ONLY if they are | ||
+ | # referenced in a processing section, such as authorize, | ||
+ | # authenticate, accounting, pre/post-proxy, etc. | ||
+ | # | ||
+ | $INCLUDE ${confdir}/modules/ | ||
+ | |||
+ | # Extensible Authentication Protocol | ||
+ | # | ||
+ | # For all EAP related authentications. | ||
+ | # Now in another file, because it is very large. | ||
+ | # | ||
+ | $INCLUDE eap.conf | ||
+ | |||
+ | # Include another file that has the SQL-related configuration. | ||
+ | # This is another file only because it tends to be big. | ||
+ | # | ||
+ | $INCLUDE sql.conf | ||
+ | |||
+ | # | ||
+ | # This module is an SQL enabled version of the counter module. | ||
+ | # | ||
+ | # Rather than maintaining separate (GDBM) databases of | ||
+ | # accounting info for each counter, this module uses the data | ||
+ | # stored in the radacct table by the sql modules. This | ||
+ | # module NEVER does any database INSERTs or UPDATEs. It is | ||
+ | # totally dependent on the SQL module to process Accounting | ||
+ | # packets. | ||
+ | # | ||
+ | $INCLUDE sql/mysql/counter.conf | ||
+ | |||
+ | # | ||
+ | # IP addresses managed in an SQL table. | ||
+ | # | ||
+ | # $INCLUDE sqlippool.conf | ||
+ | } | ||
+ | |||
+ | # Instantiation | ||
+ | # | ||
+ | # This section orders the loading of the modules. Modules | ||
+ | # listed here will get loaded BEFORE the later sections like | ||
+ | # authorize, authenticate, etc. get examined. | ||
+ | # | ||
+ | # This section is not strictly needed. When a section like | ||
+ | # authorize refers to a module, it's automatically loaded and | ||
+ | # initialized. However, some modules may not be listed in any | ||
+ | # of the following sections, so they can be listed here. | ||
+ | # | ||
+ | # Also, listing modules here ensures that you have control over | ||
+ | # the order in which they are initialized. If one module needs | ||
+ | # something defined by another module, you can list them in order | ||
+ | # here, and ensure that the configuration will be OK. | ||
+ | # | ||
+ | instantiate { | ||
+ | # | ||
+ | # Allows the execution of external scripts. | ||
+ | # The entire command line (and output) must fit into 253 bytes. | ||
+ | # | ||
+ | # e.g. Framed-Pool = `%{exec:/bin/echo foo}` | ||
+ | exec | ||
+ | |||
+ | # | ||
+ | # The expression module doesn't do authorization, | ||
+ | # authentication, or accounting. It only does dynamic | ||
+ | # translation, of the form: | ||
+ | # | ||
+ | # Session-Timeout = `%{expr:2 + 3}` | ||
+ | # | ||
+ | # This module needs to be instantiated, but CANNOT be | ||
+ | # listed in any other section. See 'doc/rlm_expr' for | ||
+ | # more information. | ||
+ | # | ||
+ | # rlm_expr is also responsible for registering many | ||
+ | # other xlat functions such as md5, sha1 and lc. | ||
+ | # | ||
+ | # We do not recommend removing it's listing here. | ||
+ | expr | ||
+ | |||
+ | # | ||
+ | # We add the counter module here so that it registers | ||
+ | # the check-name attribute before any module which sets | ||
+ | # it | ||
+ | # daily | ||
+ | expiration | ||
+ | logintime | ||
+ | |||
+ | # subsections here can be thought of as "virtual" modules. | ||
+ | # | ||
+ | # e.g. If you have two redundant SQL servers, and you want to | ||
+ | # use them in the authorize and accounting sections, you could | ||
+ | # place a "redundant" block in each section, containing the | ||
+ | # exact same text. Or, you could uncomment the following | ||
+ | # lines, and list "redundant_sql" in the authorize and | ||
+ | # accounting sections. | ||
+ | # | ||
+ | #redundant redundant_sql { | ||
+ | # sql1 | ||
+ | # sql2 | ||
+ | #} | ||
+ | chillispot_max_bytes | ||
+ | noresetcounter | ||
+ | } | ||
+ | |||
+ | ###################################################################### | ||
+ | # | ||
+ | # Policies that can be applied in multiple places are listed | ||
+ | # globally. That way, they can be defined once, and referred | ||
+ | # to multiple times. | ||
+ | # | ||
+ | ###################################################################### | ||
+ | $INCLUDE policy.conf | ||
+ | |||
+ | ###################################################################### | ||
+ | # | ||
+ | # Load virtual servers. | ||
+ | # | ||
+ | # This next $INCLUDE line loads files in the directory that | ||
+ | # match the regular expression: /[a-zA-Z0-9_.]+/ | ||
+ | # | ||
+ | # It allows you to define new virtual servers simply by placing | ||
+ | # a file into the raddb/sites-enabled/ directory. | ||
+ | # | ||
+ | $INCLUDE sites-enabled/ | ||
+ | |||
+ | ###################################################################### | ||
+ | # | ||
+ | # All of the other configuration sections like "authorize {}", | ||
+ | # "authenticate {}", "accounting {}", have been moved to the | ||
+ | # the file: | ||
+ | # | ||
+ | # raddb/sites-available/default | ||
+ | # | ||
+ | # This is the "default" virtual server that has the same | ||
+ | # configuration as in version 1.0.x and 1.1.x. The default | ||
+ | # installation enables this virtual server. You should | ||
+ | # edit it to create policies for your local site. | ||
+ | # | ||
+ | # For more documentation on virtual servers, see: | ||
+ | # | ||
+ | # raddb/sites-available/README | ||
+ | # | ||
+ | ###################################################################### | ||
+ | |||
+ | </code> | ||
+ | sudo vi /etc/freeradius/radiusd.conf | ||
+ | |||
+ | uncomment following includes if necessary: | ||
+ | ''$INCLUDE clients.conf | ||
+ | $INCLUDE sql.conf | ||
+ | $INCLUDE sql/mysql/counter.conf'' | ||
+ | |||
+ | Under the instantiate section add the following counter modules: | ||
+ | ''chillispot_max_bytes | ||
+ | noresetcounter'' | ||
+ | |||
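Review bot: the three includes in the "uncomment following includes if necessary" step are not optional for this setup, so the wording understates it. The "chillispot_max_bytes" and "noresetcounter" instances that the instantiate step adds come from "sql/mysql/counter.conf", and the comment above that include says the counter module never does any INSERT or UPDATE itself and is "totally dependent on the SQL module to process Accounting packets". That means "$INCLUDE sql.conf" must be active, it must stay ahead of "sql/mysql/counter.conf" as it is in the file, and the "sql" instance must actually run in the accounting section, otherwise the byte quotas never count anything and every client stays under the limit. Suggest saying so explicitly instead of "if necessary". Minor formatting point: the multi-line ''...'' spans render as one inline code run in DokuWiki, so the three include lines and the two module names collapse onto a single line; a <code> block would keep them readable.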
+ | Configure the default virtual server under sites-available: | ||
+ | |||
+ | <code c default> | ||
+ | ###################################################################### | ||
+ | # | ||
+ | # As of 2.0.0, FreeRADIUS supports virtual hosts using the | ||
+ | # "server" section, and configuration directives. | ||
+ | # | ||
+ | # Virtual hosts should be put into the "sites-available" | ||
+ | # directory. Soft links should be created in the "sites-enabled" | ||
+ | # directory to these files. This is done in a normal installation. | ||
+ | # | ||
+ | # If you are using 802.1X (EAP) authentication, please see also | ||
+ | # the "inner-tunnel" virtual server. You wll likely have to edit | ||
+ | # that, too, for authentication to work. | ||
+ | # | ||
+ | # $Id: 520ccbc90f3a09cd6a80e1e3b16000b7ba94d884 $ | ||
+ | # | ||
+ | ###################################################################### | ||
+ | # | ||
+ | # Read "man radiusd" before editing this file. See the section | ||
+ | # titled DEBUGGING. It outlines a method where you can quickly | ||
+ | # obtain the configuration you want, without running into | ||
+ | # trouble. See also "man unlang", which documents the format | ||
+ | # of this file. | ||
+ | # | ||
+ | # This configuration is designed to work in the widest possible | ||
+ | # set of circumstances, with the widest possible number of | ||
+ | # authentication methods. This means that in general, you should | ||
+ | # need to make very few changes to this file. | ||
+ | # | ||
+ | # The best way to configure the server for your local system | ||
+ | # is to CAREFULLY edit this file. Most attempts to make large | ||
+ | # edits to this file will BREAK THE SERVER. Any edits should | ||
+ | # be small, and tested by running the server with "radiusd -X". | ||
+ | # Once the edits have been verified to work, save a copy of these | ||
+ | # configuration files somewhere. (e.g. as a "tar" file). Then, | ||
+ | # make more edits, and test, as above. | ||
+ | # | ||
+ | # There are many "commented out" references to modules such | ||
+ | # as ldap, sql, etc. These references serve as place-holders. | ||
+ | # If you need the functionality of that module, then configure | ||
+ | # it in radiusd.conf, and un-comment the references to it in | ||
+ | # this file. In most cases, those small changes will result | ||
+ | # in the server being able to connect to the DB, and to | ||
+ | # authenticate users. | ||
+ | # | ||
+ | ###################################################################### | ||
+ | |||
+ | # | ||
+ | # In 1.x, the "authorize", etc. sections were global in | ||
+ | # radiusd.conf. As of 2.0, they SHOULD be in a server section. | ||
+ | # | ||
+ | # The server section with no virtual server name is the "default" | ||
+ | # section. It is used when no server name is specified. | ||
+ | # | ||
+ | # We don't indent the rest of this file, because doing so | ||
+ | # would make it harder to read. | ||
+ | # | ||
+ | |||
+ | # Authorization. First preprocess (hints and huntgroups files), | ||
+ | # then realms, and finally look in the "users" file. | ||
+ | # | ||
+ | # Any changes made here should also be made to the "inner-tunnel" | ||
+ | # virtual server. | ||
+ | # | ||
+ | # The order of the realm modules will determine the order that | ||
+ | # we try to find a matching realm. | ||
+ | # | ||
+ | # Make *sure* that 'preprocess' comes before any realm if you | ||
+ | # need to setup hints for the remote radius server | ||
+ | authorize { | ||
+ | # | ||
+ | # Security settings. Take a User-Name, and do some simple | ||
+ | # checks on it, for spaces and other invalid characters. If | ||
+ | # it looks like the user is trying to play games, reject it. | ||
+ | # | ||
+ | # This should probably be enabled by default. | ||
+ | # | ||
+ | # See policy.conf for the definition of the filter_username policy. | ||
+ | # | ||
+ | # filter_username | ||
+ | |||
+ | # | ||
+ | # The preprocess module takes care of sanitizing some bizarre | ||
+ | # attributes in the request, and turning them into attributes | ||
+ | # which are more standard. | ||
+ | # | ||
+ | # It takes care of processing the 'raddb/hints' and the | ||
+ | # 'raddb/huntgroups' files. | ||
+ | #preprocess | ||
+ | |||
+ | # | ||
+ | # If you want to have a log of authentication requests, | ||
+ | # un-comment the following line, and the 'detail auth_log' | ||
+ | # section, above. | ||
+ | auth_log | ||
+ | |||
+ | # | ||
+ | # The chap module will set 'Auth-Type := CHAP' if we are | ||
+ | # handling a CHAP request and Auth-Type has not already been set | ||
+ | chap | ||
+ | |||
+ | # | ||
+ | # If the users are logging in with an MS-CHAP-Challenge | ||
+ | # attribute for authentication, the mschap module will find | ||
+ | # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' | ||
+ | # to the request, which will cause the server to then use | ||
+ | # the mschap module for authentication. | ||
+ | mschap | ||
+ | |||
+ | # | ||
+ | # If you have a Cisco SIP server authenticating against | ||
+ | # FreeRADIUS, uncomment the following line, and the 'digest' | ||
+ | # line in the 'authenticate' section. | ||
+ | digest | ||
+ | |||
+ | # | ||
+ | # The WiMAX specification says that the Calling-Station-Id | ||
+ | # is 6 octets of the MAC. This definition conflicts with | ||
+ | # RFC 3580, and all common RADIUS practices. Un-commenting | ||
+ | # the "wimax" module here means that it will fix the | ||
+ | # Calling-Station-Id attribute to the normal format as | ||
+ | # specified in RFC 3580 Section 3.21 | ||
+ | # wimax | ||
+ | |||
+ | # | ||
+ | # Look for IPASS style 'realm/', and if not found, look for | ||
+ | # '@realm', and decide whether or not to proxy, based on | ||
+ | # that. | ||
+ | # IPASS | ||
+ | |||
+ | # | ||
+ | # If you are using multiple kinds of realms, you probably | ||
+ | # want to set "ignore_null = yes" for all of them. | ||
+ | # Otherwise, when the first style of realm doesn't match, | ||
+ | # the other styles won't be checked. | ||
+ | # | ||
+ | suffix | ||
+ | # ntdomain | ||
+ | |||
+ | # | ||
+ | # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP | ||
+ | # authentication. | ||
+ | # | ||
+ | # It also sets the EAP-Type attribute in the request | ||
+ | # attribute list to the EAP type from the packet. | ||
+ | # | ||
+ | # As of 2.0, the EAP module returns "ok" in the authorize stage | ||
+ | # for TTLS and PEAP. In 1.x, it never returned "ok" here, so | ||
+ | # this change is compatible with older configurations. | ||
+ | # | ||
+ | # The example below uses module failover to avoid querying all | ||
+ | # of the following modules if the EAP module returns "ok". | ||
+ | # Therefore, your LDAP and/or SQL servers will not be queried | ||
+ | # for the many packets that go back and forth to set up TTLS | ||
+ | # or PEAP. The load on those servers will therefore be reduced. | ||
+ | # | ||
+ | eap { | ||
+ | ok = return | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Pull crypt'd passwords from /etc/passwd or /etc/shadow, | ||
+ | # using the system API's to get the password. If you want | ||
+ | # to read /etc/passwd or /etc/shadow directly, see the | ||
+ | # passwd module in radiusd.conf. | ||
+ | # | ||
+ | unix | ||
+ | |||
+ | # | ||
+ | # Read the 'users' file | ||
+ | # files | ||
+ | |||
+ | # | ||
+ | # Look in an SQL database. The schema of the database | ||
+ | # is meant to mirror the "users" file. | ||
+ | # | ||
+ | # See "Authorization Queries" in sql.conf | ||
+ | sql | ||
+ | |||
+ | # | ||
+ | # If you are using /etc/smbpasswd, and are also doing | ||
+ | # mschap authentication, the un-comment this line, and | ||
+ | # configure the 'smbpasswd' module. | ||
+ | # smbpasswd | ||
+ | |||
+ | # | ||
+ | # The ldap module will set Auth-Type to LDAP if it has not | ||
+ | # already been set | ||
+ | # ldap | ||
+ | |||
+ | # | ||
+ | # Enforce daily limits on time spent logged in. | ||
+ | # daily | ||
+ | |||
+ | # | ||
+ | # Use the checkval module | ||
+ | # checkval | ||
+ | |||
+ | expiration | ||
+ | logintime | ||
+ | |||
+ | # | ||
+ | # If no other module has claimed responsibility for | ||
+ | # authentication, then try to use PAP. This allows the | ||
+ | # other modules listed above to add a "known good" password | ||
+ | # to the request, and to do nothing else. The PAP module | ||
+ | # will then see that password, and use it to do PAP | ||
+ | # authentication. | ||
+ | # | ||
+ | # This module should be listed last, so that the other modules | ||
+ | # get a chance to set Auth-Type for themselves. | ||
+ | # | ||
+ | pap | ||
+ | |||
+ | # | ||
+ | # If "status_server = yes", then Status-Server messages are passed | ||
+ | # through the following section, and ONLY the following section. | ||
+ | # This permits you to do DB queries, for example. If the modules | ||
+ | # listed here return "fail", then NO response is sent. | ||
+ | # | ||
+ | # Autz-Type Status-Server { | ||
+ | # | ||
+ | # } | ||
+ | noresetcounter | ||
+ | chillispot_max_bytes | ||
+ | } | ||
+ | |||
+ | |||
+ | # Authentication. | ||
+ | # | ||
+ | # | ||
+ | # This section lists which modules are available for authentication. | ||
+ | # Note that it does NOT mean 'try each module in order'. It means | ||
+ | # that a module from the 'authorize' section adds a configuration | ||
+ | # attribute 'Auth-Type := FOO'. That authentication type is then | ||
+ | # used to pick the apropriate module from the list below. | ||
+ | # | ||
+ | |||
+ | # In general, you SHOULD NOT set the Auth-Type attribute. The server | ||
+ | # will figure it out on its own, and will do the right thing. The | ||
+ | # most common side effect of erroneously setting the Auth-Type | ||
+ | # attribute is that one authentication method will work, but the | ||
+ | # others will not. | ||
+ | # | ||
+ | # The common reasons to set the Auth-Type attribute by hand | ||
+ | # is to either forcibly reject the user (Auth-Type := Reject), | ||
+ | # or to or forcibly accept the user (Auth-Type := Accept). | ||
+ | # | ||
+ | # Note that Auth-Type := Accept will NOT work with EAP. | ||
+ | # | ||
+ | # Please do not put "unlang" configurations into the "authenticate" | ||
+ | # section. Put them in the "post-auth" section instead. That's what | ||
+ | # the post-auth section is for. | ||
+ | # | ||
+ | authenticate { | ||
+ | # | ||
+ | # PAP authentication, when a back-end database listed | ||
+ | # in the 'authorize' section supplies a password. The | ||
+ | # password can be clear-text, or encrypted. | ||
+ | Auth-Type PAP { | ||
+ | pap | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Most people want CHAP authentication | ||
+ | # A back-end database listed in the 'authorize' section | ||
+ | # MUST supply a CLEAR TEXT password. Encrypted passwords | ||
+ | # won't work. | ||
+ | Auth-Type CHAP { | ||
+ | chap | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # MSCHAP authentication. | ||
+ | Auth-Type MS-CHAP { | ||
+ | mschap | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # If you have a Cisco SIP server authenticating against | ||
+ | # FreeRADIUS, uncomment the following line, and the 'digest' | ||
+ | # line in the 'authorize' section. | ||
+ | digest | ||
+ | |||
+ | # | ||
+ | # Pluggable Authentication Modules. | ||
+ | # pam | ||
+ | |||
+ | # | ||
+ | # See 'man getpwent' for information on how the 'unix' | ||
+ | # module checks the users password. Note that packets | ||
+ | # containing CHAP-Password attributes CANNOT be authenticated | ||
+ | # against /etc/passwd! See the FAQ for details. | ||
+ | # | ||
+ | # For normal "crypt" authentication, the "pap" module should | ||
+ | # be used instead of the "unix" module. The "unix" module should | ||
+ | # be used for authentication ONLY for compatibility with legacy | ||
+ | # FreeRADIUS configurations. | ||
+ | # | ||
+ | unix | ||
+ | |||
+ | # Uncomment it if you want to use ldap for authentication | ||
+ | # | ||
+ | # Note that this means "check plain-text password against | ||
+ | # the ldap database", which means that EAP won't work, | ||
+ | # as it does not supply a plain-text password. | ||
+ | # Auth-Type LDAP { | ||
+ | # ldap | ||
+ | # } | ||
+ | |||
+ | # | ||
+ | # Allow EAP authentication. | ||
+ | eap | ||
+ | |||
+ | # | ||
+ | # The older configurations sent a number of attributes in | ||
+ | # Access-Challenge packets, which wasn't strictly correct. | ||
+ | # If you want to filter out these attributes, uncomment | ||
+ | # the following lines. | ||
+ | # | ||
+ | # Auth-Type eap { | ||
+ | # eap { | ||
+ | # handled = 1 | ||
+ | # } | ||
+ | # if (handled && (Response-Packet-Type == Access-Challenge)) { | ||
+ | # attr_filter.access_challenge.post-auth | ||
+ | # handled # override the "updated" code from attr_filter | ||
+ | # } | ||
+ | # } | ||
+ | } | ||
+ | |||
+ | |||
+ | # | ||
+ | # Pre-accounting. Decide which accounting type to use. | ||
+ | # | ||
+ | preacct { | ||
+ | preprocess | ||
+ | |||
+ | # | ||
+ | # Session start times are *implied* in RADIUS. | ||
+ | # The NAS never sends a "start time". Instead, it sends | ||
+ | # a start packet, *possibly* with an Acct-Delay-Time. | ||
+ | # The server is supposed to conclude that the start time | ||
+ | # was "Acct-Delay-Time" seconds in the past. | ||
+ | # | ||
+ | # The code below creates an explicit start time, which can | ||
+ | # then be used in other modules. | ||
+ | # | ||
+ | # The start time is: NOW - delay - session_length | ||
+ | # | ||
+ | |||
+ | # update request { | ||
+ | # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" | ||
+ | # } | ||
+ | |||
+ | |||
+ | # | ||
+ | # Ensure that we have a semi-unique identifier for every | ||
+ | # request, and many NAS boxes are broken. | ||
+ | acct_unique | ||
+ | |||
+ | # | ||
+ | # Look for IPASS-style 'realm/', and if not found, look for | ||
+ | # '@realm', and decide whether or not to proxy, based on | ||
+ | # that. | ||
+ | # | ||
+ | # Accounting requests are generally proxied to the same | ||
+ | # home server as authentication requests. | ||
+ | # IPASS | ||
+ | suffix | ||
+ | # ntdomain | ||
+ | |||
+ | # | ||
+ | # Read the 'acct_users' file | ||
+ | files | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Accounting. Log the accounting data. | ||
+ | # | ||
+ | accounting { | ||
+ | # | ||
+ | # Create a 'detail'ed log of the packets. | ||
+ | # Note that accounting requests which are proxied | ||
+ | # are also logged in the detail file. | ||
+ | detail | ||
+ | # daily | ||
+ | |||
+ | # Update the wtmp file | ||
+ | # | ||
+ | # If you don't use "radlast", you can delete this line. | ||
+ | # unix | ||
+ | |||
+ | # | ||
+ | # For Simultaneous-Use tracking. | ||
+ | # | ||
+ | # Due to packet losses in the network, the data here | ||
+ | # may be incorrect. There is little we can do about it. | ||
+ | radutmp | ||
+ | # sradutmp | ||
+ | |||
+ | # Return an address to the IP Pool when we see a stop record. | ||
+ | # main_pool | ||
+ | |||
+ | # | ||
+ | # Log traffic to an SQL database. | ||
+ | # | ||
+ | # See "Accounting queries" in sql.conf | ||
+ | sql | ||
+ | |||
+ | # | ||
+ | # If you receive stop packets with zero session length, | ||
+ | # they will NOT be logged in the database. The SQL module | ||
+ | # will print a message (only in debugging mode), and will | ||
+ | # return "noop". | ||
+ | # | ||
+ | # You can ignore these packets by uncommenting the following | ||
+ | # three lines. Otherwise, the server will not respond to the | ||
+ | # accounting request, and the NAS will retransmit. | ||
+ | # | ||
+ | # if (noop) { | ||
+ | # ok | ||
+ | # } | ||
+ | |||
+ | # | ||
+ | # Instead of sending the query to the SQL server, | ||
+ | # write it into a log file. | ||
+ | # | ||
+ | # sql_log | ||
+ | |||
+ | # Cisco VoIP specific bulk accounting | ||
+ | # pgsql-voip | ||
+ | |||
+ | # For Exec-Program and Exec-Program-Wait | ||
+ | exec | ||
+ | |||
+ | # Filter attributes from the accounting response. | ||
+ | attr_filter.accounting_response | ||
+ | |||
+ | # | ||
+ | # See "Autz-Type Status-Server" for how this works. | ||
+ | # | ||
+ | # Acct-Type Status-Server { | ||
+ | # | ||
+ | # } | ||
+ | } | ||
+ | |||
+ | |||
+ | # Session database, used for checking Simultaneous-Use. Either the radutmp | ||
+ | # or rlm_sql module can handle this. | ||
+ | # The rlm_sql module is *much* faster | ||
+ | session { | ||
+ | radutmp | ||
+ | |||
+ | # | ||
+ | # See "Simultaneous Use Checking Queries" in sql.conf | ||
+ | sql | ||
+ | } | ||
+ | |||
+ | |||
+ | # Post-Authentication | ||
+ | # Once we KNOW that the user has been authenticated, there are | ||
+ | # additional steps we can take. | ||
+ | post-auth { | ||
+ | # Get an address from the IP Pool. | ||
+ | # main_pool | ||
+ | |||
+ | # | ||
+ | # If you want to have a log of authentication replies, | ||
+ | # un-comment the following line, and the 'detail reply_log' | ||
+ | # section, above. | ||
+ | reply_log | ||
+ | |||
+ | # | ||
+ | # After authenticating the user, do another SQL query. | ||
+ | # | ||
+ | # See "Authentication Logging Queries" in sql.conf | ||
+ | sql | ||
+ | |||
+ | # | ||
+ | # Instead of sending the query to the SQL server, | ||
+ | # write it into a log file. | ||
+ | # | ||
+ | # sql_log | ||
+ | |||
+ | # | ||
+ | # Un-comment the following if you have set | ||
+ | # 'edir_account_policy_check = yes' in the ldap module sub-section of | ||
+ | # the 'modules' section. | ||
+ | # | ||
+ | # ldap | ||
+ | |||
+ | # For Exec-Program and Exec-Program-Wait | ||
+ | exec | ||
+ | |||
+ | # | ||
+ | # Calculate the various WiMAX keys. In order for this to work, | ||
+ | # you will need to define the WiMAX NAI, usually via | ||
+ | # | ||
+ | # update request { | ||
+ | # WiMAX-MN-NAI = "%{User-Name}" | ||
+ | # } | ||
+ | # | ||
+ | # If you want various keys to be calculated, you will need to | ||
+ | # update the reply with "template" values. The module will see | ||
+ | # this, and replace the template values with the correct ones | ||
+ | # taken from the cryptographic calculations. e.g. | ||
+ | # | ||
+ | # update reply { | ||
+ | # WiMAX-FA-RK-Key = 0x00 | ||
+ | # WiMAX-MSK = "%{EAP-MSK}" | ||
+ | # } | ||
+ | # | ||
+ | # You may want to delete the MS-MPPE-*-Keys from the reply, | ||
+ | # as some WiMAX clients behave badly when those attributes | ||
+ | # are included. See "raddb/modules/wimax", configuration | ||
+ | # entry "delete_mppe_keys" for more information. | ||
+ | # | ||
+ | # wimax | ||
+ | |||
+ | # If there is a client certificate (EAP-TLS, sometimes PEAP | ||
+ | # and TTLS), then some attributes are filled out after the | ||
+ | # certificate verification has been performed. These fields | ||
+ | # MAY be available during the authentication, or they may be | ||
+ | # available only in the "post-auth" section. | ||
+ | # | ||
+ | # The first set of attributes contains information about the | ||
+ | # issuing certificate which is being used. The second | ||
+ | # contains information about the client certificate (if | ||
+ | # available). | ||
+ | # | ||
+ | # update reply { | ||
+ | # Reply-Message += "%{TLS-Cert-Serial}" | ||
+ | # Reply-Message += "%{TLS-Cert-Expiration}" | ||
+ | # Reply-Message += "%{TLS-Cert-Subject}" | ||
+ | # Reply-Message += "%{TLS-Cert-Issuer}" | ||
+ | # Reply-Message += "%{TLS-Cert-Common-Name}" | ||
+ | # Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" | ||
+ | # | ||
+ | # Reply-Message += "%{TLS-Client-Cert-Serial}" | ||
+ | # Reply-Message += "%{TLS-Client-Cert-Expiration}" | ||
+ | # Reply-Message += "%{TLS-Client-Cert-Subject}" | ||
+ | # Reply-Message += "%{TLS-Client-Cert-Issuer}" | ||
+ | # Reply-Message += "%{TLS-Client-Cert-Common-Name}" | ||
+ | # Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" | ||
+ | # } | ||
+ | |||
+ | # MacSEC requires the use of EAP-Key-Name. However, we don't | ||
+ | # want to send it for all EAP sessions. Therefore, the EAP | ||
+ | # modules put required data into the EAP-Session-Id attribute. | ||
+ | # This attribute is never put into a request or reply packet. | ||
+ | # | ||
+ | # Uncomment the next few lines to copy the required data into | ||
+ | # the EAP-Key-Name attribute | ||
+ | # if (reply:EAP-Session-Id) { | ||
+ | # update reply { | ||
+ | # EAP-Key-Name := "%{reply:EAP-Session-Id}" | ||
+ | # } | ||
+ | # } | ||
+ | |||
+ | # If the WiMAX module did it's work, you may want to do more | ||
+ | # things here, like delete the MS-MPPE-*-Key attributes. | ||
+ | # | ||
+ | # if (updated) { | ||
+ | # update reply { | ||
+ | # MS-MPPE-Recv-Key !* 0x00 | ||
+ | # MS-MPPE-Send-Key !* 0x00 | ||
+ | # } | ||
+ | # } | ||
+ | |||
+ | # | ||
+ | # Access-Reject packets are sent through the REJECT sub-section of the | ||
+ | # post-auth section. | ||
+ | # | ||
+ | # Add the ldap module name (or instance) if you have set | ||
+ | # 'edir_account_policy_check = yes' in the ldap module configuration | ||
+ | # | ||
+ | Post-Auth-Type REJECT { | ||
+ | # log failed authentications in SQL, too. | ||
+ | # sql | ||
+ | attr_filter.access_reject | ||
+ | } | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # When the server decides to proxy a request to a home server, | ||
+ | # the proxied request is first passed through the pre-proxy | ||
+ | # stage. This stage can re-write the request, or decide to | ||
+ | # cancel the proxy. | ||
+ | # | ||
+ | # Only a few modules currently have this method. | ||
+ | # | ||
+ | pre-proxy { | ||
+ | # attr_rewrite | ||
+ | |||
+ | # Uncomment the following line if you want to change attributes | ||
+ | # as defined in the preproxy_users file. | ||
+ | # files | ||
+ | |||
+ | # Uncomment the following line if you want to filter requests | ||
+ | # sent to remote servers based on the rules defined in the | ||
+ | # 'attrs.pre-proxy' file. | ||
+ | # attr_filter.pre-proxy | ||
+ | |||
+ | # If you want to have a log of packets proxied to a home | ||
+ | # server, un-comment the following line, and the | ||
+ | # 'detail pre_proxy_log' section, above. | ||
+ | # pre_proxy_log | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # When the server receives a reply to a request it proxied | ||
+ | # to a home server, the request may be massaged here, in the | ||
+ | # post-proxy stage. | ||
+ | # | ||
+ | post-proxy { | ||
+ | |||
+ | # If you want to have a log of replies from a home server, | ||
+ | # un-comment the following line, and the 'detail post_proxy_log' | ||
+ | # section, above. | ||
+ | # post_proxy_log | ||
+ | |||
+ | # attr_rewrite | ||
+ | |||
+ | # Uncomment the following line if you want to filter replies from | ||
+ | # remote proxies based on the rules defined in the 'attrs' file. | ||
+ | # attr_filter.post-proxy | ||
+ | |||
+ | # | ||
+ | # If you are proxying LEAP, you MUST configure the EAP | ||
+ | # module, and you MUST list it here, in the post-proxy | ||
+ | # stage. | ||
+ | # | ||
+ | # You MUST also use the 'nostrip' option in the 'realm' | ||
+ | # configuration. Otherwise, the User-Name attribute | ||
+ | # in the proxied request will not match the user name | ||
+ | # hidden inside of the EAP packet, and the end server will | ||
+ | # reject the EAP request. | ||
+ | # | ||
+ | eap | ||
+ | |||
+ | # | ||
+ | # If the server tries to proxy a request and fails, then the | ||
+ | # request is processed through the modules in this section. | ||
+ | # | ||
+ | # The main use of this section is to permit robust proxying | ||
+ | # of accounting packets. The server can be configured to | ||
+ | # proxy accounting packets as part of normal processing. | ||
+ | # Then, if the home server goes down, accounting packets can | ||
+ | # be logged to a local "detail" file, for processing with | ||
+ | # radrelay. When the home server comes back up, radrelay | ||
+ | # will read the detail file, and send the packets to the | ||
+ | # home server. | ||
+ | # | ||
+ | # With this configuration, the server always responds to | ||
+ | # Accounting-Requests from the NAS, but only writes | ||
+ | # accounting packets to disk if the home server is down. | ||
+ | # | ||
+ | # Post-Proxy-Type Fail { | ||
+ | # detail | ||
+ | # } | ||
+ | } | ||
+ | </code> | ||
+ | |||
+ | |||
+ | Under authorize section: | ||
+ | Comment the following: | ||
+ | ''#filter_username | ||
+ | #files'' | ||
+ | |||
+ | Uncomment the following: | ||
+ | ''auth_log | ||
+ | unix'' | ||
+ | |||
+ | Change the following if necessary: | ||
+ | '''-sql' to sql'' | ||
+ | |||
+ | Add the following at the end of authorize section: | ||
+ | ''chillispot_max_bytes | ||
+ | noresetcounter'' | ||
+ | |||
+ | Next under accounting section, Uncomment the following: | ||
+ | ''radutmp'' | ||
+ | |||
+ | Change the following if necessary: | ||
+ | '''-sql' to sql'' | ||
+ | |||
+ | Next under session section, Uncomment the following: | ||
+ | ''radutmp | ||
+ | sql'' | ||
+ | |||
+ | Next under post-auth section, Uncomment the following: | ||
+ | ''reply_log'' | ||
+ | |||
+ | Change the following if necessary: | ||
+ | '' '-sql' to sql'' | ||
+ | |||
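Review bot: commenting out "filter_username" in the authorize section removes input checking on a public hotspot. The file's own comment next to it says the check "should probably be enabled by default", and here the User-Name comes straight from the captive-portal login form, so keep "filter_username" active (it is defined in policy.conf, which radiusd.conf already includes) and only disable it if a test shows it rejecting legitimate hotspot names. Smaller points in the same section: uncommenting "unix" in authorize, with "unix" also active in authenticate, means hotspot credentials are additionally checked against the RADIUS host's own /etc/passwd and /etc/shadow, which the inline comment reserves for legacy configurations; if the hotspot accounts live in SQL, leave "unix" commented in both places. "digest" is enabled in authorize and authenticate although its comment limits it to a Cisco SIP server, so it can stay commented. In "Post-Auth-Type REJECT" the "sql" line is still commented, so failed logins never reach the database; uncommenting it gives you the failed-authentication log you want when reviewing hotspot abuse. The step that uncomments "auth_log" and "reply_log" should also say that the matching "detail auth_log" and "detail reply_log" module sections have to be enabled, as the comments beside both lines state, and since those detail files record the attributes of PAP requests, check what the auth_log instance suppresses before turning it on. Changing "-sql" to "sql" is the right call: the leading minus marks the module as optional, so a missing or broken sql.conf would be skipped silently instead of failing at startup.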
+ | Configure the inner tunnel requests virtual server under sites-available: | ||
+ | |||
+ | <code c inner-tunnel> | ||
+ | # -*- text -*- | ||
+ | ###################################################################### | ||
+ | # | ||
+ | # This is a virtual server that handles *only* inner tunnel | ||
+ | # requests for EAP-TTLS and PEAP types. | ||
+ | # | ||
+ | # $Id: bb0b93bc9cc9ade4e78725ea113d6f228937fef7 $ | ||
+ | # | ||
+ | ###################################################################### | ||
+ | |||
+ | server inner-tunnel { | ||
+ | |||
+ | # | ||
+ | # This next section is here to allow testing of the "inner-tunnel" | ||
+ | # authentication methods, independently from the "default" server. | ||
+ | # It is listening on "localhost", so that it can only be used from | ||
+ | # the same machine. | ||
+ | # | ||
+ | # $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 | ||
+ | # | ||
+ | # If it works, you have configured the inner tunnel correctly. To check | ||
+ | # if PEAP will work, use: | ||
+ | # | ||
+ | # $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 | ||
+ | # | ||
+ | # If that works, PEAP should work. If that command doesn't work, then | ||
+ | # | ||
+ | # FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. | ||
+ | # | ||
+ | # Do NOT do any PEAP tests. It won't help. Instead, concentrate | ||
+ | # on fixing the inner tunnel configuration. DO NOTHING ELSE. | ||
+ | # | ||
+ | listen { | ||
+ | ipaddr = 127.0.0.1 | ||
+ | port = 18120 | ||
+ | type = auth | ||
+ | } | ||
+ | |||
+ | |||
+ | # Authorization. First preprocess (hints and huntgroups files), | ||
+ | # then realms, and finally look in the "users" file. | ||
+ | # | ||
+ | # The order of the realm modules will determine the order that | ||
+ | # we try to find a matching realm. | ||
+ | # | ||
+ | # Make *sure* that 'preprocess' comes before any realm if you | ||
+ | # need to setup hints for the remote radius server | ||
+ | authorize { | ||
+ | # | ||
+ | # The chap module will set 'Auth-Type := CHAP' if we are | ||
+ | # handling a CHAP request and Auth-Type has not already been set | ||
+ | chap | ||
+ | |||
+ | # | ||
+ | # If the users are logging in with an MS-CHAP-Challenge | ||
+ | # attribute for authentication, the mschap module will find | ||
+ | # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' | ||
+ | # to the request, which will cause the server to then use | ||
+ | # the mschap module for authentication. | ||
+ | mschap | ||
+ | |||
+ | # | ||
+ | # Pull crypt'd passwords from /etc/passwd or /etc/shadow, | ||
+ | # using the system API's to get the password. If you want | ||
+ | # to read /etc/passwd or /etc/shadow directly, see the | ||
+ | # passwd module, above. | ||
+ | # | ||
+ | # unix | ||
+ | |||
+ | # | ||
+ | # Look for IPASS style 'realm/', and if not found, look for | ||
+ | # '@realm', and decide whether or not to proxy, based on | ||
+ | # that. | ||
+ | # IPASS | ||
+ | |||
+ | # | ||
+ | # If you are using multiple kinds of realms, you probably | ||
+ | # want to set "ignore_null = yes" for all of them. | ||
+ | # Otherwise, when the first style of realm doesn't match, | ||
+ | # the other styles won't be checked. | ||
+ | # | ||
+ | # Note that proxying the inner tunnel authentication means | ||
+ | # that the user MAY use one identity in the outer session | ||
+ | # (e.g. "anonymous", and a different one here | ||
+ | # (e.g. "user@example.com"). The inner session will then be | ||
+ | # proxied elsewhere for authentication. If you are not | ||
+ | # careful, this means that the user can cause you to forward | ||
+ | # the authentication to another RADIUS server, and have the | ||
+ | # accounting logs *not* sent to the other server. This makes | ||
+ | # it difficult to bill people for their network activity. | ||
+ | # | ||
+ | suffix | ||
+ | # ntdomain | ||
+ | |||
+ | # | ||
+ | # The "suffix" module takes care of stripping the domain | ||
+ | # (e.g. "@example.com") from the User-Name attribute, and the | ||
+ | # next few lines ensure that the request is not proxied. | ||
+ | # | ||
+ | # If you want the inner tunnel request to be proxied, delete | ||
+ | # the next few lines. | ||
+ | # | ||
+ | update control { | ||
+ | Proxy-To-Realm := LOCAL | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # This module takes care of EAP-MSCHAPv2 authentication. | ||
+ | # | ||
+ | # It also sets the EAP-Type attribute in the request | ||
+ | # attribute list to the EAP type from the packet. | ||
+ | # | ||
+ | # The example below uses module failover to avoid querying all | ||
+ | # of the following modules if the EAP module returns "ok". | ||
+ | # Therefore, your LDAP and/or SQL servers will not be queried | ||
+ | # for the many packets that go back and forth to set up TTLS | ||
+ | # or PEAP. The load on those servers will therefore be reduced. | ||
+ | # | ||
+ | eap { | ||
+ | ok = return | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Read the 'users' file | ||
+ | files | ||
+ | |||
+ | # | ||
+ | # Look in an SQL database. The schema of the database | ||
+ | # is meant to mirror the "users" file. | ||
+ | # | ||
+ | # See "Authorization Queries" in sql.conf | ||
+ | sql | ||
+ | |||
+ | # | ||
+ | # If you are using /etc/smbpasswd, and are also doing | ||
+ | # mschap authentication, the un-comment this line, and | ||
+ | # configure the 'etc_smbpasswd' module, above. | ||
+ | # etc_smbpasswd | ||
+ | |||
+ | # | ||
+ | # The ldap module will set Auth-Type to LDAP if it has not | ||
+ | # already been set | ||
+ | # ldap | ||
+ | |||
+ | # | ||
+ | # Enforce daily limits on time spent logged in. | ||
+ | # daily | ||
+ | |||
+ | # | ||
+ | # Use the checkval module | ||
+ | # checkval | ||
+ | |||
+ | expiration | ||
+ | logintime | ||
+ | |||
+ | # | ||
+ | # If no other module has claimed responsibility for | ||
+ | # authentication, then try to use PAP. This allows the | ||
+ | # other modules listed above to add a "known good" password | ||
+ | # to the request, and to do nothing else. The PAP module | ||
+ | # will then see that password, and use it to do PAP | ||
+ | # authentication. | ||
+ | # | ||
+ | # This module should be listed last, so that the other modules | ||
+ | # get a chance to set Auth-Type for themselves. | ||
+ | # | ||
+ | pap | ||
+ | noresetcounter | ||
+ | chillispot_max_bytes | ||
+ | } | ||
+ | |||
+ | |||
+ | # Authentication. | ||
+ | # | ||
+ | # | ||
+ | # This section lists which modules are available for authentication. | ||
+ | # Note that it does NOT mean 'try each module in order'. It means | ||
+ | # that a module from the 'authorize' section adds a configuration | ||
+ | # attribute 'Auth-Type := FOO'. That authentication type is then | ||
+ | # used to pick the apropriate module from the list below. | ||
+ | # | ||
+ | |||
+ | # In general, you SHOULD NOT set the Auth-Type attribute. The server | ||
+ | # will figure it out on its own, and will do the right thing. The | ||
+ | # most common side effect of erroneously setting the Auth-Type | ||
+ | # attribute is that one authentication method will work, but the | ||
+ | # others will not. | ||
+ | # | ||
+ | # The common reasons to set the Auth-Type attribute by hand | ||
+ | # is to either forcibly reject the user, or forcibly accept him. | ||
+ | # | ||
+ | authenticate { | ||
+ | # | ||
+ | # PAP authentication, when a back-end database listed | ||
+ | # in the 'authorize' section supplies a password. The | ||
+ | # password can be clear-text, or encrypted. | ||
+ | Auth-Type PAP { | ||
+ | pap | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Most people want CHAP authentication | ||
+ | # A back-end database listed in the 'authorize' section | ||
+ | # MUST supply a CLEAR TEXT password. Encrypted passwords | ||
+ | # won't work. | ||
+ | Auth-Type CHAP { | ||
+ | chap | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # MSCHAP authentication. | ||
+ | Auth-Type MS-CHAP { | ||
+ | mschap | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Pluggable Authentication Modules. | ||
+ | # pam | ||
+ | |||
+ | # | ||
+ | # See 'man getpwent' for information on how the 'unix' | ||
+ | # module checks the users password. Note that packets | ||
+ | # containing CHAP-Password attributes CANNOT be authenticated | ||
+ | # against /etc/passwd! See the FAQ for details. | ||
+ | # | ||
+ | unix | ||
+ | |||
+ | # Uncomment it if you want to use ldap for authentication | ||
+ | # | ||
+ | # Note that this means "check plain-text password against | ||
+ | # the ldap database", which means that EAP won't work, | ||
+ | # as it does not supply a plain-text password. | ||
+ | # Auth-Type LDAP { | ||
+ | # ldap | ||
+ | # } | ||
+ | |||
+ | # | ||
+ | # Allow EAP authentication. | ||
+ | eap | ||
+ | } | ||
+ | |||
+ | ###################################################################### | ||
+ | # | ||
+ | # There are no accounting requests inside of EAP-TTLS or PEAP | ||
+ | # tunnels. | ||
+ | # | ||
+ | ###################################################################### | ||
+ | |||
+ | |||
+ | # Session database, used for checking Simultaneous-Use. Either the radutmp | ||
+ | # or rlm_sql module can handle this. | ||
+ | # The rlm_sql module is *much* faster | ||
+ | session { | ||
+ | radutmp | ||
+ | |||
+ | # | ||
+ | # See "Simultaneous Use Checking Queries" in sql.conf | ||
+ | sql | ||
+ | } | ||
+ | |||
+ | |||
+ | # Post-Authentication | ||
+ | # Once we KNOW that the user has been authenticated, there are | ||
+ | # additional steps we can take. | ||
+ | post-auth { | ||
+ | # Note that we do NOT assign IP addresses here. | ||
+ | # If you try to assign IP addresses for EAP authentication types, | ||
+ | # it WILL NOT WORK. You MUST use DHCP. | ||
+ | |||
+ | # | ||
+ | # If you want to have a log of authentication replies, | ||
+ | # un-comment the following line, and the 'detail reply_log' | ||
+ | # section, above. | ||
+ | reply_log | ||
+ | |||
+ | # | ||
+ | # After authenticating the user, do another SQL query. | ||
+ | # | ||
+ | # See "Authentication Logging Queries" in sql.conf | ||
+ | sql | ||
+ | |||
+ | # | ||
+ | # Instead of sending the query to the SQL server, | ||
+ | # write it into a log file. | ||
+ | # | ||
+ | # sql_log | ||
+ | |||
+ | # | ||
+ | # Un-comment the following if you have set | ||
+ | # 'edir_account_policy_check = yes' in the ldap module sub-section of | ||
+ | # the 'modules' section. | ||
+ | # | ||
+ | # ldap | ||
+ | |||
+ | # | ||
+ | # Access-Reject packets are sent through the REJECT sub-section of the | ||
+ | # post-auth section. | ||
+ | # | ||
+ | # Add the ldap module name (or instance) if you have set | ||
+ | # 'edir_account_policy_check = yes' in the ldap module configuration | ||
+ | # | ||
+ | Post-Auth-Type REJECT { | ||
+ | # log failed authentications in SQL, too. | ||
+ | # sql | ||
+ | attr_filter.access_reject | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # The example policy below updates the outer tunnel reply | ||
+ | # (usually Access-Accept) with the User-Name from the inner | ||
+ | # tunnel User-Name. Since this section is processed in the | ||
+ | # context of the inner tunnel, "request" here means "inner | ||
+ | # tunnel request", and "outer.reply" means "outer tunnel | ||
+ | # reply attributes". | ||
+ | # | ||
+ | # This example is most useful when the outer session contains | ||
+ | # a User-Name of "anonymous@....", or a MAC address. If it | ||
+ | # is enabled, the NAS SHOULD use the inner tunnel User-Name | ||
+ | # in subsequent accounting packets. This makes it easier to | ||
+ | # track user sessions, as they will all be based on the real | ||
+ | # name, and not on "anonymous". | ||
+ | # | ||
+ | # The problem with doing this is that it ALSO exposes the | ||
+ | # real user name to any intermediate proxies. People use | ||
+ | # "anonymous" identifiers outside of the tunnel for a very | ||
+ | # good reason: it gives them more privacy. Setting the reply | ||
+ | # to contain the real user name removes ALL privacy from | ||
+ | # their session. | ||
+ | # | ||
+ | # If you want privacy to remain, see the | ||
+ | # Chargeable-User-Identity attribute from RFC 4372. In order | ||
+ | # to use that attribute, you will have to allocate a | ||
+ | # per-session identifier for the user, and store it in a | ||
+ | # long-term database (e.g. SQL). You should also use that | ||
+ | # attribute INSTEAD of the configuration below. | ||
+ | # | ||
+ | #update outer.reply { | ||
+ | # User-Name = "%{request:User-Name}" | ||
+ | #} | ||
+ | |||
+ | } | ||
+ | |||
+ | # | ||
+ | # When the server decides to proxy a request to a home server, | ||
+ | # the proxied request is first passed through the pre-proxy | ||
+ | # stage. This stage can re-write the request, or decide to | ||
+ | # cancel the proxy. | ||
+ | # | ||
+ | # Only a few modules currently have this method. | ||
+ | # | ||
+ | pre-proxy { | ||
+ | # attr_rewrite | ||
+ | |||
+ | # Uncomment the following line if you want to change attributes | ||
+ | # as defined in the preproxy_users file. | ||
+ | # files | ||
+ | |||
+ | # Uncomment the following line if you want to filter requests | ||
+ | # sent to remote servers based on the rules defined in the | ||
+ | # 'attrs.pre-proxy' file. | ||
+ | # attr_filter.pre-proxy | ||
+ | |||
+ | # If you want to have a log of packets proxied to a home | ||
+ | # server, un-comment the following line, and the | ||
+ | # 'detail pre_proxy_log' section, above. | ||
+ | # pre_proxy_log | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # When the server receives a reply to a request it proxied | ||
+ | # to a home server, the request may be massaged here, in the | ||
+ | # post-proxy stage. | ||
+ | # | ||
+ | post-proxy { | ||
+ | |||
+ | # If you want to have a log of replies from a home server, | ||
+ | # un-comment the following line, and the 'detail post_proxy_log' | ||
+ | # section, above. | ||
+ | # post_proxy_log | ||
+ | |||
+ | # attr_rewrite | ||
+ | |||
+ | # Uncomment the following line if you want to filter replies from | ||
+ | # remote proxies based on the rules defined in the 'attrs' file. | ||
+ | # attr_filter.post-proxy | ||
+ | |||
+ | # | ||
+ | # If you are proxying LEAP, you MUST configure the EAP | ||
+ | # module, and you MUST list it here, in the post-proxy | ||
+ | # stage. | ||
+ | # | ||
+ | # You MUST also use the 'nostrip' option in the 'realm' | ||
+ | # configuration. Otherwise, the User-Name attribute | ||
+ | # in the proxied request will not match the user name | ||
+ | # hidden inside of the EAP packet, and the end server will | ||
+ | # reject the EAP request. | ||
+ | # | ||
+ | eap | ||
+ | |||
+ | # | ||
+ | # If the server tries to proxy a request and fails, then the | ||
+ | # request is processed through the modules in this section. | ||
+ | # | ||
+ | # The main use of this section is to permit robust proxying | ||
+ | # of accounting packets. The server can be configured to | ||
+ | # proxy accounting packets as part of normal processing. | ||
+ | # Then, if the home server goes down, accounting packets can | ||
+ | # be logged to a local "detail" file, for processing with | ||
+ | # radrelay. When the home server comes back up, radrelay | ||
+ | # will read the detail file, and send the packets to the | ||
+ | # home server. | ||
+ | # | ||
+ | # With this configuration, the server always responds to | ||
+ | # Accounting-Requests from the NAS, but only writes | ||
+ | # accounting packets to disk if the home server is down. | ||
+ | # | ||
+ | # Post-Proxy-Type Fail { | ||
+ | # detail | ||
+ | # } | ||
+ | |||
+ | } | ||
+ | |||
+ | } # inner-tunnel server block | ||
+ | |||
+ | </code> | ||
+ | ''sudo vi /etc/freeradius/sites-available/inner-tunnel'' | ||
+ | |||
+ | Under authorize section, change the following if necessary: | ||
+ | '''-sql' to sql'' | ||
+ | |||
+ | Add the following at the end of authorize section: | ||
+ | ''chillispot_max_bytes | ||
+ | noresetcounter'' | ||
+ | |||
+ | Next under the session section, Uncomment the following: | ||
+ | ''sql'' | ||
+ | |||
+ | Next under post-auth section, Uncomment the following: | ||
+ | ''reply_log'' | ||
+ | |||
+ | Change the following if necessary: | ||
+ | '''-sql' to sql'' | ||
+ | |||
+ | Create Admin User in radius MySQL database: | ||
+ | '' echo "INSERT INTO radcheck (UserName, Attribute, Value, Op) VALUES ('[ADMIN_USER]', 'Cleartext-Password', '[ADMIN_PASSWORD]', ':=');" | mysql -u radius -p[FREERADIUS_DB_PASS] radius'' | ||
+ | |||
+ | ====== Radius Test ====== | ||
+ | |||
+ | Start radius for initialization and testing purposes | ||
+ | ''radtest [ADMIN_USER] [ADMIN_PASSWORD] 127.0.0.1 0 [FREERADIUS_DB_PASS]'' | ||
+ | |||
+ | If you get a message like this one, then you are done with the minimal and required radius setup for the next steps: | ||
+ | ''Received Access-Accept Id 174 from 127.0.0.1:1812 to 0.0.0.0:0 length 20'' | ||
+ | |||
+ | ====== User Management ====== | ||
+ | |||
+ | To add users so they can access the Internet using your hotspot, run the following command for each user. You can automate it using a script if you wish. | ||
+ | |||
+ | ====== Radius max total Octets ======= | ||
+ | '' echo "INSERT INTO radcheck (UserName, Attribute, Value, Op) VALUES ('[LOGIN_NAME]', 'ChilliSpot-Max-Total-Octets', '[MAX_TOTAL_OCTETS]', ':=');" | mysql -u radius -p[FREERADIUS_DB_PASS] radius'' | ||
+ | |||
+ | |||
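Review bot: the last argument of `radtest [ADMIN_USER] [ADMIN_PASSWORD] 127.0.0.1 0 [FREERADIUS_DB_PASS]` in the Radius Test section is the RADIUS shared secret that clients.conf defines for the 127.0.0.1 client (the FreeRADIUS default is `testing123`, which is exactly what the inner-tunnel comment above uses in `radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123`), not the password of the MySQL `radius` user, so unless an earlier step set the localhost client secret to that same string the test returns no Access-Accept; and if it was set that way, a single credential now unlocks both the SQL backend and the NAS-to-RADIUS channel, so keep the two values distinct and pass the clients.conf secret here. Two smaller points in the same region: the `mysql -u radius -p[FREERADIUS_DB_PASS]` one-liners write the database password into the shell history and expose it in the process list on every run, so a bare `-p` prompt or a `~/.my.cnf` credential file is preferable; and the step "Add the following at the end of authorize section: chillispot_max_bytes noresetcounter" duplicates the `noresetcounter` and `chillispot_max_bytes` entries that the pasted authorize block already ends with (in the opposite order), while the `====== Radius max total Octets =======` heading has six `=` on the left and seven on the right where the page's other headings use matching counts.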
+ | |||