Hello Colin -
I think you might be well advised to read the RFC's to
understand how the Radius protocol works (they are included in the
"doc" directory).
At 15:12 +1100 19/12/00, Colin wrote:
I have added the 2 AuthBy SQL blocks and it seems to work, however does this necessarily mean that we have to authenticate the user at least twice.
In my case it may be as much as 6 times now :(
Initially we had 2 AuthBy SQL, one for checking non encrypted passwords, one for encrypted passwords. Both of these entered data into the ACCOUNTING table.
Now we have 6 AuthBy SQL clauses.
- one for non encrypted passwords with no ACCOUNTING table (used for authethication only)
- one for non encrypted passwords with ACCOUNTING table
- one for non encrypted passwords with MONTHLY table (secondary mysql table)
- one for encrypted passwords with no ACOUNTING table (used for authethication only)
- one for encrypted passwords with ACOUNTING table
- one for encrypted passwords with MONTH table (secondary mysql table)
However, doing this does not work properly as it produces duplicate entries.
Please advise on how to correct this. Thanks.
Below is an excerpt from my current radius.cfg file.
#define this AuthBy to check the clear text password
<AuthBy SQL>
Identifier CheckClearTextPassword
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbi:mysql:freeside:xxx.xxx.xxx.xxx
DBUsername xxxx
DBAuth xxxxx
AuthSelect select _password from svc_acct where username='%n'
DefaultReply Service-Type = Framed-User, Framed-Protocol = PPP, Framed-MTU = 1524, Framed-Routing = None, Framed-Compression = Van-Jacobson-TCP-IP, Framed-IP-Netmask = 255.255.255.255
</AuthBy>
# define this AuthBy to check the encrypted password
<AuthBy SQL>
Identifier CheckEncryptedPassword
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbi:mysql:freeside:xxx.xxx.xxx.xxx
DBUsername xxxxx
DBAuth xxxxx
AuthSelect select ENCRYPTEDPASSWORD from svc_acct where USERNAME='%n'
EncryptedPassword
DefaultReply Service-Type = Framed-User, Framed-Protocol = PPP, Framed-MTU = 1524, Framed-Routing = None, Framed-Compression = Van-Jacobson-TCP-IP, Framed-IP-Netmask = 255.255.255.255
</AuthBy>
# Insert accounting details into Mysql table MONTH after checking encrypted password
<AuthBy SQL>
Identifier AccountingMonth
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbi:mysql:freeside:xxx.xxx.xxx.xxx
DBUsername xxxxx
DBAuth xxxxx
AuthSelect select ENCRYPTEDPASSWORD from svc_acct where USERNAME='%n'
EncryptedPassword
# You may want to tailor these for your ACCOUNTING table
AccountingTable MONTH
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CALLEDSTATIONID,Called-Station-Id
AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef CONNECTRATE,Ascend-Data-Rate
AcctColumnDef XMITRATE,Ascend-Xmit-Rate
</AuthBy>
# Insert accounting details into Mysql table ACCOUNTING after checking encrypted password
<AuthBy SQL>
Identifier AccountingArchive
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbi:mysql:freeside:xxx.xxx.xxx.xxx
DBUsername xxxxx
DBAuth xxxxx
AuthSelect select ENCRYPTEDPASSWORD from svc_acct where USERNAME='%n'
EncryptedPassword
# You may want to tailor these for your ACCOUNTING table
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CALLEDSTATIONID,Called-Station-Id
AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef CONNECTRATE,Ascend-Data-Rate
AcctColumnDef XMITRATE,Ascend-Xmit-Rate
</AuthBy>
# Insert accounting details into Mysql table ACCOUNTING after checking non-encrypted password
<AuthBy SQL>
Identifier AccountingArchive1
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbi:mysql:freeside:xxx.xxx.xxx.xxx
DBUsername xxxxx
DBAuth xxxxx
AuthSelect select _password from svc_acct where username='%n'
# You may want to tailor these for your ACCOUNTING table
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CALLEDSTATIONID,Called-Station-Id
AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef CONNECTRATE,Ascend-Data-Rate
AcctColumnDef XMITRATE,Ascend-Xmit-Rate
</AuthBy>
# Insert accounting details into Mysql table MONTH after checking non-encrypted password
<AuthBy SQL>
Identifier AccountingMonth1
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbi:mysql:freeside:xxx.xxx.xxx.xxx
DBUsername xxxxx
DBAuth xxxxx
AuthSelect select _password from svc_acct where username='%n'
# You may want to tailor these for your ACCOUNTING table
AccountingTable MONTH
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CALLEDSTATIONID,Called-Station-Id
AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef CONNECTRATE,Ascend-Data-Rate
AcctColumnDef XMITRATE,Ascend-Xmit-Rate
</AuthBy>
# define an AuthBy GROUP to do both checks of non-encrypted and encrypted passwords
<AuthBy GROUP>
Identifier CheckPassword
AuthByPolicy ContinueUntilAccept
AuthBy CheckClearTextPassword
AuthBy CheckEncryptedPassword
</AuthBy>
# Used for handling requests with realms (sec 6.12)
<Handler Realm = /(nobbys.net.au|nobbys.net|nobbys)/i>
#Strip the realm from all requests for nobbys.net.au realms
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
# Log accounting for this realm to the following file in LogDir (sec 6.13.4)
AcctLogFileName %L/account.%Y%m%d
# Set the number of simultaneous sessions allowed for users in this realm
# (sec 6.13.3)
MaxSessions 1
# File that records all authentication attempts for this realm (sec 6.13.7)
PasswordLogFileName %L/password.%Y%m%d
AuthByPolicy ContinueAlways
AuthBy CheckPassword
AuthBy AccountingArchive
AuthBy AccountingMonth
AuthBy AccountingArchive1
AuthBy AccountingMonth1
</Handler>
Please note that the Radius protocol consists mostly of two
types of requests: Access-Requests and Accounting-Requests, so your
Handler above may not be the best way to approach your problem.
You might want to consider something more like this:
<Handler Request-Type = Accounting-Request>
# Log accounting for this realm to
the following file in LogDir (sec 6.13.4)
AcctLogFileName
%L/account.%Y%m%d
</Handler>
<Handler Realm =
/(nobbys.net.au|nobbys.net|nobbys)/i>
#Strip the realm from all requests for nobbys.net.au realms
RewriteUsername s/^([^@]+).*/$1/
#Strip the realm from all requests for nobbys.net.au realms
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername
tr/A-Z/a-z/
# Set the number of simultaneous
sessions allowed for users in this realm
# (sec 6.13.3)
MaxSessions 1
# File that records all authentication attempts for this realm (sec 6.13.7)
# (sec 6.13.3)
MaxSessions 1
# File that records all authentication attempts for this realm (sec 6.13.7)
PasswordLogFileName %L/password.%Y%m%d
AuthBy
CheckPassword
</Handler>
If you are really concerned about accounting performance, you
can also run a seperate instance of Radiator on the accounting port,
or even do your end-of-month processing via cron jobs from outside
Radiator completely.
There are lots of different alternatives - the discovery of how
many is left as an exercise for the reader.
hth
Hugh
--
NB: I am travelling this week, so there may be delays in our correspondence.
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux,
FreeBSD, Windows 95/98/2000, NT, MacOS X.
