Radius Config



description

Radius config with oracle

Transcript of Radius Config

7/17/2019 Radius Config (page 1 of 29)

######################################################################
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory. Soft links should be created in the "sites-enabled"
# directory to these files. This is done in a normal installation.
#
# If you are using 802.1X (EAP) authentication, please see also
# the "inner-tunnel" virtual server. You will likely have to edit
# that, too, for authentication to work.
#
# $Id: 1c971b91af0989695896f7dbd31ae8befbafca76 $
#
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble. See also "man unlang", which documents the format
# of this file.
#
# This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of
# authentication methods. This means that in general, you should
# need to make very few changes to this file.
#
# The best way to configure the server for your local system
# is to CAREFULLY edit this file. Most attempts to make large
# edits to this file will BREAK THE SERVER. Any edits should
# be small, and tested by running the server with "radiusd -X".
# Once the edits have been verified to work, save a copy of these
# configuration files somewhere (e.g. as a "tar" file). Then,
# make more edits, and test, as above.
#
# There are many "commented out" references to modules such
# as ldap, sql, etc. These references serve as place-holders.
# If you need the functionality of that module, then configure
# it in radiusd.conf, and un-comment the references to it in
# this file. In most cases, those small changes will result
# in the server being able to connect to the DB, and to
# authenticate users.
#
######################################################################

server default {
#
# If you want the server to listen on additional addresses, or on
# additional ports, you can use multiple "listen" sections.
#
# Each section makes the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignores all "listen" sections if you are using '-i' and '-p'
# on the command line.
#
listen {
    # Type of packets to listen for.


    # Allowed values are:
    #   auth    listen for authentication packets
    #   acct    listen for accounting packets
    #   proxy   IP to use for sending proxied packets
    #   detail  Read from the detail file. For examples, see
    #           raddb/sites-available/copy-acct-to-home-server
    #   status  listen for Status-Server packets. For examples,
    #           see raddb/sites-available/status
    #   coa     listen for CoA-Request and Disconnect-Request
    #           packets. For examples, see the file
    #           raddb/sites-available/coa
    #
    type = auth

    # Note: "type = proxy" lets you control the source IP used for
    # proxying packets, with some limitations:
    #
    # * A proxy listener CANNOT be used in a virtual server section.
    # * You should probably set "port = 0".
    # * Any "clients" configuration will be ignored.
    #
    # See also proxy.conf, and the "src_ipaddr" configuration entry
    # in the sample "home_server" section. When you specify the
    # source IP address for packets sent to a home server, the
    # proxy listeners are automatically created.

    # ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
    # Out of several options the first one will be used.
    #
    # Allowed values are:
    #   IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
    #   IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
    #   hostname (radius.example.com,
    #       A record for ipv4addr,
    #       AAAA record for ipv6addr,
    #       A or AAAA record for ipaddr)
    #   wildcard (*)
    #
    # ipv4addr = *
    # ipv6addr = *
    ipaddr = *

    # Port on which to listen.
    # Allowed values are:
    #   integer port number (1812)
    #   0 means "use /etc/services for the proper port"
    port = 0

    # Some systems support binding to an interface, in addition
    # to the IP address. This feature isn't strictly necessary,
    # but for sites with many IP addresses on one interface,
    # it's useful to say "listen on all addresses for eth0".
    #
    # If your system does not support this feature, you will
    # get an error if you try to use it.
    #
    # interface = eth0

    # Per-socket lists of clients. This is a very useful feature.
    #


    # The name here is a reference to a section elsewhere in
    # radiusd.conf, or clients.conf. Having the name as
    # a reference allows multiple sockets to use the same
    # set of clients.
    #
    # If this configuration is used, then the global list of clients
    # is IGNORED for this "listen" section. Take care configuring
    # this feature, to ensure you don't accidentally disable a
    # client you need.
    #
    # See clients.conf for the configuration of "per_socket_clients".
    #
    # clients = per_socket_clients

    #
    # Connection limiting for sockets with "proto = tcp".
    #
    # This section is ignored for other kinds of sockets.
    #
    limit {
        #
        # Limit the number of simultaneous TCP connections to the socket
        #
        # The default is 16.
        # Setting this to 0 means "no limit"
        max_connections = 16

        # The per-socket "max_requests" option does not exist.

        #
        # The lifetime, in seconds, of a TCP connection. After
        # this lifetime, the connection will be closed.
        #
        # Setting this to 0 means "forever".
        lifetime = 0

        #
        # The idle timeout, in seconds, of a TCP connection.
        # If no packets have been received over the connection for
        # this time, the connection will be closed.
        #
        # Setting this to 0 means "no timeout".
        #
        # We STRONGLY RECOMMEND that you set an idle timeout.
        #
        idle_timeout = 30
    }
}

#
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
    ipaddr = *
    # ipv6addr = ::
    port = 0
    type = acct

    # interface = eth0
    # clients = per_socket_clients


    limit {
        #
        # The number of packets received can be rate limited via the
        # "max_pps" configuration item. When it is set, the server
        # tracks the total number of packets received in the previous
        # second. If the count is greater than "max_pps", then the
        # new packet is silently discarded. This helps the server
        # deal with overload situations.
        #
        # The packets/s counter is tracked in a sliding window. This
        # means that the pps calculation is done for the second
        # before the current packet was received. NOT for the current
        # wall-clock second, and NOT for the previous wall-clock second.
        #
        # Useful values are 0 (no limit), or 100 to 10000.
        # Values lower than 100 will likely cause the server to ignore
        # normal traffic. Few systems are capable of handling more than
        # 10K packets/s.
        #
        # It is most useful for accounting systems. Set it to 50%
        # more than the normal accounting load, and you can be sure that
        # the server will never get overloaded
        #
        # max_pps = 0

        # Only for "proto = tcp". These are ignored for "udp" sockets.
        #
        # idle_timeout = 0
        # lifetime = 0
        # max_connections = 0
    }
}

# IPv6 versions of the above - read their full config to understand options
listen {
    type = auth
    ipv6addr = ::    # any. ::1 == localhost
    port = 0
    # interface = eth0
    # clients = per_socket_clients

    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}

listen {
    ipv6addr = ::
    port = 0
    type = acct
    # interface = eth0
    # clients = per_socket_clients

    limit {
        # max_pps = 0
        # idle_timeout = 0


        # lifetime = 0
        # max_connections = 0
    }
}

# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# Any changes made here should also be made to the "inner-tunnel"
# virtual server.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
    #
    # Take a User-Name, and perform some checks on it, for spaces and other
    # invalid characters. If the User-Name appears invalid, reject the
    # request.
    #
    # See policy.d/filter for the definition of the filter_username policy.
    #
    #filter_username

    #
    # The preprocess module takes care of sanitizing some bizarre
    # attributes in the request, and turning them into attributes
    # which are more standard.
    #
    # It takes care of processing the 'raddb/hints' and the
    # 'raddb/huntgroups' files.
    preprocess

    update request {
        Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress='%{NAS-IP-Address}'}"
    }

    if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, nasportid) VALUES (SYSDATE,'%{User-Name}','Access-Request' ,'%{NAS-IP-Address}' ,'%{NAS-Port-Id}')}") { ok }

    if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
        update request {
            Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
        }
    }
    else {
        noop
    }

    # If you intend to use CUI and you require that the Operator-Name
    # be set for CUI generation and you want to generate CUI also
    # for your local clients then uncomment the operator-name
    # below and set the operator-name for your clients in clients.conf


    # operator-name

    #
    # If you want to generate CUI for some clients that do not
    # send proper CUI requests, then uncomment the
    # cui below and set "add_cui = yes" for these clients in clients.conf
    # cui

    #
    # If you want to have a log of authentication requests,
    # un-comment the following line.
    # auth_log

    #
    # The chap module will set 'Auth-Type := CHAP' if we are
    # handling a CHAP request and Auth-Type has not already been set
    chap

    #
    # If the users are logging in with an MS-CHAP-Challenge
    # attribute for authentication, the mschap module will find
    # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
    # to the request, which will cause the server to then use
    # the mschap module for authentication.
    # mschap

    #
    # If you have a Cisco SIP server authenticating against
    # FreeRADIUS, uncomment the following line, and the 'digest'
    # line in the 'authenticate' section.
    # digest

    #
    # The WiMAX specification says that the Calling-Station-Id
    # is 6 octets of the MAC. This definition conflicts with
    # RFC 3580, and all common RADIUS practices. Un-commenting
    # the "wimax" module here means that it will fix the
    # Calling-Station-Id attribute to the normal format as
    # specified in RFC 3580 Section 3.21
    # wimax

    #
    # Look for IPASS style 'realm/', and if not found, look for
    # '@realm', and decide whether or not to proxy, based on
    # that.
    # IPASS

    #
    # If you are using multiple kinds of realms, you probably
    # want to set "ignore_null = yes" for all of them.
    # Otherwise, when the first style of realm doesn't match,
    # the other styles won't be checked.
    #
    # suffix
    # ntdomain

    #
    # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
    # authentication.
    #


    # It also sets the EAP-Type attribute in the request
    # attribute list to the EAP type from the packet.
    #
    # As of 2.0, the EAP module returns "ok" in the authorize stage
    # for TTLS and PEAP. In 1.x, it never returned "ok" here, so
    # this change is compatible with older configurations.
    #
    # The example below uses module failover to avoid querying all
    # of the following modules if the EAP module returns "ok".
    # Therefore, your LDAP and/or SQL servers will not be queried
    # for the many packets that go back and forth to set up TTLS
    # or PEAP. The load on those servers will therefore be reduced.
    #
    #eap {
    #    ok = return
    #}

    #
    # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
    # using the system API's to get the password. If you want
    # to read /etc/passwd or /etc/shadow directly, see the
    # passwd module in radiusd.conf.
    #
    # unix

    #
    # Read the 'users' file
    #files

    #
    # Look in an SQL database. The schema of the database
    # is meant to mirror the "users" file.
    #
    # See "Authorization Queries" in sql.conf
    -sql

    #
    # If you are using /etc/smbpasswd, and are also doing
    # mschap authentication, then un-comment this line, and
    # configure the 'smbpasswd' module.
    # smbpasswd

    #
    # The ldap module reads passwords from the LDAP database.
    # -ldap

    #
    # Enforce daily limits on time spent logged in.
    # daily

    #
    expiration
    logintime

    #
    # If no other module has claimed responsibility for
    # authentication, then try to use PAP. This allows the
    # other modules listed above to add a "known good" password
    # to the request, and to do nothing else. The PAP module
    # will then see that password, and use it to do PAP


    # authentication.
    #
    # This module should be listed last, so that the other modules
    # get a chance to set Auth-Type for themselves.
    #
    pap

    #
    # If "status_server = yes", then Status-Server messages are passed
    # through the following section, and ONLY the following section.
    # This permits you to do DB queries, for example. If the modules
    # listed here return "fail", then NO response is sent.
    #
    # Autz-Type Status-Server {
    #
    # }
}

# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# are to either forcibly reject the user (Auth-Type := Reject),
# or to forcibly accept the user (Auth-Type := Accept).
#
# Note that Auth-Type := Accept will NOT work with EAP.
#
# Please do not put "unlang" configurations into the "authenticate"
# section. Put them in the "post-auth" section instead. That's what
# the post-auth section is for.
#
authenticate {
    #
    # PAP authentication, when a back-end database listed
    # in the 'authorize' section supplies a password. The
    # password can be clear-text, or encrypted.
    Auth-Type PAP {
        pap
    }

    #
    # Most people want CHAP authentication
    # A back-end database listed in the 'authorize' section
    # MUST supply a CLEAR TEXT password. Encrypted passwords
    # won't work.
    #
    #Auth-Type CHAP {


    #    chap
    #}

    #
    # MSCHAP authentication.
    #Auth-Type MS-CHAP {
    #    mschap
    #}

    #
    # If you have a Cisco SIP server authenticating against
    # FreeRADIUS, uncomment the following line, and the 'digest'
    # line in the 'authorize' section.
    #digest

    #
    # Pluggable Authentication Modules.
    pam

    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means "check plain-text password against
    # the ldap database", which means that EAP won't work,
    # as it does not supply a plain-text password.
    #
    # We do NOT recommend using this. LDAP servers are databases.
    # They are NOT authentication servers. FreeRADIUS is an
    # authentication server, and knows what to do with authentication.
    # LDAP servers do not.
    #
    # Auth-Type LDAP {
    #     ldap
    # }

    #
    # Allow EAP authentication.
    eap

    #
    # The older configurations sent a number of attributes in
    # Access-Challenge packets, which wasn't strictly correct.
    # If you want to filter out these attributes, uncomment
    # the following lines.
    #
    # Auth-Type eap {
    #     eap {
    #         handled = 1
    #     }
    #     if (handled && (Response-Packet-Type == Access-Challenge)) {
    #         attr_filter.access_challenge.post-auth
    #         handled  # override the "updated" code from attr_filter
    #     }
    # }
}

#
# Pre-accounting. Decide which accounting type to use.
#
preacct {


    preprocess

    if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
        update request {
            Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
        }
    }
    else {
        noop
    }

    #
    # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
    # into a single 64bit counter Acct-[Input|Output]-Octets64.
    #
    # acct_counters64

    #
    # Session start times are *implied* in RADIUS.
    # The NAS never sends a "start time". Instead, it sends
    # a start packet, *possibly* with an Acct-Delay-Time.
    # The server is supposed to conclude that the start time
    # was "Acct-Delay-Time" seconds in the past.
    #
    # The code below creates an explicit start time, which can
    # then be used in other modules. It will be *mostly* correct.
    # Any errors are due to the 1-second resolution of RADIUS,
    # and the possibility that the time on the NAS may be off.
    #
    # The start time is: NOW - delay - session_length
    #

    # update request {
    #     FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
    # }

    #
    # Ensure that we have a semi-unique identifier for every
    # request, and many NAS boxes are broken.
    acct_unique

    #
    # Look for IPASS-style 'realm/', and if not found, look for
    # '@realm', and decide whether or not to proxy, based on
    # that.
    #
    # Accounting requests are generally proxied to the same
    # home server as authentication requests.
    # IPASS
    # suffix
    # ntdomain

    #
    # Read the 'acct_users' file
    files
}
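The Calling-Station-Id rewrite that both the authorize and the preacct section apply above, as an added Python example (not part of the config or of FreeRADIUS): the same regex and the same upper-cased, dash-joined result, run over constructed sample values so the effect of the unanchored match can be seen.

```python
import re

# The pattern the config applies to Calling-Station-Id in both the authorize
# and the preacct section: six hex pairs, each optionally followed by "-" or
# ":", with "." also allowed after the 2nd and 4th pair so that Cisco's
# "aabb.ccdd.eeff" form matches. Like unlang's "=~ /.../i" it is
# case-insensitive and unanchored.
MAC_RE = re.compile(
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})",
    re.IGNORECASE,
)


def normalize_calling_station_id(value: str) -> str:
    """Rewrite value the way the config's update request {} block does:
    Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}".

    When the pattern does not match the config falls through to "noop",
    so the attribute is returned unchanged.
    """
    match = MAC_RE.search(value)
    if match is None:
        return value
    return "-".join(match.groups()).upper()


def normalize_batch(values):
    """Map each sample to its normalized form, so the effect on the whole
    set of station-id formats a NAS may send can be inspected at once."""
    return {v: normalize_calling_station_id(v) for v in values}


# Constructed sample values (not from the page): the common MAC spellings,
# a value with trailing text, a 12-digit number and a non-MAC identifier.
SAMPLES = [
    "aa:bb:cc:dd:ee:ff",    # colon form, lower case
    "AA-BB-CC-DD-EE-FF",    # already in the target form
    "aabb.ccdd.eeff",       # Cisco dotted form
    "aabbccddeeff",         # bare hex
    "aa:bb:cc:dd:ee:ff:1",  # trailing text is dropped: the match is unanchored
    "442071234567",         # any 12 hex digits are treated as a MAC
    "alice@example.com",    # no match: left untouched (the "noop" branch)
]

if __name__ == "__main__":
    for original, normalized in normalize_batch(SAMPLES).items():
        print(f"{original:22} -> {normalized}")
```

The last two samples show the two edge cases worth knowing when this attribute is later used as a key in SQL or in logs: a non-MAC value that happens to contain twelve hex digits is rewritten, and anything after the first twelve hex digits is discarded.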


#
# Accounting. Log the accounting data.
#
accounting {
    # Update accounting packet by adding the CUI attribute
    # recorded from the corresponding Access-Accept
    # use it only if your NAS boxes do not support CUI themselves
    # cui
    #
    # Create a 'detail'ed log of the packets.
    # Note that accounting requests which are proxied
    # are also logged in the detail file.
    detail
    # daily

    # Update the wtmp file
    #
    # If you don't use "radlast", you can delete this line.
    # unix

    #
    # For Simultaneous-Use tracking.
    #
    # Due to packet losses in the network, the data here
    # may be incorrect. There is little we can do about it.
    # radutmp
    # sradutmp

    # Return an address to the IP Pool when we see a stop record.
    # main_pool

    #
    # Log traffic to an SQL database.
    #
    # See "Accounting queries" in sql.conf
    -sql

    update control {
        VIM-Plan-Limit-Type = "%{sql:SELECT value FROM radgroupcheck WHERE attribute='VIM-Plan-Limit-Type' AND groupname=(SELECT groupname FROM radusergroup WHERE username='%{request:User-Name}') }"
    }

    update request {
        Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress='%{NAS-IP-Address}'}"
    }

    #Protocol Logging for Acc-Start and Acc-Stop
    if ("%{Acct-Status-Type}" == "Start") {
        if ("%{sql:INSERT INTO radprotologs (datetime,acctstarttime,username,protomsg,details,nasip,acctsessionid,acctuniqueid,nasportid,nasporttype,acctsessiontime,acctauthentic,acctinoutoctets,acctoutputoctets,callingstationid,acctterminatecause,framedipaddress,framedprotocol,framedipv6prefix,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}','Accounting-Request','Accounting Start','%{NAS-IP-Address}','%{Acct-Session-Id}','%{Acct-Unique-Session-Id}','%{NAS-Port-Id}','%{NAS-Port-Type}','%{Acct-Session-Time}','%{Acct-Authentic}','0','0','%{Calling-Station-Id}','','%{Framed-IP-Address}','%{Framed-Protocol}','%{Framed-IPv6-Prefix}','%{Service-Type}') }") { ok }

        if ("%{sql:UPDATE onlinesubscriber SET status = 'Online' WHERE username = '%{User-Name}' }") { ok }

        if ("%{sql:UPDATE BB_USERS SET NAS_ID=(SELECT ID FROM NAS WHERE NASNAME='%{NAS-IP-Address}' ) WHERE USER_NAME='%{User-Name}'}") {
            ok
        }
    }

    if ("%{Acct-Status-Type}" == "Stop") {
        if ("%{sql:INSERT INTO radprotologs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid, acctuniqueid, nasportid, nasporttype,acctsessiontime, acctauthentic, acctinoutoctets, acctoutputoctets, callingstationid, acctterminatecause, framedipaddress, framedprotocol, framedipv6prefix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}' ,'Accounting-Request' ,'Accounting Stop' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Session-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}' ,'%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' , '%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}')}") { ok }

        if ("%{sql:UPDATE onlinesubscriber SET status = 'Offline' WHERE username = '%{User-Name}' }") {
            ok
        }

        if (control:VIM-Plan-Limit-Type) {
            switch "%{control:VIM-Plan-Limit-Type}" {
                case V {
                    #Calculate the used bytes
                    if ("%{sql: SELECT value FROM radcheck WHERE attribute= 'VIM-FUP-Quota-Depleted-Flag' AND username='%{User-Name}'}" == "Yes") {
                        update control {
                            VIM-Used-Bytes := "%{sql:SELECT SUM(acctoutputoctets + acctinputoctets) FROM radacct WHERE username='%{request:User-Name}' AND acctsessionid = '%{Acct-Session-Id}' }"
                        }

                        #Set Used Bytes
                        if ("%{sql:UPDATE radcheck SET value = '%{control:VIM-Used-Bytes}' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' }") {
                            ok
                        }

                        update control {
                            Mikrotik-Xmit-Limit := "%{sql:SELECT value FROM radcheck WHERE attribute='Mikrotik-Xmit-Limit' AND username='%{request:User-Name}' }"
                            VIM-Used-Bytes := "%{sql:SELECT value FROM radcheck WHERE attribute='VIM-Used-Bytes' AND username='%{request:User-Name}' }"
                        }

                        if ("%{sql:UPDATE radcheck SET value = '%{control:Mikrotik-Xmit-Limit}'- '%{control:VIM-Used-Bytes}' WHERE attribute = 'Mikrotik-Xmit-Limit' AND username = '%{User-Name}' } ") {
                            ok
                        }

                        if ("%{sql:UPDATE radcheck SET value = '0' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' } ") {
                            ok
                        }
                    }
                }

                case T {
                    #calculation of Time
                    update control {
                        VIM-Avail-Time := "%{sql: SELECT acctsessiontime FROM radacct WHERE username='%{request:User-Name}' AND acctsessionid = '%{Acct-Session-Id}'}"
                        VIM-Subscriber-Activation-Time := "%{sql: SELECT value FROM radcheck WHERE username='%{request:User-Name}' AND attribute = 'VIM-Avail-Time'}"
                    }

                    if ("%{sql:Update radcheck SET value = '%{control:VIM-Subscriber-Activation-Time}'-'%{control:VIM-Avail-Time}' WHERE attribute ='VIM-Avail-Time' AND username = '%{User-Name}'}") {
                        ok
                    }
                }
            }
        }
    }

    #Sending CoA for Volume and Time based plans
    if ("%{Acct-Status-Type}" == "Interim-Update") {
        if ("%{sql:INSERT INTO radprotologs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid, acctuniqueid, nasportid, nasporttype,acctsessiontime, acctauthentic, acctinoutoctets, acctoutputoctets, callingstationid, acctterminatecause, framedipaddress, framedprotocol, framedipv6prefix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}' ,'Accounting-Request' , 'Interim Update' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Session-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}' ,'%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' , '%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}') }") { ok }

        if ("%{sql:UPDATE radcheck SET value = '%{Acct-Output-Octets}' +'%{Acct-Input-Octets}' WHERE username = '%{User-Name}' AND attribute= 'VIM-Used-Bytes'}") {
            ok
        }

        if (control:VIM-Plan-Limit-Type) {
            switch "%{control:VIM-Plan-Limit-Type}" {
                case V {
                    if ("%{sql:SELECT value FROM radcheck WHERE attribute='VIM-Avail-Bytes' AND username='%{request:User-Name}' }" < "%{sql:SELECT value FROM radcheck WHERE attribute='VIM-Used-Bytes' AND username='%{request:User-Name}' }") {
                        "%{exec:/usr/local/etc/raddb/disconnect.sh %{User-Name} %{NAS-IP-Address}} "

                        if ("%{sql:INSERT INTO radprotologs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid, acctuniqueid, nasportid, nasporttype,acctsessiontime, acctauthentic, acctinoutoctets, acctoutputoctets, callingstationid, acctterminatecause, framedipaddress, framedprotocol, framedipv6prefix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}' ,'POD' , 'Interim Update' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Session-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}','%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' ,'%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}') }") { ok }
                    }
                }

                case T {
                    #calculation of Time
                    update control {
                        VIM-Avail-Time := "%{sql: SELECT acctsessiontime FROM radacct WHERE username='%{request:User-Name}' AND acctsessionid = '%{Acct-Session-Id}'}"
                        VIM-Subscriber-Activation-Time := "%{sql: SELECT value FROM radcheck WHERE username='%{request:User-Name}' AND attribute = 'VIM-Avail-Time'}"
                    }

                    if ("%{sql:Update radcheck SET value = '%{control:VIM-Subscriber-Activation-Time}'-'%{control:VIM-Avail-Time}' WHERE attribute ='VIM-Avail-Time' AND username = '%{User-Name}'}") {
                        ok
                    }

                    if ("%{sql:SELECT TO_NUMBER(VALUE) VALUE FROM RADCHECK WHERE ATTRIBUTE='VIM-Avail-Time' AND username='%{request:User-Name}' AND VALUE


        ssion-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}' ,'%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' , '%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}')}") { ok }

        if ("%{sql:UPDATE onlinesubscriber SET status = 'Offline' WHERE username = '%{User-Name}' }") {
            ok
        }

        if (control:VIM-Plan-Limit-Type) {
            switch "%{control:VIM-Plan-Limit-Type}" {
                case V {
                    #Calculate the used bytes
                    if ("%{sql: SELECT value FROM radcheck WHERE attribute= 'VIM-FUP-Quota-Depleted-Flag' AND username='%{User-Name}'}" == "Yes") {
                        update control {
                            VIM-Used-Bytes := "%{sql:SELECT SUM(acctoutputoctets + acctinputoctets) FROM radacct WHERE username='%{request:User-Name}' AND acctsessionid = '%{Acct-Session-Id}' }"
                        }

                        #Set Used Bytes
                        if ("%{sql:UPDATE radcheck SET value = '%{control:VIM-Used-Bytes}' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' }") {
                            ok
                        }

                        update control {
                            Mikrotik-Xmit-Limit := "%{sql:SELECT value FROM radcheck WHERE attribute='Mikrotik-Xmit-Limit' AND username='%{request:User-Name}' }"
                            VIM-Used-Bytes := "%{sql:SELECT value FROM radcheck WHERE attribute='VIM-Used-Bytes' AND username='%{request:User-Name}' }"
                        }

                        if ("%{sql:UPDATE radcheck SET value = '%{control:Mikrotik-Xmit-Limit}'- '%{control:VIM-Used-Bytes}' WHERE attribute = 'Mikrotik-Xmit-Limit' AND username = '%{User-Name}' } ") {
                            ok
                        }

                        if ("%{sql:UPDATE radcheck SET value = '0' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' } ") {
                            ok
                        }
                    }
                }
            }
        }
    }

    #Idle-Timeout
    if ("%{Acct-Status-Type}" == "Idle-Timeout") {
        if ("%{sql:INSERT INTO radprotologs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid, acctuniqueid, nasportid, nasporttype,acctsessiontime, acctauthentic, acctinoutoctets, acctoutputoctets, callingstationid, acctterminatecause, framedipaddress, framedprotocol, framedipv6prefix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}' ,'Accounting-Request' , 'Accounting Stop' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Session-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}' ,'%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' , '%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}')}") { ok }

        if ("%{sql:UPDATE onlinesubscriber SET status = 'Offline' WHERE username = '%{User-Name}' }") {
            ok
        }

        if (control:VIM-Plan-Limit-Type) {
            switch "%{control:VIM-Plan-Limit-Type}" {
                case V {
                    #Calculate the used bytes
                    if ("%{sql: SELECT value FROM radcheck WHERE attribute= 'VIM-FUP-Quota-Depleted-Flag' AND username='%{User-Name}'}" == "Yes") {
                        update control {
                            VIM-Used-Bytes := "%{sql:SELECT SUM(acctoutputoctets + acctinputoctets) FROM radacct WHERE username='%{request:User-Name}' AND acctsessionid = '%{Acct-Session-Id}' }"
                        }

                        #Set Used Bytes
                        if ("%{sql:UPDATE radcheck SET value = '%{control:VIM-Used-Bytes}' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' }") {
                            ok
                        }

                        update control {
                            Mikrotik-Xmit-Limit := "%{sql:SELECT value FROM radcheck WHERE attribute='Mikrotik-Xmit-Limit' AND username='%{request:User-Name}' }"
                            VIM-Used-Bytes := "%{sql:SELECT value FROM radcheck WHERE attribute='VIM-Used-Bytes' AND username='%{request:User-Name}' }"
                        }

                        if ("%{sql:UPDATE radcheck SET value = '%{control:Mikrotik-Xmit-Limit}'- '%{control:VIM-Used-Bytes}' WHERE attribute = 'Mikrotik-Xmit-Limit' AND username = '%{User-Name}' } ") {
                            ok
                        }

                        if ("%{sql:UPDATE radcheck SET value = '0' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' } ") {
                            ok
                        }
                    }
                }
            }
        }
    }

    #
    # If you receive stop packets with zero session length,
    # they will NOT be logged in the database. The SQL module
    # will print a message (only in debugging mode), and will
    # return "noop".
    #
    # You can ignore these packets by uncommenting the following


    # three lines. Otherwise, the server will not respond to the
    # accounting request, and the NAS will retransmit.
    #
    # if (noop) {
    #     ok
    # }

    #
    # Instead of sending the query to the SQL server,
    # write it into a log file.
    #
    # sql_log

    # Cisco VoIP specific bulk accounting
    # pgsql-voip

    # For Exec-Program and Exec-Program-Wait
    exec

    # Filter attributes from the accounting response.
    attr_filter.accounting_response

    #
    # See "Autz-Type Status-Server" for how this works.
    #
    # Acct-Type Status-Server {
    #
    # }
}
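The volume-plan (case V) bookkeeping in the accounting section above, as an added Python model that is not part of the config or of FreeRADIUS. It replays the Interim-Update and Stop branches against an in-memory sqlite3 copy of the tables the queries touch; the table DDL, the subscriber "alice", the group "fup-plan" and all byte counts are constructed assumptions, and where the config compares the two quoted SQL results with "<" this model compares them as integers.

```python
import sqlite3

# Constructed in-memory subset of the tables the accounting section queries
# (radcheck, radacct, radusergroup, radgroupcheck). Column names follow the
# page's queries; the DDL itself is an assumption, not the FreeRADIUS schema.
DDL = """
CREATE TABLE radcheck      (username TEXT, attribute TEXT, value TEXT);
CREATE TABLE radacct       (username TEXT, acctsessionid TEXT,
                            acctinputoctets INTEGER, acctoutputoctets INTEGER,
                            PRIMARY KEY (username, acctsessionid));
CREATE TABLE radusergroup  (username TEXT, groupname TEXT);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, value TEXT);
"""


def open_db(user, group, avail_bytes, xmit_limit, fup_depleted):
    """Create the tables and seed one subscriber on a volume (V) plan."""
    db = sqlite3.connect(":memory:")
    db.executescript(DDL)
    db.execute("INSERT INTO radusergroup VALUES (?, ?)", (user, group))
    db.execute("INSERT INTO radgroupcheck VALUES (?, 'VIM-Plan-Limit-Type', 'V')",
               (group,))
    for attr, value in (("VIM-Avail-Bytes", avail_bytes),
                        ("VIM-Used-Bytes", 0),
                        ("Mikrotik-Xmit-Limit", xmit_limit),
                        ("VIM-FUP-Quota-Depleted-Flag", fup_depleted)):
        db.execute("INSERT INTO radcheck VALUES (?, ?, ?)", (user, attr, str(value)))
    return db


def plan_limit_type(db, user):
    """The control:VIM-Plan-Limit-Type lookup at the top of accounting {}."""
    row = db.execute(
        "SELECT value FROM radgroupcheck WHERE attribute='VIM-Plan-Limit-Type'"
        " AND groupname=(SELECT groupname FROM radusergroup WHERE username=?)",
        (user,)).fetchone()
    return row[0] if row else None


def get_check(db, user, attr):
    row = db.execute("SELECT value FROM radcheck WHERE username=? AND attribute=?",
                     (user, attr)).fetchone()
    return row[0] if row else None


def set_check(db, user, attr, value):
    db.execute("UPDATE radcheck SET value=? WHERE username=? AND attribute=?",
               (str(value), user, attr))


def on_interim_update(db, user, session_id, in_octets, out_octets):
    """Interim-Update branch, case V.

    As in the config: VIM-Used-Bytes := Acct-Output-Octets + Acct-Input-Octets
    from this packet (the NAS sends cumulative counters), then disconnect when
    VIM-Avail-Bytes < VIM-Used-Bytes. Returns True when the config would run
    disconnect.sh (the POD) for this subscriber.
    """
    db.execute("INSERT OR REPLACE INTO radacct VALUES (?, ?, ?, ?)",
               (user, session_id, in_octets, out_octets))
    set_check(db, user, "VIM-Used-Bytes", in_octets + out_octets)
    if plan_limit_type(db, user) != "V":
        return False
    avail = int(get_check(db, user, "VIM-Avail-Bytes"))
    used = int(get_check(db, user, "VIM-Used-Bytes"))
    return avail < used


def on_stop(db, user, session_id):
    """Stop branch, case V, taken only when VIM-FUP-Quota-Depleted-Flag is
    'Yes': sum the session's octets from radacct, subtract them from
    Mikrotik-Xmit-Limit and reset VIM-Used-Bytes to 0. Returns the remaining
    Mikrotik-Xmit-Limit."""
    limit = int(get_check(db, user, "Mikrotik-Xmit-Limit"))
    if plan_limit_type(db, user) != "V":
        return limit
    if get_check(db, user, "VIM-FUP-Quota-Depleted-Flag") != "Yes":
        return limit
    used = db.execute(
        "SELECT SUM(acctoutputoctets + acctinputoctets) FROM radacct"
        " WHERE username=? AND acctsessionid=?", (user, session_id)).fetchone()[0]
    set_check(db, user, "VIM-Used-Bytes", used)
    set_check(db, user, "Mikrotik-Xmit-Limit", limit - used)
    set_check(db, user, "VIM-Used-Bytes", 0)
    return limit - used


def run_sample_session():
    """Drive one constructed session: two Interim-Updates, then Stop.
    Returns (disconnect decision per interim, remaining Mikrotik-Xmit-Limit)."""
    db = open_db("alice", "fup-plan", avail_bytes=1000, xmit_limit=5000,
                 fup_depleted="Yes")
    flags = [on_interim_update(db, "alice", "s1", 300, 400),   # 700 <= 1000
             on_interim_update(db, "alice", "s1", 600, 500)]   # 1100 > 1000
    remaining = on_stop(db, "alice", "s1")                     # 5000 - 1100
    return flags, remaining


if __name__ == "__main__":
    print(run_sample_session())   # ([False, True], 3900)
```

Note that the quota arithmetic reads the 32-bit Acct-Input-Octets and Acct-Output-Octets values directly; the acct_counters64 module, left commented out in the preacct section above, is what folds the Gigawords attributes in for sessions that exceed 4 GiB.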

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
    #radutmp

    #
    # See "Simultaneous Use Checking Queries" in sql.conf
    sql
}

# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
    #
    # If you need to have a State attribute, you can
    # add it here. e.g. for later CoA-Request with
    # State, and Service-Type = Authorize-Only.
    #
    # if (!&reply:State) {
    #     update reply {
    #         State := "0x%{randstr:16h}"
    #     }
    # }

    #
    # For EAP-TTLS and PEAP, add the cached attributes to the reply.


    # The "session-state" attributes are automatically cached when# an Access-Challenge is sent, and automatically retrieved# when an Access-Request is received.## The session-state attributes are automatically deleted after# an Access-Reject or Access-Accept is sent.#update {

    &reply: += &session-state:}

    # Get an address from the IP Pool.# main_pool

    # Create the CUI value and add the attribute to Access-Accept.# Uncomment the line below if *returning* the CUI.

    # cui

    ## If you want to have a log of authentication replies,# un-comment the following line, and enable the# 'detail reply_log' module.

    # reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in sql.conf
	-sql

	#Huntgroup check
	if("%{sql:select COUNT(*) from radhuntgroup where nasipaddress='%{NAS-IP-Address}'}" == 0) {
		#Huntgroup not found
		update control {
			VIM-Internal-Failure := "Invalid Huntgroup : %{NAS-IP-Address} "
		}
		update reply {
			Reply-Message := "Invalid Huntgroup : %{NAS-IP-Address} "
		}
		reject
	}

	#Date Check
	if("%{sql: SELECT STATUS FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}" == 'A'){
		if( "%{sql: SELECT case when trunc(END_DATE + 1) < SYSDATE AND DOWNGRADED IS NULL then 'false' else 'true' end as response FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}' }" == 'false'){
			if("%{sql:UPDATE BB_CONTRACT_DTL SET STATUS='E',LAST_ACTION_ID=3,LAST_UPD_BY='-2',LAST_UPD_DATE=SYSDATE,DISCONNECT_DATE=SYSDATE WHERE CONTRACT_ID='%{sql: SELECT CONTRACT_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}' AND CUSTOMER_ID='%{sql: SELECT CUSTOMER_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}'}"){
				ok
			}
			if("%{sql:UPDATE BB_CUSTOMER_DTL SET STATUS='I',LAST_UPD_BY='-2',LAST_UPD_DATE=SYSDATE WHERE CUSTOMER_ID='%{sql: SELECT CUSTOMER_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}'}"){
				ok
			}
			if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, callingstationid, nasportid, details) VALUES (SYSDATE, '%{User-Name}', 'Access-Reject', '%{NAS-IP-Address}', '%{Calling-Station-Id}', '%{NAS-Port-Id}', 'Plan Date Expired')} ") {
				ok
			}
			update control {
				VIM-Internal-Failure := "Plan Date Expired"
			}
			update reply {
				Reply-Message := "Plan Date Expired"
			}
			reject
		}
	}
	else {
		if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, callingstationid, nasportid, details) VALUES (SYSDATE, '%{User-Name}', 'Access-Reject', '%{NAS-IP-Address}', '%{Calling-Station-Id}', '%{NAS-Port-Id}', 'Plan Status Expired')} ") {
			ok
		}
		update reply {
			Reply-Message := "Plan Status Expired"
		}
		reject
	}

	#Simultaneous User Check

	if( "%{sql: SELECT COUNT(*) from radacct WHERE username = '%{User-Name}' AND acctstoptime IS NULL}" > 0){
		if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, callingstationid, nasportid, details) VALUES (SYSDATE, '%{User-Name}', 'Access-Reject', '%{NAS-IP-Address}', '%{Calling-Station-Id}', '%{NAS-Port-Id}', 'Simultaneous Login Detected')} ") {
			ok
		}
		update control {
			VIM-Internal-Failure := "Simultaneous Login Detected "
		}
		update reply {
			Reply-Message := "Simultaneous Login Detected "
		}
		reject
	}

	#mac check

	if(control:VIM-Enable-MAC-Auth == "Yes") {
		if( "%{sql:SELECT * from radusermacmap WHERE username = '%{User-Name}' AND macaddress='0' }" ) {
			if ("%{sql:UPDATE radusermacmap SET macaddress = '%{Calling-Station-Id}', LAST_UPDATED_BY='-2' WHERE username='%{User-Name}' } ") {
				ok
			}
		}
		else {
			if( "%{sql:SELECT * FROM ( WITH DATA AS ( SELECT MACADDRESS from RADUSERMACMAP WHERE USERNAME='%{User-Name}' ) SELECT trim(regexp_substr(MACADDRESS, '[^,]+', 1, LEVEL)) MACADDRESS FROM DATA CONNECT BY instr(MACADDRESS, ',', 1, LEVEL - 1) > 0) WHERE MACADDRESS='%{Calling-Station-Id}' }"){
				ok
			}
			else {
				if("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, callingstationid, nasportid, details) VALUES (SYSDATE, '%{User-Name}', 'Access-Reject', '%{NAS-IP-Address}', '%{Calling-Station-Id}', '%{NAS-Port-Id}', 'Mac-Auth-Failed')} ") {
					ok
				}
				update control {
					VIM-Internal-Failure := "MAC Authentication Failed "
				}
				update reply {
					Reply-Message := "MAC Authentication Failed "
				}
				reject
			}
		}
	}

	#FUP user Validation
	if(control:VIM-Plan-Limit-Type){
		switch "%{control:VIM-Plan-Limit-Type}"{
			case V {
				if("%{sql:SELECT TO_NUMBER(VALUE) VALUE FROM RADCHECK WHERE ATTRIBUTE='Mikrotik-Xmit-Limit' AND username='%{request:User-Name}' AND VALUE
				# (transcript gap: the source drops text at a page break here; the rest of this condition and the start of the next is missing)
				1',LAST_UPD_DATE=SYSDATE,DISCONNECT_DATE=SYSDATE WHERE CONTRACT_ID='%{sql: SELECT CONTRACT_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}' AND CUSTOMER_ID='%{sql: SELECT CUSTOMER_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}'}"){
						ok
					}
					if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, callingstationid, nasportid, details) VALUES (SYSDATE, '%{User-Name}', 'Access-Reject', '%{NAS-IP-Address}', '%{Calling-Station-Id}', '%{NAS-Port-Id}', 'Plan Date Expired')} ") {
						ok
					}
					update control {
						VIM-Internal-Failure := "Plan Volume Expired"
					}
					update reply {
						Reply-Message := "Plan Volume Expired"
					}
					reject
				}
			}
			case T {
				if("%{sql:SELECT TO_NUMBER(VALUE) VALUE FROM RADCHECK WHERE ATTRIBUTE='VIM-Avail-Time' AND username='%{request:User-Name}' AND VALUE

	# (transcript gap: the source drops text at a page break here; the remainder of the FUP block and the opening of this NAS IP check are missing)
	#NAS IP Authentication
		= '%{User-Name}' AND attribute = 'NAS-IP-Address' AND value = '1'}"){
			if("%{sql:UPDATE radcheck SET value='%{NAS-IP-Address}' WHERE username = '%{User-Name}' AND attribute = 'NAS-IP-Address' AND value = '1' }"){
				ok
			}
			if("%{sql:UPDATE BB_USERS SET NAS_ID=(SELECT ID FROM NAS WHERE NASNAME='%{NAS-IP-Address}' ) WHERE USER_NAME='%{User-Name}'}"){
				ok
			}
		}
		else {
			if( "%{sql: SELECT value from radcheck WHERE username = '%{User-Name}' AND attribute = 'NAS-IP-Address'}" == "%{NAS-IP-Address}"){
				ok
			}
			else {
				if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, callingstationid, nasportid, details) VALUES (SYSDATE, '%{User-Name}', 'Access-Reject', '%{NAS-IP-Address}', '%{Calling-Station-Id}', '%{NAS-Port-Id}', 'NAS IP Authentication Failed')} ") {
					ok
				}
				update control {
					VIM-Internal-Failure := "NAS IP Authentication Failed "
				}
				update reply {
					Reply-Message := "NAS IP Authentication Failed "
				}
				reject
			}
		}
	}

	#NAS IP Authentication-No
	if(control:VIM-Enable-NASIP-Auth == "No") {
		if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, callingstationid, nasportid, details) VALUES (SYSDATE, '%{User-Name}', 'Access-Free-NAS-IP-Address', '%{NAS-IP-Address}', '%{Calling-Station-Id}', '%{NAS-Port-Id}', 'Free-NAS-IP-Address')} ") {
			ok
		}
	}

	#NAS Port Authentication
	if(control:VIM-Enable-NASPORT-Auth == "Yes") {
		if("%{sql: SELECT * from radcheck WHERE username = '%{User-Name}' AND attribute = 'NAS-Port-Id' AND value = '1'}"){
			if("%{sql:UPDATE radcheck SET value='%{NAS-Port-Id}' WHERE username = '%{User-Name}' AND attribute = 'NAS-Port-Id' AND value = '1' }"){
				ok
			}
		}
		else {
			if( "%{sql: SELECT value from radcheck WHERE username = '%{User-Name}' AND attribute = 'NAS-Port-Id'}" == "%{NAS-Port-Id}"){
				ok
			}
			else {
				if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, callingstationid, nasportid, details) VALUES (SYSDATE, '%{User-Name}', 'Access-Reject', '%{NAS-IP-Address}', '%{Calling-Station-Id}', '%{NAS-Port-Id}', 'NAS Port Authentication Failed')} ") {
					ok
				}
				update control {
					VIM-Internal-Failure := "NAS Port Authentication Failed "
				}
				update reply {
					Reply-Message := "NAS Port Authentication Failed "
				}
				reject
			}
		}
	}

	#NAS Port Authentication-No
	if(control:VIM-Enable-NASPORT-Auth == "No") {
		if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, callingstationid, nasportid, details) VALUES (SYSDATE, '%{User-Name}', 'Access-Free-NAS-Port-Id', '%{NAS-IP-Address}', '%{Calling-Station-Id}', '%{NAS-Port-Id}', 'Free-NAS-Port-Id')} ") {
			ok
		}
	}

	#Check and enforce policies for Unlimited and FUP limits
	if(control:VIM-Plan-Limit-Type){

		switch "%{control:VIM-Plan-Limit-Type}"{
			case V {
				if("%{sql: SELECT value FROM radcheck WHERE attribute= 'VIM-FUP-Quota-Depleted-Flag' AND username='%{User-Name}'}" == "Yes"){
					update reply {
						Mikrotik-Rate-Limit = "%{control:VIM-Uplink-Speed}/%{control:VIM-Downlink-Speed}"
						Mikrotik-Xmit-Limit = "%{control:Mikrotik-Xmit-Limit}"
						Mikrotik-Recv-Limit = "%{control:Mikrotik-Xmit-Limit}"
						Session-Timeout = "%{control:VIM-Session-Timeout}"
						Idle-Timeout = "%{control:VIM-Idle-Timeout}"
						Framed-Pool = "%{control:Framed-Pool}"
						Framed-IPv6-Pool = "%{control:Framed-IPv6-Pool}"
					}
				}
			}
			case U {
				update reply {
					Mikrotik-Rate-Limit = "%{control:VIM-Uplink-Speed}/%{control:VIM-Downlink-Speed}"
					Session-Timeout = "%{control:VIM-Session-Timeout}"
					Idle-Timeout = "%{control:VIM-Idle-Timeout}"
					Framed-Pool = "%{control:Framed-Pool}"
					Framed-IPv6-Pool = "%{control:Framed-IPv6-Pool}"
				}
			}
			case T {
				if("%{sql:SELECT TO_NUMBER(VALUE) VALUE FROM RADCHECK WHERE ATTRIBUTE='VIM-Avail-Time' AND username='%{request:User-Name}' AND VALUE >= '86400'}" ){
					update reply {
						Mikrotik-Rate-Limit = "%{control:VIM-Uplink-Speed}/%{control:VIM-Downlink-Speed}"
						Session-Timeout = "%{control:VIM-Session-Timeout}"
						Idle-Timeout = "%{control:VIM-Idle-Timeout}"
						Framed-Pool = "%{control:Framed-Pool}"
						Framed-IPv6-Pool = "%{control:Framed-IPv6-Pool}"
					}
				}
				else {
					update reply {
						Mikrotik-Rate-Limit = "%{control:VIM-Uplink-Speed}/%{control:VIM-Downlink-Speed}"
						Session-Timeout = "%{control:VIM-Avail-Time}"
						Idle-Timeout = "%{control:VIM-Idle-Timeout}"
						Framed-Pool = "%{control:Framed-Pool}"
						Framed-IPv6-Pool = "%{control:Framed-IPv6-Pool}"
					}
				}
			}
			case P {
				update reply {
					Mikrotik-Address-List = "%{sql:select groupname from radusergroup where username='%{request:User-Name}'}"
					Session-Timeout = "%{control:VIM-Session-Timeout}"
					Idle-Timeout = "%{control:VIM-Idle-Timeout}"
					Framed-Pool = "%{control:Framed-Pool}"
				}
			}
		}
	}

	#New mac

	if(control:VIM-Enable-MAC-Auth == "No"){
		if("%{sql:SELECT * from RADUSERMACMAP WHERE USERNAME='%{User-Name}' AND MACADDRESS=' ' }" ) {
			if ("%{sql:UPDATE radusermacmap SET macaddress = '%{Calling-Station-Id}' WHERE username='%{User-Name}' }") {
				ok
			}
		}
		if("%{sql:SELECT * from radusermacmap WHERE username = '%{User-Name}' AND macaddress != ' ' }" ){
			if ("%{sql:UPDATE radusermacmap SET macaddress = '%{Calling-Station-Id}' WHERE username='%{User-Name}' } ") {
				ok
			}
		}
	}
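The custom post-auth chain above (huntgroup, plan status and date, simultaneous-use, MAC check), modelled in Python as an added example that is not part of this site config: the SQL lookups are replaced by constructed in-memory rows, and a `normalize` option the config does not have shows why comparing Calling-Station-Id as a raw string is fragile across NAS vendors.

```python
# Added example, not part of the site config above: a Python model of the
# post-auth policy chain. SQL lookups are replaced by constructed rows.
from dataclasses import dataclass


@dataclass
class User:
    status: str             # RADIUS_USER_DTL.STATUS, 'A' means active
    expired: bool           # trunc(END_DATE + 1) < SYSDATE AND DOWNGRADED IS NULL
    macs: str = "0"         # radusermacmap.macaddress: '0' = not yet enrolled,
                            # otherwise a comma-separated list of allowed MACs
    open_sessions: int = 0  # radacct rows for the user with acctstoptime IS NULL


def split_macs(csv):
    """Same split the Oracle regexp_substr/CONNECT BY query performs."""
    return [m.strip() for m in csv.split(",") if m.strip()]


def norm_mac(mac):
    """Not in the config (assumed here for illustration): NASes send
    Calling-Station-Id as 00:11:22:33:44:55, 00-11-22-33-44-55 or
    001122334455, so compare on the bare lower-case hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def post_auth(user, nas_in_huntgroup, calling_station_id,
              mac_auth="Yes", normalize=False):
    """Evaluate the checks in the order the config does.
    Returns (rcode, reason); reason is the Reply-Message used on reject."""
    if not nas_in_huntgroup:                 # COUNT(*) from radhuntgroup == 0
        return "reject", "Invalid Huntgroup"
    if user.status != "A":                   # else branch of the status check
        return "reject", "Plan Status Expired"
    if user.expired:
        return "reject", "Plan Date Expired"
    if user.open_sessions > 0:               # Simultaneous-Use via radacct
        return "reject", "Simultaneous Login Detected"
    if mac_auth == "Yes":
        if user.macs == "0":
            # First login enrols whatever MAC the NAS reports (trust on first
            # use); every later check is only as trustworthy as that session.
            user.macs = calling_station_id
        else:
            key = norm_mac if normalize else (lambda m: m)
            allowed = {key(m) for m in split_macs(user.macs)}
            if key(calling_station_id) not in allowed:
                return "reject", "MAC Authentication Failed"
    else:
        # VIM-Enable-MAC-Auth == "No": the stored MAC is overwritten, never checked
        user.macs = calling_station_id
    return "ok", ""
```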

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you want to modify the user's object
	#  in LDAP after a successful login.
	#
#	ldap

	#  For Exec-Program and Exec-Program-Wait
	exec

	#
	#  Calculate the various WiMAX keys. In order for this to work,
	#  you will need to define the WiMAX NAI, usually via
	#
	#	update request {
	#		WiMAX-MN-NAI = "%{User-Name}"
	#	}
	#
	#  If you want various keys to be calculated, you will need to
	#  update the reply with "template" values. The module will see
	#  this, and replace the template values with the correct ones
	#  taken from the cryptographic calculations. e.g.
	#
	#	update reply {
	#		WiMAX-FA-RK-Key = 0x00
	#		WiMAX-MSK = "%{EAP-MSK}"
	#	}
	#
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
	#  as some WiMAX clients behave badly when those attributes
	#  are included. See "raddb/modules/wimax", configuration
	#  entry "delete_mppe_keys" for more information.
	#
#	wimax

	#  If there is a client certificate (EAP-TLS, sometimes PEAP
	#  and TTLS), then some attributes are filled out after the
	#  certificate verification has been performed. These fields
	#  MAY be available during the authentication, or they may be
	#  available only in the "post-auth" section.
	#
	#  The first set of attributes contains information about the
	#  issuing certificate which is being used. The second
	#  contains information about the client certificate (if
	#  available).
	#
	#	update reply {
	#		Reply-Message += "%{TLS-Cert-Serial}"
	#		Reply-Message += "%{TLS-Cert-Expiration}"
	#		Reply-Message += "%{TLS-Cert-Subject}"
	#		Reply-Message += "%{TLS-Cert-Issuer}"
	#		Reply-Message += "%{TLS-Cert-Common-Name}"
	#		Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
	#
	#		Reply-Message += "%{TLS-Client-Cert-Serial}"
	#		Reply-Message += "%{TLS-Client-Cert-Expiration}"
	#		Reply-Message += "%{TLS-Client-Cert-Subject}"
	#		Reply-Message += "%{TLS-Client-Cert-Issuer}"
	#		Reply-Message += "%{TLS-Client-Cert-Common-Name}"
	#		Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
	#	}

	#  Insert class attribute (with unique value) into response,
	#  aids matching auth and acct records, and protects against duplicate
	#  Acct-Session-Id. Note: Only works if the NAS has implemented
	#  RFC 2865 behaviour for the class attribute, AND if the NAS
	#  supports long Class attributes. Many older or cheap NASes
	#  only support 16-octet Class attributes.
#	insert_acct_class

	#  MacSEC requires the use of EAP-Key-Name. However, we don't
	#  want to send it for all EAP sessions. Therefore, the EAP
	#  modules put required data into the EAP-Session-Id attribute.
	#  This attribute is never put into a request or reply packet.
	#
	#  Uncomment the next few lines to copy the required data into
	#  the EAP-Key-Name attribute
#	if (&reply:EAP-Session-Id) {
#		update reply {
#			EAP-Key-Name := &reply:EAP-Session-Id
#		}
#	}

	#  Remove reply message if the response contains an EAP-Message
	remove_reply_message_if_eap

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	#  The "session-state" attributes are not available here.
	#
	Post-Auth-Type REJECT {
		#  Note: this expands the cleartext User-Password into
		#  VIM-Internal-Failure, and the INSERT below stores that
		#  string in radprotologs.details.
		update control {
			VIM-Internal-Failure := "Authentication Failed for Username: %{User-Name} With PASSWORD: %{User-Password}"
		}
		update reply {
			Reply-Message := "Incorrect Username or Password"
		}

		# log failed authentications in SQL, too.
		-sql
		attr_filter.access_reject
		if("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, nasportid, details, callingstationid) VALUES (SYSDATE, '%{User-Name}', 'Access-Reject', '%{NAS-IP-Address}', '%{NAS-Port-Id}', '%{control:VIM-Internal-Failure}', '%{Calling-Station-Id}') }") {
			ok
		}

		# Insert EAP-Failure message if the request was
		# rejected by policy instead of because of an
		# authentication failure
		eap

		# Remove reply message if the response contains an EAP-Message
		remove_reply_message_if_eap
	}
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage. This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
#pre-proxy {
	#  Before proxying the request add an Operator-Name attribute identifying
	#  if the operator-name is found for this client.
	#  No need to uncomment this if you have already enabled this in
	#  the authorize section.
#	operator-name

	#  The client requests the CUI by sending a CUI attribute
	#  containing one zero byte.
	#  Uncomment the line below if *requesting* the CUI.
#	cui

	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
#	pre_proxy_log
#}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
#post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
#	post_proxy_log

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
#	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration. Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
#	eap

	#
	#  If the server tries to proxy a request and fails, then the
	#  request is processed through the modules in this section.
	#
	#  The main use of this section is to permit robust proxying
	#  of accounting packets. The server can be configured to
	#  proxy accounting packets as part of normal processing.
	#  Then, if the home server goes down, accounting packets can
	#  be logged to a local "detail" file, for processing with
	#  radrelay. When the home server comes back up, radrelay
	#  will read the detail file, and send the packets to the
	#  home server.
	#
	#  With this configuration, the server always responds to
	#  Accounting-Requests from the NAS, but only writes
	#  accounting packets to disk if the home server is down.
	#
#	Post-Proxy-Type Fail-Accounting {
#			detail
#	}
#}
}