Prizee : Jeux Gratuits et Cadeaux !
     
Stats du site :
103 Forums avec 30 inscrits.
3 Visiteurs en ligne
Vous êtes dans : Galoula.net > Projets > HotSpot Complet
Galoula France ! Bricolages Projets Expériences PXE Tutoriels Moi Services Argent du NET Autres Liens  
 
 

Un Hotpot Complet !
Veuillez noter que ce tutoriel n'est pas encore terminé !

 

Cette page décris la mise en place d'un point d'accès WiFi sous Linux.

Ce point d'accès seras OUVERT mais demanderas une authentification auprès de l'utilisateur (Payant ou non), sans quoi, il n'auras pas accès à Internet ou un accès restreint.

Le plus de ce tutoriel, est si vous êtes comme moi, ne voulans pas acheter de certificats aupres d'autorithé de certification, Chillispot vas vous envoyé de messages d'érreurs à chaques connexions cliente pour lui indique un certificat non valide.
Quel est l'idiot qui vas accepter cella ? Surtout si l'on lui demande de payé ?
Mais soyez rassurés : Les paiements restent en SSL avec certification VALIDE aupres de l'autorithé de certification : En effet je ne veux en aucun cas gèrer les transactions : C'est PayPal qui s'en charge ! Donc rien à craindre au niveau sécuritée !

Tout d'abord, voyons l'architecture physique mise en place pour ce projet :

Ce matériel est connecter de la façon suivante :

(Image non disponible).

Pour commencer, nous intallons une Debian de base sur le serveur.
Une installation la plus légère possible à été mise en place. Le nom de la machine est HotSpot.

Légende :

Commande entrée :
Ce styleindique une commande à écrire.

Sortie écran :
Ce style indique ce que vous recevez comme message l'ors de la saisie de la commande.

Texte orginal :
Ce style indique le texte orginal dans un fichier de configuration par exemple.

Texte modifié :
Ce style indique ce que j'ai modifier dans un fichier de configuration par exemple.

Texte ajouté :
Ce style indique ce que j'ai ajouter en complement d'un fichier de configuration par exemple.

 

Préparatifs :

Une fois installée je me suis empressé d'installer SSH (apt-get install ssh) pour pouvoir débrancher mon clavier de cette machine et la remètre dans ma baie de brassage.

Mais nous devons partir sur des bases propre : Une mise à jours du sytème s'impose.

HotSpot:~# apt-get dist-upgrade

et efin on redemarre la machine pour que le nouveau noyau prenne le relais avec un "init 6".

Mise en place des connexions réseaux :

Installation de la carte WiFi :

La carte WiFi Alpha Network 500mw fonctionne sous un chipset RTL8187.

Je vais donc compiler un driver à partir des sources du fabricant qui à eû la bonne idée de les fournir.
Téléchargement des sources :

HotSpot:~# wget ftp://202.65.194.212/cn/wlan/rtl8187_linux_26.1025.0328.2007.tar.gz

Décompression de celles-ci :

HotSpot:~# tar -xzvf rtl8187_linux_26.1025.0328.2007.tar.gz
HotSpot:~# cd rtl8187_linux_26.1025.0328.2007

On on commence à compiller tout ça !
Mais j'ai installer un système Debian très basique !
Nous devons donc installer les paquets pour compiler ce driver :

HotSpot:~/rtl8187_linux_26.1025.0328.2007# apt-get install module-assistant
HotSpot:~/rtl8187_linux_26.1025.0328.2007# module-assistant prepare

Voilà, maintenant je peut réellement compiler mon driver :

HotSpot:~/rtl8187_linux_26.1025.0328.2007# ./makedrv

Maintenant que notre driver est compiler, il faut le mètre en place en copiant les modules aux bons endrois :

HotSpot:~/rtl8187_linux_26.1025.0328.2007# cd ieee80211/
HotSpot:~/rtl8187_linux_26.1025.0328.2007/ieee80211# cp *.ko /lib/modules/2.6.18-5-686/kernel/drivers/net/wireless/
HotSpot:~/rtl8187_linux_26.1025.0328.2007/ieee80211# cd ..
HotSpot:~/rtl8187_linux_26.1025.0328.2007# cd rtl8187/
HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# cp *.ko /lib/modules/2.6.18-5-686/kernel/drivers/net/wireless/

On regénères la base des modules :

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# depmod -a

Et enfin on les chargent manuellement pour effectuer un test :

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# modprobe ieee80211_crypt-rtl
HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# modprobe ieee80211_crypt_wep-rtl
HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# modprobe ieee80211_crypt_tkip-rtl
HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# modprobe ieee80211_crypt_ccmp-rtl
HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# modprobe ieee80211-rtl
HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# modprobe r8187

Nôtre Debian de base ne sait pas se connecter à un point d'accès WiFi.
Je lui installe donc les paquets pour lui permètre de se connecter à un point d'accès :

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# apt-get install wireless-tools

Maintenant, je peut configurer ma connexion WiFi.
Ici, exemple avec un LiveBow de chez Wanadaube :

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# iwconfig wlan0 essid Wanadoo_a1b2
Indique le point d'accès sur lequel je veux me connecter.

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# iwconfig wlan0 key on
Mon point d'accès est crypté par WEP.

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# iwconfig wlan0 key XYXYXYXYXYXYXYXYXYXYXYXYXY
J'indique ma clef WEP.

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# iwconfig wlan0 mode Managed
Je lui indique que c'est en mode infrastructure.

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# ifconfig wlan0 up
Je monte ma carte réseau (Démarre).

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# dhclient wlan0
Je lance une requette DHCP.
Internet Systems Consortium DHCP Client V3.0.4
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/wlan0/00:c0:xx:xx:xx:xx
Sending on LPF/wlan0/00:c0:xx:xx:xx:xx
Sending on Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 8
DHCPOFFER from 192.168.1.1
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPACK from 192.168.1.1
bound to 192.168.1.14 -- renewal in 270116 seconds.
--> Ligne disant que tout est OK !

 

 

Maintenant que je sait que cella fonctionne, je vais mètre ma configuration réseau en dur sur le serveur.

Mise en place des modules au démarrage :

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# vim /etc/modules

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.

loop
ieee80211_crypt-rtl
ieee80211_crypt_wep-rtl
ieee80211_crypt_tkip-rt
ieee80211_crypt_ccmp-rtl
ieee80211-rtl
r8187

Après, j'indique la configuration réseau :

HotSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# vim /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth1
allow-hotplug eth1
iface eth1 inet static
address 10.33.24.253
netmask 255.0.0.0
network 10.0.0.0
broadcast 10.255.255.255

auto eth0
iface eth0 inet static
address 0.0.0.0

auto wlan0
iface wlan0 inet static
address 192.168.1.5
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
wireless_mode Managed
wireless_essid Wanadoo_a1b2
wireless_key XYXYXYXYXYXYXYXYXYXYXYXYXY

Et enfin on redémarre le serveur et nous aurons une configuration réseau toute propre !
otSpot:~/rtl8187_linux_26.1025.0328.2007/rtl8187# init 6

Installation d'Apache2 :

Nous allons installer un serveur WEB : Apache2, pour fournir au clients les pages web du HotSpot.
L'installation ? Très simple :

HotSpot:~# apt-get install apache2

Installation du DNS : Bind

Le serveur DNS vas nous permètre d'utiliser des nom usuels pour le HotSpot comme par exemple la page de connexion qui seras login.hotspot.

HotSpot:~# apt-get install bind

Configuration du DNS.

Ajout des définitions des nouvelles zones DNS:

HotSpot:~# vim /etc/bind/named.conf.local

//
// Add local zone definitions here.

zone "hotspot" {
type master;
file "/etc/bind/hotspot";
};

zone "24.33.10.in-addr.arpa" {
type master;
file "/etc/bind/db.10.33.24";
};

zone "24.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.24";
};

Fichier de la zone "HotSpot" :

HotSpot:~# vim /etc/bind/hotspot

$TTL 604800
@ IN SOA hotspot. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS hotspot.
@ IN A 192.168.24.1

login IN A 192.168.24.1

Reverse DNS de la zone HotSpot local:

HotSpot:~# vim /etc/bind/db.10.33.24

$TTL 86400

@ IN SOA dns.hotspot. root.hotspot. (
2000042702 ; serial
0 ; refresh
0 ; retry
0 ; expire
0 ; default_ttl
)
@ IN NS dns.hotspot.

253 IN PTR login.hotspot.

Reverse DNS de la zone HotSpot Public:

HotSpot:~# vim /etc/bind/db.192.168.24

$TTL 86400

@ IN SOA hotspot. galoula.galoula.com. (
2000042702 ; serial
0 ; refresh
0 ; retry
0 ; expire
0 ; default_ttl
)
@ IN NS hotspot.

1 IN PTR login.hotspot.

On configure les redirecteurs :

HotSpot:~# vim /etc/bind/named.conf.options

options {
directory "/var/cache/bind";

// from bind 9:
// [fetch-glue] is obsolete. In BIND 8, fetch-glue yes caused the
// server to attempt to fetch glue resource records it didn't have
// when constructing the additional data section of a response.
// This is now considered a bad idea and BIND 9 never does it.

fetch-glue no;

// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.

// query-source address * port 53;

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

forwarders {
10.33.24.254;
};

};

On configure la machine locale pour utilisé le nouveau DNS :

HotSpot:~# vim /etc/hosts
127.0.0.1 localhost
127.0.1.1 HotSpot.GALOULA.COM.local HotSpot

127.0.0.1 login.hotspot
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

On relance bind :

HotSpot:~# /etc/init.d/bind restart

Installation de FreeRadius :

HotSpot:~# apt-get install freeradius

HotSpot:~# vim /etc/freeradius/clients.conf

secret = testing123

par

secret = RadiusSecret

Installation de ChilliSpot.

ChilliSpot est le coeur de notre HotSpot, c'est lui qui gère le routeur WiFi est ses accès physiques.
Pour l'installé suffit de tapper cette commande :

HotSpot:~# apt-get install chillispot

Adresse IP du premier serveur RADIUS : 127.0.0.1
Secret partagé du RADIUS : RadiusSecret
Interface Ethernet où le serveur DHCP sera à l'écoute : eth0
URL du serveur UAM : http://login.hotspot/cgi-bin/hotspotlogin.cgi
URL de la page d'accueil de l'UAM : http://hotspot.galoula.com
Mot de passe partagé entre ChilliSpot et le serveur Web : ChilliSecret

HotSpot:~# vim /etc/chilli.conf

##############################################################################
#
# Sample ChilliSpot configuration file
#
##############################################################################

# TAG: fg
# Include this flag if process is to run in the foreground
#fg

# TAG: debug
# Include this flag to include debug information.
#debug

# TAG: interval
# Re-read configuration file at this interval. Will also cause new domain
# name lookups to be performed. Value is given in seconds.
#interval 3600

# TAG: pidfile
# File to store information about the process id of the program.
# The program must have write access to this file/directory.
#pidfile /var/run/chilli.pid

# TAG: statedir
# Directory to use for nonvolatile storage.
# The program must have write access to this directory.
# This tag is currently ignored
#statedir ./

# TUN parameters

# TAG: net
# IP network address of external packet data network
# Used to allocate dynamic IP addresses and set up routing.
# Normally you do not need to uncomment this tag.
  net 192.168.24.0/24

# TAG: dynip
# Dynamic IP address pool
# Used to allocate dynamic IP addresses to clients.
# If not set it defaults to the net tag.
# Do not uncomment this tag unless you are an experienced user!
#dynip 192.168.182.0/24

# TAG: statip
# Static IP address pool
# Used to allocate static IP addresses to clients.
# Do not uncomment this tag unless you are an experienced user!
#statip 192.168.182.0/24

# TAG: dns1
# Primary DNS server.
# Will be suggested to the client.
# If omitted the system default will be used.
# Normally you do not need to uncomment this tag.
  dns1 192.168.24.1

# TAG: dns2
# Secondary DNS server.
# Will be suggested to the client.
# If omitted the system default will be used.
# Normally you do not need to uncomment this tag.
#dns2 172.16.0.6

# TAG: domain
# Domain name
# Will be suggested to the client.
# Normally you do not need to uncomment this tag.
  domain galoula.com

# TAG: ipup
# Script executed after network interface has been brought up.
# Executed with the following parameters: <devicename> <ip address>
# <mask>
# Normally you do not need to uncomment this tag.
#ipup /etc/chilli.ipup

# TAG: ipdown
# Script executed after network interface has been taken down.
# Executed with the following parameters: <devicename> <ip address>
# <mask>
# Normally you do not need to uncomment this tag.
#ipdown /etc/chilli.ipdown

# Radius parameters

# TAG: radiuslisten
# IP address to listen to
# Normally you do not need to uncomment this tag.
#radiuslisten 127.0.0.1

# TAG: radiusserver1
# IP address of radius server 1
# For most installations you need to modify this tag.
radiusserver1 127.0.0.1

# TAG: radiusserver2
# IP address of radius server 2
# If you have only one radius server you should set radiusserver2 to the
# same value as radiusserver1.
# For most installations you need to modify this tag.
radiusserver2 127.0.0.1

# TAG: radiusauthport
# Radius authentication port
# The UDP port number to use for radius authentication requests.
# The same port number is used for both radiusserver1 and radiusserver2.
# Normally you do not need to uncomment this tag.
#radiusauthport 1812

# TAG: radiusacctport
# Radius accounting port
# The UDP port number to use for radius accounting requests.
# The same port number is used for both radiusserver1 and radiusserver2.
# Normally you do not need to uncomment this tag.
#radiusacctport 1813

# TAG: radiussecret
# Radius shared secret for both servers
# For all installations you should modify this tag.
radiussecret RadiusSecret

# TAG: radiusnasid
# Radius NAS-Identifier
# Normally you do not need to uncomment this tag.
#radiusnasid nas01

# TAG: radiuslocationid
# WISPr Location ID. Should be in the format: isocc=<ISO_Country_Code>,
# cc=<E.164_Country_Code>,ac=<E.164_Area_Code>,network=<ssid/ZONE>
# Normally you do not need to uncomment this tag.
  radiuslocationid isocc=fr,cc=33,ac=78800,network=HotSpot

# TAG: radiuslocationname
# WISPr Location Name. Should be in the format:
# <HOTSPOT_OPERATOR_NAME>,<LOCATION>
# Normally you do not need to uncomment this tag.
  radiuslocationname HotSpotGaloulaFrance,Les_Blanches

# Radius proxy parameters

# TAG: proxylisten
# IP address to listen to
# Normally you do not need to uncomment this tag.
#proxylisten 10.0.0.1

# TAG: proxyport
# UDP port to listen to.
# If not specified a port will be selected by the system
# Normally you do not need to uncomment this tag.
#proxyport 1645

# TAG: proxyclient
# Client(s) from which we accept radius requests
# Normally you do not need to uncomment this tag.
#proxyclient 10.0.0.1/24

# TAG: proxysecret
# Radius proxy shared secret for all clients
# If not specified defaults to radiussecret
# Normally you do not need to uncomment this tag.
#proxysecret testing123

# DHCP Parameters

# TAG: dhcpif
# Ethernet interface to listen to.
# This is the network interface which is connected to the access points.
# In a typical configuration this tag should be set to eth1.
dhcpif eth0

# TAG: dhcpmac
# Use specified MAC address.
# An address in the range 00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF falls
# within the IANA range of addresses and is not allocated for other
# purposes.
# Normally you do not need to uncomment this tag.
#dhcpmac 00:00:5E:00:02:00

# TAG: lease
# Time before DHCP lease expires
# Normally you do not need to uncomment this tag.
#lease 600

# Universal access method (UAM) parameters

# TAG: uamserver
# URL of web server handling authentication.
uamserver http://login.hotspot/cgi-bin/hotspotlogin.cgi

# TAG: uamhomepage
# URL of welcome homepage.
# Unauthenticated users will be redirected to this URL. If not specified
# users will be redirected to the uamserver instead.
# Normally you do not need to uncomment this tag.
uamhomepage http://hotspot.galoula.com

# TAG: uamsecret
# Shared between chilli and authentication web server
uamsecret ChilliSecret

# TAG: uamlisten
# IP address to listen to for authentication requests
# Do not uncomment this tag unless you are an experienced user!
#uamlisten 192.168.182.1

# TAG: uamport
# TCP port to listen to for authentication requests
# Do not uncomment this tag unless you are an experienced user!
#uamport 3990

# TAG: uamallowed
# Comma separated list of domain names, IP addresses or network segments
# the client can access without first authenticating.
# It is possible to specify this tag multiple times.
# Normally you do not need to uncomment this tag.
  uamallowed www.galoula.com,192.168.24.1,hotspot.galoula.com,www.paypal.com,www.sandbox.paypal.com,developer.paypal.com,login.hotspot

# TAG: uamanydns
# If this flag is given unauthenticated users are allowed to use
# any DNS server.
# Normally you do not need to uncomment this tag.
#uamanydns

# MAC authentication

# TAG: macauth
# If this flag is given users will be authenticated only on their MAC
# address.
# Normally you do not need to uncomment this tag.
#macauth

# TAG: macallowed
# List of MAC addresses.
# The MAC addresses specified in this list will be authenticated only on
# their MAC address.
# This tag is ignored if the macauth tag is given.
# It is possible to specify this tag multiple times.
# Normally you do not need to uncomment this tag.
#macallowed 00-0A-5E-AC-BE-51,00-30-1B-3C-32-E9

# TAG: macpasswd
# Password to use for MAC authentication.
# Normally you do not need to uncomment this tag.
#macpasswd password

# TAG: macsuffix
# Suffix to add to MAC address in order to form the username.
# Normally you do not need to uncomment this tag.
#macsuffix suffix

 

Et nous devons lui mètre le script de connexion en place :

HotSpot:~# cp /usr/share/doc/chillispot/hotspotlogin.cgi.gz /usr/lib/cgi-bin/
HotSpot:~# cd /usr/lib/cgi-bin
HotSpot:/usr/lib/cgi-bin# gunzip hotspotlogin.cgi.gz --> Répondre oui (y).
HotSpot:/usr/lib/cgi-bin# chmod a+x hotspotlogin.cgi

Configuration du Portail :

HotSpot:/usr/lib/cgi-bin# vim /usr/lib/cgi-bin/hotspotlogin.cgi

#!/usr/bin/perl

# chilli - ChilliSpot.org. A Wireless LAN Access Point Controller
# Copyright (C) 2003, 2004 Mondru AB.
#
# The contents of this file may be used under the terms of the GNU
# General Public License Version 2, provided that the above copyright
# notice and this permission notice is included in all copies or
# substantial portions of the software.

# Redirects from ChilliSpot daemon:
#
# Redirection when not yet or already authenticated
# notyet: ChilliSpot daemon redirects to login page.
# already: ChilliSpot daemon redirects to success status page.
#
# Response to login:
# already: Attempt to login when already logged in.
# failed: Login failed
# success: Login succeded
#
# logoff: Response to a logout

# Shared secret used to encrypt challenge with. Prevents dictionary attacks.
# You should change this to your own shared secret.
$uamsecret = "ChilliSecret";

# Uncomment the following line if you want to use ordinary user-password
# for radius authentication. Must be used together with $uamsecret.
#$userpassword=1;

# Our own path
$loginpath = "/cgi-bin/hotspotlogin.cgi";

use Digest::MD5 qw(md5 md5_hex md5_base64);

# Make sure that the form parameters are clean
$OK_CHARS='-a-zA-Z0-9_.@&=%!';
$_ = $input = <STDIN>;
s/[^$OK_CHARS]/_/go;
$input = $_;

# Make sure that the get query parameters are clean
$OK_CHARS='-a-zA-Z0-9_.@&=%!';
$_ = $query=$ENV{QUERY_STRING};
s/[^$OK_CHARS]/_/go;
$query = $_;

# If she did not use https tell her that it was wrong.
if (($ENV{HTTPS} =~ /^on$/)) {
print "Content-type: text/html\n\n
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<title>&Eacute;chec de connexion au HotSpot</title>
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">
</head>
<body bgColor = '#c0d8f4'>
<h1 style=\"text-align: center;\">&Eacute;chec de connexion au HotSpot</h1>
<center>
Login must use encrypted connection.
</center>
</body>
<!--
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<WISPAccessGatewayParam
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xsi:noNamespaceSchemaLocation=\"http://www.acmewisp.com/WISPAccessGatewayParam.xsd\">
<AuthenticationReply>
<MessageType>120</MessageType>
<ResponseCode>102</ResponseCode>
<ReplyMessage>Login must use encrypted connection</ReplyMessage>
</AuthenticationReply>
</WISPAccessGatewayParam>
-->
</html>
";
exit(0);
}

#Read form parameters which we care about
@array = split('&',$input);
foreach $var ( @array )
{
@array2 = split('=',$var);
if ($array2[0] =~ /^UserName$/) { $username = $array2[1]; }
if ($array2[0] =~ /^Password$/) { $password = $array2[1]; }
if ($array2[0] =~ /^challenge$/) { $challenge = $array2[1]; }
if ($array2[0] =~ /^button$/) { $button = $array2[1]; }
if ($array2[0] =~ /^logout$/) { $logout = $array2[1]; }
if ($array2[0] =~ /^prelogin$/) { $prelogin = $array2[1]; }
if ($array2[0] =~ /^res$/) { $res = $array2[1]; }
if ($array2[0] =~ /^uamip$/) { $uamip = $array2[1]; }
if ($array2[0] =~ /^uamport$/) { $uamport = $array2[1]; }
if ($array2[0] =~ /^userurl$/) { $userurl = $array2[1]; }
if ($array2[0] =~ /^timeleft$/) { $timeleft = $array2[1]; }
if ($array2[0] =~ /^redirurl$/) { $redirurl = $array2[1]; }
}

#Read query parameters which we care about
@array = split('&',$query);
foreach $var ( @array )
{
@array2 = split('=',$var);
if ($array2[0] =~ /^res$/) { $res = $array2[1]; }
if ($array2[0] =~ /^challenge$/) { $challenge = $array2[1]; }
if ($array2[0] =~ /^uamip$/) { $uamip = $array2[1]; }
if ($array2[0] =~ /^uamport$/) { $uamport = $array2[1]; }
if ($array2[0] =~ /^reply$/) { $reply = $array2[1]; }
if ($array2[0] =~ /^userurl$/) { $userurl = $array2[1]; }
if ($array2[0] =~ /^timeleft$/) { $timeleft = $array2[1]; }
if ($array2[0] =~ /^redirurl$/) { $redirurl = $array2[1]; }
}

$reply =~ s/\+/ /g;
$reply =~s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg;

$userurldecode = $userurl;
$userurldecode =~ s/\+/ /g;
$userurldecode =~s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg;

$redirurldecode = $redirurl;
$redirurldecode =~ s/\+/ /g;
$redirurldecode =~s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg;

$password =~ s/\+/ /g;
$password =~s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg;

# If attempt to login
if ($button =~ /^Login$/) {
$hexchal = pack "H32", $challenge;
if (defined $uamsecret) {
$newchal = md5($hexchal, $uamsecret);
}
else {
$newchal = $hexchal;
}
$response = md5_hex("\0", $password, $newchal);
$pappassword = unpack "H32", ($password ^ $newchal);
#sleep 5;
print "Content-type: text/html\n\n";
print "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<title>Connexion au HotSpot</title>
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">";
if ((defined $uamsecret) && defined($userpassword)) {
print " <meta http-equiv=\"refresh\" content=\"0;url=http://$uamip:$uamport/logon?username=$username&password=$pappassword\">";
} else {
print " <meta http-equiv=\"refresh\" content=\"0;url=http://$uamip:$uamport/logon?username=$username&response=$response&userurl=$userurl\">";
}
print "</head>
<body bgColor = '#c0d8f4'>";
print "<h1 style=\"text-align: center;\">Connexion au HotSpot ....</h1>";
print "
<center>
Veuillez Patientez......
</center>
</body>
<!--
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<WISPAccessGatewayParam
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xsi:noNamespaceSchemaLocation=\"http://www.acmewisp.com/WISPAccessGatewayParam.xsd\">
<AuthenticationReply>
<MessageType>120</MessageType>
<ResponseCode>201</ResponseCode>
";
if ((defined $uamsecret) && defined($userpassword)) {
print "<LoginResultsURL>http://$uamip:$uamport/logon?username=$username&password=$pappassword</LoginResultsURL>";
} else {
print "<LoginResultsURL>http://$uamip:$uamport/logon?username=$username&response=$response&userurl=$userurl</LoginResultsURL>";
}
print "</AuthenticationReply>
</WISPAccessGatewayParam>
-->
</html>
";
exit(0);
}

# Default: It was not a form request
$result = 0;

# If login successful
if ($res =~ /^success$/) {
$result = 1;
}

# If login failed
if ($res =~ /^failed$/) {
$result = 2;
}

# If logout successful
if ($res =~ /^logoff$/) {
$result = 3;
}

# If tried to login while already logged in
if ($res =~ /^already$/) {
$result = 4;
}

# If not logged in yet
if ($res =~ /^notyet$/) {
$result = 5;
}

# If login from smart client
if ($res =~ /^smartclient$/) {
$result = 6;
}

# If requested a logging in pop up window
if ($res =~ /^popup1$/) {
$result = 11;
}

# If requested a success pop up window
if ($res =~ /^popup2$/) {
$result = 12;
}

# If requested a logout pop up window
if ($res =~ /^popup3$/) {
$result = 13;
}

# Otherwise it was not a form request
# Send out an error message
if ($result == 0) {
print "Content-type: text/html\n\n
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<title>&Eacute;chec de connexion au HotSpot</title>
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">
</head>
<body bgColor = '#c0d8f4'>
<h1 style=\"text-align: center;\">&Eacute;chec de connexion au HotSpot</h1>
<center>
Login must be performed through ChilliSpot daemon.
</center>
</body>
</html>
";
exit(0);
}

#Generate the output
print "Content-type: text/html\n\n
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<title>Connexion au HotSpot</title>
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">
<SCRIPT LANGUAGE=\"JavaScript\">
var blur = 0;
var starttime = new Date();
var startclock = starttime.getTime();
var mytimeleft = 0;

function doTime() {
window.setTimeout( \"doTime()\", 1000 );
t = new Date();
time = Math.round((t.getTime() - starttime.getTime())/1000);
if (mytimeleft) {
time = mytimeleft - time;
if (time <= 0) {
window.location = \"$loginpath?res=popup3&uamip=$uamip&uamport=$uamport\";
}
}
if (time < 0) time = 0;
hours = (time - (time % 3600)) / 3600;
time = time - (hours * 3600);
mins = (time - (time % 60)) / 60;
secs = time - (mins * 60);
if (hours < 10) hours = \"0\" + hours;
if (mins < 10) mins = \"0\" + mins;
if (secs < 10) secs = \"0\" + secs;
title = \"Temps de connexion écoulé: \" + hours + \":\" + mins + \":\" + secs;
if (mytimeleft) {
title = \"Remaining time: \" + hours + \":\" + mins + \":\" + secs;
}
if(document.all || document.getElementById){
document.title = title;
}
else {
self.status = title;
}
}

function popUp(URL) {
if (self.name != \"chillispot_popup\") {
chillispot_popup = window.open(URL, 'chillispot_popup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=375');
}
}

function doOnLoad(result, URL, userurl, redirurl, timeleft) {
if (timeleft) {
mytimeleft = timeleft;
}
if ((result == 1) && (self.name == \"chillispot_popup\")) {
doTime();
}
if ((result == 1) && (self.name != \"chillispot_popup\")) {
chillispot_popup = window.open(URL, 'chillispot_popup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=375');
}
if ((result == 2) || result == 5) {
document.form1.UserName.focus()
}
if ((result == 2) && (self.name != \"chillispot_popup\")) {
chillispot_popup = window.open('', 'chillispot_popup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=400,height=200');
chillispot_popup.close();
}
if ((result == 12) && (self.name == \"chillispot_popup\")) {
doTime();
if (redirurl) {
opener.location = redirurl;
}
else if (opener.home) {
opener.home();
}
else {
opener.location = \"about:home\";
}
self.focus();
blur = 0;
}
if ((result == 13) && (self.name == \"chillispot_popup\")) {
self.focus();
blur = 1;
}
}

function doOnBlur(result) {
if ((result == 12) && (self.name == \"chillispot_popup\")) {
if (blur == 0) {
blur = 1;
self.focus();
}
}
}
</script>
</head>
<body onLoad=\"javascript:doOnLoad($result, '$loginpath?res=popup2&uamip=$uamip&uamport=$uamport&userurl=$userurl&redirurl=$redirurl&timeleft=$timeleft','$userurldecode', '$redirurldecode', '$timeleft')\" onBlur = \"javascript:doOnBlur($result)\" bgColor = '#c0d8f4'>";

# if (!window.opener) {
# document.bgColor = '#c0d8f4';
# }

#print "THE INPUT: $input";
#foreach $key (sort (keys %ENV)) {
# print $key, ' = ', $ENV{$key}, "<br>\n";
#}

if ($result == 2) {
print "
<h1 style=\"text-align: center;\">&Eacute;chec de connexion au HotSpot</h1>";
if ($reply) {
print "<center> $reply </BR></BR></center>";
}
}

if ($result == 5) {
print "
<h1 style=\"text-align: center;\">Connexion au HotSpot<br />Identification.</h1>";
}

if ($result == 2 || $result == 5) {
print "
<form name=\"form1\" method=\"post\" action=\"$loginpath\">
<INPUT TYPE=\"hidden\" NAME=\"challenge\" VALUE=\"$challenge\">
<INPUT TYPE=\"hidden\" NAME=\"uamip\" VALUE=\"$uamip\">
<INPUT TYPE=\"hidden\" NAME=\"uamport\" VALUE=\"$uamport\">
<INPUT TYPE=\"hidden\" NAME=\"userurl\" VALUE=\"$userurl\">
<center>
<table border=\"0\" cellpadding=\"5\" cellspacing=\"0\" style=\"width: 217px;\">
<tbody>
<tr>
<td align=\"right\">Utilisateur:</td>
<td><input STYLE=\"font-family: Arial\" type=\"text\" name=\"UserName\" size=\"20\" maxlength=\"128\"></td>
</tr>
<tr>
<td align=\"right\">Secret:</td>
<td><input STYLE=\"font-family: Arial\" type=\"password\" name=\"Password\" size=\"20\" maxlength=\"128\"></td>
</tr>
<tr>
<td align=\"center\" colspan=\"2\" height=\"23\"><input type=\"submit\" name=\"button\" value=\"Login\" onClick=\"javascript:popUp('$loginpath?res=popup1&uamip=$uamip&uamport=$uamport')\"></td>
</tr>
</tbody>
</table>
</center>
</form>
</body>
</html>";
}

if ($result == 1) {
print "
<h1 style=\"text-align: center;\">Vous &ecirc;tes connect&eacute;(e)</h1>";

if ($reply) {
print "<center> $reply </BR></BR></center>";
}

print "
<center>
<a href=\"http://$uamip:$uamport/logoff\">Se d&eacute;connecter</a>
</center>
</body>
</html>";
}

if (($result == 4) || ($result == 12)) {
print "
<h1 style=\"text-align: center;\">Vous &ecirc;tes connect&eacute;(e)</h1>
<center>
<a href=\"http://$uamip:$uamport/logoff\">Se d&eacute;connecter</a>
</center>
</body>
</html>";
}

if ($result == 11) {
print "<h1 style=\"text-align: center;\">Connexion au HotSpot ...</h1>";
print "
<center>
Veuillez patientez......
</center>
</body>
</html>";
}

if (($result == 3) || ($result == 13)) {
print "
<h1 style=\"text-align: center;\">Vous &ecirc;tes d&eacute;connect&eacute;(e) du HotSpot</h1>
<center>
<a href=\"http://$uamip:$uamport/prelogin\">Se connecter</a>
</center>
</body>
</html>";
}

exit(0);

Mise en place du pare-feu :

HotSpot:/usr/lib/cgi-bin# apt-get install iptables

Configuration du parre-feu.

Je n'ai pas utiliser le fichier d'exemple fournis avec chillispot, j'en ai crée un plus complexe, que voici :

HotSpot:/usr/lib/cgi-bin# vim /etc/chilli.iptables

#!/bin/sh
#

/etc/init.d/bind restart

IPTABLES="/sbin/iptables"
CHILLI="eth0"
LOCAL="eth1"
WAN="wlan0"
HAMACHI="ham0"
IPCHILLI="192.168.24.1"
IPINT="10.33.24.254"
IPEXT="192.168.1.5"

# REMISE à ZERO des règles de filtrage
$IPTABLES -F
$IPTABLES -X
# réinitialisation table NAT
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# Je veux que les connexions entrantes soient bloqué par défaut
#$IPTABLES -P INPUT DROP

# Je veux que les connexions destinétre forwardéoient accepté par défaut
$IPTABLES -P FORWARD ACCEPT

# Je veux que les connexions sortantes soient accepté par défaut
$IPTABLES -P OUTPUT ACCEPT

# J'accepte les packets entrants relatifs à connexions établies
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Tout autorisé en LOCAL (loopback)
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#$IPTABLES -A INPUT -i $WAN -j ACCEPT
#$IPTABLES -A OUTPUT -o $WAN -j ACCEPT
# DEBUT des rè de FIREWALLING
# DEBUT des politiques par défaut

# J'autorise les connexions HTTP
$IPTABLES -A INPUT -i $WAN -p tcp -m tcp --dport 80 --syn -j ACCEPT
# Je renvoie les connexions TCP ET UDP entrantes sur les ports eMule d'internet vers un serveur sur mon réseau Local
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 56226 -j DNAT --to-destination 10.33.24.254:56226
iptables -t nat -A PREROUTING -i $WAN -p udp --dport 39998 -j DNAT --to-destination 10.33.24.254:39998

# Je renvoie les connexions TCP entrantes sur le port RDP d'internet vers un serveur sur mon réseau Local
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 3389 -j DNAT --to-destination 10.33.24.254:3389

# Je renvoie les connexions TCP entrantes sur le port RDP d'internet vers un serveur sur mon réau Local
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination 10.33.24.254:80

# J'autorise les connexions TCP entrantes sur le port 22
# (pour que mon serveur SSH soit joignable depuis mon ré local seulement).
$IPTABLES -A INPUT -i $LOCAL -p tcp -m tcp --dport 22 --syn -j ACCEPT

# J'autorise les connexions NFS entrantes sur le port 2049
# (pour que mon serveur NFS soit joignable depuis mon ré local seulement).
$IPTABLES -A INPUT -i $LOCAL -p tcp -m tcp --dport 2049 --syn -j ACCEPT
#$IPTABLES -A INPUT -i $LOCAL -p tcp -m udp --dport 2049 --syn -j ACCEPT

# J'accepte le protocole ICMP (i.e. le "ping") depuis mon ré local et Intranet.
$IPTABLES -A INPUT -i $LOCAL -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $HAMACHI -p icmp -j ACCEPT

# J'autorise les connexions TCP et UDP entrantes sur le port 53
# (pour que mon serveur DNS soit joignable depuis partout).
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# J'autorise les connexions TCP entrantes des principaux services :
#FTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
#SMTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
#HTTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
#POP
$IPTABLES -A INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT
#HTTPS
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

# J'autorise les connexions TCP entrantes sur le port 3990
# (pour que mon HotSpot soit joignable depuis L'AP ouvert).
$IPTABLES -A INPUT -i $CHILLI -p tcp -m tcp --dport 3990 --syn -j ACCEPT

# La rèpar dé pour la chaine INPUT devient "REJECT"
# (il n'est pas possible de mettre REJECT comme politique par dé)
#$IPTABLES -A INPUT -j REJECT

# Je n'autorise plus rien venant de ChilliSpot, car ce sera lui qui vas
# maintenant géré cette interface.
$IPTABLES -A FORWARD -i $CHILLI -j DROP
$IPTABLES -A FORWARD -o $CHILLI -j DROP

# FIN des rè FIREWALLING
# DEBUT des rè pour le PARTAGE DE CONNEXION (i.e. le NAT)

# Je veux que mon systèasse office de "serveur NAT"
# (Remplaçeth1" par votre interface connectéternet)
$IPTABLES -t nat -A POSTROUTING -o $WAN -j SNAT --to-source $IPEXT

echo "1" > /proc/sys/net/ipv4/ip_forward

Puis le rendre éxécutable :

HotSpot:/usr/lib/cgi-bin# chmod +x /etc/chilli.iptables

On active ChilliSpot :

HotSpot:~# vim /etc/default/chillispot

# /etc/default/chillispot
#
# Enable on system start?
# Change to 1 if you want it to be enabled.
# Please make sure you have configured chillispot first.
ENABLED=1
#
# chillispot default configuration
CHILLICFG=/etc/chilli.conf
#
# daemon arguments
DAEMON_ARGS="--conf $CHILLICFG"

 

Installation de MySQL

HotSpot:/usr/lib/cgi-bin# apt-get install mysql-server mysql-client php4-mysql

Installation d'une interface d'administration conviviale :

HotSpot:/var/PayPal# apt-get install phpmyadmin

Installation de DialUpAdmin :

HotSpot:~# apt-get install freeradius-dialupadmin freeradius-mysql
HotSpot:~# echo "create database radius;" | mysql -u root -p
HotSpot:~# echo "grant all on radius.* to radius@'%' identified by 'motdepasse_sql'; flush privileges;" | mysql -u root -p
HotSpot:~# zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p radius
HotSpot:~# echo "INSERT INTO radcheck(UserName,Attribute,op,Value) VALUES ('Galoula','User-Password','==','Test');" | mysql -u root -p radius

HotSpot:~# vim /etc/freeradius/sql.conf

#
# Configuration for the SQL module, when using MySQL.
#
# The database schema is available at:
#
# doc/examples/mysql.sql
#
# If you are using PostgreSQL, please use 'postgresql.conf', instead.
# If you are using Oracle, please use 'oracle.conf', instead.
# If you are using MS-SQL, please use 'mssql.conf', instead.
#
# $Id: sql.conf,v 1.41.2.2.2.2 2006/02/04 14:13:03 nbk Exp $
#
sql {
# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
driver = "rlm_sql_mysql"

# Connect info
server = "localhost"
login = "radius"
password = "motdepasse_sql"

# Database table configuration
radius_db = "radius"

# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"

# Allow for storing data after authentication
postauth_table = "radpostauth"

authcheck_table = "radcheck"
authreply_table = "radreply"

groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"

usergroup_table = "usergroup"

# Table to keep radius client info
nas_table = "nas"

# Remove stale session if checkrad does not see a double login
deletestalesessions = yes

# Print all SQL statements when in debug mode (-x)
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql

# number of sql connections to make to server
num_sql_socks = 5

# number of seconds to dely retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60

# Safe characters list for sql queries. Everything else is replaced
# with their mime-encoded equivalents.
# The default list should be ok
#safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

#######################################################################
# Query config: Username
#######################################################################
# This is the username that will get substituted, escaped, and added
# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
# everywhere a username substitution is needed so you you can be sure
# the username passed from the client is escaped properly.
#
# Uncomment the next line, if you want the sql_user_name to mean:
#
# Use Stripped-User-Name, if it's there.
# Else use User-Name, if it's there,
# Else use hard-coded string "DEFAULT" as the user name.
#sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
#
sql_user_name = "%{User-Name}"

#######################################################################
# Default profile
#######################################################################
# This is the default profile. It is found in SQL by group membership.
# That means that this profile must be a member of at least one group
# which will contain the corresponding check and reply items.
# This profile will be queried in the authorize section for every user.
# The point is to assign all users a default profile without having to
# manually add each one to a group that will contain the profile.
# The SQL module will also honor the User-Profile attribute. This
# attribute can be set anywhere in the authorize section (ie the users
# file). It is found exactly as the default profile is found.
# If it is set then it will *overwrite* the default profile setting.
# The idea is to select profiles based on checks on the incoming packets,
# not on user group membership. For example:
# -- users file --
# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
# DEFAULT Service-Type == Framed-User, User-Profile := "framed"
#
# By default the default_user_profile is not set
#
#default_user_profile = "DEFAULT"
#
# Determines if we will query the default_user_profile or the User-Profile
# if the user is not found. If the profile is found then we consider the user
# found. By default this is set to 'no'.
#
#query_on_not_found = no

#######################################################################
# Authorization Queries
#######################################################################
# These queries compare the check items for the user
# in ${authcheck_table} and setup the reply items in
# ${authreply_table}. You can use any query/tables
# you want, but the return data for each row MUST
# be in the following order:
#
# 0. Row ID (currently unused)
# 1. UserName/GroupName
# 2. Item Attr Name
# 3. Item Attr Value
# 4. Item Attr Operation
#######################################################################
# Use these for case sensitive usernames.
# authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
# FROM ${authcheck_table} \
# WHERE Username = BINARY '%{SQL-User-Name}' \
# ORDER BY id"
# authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
# FROM ${authreply_table} \
# WHERE Username = BINARY '%{SQL-User-Name}' \
# ORDER BY id"

# The default queries are case insensitive. (for compatibility with
# older versions of FreeRADIUS)
authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authcheck_table} \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authreply_table} \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"

# Use these for case sensitive usernames.
# authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = BINARY '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
# authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = BINARY '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"

authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"

#######################################################################
# Accounting Queries
#######################################################################
# accounting_onoff_query - query for Accounting On/Off packets
# accounting_update_query - query for Accounting update packets
# accounting_update_query_alt - query for Accounting update packets
# (alternate in case first query fails)
# accounting_start_query - query for Accounting start packets
# accounting_start_query_alt - query for Accounting start packets
# (alternate in case first query fails)
# accounting_stop_query - query for Accounting stop packets
# accounting_stop_query_alt - query for Accounting start packets
# (alternate in case first query doesn't
# affect any existing rows in the table)
#######################################################################
accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"

accounting_update_query = "UPDATE ${acct_table1} \
SET FramedIPAddress = '%{Framed-IP-Address}', \
AcctSessionTime = '%{Acct-Session-Time}', \
AcctInputOctets = '%{Acct-Input-Octets}', \
AcctOutputOctets = '%{Acct-Output-Octets}' \
WHERE AcctSessionId = '%{Acct-Session-Id}' \
AND UserName = '%{SQL-User-Name}' \
AND NASIPAddress= '%{NAS-IP-Address}'"

accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"

accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"

accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"

accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"

accounting_stop_query_alt = "INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"

#######################################################################
# Simultaneous Use Checking Queries
#######################################################################
# simul_count_query - query for the number of current connections
# - If this is not defined, no simultaneouls use checking
# - will be performed by this module instance
# simul_verify_query - query to return details of current connections for verification
# - Leave blank or commented out to disable verification step
# - Note that the returned field order should not be changed.
#######################################################################

# Uncomment simul_count_query to enable simultaneous use checking
# simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

#######################################################################
# Group Membership Queries
#######################################################################
# group_membership_query - Check user group membership
#######################################################################

group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"

#######################################################################
# Authentication Logging Queries
#######################################################################
# postauth_query - Insert some info after authentication
#######################################################################

postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

#
# Set to 'yes' to read radius clients from the database ('nas' table)
   spreadclients = yes
}

 

HotSpot:~# vim /etc/freeradius/radiusd.conf

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.188.2.4.2.12 2006/07/29 19:43:30 nbk Exp $
##

# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

#
# The logging messages for the server are appended to the
# tail of this file.
#
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/lib/freeradius

# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/freeradius/freeradius.pid`
#
pidfile = ${run_dir}/freeradius.pid

# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root ( or have root privleges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in daemon mode, it may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
user = freerad
group = freerad

# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30

# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
#
# If you're running in threaded, or thread pool mode, this setting
# should probably be 'no'. Setting it to 'yes' when using a threaded
# server MAY cause the server to crash!
#
delete_blocked_requests = no

# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5

# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024

# bind_address: Make the server listen on a particular IP address, and
# send replies out from that address. This directive is most useful
# for machines with multiple IP addresses on one interface.
#
# It can either contain "*", or an IP address, or a fully qualified
# Internet domain name. The default is "*"
#
# As of 1.0, you can also use the "listen" directive. See below for
# more information.
#
bind_address = *

# port: Allows you to bind FreeRADIUS to a specific port.
#
# The default port that most NAS boxes use is 1645, which is historical.
# RFC 2138 defines 1812 to be the new port. Many new servers and
# NAS boxes use 1812, which can create interoperability problems.
#
# The port is defined here to be 0 so that the server will pick up
# the machine's local configuration for the radius port, as defined
# in /etc/services.
#
# If you want to use the default RADIUS port as defined on your server,
# (usually through 'grep radius /etc/services') set this to 0 (zero).
#
# A port given on the command-line via '-p' over-rides this one.
#
# As of 1.0, you can also use the "listen" directive. See below for
# more information.
#
port = 0

#
# By default, the server uses "bind_address" to listen to all IP's
# on a machine, or just one IP. The "port" configuration is used
# to select the authentication port used when listening on those
# addresses.
#
# If you want the server to listen on additional addresses, you can
# use the "listen" section. A sample section (commented out) is included
# below. This "listen" section duplicates the functionality of the
# "bind_address" and "port" configuration entries, but it only listens
# for authentication packets.
#
# If you comment out the "bind_address" and "port" configuration entries,
# then it becomes possible to make the server accept only accounting,
# or authentication packets. Previously, it always listened for both
# types of packets, and it was impossible to make it listen for only
# one type of packet.
#
#listen {
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
# ipaddr = *

# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
# port = 0

# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
#
# type = auth
#}

# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no

# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no

# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes

# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no

# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
log_auth = no

# Log passwords with the authentication requests.
# log_auth_badpass - logs password if it's rejected
# log_auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no

# usercollide: Turn "username collision" code on and off. See the
# "doc/duplicate-users" file
#
# WARNING
# !!!!!!! Setting this to "yes" may result in the server behaving
# !!!!!!! strangely. The "username collision" code will ONLY work
# !!!!!!! with clear-text passwords. Even then, it may not do what
# !!!!!!! you want, or what you expect.
# !!!!!!!
# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature,
# !!!!!!! and that you find another way of acheiving the same goal.
# !!!!!!!
# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover'
# WARNING
#
usercollide = no

# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
# If "before", the server will first modify the request and then try
# to auth the user. If "after", the server will first auth using the
# values provided by the user. If that fails it will reprocess the
# request after modifying it as you specify below.
#
# This is as close as we can get to case insensitivity. It is the
# admin's job to ensure that the username on the auth db side is
# *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no

# nospace_user / nospace_pass:
#
# Some users like to enter spaces in their username or password
# incorrectly. To save yourself the tech support call, you can
# eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no

# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200

#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1

#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# Normally this should be set to "no", because they're useless.
# See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
#
# However, certain NAS boxes may require them.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept packet, containing a Reply-Message attribute,
# which is a string describing how long the server has been
# running.
#
status_server = no
}

# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf

# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#

# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE ${confdir}/clients.conf

# SNMP CONFIGURATION
#
# Snmp configuration is only valid if SNMP support was enabled
# at compile time.
#
# To enable SNMP querying of the server, set the value of the
# 'snmp' attribute to 'yes'
#
snmp = no
$INCLUDE ${confdir}/snmp.conf

# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5

# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32

# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10

# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# below for an example.
#

# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption schemes
# clear: Clear text
# crypt: Unix crypt
# md5: MD5 ecnryption
# sha1: SHA1 encryption.
# DEFAULT: crypt
pap {
encryption_scheme = crypt
}

# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
authtype = CHAP
}

# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}

# Unix /etc/passwd style authentication
#
unix {
#
# Cache /etc/passwd, /etc/shadow, and /etc/group
#
# The default is to NOT cache them.
#
# For FreeBSD and NetBSD, you do NOT want to enable
# the cache, as it's password lookups are done via a
# database, so set this value to 'no'.
#
# Some systems (e.g. RedHat Linux with pam_pwbd) can
# take *seconds* to check a password, when th passwd
# file containing 1000's of entries. For those systems,
# you should set the cache value to 'yes', and set
# the locations of the 'passwd', 'shadow', and 'group'
# files, below.
#
# allowed values: {no, yes}
cache = no

# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600

#
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
# To force the module to use the system password functions,
# instead of reading the files, leave the following entries
# commented out.
#
# This is required for some systems, like FreeBSD,
# and Mac OSX.
#
# passwd = /etc/passwd
shadow = /etc/shadow
# group = /etc/group

#
# The location of the "wtmp" file.
# This should be moved to it's own module soon.
#
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
radwtmp = ${logdir}/radwtmp
}

# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE ${confdir}/eap.conf

# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# As of 0.9, the mschap module does NOT support
# reading from /etc/smbpasswd.
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd

# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
#use_mppe = no

# if mppe is enabled require_encryption makes
# encryption moderate
#
#require_encryption = yes

# require_strong always requires 128 bit key
# encryption
#
#require_strong = yes

# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no

# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap {
server = "ldap.your.domain"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no

# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"

# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

#
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = "{clear}"
#
# Set:
# password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
# password_attribute = userPassword
#
# Un-comment the following to disable Novell eDirectory account
# policy check and intruder detection. This will work *only if*
# FreeRADIUS is configured to build with --with-edir option.
#
# edir_account_policy_check=no
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes

#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
}

# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these modules
#
# parameters are:
# filename - path to filename
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
# Attribute marked as '=' is added to reply_itmes instead
# of default configure_itmes
# Attribute marked as '~' is added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
# authtype - if record found this Auth-Type is used to authenticate
# user
# hashsize - hashtable size. If 0 or not specified records are not
# stored in memory and file is red on every request.
# allowmultiplekeys - if few records for every key are allowed
# ignorenislike - ignore NIS-related records
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\0', '\n' are
# not allowed
#

# An example configuration for using /etc/smbpasswd.
#
#passwd etc_smbpasswd {
# filename = /etc/smbpasswd
# format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# authtype = MS-CHAP
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
#}

# Similar configuration, for the /etc/group file. Adds a Group-Name
# attribute for every group that the user is member of.
#
#passwd etc_group {
# filename = /etc/group
# format = "=Group-Name:::*,User-Name"
# hashsize = 50
# ignorenislike = yes
# allowmultiplekeys = yes
# delimiter = ":"
#}

# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined by the order in the authorize and
# preacct sections.
#
# Four config options:
# format - must be 'prefix' or 'suffix'
# delimiter - must be a single character
# ignore_default - set to 'yes' or 'no'
# ignore_null - set to 'yes' or 'no'
#
# ignore_default and ignore_null can be set to 'yes' to prevent
# the module from matching against DEFAULT or NULL realms. This
# may be useful if you have have multiple instances of the
# realm module.
#
# They both default to 'no'.
#

# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}

# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}

# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}

#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}

# A simple value checking module
#
# It can be used to check if an attribute value in the request
# matches a (possibly multi valued) attribute in the check
# items This can be used for example for caller-id
# authentication. For the module to run, both the request
# attribute and the check items attribute must exist
#
# i.e.
# A user has an ldap entry with 2 radiusCallingStationId
# attributes with values "12345678" and "12345679". If we
# enable rlm_checkval, then any request which contains a
# Calling-Station-Id with one of those two values will be
# accepted. Requests with other values for
# Calling-Station-Id will be rejected.
#
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
#
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id

# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id

# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string

# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}

# rewrite arbitrary packets. Useful in accounting and authorization.
#
#
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
#
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply, proxy, proxy_reply or config).
# searchfor,ignore_case and max_matches will be ignored in that case.
#
# Backreferences are supported: %{0} will contain the string the whole match
# and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
#
# If max_matches is greater than one the backreferences will correspond to the
# first match

#
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# new_attribute = no
# max_matches = 10
# ## If set to yes then the replace string will be appended to the original string
# append = no
#}

# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23

# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no

# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no

# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}

# Livingston-style 'users' file
#
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users

# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}

# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request. The Client-IP-Address attribute is ALWAYS
# the address of the client which sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0600

#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
}

#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
# detail auth_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }

#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
# detail reply_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d

#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }

#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
# detail pre_proxy_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d

#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }

#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
# detail post_proxy_log {
# detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d

#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }

#
# The rlm_sql_log module appends the SQL queries in a log
# file which is read later by the radsqlrelay program.
#
# This module only performs the dynamic expansion of the
# variables found in the SQL statements. No operation is
# executed on the database server. (this could be done
# later by an external program) That means the module is
# useful only with non-"SELECT" statements.
#
# See rlm_sql_log(5) manpage.
#
# sql_log {
# path = ${radacctdir}/sql-relay
# acct_table = "radacct"
# postauth_table = "radpostauth"
#
# Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '%S', '0', '0', '');"
# Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
# '%{Acct-Terminate-Cause}');"
# Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
#
# Post-Auth = "INSERT INTO ${postauth_table} \
# (user, pass, reply, date) VALUES \
# ('%{User-Name}', '%{User-Password:-Chap-Password}', \
# '%{reply:Packet-Type}', '%S');"
# }

#
# Create a unique accounting session Id. Many NASes re-use
# or repeat values for Acct-Session-Id, causing no end of
# confusion.
#
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc/rlm_acct_unique for
# more information.
#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}

# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
# The following configuration file is for use with MySQL.
#
# For Postgresql, use: ${confdir}/postgresql.conf
# For MS-SQL, use: ${confdir}/mssql.conf
# For Oracle, use: ${confdir}/oraclesql.conf
#
$INCLUDE ${confdir}/sql.conf

# For Cisco VoIP specific accounting with Postgresql,
# use: ${confdir}/pgsql-voip.conf
#
# You will also need the sql schema from:
# src/billing/cisco_h323_db_schema-postgres.sql
# Note: This config can be use AS WELL AS the standard sql
# config if you need SQL based Auth

# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp

# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}

# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes

# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes

# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600

callerid = "yes"
}

# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}

# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}/attrs
}

# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add the
# value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
# If the count attribute is Acct-Session-Time then on each login
# we send back the remaining online time as a Session-Timeout attribute
#
# The counter-name can also be used instead of using the check-name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}

#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining seperate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# The 'sqlmod_inst' parameter holds the instance of the sql
# module to use when querying the SQL database. Normally it
# is just "sql". If you define more and one SQL module
# instance (usually for failover situations), you can
# specify which module has access to the Accounting Data
# (radacct table).
#
# The 'reset' parameter defines when the counters are all
# reset to zero. It can be hourly, daily, weekly, monthly or
# never. It can also be user defined. It should be of the
# form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
# The 'key' parameter specifies the unique identifier for the
# counter records (usually 'User-Name').
#
# The 'query' parameter specifies the SQL query used to get
# the current Counter value from the database. There are 3
# parameters that can be used in the query:
# %k 'key' parameter
# %b unix time value of beginning of reset period
# %e unix time value of end of reset period
#
# The 'check-name' parameter is the name of the 'check'
# attribute to use to access the counter in the 'users' file
# or SQL radcheck or radcheckgroup tables.
#
# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily

# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
# For mysql:
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"

# For postgresql:
# query = "SELECT SUM(AcctSessionTime - \
# GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \
# FROM radacct WHERE UserName='%{%k}' AND \
# AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"

# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
# For mysql:
# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"

# For postgresql:
# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
# UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'"

# This query is the same as above, but demonstrates an
# additional counter parameter '%e' which is the
# timestamp for the end of the period
# For mysql:
# query = "SELECT SUM(AcctSessionTime) FROM radacct \
# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"

# For postgresql:
# query = "SELECT SUM(AcctSessionTime) FROM radacct \
# WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \
# BETWEEN '%b' AND '%e'"
}

sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly

# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
# The same notes above about the differences between mysql
# versus postgres queries apply here.
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"

# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"

# This query is the same as above, but demonstrates an
# additional counter parameter '%e' which is the
# timestamp for the end of the period
# query = "SELECT SUM(AcctSessionTime) FROM radacct \
# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
}

#
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}

#
# The 'expression' module currently has no configuration.
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
expr {
}

#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}

#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in 'doc/variables.txt'
#
exec {
wait = yes
input_pairs = request
}

#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes

#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"

#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request

#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply

#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
}

# Do server side ip pool management. Should be added in post-auth and
# accounting sections.
#
# The module also requires the existance of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools
# for different users. The Pool-Name attribute is a *check* item not
# a reply item.
#
# Example:
# radiusd.conf: ippool students { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
# ********* THEN ERASE THE DB FILES *********
#
ippool main_pool {

# range-start,range-stop: The start and end ip
# addresses for the ip pool
range-start = 192.168.1.1
range-stop = 192.168.3.254

# netmask: The network mask used for the ip's
netmask = 255.255.255.0

# cache-size: The gdbm cache size for the db
# files. Should be equal to the number of ip's
# available in the ip pool
cache-size = 800

# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/db.ippool

# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/db.ipindex

# override: Will this ippool override a Framed-IP-Address already set
override = no

# maximum-timeout: If not zero specifies the maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
}

# $INCLUDE ${confdir}/sqlippool.conf

# OTP token support. Not included by default.
# $INCLUDE ${confdir}/otp.conf

}

# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initalized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec

#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr

#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
}

# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the request.
preprocess

#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log

# attr_filter

#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap

#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
#mschap

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest

#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS

#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain

#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
eap

#
# Read the 'users' file
#files

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
  sql

#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd

#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
# ldap

#
# Enforce daily limits on time spent logged in.
# daily

#
# Use the checkval module
# checkval
}

# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#

# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
# digest

#
# Pluggable Authentication Modules.
# pam

#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
#unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }

#
# Allow EAP authentication.
eap
}

#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess

#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique

#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
suffix
# ntdomain

#
# Read the 'acct_users' file
files
}

#
# Accounting. Log the accounting data.
#
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily

# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
#unix

#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
#radutmp
# sradutmp

# Return an address to the IP Pool when we see a stop record.
# main_pool

#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
  sql

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

# Cisco VoIP specific bulk accounting
# pgsql-voip

}

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
#radutmp

#
# See "Simultaneous Use Checking Querie" in sql.conf
  sql
}

# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool

#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
# reply_log

#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
# sql

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
# Uncomment the following and set the module name to the ldap instance
# name if you have set 'edir_account_policy_check = yes' in the ldap
# module sub-section of the 'modules' section.
#
# Post-Auth-Type REJECT {
# insert-module-name-here
# }

}

#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite

# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files

# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}

#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {

# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log

# attr_rewrite

# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.

# attr_filter

#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
}

 

 

HotSpot:~# vim /etc/freeradius-dialupadmin/admin.conf

#
# Main Configuration File
#
# it can be default or whatever language. Only greek are supported
# from non latin alphabet languages
# These attribute only apply for ldap not for sql
#
general_prefered_lang: fr
general_prefered_lang_name: French
#
# The charset which will be added as a meta tag in all pages
#
general_charset: iso-8859-1
#
# Uncomment this if normal attributes (not the ;lang-xx ones) in ldap
# are utf8 encoded.
#
#general_decode_normal_attributes: yes
#
# The directory where dialupadmin is installed
#
general_base_dir: /usr/share/freeradius-dialupadmin
#
# The base directory of the freeradius radius installation
#
general_radiusd_base_dir: /usr
general_domain: company.com
#
# Set it to yes to use sessions and cache the various mappings
# You can also set use_session = 1 in config.php3 to also cache
# the admin.conf
#
# ---- IMPORTANT -- IMPORTANT -- IMPORTANT ----
#Remember to use the 'Clear Cache' page if you use sessions and do any changes
#in any of the configuration files.
#
general_use_session: no
#
# This is used by the failed logins page. It states the default back time
# in minutes.
#
general_most_recent_fl: 30

#
# Realm setup
#
# Set general_strip_realms to yes in order to stip realms from usernames.
# By default realms are not striped
#general_strip_realms : yes
#
# The delimiter used in realms. Default is @
#
general_realm_delimiter: @
#
# The format of the realms. Can be either suffix (realm is after the username)
# or prefix (realm is before the username). Default is suffix
#
general_realm_format: suffix
#

#
# Determines if the administrator will be able to see and change the user password through
# the user edit page
general_show_user_password: yes

general_raddb_dir: /etc/freeradius
general_ldap_attrmap: %{general_raddb_dir}/ldap.attrmap
# Need to fix admin.conf file parser
#general_clients_conf: %{general_raddb_dir}/clients.conf
general_clients_conf: /etc/freeradius/clients.conf
general_sql_attrmap: /etc/freeradius-dialupadmin/sql.attrmap
general_accounting_attrs_file: %{general_base_dir}/conf/accounting.attrs
general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
#
# it can be either ldap or sql
# This affects the user base not accounting. Accounting is always in sql
#
general_lib_type: sql
#
# Define which attributes will be visible in the user edit page
#
general_user_edit_attrs_file: /etc/freeradius-dialupadmin/user_edit.attrs
#
# Used by the Accounting Report Generator
#
general_sql_attrs_file: /etc/freeradius-dialupadmin/sql.attrs
#
# Set default values for various attributes
#
general_default_file: /etc/freeradius-dialupadmin/default.vals
#general_ld_library_path: /usr/local/snmpd/lib
#
# can be 'snmp' (for snmpfinger) or empty to query the radacct table without first
# querying the nas
# This is used by the online users page
#
general_finger_type: snmp
#
# Defines the nas type. This is only used by snmpfinger
# cisco and lucent are supported for now
#
general_nas_type: cisco
general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
general_radclient_bin: %{general_radiusd_base_dir}/bin/radclient
#
# this information is used from the server check page
#
general_test_account_login: test
general_test_account_password: testpass
#
# These are used as default values for the user test page
#
general_radius_server: localhost
general_radius_server_port: 1812
#
# can be either pap or chap
#
general_radius_server_auth_proto: pap
#
# sorry, single valued for now. Should become something like
# password[server-name]: xxxxx
#
general_radius_server_secret: RadiusSecret
general_auth_request_file: /etc/freeradius-dialupadmin/auth.request
#
# can be one of crypt,md5,clear
#
general_encryption_method: crypt
#
# can be either asc (older dates first) or desc (recent dates first)
# This is used in the user accounting and badusers pages
#
general_accounting_info_order: desc
#
# Use the totacct table in the user statistics page instead of the radacct
# table. That will make the page run quicker. totacct should have data for
# this to work :-)
#
general_stats_use_totacct: no
#
# If set to yes then we only allow each administrator to examine it's own entries
# in the badusers table
#
general_restrict_badusers_access: no

INCLUDE: /etc/freeradius-dialupadmin/naslist.conf

INCLUDE: /etc/freeradius-dialupadmin/captions.conf

#
# The ldap server to connect to.
# Both ldap_server and ldap_write_server can be a space-separated
# list of ldap hostnames. In that case the library will try to connect
# to the servers in the order that they appear. If the first host is down
# ldap_connect will ask for the second ldap host and so on.
#
ldap_server: ldap.%{general_domain}
#
# There are many cases where we have a small write master and
# a lot of fast read only replicas. If that is the case uncomment
# ldap_write_server and point it to the write master. It will be
# used only when writing to the directory, not when reading
#
#ldap_write_server: master.%{general_domain}
ldap_base: dc=company,dc=com
ldap_binddn: cn=Directory Manager
ldap_bindpw: XXXXXXX
ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
ldap_default_dn: uid=default-dialup,%{ldap_base}
ldap_regular_profile_attr: dialupregularprofile
#
# If set to yes then the HTTP credentials (http authentication)
# will be used to bind to the ldap server instead of ldap_binddn
# and ldap_bindpw. That way multiple admins with different rights
# on the ldap database can connect through one dialup_admin interface.
# The ldap_binddn and ldap_bindpw are still needed to find the DN
# to bind with (http authentication will only provide us with a
# username). As a result the ldap_binddn should be able to do a search
# with a filter of (uid=<username>). Normally, the anonymous (empty DN)
# user can do that.
#ldap_use_http_credentials: yes
#
# If we are using http credentials we can map a specific username to the
# directory manager (which usually does not correspond to a specific username)
#
#ldap_directory_manager: cn=Directory Manager
#ldap_map_to_directory_manager: admin
#
# Uncomment to enable ldap debug
#
#ldap_debug: true
#
# Allow for defining the ldap filter used when searching for a user
# Variables supported:
# %u: username
# %U: username provided though http authentication
# %mu: mappings for userdb
# %ma: mappings for accounting
#
# One use of this would be to restrict access to only the user's belonging to
# a specific administrator like this:
# ldap_filter: (&(uid=%u)(manager=uid=%U,ou=admins,o=company,c=com))
#
#ldap_filter: (uid=%u)
#
# If ldap_userdn is set then we use that for user dns, we don't perform an ldap
# search. This can be somewhat faster. The variables supported for ldap_filter
# are also supported here
#
#ldap_userdn: uid=%u,%{ldap_base}

#
# can be one of mysql,pg where:
# mysq: MySQL database (port 3306)
# pg: PostgreSQL database (port 5432)
#
sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: radius
sql_password: motdepasse_sql
sql_database: radius
sql_accounting_table: radacct
sql_badusers_table: badusers
sql_check_table: radcheck
sql_reply_table: radreply
sql_user_info_table: userinfo
sql_groupcheck_table: radgroupcheck
sql_groupreply_table: radgroupreply
sql_usergroup_table: usergroup
sql_total_accounting_table: totacct
sql_nas_table: nas
#
# This variable is used by the scripts in the bin folder
# It should contain the path to the sql binary used to run
# sql commands (mysql and psql are only supported for now)
sql_command: /usr/bin/mysql
#
# This variable is used by the scripts in the bin folder
# It should contain the snmp type and path to the binary
# used to run snmp commands.
# (ucd = UCD-Snmp and net = Net-Snmp are only supported for now)
general_snmp_type: net
general_snmpwalk_command: /usr/bin/snmpwalk
general_snmpget_command: /usr/bin/snmpget
#
# Uncomment to enable sql debug
#
sql_debug: false
#
# If set to yes then the HTTP credentials (http authentication)
# will be used to connect to the sql server instead of sql_username
# and sql_password. That way multiple admins with different rights
# on the sql database can connect through one dialup_admin interface.
#sql_use_http_credentials: yes
#
# If set the query will be added to all of the queries on the accounting
# table
#sql_accounting_extra_query: %ma

#
# true or false
#
sql_use_user_info_table: true
sql_use_operators: true
#
# Set this to the value of the default_user_profile in your
# sql.conf if that one is set. If it is not set leave blank
# or commented out
#sql_default_user_profile: DEFAULT
#
#
sql_password_attribute: User-Password
sql_date_format: Y-m-d
sql_full_date_format: Y-m-d H:i:s
#
# Used in the accounting report generator so that we
# don't return too many results
#
sql_row_limit: 40
#
# These options are used by the log_badlogins script and by the
# mysql driver
#
# Set the sql connect timeout (secs)
sql_connect_timeout: 3
# Give a space separated list of extra mysql servers to connect to when
# logging bad logins or adding users in the badusers table
#sql_extra_servers: sql2.company.com sql3.company.com

#
# Default values for the various user limits in case the counter module
# is used to impose such limits.
# The value should be the user limit in seconds or none for nothing
#
counter_default_daily: 14400
counter_default_weekly: 72000
counter_default_monthly: none
#
# Since calculating monthly usage can be quite expensive we make
# it configurable
# This is not needed if the monthly limit is not none
#counter_monthly_calculate_usage: true

HotSpot:~# cd /usr/share/freeradius-dialupadmin/sql

HotSpot:/usr/share/freeradius-dialupadmin/sql# vim badusers.sql
#
# Table structure for table 'badusers'
#
CREATE TABLE badusers (
id int(10)
          NOT NULL auto_increment,
UserName varchar(30),
Date datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
Reason varchar(200),
Admin varchar(30) DEFAULT '-',
PRIMARY KEY (id),
KEY UserName (UserName),
KEY Date (Date)
);

HotSpot:/usr/share/freeradius-dialupadmin/sql# mysql -u radius -p radius < badusers.sql
Enter password: motdepasse_sql

HotSpot:/usr/share/freeradius-dialupadmin/sql# mysql -u radius -p radius < mtotacct.sql
Enter password: motdepasse_sql

HotSpot:/usr/share/freeradius-dialupadmin/sql# mysql -u radius -p radius < totacct.sql
Enter password: motdepasse_sql

HotSpot:/usr/share/freeradius-dialupadmin/sql# vim userinfo.sql
#
# Table structure for table 'userinfo'
#
CREATE TABLE userinfo (
id int(10)
                NOT NULL auto_increment,
UserName varchar(30),
Name varchar(200),
Mail varchar(200),
Department varchar(200),
WorkPhone varchar(200),
HomePhone varchar(200),
Mobile varchar(200),
PRIMARY KEY (id),
KEY UserName (UserName),
KEY Departmet (Department)
);

HotSpot:/usr/share/freeradius-dialupadmin/sql# mysql -u radius -p radius < userinfo.sql
Enter password: motdepasse_sql

HotSpot:/usr/share/freeradius-dialupadmin/sql# vim /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats

#!/usr/bin/perl
use POSIX;

# Log in the mtotacct table aggregated accounting information for
# each user spaning in one month period.
# If the current month has not ended it will log information up to
# the current month day
# Works only with mysql and postgresql
#

$conf=shift||'/etc/freeradius-dialupadmin/admin.conf';

open CONF, "<$conf"
or die "Could not open configuration file\n";
while(<CONF>){
chomp;
($key,$val)=(split /:\s*/,$_);
$sql_type = $val if ($key eq 'sql_type');
$sql_server = $val if ($key eq 'sql_server');
$sql_username = $val if ($key eq 'sql_username');
$sql_password = $val if ($key eq 'sql_password');
$sql_database = $val if ($key eq 'sql_database');
$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
$sqlcmd = $val if ($key eq 'sql_command');
}
close CONF;

die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
die "Could not find sql binary. Please make sure that the \$sqlcmd variable points to the right location\n" if (! -x $sqlcmd);

$sql_password = (!$sql_password eq '') ? '' : "-p$sql_password";

($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
if ($mday == 1){
$mon--;
}
$date_start = POSIX::strftime("%Y-%m-%d",0,0,0,1,$mon,$year,$wday,$yday,$isdst);
$date_end = POSIX::strftime("%Y-%m-%d",0,0,0,$mday,$mon,$year,$wday,$yday,$isdst);

$query1 = "DELETE FROM mtotacct WHERE AcctDate = '$date_start';";
$query2 = "INSERT INTO mtotacct (UserName,AcctDate,ConnNum,ConnTotDuration,
ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
SELECT UserName,'$date_start',SUM(ConnNum),SUM(ConnTotDuration),
MAX(ConnMaxDuration),MIN(ConnMinDuration),SUM(InputOctets),
SUM(OutputOctets),NASIPAddress FROM totacct
WHERE AcctDate >= '$date_start' AND
AcctDate <= '$date_end' GROUP BY UserName,NASIPAddress;";
print "$query1\n";
print "$query2\n";
open TMP, ">/tmp/tot_stats.query"
or die "Could not open tmp file\n";
print TMP $query1;
print TMP $query2;
close TMP;
$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database </tmp/tot_stats.query" if ($sql_type eq 'mysql');
$command = "$sqlcmd -U $sql_username -f /tmp/tot_stats.query $sql_database" if ($sql_type eq 'pg');
`$command`;

 

HotSpot:/usr/share/freeradius-dialupadmin/sql# vim /usr/share/freeradius-dialupadmin/bin/tot_stats

#!/usr/bin/perl
use POSIX;

# Log in the totacct table aggregated daily accounting information for
# each user.
# We keep a row per user for each day.
# Works with mysql and postgresql
#

$conf=shift||'/etc/freeradius-dialupadmin/admin.conf';

open CONF, "<$conf"
or die "Could not open configuration file\n";
while(<CONF>){
chomp;
($key,$val)=(split /:\s*/,$_);
$sql_type = $val if ($key eq 'sql_type');
$sql_server = $val if ($key eq 'sql_server');
$sql_username = $val if ($key eq 'sql_username');
$sql_password = $val if ($key eq 'sql_password');
$sql_database = $val if ($key eq 'sql_database');
$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
$sqlcmd = $val if ($key eq 'sql_command');
}
close CONF;

die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
die "Could not find sql binary. Please make sure that the \$sqlcmd variable points to the right location\n" if (! -x $sqlcmd);

$sql_password = (!$sql_password eq '') ? '' : "-p$sql_password";

($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
$date_start = POSIX::strftime("%Y-%m-%d %T",0,0,0,($mday - 1),$mon,$year,$wday,$yday,$isdst);
$date_small_start = POSIX::strftime("%Y-%m-%d",0,0,0,($mday - 1),$mon,$year,$wday,$yday,$isdst);
$date_end = POSIX::strftime("%Y-%m-%d %T",0,0,0,$mday,$mon,$year,$wday,$yday,$isdst);

$query1 = "DELETE FROM totacct WHERE AcctDate = '$date_start';";
$query2 = "INSERT INTO totacct (UserName,AcctDate,ConnNum,ConnTotDuration,
ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
SELECT UserName,'$date_small_start',COUNT(*),SUM(AcctSessionTime),
MAX(AcctSessionTime),MIN(AcctSessionTime),SUM(AcctInputOctets),
SUM(AcctOutputOctets),NASIPAddress FROM radacct
WHERE AcctStopTime >= '$date_start' AND
AcctStopTime < '$date_end' GROUP BY UserName,NASIPAddress;";
print "$query1\n";
print "$query2\n";
open TMP, ">/tmp/tot_stats.query"
or die "Could not open tmp file\n";
print TMP $query1;
print TMP $query2;
close TMP;
$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database </tmp/tot_stats.query" if ($sql_type eq 'mysql');
$command = "$sqlcmd -U $sql_username -f /tmp/tot_stats.query $sql_database" if ($sql_type eq 'pg');
`$command`;

 

HotSpot:/usr/share/freeradius-dialupadmin/sql# vim /etc/crontab

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

1 0 * * * /usr/share/freeradius-dialupadmin/bin/tot_stats >/dev/null 2>&1
5 0 * * * /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats >/dev/null 2>&

HotSpot:/usr/share/freeradius-dialupadmin/sql# echo "INSERT INTO nas(id,nasname,shortname,type,ports,secret,community,description) VALUES ('','127.0.0.1','nas1','other',NULL,'GaloulasecretRadius','public','Bout de PC');" | mysql -u radius -p radius
Enter password: motdepasse_sql

 

HotSpot:/usr/share/freeradius-dialupadmin/sql# vim /etc/freeradius/dictionary
>

#
# This is the master dictionary file, which references the
# pre-defined dictionary files included with the server.
#
# Any new/changed attributes MUST be placed in this file, as
# the pre-defined dictionaries SHOULD NOT be edited.
#
# $Id: dictionary.in,v 1.4 2004/04/14 15:26:20 aland Exp $
#

#
# The filename given here should be an absolute path.
#
$INCLUDE /usr/share/freeradius/dictionary

#
# Place additional attributes or $INCLUDEs here. They will
# over-ride the definitions in the pre-defined dictionaries.
#
# See the 'man' page for 'dictionary' for information on
# the format of the dictionary files.

#
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them here. The numbers you pick should be between
# 3000 and 4000.
#

#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer
ATTRIBUTE Max-All-Session 3000 integer

#
# This is the master dictionary file, which references the
# pre-defined dictionary files included with the server.
#
# Any new/changed attributes MUST be placed in this file, as
# the pre-defined dictionaries SHOULD NOT be edited.
#
# $Id: dictionary.in,v 1.4 2004/04/14 15:26:20 aland Exp $
#

#
# The filename given here should be an absolute path.
#
$INCLUDE /usr/share/freeradius/dictionary

#
# Place additional attributes or $INCLUDEs here. They will
# over-ride the definitions in the pre-defined dictionaries.
#
# See the 'man' page for 'dictionary' for information on
# the format of the dictionary files.

#
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them here. The numbers you pick should be between
# 3000 and 4000.
#

#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer

ATTRIBUTE Max-All-Session 3000 integer

HotSpot:/usr/share/freeradius-dialupadmin/sql# cd /var/
HotSpot:/var/www# wget http://ovh.dl.sourceforge.net/sourceforge/wifipaypal/wifi-1.1.1.zip

HotSpot:/var/www# apt-get install unzip
HotSpot:/var/www# unzip wifi-1.1.1.zip
HotSpot:/var/www# mv wifi-1.1.1 PayPal
HotSpot:/var/www# cd PayPal/

HotSpot:/var/PayPal# vim config.inc.php

<?

//////////////////////////////////////////////////////////////////////////////
// PayPal Wifi Prepaid v1` //
// C. Dan Arbeau 2006 Email: dan@axis-tech.com //
// This software is released under the GPL //
// Please let us knwo where you are using this software! Email us! //
//////////////////////////////////////////////////////////////////////////////

//Files to include
// include_once('dbconnect.php');
// include_once('functions.inc.php');

//DEBUGGING MODE
//We use this for testing - So we can see variable outputs at the top of the page
//We also use this mode when we are using the paypal sandbox
$debug = "0";
$debugmessage = "We are in debug mode - To use use in a live setting, please turn Debug off in the config file.";

//Branding parameters follow
//Several of these variables are taken fro
$title = "Galoula France ! - HotSpot Wifi";
$logo = "images/losmall.gif";
$hotspotname = "Galoula France ! ";
$slogan = "Internet, tout simplement ";
$footer = "<b>Accès Internet rapide et abordable. <br / >Pour plus d'informations, contactez nous sur <a href="http://hotspot.galoula.com/Contact.php"</a>.</b>";
$hotspotinfo = "Les Informations sont ici. ";
$version="1.1.1";
$loginnow = "http://192.168.24.1:3990/prelogin";
$loginnowtext = "Déjas inscrit ? Connectez-vous maintenant !";

// Paypal parameters
$business = "boutique@galoula.com"; //What account are we using w/paypal
//If transaction is success full, where do we go
$return = "http://login.hotspot/PayPal/success.php";
//If transaction is success canceled, where do we go
$cancel_return = "http://login.hotspot/PayPal/sorry.php";
//What Currency are we using
$currency_code = "EUR";
//What is our Location )Country)
$lc = "FR";

//Testing Information - Are we live or using paypal sandbox
$live = 1; // 1 = live, 0 = Sandbox

// To use this script for Payment Data Transfer (PDT) you must have Auto Return On
// In your paypal profile. You must also get your PDT token for the next step

//$pptoken = "SqN7GWzBZFayzyiejezUjBz-sz7PYsJsul_I1Nf9OFDQ3nN6NavS59UoI3S"; //Paste your token from paypal here
$pptoken = ""; //Paste your token from paypal here

// Are we running Chillispot? or Just writing to MySQL database for radius
// If we are using chillspot, we need uamsecret. - NOT IMPMENTED YET - WILL BE FOR CUSTOM LOGIN
$chillispot = "1"; // 1 = Using Chillispot, 0 = USing other Captive Portal
$uamsecret = "ChilliSecret"; //Change this to reflect your values

//Email Settings
//The email is being sent usinmg your default php.ini email settings - More than likely, localhost
//Next version will include a host variable here
$to = "galoula@galoula.com"; //Where the email is to be sent
$subject = "A new account has been generated"; //Change this for custom notification
//$body = "Hi,\n\n An account has been generated - \n\n ID: $id \n\n Password: $pass \n\n Page Load: $count"; MUST BE SET FROM PAGE ITSELF
$headers = "From: galoula@galoula.com";

//Googe Anlytics
$ga="0"; // 1 = Yes, 0 = No
$gacode='';

//General Calculations
$seconds = 60;
$minutes = $sec / $seconds;
$hours01 = $minutes / 60 ;
$days = $hours01 / 24;
$weeks = $days / 7;
$months = $weeks / 4 + 2;
$years = $days / 365;
$perhour = $_POST['perhour'];

?>

 

HotSpot:/var/PayPal# vim Connections/wifi.php

<?php
# PHP ADODB document - made with PHAkt
# FileName="Connection_php_adodb.htm"
# Type="ADODB"
# HTTP="true"
# DBTYPE="mysql"

$MM_wifi_HOSTNAME = '127.0.0.1';
$MM_wifi_DATABASE = 'mysql:radius';
$MM_wifi_DBTYPE = preg_replace('/:.*$/', '', $MM_wifi_DATABASE);
$MM_wifi_DATABASE = preg_replace('/^[^:]*?:/', '', $MM_wifi_DATABASE);
$MM_wifi_USERNAME = 'radius';
$MM_wifi_PASSWORD = 'motdepasse_sql';
$MM_wifi_LOCALE = 'Fr';
$MM_wifi_MSGLOCALE = 'Fr';
$MM_wifi_CTYPE = 'P';
$KT_locale = $MM_wifi_MSGLOCALE;
$KT_dlocale = $MM_wifi_LOCALE;
$KT_serverFormat = '%Y-%m-%d %H:%M:%S';
$QUB_Caching = 'false';

$KT_localFormat = $KT_serverFormat;

if (!defined('CONN_DIR')) define('CONN_DIR',dirname(__FILE__));
require_once(CONN_DIR.'/../adodb/adodb.inc.php');
$wifi=&KTNewConnection($MM_wifi_DBTYPE);

if($MM_wifi_DBTYPE == 'access' || $MM_wifi_DBTYPE == 'odbc'){
if($MM_wifi_CTYPE == 'P'){
$wifi->PConnect($MM_wifi_DATABASE, $MM_wifi_USERNAME,$MM_wifi_PASSWORD);
} else $wifi->Connect($MM_wifi_DATABASE, $MM_wifi_USERNAME,$MM_wifi_PASSWORD);
} else if (($MM_wifi_DBTYPE == 'ibase') or ($MM_wifi_DBTYPE == 'firebird')) {
if($MM_wifi_CTYPE == 'P'){
$wifi->PConnect($MM_wifi_HOSTNAME.':'.$MM_wifi_DATABASE,$MM_wifi_USERNAME,$MM_wifi_PASSWORD);
} else $wifi->Connect($MM_wifi_HOSTNAME.':'.$MM_wifi_DATABASE,$MM_wifi_USERNAME,$MM_wifi_PASSWORD);
}else {
if($MM_wifi_CTYPE == 'P'){
$wifi->PConnect($MM_wifi_HOSTNAME,$MM_wifi_USERNAME,$MM_wifi_PASSWORD, $MM_wifi_DATABASE);
} else $wifi->Connect($MM_wifi_HOSTNAME,$MM_wifi_USERNAME,$MM_wifi_PASSWORD, $MM_wifi_DATABASE);
}

if (!function_exists('updateMagicQuotes')) {
function updateMagicQuotes($HTTP_VARS){
if (is_array($HTTP_VARS)) {
foreach ($HTTP_VARS as $name=>$value) {

if (!is_array($value)) {
$HTTP_VARS[$name] = addslashes($value);
} else {
foreach ($value as $name1=>$value1) {
if (!is_array($value1)) {
$HTTP_VARS[$name1][$value1] = addslashes($value1);
}
}
}
}
}
return $HTTP_VARS;
}

if (!get_magic_quotes_gpc()) {
$_GET = updateMagicQuotes($_GET);
$_POST = updateMagicQuotes($_POST);
$_COOKIE = updateMagicQuotes($_COOKIE);
}
}
if (!isset($_SERVER['REQUEST_URI']) && isset($_ENV['REQUEST_URI'])) {
$_SERVER['REQUEST_URI'] = $_ENV['REQUEST_URI'];
}
if (!isset($_SERVER['REQUEST_URI'])) {
$_SERVER['REQUEST_URI'] = $_SERVER['PHP_SELF'].(isset($_SERVER['QUERY_STRING'])?"?".$_SERVER['QUERY_STRING']:"");
}
?>

HotSpot:/var/PayPal# apt-get install cacti

Faut-il configurer la base de données de cacti avec dbconfig-common ? --> Oui
Mot de passe de l'administrateur de la base de données : --> (Aucun)
Mot de passe de connexion MySQL pour cacti : --> CactiSQL (Au choix)
Confirmation du mot de passe : --> CactiSQL (Le même choix)
Type de serveur web : --> Apache2


HotSpot:/var/PayPal# vim /etc/apache2/sites-available/default

NameVirtualHost *
<VirtualHost *>
ServerAdmin webmaster@localhost

DocumentRoot /var/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
                                                                                                          
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined
ServerSignature On

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

 

Alias /cacti /usr/share/cacti/site

<DirectoryMatch /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
order allow,deny
allow from all
Deny from 192.168.24.0/24
<IfModule mod_php4.c>
AddType application/x-httpd-php .php

php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .

DirectoryIndex index.php
</IfModule>
</DirectoryMatch>

Alias /dialupadmin/ "/usr/share/freeradius-dialupadmin/htdocs/"
<Directory /usr/share/freeradius-dialupadmin/htdocs>
#SSLVerifyClient require
#SSLVerifyDepth 5
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
Deny from 192.168.24.0/24
</Directory>

Alias /MonSql/ "/var/phpmyadmin/"
<Directory "/var/phpmyadmin/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
Deny from 192.168.24.0/24
</Directory>

 

</VirtualHost>

HotSpot:~# apt-get install libapache2-mod-php4

©CopyRight 2000 - 2017 - Galoula.net par Galoula - Tous droits réservés.

Valid CSS!