Here you will find technical details about software and hardware configuration.

Sunday, 11 November 2012

FreeBSD as PPPoE client

To set up a PPPoE connection on a FreeBSD box, put these lines in /etc/ppp/ppp.conf:

===================================================================
default:
# PPP over Ethernet
# replace xl0 with your Ethernet interface (in my case it is xl0)
  set device PPPoE:xl0
  set speed sync
  set mru 1492
  set mtu 1492
  set ctsrts off

# Monitor line quality
  enable lqr

# Log just a bit
  set log phase tun

# Insert default route upon connection
  add default HISADDR

# Download /etc/resolv.conf
#  enable dns

papchap:
# replace User with your PPPoE username and Pass with your PPPoE password
  set authname User
  set authkey Pass
=================================================================
In /etc/rc.local put these lines:

#ppp
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"   # set to "YES" to NAT your local network over the link, otherwise leave NO

If you wish to start the connection manually, run the following command as root:
# ppp -ddial papchap

The tun0 interface will then appear in the ifconfig output:

tun0: flags=8051 mtu 1492
        inet x.x.x.x --> x.x.x.y netmask 0xffffffff
        Opened by PID 445


For more information, check the log file:
# tail -f /var/log/ppp.log

Saturday, 8 September 2012

PPPoE connection phases

1) The PPPoE Active Discovery Initiation (PADI) packet:
The PPPoE client sends out a PADI packet to the broadcast address. This packet can also populate the "service-name" field if a service name has been entered in the dial-up networking properties of the PPPoE broadband connectoid. If no service name has been entered, this field is left empty.

2) The PPPoE Active Discovery Offer (PADO) packet:
The PPPoE server, or Access Concentrator, should respond to the PADI with a PADO if the Access Concentrator is able to service the "service-name" field that had been listed in the PADI packet. If no "service-name" field had been listed, the Access Concentrator should respond with a PADO packet that has the "service-name" field populated with the service names that the Access Concentrator can service. The PADO packet is sent to the unicast address of the PPPoE client.

3) The PPPoE Active Discovery Request (PADR) packet:
When a PADO packet is received, the PPPoE client responds with a PADR packet. This packet is sent to the unicast address of the Access Concentrator. The client may receive multiple PADO packets, but it responds to the first valid PADO that it received. If the initial PADI packet had a blank "service-name" field, the client populates the "service-name" field of the PADR packet with the first service name that was returned in the PADO packet.

4) The PPPoE Active Discovery Session-confirmation (PADS) packet:
When the PADR is received, the Access Concentrator generates a unique session identification (ID) for the Point-to-Point Protocol (PPP) session and returns this ID to the PPPoE client in the PADS packet. This packet is sent to the unicast address of the client.

-> PADI (Initiation)
<- PADO (Offer)
-> PADR (Request)
<- PADS (Session!)
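The four-packet exchange above, as an added example that is not part of the original post: a small Python model of the discovery stage with a frame builder, a length-checking parser, an in-memory access concentrator and a client that answers the first valid PADO. The AccessConcentrator class, MAC addresses and service names are constructed for the example; EtherType, packet codes and tag types follow RFC 2516.

```python
import struct

# Discovery-stage constants from RFC 2516: EtherType, packet codes and tag types.
ETH_P_PPPOE_DISC = 0x8863
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6
VER_TYPE = 0x11  # version 1, type 1

def build_discovery(dst, src, code, session_id, tags):
    """Ethernet frame carrying one PPPoE discovery packet with the given TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + header + payload

def parse_discovery(frame):
    """Parse a discovery frame, checking every length field before trusting it."""
    if len(frame) < 20:
        raise ValueError("frame shorter than Ethernet + PPPoE headers")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds the frame")
    tags, offset = [], 0
    while offset + 4 <= length:
        tag_type, tag_len = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        if offset + tag_len > length:
            raise ValueError("tag length overruns the payload")
        tags.append((tag_type, payload[offset:offset + tag_len]))
        offset += tag_len
    return {"dst": dst, "src": src, "code": code, "session_id": session_id, "tags": tags}

def is_wellformed(frame):
    try:
        parse_discovery(frame)
        return True
    except ValueError:
        return False

def tag_values(tags, tag_type):
    return [v for t, v in tags if t == tag_type]

class AccessConcentrator:
    """Hypothetical in-memory AC: answers PADI with PADO and PADR with PADS."""
    def __init__(self, mac, name, services):
        self.mac, self.name, self.services = mac, name, services
        self.next_session_id = 1  # session IDs are per AC; 0 is reserved
        self.sessions = {}

    def handle(self, frame):
        pkt = parse_discovery(frame)
        echoed = [(TAG_HOST_UNIQ, h) for h in tag_values(pkt["tags"], TAG_HOST_UNIQ)]
        if pkt["code"] == CODE_PADI and pkt["dst"] == BROADCAST:
            wanted = tag_values(pkt["tags"], TAG_SERVICE_NAME)
            requested = wanted[0] if wanted else b""
            if requested == b"":
                offered = self.services  # blank name: advertise every service we have
            elif requested in self.services:
                offered = [requested]
            else:
                return None  # cannot serve it: send no PADO
            tags = [(TAG_AC_NAME, self.name)] + [(TAG_SERVICE_NAME, s) for s in offered]
            return build_discovery(pkt["src"], self.mac, CODE_PADO, 0, tags + echoed)
        if pkt["code"] == CODE_PADR and pkt["dst"] == self.mac:
            svc = tag_values(pkt["tags"], TAG_SERVICE_NAME)
            if not svc or svc[0] not in self.services:
                return None
            session_id = self.next_session_id
            self.next_session_id += 1
            self.sessions[session_id] = (pkt["src"], svc[0])
            return build_discovery(pkt["src"], self.mac, CODE_PADS, session_id,
                                   [(TAG_SERVICE_NAME, svc[0])] + echoed)
        return None

def discover(client_mac, acs, service_name=b""):
    """Client side: PADI -> first valid PADO -> PADR -> PADS. Returns the session or None."""
    padi = build_discovery(BROADCAST, client_mac, CODE_PADI, 0,
                           [(TAG_SERVICE_NAME, service_name), (TAG_HOST_UNIQ, b"\x00\x01")])
    offers = [reply for reply in (ac.handle(padi) for ac in acs) if reply is not None]
    if not offers:
        return None
    offer = parse_discovery(offers[0])  # the client answers the first valid PADO
    # Blank service name in the PADI: take the first one the PADO listed.
    chosen = service_name or tag_values(offer["tags"], TAG_SERVICE_NAME)[0]
    padr = build_discovery(offer["src"], client_mac, CODE_PADR, 0, [(TAG_SERVICE_NAME, chosen)])
    ac = next(a for a in acs if a.mac == offer["src"])
    pads = ac.handle(padr)
    if pads is None:
        return None
    return {"ac_name": tag_values(offer["tags"], TAG_AC_NAME)[0],
            "session_id": parse_discovery(pads)["session_id"], "service": chosen}
```

Nothing in this stage is authenticated: any host on the segment may answer a PADI, and the client simply takes the first PADO, which is why the PAP/CHAP authentication in the later PPP phase (the papchap section in ppp.conf above) matters.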

Saturday, 18 August 2012

CentOS Auto Login

If you want to log in automatically as a specific user, edit /etc/gdm/custom.conf and add the following two lines in the [daemon] section:

[daemon]
AutomaticLoginEnable=true
AutomaticLogin=username

Thursday, 9 August 2012

Installing Xfce4 in FreeBSD with auto login

Installing X11

Xorg is the default X11 implementation for FreeBSD and can be installed using the following command as the root user:

# pkg_add -r xorg

After installing, add the following lines to /etc/rc.conf:

moused_enable="YES"
dbus_enable="YES"
hald_enable="YES"

Check the installation using the following command as an unprivileged user:

$ xinit

If the setup is working, there should be a minimal X session running. Press CTRL+ALT+F1 to move to the first terminal, in which the command was executed. Press CTRL+C to stop it.

To create an xorg.conf.new file, run the following command as the root user. Reboot the server after installing Xorg if the following command doesn't work.

# Xorg -configure

A file named xorg.conf.new will be created in /root. To check the file created, run the following command as root:

# Xorg -config /root/xorg.conf.new -retro

If the configuration is working properly, a background with a mouse cursor is seen. Press CTRL+ALT+F1 to move to the first terminal, in which the command was executed. Press CTRL+C to stop it.

Copy the file to /etc/X11/ as xorg.conf, as the root user, using the following command:

# cp /root/xorg.conf.new /etc/X11/xorg.conf

Installing URW fonts

URW fonts can be installed by using the command:

# pkg_add -r urwfonts

Add the following line to /etc/X11/xorg.conf under 'Section "Files"':

FontPath "/usr/local/lib/X11/fonts/URW/"

Installing TTF fonts

TTF fonts can be installed by using the following command:

# pkg_add -r ttmkfdir

Check whether the following line is present under 'Section "Files"' in /etc/X11/xorg.conf:

FontPath "/usr/local/lib/X11/fonts/TTF/"

Add the following line to 'Section "Module"':

Load "freetype"

Enter the following commands now:

# cd /usr/local/lib/X11/fonts/TTF/
# ttmkfdir -o fonts.dir

Installing Xfce4

To install Xfce4, run the following command as root:

# pkg_add -r xfce4

The Xfce4 installation can be checked using the following command as an unprivileged user:

$ /usr/local/bin/startxfce4

Install XDM using the following command:

# pkg_add -r xdm

Run the following commands as the unprivileged user to make Xfce the default session for that user (the session script is startxfce4, not gnome-session):

$ echo "/usr/local/bin/startxfce4" >> ~/.xsession
$ echo "/usr/local/bin/startxfce4" >> ~/.xinitrc

Add the following line to /etc/rc.conf:

xdm_enable="YES"

Edit the file /etc/ttys and change the ttyv8 line as follows:

ttyv8   "/usr/local/bin/xdm -nodaemon"  xterm   on  secure

Now reboot the machine to boot into XDM and try logging in. It will log in to Xfce.

In this case, after logging in on the console you can type the "startx" command and Xfce will start.

==============================================

If you wish to log in to Xfce after boot as a specific user, you can use the following procedure:

There are 3 files you need to edit:
1. /etc/gettytab
2. /etc/ttys
3. Your shell's rc file, e.g. ~/.bashrc

Edit /etc/gettytab and search for autologin. Add these after the last entries:

Code:
logmein:\
        :al=your_username:sp#115200:
Replace 'your_username' with your user login.

Next edit /etc/ttys. I set mine to autologin on ttyv5. So my entry looks like this:

Code:
#ttyv5  "/usr/libexec/getty Pc"         cons25  on  secure
ttyv5   "/usr/libexec/getty logmein"    cons25  on  secure
Lastly, I'm using bash shell so this is what I have in my ~/.bashrc:

Code:
if [ `/usr/bin/tty` = '/dev/ttyv5' ]; then
    /usr/bin/ssh-agent /usr/local/bin/startx -- -nolisten tcp
fi
Hope this helps.



Sunday, 5 August 2012

Internet connection with an Asus WL500G and a ZTE MF110

Connect the modem to a PC and, using the JoinAir application, disable the PIN and the ZeroCD option.
Connect the modem to the router's USB port and check the following information in the Status&Log | Diagnostic Info window:
USB Devices
T: Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=12 MxCh= 2
B: Alloc= 0/900 us ( 0%), #Int= 0, #Iso= 0
D: Ver= 1.10 Cls=09(hub ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
P: Vendor=0000 ProdID=0000 Rev= 0.00
S: Product=USB OHCI Root Hub
S: SerialNumber=b8004000
C:* #Ifs= 1 Cfg#= 1 Atr=40 MxPwr= 0mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub
E: Ad=81(I) Atr=03(Int.) MxPS= 2 Ivl=255ms
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=19d2 ProdID=0016 Rev= 0.00
S: Manufacturer=ZTE,Incorporated
S: Product=ZTE WCDMA Technologies MSM
S: SerialNumber=P671A2ZTED010000
C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=serial
E: Ad=81(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=serial
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=serial
E: Ad=83(I) Atr=03(Int.) MxPS= 64 Ivl=5ms
E: Ad=84(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=03(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I: If#= 3 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E: Ad=04(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
USB devfs Devices
Device : Location : Info
/dev/usb/tts/0 : 1.0 : Manufacturer="ZTE,Incorporated" : Product="ZTE WCDMA Technologies MSM"
/dev/usb/tts/1 : 1.1 : Manufacturer="ZTE,Incorporated" : Product="ZTE WCDMA Technologies MSM"
/dev/usb/tts/2 : 1.2 : Manufacturer="ZTE,Incorporated" : Product="ZTE WCDMA Technologies MSM"
Note the ProductID, VendorID and the location at which the modem was detected (under USB devfs Devices). If nothing appears there, disabling the ZeroCD option from the JoinAir application did not succeed, and it has to be done by running the AT+ZCDRUN=8 command.
Next, configure the connection. The settings to make on the router are:
In the USB Connection | Connection Mode window:
- Enable automatic dial on boot | Yes
- Use WAN port as LAN | No
- Disable USB 2.0 controller | No
- Connection mode | GPRS/EDGE/UMTS
In the USB Connection | GPRS/EDGE/UMTS Config window:
Username: user
Password: user
APN: internet (or the provider's APN, if it differs)
Dial Number (usually *99***1#): *99#
USB device serial speed (usually 115200): 115200
USB device location ID: 1.2 (this may differ, depending on the router model and on the port the modem was connected to)
USB device Vendor ID (0xabcd): 0x19d2
USB device Product ID (0xefgh): 0x0016
USB device packet size (0 for default): 0
Modem type: Not set
Leave all the other settings unchanged. Click Apply | Finish | Save & Restart. After the restart the router will connect to the internet automatically.
By default, the router will use the modem as its primary way of connecting to the internet. It can also be set up as a backup, in which case the corresponding settings are made in the Backup Connection window.



For situations where AT commands need to be executed on 3G modems over a serial connection, you can use HyperTerminal (Windows), PuTTY (Windows, Linux) or Terminal (Mac).
To do that, you need to know the port used by the modem (Windows: Device Manager | Modems | modem_name | Properties | Modem; Linux: ALT+CTRL+F1, then dmesg | grep tty; Mac: System Preferences | Network | Internal Modem).
To make sure the modem's port is not in use, close every application that communicates with the modem (JoinAir, VMC etc.); if necessary, disconnect any disk drive detected by the system (with Safely Remove Hardware, Unmount etc.). If the modem has been connected to the internet, it is better to unplug it from the USB port, plug it back in, and make sure no application has been launched again.
Create a serial connection on the modem's port using one of the applications listed above, and connect.
For example, with the ZTE MF110 modem, you can check the connection by sending the ATI command, which returns information about the connected device.
To disable the ZeroCD option, run the AT+ZCDRUN=8 command. If you later want to re-enable ZeroCD, run AT+ZCDRUN=9.
The result can be seen below.


+ZPSTM: 1,4368616E676520494D5349;1,4368616E676520494D5349;
+ZEND
ATI
Manufacturer: ZTE CORPORATION
Model: MF110
Revision: BD_P671A2V1.0.1B04
IMEI: 351790039268926
+GCAP: +CGSM,+DS,+ES
OK
AT+ZCDRUN=8
Close autorun state result(0:FAIL 1:SUCCESS):1
OK


Tuesday, 24 July 2012

FreeRadius With Mysql

Introduction
In September 2001 I started playing around with FreeRadius (then at version 0.2!) and storing user authorisation details in a MySQL database. I had previously been using a proprietary RADIUS solution and wanted rid of it. Lots of people seemed to be posting to the freeradius-users list that they were trying to do the same and found it tricky due to the lack of documentation. Thus, to help anyone out there who needed it, I wrote down all the snippets of info, tips I'd received, and steps I'd used to make it work. This is the result.
This document assumes that you are familiar with:
  • *nix system admin and networking
  • What RADIUS is and should do
  • MySQL administration
  • The basics of how to compile and install open source software.
I'm not going to describe any of the above stuff, especially the latter as I'm far from an expert on it. This document focuses on getting FreeRadius running with MySQL. It does NOT describe a basic FreeRadius installation in detail (e.g. getting it up and running with a 'users' text file or other FreeRadius configurations), nor does it cover using multiple authentication methods, fall-throughs or any of that stuff. Just plain-old-MySQL-only. If you don't know about RADIUS itself, go do some background reading... the O'Reilly book ('RADIUS') is pretty good and covers FreeRadius too.
Please note: This isn't official documentation. It's not even UNofficial documentation. It's not documentation of any type by any stretch of the imagination. So far, it's just my own personal notes, written on the fly. Little editing, little detail. You takes your chances. I will try to improve when I can, or have additional information - don't hold your breath though, as life can get busy around here. The notes focus on the SQL element, NOT generally on getting FreeRadius installed and configured and operational with text files (maybe later!) although there is a little bit on that.
Also note: I'm not a programmer - editing low-level code and compiling stuff is not something I'm particularly familiar with. Ask me to read C code and I'll probably panic. My background and experience on Linux (and other stuff) puts me in the system admin/networking bracket (I'm a network builder and web app developer by day), so please bear that in mind here. Feel free to mail me, especially with suggestions and any info useful to add here, but please don't ask me 'how do I compile' stuff. Thanks.
Lastly for this bit : a big thank you to all those that helped, emailed and generally contributed to me getting this up and going, and thus to the creation of these notes.

System
I did my original testing on SuSe Linux 7.0 on Intel with FreeRadius 0.2 and MySQL 3.23.42 using a Cisco 3640 acting as a test NAS unit. The final deployment was to RedHat 7.1. Today I'm running FreeRadius 0.8.1. If you're running an older version you are strongly recommended to upgrade.

Before You Start
Before starting with FreeRadius, make sure your box is up and configured on your network, that you have MySQL installed and running, and that your NAS is configured to point to your server.
If you're using Cisco kit as your NAS, here's a quick example snippet of how to configure IOS to authenticate PPP (e.g. dial, DSL etc) users to a RADIUS server:
 aaa new-model
 aaa authentication ppp default if-needed group radius local
 aaa authorization network default group radius 
 aaa accounting update newinfo
 aaa accounting exec default start-stop group radius
 aaa accounting network default wait-start group radius
 aaa accounting connection default start-stop group radius

 radius-server host a.b.c.d auth-port 1645 acct-port 1646
 radius-server host e.f.g.h auth-port 1645 acct-port 1646
 radius-server key YOUR-RADIUS-KEY
[a.b.c.d and e.f.g.h are the IP's of your primary and secondary RADIUS servers. YOUR-RADIUS-KEY is your RADIUS secret key as defined in clients.conf (see below). ]
Make SURE you have included the development headers in your MySQL installation otherwise the FreeRadius installation/compilation will barf. To make my own life easy, I just installed MySQL to the default location.
Just to clarify: ABSOLUTELY MAKE SURE you have the mysql-devel (headers and libraries) package installed with your MySQL, otherwise freeradius won't compile with MySQL support properly. Many people seem to miss having this.
Oh yep, did I mention about having the MySQL development headers installed? No? Make sure you do... ;-)

Getting Started
First off, you should get FreeRadius compiled, installed and running in a basic text file configuration (e.g. using the 'users' file) on your box. This I'm not going to describe in detail (read the stuff in /docs, etc), but it should basically be the following:
1 - Get the latest FreeRadius source code tarball from ftp://ftp.freeradius.org/pub/radius/freeradius.tar.gz. If you're so minded, get the latest CVS instead.
2 - Unpack the tarball and install it. On my own system the basic steps were all that was needed, and everything got dumped in the standard places:
 
      tar  xvf  freeradius.tar.gz
      cd  freeradius
      ./configure
      make
      make install
Note that you might need to add options to ./configure if you installed MySQL to a non-standard place, or want FreeRadius to a non-standard place, or want or need any other odd bits and pieces. I was keeping it simple and didn't need to.
Then you should configure FreeRadius appropriately. It's best to start with a simple config using the standard text files, if at least only to test that FreeRadius installed OK and will work. To very briefly summarise getting the text files configured :
1 - Edit /usr/local/etc/raddb/clients.conf and enter the details of your NAS unit(s). There are examples here, so it should be easy. Tip: You'll also want to enter 'localhost' here for testing purposes (i.e. so you can use radtest).
2 - Edit /usr/local/etc/raddb/users and create an example user account. The file is commented on how to do this. I'm not going to repeat that here. If you've previously used another RADIUS server with text-file configuration (e.g. Livingston, Cistron) you'll know what goes here...
3 - Edit /usr/local/etc/raddb/realms. I just put a single line 'DEFAULT LOCAL' and that was sufficient to strip any suffix domain names in given user names - if you're using realms or proxying you'll doubtless need to do something else here, but I recommend you start with this then come back to setting up realms/proxying when you know MySQL is working. If you're not using realms, just ignore this.
4 - Edit /usr/local/etc/raddb/radiusd.conf and change as needed. For my own installation I changed the default port to run on 1645 (old port) to match what our existing boxes use (but otherwise make sure your NAS and FreeRadius are using the same) and said 'yes' to all the logging options (I'd strongly recommend you do switch on all the logging to start with). At this point I also said 'no' to using proxy to keep stuff simple. I then told it to run under the 'radius' user and group (I'd initially installed FreeRadius as root and didn't want to run it as such, so I created a user account called 'radius' in a group called 'radius' and then just blanket chown'd and chgrp'd the various radius directories to that user just to be sure the account can access all the right stuff. A bit of a sledgehammer there, but it was quick! I'm sure there's a better and/or more elegant way of doing this!). The rest of the radiusd.conf file was left alone.
At this point you should be able to manually fire up /usr/local/sbin/radiusd. You should do this with the debug turned on so you can see what happens:
      /usr/local/sbin/radiusd -X
Lots of stuff will scroll to the screen, and it should tell you it's ready to accept requests. If you get an error, READ THE DEBUG, then check the docs, check the above and try again.
You should now be able to use FreeRadius. You can use radtest to test an account from the command line:
      radtest username password servername port secret
So, if your example user is 'fred' with password 'wilma', your server is called 'radius.domain.com', is using port 1645, and you put localhost (or your localhost's IP) in clients.conf with a secret of 'mysecret', you should use:
 
      radtest fred wilma radius.domain.com 1645 mysecret
And you should get back something like:
      Sending Access-Request of id 226 to 127.0.0.1:1645
            User-Name = 'fred'
            User-Password = '\304\2323\326B\017\376\322?K\332\350Z;}'
            NAS-IP-Address = radius.domain.com
            NAS-Port = 1645

      rad_recv : Access-Accept packet from host 127.0.0.1:1645,id=226, length=56
            Framed-IP-Address = 80.84.161.1
            Framed-Protocol = PPP
            Service-Type = Framed-User
            Framed-Compression = Van-Jacobson-TCP-IP
            Framed-IP-Netmask = 255.255.255.255
You should get an 'Access Accept' response. If you don't, do not pass Go, do not collect £200. Go back and check everything. Read the docs, READ THE DEBUG!!
Personally, I used NTradPing (downloadable from MasterSoft) on a desktop Windows PC to send test packets towards the radius server - very handy tool. If you do this, or test from any other machine, remember your PC (or other machine) needs to be in your NAS list in clients.conf too!
OK, so at this point you should have text-file authentication working in FreeRadius...

Setting up the RADIUS database in MySQL
First, you should create a new empty 'radius' database in MySQL and a login user with permissions to that database. You could of course call the database and the user anything you like, but we'll stick to 'radius' for both for the purposes of this discussion.
Next up, you need to create the schema for the database. There is a file which describes this and is actually a SQL script file. It can be found at /src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql where you untar'd FreeRadius. This is the bit that, at least at the time I originally wrote these notes, wasn't really documented anywhere and was the thing most people seemed to be asking.
How you run that script is up to you and how you like to admin MySQL. The easiest way is to:
       mysql -uroot -prootpass radius < db_mysql.sql  
...where 'root' and 'rootpass' are your mysql root name and password respectively.
I happened to run it using MacSQL 2.0 on my Powerbook G4/OS X machine (Cool...). You could do it on the server, or use a MySQL admin tool from a Windows PC (e.g. MySQL CC, SQLion, dbtools etc) or whatever.
Now you have the database running, albeit empty.

Configuring FreeRadius to use MySQL
Edit /usr/local/etc/raddb/sql.conf and enter the server, name and password details to connect to your MySQL server and the RADIUS database. The database and table names should be left at the defaults if you used the default schema. For testing/debug purposes, switch on sqltrace if you wish - FreeRadius will dump all SQL commands to the debug output with this on.
If you're stripping all realm names (i.e. you want user joe@domain.com to authenticate as just 'joe'), then in sql.conf, under the 'query config: username' section, you MAY need to adjust the line(s) referring to sql_user_name. I needed to do this originally because we want to dump all realms, but you probably won't need to do this with the latest FreeRadius. For example, in our case I needed to uncomment the line:
             sql_user_name = '%{Stripped-User-Name}'

...and comment out the following line referring to just User-Name. If you want to see what's happening here, switch on all the logging options in radiusd.conf and run radiusd in debug mode (-X) to see what's happening : you'll see " user@domain" being passed to MySQL when using User-Name, but just "user" when using Stripped-User-Name. Using the latter, realms worked for me (basically, I strip everything, as all user names are unique on the server anyway). Of course, set all your other SQL options as needed (database login details, etc)
Edit /usr/local/etc/raddb/radiusd.conf and add a line saying 'sql' to the authorize{} section (which is towards the end of the file). The best place to put it is just before the 'files' entry. Indeed, if you'll just be using MySQL, and not falling back to text files, you could comment out or lose the 'files' entry altogether.
Also add a line saying 'sql' to the accounting{} section too between 'unix' and 'radutmp'. FreeRadius will now do accounting to MySQL as well.
The end of your radiusd.conf should then look something like this:
authorize {
        preprocess
        chap
        mschap
        #counter
        #attr_filter
        #eap
        suffix  
        sql
        #files
        #etc_smbpasswd
}
 
authenticate {
        authtype PAP {
               pap
        }
        authtype CHAP {
               chap
        }
        authtype MS-CHAP{
               mschap
        }
        #pam
        #unix
        #authtype LDAP {
        #       ldap
        #}
}
 
preacct {      
        preprocess
        suffix
        #files
}
 
accounting {
        acct_unique
        detail
        #counter
        unix
        sql
        radutmp
        #sradutmp
}
 
session {
        radutmp
}

Populating MySQL
You should now create some dummy data in the database to test against. It goes something like this:
  • In usergroup, put entries matching a user account name to a group name.
  • In radcheck, put an entry for each user account name with a 'Password' attribute with a value of their password.
  • In radreply, create entries for each user-specific radius reply attribute against their username
  • In radgroupreply, create attributes to be returned to all group members
Here's a dump of tables from the 'radius' database from mysql on my test box (edited slightly for clarity). This example includes three users, one with a dynamically assigned IP by the NAS (fredf), one assigned a static IP (barney), and one representing a dial-up routed connection (dialrouter):
      mysql> select * from usergroup;
      +----+---------------+-----------+
      | id | UserName      | GroupName |
      +----+---------------+-----------+
      |  1 | fredf         | dynamic   |
      |  2 | barney        | static    |
      |  2 | dialrouter    | netdial   |
      +----+---------------+-----------+
      3 rows in set (0.00 sec)
 
      mysql> select * from radcheck;
      +----+----------------+----------------+------------------+------+
      | id | UserName       | Attribute      | Value            | Op   | 
      +----+----------------+----------------+------------------+------+
      |  1 | fredf          | Password       | wilma            | ==   |
      |  2 | barney         | Password       | betty            | ==   |
      |  2 | dialrouter     | Password       | dialup           | ==   |
      +----+----------------+----------------+------------------+------+
      3 rows in set (0.02 sec)
 
      mysql> select * from radgroupcheck;
 
      +----+------------+-------------------+---------------------+------+
      | id | GroupName  | Attribute         | Value               | Op   |
      +----+------------+-------------------+---------------------+------+
      |  1 | dynamic    | Auth-Type         | Local               | :=   |
      |  2 | static     | Auth-Type         | Local               | :=   |
      |  3 | netdial    | Auth-Type         | Local               | :=   |
      +----+------------+-------------------+---------------------+------+
      3 rows in set (0.01 sec)
 
      mysql> select * from radreply;
 
      +----+------------+-------------------+---------------------------------+------+
      | id | UserName   | Attribute         | Value                           | Op   |
      +----+------------+-------------------+---------------------------------+------+
      |  1 | barney     | Framed-IP-Address | 1.2.3.4                         | :=   |
      |  2 | dialrouter | Framed-IP-Address | 2.3.4.1                         | :=   |
      |  3 | dialrouter | Framed-IP-Netmask | 255.255.255.255                 | :=   |
      |  4 | dialrouter | Framed-Routing    | Broadcast-Listen                | :=   |
      |  5 | dialrouter | Framed-Route      | 2.3.4.0 255.255.255.248         | :=   |
      |  6 | dialrouter | Idle-Timeout      | 900                             | :=   |
      +----+------------+-------------------+---------------------------------+------+
      6 rows in set (0.01 sec)
 
      mysql> select * from radgroupreply;
      +----+-----------+--------------------+---------------------+------+
      | id | GroupName | Attribute          | Value               | Op   |
      +----+-----------+--------------------+---------------------+------+
      | 34 | dynamic   | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
      | 33 | dynamic   | Framed-Protocol    | PPP                 | :=   |
      | 32 | dynamic   | Service-Type       | Framed-User         | :=   |
      | 35 | dynamic   | Framed-MTU         | 1500                | :=   |
      | 37 | static    | Framed-Protocol    | PPP                 | :=   |
      | 38 | static    | Service-Type       | Framed-User         | :=   |
      | 39 | static    | Framed-Compression | Van-Jacobsen-TCP-IP | :=   |
      | 41 | netdial   | Service-Type       | Framed-User         | :=   |
      | 42 | netdial   | Framed-Protocol    | PPP                 | :=   |
      +----+-----------+--------------------+---------------------+------+
      12 rows in set (0.01 sec)
 
      mysql> 
In this example, 'barney' (who is a single user dialup) only needs an attribute for IP address in radreply so he gets his static IP - he does not need any other attributes here as all the others get picked up from the 'static' group entries in radgroupreply.
'fred' needs no entries in radreply as he is dynamically assigned an IP via the NAS - so he'll just get the 'dynamic' group entries from radgroupreply ONLY.
'dialrouter' is a dial-up router, so as well as needing a static IP it needs route and mask attributes (etc) to be returned. Hence the additional entries.
'dialrouter' also has an idle-timeout attribute so the router gets kicked if it's not doing anything - you could add this for other users too if you wanted to. Of course, if you feel like or need to add any other attributes, that's kind of up to you!
Note the operator ('op') values used in the various tables. The password check attribute should use ==. Most return attributes should have a := operator, although if you're returning multiple attributes of the same type (e.g. multiple Cisco-AVPairs) you should use the += operator instead, otherwise only the first one will be returned. Read the docs for more details on operators.
If you're stripping all domain name elements from usernames via realms, remember NOT to include the domain name elements in the usernames you put in the MySQL tables - they should get stripped BEFORE the database is checked, so name@domain will NEVER match if you're realm stripping (assuming you follow point 2 above); you should just have 'name' as a user in the database. Once it's working without, and if you want more complex realm handling, go back to work out not stripping (and keeping name@domain in the db) if you really want to.
Auth-Type Note, Feb 2003: At the time of writing (i.e. up to and including FreeRadius 0.8.1), FreeRadius will default to an Auth-Type of 'local' if one is not found. This means that you do not need to include this (i.e. the radgroupcheck table above could actually be empty, and indeed is on my own box), but you probably should include it for clarity and for future-proofing in case FreeRadius changes. Please note that a previous version of this page indicated that Auth-Type should be included in the rad(group)reply tables. It appears that this is incorrect and that Auth-Type should be in the rad(group)check tables. Other than Auth-Type, for simple setups, you probably need nothing in radgroupcheck - unless you want users dialing certain nas'es, etc etc.
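As an added example (not part of the original notes, and not rlm_sql's code), the following Python models what the tables above do at authorize time: realm stripping, the == password check in radcheck, and the := and += reply operators merged from radgroupreply and radreply. SQLite stands in for MySQL so it runs offline; the two netdial Cisco-AVPair rows are constructed to show +=, and merging group replies before the user's own rows is an assumption of this model.

```python
import hmac
import sqlite3

# Table layout follows the page's dumps (MySQL column names kept verbatim);
# an in-memory SQLite database stands in for MySQL so the example runs offline.
SCHEMA = """
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Value TEXT, Op TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, Value TEXT, Op TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Value TEXT, Op TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, Value TEXT, Op TEXT);
"""

# The page's three test users; the two netdial Cisco-AVPair rows are constructed
# here to show the += operator returning more than one value of one attribute.
SAMPLE = {
    "usergroup": [("fredf", "dynamic"), ("barney", "static"), ("dialrouter", "netdial")],
    "radcheck": [("fredf", "Password", "wilma", "=="), ("barney", "Password", "betty", "=="),
                 ("dialrouter", "Password", "dialup", "==")],
    "radgroupcheck": [(g, "Auth-Type", "Local", ":=") for g in ("dynamic", "static", "netdial")],
    "radreply": [("barney", "Framed-IP-Address", "1.2.3.4", ":="),
                 ("dialrouter", "Framed-IP-Address", "2.3.4.1", ":="),
                 ("dialrouter", "Framed-IP-Netmask", "255.255.255.255", ":="),
                 ("dialrouter", "Framed-Routing", "Broadcast-Listen", ":="),
                 ("dialrouter", "Framed-Route", "2.3.4.0 255.255.255.248", ":="),
                 ("dialrouter", "Idle-Timeout", "900", ":=")],
    "radgroupreply": [("dynamic", "Framed-Compression", "Van-Jacobson-TCP-IP", ":="),
                      ("dynamic", "Framed-Protocol", "PPP", ":="),
                      ("dynamic", "Service-Type", "Framed-User", ":="),
                      ("dynamic", "Framed-MTU", "1500", ":="),
                      ("static", "Framed-Protocol", "PPP", ":="),
                      ("static", "Service-Type", "Framed-User", ":="),
                      ("static", "Framed-Compression", "Van-Jacobson-TCP-IP", ":="),
                      ("netdial", "Service-Type", "Framed-User", ":="),
                      ("netdial", "Framed-Protocol", "PPP", ":="),
                      ("netdial", "Cisco-AVPair", "ip:addr-pool=netdial-pool", "+="),
                      ("netdial", "Cisco-AVPair", "lcp:interface-config=ip mtu 1492", "+=")],
}

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO usergroup (UserName, GroupName) VALUES (?, ?)", SAMPLE["usergroup"])
    for table in ("radcheck", "radreply"):
        con.executemany(f"INSERT INTO {table} (UserName, Attribute, Value, Op) VALUES (?, ?, ?, ?)",
                        SAMPLE[table])
    for table in ("radgroupcheck", "radgroupreply"):
        con.executemany(f"INSERT INTO {table} (GroupName, Attribute, Value, Op) VALUES (?, ?, ?, ?)",
                        SAMPLE[table])
    return con

def strip_realm(user_name, strip=True):
    """'DEFAULT LOCAL' in realms: joe@domain.com becomes joe before any SQL lookup."""
    return user_name.split("@", 1)[0] if strip else user_name

def check_password(con, user, password):
    """radcheck: a Password row with op == must equal the supplied password."""
    rows = con.execute("SELECT Attribute, Value, Op FROM radcheck WHERE UserName = ?",
                       (user,)).fetchall()
    for attribute, value, op in rows:
        if attribute == "Password" and op == "==":
            return hmac.compare_digest(value.encode(), password.encode())
    return False  # unknown user, or no usable check item: reject

def apply_op(reply, attribute, value, op):
    """:= sets exactly one value; += appends, which is what multiple Cisco-AVPairs need."""
    if op == ":=":
        reply[attribute] = [value]
    elif op == "+=":
        reply.setdefault(attribute, []).append(value)
    else:
        raise ValueError(f"{op!r} is a check operator and does not belong in a reply table")

def build_reply(con, user):
    """Group reply items first, then the user's own radreply rows (this ordering is the
    model's assumption, not a statement about rlm_sql's internal order)."""
    reply = {}
    for (group,) in con.execute("SELECT GroupName FROM usergroup WHERE UserName = ? ORDER BY id", (user,)):
        rows = con.execute("SELECT Attribute, Value, Op FROM radgroupreply WHERE GroupName = ? ORDER BY id",
                           (group,))
        for attribute, value, op in rows:
            apply_op(reply, attribute, value, op)
    for attribute, value, op in con.execute(
            "SELECT Attribute, Value, Op FROM radreply WHERE UserName = ? ORDER BY id", (user,)):
        apply_op(reply, attribute, value, op)
    return reply

def authorize(con, user_name, password, strip=True):
    """Return ('Access-Accept', reply attributes) or ('Access-Reject', {})."""
    user = strip_realm(user_name, strip)
    if not check_password(con, user, password):
        return "Access-Reject", {}
    return "Access-Accept", build_reply(con, user)
```

Running authorize(con, "fredf@example.com", "wilma") with strip=False reproduces the realm trap described above: the database holds 'fredf', so 'fredf@example.com' never matches and the result is Access-Reject.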

Using FreeRadius and MySQL
Fire up radiusd again in debug mode (radiusd -X). The debug output should show it connecting to the MySQL database. Use radtest (or NTradPing) to test again - the user should authenticate, and the debug output should show FreeRadius querying MySQL.
You're done!

Additional Snippets:
To use encrypted passwords in radcheck, use the attribute 'Crypt-Password' instead of 'Password' and put the encrypted (i.e. UNIX crypt'd) password in the value field.
To get NTradPing to send test accounting (e.g. stop) packets it needs arguments, namely Acct-Session-Time. Put something like 'Acct-Session-Time=99999' into the 'Additional RADIUS Attributes' box when sending stops. Thanks to JL for the tip.
If you have a Cisco NAS, enable the Cisco VSA hack (with_cisco_vsa_hack in the preprocess module of radiusd.conf).
Running a backup FreeRadius server and need to replicate the RADIUS database to it? I followed Colin Bloch's basic instructions at http://www.ls-l.net/mysql/ and got replication set up between two MySQL servers. Real easy. Read the MySQL docs on replication for more details. Note that MySQL replication is one-way only.
On the subject of backup servers: if you want to run TWO MySQL servers and have FreeRadius fail over between them, you'll need to do something like this. Duplicate your sql.conf and edit the second copy so that it connects to your backup server; name the files something like sql1.conf and sql2.conf. The module block in each copy must be renamed to match the instance names used below, i.e. 'sql sql1 { ... }' and 'sql sql2 { ... }'. In radiusd.conf replace the include line for sql.conf with two lines that include sql1.conf and sql2.conf instead. Then, in the 'authorize' section of radiusd.conf, change the 'sql' entry to a 'group' one, like this:
 
  group {
    sql1 {
      fail  = 1
      notfound = return
      noop  = 2
      ok  = return
      updated = 3
      reject = return
      userlock = 4
      invalid = 5
      handled = 6
    }
    sql2 {
      fail  = 1
      notfound = return
      noop  = 2
      ok  = return
      updated = 3
      reject = return
      userlock = 4
      invalid = 5
      handled = 6
    }
  }
Note that if FreeRadius fails over to the second MySQL server and writes to the accounting table (radacct) there, your replication setup and database integrity can suffer, because the first MySQL server will never receive those updates (replication only flows one way).
source

miercuri, 25 ianuarie 2012

Patch for Qmail.
 
In many cases we don't need to scan messages from authenticated users. If the user's IP is listed in the CBL or another RBL,
SpamAssassin increases the score and the message is marked as spam or is not delivered. I assume all authenticated
users are clean.

Now, how do we know that the user is SMTP authenticated? Simply by checking whether the TCPREMOTEINFO environment variable is set.
 
The fix turned out to be quite simple. It adds another debug log message and
skips mail scanning if TCPREMOTEINFO is set, unless QS_SPAMASSASSIN
forces scanning:
 
----------------------------------------------------------------------------------------------- 
 
--- qmail-scanner-queue.pl.bak      2010-05-17 11:28:21.000000000 +0300
+++ /usr/local/bin/qmail-scanner-queue.pl       2010-05-15 16:35:52.000000000 +0300
@@ -2599,11 +2605,17 @@
   #Don't bother if this is going to be quarantined
   return if ($quarantine_event);

-  #Only run SA if mail is from a "remote" SMTP client, or QS_SPAMASSASSIN
+  #Only run SA if mail is from a "remote" SMTP client which is not SMTP athenticated, or QS_SPAMASSASSIN
   #is defined via tcpserver...
-  if ($QS_RELAYCLIENT && !$ENV{'QS_SPAMASSASSIN'}) {
-    &debug("spamassassin: don't scan as RELAYCLIENT implies this was sent by a local user");
-    return;
+  if (!$ENV{'QS_SPAMASSASSIN'}) {
+       if ($QS_RELAYCLIENT){
+           &debug("spamassassin: don't scan as RELAYCLIENT implies this was sent by a local user");
+           return;
+       }
+       if ($ENV{'TCPREMOTEINFO'}){
+           &debug("spamassassin: don't scan as TCPREMOTEINFO implies this was sent by a SMTP AUTHenticated user");
+           return;
+       }
   }
   #SpamAssassin client scanner
   my ($spamassassin_found,$spamassassin_status);

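Review bot: the new `if ($ENV{'TCPREMOTEINFO'})` branch treats any value of TCPREMOTEINFO as proof of SMTP AUTH, but tcpserver also fills that variable from an RFC 1413 ident reply when ident lookups are enabled (they are unless tcpserver runs with `-R`), so an unauthenticated remote client answering its own ident query could get the same scan exemption; either state in the post that qmail-smtpd must run under `tcpserver -R`, or key the exemption on something only the AUTH path sets. Also fix the typo in the new comment line: `athenticated` should be `authenticated`.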
--------------------------------------------------------------------------------------------------------------------------------------
source
