Freebsd + Freeradius3 + Nodeny Plus: відмінності між версіями
Перейти до навігації
Перейти до пошуку
Gudwin (обговорення | внесок) |
Sv (обговорення | внесок) |
||
| (Не показані 7 проміжних версій ще одного користувача) | |||
| Рядок 1: | Рядок 1: | ||
== '''для dhcp''' == | == '''для dhcp''' == | ||
'''cat /usr/local/etc/raddb/sites-enabled/nodeny''' | |||
cat /usr/local/etc/raddb/sites-enabled/nodeny | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
server default { | server default { | ||
| Рядок 34: | Рядок 31: | ||
} | } | ||
accounting { | accounting { | ||
sql | sql | ||
exec | exec | ||
| Рядок 47: | Рядок 43: | ||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
'''cat /usr/local/etc/raddb/mods-enabled/sql''' | |||
cat /usr/local/etc/raddb/mods-enabled/sql | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
sql { | sql { | ||
| Рядок 134: | Рядок 126: | ||
CALL set_auth(ipa, CONCAT('mod=dhcp;user=', usr_mac, ';', REPLACE(properties,';',''))); | CALL set_auth(ipa, CONCAT('mod=dhcp;user=', usr_mac, ';', REPLACE(properties,';',''))); | ||
UPDATE mac_uid SET time=UNIX_TIMESTAMP() WHERE ip=INET_ATON(ipa) LIMIT 1; | UPDATE mac_uid SET time=UNIX_TIMESTAMP() WHERE ip=INET_ATON(ipa) LIMIT 1; | ||
END$$ | |||
DELIMITER ; | |||
</syntaxhighlight> | |||
== '''для pppoe''' == | |||
'''cat /usr/local/etc/raddb/sites-enabled/nodeny''' | |||
<syntaxhighlight lang="bash"> | |||
server default { | |||
listen { | |||
type = auth | |||
ipaddr = * | |||
port = 1812 | |||
} | |||
listen { | |||
type = acct | |||
ipaddr = * | |||
port = 0 | |||
} | |||
authorize { | |||
sql | |||
pap | |||
chap | |||
mschap | |||
} | |||
authenticate { | |||
Auth-Type PAP { | |||
pap | |||
} | |||
Auth-Type CHAP { | |||
chap | |||
} | |||
Auth-Type MSCHAP { | |||
mschap | |||
} | |||
} | |||
preacct { | |||
acct_unique | |||
preprocess | |||
} | |||
accounting { | |||
sql | |||
exec | |||
} | |||
session { | |||
radutmp | |||
sql | |||
} | |||
post-auth { | |||
sql | |||
} | |||
} | |||
</syntaxhighlight> | |||
'''cat /usr/local/etc/raddb/mods-enabled/sql''' | |||
<syntaxhighlight lang="bash"> | |||
sql { | |||
driver = "rlm_sql_mysql" | |||
mysql { | |||
warnings = auto | |||
} | |||
server = "localhost" | |||
port = 3306 | |||
login = "nodeny" | |||
password = "hardpass" | |||
radius_db = "nodeny" | |||
authorize_check_query = "call radcheck('%{User-Name}')" | |||
authorize_reply_query = "call radreply('%{User-Name}')" | |||
accounting { | |||
query = "call radupdate('%{User-Name}','%{Framed-IP-Address}',\ | |||
'user=%{Calling-Station-Id};nas=%{NAS-IP-Address}')" | |||
type { | |||
start { | |||
query = "call radupdate('%{User-Name}','%{Framed-IP-Address}',\ | |||
'user=%{Calling-Station-Id};nas=%{NAS-IP-Address}')" | |||
} | |||
} | |||
} | |||
post-auth { | |||
query = "call radupdate('%{User-Name}','%{reply:Framed-IP-Address}',\ | |||
'user=%{Calling-Station-Id};nas=%{NAS-IP-Address}')" | |||
} | |||
} | |||
</syntaxhighlight> | |||
'''Mysql процедуры''' | |||
<syntaxhighlight lang="bash"> | |||
ALTER DATABASE nodeny CHARACTER SET utf8 COLLATE utf8_general_ci; | |||
DROP PROCEDURE IF EXISTS `radcheck`; | |||
DELIMITER $$ | |||
CREATE PROCEDURE `radcheck` (IN login VARCHAR(64)) | |||
BEGIN | |||
SELECT id,name,'Cleartext-Password' AS Attribute,AES_DECRYPT(passwd,'hardpass') AS Value,':=' | |||
FROM users WHERE name=login; | |||
END$$ | |||
DELIMITER ; | |||
DROP PROCEDURE IF EXISTS `radreply`; | |||
DELIMITER $$ | |||
CREATE PROCEDURE `radreply`(IN login VARCHAR(64)) | |||
BEGIN | |||
DECLARE usr_id INT; | |||
DECLARE usr_ip VARCHAR(15) DEFAULT NULL; | |||
SELECT id INTO usr_id FROM users WHERE name=login LIMIT 1; | |||
SELECT get_ip(usr_id) INTO usr_ip; | |||
SELECT NULL,login,'Framed-IP-Address',usr_ip,'='; | |||
SELECT NULL,login,'Framed-IP-Netmask','255.255.255.255','='; | |||
SELECT NULL,login,'Framed-Protocol','PPP','='; | |||
END$$ | |||
DELIMITER ; | |||
DROP PROCEDURE IF EXISTS `radupdate`; | |||
DELIMITER $$ | |||
CREATE PROCEDURE `radupdate`(IN login VARCHAR(64), IN ip VARCHAR(16), IN properties VARCHAR(255)) | |||
BEGIN | |||
DECLARE usr_id INT; | |||
DECLARE usr_ip VARCHAR(15) DEFAULT NULL; | |||
SELECT id INTO usr_id FROM users WHERE name=login LIMIT 1; | |||
SELECT get_ip(usr_id) INTO usr_ip; | |||
CALL set_auth(usr_ip, CONCAT('mod=pppoe;',REPLACE(properties,':',''))); | |||
UPDATE users SET id=usr_id WHERE id=usr_id LIMIT 1; | |||
END$$ | |||
DELIMITER ; | |||
DROP PROCEDURE IF EXISTS `radstop`; | |||
DELIMITER $$ | |||
CREATE PROCEDURE `radstop`(IN login VARCHAR(64)) | |||
BEGIN | |||
DECLARE usr_id INT; | |||
SELECT id INTO usr_id FROM users WHERE name=login LIMIT 1; | |||
DELETE FROM auth_now WHERE ip = get_ip(usr_id) LIMIT 1; | |||
END$$ | END$$ | ||
DELIMITER ; | DELIMITER ; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Поточна версія на 10:26, 23 березня 2018
для dhcp
cat /usr/local/etc/raddb/sites-enabled/nodeny
server default {
listen {
type = auth
ipaddr = *
port = 1812
}
listen {
type = acct
ipaddr = *
port = 0
}
authorize {
sql
pap
update control {
Auth-Type := "Accept"
}
}
authenticate {
Auth-Type PAP {
pap
}
}
preacct {
acct_unique
preprocess
}
accounting {
sql
exec
}
session {
radutmp
sql
}
post-auth {
sql
}
}
cat /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
mysql {
warnings = auto
}
server = "localhost"
port = 3306
login = "nodeny"
password = "hardpass"
radius_db = "nodeny"
authorize_check_query = "call radcheck('%{User-Name}')"
authorize_reply_query = "call radreply('%{User-Name}')"
accounting {
query = "call radupdate('%{User-Name}','%{Framed-IP-Address}',\
'nas=%{NAS-IP-Address}')"
type {
start {
query = "call radupdate('%{User-Name}','%{Framed-IP-Address}',\
'nas=%{NAS-IP-Address}')"
}
}
}
post-auth {
query = "call radupdate('%{User-Name}','%{reply:Framed-IP-Address}',\
'nas=%{NAS-IP-Address}')"
}
}
Mysql процедуры
ALTER DATABASE nodeny CHARACTER SET utf8 COLLATE utf8_general_ci;
DROP PROCEDURE IF EXISTS `radcheck`;
DELIMITER $$
CREATE PROCEDURE `radcheck` (IN login VARCHAR(64))
BEGIN
SELECT Null, login, 'Cleartext-Password' AS Attribute, '' AS Value,':=';
END$$
DELIMITER ;
DROP PROCEDURE IF EXISTS `radreply`;
DELIMITER $$
CREATE PROCEDURE `radreply`(IN login VARCHAR(64))
BEGIN
DECLARE usr_mac VARCHAR(12);
DECLARE usr_ip VARCHAR(15);
DECLARE usr_id INT;
SELECT REPLACE(login, ':', '') INTO usr_mac;
SELECT uid INTO usr_id FROM mac_uid WHERE mac=usr_mac;
IF usr_id IS NOT NULL AND usr_id>0 THEN
SELECT get_ip(usr_id) INTO usr_ip;
UPDATE mac_uid SET ip=0 WHERE ip=INET_ATON(usr_ip) AND uid<>usr_id;
UPDATE mac_uid SET ip=INET_ATON(usr_ip), time=UNIX_TIMESTAMP() WHERE uid=usr_id;
ELSE
UPDATE mac_uid SET ip=0 WHERE uid=0 AND time<(UNIX_TIMESTAMP()-3600);
START TRANSACTION;
SELECT INET_NTOA(ip) INTO usr_ip FROM ip_pool p WHERE uid=0 AND type='dynamic'
AND NOT EXISTS (SELECT ip FROM mac_uid WHERE ip=p.ip)
ORDER BY RAND() LIMIT 1 FOR UPDATE;
INSERT INTO mac_uid VALUES(
NULL, usr_mac, INET_ATON(usr_ip), 0, UNIX_TIMESTAMP(), 0, 0, 0)
ON DUPLICATE KEY
UPDATE ip=IF(ip>0,ip,INET_ATON(usr_ip)), time=UNIX_TIMESTAMP();
COMMIT;
SELECT INET_NTOA(ip) INTO usr_ip FROM mac_uid WHERE mac=usr_mac;
END IF;
SELECT NULL, login, 'Framed-IP-Address', usr_ip, '=';
SELECT NULL, login, 'Session-Timeout', '600', '=';
END$$
DELIMITER ;
DROP PROCEDURE IF EXISTS `radupdate`;
DELIMITER $$
CREATE PROCEDURE `radupdate`(
IN login VARCHAR(64), IN ipa VARCHAR(16), IN properties VARCHAR(255))
BEGIN
DECLARE usr_mac VARCHAR(16);
SELECT REPLACE(login, ':', '') INTO usr_mac;
CALL set_auth(ipa, CONCAT('mod=dhcp;user=', usr_mac, ';', REPLACE(properties,';','')));
UPDATE mac_uid SET time=UNIX_TIMESTAMP() WHERE ip=INET_ATON(ipa) LIMIT 1;
END$$
DELIMITER ;
для pppoe
cat /usr/local/etc/raddb/sites-enabled/nodeny
server default {
listen {
type = auth
ipaddr = *
port = 1812
}
listen {
type = acct
ipaddr = *
port = 0
}
authorize {
sql
pap
chap
mschap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MSCHAP {
mschap
}
}
preacct {
acct_unique
preprocess
}
accounting {
sql
exec
}
session {
radutmp
sql
}
post-auth {
sql
}
}
cat /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
mysql {
warnings = auto
}
server = "localhost"
port = 3306
login = "nodeny"
password = "hardpass"
radius_db = "nodeny"
authorize_check_query = "call radcheck('%{User-Name}')"
authorize_reply_query = "call radreply('%{User-Name}')"
accounting {
query = "call radupdate('%{User-Name}','%{Framed-IP-Address}',\
'user=%{Calling-Station-Id};nas=%{NAS-IP-Address}')"
type {
start {
query = "call radupdate('%{User-Name}','%{Framed-IP-Address}',\
'user=%{Calling-Station-Id};nas=%{NAS-IP-Address}')"
}
}
}
post-auth {
query = "call radupdate('%{User-Name}','%{reply:Framed-IP-Address}',\
'user=%{Calling-Station-Id};nas=%{NAS-IP-Address}')"
}
}
Mysql процедуры
ALTER DATABASE nodeny CHARACTER SET utf8 COLLATE utf8_general_ci;
DROP PROCEDURE IF EXISTS `radcheck`;
DELIMITER $$
CREATE PROCEDURE `radcheck` (IN login VARCHAR(64))
BEGIN
SELECT id,name,'Cleartext-Password' AS Attribute,AES_DECRYPT(passwd,'hardpass') AS Value,':='
FROM users WHERE name=login;
END$$
DELIMITER ;
DROP PROCEDURE IF EXISTS `radreply`;
DELIMITER $$
CREATE PROCEDURE `radreply`(IN login VARCHAR(64))
BEGIN
DECLARE usr_id INT;
DECLARE usr_ip VARCHAR(15) DEFAULT NULL;
SELECT id INTO usr_id FROM users WHERE name=login LIMIT 1;
SELECT get_ip(usr_id) INTO usr_ip;
SELECT NULL,login,'Framed-IP-Address',usr_ip,'=';
SELECT NULL,login,'Framed-IP-Netmask','255.255.255.255','=';
SELECT NULL,login,'Framed-Protocol','PPP','=';
END$$
DELIMITER ;
DROP PROCEDURE IF EXISTS `radupdate`;
DELIMITER $$
CREATE PROCEDURE `radupdate`(IN login VARCHAR(64), IN ip VARCHAR(16), IN properties VARCHAR(255))
BEGIN
DECLARE usr_id INT;
DECLARE usr_ip VARCHAR(15) DEFAULT NULL;
SELECT id INTO usr_id FROM users WHERE name=login LIMIT 1;
SELECT get_ip(usr_id) INTO usr_ip;
CALL set_auth(usr_ip, CONCAT('mod=pppoe;',REPLACE(properties,':','')));
UPDATE users SET id=usr_id WHERE id=usr_id LIMIT 1;
END$$
DELIMITER ;
DROP PROCEDURE IF EXISTS `radstop`;
DELIMITER $$
CREATE PROCEDURE `radstop`(IN login VARCHAR(64))
BEGIN
DECLARE usr_id INT;
SELECT id INTO usr_id FROM users WHERE name=login LIMIT 1;
DELETE FROM auth_now WHERE ip = get_ip(usr_id) LIMIT 1;
END$$
DELIMITER ;