Freebsd + Freeradius3 + Nodeny Plus: відмінності між версіями

Матеріал з NoDeny
Перейти до навігації Перейти до пошуку
Рядок 2: Рядок 2:
== '''для dhcp''' ==
== '''для dhcp''' ==


''cat /usr/local/etc/raddb/sites-enabled/nodeny''
'''cat /usr/local/etc/raddb/sites-enabled/nodeny'''





Версія за 12:06, 30 листопада 2017

для dhcp

cat /usr/local/etc/raddb/sites-enabled/nodeny


server default {
    listen {
        type = auth
        ipaddr = *
        port = 1812
    }
    listen {
        type = acct
        ipaddr = *
        port = 0
    }
    authorize {
            sql
            pap
            update control {
                             Auth-Type := "Accept"
                            }
    }
    authenticate {
            Auth-Type PAP {
                pap
            }
    }
    preacct {
            acct_unique
            preprocess
    }
    accounting {
            detail
            sql
            exec
    }
    session {
            radutmp
            sql
    }
    post-auth {
            sql
    }
}
cat /usr/local/etc/raddb/mods-enabled/sql
sql {
    driver = "rlm_sql_mysql"
    mysql {
warnings = auto
    }
    server = "localhost"
    port = 3306
    login = "nodeny"
    password = "hardpass"
    radius_db = "nodeny"
        authorize_check_query = "call radcheck('%{User-Name}')"
        authorize_reply_query = "call radreply('%{User-Name}')"
        accounting {
            query = "call radupdate('%{User-Name}','%{Framed-IP-Address}',\
                    'nas=%{NAS-IP-Address}')"
            type {
                start {
                    query = "call radupdate('%{User-Name}','%{Framed-IP-Address}',\
                            'nas=%{NAS-IP-Address}')"
                }
            }
        }
        post-auth {
        query = "call radupdate('%{User-Name}','%{reply:Framed-IP-Address}',\
                'nas=%{NAS-IP-Address}')"
        }
}

Mysql процедуры

ALTER DATABASE nodeny CHARACTER SET utf8 COLLATE utf8_general_ci;

DROP PROCEDURE IF EXISTS `radcheck`;
DELIMITER $$
CREATE PROCEDURE `radcheck` (IN login VARCHAR(64))
BEGIN
  SELECT Null, login, 'Cleartext-Password' AS Attribute, '' AS Value,':=';
END$$
DELIMITER ;

DROP PROCEDURE IF EXISTS `radreply`;
DELIMITER $$
CREATE PROCEDURE `radreply`(IN login VARCHAR(64))
BEGIN
    DECLARE usr_mac VARCHAR(12);
    DECLARE usr_ip VARCHAR(15);
    DECLARE usr_id INT;
    SELECT REPLACE(login, ':', '') INTO usr_mac;
    SELECT uid INTO usr_id FROM mac_uid WHERE mac=usr_mac;
    IF usr_id IS NOT NULL AND usr_id>0 THEN
        SELECT get_ip(usr_id) INTO usr_ip;
        UPDATE mac_uid SET ip=0 WHERE ip=INET_ATON(usr_ip) AND uid<>usr_id;
        UPDATE mac_uid SET ip=INET_ATON(usr_ip), time=UNIX_TIMESTAMP() WHERE uid=usr_id;
    ELSE
        UPDATE mac_uid SET ip=0 WHERE uid=0 AND time<(UNIX_TIMESTAMP()-3600);
        START TRANSACTION;
        SELECT INET_NTOA(ip) INTO usr_ip FROM ip_pool p WHERE uid=0 AND type='dynamic'
            AND NOT EXISTS (SELECT ip FROM mac_uid WHERE ip=p.ip)
            ORDER BY RAND() LIMIT 1 FOR UPDATE;
        INSERT INTO mac_uid VALUES(
            NULL, usr_mac, INET_ATON(usr_ip), 0, UNIX_TIMESTAMP(), 0, 0, 0)
        ON DUPLICATE KEY
            UPDATE ip=IF(ip>0,ip,INET_ATON(usr_ip)), time=UNIX_TIMESTAMP();
        COMMIT;
        SELECT INET_NTOA(ip) INTO usr_ip FROM mac_uid WHERE mac=usr_mac;
    END IF;
    SELECT NULL, login, 'Framed-IP-Address', usr_ip, '=';
    SELECT NULL, login, 'Session-Timeout', '600', '=';
END$$
DELIMITER ;

DROP PROCEDURE IF EXISTS `radupdate`;
DELIMITER $$
CREATE PROCEDURE `radupdate`(
    IN login VARCHAR(64), IN ipa VARCHAR(16), IN properties VARCHAR(255))
BEGIN
    DECLARE usr_mac VARCHAR(16);
    SELECT REPLACE(login, ':', '') INTO usr_mac;
    CALL set_auth(ipa, CONCAT('mod=dhcp;user=', usr_mac, ';', REPLACE(properties,';','')));
    UPDATE mac_uid SET time=UNIX_TIMESTAMP() WHERE ip=INET_ATON(ipa) LIMIT 1;
END$$
DELIMITER ;