
/etc/raddb/sites-available/default authorize section

authorize {
    filter_username
    preprocess
    chap
    mschap

    sql # -sql
    expiration
    logintime

    # Time limit, measured from the user's login time (sqlcounter "accessperiod").
    # "reject = 1" overrides the return-code priority so that a reject from the
    # counter does not end the section at once; the if (reject) block below then
    # attaches the Reply-Message and issues the actual reject.
    accessperiod {
        reject = 1
    }
    if (reject) {
        update reply {
            Reply-Message := "CVS REJECT - You have reached your uptime limit"
        }
        reject
    }

    # Usage limit (sqlcounter "totalbytecounter"): once it is exceeded the user
    # is not rejected but throttled to 96k/96k.
    totalbytecounter {
        reject = 1
    }
    if (reject) {
        # "ok" replaces the counter's reject and the trailing "reject" is commented
        # out, so this branch sends the rate limit and processing continues.
        # NOTE(review): the Reply-Message still says "REJECT" although the request
        # is not rejected here; the 96k/96k value is also hard-coded, while the
        # accounting section on this page reads the throttle from the "fup" table.
        # Confirm which of the two is meant to be authoritative.
        ok
        update reply {
            Mikrotik-Rate-Limit := "96k/96k"
            Reply-Message := "CVS REJECT - You have reached your bandwidth limit"
        }
        # reject
    }

    pap

}
/etc/raddb/sites-available/default accounting section
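accounting {
    detail
    radutmp
    sql #-sql
    attr_filter.accounting_response

    # Over Quota Limitation
    #
    # The quoted queries below were split across lines by the page layout; they
    # are rejoined here so that each string literal sits on one line.
    #
    # %{User-Name} and %{Acct-Session-Id} are taken from the packet sent by the
    # NAS and are substituted into SQL text. rlm_sql escapes expanded attributes
    # inside %{sql:...}; keep the sql module's safe_characters setting restrictive
    # so that quoting characters in these values stay escaped.
    update control {

        # Used quota: input + output octets of the sessions started today
        # (acctstarttime >= CURDATE()).
        # NOTE(review): the totalbytecounter sqlcounter on this page sums all
        # sessions with reset = never, so the two checks measure different
        # periods - confirm which is intended.
        # NOTE(review): if Tmp-Integer-0 is a 32-bit integer on this build, a
        # byte total above roughly 4.29 GB will not fit - confirm the type.
        Tmp-Integer-0 := "%{sql:SELECT (SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total FROM radacct where acctstarttime >= CURDATE() AND radacct.username='%{User-Name}'}"

        # FUP bandwidth limit, stored in a separate table. The original comment
        # says 512k; the debug output on this page shows the query returning
        # 96k/96k. The per-user filter is commented out, so the same row applies
        # to every user.
        Tmp-String-5 := "%{sql: SELECT value FROM fup WHERE attribute='Mikrotik-Rate-Limit'}" ## AND username='%{User-Name}'}"

        # Quota allowed for this user.
        # NOTE(review): a user without a Mikrotik-Total-Limit row yields an empty
        # value here; verify what the comparison below does in that case.
        Tmp-String-1 := "%{sql: SELECT value FROM radcheck WHERE attribute='Mikrotik-Total-Limit' AND username='%{User-Name}'}"

        # NOTE(review): Tmp-String-3 is assigned but not read anywhere in this
        # section.
        Tmp-String-3 := "%{sql:select calledstationid from radacct where acctsessionid='%{Acct-Session-Id}'}"

    }

    # NOTE(review): both operands are quoted expansions. If the server compares
    # them as strings rather than as numbers, a used value of 9000000 would sort
    # above a limit of 10000000. The two samples in the debug output
    # (0 and 145687501 against 10000000) give the same result either way, so they
    # do not settle it - confirm that the comparison is numeric.
    if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}"){

        # Send a CoA-Request carrying the FUP rate limit to the NAS for this session.
        # NOTE(review): in the radiusd -X output on this page the NAS answers this
        # request with CoA-NAK, Error-Cause = Unsupported-Extension, so the
        # throttle is not confirmed by the NAS in that trace.
        update coa {
            User-Name = "%{User-Name}"
            Acct-Session-Id = "%{Acct-Session-Id}"
            NAS-IP-Address = "%{NAS-IP-Address}"
            Framed-IP-Address = "%{Framed-IP-Address}"
            Mikrotik-Rate-Limit = "%{control:Tmp-String-5}"
        }
    }
}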
/etc/raddb/mods-available/sqlcounter totalbytecounter and accessperiod section
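# Usage counter: total input + output octets recorded in radacct for the user,
# checked against the Mikrotik-Total-Limit check item.
sqlcounter totalbytecounter {
    sql_module_instance = sql
    dialect = ${modules.sql.dialect}

    counter_name = Mikrotik-Total-Limit
    check_name = Mikrotik-Total-Limit
    #reply_name = Mikrotik-Total-Limit
    key = User-Name

    # Never reset: the query below sums every radacct row for the user.
    # NOTE(review): the accounting section on this page only sums sessions
    # started today (CURDATE()); confirm which period the quota should cover.
    reset = never

    # The query was split over several lines by the page layout; it is rejoined
    # here so that the quoted string sits on one line.
    query = "SELECT ((SUM(AcctInputOctets)+SUM(AcctOutputOctets))) FROM radacct WHERE UserName='%{${key}}'"
}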

# Access-period counter: the query result is checked against the user's
# Access-Period check item. In the debug output on this page a counter value of
# 759 against Access-Period 600 leads to a reject.
sqlcounter accessperiod {
    sql_module_instance = sql
    dialect = ${modules.sql.dialect}

    key = User-Name
    reset = never

    counter_name = Max-Access-Period-Time
    check_name = Access-Period
    reply_name = Session-Timeout

    # Seconds elapsed since AcctStartTime of a radacct row for this user with
    # AcctSessionTime >= 1 (ordered by AcctStartTime, LIMIT 1); 0 when no row
    # matches. Presumably this is the user's earliest session - verify against
    # the data. The string and its continuation lines are left exactly as they were.
    query = "\
SELECT IF(COUNT(radacctid>=1),(UNIX_TIMESTAMP() - IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) \
FROM radacct WHERE UserName='%{${key}}' AND AcctSessionTime >= 1 \
ORDER BY AcctStartTime \
LIMIT 1;"

}
/etc/raddb/sites-available/originate-coa
# CoA target: the NAS that receives the CoA-Requests originated by this server.
home_server example-coa {
    type = coa

    ipaddr = 172.20.63.146
    port = 3799

    # NOTE(review): this shared secret is a short word-plus-year string and is
    # shown in full on a public page. It protects the CoA channel, which can
    # change the rate limit of a live session. Use a long random secret on both
    # the server and the NAS, and replace real secrets with a placeholder before
    # posting a configuration.
    secret = radiushotspot2017

    # CoA specific parameters. See raddb/proxy.conf for details.
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}

/etc/raddb/clients.conf
# The Mikrotik NAS as a RADIUS client of this server.
client 172.20.63.146 {
    shortname = RadiusVoucher
    nastype = mikrotik

    # NOTE(review): 1700 differs from the CoA port 3799 used by the home_server
    # entry and seen in the debug output on this page; confirm what this item is
    # meant to control.
    port = 1700

    # NOTE(review): the same short, guessable secret is used for this client and
    # for the CoA home_server, and it is published here in full. Anyone who knows
    # it and can reach the server can submit requests as this NAS. Use a long
    # random value and keep it out of posted configs.
    secret = radiushotspot2017
}

# CoA home server for the Mikrotik NAS.
# NOTE(review): a home_server with the same name, address, port and secret is
# also listed under sites-available/originate-coa on this page; confirm that only
# one of the two definitions is actually loaded.
home_server example-coa {
    type = coa
    ipaddr = 172.20.63.146
    port = 3799

    # NOTE(review): short, guessable shared secret, published in full; replace it
    # with a long random value on both the server and the NAS.
    secret = radiushotspot2017

    # CoA retransmission parameters.
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
Below is my MySQL data:
>> radcheck table
MariaDB [radius]> select * from radcheck;
+----+----------+----------------------+----+-----------+
| id | username | attribute | op | value |
+----+----------+----------------------+----+-----------+
| 1 | dhitya | Cleartext-Password | := | dhitya |
| 2 | dhitya | Access-Period | := | 600 |
| 3 | dhitya | Mikrotik-Total-Limit | := | 10000000 |
| 4 | tixoez | Cleartext-Password | := | tixoez |
| 5 | tixoez | Access-Period | := | 1800 |
| 6 | tixoez | Mikrotik-Total-Limit | := | 100000000 |
+----+----------+----------------------+----+-----------+
6 rows in set (0.00 sec)

Below is my Mikrotik log:


>> It contains the "logged in" entry, the "logged out by user request" entry, and the RADIUS CoA entry (which changes Mikrotik-Rate-Limit if usage exceeds the FUP).

- The log entry saying that the RADIUS CoA succeeded appears whenever usage has exceeded the FUP and the user logs in again.
Below is my radiusd -X output:
1) on the first login
============================================================================
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (6)
(1) [sql] = ok
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response: --> dhitya
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) update control {
(1) EXPAND %{User-Name}
(1) --> dhitya
(1) SQL-User-Name set to 'dhitya'
rlm_sql (sql): Reserved connection (5)
(1) Executing select query: SELECT (SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total
FROM radacct where acctstarttime >= CURDATE() AND radacct.username='dhitya'
rlm_sql (sql): Released connection (5)
(1) EXPAND %{sql:SELECT (SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total FROM radacct
where acctstarttime >= CURDATE() AND radacct.username='%{User-Name}'}
(1) --> 0
(1) Tmp-Integer-0 := 0
(1) EXPAND %{User-Name}
(1) --> dhitya
(1) SQL-User-Name set to 'dhitya'
rlm_sql (sql): Reserved connection (6)
(1) Executing select query: SELECT value FROM fup WHERE attribute='Mikrotik-Rate-Limit'
rlm_sql (sql): Released connection (6)
(1) EXPAND %{sql: SELECT value FROM fup WHERE attribute='Mikrotik-Rate-Limit'}
(1) --> 96k/96k
(1) Tmp-String-5 := 96k/96k
(1) EXPAND %{User-Name}
(1) --> dhitya
(1) SQL-User-Name set to 'dhitya'
rlm_sql (sql): Reserved connection (5)
(1) Executing select query: SELECT value FROM radcheck WHERE attribute='Mikrotik-Total-
Limit' AND username='dhitya'
rlm_sql (sql): Released connection (5)
(1) EXPAND %{sql: SELECT value FROM radcheck WHERE attribute='Mikrotik-Total-Limit' AND
username='%{User-Name}'}
(1) --> 10000000
(1) Tmp-String-1 := 10000000
(1) EXPAND %{User-Name}
(1) --> dhitya
(1) SQL-User-Name set to 'dhitya'
rlm_sql (sql): Reserved connection (6)
(1) Executing select query: select calledstationid from radacct where
acctsessionid='80200029'
rlm_sql (sql): Released connection (6)
(1) EXPAND %{sql:select calledstationid from radacct where acctsessionid='%{Acct-Session-
Id}'}
(1) --> hotspot1
(1) Tmp-String-3 := hotspot1
(1) } # update control = noop
(1) if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}"){
(1) EXPAND %{control:Tmp-Integer-0}
(1) --> 0
(1) EXPAND %{control:Tmp-String-1}
(1) --> 10000000
(1) if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}") -> FALSE
(1) } # accounting = updated
(1) Sent Accounting-Response Id 181 from 172.20.63.147:1813 to 172.20.63.146:56395 length 0
(1) Finished request
(1) Cleaning up request packet ID 181 with timestamp +428
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 180 with timestamp +428
Ready to process requests
============================================================================
2) re-login when usage exceeds FUP
============================================================================
(5) [sql] = ok
(5) attr_filter.accounting_response: EXPAND %{User-Name}
(5) attr_filter.accounting_response: --> dhitya
(5) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(5) [attr_filter.accounting_response] = updated
(5) update control {
(5) EXPAND %{User-Name}
(5) --> dhitya
(5) SQL-User-Name set to 'dhitya'
rlm_sql (sql): Reserved connection (10)
(5) Executing select query: SELECT (SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total
FROM radacct where acctstarttime >= CURDATE() AND radacct.username='dhitya'
rlm_sql (sql): Released connection (10)
(5) EXPAND %{sql:SELECT (SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total FROM radacct
where acctstarttime >= CURDATE() AND radacct.username='%{User-Name}'}
(5) --> 145687501
(5) Tmp-Integer-0 := 145687501
(5) EXPAND %{User-Name}
(5) --> dhitya
(5) SQL-User-Name set to 'dhitya'
rlm_sql (sql): Reserved connection (11)
(5) Executing select query: SELECT value FROM fup WHERE attribute='Mikrotik-Rate-Limit'
rlm_sql (sql): Released connection (11)
(5) EXPAND %{sql: SELECT value FROM fup WHERE attribute='Mikrotik-Rate-Limit'}
(5) --> 96k/96k
(5) Tmp-String-5 := 96k/96k
(5) EXPAND %{User-Name}
(5) --> dhitya
(5) SQL-User-Name set to 'dhitya'
rlm_sql (sql): Reserved connection (10)
(5) Executing select query: SELECT value FROM radcheck WHERE attribute='Mikrotik-Total-
Limit' AND username='dhitya'
rlm_sql (sql): Released connection (10)
(5) EXPAND %{sql: SELECT value FROM radcheck WHERE attribute='Mikrotik-Total-Limit' AND
username='%{User-Name}'}
(5) --> 10000000
(5) Tmp-String-1 := 10000000
(5) EXPAND %{User-Name}
(5) --> dhitya
(5) SQL-User-Name set to 'dhitya'
rlm_sql (sql): Reserved connection (11)
(5) Executing select query: select calledstationid from radacct where
acctsessionid='8020002a'
rlm_sql (sql): Released connection (11)
(5) EXPAND %{sql:select calledstationid from radacct where acctsessionid='%{Acct-Session-
Id}'}
(5) --> hotspot1
(5) Tmp-String-3 := hotspot1
(5) } # update control = noop
(5) if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}"){
(5) EXPAND %{control:Tmp-Integer-0}
(5) --> 145687501
(5) EXPAND %{control:Tmp-String-1}
(5) --> 10000000
(5) if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}") -> TRUE
(5) if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}") {
(5) update coa {
(5) EXPAND %{User-Name}
(5) --> dhitya
(5) User-Name = dhitya
(5) EXPAND %{Acct-Session-Id}
(5) --> 8020002a
(5) Acct-Session-Id = 8020002a
(5) EXPAND %{NAS-IP-Address}
(5) --> 172.20.63.146
(5) NAS-IP-Address = 172.20.63.146
(5) EXPAND %{Framed-IP-Address}
(5) --> 10.10.3.141
(5) Framed-IP-Address = 10.10.3.141
(5) EXPAND %{control:Tmp-String-5}
(5) --> 96k/96k
(5) Mikrotik-Rate-Limit = 96k/96k
(5) } # update coa = noop
(5) } # if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}") = noop
(5) } # accounting = updated
(5) Sent CoA-Request Id 227 from 0.0.0.0:58547 to 172.20.63.146:3799 length 65
(5) User-Name = "dhitya"
(5) Acct-Session-Id = "8020002a"
(5) NAS-IP-Address = 172.20.63.146
(5) Framed-IP-Address = 10.10.3.141
(5) Mikrotik-Rate-Limit = "96k/96k"
(5) Sent Accounting-Response Id 185 from 172.20.63.147:1813 to 172.20.63.146:51215 length 0
(5) Finished request
(5) Cleaning up request packet ID 185 with timestamp +1028
Waking up in 2.1 seconds.
(5) Clearing existing &reply: attributes
(5) Received CoA-NAK Id 227 from 172.20.63.146:3799 to 172.20.63.147:58547 length 43
(5) Error-Cause = Unsupported-Extension
(5) NAS-Identifier = "Ro.HS-KOS"
(5) NAS-IP-Address = 172.20.63.146
(5) # Executing section post-proxy from file /etc/raddb/sites-enabled/default
(5) post-proxy {
(5) eap: No pre-existing handler found
(5) [eap] = noop
(5) } # post-proxy = noop
(5) Cleaning up request packet ID 185 with timestamp +1028
Ready to process requests
============================================================================
3) re-login when time limit exceeded
============================================================================
(6) [sql] = ok
(6) [expiration] = noop
(6) [logintime] = noop
sqlcounter_expand: 'SELECT IF(COUNT(radacctid>=1),(UNIX_TIMESTAMP() -
IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName='%{User-Name}' AND
AcctSessionTime >= 1 ORDER BY AcctStartTime LIMIT 1;'
(6) accessperiod: EXPAND %{User-Name}
(6) accessperiod: --> dhitya
(6) accessperiod: SQL-User-Name set to 'dhitya'
rlm_sql (sql): Reserved connection (12)
(6) accessperiod: Executing select query: SELECT IF(COUNT(radacctid>=1),(UNIX_TIMESTAMP() -
IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName='dhitya' AND
AcctSessionTime >= 1 ORDER BY AcctStartTime LIMIT 1;
rlm_sql (sql): Released connection (12)
(6) accessperiod: EXPAND %{sql:SELECT IF(COUNT(radacctid>=1),(UNIX_TIMESTAMP() -
IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName='%{User-Name}' AND
AcctSessionTime >= 1 ORDER BY AcctStartTime LIMIT 1;}
(6) accessperiod: --> 759
(6) accessperiod: ERROR: Maximum never usage time reached
(6) accessperiod: ERROR: Rejecting user, &control:Access-Period value (600) is less than counter
value (759)
(6) [accessperiod] = reject
(6) if (reject){
(6) if (reject) -> TRUE
(6) if (reject) {
(6) update reply {
(6) Reply-Message := "CVS REJECT - You have reached your uptime limit"
(6) } # update reply = noop
(6) [reject] = reject
(6) } # if (reject) = reject
(6) } # authorize = reject
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Post-Auth-Type REJECT {
(6) sql: EXPAND .query
(6) sql: --> .query
(6) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (13)
(6) sql: EXPAND %{User-Name}
(6) sql: --> dhitya
(6) sql: SQL-User-Name set to 'dhitya'
(6) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-
Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(6) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dhitya',
'0x2691a9ee145af2da846d4d8bbda8f330bc', 'Access-Reject', '2017-11-14 19:13:57.243615')
(6) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (
'dhitya', '0x2691a9ee145af2da846d4d8bbda8f330bc', 'Access-Reject', '2017-11-14 19:13:57.243615')
(6) sql: SQL query returned: success
(6) sql: 1 record(s) updated
rlm_sql (sql): Released connection (13)
(6) [sql] = ok
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> dhitya
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # Post-Auth-Type REJECT = updated
(6) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(6) (6) Discarding duplicate request from client RadiusVoucher port 36957 - ID: 186 due to
delayed response
Waking up in 0.5 seconds.
(6) (6) Discarding duplicate request from client RadiusVoucher port 36957 - ID: 186 due to
delayed response
(6) Sending delayed response
(6) Sent Access-Reject Id 186 from 172.20.63.147:1812 to 172.20.63.146:36957 length 69
(6) Reply-Message := "CVS REJECT - You have reached your uptime limit"
Waking up in 3.9 seconds.
(6) Cleaning up request packet ID 186 with timestamp +1187
Ready to process requests
============================================================================
