Category: LINUX
2009-07-11 22:55:50
Logs the reply information in detail to a file; a new file is started for each time period set by the filename pattern (here %Y%m%d, i.e. one file per day).
detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
}
This module logs packets proxied to a home server.
detail pre_proxy_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
}
This module logs response packets from a home server.
detail post_proxy_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
}
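The three detail instances above write the same on-disk format: a timestamp line, one tab-indented "Attribute = value" line per pair, and a blank line between records. The reason the config insists on 0600 is that these records carry credentials (User-Password in a proxied Access-Request, MS-MPPE keys in an Access-Accept). The following parser is an added example, not code from the original page or from FreeRADIUS; the sample detail text is constructed, and the list of sensitive attribute names is my own choice, not anything the module defines.

```python
import os
import re
import stat

# Constructed sample in the 'detail' on-disk format. Not a real log: the first
# record imitates a pre-proxy-detail entry, the second a reply-detail entry.
SAMPLE_DETAIL = (
    "Sat Jul 11 22:55:50 2009\n"
    "\tUser-Name = \"bob@example.com\"\n"
    "\tUser-Password = \"hunter2\"\n"
    "\tNAS-IP-Address = 192.168.1.10\n"
    "\tClient-IP-Address = 192.168.1.10\n"
    "\tTimestamp = 1247324150\n"
    "\n"
    "Sat Jul 11 22:55:51 2009\n"
    "\tPacket-Type = Access-Accept\n"
    "\tMS-MPPE-Send-Key = 0x8a2f13c4\n"
    "\tFramed-IP-Address = 10.1.2.3\n"
    "\tTimestamp = 1247324151\n"
    "\n"
)

PAIR_RE = re.compile(r'^\t([\w-]+)\s*=\s*(.*)$')

# Attributes whose presence turns a detail file into a credential store
# (assumed list for this example, not something rlm_detail defines).
SENSITIVE = {"User-Password", "CHAP-Password", "Tunnel-Password",
             "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key", "MS-CHAP-MPPE-Keys"}


def parse_detail(text):
    """Parse detail-file text into [{'time': str, 'attrs': [(name, value), ...]}, ...]."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                      # blank line closes a record
            if current is not None:
                records.append(current)
                current = None
            continue
        if not line.startswith("\t"):             # unindented line is the timestamp
            current = {"time": line.strip(), "attrs": []}
            continue
        m = PAIR_RE.match(line)
        if not m or current is None:
            raise ValueError(f"malformed detail line: {line!r}")
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                   # string values are quoted
        current["attrs"].append((name, value))
    if current is not None:
        records.append(current)
    return records


def sensitive_attrs(records):
    """Names of sensitive attributes present anywhere in the parsed records."""
    return {n for r in records for n, _ in r["attrs"] if n in SENSITIVE}


def perm_is_private(mode):
    """True if an st_mode has no group/other bits, i.e. it matches detailperm = 0600."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def audit_detail_file(path):
    """Report (is_private, sensitive attribute names) for one detail file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        records = parse_detail(fh.read())
    return perm_is_private(os.stat(path).st_mode), sensitive_attrs(records)


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    print(f"{len(recs)} records, sensitive attributes: {sorted(sensitive_attrs(recs))}")
```

Running audit_detail_file over every file under ${radacctdir} gives a quick check that nothing with a sensitive attribute is group- or world-readable; the Client-IP-Address directory component means there is one subdirectory per NAS to walk.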
Logging module (sql_log)
The rlm_sql_log module appends the SQL queries to a log file which is read later by the radsqlrelay program.
It only writes the SQL statements to a file; the radsqlrelay program reads them later and replays them against the database.
Unique accounting session ID module (acct_unique)
Builds a unique accounting session ID (Acct-Unique-Session-Id) from the key attributes listed below, to avoid the confusion caused by NASes that keep reusing the same Acct-Session-Id values.
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
SQL module
The database module's configuration file is pulled in with $INCLUDE.
# The following configuration file is for use with MySQL.
#
# For Postgresql, use: ${confdir}/postgresql.conf
# For MS-SQL, use: ${confdir}/mssql.conf
# For Oracle, use: ${confdir}/oraclesql.conf
$INCLUDE ${confdir}/sql.conf
radutmp module
Records which users are online: their user names and where they logged in from.
Instance 1: radutmp
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
Instance 2: "Safe" radutmp (world-readable, so it does not record caller ID)
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
Attribute filter module (attr_filter)
Filters the attributes in replies received from proxied (home) RADIUS servers, so that only attributes we are willing to pass on are sent back to our RADIUS clients; see the attrs configuration file for the rules.
attr_filter {
attrsfile = ${confdir}/attrs
}
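A remote home server is not under your control, so what it sends back in an Access-Accept (for example a Framed-IP-Address on your network, or a very long Session-Timeout) must be filtered before it reaches the NAS. The following is an added example that emulates the filtering in Python; it is not the rlm_attr_filter code and deliberately models a simplified rule set: an attribute survives only if at least one rule for that attribute allows it, where `=*` allows any value, `==` allows that exact value, `<=`/`>=` are numeric bounds and `=~` is a regular expression; attributes with no rule are dropped. The attrs text and the proxied reply are constructed; check the rlm_attr_filter documentation of your version for the exact rule-combination semantics before relying on this model.

```python
import re

# Constructed rules in the raddb/attrs format (a subset of the stock file):
# an unindented line names an entry (a realm, or DEFAULT), indented lines are rules.
ATTRS_FILE = """\
DEFAULT
\tService-Type == Framed-User,
\tService-Type == Login-User,
\tFramed-Protocol == PPP,
\tFramed-MTU >= 576,
\tFramed-Filter-ID =* ANY,
\tReply-Message =* ANY,
\tSession-Timeout <= 28800,
\tIdle-Timeout <= 600
"""

RULE_RE = re.compile(r'^\s*([\w-]+)\s*(=\*|==|<=|>=|=~)\s*(.+?)\s*,?\s*$')


def parse_attrs(text):
    """Map entry name -> list of (attribute, operator, value) rules."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                 # new entry (realm or DEFAULT)
            current = line.strip()
            entries[current] = []
            continue
        m = RULE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"bad rule line: {line!r}")
        attr, op, value = m.groups()
        entries[current].append((attr, op, value.strip('"')))
    return entries


def _rule_allows(op, wanted, have):
    """Does one rule allow the value 'have' (simplified model, see lead-in)."""
    if op == "=*":
        return True
    if op == "==":
        return str(have) == wanted
    if op == "=~":
        return re.search(wanted, str(have)) is not None
    try:
        have_n, wanted_n = int(have), int(wanted)
    except (TypeError, ValueError):
        return False                               # non-numeric value for a numeric bound
    return have_n <= wanted_n if op == "<=" else have_n >= wanted_n


def filter_reply(reply, entries, realm=None):
    """Split a proxied reply (list of (attr, value)) into (kept, dropped)."""
    rules = entries.get(realm) or entries["DEFAULT"]
    kept, dropped = [], []
    for attr, value in reply:
        matching = [r for r in rules if r[0] == attr]
        if any(_rule_allows(op, wanted, value) for _, op, wanted in matching):
            kept.append((attr, value))
        else:
            dropped.append((attr, value))          # unlisted or out of bounds
    return kept, dropped


# Constructed Access-Accept as it might come back from a home server.
PROXIED_REPLY = [
    ("Service-Type", "Framed-User"),
    ("Framed-IP-Address", "10.0.0.5"),     # not in the rules: must not reach the NAS
    ("Session-Timeout", 86400),            # above the 28800 bound: dropped
    ("Reply-Message", "welcome"),
    ("Framed-MTU", 1500),
    ("Idle-Timeout", 300),
]

if __name__ == "__main__":
    kept, dropped = filter_reply(PROXIED_REPLY, parse_attrs(ATTRS_FILE))
    print("kept:", kept)
    print("dropped:", dropped)
```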
Counter module (counter)
Takes one attribute from the accounting packets (count-attribute) and sums its values per key (here per User-Name), resetting the total at the configured interval; the total is compared against the check item (check-name) on the next login.
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
SQL counter module (sqlcounter)
All the information this module needs is already stored in the radacct table. It does not insert or update rows itself; it relies entirely on the SQL module to process the accounting packets (see chapter 7, the analysis of the SQL module configuration).
Example 1
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
Example 2
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
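The two sqlcounter queries (and the counter module above, which accumulates the same Acct-Session-Time per User-Name) are easier to reason about when the expansions are spelled out: %k is the key attribute, %b is the Unix time at which the current reset period began, and the GREATEST(...) term clips a session that started before the reset so that only the part after the boundary is counted, while a session that ended at or before the boundary is excluded by the WHERE clause. The Python below is an added example that reproduces that arithmetic over constructed radacct rows; it is not the module's code. The reference time is the post's own timestamp taken as UTC, the rows are invented, and the check_limit function models what sqlcounter does with the result (reject when the limit is used up, otherwise hand back the remaining seconds as Session-Timeout).

```python
from datetime import datetime, timezone

# Reference "now" for the example: the post's own timestamp, taken as UTC.
NOW = datetime(2009, 7, 11, 22, 55, 50, tzinfo=timezone.utc)

# Constructed radacct rows: UserName, AcctStartTime as Unix time, AcctSessionTime.
DAY_START = 1247270400                     # 2009-07-11 00:00:00 UTC
RADACCT = [
    {"UserName": "bob",   "AcctStartTime": DAY_START - 3600,  "AcctSessionTime": 7200},  # straddles midnight
    {"UserName": "bob",   "AcctStartTime": DAY_START + 36000, "AcctSessionTime": 1800},  # entirely today
    {"UserName": "bob",   "AcctStartTime": DAY_START - 7200,  "AcctSessionTime": 3600},  # ended exactly at midnight
    {"UserName": "alice", "AcctStartTime": DAY_START + 100,   "AcctSessionTime": 600},
]


def reset_boundary(now, reset):
    """%b: Unix time at which the current reset period began (hourly/daily/monthly/never)."""
    if reset == "never":
        return 0
    if reset == "hourly":
        start = now.replace(minute=0, second=0, microsecond=0)
    elif reset == "daily":
        start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    elif reset == "monthly":
        start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    else:
        raise ValueError(f"reset value not modelled here: {reset}")
    return int(start.timestamp())


def counted_seconds(rows, username, b):
    """SUM(AcctSessionTime - GREATEST(b - start, 0)) over rows with start + duration > b."""
    total = 0
    for row in rows:
        if row["UserName"] != username:             # WHERE UserName='%{%k}'
            continue
        start, duration = row["AcctStartTime"], row["AcctSessionTime"]
        if start + duration <= b:                   # ended before the reset: not counted
            continue
        total += duration - max(b - start, 0)       # clip the part before the reset
    return total


def check_limit(rows, username, now, reset, max_seconds):
    """Compare the counter with the check item; ('reject', 0) or ('ok', remaining)."""
    used = counted_seconds(rows, username, reset_boundary(now, reset))
    remaining = max_seconds - used
    if remaining <= 0:
        return ("reject", 0)
    return ("ok", remaining)                        # remaining becomes Session-Timeout


if __name__ == "__main__":
    for reset in ("daily", "monthly"):
        b = reset_boundary(NOW, reset)
        print(reset, "%b =", b, "bob used", counted_seconds(RADACCT, "bob", b), "s")
    print("Max-Daily-Session 7200 ->", check_limit(RADACCT, "bob", NOW, "daily", 7200))
```

One caveat the query itself shows: a session that is still open has no AcctStopTime, and whether AcctSessionTime is maintained for it depends on how the SQL module records interim updates, so the counter can lag behind real usage until the next Interim-Update or Stop arrives.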
always module
The always module is for testing: it does nothing except return the configured return code.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr module
This module is useful only for 'xlat'.
expr {
}
digest module
Not configured at present.
"Digest" authentication against a Cisco SIP server.
External program execution module (exec)
This module is useful only for 'xlat'.
The output of an external program can be assigned to an attribute value,
e.g. Attribute-Name = `%{exec:/path/to/program args}`
exec {
wait = yes
input_pairs = request
}
Example: this is a more general example of the exec module.
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
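With `wait = yes` and `input_pairs = request`, rlm_exec runs the program, passes the request attributes to it, reads "Attribute = value" lines from its standard output as `output_pairs`, and maps the exit status to a module return code (0 = ok, 1 = reject, 2 = fail, per the rlm_exec documentation for FreeRADIUS 2 and 3; confirm against the version you run). The attributes are passed as environment variables with the name uppercased and '-' replaced by '_' (so User-Name arrives as USER_NAME); reading them from the environment, rather than interpolating them into a shell command, is what keeps attacker-controlled attribute values from becoming shell syntax. The script below is an added example of such a program, not code from the page or from FreeRADIUS; the allow-list, the set of environment names it looks for and the reply attributes it emits are all assumptions for illustration.

```python
#!/usr/bin/env python3
"""Example rlm_exec program: decide on a user from the exported request attributes."""
import os
import sys

# Constructed allow-list: user name -> Session-Timeout in seconds (assumption).
ALLOWED = {"bob": 3600, "alice": 7200}

# Assumed mapping of rlm_exec environment names back to attribute names.
ENV_TO_ATTR = {
    "USER_NAME": "User-Name",
    "NAS_IP_ADDRESS": "NAS-IP-Address",
    "CALLING_STATION_ID": "Calling-Station-Id",
}

EXIT_OK, EXIT_REJECT, EXIT_FAIL = 0, 1, 2


def pairs_from_env(env):
    """Recover the request attributes rlm_exec exported into the environment."""
    return {ENV_TO_ATTR[k]: v for k, v in env.items() if k in ENV_TO_ATTR}


def format_pair(attr, value):
    """Render one output pair as an 'Attr = value' line; strings are quoted and escaped
    so that a user-controlled value cannot smuggle in a second pair or break the quoting."""
    if isinstance(value, int):
        return f"{attr} = {value}"
    safe = (str(value).replace("\\", "\\\\").replace('"', '\\"')
            .replace("\n", " ").replace("\r", " "))
    return f'{attr} = "{safe}"'


def decide(env):
    """Return (exit_code, [(attr, value), ...]) for the request described by env."""
    request = pairs_from_env(env)
    user = request.get("User-Name", "")
    if user not in ALLOWED:
        return EXIT_REJECT, [("Reply-Message", f"unknown user {user}")]
    return EXIT_OK, [("Session-Timeout", ALLOWED[user]),
                     ("Reply-Message", f"welcome {user}")]


if __name__ == "__main__":
    try:
        code, pairs = decide(os.environ)
    except Exception as exc:                    # anything unexpected: 'fail', never 'ok'
        print(f'Reply-Message = "exec error: {exc}"', file=sys.stderr)
        sys.exit(EXIT_FAIL)
    print("\n".join(format_pair(a, v) for a, v in pairs))
    sys.exit(code)
```

The same script works for the `%{exec:/path/to/program args}` xlat form, where what it prints becomes the expanded string; there the exit code is not turned into a module return code, so a reject decision must be expressed in the output instead.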
IP address pool module (ippool)
Server-side IP address pool management; the instance should be listed in both the post-auth section (to hand out an address) and the accounting section (to take it back on a Stop record).
Example:
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
Key sections
Instantiation section (instantiate)
The purpose of this section is to load modules: those listed here are instantiated before the modules in the authorize, authenticate, etc. sections. It is not strictly necessary, but it is how modules that are only used via 'xlat' (such as exec and expr) and therefore appear in no other section get loaded.
instantiate {
exec
expr
}
authorize section
The preprocess module takes care of sanitizing some bizarre attributes in the request, and turning them into attributes which are more standard. It takes care of processing the 'raddb/hints' and the 'raddb/huntgroups' files. It also adds the %{Client-IP-Address} attribute to the request.
authorize {
preprocess
# auth_log
# attr_filter
chap
mschap
# digest
# IPASS
suffix
# ntdomain
eap
files
sql
# etc_smbpasswd
# ldap
# daily
# checkval
}
authenticate section
This section lists the modules available for authentication, but they are not tried in order. Instead, the authorize section sets the configuration attribute 'Auth-Type := FOO', and that authentication type selects the matching module (or Auth-Type sub-section) from the list here. As a rule you should not set Auth-Type yourself: the server works it out and does the right thing. The most common effect of setting Auth-Type incorrectly is that only one authentication method works and all the others fail.
The usual reasons for setting Auth-Type by hand are to force a user to be rejected, or to force a user to be accepted.
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
# digest
# pam
unix
# Auth-Type LDAP {
# ldap
# }
eap
}
preacct section
Pre-accounting: decides which accounting type to use.
preacct {
preprocess
acct_unique
# IPASS
suffix
# ntdomain
files
}
accounting section
accounting {
# Create a detailed log of the packets.
# Accounting requests that are proxied are also logged in the detail file.
detail
# daily
# Update the wtmp file
#
# If you don't use radlast, you can remove the following line.
unix
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp
# Return an address to the IP Pool when we see a stop record.
# main_pool
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
# sql_log
# Cisco VoIP specific bulk accounting
# pgsql-voip
}
session section
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
# sql
}
post-auth section
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool
#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
# reply_log
#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
# sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
# Uncomment the following and set the module name to the ldap instance
# name if you have set 'edir_account_policy_check = yes' in the ldap
# module sub-section of the 'modules' section.
# Post-Auth-Type REJECT {
# insert-module-name-here
# }
}
1.4.8 pre-proxy section
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
pre-proxy {
# attr_rewrite
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}
post-proxy section
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log
# attr_rewrite
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
}