Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: shanen on January 17, 2005, 10:08:09 AM
-
Hi all,
I have been playing with the radius contrib and can say that it works nicely...Thanks
After hacking and googling around, I am yet to make SQL do the authentication. The reason I am interested in this is because there is a web GUI called "dialup_admin" that allows you to add users and view statistics on traffic and other cool stuff.
As Monowall has a built in captive portal, you can force users to authenticate against your radius enabled SME server and even send accounting info to the SQL database.
The SME Radius RPM is using "Unix" users to authenticate...
Does anybody have a use for this?
Shane
-
If I remember correctly - sql is supported in the package. You need to disable the unix passwords method of authentication for sql to work.
I played with dialup_admin briefly for our wireless gear and it worked. I promptly lost interest after xmas.
-
Hi Duncan,
I have changed the config files to use sql for authentication and accounting. When running in debug mode, I can see it query the database and return a positive result but it still bombs out.
I have pulled the freeradius maillist archives apart.
Looks like I will have to ask the gurus there, although they don't seem too helpful (some of them anyway)
There is a howto at http://www.frontios.com/freeradius.html but it still doesn't work. I am thinking that the radiusd.conf file supplied with the SME rpm is far from standard.
Anyway, I will keep plugging away
-
Check out this link as well.
http://kstadler.ch/index.php?page=dialup
Regards Duncan
-
Thanks for the link Duncan,
I finally got it going...
Needed to modify dialup admin to insert the attribute "Crypt-Password" when creating a new user
Thanks
Shane
-
No worries,
I was planning to do a dialup_admin rpm later on (Time permitting) - so I will probably post here down the track to see how you got along and what tweaks you implemented.
Regards Duncan
-
Not happy with it yet, but I will scribble some notes here when I get it right...
Shane
-
Shanen,
How's your project going?
Did you manage to get this working?
I tried following another tutorial
http://tldp.org/HOWTO/html_single/8021X-HOWTO/
but the eap support isn't included in the radius package for SME, or am I missing?
Thanks,
-
Looks like you got your answer in another post...
http://forums.contribs.org/index.php?topic=26204.0
-
Thanks for the reply Shanen,
Unfortunately no, the answer (and choice) for the other topic is only a partial resolution to my problem. It solves the routing situation, but not the authentication. Even Mikrotik requires another radius server for authentication.
Besides "that" project going, I would still like to use the same method in discussion here for my home network. I found another tutorial, by following the link on my post above, that explains how to implement Nocat http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html and that would be my next choice if I can't get an answer from you or cc_scavenger (he also was working on a similar project).
Regards,
-
Radius works fine on SME Server and once configured, will authenticate users attempting to access through a monowall box.
There are a few issues I still need to iron out and haven't had the time lately.
1. Prevent simultaneous logins.
2. Better accounting (like FreeSide)
Shane
-
Shane,
After installing Radius, you added a user to the users file with a password (same user/pass on monowall), and that's how you have it authenticating?
I really don't know how to do it, and I'll be surprised if it's that simple.
Thanks,
-
I have been using the radius contrib for about a year now with no problem. I am only authenticating mac addresses on a wireless network. What are you trying to do exactly?
I will try to help. This might help me with a free hotspot project I am working on.......
-
The radius contrib for SME server will use the standard unix passwords file on the server. If you want to use another authentication method then I suggest sql.
I used the "dialup_admin" http://sourceforge.net/projects/dialup-admin/
For testing, I created an ibay and placed the files in there. Also add the associated tables to the existing sql database.
In dialup_admin/conf/admin.conf change sql_password_attribute: User-Password to sql_password_attribute: Crypt-Password
Add information about your monowall or ap box into /etc/raddb/clients.conf
This is where you have a "shared secret" as freeradius will only accept connections from devices listed in this file and can provide the correct shared secret. (don't confuse shared secret with a password a user is providing to authenticate).
Here is a snippet from the end of my /etc/raddb/radiusd.conf.
# Authentication.
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that you have to have a module from the 'authorize' section add
# a configuration attribute 'Auth-Type := FOO'. That authentication type
# is then used to pick the appropriate module from the list below.
#
# The default Auth-Type is Local. That is, whatever is not included inside
# an authtype section will be called only if Auth-Type is set to Local.
#
# So you should do the following:
# - Set Auth-Type to an appropriate value in the authorize modules above.
# For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc.
# - After that create corresponding authtype sections in the
# authenticate section below and call the appropriate modules.
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
authtype PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
authtype CHAP {
chap
}
#
# MSCHAP authentication.
authtype MS-CHAP {
mschap
}
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
# unix
# Uncomment it if you want to use ldap for authentication
# authtype LDAP {
# ldap
# }
# eap
}
# Pre-accounting. Look for proxy realm in order of realms, then
# acct_users file, then preprocess (hints file).
preacct {
preprocess
suffix
# files
}
# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
acct_unique
detail
# counter
# unix # wtmp file
sql
radutmp
# sradutmp
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
#main_pool
}
I am currently without a monowall box to test this setup, so I am going from memory.
dialup admin will give you nice accounting information like duration and traffic for the users.
There is a lot of work to be done yet, but this should give you an idea of what's possible.
Shane
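The post above stresses that the shared secret in clients.conf is not a user password. As an added illustration (my own example code, not part of the contrib or of Shane's setup), this shows what that secret actually does in PAP: RFC 2865 hides the User-Password attribute by XORing it with MD5(secret + Request Authenticator), chained block by block, and the server undoes it with the same secret before comparing against the Crypt-Password stored in SQL. The secret "testing123" and the authenticator bytes are constructed sample values.

```python
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as done by the NAS (e.g. monowall).
    The password is padded with NULs to a multiple of 16 octets; each 16-octet block
    is XORed with MD5(secret + previous ciphertext block), where the 'previous block'
    for the first round is the 16-octet Request Authenticator from the packet header."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block          # chain on the ciphertext block, not the plaintext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as done by the RADIUS server that holds the same shared
    secret for this client. A wrong secret yields garbage, not an error, which is
    why a mismatched clients.conf entry shows up as 'wrong password' for every user.
    Trailing NUL padding is stripped (passwords ending in NUL are not supported)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample: 'testing123' is the FreeRADIUS default test secret.
    secret, ra = b"testing123", os.urandom(16)
    hidden = hide_password(b"s3cret-user-pw", secret, ra)
    print("on the wire :", hidden.hex())
    print("server sees :", reveal_password(hidden, secret, ra))
    print("wrong secret:", reveal_password(hidden, b"other", ra))
```

The radiusd.conf comments above say CHAP needs a clear-text password in the backend; this is why: CHAP never transmits the password at all, only a hash of it, so the server must hold the plaintext to recompute it, whereas PAP delivers the password (hidden as shown here) and can be checked against a crypt(3) hash.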
-
Marco,
My definite goal would be the set-up of different types of security on a wireless network. I would love to have multiple solutions for different types of customers:
-PPPoE for some
-NoCatAuth for the hotspots
-The type of radius control you well explained in another thread (I have a few clients using pico-bsd and I'm not sure if they will be able to authenticate via PPPoE, the thing fits on a floppy and runs on minimal hardware)
All that with the addition of the bandwidth control, using CBQ or HTB.
I have been doing wireless networks for more than 7 years now, and pretty much know everything about the wireless connections. The band control and client authentication is the field that I need to master.
I took a job from a small ISP where I plan on providing this type of control, and the best: I need to provide something such as SME for the ease of use, graphical set up, etc.
For the radius I was thinking about the DialUp admin.
Let me know your thoughts!
Thanks,
-
Stuntshell,
I currently use a SME 6.X server for radius authentication (mac address of client only) and bandwidth management (including port limiting) using cbq. I am using another SME 6.X server for a caching gateway (squid setup to use a 20GB cache directory on a separate drive to cache anything and everything 128MB and smaller as well as setup with 8192 available file descriptors). I am also using another SME 6.X server as a DNS server.
We authenticate both the wireless client device and the router (by hand). We also setup the bandwidth management (by hand). I have been reluctant (ok, lazy) to change because I have been doing it this way for a while. I have not tried dialup admin, but will try it tonight on a test server. I am looking into trying to create a server panel for cbq and radius, but am still trying to learn how the panels are created.
I am looking at monowall for the captive portal, but I have only played with it for a couple of hours. I will probably be ordering something in an itx form factor for the monowall box or possibly using some embedded board like a wrap board.
I will post something here about dialup admin, and what it takes to get it to work with the sme-radius contrib.
Sorry for the long story...
-
yeah, ok, dialup admin is beyond me....I think I will stay with editing files by hand. :-)
-
cc_skavenger,
I followed the instructions given by Shane (Thanks a lot!!!) , and recorded my "step by step", so it'll be easier to make it work:
1-Added an ibay[dialadmin in my case] and made execution of dynamic content possible.
2-Downloaded the DialupAdmin and uncompressed to the html folder.
4-In the command line, changed to the sql directory and added the tables to the Radius Database:
cd /home/e-smith/files/ibays/dialadmin/html/sql
[root@brio sql]# mysql radius < userinfo.sql
[root@brio sql]# mysql radius < badusers.sql
[root@brio sql]# mysql radius < mtotacct.sql
[root@brio sql]# mysql radius < totacct.sql
5-Now it's time to edit the admin.conf inside the conf directory:
Things to change:
general_base_dir: /home/e-smith/files/ibays/dialadmin/html/
general_radiusd_base_dir: /usr/sbin/radiusd
general_domain: mydomain.homeunix.net
general_radius_server_secret testing123 "this is the default FreeRadius secret"
sql_password_attribute: Crypt-Password
6-Modify the info of the sql database to fit yours, mine is radius for the database and the user (I'm using the RPM radius package), I used phpmyadmin to reset the user password and added here as well.
Now if I go to my server at:
http://SME/dialadmin/htdocs/
it works!
-
Are you using the server in server only mode or server/gateway mode?
-
Server gateway, and when I created the iBay I restricted the access to only-local.
-
ok, will give it a shot later tonight...
thanks
-
Hi
I have completed the dialupadmin as per this thread and it seems to be working except it says can not connect to database.
I think I have this next bit wrong since I played with it.
I am using sme7.0 alpha3
# This variable is used by the scripts in the bin folder
# It should contain the path to the sql binary used to run
# sql commands (mysql and psql are only supported for now)
sql_command: /usr/bin/mysql
What should it be... I cannot find it
Cheers
From Brain Dead Man
-
Did you edit the admin.conf and set the database variables?
Lines 168, 169, 170
sql_username:
sql_password:
sql_database:
Shane
-
Hi all
sme-radius-1.0-1.i386.rpm is missing one important feature if you require pre paid cards for your wifi hotspot. Accounting "time to finish". (counter).
The dialup_admin interface makes it easy for us to add users but we have little control over their usage. Sure we can see their usage and we can make them time out or have timed sessions, but they can just log back in again.
Hmmm. Seems to run ok on SME 7 with Freeradius RHEL rpms.
I'll keep you posted
Shane