5
Version 0.1 Sun Oct 26 04:03:00 EET 2003
9
1.1 Obtaining Dialup Admin
11
1.3 Installing & System Configuration
12
1.3.1 Unpacking & Installation
13
1.3.2 Apache Configuration
14
1.3.2.1 Enabling PHP Support On Apache
15
1.3.2.2 Creating a more secure web interface
16
1.3.3 Creating the mySQL Tables
19
2.1 Configuration Options
22
2.1.3 LDAP/SQL Options
25
2.1.6 Encryption Methods
26
2.1.7 NAS Informations
30
2.1.11 Various Options
32
2.2.1 The snmpfinger script
33
2.2.2 The log_badlogins script
34
2.2.3 The clean_radacct script
35
2.2.4 The truncate_radacct script
36
2.2.5 The tot_stats script
37
2.2.6 The monthly_tot_stats script
43
3.1 When I try to access some page I see the php code instead of html
44
3.2 When an attribute contains double (") or single (') quotes
46
3.3 Even though I have uncommented Dialup-Access in user_edits.attrs,
47
when editing a user, that field is not available...
48
3.4 Why do the personal information fields show multiple entries for
49
attributes like name, department, etc in the user_admin page?
50
3.5 After I make a few changes in one of the configuration files
51
things only work like they worked before
52
3.6 It is still not working
59
This section will take you step by step to create system suitable for
60
dialup admin to run properly.
63
[1.1] Obtaining Dialup Admin
65
There are three ways to obtain the dialup admin package.
67
Either download the latest FreeRadius package which most likely contains
68
the latest dialup admin available. The FreeRadius Package can be obtained
69
through ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.2.tar.gz
70
which is the current FreeRadius package at the time of writting.
72
Dialup Admin has it's own web page hosted at Sourceforge at
73
http://sourceforge.net/projects/dialup-admin/
74
Though that page is not updated very often. The primary store for dialupadmin
75
is the freeradius CVS tree so the latest version will always be contained there
77
Finally one could get the cvs version of Dialup Admin by issuing the
80
shell> cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/dialup-admin login
82
* When prompted for a password simply press the Enter Key
84
shell> cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/dialup-admin co dialup_admin
88
Dialup Admin requires the following in order to have full functionality:
89
o PHP Obtained at: http://www.php.net
90
o Date::Manip Perl Module Obtained at: http://www.cise.ufl.edu/~sbeck/
92
[1.3] Installing & System Configuration
94
At this point we presume that either you have successfully installed PHP and
95
Date::Manip Perl Module or that your distribution has came with both of them
96
precompiled and already installed.
98
[1.3.1] Unpacking and installation
100
In order to install the dialup admin first of all the package must be
101
uncompressed presuming that we have it in a .tar.gz format and be placed
102
at a certain directory at the system
103
(Could be anything, we use /usr/local/dialup_admin)
105
shell> tar xfvz dialup_admin-X.XX.tar.gz
106
shell> mv dialup_admin /usr/local
108
The dialup admin contains a number of directories necessary for the program
109
to operate. Let's concentrate on the htdocs directory. This directory
110
contains the php scripts needed. In order to have it accessable through
111
our web server we must set a symbolic link between the two locations.
112
We presume that the DefaultRoot of the Apache Web Server is /var/www/htdocs
114
shell> ln -s /usr/local/dialup_admin/htdocs /var/www/htdocs/dialup
116
[1.3.2] Apache Configuration
118
[1.3.2.1] Enabling PHP Support on Apache
120
Apache must be configured to execute PHP scripts. In order to do so locate
121
the httpd.conf file (for Slackware Linux this is /etc/apache). We must
122
enter the following lines inside the httpd.conf
124
LoadModule php4_module libexec/libphp4.so
126
AddType application/x-httpd-php .php
127
AddType application/x-httpd-php .php3 # This is most important since many of the PHP scripts of Dialup Admin have this extension
129
[1.3.2.2] Creating a more secure web interface.
131
Since dialup admin does not come with any kind of administrators authorisation
132
of its own it would be safe to protect this ourselves.
134
Add the following to your httpd.conf file:
136
<Directory /var/www/htdocs/dialup>
137
AuthName "Restricted Area"
139
AuthUserFile /var/www/.htpasswd
143
Changing of course the directory path to match yours as well as the
144
AuthUserFile argument to point to the place where the usernames/passwords
147
In order to create the htpasswd file the htpasswd utility is required
148
(It is provided with the apache web server)
150
Let's create our first user:
152
shell> htpasswd -c /var/www/.htpasswd -m administrator password
154
Note: The -c argument should not be used from that point on since it creates
157
On the next restart of apache the dialup/ directory is only accessable by a
158
username/password verification which in our case is administrator:password
160
The HTTP authentication we have just configured can be used by dialupadmin
161
when connecting to the ldap and sql databases (see sections on sql and ldap
164
At this point when we connect to the url http://localhost/dialup we should
165
see the Dialup Admin pages
167
[1.3.3] Creating the mySQL tables
169
In order to have dialup admin work to the maximum you should create a few
170
tables in your mySQL. We assume at this point you have a fair ammount of mySQL
171
knowledge and have a mySQL running somewhere on your network.
173
First of all you should create a database for all the tables to be stored into
174
it. We will call this radius.
176
shell> mysql -h mysql.host.com -u username -p
178
mysql> CREATE DATABASE radius;
181
This step is only necessary if you haven't already created a corresponding database
182
for the freeradius server.
184
At dialup_admin/sql there are four files containg the SQL command to create
185
the required tables. This is done as follows:
187
shell> mysql -h mysql.host.com -u username -p radius < badusers.sql
188
shell> mysql -h mysql.host.com -u username -p radius < mtotacct.sql
189
shell> mysql -h mysql.host.com -u username -p radius < totacct.sql
190
shell> mysql -h mysql.host.com -u username -p radius < userinfo.sql
192
The userinfo table though is only needed if you want to keep your user database in sql.
193
If you keep your users in ldap then it's not needed.
195
NOTE: Remember we named our database "radius". Have you named it somewhat
196
different replace the "radius" argument on the above commands with
202
This is the most important part of this document since the configuration must
204
The configuration file is located at dialup_admin/conf/admin.conf
206
[2.1] Configuration Options
208
A few variables must be set to the correct values in order for dialup admin
212
[2.1.1] General Options
215
General configuration options
217
> general_base_dir: /usr/local/dialup_admin
219
This is the location where we have installed dialup admin.
220
Refer to section 1.3.1 for more information
222
> general_radiusd_base_dir: /usr/local/bin
224
This is the location where the radiusd binary and various radius
225
related programs resides. Check where FreeRadius has been installed
227
> general_domain: domain.gr
229
Set the domain name of your network.
232
[2.1.2] Realms Options
235
For more informations on realms consult the documentations provided
236
with FreeRadius under the doc/ directory
238
> general_strip_realms : yes
240
Should Dialup Admin strip the realm from the username when displaying this?
241
Values: Yes / No (Default Yes)
243
> general_realm_delimiter: @
245
The delimiter used in realms. Default is @
247
> general_realm_format: suffix
249
The format of the realms. Can be either suffix (realm is after the username)
250
or prefix (realm is before the username). Default is suffix
253
[2.1.3] LDAP/SQL Options
256
Options that specifies the way dialup admin handles users. SQL or LDAP
258
> general_lib_type: sql
260
This can have as values either ldap or sql.
262
For the following values there shouldn't be any need for changes
264
> general_ldap_attrmap: /etc/raddb/ldap.attrmap
265
> general_sql_attrmap: %{general_base_dir}/conf/sql.attrmap
266
> general_extra_ldap_attrmap: %{general_base_dir}/conf/extra.ldap-attrmap
267
> general_user_edit_attrs_file: %{general_base_dir}/conf/user_edit.attrs
268
> general_sql_attrs_file: %{general_base_dir}/conf/sql.attrs
269
> general_default_file: %{general_base_dir}/conf/default.vals
275
In general the nas quering provides the dialup admin with information
276
regarding the Online Users.
278
> general_finger_type: snmp
280
What should be the default quering method of the nas. It can be 'snmp' (for snmpfinger)
281
or empty to query the radacct table without first querying the nas
283
> general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
285
This probably does not need to be changed
286
For now snmpfinger will only work with Cisco equipment.
288
> general_radclient_bin: /usr/local/bin/radclient
290
Must point to the radclient binary
292
> general_nas_type: cisco
294
Defines the nas type. This is only used by snmpfinger
295
cisco and lucent are supported for now
298
[2.1.5] Test Variables
301
The following variables which are self explained are being used while the
302
"Check Server" button is being pressed to verify that the radius server
303
is working. The username and password must be of a valid dialup account
305
> general_test_account_login: dummy
306
> general_test_account_password: dummy_password
308
> general_radius_server: localhost
310
The hostname where the FreeRadius Server runs
312
> general_radius_server_port: 1645
314
The port that FreeRadius uses on the hostname
316
> general_radius_server_auth_proto: chap
318
The method of connecting. Could be either 'chap' or 'pap'
320
> general_radius_server_secret: secret_password
322
The secret of the server that dialup admin should use while connecting.
324
NOTE: You must have a correct entry in clients.conf for the host running
325
the dialup admin. For more information consult the documentations
326
that come with FreeRadius
328
> general_auth_request_file: %{general_base_dir}/conf/auth.request
330
The file conf/auth.request contains the options passed while the
331
authentification is performed. Should you need to add anything edit this file
334
[2.1.6] Encryption Method
337
> general_encryption_method: md5
339
How the passwords of the users are stored (or should be) in the database.
340
Could be 'clear', 'md5', 'des'. See Also Section 2.1.9
343
[2.1.7] NAS Information
346
> nas1_name: host.%{general_domain}
348
The name of the NAS. Only the host must be replaced to match yours,
349
provided that the nas are on the general_domain specified above
353
The model of the NAS.
361
The port number to connect to on the NAS
363
> nas1_community: community string
365
The community string used by the nas for queries via snmp
367
> nas1_finger_type: snmp
369
The finger type for the specific nas. Comment out to use the
370
general_finger_type from above.
374
The nas type for the specific nas. Comment out to use the
375
general_nas_type from above.
381
>ldap_server: ldap.%{general_domain}
383
The ldap server to connect to
384
Both ldap_server and ldap_write_server can be a space-separated
385
list of ldap hostnames. In that case the library will try to connect
386
to the servers in the order that they appear. If the first host is down
387
ldap_connect will ask for the second ldap host and so on.
389
>ldap_write_server: master.%{general_domain}
391
There are many cases where we have a small write master and
392
a lot of fast read only replicas. If that is the case uncomment
393
ldap_write_server and point it to the write master. It will be
394
used only when writing to the directory, not when reading
396
>ldap_base: dc=company,dc=com
398
The LDAP base for the ldap searches
400
>ldap_binddn: cn=Directory Manager
401
>ldap_bindpw: XXXXXXX
403
The DN and password which will be used to bind to the LDAP server. If we don't use
404
http credentials (see below) than these setting will be used for all ldap operations
405
(both searches and modifies/adds).
407
>ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
409
The LDAP suffix under which all new user entries created through the new user
412
>ldap_default_dn: uid=default-dialup,%{ldap_base}
414
The DN of an ldap entry containing radius user settings which will be
415
applied for all users. Though these settings are applied *before* the
416
regular profile and per user settings, so they can be easily overwritten.
417
That way we could for example set Session-Timeout to 4 hours for all our users
418
and set it to a lower/higher value for specific users or groups of users
420
>ldap_regular_profile_attr: dialupregularprofile
422
The ldap attribute which if present in a user entry will contain the DN
423
of another ldap entry specifying radius user settings (check and reply items).
424
That way we can keep these settings in only one entry and assign them to each
425
user that we want through the regular profile attribute.
427
>ldap_use_http_credentials: yes
429
If set to yes then the HTTP credentials (http authentication)
430
will be used to bind to the ldap server instead of ldap_binddn
431
and ldap_bindpw directives. That way multiple admins with different rights
432
on the ldap database can connect through one dialup_admin interface.
433
The ldap_binddn and ldap_bindpw are still needed to find the DN of the user
434
to bind with (http authentication will only provide us with a
435
username). As a result the ldap_binddn should be able to do a search
436
with a filter of (uid=<username>). Normally, the anonymous (empty DN)
439
>ldap_directory_manager: cn=Directory Manager
440
>ldap_map_to_directory_manager: admin
442
If we are using http credentials we can map a specific username to the
443
directory manager entry (which usually does not correspond to a specific username)
447
Set to true to enable ldap debugging
449
>ldap_filter: (uid=%u)
451
Allow for defining the ldap filter used when searching for a user
454
%U: username provided though http authentication
456
One use of this would be to restrict access to only the user's belonging to
457
a specific administrator like this:
458
ldap_filter: (&(uid=%u)(manager=uid=%U,ou=admins,o=company,c=com))
465
The type of the database. Currenty dialup admin support mySQL ('mysql')
468
> sql_server: localhost
470
> sql_username: radius
471
> sql_password: XXXXX
473
Information regargind the SQL database such as hostname, port,
474
username and password to be used for connection
476
NOTE: The default port for mySQL is 3306 while for PostgreSQL is 5432.
477
The Username and password are ones set in the database. Creating a
478
new username is behond the scope of this documentation.
480
> sql_database: radius
482
The database where all our tables are stored. Read section 1.3.3
484
> sql_accounting_table: radacct
485
> sql_check_table: radcheck
486
> sql_groupcheck_table: radgroupcheck
487
> sql_groupreply_table: radgroupreply
488
> sql_reply_table: radreply
490
The above tables are the ones used also directly through FreeRadius.
491
The SQL file containing the way to create these tables are at
492
freeradius-x.x.x/src/modules/rlm_sql/drivers/rlm_sql_<DATABASE TYPE>/db_<DATABASE_TYPE>.sql
494
For more information consult the documentation of FreeRadius
496
> sql_badusers_table: badusers
497
> sql_user_info_table: userinfo
498
> sql_usergroup_table: usergroup
499
> sql_total_accounting_table: totacct
501
These are the tables created during section 1.3.3.
502
There shouldn't be any need to change those
504
> sql_use_user_info_table: true
505
> sql_use_operators: true
507
Could be true or false
509
> sql_default_user_profile: DEFAULT
511
Set this to the value of the default_user_profile in your sql.conf if
512
that one is set. If it is not set leave blank or commented out
514
> sql_password_attribute: User-Password
516
The password attribute. Should be User-Password if encryption method
517
is clear (See section 2.1.6) or Crypt-Password if either md5 or des is choosed
519
> sql_date_format: Y-m-d
520
> sql_full_date_format: Y-m-d H:i:s
526
The row limit used in the accounting page in order to limit the output
528
> sql_connect_timeout: 3
529
> sql_extra_servers: sql2.company.com sql3.company.com
531
The above options are used by bin/log_badlogins (See Section 2.x.x)
532
The sql_connect_timeout is also used by the mysql driver and the sql_extra_servers
533
is also used when adding users in the badusers table
537
Set to true to enable SQL debugging
539
> sql_use_http_credentials: no
541
If set to yes then the HTTP credentials (http authentication) will be used
542
to connect to the sql server instead of sql_username and sql_password.
543
That way multiple admins with different rights on the sql database can
544
connect through one dialup_admin interface.
546
> sql_command: /usr/local/bin/mysql
547
This variable is used by the scripts in the bin folder
548
It should contain the path to the sql binary used to run
549
sql commands (mysql is only supported for now)
552
[2.1.10] Limits Timers
554
> counter_default_daily: 14400
555
> counter_default_weekly: 72000
556
> counter_default_monthly: none
558
The dialup limit displayed on the Dialup Admin. Set to none for no limit
561
[2.1.11] Various Options
564
> general_accounting_info_order: desc
566
Can be either asc (older dates first) or desc (recent dates first)
568
> general_stats_use_totacct: no
570
Use the totacct table for statistics
572
> general_use_session: yes
574
Set it to yes to use sessions and cache the various mappings. You can also
575
set use_session = 1 in config.php3 to also cache the admin.conf
577
NOTE: Remember to use the 'Clear Cache' page if you use sessions and
578
do any changes in any of the configuration files.
580
> general_most_recent_fl: 30
582
This is used by the failed logins page. It states the default back time
585
> general_prefered_lang: el
586
> general_prefered_lang_name: Greek
588
It can be default or whatever language. Only greek are supported from
589
non latin alphabet languages. These attribute only apply for ldap not for sql
591
> general_charset: iso-8859-1
593
The charset which will be added as a meta tag in all pages
595
> general_decode_normal_attributes: no
597
Uncomment this if normal attributes (not the ;lang-xx ones) in ldap
601
[2.2] The bin/ scripts
604
[2.2.1] The snmpfinger script
606
This script make an snmp request to the nas server to retrieve
607
the online users directly from the NAS and is being used by dialup admin
608
when general_finger_type: snmp is set (or the per nas equivelant
609
directive). (See section 2.1.4).
611
You also must have installed the net-snmp package obtained at
612
http://www.net-snmp.org
614
The snmpfinger script must be edited in order to point to the correct
617
Edit the line $SNMPWALK="/usr/local/bin/snmpwalk"; to represent the location
620
Besides that the snmpfinger uses MIBs only for the CISCO XXXX NAS or for Lucent
621
equipment (at least for the MAX 3000) which may not work if your NAS is different.
623
However the snmpfinger is not actually required if your accounting
626
[2.2.2] The log_badlogins script
628
The log_badlogins scripts actually does a tail -f to the radius.log and
629
intercepts any authentification failure and passes it to the database.
630
If you are interested in having the Failed Logins on the Dialup Admin
631
you should execute it once like this:
633
bin/log_badlogins /var/log/radius/radius.log /usr/local/dialup_admin/conf/admin.conf&
635
Of cource the proper file locations must be set
637
Also log_badlogins will concatenate the client shortname and the general_domain variable
638
defined in admin.conf in order to find the nas ip address. So it is important to make sure
639
that $client_shortname.$domain resolves to the correct nas ip address.
640
regular expression matching is also supported. If the $regexp variable is set then
641
only failed login lines matching the regular expression will be logged.
643
[2.2.3] The clean_radacct script
645
The clean_radacct script can be used to clear the database of stale open sessions
646
(sessions for which an Accounting-Stop has not been received hence they remain open)
647
The $back_days variable can be changed to specify how many days we should leave the
648
sessions open before removing them. Make sure though that all your user sesions are
649
short lived (no DSL users for example) before using the script. If that is not the
650
case edit the sql query to only match short lived sessions (depending on the NAS-Port-Type
653
[2.2.4] The truncate_radacct script
655
The truncate_radacct script can be used to delete all sessions which are older than a
656
specified number of days. This number can be changed through the $back_days variable.
657
The script will do a lock tables so make sure you run it during the night when the traffic
658
is low. It will also only delete *closed* session, so the clean_radacct script should be
659
used together to clear the possible open sessions.
661
[2.2.4] The tot_stats script
663
This script will log aggregated per user information in the totacct table. It will log a row
664
per user, per day. It should be run *once* every day to create the corresponding entries in
665
the totacct table. The general_stats_use_totacct configuration directive could then be set to
666
yes in order for the statistics page to use the totacct table instead of the radacct table.
668
[2.2.5] The monthly_tot_stats script
670
This script can be used to aggregate the information from the totacct table into the mtotacct table
671
creating aggregated accounting information for each spaning in one month period. If the current
672
month has not ended it will log information up to the current month day. It should be run once
673
a day to create the corresponding entries in the mtotacct table.
676
[2.3] User Attributes
678
First of all check conf/user_edit.atts and see if the attribute you are
679
interested in is commented out. If it is just enable it by uncommenting it.
680
If the attribute is not included in the file add it.
682
If you use SQL check conf/sql.attrmap. Attributes that are not contained in this file
683
are assumed to be reply items and map to the same name as the one used by dialup_admin
685
If you use LDAP check ${freeradius_install_dir}/etc/raddb/ldap.attrmap
686
and check if the attribute is included in the attribute mapping.
688
If it is not then add it there also.Everything should work ok after that.
692
The above sections should propably have brought you to a working dialup admin.
693
Note however that if you are interested in logging the failed logins
694
(See section 2.3.2) you should execute the log_badlogins each time
699
--------------------------
701
[3.1] When I try to access some page I see the php code instead of html
705
[3.2] When an attribute contains double (") or single (') quotes
708
Make sure that magic quotes in PHP are turned off
710
[3.3] Even though I have uncommented Dialup-Access in user_edits.attrs,
711
when editing a user, that field is not available...
713
...Is this because in sql.attrmap
716
checkItem Dialup-Access none
718
What should the attribute be?
720
Dialup-Access is an attribute used by the ldap module. It is not implemented in the sql module, that's why the mapping is set to none.
721
You could set Auth-Type to Reject instead.
723
[3.4] Why do the personal information fields show multiple entries for
724
attributes like name, department, etc in the user_admin page?
726
Set general_prefered_lang to en
728
[3.5] After I make a few changes in one of the configuration files things
729
only work like they worked before
731
If you are using sessions then remember to use the 'Clear Cache' page after
732
making any changes. See Section 2.1.11
734
[3.6] It is still not working
736
Check that the register_globals in php.ini is set to on. As of PHP 4.2.0
737
this is set to off by default. The latest versions of dialup_admin will work
738
even if register_globals is set to off if the php version is > 4.1.0
739
(Thanks to Evren Yurtesen <eyurtese@turkuamk.fi> for the suggestion).
741
In latest versions you can also enable sql debug (sql_debug: true)
742
and ldap debug (ldap_debug: true)
746
---------------------------------
748
This document is distributed under the terms of the GPL (GNU Public License).
749
Paris Stamatopoulos <mobius@hack.gr> (main author)
750
Kostas Kalevras <kkalev@noc.ntua.gr> (a few additions)
added
removed
dialup_admin/doc/HOWTO
