author | Alexander Wilke <nachtfalkeaw@web.de> | 2012-02-18 22:16:28 +0100 |
---|---|---|
committer | Alexander Wilke <nachtfalkeaw@web.de> | 2012-02-18 22:16:28 +0100 |
commit | 5284d84132fd19ba01f5a4ce6f0382b5f01e5ce5 (patch) | |
tree | bca78c5a70641c3f96f4a429a6932504142b5fbb /config/freeradius2 | |
parent | 7b5250ddad2ae8502f159f5c812fe43655f2be36 (diff) | |
- replaced the old traffic counter, which didn't work, with two shell scripts (authentication + accounting) which now work on interim-updates and start/stop updates. (start/stop isn't working correctly BECAUSE CP doesn't reset the octets between every update. Interim-Update does this)
- changed units in GUI from bits, bytes and seconds to high and better readable values
- placing all scripts (traffic counter + motp in central folder under /usr/local/etc/raddb/scripts/)
- placing files and databases for time-/traffic-counter in /var/log/radacct/ This makes it possible to use them on embedded systems because of read-write access to this folders.
Diffstat (limited to 'config/freeradius2')
-rw-r--r-- | config/freeradius2/freeradius.inc | 424 |
1 files changed, 222 insertions, 202 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index df9022c6..a8020c72 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -55,7 +55,8 @@ function freeradius_deinstall_command() { function freeradius_install_command() { global $config; - conf_mount_rw(); + conf_mount_rw(); + /* $handle = opendir(RADDB); while (false != ($file = readdir($handle))) { if (false != ($pos = strpos($file, '.sample'))) { 
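Review bot: The `.sample` cleanup loop in freeradius_install_command() is wrapped in `/* … */` (opened here, closed in the next hunk) instead of being removed, so the function now carries a dead block that every later reader has to re-evaluate. If the cleanup is no longer wanted, delete the loop together with its `closedir($handle)`; if it is still wanted on fresh installs, keep it and guard the `unlink()` with `file_exists()` as the sites-enabled cleanup below now does. The function body continues past this hunk.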
@@ -64,31 +65,34 @@ function freeradius_install_command() { unlink(RADDB . "/$file"); } } - closedir($handle); - + */ + + // We create here different folders for different counters. exec("chown -R root:wheel /usr/local/etc/raddb"); + exec("mkdir /usr/local/etc/raddb/scripts"); exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); exec("touch /var/log/radutmp && touch /var/log/radwtmp"); + exec("mkdir /var/log/radacct/datacounter/daily" && "mkdir /var/log/radacct/datacounter/weekly" && "mkdir /var/log/radacct/datacounter/monthly" && "mkdir /var/log/radacct/datacounter/forever"); + exec("mkdir /var/log/radacct/timecounter"); exec("chown -R root:wheel /var/log"); - - + // creating a backup file of the original policy.conf no matter if user checked this or not if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) { log_error("FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/policy.conf.backup"); copy("/usr/local/etc/raddb/policy.conf", "/usr/local/etc/raddb/policy.conf.backup"); } - + // creating a backup file of the original /modules/files no matter if user checked this or not if (!file_exists("/usr/local/etc/raddb/files.backup")) { log_error("FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/files.backup"); copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup"); } - + // Disable virtual-server we do not need by default - unlink("/usr/local/etc/raddb/sites-enabled/control-socket"); - unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel"); - + if (file_exists("/usr/local/etc/raddb/sites-enabled/control-socket")) { unlink("/usr/local/etc/raddb/sites-enabled/control-socket"); } + if (file_exists("/usr/local/etc/raddb/sites-enabled/inner-tunnel")) { unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel"); } + // We need some additional files in /usr/local/lib for the LDAP module. We fetch these files dependent on the architecture. 
// For i386 systems if (exec("uname -m") == "i386") { @@ -120,30 +124,35 @@ function freeradius_install_command() { exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10"); exec("chmod 0755 /usr/local/lib/libroken.so.10"); } - + // We run this here just to suppress some warnings on syslog if file doesn't exist freeradius_authorizedmacs_resync(); - - // These functions create files which we only need to do one time after installing freeradius2 package - // These two functions create the module and the dictionary entry for Mobile-One-Time-Password - freeradius_dictionary_resync(); - freeradius_modulesmotp_resync(); - freeradius_modulescounter_resync(); + + // These two functions create the module and the dictionary entry for Mobile-One-Time-Password + freeradius_dictionary_resync(); + freeradius_modulesmotp_resync(); + + // Here we create the modules and scripts for the datacounter + freeradius_modules_resync(); + freeradius_datacounter_acct_resync(); + freeradius_datacounter_auth_resync(); + + // Some initial module configuration freeradius_modulesmschap_resync(); freeradius_modulesrealm_resync(); - + freeradius_modulescounter_resync(); + // Initialize some config files - the functions below call other functions freeradius_sqlconf_resync(); freeradius_eapconf_resync(); freeradius_clients_resync(); - + $rcfile = array(); $rcfile['file'] = 'radiusd.sh'; $rcfile['start'] = '/usr/local/etc/rc.d/radiusd onestart'; $rcfile['stop'] = '/usr/local/etc/rc.d/radiusd onestop'; - conf_mount_rw(); write_rcfile($rcfile); - conf_mount_ro(); + conf_mount_ro(); start_service("radiusd"); } @@ -358,14 +367,6 @@ instantiate { weekly monthly forever - maxdailyupload - maxdailydownload - maxweeklyupload - maxweeklydownload - maxmonthlyupload - maxmonthlydownload - maxupload - maxdownload expiration logintime ### Dis-/Enable sql instatiate @@ -373,8 +374,6 @@ instantiate { } \$INCLUDE policy.conf \$INCLUDE sites-enabled/ - - EOD; conf_mount_rw(); 
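Review bot: The directory creation line `exec("mkdir /var/log/radacct/datacounter/daily" && "mkdir …/weekly" && … )` does not run four commands: PHP evaluates the `&&` chain of non-empty strings to boolean `true`, so `exec()` is handed the string `"1"` and none of the datacounter directories are created. Even with the strings joined correctly, `mkdir` without `-p` would fail because the parent `/var/log/radacct/datacounter` is never created; the per-user `max-octets-*` writes in the users/macs resync then fail silently, and datacounter_auth.sh rejects every quota-limited user because its `cat` of the missing file fails and the comparison falls into the reject branch. Create the tree from PHP with recursive `mkdir()`, guarded on `is_dir()` so a re-install is harmless. freeradius_install_command() continues outside this hunk.
```php
exec("touch /var/log/radutmp && touch /var/log/radwtmp");
// Counter state lives under /var/log/radacct so it is writable on
// installs where /usr/local/etc/raddb is read-only.
foreach (array('daily', 'weekly', 'monthly', 'forever') as $range) {
    $dir = "/var/log/radacct/datacounter/$range";
    if (!is_dir($dir)) {
        mkdir($dir, 0750, true);
    }
}
if (!is_dir('/var/log/radacct/timecounter')) {
    mkdir('/var/log/radacct/timecounter', 0750, true);
}
exec("chown -R root:wheel /var/log");
// … unchanged: policy.conf / files backups, sites-enabled cleanup …
```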
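Review bot: The install sequence calls `freeradius_modules_resync()` to write the datacounter exec modules, but the function this commit adds for that purpose is `freeradius_modulesdatacounter_resync()`; unless a `freeradius_modules_resync()` already exists elsewhere in the file and wraps it, `modules/datacounter_acct` is never written, and the accounting section of sites-available/default now references `datacounterdaily` and friends, which radiusd refuses to load when the module is undefined. Call the function by the name it is defined under: `freeradius_modulesdatacounter_resync();`. freeradius_install_command() continues outside this hunk.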
@@ -421,14 +420,22 @@ if (is_array($arrusers) && !empty($arrusers)) { $varuserssessiontimeout = $users['varuserssessiontimeout']; $varuserslogintime = $users['varuserslogintime']; $varusersvlanid = $users['varusersvlanid']; + + // GUI uses minutes but RADIUS needs seconds so we do a multiplication $varusersamountoftime = ($users['varusersamountoftime']?$users['varusersamountoftime']:''); + $varusersamountoftime = $varusersamountoftime * 60; $varuserspointoftime = $users['varuserspointoftime']; - $varusersamountofbytesinput = ($users['varusersamountofbytesinput']?$users['varusersamountofbytesinput']:''); - $varuserspointoftimebytesinput = $users['varuserspointoftimebytesinput']; - $varusersamountofbytesoutput = ($users['varusersamountofbytesoutput']?$users['varusersamountofbytesoutput']:''); - $varuserspointoftimebytesoutput = $users['varuserspointoftimebytesoutput']; + + // GUI uses MB but RADIUS needs Bytes so we do a multiplication + $varusersmaxtotaloctets = ($users['varusersmaxtotaloctets']?$users['varusersmaxtotaloctets']:''); + $varusersmaxtotaloctets = $varusersmaxtotaloctets * 1024 * 1024; + $varusersmaxtotaloctetstimerange = $users['varusersmaxtotaloctetstimerange']; + + // GUI uses KiloBit but RADIUS needs Bits so we do a multiplication $varusersmaxbandwidthup = ($users['varusersmaxbandwidthup']?$users['varusersmaxbandwidthup']:''); + $varusersmaxbandwidthup = $varusersmaxbandwidthup * 1024; $varusersmaxbandwidthdown = ($users['varusersmaxbandwidthdown']?$users['varusersmaxbandwidthdown']:''); + $varusersmaxbandwidthdown = $varusersmaxbandwidthdown * 1024; // Clear variables for next user foreach additional options TOP $varuserstopadditionaloptions = ''; 
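Review bot: The new unit conversions (`$varusersamountoftime * 60`, `* 1024 * 1024`, `* 1024`) turn the empty-string default into integer `0`, so the later `if ($varusersamountoftime != '')` guards only keep skipping the attribute because of PHP's loose `0 == ''` comparison; a non-numeric GUI value is likewise coerced to `0` and then treated as "not set", so a typo silently disables the limit instead of being reported. Validate before converting and keep the sentinel distinct from a real value, e.g. `$varusersamountoftime = is_numeric($users['varusersamountoftime']) ? (int)$users['varusersamountoftime'] * 60 : '';`, with the same shape for the octet and bandwidth fields. The foreach over $arrusers starts and ends outside this hunk.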
@@ -499,12 +506,6 @@ if (is_array($arrusers) && !empty($arrusers)) { if ($varusersamountoftime != '') { $varuserscheckitem .= ", Max-" . "$varuserspointoftime" . "-Session := " . "$varusersamountoftime"; } - if ($varusersamountofbytesinput != '') { - $varuserscheckitem .= ", Max-" . "$varuserspointoftimebytesinput" . "-Input := " . "$varusersamountofbytesinput"; - } - if ($varusersamountofbytesoutput != '') { - $varuserscheckitem .= ", Max-" . "$varuserspointoftimebytesoutput" . "-Output := " . "$varusersamountofbytesoutput"; - } if ($varusersadditionaloptionscheckitems != '') { $varuserscheckitem .= ", $varusersadditionaloptionscheckitems"; } 
@@ -550,6 +551,21 @@ if (is_array($arrusers) && !empty($arrusers)) { if ($varusersreplyitem != '') { $varusersreplyitem .=","; } $varusersreplyitem .= "\n\tWISPr-Redirection-URL := $varuserswisprredirectionurl"; } + // If an octet limit is set we create the files for the limit and the counter. Further we call an exec script which checks if the limit is reached or not + if ($varusersmaxtotaloctets != '') { + if ($varusersreplyitem != '') { $varusersreplyitem .=","; } + //create exec script + $varusersreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh ' . "$varusersusername $varusersmaxtotaloctetstimerange" . '"'; + // create limit file - will be always overwritten so we can increase limit from GUI + exec("`echo $varusersmaxtotaloctets > /var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername`"); + // if used-octets file exist we do NOT overwrite this file!!! + if (!file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername")) { exec("echo 0 > /var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername"); } + } + // If an octet limit is NOT set we delete the files for the limit and the counter. + else { + if (file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername")) { unlink("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername"); } + if (file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername")) { unlink("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername"); } + } if ($varusersadditionaloptionsreplyitems != '') { if ($varusersreplyitem != '') { $varusersreplyitem .=","; } $varusersreplyitem .= "\n\t$varusersadditionaloptionsreplyitems"; 
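Review bot: The limit file is written with `exec("\`echo $varusersmaxtotaloctets > /var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername\`")`, which interpolates the configured user name and time range unescaped into a shell command line and a filesystem path, and the file name uses the raw user name while datacounter_auth.sh looks up `max-octets-$USERNAME` only after rewriting every character outside `[0-9a-zA-Z._-]` to `X` — a user name containing a space, quote or `/` therefore either breaks the command or produces a file the script never finds, after which that user is rejected. These values come from the pfSense config rather than from the RADIUS request, so this is an admin-input robustness problem more than a remote one, but the shell is unnecessary: apply the script's character class in PHP and write the files with `file_put_contents()`, and use the same sanitised names in the `else` branch that unlinks them. The enclosing foreach over $arrusers continues outside this hunk.
```php
// Apply the character class datacounter_auth.sh uses on $1/$2 so the
// file names written here are the ones the script will look up.
$safeuser = preg_replace('/[^0-9a-zA-Z._-]/', 'X', $varusersusername);
$saferange = preg_replace('/[^a-z]/', '', $varusersmaxtotaloctetstimerange);
$counterdir = "/var/log/radacct/datacounter/$saferange";
if ($varusersmaxtotaloctets != '') {
    if ($varusersreplyitem != '') { $varusersreplyitem .= ","; }
    $varusersreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh ' . "$safeuser $saferange" . '"';
    // The limit file is always rewritten so a raised limit takes effect; no shell involved.
    file_put_contents("$counterdir/max-octets-$safeuser", "$varusersmaxtotaloctets\n");
    // The usage file is only seeded, never reset, so accounting state survives a resync.
    if (!file_exists("$counterdir/used-octets-$safeuser")) {
        file_put_contents("$counterdir/used-octets-$safeuser", "0\n");
    }
} else {
    // … unchanged: unlink of max-octets/used-octets, using $counterdir and $safeuser …
}
```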
@@ -601,14 +617,22 @@ if (is_array($arrmacs) && !empty($arrmacs)) { $varmacssessiontimeout = $macs['varmacssessiontimeout']; $varmacslogintime = $macs['varmacslogintime']; $varmacsvlanid = $macs['varmacsvlanid']; + + // GUI uses minutes but RADIUS needs seconds so we do a multiplication $varmacsamountoftime = ($macs['varmacsamountoftime']?$macs['varmacsamountoftime']:''); + $varmacsamountoftime = $varmacsamountoftime * 60; $varmacspointoftime = $macs['varmacspointoftime']; - $varmacsamountofbytesinput = ($macs['varmacsamountofbytesinput']?$macs['varmacsamountofbytesinput']:''); - $varmacspointoftimebytesinput = $macs['varmacspointoftimebytesinput']; - $varmacsamountofbytesoutput = ($macs['varmacsamountofbytesoutput']?$macs['varmacsamountofbytesoutput']:''); - $varmacspointoftimebytesoutput = $macs['varmacspointoftimebytesoutput']; + + // GUI uses MB but RADIUS needs Bytes so we do a multiplication + $varmacsmaxtotaloctets = ($macs['varmacsmaxtotaloctets']?$macs['varmacsmaxtotaloctets']:''); + $varmacsmaxtotaloctets = $varmacsmaxtotaloctets * 1024 * 1024; + $varmacsmaxtotaloctetstimerange = $macs['varmacsmaxtotaloctetstimerange']; + + // GUI uses KiloBit but RADIUS needs Bits so we do a multiplication $varmacsmaxbandwidthup = ($macs['varmacsmaxbandwidthup']?$macs['varmacsmaxbandwidthup']:''); + $varmacsmaxbandwidthup = $varmacsmaxbandwidthup * 1024; $varmacsmaxbandwidthdown = ($macs['varmacsmaxbandwidthdown']?$macs['varmacsmaxbandwidthdown']:''); + $varmacsmaxbandwidthdown = $varmacsmaxbandwidthdown * 1024; // Clear variables for next mac foreach additional options TOP $varmacstopadditionaloptions = ''; 
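Review bot: The MAC-entry conversions share the weakness of the user-entry ones: `$varmacsamountoftime * 60` and the `* 1024` / `* 1024 * 1024` lines coerce an empty or non-numeric field to integer `0`, and the later `!= ''` checks only skip the attribute because of PHP's loose `0 == ''` comparison, so a mistyped value silently disables the limit rather than being reported. Guard with `is_numeric()` before converting, e.g. `$varmacsmaxtotaloctets = is_numeric($macs['varmacsmaxtotaloctets']) ? (int)$macs['varmacsmaxtotaloctets'] * 1024 * 1024 : '';`. The foreach over $arrmacs starts and ends outside this hunk.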
@@ -671,12 +695,6 @@ if (is_array($arrmacs) && !empty($arrmacs)) { if ($varmacsamountoftime != '') { $varmacscheckitem .= ", Max-" . "$varmacspointoftime" . "-Session := " . "$varmacsamountoftime"; } - if ($varmacsamountofbytesinput != '') { - $varmacscheckitem .= ", Max-" . "$varmacspointoftimebytesinput" . "-Input := " . "$varmacsamountofbytesinput"; - } - if ($varmacsamountofbytesoutput != '') { - $varmacscheckitem .= ", Max-" . "$varmacspointoftimebytesoutput" . "-Output := " . "$varmacsamountofbytesoutput"; - } if ($varmacsadditionaloptionscheckitems != '') { $varmacscheckitem .= ", $varmacsadditionaloptionscheckitems"; } 
@@ -710,10 +728,25 @@ if (is_array($arrmacs) && !empty($arrmacs)) { if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } $varmacsreplyitem .= "\n\tWISPr-Bandwidth-Max-Down := $varmacsmaxbandwidthdown"; } - if ($varmacsswisprredirectionurl != '') { + if ($varmacswisprredirectionurl != '') { if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } $varmacsreplyitem .= "\n\tWISPr-Redirection-URL := $varmacsswisprredirectionurl"; - } + } + // If an octet limit is set we create the files for the limit and the counter. Further we call an exec script which checks if the limit is reached or not + if ($varmacsmaxtotaloctets != '') { + if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } + //create exec script + $varmacsreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh ' . "$varmacsaddress $varmacsmaxtotaloctetstimerange" . '"'; + // create limit file - will be always overwritten so we can increase limit from GUI + exec("`echo $varmacsmaxtotaloctets > /var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress`"); + // if used-octets file exist we do NOT overwrite this file!!! + if (!file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress")) { exec("echo 0 > /var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress"); } + } + // If an octet limit is NOT set we delete the files for the limit and the counter. 
+ else { + if (file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress")) { unlink("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress"); } + if (file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress")) { unlink("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress"); } + } if ($varmacsadditionaloptionsreplyitems != '') { if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } $varmacsreplyitem .= "\n\t$varmacsadditionaloptionsreplyitems"; @@ -741,8 +774,6 @@ EOD; restart_service('radiusd'); } - - function freeradius_clients_resync() { global $config; @@ -965,7 +996,6 @@ else { } $conf .= <<<EOD - ### EAP eap { default_eap_type = $vareapconfdefaulteaptype @@ -1031,8 +1061,6 @@ else { # send_error = no } } - - EOD; $filename = RADDB . '/eap.conf'; @@ -1068,8 +1096,6 @@ function freeradius_get_server_certs() { return $cert_arr; } - - function freeradius_sqlconf_resync() { global $config; $conf = ''; @@ -1190,7 +1216,6 @@ sql sql2 { nas_table = "$varsqlconf2nastable" \$INCLUDE sql/\${database}/dialup.conf } - EOD; $filename = RADDB . '/sql.conf'; @@ -1208,8 +1233,7 @@ EOD; function freeradius_serverdefault_resync() { global $config; $conf = ''; - - + // Get Variables from freeradiusmodulesldap.xml $arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0]; // failover/loadbalancing mode 
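Review bot: The condition was corrected to `$varmacswisprredirectionurl`, but the line inside it still interpolates `$varmacsswisprredirectionurl` (double `s`), so with a redirection URL configured the reply now carries `WISPr-Redirection-URL := ` with an empty value unless that second spelling is assigned somewhere above this hunk; change it to `$varmacsreplyitem .= "\n\tWISPr-Redirection-URL := $varmacswisprredirectionurl";`. The octet-limit block added below also repeats the user-entry pattern of building a shell command and a path from the raw value (`exec("\`echo … > …/max-octets-$varmacsaddress\`")`) while datacounter_auth.sh rewrites every character outside `[0-9a-zA-Z._-]` to `X` before looking the file up, and `:` is outside that class: a colon-separated MAC such as `00:11:22:33:44:55` would be looked up as `00X11X22X33X44X55` while PHP writes `max-octets-00:11:22:33:44:55`, so every quota-limited MAC entry in that format would be rejected. Apply the same character class in PHP and write the files with `file_put_contents()` instead of a shell, as the user loop should. The foreach over $arrmacs continues outside this hunk.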
@@ -1217,43 +1241,41 @@ function freeradius_serverdefault_resync() { // If unchecked then disable authorize ldap2 if (!$arrmodulesldap['varmodulesldap2enableauthorize']) { - $varmodulesldap2enableauthorize = '### ldap2 disabled ###'; + $varmodulesldap2enableauthorize = '### ldap2 disabled ###'; } else { - $varmodulesldap2enableauthorize = 'ldap2'; + $varmodulesldap2enableauthorize = 'ldap2'; } // If unchecked then disable authorize ldap1 if (!$arrmodulesldap['varmodulesldapenableauthorize']) { - $varmodulesldapenableauthorize = '### ldap ###'; + $varmodulesldapenableauthorize = '### ldap ###'; } else { - $varmodulesldapenableauthorize = ''; - $varmodulesldapenableauthorize .= "$varmodulesldap2failover {"; - $varmodulesldapenableauthorize .= "\n\t\tldap"; + $varmodulesldapenableauthorize = ''; + $varmodulesldapenableauthorize .= "$varmodulesldap2failover {"; + $varmodulesldapenableauthorize .= "\n\t\tldap"; // this line adds ldap2 when activated - $varmodulesldapenableauthorize .= "\n\t\t$varmodulesldap2enableauthorize"; - $varmodulesldapenableauthorize .= "\n\t}"; + $varmodulesldapenableauthorize .= "\n\t\t$varmodulesldap2enableauthorize"; + $varmodulesldapenableauthorize .= "\n\t}"; } // If unchecked then disable authenticate for ldap1 if (!$arrmodulesldap['varmodulesldap2enableauthenticate']) { - $varmodulesldap2enableauthenticate = "### ldap2 disabled ###"; + $varmodulesldap2enableauthenticate = "### ldap2 disabled ###"; } else { - $varmodulesldap2enableauthenticate = "ldap2"; + $varmodulesldap2enableauthenticate = "ldap2"; } // If unchecked then disable authenticate ldap2 if (!$arrmodulesldap['varmodulesldapenableauthenticate']) { - $varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t#}"; + $varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . 
"\n\t#}"; } else { - $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}"; + $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}"; } - - // Get Variables from freeradiussqlconf.xml for DATABASE 1 $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; $varsqlconfenableauthorize = ($sqlconf['varsqlconfenableauthorize']?$sqlconf['varsqlconfenableauthorize']:'Disable'); @@ -1373,7 +1395,6 @@ function freeradius_serverdefault_resync() { } $conf .= <<<EOD - ###################################################################### # # As of 2.0.0, FreeRADIUS supports virtual hosts using the @@ -1577,14 +1598,7 @@ authorize { weekly monthly forever - maxdailyupload - maxdailydownload - maxweeklyupload - maxweeklydownload - maxmonthlyupload - maxmonthlydownload - maxupload - maxdownload + # # Use the checkval module checkval @@ -1784,14 +1798,14 @@ accounting { weekly monthly forever - maxdailyupload - maxdailydownload - maxweeklyupload - maxweeklydownload - maxmonthlyupload - maxmonthlydownload - maxupload - maxdownload + + ### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates + if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) { + datacounterdaily + datacounterweekly + datacountermonthly + datacounterforever + } # Update the wtmp file # @@ -2050,7 +2064,6 @@ post-proxy { # detail # } } - EOD; $filename = RADDB . '/sites-available/default'; @@ -2146,7 +2159,6 @@ commonName = "$varcertscacommonname" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true - EOD; $filename = RADDB . '/certs/ca.cnf'; 
@@ -2232,7 +2244,6 @@ localityName = $varcertslocalityname organizationName = $varcertsorganizationname emailAddress = $varcertsserveremailaddress commonName = "$varcertsservercommonname" - EOD; $filename = RADDB . '/certs/server.cnf'; @@ -2318,7 +2329,6 @@ localityName = $varcertslocalityname organizationName = $varcertsorganizationname emailAddress = $varcertsclientemailaddress commonName = "$varcertsclientcommonname" - EOD; $filename = RADDB . '/certs/client.cnf'; @@ -2653,7 +2663,7 @@ function freeradius_modulescounter_resync() { # 'check-name' attribute. # counter daily { - filename = \${raddbdir}/db.daily + filename = /var/log/radacct/timecounter/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily @@ -2664,7 +2674,7 @@ counter daily { } counter weekly { - filename = \${raddbdir}/db.weekly + filename = /var/log/radacct/timecounter/db.weekly key = User-Name count-attribute = Acct-Session-Time reset = weekly @@ -2675,7 +2685,7 @@ counter weekly { } counter monthly { - filename = \${raddbdir}/db.monthly + filename = /var/log/radacct/timecounter/db.monthly key = User-Name count-attribute = Acct-Session-Time reset = monthly @@ -2686,7 +2696,7 @@ counter monthly { } counter forever { - filename = \${raddbdir}/db.forever + filename = /var/log/radacct/timecounter/db.forever key = User-Name count-attribute = Acct-Session-Time reset = never 
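Review bot: The rlm_counter databases move from `${raddbdir}` to `/var/log/radacct/timecounter/`, a directory created only once in freeradius_install_command(); on pfSense installs where /var is a memory-backed filesystem (the embedded case this commit targets) that directory, and with it every accumulated Session-Time counter, would presumably not survive a reboot unless something recreates it at boot, and rlm_counter's behaviour when its parent directory is missing should be checked rather than assumed. Consider creating the directory from the same resync path that writes `modules/counter`, and record the trade-off in the heredoc, e.g. `# db files live under /var/log/radacct so they are writable on read-only installs; check persistence across reboot on RAM-backed /var`. The `counter daily { … }` module continues past this hunk.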
@@ -2695,95 +2705,6 @@ counter forever { reply-name = Session-Timeout cache-size = 5000 } - -counter maxdailyupload { - filename = \${raddbdir}/db.maxdailyupload - key = User-Name - count-attribute = Acct-Input-Octets - reset = daily - counter-name = Daily-Input-Octets - check-name = Max-Daily-Input - reply-name = Acct-Input-Octets - cache-size = 5000 -} - -counter maxdailydownload { - filename = \${raddbdir}/db.maxdailydownload - key = User-Name - count-attribute = Acct-Output-Octets - reset = daily - counter-name = Daily-Output-Octets - check-name = Max-Daily-Output - reply-name = Acct-Output-Octets - cache-size = 5000 -} - -counter maxweeklyupload { - filename = \${raddbdir}/db.maxweeklyupload - key = User-Name - count-attribute = Acct-Input-Octets - reset = weekly - counter-name = Weekly-Input-Octets - check-name = Max-Weekly-Input - reply-name = Acct-Input-Octets - cache-size = 5000 -} - -counter maxweeklydownload { - filename = \${raddbdir}/db.maxweeklydownload - key = User-Name - count-attribute = Acct-Output-Octets - reset = weekly - counter-name = Weekly-Output-Octets - check-name = Max-Weekly-Output - reply-name = Acct-Output-Octets - cache-size = 5000 -} - -counter maxmonthlyupload { - filename = \${raddbdir}/db.maxmonthlyupload - key = User-Name - count-attribute = Acct-Input-Octets - reset = monthly - counter-name = Monthly-Input-Octets - check-name = Max-Monthly-Input - reply-name = Acct-Input-Octets - cache-size = 5000 -} - -counter maxmonthlydownload { - filename = \${raddbdir}/db.maxmonthlydownload - key = User-Name - count-attribute = Acct-Output-Octets - reset = monthly - counter-name = Monthly-Output-Octets - check-name = Max-Monthly-Output - reply-name = Acct-Output-Octets - cache-size = 5000 -} - -counter maxupload { - filename = \${raddbdir}/db.maxforeverupload - key = User-Name - count-attribute = Acct-Input-Octets - reset = never - counter-name = Forever-Input-Octets - check-name = Max-Forever-Input - reply-name = Acct-Input-Octets - 
cache-size = 5000 -} - -counter maxdownload { - filename = \${raddbdir}/db.maxforeverdownload - key = User-Name - count-attribute = Acct-Output-Octets - reset = never - counter-name = Forever-Output-Octets - check-name = Max-Forever-Output - reply-name = Acct-Output-Octets - cache-size = 5000 -} - EOD; $filename = RADDB . '/modules/counter'; @@ -2878,7 +2799,6 @@ nt-response=%{%{mschap:NT-Response}:-00}" # An optional retry message. # retry_msg = "Re-enter (or reset) the password" } - EOD; $filename = RADDB . '/modules/mschap'; @@ -3179,7 +3099,6 @@ else { $varmodulesldap2keepaliveinterval = ($arrmodulesldap['varmodulesldap2keepaliveinterval']?$arrmodulesldap['varmodulesldap2keepaliveinterval']:'3'); $conf .= <<<EOD - # -*- text -*- # # $Id$ @@ -3856,7 +3775,6 @@ policy { } } } - EOD; $filename = RADDB . '/policy.conf'; @@ -3882,8 +3800,8 @@ function freeradius_motp_resync() { // check if disabled then we delete bash und otpverify.sh script if ($varsettings['varsettingsmotpenable'] == '') { - if (file_exists("/usr/local/bin/otpverify.sh")) { - unlink("/usr/local/bin/otpverify.sh"); + if (file_exists("/usr/local/etc/raddb/scripts/otpverify.sh")) { + unlink("/usr/local/etc/raddb/scripts/otpverify.sh"); } if (exec("cd /var/db/pkg && ls | grep bash") == "bash-4.1.7") { exec("cd /var/db/pkg && pkg_delete `ls | grep bash`"); @@ -4016,11 +3934,10 @@ exit 11 EOD; - - $filename = '/usr/local/bin/otpverify.sh'; + $filename = RADDB . '/scripts/otpverify.sh'; conf_mount_rw(); file_put_contents($filename, $conf); - chmod($filename, 0775); + chmod($filename, 0750); conf_mount_ro(); // end of above 'check if enabled then we need to download "bash"' 
@@ -4035,7 +3952,7 @@ function freeradius_modulesmotp_resync() { $conf .= <<<EOD exec motp { wait = yes - program = "/usr/local/bin/bash /usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" + program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{User-Name} %{User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" input_pairs = reply #output_pairs = config } 
@@ -4051,6 +3968,107 @@ EOD; } +function freeradius_modulesdatacounter_resync() { + global $config; + $conf = ''; + + $conf .= <<<EOD +exec datacounterdaily { + wait = yes + program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" + } +exec datacounterweekly { + wait = yes + program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" + } +exec datacountermonthly { + wait = yes + program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" + } +exec datacounterforever { + wait = yes + program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" + } +EOD; + + $filename = RADDB . '/modules/datacounter_acct'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0640); + conf_mount_ro(); + +} + +function freeradius_datacounter_auth_resync() { + global $config; + $conf = ''; + + $conf .= <<<EOD +#!/bin/sh +### USAGE: datacounter_auth.sh USERNAME TIMERANGE +### We need this parameters from freeradius users file and ../raddb/modules/datacounter_acct +USERNAME=`echo -n "\\$1" | sed 's/[^0-9a-zA-Z._-]/X/g' ` +TIMERANGE=`echo -n "\\$2" | sed 's/[^a-z]//g' ` + +### We check if MAX-OCTETS-USERNAME is greater than USED-OCTETS-USERNAME and accept or reject the user +if [ `cat "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME"` -gt `cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"` ]; then + exit 0 +else + MAXOCTETSUSERNAMEMB=$((`cat "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME"`/1024/1024)) + logger -f /var/log/system.log "FreeRADIUS: Credentials are probably correct but the user \$USERNAME has reached the \$TIMERANGE Amount 
of Upload and Download Traffic which is \$MAXOCTETSUSERNAMEMB MB! The user was rejected!!!" + exit 99 +fi +EOD; + + $filename = RADDB . '/scripts/datacounter_auth.sh'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0750); + conf_mount_ro(); + +} + +function freeradius_datacounter_acct_resync() { + global $config; + $conf = ''; + + $conf .= <<<EOD +#!/bin/sh +### USAGE: datacounter_acct.sh USERNAME TIMERANGE ACCTINPUTOCTETS ACCTOUTPUTOCTETS +### We need this from an Accounting-Request packet to count the octets +USERNAME=`echo -n "\\$1" | sed 's/[^0-9a-zA-Z._-]/X/g' ` +TIMERANGE=`echo -n "\\$2" | sed 's/[^a-z]//g' ` +ACCTINPUTOCTETS=`echo -n "\\$3" | sed 's/[^0-9]/0/g' ` +ACCTOUTPUTOCTETS=`echo -n "\\$4" | sed 's/[^0-9]/0/g' ` + +### If we do not get Octets we set some default values +if [ ! \$ACCTINPUTOCTETS ]; then + ACCTINPUTOCTETS=0 +fi +if [ ! \$ACCTOUTPUTOCTETS ]; then + ACCTOUTPUTOCTETS=0 +fi + +### We only write this to file if username exists +### If all counters are activated (daily, weekly, monthly, forever) we need to check which is active for the user +if [ ! -e "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME" ]; then + exit 0 +else + USEDOCTETS=\$((\$ACCTINPUTOCTETS+\$ACCTOUTPUTOCTETS+`cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"`)) + echo "\$USEDOCTETS" > "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME" + exit 0 +fi + +EOD; + + $filename = RADDB . '/scripts/datacounter_acct.sh'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0750); + conf_mount_ro(); + +} + function freeradius_dictionary_resync() { global $config; $conf = ''; @@ -4105,8 +4123,10 @@ function freeradius_dictionary_resync() { ### Attributes for mobile-One-Time-Password ATTRIBUTE MOTP-Init-Secret 900 string ATTRIBUTE MOTP-PIN 901 string -ATTRIBUTE MOTP-Offset 902 string - +ATTRIBUTE MOTP-Offset 902 string + + + EOD; $filename = RADDB . '/dictionary'; |
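Review bot: datacounter_acct.sh adds `Acct-Input-Octets + Acct-Output-Octets` to the stored `used-octets-*` total on every Interim-Update and Stop, but RFC 2866 defines those attributes as running totals for the session, so unless the NAS resets them between updates (the commit message says the captive portal does not) each update re-adds everything already counted and the quota is consumed far faster than the real traffic; a correct tally has to remember the last value seen per `Acct-Session-Id` and add only the delta. The module lines also pass no `Acct-Input-Gigawords`/`Acct-Output-Gigawords` (RFC 2869 §5), so a session crossing 4 GiB wraps and is under-counted; pass them with an empty-safe default, as the file already does for mschap, e.g. `… %{request:Acct-Session-Id} %{request:Acct-Status-Type} %{%{request:Acct-Input-Gigawords}:-0} %{%{request:Acct-Output-Gigawords}:-0}"`, so a missing attribute cannot shift the positional arguments. Two smaller points: `logger -f /var/log/system.log` means *read the message from this file*, not write to it (the explicit message still wins on FreeBSD's logger, so the flag is only misleading), and `freeradius_modulesdatacounter_resync()` is defined here but the install hunk calls `freeradius_modules_resync()`, so confirm the module file is actually written. freeradius_dictionary_resync() at the end of this hunk continues past it.
```php
#!/bin/sh
### USAGE: datacounter_acct.sh USERNAME TIMERANGE INOCTETS OUTOCTETS SESSIONID STATUSTYPE INGIGAWORDS OUTGIGAWORDS
USERNAME=`echo -n "\\$1" | sed 's/[^0-9a-zA-Z._-]/X/g' `
TIMERANGE=`echo -n "\\$2" | sed 's/[^a-z]//g' `
ACCTINPUTOCTETS=`echo -n "\\$3" | sed 's/[^0-9]//g' `
ACCTOUTPUTOCTETS=`echo -n "\\$4" | sed 's/[^0-9]//g' `
SESSIONID=`echo -n "\\$5" | sed 's/[^0-9a-zA-Z._-]/X/g' `
STATUSTYPE=`echo -n "\\$6" | sed 's/[^A-Za-z-]//g' `
INGIGAWORDS=`echo -n "\\$7" | sed 's/[^0-9]//g' `
OUTGIGAWORDS=`echo -n "\\$8" | sed 's/[^0-9]//g' `

DIR="/var/log/radacct/datacounter/\$TIMERANGE"
### Only users with a limit for this range are tracked
[ -e "\$DIR/max-octets-\$USERNAME" ] || exit 0

### Octets are running totals for the session (RFC 2866); widen with the
### Gigawords wrap counters (RFC 2869) and charge only what is new since the
### last update of this session.
SESSIONTOTAL=\$(( (\${INGIGAWORDS:-0} + \${OUTGIGAWORDS:-0}) * 4294967296 + \${ACCTINPUTOCTETS:-0} + \${ACCTOUTPUTOCTETS:-0} ))
SESSIONFILE="\$DIR/session-\$USERNAME-\$SESSIONID"
LASTSEEN=0
[ -e "\$SESSIONFILE" ] && LASTSEEN=`cat "\$SESSIONFILE"`
DELTA=\$(( SESSIONTOTAL - LASTSEEN ))
### A counter that went backwards means the NAS restarted the session; charge the full value
[ "\$DELTA" -lt 0 ] && DELTA=\$SESSIONTOTAL
USEDOCTETS=\$(( `cat "\$DIR/used-octets-\$USERNAME"` + DELTA ))
echo "\$USEDOCTETS" > "\$DIR/used-octets-\$USERNAME"
if [ "\$STATUSTYPE" = "Stop" ]; then
	rm -f "\$SESSIONFILE"
else
	echo "\$SESSIONTOTAL" > "\$SESSIONFILE"
fi
exit 0
```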