From 5284d84132fd19ba01f5a4ce6f0382b5f01e5ce5 Mon Sep 17 00:00:00 2001 From: Alexander Wilke Date: Sat, 18 Feb 2012 22:16:28 +0100 Subject: - replaced old traffic counter which didn't work against two shell scripts (authentication + accounting) which now work on interim-updates and start/stop updates. (start/stop istn'working correct BECAUSE CP doesn't reset the octets between every update. Interim-Update does this) - changed units in GUI from bits, bytes and seconds to high and better readable values - placing all scripts (traffic counter + motp in central folder under /usr/local/etc/raddb/scripts/) - placing files and databases for time-/traffic-counter in /var/log/radacct/ This makes it possible to use them on embedded systems because of read-write access to this folders. --- config/freeradius2/freeradius.inc | 424 ++++++++++++++++++++------------------ 1 file changed, 222 insertions(+), 202 deletions(-) (limited to 'config/freeradius2') diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index df9022c6..a8020c72 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -55,7 +55,8 @@ function freeradius_deinstall_command() { function freeradius_install_command() { global $config; - conf_mount_rw(); + conf_mount_rw(); + /* $handle = opendir(RADDB); while (false != ($file = readdir($handle))) { if (false != ($pos = strpos($file, '.sample'))) { @@ -64,31 +65,34 @@ function freeradius_install_command() { unlink(RADDB . "/$file"); } } - closedir($handle); - + */ + + // We create here different folders for different counters. exec("chown -R root:wheel /usr/local/etc/raddb"); + exec("mkdir /usr/local/etc/raddb/scripts"); exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); exec("touch /var/log/radutmp && touch /var/log/radwtmp"); + exec("mkdir /var/log/radacct/datacounter/daily" && "mkdir /var/log/radacct/datacounter/weekly" && "mkdir /var/log/radacct/datacounter/monthly" && "mkdir /var/log/radacct/datacounter/forever"); + exec("mkdir /var/log/radacct/timecounter"); exec("chown -R root:wheel /var/log"); - - + // creating a backup file of the original policy.conf no matter if user checked this or not if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) { log_error("FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/policy.conf.backup"); copy("/usr/local/etc/raddb/policy.conf", "/usr/local/etc/raddb/policy.conf.backup"); } - + // creating a backup file of the original /modules/files no matter if user checked this or not if (!file_exists("/usr/local/etc/raddb/files.backup")) { log_error("FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/files.backup"); copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup"); } - + // Disable virtual-server we do not need by default - unlink("/usr/local/etc/raddb/sites-enabled/control-socket"); - unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel"); - + if (file_exists("/usr/local/etc/raddb/sites-enabled/control-socket")) { unlink("/usr/local/etc/raddb/sites-enabled/control-socket"); } + if (file_exists("/usr/local/etc/raddb/sites-enabled/inner-tunnel")) { unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel"); } + // We need some additional files in /usr/local/lib for the LDAP module. We fetch these files dependent on the architecture. // For i386 systems if (exec("uname -m") == "i386") { @@ -120,30 +124,35 @@ function freeradius_install_command() { exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10"); exec("chmod 0755 /usr/local/lib/libroken.so.10"); } - + // We run this here just to suppress some warnings on syslog if file doesn't exist freeradius_authorizedmacs_resync(); - - // These functions create files which we only need to do one time after installing freeradius2 package - // These two functions create the module and the dictionary entry for Mobile-One-Time-Password - freeradius_dictionary_resync(); - freeradius_modulesmotp_resync(); - freeradius_modulescounter_resync(); + + // These two functions create the module and the dictionary entry for Mobile-One-Time-Password + freeradius_dictionary_resync(); + freeradius_modulesmotp_resync(); + + // Here we create the modules and scripts for the datacounter + freeradius_modules_resync(); + freeradius_datacounter_acct_resync(); + freeradius_datacounter_auth_resync(); + + // Some initial module configuration freeradius_modulesmschap_resync(); freeradius_modulesrealm_resync(); - + freeradius_modulescounter_resync(); + // Initialize some config files - the functions below call other functions freeradius_sqlconf_resync(); freeradius_eapconf_resync(); freeradius_clients_resync(); - + $rcfile = array(); $rcfile['file'] = 'radiusd.sh'; $rcfile['start'] = '/usr/local/etc/rc.d/radiusd onestart'; $rcfile['stop'] = '/usr/local/etc/rc.d/radiusd onestop'; - conf_mount_rw(); write_rcfile($rcfile); - conf_mount_ro(); + conf_mount_ro(); start_service("radiusd"); } @@ -358,14 +367,6 @@ instantiate { weekly monthly forever - maxdailyupload - maxdailydownload - maxweeklyupload - maxweeklydownload - maxmonthlyupload - maxmonthlydownload - maxupload - maxdownload expiration logintime ### Dis-/Enable sql instatiate @@ -373,8 +374,6 @@ instantiate { } \$INCLUDE policy.conf \$INCLUDE sites-enabled/ - - EOD; conf_mount_rw(); @@ -421,14 +420,22 @@ if (is_array($arrusers) && !empty($arrusers)) { $varuserssessiontimeout = $users['varuserssessiontimeout']; $varuserslogintime = $users['varuserslogintime']; $varusersvlanid = $users['varusersvlanid']; + + // GUI uses minutes but RADIUS needs seconds so we do a multiplication $varusersamountoftime = ($users['varusersamountoftime']?$users['varusersamountoftime']:''); + $varusersamountoftime = $varusersamountoftime * 60; $varuserspointoftime = $users['varuserspointoftime']; - $varusersamountofbytesinput = ($users['varusersamountofbytesinput']?$users['varusersamountofbytesinput']:''); - $varuserspointoftimebytesinput = $users['varuserspointoftimebytesinput']; - $varusersamountofbytesoutput = ($users['varusersamountofbytesoutput']?$users['varusersamountofbytesoutput']:''); - $varuserspointoftimebytesoutput = $users['varuserspointoftimebytesoutput']; + + // GUI uses MB but RADIUS needs Bytes so we do a multiplication + $varusersmaxtotaloctets = ($users['varusersmaxtotaloctets']?$users['varusersmaxtotaloctets']:''); + $varusersmaxtotaloctets = $varusersmaxtotaloctets * 1024 * 1024; + $varusersmaxtotaloctetstimerange = $users['varusersmaxtotaloctetstimerange']; + + // GUI uses KiloBit but RADIUS needs Bits so we do a multiplication $varusersmaxbandwidthup = ($users['varusersmaxbandwidthup']?$users['varusersmaxbandwidthup']:''); + $varusersmaxbandwidthup = $varusersmaxbandwidthup * 1024; $varusersmaxbandwidthdown = ($users['varusersmaxbandwidthdown']?$users['varusersmaxbandwidthdown']:''); + $varusersmaxbandwidthdown = $varusersmaxbandwidthdown * 1024; // Clear variables for next user foreach additional options TOP $varuserstopadditionaloptions = ''; @@ -499,12 +506,6 @@ if (is_array($arrusers) && !empty($arrusers)) { if ($varusersamountoftime != '') { $varuserscheckitem .= ", Max-" . "$varuserspointoftime" . "-Session := " . "$varusersamountoftime"; } - if ($varusersamountofbytesinput != '') { - $varuserscheckitem .= ", Max-" . "$varuserspointoftimebytesinput" . "-Input := " . "$varusersamountofbytesinput"; - } - if ($varusersamountofbytesoutput != '') { - $varuserscheckitem .= ", Max-" . "$varuserspointoftimebytesoutput" . "-Output := " . "$varusersamountofbytesoutput"; - } if ($varusersadditionaloptionscheckitems != '') { $varuserscheckitem .= ", $varusersadditionaloptionscheckitems"; } @@ -550,6 +551,21 @@ if (is_array($arrusers) && !empty($arrusers)) { if ($varusersreplyitem != '') { $varusersreplyitem .=","; } $varusersreplyitem .= "\n\tWISPr-Redirection-URL := $varuserswisprredirectionurl"; } + // If an octet limit is set we create the files for the limit and the counter. Further we call an exec script which checks if the limit is reached or not + if ($varusersmaxtotaloctets != '') { + if ($varusersreplyitem != '') { $varusersreplyitem .=","; } + //create exec script + $varusersreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh ' . "$varusersusername $varusersmaxtotaloctetstimerange" . '"'; + // create limit file - will be always overwritten so we can increase limit from GUI + exec("`echo $varusersmaxtotaloctets > /var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername`"); + // if used-octets file exist we do NOT overwrite this file!!! + if (!file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername")) { exec("echo 0 > /var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername"); } + } + // If an octet limit is NOT set we delete the files for the limit and the counter. + else { + if (file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername")) { unlink("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername"); } + if (file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername")) { unlink("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername"); } + } if ($varusersadditionaloptionsreplyitems != '') { if ($varusersreplyitem != '') { $varusersreplyitem .=","; } $varusersreplyitem .= "\n\t$varusersadditionaloptionsreplyitems"; @@ -601,14 +617,22 @@ if (is_array($arrmacs) && !empty($arrmacs)) { $varmacssessiontimeout = $macs['varmacssessiontimeout']; $varmacslogintime = $macs['varmacslogintime']; $varmacsvlanid = $macs['varmacsvlanid']; + + // GUI uses minutes but RADIUS needs seconds so we do a multiplication $varmacsamountoftime = ($macs['varmacsamountoftime']?$macs['varmacsamountoftime']:''); + $varmacsamountoftime = $varmacsamountoftime * 60; $varmacspointoftime = $macs['varmacspointoftime']; - $varmacsamountofbytesinput = ($macs['varmacsamountofbytesinput']?$macs['varmacsamountofbytesinput']:''); - $varmacspointoftimebytesinput = $macs['varmacspointoftimebytesinput']; - $varmacsamountofbytesoutput = ($macs['varmacsamountofbytesoutput']?$macs['varmacsamountofbytesoutput']:''); - $varmacspointoftimebytesoutput = $macs['varmacspointoftimebytesoutput']; + + // GUI uses MB but RADIUS needs Bytes so we do a multiplication + $varmacsmaxtotaloctets = ($macs['varmacsmaxtotaloctets']?$macs['varmacsmaxtotaloctets']:''); + $varmacsmaxtotaloctets = $varmacsmaxtotaloctets * 1024 * 1024; + $varmacsmaxtotaloctetstimerange = $macs['varmacsmaxtotaloctetstimerange']; + + // GUI uses KiloBit but RADIUS needs Bits so we do a multiplication $varmacsmaxbandwidthup = ($macs['varmacsmaxbandwidthup']?$macs['varmacsmaxbandwidthup']:''); + $varmacsmaxbandwidthup = $varmacsmaxbandwidthup * 1024; $varmacsmaxbandwidthdown = ($macs['varmacsmaxbandwidthdown']?$macs['varmacsmaxbandwidthdown']:''); + $varmacsmaxbandwidthdown = $varmacsmaxbandwidthdown * 1024; // Clear variables for next mac foreach additional options TOP $varmacstopadditionaloptions = ''; @@ -671,12 +695,6 @@ if (is_array($arrmacs) && !empty($arrmacs)) { if ($varmacsamountoftime != '') { $varmacscheckitem .= ", Max-" . "$varmacspointoftime" . "-Session := " . "$varmacsamountoftime"; } - if ($varmacsamountofbytesinput != '') { - $varmacscheckitem .= ", Max-" . "$varmacspointoftimebytesinput" . "-Input := " . "$varmacsamountofbytesinput"; - } - if ($varmacsamountofbytesoutput != '') { - $varmacscheckitem .= ", Max-" . "$varmacspointoftimebytesoutput" . "-Output := " . "$varmacsamountofbytesoutput"; - } if ($varmacsadditionaloptionscheckitems != '') { $varmacscheckitem .= ", $varmacsadditionaloptionscheckitems"; } @@ -710,10 +728,25 @@ if (is_array($arrmacs) && !empty($arrmacs)) { if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } $varmacsreplyitem .= "\n\tWISPr-Bandwidth-Max-Down := $varmacsmaxbandwidthdown"; } - if ($varmacsswisprredirectionurl != '') { + if ($varmacswisprredirectionurl != '') { if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } $varmacsreplyitem .= "\n\tWISPr-Redirection-URL := $varmacsswisprredirectionurl"; - } + } + // If an octet limit is set we create the files for the limit and the counter. Further we call an exec script which checks if the limit is reached or not + if ($varmacsmaxtotaloctets != '') { + if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } + //create exec script + $varmacsreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh ' . "$varmacsaddress $varmacsmaxtotaloctetstimerange" . '"'; + // create limit file - will be always overwritten so we can increase limit from GUI + exec("`echo $varmacsmaxtotaloctets > /var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress`"); + // if used-octets file exist we do NOT overwrite this file!!! + if (!file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress")) { exec("echo 0 > /var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress"); } + } + // If an octet limit is NOT set we delete the files for the limit and the counter. + else { + if (file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress")) { unlink("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress"); } + if (file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress")) { unlink("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress"); } + } if ($varmacsadditionaloptionsreplyitems != '') { if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } $varmacsreplyitem .= "\n\t$varmacsadditionaloptionsreplyitems"; @@ -741,8 +774,6 @@ EOD; restart_service('radiusd'); } - - function freeradius_clients_resync() { global $config; @@ -965,7 +996,6 @@ else { } $conf .= << "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME" + exit 0 +fi + +EOD; + + $filename = RADDB . '/scripts/datacounter_acct.sh'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0750); + conf_mount_ro(); + +} + function freeradius_dictionary_resync() { global $config; $conf = ''; @@ -4105,8 +4123,10 @@ function freeradius_dictionary_resync() { ### Attributes for mobile-One-Time-Password ATTRIBUTE MOTP-Init-Secret 900 string ATTRIBUTE MOTP-PIN 901 string -ATTRIBUTE MOTP-Offset 902 string - +ATTRIBUTE MOTP-Offset 902 string + + + EOD; $filename = RADDB . '/dictionary'; -- cgit v1.2.3