m0n0wall Forum - Bandwidth per user with radius/wispr

I'm using FreeRadius from here: http://freeradius.org/ so it should be working.

But the mysql plugin they had for it, there was no documentation on the table structure, so I had to dig through the code to figure out exactly what tables it was looking for, was a bit of hunting, but once I got it working, it was very cool. The radius server does much better than the built in user manager, especially when it comes to idle time. If I set idle time to 1000 minutes, it will work that way properly. Using the built in user manager for m0n0wall, it's hard to set it higher than a few hours before you get weird things like ghost users logged in, etc.

Yeah, I just remembered, the text files override the database. It works if you transfer everything to the database (users, passwords, etc.) I had the same issue at first, some things would work, others wouldn't.

Here are all the changes I had to make to the config file, see if you can fill in the blanks and whether it works.

/etc/raddb

clients.conf (Disable all the examples, have just one near the top like this, it's the IP that m0n0wall will access the radius server from)

Code:

client 192.168.0.1 {
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 31 characters in length.
#
secret = mym0n0wallsecret

#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
shortname = 192.168.0.1

#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#

#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types

#
nastype = other # localhost isn't usually a NAS...

#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
}

radius.conf (you have to disable these sections and enable sql only, I've separated them out so it's easier to find)

Code:

# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
# The following configuration file is for use with MySQL.
#
# For Postgresql, use: ${confdir}/postgresql.conf
# For MS-SQL, use: ${confdir}/mssql.conf
# For Oracle, use: ${confdir}/oraclesql.conf
# For MySQL, use: ${confdir}/mysql.conf
#
#$INCLUDE ${confdir}/postgresql.conf
$INCLUDE ${confdir}/mysql.conf

# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the request.
preprocess

#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log

# attr_filter

#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
# chap

#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
# mschap

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest

#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS

#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain

#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
# eap

#
# Read the 'users' file
# files

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
sql

#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd

#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
# ldap

#
# Enforce daily limits on time spent logged in.
# daily

#
# Use the checkval module
# checkval

#
# As of 1.1.4, you should list "pap" last in this section.
# See "man rlm_pap" for more information.
# pap
}

#
# Accounting. Log the accounting data.
#
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily

# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
unix

#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp

# Return an address to the IP Pool when we see a stop record.
# main_pool
# sqlippool

#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
sql

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

# Cisco VoIP specific bulk accounting
# pgsql-voip

}

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp

#
# See "Simultaneous Use Checking Querie" in sql.conf
sql
}

# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool
# sqlippool

#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
# reply_log

#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
sql

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
# Uncomment the following and set the module name to the ldap instance
# name if you have set 'edir_account_policy_check = yes' in the ldap
# module sub-section of the 'modules' section.
#
# Post-Auth-Type REJECT {
# insert-module-name-here
# }

}

mysql.conf (just verify that you have all the right db stuff for connecting)

Code:

# Connect info
server = "192.168.0.5"
login = "radius_user"
password = "mypassword"

# Database table configuration
radius_db = "radius_data"

If you need a layout of the table structure, let me know. The documentation only told me how to setup about half of what the software really uses. You have to look through the mysql.conf file to get an idea of all the tables it uses and what fields it is looking for.