DIALUP ADMINISTRATION INTERFACE & MySQL
Since there is not much documentation available for the dialup admin, I started to write a few words about installing and using dialup admin in conjunction with MySQL. It was a long time ago that I installed FreeRadius, MySQL and dialup admin, so I may have missed some important things. If so, please write to me so I can keep this tutorial up to date. Additionally, I have to mention that you can also ask the authors for feature requests and help on the sourceforge website. Please don't sue me because of my bad English.
The Dialup Administration Interface is a sourceforge project written in PHP4 for the FreeRadius radius server. It supports accounting in SQL (it provides finger, user accounting and accounting report generator facilities) and keeps personal user information and dialup settings in an LDAP or SQL db.
To use the dialup admin you need a working webserver with PHP support and MySQL installed. Your FreeRadius should be configured to use MySQL. If you don't know how to do that, read these notes first. I also assume that you are familiar with:
- Webserver administration
- MySQL administration
- Radius, Linux
- PHP, Perl, HTML
Download the latest version of dialup admin from sourceforge and untar it to a folder, for example /opt/radius/dialup_admin, on your webserver.
[root@linux radius]# tar xzf dialup_admin-1.xx.tar.gz
Point the path on your webserver to the directory /opt/radius/dialup_admin/htdocs. That is where the main html files are. Since there are several ways to do that and many different webservers I'm not going to explain it. In the folder /opt/radius/dialup_admin/sql you will find additional *.sql files which you can add to your FreeRadius database.
[root@linux sql]# mysql freeradiusdb < userinfo.sql
[root@linux sql]# mysql freeradiusdb < badusers.sql
[root@linux sql]# mysql freeradiusdb < mtotacct.sql
[root@linux sql]# mysql freeradiusdb < totacct.sql
Replace the word freeradiusdb with the name of your FreeRadius db.
Understanding the ADMIN.CONF
Now you can start configuring dialup admin. The main config file is called admin.conf and is located under conf/admin.conf. Most of the content in admin.conf is self-explanatory, so go through it and change it to your needs. The most important variables to change in our case are:
| Variable | Value | Comment |
|---|---|---|
| general_base_dir | /opt/radius/dialup_admin | enter the dialup admin path |
| general_radiusd_base_dir | /opt/radius | enter the freeradius base directory |
| general_lib_type | sql | since we use MySQL |
| general_test_account_login | dummy | will be discussed later |
| general_test_account_password | dummy | will be discussed later |
| general_radius_server_secret | testing123 | this is the default FreeRadius secret |
| general_encryption_method | crypt | use clear only if you want cleartext passwords in your db |
| sql_type | mysql | defines the SQL type |
| sql_password_attribute | Crypt-Password | has also to be changed to encrypt passwords |
Don't forget to edit all other SQL parameters as well. In particular, the username, password and database name must match in order to connect to your FreeRadius database.
Another cool thing is the nas lines inside admin.conf. Specify one or more NAS and dialup admin will show them in the menu "Online Users".
Here is an example:
nas1_name: vpnbox1.%(general_domain)
nas1_model: Cisco 3015 vpn concentrator
nas1_ip: 172.16.1.1
nas1_portnum: 100
nas1_community: public
This is the result
After changing all these values you should now be able to view the dialup admin webpages in your web browser. If this does not work, you probably missed something in your webserver settings.
Dialup admin already has some preconfigured common radius attributes. But life is not so easy and you may want to implement your vendor attributes as well. So here we go.
Let's assume we want to add one of the Cisco VPN 3000 dictionary attributes. First we have to tell dialup admin how to map the attribute name in the database. So open the file conf/sql.attrmap and add the new attribute. In our case we want to add the IKE-Keep-Alives attribute. So add this line:
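A check for the admin.conf values from this section that should not be left as shown, as an added example that is not part of dialup admin or of the original tutorial. It assumes the "key: value" layout of the nas lines above; the sample file and the names parse_admin_conf and audit are constructed for illustration.

```python
import re

# Constructed sample in the "key: value" form of the nas lines shown above.
SAMPLE_ADMIN_CONF = """\
# constructed sample, not a real deployment
general_test_account_login: dummy
general_test_account_password: dummy
general_radius_server_secret: testing123
general_encryption_method: crypt
sql_password_attribute: User-Password
nas1_ip: 172.16.1.1
nas1_community: public
"""

def parse_admin_conf(text):
    """Return {key: value} for 'key: value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        key, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (key, reason) findings for risky values named in this tutorial."""
    findings = []
    if conf.get("general_radius_server_secret") == "testing123":
        findings.append(("general_radius_server_secret", "default FreeRadius secret"))
    method = conf.get("general_encryption_method")
    if method == "clear":
        findings.append(("general_encryption_method", "cleartext passwords in the db"))
    elif method == "crypt" and conf.get("sql_password_attribute") != "Crypt-Password":
        findings.append(("sql_password_attribute", "crypt needs Crypt-Password"))
    if (conf.get("general_test_account_login"),
            conf.get("general_test_account_password")) == ("dummy", "dummy"):
        findings.append(("general_test_account_login", "test account still dummy/dummy"))
    for key, value in sorted(conf.items()):
        if re.fullmatch(r"nas\d+_community", key) and value == "public":
            findings.append((key, "well-known community string"))
    return findings

if __name__ == "__main__":
    for key, reason in audit(parse_admin_conf(SAMPLE_ADMIN_CONF)):
        print(f"{key}: {reason}")
```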
replyItem CVPN3000-IKE-Keep-Alives CVPN3000-Keep-Alives
The format you should use is documented in the file.
To make this attribute visible in the WebGUI we need to add it in the file conf/user_edit.attrs as well. So add this line:
CVPN3000-IKE-Keep-Alives VPN IKE-Keep-Alives
Now you should see your new configured attribute in the edit section.
Instead of just a name you can also create a link (see other examples) to another html file as an attribute help page. This helps people understand the meaning of the attribute.
By default everybody who logs into dialup admin with http authentication has all buttons on the left side available. Dialup admin looks for a file called buttons.html.php3 in the folder html/buttons//. If this file or folder does not exist, the folder called html/buttons/default is used instead. But you may want to customize this for some users.
This can be done by creating a new folder with the name of the user in html/buttons. Just copy the content of the "default" directory into the new folder and edit buttons.html.php3 to your needs.
GROUPS AND USERS
To add new groups and users you should log into dialup admin now. On the left side is the navigation menu where you can view, edit and create users and groups. To add a new group simply press the "New Group" button and enter the name and attributes you want. After creating a group you can add a user by pressing "New User". Now the user form shows up and if the SQL connection is working you can choose the group you have created previously. After you enter a password and maybe some attributes, dialup admin will create the necessary records in your MySQL DB. By the way, since we are using encrypted passwords a user record would look like this:
mysql> select * from radcheck;
+----+----------------+-------------------+----+------------------------------------+
| id | UserName       | Attribute         | op | Value                              |
+----+----------------+-------------------+----+------------------------------------+
| 17 | Meier          | Crypt-Password    | := | $1$xvEOUfYu$aopgB1TvmmwA7gpg5x/Am1 |
As described before, we added a NAS to the admin.conf file. If you open the Online Users page you should see information about nas1 showing up. Dialup admin will query the radacct table for records with AcctStopTime = 0 and the configured NAS IP address. So you quickly get an overview of who is logged in and so on. Enjoy ...
As you remember, we previously configured a test user called dummy with the password dummy in admin.conf. To test whether FreeRadius responds to an access request, simply add this user (dummy) to the MySQL db or the user file on the FreeRadius server. Also make sure that the general_radius_server_secret matches the secret on the FreeRadius server.
If everything is correct, dialup admin should show an "Authentication was successful" message. By default dialup admin uses the radclient software from FreeRadius for this test.
For security reasons you may want to change the username and password.
To see the bad logins in dialup admin you have to run a perl script called bin/log_badlogins, which fills the FreeRadius db with bad login records. The script searches the radius log file called radius.log for values like Invalid-User or Login-Incorrect and adds them to the accounting table radacct. So all you need to do is run this script with the path of the radius.log as argument. If you like, you can also add the path directly into the script by adding following line.
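The kind of matching described above for bad logins, as an added example that is not the bin/log_badlogins script and not code from the dialup admin project: it extracts failed logins from radius.log text, labels them Invalid-User or Login-Incorrect, and lists user/client pairs with repeated failures. The log line layout, the sample lines and the names bad_logins and noisy_users are assumptions constructed for illustration; the attempted password is deliberately not kept.

```python
import re
from collections import Counter

# Constructed radius.log lines; the "Auth: ..." layout is an assumption.
SAMPLE_LOG = """\
Tue Jun  1 10:15:02 2004 : Auth: Login incorrect: [Meier/guess1] (from client vpnbox1 port 12)
Tue Jun  1 10:15:09 2004 : Auth: Login incorrect: [Meier/guess2] (from client vpnbox1 port 12)
Tue Jun  1 10:15:17 2004 : Auth: Login incorrect: [Meier/guess3] (from client vpnbox1 port 12)
Tue Jun  1 10:16:40 2004 : Auth: Invalid user: [ghost/x] (from client vpnbox1 port 14)
Tue Jun  1 10:17:03 2004 : Auth: Login OK: [Meier/secret] (from client vpnbox1 port 12)
Tue Jun  1 10:18:00 2004 : Info: Ready to process requests.
"""

LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: (?P<what>Login incorrect|Invalid user)[^\[]*"
    r"\[(?P<user>[^/\]]*)(?:/[^\]]*)?\] \(from client (?P<client>\S+)"
)
# Map the log wording to the two values named in the text above.
CAUSE = {"Login incorrect": "Login-Incorrect", "Invalid user": "Invalid-User"}

def bad_logins(log_text):
    """Yield one dict per failed login; the attempted password is never kept."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"time": m["ts"], "user": m["user"],
                   "client": m["client"], "cause": CAUSE[m["what"]]}

def noisy_users(log_text, threshold=3):
    """Return sorted (user, client) pairs with at least `threshold` wrong passwords."""
    counts = Counter((r["user"], r["client"]) for r in bad_logins(log_text)
                     if r["cause"] == "Login-Incorrect")
    return sorted(pair for pair, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for rec in bad_logins(SAMPLE_LOG):
        print(rec)
    print("repeated failures:", noisy_users(SAMPLE_LOG))
```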
If your FreeRadius radius server is also recording the accounting packets from your NAS in the MySQL db, you can display them or make reports based on the data.
A click on "Accounting" will bring up the accounting form where you can select the attributes you would like to display.
Normally, when a user logs in the NAS sends an accounting start packet to the radius server, and when the user logs out the NAS sends a stop packet. Let's assume you stopped FreeRadius for a short time while a NAS was sending a stop packet: the packet is not processed and gets lost, and dialup admin still shows the user as logged in (Online Users).
To delete such stale sessions (records with stoptime = 0) there is a perl script in the folder bin/ called clean_radacct. It will delete all entries in the radacct table that are older than 1 day and have stoptime = 0.