Nov 15 2006

Emacs Configuration

Published under Misc

Emacs is a very powerful editor available on all UNIX platforms and even Windows, but it usually needs a bit of tweaking to get some features activated. Check the manual for a complete list of options. Here’s a small .emacs file that you can place in your home directory to activate colors, for example when opening Perl or C files. Emacs detects the file extension and switches to the appropriate mode.


        ;; Syntax hilighting!!
        (global-font-lock-mode t)

        ;; Hilight matching parenthesis
        (show-paren-mode 1)

        ;; fix missing INSERT key to toggle overwrite-mode on the console
        (global-set-key [insertchar] 'overwrite-mode)

        ;; Perl
        ;; Enable colors and "cperl" mode
        (add-to-list 'auto-mode-alist '("\\.pl$" . cperl-mode))
        (add-to-list 'auto-mode-alist '("\\.pm$" . cperl-mode))
        (add-to-list 'interpreter-mode-alist '("perl" . cperl-mode))

        ;; This requires special setup by calling loadkeys(1) from .profile!
        (global-set-key (kbd "ESC [ M") 'dabbrev-expand)

        ;; remove underscore for whitespace
        ;; This is annoying as Perl contains a lot of underscores
        (setq cperl-invalid-face nil)

There is much more you can add into this file but this answers most of my needs.

 


Oct 11 2006

Archive Accounting Records in Freeradius

Published under Freeradius, Mysql

Logging Radius accounting into a Mysql database can fill up a lot of space, and performance issues will arise at some stage as well, especially if traffic reporting scripts are to be added to the overall system. That’s why we added a new table to archive older Freeradius accounting records.



Motivations

We could of course delete all records older than a certain amount of time. However, we work with ISPs and accounting provides these 2 important features:
– Traffic reporting for customers
– Past information about IP address ownership
Not sure how long ISPs are legally required to keep this last kind of information, but 3 months should be a good compromise. Why not just delete data older than 3 months? It might be just personal, but I like to keep all data for future checks. Someone might complain that he’s been charged and hasn’t used the connection in the last 10 months. How would we check he’s telling the truth?


Creating the New Archive Table

We start from a proper Freeradius installation running with a Mysql database. Accounting is stored in the radacct table. Mysql provides a storage engine that can handle large amounts of data such as logs. The ARCHIVE engine supports neither deletion nor indexing, so queries obviously run slower. This is a minor issue as we rarely need to access this table. On the other hand, data is compressed so it takes very little space. You can find a very good article about storage engines written by Robin Schumacher, MySQL’s Director of Product Management, at http://dev.mysql.com/tech-resources/articles/storage-engine.html. Here’s the table creation code (check that it matches the latest Freeradius radacct table version):

CREATE TABLE `radacctold` (
  `RadAcctId` bigint(21) NOT NULL,
  `AcctSessionId` varchar(128) default NULL,
  `AcctUniqueId` varchar(32) NOT NULL default '',
  `UserName` varchar(64) NOT NULL default '',
  `Realm` varchar(64) default '',
  `NASIPAddress` varchar(15) NOT NULL default '',
  `NASPortId` int(12) default NULL,
  `NASPortType` varchar(32) default NULL,
  `AcctStartTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `AcctStopTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `AcctSessionTime` int(12) default NULL,
  `AcctAuthentic` varchar(32) default NULL,
  `ConnectInfo_start` varchar(32) default NULL,
  `ConnectInfo_stop` varchar(32) default NULL,
  `AcctInputOctets` int(12) unsigned default NULL,
  `AcctOutputOctets` bigint(12) default NULL,
  `CalledStationId` varchar(50) NOT NULL default '',
  `CallingStationId` varchar(50) NOT NULL default '',
  `AcctTerminateCause` varchar(32) NOT NULL default '',
  `ServiceType` varchar(32) default NULL,
  `FramedProtocol` varchar(32) default NULL,
  `FramedIPAddress` varchar(15) NOT NULL default '',
  `AcctStartDelay` int(12) default NULL,
  `AcctStopDelay` int(12) default NULL
) ENGINE = ARCHIVE;


It is basically a copy of the original table with no index and no primary key. Only the storage engine is different.
Note: you can check that the archive engine is available on your installation with the statement SHOW ENGINES;.


Moving Accounting Data Across

The second step is to migrate old data from the original table to the one we just created. A simple stored procedure can do the job:

DELIMITER $$
CREATE PROCEDURE radius.archive_acct()
BEGIN
  -- Copy closed sessions that started more than 3 months ago into the archive ...
  INSERT INTO radacctold
    SELECT * FROM radacct
    WHERE acctstoptime > 0
    AND date(acctstarttime) < (CURDATE() - INTERVAL 3 MONTH);
  -- ... then drop the same rows from the live table.
  DELETE FROM radacct
    WHERE acctstoptime > 0
    AND date(acctstarttime) < (CURDATE() - INTERVAL 3 MONTH);
END$$
DELIMITER ;


Launch the procedure once a day and you’re sorted for a while. No maintenance is needed and performance remains good. You can also modify it to just delete old records.
At the time of this writing MySQL 5.1 is still in beta, so we won’t use events to fire up the script. A simple cron job does the job in the meantime.
I suggest you split the table into multiple partitions (the Archive engine supports partitioning) for faster queries and the ability to delete older data by year. Archiving Freeradius accounting is fairly easy.
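As an added example (not the post’s own code), here is the same archive move together with the lookup the archive exists to serve, run against an in-memory SQLite stand-in for the MySQL tables with constructed sample sessions. It snapshots the row ids first so the INSERT and DELETE cannot act on different rows, and 30-day months approximate CURDATE() - INTERVAL 3 MONTH.

```python
import sqlite3
from datetime import datetime, timedelta
# Reduced copies of the two tables (SQLite stands in for MySQL here; the ARCHIVE
# engine itself is not involved). Constructed sample sessions, not real data.
DDL = """
CREATE TABLE radacct    (RadAcctId INTEGER, UserName TEXT, FramedIPAddress TEXT,
                         AcctStartTime TEXT, AcctStopTime TEXT);
CREATE TABLE radacctold (RadAcctId INTEGER, UserName TEXT, FramedIPAddress TEXT,
                         AcctStartTime TEXT, AcctStopTime TEXT);
"""
# An empty AcctStopTime stands for the '0000-00-00 00:00:00' default of an open session.
ROWS = [
    (1, "alice", "10.0.0.5", "2006-01-03 08:00:00", "2006-01-03 17:30:00"),
    (2, "bob",   "10.0.0.5", "2006-02-10 09:00:00", "2006-02-11 09:00:00"),
    (3, "carol", "10.0.0.5", "2006-09-20 10:00:00", "2006-09-20 11:00:00"),
    (4, "dave",  "10.0.0.7", "2006-06-01 07:00:00", ""),
]
TODAY = datetime(2006, 10, 11)

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(DDL)
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", ROWS)
    return db

def archive_old_sessions(db, today=TODAY, months=3):
    cutoff = (today - timedelta(days=30 * months)).strftime("%Y-%m-%d %H:%M:%S")
    # Snapshot the ids first: INSERT and DELETE then act on exactly the same rows,
    # even if a stop record lands on an old open session between the two steps.
    ids = [r[0] for r in db.execute(
        "SELECT RadAcctId FROM radacct WHERE AcctStopTime <> '' "
        "AND AcctStartTime < ? ORDER BY RadAcctId", (cutoff,))]
    params = [(i,) for i in ids]
    db.executemany("INSERT INTO radacctold SELECT * FROM radacct WHERE RadAcctId = ?", params)
    db.executemany("DELETE FROM radacct WHERE RadAcctId = ?", params)
    db.commit()
    return ids

def who_had_ip(db, ip, at):
    # The question the archive is kept for: which account held this address at
    # that moment? Live and archived sessions are searched together.
    sql = """SELECT UserName FROM radacct
             WHERE FramedIPAddress = ? AND AcctStartTime <= ?
               AND (AcctStopTime = '' OR AcctStopTime >= ?)
             UNION ALL
             SELECT UserName FROM radacctold
             WHERE FramedIPAddress = ? AND AcctStartTime <= ? AND AcctStopTime >= ?"""
    return [r[0] for r in db.execute(sql, (ip, at, at, ip, at, at))]
```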

 


Sep 26 2006

Apache Authentication against Active Directory

Published under Apache, Ldap

A typical setup in a company is made of Windows clients authenticating against a central Active Directory. Many also have an Apache server on which they could host their Intranet or other critical information. Talking about critical information, there is a good chance access should be restricted to certain groups of people. I was asked to install a wiki for my team to build a knowledge base, likely to contain sensitive information about the company. I thought authenticating Apache against Active Directory would be a good solution.

Why Authenticate Apache against Windows AD?

  • It is quick to implement
  • Nobody likes to have multiple accounts. It’s a human thing to forget usernames and passwords
  • There is no need to recreate each single account
  • Everything is centralised. Access to the web server is denied if the AD account is disabled
  • Access can be granted to users who belong to Active Directory groups

Even though I’m not pro-Microsoft, these are reasons enough to take the plunge!


Bind to Active Directory

Active Directory is LDAP (Lightweight Directory Access Protocol) compliant, meaning you can run queries to retrieve information about users and computers on the domain. You can use the ldapsearch client to browse its structure. However, you need to create a special user who binds to the domain controller to get user details.

  • Connect to your domain controller and create a new user in “Active Directory Users and Computers”.
  • Untick “User must change password at next logon”.
  • Username and password will be needed to bind the Apache server to the domain controller.

The next step is to get your LDAP domain name. We’ll assume it is ‘location.company.com’. If you don’t know it, run through the following procedure to find out.
  • Run ldp.exe on the domain controller.
  • Click ‘Connection’ -> ‘Connect’ from the top menu and leave ‘localhost’ in the bottom field.
  • Then click ‘Connection’ -> ‘Bind’ from the top menu and enter the details of the user you created earlier.
  • Now go to ‘Browse’ -> ‘Search’ and press ‘enter’. This returns a list of all objects present in the directory. It is a bit austere but you can easily find the user entries. An entry should look similar to this:

Dn: CN=John Doe,CN=Users,DC=location,DC=company,DC=com
objectClass: top; person; organizationalPerson; user;
cn: John Doe;
description: John Doe;

 
We are now going to configure the Apache module.

Configure Apache Authentication

Check that mod_auth_ldap or mod_authz_ldap is activated in the load modules section of httpd.conf. The module configuration can be added to httpd.conf but it’s always a good idea to keep it in a separate file. Apache on Redhat stores module config files in /etc/httpd/conf.d/. I added the following lines to authz_ldap.conf:

<Location /protected>
Order deny,allow
Allow from all
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL ldap://your-domain-controller:389/CN=Users,DC=location,DC=company,DC=com?sAMAccountName?sub?(objectClass=user)
# Or eventually with a filter on a group
# ldap://your-domain-controller:389/CN=Users,DC=location,DC=company,DC=com?sAMAccountName?sub?(memberOf=CN=MyGroup,CN=Users,DC=location,DC=company,DC=com)
# The bind password is stored in clear text: keep this file readable by root only
AuthLDAPBindDN cn=myusername,cn=Users,dc=location,dc=company,dc=com
AuthLDAPBindPassword mypassword
AuthType Basic
AuthName "Protected"
require valid-user
</Location>

 
myusername and mypassword must match the user and password you created to bind to Active Directory.
Finally, restart the Apache service and you’re done! A window asking for a username and password will pop up when accessing the “protected” directory.


Notes on Authentication

Do not prefix the username with the domain name as you would for a Windows logon (DOMAINNAME\user); you would get a “wrong credential” message in the Apache logs.

It is also possible to fall back to other authentication methods. Simply add the keyword AuthLDAPAuthoritative followed by AuthUserFile /var/www/html/Protected/htpasswd, for example, if your .htaccess file is located there. With this method you can authenticate on Apache with a user that doesn’t exist in Active Directory.
The <Location /protected> directive is recursive, meaning that all pages in subdirectories are protected as well. If you want to give public access to the subdirectory /pub, you can use the following set of instructions:

<Location "/pub">
    Order allow,deny
    Allow from all
    Satisfy any
</Location>


I would like to thank my great workmate Phil for helping me out with this. Visit his webpage at www.brassy.net.

 


Sep 26 2006

Disconnect Radius Users with the Packet of Disconnect

Published under Freeradius

Our goal here is to automatically reset a customer whose Radius settings have changed. This is useful after putting him on restriction or cutting him off in case of excessive usage. We were surprised to find very little information about the “Packet Of Disconnect” when typing Radius into a search engine. We wrote a script in the Expect language that would log in to the router and reset the connection based on the username.
Even though it does the job, we don’t think the method is appropriate. We get the feeling we are emulating a robot doing something that should be done manually. It’s hard to deal with errors because you’re supposed to know what to expect. Anyway, here’s a much better solution: the Radius “Packet Of Disconnect”, which we are going to use with a Freeradius user database.


Packet Of Disconnect

We shouldn’t have to detail too much.

All information is on the Freeradius wiki. We just thought it wasn’t obvious to find it even once on the wiki.
A few comments on this:

  • You don’t have to send all fields to reset a connection. The username is sufficient but I find it more secure to add the session id.
  • You need to let your Network Access Server (NAS) listen to port 1700. Check out the next section to activate it on Cisco.


Configuring the Router / NAS

The NAS needs to listen for requests on UDP port 1700. It can be changed of course, but this is the standard. Again, this example is specific to Cisco; check your documentation if you have other kinds of devices on your network. You need to run the aaa pod command to enable the packet of disconnect port:

aaa pod server clients your-server auth-type any server-key your-shared-secret

Replace your-server with the IP of the server that will host the reset script.
We have set ‘auth-type’ to ‘any’ as I am only sending the username and session id parameters; not all of them are needed security-wise. You can get more information about this in the Cisco command reference.


Disconnection Script

The documentation on the Freeradius wiki should be sufficient, but we wanted to mention a quick way to retrieve the NAS and session id. A simple line of SQL will do if you have configured a database such as Mysql or Postgresql to store accounting data (I highly recommend it, it’s so much easier to search for data!):

SELECT Username, AcctSessionId, NASIPAddress
FROM radacct
WHERE username='username'
AND acctstoptime = 0
ORDER BY acctstarttime DESC limit 1;


If no record is returned, the user is not connected and there is nothing to reset.
With all the information needed, you can simply reset the Radius connection like this:

$ echo "Acct-Session-Id=D91XXXXXXXXX097" > packet.txt
$ echo "User-Name=username" >> packet.txt
$ echo "NAS-IP-Address=nasIPaddress" >> packet.txt

$ cat packet.txt | radclient -x nasIPaddress:1700 disconnect 'secret'
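As an added example, not from the post or from FreeRADIUS, here is what radclient builds from packet.txt: a RADIUS Disconnect-Request (RFC 5176) carrying the three attributes above, together with the check a NAS performs with its server-key before honouring it. The session id, address, identifier and secret are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import struct

DISCONNECT_REQUEST = 40  # RADIUS packet code for Disconnect-Request (RFC 5176)
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44  # attribute types used here

def _avp(attr_type, value):
    # One attribute: type, length (value plus the 2-byte header), value of 1..253 bytes.
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(secret, ident, username, nas_ip, session_id):
    # The three attributes packet.txt carries. The Request Authenticator is MD5 over
    # header, 16 zero bytes, attributes and shared secret, so only a sender holding
    # the secret can produce a packet the NAS will accept.
    attrs = (_avp(USER_NAME, username.encode())
             + _avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _avp(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_disconnect_request(packet, secret):
    # NAS-side check: recompute the authenticator with the configured server-key
    # and compare in constant time; a wrong secret or a truncated packet fails.
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    # Walk the attribute list after the 20-byte header; returns {type: raw value}.
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 3 or pos + length > len(packet):
            raise ValueError("malformed attribute length at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

Sending the result over UDP to port 1700 of the NAS is what radclient does for you; the verify function shows why the server-key on the router and the secret given to radclient must match.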
 
