This tutorial describes how to set up multiple PPPoE servers,
accessible from the LAN as a load balanced system, with all
servers connected to the same router.
Content
-----------
1. Introduction: purpose of the project
2. The simplest setup for a PPPoE Server
3. Network Topology for Load Balanced PPPoE Servers
4. Technologies we used
5. Setting up the Router
6. Set up the PPPoE servers
7. Set up Radius and MySQL
8. Set up the Router and PPPoE servers to work with OSPF
9. Firewalls and Traffic Shaping
10. Testing
1. Introduction: purpose of the project
----------------------------------------------------
On medium or large networks an easy way to offer Internet
access to private users or to companies is to use PPPoE
servers. Customers authenticate with a username and a
password, log in to the PPPoE server and get an Internet
connection.
PPPoE stands for Point-to-Point Protocol over Ethernet. This
technology can be used to authenticate users connected to
your own ISP over ADSL, cable modem infrastructure or even
plain Ethernet. So it is possible to offer Internet
connections to users on local Ethernet networks using PPPoE.
2. The simplest setup for a PPPoE server
--------------------------------------------------------
To learn how to set up a PPPoE server, go to the
"Setup a PPPoE Server with MPD" tutorial. You will find
there the basics of setting up a PPPoE server.
3. Network Topology for Load Balanced PPPoE Servers
--------------------------------------------------------------------------
The previous example will work for a small network, but it
has no firewall or traffic shaping. It is useful for
understanding how to set up a FreeBSD PPPoE server. From this
section on, a real-world example is presented, with complete
configuration files.
The next picture shows a network topology for a small or
medium size ISP that uses PPPoE servers for its customers:
This is an example; in a real-world setup the topology may
differ in complexity.
4. Technologies we used
----------------------------------
- Operating System: FreeBSD 6.x (on the Router and on the
PPPoE Servers)
- Firewall and traffic shaper on the Router: OpenBSD's PF
(packet filter)
- Firewall and traffic shaper on the PPPoE Servers: IPFW
- MPD for the PPPoE Server - mpd-4.3
- OSPF routing protocol (with quagga) - quagga-0.99.8_2
- radius server - freeradius-1.1.4_1
- all users from the LAN have assigned public IPs, routed to
the Router's public IP. We also have a small public subnet
that we used for the Router and the PPPoE servers
The purpose of this setup is to assign public IPs to LAN
computers and to load balance the PPPoE servers. If you do
not have public IPs for every user, you do not need the OSPF
routing protocol: just assign a private subnet to every
PPPoE server and it will work.
The PPPoE servers respond to requests from clients on their
LAN interfaces in a round robin way, and assign IPs to the
LAN clients. If you reboot one server, all users connected
to that server are disconnected and then reconnect to
another server from the pool.
If you have read the previous version you have seen the full
network topology. For this tutorial we simplified that
picture, so our network topology is presented in the next
picture:
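As an added example (not code from the tutorial), this is the discovery exchange that lets several PPPoE servers share one LAN segment, in Python: the client broadcasts a PADI, every server whose service matches (mpd's service "*" accepts anything) answers with a PADO echoing the client's Host-Uniq, and the client takes the first valid PADO, which is what spreads sessions over the pool and silently drops a rebooted server from the candidates. MAC addresses, AC names and the arrival order are constructed sample data.

```python
import struct

# Ethertype, codes and tag types from RFC 2516 (PPPoE discovery stage)
ETH_P_PPPOE_DISC = 0x8863
PADI, PADO = 0x09, 0x07
TAG_EOL, TAG_SERVICE, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0000, 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6

def build_frame(dst, src, code, session_id, tags):
    # Ethernet header + PPPoE header (ver=1, type=1) + TLV tags, big-endian
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + hdr + payload

def parse_frame(frame):
    # Strict parser: wrong ethertype, bad version/type or a tag running past the
    # declared payload length is rejected instead of being guessed at
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    vt, code, sid, length = struct.unpack("!BBHH", frame[14:20])
    if vt != 0x11 or len(frame) < 20 + length:
        raise ValueError("bad PPPoE header or truncated payload")
    body, tags, off = frame[20:20 + length], [], 0
    while off + 4 <= length:
        t, l = struct.unpack("!HH", body[off:off + 4])
        if t == TAG_EOL:
            break
        if off + 4 + l > length:
            raise ValueError("tag overruns payload")
        tags.append((t, body[off + 4:off + 4 + l]))
        off += 4 + l
    return {"dst": frame[:6], "src": frame[6:12], "code": code, "session_id": sid, "tags": tags}

def tag_value(tags, wanted):
    return next((v for t, v in tags if t == wanted), None)

def build_padi(client_mac, service, host_uniq):
    # Client broadcasts a PADI; Host-Uniq lets it match the replies to this request
    return build_frame(BROADCAST, client_mac, PADI, 0, [(TAG_SERVICE, service), (TAG_HOST_UNIQ, host_uniq)])

def answer_padi(server_mac, ac_name, accepted_service, frame):
    # Server side, mirroring mpd's `set pppoe service "*"`: "*" accepts any
    # Service-Name, otherwise only an empty (any) or matching request gets a PADO
    req = parse_frame(frame)
    if req["code"] != PADI or req["dst"] != BROADCAST:
        return None
    svc = tag_value(req["tags"], TAG_SERVICE) or b""
    if accepted_service != b"*" and svc not in (b"", accepted_service):
        return None  # a service we do not offer: stay silent
    tags = [(TAG_AC_NAME, ac_name), (TAG_SERVICE, svc)]
    host_uniq = tag_value(req["tags"], TAG_HOST_UNIQ)
    if host_uniq is not None:
        tags.append((TAG_HOST_UNIQ, host_uniq))  # must be echoed back unchanged
    return build_frame(req["src"], server_mac, PADO, 0, tags)

def choose_server(host_uniq, pado_frames):
    # Client side: the first PADO that echoes our Host-Uniq and names an AC wins
    for p in (parse_frame(f) for f in pado_frames):
        if p["code"] == PADO and tag_value(p["tags"], TAG_HOST_UNIQ) == host_uniq:
            return tag_value(p["tags"], TAG_AC_NAME).decode()
    return None

def demo():
    # Constructed scenario: one client, three servers (pppoe1..3) on the same LAN
    client, uniq = bytes.fromhex("020000000001"), b"\x00\x00\x00\x2a"
    servers = [(bytes.fromhex("02000000001%d" % i), b"pppoe%d" % i) for i in (1, 2, 3)]
    padi = build_padi(client, b"", uniq)  # empty Service-Name = any service
    pados = [answer_padi(mac, name, b"*", padi) for mac, name in servers]
    # whichever PADO arrives first is taken; here pppoe2 answered fastest
    return choose_server(uniq, [pados[1], pados[0], pados[2]])
```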
Assuming that our configuration details are:
Router
---------
Public IP of router (fxp0): 80.10.10.2, gateway 80.10.0.1,
netmask 255.255.255.0 (this is the line that comes from our
ISP)
Public IP 2 of router (fxp1): 80.80.0.1, netmask
255.255.255.224 (this is connected to the PPPoE servers)
Hostname: router.example.com
PPPoE Server 1
---------------------
Public IP (fxp0): 80.80.0.2, netmask 255.255.255.224
(this is the interface connected to the Router and the other
PPPoE servers)
No IP for the LAN interface (fxp1)
PPPoE Server 2
---------------------
Public IP (fxp0): 80.80.0.3, netmask 255.255.255.224
(this is the interface connected to the Router and the other
PPPoE servers)
No IP for the LAN interface (fxp1)
PPPoE Server 3
---------------------
Public IP (fxp0): 80.80.0.4, netmask 255.255.255.224
(this is the interface connected to the Router and the other
PPPoE servers)
No IP for the LAN interface (fxp1)
5. Setting up the Router
--------------------------------
The configuration files for the Router are presented next.
# ----------- rc.conf file ----------------------
defaultrouter="80.10.10.1"
gateway_enable="YES"
hostname="router.example.com"
ifconfig_fxp0="inet 80.10.10.2 netmask 255.255.255.0"
ifconfig_fxp1="inet 80.80.0.1 netmask 255.255.255.224"
sshd_enable="YES"
usbd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
# -----------------end rc.conf------------------
# ------------- pf.conf file --------------------
ext_if="fxp0"
int_if="fxp1"
# Placeholder ruleset: PF passes everything in this example. Filtering and
# shaping for customers is done with IPFW on the PPPoE servers (section 9).
pass quick all
# ----------------end pf.conf------------------
6. Set up the PPPoE servers
-------------------------------------
We will show the configuration files for PPPoE 1. You will
have to configure the rest of your PPPoE servers in a
similar way, changing only the IP of the PPPoE server
according to the diagram (or, of course, to your particular
setup).
# ----------- rc.conf file PPPoE 1 ----------------------
defaultrouter="80.80.0.1"
gateway_enable="YES"
hostname="pppoe.example.com"
# fxp0 sits in the 80.80.0.0/27 subnet shared with the router and the
# other PPPoE servers, so the netmask is 255.255.255.224
ifconfig_fxp0="inet 80.80.0.2 netmask 255.255.255.224"
ifconfig_fxp1="inet 10.0.0.1 netmask 255.255.255.0"
sshd_enable="YES"
usbd_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
quagga_enable="YES"
quagga_flags="-d"
quagga_daemons="zebra ospfd"
watchquagga_enable="YES"
# -----------------end rc.conf------------------
# -------------- mpd.conf file -----------------
# mpd4 syntax: labels start at column 0, commands are indented
default:
    log auth iface
    load s0
    load s1
    load s2
    load s3

# four pre-created bundles, each accepting one incoming PPPoE session on fxp1
s0:
    new -i ng0 s0 ppplink0
    load generic

s1:
    new -i ng1 s1 ppplink1
    load generic

s2:
    new -i ng2 s2 ppplink2
    load generic

s3:
    new -i ng3 s3 ppplink3
    load generic

generic:
    set iface enable proxy-arp
    set pppoe iface fxp1
    set iface idle 0
    set iface mtu 1462
    set iface enable tcpmssfix
    set link accmap 0
    set link enable pap
    set link enable chap
    set link accept chap-msv2
    set link max-redial -1
    set link keep-alive 10 80
    set link no acfcomp
    set link no protocomp
    set ipcp no vjcomp
    set ipcp dns 80.20.0.1 80.20.0.2
    set bundle enable noretry
    set bundle enable multilink
    set auth max-logins 1
    set pptp disable windowing
    set pptp enable always-ack
    set iface up-script /usr/local/etc/mpd4/addclient.sh
    set iface down-script /usr/local/etc/mpd4/removeclient.sh
    # authentication and accounting go to the radius server; the secret
    # must match the one in clients.conf on the radius server
    set auth enable radius-auth
    set auth enable radius-acct
    set radius server 80.80.0.5 secret_password
    set radius timeout 7
    set radius retries 5
# ---------------- end mpd.conf file ----------
# --------------- mpd.links file ----------------
ppplink0:
    set link type pppoe
    set pppoe iface fxp1
    set pppoe service "*"
    set pppoe enable incoming

ppplink1:
    set link type pppoe
    set pppoe iface fxp1
    set pppoe service "*"
    set pppoe enable incoming

ppplink2:
    set link type pppoe
    set pppoe iface fxp1
    set pppoe service "*"
    set pppoe enable incoming

ppplink3:
    set link type pppoe
    set pppoe iface fxp1
    set pppoe service "*"
    set pppoe enable incoming
# --------------end mpd.links file -------------
7. Set up Radius and MySQL
------------------------------------
# ------------------- /usr/local/etc/raddb/clients.conf ----------
# one client entry per PPPoE server (NAS); the secret must match
# "set radius server" in that server's mpd.conf
client 80.80.0.2 {
    secret = secret_password
    shortname = pppoe1
    nastype = other # mpd on PPPoE server 1
}
client 80.80.0.3 {
    secret = secret_password
    shortname = pppoe2
    nastype = other # mpd on PPPoE server 2
}
client 80.80.0.4 {
    secret = secret_password
    shortname = pppoe3
    nastype = other # mpd on PPPoE server 3
}
# ------------------- end clients.conf ---------------------------
Edit in /usr/local/etc/raddb/sql.conf the following:
# Connect info
server = "localhost"
login = "raduser"
password = "password"
# Database table configuration
radius_db = "radius"
Use your database information instead.
Modify the radius.conf file. The configuration file is quite
large, so you can view it here.
Create a new database for radius holding the clients'
information, with the following tables:
radacct - accounting table, used for logging purposes
radcheck - table that keeps usernames and passwords
radgroupcheck - check attributes for groups
radgroupreply - reply attributes for groups
radpostauth - table used for logging purposes
radreply - table that keeps the IPs of the users
usergroup - shows the group each user belongs to
create database radius;
use radius;
-- ------------- Table structure for table `radacct` -------------------
CREATE TABLE `radacct` (
  `RadAcctId` bigint(21) NOT NULL auto_increment,
  `AcctSessionId` varchar(32) NOT NULL default '',
  `AcctUniqueId` varchar(32) NOT NULL default '',
  `UserName` varchar(64) NOT NULL default '',
  `Realm` varchar(64) default '',
  `NASIPAddress` varchar(15) NOT NULL default '',
  `NASPortId` int(12) default NULL,
  `NASPortType` varchar(32) default NULL,
  `AcctStartTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `AcctStopTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `AcctSessionTime` int(12) default NULL,
  `AcctAuthentic` varchar(32) default NULL,
  `ConnectInfo_start` varchar(32) default NULL,
  `ConnectInfo_stop` varchar(32) default NULL,
  `AcctInputOctets` bigint(12) default NULL,
  `AcctOutputOctets` bigint(12) default NULL,
  `CalledStationId` varchar(50) NOT NULL default '',
  `CallingStationId` varchar(50) NOT NULL default '',
  `AcctTerminateCause` varchar(32) NOT NULL default '',
  `ServiceType` varchar(32) default NULL,
  `FramedProtocol` varchar(32) default NULL,
  `FramedIPAddress` varchar(15) NOT NULL default '',
  `AcctStartDelay` int(12) default NULL,
  `AcctStopDelay` int(12) default NULL,
  PRIMARY KEY (`RadAcctId`),
  KEY `UserName` (`UserName`),
  KEY `FramedIPAddress` (`FramedIPAddress`),
  KEY `AcctSessionId` (`AcctSessionId`),
  KEY `AcctUniqueId` (`AcctUniqueId`),
  KEY `AcctStartTime` (`AcctStartTime`),
  KEY `AcctStopTime` (`AcctStopTime`),
  KEY `NASIPAddress` (`NASIPAddress`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1214869 ;
-- ----------------- Table structure for table `radcheck` --------------------------
CREATE TABLE `radcheck` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `UserName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '==',
  `Value` varchar(253) NOT NULL default '',
  PRIMARY KEY (`id`),
  KEY `UserName` (`UserName`(32))
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=5811 ;
-- --------------- Table structure for table `radgroupcheck` ------------------
CREATE TABLE `radgroupcheck` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `GroupName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '==',
  `Value` varchar(253) NOT NULL default '',
  PRIMARY KEY (`id`),
  KEY `GroupName` (`GroupName`(32))
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;
-- ----------------- Table structure for table `radgroupreply` ---------------
CREATE TABLE `radgroupreply` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `GroupName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '=',
  `Value` varchar(253) NOT NULL default '',
  `prio` int(10) unsigned NOT NULL default '0',
  PRIMARY KEY (`id`),
  KEY `GroupName` (`GroupName`(32))
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=9 ;
-- ------------------ Table structure for table `radpostauth` ------------
CREATE TABLE `radpostauth` (
  `id` int(11) NOT NULL auto_increment,
  `user` varchar(64) NOT NULL default '',
  `pass` varchar(64) NOT NULL default '',
  `reply` varchar(32) NOT NULL default '',
  `date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1203292 ;
-- ------------ Table structure for table `radreply` ----------------
CREATE TABLE `radreply` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `UserName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '=',
  `Value` varchar(253) NOT NULL default '',
  PRIMARY KEY (`id`),
  KEY `UserName` (`UserName`(32))
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=6283 ;
-- ----------- Table structure for table `usergroup` -------------
CREATE TABLE `usergroup` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `UserName` varchar(64) NOT NULL default '',
  `GroupName` varchar(64) NOT NULL default '',
  `priority` int(11) NOT NULL default '1',
  PRIMARY KEY (`id`),
  KEY `UserName` (`UserName`(32))
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=7505 ;
Create one group for all users; we'll call it dynamic:
INSERT INTO `radgroupcheck` (`id`, `GroupName`, `Attribute`, `op`, `Value`) VALUES
(2, 'dynamic', 'Simultaneous-Use', ':=', '1'),
(1, 'dynamic', 'Auth-Type', '==', 'Local');
-- the value name is spelled Van-Jacobson-TCP-IP in the RADIUS dictionary
INSERT INTO `radgroupreply` (`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES
(1, 'dynamic', 'Framed-Compression', ':=', 'Van-Jacobson-TCP-IP', 0),
(2, 'dynamic', 'Framed-Protocol', ':=', 'PPP', 0),
(3, 'dynamic', 'Service-Type', ':=', 'Framed-User', 0),
(4, 'dynamic', 'Framed-MTU', ':=', '1500', 0),
(5, 'dynamic', 'X-Ascend-Assign-IP-Pool', ':=', '0', 0),
(6, 'dynamic', 'X-Ascend-Maximum-Time', ':=', '7200', 0),
(8, 'dynamic', 'Idle-Timeout', ':=', '1800', 0);
Add users to the database. To add a user, insert the
following rows (NULL lets the id column auto-increment):
insert into radcheck values (NULL, 'customer1', 'Password', '==', 'password');
insert into radreply values (NULL, 'customer1', 'Framed-IP-Address', ':=', '80.0.0.20');
insert into usergroup values (NULL, 'customer1', 'dynamic', 1);
8. Set up the Router and PPPoE servers to work with OSPF
-------------------------------------------------------------------------
Add the following to rc.conf:
quagga_enable="YES"
quagga_flags="-d"
quagga_daemons="zebra ospfd"
Edit the file /usr/local/etc/rc.d/quagga and replace the
line:
: ${quagga_enable="NO"}
with
: ${quagga_enable="YES"}
Then start quagga:
/usr/local/etc/rc.d/quagga start
Here are the configuration files needed to set up OSPF. You
need to make similar configuration files for each PPPoE
server and for the router. On a PPPoE server, redistribute
connected advertises the host route that mpd creates on an
ng interface when a customer session comes up, so the router
always learns which server currently holds each customer's
public IP; the ng interfaces are passive because no OSPF
neighbor lives on the customer side.
# ------------------------- zebra.conf ----------------------
hostname PPPOE1-zebra
password zebra_password
enable password zebra_enable_password
!log file /var/log/zebra.log
interface fxp0
!
interface fxp1
!
interface lo0
!
ip forwarding
ipv6 forwarding
!
line vty
# ------------------------- end zebra.conf ----------------------
# ------------------------- ospfd.conf ----------------------
hostname PPPOE1-ospf
password ospfd_password
enable password ospfd_enable_password
log file /var/log/ospf.log
!
interface fxp0
!
interface fxp1
!
interface lo0
!
router ospf
ospf router-id 80.80.0.2
redistribute connected
passive-interface ng0
passive-interface ng1
passive-interface ng2
passive-interface ng3
network 80.80.0.0/27 area 0.0.0.0
neighbor 80.80.0.3
!
line vty
!
# ------------------------- end ospfd.conf ----------------------
9. Firewalls and Traffic Shaping
------------------------------------------
# ------------------------- rc.firewall ----------------------
#!/bin/sh
cmd="/sbin/ipfw -q"
lif="fxp1"
lif_ng="ng*"
pif="fxp0"
# we have 2 types of subscriptions which will have different bandwidth setups
ab500="80.80.0.0/25"
ab350="80.80.0.128/25"
net="80.80.0.128/24"
# bandwidth extern
down500_extern="8000kbits/s"
up500_extern="2000kbits/s"
down350_extern="4000kbits/s"
up350_extern="2000kbits/s"
# metropolitan bandwidth
down500_metro="20000kbits/s"
up500_metro="10000kbits/s"
down350_metro="10000kbits/s"
up350_metro="10000kbits/s"
queue="64"
gred="0.02/6/18/0.1"
# the pipe -> queue -> skipto chains below need a packet to keep traversing
# the ruleset after a dummynet action, so one_pass must be off
/sbin/sysctl net.inet.ip.fw.one_pass=0
#flush rules
$cmd flush
$cmd pipe flush
# table for allowed fixed ip users
#$cmd table 1 flush
#table for warned users (clients that have not paid in time)
$cmd table 2 flush
#table for metropolitan networks
#$cmd table 3 flush
# load fixed ip and metro network tables
/etc/rc.tables
# pipe 1 --> internet pipe (35M)
# pipe 10 --> metropolitan pipe (90M)
# ------------------- extern ---------------------
# pipe 2 --> pipe download ab500 - mask 0x0000ffff 4096K
# pipe 3 --> pipe download ab350 - mask 0x0000ffff 1024K
# pipe 4 --> pipe upload ab500 - mask 0x0000ffff 512K
# pipe 5 --> pipe upload ab350 - mask 0x0000ffff 256K
# queue 1 --> down prioritized traffic - mask 0x0000ffff weight 15
# queue 2 --> down not prioritized traffic - mask 0x0000ffff weight 10
# ------------------- metropolitan ---------------------
# pipe 12 --> pipe download ab500 - mask 0x0000ffff 10240K
# pipe 13 --> pipe download ab350 - mask 0x0000ffff 10240K
# pipe 14 --> pipe upload ab500 - mask 0x0000ffff 4096K
# pipe 15 --> pipe upload ab350 - mask 0x0000ffff 4096K
# queue 10 --> down prioritized traffic - mask 0x0000ffff weight 15
# queue 11 --> down not prioritized traffic - mask 0x0000ffff weight 10
# --------------------- EXTERN---------------------
$cmd pipe 1 config bw 45000Kbit/s
#queues download
$cmd queue 1 config weight 15 pipe 1 queue 100 mask dst-ip 0xffffffff
$cmd queue 2 config weight 10 pipe 1 queue 50 mask dst-ip 0xffffffff
# pipe for download ab500
$cmd pipe 2 config bw $down500_extern mask dst-ip 0xffffffff queue $queue gred $gred
#upload ab500
$cmd pipe 4 config bw $up500_extern mask src-ip 0xffffffff queue $queue gred $gred
# pipe for download ab350
$cmd pipe 3 config bw $down350_extern mask dst-ip 0xffffffff queue $queue gred $gred
#upload ab350
$cmd pipe 5 config bw $up350_extern mask src-ip 0xffffffff queue $queue gred $gred
# --------------------- METROPOLITAN---------------------
$cmd pipe 10 config bw 120000Kbit/s
#queues download
$cmd queue 10 config weight 15 pipe 10 queue 100 mask dst-ip 0xffffffff
$cmd queue 11 config weight 10 pipe 10 queue 50 mask dst-ip 0xffffffff
# pipe for download ab500
$cmd pipe 12 config bw $down500_metro mask dst-ip 0xffffffff queue $queue gred $gred
#upload ab500
$cmd pipe 14 config bw $up500_metro mask src-ip 0xffffffff queue $queue gred $gred
# pipe for download ab350
$cmd pipe 13 config bw $down350_metro mask dst-ip 0xffffffff queue $queue gred $gred
#upload ab350
$cmd pipe 15 config bw $up350_metro mask src-ip 0xffffffff queue $queue gred $gred
#permit localhost
$cmd add 10 allow ip from any to any via lo0
$cmd add 20 deny ip from any to 127.0.0.1
$cmd add 7 allow ip from any to me
$cmd add 8 allow ip from me to any
# allow multicast for ospf
$cmd add 130 allow ip from any to 224.0.0.0/29
# antispoof
$cmd add 45 deny all from 172.16.0.0/12 to any via $lif
$cmd add 45 deny all from 192.168.0.0/16 to any via $lif
#$cmd add 50 deny ip from any to any not verrevpath in
#redirect warned clients
$cmd add 60 forward 127.0.0.1,8010 ip from "table(2)" to any dst-port 80
# fixed ips allow
$cmd add 100 allow ip from any to "table(1)" out xmit $lif
$cmd add 110 allow ip from "table(1)" to any in recv $lif
$cmd add 120 skipto 60000 ip from "table(1)" to any in recv $lif
# antivirus
$cmd add 3600 deny ip from any 135-139,445,1080,2283,2745,3127-3198,5554,8866,10080,65506 to any in
# block mirc
$cmd add 3700 deny ip from any to any dst-port 6666,6667,6668,6669,7000,9000
# deny all except ng* on lan
$cmd add 3800 deny ip from any to any in recv $lif
# ---------------- EXTERN TRAFFIC --------------------
# download clients ab500
$cmd add 4100 pipe 2 ip from not "table(3)" 80,443,53 to $ab500 in recv $pif
$cmd add 4200 queue 1 ip from not "table(3)" 80,443,53 to $ab500 in recv $pif
$cmd add 4300 skipto 60000 ip from not "table(3)" 80,443,53 to $ab500 in recv $pif
# default traffic
$cmd add 4400 pipe 2 ip from not "table(3)" to $ab500 in recv $pif
$cmd add 4500 queue 2 ip from not "table(3)" to $ab500 in recv $pif
# upload clients ab500
$cmd add 5200 pipe 4 ip from $ab500 to not "table(3)" out xmit $pif
#download clients ab350
$cmd add 6000 pipe 3 ip from not "table(3)" 80,443,53 to $ab350 in recv $pif
$cmd add 6100 queue 1 ip from not "table(3)" 80,443,53 to $ab350 in recv $pif
$cmd add 6200 skipto 60000 ip from not "table(3)" 80,443,53 to $ab350 in recv $pif
# default traffic
$cmd add 6300 pipe 3 ip from not "table(3)" to $ab350 in recv $pif
$cmd add 6400 queue 2 ip from not "table(3)" to $ab350 in recv $pif
#upload clients ab350
$cmd add 6500 pipe 5 ip from $ab350 to not "table(3)" out xmit $pif
# ---------------- METROPOLITAN TRAFFIC --------------------
# download clients ab500
$cmd add 7100 pipe 12 ip from "table(3)" 80,443,53 to $ab500 in recv $pif
$cmd add 7200 queue 10 ip from "table(3)" 80,443,53 to $ab500 in recv $pif
$cmd add 7300 skipto 60000 ip from "table(3)" 80,443,53 to $ab500 in recv $pif
# default traffic
$cmd add 7400 pipe 12 ip from "table(3)" to $ab500 in recv $pif
$cmd add 7500 queue 11 ip from "table(3)" to $ab500 in recv $pif
# upload clients ab500
$cmd add 7600 pipe 14 ip from $ab500 to "table(3)" out xmit $pif
#download clients ab350
$cmd add 8000 pipe 13 ip from "table(3)" 80,443,53 to $ab350 in recv $pif
$cmd add 8100 queue 10 ip from "table(3)" 80,443,53 to $ab350 in recv $pif
$cmd add 8200 skipto 60000 ip from "table(3)" 80,443,53 to $ab350 in recv $pif
# default traffic
$cmd add 8300 pipe 13 ip from "table(3)" to $ab350 in recv $pif
$cmd add 8400 queue 11 ip from "table(3)" to $ab350 in recv $pif
#upload clients ab350
$cmd add 8500 pipe 15 ip from $ab350 to "table(3)" out xmit $pif
# allow traffic on ng*
$cmd add 60000 allow ip from any to $net out xmit $lif_ng
$cmd add 60100 allow ip from $net to any in recv $lif_ng
$cmd add 60200 allow ip from any to $net in recv $pif
$cmd add 60300 allow ip from $net to any out xmit $pif
$cmd add 61000 deny ip from any to any
# ------------------------- end rc.firewall ----------------------
# ----------------------- rc.tables ----------------------
#!/bin/sh
cmd="/sbin/ipfw -q"
# fixed ips allowed
$cmd table 1 flush
#table for metropolitan networks
$cmd table 3 flush
# define the tables of permitted ips
$cmd table 1 add 80.80.0.10
$cmd table 1 add 80.80.0.11
#metro
$cmd table 3 add 80.10.0.1/24
$cmd table 3 add 80.15.0.1/24
# ----------------------- end rc.tables ----------------------
10. Testing
---------------
Command to see connected users:
/usr/local/bin/mysql --password=mysql_password --execute='use radius; select username from radacct where AcctStopTime=0;'
This setup uses the MySQL accounting data to check whether a
user is still connected. If you use the radzap script to
remove a connected user from the radius server, the default
script does not update the MySQL database, so radius will
still consider the user connected. To make the script update
the MySQL database, add the following line at the end of the
script:
`/usr/local/bin/mysql --password=mysql_password --execute='use radius; update radacct set AcctStopTime=AcctStartTime where AcctStopTime=0 and UserName like "'$user'";'`
This script executes radzap for all connected users. If you
want it to run at boot time, place it in the
/usr/local/etc/rc.d folder.
# --------------------- radzap-all.sh script -----------------------
#!/bin/sh
# zap every session listed by radwho (skipping the header line)
for i in `radwho | grep -v "Login" | cut -d" " -f1`
do
    /usr/local/bin/radzap -u "$i" localhost secret_password
done
# close the accounting rows too, so radius stops counting these users as connected
/usr/local/bin/mysql --password=mysql_password --execute='use radius; update radacct set AcctStopTime=AcctStartTime where AcctStopTime=0;'
# --------------------- end radzap-all.sh script -----------------------