Prepaid
Goal: To implement a simple "prepaid" functionality in the server.
Time: 15-25 minutes
Files:
- mods-enabled/sqlcounter
- sites-enabled/default
- mods-config/files/authorize
Many system administrators wish to implement "prepaid" billing for
their systems. In this exercise, we will use the sqlcounter module to
configure a simple "prepaid" scheme in which every user is permitted
to log in for only one hour a day.
SQLCounter Module Configuration
Create a symbolic link from mods-available/ to mods-enabled/:
$ cd mods-enabled
$ ln -s ../mods-available/sqlcounter sqlcounter
Verify the symbolic link was created:
$ cat mods-enabled/sqlcounter
The mods-enabled/sqlcounter should contain a daily counter instance similar to the following:
sqlcounter dailycounter {
    sql_module_instance = sql
    dialect = ${modules.sql.dialect}
    # reset_period_start_name = control.${.:instance}-Reset-Start
    # reset_period_end_name = control.${.:instance}-Reset-End
    counter_name = control.Daily-Session-Time
    check_name = control.Max-Daily-Session
    reply_name = reply.Session-Timeout
    auto_extend = yes
    key = "%{Stripped-User-Name || User-Name}"
    reply_message_name = Reply-Message
    reset = daily
    $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
See the sqlcounter module documentation for details on what each configuration item means.
1. Add the user to the SQL database
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('alice', 'Cleartext-Password', ':=', 'testing123');
2. Set User Limits
Edit mods-config/files/authorize and add the following entry to the file:
DEFAULT control.Max-Daily-Session := 3600
3. Enable SQLCounter dailycounter
Edit etc/sites-enabled/default and add the dailycounter module to the recv Access-Request section:
recv Access-Request {
    ...
    dailycounter # Add this line
    pap
}
Testing
Start FreeRADIUS in debug mode:
$ radiusd -X
Send Authentication Request
From another terminal, test user authentication:
echo 'User-Name = "alice", CHAP-Password = "hello", NAS-IP-Address = 127.0.0.1, NAS-Port = 501, NAS-Port-Type = Virtual' | radclient -x 127.0.0.1 auth testing123
Expected Output:
Received Access-Accept Id 48 from 127.0.0.1:1812 to 0.0.0.0:53031 via lo length 99
Message-Authenticator = 0xc8b4a4caa88f7b70217c9ae1d6c91c98
Reply-Message = "Hello! You authenticated via the SQL database."
Session-Timeout = 3600
User-Name = "alice"
Note the Session-Timeout = 3600 attribute in the response.
Start a simulated session
echo 'User-Name = "alice", Acct-Status-Type = Start, Acct-Session-Id = "01020304", NAS-IP-Address = 127.0.0.1, NAS-Port = 501, NAS-Port-Type = Virtual, Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 192.168.100.55' | radclient -x 127.0.0.1:1813 acct testing123
Send Accounting Stop
Wait a minute or so, and then send an Accounting-Stop to end the session:
echo "User-Name = alice, Acct-Session-Id = '01020304', NAS-IP-Address = 127.0.0.1, NAS-Port = 501, Acct-Status-Type = Stop, Acct-Session-Time = 10" | radclient -x 127.0.0.1:1813 acct testing123
Test Reduced Session Timeout
Authenticate the user again:
echo 'User-Name = "alice", CHAP-Password = "hello", NAS-IP-Address = 127.0.0.1, NAS-Port = 501, NAS-Port-Type = Virtual' | radclient -x 127.0.0.1 auth testing123
Expected Output:
Received Access-Accept Id 167 from 127.0.0.1:1812 to 0.0.0.0:57205 via lo length 99
Message-Authenticator = 0x0e96f55860e0af123286fcb9ccdfd6db
Reply-Message = "Hello! You authenticated via the SQL database."
Session-Timeout = 3590
User-Name = "alice"
The Session-Timeout should now be approximately 3590 seconds (3600 - 10 used).
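The arithmetic behind that result, as an added example (not FreeRADIUS code and not part of the original tutorial): a Python model of a daily counter that sums a user's radacct session time since the last reset and derives Session-Timeout from Max-Daily-Session. The sqlite3 table, sample rows and function names are constructed for illustration; the model assumes the reset happens at UTC midnight, and the query the server actually runs comes from the included dialect file.

```python
import sqlite3
from datetime import datetime, timezone

MAX_DAILY_SESSION = 3600  # control.Max-Daily-Session from the authorize entry

def day_start(now):
    """Unix time of the most recent daily reset (assumed: UTC midnight)."""
    return int(now.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())

def make_db(rows):
    """In-memory stand-in for radacct holding (username, start, seconds) rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, "
               "acctsessiontime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return db

def used_today(db, user, now):
    """Seconds of the user's session time that fall inside the current day."""
    start = day_start(now)
    # A session that began before the reset contributes only its seconds after
    # the reset; sessions that ended before the reset are excluded entirely.
    (used,) = db.execute(
        "SELECT COALESCE(SUM(acctsessiontime - MAX(? - acctstarttime, 0)), 0) "
        "FROM radacct WHERE username = ? AND acctstarttime + acctsessiontime > ?",
        (start, user, start)).fetchone()
    return used

def check(db, user, now, limit=MAX_DAILY_SESSION):
    """Return ("accept", Session-Timeout) or ("reject", 0) once the quota is spent."""
    remaining = limit - used_today(db, user, now)
    return ("accept", remaining) if remaining > 0 else ("reject", 0)

# Constructed sample data: times are relative to midnight on a constructed date.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
M = day_start(NOW)
DB = make_db([
    ("alice", M - 7200, 1800),  # yesterday, ended before midnight: ignored
    ("alice", M + 3600, 10),    # the 10-second session from the walkthrough
    ("bob",   M - 600, 900),    # spans midnight: only 300 s count today
    ("carol", M + 100, 3600),   # full hour used today
])

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, check(DB, name, NOW))
```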