]>
1 | diff -Naur freeradius-server-2.2.0-orig/doc/cui_howto.txt freeradius-server-2.2.0/doc/cui_howto.txt |
2 | --- freeradius-server-2.2.0-orig/doc/cui_howto.txt 1970-01-01 01:00:00.000000000 +0100 | |
3 | +++ freeradius-server-2.2.0/doc/cui_howto.txt 2012-09-13 10:57:56.645722777 +0200 | |
4 | @@ -0,0 +1,78 @@ | |
5 | +Chargeable-User-Identity (CUI) support. | |
6 | + | |
7 | +1. OVERVIEW | |
8 | + | |
9 | +This extension introduces support for Chargeable-User-Identity (CUI) attribute | |
10 | +as defined in RFC 4372. | |
11 | + | |
12 | +The CUI attribute is meant to support roaming scenarios where | |
13 | +the user is accessing the network at one location (Service Provider - SP) | |
14 | +while authenticated by a RADIUS server at another institution (Identity | |
15 | +Provider - IdP). CUI provides means for the SP to request the IdP | |
16 | +to return a unique, persistent, opaque user identifier. | |
17 | + | |
18 | +As defined in RFC 4372, CUI request is sent as a NULL value (single | |
19 | +zero byte) of CUI attribute inside the Access-Request packet. | |
20 | +CUI response should be sent as the CUI value inside the Access-Accept. | |
21 | + | |
22 | +This extension has the following functionality: | |
23 | + | |
24 | +The SP side (*requesting* CUI): | |
25 | + - add the CUI NULL attribute to Access-Request proxied from | |
26 | + the local NAS to the IdP | |
27 | + - receive the CUI value from the IdP and store it in the local | |
28 | + database | |
29 | + - update Accounting-Request packets sent by NAS by adding | |
30 | + the appropriate CUI attribute (unless the attibute is | |
31 | + already present). | |
32 | + | |
33 | +The IdP side (*returning* CUI): | |
34 | + - respond to the CUI request by generating the CUI value. | |
35 | + The value is created as the md5 hash if a configurable local | |
36 | + salt and the User-Name attribute value. | |
37 | + | |
38 | +While CUI support has been added for roaming it is also useful for local | |
39 | +accounting. | |
40 | + | |
41 | +2. INSTALLATION | |
42 | + | |
43 | +The CUI *requesting* and CUI *returning* sides are implemented and | |
44 | +described separately. Most likely you want to run both, so just follow | |
45 | +the instructions of both sections. | |
46 | + | |
47 | +2.1 *requesting* CUI | |
48 | + | |
49 | + - Setup a MySQL database by creating (or using) a database of your | |
50 | + choice and create an additional table cui. The schema is located | |
51 | + in ${raddbdir}/sql/mysql/cui.sql. | |
52 | + | |
53 | + - Enter the necessary details into ${raddbdir}/modules/cui. | |
54 | + Things you need to modify are: | |
55 | + server - typically this will be localhost; | |
56 | + login - mysql user allowed to modify the tables | |
57 | + password - password for this user | |
58 | + radius_db - database name you wish to use | |
59 | + | |
60 | + - Modify the the main configuration file | |
61 | + "${raddbdir}/sites-availabe/default". | |
62 | + Search for CUI. There are four sections where CUI is mentioned. | |
63 | + Follow the instructions for *requesting* the CUI. | |
64 | + | |
65 | +2.2 *returning* CUI | |
66 | + | |
67 | + - Modify the the main configuration file | |
68 | + "${raddbdir}/sites-available/default". | |
69 | + Search for CUI. There are four sections where CUI is mentioned. | |
70 | + Follow the instructions for *returning* the CUI. | |
71 | + The cui_hash_key is used to safeguard the CUI from dictionary | |
72 | + attacks and should be set to some "random" string. | |
73 | + | |
74 | + - Modify "${raddbdir}/sites-availabe/inner-tunnel" | |
75 | + Search for CUI. There is one section where CUI is mentioned. | |
76 | + Follow the instructions for *returning* the CUI. | |
77 | + | |
78 | +3. ACKNOWLEDGEMENTS | |
79 | + | |
80 | +Authors: Maja Gorecka-Wolniewicz <mgw@umk.pl>, Alan DeKok | |
81 | + | |
82 | +Contributors: Stefan Winter, Tomasz Wolniewicz | |
83 | diff -Naur freeradius-server-2.2.0-orig/raddb/modules/cui freeradius-server-2.2.0/raddb/modules/cui | |
84 | --- freeradius-server-2.2.0-orig/raddb/modules/cui 2012-09-10 13:51:34.000000000 +0200 | |
85 | +++ freeradius-server-2.2.0/raddb/modules/cui 2012-09-13 10:58:19.975050772 +0200 | |
86 | @@ -21,5 +21,5 @@ | |
87 | connect_failure_retry_delay = 60 |
88 | cui_table = "cui" | |
89 | sql_user_name = "%{User-Name}" | |
90 | -#$INCLUDE sql/${database}/cui.conf | |
6303d79f | 91 | + $INCLUDE sql/${database}/cui.conf |
57500fc9 | 92 | } |
93 | diff -Naur freeradius-server-2.2.0-orig/raddb/policy.conf freeradius-server-2.2.0/raddb/policy.conf |
94 | --- freeradius-server-2.2.0-orig/raddb/policy.conf 2012-09-10 13:51:34.000000000 +0200 | |
95 | +++ freeradius-server-2.2.0/raddb/policy.conf 2012-09-13 11:00:40.929563217 +0200 | |
96 | @@ -145,53 +145,80 @@ | |
97 | } | |
98 | } |
99 | ||
100 | - # |
101 | - # The following policies are for the Chargeable-User-Identity | |
102 | - # (CUI) configuration. | |
103 | + # | |
104 | + # The following policies are for the Operator-Name handling |
105 | + # (RFC5580) | |
106 | + # | |
107 | + operator_name { | |
108 | + if (Packet-Type == Access-Request) { | |
109 | + update request { | |
110 | + Operator-Name := "%{config:sp_operator_name}" | |
111 | + Chargeable-User-Identity = '\\000' | |
112 | + } | |
113 | + } |
114 | + } | |
115 | + |
116 | + # | |
117 | + # The following policies are for the Chargeable-User-Identity | |
118 | + # (CUI) configuration. See doc/cui_howto.txt for more information. | |
119 | # | |
120 | ||
121 | # | |
122 | - # The client indicates it can do CUI by sending a CUI attribute | |
123 | - # containing one zero byte | |
124 | + # The client requests the CUI by sending a CUI attribute | |
125 | + # containing one zero byte. | |
126 | # | |
127 | - cui_authorize { | |
128 | - update request { | |
129 | - Chargeable-User-Identity:='\\000' | |
130 | + cui_pre-proxy { | |
131 | + if (Packet-Type == Access-Request) { | |
132 | + update proxy-request { | |
133 | + Chargeable-User-Identity = '\\000' | |
134 | + } | |
135 | } | |
136 | } | |
137 | ||
138 | # | |
139 | - # Add a CUI attribute based on the User-Name, and a secret key | |
140 | - # known only to this server. | |
141 | + # Add a CUI attribute based on the User-Name, and a secret key | |
142 | + # known only to this server. | |
143 | # | |
144 | cui_postauth { | |
145 | - if (FreeRadius-Proxied-To == 127.0.0.1) { | |
146 | - if (outer.request:Chargeable-User-Identity) { | |
147 | - update outer.reply { | |
148 | - Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}" | |
149 | + if (FreeRadius-Proxied-To == "127.0.0.1") { | |
150 | + # | |
151 | + # Add the CUI to Access-Accept, but only if the CUI | |
152 | + # was set in the request. | |
153 | + # | |
154 | + if (outer.request:Chargeable-User-Identity && (outer.request:Operator-Name) || !("%{config:cui_require_operator_name}") ) { | |
155 | + update reply { | |
156 | + Chargeable-User-Identity := "%{md5:%{config:cui_hash_key}%{request:User-Name}%{%{outer.request:Operator-Name}:-}}" | |
157 | } | |
158 | } | |
159 | } | |
160 | else { | |
161 | - if (Chargeable-User-Identity) { | |
162 | + # | |
163 | + # If the CUI was set in the request and the CUI reply | |
164 | + # is not already set by inner auth, add it to | |
165 | + # Access-Accept | |
166 | + # | |
167 | + if (!("%{control:Proxy-To-Realm}") && \ | |
168 | + (Chargeable-User-Identity) && \ | |
169 | + !(reply:Chargeable-User-Identity) && \ | |
170 | + ( (Operator-Name) || ! ("%{config:cui_require_operator_name}") ) ) { | |
171 | update reply { | |
172 | - Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}" | |
173 | + Chargeable-User-Identity = "%{md5:%{config:cui_hash_key}%{request:User-Name}%{%{Operator-Name}:-}}" | |
174 | } | |
175 | } | |
176 | } | |
177 | } | |
178 | ||
179 | # | |
180 | - # If there is a CUI attribute in the reply, add it to the DB. | |
181 | + # If there is a CUI attribute in the reply, add it to the DB. | |
182 | # | |
183 | cui_updatedb { | |
184 | - if (reply:Chargeable-User-Identity) { | |
185 | + if ("%{reply:Chargeable-User-Identity}") { | |
186 | cui | |
187 | } | |
188 | } | |
189 | ||
190 | # | |
191 | - # If we had stored a CUI for the User, add it to the request. | |
192 | + # If we had stored a CUI for the User, add it to the request. | |
193 | # | |
194 | cui_accounting { | |
195 | # | |
196 | @@ -199,20 +226,22 @@ |
197 | # in the DB. | |
198 | # |
199 | if (!Chargeable-User-Identity) { | |
200 | - update request { |
201 | - Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}" | |
202 | + update control { | |
203 | + Chargeable-User-Identity = "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}" |
204 | } | |
205 | } | |
206 | - | |
207 | # | |
208 | - # If it exists now, then write out when we last saw | |
209 | - # this CUI. | |
210 | + # If it exists now, then update request and write out | |
211 | + # when we last saw this CUI. | |
212 | # | |
213 | - if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) { | |
214 | + if (control:Chargeable-User-Identity && \ |
215 | + (control:Chargeable-User-Identity != "")) { | |
6303d79f | 216 | + update request { |
57500fc9 | 217 | + Chargeable-User-Identity := "%{control:Chargeable-User-Identity}" |
218 | + } |
219 | cui | |
220 | } |
221 | } | |
222 | - |
223 | # | |
224 | # Normalize the MAC Addresses in the Calling/Called-Station-Id | |
225 | # | |
226 | diff -Naur freeradius-server-2.2.0-orig/raddb/sites-available/default freeradius-server-2.2.0/raddb/sites-available/default | |
227 | --- freeradius-server-2.2.0-orig/raddb/sites-available/default 2012-09-10 13:51:34.000000000 +0200 | |
228 | +++ freeradius-server-2.2.0/raddb/sites-available/default 2012-09-13 11:04:54.939298452 +0200 | |
229 | @@ -1,3 +1,13 @@ | |
230 | +# If *returning* the CUI, set cui_hash_key to some random string |
231 | +# and uncomment the line below | |
6303d79f | 232 | +# cui_hash_key = "some secret value" |
233 | +# If *returning* the CUI and the Operator-Name attribute in request is |
234 | +# required, uncomment the line below | |
235 | +# cui_require_operator_name = yes |
236 | +# If Operator-Name attribute is used, uncomment the line below and | |
237 | +# fill out with one of your registered DNS domain names, which | |
238 | +# will be used as the Operator-Name attribute value | |
239 | +# sp_operator_name = "1your.registered.domain.name" | |
240 | ###################################################################### |
241 | # | |
242 | # As of 2.0.0, FreeRADIUS supports virtual hosts using the | |
6303d79f | 243 | @@ -376,6 +386,11 @@ |
244 | # Accounting. Log the accounting data. |
245 | # | |
246 | accounting { | |
247 | + # cui_accounting reads the record form the temporary database, | |
248 | + # selects the corresponding CUI value, as set cui_updatedb | |
249 | + # and adds the CUI attribute to the accounting request | |
250 | + # uncomment the line below if *requesting* the CUI | |
251 | +# cui_accounting | |
252 | # | |
253 | # Create a 'detail'ed log of the packets. | |
254 | # Note that accounting requests which are proxied | |
6303d79f | 255 | @@ -459,6 +474,17 @@ |
256 | # Once we KNOW that the user has been authenticated, there are |
257 | # additional steps we can take. | |
258 | post-auth { | |
259 | + # cui_postauth reacts to the Chargeable-User-Identity request | |
260 | + # by adding the md5 hash created from a configurable local | |
261 | + # salt (cui_hash_key) and the (inner) User-Name value | |
262 | + # uncomment the line below if *returning* the CUI | |
263 | +# cui_postauth | |
264 | + # | |
265 | + # cui_updatedb updates the temporary database adding | |
266 | + # the record containing the received CUI value to be later | |
267 | + # used in accounting | |
268 | + # uncomment the line below if *requesting* the CUI | |
269 | +# cui_updatedb | |
270 | # Get an address from the IP Pool. | |
271 | # main_pool | |
272 | ||
273 | @@ -581,6 +607,14 @@ |
274 | # Uncomment the following line if you want to change attributes | |
275 | # as defined in the preproxy_users file. |
276 | # files | |
6303d79f | 277 | + |
278 | + # operator_name adds Operator-Name value to Access-Request |
279 | +# operator_name | |
280 | + | |
281 | + # cui_pre-proxy adds the NULL CUI value to Access-Request | |
282 | + # thus making it a Chargeable-User-Identity request | |
283 | + # uncomment the line below if *requesting* the CUI | |
284 | +# cui_pre-proxy | |
6303d79f | 285 | |
286 | # Uncomment the following line if you want to filter requests |
287 | # sent to remote servers based on the rules defined in the | |
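Review bot: The new header comment tells the reader to fill `sp_operator_name` with a registered DNS domain name but never explains the leading `1` in the example `"1your.registered.domain.name"`, which is the RFC 5580 namespace identifier for a REALM operator name rather than part of the name, so it is likely to be dropped; suggest `# keep the leading "1": it is the RFC 5580 namespace identifier (REALM), not part of the domain`. The cui_hash_key comment asks only for "some random string", but since the returned CUI is md5(cui_hash_key followed by User-Name) a short or guessable key lets anyone holding a CUI recover the user name by dictionary search, so the comment should call for a long, unguessable secret and note that this file then holds key material; e.g. `# cui_hash_key must be a long, high-entropy secret: a weak key makes the CUI reversible to the User-Name`. The accounting hunk's comment also has "reads the record form" where "from" is meant.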
288 | diff -Naur freeradius-server-2.2.0-orig/raddb/sites-available/inner-tunnel freeradius-server-2.2.0/raddb/sites-available/inner-tunnel |
289 | --- freeradius-server-2.2.0-orig/raddb/sites-available/inner-tunnel 2012-09-10 13:51:34.000000000 +0200 | |
290 | +++ freeradius-server-2.2.0/raddb/sites-available/inner-tunnel 2012-09-13 11:05:56.237168046 +0200 | |
291 | @@ -261,6 +261,12 @@ | |
292 | # Once we KNOW that the user has been authenticated, there are |
293 | # additional steps we can take. | |
294 | post-auth { | |
295 | + # cui_postauth reacts to the Chargeable-User-Identity request | |
296 | + # by adding the md5 hash created from a configurable local | |
297 | + # salt (cui_hash_key) and the (inner) User-Name value | |
298 | + # uncomment the line below if *returning* the CUI | |
299 | +# cui_postauth | |
6303d79f | 300 | + |
301 | # Note that we do NOT assign IP addresses here. |
302 | # If you try to assign IP addresses for EAP authentication types, | |
303 | # it WILL NOT WORK. You MUST use DHCP. | |
304 | diff -Naur freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.conf freeradius-server-2.2.0/raddb/sql/mysql/cui.conf |
305 | --- freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.conf 2012-09-10 13:51:34.000000000 +0200 | |
306 | +++ freeradius-server-2.2.0/raddb/sql/mysql/cui.conf 2012-09-13 10:59:05.245170029 +0200 | |
307 | @@ -1,31 +1,55 @@ |
308 | # -*- text -*- | |
309 | - | |
310 | ## | |
311 | -## Queries to update the CUI table. | |
312 | +## cui.conf -- SQL - CUI queries | |
313 | ## | |
314 | -postauth_query = "INSERT IGNORE INTO ${cui_table} \ | |
315 | - (clientipaddress, callingstationid, username, cui, lastaccounting) \ | |
316 | - VALUES \ | |
317 | - ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) ON DUPLICATE KEY UPDATE lastaccounting='0000-00-00 00:00:00', cui='%{reply:Chargeable-User-Identity}'"; | |
318 | +## $Id$ | |
319 | +# | |
320 | +# This is a part of the Chargeable-User-Identity module | |
321 | +# See doc/cui_howto.txt for more information | |
322 | + | |
323 | + | |
324 | +# postauth_query creates a temporary record remembering | |
325 | +# Client-IP-Address, Calling-Station-Id, User-Name, | |
326 | +# Chargeable-User-Identity. | |
327 | +# This information is used later to correlate accounting requests | |
328 | +# with the information received in Access-Accept | |
329 | +# | |
330 | + postauth_query = "INSERT IGNORE INTO ${cui_table} \ | |
331 | + (clientipaddress, callingstationid, username, \ | |
332 | + cui, lastaccounting) \ | |
333 | + VALUES \ | |
334 | + ('%{Client-IP-Address}', '%{Calling-Station-Id}', \ | |
335 | + '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) \ | |
336 | + ON DUPLICATE KEY UPDATE \ | |
337 | + lastaccounting='0000-00-00 00:00:00', \ | |
338 | + cui='%{reply:Chargeable-User-Identity}'"; | |
339 | + | |
340 | +# accounting_start_query and accounting_update_query are called | |
341 | +# by Accounting-Request Start or Interim Update. | |
342 | +# The appropriate temporary record is updates by entering | |
343 | +# the current time as the lastaccounting field. | |
344 | +# The value of lastaccounting can be used to clean up the database | |
345 | +# from stale temporary records. | |
346 | +# | |
347 | + accounting_start_query = "UPDATE ${cui_table} \ | |
348 | + SET lastaccounting = CURRENT_TIMESTAMP \ | |
349 | + WHERE clientipaddress = '%{Client-IP-Address}' \ | |
350 | + AND callingstationid = '%{Calling-Station-Id}' \ | |
351 | + AND username = '%{User-Name}' \ | |
352 | + AND cui = '%{Chargeable-User-Identity}'"; | |
353 | ||
354 | -accounting_start_query = "UPDATE ${cui_table} \ | |
355 | - SET \ | |
356 | - lastaccounting = CURRENT_TIMESTAMP \ | |
357 | - WHERE clientipaddress = '%{Client-IP-Address}' \ | |
358 | - AND callingstationid = '%{Calling-Station-Id}' \ | |
359 | - AND username = '%{User-Name}' \ | |
360 | - AND cui = '%{Chargeable-User-Identity}'"; | |
361 | - | |
362 | -accounting_update_query = "UPDATE ${cui_table} \ | |
363 | - SET \ | |
364 | - lastaccounting = CURRENT_TIMESTAMP \ | |
365 | - WHERE clientipaddress = '%{Client-IP-Address}' \ | |
366 | - AND callingstationid = '%{Calling-Station-Id}' \ | |
367 | - AND username = '%{User-Name}' \ | |
368 | - AND cui = '%{Chargeable-User-Identity}'"; | |
369 | + accounting_update_query = "UPDATE ${cui_table} \ | |
370 | + SET lastaccounting = CURRENT_TIMESTAMP \ | |
371 | + WHERE clientipaddress = '%{Client-IP-Address}' \ | |
372 | + AND callingstationid = '%{Calling-Station-Id}' \ | |
373 | + AND username = '%{User-Name}' \ | |
374 | + AND cui = '%{Chargeable-User-Identity}'"; | |
375 | ||
376 | -accounting_stop_query = "DELETE FROM ${cui_table} WHERE \ | |
377 | - clientipaddress = '%{Client-IP-Address}' \ | |
378 | - AND callingstationid = '%{Calling-Station-Id}' \ | |
379 | - AND username = '%{User-Name}' \ | |
380 | - AND cui = '%{Chargeable-User-Identity}'"; | |
381 | +# accounting_stop_query is called by Accounting-Request Stop. | |
382 | +# It deletes the temporary record form the database. | |
383 | +# | |
384 | + accounting_stop_query = "DELETE FROM ${cui_table} WHERE \ | |
385 | + clientipaddress = '%{Client-IP-Address}' \ | |
386 | + AND callingstationid = '%{Calling-Station-Id}' \ | |
387 | + AND username = '%{User-Name}' \ | |
388 | + AND cui = '%{Chargeable-User-Identity}'"; | |
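Review bot: postauth_query writes `NULL` into `lastaccounting` on insert but resets it to `'0000-00-00 00:00:00'` in the ON DUPLICATE KEY UPDATE branch, so a fresh record and a re-authenticated one carry different "never seen" sentinels and the stale-record cleanup the accounting_start_query comment promises would have to special-case both; the zero date is also rejected outright when MySQL's sql_mode includes NO_ZERO_DATE (the default from 5.7 on), which would make every repeat authentication a failed query. Use the same sentinel in both branches: `lastaccounting = NULL, \`. Every query here splices NAS- and user-supplied attributes (Calling-Station-Id, User-Name, Chargeable-User-Identity) straight into SQL text and so depends on the sql module escaping those expansions, which presumably holds for rlm_sql's own query strings but should be stated in the header comment so the strings are not copied into a context without that escaping. The new comments also read "is updates by" and "record form the database" where "is updated by" and "from the database" are meant.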
389 | diff -Naur freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.sql freeradius-server-2.2.0/raddb/sql/mysql/cui.sql |
390 | --- freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.sql 2012-09-10 13:51:34.000000000 +0200 | |
391 | +++ freeradius-server-2.2.0/raddb/sql/mysql/cui.sql 2012-09-13 10:59:05.245170029 +0200 | |
392 | @@ -1,3 +1,7 @@ |
393 | +# | |
394 | +# Table structure for table 'cui' | |
395 | +# | |
396 | +# | |
397 | CREATE TABLE `cui` ( | |
398 | `clientipaddress` varchar(15) NOT NULL default '', | |
399 | `callingstationid` varchar(50) NOT NULL default '', |