The task was to organize the issuing of IP addresses to subscribers. The conditions of the problem:
- You will not be given a separate server for authorization; manage as best you can
- Subscribers must receive their network configuration via DHCP
- The network is heterogeneous. It includes PON equipment, ordinary switches with Option 82, and WiFi base stations with hotspots
- If the data does not fall under any of the conditions for issuing an IP, you must issue an IP from the "guest" network.
On the plus side: there is a FreeBSD server that can still be put to "work", but it is "far away" ;), not "on this network".
There is also a wonderful device called Mikrotik. The general network diagram looks like this:
After some thought, it was decided to use FreeRadius to issue network settings to subscribers. In principle, the scheme is the usual one: we enable the DHCP server on the Mikrotik, and the Radius Client on it as well. We set up the chain DHCP server -> Radius Client -> Radius server.
Seems simple enough. But! The devil is in the details, namely:
- When a PON OLT authorizes using this scheme, a request is sent to FreeRadius with User-Name equal to the MAC address of the head-end unit, Agent-Circuit-Id equal to the MAC of the PON ONU, and an empty password.
- When authorizing from a switch with Option 82, FreeRadius receives a request with a User-Name equal to the MAC of the subscriber device and the additional attributes Agent-Circuit-Id and Agent-Remote-Id filled in, containing the MAC of the relay switch and the port to which the subscriber is connected.
- Some subscribers with WiFi points are authorized via the PAP/CHAP protocols
- Some subscribers from WiFi points are authorized with a User-Name equal to the MAC address of the WiFi point, without a password.
A lyrical digression: what "Option 82" is in DHCP
These are additional options of the DHCP protocol that let you pass extra information, for example in the Agent-Circuit-Id and Agent-Remote-Id fields. Usually they are used to pass the MAC address of the relay switch and the port to which the subscriber is connected. In the case of PON equipment or WiFi base stations, the Agent-Circuit-Id field contains no useful information (there is no subscriber port). The general DHCP operation scheme in this case is as follows:
This scheme works step by step:
- The user device sends a DHCP broadcast request to obtain a network configuration
- The device (for example a switch, WiFi or PON base station) directly connected to the subscriber device "intercepts" this packet and modifies it, inserting the additional Option 82 and the IP address of the Relay agent, and passes it on across the network.
- The DHCP server accepts the request, generates a reply and sends it to the relay device
- The relay device forwards the reply packet to the subscriber device
Naturally, none of this works out of the box; you need to configure the network equipment accordingly.
Installing FreeRadius
Of course, this could be done through the FreeRadius configuration, but it is complicated and unclear... especially when you come back to it after N months and "everything works". Therefore, it was decided to write our own authorization module for FreeRadius in Python. We will take the authorization data from a MySQL database. There is no point in describing its structure; everyone will build it "for themselves". In particular, I took the structure offered with the sql module for FreeRadius and changed it a little by adding mac and port fields for each subscriber, in addition to the login password.
So, first install FreeRadius:
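To make the relay step concrete, here is an added Python 3 example (not code from the article) that encodes and decodes the DHCP Relay Agent Information option and inserts it into a client's options the way the relay does, then renders the two sub-options as the 0x... strings the RADIUS server receives; the switch MAC, VLAN, port and the circuit-id layout are constructed assumptions.

```python
import struct

OPTION_RELAY_AGENT = 82   # DHCP "Relay Agent Information" option (RFC 3046)
SUBOPT_CIRCUIT_ID = 1     # delivered to RADIUS as Agent-Circuit-Id
SUBOPT_REMOTE_ID = 2      # delivered to RADIUS as Agent-Remote-Id
OPTION_END = 255

def build_option82(circuit_id, remote_id):
    """Encode option 82: code(1) len(1), then code(1) len(1) data for each sub-option."""
    body = b""
    for code, data in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if not 0 < len(data) <= 255:
            raise ValueError("sub-option %d has a bad length" % code)
        body += struct.pack("BB", code, len(data)) + data
    return struct.pack("BB", OPTION_RELAY_AGENT, len(body)) + body

def parse_option82(option):
    """Decode option 82 into {sub-option code: bytes}, refusing truncated or oversized fields."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT or option[1] != len(option) - 2:
        raise ValueError("not a well-formed relay agent option")
    body, pos, subs = option[2:], 0, {}
    while pos < len(body):
        if pos + 2 > len(body) or pos + 2 + body[pos + 1] > len(body):
            raise ValueError("truncated sub-option")
        code, sublen = body[pos], body[pos + 1]
        subs[code] = body[pos + 2:pos + 2 + sublen]
        pos += 2 + sublen
    return subs

def relay_insert(options, option82):
    """What the relay does to the client's packet: put option 82 in front of the END marker."""
    pos = 0
    while pos < len(options):
        code = options[pos]
        if code == OPTION_END:
            return options[:pos] + option82 + options[pos:]
        pos += 1 if code == 0 else 2 + options[pos + 1]   # code 0 is PAD and has no length byte
    raise ValueError("no END option in the DHCP options")

def as_radius_hex(data):
    """Render sub-option bytes the way they show up in the RADIUS request (0x... hex)."""
    return "0x" + data.hex()

# Constructed sample: a switch with MAC 98:45:62:3a:8c:98 relaying from VLAN 1, port 6.
# The circuit-id layout (VLAN 2 bytes + port 2 bytes) is an assumption; vendors differ,
# which is why work.py trusts only the last two hex digits of Agent-Circuit-Id.
SWITCH_MAC = bytes.fromhex("9845623a8c98")
CIRCUIT_ID = struct.pack(">HH", 1, 6)

def demo():
    """Relay the client's DHCPDISCOVER options and report what the RADIUS server will see."""
    client_options = bytes([53, 1, 1, OPTION_END])   # option 53 = DHCP message type, 1 = DISCOVER
    relayed = relay_insert(client_options, build_option82(CIRCUIT_ID, SWITCH_MAC))
    subs = parse_option82(relayed[3:-1])              # the inserted option sits between type and END
    return {"Agent-Circuit-Id": as_radius_hex(subs[SUBOPT_CIRCUIT_ID]),
            "Agent-Remote-Id": as_radius_hex(subs[SUBOPT_REMOTE_ID])}
```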
cd /usr/ports/net/freeradius3
make config
make install clean
In the configuration menu, select the options to install:
Create a symlink to the python module (that is, "enable" it):
ln -s /usr/local/etc/raddb/mods-available/python /usr/local/etc/raddb/mods-enabled
Install an additional module for python:
pip install mysql-connector
In the configuration of the python module for FreeRadius you need to specify the module search paths in the python_path variable. For example, mine looks like this:
python_path="/usr/local/etc/raddb/mods-config/python:/usr/local/lib/python2.7:/usr/local/lib/python27.zip:/usr/local/lib/python2.7:/usr/local/lib/python2.7/plat-freebsd12:/usr/local/lib/python2.7/lib-tk:/usr/local/lib/python2.7/lib-old:/usr/local/lib/python2.7/lib-dynload:/usr/local/lib/python2.7/site-packages"
You can find out the paths by starting the python interpreter and entering the following commands:
root@phaeton:/usr/local/etc/raddb/mods-enabled# python
Python 2.7.15 (default, Dec 8 2018, 01:22:25)
[GCC 4.2.1 Compatible FreeBSD Clang 6.0.1 (tags/RELEASE_601/final 335540)] on freebsd12
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> sys.path
['', '/usr/local/lib/python27.zip', '/usr/local/lib/python2.7', '/usr/local/lib/python2.7/plat-freebsd12', '/usr/local/lib/python2.7/lib-tk', '/usr/local/lib/python2.7/lib-old', '/usr/local/lib/python2.7/lib-dynload', '/usr/local/lib/python2.7/site-packages']
>>>
If you skip this step, the script written in python and started by FreeRadius will not find the modules listed in its import statements. In addition, you need to uncomment the functions for calling authorization and accounting in the module configuration. For example, this module looks like this:
python {
    python_path="/usr/local/etc/raddb/mods-config/python:/usr/local/lib/python2.7:/usr/local/lib/python2.7/site-packages:/usr/local/lib/python27.zip:/usr/local/lib/python2.7:/usr/local/lib/python2.7/plat-freebsd12:/usr/local/lib/python2.7/lib-tk:/usr/local/lib/python2.7/lib-old:/usr/local/lib/python2.7/lib-dynload:/usr/local/lib/python2.7/site-packages"
    module = work
    mod_instantiate = ${.module}
    mod_detach = ${.module}
    mod_authorize = ${.module}
    func_authorize = authorize
    mod_authenticate = ${.module}
    func_authenticate = authenticate
    mod_preacct = ${.module}
    func_preacct = preacct
    mod_accounting = ${.module}
    func_accounting = accounting
    mod_checksimul = ${.module}
    mod_pre_proxy = ${.module}
    mod_post_proxy = ${.module}
    mod_post_auth = ${.module}
    mod_recv_coa = ${.module}
    mod_send_coa = ${.module}
}
The work.py script (and all the others) must be placed in /usr/local/etc/raddb/mods-config/python. I have three scripts in total.
work.py:
#!/usr/local/bin/python
# coding=utf-8
import sys
from pprint import pprint
import radiusd
import func

# MySQL connection settings (placeholders, fill in your own)
mysql_host = "localhost"
mysql_username = "CHANGE_ME_USER"
mysql_password = "CHANGE_ME_PASSWORD"
mysql_base = "CHANGE_ME_DATABASE"

# Every lookup returns the radreply rows of the matching subscriber; the username is
# selected as well so that it can be written to the authorization history.
SQL_BY_LOGIN = ("select radreply.username,radreply.attribute,radreply.value from radcheck "
                "inner join radreply on radreply.username=radcheck.username "
                "where radcheck.username=%s and radcheck.value=%s")
# MAC lookup: the '0x' prefix and ':' separators are stripped on both sides before comparing
SQL_BY_MAC = ("select radreply.username,radreply.attribute,radreply.value from radcheck "
              "inner join radreply on radreply.username=radcheck.username "
              "where REPLACE(radcheck.mac,':','') = REPLACE(REPLACE(%s,'0x',''),':','') "
              "and radcheck.sw_port=''")
# Option 82 lookup: Agent-Remote-Id is the switch MAC, the port is the last two hex digits of Agent-Circuit-Id
SQL_BY_SWITCH_PORT = ("select radreply.username,radreply.attribute,radreply.value from radcheck "
                      "inner join radreply on radreply.username=radcheck.username "
                      "where upper(radcheck.sw_mac)=upper(REPLACE(%s,'0x','')) "
                      "and upper(radcheck.sw_port)=upper(RIGHT(%s,2)) and radcheck.sw_port<>''")

def run_lookup(conn, sql, args):
    # runs one lookup; request values are bound as parameters, never pasted into the SQL text
    print(sql)
    cursor = conn.cursor(dictionary=True, buffered=True)
    cursor.execute(sql, args)
    username = ""
    reply = ()
    row = cursor.fetchone()
    while row is not None:
        username = row["username"]
        reply = reply + ((str(row["attribute"]), str(row["value"])),)
        row = cursor.fetchone()
    return username, reply

def instantiate(p):
    print("*** instantiate ***")
    print(p)
    # return 0 for success or -1 for failure
    return 0

def authenticate(p):
    print("*** Authentication!! ***")
    print(p)
    return radiusd.RLM_MODULE_OK

def authorize(p):
    radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
    conn = func.GetConnectionMysql(mysql_host, mysql_username, mysql_password, mysql_base)
    param = func.ConvertArrayToNames(p)
    pprint(param)
    print("*** Authorization ***")
    reply = ()
    conf = ()
    username = ""
    mac = ""
    has_password = "User-Password" in param
    empty_password = has_password and param["User-Password"] == ''
    # first check "the proper way": by the login/password pair
    if ("User-Name" in param) and has_password:
        print("Authorization variant (1): login and password are present")
        pprint(param["User-Name"])          # the password itself is deliberately not printed
        print(sys.version_info)
        print(radiusd.config)
        username, reply = run_lookup(conn, SQL_BY_LOGIN, [param["User-Name"], param["User-Password"]])
    # variant: User-Name is the MAC address of the base station, no password and no port
    if ("User-Name" in param) and empty_password and not reply:
        if ":" in param["User-Name"]:
            pprint(param["User-Name"])
            print("Authorization variant (2): User-Name is the base station MAC address, no port and no password")
            username, reply = run_lookup(conn, SQL_BY_MAC, [param["User-Name"]])
            if reply:
                mac = param["User-Name"]
    # variant: Agent-Remote-Id is the MAC address of the PON equipment, password present but empty
    if ("Agent-Remote-Id" in param) and empty_password and not reply:
        pprint(param["Agent-Remote-Id"])
        print("Authorization variant (2.5): Agent-Remote-Id is the MAC address of the PON equipment")
        username, reply = run_lookup(conn, SQL_BY_MAC, [param["Agent-Remote-Id"]])
        if reply:
            mac = param["Agent-Remote-Id"]
    # variant: Agent-Remote-Id is the base station MAC, no password and no port, and the previous lookups gave nothing
    if ("Agent-Remote-Id" in param) and not has_password and not reply:
        pprint(param["Agent-Remote-Id"])
        print("Authorization variant (3): Agent-Remote-Id is the base station/PON MAC. No port in billing")
        username, reply = run_lookup(conn, SQL_BY_MAC, [param["Agent-Remote-Id"]])
        if reply:
            mac = param["Agent-Remote-Id"]
    # variant: the previous attempts gave nothing, but both Agent-Remote-Id and Agent-Circuit-Id are present
    if ("Agent-Remote-Id" in param) and ("Agent-Circuit-Id" in param) and not reply:
        pprint(param["Agent-Remote-Id"])
        pprint(param["Agent-Circuit-Id"])
        print("Authorization variant (4): by Agent-Remote-Id and Agent-Circuit-Id, billing has the port/MAC")
        username, reply = run_lookup(conn, SQL_BY_SWITCH_PORT, [param["Agent-Remote-Id"], param["Agent-Circuit-Id"]])
        if reply:
            mac = param["Agent-Remote-Id"]
    # if no IP has been obtained so far, issue one from the guest network
    if not reply:
        print("None of the authorization variants worked, taking an IP from the guest network..")
        ip = func.GetGuestNet(conn)
        if ip != "":
            reply = reply + (("Framed-IP-Address", str(ip)),)
    # if everything has failed, Reject
    if not reply:
        conf = (("Auth-Type", "Reject"),)
    else:
        # authorization succeeded (such a subscriber exists), so record the authorization history
        if username != "":
            func.InsertToHistory(conn, username, mac, reply)
        conf = (("Auth-Type", "Accept"),)
    pprint(reply)
    conn.close()
    return radiusd.RLM_MODULE_OK, reply, conf

def preacct(p):
    print("*** preacct ***")
    print(p)
    return radiusd.RLM_MODULE_OK

def accounting(p):
    print("*** Accounting ***")
    radiusd.radlog(radiusd.L_INFO, '*** radlog call in accounting (0) ***')
    print(p)
    conn = func.GetConnectionMysql(mysql_host, mysql_username, mysql_password, mysql_base)
    param = func.ConvertArrayToNames(p)
    pprint(param)
    print("Removing stale sessions (no accounting for more than 20 minutes)")
    cursor = conn.cursor(dictionary=True, buffered=True)
    cursor.execute("delete from radacct where TIMESTAMPDIFF(minute,acctupdatetime,now())>20")
    conn.commit()
    print("Updating/adding the session information")
    if ("Acct-Unique-Session-Id" in param) and ("User-Name" in param) and ("Framed-IP-Address" in param):
        sql = ("insert into radacct (radacctid,acctuniqueid,username,framedipaddress,acctstarttime) "
               "values (null,%s,%s,%s,now()) ON DUPLICATE KEY update acctupdatetime=now()")
        print(sql)
        cursor.execute(sql, [str(param['Acct-Unique-Session-Id']), str(param['User-Name']),
                             str(param['Framed-IP-Address'])])
        conn.commit()
    conn.close()
    return radiusd.RLM_MODULE_OK

def pre_proxy(p):
    print("*** pre_proxy ***")
    print(p)
    return radiusd.RLM_MODULE_OK

def post_proxy(p):
    print("*** post_proxy ***")
    print(p)
    return radiusd.RLM_MODULE_OK

def post_auth(p):
    print("*** post_auth ***")
    print(p)
    return radiusd.RLM_MODULE_OK

def recv_coa(p):
    print("*** recv_coa ***")
    print(p)
    return radiusd.RLM_MODULE_OK

def send_coa(p):
    print("*** send_coa ***")
    print(p)
    return radiusd.RLM_MODULE_OK

def detach():
    print("*** That's all, folks ***")
    return radiusd.RLM_MODULE_OK
func.py:
#!/usr/bin/python2.7
# coding=utf-8
import mysql.connector
from mysql.connector import Error

# Returns a connection to MySQL
def GetConnectionMysql(mysql_host, mysql_username, mysql_password, mysql_base):
    try:
        conn = mysql.connector.connect(host=mysql_host, database=mysql_base,
                                       user=mysql_username, password=mysql_password)
        if conn.is_connected():
            print('---connection to database ' + mysql_base + ' established')
    except Error as e:
        print("Error: " + str(e))
        exit(1)   # note: this terminates the calling process, i.e. radiusd itself
    return conn

# Turns the list of (attribute, value) pairs passed in by FreeRadius into a dict
def ConvertArrayToNames(p):
    mass = {}
    for z in p:
        mass[z[0]] = z[1]
    return mass

# Records the connection history from the known data
def InsertToHistory(conn, username, mac, reply):
    print("--writing to history")
    repl = ConvertArrayToNames(reply)
    if "Framed-IP-Address" in repl:
        sql = ("insert into radpostauth (username,reply,authdate,ip,mac,session_id,comment) "
               "values (%s,'Access-Accept',now(),%s,%s,'','')")
        print(sql)
        cursor = conn.cursor(dictionary=True, buffered=True)
        cursor.execute(sql, [username, str(repl["Framed-IP-Address"]), str(mac)])
        conn.commit()

# Returns the guest-network IP address that was issued least recently (oldest dt)
def GetGuestNet(conn):
    ip = ""
    guest_id = 0
    sql = "select * from guestnet order by dt limit 1"
    print(sql)
    cursor = conn.cursor(dictionary=True, buffered=True)
    cursor.execute(sql)
    row = cursor.fetchone()
    while row is not None:
        ip = row["ip"]
        guest_id = row["id"]
        row = cursor.fetchone()
    if guest_id > 0:
        # mark the address as just issued so that it goes to the back of the queue
        cursor.execute("update guestnet set dt=now() where id=%s", [guest_id])
        conn.commit()
    return ip
radiusd.py:
#!/usr/bin/python2.7
# coding=utf-8
# Stand-in for the radiusd module that FreeRadius itself provides to rlm_python at run time;
# it lets the scripts above be imported and tried out outside the server.
# from modules.h
RLM_MODULE_REJECT = 0
RLM_MODULE_FAIL = 1
RLM_MODULE_OK = 2
RLM_MODULE_HANDLED = 3
RLM_MODULE_INVALID = 4
RLM_MODULE_USERLOCK = 5
RLM_MODULE_NOTFOUND = 6
RLM_MODULE_NOOP = 7
RLM_MODULE_UPDATED = 8
RLM_MODULE_NUMCODES = 9
# from log.h
L_AUTH = 2
L_INFO = 3
L_ERR = 4
L_WARN = 5
L_PROXY = 6
L_ACCT = 7
L_DBG = 16
L_DBG_WARN = 17
L_DBG_ERR = 18
L_DBG_WARN_REQ = 19
L_DBG_ERR_REQ = 20
# log function: writes the message to stdout; the level is ignored in this stand-in
def radlog(level, msg):
    import sys
    sys.stdout.write(msg + '\n')
As you can see from the code, we try to identify the subscriber by every available means, using known subscriber MAC addresses or the Option 82 combination, and if that does not work, we issue the least recently used IP address from the "guest" network. All that remains is to configure the default script in the sites-enabled directory so that the required functions of the python script are called at the appropriate moment. In fact, it is enough to bring the file to the following form:
server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    listen {
        type = auth
        port = 0
        limit {
            max_connections = 1600
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipv6addr = ::
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
        python
        filter_username
        preprocess
        expiration
        logintime
    }
    authenticate {
        Auth-Type PAP {
            pap
            python
        }
        Auth-Type CHAP {
            chap
            python
        }
        Auth-Type MS-CHAP {
            mschap
            python
        }
        eap
    }
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        python
        exec
        attr_filter.accounting_response
    }
    session {
    }
    post-auth {
        update {
            &reply: += &session-state:
        }
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        Post-Auth-Type Challenge {
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
Let's look at what goes into the debug log:
/usr/local/etc/rc.d/radiusd debug
And one more thing. When setting up FreeRadius it is convenient to test its operation with the radclient utility. For example, authorization:
echo "User-Name=4C:5E:0C:2E:7F:15,Agent-Remote-Id=0x9845623a8c98,Agent-Circuit-Id=0x00010006" | radclient -x 127.0.0.1:1812 auth testing123
Or accounting:
echo "User-Name=4C:5E:0C:2E:7F:15,Agent-Remote-Id=0x00030f26054a,Agent-Circuit-Id=0x00010002" | radclient -x 127.0.0.1:1813 acct testing123
I want to warn you that it is absolutely not acceptable to use such a scheme and scripts "unchanged" on an "industrial" scale. At the very least, it is obvious that:
- a MAC address can be "faked". It is enough for a subscriber to register someone else's MAC and there will be problems
- the logic for issuing guest-network addresses is beneath all criticism. There is not even a check "is there already a subscriber with the same IP address?"
This is a "cookie-cutter solution" designed to work specifically in my situation, nothing more. Don't judge too harshly
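As an added illustration (not the article's code), here is the same authorization ladder in Python 3 against an in-memory SQLite stand-in for the radcheck/radreply/guestnet/radacct tables: every request value is passed as a bound parameter, the MAC normalization is done in code with a format check, and the guest pool skips addresses that still have a live session, which is the check the article says is missing. The table rows and addresses are constructed sample data.

```python
import re, sqlite3

def normalize_mac(value):
    """Strip '0x' and ':' and upper-case, as REPLACE(REPLACE(v,'0x',''),':','') does in work.py."""
    v = str(value).lower()
    v = (v[2:] if v.startswith("0x") else v).replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]{12}", v):
        raise ValueError("not a MAC address: %r" % (value,))
    return v
def open_demo_db():
    """Constructed in-memory stand-in for the radcheck/radreply/guestnet/radacct tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table radcheck(username, value, mac, sw_mac, sw_port);
        create table radreply(username, attribute, value);
        create table guestnet(id integer primary key, ip, dt integer);
        create table radacct(username, framedipaddress);""")
    db.executemany("insert into radcheck values (?,?,?,?,?)", [
        ("alice", "s3cret", "", "", ""),           # login/password subscriber
        ("bob", "", "4C5E0C2E7F15", "", ""),       # known by the device MAC, no port
        ("carol", "", "", "9845623A8C98", "06")])  # known by switch MAC + port (Option 82)
    db.executemany("insert into radreply values (?,?,?)", [
        ("alice", "Framed-IP-Address", "10.0.0.11"), ("bob", "Framed-IP-Address", "10.0.0.12"),
        ("carol", "Framed-IP-Address", "10.0.0.13")])
    db.executemany("insert into guestnet values (?,?,?)", [(1, "10.9.0.5", 100), (2, "10.9.0.6", 50)])
    db.execute("insert into radacct values (?,?)", ("guest", "10.9.0.6"))  # 10.9.0.6 still has a live session
    return db
SQL = ("select radreply.username, radreply.attribute, radreply.value from radcheck "
       "join radreply on radreply.username = radcheck.username where ")
def find_subscriber(db, p):
    """Variants (1)-(4) of work.py as parameterised queries; returns (username, [(attr, value)]) or None."""
    user, pw = p.get("User-Name"), p.get("User-Password")
    rid, cid = p.get("Agent-Remote-Id"), p.get("Agent-Circuit-Id")
    tries = []
    if user and pw:                        # (1) login/password; an empty password must not match an empty radcheck.value
        tries.append(("radcheck.username=? and radcheck.value=?", (user, pw)))
    if user and pw == "" and ":" in user:  # (2) User-Name is the station MAC, empty password, no port
        tries.append(("radcheck.mac=? and radcheck.sw_port=''", (normalize_mac(user),)))
    if rid:                                # (2.5)/(3) Agent-Remote-Id is the PON / base station MAC
        tries.append(("radcheck.mac=? and radcheck.sw_port=''", (normalize_mac(rid),)))
    if rid and cid:                        # (4) switch MAC + port; the port is the last two hex digits (RIGHT(...,2))
        tries.append(("radcheck.sw_mac=? and radcheck.sw_port=?", (normalize_mac(rid), str(cid)[-2:].upper())))
    for where, args in tries:
        rows = db.execute(SQL + where, args).fetchall()
        if rows:
            return rows[0][0], [(attr, val) for _, attr, val in rows]
    return None
def guest_ip(db):
    """Least recently issued guest IP, skipping any that radacct still shows as active."""
    for ip_id, ip in db.execute("select id, ip from guestnet order by dt").fetchall():
        if db.execute("select 1 from radacct where framedipaddress=?", (ip,)).fetchone() is None:
            db.execute("update guestnet set dt=strftime('%s','now') where id=?", (ip_id,))
            return ip
    return None
def authorize(db, p):
    found = find_subscriber(db, p)     # subscriber reply, else a guest IP, else Reject (as in work.py)
    if found:
        return ("Accept",) + found
    ip = guest_ip(db)
    return ("Accept", "", [("Framed-IP-Address", ip)]) if ip else ("Reject", "", [])
```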
Source: www.habr.com