
PROXY RADIUS CONFIGURATION

Adding a VISP

Adding a VISP takes a set of standard, BUT manual, steps.

BACK END WORK

First of all there is the backend configuration to add the realm. Let us assume that the new domain/realm we are adding is called In radius parlance a domain is a realm.

Go to /usr/local/etc/raddb on and

1) edit hints

If the realm we proxy for is charged on a per-minute basis, add the following lines:

DEFAULT	Suffix = "", Strip-User-Name = No
	Hint = "PER_MINUTE_PROXIED_DOMAIN",
	Service-Type = Framed-User,
	Framed-Protocol = PPP

If it is charged flatly per user, add the following lines:

DEFAULT	Suffix = "", Strip-User-Name = No
	Hint = "FLAT_PROXIED_DOMAIN",
	Service-Type = Framed-User,
	Framed-Protocol = PPP

2) edit the attrs file and add the following lines if the realm is a per-minute realm

	Service-Type == Framed-User,
	Framed-IP-Address =* ANY,
	Framed-IP-Netmask ==,
	Framed-Protocol == PPP,
	Framed-Protocol == SLIP,
	Framed-Compression == Van-Jacobson-TCP-IP,
	Framed-MTU >= 576,
	Framed-Filter-ID =* ANY,
	Filter-ID =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	Session-Timeout <= 14400,
	Idle-Timeout <= 600,
	Event-Timestamp =* ANY,
	Acct-Session-Id =* ANY,
	Class =* ANY,
	Port-Limit =* ANY

If the realm is flat charged, replace the last line with

	Port-Limit <= 1

3) edit the proxy.conf file and add the following lines

realm {
	type = radius
	authhost = $radiusserver:$authentication_port
	accthost = $radiusserver:$accounting_port
	secret = $shared_secret
}

where
$radiusserver is the IP address of the client's radius server
$authentication_port is the port where the server accepts authentication requests, i.e. 1812
$accounting_port is the port where the server accepts accounting requests, i.e. 1813
$shared_secret is the common secret between us and them.

If the client has more than one server, then we list them in order of importance!

4) restart the radiusd service for the changes to take effect

5) tail -f /var/log/radius/radius.log and check for any errors

If the clients are finicky and want both upper and lower case entry of their realms, repeat the above steps with the realm name upper-cased.

Explanations and notes for the above cruft

The users file should never be edited; it is generic for all realms and users. All the lines in the configuration files that are indented should be indented with TABs.

The hints file is necessary so that a default hint will be processed by the users file. That default hint limits flat charged proxied realms to one (1) simultaneous login per username. All other domains are left free to log in as many times as they want, because we charge them for each minute they are logged in.

The attrs file is used to control the Radius attributes that clients send us. We apply a set of attribute names and allowed values that we can proxy for them. It is interesting to note that we allow Framed-IP-Address =* ANY, so that we can get the IPs in our accounting. Although this sounds counterintuitive, because they can send any IP they want, for example static IPs to their customers, our NASes will refuse to work with IPs that they are not configured with. So this little hack is harmless.
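The TAB-indentation rule in the notes above can be checked before radiusd is restarted. The following is an added example, not part of the original procedure: the realm name example-realm and the sample text are constructed, and the comma rule it enforces (every indented line of an entry except the last ends with a comma) is the users-file convention assumed here for hints and attrs.

```python
def lint_raddb(text):
    """Lint hints/attrs-style text; return a sorted list of (line_no, message)."""
    problems = []
    entry = []  # (line_no, stripped_text) for indented lines of the current entry

    def close_entry():
        # Assumed convention: every indented line except the last ends with a comma.
        for pos, (no, body) in enumerate(entry):
            last = pos == len(entry) - 1
            if not last and not body.endswith(","):
                problems.append((no, "missing trailing comma"))
            if last and body.endswith(","):
                problems.append((no, "last line of entry must not end with a comma"))
        entry.clear()

    for no, line in enumerate(text.splitlines(), start=1):
        body = line.strip()
        if not body or body.startswith("#"):
            continue  # blank lines and comments carry no rules
        if line[0] in " \t":
            if line[0] != "\t":
                problems.append((no, "indent with a TAB, not spaces"))
            entry.append((no, body))
        else:
            close_entry()  # an unindented line starts a new entry
    close_entry()
    return sorted(problems)


# Constructed sample for a hypothetical realm "example-realm" (not from the page).
SAMPLE = (
    'DEFAULT\tSuffix = "@example-realm", Strip-User-Name = No\n'
    '\tHint = "FLAT_PROXIED_DOMAIN",\n'
    '    Service-Type = Framed-User,\n'   # spaces instead of a TAB
    '\tFramed-Protocol = PPP\n'
    'example-realm\n'
    '\tService-Type == Framed-User,\n'
    '\tSession-Timeout <= 14400\n'        # comma missing
    '\tPort-Limit <= 1,\n'                # comma on the last line
)

if __name__ == "__main__":
    for no, message in lint_raddb(SAMPLE):
        print(f"line {no}: {message}")
```

Run it against the edited hints and attrs text before step 4; an empty result means the indentation and comma layout are consistent.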

FRONT END WORK

To modify the front end, the web interface for a VISP, the work is quite a bit more complicated, because one practically has to create a sub-interface of the existing one. An easy way to deal with it is to copy over another realm, i.e. algonet, and edit all the relevant files.

1) To have automated session information per VISP, first of all edit the script /opt/HOLtools/ and insert the newrealm in the REALMS variable. Take down what you enter for the realm because you will need it later.
2) Switch to /opt/HOLtools/html and mkdir newrealm
3) Copy a sample domain's files (algonet) over, and don't forget the .htaccess file. Make sure that you erase all accounting records that you have copied over.
4) Add a user in the htpasswd file with "htpasswd /etc/httpd/htpasswd newrealm" and supply the new password when prompted.
5) In the local copy, edit all the phtml files and replace the old domain with the new one.
6) Include an entry for this subdirectory in the HOL/index.html file.
7) Link the accounting subdir to ../accounting/ WARNING: should be the same as the one entered in step 1
8) Test to see that all of the above works.

All of the above will be rsynced over to radikal each hour. If you need to replicate changes faster, then on radikal run the script /opt/HOLtools/allrsync.